On Thu, Mar 21, 2024 at 9:13 AM Alexander Bokovoy <[email protected]> wrote:
>
> On Чцв, 21 сак 2024, Ian Kumlien via FreeIPA-users wrote:
> >On Wed, Mar 20, 2024 at 9:52 PM Florence Renaud <[email protected]> wrote:
> >>
> >>
> >>
> >> > On 20 Mar 2024, at 16:38, Ian Kumlien <[email protected]> wrote:
> >> >
> >> > On Wed, Mar 20, 2024 at 3:52 PM Ian Kumlien <[email protected]>
> >> > wrote:
> >> >>
> >> >>> On Wed, Mar 20, 2024 at 11:21 AM Florence Blanc-Renaud
> >> >>> <[email protected]> wrote:
> >> >>>
> >> >>> Hi,
> >> >>>
> >> >>> On Wed, Mar 20, 2024 at 10:00 AM Ian Kumlien <[email protected]>
> >> >>> wrote:
> >> >>>>
> >> >>>> On Wed, Mar 20, 2024 at 9:45 AM Ian Kumlien <[email protected]>
> >> >>>> wrote:
> >> >>>>>
> >> >>>>> So... this one's new:
> >> >>>>>
> >> >>>>> Connection to https://freeipa-1.xerces.lan/ipa/json failed with
> >> >>>>> Insufficient access: SASL(-1): generic failure: GSSAPI Error:
> >> >>>>> Unspecified GSS failure. Minor code may provide more information
> >> >>>>> (Credential cache is empty)
> >> >>>
> >> >>>
> >> >>> this one can happen if you have an existing ticket in your cache, for
> >> >>> instance from a previous installation, but that is not valid anymore.
> >> >>
> >> >> Ah, ok, i did do kdestroy -A but only on the new machine...
> >> >>
> >> >> A new issue that appeared, no user from the old machines can
> >> >> authenticate at all - still looking in to why it doesn't work
> >> >
> >> > Disabling MS-PAC fixed this issue, will have to dig in to why it was
> >> > later =)
> >> >
> >> > Any clues?
> >> Your users are probably missing a SID. Run ipa config-mod —enable-sid
> >> —add-sids and check with ipa user-show —all —raw that they contain an
> >> ipantsecurityidentifier attribute.
> >
> >Uhm, nope, changed nothing it seems... leaving ms-pac disabled works however
>
> There were plenty of discussions on this list in past couple months,
> including a lot of instructions what to investigate. Have you tried to
> apply those suggestions?
I haven't found any using google...
> You haven't shown a single log excerpt from IPA servers, be it
> /var/log/krb5kdc.log or error logs from the directory server.
And i haven't been asked - i assumed it was something due to the upgrade path
Doing kerberos results in:
Mar 20 16:18:29 freeipa-4.xerces.lan krb5kdc[113624](info): AS_REQ (6
etypes {aes256-cts-hmac-sha384-192(20),
aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18),
aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26),
camellia128-cts-cmac(25)}) 10.129.0.239: HANDLE_AUTHDATA:
[email protected] for krbtgt/[email protected], No such file or
directory
For ldap authentication, which also fails with ms-pac enabled, i
haven't been able to find any real log with issues.
(So, with ms-pac, things that fails for a user: kerberos, ldap,
freeipa webui. Without ms-pac, everything works)
We don't really use kerberos atm, so potentially leaving it disabled
could be fine, however i would much more like to get to the bottom of
this...
> Disabling MS-PAC basically kills protection mechanisms that we have
> against a numerous breaches using Kerberos protocol's issues.
>
>
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
