So update, the one user that works when ms-pac is enabled has an ipantsecurityidentifier but no other user has that.

ipa config-mod --enable-sid --add-sids did not fix this for some reason

On Thu, Mar 21, 2024 at 9:36 AM Ian Kumlien <ian.kuml...@gmail.com> wrote:
>
> On Thu, Mar 21, 2024 at 9:13 AM Alexander Bokovoy <aboko...@redhat.com> wrote:
> >
> > On Thu, 21 Mar 2024, Ian Kumlien via FreeIPA-users wrote:
> > > On Wed, Mar 20, 2024 at 9:52 PM Florence Renaud <fren...@redhat.com> wrote:
> > >>
> > >> > On 20 Mar 2024, at 16:38, Ian Kumlien <ian.kuml...@gmail.com> wrote:
> > >> >
> > >> > On Wed, Mar 20, 2024 at 3:52 PM Ian Kumlien <ian.kuml...@gmail.com> wrote:
> > >> >>
> > >> >>> On Wed, Mar 20, 2024 at 11:21 AM Florence Blanc-Renaud <f...@redhat.com> wrote:
> > >> >>>
> > >> >>> Hi,
> > >> >>>
> > >> >>> On Wed, Mar 20, 2024 at 10:00 AM Ian Kumlien <ian.kuml...@gmail.com> wrote:
> > >> >>>>
> > >> >>>> On Wed, Mar 20, 2024 at 9:45 AM Ian Kumlien <ian.kuml...@gmail.com> wrote:
> > >> >>>>>
> > >> >>>>> So... this one's new:
> > >> >>>>>
> > >> >>>>> Connection to https://freeipa-1.xerces.lan/ipa/json failed with Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)
> > >> >>>
> > >> >>> This one can happen if you have an existing ticket in your cache, for instance from a previous installation, but that is not valid anymore.
> > >> >>
> > >> >> Ah, ok, I did do kdestroy -A but only on the new machine...
> > >> >>
> > >> >> A new issue that appeared: no user from the old machines can authenticate at all - still looking into why it doesn't work
> > >> >
> > >> > Disabling MS-PAC fixed this issue, will have to dig into why it was later =)
> > >> >
> > >> > Any clues?
> > >>
> > >> Your users are probably missing a SID. Run ipa config-mod --enable-sid --add-sids and check with ipa user-show --all --raw that they contain an ipantsecurityidentifier attribute.
> > >
> > > Uhm, nope, changed nothing it seems... leaving ms-pac disabled works however
> >
> > There were plenty of discussions on this list in the past couple of months, including a lot of instructions on what to investigate. Have you tried to apply those suggestions?
>
> I haven't found any using google...
>
> > You haven't shown a single log excerpt from IPA servers, be it /var/log/krb5kdc.log or error logs from the directory server.
>
> And I haven't been asked - I assumed it was something due to the upgrade path
>
> Doing kerberos results in:
> Mar 20 16:18:29 freeipa-4.xerces.lan krb5kdc[113624](info): AS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.129.0.239: HANDLE_AUTHDATA: u...@xerces.lan for krbtgt/xerces....@xerces.lan, No such file or directory
>
> For ldap authentication, which also fails with ms-pac enabled, I haven't been able to find any real log with issues.
> (So, with ms-pac, things that fail for a user: kerberos, ldap, freeipa webui. Without ms-pac, everything works)
>
> We don't really use kerberos atm, so potentially leaving it disabled could be fine, however I would much rather get to the bottom of this...
>
> > Disabling MS-PAC basically kills protection mechanisms that we have against numerous breaches using Kerberos protocol issues.
> >
> > --
> > / Alexander Bokovoy
> > Sr. Principal Software Engineer
> > Security / Identity Management Engineering
> > Red Hat Limited, Finland

--
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
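As an added check, not part of the thread above: a small shell script that reads `ipa user-find --all --raw` output and lists every user whose entry lacks the ipantsecurityidentifier attribute that Florence says to look for (the sample output, usernames and SID below are constructed; only the `ipa user-find --all --raw` command and the raw attribute names are real).

```shell
#!/bin/sh
# Added example: list FreeIPA users with no ipantsecurityidentifier (SID).
# Reads "ipa user-find --all --raw" output on stdin; prints one uid per line.
users_missing_sid() {
    awk '
        # --raw output is blocks of "  attr: value" lines, one block per
        # entry, separated by blank lines; flush on blank line and at EOF.
        function flush() {
            if (uid != "" && !has_sid) print uid
            uid = ""; has_sid = 0
        }
        /^[ \t]*uid: / { uid = $2 }
        /^[ \t]*ipantsecurityidentifier: ./ { has_sid = 1 }
        /^[ \t]*$/ { flush() }
        END { flush() }
    '
}

# Constructed sample in the shape of "ipa user-find --all --raw" output
# (attribute names, dashes and summary lines as ipa prints them; the
# usernames, DNs and SID value are made up).
SAMPLE_RAW='---------------
3 users matched
---------------
  dn: uid=admin,cn=users,cn=accounts,dc=example,dc=test
  uid: admin
  ipantsecurityidentifier: S-1-5-21-1111111111-2222222222-3333333333-500

  dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
  uid: alice
  homedirectory: /home/alice

  dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
  uid: bob
----------------------------
Number of entries returned 3
----------------------------'

# Run the check on the sample; against a real server use:
#   ipa user-find --all --raw | users_missing_sid
printf '%s\n' "$SAMPLE_RAW" | users_missing_sid
```

Users it prints are the ones `ipa config-mod --enable-sid --add-sids` should have given a SID; if they are still listed afterwards, the server-side logs mentioned in the thread are the next place to look.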