Hi all,

After an upgrade from 4.10.0-8 to 4.11.0-15, I'm getting an authentication failure in the access log:

    [11/Jul/2024:17:32:01.528294151 -0500] conn=57224 op=1 RESULT err=49 tag=97 nentries=0 wtime=0.000076683 optime=0.265358256 etime=0.265415438 - SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context

This is preventing anyone from logging in.

Kvno was saying the keytab entry is invalid and wrong principal in request:

    root@pacific dirsrv $ klist -kt /etc/dirsrv/ds.keytab
    Keytab name: FILE:/etc/dirsrv/ds.keytab
    KVNO Timestamp           Principal
    ---- ------------------- ------------------------------------------------------
       1 03/08/2023 23:34:09 ldap/[email protected]
       1 03/08/2023 23:34:09 ldap/[email protected]

    root@pacific ~ $ kvno -k /etc/dirsrv/ds.keytab ldap/pacific.caps.int
    ldap/[email protected]: kvno = 2, keytab entry invalid
    kvno: Wrong principal in request while decrypting ticket for ldap/[email protected]

So I got a new ticket with ktutil, and kvno still shows it is invalid:

    root@pacific dirsrv $ klist -kt /etc/dirsrv/ds.keytab
    Keytab name: FILE:/etc/dirsrv/ds.keytab
    KVNO Timestamp           Principal
    ---- ------------------- ------------------------------------------------------
       2 07/11/2024 18:54:19 ldap/[email protected]

    root@pacific dirsrv $ kvno -k /etc/dirsrv/ds.keytab ldap/pacific.caps.int
    ldap/[email protected]: kvno = 2, keytab entry invalid
    kvno: Wrong principal in request while decrypting ticket for ldap/[email protected]

I checked the database for the principal:

    root@pacific dirsrv $ kadmin.local
    Authenticating as principal capsipa/[email protected] with password.
    kadmin.local: get_principal ldap/pacific.caps.int
    Principal: ldap/[email protected]
    Expiration date: [never]
    Last password change: Mon Jul 08 10:21:07 CDT 2024
    Password expiration date: [never]
    Maximum ticket life: 1 day 00:00:00
    Maximum renewable life: 7 days 00:00:00
    Last modified: Mon Jul 08 10:21:07 CDT 2024 (ldap/[email protected])
    Last successful authentication: [never]
    Last failed authentication: Mon Jul 08 23:54:29 CDT 2024
    Failed password attempts: 4
    Number of keys: 2
    Key: vno 2, aes256-cts-hmac-sha1-96:special
    Key: vno 2, aes128-cts-hmac-sha1-96:special
    MKey: vno 1
    Attributes: REQUIRES_PRE_AUTH
    Policy: [none]

The ldap.conf contents:

    SASL_NOCANON on
    BASE dc=caps,dc=int
    TLS_CACERT /etc/ipa/ca.crt
    SASL_MECH GSSAPI
    URI ldaps://pacific.caps.int

The krb5.conf contents:

    includedir /etc/krb5.conf.d/

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = CAPS.INT
     dns_lookup_realm = false
     dns_lookup_kdc = true
     rdns = false
     ticket_lifetime = 24h
     forwardable = true
     udp_preference_limit = 0
     default_ccache_name = KEYRING:persistent:%{uid}

    [realms]
     CAPS.INT = {
      kdc = pacific.caps.int:88
      master_kdc = pacific.caps.int:88
      kpasswd_server = pacific.caps.int:464
      admin_server = pacific.caps.int:749
      default_domain = caps.int
      pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
      pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
     }

    [domain_realm]
     .caps.int = CAPS.INT
     caps.int = CAPS.INT
     pacific.caps.int = CAPS.INT

    [dbmodules]
     CAPS.INT = {
      db_library = ipadb.so
     }

    [plugins]
     certauth = {
      module = ipakdb:kdb/ipadb.so
      enable_only = ipakdb
     }

I'm not sure where to go from here.

Thank you,
Bryan Carroll

--
FreeIPA-users mailing list -- [email protected]
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
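The post compares three things by eye: the keytab entries listed by `klist -kt`, the keys the KDC reports through `kadmin.local get_principal`, and the verdict of `kvno -k`. The script below is an added example, not part of Bryan's post and not FreeIPA's own tooling: it parses the text those two listing commands print and reports every keytab entry whose kvno (or, when `klist -kte` was used, whose kvno/enctype pair) has no counterpart on the KDC. The embedded sample outputs are constructed to mirror the post's first state (kvno 1 in the keytab, kvno 2 on the KDC); the full principal name `ldap/pacific.caps.int@CAPS.INT` is an assumption built from the host and realm the post names, since the realm suffix in the quoted output is redacted.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of `klist -kte /etc/dirsrv/ds.keytab`, modelled on the post's
# pre-refresh keytab (kvno 1). The enctype in parentheses only appears with -e.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/dirsrv/ds.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 03/08/2023 23:34:09 ldap/pacific.caps.int@CAPS.INT (aes256-cts-hmac-sha1-96)
   1 03/08/2023 23:34:09 ldap/pacific.caps.int@CAPS.INT (aes128-cts-hmac-sha1-96)
"""

# Constructed sample of `kadmin.local get_principal ldap/pacific.caps.int`, trimmed
# to the lines this check uses (the KDC holds kvno 2 keys with a "special" salt).
GET_PRINCIPAL_OUTPUT = """\
Principal: ldap/pacific.caps.int@CAPS.INT
Expiration date: [never]
Number of keys: 2
Key: vno 2, aes256-cts-hmac-sha1-96:special
Key: vno 2, aes128-cts-hmac-sha1-96:special
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
"""

# One klist -kt entry: "<kvno> <date> <time> <principal> [(<enctype>)]".
# The -t timestamp is required; the -e enctype is optional.
KLIST_LINE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+\S+ \S+\s+(?P<principal>\S+)"
    r"(?:\s+\((?P<enctype>[^)]+)\))?\s*$"
)
# One kadmin key line: "Key: vno <kvno>, <enctype>[:<salttype>]". "MKey:" lines do not match.
KDC_KEY_LINE = re.compile(r"^Key: vno (?P<kvno>\d+), (?P<enctype>[^:\s]+)")


@dataclass(frozen=True)
class KeytabEntry:
    principal: str
    kvno: int
    enctype: str | None  # None when klist was run without -e


def parse_keytab(klist_text: str) -> list[KeytabEntry]:
    """Turn `klist -kt` / `klist -kte` output into entries; header lines are skipped."""
    entries = []
    for line in klist_text.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            entries.append(KeytabEntry(m["principal"], int(m["kvno"]), m["enctype"]))
    return entries


def parse_kdc_keys(get_principal_text: str) -> tuple[str | None, set[tuple[int, str]]]:
    """Return (principal, {(kvno, enctype), ...}) from `get_principal` output.

    The salt type after the colon (e.g. ':special') is dropped; it is not part of the
    keytab listing, so it cannot be compared from text alone.
    """
    principal = None
    keys: set[tuple[int, str]] = set()
    for line in get_principal_text.splitlines():
        if line.startswith("Principal: "):
            principal = line[len("Principal: "):].strip()
        m = KDC_KEY_LINE.match(line)
        if m:
            keys.add((int(m["kvno"]), m["enctype"]))
    return principal, keys


def stale_entries(entries: list[KeytabEntry], principal: str | None,
                  kdc_keys: set[tuple[int, str]]) -> list[str]:
    """One finding per keytab entry for `principal` that no KDC key can correspond to."""
    if principal is None:
        raise ValueError("get_principal output had no 'Principal:' line")
    kdc_kvnos = sorted({kvno for kvno, _ in kdc_keys})
    findings = []
    matched = False
    for e in entries:
        if e.principal != principal:
            continue
        matched = True
        if e.kvno not in kdc_kvnos:
            findings.append(f"{e.principal}: keytab kvno {e.kvno} is not on the KDC "
                            f"(KDC kvnos: {kdc_kvnos})")
        elif e.enctype is not None and (e.kvno, e.enctype) not in kdc_keys:
            findings.append(f"{e.principal}: kvno {e.kvno} {e.enctype} has no matching KDC key")
    if not matched:
        findings.append(f"{principal}: no entry in the keytab")
    return findings


if __name__ == "__main__":
    principal, kdc_keys = parse_kdc_keys(GET_PRINCIPAL_OUTPUT)
    report = stale_entries(parse_keytab(KLIST_OUTPUT), principal, kdc_keys)
    for line in report or ["keytab agrees with the KDC listing"]:
        print(line)
```

Run against the constructed samples it flags both kvno 1 entries, which is the post's first state. The check is deliberately limited to what the listings expose: a keytab entry can carry the right kvno and enctype and still hold different key bytes (for instance a key regenerated from a password with a different salt than the one the KDC used), and that can only be proven by actually decrypting a ticket, which is what `kvno -k` does. Use this to find the obvious mismatches quickly, then let `kvno -k` have the last word.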
