Hi
I'm using Oracle Linux 8 on all IPA servers.
After the IPA upgrade I noticed several problems:
1) Nobody, including admin, can log into the web UI ("Your session has expired.
Please log in again.")
2) Can't add new machines to IPA (JSON-RPC response:
{"result": null, "error": {"code": 2100, "message": "Insufficient
access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
failure. Minor code may provide more information (Credential cache is
empty)", "data": {"info": "SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure. Minor code may provide more information
(Credential cache is empty)"}, "name": "ACIError"}, "id": null,
"principal": "UNKNOWN", "version": "4.9.13"})
3) certificate renewal (ipa-getcert) fails (ca-error: Server at
https://dc02.dc.makolab.pl/ipa/json denied our request, giving up: 2100
(Insufficient access: SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure. Minor code may provide more information
(Credential cache is empty)).) - this command was run directly on IPA
server dc02 (renewal of the certificate for rsyslog TLS)
Replication between IPA servers seems to be working OK.
ipa-healthcheck does not find any errors or criticals, only a few warnings:
ipa-healthcheck --output-type human --all --severity WARNING
WARNING: ipahealthcheck.ipa.certs.IPACertTracking.20220104115549: certmonger tracking request 20220104115549 found and is not expected on an IPA master. <- certificate for metricbit TLS
WARNING: ipahealthcheck.ipa.certs.IPACertTracking.20220104120152: certmonger tracking request 20220104120152 found and is not expected on an IPA master. <- certificate for rsyslog TLS
WARNING: ipahealthcheck.ipa.idns.IPADNSSystemRecordsCheck._kpasswd.dc.makolab.pl.:krb5srv:m:tcp:dc02.dc.makolab.pl.: Expected URI record missing
WARNING: ipahealthcheck.ipa.idns.IPADNSSystemRecordsCheck._kpasswd.dc.makolab.pl.:krb5srv:m:udp:dc02.dc.makolab.pl.: Expected URI record missing
WARNING: ipahealthcheck.ipa.idns.IPADNSSystemRecordsCheck._kpasswd.dc.makolab.pl.:krb5srv:m:tcp:dc03.dc.makolab.pl.: Expected URI record missing
WARNING: ipahealthcheck.ipa.idns.IPADNSSystemRecordsCheck._kpasswd.dc.makolab.pl.:krb5srv:m:udp:dc03.dc.makolab.pl.: Expected URI record missing
WARNING: ipahealthcheck.ipa.idns.IPADNSSystemRecordsCheck._kpasswd.dc.makolab.pl.:krb5srv:m:tcp:dc04.dc.makolab.pl.: Expected URI record missing
WARNING: ipahealthcheck.ipa.idns.IPADNSSystemRecordsCheck._kpasswd.dc.makolab.pl.:krb5srv:m:udp:dc04.dc.makolab.pl.: Expected URI record missing
WARNING: ipahealthcheck.ipa.idns.IPADNSSystemRecordsCheck._kpasswd.dc.makolab.pl.:krb5srv:m:tcp:dc05.dc.makolab.pl.: Expected URI record missing
WARNING: ipahealthcheck.ipa.idns.IPADNSSystemRecordsCheck._kpasswd.dc.makolab.pl.:krb5srv:m:udp:dc05.dc.makolab.pl.: Expected URI record missing
When running ipa ping on a remote machine or directly on an IPA server, I get an error:
kinit admin && ipa -d ping
Password for [email protected]:
ipa: DEBUG: Loading Index file from
'/var/lib/ipa-client/sysrestore/sysrestore.index'
ipa: DEBUG: Loading StateFile from
'/var/lib/ipa-client/sysrestore/sysrestore.state'
ipa: DEBUG: Loading StateFile from
'/var/lib/ipa-client/sysrestore/sysrestore.state'
ipa: DEBUG: failed to find session_cookie in persistent storage for
principal '[email protected]'
ipa: DEBUG: trying https://dc02.dc.makolab.pl/ipa/json
ipa: DEBUG: New HTTP connection (dc02.dc.makolab.pl)
ipa: DEBUG: received Set-Cookie (<class 'list'>) ['ipa_session=MagBearerToken=[token omitted];path=/ipa;httponly;secure;']
ipa: DEBUG: storing cookie 'ipa_session=MagBearerToken=[token omitted];' for principal [email protected]
ipa: INFO: Connection to https://dc02.dc.makolab.pl/ipa/json failed with
Insufficient access: SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure. Minor code may provide more information
(Credential cache is empty)
ipa: DEBUG: trying https://dc05.dc.makolab.pl/ipa/json
ipa: DEBUG: New HTTP connection (dc05.dc.makolab.pl)
ipa: DEBUG: received Set-Cookie (<class 'list'>) ['ipa_session=MagBearerToken=[token omitted];path=/ipa;httponly;secure;']
ipa: DEBUG: storing cookie 'ipa_session=MagBearerToken=[token omitted];' for principal [email protected]
ipa: INFO: Connection to https://dc05.dc.makolab.pl/ipa/json failed with
Insufficient access: SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure. Minor code may provide more information
(Credential cache is empty)
ipa: DEBUG: trying https://dc03.dc.makolab.pl/ipa/json
ipa: DEBUG: New HTTP connection (dc03.dc.makolab.pl)
ipa: DEBUG: received Set-Cookie (<class 'list'>) ['ipa_session=MagBearerToken=[token omitted];path=/ipa;httponly;secure;']
ipa: DEBUG: storing cookie 'ipa_session=MagBearerToken=[token omitted];' for principal [email protected]
ipa: INFO: Connection to https://dc03.dc.makolab.pl/ipa/json failed with
Insufficient access: SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure. Minor code may provide more information
(Credential cache is empty)
ipa: DEBUG: trying https://dc04.dc.makolab.pl/ipa/json
ipa: DEBUG: New HTTP connection (dc04.dc.makolab.pl)
ipa: DEBUG: received Set-Cookie (<class 'list'>) ['ipa_session=MagBearerToken=[token omitted];path=/ipa;httponly;secure;']
ipa: DEBUG: storing cookie 'ipa_session=MagBearerToken=[token omitted];' for principal [email protected]
ipa: INFO: Connection to https://dc04.dc.makolab.pl/ipa/json failed with
Insufficient access: SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure. Minor code may provide more information
(Credential cache is empty)
ipa: ERROR: cannot connect to 'any of the configured servers':
https://dc02.dc.makolab.pl/ipa/json,
https://dc05.dc.makolab.pl/ipa/json,
https://dc03.dc.makolab.pl/ipa/json, https://dc04.dc.makolab.pl/ipa/json
I checked that the admin user has ipaNTSecurityIdentifier:
S-1-5-21-1851759508-3520056987-880742157-500
Other users also have ipaNTSecurityIdentifier defined in LDAP.
klist -kt /etc/dirsrv/ds.keytab
Keytab name: FILE:/etc/dirsrv/ds.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
1 12/30/21 13:09:34 ldap/[email protected]
1 12/30/21 13:09:34 ldap/[email protected]
kvno -k /etc/dirsrv/ds.keytab ldap/dc02.dc.makolab.pl
ldap/[email protected]: kvno = 1, keytab entry valid
Problems I spotted in the logs:
In /var/log/dirsrv/slapd-DOMAIN/error:
[25/Jul/2024:12:36:11.325055589 +0000] - ERR - set_krb5_creds - Could
not get initial credentials for principal
[ldap/[email protected]] in keytab
[FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[25/Jul/2024:12:36:16.399028241 +0000] - ERR - schema-compat-plugin -
warning: no entries set up under cn=computers,
cn=compat,dc=dc,dc=makolab,dc=pl
[25/Jul/2024:12:36:16.401195077 +0000] - ERR - schema-compat-plugin -
Finished plugin initialization.
From the httpd error_log:
[Fri Jul 26 10:58:46.588000 2024] [wsgi:error] [pid 11820:tid
140020710070016] [remote 172.16.129.240:59424] ipa: INFO: 401
Unauthorized: Insufficient access: SASL(-1): generic failure: GSSAPI
Error: Unspecified GSS failure. Minor code may provide more information
(Credential cache is empty)
[Fri Jul 26 10:58:46.636457 2024] [wsgi:error] [pid 11821:tid
140020710070016] [remote 172.16.129.240:59424] ipa: INFO: 401
Unauthorized: Insufficient access: SASL(-1): generic failure: GSSAPI
Error: Unspecified GSS failure. Minor code may provide more information
(Credential cache is empty)
I would like to ask for any help with these problems.
Regards
Przemyslaw Orzechowski
--
FreeIPA-users mailing list -- [email protected]
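An added triage helper for the two error shapes in the report above (not code from the original post or from the FreeIPA project): it decodes the raw krb5 number the dirsrv log prints (-1765328324) into its symbolic name, and separates a JSON-RPC ACIError 2100 that carries "Credential cache is empty" (the server's own GSSAPI credentials are missing) from a genuine permission denial. The classification is a heuristic; the sample lines, hostnames and realm are constructed placeholders.

```python
import json
import re

# MIT krb5 protocol error codes are offsets from this com_err table base (KRB5KDC_ERR_NONE);
# the 389-ds errors log prints only the raw negative number.
KRB5_ERROR_BASE = -1765328384
KRB5_ERROR_NAMES = {6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN", 7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",
                    24: "KRB5KDC_ERR_PREAUTH_FAILED", 31: "KRB5KRB_AP_ERR_BAD_INTEGRITY",
                    37: "KRB5KRB_AP_ERR_SKEW", 44: "KRB5KRB_AP_ERR_BADKEYVER", 60: "KRB5KRB_ERR_GENERIC"}

DIRSRV_LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] - (?P<level>\w+) - (?P<func>\S+) - (?P<msg>.*)$")
KRB5_CODE = re.compile(r": (?P<code>-\d+) \(")
PRINCIPAL = re.compile(r"principal \[(?P<princ>[^\]]+)\] in keytab \[(?P<kt>[^\]]+)\]")

# Constructed sample input modelled on the report; hostname and realm are placeholders.
SAMPLE_DIRSRV = ("[25/Jul/2024:12:36:11.325055589 +0000] - ERR - set_krb5_creds - Could not get "
                 "initial credentials for principal [ldap/dc02.example.test@EXAMPLE.TEST] in "
                 "keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))")
SAMPLE_JSONRPC = json.dumps({"result": None, "id": None, "principal": "UNKNOWN", "error": {
    "code": 2100, "name": "ACIError", "message": "Insufficient access: SASL(-1): generic "
    "failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more "
    "information (Credential cache is empty)"}})


def krb5_error_name(code: int) -> str:
    """Translate a raw krb5 error number (e.g. -1765328324) into its symbolic name."""
    return KRB5_ERROR_NAMES.get(code - KRB5_ERROR_BASE, f"UNKNOWN({code})")


def parse_dirsrv_error(line: str):
    """Parse one 389-ds errors-log line into a dict (None if it does not match);
    decodes the krb5 code, principal and keytab when the message carries them."""
    m = DIRSRV_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    if code := KRB5_CODE.search(rec["msg"]):
        rec["krb5_code"] = int(code["code"])
        rec["krb5_name"] = krb5_error_name(rec["krb5_code"])
    if p := PRINCIPAL.search(rec["msg"]):
        rec["principal"], rec["keytab"] = p["princ"], p["kt"]
    return rec


def classify_jsonrpc_error(response: str) -> str:
    """Heuristic: a 2100 whose GSSAPI text says the credential cache is empty means the
    IPA framework itself has no ticket, which is not a permission problem of the caller."""
    body = json.loads(response)
    err = body.get("error") or {}
    if err.get("code") == 2100 and "Credential cache is empty" in err.get("message", ""):
        return "server-side: IPA framework has no GSSAPI credentials (check KDC, keytabs, gssproxy)"
    if err.get("code") == 2100:
        return f"aci: principal {body.get('principal')} lacks permission"
    return f"other: {err.get('name')} ({err.get('code')})"
```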