Hi, I managed to get a working installation of freeipa-server using the docker 
image docker.io/freeipa/freeipa-server:rocky-9-4.11.0.
I activated OTP, HBAC, and sudoers rules, and got everything working without 
issues. I tried logging in with ssh (password+OTP), doing sudo, and everything 
worked OK.
After having lunch, I tried again, and noticed that when I try to log in, I get 
an authentication failure.
This is not the first time this has happened. For example, yesterday something 
similar happened, and I tried several things like ipactl restart and restarting 
the server, to no avail. At some point, the system resumed working again, 
probably without my intervention. On the previous days I had a similar 
experience, with the system stopping and resuming working without a clear 
cause for me.

I'm copying some logs in case you can provide some hints about how to debug the 
source of this error:

Logs from freeipa-server:

==> /data/var/log/krb5kdc.log <==
Nov 05 16:07:12 ldap.staging.domain.com krb5kdc[278](info): AS_REQ (8 etypes 
{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), 
aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), 
UNSUPPORTED:des3-hmac-sha1(16), DEPRECATED:arcfour-hmac(23), 
camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 172.16.113.76: 
NEEDED_PREAUTH: [email protected] for 
krbtgt/[email protected], Additional pre-authentication 
required
Nov 05 16:07:12 ldap.staging.domain.com krb5kdc[278](info): AS_REQ (8 etypes 
{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), 
aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), 
UNSUPPORTED:des3-hmac-sha1(16), DEPRECATED:arcfour-hmac(23), 
camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 172.16.113.76: 
NEEDED_PREAUTH: [email protected] for 
krbtgt/[email protected], Additional pre-authentication 
required
Nov 05 16:07:12 ldap.staging.domain.com krb5kdc[278](info): closing down fd 12
Nov 05 16:07:12 ldap.staging.domain.com krb5kdc[278](info): closing down fd 12
Nov 05 16:07:12 ldap.staging.domain.com krb5kdc[278](info): AS_REQ (8 etypes 
{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), 
aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), 
UNSUPPORTED:des3-hmac-sha1(16), DEPRECATED:arcfour-hmac(23), 
camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 172.16.113.76: 
NEEDED_PREAUTH: [email protected] for 
krbtgt/[email protected], Additional pre-authentication 
required
Nov 05 16:07:12 ldap.staging.domain.com krb5kdc[278](info): AS_REQ (8 etypes 
{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), 
aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), 
UNSUPPORTED:des3-hmac-sha1(16), DEPRECATED:arcfour-hmac(23), 
camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 172.16.113.76: 
NEEDED_PREAUTH: [email protected] for 
krbtgt/[email protected], Additional pre-authentication 
required
Nov 05 16:07:12 ldap.staging.domain.com krb5kdc[278](info): closing down fd 12
Nov 05 16:07:12 ldap.staging.domain.com krb5kdc[278](info): closing down fd 12
Nov 05 16:07:12 ldap.staging.domain.com krb5kdc[278](info): preauth (otp) 
verify failure: Generic preauthentication failure
Nov 05 16:07:12 ldap.staging.domain.com krb5kdc[278](info): preauth (otp) 
verify failure: Generic preauthentication failure
Nov 05 16:07:12 ldap.staging.domain.com krb5kdc[278](info): AS_REQ (8 etypes 
{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), 
aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), 
UNSUPPORTED:des3-hmac-sha1(16), DEPRECATED:arcfour-hmac(23), 
camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 172.16.113.76: 
PREAUTH_FAILED: [email protected] for 
krbtgt/[email protected], Preauthentication failed
Nov 05 16:07:12 ldap.staging.domain.com krb5kdc[278](info): AS_REQ (8 etypes 
{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), 
aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), 
UNSUPPORTED:des3-hmac-sha1(16), DEPRECATED:arcfour-hmac(23), 
camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 172.16.113.76: 
PREAUTH_FAILED: [email protected] for 
krbtgt/[email protected], Preauthentication failed
Nov 05 16:07:12 ldap.staging.domain.com krb5kdc[278](info): closing down fd 12
Nov 05 16:07:12 ldap.staging.domain.com krb5kdc[278](info): closing down fd 12

Logs from ipa client:

==> krb5_child.log <==
(2024-11-05 17:07:12): [krb5_child[3980764]] [get_and_save_tgt] (0x0020): 
[RID#49] 1725: [-1765328360][Preauthentication failed]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING 
BACKTRACE:
   *  (2024-11-05 17:07:12): [krb5_child[3980764]] [main] (0x0400): [RID#49] 
krb5_child started.
   *  (2024-11-05 17:07:12): [krb5_child[3980764]] [unpack_buffer] (0x1000): 
[RID#49] total buffer size: [171]
   *  (2024-11-05 17:07:12): [krb5_child[3980764]] [unpack_buffer] (0x0100): 
[RID#49] cmd [241 (auth)] uid [1393800005] gid [1393800005] validate [true] 
enterprise principal [false] offline [false] UPN [[email protected]]
   *  (2024-11-05 17:07:12): [krb5_child[3980764]] [unpack_buffer] (0x2000): 
[RID#49] No old ccache
   *  (2024-11-05 17:07:12): [krb5_child[3980764]] [unpack_buffer] (0x0100): 
[RID#49] ccname: [KEYRING:persistent:1393800005] old_ccname: [not set] keytab: 
[/etc/krb5.keytab]
   *  (2024-11-05 17:07:12): [krb5_child[3980764]] [k5c_precreate_ccache] 
(0x4000): [RID#49] Recreating ccache
   *  (2024-11-05 17:07:12): [krb5_child[3980764]] [k5c_setup_fast] (0x0100): 
[RID#49] Fast principal is set to 
[host/[email protected]]
   *  (2024-11-05 17:07:12): [krb5_child[3980764]] [find_principal_in_keytab] 
(0x4000): [RID#49] Trying to find principal 
host/[email protected] in keytab.
   *  (2024-11-05 17:07:12): [krb5_child[3980764]] [match_principal] (0x1000): 
[RID#49] Principal matched to the sample 
(host/[email protected]).
   *  (2024-11-05 17:07:12): [krb5_child[3980764]] [check_fast_ccache] 
(0x0200): [RID#49] FAST TGT is still valid.
   *  (2024-11-05 17:07:12): [krb5_child[3980764]] [become_user] (0x0200): 
[RID#49] Trying to become user [1393800005][1393800005].
   *  (2024-11-05 17:07:12): [krb5_child[3980764]] [main] (0x2000): [RID#49] 
Running as [1393800005][1393800005].
   *  (2024-11-05 17:07:12): [krb5_child[3980764]] [set_lifetime_options] 
(0x0100): [RID#49] No specific renewable lifetime requested.
   *  (2024-11-05 17:07:12): [krb5_child[3980764]] [set_lifetime_options] 
(0x0100): [RID#49] No specific lifetime requested.
   *  (2024-11-05 17:07:12): [krb5_child[3980764]] [set_canonicalize_option] 
(0x0100): [RID#49] Canonicalization is set to [true]
   *  (2024-11-05 17:07:12): [krb5_child[3980764]] [main] (0x0400): [RID#49] 
Will perform auth
   *  (2024-11-05 17:07:12): [krb5_child[3980764]] [main] (0x0400): [RID#49] 
Will perform online auth
   *  (2024-11-05 17:07:12): [krb5_child[3980764]] [tgt_req_child] (0x1000): 
[RID#49] Attempting to get a TGT
   *  (2024-11-05 17:07:12): [krb5_child[3980764]] [get_and_save_tgt] (0x0400): 
[RID#49] Attempting kinit for realm [STAGING.DOMAIN.COM]
   *  (2024-11-05 17:07:12): [krb5_child[3980764]] [sss_krb5_responder] 
(0x4000): [RID#49] Got question [otp].
   *  (2024-11-05 17:07:12): [krb5_child[3980764]] [get_and_save_tgt] (0x0020): 
[RID#49] 1725: [-1765328360][Preauthentication failed]
********************** BACKTRACE DUMP ENDS HERE 
*********************************

(2024-11-05 17:07:12): [krb5_child[3980764]] [map_krb5_error] (0x0020): 
[RID#49] 1854: [-1765328360][Preauthentication failed]

==> /var/log/auth.log <==
Nov  5 16:07:12 db sshd[3980717]: pam_sss(sshd:auth): authentication failure; 
logname= uid=0 euid=0 tty=ssh ruser= rhost=172.16.113.180 user=username4
Nov  5 16:07:12 db sshd[3980717]: pam_sss(sshd:auth): received for user 
username4: 7 (Authentication failure)
Nov  5 16:07:15 db sshd[3980713]: error: PAM: Authentication failure for 
username4 from 172.16.113.180
Nov  5 16:07:15 db sshd[3980713]: Postponed keyboard-interactive for username4 
from 172.16.113.180 port 55090 ssh2 [preauth]
Any hint you can give about how to find the cause of these errors would be 
greatly appreciated.
-- 
_______________________________________________
FreeIPA-users mailing list -- [email protected]
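A triage script for KDC excerpts like the one in the post above, added here as an example; it is not part of the original post and not FreeIPA's own tooling. It parses MIT krb5kdc.log AS_REQ lines and `preauth (otp) verify failure` lines, summarises outcomes per principal, flags DEPRECATED/UNSUPPORTED enctypes a client offered, and reports client addresses with a burst of PREAUTH_FAILED responses. The sample lines are constructed to mirror the format shown in the post: the principal names, the second and third client addresses and the ISSUE line are placeholders, and the year is assumed because the log stamps carry none.

```python
"""Triage helper for MIT krb5kdc.log AS_REQ entries (added example, not from the post)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: client .76 gets NEEDED_PREAUTH, fails OTP, then PREAUTH_FAILED;
# client .90 fails three times in 20 s; client .80 succeeds (ISSUE). Placeholder names.
SAMPLE_KDC_LOG = """\
Nov 05 16:07:12 ldap.staging.domain.com krb5kdc[278](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), UNSUPPORTED:des3-hmac-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 172.16.113.76: NEEDED_PREAUTH: username4@STAGING.DOMAIN.COM for krbtgt/STAGING.DOMAIN.COM@STAGING.DOMAIN.COM, Additional pre-authentication required
Nov 05 16:07:12 ldap.staging.domain.com krb5kdc[278](info): closing down fd 12
Nov 05 16:07:12 ldap.staging.domain.com krb5kdc[278](info): preauth (otp) verify failure: Generic preauthentication failure
Nov 05 16:07:12 ldap.staging.domain.com krb5kdc[278](info): AS_REQ (3 etypes {aes256-cts-hmac-sha1-96(18), UNSUPPORTED:des3-hmac-sha1(16), DEPRECATED:arcfour-hmac(23)}) 172.16.113.76: PREAUTH_FAILED: username4@STAGING.DOMAIN.COM for krbtgt/STAGING.DOMAIN.COM@STAGING.DOMAIN.COM, Preauthentication failed
Nov 05 16:08:01 ldap.staging.domain.com krb5kdc[278](info): AS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 172.16.113.90: PREAUTH_FAILED: username7@STAGING.DOMAIN.COM for krbtgt/STAGING.DOMAIN.COM@STAGING.DOMAIN.COM, Preauthentication failed
Nov 05 16:08:09 ldap.staging.domain.com krb5kdc[278](info): AS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 172.16.113.90: PREAUTH_FAILED: username7@STAGING.DOMAIN.COM for krbtgt/STAGING.DOMAIN.COM@STAGING.DOMAIN.COM, Preauthentication failed
Nov 05 16:08:20 ldap.staging.domain.com krb5kdc[278](info): AS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 172.16.113.90: PREAUTH_FAILED: username7@STAGING.DOMAIN.COM for krbtgt/STAGING.DOMAIN.COM@STAGING.DOMAIN.COM, Preauthentication failed
Nov 05 16:09:40 ldap.staging.domain.com krb5kdc[278](info): AS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 172.16.113.80: ISSUE: authtime 1730822980, etypes {rep=18 tkt=18 ses=18}, username4@STAGING.DOMAIN.COM for krbtgt/STAGING.DOMAIN.COM@STAGING.DOMAIN.COM
"""

LOG_YEAR = 2024  # assumed: syslog-style stamps carry no year

AS_REQ_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ krb5kdc\[\d+\]\(\w+\): "
    r"AS_REQ \(\d+ etypes \{(?P<etypes>[^}]*)\}\) (?P<client>\S+): "
    r"(?P<status>[A-Z_]+): (?P<detail>.*)$"
)
PREAUTH_FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) .*preauth \((?P<mech>\w+)\) "
    r"verify failure: (?P<reason>.*)$"
)
PRINCIPAL_RE = re.compile(r"(?P<principal>\S+@\S+) for krbtgt/")


def parse_ts(stamp, year=LOG_YEAR):
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def parse_kdc_log(text):
    """Return event dicts for AS_REQ lines and preauth verify-failure lines; skip the rest."""
    events = []
    for line in text.splitlines():
        m = AS_REQ_RE.match(line)
        if m:
            p = PRINCIPAL_RE.search(m["detail"])
            etypes = [e.strip() for e in m["etypes"].split(",") if e.strip()]
            events.append({
                "ts": parse_ts(m["ts"]), "kind": "as_req",
                "client": m["client"], "status": m["status"],
                "principal": p["principal"] if p else None,
                # The KDC itself labels weak enctypes the client offered.
                "weak_etypes": [e for e in etypes
                                if e.startswith(("DEPRECATED:", "UNSUPPORTED:"))],
            })
            continue
        m = PREAUTH_FAIL_RE.match(line)
        if m:
            events.append({"ts": parse_ts(m["ts"]), "kind": "preauth_fail",
                           "mech": m["mech"], "reason": m["reason"]})
    return events


def summarize_by_principal(events):
    """Per principal: AS_REQ status counts, source addresses, weak enctypes offered."""
    out = defaultdict(lambda: {"statuses": Counter(), "clients": set(), "weak_etypes": set()})
    for ev in events:
        if ev["kind"] == "as_req" and ev["principal"]:
            s = out[ev["principal"]]
            s["statuses"][ev["status"]] += 1
            s["clients"].add(ev["client"])
            s["weak_etypes"].update(ev["weak_etypes"])
    return dict(out)


def preauth_failure_bursts(events, window=timedelta(seconds=60), threshold=3):
    """Clients with >= threshold PREAUTH_FAILED answers inside a sliding window.

    One failure followed by success is a mistyped code; a burst from one
    address (a stuck retrying client, or something less benign) deserves a look.
    """
    per_client = defaultdict(list)
    for ev in events:
        if ev["kind"] == "as_req" and ev["status"] == "PREAUTH_FAILED":
            per_client[ev["client"]].append(ev["ts"])
    bursts = {}
    for client, stamps in per_client.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts[client] = max(bursts.get(client, 0), end - start + 1)
    return bursts


def otp_failure_reasons(events):
    """Count the reasons the KDC gave for OTP preauth verify failures."""
    return Counter(ev["reason"] for ev in events
                   if ev["kind"] == "preauth_fail" and ev["mech"] == "otp")


if __name__ == "__main__":
    evs = parse_kdc_log(SAMPLE_KDC_LOG)
    for principal, s in summarize_by_principal(evs).items():
        print(principal, dict(s["statuses"]), sorted(s["clients"]), sorted(s["weak_etypes"]))
    print("otp verify failures:", dict(otp_failure_reasons(evs)))
    print("PREAUTH_FAILED bursts:", preauth_failure_bursts(evs))
```

To run it on the real file, pass the contents of /data/var/log/krb5kdc.log to `parse_kdc_log` instead of the sample. When correlating with the client-side logs, note that the KDC stamps in the post read 16:07:12 while the krb5_child stamps read 17:07:12, so normalise both to one timezone first; OTP verification also requires the KDC and the token to agree on the time, so the KDC's clock is worth checking alongside the logs.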