Good evening,

On 22/01/2025 at 17:45, Florence Blanc-Renaud via FreeIPA-users wrote:
> Hi,
> CA-less => did you install the server with a PKINIT certificate (with
> --pkinit-cert-file) or with --no-pkinit?

All the servers were installed with --no-pkinit (I have 4 replicas and
only have the problem on the master)

> You can also check if gssproxy service is up and running and follow
> the troubleshooting steps from
> https://www.freeipa.org/page/Troubleshooting/PrivilegeSeparation

gssproxy is active (running)

I did set up the debug_level for gssproxy, and here is what I get when I
run the ipa ping
Jan 22 18:21:51 ipa4 gssproxy: [2025/01/22 17:21:51]: Client connected
(fd = 10)[2025/01/22 17:21:51]: (pid = 12908) (uid = 0) (gid =
0)[2025/01/22 17:21:51]: (context =
system_u:system_r:kernel_t:s0)[2025/01/22 17:21:51]:
Jan 22 18:23:56 ipa4 gssproxy: [2025/01/22 17:23:56]: Client connected
(fd = 11)[2025/01/22 17:23:56]: (pid = 1267) (uid = 48) (gid =
48)[2025/01/22 17:23:56]: (context =
system_u:system_r:httpd_t:s0)[2025/01/22 17:23:56]:
Jan 22 18:23:56 ipa4 gssproxy: [CID 11][2025/01/22 17:23:56]:
gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "ipa-httpd",
euid: 48,socket: (null)
Jan 22 18:23:56 ipa4 gssproxy: GSSX_ARG_ACQUIRE_CRED( call_ctx: { "" [
] } input_cred_handle: <Null> add_cred: 0 desired_name: <Null> time_req:
4294967295 desired_mechs: { { 1 2 840 113554 1 2 2 } } cred_usage: BOTH
initiator_time_req: 0 acceptor_time_req: 0 )
Jan 22 18:23:56 ipa4 gssproxy: GSSX_RES_ACQUIRE_CRED( status: { 851968 {
1 2 840 113554 1 2 2 } 2529638936 "Unspecified GSS failure. Minor code
may provide more information" "Preauthentication failed" [ ] }
output_cred_handle: <Null> )
Jan 22 18:23:56 ipa4 gssproxy: [CID 11][2025/01/22 17:23:56]:
gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "ipa-httpd",
euid: 48,socket: (null)
Jan 22 18:23:56 ipa4 gssproxy: GSSX_ARG_ACQUIRE_CRED( call_ctx: { "" [
] } input_cred_handle: <Null> add_cred: 0 desired_name: <Null> time_req:
4294967295 desired_mechs: { { 1 2 840 113554 1 2 2 } } cred_usage: BOTH
initiator_time_req: 0 acceptor_time_req: 0 )
Jan 22 18:23:56 ipa4 gssproxy: GSSX_RES_ACQUIRE_CRED( status: { 851968 {
1 2 840 113554 1 2 2 } 2529638936 "Unspecified GSS failure. Minor code
may provide more information" "Preauthentication failed" [ ] }
output_cred_handle: <Null> )
I ran getcert list, I have 1 certificate, its status is monitoring and
will expire in December

> flo

Thank you for your help
Regards,
Frederic
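
Added example, not part of the original message and not gssproxy or FreeIPA code: a small Python decoder for the status record in the GSSX_RES_ACQUIRE_CRED lines above. It shows that 851968 is GSS_S_FAILURE, that the OID is the Kerberos 5 mechanism, and that 2529638936 is KDC protocol error 24 (KDC_ERR_PREAUTH_FAILED in RFC 4120). The function name, the lookup tables and the SAMPLE string are constructed for illustration.

```python
import re

# Constructed sample: the GSSX_RES_ACQUIRE_CRED record from the log above,
# with the mail client's hard line wrapping left in place.
SAMPLE = '''Jan 22 18:23:56 ipa4 gssproxy: GSSX_RES_ACQUIRE_CRED( status: { 851968 {
1 2 840 113554 1 2 2 } 2529638936 "Unspecified GSS failure. Minor code
may provide more information" "Preauthentication failed" [ ] }
output_cred_handle: <Null> )'''

# GSS-API routine errors (RFC 2744) live in bits 16-23 of the major status.
ROUTINE_ERRORS = {7: "GSS_S_NO_CRED", 11: "GSS_S_CREDENTIALS_EXPIRED",
                  13: "GSS_S_FAILURE"}
KNOWN_MECHS = {"1.2.840.113554.1.2.2": "krb5"}
# Base of MIT krb5's error table; base + N is KDC protocol error N for N < 128.
KRB5_TABLE_BASE = -1765328384

STATUS_RE = re.compile(
    r'GSSX_RES_(\w+)\( status: \{ (\d+) \{ ([\d ]+?) \} (\d+) '
    r'"([^"]*)" "([^"]*)"')

def decode_status(log_text):
    """Return one dict per GSSX_RES_* status record found in log_text."""
    flat = " ".join(log_text.split())          # undo hard line wrapping
    records = []
    for call, major, oid, minor, major_msg, minor_msg in STATUS_RE.findall(flat):
        major, minor = int(major), int(minor)
        if minor >= 2**31:                     # logged unsigned, defined signed
            minor -= 2**32
        dotted = ".".join(oid.split())
        kdc_code = minor - KRB5_TABLE_BASE
        records.append({
            "call": call,
            "routine_error": ROUTINE_ERRORS.get((major >> 16) & 0xFF, "other"),
            "mech": KNOWN_MECHS.get(dotted, dotted),
            "minor": minor,
            "kdc_error": kdc_code if 0 <= kdc_code < 128 else None,
            "major_msg": major_msg,
            "minor_msg": minor_msg,
        })
    return records

if __name__ == "__main__":
    for rec in decode_status(SAMPLE):
        print(rec)
```

Error 24 is the KDC rejecting the pre-authentication data, so the decoded record points at the key the ipa-httpd service presents to the KDC rather than at gssproxy itself.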