Hi,

The Kerberos pre-authentication is failing for HTTP/$HOSTNAME. Can you run
# klist -kte /var/lib/ipa/gssproxy/http.keytab

Note the exact principal name, then try
# KRB5_TRACE=/dev/stderr kinit -kt /var/lib/ipa/gssproxy/http.keytab $PRINCIPAL
and check the logs in /var/log/krb5kdc.log

flo

On Wed, Jan 22, 2025 at 6:40 PM Frederic Ayrault via FreeIPA-users <[email protected]> wrote:

> Good evening,
>
> On 22/01/2025 at 17:45, Florence Blanc-Renaud via FreeIPA-users wrote:
>
> > Hi,
> >
> > CA-less => did you install the server with a PKINIT certificate (with
> > --pkinit-cert-file) or with --no-pkinit?
>
> All the servers were installed with --no-pkinit (I have 4 replicas and
> only have the problem on the master)
>
> > You can also check if gssproxy service is up and running and follow the
> > troubleshooting steps from
> > https://www.freeipa.org/page/Troubleshooting/PrivilegeSeparation
>
> gssproxy is active (running)
>
> I did set up the debug_level for gssproxy, and here is what I get when I
> run the ipa ping
>
> Jan 22 18:21:51 ipa4 gssproxy: [2025/01/22 17:21:51]: Client connected (fd = 10)[2025/01/22 17:21:51]: (pid = 12908) (uid = 0) (gid = 0)[2025/01/22 17:21:51]: (context = system_u:system_r:kernel_t:s0)[2025/01/22 17:21:51]:
> Jan 22 18:23:56 ipa4 gssproxy: [2025/01/22 17:23:56]: Client connected (fd = 11)[2025/01/22 17:23:56]: (pid = 1267) (uid = 48) (gid = 48)[2025/01/22 17:23:56]: (context = system_u:system_r:httpd_t:s0)[2025/01/22 17:23:56]:
> Jan 22 18:23:56 ipa4 gssproxy: [CID 11][2025/01/22 17:23:56]: gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "ipa-httpd", euid: 48,socket: (null)
> Jan 22 18:23:56 ipa4 gssproxy: GSSX_ARG_ACQUIRE_CRED( call_ctx: { "" [ ] } input_cred_handle: <Null> add_cred: 0 desired_name: <Null> time_req: 4294967295 desired_mechs: { { 1 2 840 113554 1 2 2 } } cred_usage: BOTH initiator_time_req: 0 acceptor_time_req: 0 )
> Jan 22 18:23:56 ipa4 gssproxy: GSSX_RES_ACQUIRE_CRED( status: { 851968 { 1 2 840 113554 1 2 2 } 2529638936 "Unspecified GSS failure. Minor code may provide more information" "Preauthentication failed" [ ] } output_cred_handle: <Null> )
> Jan 22 18:23:56 ipa4 gssproxy: [CID 11][2025/01/22 17:23:56]: gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "ipa-httpd", euid: 48,socket: (null)
> Jan 22 18:23:56 ipa4 gssproxy: GSSX_ARG_ACQUIRE_CRED( call_ctx: { "" [ ] } input_cred_handle: <Null> add_cred: 0 desired_name: <Null> time_req: 4294967295 desired_mechs: { { 1 2 840 113554 1 2 2 } } cred_usage: BOTH initiator_time_req: 0 acceptor_time_req: 0 )
> Jan 22 18:23:56 ipa4 gssproxy: GSSX_RES_ACQUIRE_CRED( status: { 851968 { 1 2 840 113554 1 2 2 } 2529638936 "Unspecified GSS failure. Minor code may provide more information" "Preauthentication failed" [ ] } output_cred_handle: <Null> )
>
> I run getcert list, I have 1 certificate, its status is monitoring and
> will expire in December
>
> > flo
>
> Thank you for your help
>
> Regards,
>
> Frederic
>
> --
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
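
Added example, not part of the original thread and not gssproxy or FreeIPA code: a small decoder for the GSSX_RES_* status lines quoted above, showing that major 851968 is GSS_S_FAILURE and minor 2529638936 is the krb5 error KDC_ERR_PREAUTH_FAILED. The function names are hypothetical, the error tables are deliberately partial, and pairing each result with the preceding gp_rpc_execute line is an assumption based on the log order shown in the thread.

```python
import re
from collections import Counter

KRB5_BASE = -1765328384  # ERROR_TABLE_BASE_krb5 in MIT krb5's error table
ROUTINE = {7: "GSS_S_NO_CRED", 11: "GSS_S_CREDENTIALS_EXPIRED", 13: "GSS_S_FAILURE"}
KRB5 = {6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 14: "KDC_ERR_ETYPE_NOSUPP",
        18: "KDC_ERR_CLIENT_REVOKED", 23: "KDC_ERR_KEY_EXPIRED",
        24: "KDC_ERR_PREAUTH_FAILED", 37: "KRB_AP_ERR_SKEW"}
RES = re.compile(r'(GSSX_RES_\w+)\( status: \{ (\d+) \{ ([\d ]+?) \} (\d+) "[^"]*" "([^"]*)"')
EXEC = re.compile(r'gp_rpc_execute: executing \d+ \(\w+\) for service "([^"]*)", euid: (\d+)')

# Two lines taken from the log quoted in the thread (the ARG line is omitted).
SAMPLE = [
    'Jan 22 18:23:56 ipa4 gssproxy: [CID 11][2025/01/22 17:23:56]: gp_rpc_execute: '
    'executing 6 (GSSX_ACQUIRE_CRED) for service "ipa-httpd", euid: 48,socket: (null)',
    'Jan 22 18:23:56 ipa4 gssproxy: GSSX_RES_ACQUIRE_CRED( status: { 851968 '
    '{ 1 2 840 113554 1 2 2 } 2529638936 "Unspecified GSS failure. Minor code may '
    'provide more information" "Preauthentication failed" [ ] } output_cred_handle: <Null> )',
]

def decode(line):
    """Decode one GSSX_RES_* status line; returns None for any other line."""
    m = RES.search(line)
    if not m:
        return None
    call, major, oid, minor, text = m.groups()
    major, minor = int(major), int(minor)
    routine = (major >> 16) & 0xFF  # RFC 2744: routine error lives in bits 16-23
    signed = minor - (1 << 32) if minor >= (1 << 31) else minor  # logged unsigned
    return {"call": call, "major": major, "mech": oid.replace(" ", "."),
            "routine_error": ROUTINE.get(routine, f"routine error {routine}"),
            "krb5_error": KRB5.get(signed - KRB5_BASE, f"minor {signed}"),
            "text": text}

def summarize(lines):
    """Count failures per (service, euid, krb5 error); successes (major 0) are skipped."""
    counts, last = Counter(), ("?", -1)
    for line in lines:
        e = EXEC.search(line)
        if e:
            last = (e.group(1), int(e.group(2)))
        d = decode(line)
        if d and d["major"]:
            counts[(*last, d["krb5_error"])] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).items():
        print(n, key)
```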
