Hi,

The kerberos pre-authentication is failing for HTTP/$HOSTNAME.
Can you run
# klist -kte /var/lib/ipa/gssproxy/http.keytab
Note the exact principal name, then try
# KRB5_TRACE=/dev/stderr kinit -kt /var/lib/ipa/gssproxy/http.keytab $PRINCIPAL
and check the logs in /var/log/krb5kdc.log

flo
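As an added example that is not part of the thread, a small POSIX shell script that automates the checks listed above: it parses `klist -kte` output to pick the HTTP/ principal with the highest KVNO, then runs the traced kinit against that principal. The keytab path is the one named in the thread; the hostname and realm in the embedded sample output are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA itself.
# Parses `klist -kte` output, selects the HTTP/ principal with the highest
# key version, and runs the KRB5_TRACE'd kinit from the reply against it.

# Print "KVNO PRINCIPAL" for the HTTP/ entry with the highest key version.
# Reads `klist -kte` output on stdin; returns 1 if no HTTP/ entry exists.
select_http_principal() {
    awk 'BEGIN { best = -1 }
         $1 ~ /^[0-9]+$/ && $4 ~ /^HTTP\// {
             if ($1 + 0 > best) { best = $1 + 0; princ = $4 }
         }
         END { if (princ != "") { print best, princ; exit 0 } exit 1 }'
}

# Run the checks from the reply: list the keytab, pick the principal, and
# kinit with KRB5_TRACE so the pre-authentication exchange is visible.
check_http_keytab() {
    keytab=${1:-/var/lib/ipa/gssproxy/http.keytab}
    entry=$(klist -kte "$keytab" | select_http_principal) || {
        echo "no HTTP/ principal found in $keytab" >&2
        return 1
    }
    kvno=${entry%% *}
    princ=${entry#* }
    echo "keytab $keytab: $princ (kvno $kvno)"
    KRB5_TRACE=/dev/stderr kinit -kt "$keytab" "$princ" || {
        echo "kinit failed for $princ (keytab kvno $kvno);" >&2
        echo "check /var/log/krb5kdc.log on the KDC for the matching request" >&2
        return 1
    }
    klist
}

# Constructed sample of `klist -kte` output (hostname and realm invented),
# used for an offline self-check of the parser.
SAMPLE_KLIST='Keytab name: FILE:/var/lib/ipa/gssproxy/http.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/15/2025 10:11:12 HTTP/ipa4.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   3 01/20/2025 09:00:00 HTTP/ipa4.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   3 01/20/2025 09:00:00 HTTP/ipa4.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)'
```

Run `check_http_keytab` as root on the affected server; a keytab KVNO that differs from what the KDC holds for the principal is one common reason for "Preauthentication failed" on a service keytab.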

On Wed, Jan 22, 2025 at 6:40 PM Frederic Ayrault via FreeIPA-users <
[email protected]> wrote:

> Good evening,
>
> On 22/01/2025 at 17:45, Florence Blanc-Renaud via FreeIPA-users wrote:
>
> Hi,
>
> CA-less => did you install the server with a PKINIT certificate (with
> --pkinit-cert-file) or with --no-pkinit?
>
>
> All the servers were installed with --no-pkinit (I have 4 replicas and
> only have the problem on the master)
>
>
>
> You can also check if gssproxy service is up and running and follow the
> troubleshooting steps from
> https://www.freeipa.org/page/Troubleshooting/PrivilegeSeparation
>
>
> gssproxy is active (running)
>
> I did set up the debug_level for gssproxy, and here is what I get when I
> run the ipa ping
>
> Jan 22 18:21:51 ipa4 gssproxy: [2025/01/22 17:21:51]: Client connected (fd
> = 10)[2025/01/22 17:21:51]:  (pid = 12908) (uid = 0) (gid = 0)[2025/01/22
> 17:21:51]:  (context = system_u:system_r:kernel_t:s0)[2025/01/22 17:21:51]:
> Jan 22 18:23:56 ipa4 gssproxy: [2025/01/22 17:23:56]: Client connected (fd
> = 11)[2025/01/22 17:23:56]:  (pid = 1267) (uid = 48) (gid = 48)[2025/01/22
> 17:23:56]:  (context = system_u:system_r:httpd_t:s0)[2025/01/22 17:23:56]:
> Jan 22 18:23:56 ipa4 gssproxy: [CID 11][2025/01/22 17:23:56]:
> gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "ipa-httpd",
> euid: 48,socket: (null)
> Jan 22 18:23:56 ipa4 gssproxy: GSSX_ARG_ACQUIRE_CRED( call_ctx: { "" [  ]
> } input_cred_handle: <Null> add_cred: 0 desired_name: <Null> time_req:
> 4294967295 desired_mechs: { { 1 2 840 113554 1 2 2 } } cred_usage: BOTH
> initiator_time_req: 0 acceptor_time_req: 0 )
> Jan 22 18:23:56 ipa4 gssproxy: GSSX_RES_ACQUIRE_CRED( status: { 851968 { 1
> 2 840 113554 1 2 2 } 2529638936 "Unspecified GSS failure.  Minor code may
> provide more information" "Preauthentication failed" [  ] }
> output_cred_handle: <Null> )
> Jan 22 18:23:56 ipa4 gssproxy: [CID 11][2025/01/22 17:23:56]:
> gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "ipa-httpd",
> euid: 48,socket: (null)
> Jan 22 18:23:56 ipa4 gssproxy: GSSX_ARG_ACQUIRE_CRED( call_ctx: { "" [  ]
> } input_cred_handle: <Null> add_cred: 0 desired_name: <Null> time_req:
> 4294967295 desired_mechs: { { 1 2 840 113554 1 2 2 } } cred_usage: BOTH
> initiator_time_req: 0 acceptor_time_req: 0 )
> Jan 22 18:23:56 ipa4 gssproxy: GSSX_RES_ACQUIRE_CRED( status: { 851968 { 1
> 2 840 113554 1 2 2 } 2529638936 "Unspecified GSS failure.  Minor code may
> provide more information" "Preauthentication failed" [  ] }
> output_cred_handle: <Null> )
>
> I ran getcert list; I have 1 certificate, its status is monitoring and it
> will expire in December
>
>
> flo
>
>
> Thank you for your help
>
> Regards,
>
> Frederic
>
> --
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>