Hello,
On 30/01/2025 at 10:30, Florence Blanc-Renaud wrote:
Hi,
The kerberos pre-authentication is failing for HTTP/$HOSTNAME.
Can you run
# klist -kte /var/lib/ipa/gssproxy/http.keytab
Entries are duplicated and KVNO is not 1 like on the replicas; kvno HTTP/[email protected] returns HTTP/[email protected]: kvno = 1 (I found this command on Google but I do not know what I am doing).
Keytab name: FILE:/var/lib/ipa/gssproxy/http.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 28/09/2023 17:13:53 HTTP/[email protected] (aes256-cts-hmac-sha1-96)
   2 28/09/2023 17:13:53 HTTP/[email protected] (aes128-cts-hmac-sha1-96)
   2 28/09/2023 17:13:53 HTTP/[email protected] (des3-cbc-sha1)
   2 28/09/2023 17:13:53 HTTP/[email protected] (arcfour-hmac)
   2 28/09/2023 15:45:17 HTTP/[email protected] (aes256-cts-hmac-sha1-96)
   2 28/09/2023 15:45:17 HTTP/[email protected] (aes128-cts-hmac-sha1-96)
   2 28/09/2023 15:45:17 HTTP/[email protected] (des3-cbc-sha1)
   2 28/09/2023 15:45:17 HTTP/[email protected] (arcfour-hmac)
Note the exact principal name, then try
# KRB5_TRACE=/dev/stderr kinit -kt /var/lib/ipa/gssproxy/http.keytab
$PRINCIPAL
Here is what I get from the console:
[6402] 1738229690.634028: Resolving unique ccache of type KEYRING
[6402] 1738229690.634029: Getting initial credentials for HTTP/[email protected]
[6402] 1738229690.634030: Looked up etypes in keytab: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac
[6402] 1738229690.634032: Sending unauthenticated request
[6402] 1738229690.634033: Sending request (215 bytes) to LIX.POLYTECHNIQUE.FR
[6402] 1738229690.634034: Initiating TCP connection to stream 193.55.176.152:88
[6402] 1738229690.634035: Sending TCP request to stream 193.55.176.152:88
[6402] 1738229690.634036: Received answer (352 bytes) from stream 193.55.176.152:88
[6402] 1738229690.634037: Terminating TCP connection to stream 193.55.176.152:88
[6402] 1738229690.634038: Response was from master KDC
[6402] 1738229690.634039: Received error from KDC: -1765328359/Additional pre-authentication required
[6402] 1738229690.634042: Preauthenticating using KDC method data
[6402] 1738229690.634043: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-PK-AS-REQ_OLD (14), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-ENC-TIMESTAMP (2), PA-FX-COOKIE (133)
[6402] 1738229690.634044: Selected etype info: etype aes256-cts, salt "B(H"|0MI*@=l?gT\", params ""
[6402] 1738229690.634045: Received cookie: MIT
[6402] 1738229690.634046: PKINIT client has no configured identity; giving up
[6402] 1738229690.634047: Preauth module pkinit (147) (info) returned: 0/Success
[6402] 1738229690.634048: PKINIT client has no configured identity; giving up
[6402] 1738229690.634049: Preauth module pkinit (16) (real) returned: 22/Invalid argument
[6402] 1738229690.634050: PKINIT client has no configured identity; giving up
[6402] 1738229690.634051: Preauth module pkinit (14) (real) returned: 22/Invalid argument
[6402] 1738229690.634052: Retrieving HTTP/[email protected] from FILE:/var/lib/ipa/gssproxy/http.keytab (vno 0, enctype aes256-cts) with result: 0/Success
[6402] 1738229690.634053: AS key obtained for encrypted timestamp: aes256-cts/CF42
[6402] 1738229690.634055: Encrypted timestamp (for 1738229690.640142): plain 301AA011180F32303235303133303039333435305AA105020309C48E, encrypted DFDBA80FB60F3347BA2554153959E46BCE008762BD0AFE647CA0E78028212C7D67C209AABCBABF1FE80CB70394BA12B3440F97FA2DD4938A
[6402] 1738229690.634056: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[6402] 1738229690.634057: Produced preauth for next request: PA-FX-COOKIE (133), PA-ENC-TIMESTAMP (2)
[6402] 1738229690.634058: Sending request (310 bytes) to LIX.POLYTECHNIQUE.FR
[6402] 1738229690.634059: Initiating TCP connection to stream 193.55.176.152:88
[6402] 1738229690.634060: Sending TCP request to stream 193.55.176.152:88
[6402] 1738229690.634061: Received answer (352 bytes) from stream 193.55.176.152:88
[6402] 1738229690.634062: Terminating TCP connection to stream 193.55.176.152:88
[6402] 1738229690.634063: Response was from master KDC
[6402] 1738229690.634064: Received error from KDC: -1765328360/Preauthentication failed
[6402] 1738229690.634067: Preauthenticating using KDC method data
[6402] 1738229690.634068: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-PK-AS-REQ_OLD (14), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-ENC-TIMESTAMP (2), PA-FX-COOKIE (133)
[6402] 1738229690.634069: Selected etype info: etype aes256-cts, salt "B(H"|0MI*@=l?gT\", params ""
[6402] 1738229690.634070: Received cookie: MIT
[6402] 1738229690.634071: Preauth module pkinit (147) (info) returned: 0/Success
[6402] 1738229690.634072: PKINIT client has no configured identity; giving up
[6402] 1738229690.634073: Preauth module pkinit (14) (real) returned: 22/Invalid argument
kinit: Preauthentication failed while getting initial credentials
and check the logs in /var/log/krb5kdc.log
And in the log:
Jan 30 10:34:50 ipa4.lix.polytechnique.fr krb5kdc[30130](info): AS_REQ (8 etypes {18 17 16 23 20 19 25 26}) 193.55.176.152: NEEDED_PREAUTH: HTTP/[email protected] for krbtgt/[email protected], Additional pre-authentication required
Jan 30 10:34:50 ipa4.lix.polytechnique.fr krb5kdc[30130](info): closing down fd 11
Jan 30 10:34:50 ipa4.lix.polytechnique.fr krb5kdc[30130](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Jan 30 10:34:50 ipa4.lix.polytechnique.fr krb5kdc[30130](info): AS_REQ (8 etypes {18 17 16 23 20 19 25 26}) 193.55.176.152: PREAUTH_FAILED: HTTP/[email protected] for krbtgt/[email protected], Preauthentication failed
Jan 30 10:34:50 ipa4.lix.polytechnique.fr krb5kdc[30130](info): closing down fd 11
Jan 30 10:36:06 ipa4.lix.polytechnique.fr krb5kdc[30130](info): closing down fd 11
flo
Thank you for your help
Regards
Frederic
On Wed, Jan 22, 2025 at 6:40 PM Frederic Ayrault via FreeIPA-users <[email protected]> wrote:
Good evening,
On 22/01/2025 at 17:45, Florence Blanc-Renaud via FreeIPA-users wrote:
Hi,
CA-less => did you install the server with a PKINIT certificate
(with --pkinit-cert-file) or with --no-pkinit?
All the servers were installed with --no-pkinit (I have 4 replicas and only have the problem on the master).
You can also check if gssproxy service is up and running and follow the troubleshooting steps from https://www.freeipa.org/page/Troubleshooting/PrivilegeSeparation
gssproxy is active (running)
I did set up the debug_level for gssproxy, and here is what I get when I run ipa ping:
Jan 22 18:21:51 ipa4 gssproxy: [2025/01/22 17:21:51]: Client connected (fd = 10)[2025/01/22 17:21:51]: (pid = 12908) (uid = 0) (gid = 0)[2025/01/22 17:21:51]: (context = system_u:system_r:kernel_t:s0)[2025/01/22 17:21:51]:
Jan 22 18:23:56 ipa4 gssproxy: [2025/01/22 17:23:56]: Client connected (fd = 11)[2025/01/22 17:23:56]: (pid = 1267) (uid = 48) (gid = 48)[2025/01/22 17:23:56]: (context = system_u:system_r:httpd_t:s0)[2025/01/22 17:23:56]:
Jan 22 18:23:56 ipa4 gssproxy: [CID 11][2025/01/22 17:23:56]: gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "ipa-httpd", euid: 48,socket: (null)
Jan 22 18:23:56 ipa4 gssproxy: GSSX_ARG_ACQUIRE_CRED( call_ctx: { "" [ ] } input_cred_handle: <Null> add_cred: 0 desired_name: <Null> time_req: 4294967295 desired_mechs: { { 1 2 840 113554 1 2 2 } } cred_usage: BOTH initiator_time_req: 0 acceptor_time_req: 0 )
Jan 22 18:23:56 ipa4 gssproxy: GSSX_RES_ACQUIRE_CRED( status: { 851968 { 1 2 840 113554 1 2 2 } 2529638936 "Unspecified GSS failure. Minor code may provide more information" "Preauthentication failed" [ ] } output_cred_handle: <Null> )
Jan 22 18:23:56 ipa4 gssproxy: [CID 11][2025/01/22 17:23:56]: gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "ipa-httpd", euid: 48,socket: (null)
Jan 22 18:23:56 ipa4 gssproxy: GSSX_ARG_ACQUIRE_CRED( call_ctx: { "" [ ] } input_cred_handle: <Null> add_cred: 0 desired_name: <Null> time_req: 4294967295 desired_mechs: { { 1 2 840 113554 1 2 2 } } cred_usage: BOTH initiator_time_req: 0 acceptor_time_req: 0 )
Jan 22 18:23:56 ipa4 gssproxy: GSSX_RES_ACQUIRE_CRED( status: { 851968 { 1 2 840 113554 1 2 2 } 2529638936 "Unspecified GSS failure. Minor code may provide more information" "Preauthentication failed" [ ] } output_cred_handle: <Null> )
I ran getcert list; I have 1 certificate, its status is monitoring and it will expire in December.
flo
Thank you for your help
Regards,
Frederic
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
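As an added example (this is not code from the thread, from Florence's suggestions, or from the FreeIPA project), here is a small Python checker for the two symptoms the klist -kte output above shows: the same principal/enctype stored twice under one KVNO, and a keytab KVNO (2) that disagrees with the KVNO the KDC reports through kvno (1). It also scans the KRB5_TRACE output for the key kinit pulled from the keytab and the KDC's final verdict. The principal name, realm and all three sample outputs are constructed placeholders shaped like the thread's (the archived message has the real principal redacted); -1765328360 is the MIT krb5 code KRB5KDC_ERR_PREAUTH_FAILED, as seen in the trace.

```python
"""Cross-check a Kerberos keytab against the KDC's view of the key version.

Added example; not code from the FreeIPA-users thread or from FreeIPA itself.
It only parses text that `klist -kte`, `kvno` and KRB5_TRACE print.
"""
import re
from collections import defaultdict

# Constructed sample data. The principal and realm are placeholders (assumption);
# the shape mirrors the output quoted in the thread.
PRINC = "HTTP/ipa4.example.test@EXAMPLE.TEST"

SAMPLE_KLIST = f"""\
Keytab name: FILE:/var/lib/ipa/gssproxy/http.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 28/09/2023 17:13:53 {PRINC} (aes256-cts-hmac-sha1-96)
   2 28/09/2023 17:13:53 {PRINC} (aes128-cts-hmac-sha1-96)
   2 28/09/2023 17:13:53 {PRINC} (des3-cbc-sha1)
   2 28/09/2023 17:13:53 {PRINC} (arcfour-hmac)
   2 28/09/2023 15:45:17 {PRINC} (aes256-cts-hmac-sha1-96)
   2 28/09/2023 15:45:17 {PRINC} (aes128-cts-hmac-sha1-96)
   2 28/09/2023 15:45:17 {PRINC} (des3-cbc-sha1)
   2 28/09/2023 15:45:17 {PRINC} (arcfour-hmac)
"""

SAMPLE_KVNO = f"{PRINC}: kvno = 1\n"

SAMPLE_TRACE = f"""\
[6402] 1738229690.634052: Retrieving {PRINC} from FILE:/var/lib/ipa/gssproxy/http.keytab (vno 0, enctype aes256-cts) with result: 0/Success
[6402] 1738229690.634053: AS key obtained for encrypted timestamp: aes256-cts/CF42
[6402] 1738229690.634064: Received error from KDC: -1765328360/Preauthentication failed
"""

KRB5KDC_ERR_PREAUTH_FAILED = -1765328360

KLIST_ROW = re.compile(r"^\s*(\d+)\s+(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)\s+(\S+)\s+\((\S+)\)\s*$")
KVNO_ROW = re.compile(r"^(\S+): kvno = (\d+)\s*$")
TRACE_RETRIEVE = re.compile(r"Retrieving (\S+) from (\S+) \(vno (\d+), enctype (\S+)\)")
TRACE_KDC_ERR = re.compile(r"Received error from KDC: (-?\d+)/(.*)$")


def parse_klist(text):
    """(kvno, timestamp, principal, enctype) for every entry line of `klist -kte`."""
    out = []
    for line in text.splitlines():
        m = KLIST_ROW.match(line)
        if m:
            out.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return out


def parse_kvno(text):
    """{principal: kvno} from the output of `kvno PRINCIPAL ...`."""
    return {m.group(1): int(m.group(2))
            for m in (KVNO_ROW.match(ln) for ln in text.splitlines()) if m}


def find_duplicates(entries):
    """Keys stored more than once: {(principal, enctype, kvno): [timestamps]}."""
    seen = defaultdict(list)
    for kvno, ts, princ, etype in entries:
        seen[(princ, etype, kvno)].append(ts)
    return {k: v for k, v in seen.items() if len(v) > 1}


def kvno_mismatches(entries, kdc_kvnos):
    """Principals whose keytab KVNO set differs from the KDC's: {princ: (keytab_kvnos, kdc_kvno)}."""
    by_princ = defaultdict(set)
    for kvno, _ts, princ, _etype in entries:
        by_princ[princ].add(kvno)
    return {p: (sorted(v), kdc_kvnos[p]) for p, v in by_princ.items()
            if p in kdc_kvnos and v != {kdc_kvnos[p]}}


def summarize_trace(text):
    """Which keytab key kinit used for the encrypted timestamp, and the KDC's last error."""
    summary = {}
    for line in text.splitlines():
        m = TRACE_RETRIEVE.search(line)
        if m:
            summary.update(principal=m.group(1), keytab=m.group(2),
                           vno=int(m.group(3)), enctype=m.group(4))
        m = TRACE_KDC_ERR.search(line)
        if m:
            summary["kdc_error"] = (int(m.group(1)), m.group(2).strip())
    return summary


def diagnose(klist_text, kvno_text, trace_text):
    """Human-readable findings; an empty list means nothing looked wrong."""
    entries = parse_klist(klist_text)
    findings = []
    for (princ, etype, kvno), stamps in sorted(find_duplicates(entries).items()):
        findings.append(f"duplicate: {princ} {etype} kvno {kvno} stored "
                        f"{len(stamps)} times ({', '.join(stamps)})")
    for princ, (kt, kdc) in sorted(kvno_mismatches(entries, parse_kvno(kvno_text)).items()):
        findings.append(f"kvno mismatch: keytab has {kt} for {princ}, KDC reports {kdc}")
    t = summarize_trace(trace_text)
    if t.get("kdc_error", (0,))[0] == KRB5KDC_ERR_PREAUTH_FAILED:
        # The KDC could not verify a timestamp kinit encrypted with a keytab key,
        # so that key is not the KDC's current key for the principal.
        findings.append(f"KDC rejected the encrypted timestamp made with the {t.get('enctype')} "
                        f"key from {t.get('keytab')} (vno {t.get('vno')}): keytab key != KDC key")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_KLIST, SAMPLE_KVNO, SAMPLE_TRACE):
        print(finding)
```

Feed real output to the three functions (for instance `klist -kte /var/lib/ipa/gssproxy/http.keytab`, `kvno HTTP/$HOSTNAME`, and the stderr of the KRB5_TRACE kinit) and compare the kvno reported by the KDC from each server; a PREAUTH_FAILED on a timestamp that kinit encrypted with a keytab key means the KDC could not decrypt it with the key it currently holds for that principal, whereas a clock problem would have produced a skew error instead.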