Hi,

On Wed, Feb 19, 2025 at 4:07 PM Boris <[email protected]> wrote:

> Hi flo,
>
> Certificate and CA look good. The certificate is signed by the correct CA and
> just got renewed (Not Before: Feb 15 09:43:26 2025 GMT).
>
> The permissions look different (the question mark):
>
> [root@ipa2 ~]# ls -lZ /var/kerberos/krb5kdc/kdc.crt
> -rw-r--r-- 1 root root ? 1671 15. Feb 10:43 /var/kerberos/krb5kdc/kdc.crt
> [root@ipa2 ~]# ls -lZ /var/lib/ipa-client/pki/kdc-ca-bundle.pem
> -rw-r--r-- 1 root root ? 1294 15. Mär 2023 /var/lib/ipa-client/pki/kdc-ca-bundle.pem
>
The question mark means that there is no SELinux context for those files. The
system probably has SELINUX=disabled in /etc/selinux/config.

Can you also check the following:

# kinit admin
# ipa pkinit-status

The above will show you which servers are enabled for PKINIT.

# ipa-pkinit-manage status

# kdestroy -A
# KRB5_TRACE=/dev/stdout kinit -n -c /tmp/ccache

In the logs for kinit -n, double-check that the request is sent to ipa2. If
that's not the case, you may have a wrong config
(/var/lib/sss/pubconf/kdcinfo.your_realm should contain the IP address from
ipa2).

flo

> In comparison to ipa1:
> [root@ipa1 ~]# ls -lZ /var/lib/ipa-client/pki/kdc-ca-bundle.pem
> -rw-r--r--. 1 root root system_u:object_r:realmd_var_lib_t:s0 1313 Feb 21 2022 /var/lib/ipa-client/pki/kdc-ca-bundle.pem
> [root@ipa1 ~]# ls -lZ /var/kerberos/krb5kdc/kdc.crt
> -rw-r--r--. 1 root root system_u:object_r:krb5kdc_conf_t:s0 1367 Nov 29 13:19 /var/kerberos/krb5kdc/kdc.crt
>
> krb5-pkinit is installed:
> krb5-pkinit-1.19.2-9.fc35.x86_64
>
>
> On Wed, Feb 19, 2025 at 15:46, Florence Blanc-Renaud <[email protected]> wrote:
>
>> Hi,
>>
>> On Wed, Feb 19, 2025 at 1:50 PM Boris via FreeIPA-users <[email protected]> wrote:
>>
>>> Hi list,
>>> as I am currently sorting out our FreeIPA problems, we stumbled across
>>> another problem.
>>> After the last reboot of our secondary IPA host, we can no longer log in
>>> to the webui on the 2nd host.
>>>
>>> The webui on the first host works.
>>>
>>> I've checked some logs but was only able to find meaningful entries in
>>> the httpd log, which is this:
>>>
>>> mod_wsgi (pid=1137): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
>>> Traceback (most recent call last):
>>>   File "/usr/lib/python3.10/site-packages/ipaserver/wsgi.py", line 71, in application
>>>     return api.Backend.wsgi_dispatch(environ, start_response)
>>>   File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 301, in __call__
>>>     return self.route(environ, start_response)
>>>   File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 313, in route
>>>     return app(environ, start_response)
>>>   File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 1066, in __call__
>>>     result = attempt_kinit(user_principal, password,
>>>   File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 996, in attempt_kinit
>>>     self.kinit(user_principal, password,
>>>   File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 1094, in kinit
>>>     kinit_armor(
>>>   File "/usr/lib/python3.10/site-packages/ipalib/install/kinit.py", line 129, in kinit_armor
>>>     run(args, env=env, raiseonerr=True, capture_error=True)
>>>   File "/usr/lib/python3.10/site-packages/ipapython/ipautil.py", line 599, in run
>>>     raise CalledProcessError(
>>> ipapython.ipautil.CalledProcessError: CalledProcessError(Command
>>> ['/usr/bin/kinit', '-n', '-c', '/run/ipa/ccaches/armor_1137', '-X',
>>> 'X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt', '-X',
>>> 'X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem'] returned
>>> non-zero exit status 1: 'kinit: Cannot read password while getting initial
>>> credentials\n')
>>>
>> What is the content of this kdc.crt certificate?
>> openssl x509 -noout -text -in /var/kerberos/krb5kdc/kdc.crt
>> The output will tell us if it's a self-signed PKINIT cert or signed by
>> IPA CA (look for the Issuer: value in the output).
>>
>> Does the kdc-ca-bundle.pem contain the CA that signed this certificate?
>> openssl crl2pkcs7 -nocrl -certfile /var/lib/ipa-client/pki/kdc-ca-bundle.pem | openssl pkcs7 -print_certs -text -noout
>>
>> On a working system I see the following permissions for the above files:
>> # ls -lZ /var/kerberos/krb5kdc/kdc.crt
>> -rw-r--r--. 1 root root system_u:object_r:krb5kdc_conf_t:s0 1866 Feb 19 14:02 /var/kerberos/krb5kdc/kdc.crt
>> # ls -lZ /var/lib/ipa-client/pki/kdc-ca-bundle.pem
>> -rw-r--r--. 1 root root unconfined_u:object_r:realmd_var_lib_t:s0 3266 Feb 19 14:05 /var/lib/ipa-client/pki/kdc-ca-bundle.pem
>>
>> Do you have the package krb5-pkinit installed on your machine?
>>
>> flo
>>
>>> Does someone know in which direction I need to debug further?
>>>
>>> Cheers
>>> Boris
>>> --
>>> The "UTF-8 problems" self-help group is meeting this time, as an exception, in the large hall.
>>> --
>>> _______________________________________________
>>> FreeIPA-users mailing list -- [email protected]
>>> To unsubscribe send an email to [email protected]
>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
>>> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
>>>
>>
>
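The checks from this thread, collected into one diagnostic script as an added example (it is not code from the thread or from the FreeIPA project): it parses ls -lZ output for a missing SELinux context, verifies kdc.crt against kdc-ca-bundle.pem with openssl verify instead of reading the Issuer line by hand, and looks for the expected server in the SSSD kdcinfo file and in the KRB5_TRACE output of kinit -n. REALM, KDC_HOST and the ok/WARN/FAIL reporting are assumptions; the file paths are the ones from the thread.

```shell
#!/bin/sh
# Added diagnostic, not from the thread: runs the checks discussed above on an
# IPA server. Paths are the thread's; REALM and KDC_HOST are placeholders.
KDC_CERT=/var/kerberos/krb5kdc/kdc.crt
CA_BUNDLE=/var/lib/ipa-client/pki/kdc-ca-bundle.pem
REALM=${REALM:-EXAMPLE.TEST}    # placeholder Kerberos realm
KDC_HOST=${KDC_HOST:-ipa2}      # hostname or IP the PKINIT request should reach

# One line of `ls -lZ` output in $1: succeed when the context column (field 5)
# holds a real SELinux label, fail when it is '?' (no label at all).
has_selinux_label() {
    ctx=$(printf '%s\n' "$1" | awk '{print $5}')
    [ -n "$ctx" ] && [ "$ctx" != "?" ]
}

# Succeed when the KDC cert ($1) chains to a CA in the bundle ($2); this is the
# Issuer check from the thread done by openssl instead of by eye.
cert_chains_to_bundle() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Anonymous PKINIT kinit with KRB5_TRACE: succeed when the trace mentions $1.
anon_pkinit_trace_mentions() {
    kdestroy -A >/dev/null 2>&1
    KRB5_TRACE=/dev/stdout kinit -n -c /tmp/ccache 2>&1 | grep -q "$1"
}

check_server() {
    for f in "$KDC_CERT" "$CA_BUNDLE"; do
        has_selinux_label "$(ls -lZ "$f")" && echo "ok:   $f has an SELinux label" \
            || echo "WARN: $f has no SELinux context ('?'); check /etc/selinux/config"
    done
    cert_chains_to_bundle "$KDC_CERT" "$CA_BUNDLE" \
        && echo "ok:   kdc.crt verifies against kdc-ca-bundle.pem" \
        || echo "FAIL: kdc.crt does not chain to any CA in kdc-ca-bundle.pem"
    grep -q "$KDC_HOST" "/var/lib/sss/pubconf/kdcinfo.$REALM" 2>/dev/null \
        && echo "ok:   kdcinfo.$REALM points at $KDC_HOST" \
        || echo "WARN: kdcinfo.$REALM does not mention $KDC_HOST"
    anon_pkinit_trace_mentions "$KDC_HOST" \
        && echo "ok:   kinit -n trace shows a request to $KDC_HOST" \
        || echo "FAIL: kinit -n trace never reached $KDC_HOST"
}

# Run the live checks only where the server files exist, so the functions can
# also be sourced and tested elsewhere.
if [ -r "$KDC_CERT" ] && [ -r "$CA_BUNDLE" ]; then
    check_server
fi
```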
