YES! Great. That helped. The /etc/sssd/sssd.conf contained both IPA hosts on both IPA hosts. After correcting that, removing the mentioned file and restarting sssd, the login into the webui now works.

Thanks a lot!

On Thu, 20 Feb 2025 at 09:52, Florence Blanc-Renaud <[email protected]> wrote:

> Hi,
>
> On Wed, Feb 19, 2025 at 5:43 PM Boris <[email protected]> wrote:
>
>> yes, SELINUX seems to be disabled.
>>
>> [root@ipa2 ~]# kinit boris@DOMAIN
>> Passwort für boris@DOMAIN:
>>
>> [root@ipa2 ~]# ipa pkinit-status
>> -----------------
>> 2 servers matched
>> -----------------
>>   Servername: ipa1.redacted
>>   PKINIT status: disabled
>>
>>   Servername: ipa2.redacted
>>   PKINIT status: enabled
>> -------------------------------------
>> Anzahl der zurückgegebenen Einträge 2
>> -------------------------------------
>>
>> [root@ipa2 ~]# ipa-pkinit-manage status
>> PKINIT is enabled
>> The ipa-pkinit-manage command was successful
>> [root@ipa2 ~]# kdestroy -A
>> [root@ipa2 ~]# KRB5_TRACE=/dev/stdout kinit -n -c /tmp/ccache
>> [55944] 1739982907.606095: Getting initial credentials for WELLKNOWN/ANONYMOUS@DOMAIN
>> [55944] 1739982907.606097: Sending unauthenticated request
>> [55944] 1739982907.606098: Sending request (194 bytes) to DOMAIN
>> ...
>>
>> the kinit command tries to connect to the ipa1, in the /var/lib/sss/pubconf/kdcinfo.your_realm are both addresses. It is the same on the ipa1 host.
>>
>
> On an IPA server, the above file should only contain the server itself. Try to delete the file (it will get re-created by SSSD), and check the content of /etc/sssd/sssd.conf. It should contain a section for the IPA domain (with *[domain/$YOUR_DOMAIN]*) and inside this section a value *ipa_server = $YOUR_SERVER*. Make sure that ipa_server has a single value, containing the hostname of the machine. If it contains something like _srv_ it means that the server is automatically discovered using DNS records but that setting should not appear on a server.
>
> HTH,
> flo
>
>> On Wed, 19 Feb 2025 at 17:04, Florence Blanc-Renaud <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> On Wed, Feb 19, 2025 at 4:07 PM Boris <[email protected]> wrote:
>>>
>>>> Hi flo,
>>>>
>>>> certificate and ca looks good. Certificate is signed by the correct ca and just got renewed (Not Before: Feb 15 09:43:26 2025 GMT)
>>>>
>>>> the permissions look different (the question mark)
>>>>
>>>> [root@ipa2 ~]# ls -lZ /var/kerberos/krb5kdc/kdc.crt
>>>> -rw-r--r-- 1 root root ? 1671 15. Feb 10:43 /var/kerberos/krb5kdc/kdc.crt
>>>> [root@ipa2 ~]# ls -lZ /var/lib/ipa-client/pki/kdc-ca-bundle.pem
>>>> -rw-r--r-- 1 root root ? 1294 15. Mär 2023 /var/lib/ipa-client/pki/kdc-ca-bundle.pem
>>>>
>>>
>>> The question mark means that there is no selinux context for those files. The system probably has SELINUX=disabled in /etc/selinux/config.
>>>
>>> Can you also check the following:
>>> # kinit admin
>>> # ipa pkinit-status
>>> The above will show you which servers are enabled for PKINIT.
>>>
>>> # ipa-pkinit-manage status
>>>
>>> # kdestroy -A
>>> # KRB5_TRACE=/dev/stdout kinit -n -c /tmp/ccache
>>>
>>> In the logs for kinit -n, double-check that the request is sent to ipa2. If that's not the case, you may have a wrong config (/var/lib/sss/pubconf/kdcinfo.your_realm should contain the IP address from ipa2).
>>>
>>> flo
>>>
>>>> in comparison to the ipa1
>>>> [root@ipa1 ~]# ls -lZ /var/lib/ipa-client/pki/kdc-ca-bundle.pem
>>>> -rw-r--r--. 1 root root system_u:object_r:realmd_var_lib_t:s0 1313 Feb 21 2022 /var/lib/ipa-client/pki/kdc-ca-bundle.pem
>>>> [root@ipa1 ~]# ls -lZ /var/kerberos/krb5kdc/kdc.crt
>>>> -rw-r--r--. 1 root root system_u:object_r:krb5kdc_conf_t:s0 1367 Nov 29 13:19 /var/kerberos/krb5kdc/kdc.crt
>>>>
>>>> The krb5-pkinit is installed
>>>> krb5-pkinit-1.19.2-9.fc35.x86_64
>>>>
>>>> On Wed, 19 Feb 2025 at 15:46, Florence Blanc-Renaud <[email protected]> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> On Wed, Feb 19, 2025 at 1:50 PM Boris via FreeIPA-users <[email protected]> wrote:
>>>>>
>>>>>> Hi list,
>>>>>> as I am currently sorting out our freeipa problems we stumbled across another problem.
>>>>>> After the last reboot of our 2ndary IPA host, we can no longer login into the webui on the 2nd host.
>>>>>>
>>>>>> The webui on the first host works.
>>>>>>
>>>>>> I've checked some logs but was only able to find meaningful entries in the httpd log, which is this:
>>>>>>
>>>>>> mod_wsgi (pid=1137): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
>>>>>> Traceback (most recent call last):
>>>>>>   File "/usr/lib/python3.10/site-packages/ipaserver/wsgi.py", line 71, in application
>>>>>>     return api.Backend.wsgi_dispatch(environ, start_response)
>>>>>>   File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 301, in __call__
>>>>>>     return self.route(environ, start_response)
>>>>>>   File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 313, in route
>>>>>>     return app(environ, start_response)
>>>>>>   File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 1066, in __call__
>>>>>>     result = attempt_kinit(user_principal, password,
>>>>>>   File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 996, in attempt_kinit
>>>>>>     self.kinit(user_principal, password,
>>>>>>   File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 1094, in kinit
>>>>>>     kinit_armor(
>>>>>>   File "/usr/lib/python3.10/site-packages/ipalib/install/kinit.py", line 129, in kinit_armor
>>>>>>     run(args, env=env, raiseonerr=True, capture_error=True)
>>>>>>   File "/usr/lib/python3.10/site-packages/ipapython/ipautil.py", line 599, in run
>>>>>>     raise CalledProcessError(
>>>>>> ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['/usr/bin/kinit', '-n', '-c', '/run/ipa/ccaches/armor_1137', '-X', 'X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt', '-X', 'X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem'] returned non-zero exit status 1: 'kinit: Cannot read password while getting initial credentials\n')
>>>>>>
>>>>> What is the content of this kdc.crt certificate?
>>>>> openssl x509 -noout -text -in /var/kerberos/krb5kdc/kdc.crt
>>>>> The output will tell us if it's a self-signed PKINIT cert or signed by IPA CA (look for the Issuer: value in the output).
>>>>>
>>>>> Does the kdc-ca-bundle.pem contain the CA that signed this certificate?
>>>>> openssl crl2pkcs7 -nocrl -certfile /var/lib/ipa-client/pki/kdc-ca-bundle.pem | openssl pkcs7 -print_certs -text -noout
>>>>>
>>>>> On a working system I see the following permissions for the above files:
>>>>> # ls -lZ /var/kerberos/krb5kdc/kdc.crt
>>>>> -rw-r--r--. 1 root root system_u:object_r:krb5kdc_conf_t:s0 1866 Feb 19 14:02 /var/kerberos/krb5kdc/kdc.crt
>>>>> # ls -lZ /var/lib/ipa-client/pki/kdc-ca-bundle.pem
>>>>> -rw-r--r--. 1 root root unconfined_u:object_r:realmd_var_lib_t:s0 3266 Feb 19 14:05 /var/lib/ipa-client/pki/kdc-ca-bundle.pem
>>>>>
>>>>> Do you have the package krb5-pkinit installed on your machine?
>>>>>
>>>>> flo
>>>>>
>>>>>> Does someone know in which direction I need to debug further?
>>>>>>
>>>>>> Cheers
>>>>>> Boris

--
The "UTF-8 problems" self-help group meets this time, as an exception, in the large hall.

--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
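A check for the sssd.conf rule flo describes in the thread (on an IPA server, `ipa_server` must hold exactly one value, the server's own hostname, and never `_srv_`), as an added example that is not code from the thread, FreeIPA or SSSD; the hostnames and the config text below are constructed to mirror the broken state Boris found.

```python
import configparser

# Constructed sssd.conf mirroring the thread's broken state: the replica
# ipa2 (placeholder name) lists both IPA hosts in ipa_server.
BROKEN_CONF = """
[sssd]
domains = example.test
services = nss, pam, ssh, sudo

[domain/example.test]
id_provider = ipa
ipa_domain = example.test
ipa_hostname = ipa2.example.test
ipa_server = ipa1.example.test, ipa2.example.test
"""


def check_ipa_server(conf_text: str, local_hostname: str) -> list:
    """Return findings for every IPA domain section; [] means the file is OK.

    Rule checked: on an IPA server, ipa_server has one value, equal to the
    server's own hostname, and does not rely on _srv_ DNS discovery.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        if cp.get(section, "id_provider", fallback="") != "ipa":
            continue
        raw = cp.get(section, "ipa_server", fallback="")
        servers = [s.strip() for s in raw.split(",") if s.strip()]
        if not servers:
            findings.append(f"{section}: ipa_server is missing")
            continue
        if any(s.lower() == "_srv_" for s in servers):
            findings.append(f"{section}: ipa_server uses _srv_ DNS discovery")
        if len(servers) > 1:
            findings.append(f"{section}: ipa_server lists {len(servers)} hosts: {raw}")
        if local_hostname.lower() not in (s.lower() for s in servers):
            findings.append(f"{section}: ipa_server does not name this host {local_hostname}")
    return findings


if __name__ == "__main__":
    # On a real server: check_ipa_server(open("/etc/sssd/sssd.conf").read(), socket.getfqdn())
    for finding in check_ipa_server(BROKEN_CONF, "ipa2.example.test"):
        print(finding)
```

After correcting `ipa_server`, the thread's fix also removes /var/lib/sss/pubconf/kdcinfo.REALM and restarts sssd so the file is regenerated with only the local server.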
