I've checked some more logs.
The krb5kdc.log is flooded with these logs:
Feb 21 16:01:42 ipa1.redacted krb5kdc[1344](info): AS_REQ (6 etypes
{aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.0.255.11:
NEEDED_PREAUTH: boris@redacted for krbtgt/redacted@redacted, Additional
pre-authentication required
Feb 21 16:01:42 ipa1.redacted krb5kdc[1344](info): closing down fd 11
Feb 21 16:01:43 ipa1.redacted krb5kdc[1344](info): preauth (spake) verify
failure: More preauthentication data is required
Feb 21 16:01:43 ipa1.redacted krb5kdc[1344](info): AS_REQ (6 etypes
{aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.0.255.11:
PREAUTH_FAILED: boris@redacted for krbtgt/redacted@redacted, More
preauthentication data is required
...
Feb 21 16:01:45 ipa1.redacted krb5kdc[1344](info): AS_REQ : handle_authdata
(2)
Feb 21 16:01:45 ipa1.redacted krb5kdc[1344](info): AS_REQ (6 etypes
{aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.0.255.11:
HANDLE_AUTHDATA: boris@redacted for krbtgt/redacted@redacted, No such file
or directory
But I still haven't found anything that leads in any direction.
On Fri, 21 Feb 2025 at 13:11, Boris <[email protected]> wrote:
> Hi,
>
> sorry to pester this mailing list with my problems.
>
> After you people helped me to get the old problems off the table I did a
> Fedora upgrade to 39 with the freeipa-server-4.12.2-1.fc39.x86_64
>
> dnf upgrade --refresh
> dnf system-upgrade download --releasever=39
> dnf system-upgrade reboot
> ipa-server-upgrade
>
>
> This all went through without errors.
>
> But now the web interface login gives the error "Username or password
> incorrect". This is what the httpd log says:
>
> ipa: DEBUG: WSGI wsgi_dispatch.__call__:
> ipa: DEBUG: WSGI login_password.__call__:
> ipa: DEBUG: Valid Referer https://ipa1.redacted/ipa/ui/
> ipa: DEBUG: Obtaining armor in ccache /run/ipa/ccaches/armor_1378
> ipa: DEBUG: Initializing anonymous ccache
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args=['/usr/bin/kinit', '-n', '-c',
> '/run/ipa/ccaches/armor_1378', '-X',
> 'X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt', '-X',
> 'X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem']
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=
> ipa: DEBUG: Initializing principal boris using password
> ipa: DEBUG: Using armor ccache /run/ipa/ccaches/armor_1378 for FAST webauth
> ipa: DEBUG: Requesting principal canonicalization
> ipa: DEBUG: Using enterprise principal
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args=['/usr/bin/kinit', '-c', '/run/ipa/ccaches/kinit_1378',
> '-T', '/run/ipa/ccaches/armor_1378', '-C', '-E', '--', 'boris']
> ipa: DEBUG: Process finished, return code=1
> ipa: DEBUG: stdout=Password for boris@redacted:
>
> ipa: DEBUG: stderr=kinit: Generic error (see e-text) while getting initial
> credentials
>
> ipa: DEBUG: Cleanup the armor ccache
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args=['/usr/bin/kdestroy', '-A', '-c',
> '/run/ipa/ccaches/armor_1378']
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=
> ipa: INFO: 401 Unauthorized: kinit: Generic error (see e-text) while
> getting initial credentials
>
> And when I try a kinit on the terminal of ipa1 I receive:
>
> [root@ipa1 ~]# kinit boris@redacted
> Password for boris@redacted:
> kinit: Generic error (see e-text) while getting initial credentials
>
> The ipa2 is still on Fedora 37 and the login works there.
>
> --
> The "UTF-8 problems" self-help group will, as an exception, meet in the
> large hall this time.
>
--
The "UTF-8 problems" self-help group will, as an exception, meet in the
large hall this time.
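
An added example, not part of the original message or of FreeIPA's own tooling: a small Python triage script that rejoins the wrapped krb5kdc.log entries and tallies AS_REQ results per client, skipping NEEDED_PREAUTH (the normal first leg of a preauthenticated exchange) so the remaining statuses stand out in a flooded log. The function names and the shortened sample are constructed for illustration, and the regex covers only the failure-line layout shown in the message above.

```python
import re
from collections import Counter

# Constructed sample: the entries quoted above with the etype list shortened,
# still hard-wrapped mid-entry the way the e-mail shows them.
SAMPLE = """\
Feb 21 16:01:42 ipa1.redacted krb5kdc[1344](info): AS_REQ (2 etypes
{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.0.255.11:
NEEDED_PREAUTH: boris@redacted for krbtgt/redacted@redacted, Additional
pre-authentication required
Feb 21 16:01:42 ipa1.redacted krb5kdc[1344](info): closing down fd 11
Feb 21 16:01:43 ipa1.redacted krb5kdc[1344](info): AS_REQ (2 etypes
{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.0.255.11:
PREAUTH_FAILED: boris@redacted for krbtgt/redacted@redacted, More
preauthentication data is required
Feb 21 16:01:45 ipa1.redacted krb5kdc[1344](info): AS_REQ (2 etypes
{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.0.255.11:
HANDLE_AUTHDATA: boris@redacted for krbtgt/redacted@redacted, No such file
or directory
"""

ENTRY_START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
AS_REQ = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d [\d:]{8}) .*?AS_REQ \(.*?\}\) (?P<ip>\S+): "
    r"(?P<status>[A-Z_]+): (?P<client>\S+) for (?P<service>[^,\s]+), (?P<text>.*)$"
)

def unwrap(text):
    """Rejoin wrapped continuation lines onto the timestamped line they belong to."""
    entries = []
    for line in text.splitlines():
        if ENTRY_START.match(line) or not entries:
            entries.append(line.strip())
        elif line.strip():
            entries[-1] += " " + line.strip()
    return entries

def parse_as_req(text):
    """One dict per '<ip>: <STATUS>: <client> for <service>, <text>' AS_REQ entry."""
    return [m.groupdict() for m in map(AS_REQ.match, unwrap(text)) if m]

def tally(records, ignore=("NEEDED_PREAUTH",)):
    """Count (client, status, text) triples, dropping the routine first-leg status."""
    return Counter((r["client"], r["status"], r["text"])
                   for r in records if r["status"] not in ignore)

if __name__ == "__main__":
    for (client, status, text), n in tally(parse_as_req(SAMPLE)).most_common():
        print(f"{n:4d}  {client}  {status}: {text}")
```
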
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]