Hello all,
I was hoping someone may have seen this issue or could suggest how to further troubleshoot it. We had FreeIPA configured a few years ago by a team that is now gone. Several months ago we had an issue where passwords seemed to expire and authentication started failing for users. For example, we were not able to log in to the LDAP server via ssh as an LDAP user; it shows "Permission denied":

    [fred@fred ~]$ ssh cr0777kk@biobb-ss
    cr0777kk@biobb-ss's password:
    Permission denied, please try again.
    cr0777kk@biobb-ss's password:
    Permission denied, please try again.
    cr0777kk@biobb-ss's password:
    Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
    [fred@fred ~]$

We checked the user status in LDAP and it is not locked and has the correct permissions. Then we noticed that the server is marked as LOCKED by Kerberos in the Kerberos log (/var/log/krb5kdc.log):

    root ldap-p1 ~ # grep biobb-ss /var/log/krb5kdc.log | tail
    May 16 15:49:51 ldap-p1.freeipa.example.com krb5kdc[20459](info): AS_REQ (4 etypes {18 17 16 23}) 10.107.179.53: LOCKED_OUT: host/biobb-ss.freeipa.example....@freeipa.example.com for krbtgt/freeipa.example....@freeipa.example.com, Clients credentials have been revoked
    May 16 15:50:59 ldap-p1.freeipa.example.com krb5kdc[20459](info): AS_REQ (4 etypes {18 17 16 23}) 10.107.179.53: LOCKED_OUT: host/biobb-ss.freeipa.example....@freeipa.example.com for krbtgt/freeipa.example....@freeipa.example.com, Clients credentials have been revoked
    May 16 15:50:59 ldap-p1.freeipa.example.com krb5kdc[20457](info): AS_REQ (4 etypes {18 17 16 23}) 10.107.179.53: LOCKED_OUT: host/biobb-ss.freeipa.example....@freeipa.example.com for krbtgt/freeipa.example....@freeipa.example.com, Clients credentials have been revoked
    May 16 15:50:59 ldap-p1.freeipa.example.com krb5kdc[20458](info): AS_REQ (4 etypes {18 17 16 23}) 10.107.179.53: LOCKED_OUT: host/biobb-ss.freeipa.example....@freeipa.example.com for krbtgt/freeipa.example....@freeipa.example.com, Clients credentials have been revoked
    root ldap-p1 ~ #

For this we have a workaround, which is to re-enroll the server in the LDAP DB. On the LDAP server, we execute these commands:

    # kinit <LDAP_Admin>
    # ipa host-del biobb-ss.freeipa.example.com
    # ipa host-add biobb-ss.freeipa.example.com --password xxxxxxxxxxx
    # ipa hostgroup-add-member dev --hosts=biobb-ss.freeipa.example.com

This was working for a couple of months, but now the second command (to delete the server from the LDAP DB) fails. If we re-execute the same command, it shows different errors, in the order below. Here is what we see now:

    # ipa host-del host.freeipa.example.comm
    # ipa: ERROR: cannot connect to 'https://host.freeipa.example.com:443/ca/agent/ca/displayBySerial': (SSL_ERROR_BAD_CERT_ALERT) SSL peer cannot verify your certificate.
    # ipa host-del host.freeipa.example.comm
    # ipa: ERROR: cannot connect to 'https://host.freeipa.example.com:443/ca/agent/ca/displayBySerial': (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.
    # ipa host-del host.freeipa.example.comm
    # ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

Any help appreciated. Thank you in advance.

-Vin
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
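The post's first clue was a LOCKED_OUT status in /var/log/krb5kdc.log for the host principal, which only surfaced after users were already failing SSH logins. The following is an added example (not code from the original post or from the FreeIPA project): a small parser for krb5kdc request lines that groups AS_REQ/TGS_REQ outcomes by client principal, so that a principal accumulating LOCKED_OUT results can be flagged from the KDC log before it is noticed at the SSH prompt. The sample input reuses the four LOCKED_OUT lines quoted in the post (with its "...." elisions kept) plus two constructed lines for a hypothetical user principal jdoe@FREEIPA.EXAMPLE.COM; the line layout assumed is the standard krb5kdc request format.

```python
"""Summarise KDC authentication outcomes from /var/log/krb5kdc.log lines.

Added example, not from the original post or the FreeIPA project. It groups
AS_REQ/TGS_REQ results by client principal so that a locked-out principal
(like the host principal in the post) stands out from the KDC log itself.
"""
import re
from collections import Counter, defaultdict

# Common prefix of krb5kdc request lines: syslog timestamp, KDC host name,
# process id, log level, request type, enctype list, client address, status.
_KDC_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<kdc>\S+) krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\): "
    r"(?P<req>AS_REQ|TGS_REQ) \((?P<etypes>[^)]*)\) "
    r"(?P<client_ip>\S+?): (?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# "<client principal> for <service principal>" ends every request line;
# failures append ", <message>", and ISSUE lines prepend authtime/etype info.
_PRINCIPALS = re.compile(r"(?P<client>\S+) for (?P<server>[^\s,]+)")


def parse_kdc_line(line):
    """Return a dict of fields for a krb5kdc request line, or None otherwise."""
    m = _KDC_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    p = _PRINCIPALS.search(rec.pop("rest"))
    rec["client"] = p.group("client") if p else None
    rec["server"] = p.group("server") if p else None
    return rec


def summarize(lines):
    """Map each client principal to a Counter of the status codes seen for it."""
    per_client = defaultdict(Counter)
    for line in lines:
        rec = parse_kdc_line(line)
        if rec and rec["client"]:
            per_client[rec["client"]][rec["status"]] += 1
    return dict(per_client)


def locked_out_principals(lines, threshold=1):
    """Principals with at least `threshold` LOCKED_OUT results, with source IPs."""
    hits = Counter()
    sources = defaultdict(set)
    for line in lines:
        rec = parse_kdc_line(line)
        if rec and rec["status"] == "LOCKED_OUT" and rec["client"]:
            hits[rec["client"]] += 1
            sources[rec["client"]].add(rec["client_ip"])
    return {c: {"count": n, "from": sorted(sources[c])}
            for c, n in hits.items() if n >= threshold}


# Constructed sample: lines 1-4 are the LOCKED_OUT entries quoted in the post;
# lines 5-6 are made up here for a hypothetical user principal, and the last
# line is a non-request KDC message the parser must ignore.
_LOCKED = ("{ts} ldap-p1.freeipa.example.com krb5kdc[{pid}](info): AS_REQ "
           "(4 etypes {{18 17 16 23}}) 10.107.179.53: LOCKED_OUT: "
           "host/biobb-ss.freeipa.example....@freeipa.example.com for "
           "krbtgt/freeipa.example....@freeipa.example.com, "
           "Clients credentials have been revoked")
SAMPLE_LOG = [
    _LOCKED.format(ts="May 16 15:49:51", pid=20459),
    _LOCKED.format(ts="May 16 15:50:59", pid=20459),
    _LOCKED.format(ts="May 16 15:50:59", pid=20457),
    _LOCKED.format(ts="May 16 15:50:59", pid=20458),
    "May 16 15:55:10 ldap-p1.freeipa.example.com krb5kdc[20459](info): AS_REQ "
    "(4 etypes {18 17 16 23}) 10.107.179.60: ISSUE: authtime 1463428510, "
    "etypes {rep=18 tkt=18 ses=18}, jdoe@FREEIPA.EXAMPLE.COM for "
    "krbtgt/FREEIPA.EXAMPLE.COM@FREEIPA.EXAMPLE.COM",
    "May 16 15:56:02 ldap-p1.freeipa.example.com krb5kdc[20459](info): AS_REQ "
    "(4 etypes {18 17 16 23}) 10.107.179.60: PREAUTH_FAILED: "
    "jdoe@FREEIPA.EXAMPLE.COM for krbtgt/FREEIPA.EXAMPLE.COM@FREEIPA.EXAMPLE.COM, "
    "Decrypt integrity check failed",
    "May 16 15:57:00 ldap-p1.freeipa.example.com krb5kdc[20459](info): closing down fd 12",
]

if __name__ == "__main__":
    for client, statuses in summarize(SAMPLE_LOG).items():
        print(client, dict(statuses))
    print("locked out:", locked_out_principals(SAMPLE_LOG, threshold=3))
```

Run against a real log with `summarize(open("/var/log/krb5kdc.log"))`; the `threshold` argument of `locked_out_principals` lets a monitoring job ignore a single stray lockout and alert on repeated ones, and the returned source addresses show which client a principal's failures came from, which is the first thing to check before deciding whether a re-enrollment like the one in the post is warranted.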