Hello all,

I was hoping someone may have seen this issue or suggest how to further
troubleshoot.

We had FreeIPA configured a few years ago by a team that is now gone.
Several months ago we had an issue where passwords seemed to expire and
authentication started failing for users.  For example, we were not able to
log in to the LDAP server via ssh as an LDAP user; it shows "Permission
denied":

[fred@fred ~]$ ssh cr0777kk@biobb-ss
cr0777kk@biobb-ss's password:
Permission denied, please try again.
cr0777kk@biobb-ss's password:
Permission denied, please try again.
cr0777kk@biobb-ss's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
[fred@fred ~]$

We checked the user status in LDAP and it is not locked and has the correct
permissions.  Then we noticed that the server is marked as LOCKED by
Kerberos in the Kerberos log [/var/log/krb5kdc.log]:

root ldap-p1  ~
# grep biobb-ss /var/log/krb5kdc.log | tail
May 16 15:49:51 ldap-p1.freeipa.example.com krb5kdc[20459](info): AS_REQ (4 etypes {18 17 16 23}) 10.107.179.53: LOCKED_OUT: host/biobb-ss.freeipa.example....@freeipa.example.com for krbtgt/freeipa.example....@freeipa.example.com, Clients credentials have been revoked
May 16 15:50:59 ldap-p1.freeipa.example.com krb5kdc[20459](info): AS_REQ (4 etypes {18 17 16 23}) 10.107.179.53: LOCKED_OUT: host/biobb-ss.freeipa.example....@freeipa.example.com for krbtgt/freeipa.example....@freeipa.example.com, Clients credentials have been revoked
May 16 15:50:59 ldap-p1.freeipa.example.com krb5kdc[20457](info): AS_REQ (4 etypes {18 17 16 23}) 10.107.179.53: LOCKED_OUT: host/biobb-ss.freeipa.example....@freeipa.example.com for krbtgt/freeipa.example....@freeipa.example.com, Clients credentials have been revoked
May 16 15:50:59 ldap-p1.freeipa.example.com krb5kdc[20458](info): AS_REQ (4 etypes {18 17 16 23}) 10.107.179.53: LOCKED_OUT: host/biobb-ss.freeipa.example....@freeipa.example.com for krbtgt/freeipa.example....@freeipa.example.com, Clients credentials have been revoked
root ldap-p1  ~
#
For this we have a workaround, which is to re-enroll the server in the LDAP DB:

On the LDAP server, we execute these commands:
# kinit <LDAP_Admin>
# ipa host-del biobb-ss.freeipa.example.com
# ipa host-add biobb-ss.freeipa.example.com --password xxxxxxxxxxx
# ipa hostgroup-add-member dev --hosts=biobb-ss.freeipa.example.com

This was working for a couple of months, but now when we try the second
command (to delete the server from the LDAP DB), it fails.  And if we
re-execute the same command, it shows different errors, in the order below:

Here is what we see now:

# ipa host-del host.freeipa.example.comm
# ipa: ERROR: cannot connect to
'https://host.freeipa.example.com:443/ca/agent/ca/displayBySerial':
(SSL_ERROR_BAD_CERT_ALERT) SSL peer cannot verify your certificate.

# ipa host-del host.freeipa.example.comm
# ipa: ERROR: cannot connect to
'https://host.freeipa.example.com:443/ca/agent/ca/displayBySerial':
(SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.

# ipa host-del host.freeipa.example.comm
# ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The
certificate/key database is in an old, unsupported format.


Any help appreciated.  Thank you in advance.


-Vin
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
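Added example, not part of the original post or of FreeIPA itself: a small Python parser for krb5kdc.log AS_REQ lines in the layout quoted above, which tallies LOCKED_OUT events per client principal and source address so a locked-out host principal like the one in the post stands out before users start reporting ssh failures. The sample log is constructed, one event per line as the KDC writes it, with full principal names and an uppercase realm assumed where the post's excerpt is truncated.

```python
import re
from collections import Counter

# One krb5kdc.log AS_REQ event, in the layout quoted in the post above.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<kdc>\S+) krb5kdc\[(?P<pid>\d+)\]\(info\): "
    r"AS_REQ \((?P<etypes>[^)]*)\) (?P<src>[\d.]+): (?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# "<client principal> for <server principal>" inside the trailing message
PRINC_RE = re.compile(r"(?P<client>[^\s,]+) for (?P<server>[^\s,]+)")


def parse_kdc_line(line):
    """Return a dict for an AS_REQ line, or None for any other line (e.g. TGS_REQ)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    p = PRINC_RE.search(rec["rest"])
    rec["client"] = p.group("client") if p else None
    rec["server"] = p.group("server") if p else None
    return rec


def locked_out_principals(lines, threshold=1):
    """Count LOCKED_OUT AS_REQs per (client principal, source IP) and return
    the pairs at or above threshold, most frequent first."""
    counts = Counter()
    for line in lines:
        rec = parse_kdc_line(line)
        if rec and rec["status"] == "LOCKED_OUT" and rec["client"]:
            counts[(rec["client"], rec["src"])] += 1
    return [(key, n) for key, n in counts.most_common() if n >= threshold]


# Constructed sample log (hypothetical hosts and realm), following the post's format.
SAMPLE_LOG = """\
May 16 15:49:51 ldap-p1.freeipa.example.com krb5kdc[20459](info): AS_REQ (4 etypes {18 17 16 23}) 10.107.179.53: LOCKED_OUT: host/biobb-ss.freeipa.example.com@FREEIPA.EXAMPLE.COM for krbtgt/FREEIPA.EXAMPLE.COM@FREEIPA.EXAMPLE.COM, Clients credentials have been revoked
May 16 15:50:59 ldap-p1.freeipa.example.com krb5kdc[20459](info): AS_REQ (4 etypes {18 17 16 23}) 10.107.179.53: LOCKED_OUT: host/biobb-ss.freeipa.example.com@FREEIPA.EXAMPLE.COM for krbtgt/FREEIPA.EXAMPLE.COM@FREEIPA.EXAMPLE.COM, Clients credentials have been revoked
May 16 15:51:03 ldap-p1.freeipa.example.com krb5kdc[20457](info): AS_REQ (4 etypes {18 17 16 23}) 10.107.179.60: ISSUE: authtime 1526485863, etypes {rep=18 tkt=18 ses=18}, host/web-01.freeipa.example.com@FREEIPA.EXAMPLE.COM for krbtgt/FREEIPA.EXAMPLE.COM@FREEIPA.EXAMPLE.COM
May 16 15:51:10 ldap-p1.freeipa.example.com krb5kdc[20458](info): TGS_REQ (4 etypes {18 17 16 23}) 10.107.179.60: ISSUE: authtime 1526485863, etypes {rep=18 tkt=18 ses=18}, host/web-01.freeipa.example.com@FREEIPA.EXAMPLE.COM for ldap/ldap-p1.freeipa.example.com@FREEIPA.EXAMPLE.COM
"""

if __name__ == "__main__":
    for (client, src), n in locked_out_principals(SAMPLE_LOG.splitlines()):
        print(f"{n:3d} LOCKED_OUT  {client}  from {src}")
```

On a real KDC, feed it the output of `grep AS_REQ /var/log/krb5kdc.log` instead of the sample; a host principal that appears here is the one to inspect before any re-enrollment.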