[Freeipa-users] Re: several IPA CA certificate entries

2017-10-23 Thread Marius Bjørnstad via FreeIPA-users
On 23 Oct 2017 19:45, Bhavin Vaidya via FreeIPA-users wrote:
> We did manage to delete the certificates, all but the right one (we
> figured it out by looking at clients' /etc/ipa/ca.crt)
>
>
I have seen /etc/ipa/ca.crt get out of date before. It wasn't updated
automatically when renewing the CA cert, though I was using 3.x versions
at the time. Thankfully, it's easy to check. You can open up the Web UI
and check what the expiry date is in the browser. If it matches the
below, just ignore this message.
> Successfully retrieved CA cert
>     Subject:     CN=Certificate Authority,O=EXAMPLE.COM
>     Issuer:      CN=Certificate Authority,O=EXAMPLE.COM
>     Valid From:  Thu Jun 01 12:55:08 2017 UTC
>     Valid Until: Mon Jun 01 12:55:08 2037 UTC
>
> Joining realm failed: libcurl failed to execute the HTTP POST
> transaction.  Peer certificate cannot be authenticated with known CA
> certificates
>
>

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
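Marius' suggestion is to compare the expiry date the browser shows against the one printed during the join. A stricter check is to compare the certificates themselves. The following is an added example (not code from the thread or from FreeIPA): it splits PEM bundles into individual certificates, fingerprints each with SHA-256 using only the Python standard library, and lists the server-side CA certificates that the client's /etc/ipa/ca.crt lacks. The PEM bodies it builds are constructed placeholder bytes, not real certificates; only byte-for-byte equality of the DER payload matters for the comparison.

```python
"""Compare the CA certificates a client trusts with the ones a server serves.

Added example, not code from the thread or from FreeIPA. Splits PEM bundles,
computes SHA-256 fingerprints with the standard library only, and reports
which server-side CA certs are missing from the client's /etc/ipa/ca.crt.
The sample PEM bodies are constructed placeholders, not real certificates.
"""
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def der_certs(pem_text):
    """Return the DER bytes of every certificate in a PEM file or bundle."""
    return [base64.b64decode("".join(body.split()))
            for body in PEM_BLOCK.findall(pem_text)]


def fingerprint(der):
    """SHA-256 fingerprint in the colon-separated form openssl prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprints(pem_text):
    """Fingerprints of all certificates in a PEM text, in file order."""
    return [fingerprint(d) for d in der_certs(pem_text)]


def missing_on_client(client_pem, server_pem):
    """Fingerprints of server CA certs that the client bundle does not contain."""
    have = set(fingerprints(client_pem))
    return [fp for fp in fingerprints(server_pem) if fp not in have]


def pem(der):
    """Wrap DER bytes as a PEM certificate block (used here to build sample input)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


# Constructed sample "certificates": arbitrary bytes standing in for DER.
OLD_CA = b"constructed-old-ca-cert-bytes"
NEW_CA = b"constructed-renewed-ca-cert-bytes"
CLIENT_CA_CRT = pem(OLD_CA)                    # what a stale /etc/ipa/ca.crt holds
SERVER_CA_BUNDLE = pem(NEW_CA) + pem(OLD_CA)   # what the server now serves


if __name__ == "__main__":
    for fp in missing_on_client(CLIENT_CA_CRT, SERVER_CA_BUNDLE):
        print("client is missing CA cert with fingerprint", fp)
```

On a real client, feed it the contents of /etc/ipa/ca.crt and the CA bundle obtained from a server; a non-empty result is the situation in which `ipa-certupdate` refreshes the client's copy. The fingerprints can be cross-checked with `openssl x509 -noout -fingerprint -sha256 -in <file>`.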


[Freeipa-users] Re: Valid Sender ? - Re: Re: Web UI login fails after upgrading to 4.5

2017-10-06 Thread Marius Bjørnstad via FreeIPA-users
Just learned a new keyboard shortcut in my mail client. Didn't mean to send 
without saying thanks a lot, that was very helpful.


> On 6 Oct 2017 at 12:24, Marius Bjørnstad via FreeIPA-users 
> <freeipa-users@lists.fedorahosted.org> wrote:
> 
> Wow that's well spotted! That IP is the 4.4 server (I just blindly assumed 
> that it would use the value in krb5.conf, which is the 4.5 server).  It goes 
> to 248 every time.
> 
> strace showed me that kinit gets the IP address from 
> /var/lib/sss/pubconf/kdcinfo.OUS.NSC.LOCAL. This file contains only the IP 
> address of the other master. I changed it to 192.168.1.249, the 4.5 master, 
> and it works! 
> 
> 
>> On 6 Oct 2017 at 11:56, Alexander Bokovoy <aboko...@redhat.com> wrote:
>> 
>> On Fri, 06 Oct 2017, Marius Bjørnstad via FreeIPA-users wrote:
>>> Thanks for the replies! I do have the krb5-pkinit package installed.
>>> ipa-pkinit-manage status was disabled, but enabling it with 
>>> ipa-pkinit-manage enable didn't fix the problem.
>>> 
>>> $ ipa pkinit-status --server=SERVER_NAME
>>> says PKINIT is disabled.
>>> # ipa-pkinit-manage status
>>> now says it is enabled.
>>> $ ipa config-show
>>> does not list any IPA masters supporting PKINIT.
>>> 
>>> If I disable then re-enable using ipa-pkinit-manage, nothing changes.
>>> 
>>> I should note that we now have one server on 4.4, which I daren't touch, 
>>> and this one on 4.5 which is having issues.
>>> 
>>> This is the output from kinit -n as my user, with KRB5_TRACE on. I 
>>> terminated it at the password prompt. So there is something wrong with the 
>>> KDC?
>>> 
>>> [3790] 1507282499.679169: Resolving unique ccache of type KEYRING
>>> [3790] 1507282499.679205: Getting initial credentials for 
>>> WELLKNOWN/anonym...@ous.nsc.LOCAL
>>> [3790] 1507282499.681014: Sending request (190 bytes) to OUS.NSC.LOCAL
>>> [3790] 1507282499.681128: Initiating TCP connection to stream 
>>> 192.168.1.248:88
>>> [3790] 1507282499.681311: Sending TCP request to stream 192.168.1.248:88
>>> [3790] 1507282499.683001: Received answer (296 bytes) from stream 
>>> 192.168.1.248:88
>>> [3790] 1507282499.683008: Terminating TCP connection to stream 
>>> 192.168.1.248:88
>>> [3790] 1507282499.683039: Response was from master KDC
>>> [3790] 1507282499.683053: Received error from KDC: -1765328359/Additional 
>>> pre-authentication required
>>> [3790] 1507282499.683072: Processing preauth types: 136, 19, 2, 133
>>> [3790] 1507282499.683079: Selected etype info: etype aes256-cts, salt 
>>> "OUS.NSC.LOCALWELLKNOWNANONYMOUS", params ""
>>> [3790] 1507282499.683081: Received cookie: MIT
>>> [3790] 1507282501.423154: Preauth module encrypted_timestamp (2) (real) 
>>> returned: -1765328252/Password read interrupted
>> 
>> 192.168.1.248 -- which KDC is this? 4.4 or 4.5?
>> 
>> 
>>> 
>>> 
>>> 
>>>> On 5 Oct 2017 at 21:11, Alexander Bokovoy <aboko...@redhat.com> wrote:
>>>> 
>>>> On Thu, 05 Oct 2017, Jochen Hein wrote:
>>>>> Alexander Bokovoy <aboko...@redhat.com> writes:
>>>>> 
>>>>>> On Thu, 05 Oct 2017, Jochen Hein via FreeIPA-users wrote:
>>>>> 
>>>>>>>> [Thu Oct 05 11:36:38.505372 2017] [:error] [pid 7424] [remote
>>>>>>>> 192.168.1.48:244] CalledProcessError: Command '/usr/bin/kinit -n -c
>>>>>>>> /var/run/ipa/ccaches/armor_7424 -X
>>>>>>>> X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X
>>>>>>>> X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned
>>>>>>>> non-zero exit status 1
>>>>>>> 
>>>>>>> Do you have krb5-pkinit installed?  I think there is a dependency
>>>>>>> missing.  And I ran "ipa-pkinit-manage enable", but I don't remember if
>>>>>>> it's needed for WebUI login.
>>>>>> Looking into RHEL/CentOS spec file, I see:
>>>>> 
>>>>> Hm, then the dependency was missing for the client packages for 
>>>>> Debian/Ubuntu.
>>>> This should not be a problem for the case above because it is IPA
>>>> master, not a client here.
>>>> 
>>>> --
>>>> / Alexander Bokovoy
>> 
>> -- 
>> / Alexander Bokovoy
> 


[Freeipa-users] Re: Valid Sender ? - Re: Re: Web UI login fails after upgrading to 4.5

2017-10-06 Thread Marius Bjørnstad via FreeIPA-users
Wow that's well spotted! That IP is the 4.4 server (I just blindly assumed that 
it would use the value in krb5.conf, which is the 4.5 server).  It goes to 248 
every time.

strace showed me that kinit gets the IP address from 
/var/lib/sss/pubconf/kdcinfo.OUS.NSC.LOCAL. This file contains only the IP 
address of the other master. I changed it to 192.168.1.249, the 4.5 master, and 
it works! 


> On 6 Oct 2017 at 11:56, Alexander Bokovoy <aboko...@redhat.com> wrote:
> 
> On Fri, 06 Oct 2017, Marius Bjørnstad via FreeIPA-users wrote:
>> Thanks for the replies! I do have the krb5-pkinit package installed.
>> ipa-pkinit-manage status was disabled, but enabling it with 
>> ipa-pkinit-manage enable didn't fix the problem.
>> 
>> $ ipa pkinit-status --server=SERVER_NAME
>> says PKINIT is disabled.
>> # ipa-pkinit-manage status
>> now says it is enabled.
>> $ ipa config-show
>> does not list any IPA masters supporting PKINIT.
>> 
>> If I disable then re-enable using ipa-pkinit-manage, nothing changes.
>> 
>> I should note that we now have one server on 4.4, which I daren't touch, and 
>> this one on 4.5 which is having issues.
>> 
>> This is the output from kinit -n as my user, with KRB5_TRACE on. I 
>> terminated it at the password prompt. So there is something wrong with the 
>> KDC?
>> 
>> [3790] 1507282499.679169: Resolving unique ccache of type KEYRING
>> [3790] 1507282499.679205: Getting initial credentials for 
>> WELLKNOWN/anonym...@ous.nsc.LOCAL
>> [3790] 1507282499.681014: Sending request (190 bytes) to OUS.NSC.LOCAL
>> [3790] 1507282499.681128: Initiating TCP connection to stream 
>> 192.168.1.248:88
>> [3790] 1507282499.681311: Sending TCP request to stream 192.168.1.248:88
>> [3790] 1507282499.683001: Received answer (296 bytes) from stream 
>> 192.168.1.248:88
>> [3790] 1507282499.683008: Terminating TCP connection to stream 
>> 192.168.1.248:88
>> [3790] 1507282499.683039: Response was from master KDC
>> [3790] 1507282499.683053: Received error from KDC: -1765328359/Additional 
>> pre-authentication required
>> [3790] 1507282499.683072: Processing preauth types: 136, 19, 2, 133
>> [3790] 1507282499.683079: Selected etype info: etype aes256-cts, salt 
>> "OUS.NSC.LOCALWELLKNOWNANONYMOUS", params ""
>> [3790] 1507282499.683081: Received cookie: MIT
>> [3790] 1507282501.423154: Preauth module encrypted_timestamp (2) (real) 
>> returned: -1765328252/Password read interrupted
> 
> 192.168.1.248 -- which KDC is this? 4.4 or 4.5?
> 
> 
>> 
>> 
>> 
>>> On 5 Oct 2017 at 21:11, Alexander Bokovoy <aboko...@redhat.com> wrote:
>>> 
>>> On Thu, 05 Oct 2017, Jochen Hein wrote:
>>>> Alexander Bokovoy <aboko...@redhat.com> writes:
>>>> 
>>>>> On Thu, 05 Oct 2017, Jochen Hein via FreeIPA-users wrote:
>>>> 
>>>>>>> [Thu Oct 05 11:36:38.505372 2017] [:error] [pid 7424] [remote
>>>>>>> 192.168.1.48:244] CalledProcessError: Command '/usr/bin/kinit -n -c
>>>>>>> /var/run/ipa/ccaches/armor_7424 -X
>>>>>>> X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X
>>>>>>> X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned
>>>>>>> non-zero exit status 1
>>>>>> 
>>>>>> Do you have krb5-pkinit installed?  I think there is a dependency
>>>>>> missing.  And I ran "ipa-pkinit-manage enable", but I don't remember if
>>>>>> it's needed for WebUI login.
>>>>> Looking into RHEL/CentOS spec file, I see:
>>>> 
>>>> Hm, then the dependency was missing for the client packages for 
>>>> Debian/Ubuntu.
>>> This should not be a problem for the case above because it is IPA
>>> master, not a client here.
>>> 
>>> --
>>> / Alexander Bokovoy
> 
> -- 
> / Alexander Bokovoy

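The mismatch Alexander spotted (the trace talks to 192.168.1.248 while krb5.conf names the 4.5 server) and the kdcinfo file Marius then found are the same check from two angles. The following is an added example, not code from the thread, from FreeIPA or from SSSD: it pulls the KDC addresses out of KRB5_TRACE output or out of an SSSD kdcinfo.REALM file and compares them with the kdc/master_kdc entries for the realm in krb5.conf. The realm, hostnames, addresses and file contents are constructed sample data, and name resolution is stubbed with a dictionary so the example runs offline; a real run passes socket.gethostbyname, which is the default.

```python
"""Cross-check which KDC a client actually used against the KDCs in krb5.conf.

Added example, not code from the thread or from FreeIPA/SSSD. Parses
KRB5_TRACE output (or an SSSD kdcinfo.REALM file) for KDC addresses and
compares them with the [realms] entries of krb5.conf. All names, addresses
and file contents below are constructed sample data.
"""
import re
import socket

# Constructed krb5.conf fragment: the realm points at one KDC by name.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = EXAMPLE.TEST

[realms]
 EXAMPLE.TEST = {
  kdc = new-master.example.test:88
  master_kdc = new-master.example.test:88
  admin_server = new-master.example.test:749
 }
"""

# Constructed KRB5_TRACE excerpt in the same shape as the one in the thread.
SAMPLE_TRACE = """\
[3790] 1507282499.681014: Sending request (190 bytes) to EXAMPLE.TEST
[3790] 1507282499.681128: Initiating TCP connection to stream 192.0.2.48:88
[3790] 1507282499.681311: Sending TCP request to stream 192.0.2.48:88
[3790] 1507282499.683001: Received answer (296 bytes) from stream 192.0.2.48:88
[3790] 1507282499.683039: Response was from master KDC
"""

# Constructed contents of /var/lib/sss/pubconf/kdcinfo.EXAMPLE.TEST
SAMPLE_KDCINFO = "192.0.2.48:88\n"

# Constructed name resolution so the example runs offline.
SAMPLE_DNS = {"new-master.example.test": "192.0.2.49"}


def strip_port(addr):
    """Drop a trailing :port from 'host:88' or '[v6addr]:88'."""
    return re.sub(r":\d+$", "", addr).strip("[]")


def kdcs_for_realm(conf_text, realm):
    """Return the kdc/master_kdc hosts listed for `realm` in a krb5.conf text."""
    section, in_block, hosts = None, False, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):           # new section, e.g. [realms]
            section, in_block = line, False
            continue
        if section != "[realms]":
            continue
        if not in_block:                   # look for "REALM = {"
            m = re.match(r"^(\S+)\s*=\s*\{$", line)
            in_block = bool(m) and m.group(1).upper() == realm.upper()
            continue
        if line == "}":
            in_block = False
            continue
        m = re.match(r"^(kdc|master_kdc)\s*=\s*(\S+)", line)
        if m:
            hosts.append(strip_port(m.group(2)))
    return hosts


def kdc_addrs_from_trace(trace_text):
    """KDC addresses a KRB5_TRACE run connected to, in order, without duplicates."""
    pattern = r"(?:TCP|UDP) (?:connection|request) to (?:stream|dgram) (\S+)"
    seen = []
    for addr in re.findall(pattern, trace_text):
        addr = strip_port(addr)
        if addr not in seen:
            seen.append(addr)
    return seen


def kdc_addrs_from_kdcinfo(kdcinfo_text):
    """Addresses from an SSSD kdcinfo.REALM file: one address[:port] per line."""
    return [strip_port(l.strip()) for l in kdcinfo_text.splitlines() if l.strip()]


def unexpected_kdcs(conf_text, realm, observed, resolve=socket.gethostbyname):
    """Observed KDC addresses that are not among the KDCs configured for `realm`."""
    expected = set()
    for host in kdcs_for_realm(conf_text, realm):
        try:
            expected.add(resolve(host))
        except (OSError, KeyError):
            continue  # unresolvable KDC name: nothing to compare against
    return [a for a in observed if a not in expected]


if __name__ == "__main__":
    resolve = SAMPLE_DNS.__getitem__
    for label, observed in (("KRB5_TRACE", kdc_addrs_from_trace(SAMPLE_TRACE)),
                            ("kdcinfo", kdc_addrs_from_kdcinfo(SAMPLE_KDCINFO))):
        bad = unexpected_kdcs(SAMPLE_KRB5_CONF, "EXAMPLE.TEST", observed, resolve)
        print(f"{label}: talked to {observed}; not in krb5.conf: {bad}")
```

SSSD's Kerberos locator plugin is what makes kinit prefer the address in /var/lib/sss/pubconf/kdcinfo.REALM over the krb5.conf entries, and SSSD maintains that file from the KDC it last resolved, so a hand edit like the one described above is a useful diagnostic rather than a setting that is guaranteed to persist.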


[Freeipa-users] Web UI login fails after upgrading to 4.5

2017-10-05 Thread Marius Bjørnstad via FreeIPA-users
Hi all,

After I upgraded to FreeIPA 4.5 (on CentOS 7), I get an error "Login failed due 
to an unknown reason" on the web UI, no matter if I use the admin user or my 
personal user. From what I can tell, all the ipa commands work fine on the 
command line, and kinit also works fine.

I have included some output from /var/log/httpd/error_log below.  It would be 
great if someone could make a guess (or better) at what is going wrong, or 
which logs to look at, etc. 

When I run the command in the CalledProcessError, I get a password prompt for 
WELLKNOWN/anonym...@ous.nsc.LOCAL (the second part is the realm name). 

Thanks,
Marius

[Thu Oct 05 11:36:34.898930 2017] [core:notice] [pid 7417] SELinux policy 
enabled; httpd running as context system_u:system_r:httpd_t:s0
[Thu Oct 05 11:36:34.899649 2017] [suexec:notice] [pid 7417] AH01232: suEXEC 
mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Oct 05 11:36:34.899669 2017] [:warn] [pid 7417] NSSSessionCacheTimeout is 
deprecated. Ignoring.
[Thu Oct 05 11:36:35.065273 2017] [auth_digest:notice] [pid 7417] AH01757: 
generating secret for digest authentication ...
[Thu Oct 05 11:36:35.065933 2017] [lbmethod_heartbeat:notice] [pid 7417] 
AH02282: No slotmem from mod_heartmonitor
[Thu Oct 05 11:36:35.065947 2017] [:warn] [pid 7417] NSSSessionCacheTimeout is 
deprecated. Ignoring.
[Thu Oct 05 11:36:35.100828 2017] [mpm_prefork:notice] [pid 7417] AH00163: 
Apache/2.4.6 (CentOS) mod_auth_gssapi/1.5.1 mod_nss/1.0.14 NSS/3.28.4 
PHP/5.4.16 mod_wsgi/3.4 Python/2.7.5 configured -- resuming normal operations
[Thu Oct 05 11:36:35.100849 2017] [core:notice] [pid 7417] AH00094: Command 
line: '/usr/sbin/httpd -D FOREGROUND'
[Thu Oct 05 11:36:36.676629 2017] [:error] [pid 7424] ipa: INFO: *** PROCESS 
START ***
[Thu Oct 05 11:36:36.695362 2017] [:error] [pid 7425] ipa: INFO: *** PROCESS 
START ***

--- login attempt performed now ---

[Thu Oct 05 11:36:38.504718 2017] [:error] [pid 7424] [remote 192.168.1.48:244] 
mod_wsgi (pid=7424): Exception occurred processing WSGI script 
'/usr/share/ipa/wsgi.py'.
[Thu Oct 05 11:36:38.504758 2017] [:error] [pid 7424] [remote 192.168.1.48:244] 
Traceback (most recent call last):
[Thu Oct 05 11:36:38.504776 2017] [:error] [pid 7424] [remote 192.168.1.48:244] 
  File "/usr/share/ipa/wsgi.py", line 51, in application
[Thu Oct 05 11:36:38.504845 2017] [:error] [pid 7424] [remote 192.168.1.48:244] 
return api.Backend.wsgi_dispatch(environ, start_response)
[Thu Oct 05 11:36:38.504855 2017] [:error] [pid 7424] [remote 192.168.1.48:244] 
  File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 262, in 
__call__
[Thu Oct 05 11:36:38.505045 2017] [:error] [pid 7424] [remote 192.168.1.48:244] 
return self.route(environ, start_response)
[Thu Oct 05 11:36:38.505054 2017] [:error] [pid 7424] [remote 192.168.1.48:244] 
  File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 274, in 
route
[Thu Oct 05 11:36:38.505067 2017] [:error] [pid 7424] [remote 192.168.1.48:244] 
return app(environ, start_response)
[Thu Oct 05 11:36:38.505072 2017] [:error] [pid 7424] [remote 192.168.1.48:244] 
  File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 929, in 
__call__
[Thu Oct 05 11:36:38.505079 2017] [:error] [pid 7424] [remote 192.168.1.48:244] 
self.kinit(user_principal, password, ipa_ccache_name)
[Thu Oct 05 11:36:38.505083 2017] [:error] [pid 7424] [remote 192.168.1.48:244] 
  File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 965, in 
kinit
[Thu Oct 05 11:36:38.505089 2017] [:error] [pid 7424] [remote 192.168.1.48:244] 
pkinit_anchors=[paths.KDC_CERT, paths.KDC_CA_BUNDLE_PEM],
[Thu Oct 05 11:36:38.505094 2017] [:error] [pid 7424] [remote 192.168.1.48:244] 
  File "/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 125, in 
kinit_armor
[Thu Oct 05 11:36:38.505135 2017] [:error] [pid 7424] [remote 192.168.1.48:244] 
run(args, env=env, raiseonerr=True, capture_error=True)
[Thu Oct 05 11:36:38.505143 2017] [:error] [pid 7424] [remote 192.168.1.48:244] 
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 511, in run
[Thu Oct 05 11:36:38.505346 2017] [:error] [pid 7424] [remote 192.168.1.48:244] 
raise CalledProcessError(p.returncode, arg_string, str(output))
[Thu Oct 05 11:36:38.505372 2017] [:error] [pid 7424] [remote 192.168.1.48:244] 
CalledProcessError: Command '/usr/bin/kinit -n -c 
/var/run/ipa/ccaches/armor_7424 -X 
X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X 
X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned non-zero 
exit status 1





[Freeipa-users] Re: Can't log on using password when /tmp is full

2017-09-20 Thread Marius Bjørnstad via FreeIPA-users
Thanks for the replies. We have migrated most servers to RHEL7. I'll see about 
configuring the default_ccache_name on those, one way or another.

-Marius
> On 20 Sep 2017 at 09:02, Jakub Hrozek via FreeIPA-users 
> <freeipa-users@lists.fedorahosted.org> wrote:
> 
> On Tue, Sep 19, 2017 at 04:25:21PM -0400, Simo Sorce wrote:
>> On Tue, 2017-09-19 at 20:27 +0200, Jakub Hrozek via FreeIPA-users
>> wrote:
>>> On Mon, Sep 18, 2017 at 05:11:09PM +0200, Marius Bjørnstad via
>>> FreeIPA-users wrote:
>>>> Hi,
>>>> 
>>>> When /tmp is full, it is impossible to authenticate with Kerberos.
>>>> Login with password over SSH and sudo don't work. Login with ssh
>>>> key works fine. Here is the output in the system log when I try to
>>>> log on via SSH with password auth (this is on RHEL 6):
>>>> 
>>>> Sep 18 16:56:59 vali sshd[35157]: Set /proc/self/oom_score_adj to 0
>>>> Sep 18 16:56:59 vali sshd[35157]: Connection from 192.168.1.48 port
>>>> 49917
>>>> Sep 18 16:57:02 vali [sssd[krb5_child[35165]]]: Credentials cache
>>>> I/O operation failed XXX
>>>> Sep 18 16:57:02 vali [sssd[krb5_child[35165]]]: Credentials cache
>>>> I/O operation failed XXX
>>>> Sep 18 16:57:04 vali sshd[35157]: Failed password for paalmbj from
>>>> 192.168.1.48 port 49917 ssh2
>>>> Sep 18 16:57:07 vali sshd[35158]: Connection closed by 192.168.1.48
>>>> 
>>>> From SSH I get:
>>>> Permission denied, please try again.
>>>> 
>>>> The problem seems to be that Kerberos can't store its credentials
>>>> cache. Is this normal, and is there a way around it? Sure, ideally
>>>> I should limit the space usable by each user, but that doesn't help
>>>> when a given user needs to log in and fix their tmp usage.
>>> 
>>> Well, you need to store the credentials /somewhere/...so if the
>>> credential storage is full, the only remaining thing is to fall back
>>> to
>>> cached passwords.
>>> 
>>> Which, if they are available (through cache_credentials=True in
>>> sssd.conf) is what I'd expect to happen. If that doesn't happen,
>>> please
>>> post your sssd logs..
>>> 
>> 
>> That should happen only if we are offline, not if krb auth fails?
> 
> Yes, you're right, sorry.
> 
> (Although we've had a request to allow to run sssd in a degraded
> responder-only mode in case /var is full and the providers can't write
> into the db, I guess that's what I confused the issue with)
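As an added example (not from the thread), here is a krb5.conf [libdefaults] fragment that shows the file-backed credential cache location, which is what fails when /tmp is full, beside the keyring-backed setting Marius intends to configure. The realm name is a placeholder.

```ini
[libdefaults]
 default_realm = EXAMPLE.TEST

 # Weak: a file-backed cache under /tmp. When /tmp is full, krb5_child cannot
 # write the cache and password logins fail with "Credentials cache I/O
 # operation failed", as in the log above.
 #default_ccache_name = FILE:/tmp/krb5cc_%{uid}

 # Better: a per-user kernel keyring cache that needs no filesystem space.
 default_ccache_name = KEYRING:persistent:%{uid}
```

If sssd.conf sets krb5_ccname_template, that value takes precedence for logins handled by SSSD, so check both places. A keyring cache avoids the filesystem but has its own per-user quota (the kernel.keys.maxbytes and kernel.keys.maxkeys sysctls), so a user holding a very large number of tickets can still run into a limit there.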


[Freeipa-users] Can't log on using password when /tmp is full

2017-09-19 Thread Marius Bjørnstad via FreeIPA-users
Hi,

When /tmp is full, it is impossible to authenticate with Kerberos. Login with 
password over SSH and sudo don't work. Login with ssh key works fine. Here is 
the output in the system log when I try to log on via SSH with password auth 
(this is on RHEL 6):

Sep 18 16:56:59 vali sshd[35157]: Set /proc/self/oom_score_adj to 0
Sep 18 16:56:59 vali sshd[35157]: Connection from 192.168.1.48 port 49917
Sep 18 16:57:02 vali [sssd[krb5_child[35165]]]: Credentials cache I/O operation 
failed XXX
Sep 18 16:57:02 vali [sssd[krb5_child[35165]]]: Credentials cache I/O operation 
failed XXX
Sep 18 16:57:04 vali sshd[35157]: Failed password for paalmbj from 192.168.1.48 
port 49917 ssh2
Sep 18 16:57:07 vali sshd[35158]: Connection closed by 192.168.1.48

From SSH I get:
Permission denied, please try again.

The problem seems to be that Kerberos can't store its credentials cache. Is 
this normal, and is there a way around it? Sure, ideally I should limit the 
space usable by each user, but that doesn't help when a given user needs to log 
in and fix their tmp usage.

Thanks,
Marius


[Freeipa-users] Integrating a server which only supports kadmin

2017-07-24 Thread Marius Bjørnstad via FreeIPA-users
Hi list,

A bit of a longshot: We have a Dell/EMC Isilon cluster, which we use for NAS. I 
am considering setting up Kerberos authentication for NFSv4, but I'm not able to 
create the Service Principal Names (SPNs). I believe kadmin is not supported by 
the FreeIPA servers, but wonder if there are any work-arounds.

I can configure the KDCs, domain and realm successfully in the Isilon UI. The 
UI then asks for a username and password, and which SPNs to "Add". When I use 
the admin user, this fails right away (with an error "Failed to join realm: 
LW_ERROR_KADM5_AUTH_ADD"). It doesn't matter if I create the service principal 
in the FreeIPA system first, I get the same error.  The UI doesn't have an 
option to take a keytab, just a username and password.

I'm curious if anyone has been able to work with systems which insist on using 
the kadmin protocol.

(LDAP is working perfectly)

Thanks,
Marius