
After a Fedora server update, my FreeIPA broke and I am not sure how to deal with it. Does anyone have any idea what might be the issue?

I am unable to log in to the web UI or execute any IPA command.

$ journalctl

gssproxy[910]: gssproxy[951]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
gssproxy[951]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
gssproxy[910]: gssproxy[951]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, Preauthentication failed
gssproxy[951]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, Preauthentication failed

$ cat /var/log/httpd/error_log

[suexec:notice] [pid 5529:tid 139897184471296] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[so:warn] [pid 5529:tid 139897184471296] AH01574: module proxy_module is already loaded, skipping
[so:warn] [pid 5529:tid 139897184471296] AH01574: module proxy_http_module is already loaded, skipping
[lbmethod_heartbeat:notice] [pid 5529:tid 139897184471296] AH02282: No slotmem from mod_heartmonitor
[mpm_event:notice] [pid 5529:tid 139897184471296] AH00489: Apache/2.4.39 (Fedora) OpenSSL/1.1.1c mod_wsgi/4.6.4 Python/3.7 3.9 mod_perl/2.0.10 Perl/v5.28.2 configured -- resuming normal operations
[core:notice] [pid 5529:tid 139897184471296] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[wsgi:error] [pid 5833:tid 139897184471296] ipa: INFO: *** PROCESS START ***
[wsgi:error] [pid 5837:tid 139897184471296] ipa: INFO: *** PROCESS START ***
[wsgi:error] [pid 5832:tid 139897184471296] ipa: INFO: *** PROCESS START ***
[wsgi:error] [pid 5839:tid 139897184471296] ipa: INFO: *** PROCESS START ***
[wsgi:error] [pid 5833:tid 139896787969792] [remote 10.0.1.8:36236] ipa: INFO: [jsonserver_i18n_messages] UNKNOWN: CCESS
[:warn] [pid 5842:tid 139896429713152] [client 10.0.1.8:36236] KRB5CCNAME file (/run/ipa/ccaches/admin@HOME.MYDOMAIN.COM) lookup .home.mydomain.com/ipa/ui/
[:warn] [pid 5841:tid 139896561800960] [client 10.0.1.8:36238] KRB5CCNAME file (/run/ipa/ccaches/admin@HOME.MYDOMAIN.COM) lookup .home.mydomain.com/ipa/ui/
[auth_gssapi:error] [pid 5840:tid 139896236779264] [client 10.0.1.10:47164] GSS ERROR gss_acquire_cred[_from]() failed to get lure.  Minor code may provide more information ( SPNEGO cannot find mechanisms to negotiate)]
[wsgi:error] [pid 5833:tid 139896787969792] [remote 10.0.1.8:36236] ipa: INFO: 401 Unauthorized: No session cookie found

$ ipa-pkinit-manage status

PKINIT is enabled
The ipa-pkinit-manage command was successful

$ kinit myuser

Password for myuser@HOME.MYDOMAIN.COM: 
$ klist
Ticket cache: KEYRING:persistent:1907400001:krb_ccache_QYeLVmz
Default principal: myuser@HOME.MYDOMAIN.COM

Valid starting     Expires            Service principal
08/09/19 00:11:36  09/09/19 00:11:33  krbtgt/HOME.MYDOMAIN.COM@HOME.MYDOMAIN.COM

$ ipa -v ping

ipa: DEBUG: trying https://$ ipaserver.home.mydomain.com/ipa/json
ipa: DEBUG: Created connection context.rpcclient_139944946411792
ipa: DEBUG: [try 1]: Forwarding 'schema' to json server 'https://$ ipaserver.home.mydomain.com/ipa/json'
ipa: DEBUG: New HTTP connection ($ ipaserver.home.mydomain.com)
ipa: DEBUG: HTTP connection destroyed ($ ipaserver.home.mydomain.com)
Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/ipaclient/remote_plugins/__init__.py", line 126, in get_package
    plugins = api._remote_plugins
AttributeError: 'API' object has no attribute '_remote_plugins'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/ipalib/rpc.py", line 649, in get_auth_info
    response = self._sec_context.step()
  File "</usr/local/lib/python3.7/site-packages/decorator.py:decorator-gen-15>", line 2, in step
  File "/usr/lib64/python3.7/site-packages/gssapi/_utils.py", line 167, in check_last_err
    return func(self, *args, **kwargs)
  File "</usr/local/lib/python3.7/site-packages/decorator.py:decorator-gen-5>", line 2, in step
  File "/usr/lib64/python3.7/site-packages/gssapi/_utils.py", line 127, in catch_and_return_token
    return func(self, *args, **kwargs)
  File "/usr/lib64/python3.7/site-packages/gssapi/sec_contexts.py", line 521, in step
    return self._initiator_step(token=token)
  File "/usr/lib64/python3.7/site-packages/gssapi/sec_contexts.py", line 542, in _initiator_step
    token)
  File "gssapi/raw/sec_contexts.pyx", line 244, in gssapi.raw.sec_contexts.init_sec_context
gssapi.raw.misc.GSSError: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529639053): No Kerberos credentials available (default cache: KEYRING:persistent:0)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/ipalib/rpc.py", line 699, in single_request
    self.get_auth_info()
  File "/usr/lib/python3.7/site-packages/ipalib/rpc.py", line 651, in get_auth_info
    self._handle_exception(e, service=service)
  File "/usr/lib/python3.7/site-packages/ipalib/rpc.py", line 608, in _handle_exception
    raise errors.CCacheError()
ipalib.errors.CCacheError: did not receive Kerberos credentials
ipa: DEBUG: Destroyed connection context.rpcclient_139944946411792
ipa: ERROR: did not receive Kerberos credentials

$ kinit -k -t /var/lib/ipa/gssproxy/http.keytab HTTP/$ ipaserver.home.mydomain.com@HOME.MYDOMAIN.COM

kinit: Preauthentication failed while getting initial credentials

$ ipa -vv pwpolicy-show global_policy

ipa: DEBUG: failed to find session_cookie in persistent storage for principal 'admin@HOME.IBLVFX.COM'
ipa: DEBUG: trying https://$ ipaserver.home.mydomain.com/ipa/json
ipa: DEBUG: Created connection context.rpcclient_140652464016656
ipa: DEBUG: [try 1]: Forwarding 'schema' to json server 'https://$ ipaserver.home.mydomain.com/ipa/json'
ipa: DEBUG: New HTTP connection ($ ipaserver.home.mydomain.com)
ipa: DEBUG: HTTP connection destroyed ($ ipaserver.home.mydomain.com)
Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/ipaclient/remote_plugins/__init__.py", line 126, in get_package
    plugins = api._remote_plugins
AttributeError: 'API' object has no attribute '_remote_plugins'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/ipalib/rpc.py", line 726, in single_request
    if not self._auth_complete(response):
  File "/usr/lib/python3.7/site-packages/ipalib/rpc.py", line 679, in _auth_complete
    message=u"No valid Negotiate header in server response")
ipalib.errors.KerberosError: No valid Negotiate header in server response
ipa: DEBUG: Destroyed connection context.rpcclient_140652464016656
ipa: ERROR: No valid Negotiate header in server response

$ cat /var/log/krb5kdc.log

38:08 ipa (info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.1.10: NEEDED_PREAUTH: admin@HOME.MYDOMAIN.COM for krbtgt/HOME.MYDOMAIN.COM@HOME.MYDOMAIN.COM, Additional pre-authentication required
38:08 ipa (info): closing down fd 11
38:11 ipa (info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.1.10: ISSUE: authtime 1568572691, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, admin@HOME.MYDOMAIN.COM for krbtgt/HOME.MYDOMAIN.COM@HOME.MYDOMAIN.COM
38:11 ipa (info): closing down fd 11
38:21 ipa (info): TGS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.1.10: ISSUE: authtime 1568572691, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, admin@HOME.MYDOMAIN.COM for HTTP/ipa.home.mydomain.com@HOME.MYDOMAIN.COM
38:21 ipa (info): closing down fd 11
38:21 ipa (info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.1.10: NEEDED_PREAUTH: HTTP/ipa.home.mydomain.com@HOME.MYDOMAIN.COM for krbtgt/HOME.MYDOMAIN.COM@HOME.MYDOMAIN.COM, Additional pre-authentication required
38:21 ipa (info): closing down fd 11
38:21 ipa (info): preauth (spake) verify failure: Preauthentication failed
38:21 ipa (info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.1.10: PREAUTH_FAILED: HTTP/ipa.home.mydomain.com@HOME.MYDOMAIN.COM for krbtgt/HOME.MYDOMAIN.COM@HOME.MYDOMAIN.COM, Preauthentication failed
38:21 ipa (info): closing down fd 11
38:21 ipa (info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.1.10: NEEDED_PREAUTH: HTTP/ipa.home.mydomain.com@HOME.MYDOMAIN.COM for krbtgt/HOME.MYDOMAIN.COM@HOME.MYDOMAIN.COM, Additional pre-authentication required
38:21 ipa (info): closing down fd 11
38:21 ipa (info): preauth (spake) verify failure: Preauthentication failed
38:21 ipa (info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.1.10: PREAUTH_FAILED: HTTP/ipa.home.mydomain.com@HOME.MYDOMAIN.COM for krbtgt/HOME.MYDOMAIN.COM@HOME.MYDOMAIN.COM, Preauthentication failed
38:21 ipa (info): closing down fd 11

$ kvno ldap/ipaserver.home.mydomain.com@HOME.MYDOMAIN.COM

ldap/ipaserver.home.mydomain.com@HOME.MYDOMAIN.COM: kvno = 2

$ klist -kte

Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 2019-02-18 18:46:43 host/ipaserver.home.mydomain.com@HOME.MYDOMAIN.COM (aes256-cts-hmac-sha1-96) 
   2 2019-02-18 18:46:43 host/ipaserver.home.mydomain.com@HOME.MYDOMAIN.COM (aes128-cts-hmac-sha1-96) 
   2 2019-02-18 18:46:43 host/ipaserver.home.mydomain.com@HOME.MYDOMAIN.COM (DEPRECATED:des3-cbc-sha1) 
   2 2019-02-18 18:46:43 host/ipaserver.home.mydomain.com@HOME.MYDOMAIN.COM (DEPRECATED:arcfour-hmac) 
   2 2019-02-18 18:46:43 host/ipaserver.home.mydomain.com@HOME.MYDOMAIN.COM (camellia128-cts-cmac) 
   2 2019-02-18 18:46:43 host/ipaserver.home.mydomain.com@HOME.MYDOMAIN.COM (camellia256-cts-cmac) 
   4 2019-02-19 00:33:12 host/ipaserver.home.mydomain.com@HOME.MYDOMAIN.COM (aes256-cts-hmac-sha1-96) 
   4 2019-02-19 00:33:12 host/ipaserver.home.mydomain.com@HOME.MYDOMAIN.COM (aes128-cts-hmac-sha1-96) 
   1 2019-02-19 00:34:01 nfs/ipaserver.home.mydomain.com@HOME.MYDOMAIN.COM (aes256-cts-hmac-sha1-96) 
   1 2019-02-19 00:34:01 nfs/ipaserver.home.mydomain.com@HOME.MYDOMAIN.COM (aes128-cts-hmac-sha1-96) 
tmdag
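
For reading a krb5kdc.log like the one in the question, the following added example (not part of the original post) tallies AS_REQ outcomes per client principal and lists principals whose pre-authentication failed without a ticket ever being issued. The sample lines are constructed and shortened from the excerpt above; the function names and the service/user heuristic are assumptions of this example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, shortened from the krb5kdc.log excerpt in the question.
SAMPLE = """\
38:08 ipa (info): AS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.0.1.10: NEEDED_PREAUTH: admin@HOME.MYDOMAIN.COM for krbtgt/HOME.MYDOMAIN.COM@HOME.MYDOMAIN.COM, Additional pre-authentication required
38:11 ipa (info): AS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.0.1.10: ISSUE: authtime 1568572691, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, admin@HOME.MYDOMAIN.COM for krbtgt/HOME.MYDOMAIN.COM@HOME.MYDOMAIN.COM
38:21 ipa (info): TGS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.0.1.10: ISSUE: authtime 1568572691, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, admin@HOME.MYDOMAIN.COM for HTTP/ipa.home.mydomain.com@HOME.MYDOMAIN.COM
38:21 ipa (info): AS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.0.1.10: NEEDED_PREAUTH: HTTP/ipa.home.mydomain.com@HOME.MYDOMAIN.COM for krbtgt/HOME.MYDOMAIN.COM@HOME.MYDOMAIN.COM, Additional pre-authentication required
38:21 ipa (info): preauth (spake) verify failure: Preauthentication failed
38:21 ipa (info): AS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.0.1.10: PREAUTH_FAILED: HTTP/ipa.home.mydomain.com@HOME.MYDOMAIN.COM for krbtgt/HOME.MYDOMAIN.COM@HOME.MYDOMAIN.COM, Preauthentication failed
38:21 ipa (info): AS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.0.1.10: PREAUTH_FAILED: HTTP/ipa.home.mydomain.com@HOME.MYDOMAIN.COM for krbtgt/HOME.MYDOMAIN.COM@HOME.MYDOMAIN.COM, Preauthentication failed
""".splitlines()

REQ = re.compile(
    r"(?P<kind>AS_REQ|TGS_REQ) \(.*?\}\) (?P<addr>\S+): (?P<status>[A-Z_]+): "
    r"(?:authtime \d+, etypes \{[^}]*\}, )?"  # only present on ISSUE lines
    r"(?P<client>\S+) for (?P<server>[^\s,]+)"
)

def parse(lines):
    """Yield (kind, addr, status, client, server) for each request line."""
    for line in lines:
        m = REQ.search(line)
        if m:  # lines such as "closing down fd 11" are skipped
            yield m.group("kind", "addr", "status", "client", "server")

def as_req_outcomes(lines):
    """Count AS_REQ outcomes (NEEDED_PREAUTH, ISSUE, ...) per client principal."""
    out = defaultdict(Counter)
    for kind, _addr, status, client, _server in parse(lines):
        if kind == "AS_REQ":
            out[client][status] += 1
    return out

def never_authenticated(lines):
    """Principals whose pre-authentication failed and that never got a TGT."""
    report = []
    for client, c in sorted(as_req_outcomes(lines).items()):
        if c["PREAUTH_FAILED"] and not c["ISSUE"]:
            # Heuristic (assumption): a '/' in the name marks a service or host
            # principal, which normally authenticates from a keytab.
            kind = "service" if "/" in client.split("@")[0] else "user"
            report.append((client, kind, c["PREAUTH_FAILED"]))
    return report

if __name__ == "__main__":
    for client, kind, n in never_authenticated(SAMPLE):
        print(f"{client} ({kind} principal): {n} PREAUTH_FAILED, no ticket issued")
```
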

1 Answer


Try changing the permissions for krb5kdc; it worked in my case.

chmod a+x /var/lib/krb5kdc/
Nan