Help with ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure in attempt to loadbalance
by dweller dweller
Hi. I am aware that there have been many discussions regarding fully load balancing FreeIPA replicas, but I am doing it for the sake of experimentation. For my tests, I mainly rely on this article - https://mrgecko.org/blog/2022/freeipa-load-balance, although I am using nginx instead of HAProxy.
Currently, I have only one replica that is behind an nginx proxy, and I am able to access the FreeIPA WebUI via the load balancer's hostname and perform usual operations without any issues. However, I am now trying to enroll a host using the "--server=<loadbalancer_hostname>" option, but the installation fails. I have collected two types of ipaclient-install logs - one that fails when I try to add the host with "--server=<loadbalancer>", and one "healthy" log from the enrollment of the same host, bypassing the proxy directly to the ipa-server (as in the usual operation).
with "--server=<loadbalancer>":
>failed to find session_cookie in persistent storage for principal 'host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL'
>trying https://lb.ipa.edu.novalocal/ipa/json
>Created connection context.rpcclient_140218712782800
>[try 1]: Forwarding 'schema' to json server 'https://lb.ipa.edu.novalocal/ipa/json'
>New HTTP connection (lb.ipa.edu.novalocal)
>[4637] 1690357386.007597: ccselect module realm chose cache FILE:/etc/ipa/.dns_ccache with client principal host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL for server principal HTTP/lb.ipa.edu.novalocal(a)EDU-IPA.NOVALOCAL
>[4637] 1690357386.007598: Getting credentials host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> HTTP/lb.ipa.edu.novalocal(a)EDU-IPA.NOVALOCAL using ccache FILE:/etc/ipa/.dns_ccache
>[4637] 1690357386.007599: Retrieving host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> HTTP/lb.ipa.edu.novalocal(a)EDU-IPA.NOVALOCAL from FILE:/etc/ipa/.dns_ccache with result: -1765328243/Matching credential not found (filename: /etc/ipa/.dns_ccache)
>[4637] 1690357386.007600: Retrieving host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> krbtgt/EDU-IPA.NOVALOCAL(a)EDU-IPA.NOVALOCAL from FILE:/etc/ipa/.dns_ccache with result: 0/Success
>[4637] 1690357386.007601: Starting with TGT for client realm: host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> krbtgt/EDU-IPA.NOVALOCAL(a)EDU-IPA.NOVALOCAL
>[4637] 1690357386.007602: Requesting tickets for HTTP/lb.ipa.edu.novalocal(a)EDU-IPA.NOVALOCAL, referrals on
>[4637] 1690357386.007603: Generated subkey for TGS request: aes256-cts/F148
>[4637] 1690357386.007604: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
>[4637] 1690357386.007606: Encoding request body and padata into FAST request
>[4637] 1690357386.007607: Sending request (2338 bytes) to EDU-IPA.NOVALOCAL
>[4637] 1690357386.007608: Initiating TCP connection to stream 172.28.19.159:88
>[4637] 1690357386.007609: Sending TCP request to stream 172.28.19.159:88
>[4637] 1690357386.007610: Received answer (2307 bytes) from stream 172.28.19.159:88
>[4637] 1690357386.007611: Terminating TCP connection to stream 172.28.19.159:88
>[4637] 1690357386.007612: Response was from master KDC
>[4637] 1690357386.007613: Decoding FAST response
>[4637] 1690357386.007614: FAST reply key: aes256-cts/2EEF
>[4637] 1690357386.007615: TGS reply is for host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> HTTP/lb.ipa.edu.novalocal(a)EDU-IPA.NOVALOCAL with session key aes256-cts/011A
>[4637] 1690357386.007616: TGS request result: 0/Success
>[4637] 1690357386.007617: Received creds for desired service HTTP/lb.ipa.edu.novalocal(a)EDU-IPA.NOVALOCAL
>[4637] 1690357386.007618: Storing host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> HTTP/lb.ipa.edu.novalocal(a)EDU-IPA.NOVALOCAL in FILE:/etc/ipa/.dns_ccache
>[4637] 1690357386.007620: Creating authenticator for host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> HTTP/lb.ipa.edu.novalocal(a)EDU-IPA.NOVALOCAL, seqnum 355879243, subkey aes256-cts/2361, session key aes256-cts/011A
>[4637] 1690357386.007625: Read AP-REP, time 1690357386.7621, subkey aes256-cts/9ABD, seqnum 40531156
>received Set-Cookie (<class 'list'>)'['ipa_session=MagBearerToken=%2bhag7JQJbAfw2IDK9dAniiDEoewHlMpUXT5bjUBYHxr4jsjVz7FOJdB7Ch8KsOBwJAOlnf6NAdJOJik2a%2buW%2bRhvchtk3puGPk0Q6PZ34UESQLVyelSgVzjsWPeybbNKAwa%2f6pQJoCYWd5drZDbxnv%2fz0qxNkJ2niQikaXi1ZkgndV7z5r00gPluZhJS9Mb6Nrl9T1JWUVc0UZJAk0LaJGTjjEBUxcpDaXs6QMq1LvY8BYfmff3KLkm%2b8JyfX6hRkUA088wimKQsLsHnHKbInDtgt2SwQCntfKIXQt9YEbvyOr9w1%2bWNEXDXLtGMxQT3;path=/ipa;httponly;secure;']'
>storing cookie 'ipa_session=MagBearerToken=%2bhag7JQJbAfw2IDK9dAniiDEoewHlMpUXT5bjUBYHxr4jsjVz7FOJdB7Ch8KsOBwJAOlnf6NAdJOJik2a%2buW%2bRhvchtk3puGPk0Q6PZ34UESQLVyelSgVzjsWPeybbNKAwa%2f6pQJoCYWd5drZDbxnv%2fz0qxNkJ2niQikaXi1ZkgndV7z5r00gPluZhJS9Mb6Nrl9T1JWUVc0UZJAk0LaJGTjjEBUxcpDaXs6QMq1LvY8BYfmff3KLkm%2b8JyfX6hRkUA088wimKQsLsHnHKbInDtgt2SwQCntfKIXQt9YEbvyOr9w1%2bWNEXDXLtGMxQT3;' for principal host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL
>[4637] 1690357386.007629: Storing config in FILE:/etc/ipa/.dns_ccache for host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL: X-IPA-Session-Cookie: ipa_session=MagBearerToken=%2bhag7JQJbAfw2IDK9dAniiDEoewHlMpUXT5bjUBYHxr4jsjVz7FOJdB7Ch8KsOBwJAOlnf6NAdJOJik2a%2buW%2bRhvchtk3puGPk0Q6PZ34UESQLVyelSgVzjsWPeybbNKAwa%2f6pQJoCYWd5drZDbxnv%2fz0qxNkJ2niQikaXi1ZkgndV7z5r00gPluZhJS9Mb6Nrl9T1JWUVc0UZJAk0LaJGTjjEBUxcpDaXs6QMq1LvY8BYfmff3KLkm%2b8JyfX6hRkUA088wimKQsLsHnHKbInDtgt2SwQCntfKIXQt9YEbvyOr9w1%2bWNEXDXLtGMxQT3;\x00
>[4637] 1690357386.007630: Storing host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> krb5_ccache_conf_data/X-IPA-Session-Cookie/host\/test-lb-enroll.edu.novalocal\@EDU-IPA.NOVALOCAL(a)X-CACHECONF: in FILE:/etc/ipa/.dns_ccache
>Destroyed connection context.rpcclient_140218712782800
> File "/usr/lib64/python3/site-packages/ipapython/admintool.py", line 180, in execute
> return_value = self.run()
> File "/usr/lib64/python3/site-packages/ipapython/install/cli.py", line 342, in run
> return cfgr.run()
> File "/usr/lib64/python3/site-packages/ipapython/install/core.py", line 360, in run
> return self.execute()
> File "/usr/lib64/python3/site-packages/ipapython/install/core.py", line 386, in execute
> for rval in self._executor():
> File "/usr/lib64/python3/site-packages/ipapython/install/core.py", line 431, in __runner
> exc_handler(exc_info)
> File "/usr/lib64/python3/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
> self._handle_exception(exc_info)
> File "/usr/lib64/python3/site-packages/ipapython/install/core.py", line 450, in _handle_exception
> six.reraise(*exc_info)
> File "/usr/lib/python3/site-packages/six.py", line 693, in reraise
> raise value
> File "/usr/lib64/python3/site-packages/ipapython/install/core.py", line 421, in __runner
> step()
> File "/usr/lib64/python3/site-packages/ipapython/install/core.py", line 418, in <lambda>
> step = lambda: next(self.__gen)
> File "/usr/lib64/python3/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
> six.reraise(*exc_info)
> File "/usr/lib/python3/site-packages/six.py", line 693, in reraise
> raise value
> File "/usr/lib64/python3/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
> value = gen.send(prev_value)
> File "/usr/lib64/python3/site-packages/ipapython/install/core.py", line 655, in _configure
> next(executor)
> File "/usr/lib64/python3/site-packages/ipapython/install/core.py", line 431, in __runner
> exc_handler(exc_info)
> File "/usr/lib64/python3/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
> self._handle_exception(exc_info)
> File "/usr/lib64/python3/site-packages/ipapython/install/core.py", line 518, in _handle_exception
> self.__parent._handle_exception(exc_info)
> File "/usr/lib64/python3/site-packages/ipapython/install/core.py", line 450, in _handle_exception
> six.reraise(*exc_info)
> File "/usr/lib/python3/site-packages/six.py", line 693, in reraise
> raise value
> File "/usr/lib64/python3/site-packages/ipapython/install/core.py", line 515, in _handle_exception
> super(ComponentBase, self)._handle_exception(exc_info)
> File "/usr/lib64/python3/site-packages/ipapython/install/core.py", line 450, in _handle_exception
> six.reraise(*exc_info)
> File "/usr/lib/python3/site-packages/six.py", line 693, in reraise
> raise value
> File "/usr/lib64/python3/site-packages/ipapython/install/core.py", line 421, in __runner
> step()
> File "/usr/lib64/python3/site-packages/ipapython/install/core.py", line 418, in <lambda>
> step = lambda: next(self.__gen)
> File "/usr/lib64/python3/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
> six.reraise(*exc_info)
> File "/usr/lib/python3/site-packages/six.py", line 693, in reraise
> raise value
> File "/usr/lib64/python3/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
> value = gen.send(prev_value)
> File "/usr/lib64/python3/site-packages/ipapython/install/common.py", line 65, in _install
> for unused in self._installer(self.parent):
> File "/usr/lib64/python3/site-packages/ipaclient/install/client.py", line 3833, in main
> install(self)
> File "/usr/lib64/python3/site-packages/ipaclient/install/client.py", line 2520, in install
> _install(options)
> File "/usr/lib64/python3/site-packages/ipaclient/install/client.py", line 2846, in _install
> api.finalize()
> File "/usr/lib64/python3/site-packages/ipalib/plugable.py", line 751, in finalize
> self.__do_if_not_done('load_plugins')
> File "/usr/lib64/python3/site-packages/ipalib/plugable.py", line 438, in __do_if_not_done
> getattr(self, name)()
> File "/usr/lib64/python3/site-packages/ipalib/plugable.py", line 630, in load_plugins
> for package in self.packages:
> File "/usr/lib64/python3/site-packages/ipalib/__init__.py", line 949, in packages
> ipaclient.remote_plugins.get_package(self),
> File "/usr/lib64/python3/site-packages/ipaclient/remote_plugins/__init__.py", line 134, in get_package
> plugins = schema.get_package(server_info, client)
> File "/usr/lib64/python3/site-packages/ipaclient/remote_plugins/schema.py", line 553, in get_package
> schema = Schema(client)
> File "/usr/lib64/python3/site-packages/ipaclient/remote_plugins/schema.py", line 402, in __init__
> fingerprint, ttl = self._fetch(client, ignore_cache=read_failed)
> File "/usr/lib64/python3/site-packages/ipaclient/remote_plugins/schema.py", line 427, in _fetch
> schema = client.forward(u'schema', **kwargs)['result']
> File "/usr/lib64/python3/site-packages/ipalib/rpc.py", line 1151, in forward
> return self._call_command(command, params)
> File "/usr/lib64/python3/site-packages/ipalib/rpc.py", line 1127, in _call_command
> return command(*params)
> File "/usr/lib64/python3/site-packages/ipalib/rpc.py", line 1281, in _call
> return self.__request(name, args)
> File "/usr/lib64/python3/site-packages/ipalib/rpc.py", line 1275, in __request
> raise error_class(**kw)
>
>The ipa-client-install command failed, exception: ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)
>Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)
normal enrollment (same spot in the logs):
>restart of certmonger.service complete
>Adding SSH public key from /etc/openssh/ssh_host_rsa_key.pub
>Adding SSH public key from /etc/openssh/ssh_host_dsa_key.pub
>Adding SSH public key from /etc/openssh/ssh_host_ecdsa_key.pub
>Adding SSH public key from /etc/openssh/ssh_host_ed25519_key.pub
>[try 1]: Forwarding 'host_mod' to json server 'https://infra-ipa-master-01.edu-ipa.novalocal/ipa/json'
>HTTP connection keep-alive (infra-ipa-master-01.edu-ipa.novalocal)
>[3825] 1690356381.860222: ccselect module realm chose cache FILE:/etc/ipa/.dns_ccache with client principal host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL for server principal HTTP/infra-ipa-master-01.edu-ipa.novalocal(a)EDU-IPA.NOVALOCAL
>[3825] 1690356381.860223: Getting credentials host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> HTTP/infra-ipa-master-01.edu-ipa.novalocal@ using ccache FILE:/etc/ipa/.dns_ccache
>[3825] 1690356381.860224: Retrieving host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> HTTP/infra-ipa-master-01.edu-ipa.novalocal@ from FILE:/etc/ipa/.dns_ccache with result: 0/Success
>[3825] 1690356381.860226: Creating authenticator for host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> HTTP/infra-ipa-master-01.edu-ipa.novalocal@, seqnum 279994011, subkey aes256-cts/E278, session key aes256-cts/B2AD
>[3825] 1690356381.860231: Read AP-REP, time 1690356381.860227, subkey aes256-cts/6032, seqnum 235082758
>received Set-Cookie (<class 'list'>)'['ipa_session=MagBearerToken=5XuhX%2bo07hp5qHnzynQMGsdohzfvuaAYlilcKWmx%2fE2xeBKvvbqvWVEsk2gPHGr7hdQoDcXXirlgzgHDsIKEk7gNOuDHYO8fo%2fuXzYsTQU4osh4GhNtfZu7sZvnWoZz8uKe3ggoF%2b5%2fdZIy7Sao%2b6GnrEKTVzmHBNCPUUyyMBMBOX83eGmJO2WunWXMoJw4NEM%2buSPWwkpUtp4nuniTxuFzEtoyDnBGuJqMB93dTA7hkE7ASNy3o5TjbvXBjIuM3Y1R9ecbfWxI4psuQfnkQKOaCTidU3xRDyY72%2brrH2U5N0yBggeL3CEExSm%2fWQadG;path=/ipa;httponly;secure;']'
>storing cookie 'ipa_session=MagBearerToken=5XuhX%2bo07hp5qHnzynQMGsdohzfvuaAYlilcKWmx%2fE2xeBKvvbqvWVEsk2gPHGr7hdQoDcXXirlgzgHDsIKEk7gNOuDHYO8fo%2fuXzYsTQU4osh4GhNtfZu7sZvnWoZz8uKe3ggoF%2b5%2fdZIy7Sao%2b6GnrEKTVzmHBNCPUUyyMBMBOX83eGmJO2WunWXMoJw4NEM%2buSPWwkpUtp4nuniTxuFzEtoyDnBGuJqMB93dTA7hkE7ASNy3o5TjbvXBjIuM3Y1R9ecbfWxI4psuQfnkQKOaCTidU3xRDyY72%2brrH2U5N0yBggeL3CEExSm%2fWQadG;' for principal host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL
>[3825] 1690356381.860235: Storing config in FILE:/etc/ipa/.dns_ccache for host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL: X-IPA-Session-Cookie: ipa_session=MagBearerToken=5XuhX%2bo07hp5qHnzynQMGsdohzfvuaAYlilcKWmx%2fE2xeBKvvbqvWVEsk2gPHGr7hdQoDcXXirlgzgHDsIKEk7gNOuDHYO8fo%2fuXzYsTQU4osh4GhNtfZu7sZvnWoZz8uKe3ggoF%2b5%2fdZIy7Sao%2b6GnrEKTVzmHBNCPUUyyMBMBOX83eGmJO2WunWXMoJw4NEM%2buSPWwkpUtp4nuniTxuFzEtoyDnBGuJqMB93dTA7hkE7ASNy3o5TjbvXBjIuM3Y1R9ecbfWxI4psuQfnkQKOaCTidU3xRDyY72%2brrH2U5N0yBggeL3CEExSm%2fWQadG;\x00
>[3825] 1690356381.860236: Storing host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> krb5_ccache_conf_data/X-IPA-Session-Cookie/host\/test-lb-enroll.edu.novalocal\@EDU-IPA.NOVALOCAL(a)X-CACHECONF: in FILE:/etc/ipa/.dns_ccache
>
>
>Found zone name: edu.novalocal
>The master is: infra-ipa-master-01.edu-ipa.novalocal
>start_gssrequest
>[3898] 1690356381.745962: ccselect module realm chose cache FILE:/etc/ipa/.dns_ccache with client principal host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL for server principal DNS/infra-ipa-master-01.edu-ipa.novalocal(a)EDU-IPA.NOVALOCAL
>[3898] 1690356381.745963: Getting credentials host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> DNS/infra-ipa-master-01.edu-ipa.novalocal(a)EDU-IPA.NOVALOCAL using ccache FILE:/etc/ipa/.dns_ccache
>[3898] 1690356381.745964: Retrieving host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> DNS/infra-ipa-master-01.edu-ipa.novalocal(a)EDU-IPA.NOVALOCAL from FILE:/etc/ipa/.dns_ccache with result: 0/Success
>[3898] 1690356381.745966: Creating authenticator for host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> DNS/infra-ipa-master-01.edu-ipa.novalocal(a)EDU-IPA.NOVALOCAL, seqnum 15181654, subkey aes256-cts/ECC7, session key aes256-cts/607C
>send_gssrequest
>
>
>Process finished, return code=1
>stdout=
>stderr=
>[3825] 1690356380.148934: ccselect module realm chose cache FILE:/etc/ipa/.dns_ccache with client principal host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL for server principal ldap/infra-ipa-master-01.edu-ipa.novalocal(a)EDU-IPA.NOVALOCAL
>[3825] 1690356380.148935: Getting credentials host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> ldap/infra-ipa-master-01.edu-ipa.novalocal@ using ccache FILE:/etc/ipa/.dns_ccache
>[3825] 1690356380.148936: Retrieving host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> ldap/infra-ipa-master-01.edu-ipa.novalocal@ from FILE:/etc/ipa/.dns_ccache with result: -1765328243/Matching credential not found (filename: /etc/ipa/.dns_ccache)
>[3825] 1690356380.148937: Retrying host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> ldap/infra-ipa-master-01.edu-ipa.novalocal(a)EDU-IPA.NOVALOCAL with result: -1765328243/Matching credential not found (filename: /etc/ipa/.dns_ccache)
>[3825] 1690356380.148938: Server has referral realm; starting with ldap/infra-ipa-master-01.edu-ipa.novalocal(a)EDU-IPA.NOVALOCAL
>[3825] 1690356380.148939: Retrieving host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> krbtgt/EDU-IPA.NOVALOCAL(a)EDU-IPA.NOVALOCAL from FILE:/etc/ipa/.dns_ccache with result: 0/Success
>[3825] 1690356380.148940: Starting with TGT for client realm: host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> krbtgt/EDU-IPA.NOVALOCAL(a)EDU-IPA.NOVALOCAL
>[3825] 1690356380.148941: Requesting tickets for ldap/infra-ipa-master-01.edu-ipa.novalocal(a)EDU-IPA.NOVALOCAL, referrals on
>[3825] 1690356380.148942: Generated subkey for TGS request: aes256-cts/3DE8
>[3825] 1690356380.148943: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
>[3825] 1690356380.148945: Encoding request body and padata into FAST request
>[3825] 1690356380.148946: Sending request (2377 bytes) to EDU-IPA.NOVALOCAL
>[3825] 1690356380.148947: Initiating TCP connection to stream 172.28.19.159:88
>[3825] 1690356380.148948: Sending TCP request to stream 172.28.19.159:88
>[3825] 1690356380.148949: Received answer (2302 bytes) from stream 172.28.19.159:88
>[3825] 1690356380.148950: Terminating TCP connection to stream 172.28.19.159:88
>[3825] 1690356380.148951: Response was from master KDC
>[3825] 1690356380.148952: Decoding FAST response
>[3825] 1690356380.148953: FAST reply key: aes256-cts/BBE7
>[3825] 1690356380.148954: TGS reply is for host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> ldap/infra-ipa-master-01.edu-ipa.novalocal(a)EDU-IPA.NOVALOCAL with session key aes256-cts/207E
>[3825] 1690356380.148955: TGS request result: 0/Success
>[3825] 1690356380.148956: Received creds for desired service ldap/infra-ipa-master-01.edu-ipa.novalocal(a)EDU-IPA.NOVALOCAL
>[3825] 1690356380.148957: Storing host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> ldap/infra-ipa-master-01.edu-ipa.novalocal@ in FILE:/etc/ipa/.dns_ccache
>[3825] 1690356380.148958: Also storing host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> ldap/infra-ipa-master-01.edu-ipa.novalocal(a)EDU-IPA.NOVALOCAL based on ticket
>[3825] 1690356380.148959: Removing host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> ldap/infra-ipa-master-01.edu-ipa.novalocal(a)EDU-IPA.NOVALOCAL from FILE:/etc/ipa/.dns_ccache
>[3825] 1690356380.148961: Creating authenticator for host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> ldap/infra-ipa-master-01.edu-ipa.novalocal@, seqnum 224156792, subkey aes256-cts/6EF9, session key aes256-cts/207E
>[3825] 1690356380.148966: Read AP-REP, time 1690356380.148962, subkey aes256-cts/4E53, seqnum 820684970
>Adding CA certificates to the IPA NSS database.
>
>
>failed to find session_cookie in persistent storage for principal 'host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL'
>trying https://infra-ipa-master-01.edu-ipa.novalocal/ipa/json
>Created connection context.rpcclient_139803356784400
>Try RPC connection
>[try 1]: Forwarding 'ping' to json server 'https://infra-ipa-master-01.edu-ipa.novalocal/ipa/json'
>New HTTP connection (infra-ipa-master-01.edu-ipa.novalocal)
>[3825] 1690356380.148857: ccselect module realm chose cache FILE:/etc/ipa/.dns_ccache with client principal host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL for server principal HTTP/infra-ipa-master-01.edu-ipa.novalocal(a)EDU-IPA.NOVALOCAL
>[3825] 1690356380.148858: Getting credentials host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> HTTP/infra-ipa-master-01.edu-ipa.novalocal@ using ccache FILE:/etc/ipa/.dns_ccache
>[3825] 1690356380.148859: Retrieving host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> HTTP/infra-ipa-master-01.edu-ipa.novalocal@ from FILE:/etc/ipa/.dns_ccache with result: -1765328243/Matching credential not found (filename: /etc/ipa/.dns_ccache)
>[3825] 1690356380.148860: Retrying host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> HTTP/infra-ipa-master-01.edu-ipa.novalocal(a)EDU-IPA.NOVALOCAL with result: -1765328243/Matching credential not found (filename: /etc/ipa/.dns_ccache)
>[3825] 1690356380.148861: Server has referral realm; starting with HTTP/infra-ipa-master-01.edu-ipa.novalocal(a)EDU-IPA.NOVALOCAL
>[3825] 1690356380.148862: Retrieving host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> krbtgt/EDU-IPA.NOVALOCAL(a)EDU-IPA.NOVALOCAL from FILE:/etc/ipa/.dns_ccache with result: 0/Success
>[3825] 1690356380.148863: Starting with TGT for client realm: host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> krbtgt/EDU-IPA.NOVALOCAL(a)EDU-IPA.NOVALOCAL
>[3825] 1690356380.148864: Requesting tickets for HTTP/infra-ipa-master-01.edu-ipa.novalocal(a)EDU-IPA.NOVALOCAL, referrals on
>[3825] 1690356380.148865: Generated subkey for TGS request: aes256-cts/46AB
>[3825] 1690356380.148866: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
>[3825] 1690356380.148868: Encoding request body and padata into FAST request
>[3825] 1690356380.148869: Sending request (2377 bytes) to EDU-IPA.NOVALOCAL
>[3825] 1690356380.148870: Initiating TCP connection to stream 172.28.19.159:88
>[3825] 1690356380.148871: Sending TCP request to stream 172.28.19.159:88
>[3825] 1690356380.148872: Received answer (2345 bytes) from stream 172.28.19.159:88
>[3825] 1690356380.148873: Terminating TCP connection to stream 172.28.19.159:88
>[3825] 1690356380.148874: Response was from master KDC
>[3825] 1690356380.148875: Decoding FAST response
>[3825] 1690356380.148876: FAST reply key: aes256-cts/4ACD
>[3825] 1690356380.148877: TGS reply is for host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> HTTP/infra-ipa-master-01.edu-ipa.novalocal(a)EDU-IPA.NOVALOCAL with session key aes256-cts/B2AD
>[3825] 1690356380.148878: TGS request result: 0/Success
>[3825] 1690356380.148879: Received creds for desired service HTTP/infra-ipa-master-01.edu-ipa.novalocal(a)EDU-IPA.NOVALOCAL
>[3825] 1690356380.148880: Storing host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> HTTP/infra-ipa-master-01.edu-ipa.novalocal@ in FILE:/etc/ipa/.dns_ccache
>[3825] 1690356380.148881: Also storing host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> HTTP/infra-ipa-master-01.edu-ipa.novalocal(a)EDU-IPA.NOVALOCAL based on ticket
>[3825] 1690356380.148882: Removing host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> HTTP/infra-ipa-master-01.edu-ipa.novalocal(a)EDU-IPA.NOVALOCAL from FILE:/etc/ipa/.dns_ccache
>[3825] 1690356380.148884: Creating authenticator for host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> HTTP/infra-ipa-master-01.edu-ipa.novalocal@, seqnum 232117189, subkey aes256-cts/E5F8, session key aes256-cts/B2AD
>[3825] 1690356380.148889: Read AP-REP, time 1690356380.148885, subkey aes256-cts/9C66, seqnum 920243718
>received Set-Cookie (<class 'list'>)'['ipa_session=MagBearerToken=nBJ5K%2f0zqcv8v2%2bivGh1TAlnIQEQXaojxHZZL6lPgVtAEv%2f6j%2bEclnVBY6dlnoUVRkyvnAkIVuxLx6HNXZsVsLxhbOZmYkyspRIE59scDW0R%2bBuRiTeBmDKza6GUSTW%2b53ppLozZH8ijT88lpy3%2fnbZKk607ez97vomrVzBCduj0G2y9u6wXyJdnw1TjBtjpr8VThkN46%2fS%2fK8qqf81s6xZiFHretceNwbPgzZFWJVSfUd7LGe%2bR5xGJ2XhNx5%2fVOZGzbhQhigkgullEuxQgV6oordsRg4DsIrOa542JTGTaV%2bvFRAbQ48XXEp1Jj5UV;path=/ipa;httponly;secure;']'
>storing cookie 'ipa_session=MagBearerToken=nBJ5K%2f0zqcv8v2%2bivGh1TAlnIQEQXaojxHZZL6lPgVtAEv%2f6j%2bEclnVBY6dlnoUVRkyvnAkIVuxLx6HNXZsVsLxhbOZmYkyspRIE59scDW0R%2bBuRiTeBmDKza6GUSTW%2b53ppLozZH8ijT88lpy3%2fnbZKk607ez97vomrVzBCduj0G2y9u6wXyJdnw1TjBtjpr8VThkN46%2fS%2fK8qqf81s6xZiFHretceNwbPgzZFWJVSfUd7LGe%2bR5xGJ2XhNx5%2fVOZGzbhQhigkgullEuxQgV6oordsRg4DsIrOa542JTGTaV%2bvFRAbQ48XXEp1Jj5UV;' for principal host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL
>[3825] 1690356380.148893: Storing config in FILE:/etc/ipa/.dns_ccache for host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL: X-IPA-Session-Cookie: ipa_session=MagBearerToken=nBJ5K%2f0zqcv8v2%2bivGh1TAlnIQEQXaojxHZZL6lPgVtAEv%2f6j%2bEclnVBY6dlnoUVRkyvnAkIVuxLx6HNXZsVsLxhbOZmYkyspRIE59scDW0R%2bBuRiTeBmDKza6GUSTW%2b53ppLozZH8ijT88lpy3%2fnbZKk607ez97vomrVzBCduj0G2y9u6wXyJdnw1TjBtjpr8VThkN46%2fS%2fK8qqf81s6xZiFHretceNwbPgzZFWJVSfUd7LGe%2bR5xGJ2XhNx5%2fVOZGzbhQhigkgullEuxQgV6oordsRg4DsIrOa542JTGTaV%2bvFRAbQ48XXEp1Jj5UV;\x00
>[3825] 1690356380.148894: Storing host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> krb5_ccache_conf_data/X-IPA-Session-Cookie/host\/test-lb-enroll.edu.novalocal\@EDU-IPA.NOVALOCAL(a)X-CACHECONF: in FILE:/etc/ipa/.dns_ccache
>[try 1]: Forwarding 'ca_is_enabled' to json server 'https://infra-ipa-master-01.edu-ipa.novalocal/ipa/json'
>HTTP connection keep-alive (infra-ipa-master-01.edu-ipa.novalocal)
>[3825] 1690356380.148898: ccselect module realm chose cache FILE:/etc/ipa/.dns_ccache with client principal host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL for server principal HTTP/infra-ipa-master-01.edu-ipa.novalocal(a)EDU-IPA.NOVALOCAL
>[3825] 1690356380.148899: Getting credentials host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> HTTP/infra-ipa-master-01.edu-ipa.novalocal@ using ccache FILE:/etc/ipa/.dns_ccache
>[3825] 1690356380.148900: Retrieving host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> HTTP/infra-ipa-master-01.edu-ipa.novalocal@ from FILE:/etc/ipa/.dns_ccache with result: 0/Success
>[3825] 1690356380.148902: Creating authenticator for host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> HTTP/infra-ipa-master-01.edu-ipa.novalocal@, seqnum 678605449, subkey aes256-cts/747F, session key aes256-cts/B2AD
>[3825] 1690356380.148907: Read AP-REP, time 1690356380.148903, subkey aes256-cts/C2C1, seqnum 37258182
>received Set-Cookie (<class 'list'>)'['ipa_session=MagBearerToken=mVqhYtLqfVgBwvixoFSlHLw2nOQULW20e%2f4LOsro2xvfKooihP%2bgVAkKlaRvnN2XMVs66AyoibsKmvEgzMKK07HwnPLuzetxHpHYHtK8NkDD7%2f%2bJB0W00ME%2bj153OQTv8qRRvzyWHUBEb56AucOvopC%2bHIBUNLUpN342m4Jjl754AR2c4gTcoy7vR3fkO9vop4CMSPIq5OsnOsEfUYz6DkkcOMb06axmoRZY%2f1JbF3ohIVOXC1Uvtjy5uVk7uQiszSegQDdwOrRBZlkeeShvAma6vyc%2b7MCDnpPAN0KuZ4Y1M6LeVo5JH3J6UwrZz0M%2f;path=/ipa;httponly;secure;']'
>storing cookie 'ipa_session=MagBearerToken=mVqhYtLqfVgBwvixoFSlHLw2nOQULW20e%2f4LOsro2xvfKooihP%2bgVAkKlaRvnN2XMVs66AyoibsKmvEgzMKK07HwnPLuzetxHpHYHtK8NkDD7%2f%2bJB0W00ME%2bj153OQTv8qRRvzyWHUBEb56AucOvopC%2bHIBUNLUpN342m4Jjl754AR2c4gTcoy7vR3fkO9vop4CMSPIq5OsnOsEfUYz6DkkcOMb06axmoRZY%2f1JbF3ohIVOXC1Uvtjy5uVk7uQiszSegQDdwOrRBZlkeeShvAma6vyc%2b7MCDnpPAN0KuZ4Y1M6LeVo5JH3J6UwrZz0M%2f;' for principal host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL
>[3825] 1690356380.148911: Storing config in FILE:/etc/ipa/.dns_ccache for host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL: X-IPA-Session-Cookie: ipa_session=MagBearerToken=mVqhYtLqfVgBwvixoFSlHLw2nOQULW20e%2f4LOsro2xvfKooihP%2bgVAkKlaRvnN2XMVs66AyoibsKmvEgzMKK07HwnPLuzetxHpHYHtK8NkDD7%2f%2bJB0W00ME%2bj153OQTv8qRRvzyWHUBEb56AucOvopC%2bHIBUNLUpN342m4Jjl754AR2c4gTcoy7vR3fkO9vop4CMSPIq5OsnOsEfUYz6DkkcOMb06axmoRZY%2f1JbF3ohIVOXC1Uvtjy5uVk7uQiszSegQDdwOrRBZlkeeShvAma6vyc%2b7MCDnpPAN0KuZ4Y1M6LeVo5JH3J6UwrZz0M%2f;\x00
>[3825] 1690356380.148912: Storing host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> krb5_ccache_conf_data/X-IPA-Session-Cookie/host\/test-lb-enroll.edu.novalocal\@EDU-IPA.NOVALOCAL(a)X-CACHECONF: in FILE:/etc/ipa/.dns_ccache
>[try 1]: Forwarding 'config_show' to json server 'https://infra-ipa-master-01.edu-ipa.novalocal/ipa/json'
>HTTP connection keep-alive (infra-ipa-master-01.edu-ipa.novalocal)
>[3825] 1690356380.148916: ccselect module realm chose cache FILE:/etc/ipa/.dns_ccache with client principal host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL for server principal HTTP/infra-ipa-master-01.edu-ipa.novalocal(a)EDU-IPA.NOVALOCAL
>[3825] 1690356380.148917: Getting credentials host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> HTTP/infra-ipa-master-01.edu-ipa.novalocal@ using ccache FILE:/etc/ipa/.dns_ccache
>[3825] 1690356380.148918: Retrieving host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> HTTP/infra-ipa-master-01.edu-ipa.novalocal@ from FILE:/etc/ipa/.dns_ccache with result: 0/Success
>[3825] 1690356380.148920: Creating authenticator for host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> HTTP/infra-ipa-master-01.edu-ipa.novalocal@, seqnum 896576105, subkey aes256-cts/02A5, session key aes256-cts/B2AD
>[3825] 1690356380.148925: Read AP-REP, time 1690356380.148921, subkey aes256-cts/D3B7, seqnum 175125735
>received Set-Cookie (<class 'list'>)'['ipa_session=MagBearerToken=%2fh0A2rAP%2b9B%2fKydCZfB9jTvCngqGmE4PpTSutwiDNm7LVxbA7pFr6WhMuHRuEnSo%2bzl8KEoelocipvUzAlZV2pvwelwygtqV0moRYWM6YlfEVX82J5o8DatYvaw24CksBRIH1DYZJJZPNrkC2MUj7XQdyPSr7RY8zF%2fw53iAdx3LFd2yyB2juwkxAp47eNVdLX%2fI4pFgBSFukOQKE0DSmv89qT7NSWvBGzb4PfO9mxMpGIkOqhawSYV%2ftLwpxg4dMOx64sCXnjdbVaghABYKzYzQkQ9UeJZOuvl3EH5xz6PomnG5crEQVjIi1UxbyDfX;path=/ipa;httponly;secure;']'
>storing cookie 'ipa_session=MagBearerToken=%2fh0A2rAP%2b9B%2fKydCZfB9jTvCngqGmE4PpTSutwiDNm7LVxbA7pFr6WhMuHRuEnSo%2bzl8KEoelocipvUzAlZV2pvwelwygtqV0moRYWM6YlfEVX82J5o8DatYvaw24CksBRIH1DYZJJZPNrkC2MUj7XQdyPSr7RY8zF%2fw53iAdx3LFd2yyB2juwkxAp47eNVdLX%2fI4pFgBSFukOQKE0DSmv89qT7NSWvBGzb4PfO9mxMpGIkOqhawSYV%2ftLwpxg4dMOx64sCXnjdbVaghABYKzYzQkQ9UeJZOuvl3EH5xz6PomnG5crEQVjIi1UxbyDfX;' for principal host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL
>[3825] 1690356380.148929: Storing config in FILE:/etc/ipa/.dns_ccache for host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL: X-IPA-Session-Cookie: ipa_session=MagBearerToken=%2fh0A2rAP%2b9B%2fKydCZfB9jTvCngqGmE4PpTSutwiDNm7LVxbA7pFr6WhMuHRuEnSo%2bzl8KEoelocipvUzAlZV2pvwelwygtqV0moRYWM6YlfEVX82J5o8DatYvaw24CksBRIH1DYZJJZPNrkC2MUj7XQdyPSr7RY8zF%2fw53iAdx3LFd2yyB2juwkxAp47eNVdLX%2fI4pFgBSFukOQKE0DSmv89qT7NSWvBGzb4PfO9mxMpGIkOqhawSYV%2ftLwpxg4dMOx64sCXnjdbVaghABYKzYzQkQ9UeJZOuvl3EH5xz6PomnG5crEQVjIi1UxbyDfX;\x00
>[3825] 1690356380.148930: Storing host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> krb5_ccache_conf_data/X-IPA-Session-Cookie/host\/test-lb-enroll.edu.novalocal\@EDU-IPA.NOVALOCAL(a)X-CACHECONF: in FILE:/etc/ipa/.dns_ccache
>Starting external process
>args=['/usr/bin/certutil', '-d', '/etc/ipa/nssdb', '-N', '-f', '/etc/ipa/nssdb/pwdfile.txt', '-@', '/etc/ipa/nssdb/pwdfile.txt']
It seems that for some reason the install script is unable to save credentials to /etc/ipa/.dns_ccache in the first case. Any ideas why this could be happening? Other than obvious permission issues, because I specifically ran a normal installation in the same environment to eliminate any host setup problems.
Client version is: freeipa-client-4.8.9-alt4.c9f2.3.x86_64
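The KRB5_TRACE lines quoted above ("[pid] timestamp: message") can be read mechanically rather than by eye. The script below is an added diagnostic example for this thread, not FreeIPA code and not the poster's logs: it groups the trace per target service principal and reports whether the service ticket came from the cache or from a TGS exchange, whether it was written to the named ccache, and whether an AP-REP was read; the sample lines are constructed to mirror the shape of the post's two cases, with shortened names.

```python
"""Summarise the KRB5_TRACE lines ("[pid] timestamp: message") that the
ipa-client-install log quotes, grouped by target service principal.

Added diagnostic example for this thread; not FreeIPA code and not the
poster's logs. The sample lines below are constructed to mirror the shape
of the two cases in the post (names shortened).
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

TRACE_RE = re.compile(r"^\[(?P<pid>\d+)\] (?P<ts>\d+\.\d+): (?P<msg>.*)$")
GETTING_RE = re.compile(
    r"^Getting credentials \S+ -> (?P<server>\S+) using ccache (?P<ccache>\S+)$")
RETRIEVE_RE = re.compile(
    r"^Retrieving \S+ -> (?P<server>\S+) from \S+ with result: (?P<code>-?\d+)/")
TGS_RE = re.compile(r"^TGS request result: (?P<code>-?\d+)/")
STORING_RE = re.compile(r"^Storing \S+ -> (?P<server>\S+) in (?P<ccache>\S+)$")


def service_name(principal: str) -> str:
    """Strip the realm: 'HTTP/lb(a)REALM', 'HTTP/lb@REALM' and the referral
    form 'HTTP/lb@' all collapse to 'HTTP/lb'. The list archive writes '@'
    as '(a)', so both spellings are accepted."""
    return re.split(r"\(a\)|@", principal, maxsplit=1)[0]


@dataclass
class ServiceOutcome:
    server: str
    ccache: str
    cache_hit: bool = False           # ticket was already in the ccache
    tgs_ok: Optional[bool] = None     # None: no TGS exchange seen
    stored: bool = False              # new ticket written to the ccache
    ap_rep: bool = False              # AP-REP read: the service accepted the ticket


def summarise(lines: Iterable[str]) -> Dict[str, ServiceOutcome]:
    """Walk the trace in order; a 'Getting credentials' line opens a lookup
    and the lines that follow are attributed to that service principal."""
    outcomes: Dict[str, ServiceOutcome] = {}
    current: Optional[ServiceOutcome] = None
    for raw in lines:
        m = TRACE_RE.match(raw.strip().lstrip(">").strip())  # drop '>' quoting
        if not m:
            continue
        msg = m.group("msg")
        g = GETTING_RE.match(msg)
        if g:
            name = service_name(g.group("server"))
            current = outcomes.setdefault(name, ServiceOutcome(name, g.group("ccache")))
            continue
        if current is None:
            continue
        r = RETRIEVE_RE.match(msg)
        if r and service_name(r.group("server")) == current.server:
            current.cache_hit = r.group("code") == "0"
            continue
        t = TGS_RE.match(msg)
        if t:
            current.tgs_ok = t.group("code") == "0"
            continue
        s = STORING_RE.match(msg)
        if s and service_name(s.group("server")) == current.server:
            current.stored = True
            continue
        if msg.startswith("Read AP-REP"):
            current.ap_rep = True
    return outcomes


def verdict(o: ServiceOutcome) -> str:
    """One-line reading of an outcome, for whoever is staring at the log."""
    if o.cache_hit:
        how = "ticket reused from " + o.ccache
    elif o.tgs_ok:
        how = "ticket obtained via TGS and " + ("stored in " if o.stored else "NOT stored in ") + o.ccache
    elif o.tgs_ok is False:
        return f"{o.server}: TGS request failed, no service ticket"
    else:
        return f"{o.server}: not in {o.ccache} and no TGS exchange seen"
    accepted = "AP-REP read (service accepted it)" if o.ap_rep else "no AP-REP seen"
    return f"{o.server}: {how}; {accepted}"


# Constructed sample: the shape of the post's "--server=<loadbalancer>" trace.
SAMPLE_LB = """\
>[4637] 1690357386.007598: Getting credentials host/c.example(a)EXAMPLE -> HTTP/lb.example(a)EXAMPLE using ccache FILE:/etc/ipa/.dns_ccache
>[4637] 1690357386.007599: Retrieving host/c.example(a)EXAMPLE -> HTTP/lb.example(a)EXAMPLE from FILE:/etc/ipa/.dns_ccache with result: -1765328243/Matching credential not found (filename: /etc/ipa/.dns_ccache)
>[4637] 1690357386.007600: Retrieving host/c.example(a)EXAMPLE -> krbtgt/EXAMPLE(a)EXAMPLE from FILE:/etc/ipa/.dns_ccache with result: 0/Success
>[4637] 1690357386.007616: TGS request result: 0/Success
>[4637] 1690357386.007618: Storing host/c.example(a)EXAMPLE -> HTTP/lb.example(a)EXAMPLE in FILE:/etc/ipa/.dns_ccache
>[4637] 1690357386.007625: Read AP-REP, time 1690357386.7621, subkey aes256-cts/9ABD, seqnum 40531156
"""

# Constructed sample: the shape of a keep-alive call in the "normal" trace.
SAMPLE_KEEPALIVE = """\
>[3825] 1690356381.860223: Getting credentials host/c.example(a)EXAMPLE -> HTTP/master.example@ using ccache FILE:/etc/ipa/.dns_ccache
>[3825] 1690356381.860224: Retrieving host/c.example(a)EXAMPLE -> HTTP/master.example@ from FILE:/etc/ipa/.dns_ccache with result: 0/Success
>[3825] 1690356381.860231: Read AP-REP, time 1690356381.860227, subkey aes256-cts/6032, seqnum 235082758
"""

if __name__ == "__main__":
    for sample in (SAMPLE_LB, SAMPLE_KEEPALIVE):
        for outcome in summarise(sample.splitlines()).values():
            print(verdict(outcome))
```

Run over the post's first log, the same logic reports that the HTTP/lb.ipa.edu.novalocal ticket was obtained via TGS, stored in /etc/ipa/.dns_ccache and answered with an AP-REP, i.e. the client side of the Kerberos exchange completed; the ACIError is raised in rpc.py's __request from the JSON server's reply, so the empty credential cache it mentions is worth checking on the server that sits behind the load balancer rather than in the client's /etc/ipa/.dns_ccache.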
local root can login but freeipa users can't
by barry y
This happens randomly: local root can log in through SSH to the affected system, but for a FreeIPA user the login is successful and then there is no prompt.
When successfully logged in, it only display a message saying "Last login: xxx" and then no prompt.
There are no sssd errors though, and restarting the service doesn't help either. While the issue happens on one system, FreeIPA users on other systems can log in with no problem.
Only way to get out of this is to restart the entire system.
Using IPA's 389-ds for other directory information trees?
by Mathieu Baudier
Hello,
we are using IPA as the backbone of a middle-sized infrastructure whose purpose is to host multi-tenant (Java) applications. These applications use 389-ds instances to manage authentication and authorisation. The 389-ds instances are deployed on hosts which are IPA clients but not IPA servers.
Since we monitor closely the IPA servers and their 389-ds instances, I was wondering whether it could be efficient to also host the applicative 389-ds LDAP trees on the same hosts as the IPA servers. These instances are small (hundreds of applicative users maximum) and use only the standard LDAP schemas, consistently with IPA (which was taken as the reference when developing the user-management model of these applications).
I can see three approaches:
1) Separate 389-ds instances on distinct ports. In that case, only the software is shared.
2) Separate 389-ds backends in the IPA instances, with their own replication agreements.
3) Separate LDAP subtrees within the IPA backends. In that case, IPA replication agreements are leveraged.
Intuitively, I would favour 2), then 1), then 3).
Did I miss something in this analysis?
Is it reasonable/advisable to reuse the IPA servers for such purposes?
Does anyone have experience with such a setup?
Thanks in advance for any comment!
Mathieu
10 months, 1 week
Re: Exporting certificates with keys associated in FreeIPA
by Jernej Jakob
On Wed, 26 Jul 2023 11:10:23 +0000
Carlos Lopez via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
wrote:
> Hi all,
>
> Sorry to disturb but I can not find which is the correct procedure to accomplish this. I have created a certificate in WebUI and I can export the certificate in pem format, which is what I need. But I need the private key also. This certificate is for a host outside of Kerberos and LDAP's FreeIPA domain.
>
> How can I export pem cert and key file?
>
> Regards,
> C. L. Martinez
>
While I don't know the answer to your question, I can say that the
private key should not leave the server (machine, service, user,...)
which uses it. The standard procedure for PKI is to generate a private
key on the machine, generate a CSR, send the CSR to the CA to get
signed (which issues the certificate), then install the certificate
back on the machine. If the machine is enrolled into FreeIPA you can do
this with certmonger. If not, you can probably still get FreeIPA to
sign your CSR.
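The procedure Jernej describes (the private key is generated on the host and never leaves it; only the CSR goes to the CA), as an added shell example that is not part of the thread. The hostname and output directory are assumed values; the FreeIPA signing step is shown only as a comment because it needs an enrolled client with a Kerberos ticket.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: openssl is installed,
# "www.example.test" stands in for the real host, "$2" is a scratch directory.
set -eu

# Generate a private key locally and a CSR for it; only the CSR is exported.
gen_csr() {
    host="$1"; dir="$2"
    mkdir -p "$dir"
    umask 077                       # key file readable by its owner only
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/$host.key" 2>/dev/null
    # The CSR carries the public key and the requested name; the CA signs it.
    openssl req -new -key "$dir/$host.key" -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host" -out "$dir/$host.csr" 2>/dev/null
    # Sanity check: the CSR's self-signature verifies.
    openssl req -in "$dir/$host.csr" -noout -verify >/dev/null 2>&1
}

# Returns 0 when key and CSR share the same public key (i.e. they belong together).
csr_matches_key() {
    k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    c=$(openssl req -in "$2" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    [ "$k" = "$c" ]
}

# Next step on an enrolled IPA client (not run here; needs a valid ticket):
#   ipa cert-request "$dir/$host.csr" --principal="HTTP/$host" \
#       --certificate-out="$dir/$host.crt"
# The returned certificate is then installed next to the key on the host.
```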
10 months, 1 week
TXT - SPF & DKIM
by lejeczek
Hi guys.
Would you know a correct or best-practice way to add such
records.
When I look at how those resolve for some (a few I tried)
well-known domains - in order to get the same/similar with
IPA it seems that I have to escape some chars, namely
white-spaces.
Is that normal/expected? It did not feel as such to me.
many thanks, L.
10 months, 1 week
cert management - ? - pkcs format
by lejeczek
Hi guys.
Is it possible for IPA's output format (when rendered into files)
to be _pkcs_, for both keys & certs?
Not being a security/cryptography expert, I am unable to put
it into better words - a format/container which works with/in
Java?
Like when:
-> $ openssl pkcs8 ... -topk8 -nocrypt -v1 PBE-SHA1-3DES ..
many thanks, L.
10 months, 1 week
Exporting certificates with keys associated in FreeIPA
by Carlos Lopez
Hi all,
Sorry to disturb but I can not find which is the correct procedure to accomplish this. I have created a certificate in WebUI and I can export the certificate in pem format, which is what I need. But I need the private key also. This certificate is for a host outside of Kerberos and LDAP's FreeIPA domain.
How can I export pem cert and key file?
Regards,
C. L. Martinez
10 months, 1 week
Krb5kdc and kadmin services not getting started
by Polavarapu Manideep Sai
Hi Team,
Krb5kdc and kadmin services are not getting started.
PFB error logs.
As you can see, we are getting "Kerberos User Principal not found. Do you have a valid Credential Cache?" upon getting a new keytab.
[root@dir ~]# tail -f /var/log/krb5kdc.log
krb5kdc: Server error - while fetching master key K/M for realm IPA.DOMAIN.COM
krb5kdc: Server error - while fetching master key K/M for realm IPA.DOMAIN.COM
krb5kdc: Server error - while fetching master key K/M for realm IPA.DOMAIN.COM
krb5kdc: Server error - while fetching master key K/M for realm IPA.DOMAIN.COM
krb5kdc: Server error - while fetching master key K/M for realm IPA.DOMAIN.COM
krb5kdc: Server error - while fetching master key K/M for realm IPA.DOMAIN.COM
krb5kdc: Server error - while fetching master key K/M for realm IPA.DOMAIN.COM
krb5kdc: Server error - while fetching master key K/M for realm IPA.DOMAIN.COM
krb5kdc: Server error - while fetching master key K/M for realm IPA.DOMAIN.COM
krb5kdc: Server error - while fetching master key K/M for realm IPA.DOMAIN.COM
-------------------------------------------------------------------------------------------------------
[root@dir ~]#
[root@dir ~]#
[root@dir ~]# tail -f /var/log/kadmind.log
Jul 24 19:49:57 dir.IPA.DOMAIN.COM kadmind[211105](Error): Server error while initializing, aborting
Jul 24 19:56:29 dir.IPA.DOMAIN.COM kadmind[2807](Error): Server error while initializing, aborting
Jul 24 20:50:50 dir.IPA.DOMAIN.COM kadmind[5803](Error): Server error while initializing, aborting
Jul 24 20:55:02 dir.IPA.DOMAIN.COM kadmind[6560](Error): Server error while initializing, aborting
Jul 24 21:39:45 dir.IPA.DOMAIN.COM kadmind[9520](Error): Server error while initializing, aborting
----------------------------------------------------------------------------------------------------------
[root@dir ~]#
[root@dir ~]#
[root@dir ~]# klist -kt
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
1 05/14/2019 13:23:12 host/dir.IPA.DOMAIN.COM(a)IPA.DOMAIN.COM
1 05/14/2019 13:23:12 host/dir.IPA.DOMAIN.COM(a)IPA.DOMAIN.COM
----------------------------------------------------------------------------------------------------------
[root@dir ~]#
[root@dir ~]#
[root@dir ~]# mv /etc/krb5.keytab /etc/krb5.keytab-bak
[root@dir ~]#
------------------------------------------------------------------------------------------------------------
[root@dir ~]# ipa-getkeytab -s central01.ipa.domain.com -p host/dir.IPA.DOMAIN.COM(a)IPA.DOMAIN.COM -k /etc/krb5.keytab
Kerberos User Principal not found. Do you have a valid Credential Cache?
[root@dir ~]#
[root@dir ~]#
Regards
Sai
________________________________
DISCLAIMER: The information in this message is confidential and may be legally privileged. It is intended solely for the addressee. Access to this message by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, or distribution of the message, or any action or omission taken by you in reliance on it, is prohibited and may be unlawful. Please immediately contact the sender if you have received this message in error. Further, this e-mail may contain viruses and all reasonable precaution to minimize the risk arising there from is taken by OnMobile. OnMobile is not liable for any damage sustained by you as a result of any virus in this e-mail. All applicable virus checks should be carried out by you before opening this e-mail or any attachment thereto.
Thank you - OnMobile Global Limited.
10 months, 1 week
Cannot get rid of a replica/agreement
by lejeczek
Hi guys.
Two masters from which third got disconnected in a "dirty"
manner.
-> $ ipa-replica-manage del midway.ccn.priv.dom
Server removal aborted:
Replication topology in suffix 'domain' is disconnected:
Topology does not allow server love.ccn.priv.dom to
replicate with servers:
midway.ccn.priv.dom
Topology does not allow server midway.ccn.priv.dom to
replicate with servers:
love.ccn.priv.dom
punch.ccn.priv.dom
Topology does not allow server punch.ccn.priv.dom to
replicate with servers:
midway.ccn.priv.dom.
-> $ ipa topologysegment-find domain
-----------------
1 segment matched
-----------------
Segment name: punch.ccn.priv.dom-to-love.ccn.priv.dom
Left node: punch.ccn.priv.dom
Right node: love.ccn.priv.dom
Connectivity: both
----------------------------
Number of entries returned 1
-> $ ipa-replica-manage del midway.ccn.priv.dom --force
ipa: WARNING:
/usr/lib/python3.6/site-packages/ipaserver/plugins/dogtag.py:1973:
The subsystem in PKIConnection.__init__() has been
deprecated
(https://www.dogtagpki.org/wiki/PKI_10.8_Python_Changes).
Updating DNS system records
Not allowed on non-leaf entry
I've tried to 'reinitialize' but without success.
Anybody care to share suggestions & thoughts?
many thanks, L.
10 months, 2 weeks
Do you want to search for missing reverse zones?
by Ian Pilcher
I am attempting to automate a FreeIPA installation (for troubleshooting
purposes), and I cannot figure out how to get rid of this question. I
have tried adding '--no-reverse' to the ipa-server-install command, but
I am still getting the prompt.
What option do I need to use?
Thanks!
--
========================================================================
Google Where SkyNet meets Idiocracy
========================================================================
10 months, 2 weeks