Expiring password Notification email template - images
by Tania Hagan
Hi FreeIPA Users,
Does anyone know if its possible to include inline images in the email template for Expiring Password Notification? I've experimented with including base64 encoding but the message just shows a white box with a black outline. I think this is a limited of our email client, and tried swapping to using CID embedded image but have no way of pointing the template to the image file.
Many Thanks,
Tania
1 month, 1 week
IPA Replica can't authenticate users
by John Doe
I'm playing around with IPA trying to figure out how to set it up to be
redundant. The problem is that the IPA Replica isn't able to authenticate
AD users if IPA Master is down.
My setup;
One Windows Server set up with Active Direcory Domain Services, Active
Directory Certificate Services and DNS server hosting the ad.labnet.org
domain and the Root CA.
Two Linux servers setup in the labnet.org domain. Both using the Windows
Server DNS server.
The first one is setup as a IPA Master server hosting the domain
ipa.labnet.org and act as a subordinate CA server. It was setup with the
following commands;
sudo ipa-server-install --external-ca --external-ca-type=ms-cs
sudo ipa-server-install --external-cert-file=/home/$USER/ipa.cer
--external-cert-file=/home/$USER/certnew.cer
kinit admin
sudo ipa-adtrust-install
sudo ipa trust-add --type=ad ad.labnet.org --admin Administrator
--password --two-way=true
The second one is setup as a IPA Replica also hosting the domain
ipa.labnet.org It has been setup with the following commands;
sudo ipa-client-install --mkhomedir
sudo ipa-replica-install
sudo ipa-ca-install
kinit admin
sudo ipa-adtrust-install
sudo ipa trust-add --type=ad ad.labnet.org --admin Administrator
--password --two-way=true
All needed DNS records have been created in the DNS server on the Windows
server. At least I hope so.
IPA Healthceck on both IPA servers don't complain about anything missing.
sudo ipa-healthcheck --output-type human
One IPA Client also setup in the labnet.org domain and using the Windows
server DNS, was setup with the following command;
sudo ipa-client-install --domain=ipa.labnet.org --mkhomedir
Testing authentication on the IPA Client as a user in the ad.labnet.org
works out like this;
Both IPA Servers up works OK
Only IPA Master up works OK
Only IPA Replica up doesn't work.
After this check with IPA Healthcheck on the IPA Replica now comes back
with this;
WARNING: ipahealthcheck.ipa.trust.IPATrustCatalogCheck.{}: Look up of ID {}
for ad.labnet.org returned nothing
ERROR: ipahealthcheck.ipa.trust.IPATrustCatalogCheck.AD Global Catalog: AD
Global Catalog not found in /usr/sbin/sssctl 'domain-status' output: Active
servers:
IPA: lab003.labnet.org
ERROR: ipahealthcheck.ipa.trust.IPATrustCatalogCheck.AD Domain Controller:
AD Domain Controller not found in /usr/sbin/sssctl 'domain-status' output:
Active servers:
IPA: lab003.labnet.org
Can anyone suggest what I have done wrong or missed? As far as I can tell
there are no commands that let me write to the GLobal Catalog?
Thanks!
1 month, 1 week
Password expired is not requested with Ubuntu clients
by Carlos Lopez
Good morning,
I have configured some Ubuntu clientes to authenticate via Kerberos against my RHEL9 IdM server. Everything works correctly: clients are authenticated, etc.
The problem comes when a user's password has expired. In the IdM server logs it is clear that the user must change the password:
2024-04-19T08:38:20.946335+00:00 rhelidmsrv01 krb5kdc[21392]: AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 172.19.11.14: REQUIRED PWCHANGE: user1(a)MYDOM.ORG for krbtgt/MYDOM.ORG(a)MYDOM.ORG, Password has expired
2024-04-19T08:38:20.946413+00:00 rhelidmsrv01 krb5kdc[21392]: closing down fd 13
2024-04-19T08:38:20.946712+00:00 rhelidmsrv01 krb5kdc[21392]: AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 172.19.11.14: NEEDED_PREAUTH: user1(a)MYDOM.ORG for kadmin/changepw(a)MYDOM.ORG, Additional pre-authentication required
2024-04-19T08:38:20.946747+00:00 rhelidmsrv01 krb5kdc[21392]: closing down fd 13
2024-04-19T08:38:20.950691+00:00 rhelidmsrv01 krb5kdc[21392]: AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 172.19.11.14: ISSUE: authtime 1713515900, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha384-192(20), ses=aes256-cts-hmac-sha1-96(18)}, user1(a)MYDOM.ORG for kadmin/changepw(a)MYDOM.ORG
But when accessing to Ubuntu client via ssh, it never prompts to change the password and you can log in.
My sssd's config in Ubuntu client is:
[sssd]
config_file_version = 2
services = pam
domains = mydom.org
[pam]
pam_pwd_expiration_warning = 2
[domain/mydom.org]
id_provider = proxy
proxy_lib_name = files
auth_provider = krb5
chpass_provider = krb5
krb5_server = rhelidmsrv01.mydom.org
krb5_kpasswd = rhelidmsrv01.mydom.org
krb5_realm = mydom.org
krb5_ccname_template = KEYRING:persistent:%U
krb5_validate = true
cache_credentials = true
What could be the problem?
Best regards,
C. L. Martinez
1 month, 1 week
windows client auth not working
by Anton Menshutin
Hello, list.
I have installed freeipa server 4.10.2-8 under RockyLinux and would like to setup windows clients to join freeipa domain.
I followed the guide https://www.freeipa.org/page/Windows_authentication_against_FreeIPA.
When I enter user credentials for the first time windows asks to change password, after password is changed it does not login.
After that every attempt results in the "wrong user or password" message.
Looking at kerberos log it seems that password is correct but windows does not let the user in for some reason. In audit log it says that login was refused with some error that does not explain anything.
Time is in sync as well as timezone.
There are a lot of posts saying that this should work but I don't have any clues where to look. Any ideas what might be wrong?
1 month, 2 weeks
How to prevent non-admin users of FreeIPA from reading the list of users in the web interface?
by cdknight
When a user signs in to FreeIPA, I do not want them to be able to view the list of users in my LDAP server under the "Active users" link. I still want them to be able to administer self-service, so they can reset their password, add OTP tokens, etc. How would I go about doing this? The users will only be able to access the web interface, so it doesn't matter whether they can access it from other sources.
1 month, 2 weeks
Assertion failure in dns_name_fromtext prevents named-pkcs11 from starting
by Sam Morris
I've got two RHEL 8 servers where named-pkcs11 aborts with an assertion failure after upgrading bind to version 32:9.11.36-11.el8_9.1.
```
Apr 13 15:54:50 named-pkcs11[372364]: zone localhost/IN: loaded serial 0
Apr 13 15:54:50 named-pkcs11[372364]: zone localhost.localdomain/IN: loaded serial 0
Apr 13 15:54:50 named-pkcs11[372364]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Apr 13 15:54:50 named-pkcs11[372364]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
Apr 13 15:54:50 named-pkcs11[372364]: all zones loaded
Apr 13 15:54:50 named-pkcs11[372364]: running
Apr 13 15:54:50 named-pkcs11[372364]: ../../../lib/dns-pkcs11/name.c:1116: REQUIRE((target != ((void *)0) && (__builtin_expect(((target) != ((void *)0)), 1) && __builtin_ex>
Apr 13 15:54:50 systemd[1]: named-pkcs11.service: New main PID 372364 does not belong to service, and PID file is not owned by root. Refusing.
Apr 13 15:54:50 named-pkcs11[372364]: #0 0x563c05be4d14 in ??
Apr 13 15:54:50 systemd[1]: named-pkcs11.service: New main PID 372364 does not belong to service, and PID file is not owned by root. Refusing.
Apr 13 15:54:50 named-pkcs11[372364]: #1 0x7fb179f28fe0 in ??
Apr 13 15:54:50 named-pkcs11[372364]: #2 0x7fb17a23b7b2 in ??
Apr 13 15:54:50 named-pkcs11[372364]: #3 0x7fb1687e4156 in ??
Apr 13 15:54:50 named-pkcs11[372364]: #4 0x7fb1687e45e1 in ??
Apr 13 15:54:50 named-pkcs11[372364]: #5 0x7fb1687e5e60 in ??
Apr 13 15:54:50 named-pkcs11[372364]: #6 0x7fb1687e6214 in ??
Apr 13 15:54:50 named-pkcs11[372364]: #7 0x7fb1687ef3e0 in ??
Apr 13 15:54:50 named-pkcs11[372364]: #8 0x7fb179f50904 in ??
Apr 13 15:54:50 named-pkcs11[372364]: #9 0x7fb179f5158f in ??
Apr 13 15:54:50 named-pkcs11[372364]: #10 0x7fb17733e1ca in ??
Apr 13 15:54:50 named-pkcs11[372364]: #11 0x7fb176c42e73 in ??
Apr 13 15:54:50 named-pkcs11[372364]: exiting (due to assertion failure)
```
Downgrading to 9.11.36-11.el8_9.x86_64 fixes the problem.
Here's the stack trace from 'coredumpctl info named-pkcs11':
```
Stack trace of thread 325662:
#0 0x00007f0575081acf raise (libc.so.6)
#1 0x00007f0575054ea5 abort (libc.so.6)
#2 0x0000557c3cbecd2a assertion_failed.cold.5 (named-pkcs11)
#3 0x00007f0578352fe0 isc_assertion_failed (libisc-pkcs11.so.1107)
#4 0x00007f05786657b2 dns_name_fromtext (libdns-pkcs11.so.1115)
#5 0x00007f056e20b156 empty_zone_search_next (ldap.so)
#6 0x00007f056e20b5e1 empty_zone_handle_conflicts (ldap.so)
#7 0x00007f056e20ce60 fwd_configure_zone (ldap.so)
#8 0x00007f056e20d214 fwd_reconfig_global (ldap.so)
#9 0x00007f056e2163e0 update_serverconfig (ldap.so)
#10 0x00007f057837a904 dispatch (libisc-pkcs11.so.1107)
#11 0x00007f057837b58f run_normal (libisc-pkcs11.so.1107)
#12 0x00007f05757681ca start_thread (libpthread.so.0)
#13 0x00007f057506ce73 __clone (libc.so.6)
```
I can open a Jira, attach coredumps, etc. next week if needed.
```
--
Sam Morris <sam(a)robots.org.uk>
```
1 month, 2 weeks
ipaclient-install.log certutil: Could not find cert:
by C Wilson
Hello
I'm trying to roll out a new IPA server for our development environment and have nicely automated the server installation process with Ansible but when I've come to rolling out the clients I'm hitting this problem.
When running ipa-client-install:
ipa-client-install -N --fixed-primary --server server.domain.local --realm DOMAIN.LOCAL --domain DOMAIN.local --principal admin --password 'adminpassword' -U
I get the following error:
Please make sure the following ports are opened in the firewall settings:
TCP: 80, 88, 389
UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
TCP: 464
UDP: 464, 123 (if NTP enabled)
Installation failed. Rolling back changes.
Disabling client Kerberos and LDAP configurations
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
Kerberos authentication failed: kinit: Cannot contact any KDC for realm 'DOMAIN.LOCAL' while getting initial credentials
I've disabled the firewall on both systems, DNS resolves the server name. I can nmap and telnet to the ports listed so I don't think it's a networking issue. The ipa server appears to be running fine:
[root@server tmp]# service ipa status
Redirecting to /bin/systemctl status ipa.service
● ipa.service - Identity, Policy, Audit
Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled; preset: disabled)
Active: active (exited) since Wed 2024-04-10 15:49:49 UTC; 2 days ago
Main PID: 18336 (code=exited, status=0/SUCCESS)
CPU: 1.610s
Apr 10 15:49:48 server ipactl[18336]: Assuming stale, cleaning and proceeding
Apr 10 15:49:49 server ipactl[18336]: ipa: INFO: The ipactl command was successful
Apr 10 15:49:49 server ipactl[18336]: Starting Directory Service
Apr 10 15:49:49 server ipactl[18336]: Starting krb5kdc Service
Apr 10 15:49:49 server ipactl[18336]: Starting kadmin Service
Apr 10 15:49:49 server ipactl[18336]: Starting httpd Service
Apr 10 15:49:49 server ipactl[18336]: Starting ipa-custodia Service
Apr 10 15:49:49 server ipactl[18336]: Starting pki-tomcatd Service
Apr 10 15:49:49 server ipactl[18336]: Starting ipa-otpd Service
Apr 10 15:49:49 server systemd[1]: Finished Identity, Policy, Audit.
Looking at the ipaclient-install.log there are lines that are semi interesting but I can't see how to progress from here to resolve the issue:
2024-04-12T16:25:51Z DEBUG stderr=kinit: Cannot contact any KDC for realm 'DOMAIN.LOCAL' while getting initial credentials
2024-04-12T16:25:51Z ERROR Installation failed. Rolling back changes.
2024-04-12T16:25:52Z DEBUG stderr=
2024-04-12T16:25:52Z DEBUG stderr=certutil: Could not find cert: IPA Machine Certificate - virt01.domain.local
: PR_FILE_NOT_FOUND_ERROR: File not found
but if I run `kinit admin(a)server.domain.local` it authenticates.
I seem to be at a dead end, How do I troubleshoot this further?
1 month, 2 weeks
Cannot retrieve CRL from new EL9 IPA replica
by Orion Poplawski
I've just added an EL9 IPA replica into our domain. I seems to generally be
working fine, but trying to download the MasterCRL.bin fails:
==> /var/log/httpd/access_log <==
10.20.0.37 - - [10/Apr/2024:14:13:17 -0700] "GET /ipa/crl/MasterCRL.bin
HTTP/1.1" 301 293 "-" "curl/7.76.1"
==> /var/log/httpd/error_log <==
[Wed Apr 10 14:14:17.830119 2024] [proxy_ajp:error] [pid 28001:tid 28040]
(70007)The timeout specified has expired: AH01030: ajp_ilink_receive() can't
receive header
[Wed Apr 10 14:14:17.830249 2024] [proxy_ajp:error] [pid 28001:tid 28040]
[client 10.20.0.37:35124] AH00992: ajp_read_header: ajp_ilink_receive failed
[Wed Apr 10 14:14:17.830261 2024] [proxy_ajp:error] [pid 28001:tid 28040]
(70007)The timeout specified has expired: [client 10.20.0.37:35124] AH00878:
read response failed from [::1]:8009 (localhost:8009)
==> /var/log/httpd/access_log <==
10.20.0.37 - - [10/Apr/2024:14:13:17 -0700] "GET
/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL HTTP/1.1" 500 527 "-"
"curl/7.76.1"
I'm not sure where else to look for logs.
TIA,
Orion
--
Orion Poplawski
he/him/his - surely the least important thing about me
Manager of IT Systems 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion(a)nwra.com
Boulder, CO 80301 https://www.nwra.com/
1 month, 2 weeks
httpd uses 2x100% CPU
by Bo Lind
I just went to check on one of my replicas, and noticed that the IPA web server seems to use a lot of CPU:
From htop:
PID USER PRI NI VIRT RES SHR S CPU%▽MEM% TIME+ Command
507664 ipaapi 20 0 1353M 459M 16656 S 100.8 0.2 24h15:19 (wsgi:ipa) -DFOREGROUND
507984 ipaapi 20 0 1353M 459M 16656 R 100.8 0.2 24h15:12 (wsgi:ipa) -DFOREGROUND
From top:
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
507664 ipaapi 20 0 1385892 470580 16656 S 100.0 0.2 1456:06 httpd
I checked /var/log/httpd/access_log and error_log, but there was nothing out of the ordinary.
I have not yet restarted the service/machine, as it's in production.
Any ideas?
1 month, 3 weeks
"Credential cache is empty" error preventing certmonger from renewing a host's certificate
by Sam Morris
I've got an IPA client on which certmonger is unable to renew a
certificate.
Here are the log messages from certmonger...
2023-06-20 08:24:49 [622035] Certificate submission attempt complete.
2023-06-20 08:24:49 [622035] Child status = 2.
2023-06-20 08:24:49 [622035] Child output:
"Server at https://ipa5.ipa.example.com/ipa/json denied our request, giving up: 2100 (Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is >
"
2023-06-20 08:24:49 [622035] Server at https://ipa5.ipa.example.com/ipa/json denied our request, giving up: 2100 (Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more infor>
Here's the tracking request, nothing looks out of the ordinary to me...
# getcert list -i 20220519165212
Number of certificates and requests being tracked: 2.
Request ID '20220519165212':
status: MONITORING
ca-error: Server at https://ipa5.ipa.example.com/ipa/json denied our request, giving up: 2100 (Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cre.
stuck: no
key pair storage: type=FILE,location='/etc/cockpit/ws-certs.d/51-myhost.key'
certificate: type=FILE,location='/etc/cockpit/ws-certs.d/51-myhost.crt'
CA: IPA
issuer: CN=Certificate Authority,O=IPA.EXAMPLE.COM
subject: CN=myhost.ipa.example.com,O=IPA.EXAMPLE.COM
issued: 2023-03-25 16:52:45 UTC
expires: 2023-06-23 16:52:45 UTC
dns: myhost.ipa.example.com
principal name: host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
In order to rule out a problem with ipa5, I used 'ipactl' to stop
everything on it, then re-ran 'getcert resubmit -i 20220519165212'. In
the subsequent output of 'getcert list -i 20220519165212' I saw the same
error message displayed but with the name of a different IPA server. So
I don't think this is a problem with a particular IPA server.
Next I extracted the CSR data from
'/var/lib/certmonger/requests/20220519165212' to a file, authenticated
as host/myhost.ipa.example.com (with 'kinit -k') and then ran 'ipa
cert-request host.req --principal=host/myhost.ipa.example.com', which
worked!
So perhaps the problem is with certmonger, or with the way in which it
interacts with the IPA server that differs from simply running 'ipa
cert-request' as I did manually.
I also tried to look for logs on the server side, but I didn't find
anything very useful. /var/log/httpd/access_log has:
192.168.0.4 - - [20/Jun/2023:13:21:53 +0000] "POST /ipa/json HTTP/1.1" 401 2719
192.168.0.4 - host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM [20/Jun/2023:13:21:53 +0000] "POST /ipa/json HTTP/1.1" 200 526
So it looks like certmonger is having no problem authenticating to
ipaapi. httpd is logging:
$ journalctl -u httpd -e
Jun 20 13:21:56 [121899]: GSSAPI client step 1
Jun 20 13:21:56 [121899]: GSSAPI client step 1
Jun 20 13:21:57 [121899]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)
So is looks like ipaapi might be having trouble using Kerberos as a
client?
I added KRB5_TRACE=/var/lib/httpd/krb5.trace to httpd.service's
Environment= and restarted it, then re-ran 'getcert resubmit' on the
tracking request. I got these messages:
[124285] 1687270136.437160: Initializing FILE:/tmp/krb5cc-httpd with default princ HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM
[124285] 1687270136.437161: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> Encrypted/Credentials/v1@X-GSSPROXY: in FILE:/tmp/krb5cc-httpd
[124285] 1687270136.437163: Retrieving HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> Encrypted/Credentials/v1@X-GSSPROXY: from FILE:/tmp/krb5cc-httpd with result: 0/Success
[124285] 1687270136.437165: Initializing FILE:/run/ipa/ccaches/host~myhost.ipa.example.com@IPA.EXAMPLE.COM-h3azdl with default princ host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM
[124285] 1687270136.437166: Storing host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> Encrypted/Credentials/v1@X-GSSPROXY: in FILE:/run/ipa/ccaches/host~myhost.ipa.example.com@IPA.EXAMPLE.COM-h3azdl
No errors there either. I set KRB5_TRACE=/var/lib/gssproxy/krb5.trace in
gssproxy.service's Environment= and got:
[124798] 1687270460.854044: Resolving unique ccache of type MEMORY
[124798] 1687270460.854045: Initializing MEMORY:GJanRRF with default princ HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM
[124798] 1687270460.854046: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/refresh_time@X-CACHECONF: in MEMORY:GJanRRF
[124798] 1687270460.854047: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/pa_type/krbtgt\/IPA.EXAMPLE.COM\@IPA.EXAMPLE.COM(a)X-CACHECONF: in MEMORY:GJanRRF
[124798] 1687270460.854048: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/fast_avail/krbtgt\/IPA.EXAMPLE.COM\@IPA.EXAMPLE.COM(a)X-CACHECONF: in MEMORY:GJanRRF
[124798] 1687270460.854049: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krbtgt/IPA.EXAMPLE.COM(a)IPA.EXAMPLE.COM in MEMORY:GJanRRF
[124798] 1687270460.854052: Destroying ccache MEMORY:GJanRRF
[124798] 1687270460.854054: Resolving unique ccache of type MEMORY
[124798] 1687270460.854055: Initializing MEMORY:Cn5E8Va with default princ HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM
[124798] 1687270460.854056: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/refresh_time@X-CACHECONF: in MEMORY:Cn5E8Va
[124798] 1687270460.854057: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/pa_type/krbtgt\/IPA.EXAMPLE.COM\@IPA.EXAMPLE.COM(a)X-CACHECONF: in MEMORY:Cn5E8Va
[124798] 1687270460.854058: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/fast_avail/krbtgt\/IPA.EXAMPLE.COM\@IPA.EXAMPLE.COM(a)X-CACHECONF: in MEMORY:Cn5E8Va
[124798] 1687270460.854059: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krbtgt/IPA.EXAMPLE.COM(a)IPA.EXAMPLE.COM in MEMORY:Cn5E8Va
[124798] 1687270460.854062: Destroying ccache MEMORY:Cn5E8Va
[124798] 1687270460.854064: Resolving unique ccache of type MEMORY
[124798] 1687270460.854065: Initializing MEMORY:8e5DNHy with default princ HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM
[124798] 1687270460.854066: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/refresh_time@X-CACHECONF: in MEMORY:8e5DNHy
[124798] 1687270460.854067: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/pa_type/krbtgt\/IPA.EXAMPLE.COM\@IPA.EXAMPLE.COM(a)X-CACHECONF: in MEMORY:8e5DNHy
[124798] 1687270460.854068: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/fast_avail/krbtgt\/IPA.EXAMPLE.COM\@IPA.EXAMPLE.COM(a)X-CACHECONF: in MEMORY:8e5DNHy
[124798] 1687270460.854069: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krbtgt/IPA.EXAMPLE.COM(a)IPA.EXAMPLE.COM in MEMORY:8e5DNHy
[124798] 1687270460.854071: Decrypted AP-REQ with server principal HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM: aes256-cts/E0A2
[124798] 1687270460.854072: AP-REQ ticket: host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM, session key aes256-cts/1952
[124798] 1687270460.854073: Negotiated enctype based on authenticator: aes256-cts
[124798] 1687270460.854074: Authenticator contains subkey: aes256-cts/2098
[124798] 1687270460.854075: Resolving unique ccache of type MEMORY
[124798] 1687270460.854076: Initializing MEMORY:FX6Yqgq with default princ host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM
[124798] 1687270460.854077: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krbtgt/IPA.EXAMPLE.COM(a)IPA.EXAMPLE.COM in MEMORY:FX6Yqgq
[124798] 1687270460.854078: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/fast_avail/krbtgt\/IPA.EXAMPLE.COM\@IPA.EXAMPLE.COM(a)X-CACHECONF: in MEMORY:FX6Yqgq
[124798] 1687270460.854079: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/pa_type/krbtgt\/IPA.EXAMPLE.COM\@IPA.EXAMPLE.COM(a)X-CACHECONF: in MEMORY:FX6Yqgq
[124798] 1687270460.854080: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/refresh_time@X-CACHECONF: in MEMORY:FX6Yqgq
[124798] 1687270460.854081: Storing config in MEMORY:FX6Yqgq for : proxy_impersonator: HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM
[124798] 1687270460.854082: Storing host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: in MEMORY:FX6Yqgq
[124798] 1687270460.854083: Storing host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM in MEMORY:FX6Yqgq
[124798] 1687270460.854085: Creating AP-REP, time 1687270460.725581, subkey aes256-cts/BB66, seqnum 668121546
[124798] 1687270461.005570: Destroying ccache MEMORY:FX6Yqgq
[124798] 1687270461.005573: Destroying ccache MEMORY:8e5DNHy
[124798] 1687270461.005575: Resolving unique ccache of type MEMORY
[124798] 1687270461.005576: Initializing MEMORY:NmnNwyD with default princ host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM
[124798] 1687270461.005577: Storing host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM in MEMORY:NmnNwyD
[124798] 1687270461.005578: Storing host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: in MEMORY:NmnNwyD
[124798] 1687270461.005579: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/refresh_time@X-CACHECONF: in MEMORY:NmnNwyD
[124798] 1687270461.005580: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/pa_type/krbtgt\/IPA.EXAMPLE.COM\@IPA.EXAMPLE.COM(a)X-CACHECONF: in MEMORY:NmnNwyD
[124798] 1687270461.005581: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/fast_avail/krbtgt\/IPA.EXAMPLE.COM\@IPA.EXAMPLE.COM(a)X-CACHECONF: in MEMORY:NmnNwyD
[124798] 1687270461.005582: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krbtgt/IPA.EXAMPLE.COM(a)IPA.EXAMPLE.COM in MEMORY:NmnNwyD
[124798] 1687270461.005585: Destroying ccache MEMORY:NmnNwyD
[124798] 1687270461.005587: Resolving unique ccache of type MEMORY
[124798] 1687270461.005588: Initializing MEMORY:gUnl8Xt with default princ host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM
[124798] 1687270461.005589: Storing host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM in MEMORY:gUnl8Xt
[124798] 1687270461.005590: Storing host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: in MEMORY:gUnl8Xt
[124798] 1687270461.005591: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/refresh_time@X-CACHECONF: in MEMORY:gUnl8Xt
[124798] 1687270461.005592: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/pa_type/krbtgt\/IPA.EXAMPLE.COM\@IPA.EXAMPLE.COM(a)X-CACHECONF: in MEMORY:gUnl8Xt
[124798] 1687270461.005593: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/fast_avail/krbtgt\/IPA.EXAMPLE.COM\@IPA.EXAMPLE.COM(a)X-CACHECONF: in MEMORY:gUnl8Xt
[124798] 1687270461.005594: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krbtgt/IPA.EXAMPLE.COM(a)IPA.EXAMPLE.COM in MEMORY:gUnl8Xt
[124798] 1687270461.005597: Destroying ccache MEMORY:gUnl8Xt
[124798] 1687270461.005599: Resolving unique ccache of type MEMORY
[124798] 1687270461.005600: Initializing MEMORY:wBGblf3 with default princ host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM
[124798] 1687270461.005601: Storing host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM in MEMORY:wBGblf3
[124798] 1687270461.005602: Storing host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: in MEMORY:wBGblf3
[124798] 1687270461.005603: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/refresh_time@X-CACHECONF: in MEMORY:wBGblf3
[124798] 1687270461.005604: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/pa_type/krbtgt\/IPA.EXAMPLE.COM\@IPA.EXAMPLE.COM(a)X-CACHECONF: in MEMORY:wBGblf3
[124798] 1687270461.005605: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/fast_avail/krbtgt\/IPA.EXAMPLE.COM\@IPA.EXAMPLE.COM(a)X-CACHECONF: in MEMORY:wBGblf3
[124798] 1687270461.005606: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krbtgt/IPA.EXAMPLE.COM(a)IPA.EXAMPLE.COM in MEMORY:wBGblf3
[124798] 1687270461.005609: Destroying ccache MEMORY:wBGblf3
[124798] 1687270461.005611: Resolving unique ccache of type MEMORY
[124798] 1687270461.005612: Initializing MEMORY:4uHf47g with default princ host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM
[124798] 1687270461.005613: Storing host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM in MEMORY:4uHf47g
[124798] 1687270461.005614: Storing host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: in MEMORY:4uHf47g
[124798] 1687270461.005615: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/refresh_time@X-CACHECONF: in MEMORY:4uHf47g
[124798] 1687270461.005616: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/pa_type/krbtgt\/IPA.EXAMPLE.COM\@IPA.EXAMPLE.COM(a)X-CACHECONF: in MEMORY:4uHf47g
[124798] 1687270461.005617: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/fast_avail/krbtgt\/IPA.EXAMPLE.COM\@IPA.EXAMPLE.COM(a)X-CACHECONF: in MEMORY:4uHf47g
[124798] 1687270461.005618: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krbtgt/IPA.EXAMPLE.COM(a)IPA.EXAMPLE.COM in MEMORY:4uHf47g
[124798] 1687270461.005621: Destroying ccache MEMORY:4uHf47g
[124798] 1687270461.005623: Resolving unique ccache of type MEMORY
[124798] 1687270461.005624: Initializing MEMORY:9LUdBez with default princ host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM
[124798] 1687270461.005625: Storing host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM in MEMORY:9LUdBez
[124798] 1687270461.005626: Storing host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: in MEMORY:9LUdBez
[124798] 1687270461.005627: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/refresh_time@X-CACHECONF: in MEMORY:9LUdBez
[124798] 1687270461.005628: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/pa_type/krbtgt\/IPA.EXAMPLE.COM\@IPA.EXAMPLE.COM(a)X-CACHECONF: in MEMORY:9LUdBez
[124798] 1687270461.005629: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/fast_avail/krbtgt\/IPA.EXAMPLE.COM\@IPA.EXAMPLE.COM(a)X-CACHECONF: in MEMORY:9LUdBez
[124798] 1687270461.005630: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krbtgt/IPA.EXAMPLE.COM(a)IPA.EXAMPLE.COM in MEMORY:9LUdBez
[124798] 1687270461.005634: Initializing MEMORY:cred_allowed_0x7f85d9152380 with default princ host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM
[124798] 1687270461.005635: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krbtgt/IPA.EXAMPLE.COM(a)IPA.EXAMPLE.COM in MEMORY:cred_allowed_0x7f85d9152380
[124798] 1687270461.005636: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/fast_avail/krbtgt\/IPA.EXAMPLE.COM\@IPA.EXAMPLE.COM(a)X-CACHECONF: in MEMORY:cred_allowed_0x7f85d9152380
[124798] 1687270461.005637: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/pa_type/krbtgt\/IPA.EXAMPLE.COM\@IPA.EXAMPLE.COM(a)X-CACHECONF: in MEMORY:cred_allowed_0x7f85d9152380
[124798] 1687270461.005638: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/refresh_time@X-CACHECONF: in MEMORY:cred_allowed_0x7f85d9152380
[124798] 1687270461.005639: Storing host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: in MEMORY:cred_allowed_0x7f85d9152380
[124798] 1687270461.005640: Storing host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM in MEMORY:cred_allowed_0x7f85d9152380
[124798] 1687270461.005641: Destroying ccache MEMORY:cred_allowed_0x7f85d9152380
[124798] 1687270461.005644: Getting credentials host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> ldap/ipa5.ipa.example.com@ using ccache MEMORY:9LUdBez
[124798] 1687270461.005645: Retrieving host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/start_realm@X-CACHECONF: from MEMORY:9LUdBez with result: -1765328243/Matching credential not found
[124798] 1687270461.005646: Retrieving host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> ldap/ipa5.ipa.example.com@ from MEMORY:9LUdBez with result: -1765328243/Matching credential not found
[124798] 1687270461.005647: Retrying host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> ldap/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM with result: -1765328243/Matching credential not found
[124798] 1687270461.005648: Retrieving host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM from MEMORY:9LUdBez with result: 0/Success
[124798] 1687270461.005649: Getting credentials HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krbtgt/IPA.EXAMPLE.COM(a)IPA.EXAMPLE.COM using ccache MEMORY:9LUdBez
[124798] 1687270461.005650: Retrieving host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/start_realm@X-CACHECONF: from MEMORY:9LUdBez with result: -1765328243/Matching credential not found
[124798] 1687270461.005651: Retrieving HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krbtgt/IPA.EXAMPLE.COM(a)IPA.EXAMPLE.COM from MEMORY:9LUdBez with result: 0/Success
[124798] 1687270461.005652: Get cred via TGT krbtgt/IPA.EXAMPLE.COM(a)IPA.EXAMPLE.COM after requesting ldap/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM (canonicalize on)
[124798] 1687270461.005653: Generated subkey for TGS request: aes256-cts/FBB4
[124798] 1687270461.005654: etypes requested in TGS request: aes256-cts, aes256-sha2, camellia256-cts, aes128-cts, aes128-sha2, camellia128-cts
[124798] 1687270461.005656: Encoding request body and padata into FAST request
[124798] 1687270461.005657: Sending request (5335 bytes) to IPA.EXAMPLE.COM
[124798] 1687270461.005658: Initiating TCP connection to stream 192.168.0.5:88
[124798] 1687270461.005659: Sending TCP request to stream 192.168.0.5:88
[124798] 1687270461.005660: Received answer (508 bytes) from stream 192.168.0.5:88
[124798] 1687270461.005661: Terminating TCP connection to stream 192.168.0.5:88
[124798] 1687270461.005662: Response was from master KDC
[124798] 1687270461.005663: Decoding FAST response
[124798] 1687270461.005664: Decoding FAST response
[124798] 1687270461.005665: Got cred; -1765328371/KDC can't fulfill requested option
[124798] 1687270461.005669: Destroying ccache MEMORY:9LUdBez
The only thing that looks like an error in that output is "KDC can't
fulfill requested option".
The last place I can think of looking is in /var/log/krb5kdc.log:
Jun 20 14:17:34 ipa5.ipa.example.com krb5kdc[119948](info): TGS_REQ : handle_authdata (-1765328371)
Jun 20 14:17:34 ipa5.ipa.example.com krb5kdc[119948](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 192.168.0.5: HANDLE_AUTHDATA: authtime 1687270653, etypes {rep=UNSUPPORTED:(0)} HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM for ldap/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM, KDC can't fulfill requested option
Jun 20 14:17:34 ipa5.ipa.example.com krb5kdc[119948](info): ... CONSTRAINED-DELEGATION s4u-client=host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM
Jun 20 14:17:34 ipa5.ipa.example.com krb5kdc[119948](info): closing down fd 12
There's another instance of "KDC can't fulfill requested option".
My best guess is that there's something wrong with the constrained
delegation setup that lets ipaapi access the directory on behalf of the
client host? But this looks fine:
$ ipa servicedelegationrule-show ipa-http-delegation
Delegation name: ipa-http-delegation
Allowed Target: ipa-ldap-delegation-targets, ipa-cifs-delegation-targets
Member principals: HTTP/ipa3.ipa.example.com(a)IPA.EXAMPLE.COM, HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM, HTTP/ipa6.ipa.example.com(a)IPA.EXAMPLE.COM
$ ipa servicedelegationtarget-show ipa-ldap-delegation-targets
Delegation name: ipa-ldap-delegation-targets
Member principals: ldap/ipa3.ipa.example.com(a)IPA.EXAMPLE.COM, ldap/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM, ldap/ipa6.ipa.example.com(a)IPA.EXAMPLE.COM
... and in any case a simple 'ipa cert-request' as the host worked fine,
it's only certmonger's attempts to request a certificate that are
failing.
The IPA client has:
ipa-client-4.9.11-5.module+el8.8.0+18147+84fe6ec1.x86_64
certmonger-0.79.17-2.el8.x86_64
... and the server has:
ipa-server-4.9.11-5.module+el8.8.0+18146+a1d8660b.x86_64
Any troubleshooting help is really appreciated!
--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
1 month, 3 weeks