What I don't understand is why the web interface is working fine but enrollment has some troubles with the ipaapi service.

I'm attaching the gssproxy log during the failed interaction:

> Jul 27 09:44:36 infra-ipa-master-01.edu-ipa.novalocal gssproxy[100]: [CID 17][2023/07/27 06:44:36]: Connection matched service ipa-api
> Jul 27 09:44:36 infra-ipa-master-01.edu-ipa.novalocal gssproxy[100]: [CID 17][2023/07/27 06:44:36]: gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "ipa-api", euid: 289,socket: (null)
> Jul 27 09:44:36 infra-ipa-master-01.edu-ipa.novalocal gssproxy[100]: GSSX_ARG_ACQUIRE_CRED( call_ctx: { "" [ ] } input_cred_handle: { "host/test-lb-enroll.edu.novalocal@EDU-IPA.NOVALOCAL" [ { "host/test-lb-enroll.edu.novalocal@EDU-IPA.NOVALOCAL" { 1 2 840 113554 1 2 2 } INITIATE 84121 0 } ] [ ....JGeFFv......... ] 0 } add_cred: 0 desired_name: <Null> time_req: 4294967295 desired_mechs: { { 1 2 840 113554 1 2 2 } } cred_usage: INITIATE initiator_time_req: 0 acceptor_time_req: 0 )
> Jul 27 09:44:36 infra-ipa-master-01.edu-ipa.novalocal gssproxy[100]: GSSX_RES_ACQUIRE_CRED( status: { 0 { 1 2 840 113554 1 2 2 } 0 "" "" [ ] } output_cred_handle: { "host/test-lb-enroll.edu.novalocal@EDU-IPA.NOVALOCAL" [ { "host/test-lb-enroll.edu.novalocal@EDU-IPA.NOVALOCAL" { 1 2 840 113554 1 2 2 } INITIATE 84121 0 } ] [ ....JGeFFv......... ] 0 } )
> Jul 27 09:44:36 infra-ipa-master-01.edu-ipa.novalocal gssproxy[100]: [CID 17][2023/07/27 06:44:36]: Connection matched service ipa-api
> Jul 27 09:44:36 infra-ipa-master-01.edu-ipa.novalocal gssproxy[100]: [CID 17][2023/07/27 06:44:36]: gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "ipa-api", euid: 289,socket: (null)
> Jul 27 09:44:36 infra-ipa-master-01.edu-ipa.novalocal gssproxy[100]: GSSX_ARG_ACQUIRE_CRED( call_ctx: { "" [ ] } input_cred_handle: { "host/test-lb-enroll.edu.novalocal@EDU-IPA.NOVALOCAL" [ { "host/test-lb-enroll.edu.novalocal@EDU-IPA.NOVALOCAL" { 1 2 840 113554 1 2 2 } INITIATE 84121 0 } ] [ ....JGeFFv......... ] 0 } add_cred: 0 desired_name: <Null> time_req: 0 desired_mechs: { } cred_usage: INITIATE initiator_time_req: 0 acceptor_time_req: 0 )
> Jul 27 09:44:36 infra-ipa-master-01.edu-ipa.novalocal gssproxy[100]: GSSX_RES_ACQUIRE_CRED( status: { 0 { 1 2 840 113554 1 2 2 } 0 "" "" [ ] } output_cred_handle: { "host/test-lb-enroll.edu.novalocal@EDU-IPA.NOVALOCAL" [ { "host/test-lb-enroll.edu.novalocal@EDU-IPA.NOVALOCAL" { 1 2 840 113554 1 2 2 } INITIATE 84121 0 } ] [ ....JGeFFv......... ] 0 } )
> Jul 27 09:44:36 infra-ipa-master-01.edu-ipa.novalocal gssproxy[100]: [CID 17][2023/07/27 06:44:36]: Connection matched service ipa-api
> Jul 27 09:44:36 infra-ipa-master-01.edu-ipa.novalocal gssproxy[100]: [CID 17][2023/07/27 06:44:36]: gp_rpc_execute: executing 8 (GSSX_INIT_SEC_CONTEXT) for service "ipa-api", euid: 289,socket: (null)
> Jul 27 09:44:36 infra-ipa-master-01.edu-ipa.novalocal gssproxy[100]: GSSX_ARG_INIT_SEC_CONTEXT( call_ctx: { "" [ ] } context_handle: <Null> cred_handle: { "host/test-lb-enroll.edu.novalocal@EDU-IPA.NOVALOCAL" [ { "host/test-lb-enroll.edu.novalocal@EDU-IPA.NOVALOCAL" { 1 2 840 113554 1 2 2 } INITIATE 84121 0 } ] [ ....JGeFFv......... ] 0 } target_name: "l...@infra-ipa-master-01.edu-ipa.novalocal" mech_type: { 1 2 840 113554 1 2 2 } req_flags: 58 time_req: 0 input_cb: <Null> input_token: <Null> [ { [ sync.modified.cr... ] [ 64656661756c740 ] } ] )
> Jul 27 09:44:36 infra-ipa-master-01.edu-ipa.novalocal gssproxy[100]: [CID 17][2023/07/27 06:44:36]: Credentials allowed by configuration
> Jul 27 09:44:36 infra-ipa-master-01.edu-ipa.novalocal gssproxy[100]: GSSX_RES_INIT_SEC_CONTEXT( status: { 851968 { 1 2 840 113554 1 2 2 } 2529639053 "Unspecified GSS failure. Minor code may provide more information" "Matching credential not found" [ ] } context_handle: <Null> output_token: <Null> )

Success interaction:

> Jul 27 10:06:27 infra-ipa-master-01.edu-ipa.novalocal gssproxy[100]: GSSX_RES_ACQUIRE_CRED( status: { 0 { 1 2 840 113554 1 2 2 } 0 "" "" [ ] } output_cred_handle: { "host/test-lb-enroll.edu.novalocal@EDU-IPA.NOVALOCAL" [ { "host/test-lb-enroll.edu.novalocal@EDU-IPA.NOVALOCAL" { 1 2 840 113554 1 2 2 } INITIATE 84735 0 } ] [ .4..aR.....4.R..... ] 0 } )
> Jul 27 10:06:27 infra-ipa-master-01.edu-ipa.novalocal gssproxy[100]: [CID 16][2023/07/27 07:06:27]: Connection matched service ipa-api
> Jul 27 10:06:27 infra-ipa-master-01.edu-ipa.novalocal gssproxy[100]: [CID 16][2023/07/27 07:06:27]: gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "ipa-api", euid: 289,socket: (null)
> Jul 27 10:06:27 infra-ipa-master-01.edu-ipa.novalocal gssproxy[100]: GSSX_ARG_ACQUIRE_CRED( call_ctx: { "" [ ] } input_cred_handle: { "host/test-lb-enroll.edu.novalocal@EDU-IPA.NOVALOCAL" [ { "host/test-lb-enroll.edu.novalocal@EDU-IPA.NOVALOCAL" { 1 2 840 113554 1 2 2 } INITIATE 84735 0 } ] [ .4..aR.....4.R..... ] 0 } add_cred: 0 desired_name: <Null> time_req: 4294967295 desired_mechs: { { 1 2 840 113554 1 2 2 } } cred_usage: INITIATE initiator_time_req: 0 acceptor_time_req: 0 )
> Jul 27 10:06:27 infra-ipa-master-01.edu-ipa.novalocal gssproxy[100]: GSSX_RES_ACQUIRE_CRED( status: { 0 { 1 2 840 113554 1 2 2 } 0 "" "" [ ] } output_cred_handle: { "host/test-lb-enroll.edu.novalocal@EDU-IPA.NOVALOCAL" [ { "host/test-lb-enroll.edu.novalocal@EDU-IPA.NOVALOCAL" { 1 2 840 113554 1 2 2 } INITIATE 84735 0 } ] [ .4..aR.....4.R..... ] 0 } )
> Jul 27 10:06:27 infra-ipa-master-01.edu-ipa.novalocal gssproxy[100]: [CID 16][2023/07/27 07:06:27]: Connection matched service ipa-api
> Jul 27 10:06:27 infra-ipa-master-01.edu-ipa.novalocal gssproxy[100]: [CID 16][2023/07/27 07:06:27]: gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "ipa-api", euid: 289,socket: (null)
> Jul 27 10:06:27 infra-ipa-master-01.edu-ipa.novalocal gssproxy[100]: GSSX_ARG_ACQUIRE_CRED( call_ctx: { "" [ ] } input_cred_handle: { "host/test-lb-enroll.edu.novalocal@EDU-IPA.NOVALOCAL" [ { "host/test-lb-enroll.edu.novalocal@EDU-IPA.NOVALOCAL" { 1 2 840 113554 1 2 2 } INITIATE 84735 0 } ] [ .4..aR.....4.R..... ] 0 } add_cred: 0 desired_name: <Null> time_req: 4294967295 desired_mechs: { { 1 2 840 113554 1 2 2 } } cred_usage: INITIATE initiator_time_req: 0 acceptor_time_req: 0 )
> Jul 27 10:06:27 infra-ipa-master-01.edu-ipa.novalocal gssproxy[100]: GSSX_RES_ACQUIRE_CRED( status: { 0 { 1 2 840 113554 1 2 2 } 0 "" "" [ ] } output_cred_handle: { "host/test-lb-enroll.edu.novalocal@EDU-IPA.NOVALOCAL" [ { "host/test-lb-enroll.edu.novalocal@EDU-IPA.NOVALOCAL" { 1 2 840 113554 1 2 2 } INITIATE 84735 0 } ] [ .4..aR.....4.R..... ] 0 } )
> Jul 27 10:06:27 infra-ipa-master-01.edu-ipa.novalocal gssproxy[100]: [CID 16][2023/07/27 07:06:27]: Connection matched service ipa-api
> Jul 27 10:06:27 infra-ipa-master-01.edu-ipa.novalocal gssproxy[100]: [CID 16][2023/07/27 07:06:27]: gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "ipa-api", euid: 289,socket: (null)
> Jul 27 10:06:27 infra-ipa-master-01.edu-ipa.novalocal gssproxy[100]: GSSX_ARG_ACQUIRE_CRED( call_ctx: { "" [ ] } input_cred_handle: { "host/test-lb-enroll.edu.novalocal@EDU-IPA.NOVALOCAL" [ { "host/test-lb-enroll.edu.novalocal@EDU-IPA.NOVALOCAL" { 1 2 840 113554 1 2 2 } INITIATE 84735 0 } ] [ .4..aR.....4.R..... ] 0 } add_cred: 0 desired_name: <Null> time_req: 0 desired_mechs: { } cred_usage: INITIATE initiator_time_req: 0 acceptor_time_req: 0 )
> Jul 27 10:06:27 infra-ipa-master-01.edu-ipa.novalocal gssproxy[100]: GSSX_RES_ACQUIRE_CRED( status: { 0 { 1 2 840 113554 1 2 2 } 0 "" "" [ ] } output_cred_handle: { "host/test-lb-enroll.edu.novalocal@EDU-IPA.NOVALOCAL" [ { "host/test-lb-enroll.edu.novalocal@EDU-IPA.NOVALOCAL" { 1 2 840 113554 1 2 2 } INITIATE 84735 0 } ] [ .4..aR.....4.R..... ] 0 } )
> Jul 27 10:06:27 infra-ipa-master-01.edu-ipa.novalocal gssproxy[100]: [CID 16][2023/07/27 07:06:27]: Connection matched service ipa-api
> Jul 27 10:06:27 infra-ipa-master-01.edu-ipa.novalocal gssproxy[100]: [CID 16][2023/07/27 07:06:27]: gp_rpc_execute: executing 8 (GSSX_INIT_SEC_CONTEXT) for service "ipa-api", euid: 289,socket: (null)
> Jul 27 10:06:27 infra-ipa-master-01.edu-ipa.novalocal gssproxy[100]: GSSX_ARG_INIT_SEC_CONTEXT( call_ctx: { "" [ ] } context_handle: <Null> cred_handle: { "host/test-lb-enroll.edu.novalocal@EDU-IPA.NOVALOCAL" [ { "host/test-lb-enroll.edu.novalocal@EDU-IPA.NOVALOCAL" { 1 2 840 113554 1 2 2 } INITIATE 84735 0 } ] [ .4..aR.....4.R..... ] 0 } target_name: "l...@infra-ipa-master-01.edu-ipa.novalocal" mech_type: { 1 2 840 113554 1 2 2 } req_flags: 58 time_req: 0 input_cb: <Null> input_token: <Null> [ { [ sync.modified.cr... ] [ 64656661756c740 ] } ] )
> Jul 27 10:06:27 infra-ipa-master-01.edu-ipa.novalocal gssproxy[100]: [CID 16][2023/07/27 07:06:27]: Credentials allowed by configuration
> Jul 27 10:06:27 infra-ipa-master-01.edu-ipa.novalocal gssproxy[100]: GSSX_RES_INIT_SEC_CONTEXT( status: { 1 { 1 2 840 113554 1 2 2 } 0 "The routine must be called again to complete its function" "" [ ] } context_handle: { [ ......H............ ] [ ] 0 { 1 2 840 113554 1 2 2 } "" "" 0 314 1 0 } output_token: [ ........H.......... ] )

As I described previously, for proxying I'm relying on putting my custom ldap and HTTP service for the load balancer proxy in the respective ds.keytab and http.keytab, and also enabling

[libdefaults]
ignore_acceptor_hostname = true

Also, during the enrollment in /run/ipa/ccaches I only see those kinda credentials show up:

-rw-rw---- 1 apache ipaapi 6822 Jul 27 09:44 host~test-lb-enroll.edu.novalocal@EDU-IPA.NOVALOCAL-eJnspL

So I guess the only successful ticket retrieval is for the HTTP service. During the successful enrollment I see that there must be the following service ticket (for the ipaapi service):

-rw------- 1 ipaapi ipaapi 12062 Jul 27 10:06 host~test-lb-enroll.edu.novalocal@EDU-IPA.NOVALOCAL-LFxJFa

Can you help me comprehend what I might be overlooking? Kind of exhausted thoughts on how to debug this further.

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
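Reading the two gssproxy traces above by eye is error-prone, so here is a small parser, added to this thread as an example and not taken from gssproxy, FreeIPA or the poster, that pulls the GSSX_RES_* status tuples out of debug lines shaped like the quoted ones, splits the GSS major status into its calling, routine and supplementary fields as laid out in RFC 2744, and converts the Kerberos minor code to the signed com_err value that krb5's error table is indexed by. The lines in SAMPLE_LOG are constructed to mirror the post (hostnames and opaque handle bytes shortened, not a verbatim copy). Associating a GSSX_RES_* line with a CID is an assumption: those lines carry no CID themselves, so the parser uses the CID of the most recent gp_rpc_execute line.

```python
"""Decode GSSX_RES_* status lines from a gssproxy debug log (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the two traces in the post; not the original log.
SAMPLE_LOG = """\
Jul 27 09:44:36 ipa-master gssproxy[100]: [CID 17][2023/07/27 06:44:36]: gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "ipa-api", euid: 289,socket: (null)
Jul 27 09:44:36 ipa-master gssproxy[100]: GSSX_RES_ACQUIRE_CRED( status: { 0 { 1 2 840 113554 1 2 2 } 0 "" "" [ ] } output_cred_handle: { "host/lb.example@EXAMPLE" [ ] 0 } )
Jul 27 09:44:36 ipa-master gssproxy[100]: [CID 17][2023/07/27 06:44:36]: gp_rpc_execute: executing 8 (GSSX_INIT_SEC_CONTEXT) for service "ipa-api", euid: 289,socket: (null)
Jul 27 09:44:36 ipa-master gssproxy[100]: [CID 17][2023/07/27 06:44:36]: Credentials allowed by configuration
Jul 27 09:44:36 ipa-master gssproxy[100]: GSSX_RES_INIT_SEC_CONTEXT( status: { 851968 { 1 2 840 113554 1 2 2 } 2529639053 "Unspecified GSS failure. Minor code may provide more information" "Matching credential not found" [ ] } context_handle: <Null> output_token: <Null> )
Jul 27 10:06:27 ipa-master gssproxy[100]: [CID 16][2023/07/27 07:06:27]: gp_rpc_execute: executing 8 (GSSX_INIT_SEC_CONTEXT) for service "ipa-api", euid: 289,socket: (null)
Jul 27 10:06:27 ipa-master gssproxy[100]: [CID 16][2023/07/27 07:06:27]: Credentials allowed by configuration
Jul 27 10:06:27 ipa-master gssproxy[100]: GSSX_RES_INIT_SEC_CONTEXT( status: { 1 { 1 2 840 113554 1 2 2 } 0 "The routine must be called again to complete its function" "" [ ] } context_handle: { [ ... ] [ ] 0 { 1 2 840 113554 1 2 2 } "" "" 0 314 1 0 } output_token: [ ... ] )
"""

# gp_rpc_execute lines carry the connection id; GSSX_RES_* lines carry the status.
_RPC_RE = re.compile(r"\[CID (?P<cid>\d+)\]\[[^\]]*\]: gp_rpc_execute: executing \d+ \((?P<op>GSSX_\w+)\)")
_RES_RE = re.compile(
    r"(?P<op>GSSX_RES_\w+)\( status: \{ (?P<major>\d+) \{ [\d ]+ \} (?P<minor>\d+) "
    r'"(?P<major_msg>[^"]*)" "(?P<minor_msg>[^"]*)"'
)

# GSS major status layout (RFC 2744 section 3.9): calling errors in bits 24-31,
# routine errors in bits 16-23, supplementary info bits in bits 0-15.
GSS_ROUTINE_ERRORS = {
    1: "GSS_S_BAD_MECH", 2: "GSS_S_BAD_NAME", 3: "GSS_S_BAD_NAMETYPE",
    4: "GSS_S_BAD_BINDINGS", 5: "GSS_S_BAD_STATUS", 6: "GSS_S_BAD_MIC",
    7: "GSS_S_NO_CRED", 8: "GSS_S_NO_CONTEXT", 9: "GSS_S_DEFECTIVE_TOKEN",
    10: "GSS_S_DEFECTIVE_CREDENTIAL", 11: "GSS_S_CREDENTIALS_EXPIRED",
    12: "GSS_S_CONTEXT_EXPIRED", 13: "GSS_S_FAILURE", 14: "GSS_S_BAD_QOP",
    15: "GSS_S_UNAUTHORIZED", 16: "GSS_S_UNAVAILABLE",
    17: "GSS_S_DUPLICATE_ELEMENT", 18: "GSS_S_NAME_NOT_MN",
}
GSS_SUPPLEMENTARY = {1: "GSS_S_CONTINUE_NEEDED", 2: "GSS_S_DUPLICATE_TOKEN",
                     4: "GSS_S_OLD_TOKEN", 8: "GSS_S_UNSEQ_TOKEN", 16: "GSS_S_GAP_TOKEN"}
# com_err base of krb5's error table (KRB5KDC_ERR_NONE). krb5 minor codes are
# negative int32 values, so gssproxy prints them as large unsigned numbers.
KRB5_ERR_BASE = -1765328384


@dataclass
class GssResult:
    cid: Optional[int]  # assumption: CID of the most recent gp_rpc_execute line
    op: str
    major: int
    minor: int
    major_msg: str
    minor_msg: str

    @property
    def calling_error(self) -> int:
        return (self.major >> 24) & 0xFF

    @property
    def routine_error(self) -> Optional[str]:
        code = (self.major >> 16) & 0xFF
        return GSS_ROUTINE_ERRORS.get(code, f"routine_error_{code}") if code else None

    @property
    def supplementary(self) -> List[str]:
        return [name for bit, name in GSS_SUPPLEMENTARY.items() if self.major & 0xFFFF & bit]

    @property
    def failed(self) -> bool:
        return (self.major & 0xFFFF0000) != 0  # same test as the GSS_ERROR() macro

    @property
    def minor_signed(self) -> int:
        return self.minor - (1 << 32) if self.minor & 0x80000000 else self.minor

    @property
    def krb5_offset(self) -> Optional[int]:
        off = self.minor_signed - KRB5_ERR_BASE  # index into krb5's error table
        return off if 0 <= off < 256 else None


def parse_gssproxy_log(text: str) -> List[GssResult]:
    results, current_cid = [], None
    for line in text.splitlines():
        m = _RPC_RE.search(line)
        if m:
            current_cid = int(m.group("cid"))
            continue
        m = _RES_RE.search(line)
        if m:
            results.append(GssResult(current_cid, m.group("op"), int(m.group("major")),
                                     int(m.group("minor")), m.group("major_msg"),
                                     m.group("minor_msg")))
    return results


def context_setup_outcomes(results: List[GssResult]):
    """(cid, verdict) per GSSX_RES_INIT_SEC_CONTEXT: failed:<routine>, continue or complete."""
    out = []
    for r in results:
        if r.op != "GSSX_RES_INIT_SEC_CONTEXT":
            continue
        if r.failed:
            out.append((r.cid, f"failed:{r.routine_error}"))
        elif "GSS_S_CONTINUE_NEEDED" in r.supplementary:
            out.append((r.cid, "continue"))
        else:
            out.append((r.cid, "complete"))
    return out
```

On the numbers from the post this reports the 09:44 attempt as routine error GSS_S_FAILURE (851968 = 13 << 16) with minor -1765328243, offset 141 in the krb5 table, which is the entry whose text is the "Matching credential not found" string in the trace; the 10:06 attempt decodes to the supplementary bit GSS_S_CONTINUE_NEEDED, the normal result of the first leg of a context setup. The ACQUIRE_CRED results are status 0 in both traces, so the difference between them is confined to the credential lookup inside INIT_SEC_CONTEXT.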