What I don't understand is why the web interface is working fine but 
enrollment has some trouble with the ipaapi service.

I'm attaching the gssproxy log from a failed interaction:

>Jul 27 09:44:36 infra-ipa-master-01.edu-ipa.novalocal gssproxy[100]: [CID 
>17][2023/07/27 06:44:36]: Connection matched service ipa-api
>Jul 27 09:44:36 infra-ipa-master-01.edu-ipa.novalocal gssproxy[100]: [CID 
>17][2023/07/27 06:44:36]: gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for 
>service "ipa-api", euid: 289,socket: (null)
>Jul 27 09:44:36 infra-ipa-master-01.edu-ipa.novalocal gssproxy[100]:     
>GSSX_ARG_ACQUIRE_CRED( call_ctx: { "" [  ] } input_cred_handle: { 
>"host/test-lb-enroll.edu.novalocal@EDU-IPA.NOVALOCAL" [ { 
>"host/test-lb-enroll.edu.novalocal@EDU-IPA.NOVALOCAL" { 1 2 840 113554 1 2 2 } 
>INITIATE 84121 0 } ] [ ....JGeFFv......... ] 0 } add_cred: 0 desired_name: 
><Null> time_req: 4294967295 desired_mechs: { { 1 2 840 113554 1 2 2 } } 
>cred_usage: INITIATE initiator_time_req: 0 acceptor_time_req: 0 )
>Jul 27 09:44:36 infra-ipa-master-01.edu-ipa.novalocal gssproxy[100]:     
>GSSX_RES_ACQUIRE_CRED( status: { 0 { 1 2 840 113554 1 2 2 } 0 "" "" [  ] } 
>output_cred_handle: { "host/test-lb-enroll.edu.novalocal@EDU-IPA.NOVALOCAL" [ 
>{ "host/test-lb-enroll.edu.novalocal@EDU-IPA.NOVALOCAL" { 1 2 840 113554 1 2 2 
>} INITIATE 84121 0 } ] [ ....JGeFFv......... ] 0 } )
>Jul 27 09:44:36 infra-ipa-master-01.edu-ipa.novalocal gssproxy[100]: [CID 
>17][2023/07/27 06:44:36]: Connection matched service ipa-api
>Jul 27 09:44:36 infra-ipa-master-01.edu-ipa.novalocal gssproxy[100]: [CID 
>17][2023/07/27 06:44:36]: gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for 
>service "ipa-api", euid: 289,socket: (null)
>Jul 27 09:44:36 infra-ipa-master-01.edu-ipa.novalocal gssproxy[100]:     
>GSSX_ARG_ACQUIRE_CRED( call_ctx: { "" [  ] } input_cred_handle: { 
>"host/test-lb-enroll.edu.novalocal@EDU-IPA.NOVALOCAL" [ { 
>"host/test-lb-enroll.edu.novalocal@EDU-IPA.NOVALOCAL" { 1 2 840 113554 1 2 2 } 
>INITIATE 84121 0 } ] [ ....JGeFFv......... ] 0 } add_cred: 0 desired_name: 
><Null> time_req: 0 desired_mechs: { } cred_usage: INITIATE initiator_time_req: 
>0 acceptor_time_req: 0 )
>Jul 27 09:44:36 infra-ipa-master-01.edu-ipa.novalocal gssproxy[100]:     
>GSSX_RES_ACQUIRE_CRED( status: { 0 { 1 2 840 113554 1 2 2 } 0 "" "" [  ] } 
>output_cred_handle: { "host/test-lb-enroll.edu.novalocal@EDU-IPA.NOVALOCAL" [ 
>{ "host/test-lb-enroll.edu.novalocal@EDU-IPA.NOVALOCAL" { 1 2 840 113554 1 2 2 
>} INITIATE 84121 0 } ] [ ....JGeFFv......... ] 0 } )
>Jul 27 09:44:36 infra-ipa-master-01.edu-ipa.novalocal gssproxy[100]: [CID 
>17][2023/07/27 06:44:36]: Connection matched service ipa-api
>Jul 27 09:44:36 infra-ipa-master-01.edu-ipa.novalocal gssproxy[100]: [CID 
>17][2023/07/27 06:44:36]: gp_rpc_execute: executing 8 (GSSX_INIT_SEC_CONTEXT) 
>for service "ipa-api", euid: 289,socket: (null)
>Jul 27 09:44:36 infra-ipa-master-01.edu-ipa.novalocal gssproxy[100]:     
>GSSX_ARG_INIT_SEC_CONTEXT( call_ctx: { "" [  ] } context_handle: <Null> 
>cred_handle: { "host/test-lb-enroll.edu.novalocal@EDU-IPA.NOVALOCAL" [ { 
>"host/test-lb-enroll.edu.novalocal@EDU-IPA.NOVALOCAL" { 1 2 840 113554 1 2 2 } 
>INITIATE 84121 0 } ] [ ....JGeFFv......... ] 0 } target_name: 
>"l...@infra-ipa-master-01.edu-ipa.novalocal" mech_type: { 1 2 840 113554 1 2 2 
>} req_flags: 58 time_req: 0 input_cb: <Null> input_token: <Null> [ { [ 
>sync.modified.cr... ] [ 64656661756c740 ] } ] )
>Jul 27 09:44:36 infra-ipa-master-01.edu-ipa.novalocal gssproxy[100]: [CID 
>17][2023/07/27 06:44:36]: Credentials allowed by configuration
>Jul 27 09:44:36 infra-ipa-master-01.edu-ipa.novalocal gssproxy[100]:     
>GSSX_RES_INIT_SEC_CONTEXT( status: { 851968 { 1 2 840 113554 1 2 2 } 
>2529639053 "Unspecified GSS failure.  Minor code may provide more information" 
>"Matching credential not found" [  ] } context_handle: <Null> output_token: 
><Null> )


Successful interaction:

>Jul 27 10:06:27 infra-ipa-master-01.edu-ipa.novalocal gssproxy[100]:     
>GSSX_RES_ACQUIRE_CRED( status: { 0 { 1 2 840 113554 1 2 2 } 0 "" "" [  ] } 
>output_cred_handle: { "host/test-lb-enroll.edu.novalocal@EDU-IPA.NOVALOCAL" [ 
>{ "host/test-lb-enroll.edu.novalocal@EDU-IPA.NOVALOCAL" { 1 2 840 113554 1 2 2 
>} INITIATE 84735 0 } ] [ .4..aR.....4.R..... ] 0 } )
>Jul 27 10:06:27 infra-ipa-master-01.edu-ipa.novalocal gssproxy[100]: [CID 
>16][2023/07/27 07:06:27]: Connection matched service ipa-api
>Jul 27 10:06:27 infra-ipa-master-01.edu-ipa.novalocal gssproxy[100]: [CID 
>16][2023/07/27 07:06:27]: gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for 
>service "ipa-api", euid: 289,socket: (null)
>Jul 27 10:06:27 infra-ipa-master-01.edu-ipa.novalocal gssproxy[100]:     
>GSSX_ARG_ACQUIRE_CRED( call_ctx: { "" [  ] } input_cred_handle: { 
>"host/test-lb-enroll.edu.novalocal@EDU-IPA.NOVALOCAL" [ { 
>"host/test-lb-enroll.edu.novalocal@EDU-IPA.NOVALOCAL" { 1 2 840 113554 1 2 2 } 
>INITIATE 84735 0 } ] [ .4..aR.....4.R..... ] 0 } add_cred: 0 desired_name: 
><Null> time_req: 4294967295 desired_mechs: { { 1 2 840 113554 1 2 2 } } 
>cred_usage: INITIATE initiator_time_req: 0 acceptor_time_req: 0 )
>Jul 27 10:06:27 infra-ipa-master-01.edu-ipa.novalocal gssproxy[100]:     
>GSSX_RES_ACQUIRE_CRED( status: { 0 { 1 2 840 113554 1 2 2 } 0 "" "" [  ] } 
>output_cred_handle: { "host/test-lb-enroll.edu.novalocal@EDU-IPA.NOVALOCAL" [ 
>{ "host/test-lb-enroll.edu.novalocal@EDU-IPA.NOVALOCAL" { 1 2 840 113554 1 2 2 
>} INITIATE 84735 0 } ] [ .4..aR.....4.R..... ] 0 } )
>Jul 27 10:06:27 infra-ipa-master-01.edu-ipa.novalocal gssproxy[100]: [CID 
>16][2023/07/27 07:06:27]: Connection matched service ipa-api
>Jul 27 10:06:27 infra-ipa-master-01.edu-ipa.novalocal gssproxy[100]: [CID 
>16][2023/07/27 07:06:27]: gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for 
>service "ipa-api", euid: 289,socket: (null)
>Jul 27 10:06:27 infra-ipa-master-01.edu-ipa.novalocal gssproxy[100]:     
>GSSX_ARG_ACQUIRE_CRED( call_ctx: { "" [  ] } input_cred_handle: { 
>"host/test-lb-enroll.edu.novalocal@EDU-IPA.NOVALOCAL" [ { 
>"host/test-lb-enroll.edu.novalocal@EDU-IPA.NOVALOCAL" { 1 2 840 113554 1 2 2 } 
>INITIATE 84735 0 } ] [ .4..aR.....4.R..... ] 0 } add_cred: 0 desired_name: 
><Null> time_req: 4294967295 desired_mechs: { { 1 2 840 113554 1 2 2 } } 
>cred_usage: INITIATE initiator_time_req: 0 acceptor_time_req: 0 )
>Jul 27 10:06:27 infra-ipa-master-01.edu-ipa.novalocal gssproxy[100]:     
>GSSX_RES_ACQUIRE_CRED( status: { 0 { 1 2 840 113554 1 2 2 } 0 "" "" [  ] } 
>output_cred_handle: { "host/test-lb-enroll.edu.novalocal@EDU-IPA.NOVALOCAL" [ 
>{ "host/test-lb-enroll.edu.novalocal@EDU-IPA.NOVALOCAL" { 1 2 840 113554 1 2 2 
>} INITIATE 84735 0 } ] [ .4..aR.....4.R..... ] 0 } )
>Jul 27 10:06:27 infra-ipa-master-01.edu-ipa.novalocal gssproxy[100]: [CID 
>16][2023/07/27 07:06:27]: Connection matched service ipa-api
>Jul 27 10:06:27 infra-ipa-master-01.edu-ipa.novalocal gssproxy[100]: [CID 
>16][2023/07/27 07:06:27]: gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for 
>service "ipa-api", euid: 289,socket: (null)
>Jul 27 10:06:27 infra-ipa-master-01.edu-ipa.novalocal gssproxy[100]:     
>GSSX_ARG_ACQUIRE_CRED( call_ctx: { "" [  ] } input_cred_handle: { 
>"host/test-lb-enroll.edu.novalocal@EDU-IPA.NOVALOCAL" [ { 
>"host/test-lb-enroll.edu.novalocal@EDU-IPA.NOVALOCAL" { 1 2 840 113554 1 2 2 } 
>INITIATE 84735 0 } ] [ .4..aR.....4.R..... ] 0 } add_cred: 0 desired_name: 
><Null> time_req: 0 desired_mechs: { } cred_usage: INITIATE initiator_time_req: 
>0 acceptor_time_req: 0 )
>Jul 27 10:06:27 infra-ipa-master-01.edu-ipa.novalocal gssproxy[100]:     
>GSSX_RES_ACQUIRE_CRED( status: { 0 { 1 2 840 113554 1 2 2 } 0 "" "" [  ] } 
>output_cred_handle: { "host/test-lb-enroll.edu.novalocal@EDU-IPA.NOVALOCAL" [ 
>{ "host/test-lb-enroll.edu.novalocal@EDU-IPA.NOVALOCAL" { 1 2 840 113554 1 2 2 
>} INITIATE 84735 0 } ] [ .4..aR.....4.R..... ] 0 } )
>Jul 27 10:06:27 infra-ipa-master-01.edu-ipa.novalocal gssproxy[100]: [CID 
>16][2023/07/27 07:06:27]: Connection matched service ipa-api
>Jul 27 10:06:27 infra-ipa-master-01.edu-ipa.novalocal gssproxy[100]: [CID 
>16][2023/07/27 07:06:27]: gp_rpc_execute: executing 8 (GSSX_INIT_SEC_CONTEXT) 
>for service "ipa-api", euid: 289,socket: (null)
>Jul 27 10:06:27 infra-ipa-master-01.edu-ipa.novalocal gssproxy[100]:     
>GSSX_ARG_INIT_SEC_CONTEXT( call_ctx: { "" [  ] } context_handle: <Null> 
>cred_handle: { "host/test-lb-enroll.edu.novalocal@EDU-IPA.NOVALOCAL" [ { 
>"host/test-lb-enroll.edu.novalocal@EDU-IPA.NOVALOCAL" { 1 2 840 113554 1 2 2 } 
>INITIATE 84735 0 } ] [ .4..aR.....4.R..... ] 0 } target_name: 
>"l...@infra-ipa-master-01.edu-ipa.novalocal" mech_type: { 1 2 840 113554 1 2 2 
>} req_flags: 58 time_req: 0 input_cb: <Null> input_token: <Null> [ { [ 
>sync.modified.cr... ] [ 64656661756c740 ] } ] )
>Jul 27 10:06:27 infra-ipa-master-01.edu-ipa.novalocal gssproxy[100]: [CID 
>16][2023/07/27 07:06:27]: Credentials allowed by configuration
>Jul 27 10:06:27 infra-ipa-master-01.edu-ipa.novalocal gssproxy[100]:     
>GSSX_RES_INIT_SEC_CONTEXT( status: { 1 { 1 2 840 113554 1 2 2 } 0 "The routine 
>must be called again to complete its function" "" [  ] } context_handle: { [ 
>......H............ ] [  ] 0 { 1 2 840 113554 1 2 2 } "" "" 0 314 1 0 } 
>output_token: [ ........H.......... ] )

As I described previously, for proxying I'm relying on putting my custom ldap 
and HTTP service for the load balancer proxy in the respective ds.keytab and 
http.keytab and also enabling

[libdefaults]
 ignore_acceptor_hostname = true

Also, during the enrollment, in /run/ipa/ccaches I only see this kind of 
credential cache show up:
-rw-rw---- 1 apache ipaapi  6822 Jul 27 09:44 
host~test-lb-enroll.edu.novalocal@EDU-IPA.NOVALOCAL-eJnspL

So I guess the only successful ticket retrieval is for the HTTP service. During 
the successful enrollment I see that there must be the following service ticket 
(for the ipaapi service):
-rw------- 1 ipaapi ipaapi 12062 Jul 27 10:06 
host~test-lb-enroll.edu.novalocal@EDU-IPA.NOVALOCAL-LFxJFa

Can you help me understand what I might be overlooking? I've kind of exhausted 
my ideas on how to debug this further.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org