Dear IPA users,
I need your help on an issue. An upgrade from Fedora 36 to Fedora 38 has
completely broken Kerberos authentication in our FreeIPA realm.
kinit <username>
fails for every user but our domain admin. Hosts can't authenticate
themselves either.
Everything works fine if I add disable_pac = true to /etc/krb5.conf.
However, this isn't a recommended setting from a security point of view.
Therefore, we can't accept that as a workaround.
I found several posts suggesting generating SIDs for the users. So I did
that by calling ipa config-mod --enable-sid --add-sids. The job ran
without any error and assigned a SID to each user. I confirmed this with
ipa user-show --all.
I also verified that the firewall configuration matches the
recommendations of FreeIPA:
https://www.freeipa.org/page/Active_Directory_trust_setup#iptables
I also thought this issue could be caused by a FreeIPA version mismatch
between our two master servers. Therefore, I updated both servers to
Fedora 38, but the problem still exists.
I tried to collect the vital system information.
$ kinit user
Passwort für u...@intern.example.de:
kinit: allgemeiner Fehler (siehe E-Text) bei Anfängliche Anmeldedaten
werden geholt.
The `/var/log/krb5kdc.log` contains the following entries for an
authentication attempt:
Nov 25 20:22:35 id.intern.example.de krb5kdc[2858](Information): AS_REQ
(6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20),
camellia256-cts-cmac(26), aes128-cts-hmac-sha256-128(19),
aes128-cts-hmac-sha1-96(17), camellia128-cts-cmac(25)}) 141.83.153.180:
HANDLE_AUTHDATA: u...@intern.example.de für
krbtgt/intern.example...@intern.example.de, Datei oder Verzeichnis nicht
gefunden
The content of our `/etc/krb5.conf` is:
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = INTERN.EXAMPLE.DE
dns_lookup_realm = false
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
INTERN.EXAMPLE.DE = {
kdc = id.intern.example.de:88
master_kdc = id.intern.example.de:88
kpasswd_server = id.intern.example.de:464
admin_server = id.intern.example.de:749
default_domain = intern.example.de
pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}
[domain_realm]
.intern.example.de = INTERN.EXAMPLE.DE
intern.example.de = INTERN.EXAMPLE.DE
id.intern.example.de = INTERN.EXAMPLE.DE
[dbmodules]
INTERN.EXAMPLE.DE = {
db_library = ipadb.so
}
[plugins]
certauth = {
module = ipakdb:kdb/ipadb.so
enable_only = ipakdb
}
IPA diagnostics show no error:
$ ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
I also asked this question on serverfault:
https://serverfault.com/posts/1148566
Please let me know if I forgot to include anything vital. I have never
posted to a user mailing list before. Please let me know if I failed to
follow a best practice. I'd appreciate any help since I am stuck here.
Have a nice day!
David Leeuwestein
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
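The KDC log excerpt in the post shows the AS_REQ failing in the HANDLE_AUTHDATA stage (the point at which the KDC builds the PAC) rather than at pre-authentication, which is why disabling the PAC masks the problem. When triaging this kind of failure across many users it helps to reduce krb5kdc.log to a per-principal summary. The following parser is an added example and is not part of the original post or of FreeIPA; the sample log lines are constructed to mirror the post's excerpt (same host, PID and first client address, full principal names and an uppercase realm substituted for the redacted ones, plus an ISSUE line for the admin and a PREAUTH_FAILED line for contrast). It assumes the KDC's localized "für" is equivalent to the English "for" in the same position.

```python
import re
from collections import defaultdict

# One krb5kdc.log request line (AS_REQ or TGS_REQ).  The etype list contains
# parentheses but never a closing brace, so "[^}]*" delimits it safely.  The
# log-level tag is matched loosely because it is localized ("(info)" in
# English, "(Information)" in the post's German locale).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<kdc>\S+) "
    r"krb5kdc\[\d+\]\([^)]*\): (?P<req>AS_REQ|TGS_REQ) "
    r"\((?P<etypes>\d+ etypes \{[^}]*\})\) (?P<client_addr>\S+?): "
    r"(?P<stage>[A-Z_]+): (?P<body>.*)$"
)

# Failed request body: "<client> for <server>, <error text>".  The KDC
# localizes "for" (the post's KDC logs "für"), so both spellings are accepted.
FAIL_RE = re.compile(r"^(?P<client>\S+) (?:for|für) (?P<server>[^,]+), (?P<error>.*)$")

# Successful request body: "authtime N, etypes {...}, <client> for <server>".
ISSUE_RE = re.compile(
    r"^authtime \d+, etypes \{[^}]*\}, (?P<client>\S+) (?:for|für) (?P<server>\S+)$"
)

# Constructed sample lines modeled on the post's log excerpt (not real data).
SAMPLE_LOG = [
    "Nov 25 20:22:35 id.intern.example.de krb5kdc[2858](Information): AS_REQ "
    "(6 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) "
    "141.83.153.180: HANDLE_AUTHDATA: user1@INTERN.EXAMPLE.DE für "
    "krbtgt/INTERN.EXAMPLE.DE@INTERN.EXAMPLE.DE, Datei oder Verzeichnis nicht gefunden",
    "Nov 25 20:23:01 id.intern.example.de krb5kdc[2858](Information): AS_REQ "
    "(6 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) "
    "141.83.153.181: ISSUE: authtime 1700940181, etypes {rep=18 tkt=18 ses=18}, "
    "admin@INTERN.EXAMPLE.DE for krbtgt/INTERN.EXAMPLE.DE@INTERN.EXAMPLE.DE",
    "Nov 25 20:23:40 id.intern.example.de krb5kdc[2858](Information): AS_REQ "
    "(6 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) "
    "141.83.153.182: HANDLE_AUTHDATA: user2@INTERN.EXAMPLE.DE für "
    "krbtgt/INTERN.EXAMPLE.DE@INTERN.EXAMPLE.DE, Datei oder Verzeichnis nicht gefunden",
    "Nov 25 20:24:10 id.intern.example.de krb5kdc[2858](Information): AS_REQ "
    "(6 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) "
    "141.83.153.183: PREAUTH_FAILED: user3@INTERN.EXAMPLE.DE for "
    "krbtgt/INTERN.EXAMPLE.DE@INTERN.EXAMPLE.DE, Preauthentication failed",
]


def parse_line(line):
    """Return a dict describing one request line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {k: m.group(k) for k in ("ts", "kdc", "req", "client_addr", "stage")}
    body = m.group("body")
    sub = (ISSUE_RE if rec["stage"] == "ISSUE" else FAIL_RE).match(body)
    if not sub:
        return None
    rec["client"] = sub.group("client")
    rec["server"] = sub.group("server").strip()
    rec["error"] = sub.group("error").strip() if rec["stage"] != "ISSUE" else None
    return rec


def summarize(lines):
    """Per client principal: count of issued tickets and the (stage, error)
    pairs recorded for failed requests."""
    issued = defaultdict(int)
    failed = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["stage"] == "ISSUE":
            issued[rec["client"]] += 1
        else:
            failed[rec["client"]].append((rec["stage"], rec["error"]))
    return {"issued": dict(issued), "failed": dict(failed)}


def pac_failure_clients(lines):
    """Principals whose request died in HANDLE_AUTHDATA, i.e. while the KDC
    was building authorization data (the PAC), not while checking the password."""
    summary = summarize(lines)
    return sorted(p for p, errs in summary["failed"].items()
                  if any(stage == "HANDLE_AUTHDATA" for stage, _ in errs))


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_LOG), indent=2, ensure_ascii=False))
    print("PAC-stage failures:", pac_failure_clients(SAMPLE_LOG))
```

Feeding the real file (`python3 kdclog.py < /var/log/krb5kdc.log` after swapping `SAMPLE_LOG` for `sys.stdin`) separates "everyone fails in HANDLE_AUTHDATA except the admin" from ordinary wrong-password noise, which is the distinction that points at SID or PAC generation rather than at credentials or the firewall.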