Bryan Carroll via FreeIPA-users wrote:
> Hi all,
>
> After an upgrade from 4.10.0-8 to 4.11.0-15, I'm getting an authentication
> failure in the access log:
>
> [11/Jul/2024:17:32:01.528294151 -0500] conn=57224 op=1 RESULT err=49 tag=97
> nentries=0 wtime=0.000076683 optime=0.265358256 etime=0.265415438 -
> SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
>
> This is preventing anyone from logging in. Kvno was saying the keytab entry
> is invalid and wrong principal in request:
>
> root@pacific dirsrv $ klist -kt /etc/dirsrv/ds.keytab
> Keytab name: FILE:/etc/dirsrv/ds.keytab
> KVNO Timestamp           Principal
> ---- ------------------- ------------------------------------------------------
>    1 03/08/2023 23:34:09 ldap/pacific.caps....@caps.int
>    1 03/08/2023 23:34:09 ldap/pacific.caps....@caps.int
> root@pacific ~ $ kvno -k /etc/dirsrv/ds.keytab ldap/pacific.caps.int
> ldap/pacific.caps....@caps.int: kvno = 2, keytab entry invalid
> kvno: Wrong principal in request while decrypting ticket for
> ldap/pacific.caps....@caps.int
>
> So I got a new ticket with ktutil and the kvno still shows it is invalid:
>
> root@pacific dirsrv $ klist -kt /etc/dirsrv/ds.keytab
> Keytab name: FILE:/etc/dirsrv/ds.keytab
> KVNO Timestamp           Principal
> ---- ------------------- ------------------------------------------------------
>    2 07/11/2024 18:54:19 ldap/pacific.caps....@caps.int
> root@pacific dirsrv $ kvno -k /etc/dirsrv/ds.keytab ldap/pacific.caps.int
> ldap/pacific.caps....@caps.int: kvno = 2, keytab entry invalid
> kvno: Wrong principal in request while decrypting ticket for
> ldap/pacific.caps....@caps.int
>
> I checked the database for the principal:
>
> root@pacific dirsrv $ kadmin.local
> Authenticating as principal capsipa/ad...@caps.int with password.
> kadmin.local: get_principal ldap/pacific.caps.int
> Principal: ldap/pacific.caps....@caps.int
> Expiration date: [never]
> Last password change: Mon Jul 08 10:21:07 CDT 2024
> Password expiration date: [never]
> Maximum ticket life: 1 day 00:00:00
> Maximum renewable life: 7 days 00:00:00
> Last modified: Mon Jul 08 10:21:07 CDT 2024 (ldap/pacific.caps....@caps.int)
> Last successful authentication: [never]
> Last failed authentication: Mon Jul 08 23:54:29 CDT 2024
> Failed password attempts: 4
> Number of keys: 2
> Key: vno 2, aes256-cts-hmac-sha1-96:special
> Key: vno 2, aes128-cts-hmac-sha1-96:special
> MKey: vno 1
> Attributes: REQUIRES_PRE_AUTH
> Policy: [none]
>
> The ldap.conf contents:
>
> SASL_NOCANON on
>
> BASE dc=caps,dc=int
> TLS_CACERT /etc/ipa/ca.crt
> SASL_MECH GSSAPI
> URI ldaps://pacific.caps.int
>
> The krb5.conf contents:
>
> includedir /etc/krb5.conf.d/
>
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  default_realm = CAPS.INT
>  dns_lookup_realm = false
>  dns_lookup_kdc = true
>  rdns = false
>  ticket_lifetime = 24h
>  forwardable = true
>  udp_preference_limit = 0
>  default_ccache_name = KEYRING:persistent:%{uid}
>
> [realms]
>  CAPS.INT = {
>   kdc = pacific.caps.int:88
>   master_kdc = pacific.caps.int:88
>   kpasswd_server = pacific.caps.int:464
>   admin_server = pacific.caps.int:749
>   default_domain = caps.int
>   pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
>   pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
>  }
>
> [domain_realm]
>  .caps.int = CAPS.INT
>  caps.int = CAPS.INT
>  pacific.caps.int = CAPS.INT
>
> [dbmodules]
>  CAPS.INT = {
>   db_library = ipadb.so
>  }
>
> [plugins]
>  certauth = {
>   module = ipakdb:kdb/ipadb.so
>   enable_only = ipakdb
>  }
>
> I'm not sure where to go from here:
You don't say what release you're running, but in a previous administratively held message you said 9.1 to 9.4. It got held up in a Fedora mailing list server upgrade. Moderation still isn't quite working yet.

What you're seeing is probably related to missing SIDs. See https://access.redhat.com/solutions/7052703 or other posts on this list about the same topic.

Look for S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC in /var/log/krb5kdc.log

rob
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
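As an added triage example (not code from the thread or from FreeIPA), the check Rob suggests in script form: pull the err=49 GSSAPI bind failures out of the 389-ds access log and correlate them with S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC lines in krb5kdc.log. The access-log line is the one quoted above; the second access line and both KDC lines are constructed, and the KDC line layout is an assumption (only the marker token is relied on).

```python
import re

# Constructed sample: first line is the failure quoted in the thread, the
# second is a made-up successful bind for contrast.
ACCESS_LOG = """\
[11/Jul/2024:17:32:01.528294151 -0500] conn=57224 op=1 RESULT err=49 tag=97 nentries=0 wtime=0.000076683 optime=0.265358256 etime=0.265415438 - SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
[11/Jul/2024:17:32:05.100000000 -0500] conn=57225 op=1 RESULT err=0 tag=97 nentries=0 wtime=0.000070000 optime=0.001000000 etime=0.001070000 dn="uid=alice,cn=users,cn=accounts,dc=caps,dc=int"
"""

# Constructed sample KDC log; the exact field layout is assumed, only the
# S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC marker from the reply is matched on.
KDC_LOG = """\
Jul 11 17:32:01 pacific krb5kdc[2231](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.0.0.5: S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 1720736400, HTTP/pacific.caps.int@CAPS.INT for ldap/pacific.caps.int@CAPS.INT, KDC policy rejects request
Jul 11 17:32:05 pacific krb5kdc[2231](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.0.0.7: ISSUE: authtime 1720736405, etypes {rep=18 tkt=18 ses=18}, alice@CAPS.INT for krbtgt/CAPS.INT@CAPS.INT
"""

# 389-ds RESULT line prefix: timestamp, connection, operation, LDAP result code.
ACCESS_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+)")
# Trailing SASL diagnostic appended by the server on a failed bind.
SASL_RE = re.compile(r"SASL\((?P<code>-?\d+)\): (?P<msg>.*)$")
# KDC rejection: the marker, then "<client principal> for <service principal>,".
PAC_RE = re.compile(r"S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC.*?(?P<client>\S+) for (?P<service>\S+),")


def gssapi_bind_failures(access_log):
    """Return (conn, sasl_code, message) for each err=49 RESULT with a GSSAPI SASL error."""
    hits = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m or m["err"] != "49":          # 49 = invalidCredentials
            continue
        s = SASL_RE.search(line)
        if s and "GSSAPI" in s["msg"]:
            hits.append((int(m["conn"]), int(s["code"]), s["msg"]))
    return hits


def kdc_pac_rejections(kdc_log):
    """Return (client, service) for each KDC line rejecting an evidence ticket without a PAC."""
    return [(m["client"], m["service"]) for m in map(PAC_RE.search, kdc_log.splitlines()) if m]


def triage(access_log, kdc_log):
    """Combine both signals into a verdict a FreeIPA admin can act on."""
    binds, pacs = gssapi_bind_failures(access_log), kdc_pac_rejections(kdc_log)
    if binds and pacs:
        return "missing-pac"      # GSSAPI bind failures plus PAC-less evidence tickets: check SIDs
    if binds:
        return "gssapi-failure"   # no KDC marker: look at keytab kvno, principal names, rdns
    return "ok"


if __name__ == "__main__":
    print(triage(ACCESS_LOG, KDC_LOG))
```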