Bryan Carroll via FreeIPA-users wrote:
> Hi all,
> 
> After an upgrade from 4.10.0-8 to 4.11.0-15, I'm getting an authentication 
> failure in the access log:
> 
> [11/Jul/2024:17:32:01.528294151 -0500] conn=57224 op=1 RESULT err=49 tag=97 nentries=0 wtime=0.000076683 optime=0.265358256 etime=0.265415438 - SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
> 
> This is preventing anyone from logging in. Kvno was saying the keytab entry 
> is invalid and wrong principal in request:
> 
> root@pacific dirsrv $ klist -kt /etc/dirsrv/ds.keytab
> Keytab name: FILE:/etc/dirsrv/ds.keytab
> KVNO Timestamp           Principal
> ---- ------------------- ------------------------------------------------------
>    1 03/08/2023 23:34:09 ldap/pacific.caps....@caps.int
>    1 03/08/2023 23:34:09 ldap/pacific.caps....@caps.int
> root@pacific ~ $ kvno -k /etc/dirsrv/ds.keytab ldap/pacific.caps.int
> ldap/pacific.caps....@caps.int: kvno = 2, keytab entry invalid
> kvno: Wrong principal in request while decrypting ticket for ldap/pacific.caps....@caps.int
> 
> So I got a new ticket with ktutil and the kvno still shows it is invalid: 
> 
> root@pacific dirsrv $ klist -kt /etc/dirsrv/ds.keytab
> Keytab name: FILE:/etc/dirsrv/ds.keytab
> KVNO Timestamp           Principal
> ---- ------------------- ------------------------------------------------------
>    2 07/11/2024 18:54:19 ldap/pacific.caps....@caps.int
> root@pacific dirsrv $ kvno -k /etc/dirsrv/ds.keytab ldap/pacific.caps.int
> ldap/pacific.caps....@caps.int: kvno = 2, keytab entry invalid
> kvno: Wrong principal in request while decrypting ticket for ldap/pacific.caps....@caps.int
> 
> I checked the database for the principal:
> 
> root@pacific dirsrv $ kadmin.local
> Authenticating as principal capsipa/ad...@caps.int with password.
> kadmin.local:  get_principal ldap/pacific.caps.int
> Principal: ldap/pacific.caps....@caps.int
> Expiration date: [never]
> Last password change: Mon Jul 08 10:21:07 CDT 2024
> Password expiration date: [never]
> Maximum ticket life: 1 day 00:00:00
> Maximum renewable life: 7 days 00:00:00
> Last modified: Mon Jul 08 10:21:07 CDT 2024 (ldap/pacific.caps....@caps.int)
> Last successful authentication: [never]
> Last failed authentication: Mon Jul 08 23:54:29 CDT 2024
> Failed password attempts: 4
> Number of keys: 2
> Key: vno 2, aes256-cts-hmac-sha1-96:special
> Key: vno 2, aes128-cts-hmac-sha1-96:special
> MKey: vno 1
> Attributes: REQUIRES_PRE_AUTH
> Policy: [none]
> 
> The ldap.conf contents:
> 
> SASL_NOCANON    on
> 
> BASE dc=caps,dc=int
> TLS_CACERT /etc/ipa/ca.crt
> SASL_MECH GSSAPI
> URI ldaps://pacific.caps.int
> 
> The krb5.conf contents:
> 
> includedir /etc/krb5.conf.d/
> 
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
> 
> [libdefaults]
>  default_realm = CAPS.INT
>  dns_lookup_realm = false
>  dns_lookup_kdc = true
>  rdns = false
>  ticket_lifetime = 24h
>  forwardable = true
>  udp_preference_limit = 0
>  default_ccache_name = KEYRING:persistent:%{uid}
> 
> [realms]
>  CAPS.INT = {
>   kdc = pacific.caps.int:88
>   master_kdc = pacific.caps.int:88
>   kpasswd_server = pacific.caps.int:464
>   admin_server = pacific.caps.int:749
>   default_domain = caps.int
>   pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
>   pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
> }
> 
> [domain_realm]
>  .caps.int = CAPS.INT
>  caps.int = CAPS.INT
>  pacific.caps.int = CAPS.INT
> 
> [dbmodules]
>   CAPS.INT = {
>     db_library = ipadb.so
>   }
> 
> [plugins]
>  certauth = {
>   module = ipakdb:kdb/ipadb.so
>   enable_only = ipakdb
>  }
> 
> I'm not sure where to go from here:

You don't say what release you're running, but in a previous
administratively held message you said 9.1 to 9.4. It got held up in a
Fedora mailing list server upgrade. Moderation still isn't quite working
yet.

What you're seeing is probably related to missing SIDs. See
https://access.redhat.com/solutions/7052703 or other posts on this list
about the same topic.

Look for S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC in /var/log/krb5kdc.log

rob
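A small diagnostic script, added here as an example and not part of the thread, that performs the two checks the exchange above boils down to: whether the keytab actually holds the key version the KDC database reports for the service principal (the kvno 1 vs. vno 2 mismatch in the first `klist`/`get_principal` output), and whether /var/log/krb5kdc.log carries the S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC marker Rob points at. The full principal name `ldap/pacific.caps.int@CAPS.INT` is assumed (the archive masks it), and every input below is a constructed sample modelled on the thread; on a real server feed it the live output of `klist -kt`, `kadmin.local get_principal` and the KDC log.

```shell
#!/bin/sh
# Added diagnostic helper (not from the thread). Compares the KVNOs in a
# keytab with the key version the KDC database holds for the same principal,
# and looks for the missing-PAC marker in the KDC log. All inputs here are
# constructed samples; replace them with live output on a real server.

PRINC='ldap/pacific.caps.int@CAPS.INT'   # assumed full principal name

# Constructed `klist -kt` output before re-keying: keytab still at kvno 1
KLIST_OLD='KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 03/08/2023 23:34:09 ldap/pacific.caps.int@CAPS.INT
   1 03/08/2023 23:34:09 ldap/pacific.caps.int@CAPS.INT'
# Constructed `klist -kt` output after ktutil: keytab now at kvno 2
KLIST_NEW='KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 07/11/2024 18:54:19 ldap/pacific.caps.int@CAPS.INT'
# Constructed `kadmin.local get_principal` output: KDB keys are vno 2
KADMIN_OUT='Principal: ldap/pacific.caps.int@CAPS.INT
Number of keys: 2
Key: vno 2, aes256-cts-hmac-sha1-96:special
Key: vno 2, aes128-cts-hmac-sha1-96:special'
# Constructed krb5kdc.log line carrying the PAC-less evidence ticket marker
KDC_LOG='Jul 11 17:32:01 pacific krb5kdc[2231](info): S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: ldap/pacific.caps.int@CAPS.INT'

# keytab_kvnos KLIST_OUTPUT PRINCIPAL -> distinct KVNOs the keytab holds for it
keytab_kvnos() {
    printf '%s\n' "$1" | awk -v p="$2" '$4 == p { print $1 }' | sort -u
}
# kdb_kvno KADMIN_OUTPUT -> highest "Key: vno N" the KDC database reports
kdb_kvno() {
    printf '%s\n' "$1" | awk 'BEGIN { m = 0 } /^Key: vno/ { sub(",", "", $3); if ($3 + 0 > m) m = $3 + 0 } END { print m }'
}
# keytab_matches_kdb KLIST_OUTPUT KADMIN_OUTPUT PRINCIPAL
# succeeds only if the keytab contains the KDB's current key version
keytab_matches_kdb() {
    _want=$(kdb_kvno "$2")
    keytab_kvnos "$1" "$3" | grep -qx "$_want"
}
# pac_marker_present KDC_LOG -> succeeds if the missing-PAC marker was logged
pac_marker_present() {
    printf '%s\n' "$1" | grep -q 'S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC'
}

# Stand-alone run: the re-keyed keytab matches the KDB, yet the KDC still logs
# the marker, which is why ktutil alone did not clear the GSSAPI failure.
keytab_matches_kdb "$KLIST_OLD" "$KADMIN_OUT" "$PRINC" || echo "old keytab: kvno mismatch with KDB"
keytab_matches_kdb "$KLIST_NEW" "$KADMIN_OUT" "$PRINC" && echo "new keytab: kvno matches KDB"
pac_marker_present "$KDC_LOG" && echo "KDC log: evidence ticket without PAC, check for missing SIDs"
```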
