Hello,

FreeIPA on CentOS 7.8 just stopped working and I’m unable to fix it by myself. 
After reading a lot of threads here on the list, it appears that I’ve the same 
issue as this topic: 
https://www.mail-archive.com/freeipa-users@lists.fedorahosted.org/msg05501.html

Since Kerberos is apparently not working as expected, I cannot use FreeIPA and 
none of the services are working correctly. Following the debug guide I was 
able to at least start named with single authentication to further debug. 
(Workaround 1 of 
https://docs.pagure.org/bind-dyndb-ldap/BIND9/NamedCannotStart.html)

And now I’m stuck on item 5 of the same manual.

[root@neumann2 ~]# KRB5_TRACE=/dev/stderr ldapsearch -H 'ldapi://%2fvar%2frun%2fslapd-CLUSTER-CETENE-GOV-BR.socket' -Y GSSAPI -b 'cn=dns,dc=cluster,dc=cetene,dc=gov,dc=br'
SASL/GSSAPI authentication started
[6588] 1612932571.244080: ccselect module realm chose cache KEYRING:persistent:0:krb_ccache_UuVdVRC with client principal DNS/neumann2.cluster.cetene.gov...@cluster.cetene.gov.br for server principal ldap/neumann2.cluster.cetene.gov...@cluster.cetene.gov.br
[6588] 1612932571.244081: Getting credentials DNS/neumann2.cluster.cetene.gov...@cluster.cetene.gov.br -> ldap/neumann2.cluster.cetene.gov...@cluster.cetene.gov.br using ccache KEYRING:persistent:0:krb_ccache_UuVdVRC
[6588] 1612932571.244082: Retrieving DNS/neumann2.cluster.cetene.gov...@cluster.cetene.gov.br -> ldap/neumann2.cluster.cetene.gov...@cluster.cetene.gov.br from KEYRING:persistent:0:krb_ccache_UuVdVRC with result: 0/Success
[6588] 1612932571.244084: Creating authenticator for DNS/neumann2.cluster.cetene.gov...@cluster.cetene.gov.br -> ldap/neumann2.cluster.cetene.gov...@cluster.cetene.gov.br, seqnum 1040975659, subkey aes256-cts/48E9, session key aes256-cts/DF1E
ldap_sasl_interactive_bind_s: Invalid credentials (49)

[root@neumann2 ~]# ipa privilege-show 'DNS Servers' --all --raw
ipa: ERROR: Insufficient access:  Invalid credentials

[root@neumann2 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_UuVdVRC
Default principal: DNS/neumann2.cluster.cetene.gov...@cluster.cetene.gov.br

Valid starting       Expires              Service principal
02/10/2021 01:52:43  02/11/2021 01:49:04  HTTP/neumann2.cluster.cetene.gov...@cluster.cetene.gov.br
02/10/2021 01:49:16  02/11/2021 01:49:04  ldap/neumann2.cluster.cetene.gov...@cluster.cetene.gov.br
02/10/2021 01:49:04  02/11/2021 01:49:04  krbtgt/cluster.cetene.gov...@cluster.cetene.gov.br

Any idea on how to fix this?

Thanks,
Vinícius.

PS: Before the workaround named-pkcs11 fails to start with the following error:

Feb 10 01:40:46 neumann2 named-pkcs11[4532]: set up managed keys zone for view 
_default, file '/var/named/dynamic/managed-keys.bind'
Feb 10 01:40:46 neumann2 named-pkcs11[4532]: loading DynDB instance 'ipa' 
driver '/usr/lib64/bind/ldap.so'
Feb 10 01:40:46 neumann2 named-pkcs11[4532]: bind-dyndb-ldap version 11.1 
compiled at 02:16:24 Apr  1 2020, compiler 4.8.5 20150623 (Red Hat 4.8.5-39)
Feb 10 01:40:46 neumann2 named-pkcs11[4532]: LDAP error: Invalid credentials: 
bind to LDAP server failed
Feb 10 01:40:46 neumann2 named-pkcs11[4532]: couldn't establish connection in 
LDAP connection pool: permission denied
Feb 10 01:40:46 neumann2 named-pkcs11[4532]: dynamic database 'ipa' 
configuration failed: permission denied
Feb 10 01:40:46 neumann2 named-pkcs11[4532]: loading configuration: permission 
denied
Feb 10 01:40:46 neumann2 named-pkcs11[4532]: exiting (due to fatal error)
Feb 10 01:40:46 neumann2 systemd: named-pkcs11.service: control process exited, 
code=exited status=1
Feb 10 01:40:46 neumann2 systemd: Failed to start Berkeley Internet Name Domain 
(DNS) with native PKCS#11.
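As an added triage aid (not part of the original post, and not FreeIPA or bind-dyndb-ldap tooling), the following script reads a KRB5_TRACE'd ldapsearch run like the one above and separates "the client never got a service ticket" from "the client got a KDC-issued ticket and built an authenticator, but the LDAP server still answered Invalid credentials (49)". The second case points at the directory server side (its ldap/ keytab or the SASL/GSSAPI identity mapping for the DNS principal) rather than at kinit or the named keytab. The sample trace, hostnames and realm are constructed placeholders, and the "Read AP-REP" marker is assumed from libkrb5's trace format.

```python
import re

# Constructed sample modelled on the KRB5_TRACE + ldapsearch output in the post
# (placeholder host/realm, not the poster's). Real traces have one record per line.
SAMPLE_TRACE = """\
SASL/GSSAPI authentication started
[6588] 1612932571.244082: Retrieving DNS/ipa.example.test@EXAMPLE.TEST -> ldap/ipa.example.test@EXAMPLE.TEST from KEYRING:persistent:0:krb_ccache_X with result: 0/Success
[6588] 1612932571.244084: Creating authenticator for DNS/ipa.example.test@EXAMPLE.TEST -> ldap/ipa.example.test@EXAMPLE.TEST, seqnum 1040975659, subkey aes256-cts/48E9, session key aes256-cts/DF1E
ldap_sasl_interactive_bind_s: Invalid credentials (49)
"""

RE_RETRIEVE = re.compile(r"Retrieving (\S+) -> (\S+) from \S+ with result: (\S+)")
RE_AUTHENTICATOR = re.compile(r"Creating authenticator for (\S+) -> (\S+),")
RE_BIND_ERROR = re.compile(r"ldap_sasl_interactive_bind_s: (.+) \((\d+)\)")


def parse_trace(text):
    """Extract the few facts that matter from a KRB5_TRACE'd ldapsearch run."""
    info = {"client": None, "server": None, "ticket_result": None,
            "authenticator": False, "ap_rep": False, "bind_error": None}
    for line in text.splitlines():
        m = RE_RETRIEVE.search(line)
        if m:  # ccache lookup for the service ticket, e.g. "0/Success"
            info["client"], info["server"], info["ticket_result"] = m.groups()
            continue
        if RE_AUTHENTICATOR.search(line):  # client built an AP-REQ from the ticket
            info["authenticator"] = True
            continue
        if "Read AP-REP" in line:  # assumed libkrb5 marker: server reply accepted
            info["ap_rep"] = True
            continue
        m = RE_BIND_ERROR.search(line)
        if m:  # libldap reported the bind result code
            info["bind_error"] = int(m.group(2))
    return info


def classify(info):
    """Say on which side of the exchange the failure sits."""
    if info["ticket_result"] is None:
        return "no-ticket-lookup"
    if info["ticket_result"] != "0/Success":
        return "kerberos-ticket-failed"  # fix keytab / kinit / KDC reachability first
    if info["bind_error"] == 49 and info["authenticator"] and not info["ap_rep"]:
        # Ticket came from the KDC and the AP-REQ was sent; the rejection is on the
        # LDAP server: check its ldap/ keytab and the SASL mapping for the client.
        return "ldap-rejected-kerberos-context"
    if info["bind_error"] is None and info["authenticator"]:
        return "bind-ok"
    return "unknown"
```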

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org