IPA broken after dnf update on CentOS 8
by Vinícius Ferrão
Hello, I’ve a single IPA machine that provides authentication for itself. It does not even have any client or host.
After dnf -y update and reboot, IPA fails to load and it's in a broken state.
[root@headnode ~]# systemctl status ipa
● ipa.service - Identity, Policy, Audit
Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Wed 2021-01-06 16:14:48 -03; 45min ago
Process: 1278 ExecStart=/usr/sbin/ipactl start (code=exited, status=1/FAILURE)
Main PID: 1278 (code=exited, status=1/FAILURE)
Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: CRL tree already moved
Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command i>
Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: Unexpected error - see /var/log/ipaupgrade.log for details:
Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', '>
Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more >
Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: See the upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade>
Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: Aborting ipactl
Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br systemd[1]: ipa.service: Main process exited, code=exited, status=1/FAILURE
Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br systemd[1]: ipa.service: Failed with result 'exit-code'.
Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br systemd[1]: Failed to start Identity, Policy, Audit.
It asks to look at /var/log/ipaupgrade.log, but this log is just overwhelming. You must know what you should be looking for to actually find something.
The relevant thing that I’ve found by myself is:
2021-01-06T19:09:51Z DEBUG The ipa-server-upgrade command failed, exception: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service failed because a timeout was exceeded.\nSee "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n')
Is that the Java regression again that happened a month or two ago?
Thank you all.
2 years, 3 months
Problems after replacing SSL certificates
by Andreas Bulling
Dear all,
I have recently started using FreeIPA (4.8.1 on Ubuntu) and now wanted to replace the original SSL certificates for the web UI and the LDAP server with official ones issued by our university.
I've followed the procedure described here (no errors):
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
I could confirm in the browser that the certificate for the web UI has been replaced and I therefore assume so has the LDAP certificate. Authentication from other hosts/services using LDAP still works but in the server log file I see errors like these for all hosts in the domain:
Apr 20 19:57:11 auth krb5kdc[24895]: AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) X: NEEDED_PREAUTH: host/X@X for krbtgt/X@X, Additional pre-authentication required
Apr 20 19:57:11 auth krb5kdc[24895]: closing down fd 12
Apr 20 19:57:11 auth krb5kdc[24895]: AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) X: ISSUE: authtime 1587405431, etypes {rep=18 tkt=18 ses=18}, host/X@X for krbtgt/X@X
Apr 20 19:57:11 auth krb5kdc[24895]: closing down fd 12
Apr 20 19:57:11 auth krb5kdc[24895]: TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) X: ISSUE: authtime 1587405431, etypes {rep=18 tkt=18 ses=18}, host/X@X for ldap/X@X
Apr 20 19:57:11 auth krb5kdc[24895]: closing down fd 12
Also, ipa-certupdate on the respective clients shows
ipa-certupdate
trying https://X/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://X/ipa/json'
cannot connect to 'https://X/ipa/json': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727)
The ipa-certupdate command failed.
Also, I can't log in to the web UI anymore. I tried
ipa-getkeytab -s X -p HTTP/X@X -k /var/lib/ipa/gssproxy/http.keytab
on the freeipa server (followed by ipactl restart) but this didn't help.
Any idea/suggestions for how to get everything working again?
Thanks a lot!
2 years, 6 months
User in AD not found by IPA
by Marc Boorshtein
We added a new account to AD that has a domain trust with FreeIPA. This one user is having an issue where IPA can't find him. The user is in the same OU as other users that work fine. The user is unlocked (userAccountControl is 512) and the userprincipalname is set. When I try to add the user to an id view or an external group IPA gives me the error "trusted domain object not found". Not really sure where to look next to figure out what's wrong. We see the user when we make LDAP calls to AD.
Thanks
Marc
2 years, 6 months
freeIPA Status Debian/Ubuntu
by Nico Maas
Hello there,
with the decline of CentOS I need to migrate away from CentOS 8 to something different.
I just wanted to ask what the current status of the Debian or Ubuntu versions of freeIPA is, and if there is any possibility to migrate a freeIPA installation / "backup and restore"?
Best regards,
Nico
2 years, 7 months
Cannot add externally-signed IPA CA certificate
by Dmitry Perets
Hi,
I am trying to configure FreeIPA as a SubCA, and the "RootCA" is self-made with openssl. So I've signed the FreeIPA's request with my self-signed "root ca" certificate, but it looks like FreeIPA doesn't like it:
ipa-server-install --external-cert-file=/root/rootca/rootcacert.pem --external-cert-file=/root/rootca/certs/ipacert.pem
<...skipped...>
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR CA certificate CN=RootCA,OU=PRJ,O=COMPANY,L=Bonn,C=DE in /root/rootca/rootcacert.pem, /root/rootca/certs/ipacert.pem is not valid: not a CA certificate
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
The subj above is my self-made root CA cert, so it looks like something is missing in it. But what...?
Here it is below; it has the "Basic Constraint" set with CA:TRUE... What else is required, so that FreeIPA accepts it as a root CA?
Should I add it somewhere first, before running the ipa-server-install?
[root@ipa ~]# openssl x509 -text -noout -in /root/rootca/rootcacert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=DE, L=Bonn, O=COMPANY, OU=PRJ, CN=RootCA
Validity
Not Before: Oct 24 11:43:13 2018 GMT
Not After : Oct 21 11:43:13 2028 GMT
Subject: C=DE, L=Bonn, O=COMPANY, OU=PRJ, CN=RootCA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
<...skipped...>
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
B3:18:3B:CF:29:D2:A5:D4:AE:94:A5:42:65:A2:D8:12:7C:92:78:81
X509v3 Authority Key Identifier:
keyid:B3:18:3B:CF:29:D2:A5:D4:AE:94:A5:42:65:A2:D8:12:7C:92:78:81
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
<...skipped...>
Thanks!!
2 years, 7 months
FreeIPA Upgrade F31 -> F32: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
by Anthony Joseph Messina
After upgrading FreeIPA from F31 to F32, on startup I now see a lot of these errors from certmonger, ns-slapd, java, etc.
May 08 17:57:28 certmonger[38]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
May 08 17:57:30 ns-slapd[67]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
May 08 17:57:33 dogtag-ipa-renew-agent-submit[143]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
May 08 17:57:42 java[640]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
The server seems to come up without issue, but can you point me in the right direction to resolve these errors?
freeipa-server-4.8.6-1.fc32.x86_64
opendnssec-2.1.6-5.fc32.x86_64
opencryptoki-3.13.0-1.fc32.x86_64
I've installed a fresh F32 freeipa-server (on a test domain) and I don't see these errors.
Thanks. -A
--
Anthony - https://messinet.com
F9B6 560E 68EA 037D 8C3D D1C9 FF31 3BDB D9D8 99B6
2 years, 9 months
Login failed due to an unknown reason.
by D R
Greetings,
After automatic KDC certificate renewal, I'm no longer able to access the UI.
[Sun Dec 27 23:33:20.563064 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72] Traceback (most recent call last):
[Sun Dec 27 23:33:20.563085 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72] File "/usr/share/ipa/wsgi.py", line 59, in application
[Sun Dec 27 23:33:20.563121 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72] return api.Backend.wsgi_dispatch(environ, start_response)
[Sun Dec 27 23:33:20.563129 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 267, in __call__
[Sun Dec 27 23:33:20.563142 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72] return self.route(environ, start_response)
[Sun Dec 27 23:33:20.563160 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 279, in route
[Sun Dec 27 23:33:20.563170 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72] return app(environ, start_response)
[Sun Dec 27 23:33:20.563174 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 937, in __call__
[Sun Dec 27 23:33:20.563182 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72] self.kinit(user_principal, password, ipa_ccache_name)
[Sun Dec 27 23:33:20.563194 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 973, in kinit
[Sun Dec 27 23:33:20.563201 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72] pkinit_anchors=[paths.KDC_CERT, paths.KDC_CA_BUNDLE_PEM],
[Sun Dec 27 23:33:20.563209 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72] File "/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 127, in kinit_armor
[Sun Dec 27 23:33:20.563219 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72] run(args, env=env, raiseonerr=True, capture_error=True)
[Sun Dec 27 23:33:20.563225 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72] File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 563, in run
[Sun Dec 27 23:33:20.563234 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72] raise CalledProcessError(p.returncode, arg_string, str(output))
[Sun Dec 27 23:33:20.563263 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72] CalledProcessError: Command '/usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_6150 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned non-zero exit status 1
---
KRB5_TRACE=/dev/stdout /usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_19265 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
[12904] 1609104974.342210: Getting initial credentials for WELLKNOWN/ANONYMOUS@A-LABS.COM
[12904] 1609104974.342212: Sending unauthenticated request
[12904] 1609104974.342213: Sending request (184 bytes) to A-LABS.COM
[12904] 1609104974.342214: Initiating TCP connection to stream 10.xx.xx.90:88
[12904] 1609104974.342215: Sending TCP request to stream 10.xx.xx.90:88
[12904] 1609104974.342216: Received answer (335 bytes) from stream 10.xx.xx.90:88
[12904] 1609104974.342217: Terminating TCP connection to stream 10.xx.xx.90:88
[12904] 1609104974.342218: Response was from master KDC
[12904] 1609104974.342219: Received error from KDC: -1765328359/Additional pre-authentication required
[12904] 1609104974.342222: Preauthenticating using KDC method data
[12904] 1609104974.342223: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-PK-AS-REQ_OLD (14), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-ENC-TIMESTAMP (2), PA-FX-COOKIE (133)
[12904] 1609104974.342224: Selected etype info: etype aes256-cts, salt "A-LABS.COMWELLKNOWNANONYMOUS", params ""
[12904] 1609104974.342225: Received cookie: MIT
[12904] 1609104974.342226: Preauth module pkinit (147) (info) returned: 0/Success
[12904] 1609104974.342227: PKINIT loading CA certs and CRLs from FILE
[12904] 1609104974.342228: PKINIT loading CA certs and CRLs from FILE
[12904] 1609104974.342229: PKINIT loading CA certs and CRLs from FILE
[12904] 1609104974.342230: PKINIT client computed kdc-req-body checksum 9/D4FAE675E4E8C9664DBE0FAD0EB8C416A639CAF3
[12904] 1609104974.342232: PKINIT client making DH request
[12904] 1609104974.342233: Preauth module pkinit (16) (real) returned: 0/Success
[12904] 1609104974.342234: Produced preauth for next request: PA-FX-COOKIE (133), PA-PK-AS-REQ (16)
[12904] 1609104974.342235: Sending request (1497 bytes) to A-LABS.COM
[12904] 1609104974.342236: Initiating TCP connection to stream 10.xx.xx.90:88
[12904] 1609104974.342237: Sending TCP request to stream 10.xx.xx.90:88
[12904] 1609104974.342238: Received answer (1603 bytes) from stream 10.xx.xx.90:88
[12904] 1609104974.342239: Terminating TCP connection to stream 10.xx.xx.90:88
[12904] 1609104974.342240: Response was from master KDC
[12904] 1609104974.342241: Processing preauth types: PA-PK-AS-REP (17), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147)
[12904] 1609104974.342242: Selected etype info: etype aes256-cts, salt "A-LABS.COMWELLKNOWNANONYMOUS", params ""
[12904] 1609104974.342243: Preauth module pkinit (147) (info) returned: 0/Success
[12904] 1609104974.342244: PKINIT client verified DH reply
[12904] 1609104974.342245: Preauth module pkinit (17) (real) returned: -1765328308/KDC name mismatch
[12904] 1609104974.342246: Produced preauth for next request: (empty)
[12904] 1609104974.342247: Getting AS key, salt "A-LABS.COMWELLKNOWNANONYMOUS", params ""
Password for WELLKNOWN/ANONYMOUS@A-LABS.COM:
[12904] 1609104977.873071: AS key obtained from gak_fct: aes256-cts/B8BD
kinit: Password incorrect while getting initial credentials
--
openssl x509 -in /var/kerberos/krb5kdc/kdc.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 10 (0xa)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=DOMAIN.COM, CN=ipa.domain.com
Validity
Not Before: Dec 27 07:38:54 2020 GMT
Not After : Dec 27 07:38:54 2021 GMT
Subject: O=DOMAIN.COM, CN=ipa.domain.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:cc:6e:b1:b1:2d:05:ab:f1:df:ce:01:43:d5:80:
4a:f6:72:38:3c:50:aa:c7:40:bf:bd:6c:60:5e:8d:
d0:f3:2b:6c:db:fc:8f:48:9f:91:d6:d3:d2:43:f2:
39:35:17:56:37:a8:6f:66:c3:ab:1f:13:8f:d9:48:
c3:be:b9:2b:83:77:78:08:fe:3b:f8:93:83:1c:bb:
d0:e8:eb:49:a5:c1:8c:7f:0c:b5:fa:e7:07:f1:0c:
97:9b:47:e9:a2:a3:ab:9b:c1:70:e3:1b:e9:f2:3d:
2f:96:53:6d:38:eb:57:19:7f:dd:ed:e8:3c:c8:f0:
7c:36:b1:72:03:f1:2f:86:8e:cd:67:fd:fd:85:73:
00:16:60:81:3c:ad:13:4d:19:c0:4d:e7:94:8d:34:
29:99:7a:45:70:db:81:5d:0e:2d:83:7a:9c:19:c7:
ef:0a:79:8d:84:af:74:a3:b9:90:c8:b1:8c:65:d0:
2d:e0:89:98:42:e0:cb:c8:b0:e3:b5:7c:9b:44:01:
a8:31:15:8d:19:79:c5:35:26:4d:3f:e6:83:64:7f:
15:da:50:c1:5e:9c:67:1b:27:e5:35:0c:a8:71:a9:
4e:ee:ef:92:b5:f9:10:f6:31:82:2c:94:04:05:c5:
89:c6:96:1d:48:11:e5:8d:05:92:56:93:99:55:66:
b0:93
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
Signature Algorithm: sha256WithRSAEncryption
To my understanding, something is wrong with the KDC certificate; it lacks some attributes. I'm just not sure how to generate a proper cert.
2 years, 10 months
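The traceback in the post above shows the web UI login calling `kinit -n` (anonymous PKINIT) to obtain a FAST armor ticket, and the KRB5_TRACE run shows the pkinit module completing the DH exchange and then returning "KDC name mismatch", after which kinit falls back to prompting for a password that the anonymous principal cannot have. As an added example (not code from the post or from FreeIPA), the Python below parses KRB5_TRACE output and reduces it to that verdict; the two trace excerpts are constructed from the lines in the post, with a contrasting healthy run, and the diagnosis text reflects the RFC 4556 client-side check that the KDC certificate must name the KDC (krbtgt/REALM@REALM in the SAN) and carry the id-pkinit-KDC EKU.

```python
import re

# Constructed excerpt modelled on the KRB5_TRACE output in the post above (same realm and
# error strings, pids/timestamps shortened); sample input, not a capture from that host.
SAMPLE_FAILING_TRACE = """\
[12904] 1609104974.342210: Getting initial credentials for WELLKNOWN/ANONYMOUS@A-LABS.COM
[12904] 1609104974.342219: Received error from KDC: -1765328359/Additional pre-authentication required
[12904] 1609104974.342226: Preauth module pkinit (147) (info) returned: 0/Success
[12904] 1609104974.342233: Preauth module pkinit (16) (real) returned: 0/Success
[12904] 1609104974.342237: PKINIT client verified DH reply
[12904] 1609104974.342245: Preauth module pkinit (17) (real) returned: -1765328308/KDC name mismatch
[12904] 1609104974.342247: Getting AS key, salt "A-LABS.COMWELLKNOWNANONYMOUS", params ""
"""

# Constructed trace of a healthy anonymous PKINIT run, for contrast.
SAMPLE_OK_TRACE = """\
[4242] 1609105000.000001: Getting initial credentials for WELLKNOWN/ANONYMOUS@A-LABS.COM
[4242] 1609105000.000002: Preauth module pkinit (16) (real) returned: 0/Success
[4242] 1609105000.000003: PKINIT client verified DH reply
[4242] 1609105000.000004: Preauth module pkinit (17) (real) returned: 0/Success
[4242] 1609105000.000005: Storing WELLKNOWN/ANONYMOUS@A-LABS.COM -> krbtgt/A-LABS.COM@A-LABS.COM in FILE:/tmp/armor
"""

PREAUTH_RE = re.compile(
    r"Preauth module (?P<module>\w+) \((?P<patype>\d+)\) \((?P<kind>\w+)\) "
    r"returned: (?P<code>-?\d+)/(?P<msg>.*)$")


def preauth_results(trace):
    """Every 'Preauth module ... returned:' line, in order, as a dict."""
    out = []
    for line in trace.splitlines():
        m = PREAUTH_RE.search(line)
        if m:
            r = m.groupdict()
            r["patype"], r["code"] = int(r["patype"]), int(r["code"])
            out.append(r)
    return out


def triage_anonymous_pkinit(trace):
    """Summarise an anonymous PKINIT (kinit -n) attempt from its KRB5_TRACE output."""
    results = preauth_results(trace)
    failures = [(r["patype"], r["msg"]) for r in results if r["code"] != 0]
    summary = {
        "pkinit_attempted": any(r["module"] == "pkinit" for r in results),
        "kdc_reply_verified": "PKINIT client verified DH reply" in trace,
        "failures": failures,
        # krb5 only derives a password-based AS key once every preauth module has given up;
        # for WELLKNOWN/ANONYMOUS that fallback cannot succeed, hence "Password incorrect".
        "fell_back_to_password": "Getting AS key" in trace,
    }
    if not failures and summary["pkinit_attempted"]:
        summary["diagnosis"] = "anonymous PKINIT completed"
    elif failures and failures[0][1] == "KDC name mismatch":
        summary["diagnosis"] = (
            "KDC certificate rejected by name check: the reply verified against the anchors, "
            "but the KDC cert does not identify the KDC (expected krbtgt/REALM@REALM in the SAN "
            "and the id-pkinit-KDC EKU); inspect the KDC's own certificate")
    elif failures:
        summary["diagnosis"] = "preauth failed: " + "; ".join(m for _, m in failures)
    else:
        summary["diagnosis"] = "no PKINIT preauth seen; check pkinit_anchors / -X X509_anchors"
    return summary


if __name__ == "__main__":
    # Usage: KRB5_TRACE=/dev/stdout kinit -n ... 2>&1 | python3 triage.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_FAILING_TRACE
    for key, value in triage_anonymous_pkinit(text).items():
        print(f"{key}: {value}")
```

Feed it the real trace on stdin; the `failures` list names the pa-type that failed (17 is PA-PK-AS-REP, the KDC's reply), which separates a trust-anchor problem (a "cannot verify" style message) from the name check that failed here.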
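Two posts on this page end with an `openssl x509 -text` dump and the question of what the certificate is missing: the self-made root CA that ipa-server-install rejects as "not a CA certificate", and the renewed kdc.crt above that carries only a Basic Constraints extension. As an added check (not from either post or from FreeIPA), the Python below parses that text form and reports deviations from the CA profile in RFC 5280 (critical basicConstraints with CA:TRUE, keyUsage with keyCertSign) and from the PKINIT KDC profile in RFC 4556 (id-pkinit-KDC EKU, id-pkinit-san otherName in the SAN). On the root CA it flags the non-critical Basic Constraints and the missing Key Usage; whether one of those is what ipa-server-install's check trips on is not something the post shows, but both are worth fixing before retrying. The three inputs are constructed from the posts' dumps (the "good" KDC certificate and its othername rendering are assumptions about openssl's output, not taken from the page), and the parser only understands the `X509v3 ...:` header lines openssl prints.

```python
import re

# Extension header as printed by `openssl x509 -text`, e.g. "X509v3 Basic Constraints: critical".
HEADER_RE = re.compile(r"^\s*X509v3 ([A-Za-z ]+?):\s*(critical)?\s*$")
PKINIT_KDC_EKU = "1.3.6.1.5.2.3.5"   # id-pkinit-KDC, RFC 4556 section 3.2.4


def parse_extensions(openssl_text):
    """Map extension name -> (critical, value text) from the 'X509v3 extensions:' block."""
    exts, name, crit, buf, in_block = {}, None, False, [], False
    for line in openssl_text.splitlines():
        stripped = line.strip()
        if stripped == "X509v3 extensions:":
            in_block = True
            continue
        if not in_block:
            continue
        if stripped.startswith("Signature Algorithm"):   # the outer signature ends the block
            break
        m = HEADER_RE.match(line)
        if m:
            if name:
                exts[name] = (crit, " ".join(buf))
            name, crit, buf = m.group(1), m.group(2) == "critical", []
        elif name:
            buf.append(stripped)
    if name:
        exts[name] = (crit, " ".join(buf))
    return exts


def check_cert(openssl_text, profile):
    """Return a list of findings (empty = passes) for profile 'ca' or 'pkinit-kdc'."""
    exts = parse_extensions(openssl_text)
    bc_crit, bc = exts.get("Basic Constraints", (False, ""))
    _, ku = exts.get("Key Usage", (False, ""))
    findings = []
    if profile == "ca":
        # RFC 5280 4.2.1.9 / 4.2.1.3: a CA certificate carries a critical basicConstraints
        # with cA=TRUE and a keyUsage that includes keyCertSign.
        if "CA:TRUE" not in bc:
            findings.append("Basic Constraints missing or not CA:TRUE")
        elif not bc_crit:
            findings.append("Basic Constraints is not marked critical")
        if not ku:
            findings.append("Key Usage extension missing (expected keyCertSign)")
        elif "Certificate Sign" not in ku:
            findings.append("Key Usage lacks keyCertSign")
    elif profile == "pkinit-kdc":
        # RFC 4556 3.2.4: the client expects id-pkinit-KDC in the EKU and the KDC principal
        # (krbtgt/REALM@REALM) as an id-pkinit-san otherName in the SAN; that name check is
        # what a "KDC name mismatch" from kinit refers to.
        _, eku = exts.get("Extended Key Usage", (False, ""))
        _, san = exts.get("Subject Alternative Name", (False, ""))
        if PKINIT_KDC_EKU not in eku and "KDC" not in eku:   # openssl prints the OID or a name
            findings.append("Extended Key Usage lacks id-pkinit-KDC (1.3.6.1.5.2.3.5)")
        if "othername" not in san.lower():
            findings.append("Subject Alternative Name lacks the id-pkinit-san otherName")
        if "CA:TRUE" in bc:
            findings.append("KDC certificate must not be a CA certificate")
    else:
        raise ValueError(f"unknown profile {profile!r}")
    return findings


# Constructed from the root CA dump in the "Cannot add externally-signed IPA CA certificate" post.
ROOTCA_TEXT = """\
        Issuer: C=DE, L=Bonn, O=COMPANY, OU=PRJ, CN=RootCA
        Subject: C=DE, L=Bonn, O=COMPANY, OU=PRJ, CN=RootCA
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                B3:18:3B:CF:29:D2:A5:D4:AE:94:A5:42:65:A2:D8:12:7C:92:78:81
            X509v3 Authority Key Identifier:
                keyid:B3:18:3B:CF:29:D2:A5:D4:AE:94:A5:42:65:A2:D8:12:7C:92:78:81
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
"""
# Constructed from the kdc.crt dump in the post above.
KDC_TEXT = """\
        Subject: O=DOMAIN.COM, CN=ipa.domain.com
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
    Signature Algorithm: sha256WithRSAEncryption
"""
# Constructed "good" KDC certificate; the othername line is an assumed openssl rendering.
GOOD_KDC_TEXT = """\
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, 1.3.6.1.5.2.3.5
            X509v3 Subject Alternative Name:
                othername:<unsupported>, DNS:ipa.domain.com
    Signature Algorithm: sha256WithRSAEncryption
"""

if __name__ == "__main__":
    # Usage: openssl x509 -text -noout -in kdc.crt | python3 certcheck.py pkinit-kdc
    import sys
    for finding in check_cert(sys.stdin.read(), sys.argv[1]) or ["OK"]:
        print(finding)
```

The `ca` profile is deliberately stricter than "has CA:TRUE somewhere": a root that lacks keyUsage or a critical basicConstraints is accepted by some validators and rejected by others, which is exactly the kind of discrepancy that surfaces only when a second product (here the IPA installer) inspects the chain.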
dirsrv hangs soon after reboot
by Kees Bakker
Hey,
I'm looking for advice on how to analyse/debug this.
On one of the masters the dirsrv is unresponsive. It runs, but every attempt to connect to it hangs.
The command "systemctl status" does not show anything alarming
● dirsrv@EXAMPLE-COM.service - 389 Directory Server EXAMPLE-COM.
Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor preset: disabled)
Active: active (running) since vr 2020-04-17 13:46:25 CEST; 1h 33min ago
Process: 3123 ExecStartPre=/usr/sbin/ds_systemd_ask_password_acl /etc/dirsrv/slapd-%i/dse.ldif (code=exited, status=0/SUCCESS)
Main PID: 3134 (ns-slapd)
Status: "slapd started: Ready to process requests"
CGroup: /system.slice/system-dirsrv.slice/dirsrv@EXAMPLE-COM.service
└─3134 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-EXAMPLE-COM -i /var/run/dirsrv/slapd-EXAMPLE-COM.pid
apr 17 15:13:54 linge.example.com ns-slapd[3134]: GSSAPI client step 1
apr 17 15:13:54 linge.example.com ns-slapd[3134]: GSSAPI client step 1
apr 17 15:13:54 linge.example.com ns-slapd[3134]: GSSAPI client step 1
apr 17 15:13:54 linge.example.com ns-slapd[3134]: GSSAPI client step 1
apr 17 15:13:54 linge.example.com ns-slapd[3134]: GSSAPI client step 2
apr 17 15:18:54 linge.example.com ns-slapd[3134]: GSSAPI client step 1
apr 17 15:18:54 linge.example.com ns-slapd[3134]: GSSAPI client step 1
apr 17 15:18:55 linge.example.com ns-slapd[3134]: GSSAPI client step 1
apr 17 15:18:55 linge.example.com ns-slapd[3134]: GSSAPI client step 1
apr 17 15:18:55 linge.example.com ns-slapd[3134]: GSSAPI client step 2
However, an ldapsearch command hangs forever
[root@rotte ~]# ldapsearch -H ldaps://linge.example.com -D uid=keesbtest,cn=users,cn=accounts,dc=example,dc=com -W -LLL -o ldif-wrap=no -b cn=users,cn=accounts,dc=example,dc=com '(&(objectClass=person)(memberOf=cn=admins,cn=groups,cn=accounts,dc=example,dc=com))' uid
Enter LDAP Password:
Even if I use the socket (ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket) the ldapsearch
command hangs.
"ipactl status" hangs
"kinit" hangs
--
Kees Bakker
2 years, 11 months
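The `systemctl status` output in the post above reports ns-slapd as "active (running)" while every ldapsearch, `ipactl status` and `kinit` hangs: systemd only knows the process is alive, not that it answers. As an added example (not code from the post or from 389-ds/FreeIPA), the Python below does a bounded anonymous LDAP bind over a raw socket and classifies the endpoint as unreachable, hung (TCP accepted, no reply within the timeout), closed, or answering with a bind result code. It speaks plain LDAP only, so point it at port 389 rather than ldaps, and the fake server it starts on 127.0.0.1 is a constructed stand-in for ns-slapd used to exercise both the responsive and the stalled case offline.

```python
import socket
import sys
import threading
import time

# Anonymous LDAPv3 simple bind, messageID 1, hand-encoded BER (RFC 4511):
#   30 0c                LDAPMessage SEQUENCE
#     02 01 01           messageID 1
#     60 07              BindRequest [APPLICATION 0]
#       02 01 03         version 3
#       04 00            name ""  (anonymous)
#       80 00            authentication: simple ""
BIND_REQUEST = bytes.fromhex("300c020101600702010304008000")
# BindResponse with resultCode success(0) for messageID 1; sent by the constructed fake below.
BIND_RESPONSE_OK = bytes.fromhex("300c02010161070a010004000400")


def probe_ldap(host, port, timeout=5.0):
    """Bounded liveness check. Returns 'unreachable', 'hung', 'closed', 'malformed',
    'bind-ok' or 'bind-error:<resultCode>'. Plain LDAP only (no TLS)."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"                 # nothing listening, refused, or filtered
    sock.settimeout(timeout)
    try:
        sock.sendall(BIND_REQUEST)
        data = sock.recv(256)
    except socket.timeout:
        return "hung"                        # TCP accepted, but no answer within `timeout`
    except OSError:
        return "closed"
    finally:
        sock.close()
    if not data:
        return "closed"
    # Minimal BER walk: SEQUENCE, INTEGER messageID, then BindResponse (0x61) whose first
    # element is the ENUMERATED resultCode (tag 0x0a, length 1). Short-form lengths only.
    if len(data) < 4 or data[0] != 0x30 or data[2] != 0x02:
        return "malformed"
    op = 4 + data[3]
    if len(data) < op + 5 or data[op] != 0x61 or data[op + 2] != 0x0a:
        return "malformed"
    code = data[op + 4]
    return "bind-ok" if code == 0 else f"bind-error:{code}"


def start_fake_ldap(respond, stall_seconds=3.0):
    """Constructed stand-in for ns-slapd on 127.0.0.1: accepts one connection and either
    answers the bind (respond=True) or keeps the socket open without replying."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(256)
            if respond:
                conn.sendall(BIND_RESPONSE_OK)
            else:
                time.sleep(stall_seconds)    # a "hung" directory: connection open, no answer
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage: python3 ldapprobe.py linge.example.com 389
        print(probe_ldap(sys.argv[1], int(sys.argv[2])))
    else:
        print("responsive fake:", probe_ldap("127.0.0.1", start_fake_ldap(True), 2.0))
        print("stalled fake:   ", probe_ldap("127.0.0.1", start_fake_ldap(False), 0.5))
```

Run with a short timeout from a monitoring host; "hung" on a master whose unit is "active" is the signal to collect a stack dump of ns-slapd rather than to keep retrying clients.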
using SSH with password authentication when NIS is still running with FreeIPA
by Robert Kudyba
We have freeipa-server-4.8.10-6.fc33 running on top of NIS and I'm trying to determine why ssh -k from any client is hanging and not even connecting.
Does sssd need to be configured as in this 2013 training document?
https://www.freeipa.org/images/1/10/Freeipa30_SSSD_OpenSSH_integration.pdf
The goal is to eliminate NIS so perhaps the issue is running both concurrently? The good news is, thanks to tips here last week, all the NIS users migrated along with their passwords. And kinit on the FreeIPA server even prompts to change their password.
sssd is running:
sssd_be[2329]: GSSAPI client step 1
sssd_be[2329]: GSSAPI client step 2
/etc/krb.conf
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = ourserver.EDU
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
ourserver.EDU = {
kdc = ourserver.edu:88
master_kdc = ourserver.edu:88
admin_server = ourserver.edu:749
default_domain = ourserver.edu
pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}
[domain_realm]
.ourserver.edu = ourserver.EDU
ourserver.edu = ourserver.EDU
ourserver.edu = ourserver.EDU
[dbmodules]
ourserver.EDU = {
db_library = ipadb.so
}
[plugins]
certauth = {
module = ipakdb:kdb/ipadb.so
enable_only = ipakdb
}
HBAC is wide open:
ipa hbacrule-find
--------------------
2 HBAC rules matched
--------------------
Rule name: allow_all
User category: all
Host category: all
Service category: all
Description: Allow all users to access any host from any host
Enabled: TRUE
Rule name: allow_systemd-user
User category: all
Host category: all
Description: Allow pam_systemd to run user@.service to create a system
user session
Enabled: TRUE
Here are some debug ssh server logs:
Feb 8 16:23:27 ourserver sshd[381563]: debug1: Forked child 510395.
Feb 8 16:23:27 ourserver sshd[510395]: debug1: Set /proc/self/oom_score_adj to 0
Feb 8 16:23:27 ourserver sshd[510395]: debug1: rexec start in 5 out 5 newsock 5 pipe 10 sock 11
Feb 8 16:23:27 ourserver sshd[510395]: debug1: inetd sockets after dupping: 4, 4
Feb 8 16:23:27 ourserver sshd[510395]: Connection from 150.108.68.26 port 45806 on 150.108.64.156 port 22 rdomain ""
Feb 8 16:23:27 ourserver sshd[510395]: debug1: Local version string SSH-2.0-OpenSSH_8.4
Feb 8 16:23:27 ourserver sshd[510395]: debug1: Remote protocol version 2.0, remote software version OpenSSH_8.4
Feb 8 16:23:27 ourserver sshd[510395]: debug1: match: OpenSSH_8.4 pat OpenSSH* compat 0x04000000
Feb 8 16:23:27 ourserver sshd[510395]: debug1: SELinux support disabled [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: permanently_set_uid: 74/74 [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: SSH2_MSG_KEXINIT sent [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: SSH2_MSG_KEXINIT received [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: kex: algorithm: curve25519-sha256 [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: kex: host key algorithm: ecdsa-sha2-nistp256 [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: kex: client->server cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: kex: server->client cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: kex: curve25519-sha256 need=32 dh_need=32 [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: kex: curve25519-sha256 need=32 dh_need=32 [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: rekey out after 4294967296 blocks [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: SSH2_MSG_NEWKEYS sent [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: Sending SSH2_MSG_EXT_INFO [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: expecting SSH2_MSG_NEWKEYS [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: SSH2_MSG_NEWKEYS received [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: rekey in after 4294967296 blocks [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: KEX done [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: userauth-request for user ouruser service ssh-connection method none [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: attempt 0 failures 0 [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: PAM: initializing for "ouruser"
Feb 8 16:23:27 ourserver sshd[510395]: debug1: PAM: setting PAM_RHOST to "xx.xx.xx.xx"
Feb 8 16:23:27 ourserver sshd[510395]: debug1: PAM: setting PAM_TTY to "ssh"
Feb 8 16:23:27 ourserver sshd[510395]: debug1: userauth-request for user ouruser service ssh-connection method publickey [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: attempt 1 failures 0 [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: userauth_pubkey: test pkalg rsa-sha2-256 pkblob RSA SHA256:++6z7fhR603SUI0fWp7k7noRz1/41+9/hM/rWjNQlXk [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: temporarily_use_uid: 5879/200 (e=0/0)
Feb 8 16:23:27 ourserver sshd[510395]: debug1: trying public key file /home/ouruser/.ssh/authorized_keys
and ssh -k from a Fedora client, note the user I'm logged in as is NOT the same user I'm trying to log in to:
ssh -vv -k ouruser@ourserver
OpenSSH_8.4p1, OpenSSL 1.1.1i FIPS 8 Dec 2020
debug1: Reading configuration data /home/ouruser/.ssh/config
debug1: /home/ouruser/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug2: checking match for 'final all' host ourserver originally ourserver
debug2: match not found
debug1: Reading configuration data
/etc/crypto-policies/back-ends/openssh.config
debug1: configuration requests final Match pass
debug1: re-parsing configuration
debug1: Reading configuration data /home/ouruser/.ssh/config
debug1: /home/ouruser/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug2: checking match for 'final all' host ourserver originally ourserver
debug2: match found
debug1: Reading configuration data
/etc/crypto-policies/back-ends/openssh.config
debug1: auto-mux: Trying existing master
debug1: Control socket "/home/ouruser/.ssh/sockets/ouruser@ourserver-22"
does not exist
debug2: resolving "ourserver" port 22
debug2: ssh_connect_direct
debug1: Connecting to ourserver [150.108.64.156] port 22.
debug1: Connection established.
debug1: identity file /home/ouruser/.ssh/id_rsa type 0
debug1: identity file /home/ouruser/.ssh/id_rsa-cert type -1
debug1: identity file /home/ouruser/.ssh/id_dsa type -1
debug1: identity file /home/ouruser/.ssh/id_dsa-cert type -1
debug1: identity file /home/ouruser/.ssh/id_ecdsa type -1
debug1: identity file /home/ouruser/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/ouruser/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/ouruser/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/ouruser/.ssh/id_ed25519 type 3
debug1: identity file /home/ouruser/.ssh/id_ed25519-cert type -1
debug1: identity file /home/ouruser/.ssh/id_ed25519_sk type -1
debug1: identity file /home/ouruser/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/ouruser/.ssh/id_xmss type -1
debug1: identity file /home/ouruser/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.4
debug1: match: OpenSSH_8.4 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to ourserver:22 as 'ouruser'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
debug2: ciphers stoc: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:XUXhRKNYwxAGhwVIMa3fuo8uNMay6q4/qVeSWlQAOpM
debug1: Host 'ourserver' is known and matches the ECDSA host key.
debug1: Found key in /home/ouruser/.ssh/known_hosts:46
debug2: set_newkeys: mode 1
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 4294967296 blocks
debug1: Will attempt key: /home/ouruser/.ssh/id_rsa RSA SHA256:++6z7fhR603SUI0fWp7k7noRz1/41+9/hM/rWjNQlXk
debug1: Will attempt key: /home/ouruser/.ssh/id_dsa
debug1: Will attempt key: /home/ouruser/.ssh/id_ecdsa
debug1: Will attempt key: /home/ouruser/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/ouruser/.ssh/id_ed25519 ED25519 SHA256:OoedE0VhmLFtl9nifW57Mca+GHDD0xKkJ2BCLGlV9xc
debug1: Will attempt key: /home/ouruser/.ssh/id_ed25519_sk
debug1: Will attempt key: /home/ouruser/.ssh/id_xmss
debug2: pubkey_prepare: done
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: KCM:)
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: KCM:)
debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
debug1: Offering public key: /home/ouruser/.ssh/id_rsa RSA SHA256:++6z7fhR603SUI0fWp7k7noRz1/41+9/hM/rWjNQlXk
debug2: we sent a publickey packet, wait for reply
What am I missing? I appreciate the help last week!
Rob
3 years