I am still trying to debug why the webUI on my new replica is not
authenticating me.
One difference I have noticed between my two replicas, one working and
one not, is:
Working replica:
# KRB5RCACHEDIR=/var/lib/gssproxy/rcache klist
Ticket cache: KCM:0
Default principal: admin(a)EXAMPLE.COM
Valid starting Expires Service principal
2022-02-04 08:58:59 2022-02-05 08:58:56 krbtgt/EXAMPLE.COM(a)EXAMPLE.COM
2022-02-04 08:59:03 2022-02-05 08:58:56 HTTP/server-staging.example.com(a)EXAMPLE.COM
Non-working replica:
# KRB5RCACHEDIR=/var/lib/gssproxy/rcache klist
Ticket cache: KEYRING:persistent:0:krb_ccache_AunlIbq
Default principal: host/server.example.com(a)EXAMPLE.COM
Valid starting Expires Service principal
1969-12-31 19:00:00 1969-12-31 19:00:00 Encrypted/Credentials/v1@X-GSSPROXY:
What could cause the latter to not be getting any tickets like the
former is?
FWIW, the difference in ticket cache type appears to be due to:
# cat /etc/krb5.conf.d/kcm_default_ccache
# This file should normally be installed by your distribution into a
# directory that is included from the Kerberos configuration file (/etc/krb5.conf)
# On Fedora/RHEL/CentOS, this is /etc/krb5.conf.d/
#
# To enable the KCM credential cache enable the KCM socket and the service:
# systemctl enable sssd-secrets.socket sssd-kcm.socket
# systemctl start sssd-kcm.socket
#
# To disable the KCM credential cache, comment out the following lines.
[libdefaults]
default_ccache_name = KCM:
which is due to sssd-kcm-2.4.0-9.el8_4.2.x86_64 being installed on the
working replica and not on the non-working replica.
Maybe this is a big red herring though?
Ultimately gssproxy is reporting the following when I try to log on to
the webUI:
[2022/02/05 16:08:51]: Debug Enabled (level: 3)
[2022/02/05 16:08:51]: Service: ipa-httpd, Keytab: /var/lib/ipa/gssproxy/http.keytab, Enctype: 18
[2022/02/05 16:08:51]: Service: ipa-api, Keytab: /var/lib/ipa/gssproxy/http.keytab, Enctype: 18
[2022/02/05 16:08:51]: Service: ipa-sweeper, Keytab: /var/lib/ipa/gssproxy/http.keytab, Enctype: 18
[2022/02/05 16:08:51]: Service: nfs-server, Keytab: /etc/krb5.keytab, Enctype: 18
[2022/02/05 16:08:51]: Service: nfs-client, Keytab: /etc/krb5.keytab, Enctype: 18
[2022/02/05 16:08:51]: Client [2022/02/05 16:08:51]: (/usr/sbin/gssproxy) [2022/02/05 16:08:51]: connected (fd = 14)[2022/02/05 16:08:51]: (pid = 8306) (uid = 0) (gid = 0)[2022/02/05 16:08:51]: (context = system_u:system_r:kernel_t:s0)[2022/02/05 16:08:51]:
[2022/02/05 16:08:59]: Client [2022/02/05 16:08:59]: (/usr/sbin/httpd) [2022/02/05 16:08:59]: connected (fd = 15)[2022/02/05 16:08:59]: (pid = 4266) (uid = 977) (gid = 973)[2022/02/05 16:08:59]: (context = system_u:system_r:httpd_t:s0)[2022/02/05 16:08:59]:
[CID 15][2022/02/05 16:08:59]: [status] Handling query input: 0x55f111269810 (176)
[CID 15][2022/02/05 16:08:59]: Connection matched service ipa-api
[CID 15][2022/02/05 16:08:59]: [status] Processing request [0x55f111269810 (176)]
[CID 15][2022/02/05 16:08:59]: [status] Executing request 6 (GSSX_ACQUIRE_CRED) from [0x55f111269810 (176)]
[CID 15][2022/02/05 16:08:59]: gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "ipa-api", euid: 977,socket: (null)
GSSX_ARG_ACQUIRE_CRED( call_ctx: { "" [ ] } input_cred_handle: <Null> add_cred: 0 desired_name: { "brian(a)EXAMPLE.COM" { 1 2 840 113554 1 2 2 1 } [ ] [ ] [ ] } time_req: 4294967295 desired_mechs: { { 1 2 840 113554 1 2 2 } } cred_usage: INITIATE initiator_time_req: 0 acceptor_time_req: 0 )
GSSX_RES_ACQUIRE_CRED( status: { 851968 { 1 2 840 113554 1 2 2 } 2529639107 "Unspecified GSS failure. Minor code may provide more information" "No credentials cache found" [ ] } output_cred_handle: <Null> )
[CID 15][2022/02/05 16:08:59]: [status] Returned buffer 6 (GSSX_ACQUIRE_CRED) from [0x55f111269810 (176)]: [0x7fdf7c08a880 (176)]
[CID 15][2022/02/05 16:08:59]: [status] Handling query output: 0x7fdf7c08a880 (176)
[2022/02/05 16:08:59]: [status] Handling query reply: 0x7fdf7c08a880 (176)
[2022/02/05 16:08:59]: [status] Sending data: 0x7fdf7c08a880 (176)
[2022/02/05 16:08:59]: [status] Sending data [0x7fdf7c08a880 (176)]: successful write of 176
[CID 15][2022/02/05 16:08:59]: [status] Handling query input: 0x7fdf7c08a880 (176)
[CID 15][2022/02/05 16:08:59]: Connection matched service ipa-api
[CID 15][2022/02/05 16:08:59]: [status] Processing request [0x7fdf7c08a880 (176)]
[CID 15][2022/02/05 16:08:59]: [status] Executing request 6 (GSSX_ACQUIRE_CRED) from [0x7fdf7c08a880 (176)]
[CID 15][2022/02/05 16:08:59]: gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "ipa-api", euid: 977,socket: (null)
GSSX_ARG_ACQUIRE_CRED( call_ctx: { "" [ ] } input_cred_handle: <Null> add_cred: 0 desired_name: { "brian(a)EXAMPLE.COM" { 1 2 840 113554 1 2 2 1 } [ ] [ ] [ ] } time_req: 4294967295 desired_mechs: { { 1 2 840 113554 1 2 2 } } cred_usage: INITIATE initiator_time_req: 0 acceptor_time_req: 0 )
GSSX_RES_ACQUIRE_CRED( status: { 851968 { 1 2 840 113554 1 2 2 } 2529639107 "Unspecified GSS failure. Minor code may provide more information" "No credentials cache found" [ ] } output_cred_handle: <Null> )
[CID 15][2022/02/05 16:08:59]: [status] Returned buffer 6 (GSSX_ACQUIRE_CRED) from [0x7fdf7c08a880 (176)]: [0x7fdf7c066260 (176)]
[CID 15][2022/02/05 16:08:59]: [status] Handling query output: 0x7fdf7c066260 (176)
[2022/02/05 16:08:59]: [status] Handling query reply: 0x7fdf7c066260 (176)
[2022/02/05 16:08:59]: [status] Sending data: 0x7fdf7c066260 (176)
[2022/02/05 16:08:59]: [status] Sending data [0x7fdf7c066260 (176)]: successful write of 176
[2022/02/05 16:08:59]: Client [2022/02/05 16:08:59]: (/usr/sbin/httpd) [2022/02/05 16:08:59]: connected (fd = 16)[2022/02/05 16:08:59]: (pid = 4268) (uid = 977) (gid = 973)[2022/02/05 16:08:59]: (context = system_u:system_r:httpd_t:s0)[2022/02/05 16:08:59]:
[CID 16][2022/02/05 16:08:59]: [status] Handling query input: 0x7fdf7c066260 (176)
[CID 16][2022/02/05 16:08:59]: Connection matched service ipa-api
[CID 16][2022/02/05 16:08:59]: [status] Processing request [0x7fdf7c066260 (176)]
[CID 16][2022/02/05 16:08:59]: [status] Executing request 6 (GSSX_ACQUIRE_CRED) from [0x7fdf7c066260 (176)]
[CID 16][2022/02/05 16:08:59]: gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "ipa-api", euid: 977,socket: (null)
GSSX_ARG_ACQUIRE_CRED( call_ctx: { "" [ ] } input_cred_handle: <Null> add_cred: 0 desired_name: { "brian(a)EXAMPLE.COM" { 1 2 840 113554 1 2 2 1 } [ ] [ ] [ ] } time_req: 4294967295 desired_mechs: { { 1 2 840 113554 1 2 2 } } cred_usage: INITIATE initiator_time_req: 0 acceptor_time_req: 0 )
GSSX_RES_ACQUIRE_CRED( status: { 851968 { 1 2 840 113554 1 2 2 } 2529639107 "Unspecified GSS failure. Minor code may provide more information" "No credentials cache found" [ ] } output_cred_handle: <Null> )
[CID 16][2022/02/05 16:08:59]: [status] Returned buffer 6 (GSSX_ACQUIRE_CRED) from [0x7fdf7c066260 (176)]: [0x7fdf7c05c9e0 (176)]
[CID 16][2022/02/05 16:08:59]: [status] Handling query output: 0x7fdf7c05c9e0 (176)
[2022/02/05 16:08:59]: [status] Handling query reply: 0x7fdf7c05c9e0 (176)
[2022/02/05 16:08:59]: [status] Sending data: 0x7fdf7c05c9e0 (176)
[2022/02/05 16:08:59]: [status] Sending data [0x7fdf7c05c9e0 (176)]: successful write of 176
[CID 16][2022/02/05 16:08:59]: [status] Handling query input: 0x7fdf7c05c9e0 (176)
[CID 16][2022/02/05 16:08:59]: Connection matched service ipa-api
[CID 16][2022/02/05 16:08:59]: [status] Processing request [0x7fdf7c05c9e0 (176)]
[CID 16][2022/02/05 16:08:59]: [status] Executing request 6 (GSSX_ACQUIRE_CRED) from [0x7fdf7c05c9e0 (176)]
[CID 16][2022/02/05 16:08:59]: gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "ipa-api", euid: 977,socket: (null)
GSSX_ARG_ACQUIRE_CRED( call_ctx: { "" [ ] } input_cred_handle: <Null> add_cred: 0 desired_name: { "brian(a)EXAMPLE.COM" { 1 2 840 113554 1 2 2 1 } [ ] [ ] [ ] } time_req: 4294967295 desired_mechs: { { 1 2 840 113554 1 2 2 } } cred_usage: INITIATE initiator_time_req: 0 acceptor_time_req: 0 )
GSSX_RES_ACQUIRE_CRED( status: { 851968 { 1 2 840 113554 1 2 2 } 2529639107 "Unspecified GSS failure. Minor code may provide more information" "No credentials cache found" [ ] } output_cred_handle: <Null> )
[CID 16][2022/02/05 16:08:59]: [status] Returned buffer 6 (GSSX_ACQUIRE_CRED) from [0x7fdf7c05c9e0 (176)]: [0x7fdf7c03f690 (176)]
[CID 16][2022/02/05 16:08:59]: [status] Handling query output: 0x7fdf7c03f690 (176)
[2022/02/05 16:08:59]: [status] Handling query reply: 0x7fdf7c03f690 (176)
[2022/02/05 16:08:59]: [status] Sending data: 0x7fdf7c03f690 (176)
[2022/02/05 16:08:59]: [status] Sending data [0x7fdf7c03f690 (176)]: successful write of 176
Cheers,
b.
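The gssproxy debug output above reports the GSS status as raw numbers next to the two text messages. As an added example (not part of the original post or of gssproxy itself), the following Python decodes those fields from log lines in that shape: it pairs each gp_rpc_execute line with the GSSX_RES_* reply that follows it, splits the major status into its RFC 2744 routine-error field, and converts the unsigned minor code back to the signed libkrb5 com_err value. The sample log is constructed to match the format in the post; the principal and pointer values are placeholders.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of gssproxy level-3 debug output: the
# request-execution line, its GSSX_ARG_* and the GSSX_RES_* carrying the
# GSS major/minor status. Values are illustrative, not from a real host.
SAMPLE_LOG = """\
[CID 15][2022/02/05 16:08:59]: Connection matched service ipa-api
[CID 15][2022/02/05 16:08:59]: gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "ipa-api", euid: 977,socket: (null)
GSSX_ARG_ACQUIRE_CRED( call_ctx: { "" [ ] } input_cred_handle: <Null> add_cred: 0 desired_name: { "user@EXAMPLE.COM" { 1 2 840 113554 1 2 2 1 } [ ] [ ] [ ] } time_req: 4294967295 desired_mechs: { { 1 2 840 113554 1 2 2 } } cred_usage: INITIATE initiator_time_req: 0 acceptor_time_req: 0 )
GSSX_RES_ACQUIRE_CRED( status: { 851968 { 1 2 840 113554 1 2 2 } 2529639107 "Unspecified GSS failure. Minor code may provide more information" "No credentials cache found" [ ] } output_cred_handle: <Null> )
"""

EXEC_RE = re.compile(r'gp_rpc_execute: executing (\d+) \((\w+)\) for service "([^"]+)", euid: (\d+)')
RES_RE = re.compile(r'^GSSX_RES_(\w+)\( status: \{ (\d+) \{ [\d ]+\} (\d+) "([^"]*)" "([^"]*)"')

# Routine-error field of a GSS major status (RFC 2744, bits 16..23); subset only.
ROUTINE_ERRORS = {7: "GSS_S_NO_CRED", 11: "GSS_S_CREDENTIALS_EXPIRED",
                  13: "GSS_S_FAILURE", 16: "GSS_S_UNAVAILABLE"}
# gssproxy prints the krb5 minor code as an unsigned 32-bit value; libkrb5
# defines it as a negative com_err code (KRB5_FCC_NOFILE = -1765328189).
KRB5_MINOR = {-1765328189: "KRB5_FCC_NOFILE"}

def to_signed32(value: int) -> int:
    return value - 2**32 if value >= 2**31 else value

def parse_gssproxy_log(text: str) -> List[Dict]:
    """Pair each executed request with the status of the GSSX_RES_* reply that
    follows it; return only replies whose major status is non-zero."""
    failures, pending = [], None
    for line in text.splitlines():
        m = EXEC_RE.search(line)
        if m:
            pending = {"request": m.group(2), "service": m.group(3), "euid": int(m.group(4))}
            continue
        m = RES_RE.match(line)
        if not m or pending is None:
            continue
        major, minor = int(m.group(2)), to_signed32(int(m.group(3)))
        if major != 0:
            routine = (major >> 16) & 0xFF
            failures.append({**pending, "major": major, "minor": minor,
                             "routine_error": ROUTINE_ERRORS.get(routine, f"routine {routine}"),
                             "minor_name": KRB5_MINOR.get(minor, "unknown"),
                             "minor_message": m.group(5)})
        pending = None  # one reply per request; do not reuse the context
    return failures

if __name__ == "__main__":
    for f in parse_gssproxy_log(SAMPLE_LOG):
        print(f"{f['service']} euid={f['euid']} {f['request']}: {f['routine_error']} / "
              f"{f['minor_name']} ({f['minor_message']})")
```

Run against the post's own log, every GSSX_ACQUIRE_CRED for service ipa-api decodes to GSS_S_FAILURE with minor KRB5_FCC_NOFILE, i.e. httpd (euid 977) asked gssproxy to initiate as the user but no credential cache was available to it; a burst of such records per CID is also a cheap thing to alert on when a replica's web login breaks.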