Hi,
We have FreeIPA running as a Docker container and I am facing the
same problem (Login Failed due to an unknown reason).
This is the output from the container shell.
sh-4.2# openssl x509 -in /var/kerberos/krb5kdc/kdc.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 10 (0xa)
Signature Algorithm: sha256WithRSAEncryption
Issuer:
, CN=Certificate Authority
Validity
Not Before: Mar 28 15:30:41 2020 GMT
Not After : Mar 29 15:30:41 2022 GMT
Subject:
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:E2:12:D1:0E:77:B1:9B:A6:5F:96:06:9E:C1:4F:9D:C1:6A:1C:5C:0C
Authority Information Access:
OCSP -
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, 1.3.6.1.5.2.3.5
X509v3 CRL Distribution Points:
Full Name:
CRL Issuer:
DirName: O = ipaca, CN = Certificate Authority
X509v3 Subject Key Identifier:
6B:84:45:F0:3F:20:AA:C9:6A:FE:08:33:A7:4F:4D:F5:07:95:18:31
X509v3 Subject Alternative Name:
othername:<unsupported>, othername:<unsupported>
Signature Algorithm: sha256WithRSAEncryption
Could you please help?
Thanks,
Anil
On Tue, Dec 29, 2020 at 2:08 AM D R via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote:
@abokovoy - Thanks for the heads up, the manual fix helped me solve the issue.
On Mon, Dec 28, 2020 at 1:20 AM Alexander Bokovoy <abokovoy(a)redhat.com> wrote:
> On Sun, 27 Dec 2020, D R via FreeIPA-users wrote:
> >Greetings,
> >
> >After automatic KDC certificate renewal, I'm no longer able to access the
> >UI.
> >
> >[Sun Dec 27 23:33:20.563064 2020] [:error] [pid 6150] [remote
> >10.xx.xx.22:72] Traceback (most recent call last):
> >[Sun Dec 27 23:33:20.563085 2020] [:error] [pid 6150] [remote
> >10.xx.xx.22:72] File "/usr/share/ipa/wsgi.py", line 59, in application
> >[Sun Dec 27 23:33:20.563121 2020] [:error] [pid 6150] [remote
> >10.xx.xx.22:72] return api.Backend.wsgi_dispatch(environ,
> >start_response)
> >[Sun Dec 27 23:33:20.563129 2020] [:error] [pid 6150] [remote
> >10.xx.xx.22:72] File
> >"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 267, in __call__
> >[Sun Dec 27 23:33:20.563142 2020] [:error] [pid 6150] [remote
> >10.xx.xx.22:72] return self.route(environ, start_response)
> >[Sun Dec 27 23:33:20.563160 2020] [:error] [pid 6150] [remote
> >10.xx.xx.22:72] File
> >"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 279, in route
> >[Sun Dec 27 23:33:20.563170 2020] [:error] [pid 6150] [remote
> >10.xx.xx.22:72] return app(environ, start_response)
> >[Sun Dec 27 23:33:20.563174 2020] [:error] [pid 6150] [remote
> >10.xx.xx.22:72] File
> >"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 937, in __call__
> >[Sun Dec 27 23:33:20.563182 2020] [:error] [pid 6150] [remote
> >10.xx.xx.22:72] self.kinit(user_principal, password, ipa_ccache_name)
> >[Sun Dec 27 23:33:20.563194 2020] [:error] [pid 6150] [remote
> >10.xx.xx.22:72] File
> >"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 973, in kinit
> >[Sun Dec 27 23:33:20.563201 2020] [:error] [pid 6150] [remote
> >10.xx.xx.22:72] pkinit_anchors=[paths.KDC_CERT,
> >paths.KDC_CA_BUNDLE_PEM],
> >[Sun Dec 27 23:33:20.563209 2020] [:error] [pid 6150] [remote
> >10.xx.xx.22:72] File
> >"/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 127, in kinit_armor
> >[Sun Dec 27 23:33:20.563219 2020] [:error] [pid 6150] [remote
> >10.xx.xx.22:72] run(args, env=env, raiseonerr=True, capture_error=True)
> >[Sun Dec 27 23:33:20.563225 2020] [:error] [pid 6150] [remote
> >10.xx.xx.22:72] File
> >"/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 563, in run
> >[Sun Dec 27 23:33:20.563234 2020] [:error] [pid 6150] [remote
> >10.xx.xx.22:72] raise CalledProcessError(p.returncode, arg_string,
> >str(output))
> >[Sun Dec 27 23:33:20.563263 2020] [:error] [pid 6150] [remote
> >10.xx.xx.22:72] CalledProcessError: Command '/usr/bin/kinit -n -c
> >/var/run/ipa/ccaches/armor_6150 -X
> >X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X
> >X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned
> >non-zero exit status 1
> >
> >---
> >
> >KRB5_TRACE=/dev/stdout /usr/bin/kinit -n -c
> >/var/run/ipa/ccaches/armor_19265 -X
> >X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X
> >X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
> >[12904] 1609104974.342210: Getting initial credentials for WELLKNOWN/
> >ANONYMOUS(a)A-LABS.COM
> >[12904] 1609104974.342212: Sending unauthenticated request
> >[12904] 1609104974.342213: Sending request (184 bytes) to A-LABS.COM
> >[12904] 1609104974.342214: Initiating TCP connection to stream
> >10.xx.xx.90:88
> >[12904] 1609104974.342215: Sending TCP request to stream 10.xx.xx.90:88
> >[12904] 1609104974.342216: Received answer (335 bytes) from stream
> >10.xx.xx.90:88
> >[12904] 1609104974.342217: Terminating TCP connection to stream
> >10.xx.xx.90:88
> >[12904] 1609104974.342218: Response was from master KDC
> >[12904] 1609104974.342219: Received error from KDC: -1765328359/Additional pre-authentication required
> >[12904] 1609104974.342222: Preauthenticating using KDC method data
> >[12904] 1609104974.342223: Processing preauth types: PA-PK-AS-REQ (16),
> >PA-PK-AS-REP_OLD (15), PA-PK-AS-REQ_OLD (14), PA-FX-FAST (136),
> >PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-ENC-TIMESTAMP (2), PA-FX-COOKIE (133)
> >[12904] 1609104974.342224: Selected etype info: etype aes256-cts, salt
> >"A-LABS.COMWELLKNOWNANONYMOUS", params ""
> >[12904] 1609104974.342225: Received cookie: MIT
> >[12904] 1609104974.342226: Preauth module pkinit (147) (info) returned:
> >0/Success
> >[12904] 1609104974.342227: PKINIT loading CA certs and CRLs from FILE
> >[12904] 1609104974.342228: PKINIT loading CA certs and CRLs from FILE
> >[12904] 1609104974.342229: PKINIT loading CA certs and CRLs from FILE
> >[12904] 1609104974.342230: PKINIT client computed kdc-req-body checksum
> >9/D4FAE675E4E8C9664DBE0FAD0EB8C416A639CAF3
> >[12904] 1609104974.342232: PKINIT client making DH request
> >[12904] 1609104974.342233: Preauth module pkinit (16) (real) returned:
> >0/Success
> >[12904] 1609104974.342234: Produced preauth for next request: PA-FX-COOKIE (133), PA-PK-AS-REQ (16)
> >[12904] 1609104974.342235: Sending request (1497 bytes) to A-LABS.COM
> >[12904] 1609104974.342236: Initiating TCP connection to stream
> >10.xx.xx.90:88
> >[12904] 1609104974.342237: Sending TCP request to stream 10.xx.xx.90:88
> >[12904] 1609104974.342238: Received answer (1603 bytes) from stream
> >10.xx.xx.90:88
> >[12904] 1609104974.342239: Terminating TCP connection to stream
> >10.xx.xx.90:88
> >[12904] 1609104974.342240: Response was from master KDC
> >[12904] 1609104974.342241: Processing preauth types: PA-PK-AS-REP (17),
> >PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147)
> >[12904] 1609104974.342242: Selected etype info: etype aes256-cts, salt
> >"A-LABS.COMWELLKNOWNANONYMOUS", params ""
> >[12904] 1609104974.342243: Preauth module pkinit (147) (info) returned:
> >0/Success
> >[12904] 1609104974.342244: PKINIT client verified DH reply
> >[12904] 1609104974.342245: Preauth module pkinit (17) (real) returned:
> >-1765328308/KDC name mismatch
>
> It says 'KDC name mismatch'.
>
> There are two requirements in the MIT Kerberos PKINIT plugin code on the
> client side. After validating the signed data and collecting SANs from the
> certificate presented by the KDC, the PKINIT plugin on the client checks:
>
> - whether the list of SANs contains the Kerberos principal
> krbtgt/REALM@REALM; this is enough, no other checks would be needed
>
> - whether the list of SANs contains the KDC hostname and whether one of the
> EKUs in the certificate matches id-pkinit-kdc
>
> See https://pagure.io/freeipa/issue/8532 for a possible manual fix.
>
>
> >[12904] 1609104974.342246: Produced preauth for next request: (empty)
> >[12904] 1609104974.342247: Getting AS key, salt
> >"A-LABS.COMWELLKNOWNANONYMOUS", params ""
> >Password for WELLKNOWN/ANONYMOUS(a)A-LABS.COM:
> >[12904] 1609104977.873071: AS key obtained from gak_fct: aes256-cts/B8BD
> >kinit: Password incorrect while getting initial credentials
> >
> >--
> >
> >openssl x509 -in /var/kerberos/krb5kdc/kdc.crt -text -noout
> >Certificate:
> > Data:
> > Version: 3 (0x2)
> > Serial Number: 10 (0xa)
> > Signature Algorithm: sha256WithRSAEncryption
> > Issuer: O=DOMAIN.COM, CN=ipa.domain.com
>
> This is a self-issued local certificate; it looks like the issue above. The
> issuer here should be
>
> Issuer: CN=Certificate Authority,O=DOMAIN.COM
>
> > Validity
> > Not Before: Dec 27 07:38:54 2020 GMT
> > Not After : Dec 27 07:38:54 2021 GMT
> > Subject: O=DOMAIN.COM, CN=ipa.domain.com
> > Subject Public Key Info:
> > Public Key Algorithm: rsaEncryption
> > Public-Key: (2048 bit)
> > Modulus:
> > Exponent: 65537 (0x10001)
> > X509v3 extensions:
> > X509v3 Basic Constraints: critical
> > CA:FALSE
> > Signature Algorithm: sha256WithRSAEncryption
> >
> >To my understanding, something is wrong with the kdc certificate, it
> >lacks some attributes. I'm just not sure how to generate a proper cert.
>
> It would be good to see all extensions and SANs from the cert. You need
> to use GnuTLS tools to be able to print Kerberos extensions correctly.
>
> Install gnutls-utils and do
> # certtool -i --infile /var/kerberos/krb5kdc/kdc.crt
>
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>
> _______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
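The two client-side PKINIT rules Alexander describes, as an added example that is not code from this thread, FreeIPA or MIT Kerberos: a pure-Python decoder for the id-pkinit-san otherName (the SAN entry openssl can only print as othername:<unsupported>) plus the acceptance check, run over a constructed SubjectAltName. The realm A-LABS.COM comes from the trace above; the hostname ipa.a-labs.com, the NT-SRV-INST name-type and all helper names are assumptions.

```python
ID_PKINIT_SAN_OID = bytes.fromhex("2b0601050202")   # DER body of 1.3.6.1.5.2.2 (id-pkinit-san)
ID_PKINIT_KDC = "1.3.6.1.5.2.3.5"                   # id-pkinit-kdc EKU, as openssl prints it

def der_items(buf):                                 # yield (tag, body) for each DER TLV
    i = 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:                                # long-form length: n & 0x7F bytes follow
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        yield tag, buf[i:i + n]
        i += n

def parse_krb5_principal(value):
    """Decode a KRB5PrincipalName (RFC 4556, 3.2.2) into 'part/part@REALM'."""
    (_, seq), = der_items(value)                    # KRB5PrincipalName ::= SEQUENCE
    (_, realm_x), (_, name_x) = der_items(seq)      # [0] realm, [1] principalName
    (_, realm), = der_items(realm_x)                # explicit tag wraps a GeneralString
    (_, pn), = der_items(name_x)                    # PrincipalName ::= SEQUENCE
    (_, _ntype), (_, strings_x) = der_items(pn)     # [0] name-type, [1] name-string
    (_, seq_of), = der_items(strings_x)             # SEQUENCE OF KerberosString
    parts = [s.decode("ascii") for _, s in der_items(seq_of)]
    return "/".join(parts) + "@" + realm.decode("ascii")

def parse_san(ext_value):                           # -> (principals, dnsnames)
    principals, dnsnames = [], []
    (_, seq), = der_items(ext_value)                # SubjectAltName ::= SEQUENCE OF GeneralName
    for tag, body in der_items(seq):
        if tag == 0x82:                             # dNSName [2] IMPLICIT IA5String
            dnsnames.append(body.decode("ascii"))
        elif tag == 0xA0:                           # otherName [0] IMPLICIT: OID, [0] EXPLICIT value
            (_, oid), (_, value) = der_items(body)
            if oid == ID_PKINIT_SAN_OID:            # openssl shows this as othername:<unsupported>
                principals.append(parse_krb5_principal(value))
    return principals, dnsnames

def kdc_cert_acceptable(principals, dnsnames, ekus, realm, kdc_hostname):
    """True if the PKINIT client accepts the KDC cert; False is the 'KDC name mismatch' case."""
    return (f"krbtgt/{realm}@{realm}" in principals                      # rule 1: enough alone
            or (kdc_hostname.lower() in [d.lower() for d in dnsnames]    # rule 2: hostname SAN
                and ID_PKINIT_KDC in ekus))                               #   plus id-pkinit-kdc EKU

tlv = lambda tag, body: bytes([tag, len(body)]) + body   # short-form DER; sample bodies < 128 bytes
def build_sample_san(realm, name_parts, dnsname):   # constructed test input, not a real cert
    gs = lambda s: tlv(0x1B, s.encode("ascii"))     # KerberosString is a GeneralString
    pname = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) +                    # name-type 2 (NT-SRV-INST)
                      tlv(0xA1, tlv(0x30, b"".join(gs(p) for p in name_parts))))
    krb = tlv(0x30, tlv(0xA0, gs(realm)) + tlv(0xA1, pname))
    other = tlv(0xA0, tlv(0x06, ID_PKINIT_SAN_OID) + tlv(0xA0, krb))
    return tlv(0x30, other + tlv(0x82, dnsname.encode("ascii")))
```

To run this against a real kdc.crt, feed parse_san the raw value of the SubjectAltName extension (OID 2.5.29.17) and kdc_cert_acceptable the EKU OID list from your X.509 parser; a cert like the one in D R's dump (no SAN, no EKU) fails both rules, which is exactly the 'KDC name mismatch' in the trace.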