3:40 p.m.
Greetings,
After automatic KDC certificate renewal, I'm no longer able to access the
UI.
[Sun Dec 27 23:33:20.563064 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] Traceback (most recent call last):
[Sun Dec 27 23:33:20.563085 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] File "/usr/share/ipa/wsgi.py", line 59, in application
[Sun Dec 27 23:33:20.563121 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] return api.Backend.wsgi_dispatch(environ,
start_response)
[Sun Dec 27 23:33:20.563129 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 267, in
__call__
[Sun Dec 27 23:33:20.563142 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] return self.route(environ, start_response)
[Sun Dec 27 23:33:20.563160 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 279, in
route
[Sun Dec 27 23:33:20.563170 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] return app(environ, start_response)
[Sun Dec 27 23:33:20.563174 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 937, in
__call__
[Sun Dec 27 23:33:20.563182 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] self.kinit(user_principal, password, ipa_ccache_name)
[Sun Dec 27 23:33:20.563194 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 973, in
kinit
[Sun Dec 27 23:33:20.563201 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] pkinit_anchors=[paths.KDC_CERT,
paths.KDC_CA_BUNDLE_PEM],
[Sun Dec 27 23:33:20.563209 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] File
"/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 127, in
kinit_armor
[Sun Dec 27 23:33:20.563219 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] run(args, env=env, raiseonerr=True, capture_error=True)
[Sun Dec 27 23:33:20.563225 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] File
"/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 563, in run
[Sun Dec 27 23:33:20.563234 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] raise CalledProcessError(p.returncode, arg_string,
str(output))
[Sun Dec 27 23:33:20.563263 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] CalledProcessError: Command '/usr/bin/kinit -n -c
/var/run/ipa/ccaches/armor_6150 -X
X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X
X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned
non-zero exit status 1
---
KRB5_TRACE=/dev/stdout /usr/bin/kinit -n -c
/var/run/ipa/ccaches/armor_19265 -X
X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X
X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
[12904] 1609104974.342210: Getting initial credentials for WELLKNOWN/
ANONYMOUS(a)A-LABS.COM
[12904] 1609104974.342212: Sending unauthenticated request
[12904] 1609104974.342213: Sending request (184 bytes) to A-LABS.COM
[12904] 1609104974.342214: Initiating TCP connection to stream
10.xx.xx.90:88
[12904] 1609104974.342215: Sending TCP request to stream 10.xx.xx.90:88
[12904] 1609104974.342216: Received answer (335 bytes) from stream
10.xx.xx.90:88
[12904] 1609104974.342217: Terminating TCP connection to stream
10.xx.xx.90:88
[12904] 1609104974.342218: Response was from master KDC
[12904] 1609104974.342219: Received error from KDC: -1765328359/Additional
pre-authentication required
[12904] 1609104974.342222: Preauthenticating using KDC method data
[12904] 1609104974.342223: Processing preauth types: PA-PK-AS-REQ (16),
PA-PK-AS-REP_OLD (15), PA-PK-AS-REQ_OLD (14), PA-FX-FAST (136),
PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-ENC-TIMESTAMP (2), PA-FX-COOKIE
(133)
[12904] 1609104974.342224: Selected etype info: etype aes256-cts, salt
"A-LABS.COMWELLKNOWNANONYMOUS", params ""
[12904] 1609104974.342225: Received cookie: MIT
[12904] 1609104974.342226: Preauth module pkinit (147) (info) returned:
0/Success
[12904] 1609104974.342227: PKINIT loading CA certs and CRLs from FILE
[12904] 1609104974.342228: PKINIT loading CA certs and CRLs from FILE
[12904] 1609104974.342229: PKINIT loading CA certs and CRLs from FILE
[12904] 1609104974.342230: PKINIT client computed kdc-req-body checksum
9/D4FAE675E4E8C9664DBE0FAD0EB8C416A639CAF3
[12904] 1609104974.342232: PKINIT client making DH request
[12904] 1609104974.342233: Preauth module pkinit (16) (real) returned:
0/Success
[12904] 1609104974.342234: Produced preauth for next request: PA-FX-COOKIE
(133), PA-PK-AS-REQ (16)
[12904] 1609104974.342235: Sending request (1497 bytes) to A-LABS.COM
[12904] 1609104974.342236: Initiating TCP connection to stream
10.xx.xx.90:88
[12904] 1609104974.342237: Sending TCP request to stream 10.xx.xx.90:88
[12904] 1609104974.342238: Received answer (1603 bytes) from stream
10.xx.xx.90:88
[12904] 1609104974.342239: Terminating TCP connection to stream
10.xx.xx.90:88
[12904] 1609104974.342240: Response was from master KDC
[12904] 1609104974.342241: Processing preauth types: PA-PK-AS-REP (17),
PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147)
[12904] 1609104974.342242: Selected etype info: etype aes256-cts, salt
"A-LABS.COMWELLKNOWNANONYMOUS", params ""
[12904] 1609104974.342243: Preauth module pkinit (147) (info) returned:
0/Success
[12904] 1609104974.342244: PKINIT client verified DH reply
[12904] 1609104974.342245: Preauth module pkinit (17) (real) returned:
-1765328308/KDC name mismatch
[12904] 1609104974.342246: Produced preauth for next request: (empty)
[12904] 1609104974.342247: Getting AS key, salt
"A-LABS.COMWELLKNOWNANONYMOUS", params ""
Password for WELLKNOWN/ANONYMOUS(a)A-LABS.COM:
[12904] 1609104977.873071: AS key obtained from gak_fct: aes256-cts/B8BD
kinit: Password incorrect while getting initial credentials
--
openssl x509 -in /var/kerberos/krb5kdc/kdc.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 10 (0xa)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=DOMAIN.COM, CN=ipa.domain.com
Validity
Not Before: Dec 27 07:38:54 2020 GMT
Not After : Dec 27 07:38:54 2021 GMT
Subject: O=DOMAIN.COM, CN=ipa.domain.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:cc:6e:b1:b1:2d:05:ab:f1:df:ce:01:43:d5:80:
4a:f6:72:38:3c:50:aa:c7:40:bf:bd:6c:60:5e:8d:
d0:f3:2b:6c:db:fc:8f:48:9f:91:d6:d3:d2:43:f2:
39:35:17:56:37:a8:6f:66:c3:ab:1f:13:8f:d9:48:
c3:be:b9:2b:83:77:78:08:fe:3b:f8:93:83:1c:bb:
d0:e8:eb:49:a5:c1:8c:7f:0c:b5:fa:e7:07:f1:0c:
97:9b:47:e9:a2:a3:ab:9b:c1:70:e3:1b:e9:f2:3d:
2f:96:53:6d:38:eb:57:19:7f:dd:ed:e8:3c:c8:f0:
7c:36:b1:72:03:f1:2f:86:8e:cd:67:fd:fd:85:73:
00:16:60:81:3c:ad:13:4d:19:c0:4d:e7:94:8d:34:
29:99:7a:45:70:db:81:5d:0e:2d:83:7a:9c:19:c7:
ef:0a:79:8d:84:af:74:a3:b9:90:c8:b1:8c:65:d0:
2d:e0:89:98:42:e0:cb:c8:b0:e3:b5:7c:9b:44:01:
a8:31:15:8d:19:79:c5:35:26:4d:3f:e6:83:64:7f:
15:da:50:c1:5e:9c:67:1b:27:e5:35:0c:a8:71:a9:
4e:ee:ef:92:b5:f9:10:f6:31:82:2c:94:04:05:c5:
89:c6:96:1d:48:11:e5:8d:05:92:56:93:99:55:66:
b0:93
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
Signature Algorithm: sha256WithRSAEncryption
To my understanding, something is wrong with the kdc certificate, it lacks
some attributes. I'm just not sure how to generate a proper cert.
5:20 p.m.
On su, 27 joulu 2020, D R via FreeIPA-users wrote:
Greetings,
After automatic KDC certificate renewal, I'm no longer able to access the
UI.
[Sun Dec 27 23:33:20.563064 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] Traceback (most recent call last):
[Sun Dec 27 23:33:20.563085 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] File "/usr/share/ipa/wsgi.py", line 59, in application
[Sun Dec 27 23:33:20.563121 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] return api.Backend.wsgi_dispatch(environ,
start_response)
[Sun Dec 27 23:33:20.563129 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 267, in
__call__
[Sun Dec 27 23:33:20.563142 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] return self.route(environ, start_response)
[Sun Dec 27 23:33:20.563160 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 279, in
route
[Sun Dec 27 23:33:20.563170 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] return app(environ, start_response)
[Sun Dec 27 23:33:20.563174 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 937, in
__call__
[Sun Dec 27 23:33:20.563182 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] self.kinit(user_principal, password, ipa_ccache_name)
[Sun Dec 27 23:33:20.563194 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 973, in
kinit
[Sun Dec 27 23:33:20.563201 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] pkinit_anchors=[paths.KDC_CERT,
paths.KDC_CA_BUNDLE_PEM],
[Sun Dec 27 23:33:20.563209 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] File
"/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 127, in
kinit_armor
[Sun Dec 27 23:33:20.563219 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] run(args, env=env, raiseonerr=True, capture_error=True)
[Sun Dec 27 23:33:20.563225 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] File
"/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 563, in run
[Sun Dec 27 23:33:20.563234 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] raise CalledProcessError(p.returncode, arg_string,
str(output))
[Sun Dec 27 23:33:20.563263 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] CalledProcessError: Command '/usr/bin/kinit -n -c
/var/run/ipa/ccaches/armor_6150 -X
X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X
X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned
non-zero exit status 1
---
KRB5_TRACE=/dev/stdout /usr/bin/kinit -n -c
/var/run/ipa/ccaches/armor_19265 -X
X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X
X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
[12904] 1609104974.342210: Getting initial credentials for WELLKNOWN/
ANONYMOUS(a)A-LABS.COM
[12904] 1609104974.342212: Sending unauthenticated request
[12904] 1609104974.342213: Sending request (184 bytes) to A-LABS.COM
[12904] 1609104974.342214: Initiating TCP connection to stream
10.xx.xx.90:88
[12904] 1609104974.342215: Sending TCP request to stream 10.xx.xx.90:88
[12904] 1609104974.342216: Received answer (335 bytes) from stream
10.xx.xx.90:88
[12904] 1609104974.342217: Terminating TCP connection to stream
10.xx.xx.90:88
[12904] 1609104974.342218: Response was from master KDC
[12904] 1609104974.342219: Received error from KDC: -1765328359/Additional
pre-authentication required
[12904] 1609104974.342222: Preauthenticating using KDC method data
[12904] 1609104974.342223: Processing preauth types: PA-PK-AS-REQ (16),
PA-PK-AS-REP_OLD (15), PA-PK-AS-REQ_OLD (14), PA-FX-FAST (136),
PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-ENC-TIMESTAMP (2), PA-FX-COOKIE
(133)
[12904] 1609104974.342224: Selected etype info: etype aes256-cts, salt
"A-LABS.COMWELLKNOWNANONYMOUS", params ""
[12904] 1609104974.342225: Received cookie: MIT
[12904] 1609104974.342226: Preauth module pkinit (147) (info) returned:
0/Success
[12904] 1609104974.342227: PKINIT loading CA certs and CRLs from FILE
[12904] 1609104974.342228: PKINIT loading CA certs and CRLs from FILE
[12904] 1609104974.342229: PKINIT loading CA certs and CRLs from FILE
[12904] 1609104974.342230: PKINIT client computed kdc-req-body checksum
9/D4FAE675E4E8C9664DBE0FAD0EB8C416A639CAF3
[12904] 1609104974.342232: PKINIT client making DH request
[12904] 1609104974.342233: Preauth module pkinit (16) (real) returned:
0/Success
[12904] 1609104974.342234: Produced preauth for next request: PA-FX-COOKIE
(133), PA-PK-AS-REQ (16)
[12904] 1609104974.342235: Sending request (1497 bytes) to A-LABS.COM
[12904] 1609104974.342236: Initiating TCP connection to stream
10.xx.xx.90:88
[12904] 1609104974.342237: Sending TCP request to stream 10.xx.xx.90:88
[12904] 1609104974.342238: Received answer (1603 bytes) from stream
10.xx.xx.90:88
[12904] 1609104974.342239: Terminating TCP connection to stream
10.xx.xx.90:88
[12904] 1609104974.342240: Response was from master KDC
[12904] 1609104974.342241: Processing preauth types: PA-PK-AS-REP (17),
PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147)
[12904] 1609104974.342242: Selected etype info: etype aes256-cts, salt
"A-LABS.COMWELLKNOWNANONYMOUS", params ""
[12904] 1609104974.342243: Preauth module pkinit (147) (info) returned:
0/Success
[12904] 1609104974.342244: PKINIT client verified DH reply
[12904] 1609104974.342245: Preauth module pkinit (17) (real) returned:
-1765328308/KDC name mismatch
It says 'KDC name mismatch'.
There are two requirements in the MIT Kerberos PKINIT plugin code on the
client side. After validating signed data and collecting SANs from the
certificate presented by KDC, PKINIT plugin on the client checks:
- whether list of SANs contains Kerberos principal for
krbtgt/REALM@REALM, this is enough, no other checks would be needed
- whether list of SANs contains KDC hostname and whether one of
EKUs in the certificate match id-pkinit-kdc
See https://pagure.io/freeipa/issue/8532 for a possible manual fix.
[12904] 1609104974.342246: Produced preauth for next request: (empty)
[12904] 1609104974.342247: Getting AS key, salt
"A-LABS.COMWELLKNOWNANONYMOUS", params ""
Password for WELLKNOWN/ANONYMOUS(a)A-LABS.COM:
[12904] 1609104977.873071: AS key obtained from gak_fct: aes256-cts/B8BD
kinit: Password incorrect while getting initial credentials
--
openssl x509 -in /var/kerberos/krb5kdc/kdc.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 10 (0xa)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=DOMAIN.COM, CN=ipa.domain.com
This is a self-issued local certificate, looks like the issue above. The
issuer here should be
Issuer: CN=Certificate Authority,O=DOMAIN.COM
Validity
Not Before: Dec 27 07:38:54 2020 GMT
Not After : Dec 27 07:38:54 2021 GMT
Subject: O=DOMAIN.COM, CN=ipa.domain.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:cc:6e:b1:b1:2d:05:ab:f1:df:ce:01:43:d5:80:
4a:f6:72:38:3c:50:aa:c7:40:bf:bd:6c:60:5e:8d:
d0:f3:2b:6c:db:fc:8f:48:9f:91:d6:d3:d2:43:f2:
39:35:17:56:37:a8:6f:66:c3:ab:1f:13:8f:d9:48:
c3:be:b9:2b:83:77:78:08:fe:3b:f8:93:83:1c:bb:
d0:e8:eb:49:a5:c1:8c:7f:0c:b5:fa:e7:07:f1:0c:
97:9b:47:e9:a2:a3:ab:9b:c1:70:e3:1b:e9:f2:3d:
2f:96:53:6d:38:eb:57:19:7f:dd:ed:e8:3c:c8:f0:
7c:36:b1:72:03:f1:2f:86:8e:cd:67:fd:fd:85:73:
00:16:60:81:3c:ad:13:4d:19:c0:4d:e7:94:8d:34:
29:99:7a:45:70:db:81:5d:0e:2d:83:7a:9c:19:c7:
ef:0a:79:8d:84:af:74:a3:b9:90:c8:b1:8c:65:d0:
2d:e0:89:98:42:e0:cb:c8:b0:e3:b5:7c:9b:44:01:
a8:31:15:8d:19:79:c5:35:26:4d:3f:e6:83:64:7f:
15:da:50:c1:5e:9c:67:1b:27:e5:35:0c:a8:71:a9:
4e:ee:ef:92:b5:f9:10:f6:31:82:2c:94:04:05:c5:
89:c6:96:1d:48:11:e5:8d:05:92:56:93:99:55:66:
b0:93
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
Signature Algorithm: sha256WithRSAEncryption
To my understanding, something is wrong with the kdc certificate, it lacks
some attributes. I'm just not sure how to generate a proper cert.
It would be good to see all extensions and SANs from the cert. You need
to use GnuTLS tools to be able to print Kerberos extensions correctly.
Install gnutls-utils and do
# certtool -i --infile /var/kerberos/krb5kdc/kdc.crt
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
2:38 p.m.
@abokovoy - Thanks for the heads up, the manual fix helped me solving the
issue.
On Mon, Dec 28, 2020 at 1:20 AM Alexander Bokovoy <abokovoy(a)redhat.com>
wrote:
On su, 27 joulu 2020, D R via FreeIPA-users wrote:
>Greetings,
>
>After automatic KDC certificate renewal, I'm no longer able to access the
>UI.
>
>[Sun Dec 27 23:33:20.563064 2020] [:error] [pid 6150] [remote
>10.xx.xx.22:72] Traceback (most recent call last):
>[Sun Dec 27 23:33:20.563085 2020] [:error] [pid 6150] [remote
>10.xx.xx.22:72] File "/usr/share/ipa/wsgi.py", line 59, in application
>[Sun Dec 27 23:33:20.563121 2020] [:error] [pid 6150] [remote
>10.xx.xx.22:72] return api.Backend.wsgi_dispatch(environ,
>start_response)
>[Sun Dec 27 23:33:20.563129 2020] [:error] [pid 6150] [remote
>10.xx.xx.22:72] File
>"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 267, in
>__call__
>[Sun Dec 27 23:33:20.563142 2020] [:error] [pid 6150] [remote
>10.xx.xx.22:72] return self.route(environ, start_response)
>[Sun Dec 27 23:33:20.563160 2020] [:error] [pid 6150] [remote
>10.xx.xx.22:72] File
>"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 279, in
>route
>[Sun Dec 27 23:33:20.563170 2020] [:error] [pid 6150] [remote
>10.xx.xx.22:72] return app(environ, start_response)
>[Sun Dec 27 23:33:20.563174 2020] [:error] [pid 6150] [remote
>10.xx.xx.22:72] File
>"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 937, in
>__call__
>[Sun Dec 27 23:33:20.563182 2020] [:error] [pid 6150] [remote
>10.xx.xx.22:72] self.kinit(user_principal, password, ipa_ccache_name)
>[Sun Dec 27 23:33:20.563194 2020] [:error] [pid 6150] [remote
>10.xx.xx.22:72] File
>"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 973, in
>kinit
>[Sun Dec 27 23:33:20.563201 2020] [:error] [pid 6150] [remote
>10.xx.xx.22:72] pkinit_anchors=[paths.KDC_CERT,
>paths.KDC_CA_BUNDLE_PEM],
>[Sun Dec 27 23:33:20.563209 2020] [:error] [pid 6150] [remote
>10.xx.xx.22:72] File
>"/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 127, in
>kinit_armor
>[Sun Dec 27 23:33:20.563219 2020] [:error] [pid 6150] [remote
>10.xx.xx.22:72] run(args, env=env, raiseonerr=True,
capture_error=True)
>[Sun Dec 27 23:33:20.563225 2020] [:error] [pid 6150] [remote
>10.xx.xx.22:72] File
>"/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 563, in run
>[Sun Dec 27 23:33:20.563234 2020] [:error] [pid 6150] [remote
>10.xx.xx.22:72] raise CalledProcessError(p.returncode, arg_string,
>str(output))
>[Sun Dec 27 23:33:20.563263 2020] [:error] [pid 6150] [remote
>10.xx.xx.22:72] CalledProcessError: Command '/usr/bin/kinit -n -c
>/var/run/ipa/ccaches/armor_6150 -X
>X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X
>X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned
>non-zero exit status 1
>
>---
>
>KRB5_TRACE=/dev/stdout /usr/bin/kinit -n -c
>/var/run/ipa/ccaches/armor_19265 -X
>X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X
>X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
>[12904] 1609104974.342210: Getting initial credentials for WELLKNOWN/
>ANONYMOUS(a)A-LABS.COM
>[12904] 1609104974.342212: Sending unauthenticated request
>[12904] 1609104974.342213: Sending request (184 bytes) to A-LABS.COM
>[12904] 1609104974.342214: Initiating TCP connection to stream
>10.xx.xx.90:88
>[12904] 1609104974.342215: Sending TCP request to stream 10.xx.xx.90:88
>[12904] 1609104974.342216: Received answer (335 bytes) from stream
>10.xx.xx.90:88
>[12904] 1609104974.342217: Terminating TCP connection to stream
>10.xx.xx.90:88
>[12904] 1609104974.342218: Response was from master KDC
>[12904] 1609104974.342219: Received error from KDC: -1765328359/Additional
>pre-authentication required
>[12904] 1609104974.342222: Preauthenticating using KDC method data
>[12904] 1609104974.342223: Processing preauth types: PA-PK-AS-REQ (16),
>PA-PK-AS-REP_OLD (15), PA-PK-AS-REQ_OLD (14), PA-FX-FAST (136),
>PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-ENC-TIMESTAMP (2),
PA-FX-COOKIE
>(133)
>[12904] 1609104974.342224: Selected etype info: etype aes256-cts, salt
>"A-LABS.COMWELLKNOWNANONYMOUS", params ""
>[12904] 1609104974.342225: Received cookie: MIT
>[12904] 1609104974.342226: Preauth module pkinit (147) (info) returned:
>0/Success
>[12904] 1609104974.342227: PKINIT loading CA certs and CRLs from FILE
>[12904] 1609104974.342228: PKINIT loading CA certs and CRLs from FILE
>[12904] 1609104974.342229: PKINIT loading CA certs and CRLs from FILE
>[12904] 1609104974.342230: PKINIT client computed kdc-req-body checksum
>9/D4FAE675E4E8C9664DBE0FAD0EB8C416A639CAF3
>[12904] 1609104974.342232: PKINIT client making DH request
>[12904] 1609104974.342233: Preauth module pkinit (16) (real) returned:
>0/Success
>[12904] 1609104974.342234: Produced preauth for next request: PA-FX-COOKIE
>(133), PA-PK-AS-REQ (16)
>[12904] 1609104974.342235: Sending request (1497 bytes) to A-LABS.COM
>[12904] 1609104974.342236: Initiating TCP connection to stream
>10.xx.xx.90:88
>[12904] 1609104974.342237: Sending TCP request to stream 10.xx.xx.90:88
>[12904] 1609104974.342238: Received answer (1603 bytes) from stream
>10.xx.xx.90:88
>[12904] 1609104974.342239: Terminating TCP connection to stream
>10.xx.xx.90:88
>[12904] 1609104974.342240: Response was from master KDC
>[12904] 1609104974.342241: Processing preauth types: PA-PK-AS-REP (17),
>PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147)
>[12904] 1609104974.342242: Selected etype info: etype aes256-cts, salt
>"A-LABS.COMWELLKNOWNANONYMOUS", params ""
>[12904] 1609104974.342243: Preauth module pkinit (147) (info) returned:
>0/Success
>[12904] 1609104974.342244: PKINIT client verified DH reply
>[12904] 1609104974.342245: Preauth module pkinit (17) (real) returned:
>-1765328308/KDC name mismatch
It says 'KDC name mismatch'.
There are two requirements in the MIT Kerberos PKINIT plugin code on the
client side. After validating signed data and collecting SANs from the
certificate presented by KDC, PKINIT plugin on the client checks:
- whether list of SANs contains Kerberos principal for
krbtgt/REALM@REALM, this is enough, no other checks would be needed
- whether list of SANs contains KDC hostname and whether one of
EKUs in the certificate match id-pkinit-kdc
See https://pagure.io/freeipa/issue/8532 for a possible manual fix.
>[12904] 1609104974.342246: Produced preauth for next request: (empty)
>[12904] 1609104974.342247: Getting AS key, salt
>"A-LABS.COMWELLKNOWNANONYMOUS", params ""
>Password for WELLKNOWN/ANONYMOUS(a)A-LABS.COM:
>[12904] 1609104977.873071: AS key obtained from gak_fct: aes256-cts/B8BD
>kinit: Password incorrect while getting initial credentials
>
>--
>
>openssl x509 -in /var/kerberos/krb5kdc/kdc.crt -text -noout
>Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number: 10 (0xa)
> Signature Algorithm: sha256WithRSAEncryption
> Issuer: O=DOMAIN.COM, CN=ipa.domain.com
This is a self-issued local certificate, looks like the issue above. The
issuer here should be
Issuer: CN=Certificate Authority,O=DOMAIN.COM
> Validity
> Not Before: Dec 27 07:38:54 2020 GMT
> Not After : Dec 27 07:38:54 2021 GMT
> Subject: O=DOMAIN.COM, CN=ipa.domain.com
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> Public-Key: (2048 bit)
> Modulus:
> 00:cc:6e:b1:b1:2d:05:ab:f1:df:ce:01:43:d5:80:
> 4a:f6:72:38:3c:50:aa:c7:40:bf:bd:6c:60:5e:8d:
> d0:f3:2b:6c:db:fc:8f:48:9f:91:d6:d3:d2:43:f2:
> 39:35:17:56:37:a8:6f:66:c3:ab:1f:13:8f:d9:48:
> c3:be:b9:2b:83:77:78:08:fe:3b:f8:93:83:1c:bb:
> d0:e8:eb:49:a5:c1:8c:7f:0c:b5:fa:e7:07:f1:0c:
> 97:9b:47:e9:a2:a3:ab:9b:c1:70:e3:1b:e9:f2:3d:
> 2f:96:53:6d:38:eb:57:19:7f:dd:ed:e8:3c:c8:f0:
> 7c:36:b1:72:03:f1:2f:86:8e:cd:67:fd:fd:85:73:
> 00:16:60:81:3c:ad:13:4d:19:c0:4d:e7:94:8d:34:
> 29:99:7a:45:70:db:81:5d:0e:2d:83:7a:9c:19:c7:
> ef:0a:79:8d:84:af:74:a3:b9:90:c8:b1:8c:65:d0:
> 2d:e0:89:98:42:e0:cb:c8:b0:e3:b5:7c:9b:44:01:
> a8:31:15:8d:19:79:c5:35:26:4d:3f:e6:83:64:7f:
> 15:da:50:c1:5e:9c:67:1b:27:e5:35:0c:a8:71:a9:
> 4e:ee:ef:92:b5:f9:10:f6:31:82:2c:94:04:05:c5:
> 89:c6:96:1d:48:11:e5:8d:05:92:56:93:99:55:66:
> b0:93
> Exponent: 65537 (0x10001)
> X509v3 extensions:
> X509v3 Basic Constraints: critical
> CA:FALSE
> Signature Algorithm: sha256WithRSAEncryption
>
>To my understanding, something is wrong with the kdc certificate, it lacks
>some attributes. I'm just not sure how to generate a proper cert.
It would be good to see all extensions and SANs from the cert. You need
to use GnuTLS tools to be able to print Kerberos extensions correctly.
Install gnutls-utils and do
# certtool -i --infile /var/kerberos/krb5kdc/kdc.crt
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
7:55 a.m.
Hi,
we have freeipa running as docker container and i am facing the
same problem,(Login Failed due to an unknown reason).
This is the output from container shell.
sh-4.2# openssl x509 -in /var/kerberos/krb5kdc/kdc.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 10 (0xa)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=XXX.COM, CN=Certificate Authority
Validity
Not Before: Mar 28 15:30:41 2020 GMT
Not After : Mar 29 15:30:41 2022 GMT
Subject: O=XXX.COM, CN=freeipa.XXX.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c6:15:96:06:ec:5e:10:8d:92:a4:c4:29:11:58:
eb:47:94:46:b3:e0:92:0b:e1:60:50:ce:50:1b:6a:
25:28:88:de:5b:41:c7:3c:92:cf:02:c3:0c:a5:14:
37:68:04:c0:c6:e1:1a:c4:ac:6f:8c:04:55:d5:42:
3d:3c:78:29:88:3f:a4:81:52:35:88:3f:7e:fc:80:
8a:ea:14:2a:f2:a8:49:ab:d6:32:5b:ea:35:d4:3b:
4d:14:4f:2c:5a:97:e3:a5:83:be:a6:9e:61:21:0a:
e0:2a:37:f8:41:9a:a2:8c:fb:54:a2:b2:9a:9d:32:
ff:8a:bb:0d:a4:05:b9:31:db:cd:9e:75:05:b3:bf:
7f:f4:d7:84:8e:2e:16:92:db:51:97:01:1e:19:58:
93:1b:9b:1c:56:a1:18:10:62:3f:8e:43:84:4f:c5:
90:3b:e9:de:2e:71:4e:32:33:52:22:1f:51:a8:7b:
fa:46:88:8f:ea:d5:c7:0a:ab:9a:36:ca:ff:e4:d2:
fb:04:4a:39:81:06:b1:59:fc:9b:59:d9:2d:91:9d:
bc:65:c9:e0:55:37:88:ba:4d:f8:4d:68:7a:4c:70:
69:4b:3e:74:aa:d4:c2:65:20:bf:d5:37:5e:73:c6:
b3:a8:4b:ca:37:8c:09:ee:cd:23:26:ed:d8:65:e0:
3b:bf
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:E2:12:D1:0E:77:B1:9B:A6:5F:96:06:9E:C1:4F:9D:C1:6A:1C:5C:0C
Authority Information Access:
OCSP - URI:http://ipa-ca.XXX.com/ca/ocsp
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment, Data
Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, 1.3.6.1.5.2.3.5
X509v3 CRL Distribution Points:
Full Name:
URI:http://ipa-ca.XXX.com/ipa/crl/MasterCRL.bin
CRL Issuer:
DirName: O = ipaca, CN = Certificate Authority
X509v3 Subject Key Identifier:
6B:84:45:F0:3F:20:AA:C9:6A:FE:08:33:A7:4F:4D:F5:07:95:18:31
X509v3 Subject Alternative Name:
othername:<unsupported>, othername:<unsupported>
Signature Algorithm: sha256WithRSAEncryption
08:97:ce:4f:cf:25:c3:8b:3b:c5:70:b3:1e:57:2d:49:2a:70:
18:cf:7a:93:01:6a:26:0b:7b:7e:42:0d:8e:77:01:20:cd:41:
50:9d:03:0d:8b:ad:52:1c:e0:c0:56:3e:2a:de:3c:b4:c5:49:
63:11:8e:10:04:1a:d9:9a:3d:59:2c:7f:f2:7f:88:37:82:15:
aa:b7:c0:cc:83:a0:98:22:6f:e8:f9:8e:95:5f:d8:0f:65:ba:
96:cb:cc:22:ab:fe:e2:54:b5:f3:35:f8:39:4e:3e:7d:55:77:
4a:79:9e:0e:c0:1c:26:b1:b4:05:a1:92:0c:9c:4c:b8:46:73:
a4:b2:07:ff:6c:20:c7:e8:cb:44:66:78:e3:68:a5:74:0d:33:
d3:93:5c:dc:df:46:c9:d7:18:09:a9:8b:d2:02:b2:34:f6:ac:
2f:10:19:d1:c8:35:d8:4e:94:5a:5f:ac:b3:27:3c:ba:3f:06:
9c:64:6a:24:72:75:c1:8e:f4:6a:4a:1f:a6:31:93:74:36:78:
99:89:d0:34:5f:2b:f2:ab:90:5f:ce:46:8e:cf:6a:19:66:31:
df:57:2f:d5:98:b1:f7:69:a7:a3:f2:9f:80:77:56:d1:ff:22:
ef:80:25:d0:fd:5f:6a:a6:74:df:4c:3a:99:62:b6:40:64:d5:
0e:d4:c9:c0
Could you please help .
Thanks,
Anil
On Tue, Dec 29, 2020 at 2:08 AM D R via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
@abokovoy - Thanks for the heads up, the manual fix helped me solving
the
issue.
On Mon, Dec 28, 2020 at 1:20 AM Alexander Bokovoy <abokovoy(a)redhat.com>
wrote:
> On su, 27 joulu 2020, D R via FreeIPA-users wrote:
> >Greetings,
> >
> >After automatic KDC certificate renewal, I'm no longer able to access the
> >UI.
> >
> >[Sun Dec 27 23:33:20.563064 2020] [:error] [pid 6150] [remote
> >10.xx.xx.22:72] Traceback (most recent call last):
> >[Sun Dec 27 23:33:20.563085 2020] [:error] [pid 6150] [remote
> >10.xx.xx.22:72] File "/usr/share/ipa/wsgi.py", line 59, in
application
> >[Sun Dec 27 23:33:20.563121 2020] [:error] [pid 6150] [remote
> >10.xx.xx.22:72] return api.Backend.wsgi_dispatch(environ,
> >start_response)
> >[Sun Dec 27 23:33:20.563129 2020] [:error] [pid 6150] [remote
> >10.xx.xx.22:72] File
> >"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 267,
in
> >__call__
> >[Sun Dec 27 23:33:20.563142 2020] [:error] [pid 6150] [remote
> >10.xx.xx.22:72] return self.route(environ, start_response)
> >[Sun Dec 27 23:33:20.563160 2020] [:error] [pid 6150] [remote
> >10.xx.xx.22:72] File
> >"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 279,
in
> >route
> >[Sun Dec 27 23:33:20.563170 2020] [:error] [pid 6150] [remote
> >10.xx.xx.22:72] return app(environ, start_response)
> >[Sun Dec 27 23:33:20.563174 2020] [:error] [pid 6150] [remote
> >10.xx.xx.22:72] File
> >"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 937,
in
> >__call__
> >[Sun Dec 27 23:33:20.563182 2020] [:error] [pid 6150] [remote
> >10.xx.xx.22:72] self.kinit(user_principal, password, ipa_ccache_name)
> >[Sun Dec 27 23:33:20.563194 2020] [:error] [pid 6150] [remote
> >10.xx.xx.22:72] File
> >"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 973,
in
> >kinit
> >[Sun Dec 27 23:33:20.563201 2020] [:error] [pid 6150] [remote
> >10.xx.xx.22:72] pkinit_anchors=[paths.KDC_CERT,
> >paths.KDC_CA_BUNDLE_PEM],
> >[Sun Dec 27 23:33:20.563209 2020] [:error] [pid 6150] [remote
> >10.xx.xx.22:72] File
> >"/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 127,
in
> >kinit_armor
> >[Sun Dec 27 23:33:20.563219 2020] [:error] [pid 6150] [remote
> >10.xx.xx.22:72] run(args, env=env, raiseonerr=True,
> capture_error=True)
> >[Sun Dec 27 23:33:20.563225 2020] [:error] [pid 6150] [remote
> >10.xx.xx.22:72] File
> >"/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 563, in
run
> >[Sun Dec 27 23:33:20.563234 2020] [:error] [pid 6150] [remote
> >10.xx.xx.22:72] raise CalledProcessError(p.returncode, arg_string,
> >str(output))
> >[Sun Dec 27 23:33:20.563263 2020] [:error] [pid 6150] [remote
> >10.xx.xx.22:72] CalledProcessError: Command '/usr/bin/kinit -n -c
> >/var/run/ipa/ccaches/armor_6150 -X
> >X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X
> >X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned
> >non-zero exit status 1
> >
> >---
> >
> >KRB5_TRACE=/dev/stdout /usr/bin/kinit -n -c
> >/var/run/ipa/ccaches/armor_19265 -X
> >X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X
> >X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
> >[12904] 1609104974.342210: Getting initial credentials for WELLKNOWN/
> >ANONYMOUS(a)A-LABS.COM
> >[12904] 1609104974.342212: Sending unauthenticated request
> >[12904] 1609104974.342213: Sending request (184 bytes) to A-LABS.COM
> >[12904] 1609104974.342214: Initiating TCP connection to stream
> >10.xx.xx.90:88
> >[12904] 1609104974.342215: Sending TCP request to stream 10.xx.xx.90:88
> >[12904] 1609104974.342216: Received answer (335 bytes) from stream
> >10.xx.xx.90:88
> >[12904] 1609104974.342217: Terminating TCP connection to stream
> >10.xx.xx.90:88
> >[12904] 1609104974.342218: Response was from master KDC
> >[12904] 1609104974.342219: Received error from KDC:
> -1765328359/Additional
> >pre-authentication required
> >[12904] 1609104974.342222: Preauthenticating using KDC method data
> >[12904] 1609104974.342223: Processing preauth types: PA-PK-AS-REQ (16),
> >PA-PK-AS-REP_OLD (15), PA-PK-AS-REQ_OLD (14), PA-FX-FAST (136),
> >PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-ENC-TIMESTAMP (2),
> PA-FX-COOKIE
> >(133)
> >[12904] 1609104974.342224: Selected etype info: etype aes256-cts, salt
> >"A-LABS.COMWELLKNOWNANONYMOUS", params ""
> >[12904] 1609104974.342225: Received cookie: MIT
> >[12904] 1609104974.342226: Preauth module pkinit (147) (info) returned:
> >0/Success
> >[12904] 1609104974.342227: PKINIT loading CA certs and CRLs from FILE
> >[12904] 1609104974.342228: PKINIT loading CA certs and CRLs from FILE
> >[12904] 1609104974.342229: PKINIT loading CA certs and CRLs from FILE
> >[12904] 1609104974.342230: PKINIT client computed kdc-req-body checksum
> >9/D4FAE675E4E8C9664DBE0FAD0EB8C416A639CAF3
> >[12904] 1609104974.342232: PKINIT client making DH request
> >[12904] 1609104974.342233: Preauth module pkinit (16) (real) returned:
> >0/Success
> >[12904] 1609104974.342234: Produced preauth for next request:
> PA-FX-COOKIE
> >(133), PA-PK-AS-REQ (16)
> >[12904] 1609104974.342235: Sending request (1497 bytes) to A-LABS.COM
> >[12904] 1609104974.342236: Initiating TCP connection to stream
> >10.xx.xx.90:88
> >[12904] 1609104974.342237: Sending TCP request to stream 10.xx.xx.90:88
> >[12904] 1609104974.342238: Received answer (1603 bytes) from stream
> >10.xx.xx.90:88
> >[12904] 1609104974.342239: Terminating TCP connection to stream
> >10.xx.xx.90:88
> >[12904] 1609104974.342240: Response was from master KDC
> >[12904] 1609104974.342241: Processing preauth types: PA-PK-AS-REP (17),
> >PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147)
> >[12904] 1609104974.342242: Selected etype info: etype aes256-cts, salt
> >"A-LABS.COMWELLKNOWNANONYMOUS", params ""
> >[12904] 1609104974.342243: Preauth module pkinit (147) (info) returned:
> >0/Success
> >[12904] 1609104974.342244: PKINIT client verified DH reply
> >[12904] 1609104974.342245: Preauth module pkinit (17) (real) returned:
> >-1765328308/KDC name mismatch
>
> It says 'KDC name mismatch'.
>
> There are two requirements in the MIT Kerberos PKINIT plugin code on the
> client side. After validating signed data and collecting SANs from the
> certificate presented by KDC, PKINIT plugin on the client checks:
>
> - whether list of SANs contains Kerberos principal for
> krbtgt/REALM@REALM, this is enough, no other checks would be needed
>
> - whether list of SANs contains KDC hostname and whether one of
> EKUs in the certificate match id-pkinit-kdc
>
> See https://pagure.io/freeipa/issue/8532 for a possible manual fix.
>
>
> >[12904] 1609104974.342246: Produced preauth for next request: (empty)
> >[12904] 1609104974.342247: Getting AS key, salt
> >"A-LABS.COMWELLKNOWNANONYMOUS", params ""
> >Password for WELLKNOWN/ANONYMOUS(a)A-LABS.COM:
> >[12904] 1609104977.873071: AS key obtained from gak_fct: aes256-cts/B8BD
> >kinit: Password incorrect while getting initial credentials
> >
> >--
> >
> >openssl x509 -in /var/kerberos/krb5kdc/kdc.crt -text -noout
> >Certificate:
> > Data:
> > Version: 3 (0x2)
> > Serial Number: 10 (0xa)
> > Signature Algorithm: sha256WithRSAEncryption
> > Issuer: O=DOMAIN.COM, CN=ipa.domain.com
>
> This is a self-issued local certificate, looks like the issue above. The
> issuer here should be
>
> Issuer: CN=Certificate Authority,O=DOMAIN.COM
>
> > Validity
> > Not Before: Dec 27 07:38:54 2020 GMT
> > Not After : Dec 27 07:38:54 2021 GMT
> > Subject: O=DOMAIN.COM, CN=ipa.domain.com
> > Subject Public Key Info:
> > Public Key Algorithm: rsaEncryption
> > Public-Key: (2048 bit)
> > Modulus:
> > 00:cc:6e:b1:b1:2d:05:ab:f1:df:ce:01:43:d5:80:
> > 4a:f6:72:38:3c:50:aa:c7:40:bf:bd:6c:60:5e:8d:
> > d0:f3:2b:6c:db:fc:8f:48:9f:91:d6:d3:d2:43:f2:
> > 39:35:17:56:37:a8:6f:66:c3:ab:1f:13:8f:d9:48:
> > c3:be:b9:2b:83:77:78:08:fe:3b:f8:93:83:1c:bb:
> > d0:e8:eb:49:a5:c1:8c:7f:0c:b5:fa:e7:07:f1:0c:
> > 97:9b:47:e9:a2:a3:ab:9b:c1:70:e3:1b:e9:f2:3d:
> > 2f:96:53:6d:38:eb:57:19:7f:dd:ed:e8:3c:c8:f0:
> > 7c:36:b1:72:03:f1:2f:86:8e:cd:67:fd:fd:85:73:
> > 00:16:60:81:3c:ad:13:4d:19:c0:4d:e7:94:8d:34:
> > 29:99:7a:45:70:db:81:5d:0e:2d:83:7a:9c:19:c7:
> > ef:0a:79:8d:84:af:74:a3:b9:90:c8:b1:8c:65:d0:
> > 2d:e0:89:98:42:e0:cb:c8:b0:e3:b5:7c:9b:44:01:
> > a8:31:15:8d:19:79:c5:35:26:4d:3f:e6:83:64:7f:
> > 15:da:50:c1:5e:9c:67:1b:27:e5:35:0c:a8:71:a9:
> > 4e:ee:ef:92:b5:f9:10:f6:31:82:2c:94:04:05:c5:
> > 89:c6:96:1d:48:11:e5:8d:05:92:56:93:99:55:66:
> > b0:93
> > Exponent: 65537 (0x10001)
> > X509v3 extensions:
> > X509v3 Basic Constraints: critical
> > CA:FALSE
> > Signature Algorithm: sha256WithRSAEncryption
> >
> >To my understanding, something is wrong with the kdc certificate, it
> lacks
> >some attributes. I'm just not sure how to generate a proper cert.
>
> It would be good to see all extensions and SANs from the cert. You need
> to use GnuTLS tools to be able to print Kerberos extensions correctly.
>
> Install gnutls-utils and do
> # certtool -i --infile /var/kerberos/krb5kdc/kdc.crt
>
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>
> _______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
6:25 a.m.
Hi,
we are experiencing similar behavior in the UI after a certificate update.
Though in our case the kinit trace results in a
`
[10159] 1622027606.25528: Received error from KDC: -1765328360/Preauthentication failed
kinit: Preauthentication failed while getting initial credentials
`
running kinit on remote machines for authentication still works fine. Only the UI
won't let us log in anymore.
Can you help, please?
Best,
Philipp
1060
days inactive
1210
days old
freeipa-users@lists.fedorahosted.org
4 comments
4 participants
participants (4)
-
Alexander Bokovoy -
anilkumar panditi -
D R -
Philipp Leusmann