Greetings,
After automatic KDC certificate renewal, I'm no longer able to access the UI.
[Sun Dec 27 23:33:20.563064 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72] Traceback (most recent call last):
[Sun Dec 27 23:33:20.563085 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72]   File "/usr/share/ipa/wsgi.py", line 59, in application
[Sun Dec 27 23:33:20.563121 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72]     return api.Backend.wsgi_dispatch(environ, start_response)
[Sun Dec 27 23:33:20.563129 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 267, in __call__
[Sun Dec 27 23:33:20.563142 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72]     return self.route(environ, start_response)
[Sun Dec 27 23:33:20.563160 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 279, in route
[Sun Dec 27 23:33:20.563170 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72]     return app(environ, start_response)
[Sun Dec 27 23:33:20.563174 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 937, in __call__
[Sun Dec 27 23:33:20.563182 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72]     self.kinit(user_principal, password, ipa_ccache_name)
[Sun Dec 27 23:33:20.563194 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 973, in kinit
[Sun Dec 27 23:33:20.563201 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72]     pkinit_anchors=[paths.KDC_CERT, paths.KDC_CA_BUNDLE_PEM],
[Sun Dec 27 23:33:20.563209 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72]   File "/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 127, in kinit_armor
[Sun Dec 27 23:33:20.563219 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72]     run(args, env=env, raiseonerr=True, capture_error=True)
[Sun Dec 27 23:33:20.563225 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72]   File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 563, in run
[Sun Dec 27 23:33:20.563234 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72]     raise CalledProcessError(p.returncode, arg_string, str(output))
[Sun Dec 27 23:33:20.563263 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72] CalledProcessError: Command '/usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_6150 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned non-zero exit status 1
---
KRB5_TRACE=/dev/stdout /usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_19265 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
[12904] 1609104974.342210: Getting initial credentials for WELLKNOWN/ANONYMOUS@A-LABS.COM
[12904] 1609104974.342212: Sending unauthenticated request
[12904] 1609104974.342213: Sending request (184 bytes) to A-LABS.COM
[12904] 1609104974.342214: Initiating TCP connection to stream 10.xx.xx.90:88
[12904] 1609104974.342215: Sending TCP request to stream 10.xx.xx.90:88
[12904] 1609104974.342216: Received answer (335 bytes) from stream 10.xx.xx.90:88
[12904] 1609104974.342217: Terminating TCP connection to stream 10.xx.xx.90:88
[12904] 1609104974.342218: Response was from master KDC
[12904] 1609104974.342219: Received error from KDC: -1765328359/Additional pre-authentication required
[12904] 1609104974.342222: Preauthenticating using KDC method data
[12904] 1609104974.342223: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-PK-AS-REQ_OLD (14), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-ENC-TIMESTAMP (2), PA-FX-COOKIE (133)
[12904] 1609104974.342224: Selected etype info: etype aes256-cts, salt "A-LABS.COMWELLKNOWNANONYMOUS", params ""
[12904] 1609104974.342225: Received cookie: MIT
[12904] 1609104974.342226: Preauth module pkinit (147) (info) returned: 0/Success
[12904] 1609104974.342227: PKINIT loading CA certs and CRLs from FILE
[12904] 1609104974.342228: PKINIT loading CA certs and CRLs from FILE
[12904] 1609104974.342229: PKINIT loading CA certs and CRLs from FILE
[12904] 1609104974.342230: PKINIT client computed kdc-req-body checksum 9/D4FAE675E4E8C9664DBE0FAD0EB8C416A639CAF3
[12904] 1609104974.342232: PKINIT client making DH request
[12904] 1609104974.342233: Preauth module pkinit (16) (real) returned: 0/Success
[12904] 1609104974.342234: Produced preauth for next request: PA-FX-COOKIE (133), PA-PK-AS-REQ (16)
[12904] 1609104974.342235: Sending request (1497 bytes) to A-LABS.COM
[12904] 1609104974.342236: Initiating TCP connection to stream 10.xx.xx.90:88
[12904] 1609104974.342237: Sending TCP request to stream 10.xx.xx.90:88
[12904] 1609104974.342238: Received answer (1603 bytes) from stream 10.xx.xx.90:88
[12904] 1609104974.342239: Terminating TCP connection to stream 10.xx.xx.90:88
[12904] 1609104974.342240: Response was from master KDC
[12904] 1609104974.342241: Processing preauth types: PA-PK-AS-REP (17), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147)
[12904] 1609104974.342242: Selected etype info: etype aes256-cts, salt "A-LABS.COMWELLKNOWNANONYMOUS", params ""
[12904] 1609104974.342243: Preauth module pkinit (147) (info) returned: 0/Success
[12904] 1609104974.342244: PKINIT client verified DH reply
[12904] 1609104974.342245: Preauth module pkinit (17) (real) returned: -1765328308/KDC name mismatch
[12904] 1609104974.342246: Produced preauth for next request: (empty)
[12904] 1609104974.342247: Getting AS key, salt "A-LABS.COMWELLKNOWNANONYMOUS", params ""
Password for WELLKNOWN/ANONYMOUS@A-LABS.COM:
[12904] 1609104977.873071: AS key obtained from gak_fct: aes256-cts/B8BD
kinit: Password incorrect while getting initial credentials
--
openssl x509 -in /var/kerberos/krb5kdc/kdc.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 10 (0xa)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=DOMAIN.COM, CN=ipa.domain.com
        Validity
            Not Before: Dec 27 07:38:54 2020 GMT
            Not After : Dec 27 07:38:54 2021 GMT
        Subject: O=DOMAIN.COM, CN=ipa.domain.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    (modulus bytes omitted)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
    Signature Algorithm: sha256WithRSAEncryption
To my understanding, something is wrong with the KDC certificate; it lacks some attributes. I'm just not sure how to generate a proper cert.
On Sun, 27 Dec 2020, D R via FreeIPA-users wrote:
Greetings,
After automatic KDC certificate renewal, I'm no longer able to access the UI.
[Sun Dec 27 23:33:20.563064 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72] Traceback (most recent call last):
[Sun Dec 27 23:33:20.563085 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72]   File "/usr/share/ipa/wsgi.py", line 59, in application
[Sun Dec 27 23:33:20.563121 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72]     return api.Backend.wsgi_dispatch(environ, start_response)
[Sun Dec 27 23:33:20.563129 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 267, in __call__
[Sun Dec 27 23:33:20.563142 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72]     return self.route(environ, start_response)
[Sun Dec 27 23:33:20.563160 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 279, in route
[Sun Dec 27 23:33:20.563170 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72]     return app(environ, start_response)
[Sun Dec 27 23:33:20.563174 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 937, in __call__
[Sun Dec 27 23:33:20.563182 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72]     self.kinit(user_principal, password, ipa_ccache_name)
[Sun Dec 27 23:33:20.563194 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 973, in kinit
[Sun Dec 27 23:33:20.563201 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72]     pkinit_anchors=[paths.KDC_CERT, paths.KDC_CA_BUNDLE_PEM],
[Sun Dec 27 23:33:20.563209 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72]   File "/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 127, in kinit_armor
[Sun Dec 27 23:33:20.563219 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72]     run(args, env=env, raiseonerr=True, capture_error=True)
[Sun Dec 27 23:33:20.563225 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72]   File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 563, in run
[Sun Dec 27 23:33:20.563234 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72]     raise CalledProcessError(p.returncode, arg_string, str(output))
[Sun Dec 27 23:33:20.563263 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72] CalledProcessError: Command '/usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_6150 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned non-zero exit status 1
KRB5_TRACE=/dev/stdout /usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_19265 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
[12904] 1609104974.342210: Getting initial credentials for WELLKNOWN/ANONYMOUS@A-LABS.COM
[12904] 1609104974.342212: Sending unauthenticated request
[12904] 1609104974.342213: Sending request (184 bytes) to A-LABS.COM
[12904] 1609104974.342214: Initiating TCP connection to stream 10.xx.xx.90:88
[12904] 1609104974.342215: Sending TCP request to stream 10.xx.xx.90:88
[12904] 1609104974.342216: Received answer (335 bytes) from stream 10.xx.xx.90:88
[12904] 1609104974.342217: Terminating TCP connection to stream 10.xx.xx.90:88
[12904] 1609104974.342218: Response was from master KDC
[12904] 1609104974.342219: Received error from KDC: -1765328359/Additional pre-authentication required
[12904] 1609104974.342222: Preauthenticating using KDC method data
[12904] 1609104974.342223: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-PK-AS-REQ_OLD (14), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-ENC-TIMESTAMP (2), PA-FX-COOKIE (133)
[12904] 1609104974.342224: Selected etype info: etype aes256-cts, salt "A-LABS.COMWELLKNOWNANONYMOUS", params ""
[12904] 1609104974.342225: Received cookie: MIT
[12904] 1609104974.342226: Preauth module pkinit (147) (info) returned: 0/Success
[12904] 1609104974.342227: PKINIT loading CA certs and CRLs from FILE
[12904] 1609104974.342228: PKINIT loading CA certs and CRLs from FILE
[12904] 1609104974.342229: PKINIT loading CA certs and CRLs from FILE
[12904] 1609104974.342230: PKINIT client computed kdc-req-body checksum 9/D4FAE675E4E8C9664DBE0FAD0EB8C416A639CAF3
[12904] 1609104974.342232: PKINIT client making DH request
[12904] 1609104974.342233: Preauth module pkinit (16) (real) returned: 0/Success
[12904] 1609104974.342234: Produced preauth for next request: PA-FX-COOKIE (133), PA-PK-AS-REQ (16)
[12904] 1609104974.342235: Sending request (1497 bytes) to A-LABS.COM
[12904] 1609104974.342236: Initiating TCP connection to stream 10.xx.xx.90:88
[12904] 1609104974.342237: Sending TCP request to stream 10.xx.xx.90:88
[12904] 1609104974.342238: Received answer (1603 bytes) from stream 10.xx.xx.90:88
[12904] 1609104974.342239: Terminating TCP connection to stream 10.xx.xx.90:88
[12904] 1609104974.342240: Response was from master KDC
[12904] 1609104974.342241: Processing preauth types: PA-PK-AS-REP (17), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147)
[12904] 1609104974.342242: Selected etype info: etype aes256-cts, salt "A-LABS.COMWELLKNOWNANONYMOUS", params ""
[12904] 1609104974.342243: Preauth module pkinit (147) (info) returned: 0/Success
[12904] 1609104974.342244: PKINIT client verified DH reply
[12904] 1609104974.342245: Preauth module pkinit (17) (real) returned: -1765328308/KDC name mismatch
It says 'KDC name mismatch'.
There are two requirements in the MIT Kerberos PKINIT plugin code on the client side. After validating the signed data and collecting the SANs from the certificate presented by the KDC, the PKINIT plugin on the client checks:
- whether the list of SANs contains the Kerberos principal krbtgt/REALM@REALM; this is enough, and no other checks would be needed
- whether the list of SANs contains the KDC hostname and whether one of the EKUs in the certificate matches id-pkinit-kdc
See https://pagure.io/freeipa/issue/8532 for a possible manual fix.
[12904] 1609104974.342246: Produced preauth for next request: (empty)
[12904] 1609104974.342247: Getting AS key, salt "A-LABS.COMWELLKNOWNANONYMOUS", params ""
Password for WELLKNOWN/ANONYMOUS@A-LABS.COM:
[12904] 1609104977.873071: AS key obtained from gak_fct: aes256-cts/B8BD
kinit: Password incorrect while getting initial credentials
--
openssl x509 -in /var/kerberos/krb5kdc/kdc.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 10 (0xa)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=DOMAIN.COM, CN=ipa.domain.com
This is a self-issued local certificate; it looks like the issue above. The issuer here should be
Issuer: CN=Certificate Authority,O=DOMAIN.COM
        Validity
            Not Before: Dec 27 07:38:54 2020 GMT
            Not After : Dec 27 07:38:54 2021 GMT
        Subject: O=DOMAIN.COM, CN=ipa.domain.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    (modulus bytes omitted)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
    Signature Algorithm: sha256WithRSAEncryption
To my understanding, something is wrong with the KDC certificate; it lacks some attributes. I'm just not sure how to generate a proper cert.
It would be good to see all extensions and SANs from the cert. You need to use GnuTLS tools to be able to print Kerberos extensions correctly.
Install gnutls-utils and do

# certtool -i --infile /var/kerberos/krb5kdc/kdc.crt
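The two rules listed above, applied to a certificate's subjectAltName and extendedKeyUsage values, as an added example that is not part of this thread nor code from FreeIPA or MIT krb5; it also decodes the KRB5PrincipalName otherName that openssl cannot render, which is why certtool is suggested. The realm EXAMPLE.TEST, the hostname ipa.example.test and the sample extension bytes are constructed placeholders.

```python
"""Apply the two client-side PKINIT checks quoted above to a KDC certificate's
subjectAltName and extendedKeyUsage values. Stdlib only; the DER is walked by
hand so the Kerberos otherName that openssl prints as <unsupported> can be read.
Added example, not FreeIPA or MIT krb5 code; the sample extensions at the bottom
are CONSTRUCTED test data with placeholder realm and hostname."""

# OID bodies (without the 0x06 tag), compared as raw bytes to keep the parser small.
OID_PKINIT_SAN = bytes.fromhex("2b0601050202")      # 1.3.6.1.5.2.2, KRB5PrincipalName otherName
OID_PKINIT_KDC = bytes.fromhex("2b060105020305")    # 1.3.6.1.5.2.3.5, id-pkinit-kdc EKU
OID_SERVER_AUTH = bytes.fromhex("2b06010505070301")  # 1.3.6.1.5.5.7.3.1, TLS server auth


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def der_iter(data):
    """Yield (tag, body) for each element of a DER byte string."""
    i = 0
    while i < len(data):
        tag, length, i = data[i], data[i + 1], i + 2
        if length & 0x80:                     # long-form length
            n = length & 0x7F
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + length]
        i += length


def krb5_principal_enc(realm, components, name_type=2):
    """DER KRB5PrincipalName (RFC 4556 3.2.2); name-type 2 (NT-SRV-INST) is what krbtgt uses."""
    names = b"".join(tlv(0x1B, c.encode()) for c in components)
    pname = tlv(0x30, tlv(0xA0, tlv(0x02, bytes([name_type]))) + tlv(0xA1, tlv(0x30, names)))
    return tlv(0x30, tlv(0xA0, tlv(0x1B, realm.encode())) + tlv(0xA1, pname))


def krb5_principal_dec(seq_body):
    """Inverse of the above; takes the body of the KRB5PrincipalName SEQUENCE."""
    (_, realm_ctx), (_, pname_ctx) = der_iter(seq_body)
    (_, realm), = der_iter(realm_ctx)
    (_, pname), = der_iter(pname_ctx)
    _, (_, names_ctx) = der_iter(pname)
    (_, names), = der_iter(names_ctx)
    return "/".join(s.decode() for _, s in der_iter(names)) + "@" + realm.decode()


def parse_san(san_der):
    """Split a subjectAltName extnValue into dNSName strings and PKINIT principals."""
    (_, names), = der_iter(san_der)
    dns, principals = [], []
    for tag, body in der_iter(names):
        if tag == 0x82:                       # dNSName [2] IMPLICIT IA5String
            dns.append(body.decode().lower())
        elif tag == 0xA0:                     # otherName [0]: type-id OID, then value [0] EXPLICIT
            (_, oid), (_, value) = der_iter(body)
            if oid == OID_PKINIT_SAN:
                (_, seq), = der_iter(value)
                principals.append(krb5_principal_dec(seq))
    return dns, principals


def parse_eku(eku_der):
    """Return the OID bodies listed in an extendedKeyUsage extnValue."""
    (_, seq), = der_iter(eku_der)
    return [body for _, body in der_iter(seq)]


def check_kdc_cert(san_der, eku_der, realm, kdc_hostname):
    """Rule 1: krbtgt/REALM@REALM in the SAN is sufficient on its own.
    Rule 2: otherwise the KDC hostname must be a dNSName AND id-pkinit-kdc an EKU."""
    if san_der is None:
        return False, "no subjectAltName at all, so the KDC name can never match"
    dns, principals = parse_san(san_der)
    if "krbtgt/%s@%s" % (realm, realm) in principals:
        return True, "SAN carries krbtgt/%s@%s" % (realm, realm)
    ekus = parse_eku(eku_der) if eku_der else []
    if kdc_hostname.lower() in dns and OID_PKINIT_KDC in ekus:
        return True, "SAN carries the KDC hostname and EKU carries id-pkinit-kdc"
    return False, "KDC name mismatch: dNSName=%s principals=%s" % (dns, principals)


def sample_ca_issued():
    """CONSTRUCTED: shape of a correct FreeIPA KDC cert, hostname + krbtgt principal in the SAN."""
    san = tlv(0x30, tlv(0x82, b"ipa.example.test")
              + tlv(0xA0, tlv(0x06, OID_PKINIT_SAN)
                    + tlv(0xA0, krb5_principal_enc("EXAMPLE.TEST", ["krbtgt", "EXAMPLE.TEST"]))))
    eku = tlv(0x30, tlv(0x06, OID_SERVER_AUTH) + tlv(0x06, OID_PKINIT_KDC))
    return san, eku


def sample_hostname_only():
    """CONSTRUCTED: no krbtgt principal, but hostname plus id-pkinit-kdc still passes (rule 2)."""
    return tlv(0x30, tlv(0x82, b"ipa.example.test")), tlv(0x30, tlv(0x06, OID_PKINIT_KDC))
```

A certificate with only Basic Constraints, like the self-issued one in this thread, corresponds to calling check_kdc_cert with both extension values set to None.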
@abokovoy - Thanks for the heads up, the manual fix helped me solve the issue.
On Mon, Dec 28, 2020 at 1:20 AM Alexander Bokovoy abokovoy@redhat.com wrote:
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
Hi, we have FreeIPA running as a Docker container and I am facing the same problem ("Login Failed due to an unknown reason"). This is the output from the container shell.
sh-4.2# openssl x509 -in /var/kerberos/krb5kdc/kdc.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 10 (0xa)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=XXX.COM, CN=Certificate Authority
        Validity
            Not Before: Mar 28 15:30:41 2020 GMT
            Not After : Mar 29 15:30:41 2022 GMT
        Subject: O=XXX.COM, CN=freeipa.XXX.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    (modulus bytes omitted)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:E2:12:D1:0E:77:B1:9B:A6:5F:96:06:9E:C1:4F:9D:C1:6A:1C:5C:0C
            Authority Information Access:
                OCSP - URI:http://ipa-ca.XXX.com/ca/ocsp
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, 1.3.6.1.5.2.3.5
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://ipa-ca.XXX.com/ipa/crl/MasterCRL.bin
                CRL Issuer:
                  DirName: O = ipaca, CN = Certificate Authority
            X509v3 Subject Key Identifier:
                6B:84:45:F0:3F:20:AA:C9:6A:FE:08:33:A7:4F:4D:F5:07:95:18:31
            X509v3 Subject Alternative Name:
                othername:<unsupported>, othername:<unsupported>
    Signature Algorithm: sha256WithRSAEncryption
         (signature bytes omitted)
Could you please help.
Thanks, Anil
On Tue, Dec 29, 2020 at 2:08 AM D R via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
@abokovoy - Thanks for the heads up, the manual fix helped me solving the issue.
On Mon, Dec 28, 2020 at 1:20 AM Alexander Bokovoy abokovoy@redhat.com wrote:
On su, 27 joulu 2020, D R via FreeIPA-users wrote:
Greetings,
After automatic KDC certificate renewal, I'm no longer able to access the UI.
[Sun Dec 27 23:33:20.563064 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72] Traceback (most recent call last): [Sun Dec 27 23:33:20.563085 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72] File "/usr/share/ipa/wsgi.py", line 59, in application [Sun Dec 27 23:33:20.563121 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72] return api.Backend.wsgi_dispatch(environ, start_response) [Sun Dec 27 23:33:20.563129 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 267, in __call__ [Sun Dec 27 23:33:20.563142 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72] return self.route(environ, start_response) [Sun Dec 27 23:33:20.563160 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 279, in route [Sun Dec 27 23:33:20.563170 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72] return app(environ, start_response) [Sun Dec 27 23:33:20.563174 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 937, in __call__ [Sun Dec 27 23:33:20.563182 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72] self.kinit(user_principal, password, ipa_ccache_name) [Sun Dec 27 23:33:20.563194 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 973, in kinit [Sun Dec 27 23:33:20.563201 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72] pkinit_anchors=[paths.KDC_CERT, paths.KDC_CA_BUNDLE_PEM], [Sun Dec 27 23:33:20.563209 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72] File "/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 127, in kinit_armor [Sun Dec 27 23:33:20.563219 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72] run(args, env=env, raiseonerr=True,
capture_error=True)
[Sun Dec 27 23:33:20.563225 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72] File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 563, in run [Sun Dec 27 23:33:20.563234 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72] raise CalledProcessError(p.returncode, arg_string, str(output)) [Sun Dec 27 23:33:20.563263 2020] [:error] [pid 6150] [remote 10.xx.xx.22:72] CalledProcessError: Command '/usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_6150 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned non-zero exit status 1
KRB5_TRACE=/dev/stdout /usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_19265 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem [12904] 1609104974.342210: Getting initial credentials for WELLKNOWN/ ANONYMOUS@A-LABS.COM [12904] 1609104974.342212: Sending unauthenticated request [12904] 1609104974.342213: Sending request (184 bytes) to A-LABS.COM [12904] 1609104974.342214: Initiating TCP connection to stream 10.xx.xx.90:88 [12904] 1609104974.342215: Sending TCP request to stream 10.xx.xx.90:88 [12904] 1609104974.342216: Received answer (335 bytes) from stream 10.xx.xx.90:88 [12904] 1609104974.342217: Terminating TCP connection to stream 10.xx.xx.90:88 [12904] 1609104974.342218: Response was from master KDC [12904] 1609104974.342219: Received error from KDC:
-1765328359/Additional
pre-authentication required [12904] 1609104974.342222: Preauthenticating using KDC method data [12904] 1609104974.342223: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-PK-AS-REQ_OLD (14), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-ENC-TIMESTAMP (2),
PA-FX-COOKIE
(133) [12904] 1609104974.342224: Selected etype info: etype aes256-cts, salt "A-LABS.COMWELLKNOWNANONYMOUS", params "" [12904] 1609104974.342225: Received cookie: MIT [12904] 1609104974.342226: Preauth module pkinit (147) (info) returned: 0/Success [12904] 1609104974.342227: PKINIT loading CA certs and CRLs from FILE [12904] 1609104974.342228: PKINIT loading CA certs and CRLs from FILE [12904] 1609104974.342229: PKINIT loading CA certs and CRLs from FILE [12904] 1609104974.342230: PKINIT client computed kdc-req-body checksum 9/D4FAE675E4E8C9664DBE0FAD0EB8C416A639CAF3 [12904] 1609104974.342232: PKINIT client making DH request [12904] 1609104974.342233: Preauth module pkinit (16) (real) returned: 0/Success [12904] 1609104974.342234: Produced preauth for next request:
PA-FX-COOKIE
(133), PA-PK-AS-REQ (16) [12904] 1609104974.342235: Sending request (1497 bytes) to A-LABS.COM [12904] 1609104974.342236: Initiating TCP connection to stream 10.xx.xx.90:88 [12904] 1609104974.342237: Sending TCP request to stream 10.xx.xx.90:88 [12904] 1609104974.342238: Received answer (1603 bytes) from stream 10.xx.xx.90:88 [12904] 1609104974.342239: Terminating TCP connection to stream 10.xx.xx.90:88 [12904] 1609104974.342240: Response was from master KDC [12904] 1609104974.342241: Processing preauth types: PA-PK-AS-REP (17), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147) [12904] 1609104974.342242: Selected etype info: etype aes256-cts, salt "A-LABS.COMWELLKNOWNANONYMOUS", params "" [12904] 1609104974.342243: Preauth module pkinit (147) (info) returned: 0/Success [12904] 1609104974.342244: PKINIT client verified DH reply [12904] 1609104974.342245: Preauth module pkinit (17) (real) returned: -1765328308/KDC name mismatch
It says 'KDC name mismatch'.
There are two requirements in the MIT Kerberos PKINIT plugin code on the client side. After validating the signed data and collecting the SANs from the certificate presented by the KDC, the PKINIT plugin on the client checks:
- whether the list of SANs contains the Kerberos principal krbtgt/REALM@REALM; if it does, this is enough and no other checks are needed
- whether the list of SANs contains the KDC hostname and whether one of the EKUs in the certificate matches id-pkinit-kdc
See https://pagure.io/freeipa/issue/8532 for a possible manual fix.
[12904] 1609104974.342246: Produced preauth for next request: (empty)
[12904] 1609104974.342247: Getting AS key, salt "A-LABS.COMWELLKNOWNANONYMOUS", params ""
Password for WELLKNOWN/ANONYMOUS@A-LABS.COM:
[12904] 1609104977.873071: AS key obtained from gak_fct: aes256-cts/B8BD
kinit: Password incorrect while getting initial credentials
--
openssl x509 -in /var/kerberos/krb5kdc/kdc.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 10 (0xa)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=DOMAIN.COM, CN=ipa.domain.com
This is a self-issued local certificate, looks like the issue above. The issuer here should be
Issuer: CN=Certificate Authority,O=DOMAIN.COM
        Validity
            Not Before: Dec 27 07:38:54 2020 GMT
            Not After : Dec 27 07:38:54 2021 GMT
        Subject: O=DOMAIN.COM, CN=ipa.domain.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:cc:6e:b1:b1:2d:05:ab:f1:df:ce:01:43:d5:80:
                    4a:f6:72:38:3c:50:aa:c7:40:bf:bd:6c:60:5e:8d:
                    d0:f3:2b:6c:db:fc:8f:48:9f:91:d6:d3:d2:43:f2:
                    39:35:17:56:37:a8:6f:66:c3:ab:1f:13:8f:d9:48:
                    c3:be:b9:2b:83:77:78:08:fe:3b:f8:93:83:1c:bb:
                    d0:e8:eb:49:a5:c1:8c:7f:0c:b5:fa:e7:07:f1:0c:
                    97:9b:47:e9:a2:a3:ab:9b:c1:70:e3:1b:e9:f2:3d:
                    2f:96:53:6d:38:eb:57:19:7f:dd:ed:e8:3c:c8:f0:
                    7c:36:b1:72:03:f1:2f:86:8e:cd:67:fd:fd:85:73:
                    00:16:60:81:3c:ad:13:4d:19:c0:4d:e7:94:8d:34:
                    29:99:7a:45:70:db:81:5d:0e:2d:83:7a:9c:19:c7:
                    ef:0a:79:8d:84:af:74:a3:b9:90:c8:b1:8c:65:d0:
                    2d:e0:89:98:42:e0:cb:c8:b0:e3:b5:7c:9b:44:01:
                    a8:31:15:8d:19:79:c5:35:26:4d:3f:e6:83:64:7f:
                    15:da:50:c1:5e:9c:67:1b:27:e5:35:0c:a8:71:a9:
                    4e:ee:ef:92:b5:f9:10:f6:31:82:2c:94:04:05:c5:
                    89:c6:96:1d:48:11:e5:8d:05:92:56:93:99:55:66:
                    b0:93
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
    Signature Algorithm: sha256WithRSAEncryption
To my understanding, something is wrong with the KDC certificate; it lacks some attributes. I'm just not sure how to generate a proper cert.
It would be good to see all extensions and SANs from the cert. You need to use GnuTLS tools to be able to print Kerberos extensions correctly.
Install gnutls-utils and do
# certtool -i --infile /var/kerberos/krb5kdc/kdc.crt
-- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
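The two client-side checks Alexander lists can be reproduced offline against a certificate. The script below is an added example, not FreeIPA or MIT krb5 code: it decodes the id-pkinit-san OtherName (the RFC 4556 KRB5PrincipalName) and the EKU list with python-cryptography, applies the rule "krbtgt/REALM@REALM SAN alone is sufficient, otherwise the KDC hostname must be a dNSName SAN and id-pkinit-KPKdc must be in the EKU", and exercises it on four self-signed certificates generated inline. The realm A-LABS.COM comes from the trace above; the hostname ipa.a-labs.com and the certificate contents are constructed assumptions. The last certificate carries only Basic Constraints, like the kdc.crt printed earlier, and is rejected for the same reason the trace shows.

```python
"""Reproduce the two client-side PKINIT checks MIT krb5 applies to a KDC certificate.

Added example, not FreeIPA or MIT krb5 code. Requires python-cryptography.
Every certificate used here is generated inline (constructed data), so it runs offline.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID, ObjectIdentifier

ID_PKINIT_SAN = ObjectIdentifier("1.3.6.1.5.2.2")      # RFC 4556 SAN OtherName carrying KRB5PrincipalName
ID_PKINIT_KPKDC = ObjectIdentifier("1.3.6.1.5.2.3.5")  # RFC 4556 EKU id-pkinit-KPKdc ("id-pkinit-kdc")
NT_SRV_INST = 2                                        # Kerberos name-type used for krbtgt/REALM


# --- minimal DER encode/decode for KRB5PrincipalName (RFC 4556 section 3.2.2) ---
def _der_tlv(tag, body):
    """DER tag-length-value, definite-length encoding."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _der_walk(buf):
    """Yield (tag, body) for each top-level TLV in buf."""
    i = 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:                                   # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        yield tag, buf[i:i + n]
        i += n


def krb5_principal_der(realm, components, name_type=NT_SRV_INST):
    """KRB5PrincipalName ::= SEQUENCE { realm [0] KerberosString,
    principalName [1] SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString } }"""
    kstr = lambda s: _der_tlv(0x1B, s.encode())        # KerberosString is a GeneralString
    name_string = _der_tlv(0x30, b"".join(kstr(c) for c in components))
    principal = _der_tlv(0x30, _der_tlv(0xA0, _der_tlv(0x02, bytes([name_type])))
                         + _der_tlv(0xA1, name_string))
    return _der_tlv(0x30, _der_tlv(0xA0, kstr(realm)) + _der_tlv(0xA1, principal))


def parse_krb5_principal(der):
    """Decode a KRB5PrincipalName DER value into 'comp1/comp2@REALM'."""
    (tag, body), = _der_walk(der)
    if tag != 0x30:
        raise ValueError("KRB5PrincipalName must be a SEQUENCE")
    fields = dict(_der_walk(body))                     # {0xA0: realm, 0xA1: PrincipalName}
    (_, realm), = _der_walk(fields[0xA0])
    (_, principal), = _der_walk(fields[0xA1])
    (_, names), = _der_walk(dict(_der_walk(principal))[0xA1])
    return "/".join(c.decode() for _, c in _der_walk(names)) + "@" + realm.decode()


def kdc_cert_acceptable(cert, realm, kdc_hostname):
    """Check 1: krbtgt/REALM@REALM SAN alone suffices.
    Check 2: otherwise the SAN must carry the KDC hostname and the EKU id-pkinit-KPKdc."""
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return False, "KDC name mismatch: certificate has no subjectAltName at all"
    principals = []
    for other in san.get_values_for_type(x509.OtherName):
        if other.type_id == ID_PKINIT_SAN:
            try:
                principals.append(parse_krb5_principal(other.value))
            except (ValueError, KeyError, IndexError):
                pass                                   # malformed id-pkinit-san: ignore it
    if f"krbtgt/{realm}@{realm}" in principals:
        return True, "krbtgt SAN present, no further checks needed"
    try:
        eku = list(cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value)
    except x509.ExtensionNotFound:
        eku = []
    host_ok = kdc_hostname.lower() in (d.lower() for d in san.get_values_for_type(x509.DNSName))
    if host_ok and ID_PKINIT_KPKDC in eku:
        return True, "KDC hostname SAN and id-pkinit-KPKdc EKU present"
    return False, "KDC name mismatch: no krbtgt SAN, and hostname/EKU pair not satisfied"


# --- constructed sample certificates (self-signed; hostname and realm are assumptions) ---
def make_cert(cn, sans=None, ekus=None):
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=365))
               .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True))
    if sans:
        builder = builder.add_extension(x509.SubjectAlternativeName(sans), critical=False)
    if ekus:
        builder = builder.add_extension(x509.ExtendedKeyUsage(ekus), critical=False)
    return builder.sign(key, hashes.SHA256())


def demo(realm="A-LABS.COM", host="ipa.a-labs.com"):
    """Verdict per certificate; only the first two are usable KDC certificates."""
    krbtgt = x509.OtherName(ID_PKINIT_SAN, krb5_principal_der(realm, ["krbtgt", realm]))
    return {
        "krbtgt_san": kdc_cert_acceptable(make_cert(host, [krbtgt]), realm, host)[0],
        "host_and_eku": kdc_cert_acceptable(make_cert(host, [x509.DNSName(host)], [ID_PKINIT_KPKDC]), realm, host)[0],
        "host_no_eku": kdc_cert_acceptable(make_cert(host, [x509.DNSName(host)]), realm, host)[0],
        "no_san": kdc_cert_acceptable(make_cert(host), realm, host)[0],   # like the posted kdc.crt
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:13s} {'OK' if ok else 'KDC name mismatch'}")
```

To run it against a real certificate, load it with `x509.load_pem_x509_certificate(open("/var/kerberos/krb5kdc/kdc.crt", "rb").read())` and pass it to `kdc_cert_acceptable` with your realm and the KDC hostname the client connects to; a certificate that prints only Basic Constraints, as above, fails the first branch because there is no subjectAltName to inspect.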
Hi,
we are experiencing similar behavior in the UI after a certificate update.
Though in our case the kinit trace results in
`[10159] 1622027606.25528: Received error from KDC: -1765328360/Preauthentication failed`
`kinit: Preauthentication failed while getting initial credentials`
Running kinit on remote machines for authentication still works fine. Only the UI won't let us log in anymore.
Can you help, please?
Best, Philipp