Hi,
I'm currently running 3 Fedora 37 VMs (freeipa01, freeipa02 and freeipa03), running
FreeIPA in a cluster. I decided today to upgrade the freeipa03 VM to Fedora 38. After the
upgrade, I am no longer able to successfully login to the FreeIPA web GUI on this VM using
my account credentials, nor am I able to 'kinit' successfully on the VM either
with this account. Using the same account on the other two Fedora 37 VMs still works, so I
would like to resolve this issue before upgrading the rest of the cluster. Note that the
'admin' account still works on freeipa03, though, both in the GUI and using
'kinit'. It also seems that pure LDAP authentication is unaffected (i.e. I can log
in successfully with my account using the OpenLDAP client).
Suspecting that the problem might be Kerberos-specific, I followed the instructions on
this page (https://www.freeipa.org/page/Troubleshooting/Kerberos) and ran (user and
domain names changed to protect the innocent):
--------------
[root@freeipa03 log]# KRB5_TRACE=/dev/stdout kinit buddy
[1542] 1695160597.889222: Matching buddy@EXAMPLE.COM in collection with result: 0/Success
[1542] 1695160597.889223: Getting initial credentials for buddy@EXAMPLE.COM
[1542] 1695160597.889225: Sending unauthenticated request
[1542] 1695160597.889226: Sending request (170 bytes) to EXAMPLE.COM
[1542] 1695160597.889227: Initiating TCP connection to stream 192.168.40.133:88
[1542] 1695160597.889228: Sending TCP request to stream 192.168.40.133:88
[1542] 1695160597.889229: Received answer (519 bytes) from stream 192.168.40.133:88
[1542] 1695160597.889230: Terminating TCP connection to stream 192.168.40.133:88
[1542] 1695160597.889231: Response was from primary KDC
[1542] 1695160597.889232: Received error from KDC: -1765328359/Additional pre-authentication required
[1542] 1695160597.889235: Preauthenticating using KDC method data
[1542] 1695160597.889236: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-SPAKE (151), PA-ENC-TIMESTAMP (2), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133)
[1542] 1695160597.889237: Selected etype info: etype aes256-cts, salt "a&591&^W'=$!B6#6", params ""
[1542] 1695160597.889238: Received cookie:
MIT1\x00\x00\x00\x01Q\xa3RO\xea\xa6\xc4Z\xa4\xd6_w\xacA\x05\x97J\xaf\x12\x1c*\xab\xa0vkGq\x88\xfa\xb3\x98\xb3v\xc02\xe2>\xebZ%g\x9e'7\xac\x97\xb5\x18w\x11e\x870**\xddvQs\xcd\x81\x95\x90\xd5\x0b\xd5\x9f\x11%\x88\xfb\xc7*l\xea\xceV\xc0%\xca{\x14\xe7\xbf\xbf\x9a\xef\x93\xa1\xe4v\x13\xe8C\xd9B\xceay\xe4U\x1e\x1b\x01V\xf9\xc45\x84\x1a\x99W\x18j\xed\xf1V\xc9\x08\xa98\x91\x14\xb1\x95L\xf4\xe2\xef\xc9\xff\xe2\xe95\xcb\xdf\xaa\xe4\x1e\xc7,G
[1542] 1695160597.889239: PKINIT client has no configured identity; giving up
[1542] 1695160597.889240: Preauth module pkinit (147) (info) returned: 0/Success
[1542] 1695160597.889241: PKINIT client received freshness token from KDC
[1542] 1695160597.889242: Preauth module pkinit (150) (info) returned: 0/Success
[1542] 1695160597.889243: PKINIT client has no configured identity; giving up
[1542] 1695160597.889244: Preauth module pkinit (16) (real) returned: 22/Invalid argument
[1542] 1695160597.889245: SPAKE challenge received with group 1, pubkey E03357913D632FED4908863B7F43145F9A64BBE14921DA6C9FBD7C1C21F60E14
Password for buddy@EXAMPLE.COM:
[1542] 1695160600.810901: SPAKE key generated with pubkey 75C14A0B07690CDCB14EE2580FD53E19BF28D7AC548CC276CE35A6EBE971E46C
[1542] 1695160600.810902: SPAKE algorithm result: 53671BE2D5C567F80864741EF0C69555C3817303DEDA9A5F28E9823001438226
[1542] 1695160600.810903: SPAKE final transcript hash: 9C2818F938FDF8F916F7100C4A5426FCAE4FCE53A34BFDF82BF1F6BA55296513
[1542] 1695160600.810904: Sending SPAKE response
[1542] 1695160600.810905: Preauth module spake (151) (real) returned: 0/Success
[1542] 1695160600.810906: Produced preauth for next request: PA-FX-COOKIE (133), PA-SPAKE (151)
[1542] 1695160600.810907: Sending request (441 bytes) to EXAMPLE.COM
[1542] 1695160600.810908: Initiating TCP connection to stream 192.168.40.133:88
[1542] 1695160600.810909: Sending TCP request to stream 192.168.40.133:88
[1542] 1695160600.810910: Received answer (143 bytes) from stream 192.168.40.133:88
[1542] 1695160600.810911: Terminating TCP connection to stream 192.168.40.133:88
[1542] 1695160600.810912: Response was from primary KDC
[1542] 1695160600.810913: Received error from KDC: -1765328324/Generic error (see e-text)
kinit: Generic error (see e-text) while getting initial credentials
--------------
Something I see different between the working Kerberos authentication on freeipa01 and
freeipa02 and the non-working one on freeipa03 is the presence of this line in
'/var/log/krb5kdc.log' on freeipa03:
--------------
Sep 19 18:09:07 freeipa03.infra.example.com krb5kdc[888](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17), camellia128-cts-cmac(25)}) 192.168.40.133: HANDLE_AUTHDATA: buddy@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, No such file or directory
--------------
On Fedora 38, I am running FreeIPA 4.10.2, whereas on Fedora 37 I am running 4.10.1.
I found this Red Hat article (https://access.redhat.com/solutions/7015184 "Cannot
authenticate using Kerberos after upgrading Red Hat Identity Management") which
describes the problem as: "After updating ipa-server to 4.10.1-3 or newer, domain
users cannot login anymore with Kerberos" with the exact same 'kinit <user>' error I
obtained, and the same error line in '/var/log/krb5kdc.log'.
The article then suggests running the following:
--------------
$ kinit admin
$ ipa config-mod --enable-sid --add-sids
Check if a SID has been generated for the user:
$ ipa user-show <user> --all | grep ipantsecurityidentifier
ipantsecurityidentifier: S-1-5-21-198193297-2287641477-1368658080-1001
--------------
So, I ran 'ipa config-mod --enable-sid --add-sids', but even after running this
command 'ipa user-show buddy --all | grep ipantsecurityidentifier' still shows up
empty.
Since this seems to be the exact same problem I have, but it doesn't seem to fix my
particular situation, is there anything else I need to do and/or check?
Thank you,
-Martin
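An added example, not part of Martin's post or of FreeIPA itself: a small Python scanner for /var/log/krb5kdc.log that picks out AS_REQs the KDC rejected in HANDLE_AUTHDATA (the line quoted above), so an admin can list which principals are affected before and after running 'ipa config-mod --enable-sid --add-sids' rather than testing accounts one by one. The log lines are constructed for the example, and the assumed field layout follows the AS_REQ line format shown in the post.

```python
import re
from collections import Counter

# Constructed sample of /var/log/krb5kdc.log lines (not taken from the post): the
# pre-auth round trip, the failing AS_REQ for a domain user, and a successful
# AS_REQ for admin, whose TGT is still issued on the affected server.
SAMPLE_LOG = """\
Sep 19 18:09:05 freeipa03.infra.example.com krb5kdc[888](info): AS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 192.168.40.133: NEEDED_PREAUTH: buddy@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Sep 19 18:09:07 freeipa03.infra.example.com krb5kdc[888](info): AS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 192.168.40.133: HANDLE_AUTHDATA: buddy@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, No such file or directory
Sep 19 18:09:30 freeipa03.infra.example.com krb5kdc[888](info): AS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 192.168.40.10: ISSUE: authtime 1695161370, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

# AS_REQ summary line as krb5kdc writes it: timestamp, host, process, etype list,
# client address, a status keyword, then free text whose shape depends on the status.
AS_REQ_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) krb5kdc\[\d+\]\(info\): "
    r"AS_REQ \((?P<netypes>\d+) etypes \{[^}]*\}\) (?P<client_ip>[0-9a-fA-F.:]+): "
    r"(?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# For failure statuses the free text is "<client> for <service>, <error text>".
FAILURE_RE = re.compile(r"^(?P<client>\S+) for (?P<service>\S+)(?:, (?P<etext>.*))?$")

def parse_as_req(line):
    """Return the AS_REQ fields of one log line, or None if it is not an AS_REQ line."""
    m = AS_REQ_RE.match(line)
    return m.groupdict() if m else None

def find_authdata_failures(log_text):
    """Return (client principal, client address, error text) for each AS_REQ the
    KDC rejected in HANDLE_AUTHDATA, i.e. after the password was verified but
    while building the authorization data for the ticket."""
    failures = []
    for line in log_text.splitlines():
        rec = parse_as_req(line)
        if not rec or rec["status"] != "HANDLE_AUTHDATA":
            continue
        f = FAILURE_RE.match(rec["rest"])
        if f:
            failures.append((f["client"], rec["client_ip"], f["etext"] or ""))
    return failures

def affected_principals(log_text):
    """Count HANDLE_AUTHDATA failures per principal, giving the list of accounts to
    check with `ipa user-show <user> --all | grep ipantsecurityidentifier`."""
    return Counter(client for client, _, _ in find_authdata_failures(log_text))

if __name__ == "__main__":
    for princ, n in affected_principals(SAMPLE_LOG).items():
        print(f"{princ}: {n} AS_REQ rejected in HANDLE_AUTHDATA")
```

Run it against the real file with `affected_principals(open("/var/log/krb5kdc.log").read())`; a principal that keeps appearing after the SID fix is one whose 'ipantsecurityidentifier' is still empty or whose failure has another cause.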