After updating my Fedora server, FreeIPA broke and I don't know how to deal with it. Does anyone have any idea what the problem might be?
I can't log in to the web UI or run any IPA command.
$ journalctl
gssproxy[910]: gssproxy[951]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
gssproxy[951]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
gssproxy[910]: gssproxy[951]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, Preauthentication failed
gssproxy[951]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, Preauthentication failed
$ cat /var/log/httpd/error_log
[suexec:notice] [pid 5529:tid 139897184471296] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[so:warn] [pid 5529:tid 139897184471296] AH01574: module proxy_module is already loaded, skipping
[so:warn] [pid 5529:tid 139897184471296] AH01574: module proxy_http_module is already loaded, skipping
[lbmethod_heartbeat:notice] [pid 5529:tid 139897184471296] AH02282: No slotmem from mod_heartmonitor
[mpm_event:notice] [pid 5529:tid 139897184471296] AH00489: Apache/2.4.39 (Fedora) OpenSSL/1.1.1c mod_wsgi/4.6.4 Python/3.7 3.9 mod_perl/2.0.10 Perl/v5.28.2 configured -- resuming normal operations
[core:notice] [pid 5529:tid 139897184471296] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[wsgi:error] [pid 5833:tid 139897184471296] ipa: INFO: *** PROCESS START ***
[wsgi:error] [pid 5837:tid 139897184471296] ipa: INFO: *** PROCESS START ***
[wsgi:error] [pid 5832:tid 139897184471296] ipa: INFO: *** PROCESS START ***
[wsgi:error] [pid 5839:tid 139897184471296] ipa: INFO: *** PROCESS START ***
[wsgi:error] [pid 5833:tid 139896787969792] [remote 10.0.1.8:36236] ipa: INFO: [jsonserver_i18n_messages] UNKNOWN: CCESS
[:warn] [pid 5842:tid 139896429713152] [client 10.0.1.8:36236] KRB5CCNAME file (/run/ipa/ccaches/admin@HOME.MYDOMAIN.COM) lookup .home.mydomain.com/ipa/ui/
[:warn] [pid 5841:tid 139896561800960] [client 10.0.1.8:36238] KRB5CCNAME file (/run/ipa/ccaches/admin@HOME.MYDOMAIN.COM) lookup .home.mydomain.com/ipa/ui/
[auth_gssapi:error] [pid 5840:tid 139896236779264] [client 10.0.1.10:47164] GSS ERROR gss_acquire_cred[_from]() failed to get lure. Minor code may provide more information ( SPNEGO cannot find mechanisms to negotiate)]
[wsgi:error] [pid 5833:tid 139896787969792] [remote 10.0.1.8:36236] ipa: INFO: 401 Unauthorized: No session cookie found
$ ipa-pkinit-manage status
PKINIT is enabled
The ipa-pkinit-manage command was successful
$ kinit myuser
Password for myuser@HOME.MYDOMAIN.COM:
$ klist
Ticket cache: KEYRING:persistent:1907400001:krb_ccache_QYeLVmz
Default principal: myuser@HOME.MYDOMAIN.COM
Valid starting Expires Service principal
08/09/19 00:11:36 09/09/19 00:11:33 krbtgt/HOME.MYDOMAIN.COM@HOME.MYDOMAIN.COM
$ ipa -v ping
ipa: DEBUG: trying https://$ ipaserver.home.mydomain.com/ipa/json
ipa: DEBUG: Created connection context.rpcclient_139944946411792
ipa: DEBUG: [try 1]: Forwarding 'schema' to json server 'https://$ ipaserver.home.mydomain.com/ipa/json'
ipa: DEBUG: New HTTP connection ($ ipaserver.home.mydomain.com)
ipa: DEBUG: HTTP connection destroyed ($ ipaserver.home.mydomain.com)
Traceback (most recent call last):
File "/usr/lib/python3.7/site-packages/ipaclient/remote_plugins/__init__.py", line 126, in get_package
plugins = api._remote_plugins
AttributeError: 'API' object has no attribute '_remote_plugins'
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3.7/site-packages/ipalib/rpc.py", line 649, in get_auth_info
response = self._sec_context.step()
File "</usr/local/lib/python3.7/site-packages/decorator.py:decorator-gen-15>", line 2, in step
File "/usr/lib64/python3.7/site-packages/gssapi/_utils.py", line 167, in check_last_err
return func(self, *args, **kwargs)
File "</usr/local/lib/python3.7/site-packages/decorator.py:decorator-gen-5>", line 2, in step
File "/usr/lib64/python3.7/site-packages/gssapi/_utils.py", line 127, in catch_and_return_token
return func(self, *args, **kwargs)
File "/usr/lib64/python3.7/site-packages/gssapi/sec_contexts.py", line 521, in step
return self._initiator_step(token=token)
File "/usr/lib64/python3.7/site-packages/gssapi/sec_contexts.py", line 542, in _initiator_step
token)
File "gssapi/raw/sec_contexts.pyx", line 244, in gssapi.raw.sec_contexts.init_sec_context
gssapi.raw.misc.GSSError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639053): No Kerberos credentials available (default cache: KEYRING:persistent:0)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3.7/site-packages/ipalib/rpc.py", line 699, in single_request
self.get_auth_info()
File "/usr/lib/python3.7/site-packages/ipalib/rpc.py", line 651, in get_auth_info
self._handle_exception(e, service=service)
File "/usr/lib/python3.7/site-packages/ipalib/rpc.py", line 608, in _handle_exception
raise errors.CCacheError()
ipalib.errors.CCacheError: did not receive Kerberos credentials
ipa: DEBUG: Destroyed connection context.rpcclient_139944946411792
ipa: ERROR: did not receive Kerberos credentials
$ kinit -k -t /var/lib/ipa/gssproxy/http.keytab HTTP/$ipaserver.home.mydomain.com@HOME.MYDOMAIN.COM
kinit: Preauthentication failed while getting initial credentials
$ ipa -vv pwpolicy-show global_policy
ipa: DEBUG: failed to find session_cookie in persistent storage for principal 'admin@HOME.IBLVFX.COM'
ipa: DEBUG: trying https://$ ipaserver.home.mydomain.com/ipa/json
ipa: DEBUG: Created connection context.rpcclient_140652464016656
ipa: DEBUG: [try 1]: Forwarding 'schema' to json server 'https://$ ipaserver.home.mydomain.com/ipa/json'
ipa: DEBUG: New HTTP connection ($ ipaserver.home.mydomain.com)
ipa: DEBUG: HTTP connection destroyed ($ ipaserver.home.mydomain.com)
Traceback (most recent call last):
File "/usr/lib/python3.7/site-packages/ipaclient/remote_plugins/__init__.py", line 126, in get_package
plugins = api._remote_plugins
AttributeError: 'API' object has no attribute '_remote_plugins'
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3.7/site-packages/ipalib/rpc.py", line 726, in single_request
if not self._auth_complete(response):
File "/usr/lib/python3.7/site-packages/ipalib/rpc.py", line 679, in _auth_complete
message=u"No valid Negotiate header in server response")
ipalib.errors.KerberosError: No valid Negotiate header in server response
ipa: DEBUG: Destroyed connection context.rpcclient_140652464016656
ipa: ERROR: No valid Negotiate header in server response
$ cat /var/log/krb5kdc.log
38:08 ipa (info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.1.10: NEEDED_PREAUTH: admin@HOME.MYDOMAIN.COM for krbtgt/HOME.MYDOMAIN.COM@HOME.MYDOMAIN.COM, Additional pre-authentication required
38:08 ipa (info): closing down fd 11
38:11 ipa (info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.1.10: ISSUE: authtime 1568572691, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, admin@HOME.MYDOMAIN.COM for krbtgt/HOME.MYDOMAIN.COM@HOME.MYDOMAIN.COM
38:11 ipa (info): closing down fd 11
38:21 ipa (info): TGS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.1.10: ISSUE: authtime 1568572691, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, admin@HOME.MYDOMAIN.COM for HTTP/ipa.home.mydomain.com@HOME.MYDOMAIN.COM
38:21 ipa (info): closing down fd 11
38:21 ipa (info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.1.10: NEEDED_PREAUTH: HTTP/ipa.home.mydomain.com@HOME.MYDOMAIN.COM for krbtgt/HOME.MYDOMAIN.COM@HOME.MYDOMAIN.COM, Additional pre-authentication required
38:21 ipa (info): closing down fd 11
38:21 ipa (info): preauth (spake) verify failure: Preauthentication failed
38:21 ipa (info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.1.10: PREAUTH_FAILED: HTTP/ipa.home.mydomain.com@HOME.MYDOMAIN.COM for krbtgt/HOME.MYDOMAIN.COM@HOME.MYDOMAIN.COM, Preauthentication failed
38:21 ipa (info): closing down fd 11
38:21 ipa (info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.1.10: NEEDED_PREAUTH: HTTP/ipa.home.mydomain.com@HOME.MYDOMAIN.COM for krbtgt/HOME.MYDOMAIN.COM@HOME.MYDOMAIN.COM, Additional pre-authentication required
38:21 ipa (info): closing down fd 11
38:21 ipa (info): preauth (spake) verify failure: Preauthentication failed
38:21 ipa (info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.1.10: PREAUTH_FAILED: HTTP/ipa.home.mydomain.com@HOME.MYDOMAIN.COM for krbtgt/HOME.MYDOMAIN.COM@HOME.MYDOMAIN.COM, Preauthentication failed
38:21 ipa (info): closing down fd 11
$ kvno ldap/ipaserver.home.mydomain.com@HOME.MYDOMAIN.COM
ldap/ipaserver.home.mydomain.com@HOME.MYDOMAIN.COM: kvno = 2
$ klist -kte
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
2 2019-02-18 18:46:43 host/ipaserver.home.mydomain.com@HOME.MYDOMAIN.COM (aes256-cts-hmac-sha1-96)
2 2019-02-18 18:46:43 host/ipaserver.home.mydomain.com@HOME.MYDOMAIN.COM (aes128-cts-hmac-sha1-96)
2 2019-02-18 18:46:43 host/ipaserver.home.mydomain.com@HOME.MYDOMAIN.COM (DEPRECATED:des3-cbc-sha1)
2 2019-02-18 18:46:43 host/ipaserver.home.mydomain.com@HOME.MYDOMAIN.COM (DEPRECATED:arcfour-hmac)
2 2019-02-18 18:46:43 host/ipaserver.home.mydomain.com@HOME.MYDOMAIN.COM (camellia128-cts-cmac)
2 2019-02-18 18:46:43 host/ipaserver.home.mydomain.com@HOME.MYDOMAIN.COM (camellia256-cts-cmac)
4 2019-02-19 00:33:12 host/ipaserver.home.mydomain.com@HOME.MYDOMAIN.COM (aes256-cts-hmac-sha1-96)
4 2019-02-19 00:33:12 host/ipaserver.home.mydomain.com@HOME.MYDOMAIN.COM (aes128-cts-hmac-sha1-96)
1 2019-02-19 00:34:01 nfs/ipaserver.home.mydomain.com@HOME.MYDOMAIN.COM (aes256-cts-hmac-sha1-96)
1 2019-02-19 00:34:01 nfs/ipaserver.home.mydomain.com@HOME.MYDOMAIN.COM (aes128-cts-hmac-sha1-96)
Try changing the permissions on krb5kdc; in my case this works:
chmod a+x /var/lib/krb5kdc/
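As an added triage example (not code from this thread), the script below parses krb5kdc.log AS_REQ lines in the format quoted above and separates a user principal's pre-authentication failure (usually a wrong password) from a service principal's (HTTP/...) failure, which, as in this thread, points at the KDC or keytab side rather than at the user. The sample log lines are constructed to mirror the thread's format with shortened etype lists.

```python
"""Triage krb5kdc.log AS_REQ outcomes per client principal (added example)."""
import re
from collections import defaultdict

# "... AS_REQ (etypes...) <client-ip>: <OUTCOME>: <rest>"; the etype list is skipped lazily.
AS_REQ_RE = re.compile(
    r"AS_REQ .*?\b\d{1,3}(?:\.\d{1,3}){3}: "
    r"(?P<outcome>NEEDED_PREAUTH|ISSUE|PREAUTH_FAILED): (?P<rest>.*)"
)
# "<client> for <server>"; for ISSUE lines this sits after the etypes block.
CLIENT_RE = re.compile(r"(?P<client>[^\s,{}]+) for (?P<server>[^\s,]+)")

# Constructed sample: user TGT issued, HTTP/ service principal fails SPAKE preauth.
SAMPLE_LOG = """\
38:08 ipa (info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.0.1.10: NEEDED_PREAUTH: admin@HOME.MYDOMAIN.COM for krbtgt/HOME.MYDOMAIN.COM@HOME.MYDOMAIN.COM, Additional pre-authentication required
38:08 ipa (info): closing down fd 11
38:11 ipa (info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18)}) 10.0.1.10: ISSUE: authtime 1568572691, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, admin@HOME.MYDOMAIN.COM for krbtgt/HOME.MYDOMAIN.COM@HOME.MYDOMAIN.COM
38:21 ipa (info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18)}) 10.0.1.10: NEEDED_PREAUTH: HTTP/ipa.home.mydomain.com@HOME.MYDOMAIN.COM for krbtgt/HOME.MYDOMAIN.COM@HOME.MYDOMAIN.COM, Additional pre-authentication required
38:21 ipa (info): preauth (spake) verify failure: Preauthentication failed
38:21 ipa (info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18)}) 10.0.1.10: PREAUTH_FAILED: HTTP/ipa.home.mydomain.com@HOME.MYDOMAIN.COM for krbtgt/HOME.MYDOMAIN.COM@HOME.MYDOMAIN.COM, Preauthentication failed
"""

HINTS = {
    "ok": "TGT issued; client-side credentials are fine",
    "pending": "only NEEDED_PREAUTH seen; the client never completed the exchange",
    "bad-password": "user principal rejected at preauth; wrong password or lockout",
    "service-preauth-failed": "service principal rejected at preauth with a keytab: "
    "compare `kvno` with `klist -kte` and check the KDC can read /var/lib/krb5kdc",
}


def parse_as_req(line):
    """Return (outcome, client, server) for an AS_REQ line, or None for other lines."""
    m = AS_REQ_RE.search(line)
    if not m:
        return None
    c = CLIENT_RE.search(m.group("rest"))
    return (m.group("outcome"), c.group("client"), c.group("server")) if c else None


def is_service_principal(principal):
    """Service principals carry a service/instance before '@' (HTTP/host@REALM)."""
    return "/" in principal.split("@", 1)[0]


def triage(lines):
    """Map each client principal seen in AS_REQ lines to a verdict key from HINTS."""
    seen = defaultdict(set)
    for line in lines:
        parsed = parse_as_req(line)
        if parsed:
            outcome, client, _server = parsed
            seen[client].add(outcome)
    verdicts = {}
    for client, outcomes in seen.items():
        if "PREAUTH_FAILED" in outcomes:
            verdicts[client] = "service-preauth-failed" if is_service_principal(client) else "bad-password"
        else:
            verdicts[client] = "ok" if "ISSUE" in outcomes else "pending"
    return verdicts


if __name__ == "__main__":
    for client, verdict in triage(SAMPLE_LOG.splitlines()).items():
        print(f"{client}: {verdict} ({HINTS[verdict]})")
```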