Description of problem:
Cannot obtain CA certificate
'ldap://ipa.hunter.org' doesn't have a certificate.

Version-Release number of selected component (if applicable):
Installed Packages
freeipa-client.x86_64 3.1.2-1.fc18 @updates
freeipa-python.x86_64 3.1.2-1.fc18 @updates

How reproducible:
Consistent

Steps to Reproduce:
1. Build a new virtual machine with dynamic IP address assignment
2. yum install --assumeyes freeipa-client
3. ipa-client-install

Actual results:
[root@fedora18 ~]# ipa-client-install \
> --domain=hunter.org \
> --enable-dns-updates \
> --force-ntp \
> --password=adminpassword \
> --principal=admin \
> --realm=HUNTER.ORG \
> --ssh-trust-dns \
> --unattended
Discovery was successful!
Hostname: fedora18.hunter.org
Realm: HUNTER.ORG
DNS Domain: hunter.org
IPA Server: ipa.hunter.org
BaseDN: dc=hunter,dc=org
Synchronizing time with KDC...
Cannot obtain CA certificate
'ldap://ipa.hunter.org' doesn't have a certificate.
Installation failed. Rolling back changes.
IPA client is not configured on this system.
[root@fedora18 ~]#

Expected results:
I expected successful completion of the IPA client.
Additional info:
/var/log/ipaclient-install.log

2013-03-12T14:16:01Z DEBUG /usr/sbin/ipa-client-install was invoked with options: {'domain': 'hunter.org', 'force': False, 'krb5_offline_passwords': True, 'primary': False, 'realm_name': 'HUNTER.ORG', 'force_ntpd': True, 'create_sshfp': True, 'conf_sshd': True, 'on_master': False, 'conf_ntp': True, 'ca_cert_file': None, 'ntp_server': None, 'principal': 'admin', 'hostname': None, 'no_ac': False, 'unattended': True, 'sssd': True, 'trust_sshfp': True, 'dns_updates': True, 'mkhomedir': False, 'conf_ssh': True, 'server': None, 'prompt_password': False, 'permit': False, 'debug': False, 'preserve_sssd': False, 'uninstall': False}
2013-03-12T14:16:01Z DEBUG missing options might be asked for interactively later
2013-03-12T14:16:01Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2013-03-12T14:16:01Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2013-03-12T14:16:01Z DEBUG [IPA Discovery]
2013-03-12T14:16:01Z DEBUG Starting IPA discovery with domain=hunter.org, server=None, hostname=fedora18.hunter.org
2013-03-12T14:16:01Z DEBUG Search for LDAP SRV record in hunter.org
2013-03-12T14:16:01Z DEBUG Search DNS for SRV record of _ldap._tcp.hunter.org
2013-03-12T14:16:01Z DEBUG DNS record found: 0 100 389 ipa.hunter.org.
2013-03-12T14:16:01Z DEBUG [Kerberos realm search]
2013-03-12T14:16:01Z DEBUG Search DNS for TXT record of _kerberos.hunter.org
2013-03-12T14:16:01Z DEBUG DNS record found: "HUNTER.ORG"
2013-03-12T14:16:01Z DEBUG Search DNS for SRV record of _kerberos._udp.hunter.org
2013-03-12T14:16:01Z DEBUG DNS record found: 0 100 88 ipa.hunter.org.
2013-03-12T14:16:01Z DEBUG [LDAP server check]
2013-03-12T14:16:01Z DEBUG Verifying that ipa.hunter.org (realm HUNTER.ORG) is an IPA server
2013-03-12T14:16:01Z DEBUG Init LDAP connection with: ldap://ipa.hunter.org:389
2013-03-12T14:16:01Z DEBUG Search LDAP server for IPA base DN
2013-03-12T14:16:01Z DEBUG Check if naming context 'dc=hunter,dc=org' is for IPA
2013-03-12T14:16:01Z DEBUG Naming context 'dc=hunter,dc=org' is a valid IPA context
2013-03-12T14:16:01Z DEBUG Search for (objectClass=krbRealmContainer) in dc=hunter,dc=org (sub)
2013-03-12T14:16:01Z DEBUG Found: cn=HUNTER.ORG,cn=kerberos,dc=hunter,dc=org
2013-03-12T14:16:01Z DEBUG Discovery result: Success; server=ipa.hunter.org, domain=hunter.org, kdc=ipa.hunter.org, basedn=dc=hunter,dc=org
2013-03-12T14:16:01Z DEBUG will use discovered domain: hunter.org
2013-03-12T14:16:01Z DEBUG Start searching for LDAP SRV record in "hunter.org" (Validating DNS Discovery) and its sub-domains
2013-03-12T14:16:01Z DEBUG Search DNS for SRV record of _ldap._tcp.hunter.org
2013-03-12T14:16:01Z DEBUG DNS record found: 0 100 389 ipa.hunter.org.
2013-03-12T14:16:01Z DEBUG DNS validated, enabling discovery
2013-03-12T14:16:01Z DEBUG will use discovered server: ipa.hunter.org
2013-03-12T14:16:01Z INFO Discovery was successful!
2013-03-12T14:16:01Z DEBUG will use discovered realm: HUNTER.ORG
2013-03-12T14:16:01Z DEBUG will use discovered basedn: dc=hunter,dc=org
2013-03-12T14:16:01Z INFO Hostname: fedora18.hunter.org
2013-03-12T14:16:01Z DEBUG Hostname source: Machine's FQDN
2013-03-12T14:16:01Z INFO Realm: HUNTER.ORG
2013-03-12T14:16:01Z DEBUG Realm source: Discovered from LDAP DNS records in ipa.hunter.org
2013-03-12T14:16:01Z INFO DNS Domain: hunter.org
2013-03-12T14:16:01Z DEBUG DNS Domain source: Discovered LDAP SRV records from hunter.org
2013-03-12T14:16:01Z INFO IPA Server: ipa.hunter.org
2013-03-12T14:16:01Z DEBUG IPA Server source: Discovered from LDAP DNS records in ipa.hunter.org
2013-03-12T14:16:01Z INFO BaseDN: dc=hunter,dc=org
2013-03-12T14:16:01Z DEBUG BaseDN source: From IPA server ldap://ipa.hunter.org:389
2013-03-12T14:16:01Z DEBUG Starting external process
2013-03-12T14:16:01Z DEBUG args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r HUNTER.ORG
2013-03-12T14:16:01Z DEBUG Process finished, return code=3
2013-03-12T14:16:01Z DEBUG stdout=
2013-03-12T14:16:01Z DEBUG stderr=Failed to open keytab '/etc/krb5.keytab': No such file or directory
2013-03-12T14:16:01Z INFO Synchronizing time with KDC...
2013-03-12T14:16:01Z DEBUG Search DNS for SRV record of _ntp._udp.hunter.org
2013-03-12T14:16:01Z DEBUG DNS record found: 0 100 123 ipa.hunter.org.
2013-03-12T14:16:01Z DEBUG Starting external process
2013-03-12T14:16:01Z DEBUG args=/usr/sbin/ntpdate -U ntp -s -b -v ipa.hunter.org
2013-03-12T14:16:08Z DEBUG Process finished, return code=0
2013-03-12T14:16:08Z DEBUG stdout=
2013-03-12T14:16:08Z DEBUG stderr=
2013-03-12T14:16:08Z DEBUG Writing Kerberos configuration to /tmp/tmpGow23H:
2013-03-12T14:16:08Z DEBUG #File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = HUNTER.ORG
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  HUNTER.ORG = {
    kdc = ipa.hunter.org:88
    master_kdc = ipa.hunter.org:88
    admin_server = ipa.hunter.org:749
    default_domain = hunter.org
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .hunter.org = HUNTER.ORG
  hunter.org = HUNTER.ORG

2013-03-12T14:16:08Z DEBUG Starting external process
2013-03-12T14:16:08Z DEBUG args=kinit admin
2013-03-12T14:16:09Z DEBUG Process finished, return code=0
2013-03-12T14:16:09Z DEBUG stdout=Password for admin:
2013-03-12T14:16:09Z DEBUG stderr=
2013-03-12T14:16:09Z DEBUG trying to retrieve CA cert via LDAP from ldap://ipa.hunter.org
2013-03-12T14:16:09Z DEBUG get_ca_cert_from_ldap() error: Local error SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/run/user/0/krb5cc_c7425795554d90f87ddd1bf2513f37ab/tkt' not found)
2013-03-12T14:16:09Z DEBUG {'info': "SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/run/user/0/krb5cc_c7425795554d90f87ddd1bf2513f37ab/tkt' not found)", 'desc': 'Local error'}
2013-03-12T14:16:09Z ERROR Cannot obtain CA certificate
'ldap://ipa.hunter.org' doesn't have a certificate.
2013-03-12T14:16:09Z ERROR Installation failed. Rolling back changes.
2013-03-12T14:16:09Z ERROR IPA client is not configured on this system.
Looking through the log I saw a reference to a credentials cache file in /run/user/0. I repeated the install and looked for the credentials cache file. I found a file with a different (primary) whose contents were the name of the desired file (tkt).

2013-03-12T16:39:24Z DEBUG {'info': "SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/run/user/0/krb5cc_36363e1cdf61e72775562eeb513f5341/tkt' not found)", 'desc': 'Local error'}

[root@fedora18 ~]# ls -l /run/user/0/krb5cc_36363e1cdf61e72775562eeb513f5341
total 4
-rw-------. 1 root root 4 Mar 12 11:37 primary
[root@fedora18 ~]# cat /run/user/0/krb5cc_36363e1cdf61e72775562eeb513f5341/primary
tkt
This seems to be the pattern for every local account I use: /run/user/$UID/krb5cc_somenumber/primary where the contents of primary are "tkt". When I look at an enterprise (IPA) account the pattern is different: /run/user/$UID/krb5cc/primary where the contents of primary are "tkt" + 6 characters which forms the name of another file in the credential cache directory that is 512 bytes long. I do not know if this helps, but it was fun digging for it. I found another similar bug report https://bugzilla.redhat.com/show_bug.cgi?id=853558
What version of krb5-workstation do you have installed?
Sorry, you caught me taking a late lunch. I was thinking along similar lines as I ate. ipa-client-install worked on Feb 27 when I last rebuilt my physical machine client. I have since updated it and tried to reinstall the IPA client today with the same error as reported above. Here is what is on all my machines today:

Installed Packages
krb5-libs.x86_64 1.10.3-5.fc18 @anaconda
krb5-workstation.x86_64 1.10.3-5.fc18 @anaconda
Dean, can you run klist /run/user/0/krb5cc_36363e1cdf61e72775562eeb513f5341/tkt (substitute the correct name but keep 'tkt') and paste the output here?
[root@fedora18 ~]# ls -dl /run/user/0/krb5cc_*
drwx------. 2 root root 60 Mar 12 15:31 /run/user/0/krb5cc_eb07e33843102ce22c325258513f7d1f
[root@fedora18 ~]# klist /run/user/0/krb5cc_eb07e33843102ce22c325258513f7d1f/tkt
klist: No credentials cache found (ticket cache FILE:/run/user/0/krb5cc_eb07e33843102ce22c325258513f7d1f/tkt)
[root@fedora18 ~]#
From the update history of the machine where ipa-client-install worked on Feb 27:

[root@client18 ~]# yum history package-list freeipa-client
Loaded plugins: langpacks, presto, refresh-packagekit
ID     | Action(s)      | Package
-------------------------------------------------------------------------------
    34 | Install        | freeipa-client-3.1.2-1.fc18.x86_64
history package-list
[root@client18 ~]# yum history package-list krb5-workstation
Loaded plugins: langpacks, presto, refresh-packagekit
ID     | Action(s)      | Package
-------------------------------------------------------------------------------
    33 | Install        | krb5-workstation-1.10.3-5.fc18.x86_64
history package-list
[root@client18 ~]# yum history package-list sssd
Loaded plugins: langpacks, presto, refresh-packagekit
ID     | Action(s)      | Package
-------------------------------------------------------------------------------
    37 | Updated        | sssd-1.9.4-3.fc18.x86_64
    37 | Update         |      1.9.4-5.fc18.x86_64
    10 | Updated        | sssd-1.9.3-1.fc18.x86_64
    10 | Update         |      1.9.4-3.fc18.x86_64
     2 | Updated        | sssd-1.9.2-3.fc18.x86_64      EE
     2 | Update         |      1.9.3-1.fc18.x86_64      EE
     1 | Install        | sssd-1.9.2-3.fc18.x86_64
history package-list

I am thinking the problem is in a package that has been updated since Feb 27. And that maybe I could roll back the change to verify and to get working while y'all work on a correction. Are there other packages I should examine?
Try unsetting KRB5CCNAME before running the client installer.
I was able to duplicate this by setting KRB5CCNAME to DIR:/run/user/0 and then running the client installer. What is happening is we fork off to run kinit and pass it a clean environment, which doesn't contain this, and it uses a FILE ccache. When we call python-ldap to bind there is no ticket, so it fails. This seems to fix it. diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ ipa-client-install index bd458ed..49a61d3 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -1958,6 +1958,8 @@ def install(options, env, fstore, statestore): root_logger.error("Test kerberos configuration failed") return CLIENT_INSTALL_ERROR env['KRB5_CONFIG'] = krb_name + if 'KRB5CCNAME' in os.environ: + env['KRB5CCNAME'] = os.environ['KRB5CCNAME'] join_args = ["/usr/sbin/ipa-join", "-s", cli_server[0], "-b", str(r ealm_to_suffix(cli_realm))] if options.debug: join_args.append("-d")
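Review bot: the guard `if 'KRB5CCNAME' in os.environ:` in this hunk forwards the variable even when it is present but empty (`KRB5CCNAME=`, as tried later in this thread), so the bind then looks for credentials cache file '' and fails the same way; check for a non-empty value (`os.environ.get('KRB5CCNAME')`) or, as the next comment proposes, set `env['KRB5CCNAME']` to a temporary FILE ccache the installer creates itself, so kinit and the python-ldap bind always agree on one cache regardless of what the caller's shell exported.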
We should be using a temporary ccache for enrollment. We also need to handle the CA retrieval failure better and have it fall back to other methods.
Upstream ticket: https://fedorahosted.org/freeipa/ticket/3512
[root@fedora18 ~]# echo KRB5CCNAME: $KRB5CCNAME
KRB5CCNAME: DIR:/run/user/0/krb5cc_61a4cc5cfdfba0a453f79ddb513fbce7
[root@fedora18 ~]# KRB5CCNAME=
[root@fedora18 ~]# echo KRB5CCNAME: $KRB5CCNAME
KRB5CCNAME:
[root@fedora18 ~]# # Install IPA client
[root@fedora18 ~]# ipa-client-install \
> --domain=hunter.org \
> --enable-dns-updates \
> --force-ntp \
> --password=adminpassword \
> --principal=admin \
> --realm=HUNTER.ORG \
> --ssh-trust-dns \
> --unattended
Discovery was successful!
Hostname: fedora18.hunter.org
Realm: HUNTER.ORG
DNS Domain: hunter.org
IPA Server: ipa.hunter.org
BaseDN: dc=hunter,dc=org
Synchronizing time with KDC...
Cannot obtain CA certificate
'ldap://ipa.hunter.org' doesn't have a certificate.
Installation failed. Rolling back changes.
IPA client is not configured on this system.
And from /var/log/ipaclient-install.log:

2013-03-12T23:52:56Z DEBUG stderr=
2013-03-12T23:52:56Z DEBUG trying to retrieve CA cert via LDAP from ldap://ipa.hunter.org
2013-03-12T23:52:56Z DEBUG get_ca_cert_from_ldap() error: Local error SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '' not found)
2013-03-12T23:52:56Z DEBUG {'info': "SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '' not found)", 'desc': 'Local error'}
2013-03-12T23:52:56Z ERROR Cannot obtain CA certificate
'ldap://ipa.hunter.org' doesn't have a certificate.
2013-03-12T23:52:56Z ERROR Installation failed. Rolling back changes.
2013-03-12T23:52:56Z ERROR IPA client is not configured on this system.
Try: unset KRB5CCNAME
Thank you. That is much better:

[root@fedora18 ~]# echo KRB5CCNAME: $KRB5CCNAME
KRB5CCNAME: DIR:/run/user/0/krb5cc_ec1bfa4da65e6d51dad50418513fede1
[root@fedora18 ~]# unset KRB5CCNAME
[root@fedora18 ~]# echo KRB5CCNAME: $KRB5CCNAME
KRB5CCNAME:
[root@fedora18 ~]# ipa-client-install \
> --domain=hunter.org \
> --enable-dns-updates \
> --force-ntp \
> --password=adminpassword \
> --principal=admin \
> --realm=HUNTER.ORG \
> --ssh-trust-dns \
> --unattended
Discovery was successful!
Hostname: fedora18.hunter.org
Realm: HUNTER.ORG
DNS Domain: hunter.org
IPA Server: ipa.hunter.org
BaseDN: dc=hunter,dc=org
Synchronizing time with KDC...
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=HUNTER.ORG
    Issuer:      CN=Certificate Authority,O=HUNTER.ORG
    Valid From:  Tue Mar 12 03:30:00 2013 UTC
    Valid Until: Sat Mar 12 03:30:00 2033 UTC
Enrolled in IPA realm HUNTER.ORG
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm HUNTER.ORG
trying https://ipa.hunter.org/ipa/xml
Hostname (fedora18.hunter.org) not found in DNS
DNS server record set to: fedora18.hunter.org -> 192.168.1.130
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Forwarding 'host_mod' to server u'https://ipa.hunter.org/ipa/xml'
SSSD enabled
SSSD service restart was unsuccessful.
Configured /etc/openldap/ldap.conf
Unable to find 'admin' user with 'getent passwd admin'!
Recognized configuration: SSSD
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.
[root@fedora18 ~]#
# Configure IPA authentication
# Identity & Authentication
# User Account Configuration
# User Account Database: FreeIPA
# LDAP Search Base DN: dc=hunter, dc=org
# LDAP Server: ldaps://server.hunter.org
# Use TLS to encrypt connections: No (default)
# Authentification Configuration
# Authentication Method: Kerberos Password [default]
# Realm: HUNTER.ORG (default)
# KDCs: (default)
# Admin Servers: (default)
# Use DNS to resolve host to realms: No (default)
# Use DNS to locate KDCs for realms: Yes (default)
# Advanced Options
# Local Authentication Options
# Enable fingerprint reader support: No (default)
# Enable Local access control: No (default)
# Password Hashing Algorithm: SHA512 (default)
# Other Authentication Options
# Create home directories on the first login: Yes
# Smart Card Authentication Options
# Enable smart card support: No (default)
# Password Options (default)
system-config-authentication
# Navigate the tabs

After using the GUI to configure FreeIPA authentication (Is there a command line tool for configuring FreeIPA?), the login page is reporting "Authentication error" after entering the user name and selecting "Sign In".
/var/log/sssd/sssd_default.log reports:

(Tue Mar 12 22:41:16 2013) [sssd[be[default]]] [load_backend_module] (0x0010): Error (22) in module (ldap) initialization (sssm_ldap_id_init)!
(Tue Mar 12 22:41:16 2013) [sssd[be[default]]] [be_process_init] (0x0010): fatal error initializing data providers
(Tue Mar 12 22:41:16 2013) [sssd[be[default]]] [main] (0x0010): Could not initialize backend [22]
ipa-client-install is the command-line for configuring an IPA client. There is no need to use the GUI too. Chances are that authconfig just stomped over the configuration that ipa-client-install did which might explain why sssd is not working.
I am not using authconfig. I would like to be able to use something like it so I can script the configuration so that it is easier to repeat. But authconfig does not seem to have the options required for FreeIPA. After ipa-client-install is successful I must use system-config-authentication as follows:

# Change Authentication Configuration
# Identity & Authentication
# User Account Configuration
# User Account Database: FreeIPA
# LDAP Search Base DN: dc=hunter, dc=org
# LDAP Server: ldaps://server.hunter.org
# Use TLS to encrypt connections: No (default)
# Authentification Configuration
# Authentication Method: Kerberos Password [default]
# Realm: HUNTER.ORG (default)
# KDCs: (default)
# Admin Servers: (default)
# Use DNS to resolve host to realms: No (default)
# Use DNS to locate KDCs for realms: Yes (default)
# Advanced Options
# Local Authentication Options
# Enable fingerprint reader support: No
# Enable Local access control: No (default)
# Password Hashing Algorithm: SHA512 (default)
# Other Authentication Options
# Create home directories on the first login: Yes
# Smart Card Authentication Options
# Enable smart card support: No (default)
# Password Options (default)
Right, this is authconfig. It may be overwriting some configuration that ipa-client-install is doing. I'd compare the sssd.conf pre/post running it, as well as krb5.conf and perhaps nsswitch.conf. It isn't clear what you are changing here.
If I do not use system-config-authentication, the User Account Database is set to Local and I can not do an IPA login. Are you saying that ipa-client-install should be configuring the authentication settings and I should not need to use system-config-authentication?
Would need to see the sssd.conf, nsswitch.conf and errors at login to know for sure.
[root@fedora18 ~]# cat /etc/sssd/sssd.conf
[domain/hunter.org]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = hunter.org
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = fedora18.hunter.org
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, ipa.hunter.org
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, pam, ssh
config_file_version = 2

domains = hunter.org
[nss]

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[root@fedora18 ~]# find / -name nsswitch.conf
/usr/share/doc/yp-tools-2.12/nsswitch.conf
/etc/nsswitch.conf
/var/lib/authconfig/last/nsswitch.conf
[root@fedora18 ~]# cat /etc/nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
#	nisplus			Use NIS+ (NIS version 3)
#	nis			Use NIS (NIS version 2), also called YP
#	dns			Use DNS (Domain Name Service)
#	files			Use the local files
#	db			Use the local database (.db) files
#	compat			Use NIS on compat mode
#	hesiod			Use Hesiod for user lookups
#	[NOTFOUND=return]	Stop searching if not found so far
#
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

passwd:     files sss
shadow:     files sss
group:      files sss
#initgroups: files

#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss

netgroup:   files sss

publickey:  nisplus

automount:  files sss
aliases:    files nisplus

[root@fedora18 ~]# ls -l /var/log/sssd
total 0
-rw-------. 1 root root 0 Mar 13 15:16 krb5_child.log
-rw-------. 1 root root 0 Mar 13 15:16 ldap_child.log
-rw-------. 1 root root 0 Mar 13 15:16 sssd_hunter.org.log
-rw-------. 1 root root 0 Mar 13 15:16 sssd.log
-rw-------. 1 root root 0 Mar 13 15:16 sssd_nss.log
-rw-------. 1 root root 0 Mar 13 15:16 sssd_pac.log
-rw-------. 1 root root 0 Mar 13 15:16 sssd_pam.log
-rw-------. 1 root root 0 Mar 13 15:16 sssd_ssh.log
About an hour ago, as a part of testing selinux-policy-3.11.1-85.fc18.noarch from updates-testing, I noticed that I also received krb5-workstation-1.10.3-14.fc18.x86_64. The "Authentication error" when entering a login has now been resolved. And, thank you very kindly, I did not need to use system-config-authentication to enable FreeIPA logins. However, I did notice that system-config-authentication still indicates that the local user database is being used. I had expected it to show the FreeIPA user database as being used. Nevertheless, I am down to just the one problem described in the subject of this bug report and you have provided a workaround. Thank you for your patience and your timely responses. I will wait patiently to hear that an updated ipa-client-install script is available for testing. Thank you, again.
Strange, I'm not aware of anything fixed in krb5 that would affect this, but its working so I'm not going to argue with success. I filed https://bugzilla.redhat.com/show_bug.cgi?id=921579 against authconfig for the display issue.
Thank you for the bug report. I agree about not arguing with success. I have got another issue, maybe related to authconfig. When I do not use authconfig on the IPA server I can not use an IPA login. The login fails because it can not create /home/dean/.ICEauthority. On the IPA server there is no home directory created for the user so I guess it can not create a subdirectory. On IPA clients there is the --mkhomedir option for ipa-client-install, but there does not seem to be a similar option for the client when using ipa-server-install. Previously I had always followed ipa-server-install with authconfig to set this option. But if I am not supposed to need to use authconfig what do I do?
You just don't need to mess with the authentication config. To enable home directory creation use: authconfig --enablemkhomedir --update Make sure that the oddjob version is installed otherwise you'll run into SELinux issues.
By "oddjob version" Rob means you have to make sure you installed the package named oddjob-mkhomedir before running that authconfig command. Otherwise pam_mkhomedir will be configured, and pam_mkhomedir cannot properly set the SELinux context on your new homedir, causing login failures. Also Dean, would you mind closing this bug as NOTABUG if you solved all your auth issues and no actual bug is found? Thanks, HTH
Simo, there is still an issue and a ticket attached, see https://fedorahosted.org/freeipa/ticket/3512. I already sent patches to fix it. ipa-client-install will now use its own temporary CCACHE, i.e. misconfigured or unexpected KRB5CCNAME setting in user environment will not crash the installer. I also made the CA retrieval fallback to HTTP method in case of an error like this one.
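The mechanism Rob describes above (a scrubbed environment for the forked kinit, while the in-process python-ldap bind keeps the caller's KRB5CCNAME) and the temporary-CCACHE fix Martin describes, as an added stand-alone example that is not FreeIPA's code: the whitelist of forwarded variables, the simplified ccache resolution rule and the Python stand-in for kinit are assumptions of this example, not the installer's real logic.

```python
"""Added example, not FreeIPA's code: shows why scrubbing the child
environment breaks the GSSAPI bind and how a temporary ccache fixes it."""
import os
import subprocess
import sys
import tempfile

# Variables the installer forwards to child processes. This whitelist is an
# assumption of the example; the real installer builds its own list.
SAFE_VARS = ("PATH", "LANG", "HOME")

UNSET = "<unset>"  # marker returned by the child when KRB5CCNAME is absent


def resolve_ccache(env):
    """Simplified libkrb5 rule (assumption): use KRB5CCNAME whenever the
    variable is present, even if it is empty, which is what produced
    "Credentials cache file '' not found" in this thread; otherwise fall
    back to the per-uid FILE ccache."""
    if "KRB5CCNAME" in env:
        return env["KRB5CCNAME"]
    return "FILE:/tmp/krb5cc_%d" % os.getuid()


def scrubbed_env(parent_env):
    """Buggy behaviour: the clean environment handed to kinit drops
    KRB5CCNAME, so kinit falls back to the default FILE ccache."""
    return {k: v for k, v in parent_env.items() if k in SAFE_VARS}


def enrollment_env(parent_env, ccache_path):
    """Fixed behaviour: clean environment plus an explicit temporary
    FILE ccache that every step of the enrollment shares."""
    env = scrubbed_env(parent_env)
    env["KRB5CCNAME"] = "FILE:" + ccache_path
    return env


def child_ccache(env):
    """Run a stand-in for the forked kinit under ``env`` and return the
    ccache it would write to. A real run would exec ``kinit admin``; the
    stand-in only reports the variable so the example runs offline."""
    probe = "import os; print(os.environ.get('KRB5CCNAME', %r), end='')" % UNSET
    out = subprocess.run([sys.executable, "-c", probe], env=env,
                         capture_output=True, text=True, check=True)
    seen = out.stdout
    return resolve_ccache({} if seen == UNSET else {"KRB5CCNAME": seen})


def enrollment_ccaches(parent_env):
    """Return ((kinit ccache, bind ccache) before the fix,
    (kinit ccache, bind ccache) after the fix).

    Before the fix the bind runs inside the installer's own process and
    keeps the caller's KRB5CCNAME, while kinit received the scrubbed copy."""
    buggy = (child_ccache(scrubbed_env(parent_env)),
             resolve_ccache(parent_env))
    fd, path = tempfile.mkstemp(prefix="krb5cc_ipa_")
    os.close(fd)
    try:
        env = enrollment_env(parent_env, path)
        fixed = (child_ccache(env), resolve_ccache(env))
    finally:
        os.unlink(path)
    return buggy, fixed


if __name__ == "__main__":
    # Constructed caller environment mirroring the DIR: ccache from the log.
    caller = {"PATH": "/usr/bin:/bin",
              "KRB5CCNAME": "DIR:/run/user/0/krb5cc_constructed"}
    (kinit_old, bind_old), (kinit_new, bind_new) = enrollment_ccaches(caller)
    print("before fix: kinit ->", kinit_old, "| bind ->", bind_old)
    print("after fix:  kinit ->", kinit_new, "| bind ->", bind_new)
```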
I rebuilt the IPA VM, just to make sure it was clean, and installed the IPA server:

ipa-server-install \
  --admin-password=adminpassword \
  --domain=hunter.org \
  --ds-password=dspassword \
  --forwarder=75.75.76.76 \
  --forwarder=75.75.75.75 \
  --hostname=ipa.hunter.org \
  --realm=HUNTER.ORG \
  --setup-dns \
  --unattended
authconfig --enablemkhomedir --update

Now I am getting "Authentication error" about 10-15 seconds after entering the user name on the login screen. I can find no report of an error:

[root@ipa ~]# ls -l /var/log/sssd
total 0
-rw-------. 1 root root 0 Mar 14 10:16 krb5_child.log
-rw-------. 1 root root 0 Mar 14 10:16 ldap_child.log
-rw-------. 1 root root 0 Mar 14 10:16 sssd_hunter.org.log
-rw-------. 1 root root 0 Mar 14 10:16 sssd.log
-rw-------. 1 root root 0 Mar 14 10:16 sssd_nss.log
-rw-------. 1 root root 0 Mar 14 10:16 sssd_pac.log
-rw-------. 1 root root 0 Mar 14 10:16 sssd_pam.log
-rw-------. 1 root root 0 Mar 14 10:16 sssd_ssh.log

I have verified that the username/password are valid using kinit after a local login and that oddjob is installed:

[root@ipa ~]# rpm -q oddjob-mkhomedir
oddjob-mkhomedir-0.31.3-2.fc18.x86_64
"authconfig --enablemkhomedir --update" stops and disables sssd.service:

[root@ipa ~]# systemctl status ipa.service
ipa.service - Identity, Policy, Audit
   Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled)
   Active: active (exited) since Thu 2013-03-14 11:46:44 CDT; 3min 4s ago
  Process: 4452 ExecStart=/usr/sbin/ipactl start (code=exited, status=0/SUCCESS)

Mar 14 11:46:44 ipa.hunter.org ipactl[4452]: ipa: INFO: request 'https://ipa...'
Mar 14 11:46:44 ipa.hunter.org ipactl[4452]: ipa: INFO: The ipactl command w...l
Mar 14 11:46:44 ipa.hunter.org ipactl[4452]: Starting Directory Service
Mar 14 11:46:44 ipa.hunter.org ipactl[4452]: Starting krb5kdc Service
Mar 14 11:46:44 ipa.hunter.org ipactl[4452]: Starting kadmin Service
Mar 14 11:46:44 ipa.hunter.org ipactl[4452]: Starting named Service
Mar 14 11:46:44 ipa.hunter.org ipactl[4452]: Starting ipa_memcached Service
Mar 14 11:46:44 ipa.hunter.org ipactl[4452]: Starting httpd Service
Mar 14 11:46:44 ipa.hunter.org ipactl[4452]: Starting pki-tomcatd Service
Mar 14 11:46:44 ipa.hunter.org systemd[1]: Started Identity, Policy, Audit.
[root@ipa ~]# systemctl status sssd.service
sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled)
   Active: active (running) since Thu 2013-03-14 11:46:42 CDT; 3min 16s ago
 Main PID: 4419 (sssd)
   CGroup: name=systemd:/system/sssd.service
           ├─4419 /usr/sbin/sssd -D -f
           ├─4420 /usr/libexec/sssd/sssd_be --domain hunter.org --debu...
           ├─4421 /usr/libexec/sssd/sssd_nss --debug-to-files
           ├─4422 /usr/libexec/sssd/sssd_pam --debug-to-files
           ├─4423 /usr/libexec/sssd/sssd_ssh --debug-to-files
           └─4424 /usr/libexec/sssd/sssd_pac --debug-to-files

Mar 14 11:46:40 ipa.hunter.org systemd[1]: Starting System Security Services....
Mar 14 11:46:41 ipa.hunter.org sssd[4419]: Starting up
Mar 14 11:46:42 ipa.hunter.org sssd[be[4420]: Starting up
Mar 14 11:46:42 ipa.hunter.org sssd[4421]: Starting up
Mar 14 11:46:42 ipa.hunter.org sssd[4422]: Starting up
Mar 14 11:46:42 ipa.hunter.org sssd[4423]: Starting up
Mar 14 11:46:42 ipa.hunter.org sssd[4424]: Starting up
Mar 14 11:46:42 ipa.hunter.org systemd[1]: Started System Security Services ....
[root@ipa ~]# authconfig --enablemkhomedir --update
[root@ipa ~]# systemctl status sssd.service
sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; disabled)
   Active: inactive (dead)

Mar 14 11:46:42 ipa.hunter.org sssd[4422]: Starting up
Mar 14 11:46:42 ipa.hunter.org sssd[4423]: Starting up
Mar 14 11:46:42 ipa.hunter.org sssd[4424]: Starting up
Mar 14 11:46:42 ipa.hunter.org systemd[1]: Started System Security Services ....
Mar 14 11:50:28 ipa.hunter.org systemd[1]: Stopping System Security Services....
Mar 14 11:50:28 ipa.hunter.org sssd[4422]: Shutting down
Mar 14 11:50:28 ipa.hunter.org sssd[be[4420]: Shutting down
Mar 14 11:50:28 ipa.hunter.org sssd[4423]: Shutting down
Mar 14 11:50:28 ipa.hunter.org sssd[4424]: Shutting down
Mar 14 11:50:28 ipa.hunter.org sssd[4421]: Shutting down
Mar 14 11:50:28 ipa.hunter.org systemd[1]: Stopped System Security Services ....
[root@ipa ~]#
Sounds like you have found another bug in authconfig. I'd suggest you file that separately. We still need to track the ccache problem in this bug against IPA.
Moving "authconfig --enablemkhomedir --update" before ipa-server-install resolved the problem.

Just to summarize this chain:

1) https://fedorahosted.org/freeipa/ticket/3512 is for a problem with the certificate cache in ipa-client-install. The work-around is to unset KRB5CCNAME before running ipa-client-install.

2) https://bugzilla.redhat.com/show_bug.cgi?id=921579 is for a problem with authconfig (system-config-authentication) not displaying the results of ipa-client-install.

3) There is also a problem configuring the client to make the home directory on the IPA server. The work-around is to execute "authconfig --enablemkhomedir --update" before ipa-server-install.
(In reply to comment #29)
> Simo, there is still an issue and a ticket attached, see
> https://fedorahosted.org/freeipa/ticket/3512.
>
> I already sent patches to fix it. ipa-client-install will now use its own
> temporary CCACHE, i.e. misconfigured or unexpected KRB5CCNAME setting in
> user environment will not crash the installer. I also made the CA retrieval
> fallback to HTTP method in case of an error like this one.

Apologies Dean and Martin, I overlooked that.

Simo.
(In reply to comment #33)
> Moving "authconfig --enablemkhomedir --update" before ipa-server-install
> resolved the problem.
>
> Just to summarize this chain:
>
> 1) https://fedorahosted.org/freeipa/ticket/3512 is for a problem with the
> certificate cache in ipa-client-install. The work-around is to unset
> KRB5CCNAME before running ipa-client-install.

Right, a fix is under review and I want it to be part of the next Fedora 18 release.

> 2) https://bugzilla.redhat.com/show_bug.cgi?id=921579 is for a problem with
> authconfig (system-config-authentication) not displaying the results of
> ipa-client-install.
>
> 3) There is also a problem configuring the client to make the home directory
> on the IPA server. The work-around is to execute "authconfig
> --enablemkhomedir --update" before ipa-server-install.

Yes, I see you created a bug for that - Bug 921579. Thanks for the nice summary!
Fixed upstream:

master:
1336b399065ff47477029ba487f1d392f1ce6ac8 Improve client install LDAP cert retrieval fallback
6540eff4687bbc400e285a68936d8edf1895168e Use temporary CCACHE in ipa-client-install

ipa-3-1:
fdfcd2cf2456fce303553d88cbf53067c975d2f3 Improve client install LDAP cert retrieval fallback
07755e815e09ef722fc1fdb6715fd538aa2d08d4 Use temporary CCACHE in ipa-client-install
freeipa-3.1.3-1.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/freeipa-3.1.3-1.fc18
Just for your information, but maybe you already knew it, while testing this update I discovered that KRB5CCNAME is not set for an ssh login, only a gdm login. Between reporting this problem and testing this update I changed my procedure from cut and paste into terminal to scp and ssh a script. While checking the initial conditions for the test I made this discovery.
I think that KRB5CCNAME is being set by sssd, which means that the authentication to the system needs to go through sssd (it does with gdm as it is processed in PAM). As for ssh, IIUC, the authentication may bypass sssd in some configuration and thus avoid setting KRB5CCNAME (and other implications like HBAC policy not applied). I think it needs to have "UsePAM yes" (it should be set by ipa-client-install if you did not use --no-sshd option). Is this the case?
Package freeipa-3.1.3-1.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing freeipa-3.1.3-1.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-4460/freeipa-3.1.3-1.fc18
then log in and leave karma (feedback).
Here is how I installed the IPA client:

# Install the IPA client
yum install --assumeyes --enablerepo=updates-testing freeipa-client
# BR 920716
ipa-client-install \
  --domain=hunter.org \
  --enable-dns-updates \
  --force-ntp \
  --mkhomedir \
  --password=adminpassword \
  --principal=admin \
  --realm=HUNTER.ORG \
  --ssh-trust-dns \
  --unattended
Package freeipa-3.1.3-2.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing freeipa-3.1.3-2.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-4460/freeipa-3.1.3-2.fc18
then log in and leave karma (feedback).
Using freeipa 3.1.3.3 I have successfully rebuilt:
- 1 VM IPA server
- 2 VM IPA clients
and I have reinstalled:
- 2 PM IPA clients

I have updated the karma verifying the correction for 916399 and 920716.
Package freeipa-3.1.3-4.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing freeipa-3.1.3-4.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-4460/freeipa-3.1.3-4.fc18
then log in and leave karma (feedback).
Using:

Installed Packages
freeipa-client.x86_64 3.1.3-4.fc18 @updates-testing
freeipa-python.x86_64 3.1.3-4.fc18 @updates-testing

this script:

# Install IPA client
yum install --assumeyes --enablerepo=updates-testing freeipa-client
# freeipa 3512
ipa-client-install \
  --domain=hunter.org \
  --enable-dns-updates \
  --force-ntp \
  --mkhomedir \
  --password=adminpassword \
  --principal=admin \
  --realm=HUNTER.ORG \
  --ssh-trust-dns \
  --unattended

successfully installed the IPA client without this error message:

Synchronizing time with KDC...
Cannot obtain CA certificate
'ldap://ipa.hunter.org' doesn't have a certificate.
Installation failed. Rolling back changes.
IPA client is not configured on this system.
freeipa-3.1.3-4.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.