freeipa-container: Cannot login through Web UI after upgrading from Fedora 25 to 27

I upgraded my image from fedora-25 to fedora-27. The upgrade completed successfully.

    freeipa | The IPA services were upgraded
    freeipa | The ipa-server-upgrade command was successful

But after the upgrade, login using the web UI is failing with message

Login failed due to an unknown reason.

Apache error log contains the following stack trace, corresponding to the above error:

 mod_wsgi (pid=1830): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
 Traceback (most recent call last):
   File "/usr/share/ipa/wsgi.py", line 59, in application
     return api.Backend.wsgi_dispatch(environ, start_response)
   File "/usr/lib/python3.6/site-packages/ipaserver/rpcserver.py", line 267, in __call__
     return self.route(environ, start_response)
   File "/usr/lib/python3.6/site-packages/ipaserver/rpcserver.py", line 279, in route
     return app(environ, start_response)
   File "/usr/lib/python3.6/site-packages/ipaserver/rpcserver.py", line 937, in __call__
     self.kinit(user_principal, password, ipa_ccache_name)
   File "/usr/lib/python3.6/site-packages/ipaserver/rpcserver.py", line 973, in kinit
     pkinit_anchors=[paths.KDC_CERT, paths.KDC_CA_BUNDLE_PEM],
   File "/usr/lib/python3.6/site-packages/ipalib/install/kinit.py", line 127, in kinit_armor
     run(args, env=env, raiseonerr=True, capture_error=True)
   File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 561, in run
     raise CalledProcessError(p.returncode, arg_string, str(output))
 subprocess.CalledProcessError: Command '/usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_1830 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned non-zero exit status 1.

The issue is similar to the one discussed in the following thread https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/2ZU6DVAE6TPR7MVR5LCJTWPY53GT75CR/

But in my case, this is the only server. And the IP address is also matching.

# KRB5_TRACE="/dev/stderr" kinit -n
[3140] 1541800345.443417: Getting initial credentials for WELLKNOWN/ANONYMOUS@ENNEXA.COM
[3140] 1541800345.443419: Sending request (184 bytes) to ENNEXA.COM
[3140] 1541800345.443420: Initiating TCP connection to stream 10.10.0.106:88
[3140] 1541800345.443421: Sending TCP request to stream 10.10.0.106:88
[3140] 1541800345.443422: Received answer (287 bytes) from stream 10.10.0.106:88
[3140] 1541800345.443423: Terminating TCP connection to stream 10.10.0.106:88
[3140] 1541800345.443424: Response was from master KDC
[3140] 1541800345.443425: Received error from KDC: -1765328359/Additional pre-authentication required
[3140] 1541800345.443428: Processing preauth types: 136, 19, 2, 133
[3140] 1541800345.443429: Selected etype info: etype aes256-cts, salt "ENNEXA.COMWELLKNOWNANONYMOUS", params ""
[3140] 1541800345.443430: Received cookie: MIT
Password for WELLKNOWN/ANONYMOUS@ENNEXA.COM:
[3140] 1541800507.299803: Preauth module encrypted_timestamp (2) (real) returned: -1765328252/Password read interrupted
kinit: Pre-authentication failed: Password read interrupted while getting initial credentials
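A quick triage of a KRB5_TRACE log like the one above, as an added example that is not part of this issue or of freeipa-container. The detail worth noticing is the line "Processing preauth types: 136, 19, 2, 133": those are FX-FAST, ETYPE-INFO2, ENC-TIMESTAMP and FX-COOKIE, and there is no 16 (PA-PK-AS-REQ), so the KDC is not advertising PKINIT at all. That points at the KDC side (its pkinit identity, i.e. kdc.crt) rather than only at the client anchors; the password prompt for WELLKNOWN/ANONYMOUS is just the encrypted_timestamp module running because pkinit never produced a response. The function below, run over a saved trace (the sample input in the test is constructed from the trace format shown above), separates those two cases. The trace format and module names are the ones MIT krb5 prints, which is an assumption about the version in the container.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): classify a KRB5_TRACE log from
# "kinit -n" into three outcomes:
#   exit 0  KDC offered PKINIT and the client used it
#   exit 1  KDC did not offer PA-PK-AS-REQ (16), or it did and the client
#           still fell back to encrypted_timestamp (password prompt)
#   exit 2  no "Processing preauth types" line found (not a kinit trace)
# Preauth type numbers: 2 = PA-ENC-TIMESTAMP, 16 = PA-PK-AS-REQ (RFC 4556),
# 19 = PA-ETYPE-INFO2, 133 = PA-FX-COOKIE, 136 = PA-FX-FAST (RFC 6113).
pkinit_trace_triage() {
  # Reads the file given as $1, or stdin when no argument is passed.
  awk '
    /Processing preauth types:/ {
      # Keep only the comma separated list after the colon.
      sub(/.*Processing preauth types: */, "")
      n = split($0, t, /, */)
      for (i = 1; i <= n; i++) if (t[i] == 16) pkinit = 1
      seen = 1
    }
    # The client only reaches encrypted_timestamp if pkinit produced nothing.
    /Preauth module encrypted_timestamp/ { fallback = 1 }
    END {
      if (!seen) { print "no preauth list found in trace"; exit 2 }
      if (!pkinit) {
        print "KDC did not offer PA-PK-AS-REQ (16): PKINIT is not enabled on the KDC side, check its pkinit identity (kdc.crt) and KDC log"
        exit 1
      }
      if (fallback) {
        print "KDC offered PKINIT but the client fell back to encrypted_timestamp: check the client pkinit_anchors / X509_anchors files"
        exit 1
      }
      print "PKINIT offered and used"
    }' "${1:--}"
}

# Usage: KRB5_TRACE=/tmp/kinit.trace kinit -n; sh this-script.sh /tmp/kinit.trace
if [ $# -gt 0 ]; then
  pkinit_trace_triage "$1"
fi
```

The test below feeds it constructed trace fragments; the first one mirrors the list in the issue and is classified as the KDC-side case.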

About this issue

  • State: closed
  • Created 6 years ago
  • Comments: 26 (1 by maintainers)

Most upvoted comments

Okay, that was the problem.

The solution is

  • Copy /etc/krb5.conf from fedora-27 container

  • Copy /etc/ipa/ca.crt to /var/lib/ipa-client/pki/kdc-ca-bundle.pem and /var/lib/ipa-client/pki/ca-bundle.pem

    cp /etc/ipa/ca.crt /var/lib/ipa-client/pki/kdc-ca-bundle.pem
    cp /etc/ipa/ca.crt /var/lib/ipa-client/pki/ca-bundle.pem
    
  • Regenerate /var/kerberos/krb5kdc/kdc.crt with

    getcert resubmit -vwf /var/kerberos/krb5kdc/kdc.crt
    
  • Verify by running

    /usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_482 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
    

I’ve tested upgrade from .fedora-25 to .fedora-27 and then to .fedora-28, and compared it to fresh .fedora-28 installation.

The /etc/ipa/kdcproxy/ipa-kdc-proxy.conf on the upgraded setup (to .fedora-28) matches the content on fresh .fedora-28 container. So that part seems to be resolved on latest Fedora 28.

On the other hand, the /etc/krb5.conf does not get upgraded, so it still has pkinit_anchors = FILE:/etc/ipa/ca.crt after the upgrade, not matching the fresh installation. Might that be a problem?

I confirm the failure in the Fedora 25 -> Fedora 27 image upgrade situation.

Furthermore, rerunning that kinit -n ... command in the FreeIPA server container asks for a password:

[root@ipa /]# /usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_2591 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
Password for WELLKNOWN/ANONYMOUS@EXAMPLE.TEST: 
kinit: Pre-authentication failed: Password read interrupted while getting initial credentials

Further upgrade to Fedora 29 image does not fix the issue.

We likely need some expertise from the FreeIPA team. @abbra, any idea what we should be looking for?

Please check if you aren’t starting the container with --privileged or --cap-add SYS_ADMIN, for the remote chance that the system might be hitting some kernel keyring outside of the container.