Cannot log in to FreeIPA Web UI - "Login failed due to an unknown reason."

After a Fedora server update my FreeIPA broke and I don't know how to deal with it. Does anyone know what the problem might be?

I can neither log in to the Web UI nor run any IPA commands.

$ journalctl

gssproxy[910]: gssproxy[951]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
gssproxy[951]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
gssproxy[910]: gssproxy[951]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, Preauthentication failed
gssproxy[951]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, Preauthentication failed

$ cat /var/log/httpd/error_log

[suexec:notice] [pid 5529:tid 139897184471296] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[so:warn] [pid 5529:tid 139897184471296] AH01574: module proxy_module is already loaded, skipping
[so:warn] [pid 5529:tid 139897184471296] AH01574: module proxy_http_module is already loaded, skipping
[lbmethod_heartbeat:notice] [pid 5529:tid 139897184471296] AH02282: No slotmem from mod_heartmonitor
[mpm_event:notice] [pid 5529:tid 139897184471296] AH00489: Apache/2.4.39 (Fedora) OpenSSL/1.1.1c mod_wsgi/4.6.4 Python/3.7 3.9 mod_perl/2.0.10 Perl/v5.28.2 configured -- resuming normal operations
[core:notice] [pid 5529:tid 139897184471296] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[wsgi:error] [pid 5833:tid 139897184471296] ipa: INFO: *** PROCESS START ***
[wsgi:error] [pid 5837:tid 139897184471296] ipa: INFO: *** PROCESS START ***
[wsgi:error] [pid 5832:tid 139897184471296] ipa: INFO: *** PROCESS START ***
[wsgi:error] [pid 5839:tid 139897184471296] ipa: INFO: *** PROCESS START ***
[wsgi:error] [pid 5833:tid 139896787969792] [remote 10.0.1.8:36236] ipa: INFO: [jsonserver_i18n_messages] UNKNOWN: CCESS
[:warn] [pid 5842:tid 139896429713152] [client 10.0.1.8:36236] KRB5CCNAME file (/run/ipa/ccaches/[email protected]) lookup .home.mydomain.com/ipa/ui/
[:warn] [pid 5841:tid 139896561800960] [client 10.0.1.8:36238] KRB5CCNAME file (/run/ipa/ccaches/[email protected]) lookup .home.mydomain.com/ipa/ui/
[auth_gssapi:error] [pid 5840:tid 139896236779264] [client 10.0.1.10:47164] GSS ERROR gss_acquire_cred[_from]() failed to get lure.  Minor code may provide more information ( SPNEGO cannot find mechanisms to negotiate)]
[wsgi:error] [pid 5833:tid 139896787969792] [remote 10.0.1.8:36236] ipa: INFO: 401 Unauthorized: No session cookie found

$ ipa-pkinit-manage status

PKINIT is enabled
The ipa-pkinit-manage command was successful

$ kinit myuser

Password for [email protected]: 
$ klist
Ticket cache: KEYRING:persistent:1907400001:krb_ccache_QYeLVmz
Default principal: [email protected]

Valid starting     Expires            Service principal
08/09/19 00:11:36  09/09/19 00:11:33  krbtgt/[email protected]

$ ipa -v ping

ipa: DEBUG: trying https://$ ipaserver.home.mydomain.com/ipa/json
ipa: DEBUG: Created connection context.rpcclient_139944946411792
ipa: DEBUG: [try 1]: Forwarding 'schema' to json server 'https://$ ipaserver.home.mydomain.com/ipa/json'
ipa: DEBUG: New HTTP connection ($ ipaserver.home.mydomain.com)
ipa: DEBUG: HTTP connection destroyed ($ ipaserver.home.mydomain.com)
Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/ipaclient/remote_plugins/__init__.py", line 126, in get_package
    plugins = api._remote_plugins
AttributeError: 'API' object has no attribute '_remote_plugins'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/ipalib/rpc.py", line 649, in get_auth_info
    response = self._sec_context.step()
  File "</usr/local/lib/python3.7/site-packages/decorator.py:decorator-gen-15>", line 2, in step
  File "/usr/lib64/python3.7/site-packages/gssapi/_utils.py", line 167, in check_last_err
    return func(self, *args, **kwargs)
  File "</usr/local/lib/python3.7/site-packages/decorator.py:decorator-gen-5>", line 2, in step
  File "/usr/lib64/python3.7/site-packages/gssapi/_utils.py", line 127, in catch_and_return_token
    return func(self, *args, **kwargs)
  File "/usr/lib64/python3.7/site-packages/gssapi/sec_contexts.py", line 521, in step
    return self._initiator_step(token=token)
  File "/usr/lib64/python3.7/site-packages/gssapi/sec_contexts.py", line 542, in _initiator_step
    token)
  File "gssapi/raw/sec_contexts.pyx", line 244, in gssapi.raw.sec_contexts.init_sec_context
gssapi.raw.misc.GSSError: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529639053): No Kerberos credentials available (default cache: KEYRING:persistent:0)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/ipalib/rpc.py", line 699, in single_request
    self.get_auth_info()
  File "/usr/lib/python3.7/site-packages/ipalib/rpc.py", line 651, in get_auth_info
    self._handle_exception(e, service=service)
  File "/usr/lib/python3.7/site-packages/ipalib/rpc.py", line 608, in _handle_exception
    raise errors.CCacheError()
ipalib.errors.CCacheError: did not receive Kerberos credentials
ipa: DEBUG: Destroyed connection context.rpcclient_139944946411792
ipa: ERROR: did not receive Kerberos credentials

$ kinit -k -t /var/lib/ipa/gssproxy/http.keytab HTTP/$

[email protected]
kinit: Preauthentication failed while getting initial credentials

$ ipa -vv pwpolicy-show global_policy

ipa: DEBUG: failed to find session_cookie in persistent storage for principal '[email protected]'
ipa: DEBUG: trying https://$ ipaserver.home.mydomain.com/ipa/json
ipa: DEBUG: Created connection context.rpcclient_140652464016656
ipa: DEBUG: [try 1]: Forwarding 'schema' to json server 'https://$ ipaserver.home.mydomain.com/ipa/json'
ipa: DEBUG: New HTTP connection ($ ipaserver.home.mydomain.com)
ipa: DEBUG: HTTP connection destroyed ($ ipaserver.home.mydomain.com)
Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/ipaclient/remote_plugins/__init__.py", line 126, in get_package
    plugins = api._remote_plugins
AttributeError: 'API' object has no attribute '_remote_plugins'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/ipalib/rpc.py", line 726, in single_request
    if not self._auth_complete(response):
  File "/usr/lib/python3.7/site-packages/ipalib/rpc.py", line 679, in _auth_complete
    message=u"No valid Negotiate header in server response")
ipalib.errors.KerberosError: No valid Negotiate header in server response
ipa: DEBUG: Destroyed connection context.rpcclient_140652464016656
ipa: ERROR: No valid Negotiate header in server response

$ cat /var/log/krb5kdc.log

38:08 ipa (info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.1.10: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
38:08 ipa (info): closing down fd 11
38:11 ipa (info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.1.10: ISSUE: authtime 1568572691, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, [email protected] for krbtgt/[email protected]
38:11 ipa (info): closing down fd 11
38:21 ipa (info): TGS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.1.10: ISSUE: authtime 1568572691, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, [email protected] for HTTP/[email protected]
38:21 ipa (info): closing down fd 11
38:21 ipa (info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.1.10: NEEDED_PREAUTH: HTTP/[email protected] for krbtgt/[email protected], Additional pre-authentication required
38:21 ipa (info): closing down fd 11
38:21 ipa (info): preauth (spake) verify failure: Preauthentication failed
38:21 ipa (info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.1.10: PREAUTH_FAILED: HTTP/[email protected] for krbtgt/[email protected], Preauthentication failed
38:21 ipa (info): closing down fd 11
38:21 ipa (info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.1.10: NEEDED_PREAUTH: HTTP/[email protected] for krbtgt/[email protected], Additional pre-authentication required
38:21 ipa (info): closing down fd 11
38:21 ipa (info): preauth (spake) verify failure: Preauthentication failed
38:21 ipa (info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.1.10: PREAUTH_FAILED: HTTP/[email protected] for krbtgt/[email protected], Preauthentication failed
38:21 ipa (info): closing down fd 11

$ kvno ldap/[email protected]

ldap/[email protected]: kvno = 2

$ klist -kte

Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 2019-02-18 18:46:43 host/[email protected] (aes256-cts-hmac-sha1-96) 
   2 2019-02-18 18:46:43 host/[email protected] (aes128-cts-hmac-sha1-96) 
   2 2019-02-18 18:46:43 host/[email protected] (DEPRECATED:des3-cbc-sha1) 
   2 2019-02-18 18:46:43 host/[email protected] (DEPRECATED:arcfour-hmac) 
   2 2019-02-18 18:46:43 host/[email protected] (camellia128-cts-cmac) 
   2 2019-02-18 18:46:43 host/[email protected] (camellia256-cts-cmac) 
   4 2019-02-19 00:33:12 host/[email protected] (aes256-cts-hmac-sha1-96) 
   4 2019-02-19 00:33:12 host/[email protected] (aes128-cts-hmac-sha1-96) 
   1 2019-02-19 00:34:01 nfs/[email protected] (aes256-cts-hmac-sha1-96) 
   1 2019-02-19 00:34:01 nfs/[email protected] (aes128-cts-hmac-sha1-96) 

Answer 1

In my case I solved the problem by recreating the keytabs for gssproxy and krb5:

$ sudo kinit admin
$ sudo rm -f /etc/krb5.keytab /var/lib/ipa/gssproxy/http.keytab
$ sudo ipa-getkeytab -s server.example.com -p host/[email protected] -k /etc/krb5.keytab
$ sudo ipa-getkeytab -s server.example.com -p HTTP/[email protected] -k /var/lib/ipa/gssproxy/http.keytab
$ sudo ipactl restart
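A check worth running before deleting anything, as an added example that is not part of the question or this answer: it parses `klist -kte` and `kvno` output (the same formats shown in the question) and reports, per service principal, whether the keytab is missing that principal or holds a key version behind the one the KDC currently issues, which is one explanation for the "Preauthentication failed" lines in krb5kdc.log. The principals, hostnames and the EXAMPLE.TEST realm are constructed placeholders.

```shell
#!/bin/sh
# Added diagnostic (not from the question or the answers): before deleting a
# keytab, compare the highest KVNO it holds for a principal with the KVNO the
# KDC currently issues. A keytab that is STALE or MISSING for a principal is
# one cause of "Preauthentication failed" for that principal in krb5kdc.log.
# Principals, hostnames and the EXAMPLE.TEST realm below are constructed.
# Highest KVNO stored for principal $2 in `klist -kte` output $1 (0 if absent).
keytab_max_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $4 == p { if ($1 + 0 > max) max = $1 + 0 }
        END { print max + 0 }'
}

# KVNO the KDC reports, parsed from a `kvno PRINCIPAL` output line.
kdc_kvno() {
    printf '%s\n' "$1" | sed -n 's/^.*: kvno = \([0-9][0-9]*\).*$/\1/p'
}

# Verdict for one principal: OK, STALE (keytab behind the KDC), MISSING
# (principal absent from the keytab) or UNKNOWN (kvno output not parseable).
check_principal() {
    kt=$(keytab_max_kvno "$1" "$3")
    kdc=$(kdc_kvno "$2")
    [ -n "$kdc" ] || { echo UNKNOWN; return 0; }
    if [ "$kt" -eq 0 ]; then echo MISSING
    elif [ "$kt" -ne "$kdc" ]; then echo STALE
    else echo OK
    fi
}

# Constructed samples in the formats of `klist -kte` and `kvno` seen in the question.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------
   2 2019-02-18 18:46:43 host/ipa.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   4 2019-02-19 00:33:12 host/ipa.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
   1 2019-02-19 00:34:01 nfs/ipa.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)'
SAMPLE_KVNO_HOST='host/ipa.example.test@EXAMPLE.TEST: kvno = 4'
SAMPLE_KVNO_NFS='nfs/ipa.example.test@EXAMPLE.TEST: kvno = 3'
SAMPLE_KVNO_HTTP='HTTP/ipa.example.test@EXAMPLE.TEST: kvno = 5'

check_principal "$SAMPLE_KLIST" "$SAMPLE_KVNO_HOST" host/ipa.example.test@EXAMPLE.TEST   # OK
check_principal "$SAMPLE_KLIST" "$SAMPLE_KVNO_NFS"  nfs/ipa.example.test@EXAMPLE.TEST    # STALE
check_principal "$SAMPLE_KLIST" "$SAMPLE_KVNO_HTTP" HTTP/ipa.example.test@EXAMPLE.TEST   # MISSING

# Live use (needs a TGT such as `kinit admin` and read access to the keytab):
#   P="host/$(hostname -f)@REALM"
#   check_principal "$(klist -kte /etc/krb5.keytab)" "$(kvno "$P")" "$P"
# Repeat with HTTP/... against /var/lib/ipa/gssproxy/http.keytab.
```

Only principals that come back STALE or MISSING need the ipa-getkeytab step above; an OK result points the investigation elsewhere, for example at the ccache or gssproxy configuration.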

Answer 2

Try changing the permissions on the krb5kdc directory; that worked for me:

chmod a+x /var/lib/krb5kdc/
