Hi,
ipa commands and the web ui login work fine with ipa accounts -
$ ssh -p 2222 user1@192.168.87.90
user1@192.168.87.90's password:
Last login: Sun Dec 23 16:12:32 2018 from 192.168.87.90
-sh-4.2$ klist
Ticket cache: KEYRING:persistent:1060800015:krb_ccache_Y8lD56F
Default principal: user1@LOCAL.LAN

Valid starting       Expires              Service principal
23/12/18 19:16:20    24/12/18 19:16:20    krbtgt/LOCAL.LAN@LOCAL.LAN
-sh-4.2$ ipa trust-find
---------------
1 trust matched
---------------
  Realm name: windocker.jackland.demon.co.uk
  Domain NetBIOS name: WINDOMAIN
  Domain Security Identifier: S-1-5-21-3550747279-381245828-2166630727
----------------------------
Number of entries returned 1
----------------------------
-sh-4.2$
However, these don't work with AD users -
$ ssh -p 2222 user3@windocker.jackland.demon.co.uk@192.168.87.90
user3@windocker.jackland.demon@192.168.87.90's password:
Last login: Sun Dec 23 17:59:26 2018 from 192.168.87.90
-sh-4.2$ klist
Ticket cache: KEYRING:persistent:638401138:krb_ccache_pjehZUI
Default principal: user3@WINDOCKER.JACKLAND.DEMON.CO.UK

Valid starting       Expires              Service principal
23/12/18 19:21:23    24/12/18 05:21:23    krbtgt/WINDOCKER.JACKLAND.DEMON.CO.UK@WINDOCKER.JACKLAND.DEMON.CO.UK
        renew until 24/12/18 19:21:22
-sh-4.2$ ipa trust-find
ipa: ERROR: cannot connect to 'https://ipa001.local.lan/ipa/json': Internal Server Error
-sh-4.2$ klist
Ticket cache: KEYRING:persistent:638401138:krb_ccache_pjehZUI
Default principal: user3@WINDOCKER.JACKLAND.DEMON.CO.UK

Valid starting       Expires              Service principal
23/12/18 19:21:54    24/12/18 05:21:23    HTTP/ipa001.local.lan@LOCAL.LAN
        renew until 24/12/18 19:21:22
23/12/18 19:21:49    24/12/18 05:21:23    krbtgt/LOCAL.LAN@WINDOCKER.JACKLAND.DEMON.CO.UK
        renew until 24/12/18 19:21:22
23/12/18 19:21:23    24/12/18 05:21:23    krbtgt/WINDOCKER.JACKLAND.DEMON.CO.UK@WINDOCKER.JACKLAND.DEMON.CO.UK
        renew until 24/12/18 19:21:22
-sh-4.2$
The access_log on the ipa server contains for these -
192.168.96.2 - user1@LOCAL.LAN [23/Dec/2018:19:16:43 +0000] "POST /ipa/json HTTP/1.1" 200 90140
192.168.96.2 - user1@LOCAL.LAN [23/Dec/2018:19:16:44 +0000] "POST /ipa/session/json HTTP/1.1" 200 278
192.168.96.2 - user3@WINDOCKER.JACKLAND.DEMON.CO.UK [23/Dec/2018:19:21:54 +0000] "POST /ipa/json HTTP/1.1" 500 527
.. and the error_log -
[Sun Dec 23 19:15:18.812726 2018] [wsgi:error] [pid 9113:tid 139948548441856] [remote 192.168.96.3:43412] mod_wsgi (pid=9113): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Sun Dec 23 19:15:18.812857 2018] [wsgi:error] [pid 9113:tid 139948548441856] [remote 192.168.96.3:43412] TypeError: sequence of byte string values expected, value of type int found
[Sun Dec 23 19:16:43.723255 2018] [wsgi:error] [pid 9112:tid 139948548441856] [remote 192.168.96.2:51012] ipa: INFO: [jsonserver_kerb] user1@LOCAL.LAN: schema(known_fingerprints=('145a5999',), version='2.170'): SUCCESS
[Sun Dec 23 19:16:44.277967 2018] [:warn] [pid 9452:tid 139948665587456] [client 192.168.96.2:51024] failed to set perms (3140) on file (/var/run/ipa/ccaches/user1@LOCAL.LAN)!, referer: https://ipa001.local.lan/ipa/xml
[Sun Dec 23 19:16:44.530489 2018] [wsgi:error] [pid 9113:tid 139948548441856] [remote 192.168.96.2:51024] ipa: INFO: [jsonserver_session] user1@LOCAL.LAN: trust_find/1(None, version='2.229'): SUCCESS
[Sun Dec 23 19:21:55.463003 2018] [wsgi:error] [pid 9112:tid 139948548441856] [remote 192.168.96.2:51142] mod_wsgi (pid=9112): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Sun Dec 23 19:21:55.463144 2018] [wsgi:error] [pid 9112:tid 139948548441856] [remote 192.168.96.2:51142] TypeError: sequence of byte string values expected, value of type int found
I've tried adding settings for windocker.jackland.demon.co.uk to /etc/krb5.conf on the ipa master (both LOCAL.LAN and WINDOCKER.JACKLAND.DEMON.CO.UK), but neither choice made any difference.
[domain_realm]
 .local.lan = LOCAL.LAN
 local.lan = LOCAL.LAN
 ipa001.local.lan = LOCAL.LAN
 .windocker.jackland.demon.co.uk = LOCAL.LAN
 windocker.jackland.demon.co.uk = LOCAL.LAN
The version is -
-sh-4.2$ ipa --version
VERSION: 4.6.4, API_VERSION: 2.229
-sh-4.2$
For testing, both the client and server are currently Docker containers running CentOS 7.
Can anyone please explain how to fix this?
Thanks
Bob Hinton
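The post above pairs a 500 in the httpd access_log with a mod_wsgi TypeError in the error_log by eye. The following is an added example, not part of Bob's message and not FreeIPA project code, that does the same correlation mechanically: it parses both log formats, keeps only 5xx requests, and attaches the exception lines logged from the same client address within a few seconds, grouped by the Kerberos realm of the principal that made the request. The sample log lines are constructed from the ones quoted in the post; the script assumes error_log timestamps are in UTC (Apache writes them in server local time with no zone) and uses a five-second correlation window, both of which are choices made here rather than anything the post states.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines, modelled on the access_log / error_log quoted in the post.
ACCESS_LOG = """\
192.168.96.2 - user1@LOCAL.LAN [23/Dec/2018:19:16:43 +0000] "POST /ipa/json HTTP/1.1" 200 90140
192.168.96.2 - user1@LOCAL.LAN [23/Dec/2018:19:16:44 +0000] "POST /ipa/session/json HTTP/1.1" 200 278
192.168.96.2 - user3@WINDOCKER.JACKLAND.DEMON.CO.UK [23/Dec/2018:19:21:54 +0000] "POST /ipa/json HTTP/1.1" 500 527
"""

ERROR_LOG = """\
[Sun Dec 23 19:15:18.812726 2018] [wsgi:error] [pid 9113:tid 139948548441856] [remote 192.168.96.3:43412] mod_wsgi (pid=9113): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Sun Dec 23 19:15:18.812857 2018] [wsgi:error] [pid 9113:tid 139948548441856] [remote 192.168.96.3:43412] TypeError: sequence of byte string values expected, value of type int found
[Sun Dec 23 19:16:43.723255 2018] [wsgi:error] [pid 9112:tid 139948548441856] [remote 192.168.96.2:51012] ipa: INFO: [jsonserver_kerb] user1@LOCAL.LAN: schema(known_fingerprints=('145a5999',), version='2.170'): SUCCESS
[Sun Dec 23 19:16:44.277967 2018] [:warn] [pid 9452:tid 139948665587456] [client 192.168.96.2:51024] failed to set perms (3140) on file (/var/run/ipa/ccaches/user1@LOCAL.LAN)!, referer: https://ipa001.local.lan/ipa/xml
[Sun Dec 23 19:21:55.463003 2018] [wsgi:error] [pid 9112:tid 139948548441856] [remote 192.168.96.2:51142] mod_wsgi (pid=9112): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Sun Dec 23 19:21:55.463144 2018] [wsgi:error] [pid 9112:tid 139948548441856] [remote 192.168.96.2:51142] TypeError: sequence of byte string values expected, value of type int found
"""

# Apache "common" access format; the third field is the authenticated principal.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)
# Apache error_log; older modules write "[client ip:port]", mod_wsgi writes "[remote ip:port]".
ERROR_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[(?P<level>[^\]]*)\] \[pid (?P<pid>\d+):tid \d+\] '
    r'\[(?:remote|client) (?P<ip>[\d.]+):\d+\] (?P<msg>.*)$'
)
# Lines worth attaching to a failed request: WSGI exceptions and Python error classes.
EXCEPTION_RE = re.compile(r"Exception|Error\b")


def parse_access(line):
    m = ACCESS_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    return d


def parse_error(line):
    m = ERROR_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    # error_log stamps carry no zone; treating them as UTC is an assumption of this example.
    d["ts"] = datetime.strptime(d["ts"], "%a %b %d %H:%M:%S.%f %Y").replace(tzinfo=timezone.utc)
    return d


def correlate(access_text, error_text, window=timedelta(seconds=5)):
    """Return one finding per 5xx request, with the exception lines logged
    from the same client within `window` of the request."""
    errors = [e for e in map(parse_error, error_text.splitlines()) if e]
    findings = []
    for line in access_text.splitlines():
        a = parse_access(line)
        if a is None or a["status"] < 500:
            continue
        related = [
            e for e in errors
            if e["ip"] == a["ip"]
            and abs(e["ts"] - a["ts"]) <= window
            and EXCEPTION_RE.search(e["msg"])
        ]
        findings.append({
            "principal": a["user"],
            "realm": a["user"].rsplit("@", 1)[-1],
            "request": a["req"],
            "status": a["status"],
            "when": a["ts"].isoformat(),
            "exceptions": [e["msg"] for e in related],
        })
    return findings


def failures_by_realm(findings):
    """Count failed requests per Kerberos realm, which is the split the post is chasing."""
    counts = {}
    for f in findings:
        counts[f["realm"]] = counts.get(f["realm"], 0) + 1
    return counts


if __name__ == "__main__":
    found = correlate(ACCESS_LOG, ERROR_LOG)
    for f in found:
        print(f"{f['when']} {f['principal']} {f['request']!r} -> {f['status']}")
        for msg in f["exceptions"]:
            print("    " + msg)
    print(failures_by_realm(found))
```

On the constructed input the only finding is user3's POST to /ipa/json from the trusted realm, with the two mod_wsgi lines attached; the earlier exception pair from 192.168.96.3 is dropped because it comes from a different client six minutes before, and the INFO and perms-warning lines for user1 are dropped because they belong to 200 responses. Run over real logs from a server where the problem persists, the per-realm count makes it obvious whether the failure is specific to AD principals or affects local ones too.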