I have an issue with my IPA server. Suddenly, after some recent system update, I am unable to log in to the web UI or execute any command due to an 'unknown reason' and some "Unspecified GSS failure." I went through the suggested debugging process but no luck. I've seen similar issues in the past marked as a bug, but without a clean solution other than `updating to a newer version of ipa`.
So I've filed a bug report assuming that it could be a bug again. https://pagure.io/freeipa/issue/8065
Unfortunately, devs might be too busy to look into that, so I was wondering if there is a way that I could re-install ipa-server without creating complete chaos, while keeping all DNS/USER/HOSTS data?
Any suggestions?
Thanks!
Albert Szostkiewicz via FreeIPA-users wrote:
I have an issue with my IPA server. Suddenly, after some recent system update, I am unable to log in to the web UI or execute any command due to an 'unknown reason' and some "Unspecified GSS failure." I went through the suggested debugging process but no luck. I've seen similar issues in the past marked as a bug, but without a clean solution other than `updating to a newer version of ipa`.
You upgraded from what version?
What debugging did you try?
So I've filed a bug report assuming that it could be a bug again. https://pagure.io/freeipa/issue/8065
Unfortunately, devs might be too busy to look into that, so I was wondering if there is a way that I could re-install ipa-server without creating complete chaos, while keeping all DNS/USER/HOSTS data?
There is no non-destructive way to re-install.
rob
You upgraded from what version?
*Updated. Simple dnf update that I do regularly on the Fedora 29 server where FreeIPA is installed. Unfortunately, it was quite a while ago and I am unable to pinpoint exactly which libraries got updated. This is my best theory, as I do not recall playing with configs (I am not a power user and I was just enjoying my few boxes provisioned without messing around).
What debugging did you try?
Maybe debugging is not a good wording here - I went through the 'troubleshooting' guides provided on the freeipa website, as much as I could understand them as a mortal user. At least to my non-experienced eye, everything is set as it should be and all daemons are working.
On the internet, when googling "GSS Failure" I found a suggestion on stackexchange https://tinyurl.com/y6q7ou62 - "duplicate PTR Record can cause issues"
While I don't see duplicates, the user cannot resolve the IP, but I'm not sure if that is ok or not:
From the server itself, when asked by own ip:
$ dig -x 10.0.1.10
;; ANSWER SECTION:
10.1.0.10.in-addr.arpa. 86400 IN PTR ipaserv.home.mydomain.com.

$ host ipaserv.home.mydomain.com
ipaserv.home.mydomain.com has address 10.0.1.10
ipaserv.home.mydomain.com has IPv6 address fe80::c8e5:xxxx:xxxx:xxxx

$ host 10.0.1.10
10.1.0.10.in-addr.arpa domain name pointer ipaserv.home.mydomain.com.

From user desktop, I am not getting an answer: (?)

$ dig -x 10.0.1.10
;; QUESTION SECTION:
;10.1.0.10.in-addr.arpa. IN PTR

;; AUTHORITY SECTION:
10.IN-ADDR.ARPA. 86400 IN SOA 10.IN-ADDR.ARPA. . 0 28800 7200 604800 86400

;; Query time: 0 msec
;; SERVER: 10.0.1.10#53(10.0.1.10)

$ host 10.0.1.10
Host 10.1.0.10.in-addr.arpa. not found: 3(NXDOMAIN)

$ host ipaserv.home.mydomain.com
ipaserv.home.mydomain.com has address 10.0.1.10
ipaserv.home.mydomain.com has IPv6 address fe80::c8e5:xxxx:xxxx:xxxx

$ cat /etc/hosts
10.0.1.10 ipaserv.home.mydomain.com ipaserv
10.0.1.4 usera.home.mydomain.com usera
I'm really not a power user and I'm trying everything to the best of my knowledge to figure it out. If you have any clues or suggestions, I would appreciate it! Thanks!
Albert Szostkiewicz via FreeIPA-users wrote:
You upgraded from what version?
*Updated. Simple dnf update that I do regularly on the Fedora 29 server where FreeIPA is installed. Unfortunately, it was quite a while ago and I am unable to pinpoint exactly which libraries got updated. This is my best theory, as I do not recall playing with configs (I am not a power user and I was just enjoying my few boxes provisioned without messing around).
/var/log/dnf*.log* should have details on what packages were updated and when.
What debugging did you try?
Maybe debugging is not a good wording here - I went through the 'troubleshooting' guides provided on the freeipa website, as much as I could understand them as a mortal user. At least to my non-experienced eye, everything is set as it should be and all daemons are working.
On the internet, when googling "GSS Failure" I found a suggestion on stackexchange https://tinyurl.com/y6q7ou62
- "duplicate PTR Record can cause issues"
While I don't see duplicates, the user cannot resolve the IP, but I'm not sure if that is ok or not:
From the server itself, when asked by own ip:
$ dig -x 10.0.1.10
;; ANSWER SECTION:
10.1.0.10.in-addr.arpa. 86400 IN PTR ipaserv.home.mydomain.com.

$ host ipaserv.home.mydomain.com
ipaserv.home.mydomain.com has address 10.0.1.10
ipaserv.home.mydomain.com has IPv6 address fe80::c8e5:xxxx:xxxx:xxxx

$ host 10.0.1.10
10.1.0.10.in-addr.arpa domain name pointer ipaserv.home.mydomain.com.

From user desktop, I am not getting an answer: (?)

$ dig -x 10.0.1.10
;; QUESTION SECTION:
;10.1.0.10.in-addr.arpa. IN PTR

;; AUTHORITY SECTION:
10.IN-ADDR.ARPA. 86400 IN SOA 10.IN-ADDR.ARPA. . 0 28800 7200 604800 86400

;; Query time: 0 msec
;; SERVER: 10.0.1.10#53(10.0.1.10)

$ host 10.0.1.10
Host 10.1.0.10.in-addr.arpa. not found: 3(NXDOMAIN)

$ host ipaserv.home.mydomain.com
ipaserv.home.mydomain.com has address 10.0.1.10
ipaserv.home.mydomain.com has IPv6 address fe80::c8e5:xxxx:xxxx:xxxx

$ cat /etc/hosts
10.0.1.10 ipaserv.home.mydomain.com ipaserv
10.0.1.4 usera.home.mydomain.com usera
I'm really not a power user and I'm trying everything to the best of my knowledge to figure it out. If you have any clues or suggestions, I would appreciate it! Thanks!
/var/log/krb5kdc.log might have more details on the GSS failures, or the journal.
rob
Thanks for reply Rob!
/var/log/krb5kdc.log might have more details on the GSS failures, or the journal.
Yeah, I've checked that as well. Unfortunately 'Preauthentication failed' was no more explanatory to me. After two weeks of searching for answers, I gave up and decided to reinstall the ipa server.
I guess, one has to have much deeper knowledge to use it properly and I am just a mortal user :)
/var/log/krb5kdc.log
38:21 (info): TGS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.1.10: ISSUE: authtime 1568572691, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, admin@HOME.MYDOMAIN.COM for HTTP/ipa.home.mydomain.com@HOME.MYDOMAIN.COM
38:21 (info): closing down fd 11
38:21 (info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.1.10: NEEDED_PREAUTH: HTTP/ipa.home.mydomain.com@HOME.MYDOMAIN.COM for krbtgt/HOME.MYDOMAIN.COM@HOME.MYDOMAIN.COM, Additional pre-authentication required
38:21 (info): closing down fd 11
38:21 (info): preauth (spake) verify failure: Preauthentication failed
38:21 (info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.1.10: PREAUTH_FAILED: HTTP/ipa.home.mydomain.com@HOME.MYDOMAIN.COM for krbtgt/HOME.MYDOMAIN.COM@HOME.MYDOMAIN.COM, Preauthentication failed
38:21 (info): closing down fd 11
38:21 (info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.1.10: NEEDED_PREAUTH: HTTP/ipa.home.mydomain.com@HOME.MYDOMAIN.COM for krbtgt/HOME.MYDOMAIN.COM@HOME.MYDOMAIN.COM, Additional pre-authentication required
38:21 (info): closing down fd 11
38:21 (info): preauth (spake) verify failure: Preauthentication failed
38:21 (info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.1.10: PREAUTH_FAILED: HTTP/ipa.home.mydomain.com@HOME.MYDOMAIN.COM for krbtgt/HOME.MYDOMAIN.COM@HOME.MYDOMAIN.COM, Preauthentication failed
38:21 (info): closing down fd 11
Cheers!
I have another reason to want to do a reinstall.
I have 3 Centos 7 servers. I want to move to Centos 8. (eventually. I’ll do some testing first). The official approach is a new installation. Obviously I can create 3 replicas and kill the originals. But then I’ll have to find every client and update the hostnames of the servers in their configurations. We use DNS discovery where possible, but we have software that can’t do it, and of course the admin server attribute in krb5.conf doesn’t support it. Trying to find everything that needs reconfiguring is going to be a bit of a mess.
I’d like to end up with new servers having the same hostnames. This is a bit of a different situation from the original request, since I have all the data on 3 servers. Does it make sense to kill a replica and then create a new replica with the same hostname?
Last time I tried to kill a replica and reinstall, it failed. There were things left over preventing the installation. But that was a couple of years ago, so things might be better now.
On Sep 19, 2019, at 11:51 AM, Albert Szostkiewicz via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
Thanks for reply Rob!
/var/log/krb5kdc.log might have more details on the GSS failures, or the journal.
Yeah, I've checked that as well. Unfortunately 'Preauthentication failed' was no more explanatory to me. After two weeks of searching for answers, I gave up and decided to reinstall the ipa server.
I guess, one has to have much deeper knowledge to use it properly and I am just a mortal user :)
/var/log/krb5kdc.log
38:21 (info): TGS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.1.10: ISSUE: authtime 1568572691, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, admin@HOME.MYDOMAIN.COM for HTTP/ipa.home.mydomain.com@HOME.MYDOMAIN.COM
38:21 (info): closing down fd 11
38:21 (info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.1.10: NEEDED_PREAUTH: HTTP/ipa.home.mydomain.com@HOME.MYDOMAIN.COM for krbtgt/HOME.MYDOMAIN.COM@HOME.MYDOMAIN.COM, Additional pre-authentication required
38:21 (info): closing down fd 11
38:21 (info): preauth (spake) verify failure: Preauthentication failed
38:21 (info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.1.10: PREAUTH_FAILED: HTTP/ipa.home.mydomain.com@HOME.MYDOMAIN.COM for krbtgt/HOME.MYDOMAIN.COM@HOME.MYDOMAIN.COM, Preauthentication failed
38:21 (info): closing down fd 11
38:21 (info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.1.10: NEEDED_PREAUTH: HTTP/ipa.home.mydomain.com@HOME.MYDOMAIN.COM for krbtgt/HOME.MYDOMAIN.COM@HOME.MYDOMAIN.COM, Additional pre-authentication required
38:21 (info): closing down fd 11
38:21 (info): preauth (spake) verify failure: Preauthentication failed
38:21 (info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.1.10: PREAUTH_FAILED: HTTP/ipa.home.mydomain.com@HOME.MYDOMAIN.COM for krbtgt/HOME.MYDOMAIN.COM@HOME.MYDOMAIN.COM, Preauthentication failed
38:21 (info): closing down fd 11
Cheers!
Albert Szostkiewicz via FreeIPA-users freeipa-users@lists.fedorahosted.org writes:
Thanks for reply Rob!
/var/log/krb5kdc.log might have more details on the GSS failures, or the journal.
Yeah, I've checked that as well. Unfortunately 'Preauthentication failed' was no more explanatory to me.
Here, it means that a mismatch has occurred between the keytab and the KDC's view of the world.
"preauthentication" is the first part of requesting a Kerberos ticket from the KDC in a modern workflow, wherein the client proves its identity to the server.
I would guess that, if you ran `kvno HTTP/ipa.home.mydomain.com`, it would not match the kvno listed in your webserver's keytab. Probably at some point a new keytab was issued, incrementing the kvno, but it wasn't copied to this server.
Thanks, --Robbie
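Robbie's diagnosis above can be checked without guessing: list the key version numbers in the web server's keytab (`klist -kt /etc/httpd/conf/ipa.keytab`, the path FreeIPA uses for its HTTP keytab) and compare them with the kvno the KDC reports for the same principal (`kvno HTTP/<fqdn>`, run with a valid TGT). The script below is an added example, not code from the thread or from FreeIPA; it parses captured output of those two MIT Kerberos commands and classifies each principal as ok, stale or missing. The sample outputs embedded in it are constructed for illustration (kvno 2 in the keytab versus kvno 3 at the KDC, the situation Robbie describes).

```python
"""Compare the key version numbers (kvno) in a service keytab with the
kvno the KDC currently uses, working offline on captured command output."""
import re

# Constructed sample of `klist -kt /etc/httpd/conf/ipa.keytab` output.
# The path is FreeIPA's HTTP keytab; timestamps and kvnos are made up.
KEYTAB_LISTING = """\
Keytab name: FILE:/etc/httpd/conf/ipa.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 09/10/2019 08:14:02 HTTP/ipa.home.mydomain.com@HOME.MYDOMAIN.COM
   2 09/10/2019 08:14:02 HTTP/ipa.home.mydomain.com@HOME.MYDOMAIN.COM
"""

# Constructed sample of `kvno HTTP/ipa.home.mydomain.com` output. The kvno
# reported here is the version of the key the KDC used for the service ticket.
KVNO_OUTPUT = "HTTP/ipa.home.mydomain.com@HOME.MYDOMAIN.COM: kvno = 3\n"

# `kvno` prints one line per principal: "<principal>: kvno = <n>".
KVNO_LINE = re.compile(r"^(\S+@\S+): kvno = (\d+)\s*$")


def parse_keytab_listing(text):
    """Map each principal in a `klist -kt` listing to the set of kvnos it holds.

    Entry lines start with a numeric kvno and end with the principal; header
    and separator lines are skipped because they fail that shape test."""
    kvnos = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or not parts[0].isdigit() or "@" not in parts[-1]:
            continue
        kvnos.setdefault(parts[-1], set()).add(int(parts[0]))
    return kvnos


def parse_kvno_output(text):
    """Map each principal in `kvno` output to the kvno the KDC reported."""
    result = {}
    for line in text.splitlines():
        match = KVNO_LINE.match(line)
        if match:
            result[match.group(1)] = int(match.group(2))
    return result


def check_keytab_against_kdc(keytab_text, kvno_text):
    """Classify the local keytab for every principal the KDC reported.

    'ok'      - the keytab holds the kvno the KDC is using
    'stale'   - the keytab only holds older kvnos (the mismatch that shows up
                as 'Preauthentication failed' / 'Unspecified GSS failure')
    'missing' - the principal is not in the keytab at all"""
    keytab = parse_keytab_listing(keytab_text)
    report = {}
    for principal, kdc_kvno in parse_kvno_output(kvno_text).items():
        local = keytab.get(principal, set())
        if kdc_kvno in local:
            status = "ok"
        elif local:
            status = "stale"
        else:
            status = "missing"
        report[principal] = {
            "status": status,
            "keytab_kvnos": sorted(local),
            "kdc_kvno": kdc_kvno,
        }
    return report


if __name__ == "__main__":
    for principal, info in check_keytab_against_kdc(KEYTAB_LISTING, KVNO_OUTPUT).items():
        print(f"{principal}: {info['status']} "
              f"(keytab kvnos {info['keytab_kvnos']}, KDC kvno {info['kdc_kvno']})")
```

On a live server, feed the script the real output of the two commands instead of the constructed samples. A 'stale' result confirms the mismatch Robbie describes; because fetching a fresh keytab re-keys the principal and raises the kvno again, whatever keytab is issued has to reach every server that shares that principal, or the others go stale in turn.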