freeipa / freeipa-container

FreeIPA server in containers — images at https://quay.io/repository/freeipa/freeipa-server?tab=tags
Apache License 2.0

Login failures after upgrades from 4.9.11 for a freeipa master container #591

Closed Krmloo closed 9 months ago

Krmloo commented 9 months ago

When upgrading a master node from fedora-35-4.9.11 image to more recent ones (attempted both fedora-39-4.11.1 and fedora-38-4.10.3) the login flow breaks for all non-admin users.

Upgrade script itself seems to be working without issues:

...
Certificate is OK; nothing to do
The IPA services were upgraded
The ipa-server-upgrade command was successful
Upgrading IPA services
Disabled p11-kit-proxy
FreeIPA server upgraded.

Then: the Web UI states "The password or username you entered is incorrect" instantly for non-admin users; kinit [user] displays "kinit: Generic error (see e-text) while getting initial credentials"; kinit admin works as expected; ipactl status states all services are up:

ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful

krb5kdc.log:

Feb 22 18:41:29 [hostname].[domain] krb5kdc[298](info): closing down fd 11
Feb 22 18:41:29 [hostname].[domain] krb5kdc[299](info): AS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) [ip]: NEEDED_PREAUTH: host/[hostname].[domain]@[REALM] for krbtgt/[REALM]@[REALM], Additional pre-authentication required
Feb 22 18:41:29 [hostname].[domain] krb5kdc[299](info): closing down fd 11
Feb 22 18:41:29 [hostname].[domain] krb5kdc[298](info): preauth (spake) verify failure: Preauthentication failed
Feb 22 18:41:29 [hostname].[domain] krb5kdc[298](info): AS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) [ip]: PREAUTH_FAILED: host/[hostname].[domain]@[REALM] for krbtgt/[REALM]@[REALM], Preauthentication failed
Feb 22 18:41:29 [hostname].[domain] krb5kdc[298](info): closing down fd 11

Upgrading to fedora-36-4.9.11 works without any problems, despite still running the same update script. Are there any breaking changes for the 4.9->4.10 upgrade that could be the cause here?

rcritten commented 9 months ago

This is not a container-specific issue. A SID is required for all IPA users to address a security issue. Please see https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/ for multiple threads about this and the solution.
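To turn the maintainer's answer into a concrete post-upgrade check, here is an added example (my own code, not part of the issue thread or the freeipa-container project) that audits which IPA user entries lack an ipaNTSecurityIdentifier attribute. It parses LDIF such as ldapsearch prints; the base DN, user names and SID values in the embedded sample are constructed for the demonstration, and the ldapsearch invocation in the docstring is an assumption about how you would obtain the real input.

```python
"""Audit IPA users for a missing ipaNTSecurityIdentifier (SID).

Added example for this thread, not project code. Feed it LDIF, e.g. from
(hypothetical base DN; adjust to your realm):
  ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=test \
      "(objectClass=posixaccount)" uid ipaNTSecurityIdentifier
"""
import sys
from typing import Dict, List

# Constructed sample output (not from the issue); "alice" has no SID.
SAMPLE_LDIF = """\
dn: uid=admin,cn=users,cn=accounts,dc=example,dc=test
uid: admin
ipaNTSecurityIdentifier: S-1-5-21-1111111111-2222222222-3333333333-500

dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
uid: bob
ipaNTSecurityIdentifier: S-1-5-21-1111111111-22222222
 22-3333333333-1001
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: blank line separates entries, a leading space
    folds a long value onto the previous line, '#' lines are comments."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    last_attr = None
    for line in text.splitlines():
        if line == "":
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if line.startswith("#"):
            continue
        if line.startswith(" ") and last_attr is not None:
            # Continuation line: append to the last value of the last attribute.
            current[last_attr][-1] += line[1:]
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue  # not an attribute line; ignore
        if value.startswith(":"):
            value = value[1:]  # "attr:: base64" form; value kept as-is
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def users_missing_sid(ldif_text: str) -> List[str]:
    """Return uids of user entries that carry no ipaNTSecurityIdentifier."""
    missing = []
    for entry in parse_ldif(ldif_text):
        uids = entry.get("uid")
        if not uids:
            continue  # not a user entry
        if not entry.get("ipaNTSecurityIdentifier"):
            missing.append(uids[0])
    return missing


def sid_report(ldif_text: str) -> Dict[str, object]:
    """Summary suitable for a post-upgrade checklist."""
    entries = [e for e in parse_ldif(ldif_text) if e.get("uid")]
    missing = users_missing_sid(ldif_text)
    return {
        "users": len(entries),
        "with_sid": len(entries) - len(missing),
        "missing": missing,
    }


if __name__ == "__main__":
    # Pipe real ldapsearch output in; with no stdin data the sample is used.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    report = sid_report(data)
    print(f"{report['with_sid']}/{report['users']} users have a SID")
    for uid in report["missing"]:
        print(f"missing SID: {uid}")
    sys.exit(1 if report["missing"] else 0)
```

Any uid the script lists is a user whose Kerberos logins would be expected to fail after the upgrade the issue describes, which is a quicker triage than reading "preauth verify failure" lines out of krb5kdc.log one at a time. The remediation itself is the one discussed in the freeipa-users threads the maintainer links (not stated on this page); the non-zero exit code makes the check easy to wire into a container upgrade script so an incomplete SID rollout is caught before users notice.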