← Back to team overview

freeipa team mailing list archive

Re: [Bug 1791325] Re: freeipa server needs read access /var/lib/krb5kdc

 

*** This bug is a duplicate of bug 1772447 ***
    https://bugs.launchpad.net/bugs/1772447

I agree with Russ.
On the Debian side, I would not support a change to krb5-kdc to make
/var/lib/krb5kdc world readable.
I think putting the public cert in /etc/krb5kdc is fine: I can make a
case it's configuration not state.
If you don't like that, place it somewhere else under /var/lib.

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1791325

Title:
  freeipa server needs read access /var/lib/krb5kdc

Status in freeipa package in Ubuntu:
  New
Status in krb5 package in Ubuntu:
  New

Bug description:
  After installing freeipa-server you cannot login via the browser. You'll get
  a message: "Login failed due to an unknown reason."

  In /var/log/apache2/error.log there is this:
  ---------------------8X-----------------8X------------------
  [Thu Sep 06 12:00:28.720410 2018] [wsgi:error] [pid 6137:tid 140075658061568] [remote 10.83.0.11:38596] ipa: INFO: [jsonserver_kerb] host/usrv1.ijtest.nl@xxxxxxxxx: schema(version=u'2.170'): SUCCESS
  [Thu Sep 06 12:01:00.010427 2018] [:warn] [pid 6140:tid 140076243191552] [client 10.83.0.11:38608] failed to set perms (3140) on file (/var/run/ipa/ccaches/host~usrv1.ijtest.nl@xxxxxxxxx)!, referer: https://usrv1.ijtest.nl/ipa/xml
  [Thu Sep 06 12:01:00.099271 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 10.83.0.11:38608] ipa: INFO: [jsonserver_session] host/usrv1.ijtest.nl@xxxxxxxxx: ping(): SUCCESS
  [Thu Sep 06 12:01:00.101695 2018] [:warn] [pid 6140:tid 140076130498304] [client 10.83.0.11:38608] failed to set perms (3140) on file (/var/run/ipa/ccaches/host~usrv1.ijtest.nl@xxxxxxxxx)!, referer: https://usrv1.ijtest.nl/ipa/xml
  [Thu Sep 06 12:01:00.273013 2018] [wsgi:error] [pid 6137:tid 140075658061568] [remote 10.83.0.11:38608] ipa: INFO: [jsonserver_session] host/usrv1.ijtest.nl@xxxxxxxxx: ca_is_enabled(version=u'2.107'): SUCCESS
  [Thu Sep 06 12:01:02.805635 2018] [:warn] [pid 6140:tid 140076234798848] [client 10.83.0.11:38608] failed to set perms (3140) on file (/var/run/ipa/ccaches/host~usrv1.ijtest.nl@xxxxxxxxx)!, referer: https://usrv1.ijtest.nl/ipa/xml
  [Thu Sep 06 12:01:02.999541 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 10.83.0.11:38608] ipa: INFO: [jsonserver_session] host/usrv1.ijtest.nl@xxxxxxxxx: host_mod(u'usrv1.ijtest.nl', ipasshpubkey=(), updatedns=False, version=u'2.26'): EmptyModlist
  [Thu Sep 06 13:02:22.125841 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] mod_wsgi (pid=6138): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
  [Thu Sep 06 13:02:22.125877 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] Traceback (most recent call last):
  [Thu Sep 06 13:02:22.125898 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014]   File "/usr/share/ipa/wsgi.py", line 57, in application
  [Thu Sep 06 13:02:22.125961 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014]     return api.Backend.wsgi_dispatch(environ, start_response)
  [Thu Sep 06 13:02:22.125972 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014]   File "/usr/lib/python2.7/dist-packages/ipaserver/rpcserver.py", line 265, in __call__
  [Thu Sep 06 13:02:22.128833 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014]     return self.route(environ, start_response)
  [Thu Sep 06 13:02:22.128846 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014]   File "/usr/lib/python2.7/dist-packages/ipaserver/rpcserver.py", line 277, in route
  [Thu Sep 06 13:02:22.128860 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014]     return app(environ, start_response)
  [Thu Sep 06 13:02:22.128872 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014]   File "/usr/lib/python2.7/dist-packages/ipaserver/rpcserver.py", line 935, in __call__
  [Thu Sep 06 13:02:22.128881 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014]     self.kinit(user_principal, password, ipa_ccache_name)
  [Thu Sep 06 13:02:22.128886 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014]   File "/usr/lib/python2.7/dist-packages/ipaserver/rpcserver.py", line 971, in kinit
  [Thu Sep 06 13:02:22.128892 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014]     pkinit_anchors=[paths.KDC_CERT, paths.KDC_CA_BUNDLE_PEM],
  [Thu Sep 06 13:02:22.128898 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014]   File "/usr/lib/python2.7/dist-packages/ipalib/install/kinit.py", line 125, in kinit_armor
  [Thu Sep 06 13:02:22.133878 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014]     run(args, env=env, raiseonerr=True, capture_error=True)
  [Thu Sep 06 13:02:22.133892 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014]   File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 572, in run
  [Thu Sep 06 13:02:22.138435 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014]     p.returncode, arg_string, output_log, error_log
  [Thu Sep 06 13:02:22.138488 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] CalledProcessError: CalledProcessError(Command ['/usr/bin/kinit', '-n', '-c', '/var/run/ipa/ccaches/armor_6138', '-X', 'X509_anchors=FILE:/var/lib/krb5kdc/kdc.crt', '-X', 'X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem'] returned non-zero exit status 1: "kinit: Pre-authentication failed: Cannot open file '/var/lib/krb5kdc/kdc.crt': Permission denied while getting initial credentials\\n")
  ---------------------8X-----------------8X------------------

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1791325/+subscriptions


References