Hi,

the server is in a strange situation as it has in the file a keytab with kvno 2 but in the LDAP database kvno 1. This could happen if the keytab was renewed someday but there was an ipa-restore or re-initialize from other replicas which would not know of this new one.

To fix the issue I would try to retrieve the keytab with kvno 1 with the following command:

ipa-getkeytab -r -p 'HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr' -D cn=directory\ manager -w Secret123 -k /tmp/gssproxy.keytab

The -r option is very important as it allows retrieving the keytab (without the -r option, a new keytab gets generated).

Then check that the new keytab has kvno 1 as expected with klist -kte /tmp/gssproxy.keytab, and try kinit with this one. If it succeeds, replace the file /var/lib/ipa/gssproxy/http.keytab with /tmp/gssproxy.keytab (make a backup first) and restart ipa services with ipactl restart.

You should also check that there is no replication issue between your servers.

flo

On Thu, Jan 30, 2025 at 10:48 AM Frederic Ayrault <f...@lix.polytechnique.fr> wrote:

> Hello,
>
> On 30/01/2025 at 10:30, Florence Blanc-Renaud wrote:
> > Hi,
> >
> > The kerberos pre-authentication is failing for HTTP/$HOSTNAME.
> > Can you run
> > # klist -kte /var/lib/ipa/gssproxy/http.keytab
>
> entries are duplicated and KVNO is not 1 like the replicas, or kvno HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr returns HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr: kvno = 1 (I found this command on google but I do not know what I am doing)
>
> Keytab name: FILE:/var/lib/ipa/gssproxy/http.keytab
> KVNO Timestamp           Principal
> ---- ------------------- ------------------------------------------------------
>    2 28/09/2023 17:13:53 HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr (aes256-cts-hmac-sha1-96)
>    2 28/09/2023 17:13:53 HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr (aes128-cts-hmac-sha1-96)
>    2 28/09/2023 17:13:53 HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr (des3-cbc-sha1)
>    2 28/09/2023 17:13:53 HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr (arcfour-hmac)
>    2 28/09/2023 15:45:17 HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr (aes256-cts-hmac-sha1-96)
>    2 28/09/2023 15:45:17 HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr (aes128-cts-hmac-sha1-96)
>    2 28/09/2023 15:45:17 HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr (des3-cbc-sha1)
>    2 28/09/2023 15:45:17 HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr (arcfour-hmac)
>
> > Note the exact principal name, then try
> > # KRB5_TRACE=/dev/stderr kinit -kt /var/lib/ipa/gssproxy/http.keytab $PRINCIPAL
>
> here is what I get from console
>
> [6402] 1738229690.634028: Resolving unique ccache of type KEYRING
> [6402] 1738229690.634029: Getting initial credentials for HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr
> [6402] 1738229690.634030: Looked up etypes in keytab: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac
> [6402] 1738229690.634032: Sending unauthenticated request
> [6402] 1738229690.634033: Sending request (215 bytes) to LIX.POLYTECHNIQUE.FR
> [6402] 1738229690.634034: Initiating TCP connection to stream 193.55.176.152:88
> [6402] 1738229690.634035: Sending TCP request to stream 193.55.176.152:88
> [6402] 1738229690.634036: Received answer (352 bytes) from stream 193.55.176.152:88
> [6402] 1738229690.634037: Terminating TCP connection to stream 193.55.176.152:88
> [6402] 1738229690.634038: Response was from master KDC
> [6402] 1738229690.634039: Received error from KDC: -1765328359/Additional pre-authentication required
> [6402] 1738229690.634042: Preauthenticating using KDC method data
> [6402] 1738229690.634043: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-PK-AS-REQ_OLD (14), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-ENC-TIMESTAMP (2), PA-FX-COOKIE (133)
> [6402] 1738229690.634044: Selected etype info: etype aes256-cts, salt "B(H"|0MI*@=l?gT\", params ""
> [6402] 1738229690.634045: Received cookie: MIT
> [6402] 1738229690.634046: PKINIT client has no configured identity; giving up
> [6402] 1738229690.634047: Preauth module pkinit (147) (info) returned: 0/Success
> [6402] 1738229690.634048: PKINIT client has no configured identity; giving up
> [6402] 1738229690.634049: Preauth module pkinit (16) (real) returned: 22/Argument invalide
> [6402] 1738229690.634050: PKINIT client has no configured identity; giving up
> [6402] 1738229690.634051: Preauth module pkinit (14) (real) returned: 22/Argument invalide
> [6402] 1738229690.634052: Retrieving HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr from FILE:/var/lib/ipa/gssproxy/http.keytab (vno 0, enctype aes256-cts) with result: 0/Success
> [6402] 1738229690.634053: AS key obtained for encrypted timestamp: aes256-cts/CF42
> [6402] 1738229690.634055: Encrypted timestamp (for 1738229690.640142): plain 301AA011180F32303235303133303039333435305AA105020309C48E, encrypted DFDBA80FB60F3347BA2554153959E46BCE008762BD0AFE647CA0E78028212C7D67C209AABCBABF1FE80CB70394BA12B3440F97FA2DD4938A
> [6402] 1738229690.634056: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
> [6402] 1738229690.634057: Produced preauth for next request: PA-FX-COOKIE (133), PA-ENC-TIMESTAMP (2)
> [6402] 1738229690.634058: Sending request (310 bytes) to LIX.POLYTECHNIQUE.FR
> [6402] 1738229690.634059: Initiating TCP connection to stream 193.55.176.152:88
> [6402] 1738229690.634060: Sending TCP request to stream 193.55.176.152:88
> [6402] 1738229690.634061: Received answer (352 bytes) from stream 193.55.176.152:88
> [6402] 1738229690.634062: Terminating TCP connection to stream 193.55.176.152:88
> [6402] 1738229690.634063: Response was from master KDC
> [6402] 1738229690.634064: Received error from KDC: -1765328360/Preauthentication failed
> [6402] 1738229690.634067: Preauthenticating using KDC method data
> [6402] 1738229690.634068: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-PK-AS-REQ_OLD (14), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-ENC-TIMESTAMP (2), PA-FX-COOKIE (133)
> [6402] 1738229690.634069: Selected etype info: etype aes256-cts, salt "B(H"|0MI*@=l?gT\", params ""
> [6402] 1738229690.634070: Received cookie: MIT
> [6402] 1738229690.634071: Preauth module pkinit (147) (info) returned: 0/Success
> [6402] 1738229690.634072: PKINIT client has no configured identity; giving up
> [6402] 1738229690.634073: Preauth module pkinit (14) (real) returned: 22/Argument invalide
> kinit: Preauthentication failed while getting initial credentials
>
> > and check the logs in /var/log/krb5kdc.log
>
> and in the log
>
> Jan 30 10:34:50 ipa4.lix.polytechnique.fr krb5kdc[30130](info): AS_REQ (8 etypes {18 17 16 23 20 19 25 26}) 193.55.176.152: NEEDED_PREAUTH: HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr for krbtgt/lix.polytechnique...@lix.polytechnique.fr, Additional pre-authentication required
> Jan 30 10:34:50 ipa4.lix.polytechnique.fr krb5kdc[30130](info): closing down fd 11
> Jan 30 10:34:50 ipa4.lix.polytechnique.fr krb5kdc[30130](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
> Jan 30 10:34:50 ipa4.lix.polytechnique.fr krb5kdc[30130](info): AS_REQ (8 etypes {18 17 16 23 20 19 25 26}) 193.55.176.152: PREAUTH_FAILED: HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr for krbtgt/lix.polytechnique...@lix.polytechnique.fr, Preauthentication failed
> Jan 30 10:34:50 ipa4.lix.polytechnique.fr krb5kdc[30130](info): closing down fd 11
> Jan 30 10:36:06 ipa4.lix.polytechnique.fr krb5kdc[30130](info): closing down fd 11
>
> > flo
>
> Thank you for your help
>
> Regards
>
> Frederic
>
> > On Wed, Jan 22, 2025 at 6:40 PM Frederic Ayrault via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> >
> > > Good evening,
> > >
> > > On 22/01/2025 at 17:45, Florence Blanc-Renaud via FreeIPA-users wrote:
> > > > Hi,
> > > >
> > > > CA-less => did you install the server with a PKINIT certificate (with --pkinit-cert-file) or with --no-pkinit?
> > >
> > > All the servers were installed with --no-pkinit (I have 4 replicas and only have the problem on the master)
> > >
> > > > You can also check if gssproxy service is up and running and follow the troubleshooting steps from https://www.freeipa.org/page/Troubleshooting/PrivilegeSeparation
> > >
> > > gssproxy is active (running)
> > >
> > > I did setup the debug_level for gssproxy, and here is what I get when I run the ipa ping
> > >
> > > Jan 22 18:21:51 ipa4 gssproxy: [2025/01/22 17:21:51]: Client connected (fd = 10)[2025/01/22 17:21:51]: (pid = 12908) (uid = 0) (gid = 0)[2025/01/22 17:21:51]: (context = system_u:system_r:kernel_t:s0)[2025/01/22 17:21:51]:
> > > Jan 22 18:23:56 ipa4 gssproxy: [2025/01/22 17:23:56]: Client connected (fd = 11)[2025/01/22 17:23:56]: (pid = 1267) (uid = 48) (gid = 48)[2025/01/22 17:23:56]: (context = system_u:system_r:httpd_t:s0)[2025/01/22 17:23:56]:
> > > Jan 22 18:23:56 ipa4 gssproxy: [CID 11][2025/01/22 17:23:56]: gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "ipa-httpd", euid: 48,socket: (null)
> > > Jan 22 18:23:56 ipa4 gssproxy: GSSX_ARG_ACQUIRE_CRED( call_ctx: { "" [ ] } input_cred_handle: <Null> add_cred: 0 desired_name: <Null> time_req: 4294967295 desired_mechs: { { 1 2 840 113554 1 2 2 } } cred_usage: BOTH initiator_time_req: 0 acceptor_time_req: 0 )
> > > Jan 22 18:23:56 ipa4 gssproxy: GSSX_RES_ACQUIRE_CRED( status: { 851968 { 1 2 840 113554 1 2 2 } 2529638936 "Unspecified GSS failure. Minor code may provide more information" "Preauthentication failed" [ ] } output_cred_handle: <Null> )
> > > Jan 22 18:23:56 ipa4 gssproxy: [CID 11][2025/01/22 17:23:56]: gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "ipa-httpd", euid: 48,socket: (null)
> > > Jan 22 18:23:56 ipa4 gssproxy: GSSX_ARG_ACQUIRE_CRED( call_ctx: { "" [ ] } input_cred_handle: <Null> add_cred: 0 desired_name: <Null> time_req: 4294967295 desired_mechs: { { 1 2 840 113554 1 2 2 } } cred_usage: BOTH initiator_time_req: 0 acceptor_time_req: 0 )
> > > Jan 22 18:23:56 ipa4 gssproxy: GSSX_RES_ACQUIRE_CRED( status: { 851968 { 1 2 840 113554 1 2 2 } 2529638936 "Unspecified GSS failure. Minor code may provide more information" "Preauthentication failed" [ ] } output_cred_handle: <Null> )
> > >
> > > I run getcert list, I have 1 certificate, its status is monitoring and will expire in December
> > >
> > > > flo
> > >
> > > Thank you for your help
> > >
> > > Regards,
> > >
> > > Frederic
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
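As an added example, not code from the thread or from FreeIPA: a small shell check for the condition diagnosed above, a keytab whose KVNO entries do not match the KVNO the KDC reports for the principal. It parses `klist -kte` and `kvno` output; the samples below are constructed with a placeholder principal and realm so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): compare the key version numbers (KVNO)
# held in a keytab file for a principal with the KVNO the KDC reports, the
# mismatch diagnosed above (keytab says kvno 2, LDAP/KDC says kvno 1).

# keytab_kvnos: read `klist -kte` output on stdin, print the distinct KVNOs
# found for PRINCIPAL, one per line, ascending (duplicate entries collapse).
keytab_kvnos() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $4 == p { print $1 }' | sort -nu
}

# kdc_kvno: read `kvno PRINCIPAL` output ("<principal>: kvno = N") on stdin
# and print N, the version the KDC (and so the LDAP backend) currently holds.
kdc_kvno() {
    sed -n 's/^.*: kvno = \([0-9][0-9]*\).*$/\1/p' | head -n 1
}

# check_keytab PRINCIPAL KLIST_OUTPUT KVNO_OUTPUT: return 0 when the keytab
# holds exactly one KVNO for the principal and it equals the KDC's; otherwise
# describe the mismatch on stderr and return 1.
check_keytab() {
    princ=$1
    want=$(printf '%s\n' "$3" | kdc_kvno)
    have=$(printf '%s\n' "$2" | keytab_kvnos "$princ" | tr '\n' ' ')
    have=${have% }
    case " $have " in
        " $want ") return 0 ;;
    esac
    echo "KVNO mismatch for $princ: keytab has [$have], KDC reports [$want]" >&2
    return 1
}

# Constructed samples modelled on the thread's output; the principal and realm
# are placeholders, not the poster's.
P=HTTP/ipa4.example.test@EXAMPLE.TEST
KLIST_BAD='Keytab name: FILE:/var/lib/ipa/gssproxy/http.keytab
KVNO Timestamp           Principal
---- ------------------- --------------------------------------------------
   2 28/09/2023 17:13:53 HTTP/ipa4.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   2 28/09/2023 15:45:17 HTTP/ipa4.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)'
KLIST_GOOD='Keytab name: FILE:/tmp/gssproxy.keytab
KVNO Timestamp           Principal
---- ------------------- --------------------------------------------------
   1 30/01/2025 11:02:10 HTTP/ipa4.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)'
KVNO_OUT='HTTP/ipa4.example.test@EXAMPLE.TEST: kvno = 1'

# On a live server: check_keytab "$P" "$(klist -kte "$KT")" "$(kvno "$P")"
check_keytab "$P" "$KLIST_BAD"  "$KVNO_OUT" || echo "old keytab: retrieve kvno $(printf '%s\n' "$KVNO_OUT" | kdc_kvno) with ipa-getkeytab -r"
check_keytab "$P" "$KLIST_GOOD" "$KVNO_OUT" && echo "new keytab matches the KDC"
```

A keytab that holds several KVNOs for the same principal is also reported as a mismatch, since the intended end state is a single KVNO equal to the KDC's.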