From https://issues.redhat.com/browse/RHEL-4874
How reproducible:
[root@example ~]# ipa config-mod --user-auth-type=pkinit
ipa cannot be started
[root@example ~]# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Failed to restart krb5kdc Service
Shutting down
Steps to Reproduce:
[root@example ~]# ipa config-mod --user-auth-type={otp,pkinit}
  Maximum username length: 32
  Maximum hostname length: 64
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: test.realm
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=TEST.REALM
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash, KDC:Disable Last Success
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$sysadm_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC, nfs:NONE
  Default user authentication types: otp, pkinit
  IPA masters: example.test.realm
  IPA master capable of PKINIT: example.test.realm
  IPA CA servers: example.test.realm
  IPA CA renewal master: example.test.realm
  IPA DNS servers: example.test.realm
[root@example ~]# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Failed to restart krb5kdc Service
Shutting down
[root@example ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: STOPPED
kadmin Service: STOPPED
named Service: STOPPED
httpd Service: STOPPED
ipa-custodia Service: STOPPED
^CCancelled.
------
And the following log entries can be seen in krb5kdc.log during this time.
------
May 02 22:40:41 example.test.realm krb5kdc[103666](Error): Cannot find master key record in database - while fetching master keys list for realm TEST.REALM
May 02 22:43:53 example.test.realm krb5kdc[103761](Error): Cannot find master key record in database - while fetching master keys list for realm TEST.REALM
May 02 22:44:14 example.test.realm krb5kdc[103837](Error): Cannot find master key record in database - while fetching master keys list for realm TEST.REALM
Additionally: the global configuration ipa config-mod --user-auth-type={password,otp} prevents host principals from authenticating with PKINIT. For auto-enrollment we rely on PKINIT with X.509 certs to install IPA clients. One of the test setups had PKINIT globally disabled, and installation of new clients then failed with the error message "KDC policy rejects request".
ipa config-mod --user-auth-type={password,otp}
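Added example (not part of the ticket and not FreeIPA's own code): a pre-flight check for the two configurations the report above describes. It parses the "Default user authentication types" line from ipa config-show style output (a constructed sample here, no live server) and warns when the set omits pkinit (the reporter says host principals then cannot authenticate with PKINIT, so client enrollment fails with "KDC policy rejects request") or omits password (both sets reported to stop krb5kdc, pkinit alone and otp,pkinit, lack password; treating that as the trigger on versions affected by RHEL-4874 is an inference of this example, not a root-cause statement from the ticket). The function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not from the ticket or the FreeIPA project.
# Pre-flight check before running `ipa config-mod --user-auth-type=...`
# and `ipactl restart`, based on the failure modes reported in RHEL-4874.

# Constructed sample of `ipa config-show` output (not captured from a server),
# mirroring the failing configuration in the report.
SAMPLE_CONFIG='  Maximum username length: 32
  Default user authentication types: otp, pkinit
  IPA master capable of PKINIT: example.test.realm'

# Read config-show style text on stdin and print the configured auth types as
# a single space-separated, lower-case list, e.g. "otp pkinit".
auth_types_from_config() {
    sed -n 's/^[[:space:]]*Default user authentication types:[[:space:]]*//p' \
        | tr ',' ' ' | tr -s ' ' | tr '[:upper:]' '[:lower:]' \
        | sed 's/^ *//; s/ *$//'
}

# Take a space- or comma-separated list of auth types (as typed on the
# command line or as printed by config-show) and report the problems the
# ticket describes. Prints one WARN line per finding; returns 0 if none.
check_auth_types() {
    types=" $(printf '%s' "$1" | tr ',' ' ' | tr -s ' ') "
    rc=0
    case "$types" in
        *" pkinit "*) ;;
        *)
            printf 'WARN: pkinit absent: host principals cannot authenticate with PKINIT; client enrollment fails with "KDC policy rejects request"\n'
            rc=1 ;;
    esac
    case "$types" in
        *" password "*) ;;
        *)
            # Assumption of this example: the reported sets that stopped
            # krb5kdc (pkinit; otp,pkinit) both lacked password.
            printf 'WARN: password absent: on versions affected by RHEL-4874 krb5kdc may fail to start ("Cannot find master key record in database")\n'
            rc=1 ;;
    esac
    return $rc
}

# Usage: check the sample, then a set that passes both checks.
current=$(printf '%s\n' "$SAMPLE_CONFIG" | auth_types_from_config)
printf 'configured: %s\n' "$current"
check_auth_types "$current" || printf 'do not run ipactl restart with this set\n'
check_auth_types "password otp pkinit" && printf 'password otp pkinit: ok\n'
```

The check is deliberately conservative: it only looks at the global default, so per-user overrides (ipa user-mod --user-auth-type) are not considered, and it does not replace the post-restart verification of ipactl status and krb5kdc.log shown in the report.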
PR: https://github.com/freeipa/freeipa/pull/7084
Metadata Update from @abbra:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/7084
- Custom field rhbz adjusted to https://issues.redhat.com/browse/RHEL-4874
master:
ipa-4-11:
ipa-4-10:
Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)
Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://issues.redhat.com/browse/RHEL-4874, https://issues.redhat.com/browse/RHEL-21813 (was: https://issues.redhat.com/browse/RHEL-4874)
ipa-4-9: