On Mon, 07 Aug 2017, Troels Hansen via FreeIPA-users wrote:
Hi, we just upgraded one of our FreeIPA 4.4 to FreeIPA 4.5 (running on RHEL) 
and wanted to put this here before creating a bug report with RedHat.

After upgrading we are unable to log into web-ui but everything else seems to 
be working OK.

Web-UI gives us an: "Login failed due to an unknown reason"

I see this in the httpd error log:

[Mon Aug 07 15:27:55.404965 2017] [:error] [pid 1963] [remote] 
mod_wsgi (pid=1963): Exception occurred processing WSGI script 
[Mon Aug 07 15:27:55.405090 2017] [:error] [pid 1963] [remote] 
Traceback (most recent call last):
[Mon Aug 07 15:27:55.405155 2017] [:error] [pid 1963] [remote] File 
"/usr/share/ipa/wsgi.py", line 51, in application
[Mon Aug 07 15:27:55.405341 2017] [:error] [pid 1963] [remote] 
return api.Backend.wsgi_dispatch(environ, start_response)
[Mon Aug 07 15:27:55.405384 2017] [:error] [pid 1963] [remote] File 
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 262, in __call__
[Mon Aug 07 15:27:55.405985 2017] [:error] [pid 1963] [remote] 
return self.route(environ, start_response)
[Mon Aug 07 15:27:55.406040 2017] [:error] [pid 1963] [remote] File 
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 274, in route
[Mon Aug 07 15:27:55.406097 2017] [:error] [pid 1963] [remote] 
return app(environ, start_response)
[Mon Aug 07 15:27:55.406127 2017] [:error] [pid 1963] [remote] File 
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 929, in __call__
[Mon Aug 07 15:27:55.406153 2017] [:error] [pid 1963] [remote] 
self.kinit(user_principal, password, ipa_ccache_name)
[Mon Aug 07 15:27:55.406178 2017] [:error] [pid 1963] [remote] File 
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 965, in kinit
[Mon Aug 07 15:27:55.406200 2017] [:error] [pid 1963] [remote] 
pkinit_anchors=[paths.KDC_CERT, paths.KDC_CA_BUNDLE_PEM],
[Mon Aug 07 15:27:55.406218 2017] [:error] [pid 1963] [remote] File 
"/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 125, in 
[Mon Aug 07 15:27:55.406368 2017] [:error] [pid 1963] [remote] 
run(args, env=env, raiseonerr=True, capture_error=True)
[Mon Aug 07 15:27:55.406402 2017] [:error] [pid 1963] [remote] File 
"/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 511, in run
[Mon Aug 07 15:27:55.407040 2017] [:error] [pid 1963] [remote] 
raise CalledProcessError(p.returncode, arg_string, str(output))
[Mon Aug 07 15:27:55.407135 2017] [:error] [pid 1963] [remote] 
CalledProcessError: Command '/usr/bin/kinit -n -c 
/var/run/ipa/ccaches/armor_1963 -X 
X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X 
X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned non-zero 
exit status 1

Naturally, first thing I tried was disabling SELinux, and reboot, but same 

IPA is version: ipa-server-4.5.0-21.el7.x86_64
(replica being latest 4.4 on RHEL but not sure we dare updating this).

Problem seems much like this: 
But again, not entirely, and that seems SELinux related and things don't 
seem to be SELinux related here.

Also, trying the kinit listed in the error log asks for password. I suspect 
that this should succeed?

/usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_1982 -X 
X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X 

Yes, this should succeed.
Can you run the kinit line with KRB5_TRACE=/dev/stderr kinit ... ?
Also check permissions for /var/kerberos/krb5kdc/kdc.crt and
/var/lib/ipa-client/pki/kdc-ca-bundle.pem for user ipaapi, does it get
access to them?

/ Alexander Bokovoy
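
Added example, not part of either poster's message and not FreeIPA code: one way to carry out the two checks suggested in the reply above, assuming the script is saved under the hypothetical name check_anchors.sh. The helper names check_readable and main are made up here; the paths, the kinit options and KRB5_TRACE are the ones quoted in the thread.

```shell
#!/bin/sh
# The two PKINIT anchors named in the traceback.
KDC_CERT=/var/kerberos/krb5kdc/kdc.crt
CA_BUNDLE=/var/lib/ipa-client/pki/kdc-ca-bundle.pem

# Walk an absolute path one component at a time as the *current* user.
# Prints "ok <path>" or "<reason> <component>"; returns 0 only if readable.
check_readable() {
  case $1 in /*) ;; *) echo "not-absolute $1"; return 2 ;; esac
  cr_rest=${1#/} cr_cur=
  while [ -n "$cr_rest" ]; do
    cr_part=${cr_rest%%/*}
    case $cr_rest in */*) cr_rest=${cr_rest#*/} ;; *) cr_rest= ;; esac
    [ -n "$cr_part" ] || continue          # skip empty parts from "//"
    cr_cur=$cr_cur/$cr_part
    if [ ! -e "$cr_cur" ]; then echo "missing $cr_cur"; return 1; fi
    if [ -n "$cr_rest" ]; then
      # Every directory above the file needs search (x) permission.
      if [ ! -d "$cr_cur" ] || [ ! -x "$cr_cur" ]; then
        echo "no-search $cr_cur"; return 1
      fi
    elif [ ! -f "$cr_cur" ] || [ ! -r "$cr_cur" ]; then
      echo "no-read $cr_cur"; return 1
    fi
  done
  echo "ok $1"
}

main() {
  rc=0
  check_readable "$KDC_CERT" || rc=1
  check_readable "$CA_BUNDLE" || rc=1
  # Only when both anchors are readable: replay the armor request from the
  # log with libkrb5 tracing on stderr, using a throwaway credential cache.
  if [ "$rc" -eq 0 ] && command -v kinit >/dev/null 2>&1; then
    tmp=$(mktemp -d)
    KRB5_TRACE=/dev/stderr kinit -n -c "$tmp/armor" \
      -X "X509_anchors=FILE:$KDC_CERT" -X "X509_anchors=FILE:$CA_BUNDLE" || rc=1
    rm -rf "$tmp"
  fi
  return "$rc"
}

# Run as the service account:  sudo -u ipaapi sh check_anchors.sh run
if [ "${1:-}" = run ]; then main; fi
```

The checks run as whichever user invokes the script, so a shell started with sudo -u ipaapi tests that account's file permissions but not the SELinux context httpd runs in.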