Stefan, I resolved a similar issue on a Fedora host by setting selinux to permissive instead of enforcing. The setting is located in /etc/selinux/config
On Thu, Aug 17, 2017 at 10:37 AM, Stefan Uygur via FreeIPA-users < [email protected]> wrote: > Hi everyone, > > I have an IPA instance installed and working for the last 6 months but > after the patching yesterday the Web UI login has stopped to work. > > > > To be clear the IPA server is fully functional at the backend, the problem > is when I try to login via web UI I get the following error: > > Login failed due to an unknown reason. > > > > The server is a Red Hat Enterprise Linux Server release 7.4 (Maipo) with > the IPA VERSION: 4.5.0, API_VERSION: 2.228 > > > > Furthermore, this is what I get from apache error logs while trying to > login using web UI: > > > > [Thu Aug 17 11:58:40.727456 2017] [:error] [pid 20879] ipa: INFO: *** > PROCESS START *** > > [Thu Aug 17 11:58:40.911349 2017] [:error] [pid 20878] ipa: INFO: *** > PROCESS START *** > > [Thu Aug 17 11:58:57.224594 2017] [auth_gssapi:error] [pid 20884] [client > IPADDR:54323] NO AUTH DATA Client did not send any authentication headers, > referer: https://-ipa1.example.com/ipa/ui/ > > [Thu Aug 17 11:58:57.266259 2017] [auth_gssapi:error] [pid 20884] [client > IPADDR:54323] GSS ERROR In Negotiate Auth: gss_accept_sec_context() failed: > [An unsupported mechanism was requested (Unknown error)], referer: > https://ipa1.example.com/ipa/ui/ > > /usr/lib/python2.7/site-packages/urllib3/connection.py:251: > SecurityWarning: Certificate has no `subjectAltName`, falling back to check > for a `commonName` for now. This feature is being removed by major browsers > and deprecated by RFC 2818. (See https://github.com/shazow/ > urllib3/issues/497 for details.) > > SecurityWarning > > [Thu Aug 17 11:59:03.637157 2017] [:error] [pid 20878] ipa: INFO: 404 Not > Found: URL="/ipa/session/cookie", URL fragment "/session/cookie" does not > have a handler > > [Thu Aug 17 11:59:03.638346 2017] [:error] [pid 20879] ipa: INFO: 401 > Unauthorized: No session cookie found > > [Thu Aug 17 12:00:01.567042 2017] [:error] [pid 20882] SSL Library Error: > -12195 Peer does not recognize and trust the CA that issued your certificate > > [Thu Aug 17 12:00:01.617683 2017] [:error] [pid 21225] SSL Library Error: > -12195 Peer does not recognize and trust the CA that issued your certificate > > [Thu Aug 17 12:00:09.967173 2017] [auth_gssapi:error] [pid 20881] [client > IPADDR:54377] NO AUTH DATA Client did not send any authentication headers, > referer: https://-ipa1.example.com/ipa/ui/ > > /usr/lib/python2.7/site-packages/urllib3/connection.py:251: > SecurityWarning: Certificate has no `subjectAltName`, falling back to check > for a `commonName` for now. This feature is being removed by major browsers > and deprecated by RFC 2818. (See https://github.com/shazow/ > urllib3/issues/497 for details.) > > SecurityWarning > > [Thu Aug 17 12:00:17.495782 2017] [:error] [pid 20879] ipa: INFO: 404 Not > Found: URL="/ipa/session/cookie", URL fragment "/session/cookie" does not > have a handler > > [Thu Aug 17 12:00:17.497067 2017] [:error] [pid 20878] ipa: INFO: 401 > Unauthorized: No session cookie found > > > > > > I know it is complaining about the new mod_gssapi but never seen this sort > of problem before on IPA. > > > > Any help would be greatly appreciated. > > > > Stefan > > > > *__________________________________________* > *__________ **Stefan Uygur *| *First Derivatives Ireland Ltd* | > +353 16307761 <+353%201%20630%207761> | [email protected] > > > > > > ************************************************************ > ******************************************************************* > > This email, its contents and any files attached are a confidential > communication and are intended only for the named addressees indicated in > the message. > > If you are not the named addressee or if you have received this email in > error, you may not, without the consent of First Derivatives, copy, use or > rely on any information or attachments in any way. Please notify the sender > by return email and delete it from your email system. > > Unless separately agreed, First Derivatives does not accept any > responsibility for the accuracy or completeness of the contents of this > email or its attachments. Please note that any views, opinion or advice > contained in this communication are those of the sending individual and not > those of First Derivatives and First Derivatives shall have no liability > whatsoever in relation to this communication (or its content) unless > separately agreed. > > ************************************************************ > ******************************************************************* > > > > ************************************************************ > ******************************************************************* > > This email, its contents and any files attached are a confidential > communication and are intended only for the named addressees indicated in > the message. > > If you are not the named addressee or if you have received this email in > error, you may not, without the consent of First Derivatives, copy, use or > rely on any information or attachments in any way. Please notify the sender > by return email and delete it from your email system. > > Unless separately agreed, First Derivatives does not accept any > responsibility for the accuracy or completeness of the contents of this > email or its attachments. Please note that any views, opinion or advice > contained in this communication are those of the sending individual and not > those of First Derivatives and First Derivatives shall have no liability > whatsoever in relation to this communication (or its content) unless > separately agreed. > > ************************************************************ > ******************************************************************* > > > _______________________________________________ > FreeIPA-users mailing list -- [email protected] > To unsubscribe send an email to [email protected] > > -- *Jason Sherrill* *IT Specialist* Deeplocal Inc. <http://deeplocal.com/> mobile: 412-636-2073 <(412)%20636-2073> office: 412-362-0201 <(412)%20362-0201>
_______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected]
