Stefan,

I resolved a similar issue on a Fedora host by setting selinux to
permissive instead of enforcing. The setting is located in
/etc/selinux/config

On Thu, Aug 17, 2017 at 10:37 AM, Stefan Uygur via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Hi everyone,
>
> I have an IPA instance installed and working for the last 6 months but
> after the patching yesterday the Web UI login has stopped to work.
>
>
>
> To be clear the IPA server is fully functional at the backend, the problem
> is when I try to login via web UI I get the following error:
>
> Login failed due to an unknown reason.
>
>
>
> The server is a Red Hat Enterprise Linux Server release 7.4 (Maipo) with
> the IPA VERSION: 4.5.0, API_VERSION: 2.228
>
>
>
> Furthermore, this is what I get from apache error logs while trying to
> login using web UI:
>
>
>
> [Thu Aug 17 11:58:40.727456 2017] [:error] [pid 20879] ipa: INFO: ***
> PROCESS START ***
>
> [Thu Aug 17 11:58:40.911349 2017] [:error] [pid 20878] ipa: INFO: ***
> PROCESS START ***
>
> [Thu Aug 17 11:58:57.224594 2017] [auth_gssapi:error] [pid 20884] [client
> IPADDR:54323] NO AUTH DATA Client did not send any authentication headers,
> referer: https://-ipa1.example.com/ipa/ui/
>
> [Thu Aug 17 11:58:57.266259 2017] [auth_gssapi:error] [pid 20884] [client
> IPADDR:54323] GSS ERROR In Negotiate Auth: gss_accept_sec_context() failed:
> [An unsupported mechanism was requested (Unknown error)], referer:
> https://ipa1.example.com/ipa/ui/
>
> /usr/lib/python2.7/site-packages/urllib3/connection.py:251:
> SecurityWarning: Certificate has no `subjectAltName`, falling back to check
> for a `commonName` for now. This feature is being removed by major browsers
> and deprecated by RFC 2818. (See https://github.com/shazow/
> urllib3/issues/497 for details.)
>
>   SecurityWarning
>
> [Thu Aug 17 11:59:03.637157 2017] [:error] [pid 20878] ipa: INFO: 404 Not
> Found: URL="/ipa/session/cookie", URL fragment "/session/cookie" does not
> have a handler
>
> [Thu Aug 17 11:59:03.638346 2017] [:error] [pid 20879] ipa: INFO: 401
> Unauthorized: No session cookie found
>
> [Thu Aug 17 12:00:01.567042 2017] [:error] [pid 20882] SSL Library Error:
> -12195 Peer does not recognize and trust the CA that issued your certificate
>
> [Thu Aug 17 12:00:01.617683 2017] [:error] [pid 21225] SSL Library Error:
> -12195 Peer does not recognize and trust the CA that issued your certificate
>
> [Thu Aug 17 12:00:09.967173 2017] [auth_gssapi:error] [pid 20881] [client
> IPADDR:54377] NO AUTH DATA Client did not send any authentication headers,
> referer: https://-ipa1.example.com/ipa/ui/
>
> /usr/lib/python2.7/site-packages/urllib3/connection.py:251:
> SecurityWarning: Certificate has no `subjectAltName`, falling back to check
> for a `commonName` for now. This feature is being removed by major browsers
> and deprecated by RFC 2818. (See https://github.com/shazow/
> urllib3/issues/497 for details.)
>
>   SecurityWarning
>
> [Thu Aug 17 12:00:17.495782 2017] [:error] [pid 20879] ipa: INFO: 404 Not
> Found: URL="/ipa/session/cookie", URL fragment "/session/cookie" does not
> have a handler
>
> [Thu Aug 17 12:00:17.497067 2017] [:error] [pid 20878] ipa: INFO: 401
> Unauthorized: No session cookie found
>
>
>
>
>
> I know it is complaining about the new mod_gssapi but never seen this sort
> of problem before on IPA.
>
>
>
> Any help would be greatly appreciated.
>
>
>
> Stefan
>
>
>
> *__________________________________________*
> *__________ **Stefan Uygur *| *First Derivatives Ireland Ltd* |
> +353 16307761 <+353%201%20630%207761> | suy...@firstderivatives.com
>
>
>
>
>
> ************************************************************
> *******************************************************************
>
> This email, its contents and any files attached are a confidential
> communication and are intended only for the named addressees indicated in
> the message.
>
> If you are not the named addressee or if you have received this email in
> error, you may not, without the consent of First Derivatives, copy, use or
> rely on any information or attachments in any way. Please notify the sender
> by return email and delete it from your email system.
>
> Unless separately agreed, First Derivatives does not accept any
> responsibility for the accuracy or completeness of the contents of this
> email or its attachments. Please note that any views, opinion or advice
> contained in this communication are those of the sending individual and not
> those of First Derivatives and First Derivatives shall have no liability
> whatsoever in relation to this communication (or its content) unless
> separately agreed.
>
> ************************************************************
> *******************************************************************
>
>
>
> ************************************************************
> *******************************************************************
>
> This email, its contents and any files attached are a confidential
> communication and are intended only for the named addressees indicated in
> the message.
>
> If you are not the named addressee or if you have received this email in
> error, you may not, without the consent of First Derivatives, copy, use or
> rely on any information or attachments in any way. Please notify the sender
> by return email and delete it from your email system.
>
> Unless separately agreed, First Derivatives does not accept any
> responsibility for the accuracy or completeness of the contents of this
> email or its attachments. Please note that any views, opinion or advice
> contained in this communication are those of the sending individual and not
> those of First Derivatives and First Derivatives shall have no liability
> whatsoever in relation to this communication (or its content) unless
> separately agreed.
>
> ************************************************************
> *******************************************************************
>
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>
>


-- 

*Jason Sherrill*
*IT Specialist*
Deeplocal Inc. <http://deeplocal.com/>
mobile: 412-636-2073 <(412)%20636-2073>
office: 412-362-0201 <(412)%20362-0201>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to