Hi Alexander,
I did perform ipa-server-upgrade and it did apply all changes indeed.

Attached the ipa.conf file.

First attempt to use Web UI gave me the error as per attached png.

And httpd error.log shows the following:
[Fri Aug 18 12:49:48.196040 2017] [auth_gssapi:error] [pid 4944] [client] NO AUTH DATA Client did not send any authentication 
headers, referer: https://aws-ipa1.firstderivatives.com/ipa/ui/
[Fri Aug 18 12:49:48.235657 2017] [auth_gssapi:error] [pid 4944] [client] GSS ERROR In Negotiate Auth: gss_accept_sec_context() 
failed: [An unsupported mechanism was requested (Unknown error)], referer: 

So basically now it is not even letting me into login page.

Will dig a little more for this new error.


-----Original Message-----
From: Alexander Bokovoy [mailto:aboko...@redhat.com] 
Sent: 18 August 2017 13:01
To: FreeIPA users list
Cc: Stefan Uygur; Troels Hansen; Fraser Tweedale
Subject: Re: [Freeipa-users] Re: web UI - login failed after updates on server

On pe, 18 elo 2017, Alexander Bokovoy via FreeIPA-users wrote:
>On pe, 18 elo 2017, Stefan Uygur wrote:
>>Yeah sorry, the debug logs were not included originally. Re to RPMs, I 
>>have removed all dupes, they were many. All is clean now and the 
>>system is up to date.
>>Attached is the ipa.conf file.
>Alias for /session/cookie is missing in it.
>You can see a correct ipa.conf here:
>You need to make sure your version has all parts, including
># Target for login with internal connections Alias /ipa/session/cookie 
BTW, your ipa.conf has version 22 while a proper version should be 27.

Combined together with the fact that you had duplicates in rpms, looks like 
there was general upgrade issue that did not complete overall upgrade.

It may be better to run ipa-server-upgrade manually to see if some other parts 
were missing.

/ Alexander Bokovoy

This email, its contents and any files attached are a confidential 
communication and are
intended only for the named addressees indicated in the message. 

If you are not the named addressee or if you have received this email in error, 
you may not, 
without the consent of First Derivatives, copy, use or rely on any information 
or attachments in any way. 
Please notify the sender by return email and delete it from your email system. 

Unless separately agreed, First Derivatives does not accept any responsibility 
for the accuracy or
completeness of the contents of this email or its attachments. Please note that 
any views,
opinion or advice contained in this communication are those of the sending 
and not those of First Derivatives and First Derivatives shall have no 
liability whatsoever in relation to
this communication (or its content) unless separately agreed.

Attachment: ipa.conf
Description: ipa.conf

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to