On Mon, Oct 09, 2017 at 03:16:13PM +0300, Markovich via FreeIPA-users wrote:
> Hello, ipa-users!
> 
> Can't log in to my FreeIPA system with admin user.
> 
> *On WebUi*
> 
> Login failed due to an unknown reason.
> 
> *In krb5kdc.log:*
> 
> Oct 09 08:08:24 myhost.mydomain krb5kdc[24788](info): AS_REQ (8 etypes {18
> 17 20 19 16 23 25 26}) 192.168.110.26: NEEDED_PREAUTH: WELLKNOWN/
> anonym...@mydomain.com for krbtgt/mydomain....@mydomain.com, Additional
> pre-authentication required
> Oct 09 08:08:24 myhost.mydomain krb5kdc[24788](info): closing down fd 11
> Oct 09 08:08:24 myhost.mydomain krb5kdc[24788](info): AS_REQ (8 etypes {18
> 17 20 19 16 23 25 26}) 192.168.110.26: ISSUE: authtime 1507550904, etypes
> {rep=18 tkt=18 ses=18}, WELLKNOWN/anonym...@mydomain.com for krbtgt/
> mydomain....@mydomain.com
> Oct 09 08:08:24 myhost.mydomain krb5kdc[24788](info): closing down fd 11
> Oct 09 08:08:24 myhost.mydomain krb5kdc[24786](info): AS_REQ (8 etypes {18
> 17 20 19 16 23 25 26}) 192.168.110.26: NEEDED_PREAUTH: ad...@mydomain.com
> for krbtgt/mydomain....@mydomain.com, Additional pre-authentication required
> Oct 09 08:08:24 myhost.mydomain krb5kdc[24786](info): closing down fd 11
> Oct 09 08:08:24 myhost.mydomain krb5kdc[24787](info): AS_REQ (8 etypes {18
> 17 20 19 16 23 25 26}) 192.168.110.26: ISSUE: authtime 1507550904, etypes
> {rep=18 tkt=18 ses=18}, ad...@mydomain.com for krbtgt/
> mydomain....@mydomain.com
> Oct 09 08:08:24 myhost.mydomain krb5kdc[24787](info): closing down fd 11
> Oct 09 08:08:24 myhost.mydomain krb5kdc[24785](info): TGS_REQ (8 etypes {18
> 17 20 19 16 23 25 26}) 192.168.110.26: ISSUE: authtime 1507550904, etypes
> {rep=18 tkt=18 ses=18}, ad...@mydomain.com for HTTP/
> myhost.mydom...@mydomain.com
> Oct 09 08:08:24 myhost.mydomain krb5kdc[24785](info): closing down fd 11
> Oct 09 08:08:24 myhost.mydomain krb5kdc[24786](info): AS_REQ (8 etypes {18
> 17 20 19 16 23 25 26}) 192.168.110.26: NEEDED_PREAUTH: HTTP/
> myhost.mydom...@mydomain.com for krbtgt/mydomain....@mydomain.com,
> Additional pre-authentication required
> Oct 09 08:08:24 myhost.mydomain krb5kdc[24786](info): closing down fd 11
> Oct 09 08:08:24 myhost.mydomain krb5kdc[24788](info): preauth
> (encrypted_timestamp) verify failure: Preauthentication failed
> Oct 09 08:08:24 myhost.mydomain krb5kdc[24788](info): AS_REQ (8 etypes {18
> 17 20 19 16 23 25 26}) 192.168.110.26: PREAUTH_FAILED: HTTP/
> myhost.mydom...@mydomain.com for krbtgt/mydomain....@mydomain.com,
> Preauthentication failed

It is not your authentication which failed but the authentication
attempt of the web server. I guess the keys on the server were updated
but not written into the keytab.

Can you try if

    kinit -k -t /var/lib/ipa/gssproxy/http.keytab HTTP/myhost.mydom...@mydomain.com

returns the same error (preauth (encrypted_timestamp) verify failure:
Preauthentication failed)? In this case you should update the keytab
with ipa-getkeytab and restart httpd.

HTH

bye,
Sumit

> Oct 09 08:08:24 myhost.mydomain krb5kdc[24788](info): closing down fd 11
> Oct 09 08:08:24 myhost.mydomain krb5kdc[24786](info): AS_REQ (8 etypes {18
> 17 20 19 16 23 25 26}) 192.168.110.26: NEEDED_PREAUTH: HTTP/
> myhost.mydom...@mydomain.com for krbtgt/mydomain....@mydomain.com,
> Additional pre-authentication required
> Oct 09 08:08:24 myhost.mydomain krb5kdc[24786](info): closing down fd 11
> Oct 09 08:08:24 myhost.mydomain krb5kdc[24785](info): preauth
> (encrypted_timestamp) verify failure: Preauthentication failed
> Oct 09 08:08:24 myhost.mydomain krb5kdc[24785](info): AS_REQ (8 etypes {18
> 17 20 19 16 23 25 26}) 192.168.110.26: PREAUTH_FAILED: HTTP/
> myhost.mydom...@mydomain.com for krbtgt/mydomain....@mydomain.com,
> Preauthentication failed
> Oct 09 08:08:24 myhost.mydomain krb5kdc[24785](info): closing down fd 11
> 
> *In httpd error log:*
> 
> [Mon Oct 09 08:10:31.746129 2017] [auth_gssapi:error] [pid 24813] [client
> 192.168.110.26:45594] GSS ERROR gss_acquire_cred[_from]() failed to get
> server creds: [Unspecified GSS failure.  Minor code may provide more
> information ( SPNEGO cannot find mechanisms to negotiate)]
> [Mon Oct 09 08:10:31.749411 2017] [:error] [pid 24806] ipa: INFO: 401
> Unauthorized: No session cookie found
> 
> *In messages:*
> 
> Oct  9 08:11:40 myhost gssproxy: gssproxy[13658]: (OID: { 1 2 840 113554 1
> 2 2 }) Unspecified GSS failure.  Minor code may provide more information,
> Preauthentication failed
> Oct  9 08:11:40 myhost gssproxy: gssproxy[13658]: (OID: { 1 2 840 113554 1
> 2 2 }) Unspecified GSS failure.  Minor code may provide more information,
> Preauthentication failed
> 
> *The password is correct 100%.*
> *I can do kinit for admin.*
> *Where to look next?*
> *Restart didn't help.*
> 
> OS Red Hat Enterprise Linux Server release 7.4
> [root@myhost ipa]# uname -a
> Linux myhost.mydomain 3.10.0-693.2.2.el7.x86_64 #1 SMP Tue Sep 12 10:49:01
> PDT 2017 x86_64 x86_64 x86_64 GNU/Linux
> 
> 
> Regards,
> Andrey

> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
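An added example, not part of the original thread: the same reading of krb5kdc.log done mechanically, separating pre-authentication failures of service principals (a keytab problem) from those of users (a password problem). The sample log is constructed; the realm, host name, IP address and the function names `triage` and `diagnose` are assumptions made for illustration.

```python
import re

# Constructed sample in the krb5kdc.log layout quoted in the thread (one event
# per line, as in the real file). Realm, host, IP and PIDs are placeholders.
SAMPLE_LOG = """\
Oct 09 08:08:24 ipa.example.test krb5kdc[101](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.26: NEEDED_PREAUTH: admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Oct 09 08:08:24 ipa.example.test krb5kdc[102](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.26: ISSUE: authtime 1507550904, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Oct 09 08:08:24 ipa.example.test krb5kdc[102](info): closing down fd 11
Oct 09 08:08:24 ipa.example.test krb5kdc[103](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.26: ISSUE: authtime 1507550904, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.TEST for HTTP/ipa.example.test@EXAMPLE.TEST
Oct 09 08:08:24 ipa.example.test krb5kdc[101](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Oct 09 08:08:24 ipa.example.test krb5kdc[101](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.26: PREAUTH_FAILED: HTTP/ipa.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Preauthentication failed
"""

# "<REQ> (<etypes>) <client-ip>: <STATUS>: <details>"
EVENT_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) \(.*?\) (?P<ip>\S+): "
    r"(?P<status>[A-Z_]+): (?P<rest>.*)$")
# "<client principal> for <server principal>"
PRINC_RE = re.compile(r"(?P<client>\S+) for (?P<server>[^\s,]+)")


def triage(log_text):
    """Return (issued, failed_users, failed_services) seen in the KDC log."""
    issued, failed_users, failed_services = set(), set(), set()
    for line in log_text.splitlines():
        event = EVENT_RE.search(line)
        princ = PRINC_RE.search(event["rest"]) if event else None
        if not princ:
            continue  # "closing down fd", bare "preauth ... failure" lines, etc.
        client, server = princ["client"], princ["server"]
        if event["status"] == "ISSUE":
            issued.add((event["req"], client, server))
        elif event["status"] == "PREAUTH_FAILED":
            # A "/" in the primary part marks a service or host principal,
            # which authenticates from a keytab rather than a typed password.
            primary = client.split("@", 1)[0]
            (failed_services if "/" in primary else failed_users).add(client)
    return issued, failed_users, failed_services


def diagnose(log_text):
    """Map each service whose own AS_REQ failed to users holding tickets for it."""
    issued, _, failed_services = triage(log_text)
    return {svc: sorted(c for req, c, s in issued if req == "TGS_REQ" and s == svc)
            for svc in failed_services}


if __name__ == "__main__":
    for svc, users in diagnose(SAMPLE_LOG).items():
        print(f"{svc}: own pre-authentication failed (check its keytab); "
              f"users with valid tickets for it: {users}")
```

A service that appears in the result with a non-empty user list matches the situation in this thread: the user authenticated and got a service ticket, and only the service's own keytab-based login was rejected.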