Hi Sumit! Thank you very much!!! This worked!
Regards,
Andrey

2017-10-09 16:16 GMT+03:00 Sumit Bose via FreeIPA-users <freeipa-users@lists.fedorahosted.org>:

> On Mon, Oct 09, 2017 at 03:16:13PM +0300, Markovich via FreeIPA-users wrote:
> > Hello, ipa-users!
> >
> > Can't login into my FreeIpa system with admin user.
> >
> > *On WebUi *
> >
> > Login failed due to an unknown reason.
> >
> > *In krb5kdc.log:*
> >
> > Oct 09 08:08:24 myhost.mydomain krb5kdc[24788](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.110.26: NEEDED_PREAUTH: WELLKNOWN/anonym...@mydomain.com for krbtgt/mydomain....@mydomain.com, Additional pre-authentication required
> > Oct 09 08:08:24 myhost.mydomain krb5kdc[24788](info): closing down fd 11
> > Oct 09 08:08:24 myhost.mydomain krb5kdc[24788](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.110.26: ISSUE: authtime 1507550904, etypes {rep=18 tkt=18 ses=18}, WELLKNOWN/anonym...@mydomain.com for krbtgt/mydomain....@mydomain.com
> > Oct 09 08:08:24 myhost.mydomain krb5kdc[24788](info): closing down fd 11
> > Oct 09 08:08:24 myhost.mydomain krb5kdc[24786](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.110.26: NEEDED_PREAUTH: ad...@mydomain.com for krbtgt/mydomain....@mydomain.com, Additional pre-authentication required
> > Oct 09 08:08:24 myhost.mydomain krb5kdc[24786](info): closing down fd 11
> > Oct 09 08:08:24 myhost.mydomain krb5kdc[24787](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.110.26: ISSUE: authtime 1507550904, etypes {rep=18 tkt=18 ses=18}, ad...@mydomain.com for krbtgt/mydomain....@mydomain.com
> > Oct 09 08:08:24 myhost.mydomain krb5kdc[24787](info): closing down fd 11
> > Oct 09 08:08:24 myhost.mydomain krb5kdc[24785](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.110.26: ISSUE: authtime 1507550904, etypes {rep=18 tkt=18 ses=18}, ad...@mydomain.com for HTTP/myhost.mydom...@mydomain.com
> > Oct 09 08:08:24 myhost.mydomain krb5kdc[24785](info): closing down fd 11
> > Oct 09 08:08:24 myhost.mydomain krb5kdc[24786](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.110.26: NEEDED_PREAUTH: HTTP/myhost.mydom...@mydomain.com for krbtgt/mydomain....@mydomain.com, Additional pre-authentication required
> > Oct 09 08:08:24 myhost.mydomain krb5kdc[24786](info): closing down fd 11
> > Oct 09 08:08:24 myhost.mydomain krb5kdc[24788](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
> > Oct 09 08:08:24 myhost.mydomain krb5kdc[24788](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.110.26: PREAUTH_FAILED: HTTP/myhost.mydom...@mydomain.com for krbtgt/mydomain....@mydomain.com, Preauthentication failed
>
> It is not your authentication which failed but the authentication
> attempt of the web server. I guess the keys on the server were updated
> but not written into the keytab.
>
> Can you try if
>
> kinit -k -t /var/lib/ipa/gssproxy/http.keytab HTTP/myhost.mydom...@mydomain.com
>
> returns the same error ((preauth (encrypted_timestamp) verify failure:
> Preauthentication failed)? In this case you should update the keytab
> with ipa-getkeytab and restart httpd.
>
> HTH
>
> bye,
> Sumit
>
> > Oct 09 08:08:24 myhost.mydomain krb5kdc[24788](info): closing down fd 11
> > Oct 09 08:08:24 myhost.mydomain krb5kdc[24786](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.110.26: NEEDED_PREAUTH: HTTP/myhost.mydom...@mydomain.com for krbtgt/mydomain....@mydomain.com, Additional pre-authentication required
> > Oct 09 08:08:24 myhost.mydomain krb5kdc[24786](info): closing down fd 11
> > Oct 09 08:08:24 myhost.mydomain krb5kdc[24785](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
> > Oct 09 08:08:24 myhost.mydomain krb5kdc[24785](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.110.26: PREAUTH_FAILED: HTTP/myhost.mydom...@mydomain.com for krbtgt/mydomain....@mydomain.com, Preauthentication failed
> > Oct 09 08:08:24 myhost.mydomain krb5kdc[24785](info): closing down fd 11
> >
> > *In httpd error log:*
> >
> > [Mon Oct 09 08:10:31.746129 2017] [auth_gssapi:error] [pid 24813] [client 192.168.110.26:45594] GSS ERROR gss_acquire_cred[_from]() failed to get server creds: [Unspecified GSS failure. Minor code may provide more information ( SPNEGO cannot find mechanisms to negotiate)]
> > [Mon Oct 09 08:10:31.749411 2017] [:error] [pid 24806] ipa: INFO: 401 Unauthorized: No session cookie found
> >
> > *In messages:*
> >
> > Oct 9 08:11:40 myhost gssproxy: gssproxy[13658]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, Preauthentication failed
> > Oct 9 08:11:40 myhost gssproxy: gssproxy[13658]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, Preauthentication failed
> >
> > *The password is correct 100%.*
> > *I can do kinit for admin.*
> > *Where to look next?*
> > *Restart didn't help.*
> >
> > OS Red Hat Enterprise Linux Server release 7.4
> > [root@myhost ipa]# uname -a
> > Linux myhost.mydomain 3.10.0-693.2.2.el7.x86_64 #1 SMP Tue Sep 12 10:49:01 PDT 2017 x86_64 x86_64 x86_64 GNU/Linux
> >
> > Regards,
> > Andrey
>
> > _______________________________________________
> > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> > To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
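The diagnosis in this thread comes from reading which client principal the KDC rejected, not which user was logging in. As an added example (not part of the original thread), the following Python sketch groups KDC request lines by client principal and reports only those that reached PREAUTH_FAILED. The host names, realm and addresses in the sample are constructed, and treating a "/" in the principal name as "service principal" is a simplifying assumption.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the krb5kdc.log format quoted in the thread.
SAMPLE_LOG = """\
Oct 09 08:08:24 ipa.example.test krb5kdc[24786](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.26: NEEDED_PREAUTH: admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Oct 09 08:08:24 ipa.example.test krb5kdc[24787](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.26: ISSUE: authtime 1507550904, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Oct 09 08:08:24 ipa.example.test krb5kdc[24785](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.26: ISSUE: authtime 1507550904, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.TEST for HTTP/ipa.example.test@EXAMPLE.TEST
Oct 09 08:08:24 ipa.example.test krb5kdc[24786](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.26: NEEDED_PREAUTH: HTTP/ipa.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Oct 09 08:08:24 ipa.example.test krb5kdc[24788](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Oct 09 08:08:24 ipa.example.test krb5kdc[24788](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.26: PREAUTH_FAILED: HTTP/ipa.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Preauthentication failed
"""

# request type, source address, status keyword, remainder of the line
REQ = re.compile(r"(AS_REQ|TGS_REQ) \(.*?\) (\S+): ([A-Z_]+): (.*)")
# "<client> for <server>" pair inside the remainder
PRINCIPALS = re.compile(r"(\S+) for ([^\s,]+)")

def parse(log):
    """Yield (request, status, client, server) for each KDC request line."""
    for line in log.splitlines():
        m = REQ.search(line)
        p = PRINCIPALS.search(m.group(4)) if m else None
        if p:
            yield m.group(1), m.group(3), p.group(1), p.group(2)

def triage(log):
    """Map each client principal that hit PREAUTH_FAILED to where to look."""
    statuses = defaultdict(set)
    for _req, status, client, _server in parse(log):
        statuses[client].add(status)
    findings = {}
    for client, seen in statuses.items():
        if "PREAUTH_FAILED" not in seen:
            continue  # NEEDED_PREAUTH followed by ISSUE is a normal exchange
        # Assumption: a "/" before the realm marks a service principal.
        is_service = "/" in client.split("@")[0]
        findings[client] = ("service principal: check its keytab" if is_service
                            else "user principal: check the password")
    return findings

if __name__ == "__main__":
    for principal, hint in triage(SAMPLE_LOG).items():
        print(principal, "->", hint)
```
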