Hi Sumit!
Thank you very much!!! This worked!
Regards,
Andrey
2017-10-09 16:16 GMT+03:00 Sumit Bose via FreeIPA-users <
freeipa-users@lists.fedorahosted.org>:
> On Mon, Oct 09, 2017 at 03:16:13PM +0300, Markovich via FreeIPA-users
> wrote:
> > Hello, ipa-users!
> >
> > Can't login into my FreeIpa system with admin user.
> >
> > *On WebUi *
> >
> > Login failed due to an unknown reason.
> >
> > *In krb5kdc.log:*
> >
> > Oct 09 08:08:24 myhost.mydomain krb5kdc[24788](info): AS_REQ (8 etypes
> {18
> > 17 20 19 16 23 25 26}) 192.168.110.26: NEEDED_PREAUTH: WELLKNOWN/
> > anonym...@mydomain.com for krbtgt/mydomain....@mydomain.com, Additional
> > pre-authentication required
> > Oct 09 08:08:24 myhost.mydomain krb5kdc[24788](info): closing down fd 11
> > Oct 09 08:08:24 myhost.mydomain krb5kdc[24788](info): AS_REQ (8 etypes
> {18
> > 17 20 19 16 23 25 26}) 192.168.110.26: ISSUE: authtime 1507550904,
> etypes
> > {rep=18 tkt=18 ses=18}, WELLKNOWN/anonym...@mydomain.com for krbtgt/
> > mydomain....@mydomain.com
> > Oct 09 08:08:24 myhost.mydomain krb5kdc[24788](info): closing down fd 11
> > Oct 09 08:08:24 myhost.mydomain krb5kdc[24786](info): AS_REQ (8 etypes
> {18
> > 17 20 19 16 23 25 26}) 192.168.110.26: NEEDED_PREAUTH:
> ad...@mydomain.com
> > for krbtgt/mydomain....@mydomain.com, Additional pre-authentication
> required
> > Oct 09 08:08:24 myhost.mydomain krb5kdc[24786](info): closing down fd 11
> > Oct 09 08:08:24 myhost.mydomain krb5kdc[24787](info): AS_REQ (8 etypes
> {18
> > 17 20 19 16 23 25 26}) 192.168.110.26: ISSUE: authtime 1507550904,
> etypes
> > {rep=18 tkt=18 ses=18}, ad...@mydomain.com for krbtgt/
> > mydomain....@mydomain.com
> > Oct 09 08:08:24 myhost.mydomain krb5kdc[24787](info): closing down fd 11
> > Oct 09 08:08:24 myhost.mydomain krb5kdc[24785](info): TGS_REQ (8 etypes
> {18
> > 17 20 19 16 23 25 26}) 192.168.110.26: ISSUE: authtime 1507550904,
> etypes
> > {rep=18 tkt=18 ses=18}, ad...@mydomain.com for HTTP/
> > myhost.mydom...@mydomain.com
> > Oct 09 08:08:24 myhost.mydomain krb5kdc[24785](info): closing down fd 11
> > Oct 09 08:08:24 myhost.mydomain krb5kdc[24786](info): AS_REQ (8 etypes
> {18
> > 17 20 19 16 23 25 26}) 192.168.110.26: NEEDED_PREAUTH: HTTP/
> > myhost.mydom...@mydomain.com for krbtgt/mydomain....@mydomain.com,
> > Additional pre-authentication required
> > Oct 09 08:08:24 myhost.mydomain krb5kdc[24786](info): closing down fd 11
> > Oct 09 08:08:24 myhost.mydomain krb5kdc[24788](info): preauth
> > (encrypted_timestamp) verify failure: Preauthentication failed
> > Oct 09 08:08:24 myhost.mydomain krb5kdc[24788](info): AS_REQ (8 etypes
> {18
> > 17 20 19 16 23 25 26}) 192.168.110.26: PREAUTH_FAILED: HTTP/
> > myhost.mydom...@mydomain.com for krbtgt/mydomain....@mydomain.com,
> > Preauthentication failed
>
> It is not your authentication which failed but the authentication
> attempt of the web server. I guess the keys on the server were updated
> but not written into the keytab.
>
> Can you try if
>
> kinit -k -t /var/lib/ipa/gssproxy/http.keytab HTTP/
> myhost.mydom...@mydomain.com
>
> returns the same error ((preauth (encrypted_timestamp) verify failure:
> Preauthentication failed)? In this case you should update the keytab
> with ipa-getkeytab and restart httpd.
>
> HTH
>
> bye,
> Sumit
>
> > Oct 09 08:08:24 myhost.mydomain krb5kdc[24788](info): closing down fd 11
> > Oct 09 08:08:24 myhost.mydomain krb5kdc[24786](info): AS_REQ (8 etypes
> {18
> > 17 20 19 16 23 25 26}) 192.168.110.26: NEEDED_PREAUTH: HTTP/
> > myhost.mydom...@mydomain.com for krbtgt/mydomain....@mydomain.com,
> > Additional pre-authentication required
> > Oct 09 08:08:24 myhost.mydomain krb5kdc[24786](info): closing down fd 11
> > Oct 09 08:08:24 myhost.mydomain krb5kdc[24785](info): preauth
> > (encrypted_timestamp) verify failure: Preauthentication failed
> > Oct 09 08:08:24 myhost.mydomain krb5kdc[24785](info): AS_REQ (8 etypes
> {18
> > 17 20 19 16 23 25 26}) 192.168.110.26: PREAUTH_FAILED: HTTP/
> > myhost.mydom...@mydomain.com for krbtgt/mydomain....@mydomain.com,
> > Preauthentication failed
> > Oct 09 08:08:24 myhost.mydomain krb5kdc[24785](info): closing down fd 11
> >
> > *In httpd error log:*
> >
> > [Mon Oct 09 08:10:31.746129 2017] [auth_gssapi:error] [pid 24813] [client
> > 192.168.110.26:45594] GSS ERROR gss_acquire_cred[_from]() failed to get
> > server creds: [Unspecified GSS failure. Minor code may provide more
> > information ( SPNEGO cannot find mechanisms to negotiate)]
> > [Mon Oct 09 08:10:31.749411 2017] [:error] [pid 24806] ipa: INFO: 401
> > Unauthorized: No session cookie found
> >
> > *In messages:*
> >
> > Oct 9 08:11:40 myhost gssproxy: gssproxy[13658]: (OID: { 1 2 840 113554
> 1
> > 2 2 }) Unspecified GSS failure. Minor code may provide more information,
> > Preauthentication failed
> > Oct 9 08:11:40 myhost gssproxy: gssproxy[13658]: (OID: { 1 2 840 113554
> 1
> > 2 2 }) Unspecified GSS failure. Minor code may provide more information,
> > Preauthentication failed
> >
> > *The password is correct 100%.*
> > *I can do kinit for admin.*
> > *Where to look next?*
> > *Restart didn't help.*
> >
> > OS Red Hat Enterprise Linux Server release 7.4
> > [root@myhost ipa]# uname -a
> > Linux myhost.mydomain 3.10.0-693.2.2.el7.x86_64 #1 SMP Tue Sep 12
> 10:49:01
> > PDT 2017 x86_64 x86_64 x86_64 GNU/Linux
> >
> >
> > Regards,
> > Andrey
>
> > _______________________________________________
> > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> > To unsubscribe send an email to freeipa-users-leave@lists.
> fedorahosted.org
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
