Hi all,
I set up an instance of FreeIPA server and established trust with an AD domain. I
configured AD users and they can successfully log in to the web UI. Then, I set
up a replica. Although the trust is visible for that instance both in the web
UI and the CLI, AD users cannot log in to it, nor can I execute su - for them. Upon
an unsuccessful login I get this error message from the web UI:
Runtime error
Web UI got in unrecoverable state during "profile" phase.
Technical details:
Cannot read property 'cn' of undefined
TypeError: Cannot read property 'cn' of undefined
at Object.update_logged_in
(https://idm2.ipa.domain.com/ipa/ui/js/freeipa/app.js?40503:1:18183)
at Object.choose_profile
(https://idm2.ipa.domain.com/ipa/ui/js/freeipa/app.js?40503:1:16656)
at Object.<anonymous>
(https://idm2.ipa.domain.com/ipa/ui/js/freeipa/app.js?40503:1:1190)
at https://idm2.ipa.domain.com/ipa/ui/js/freeipa/app.js?40503:1:3478
at Object.forEach
(https://idm2.ipa.domain.com/ipa/ui/js/dojo/dojo.js?v=40503:1:29752)
at Object._run_phase
(https://idm2.ipa.domain.com/ipa/ui/js/freeipa/app.js?40503:1:3442)
at Object.next_phase
(https://idm2.ipa.domain.com/ipa/ui/js/freeipa/app.js?40503:1:3904)
at Object.<anonymous>
(https://idm2.ipa.domain.com/ipa/ui/js/freeipa/app.js?40503:1:3631)
at c (https://idm2.ipa.domain.com/ipa/ui/js/dojo/dojo.js?v=40503:1:60960)
at Object.then.t.then
(https://idm2.ipa.domain.com/ipa/ui/js/dojo/dojo.js?v=40503:1:62246)
When I try to verify trust on the replica server, it behaves exactly as
described in the documentation:
[root@idm2 ~]# kinit [email protected]
Password for [email protected]:
[root@idm2 ~]# kvno -S host idm2.ipa.domain.com
host/[email protected]: kvno = 1
[root@idm2 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_kwhpOWN
Default principal: [email protected]
Valid starting Expires Service principal
10/19/2017 08:35:05 10/19/2017 18:34:55
host/[email protected]
renew until 10/20/2017 08:34:49
10/19/2017 08:35:05 10/19/2017 18:34:55 krbtgt/[email protected]
renew until 10/20/2017 08:34:49
10/19/2017 08:34:55 10/19/2017 18:34:55 krbtgt/[email protected]
renew until 10/20/2017 08:34:49
What's more, FreeIPA can't seem to find testuser on the idm2 host:
[root@idm2 ~]# su - [email protected]
su: user [email protected] does not exist
Whereas this works for idm1, the primary FreeIPA server.
Can you please advise on how to solve it?
Many thanks,
Bart
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
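Added troubleshooting helper, not code from Bart's message or from the FreeIPA project. The message runs two different checks together: the documented kinit/kvno/klist procedure proves the replica's KDC can issue a cross-realm TGT for the AD realm, while "su: user ... does not exist" is a failed NSS lookup (glibc asking SSSD), which is a separate path. The script below keeps them apart: it resolves a user through NSS the way su does, and it parses klist output for the krbtgt/AD_REALM@IPA_REALM entry, handling the wrapped two-line rows that klist prints for long principals (as in the host/... row above). The realm names, hostnames and the klist sample are constructed placeholders, since the message's principals are not legible.

```shell
#!/bin/sh
# Added diagnostic helper for a FreeIPA replica that cannot see AD trust users.
# Not from the original message or the FreeIPA project. Realm names and the
# klist sample are constructed placeholders.

# Returns 0 if the user resolves through the passwd NSS database, 1 otherwise.
# "su: user X does not exist" means exactly this lookup failed on the host,
# independent of whether Kerberos cross-realm tickets can be obtained.
nss_user_resolves() {
    getent passwd "$1" >/dev/null 2>&1
}

# Reads klist output on stdin and prints one service principal per line.
# klist wraps a long principal onto the line after its two timestamps, so a
# row may span two lines; "renew until" continuation lines are skipped.
klist_principals() {
    awk '
        /^Valid starting/       { body = 1; next }
        !body                   { next }
        /^[ \t]*renew until/    { next }
        pending                 { print $1; pending = 0; next }
        NF >= 5 && $5 ~ /@/     { print $5; next }
        NF == 4                 { pending = 1 }
    '
}

# Returns 0 if stdin (klist output) contains the cross-realm TGT
# krbtgt/<AD realm>@<IPA realm>, i.e. the IPA KDC issued a referral ticket
# for the trusted realm. $1 = AD realm, $2 = IPA realm.
has_cross_realm_tgt() {
    klist_principals | grep -qx "krbtgt/$1@$2"
}

# Constructed klist output in the same layout as the message's, with
# placeholder realms and hostnames.
sample_klist() {
    cat <<'EOF'
Ticket cache: KEYRING:persistent:0:krb_ccache_EXAMPLE
Default principal: aduser@AD.EXAMPLE.COM

Valid starting       Expires              Service principal
10/19/2017 08:35:05  10/19/2017 18:34:55
	host/idm2.ipa.example.com@IPA.EXAMPLE.COM
	renew until 10/20/2017 08:34:49
10/19/2017 08:35:05  10/19/2017 18:34:55  krbtgt/IPA.EXAMPLE.COM@AD.EXAMPLE.COM
	renew until 10/20/2017 08:34:49
10/19/2017 08:34:55  10/19/2017 18:34:55  krbtgt/AD.EXAMPLE.COM@IPA.EXAMPLE.COM
	renew until 10/20/2017 08:34:49
EOF
}

# Usage: sh check_trust_user.sh <user@AD.REALM> [AD_REALM IPA_REALM]
# Without arguments it only parses the constructed sample.
if [ "$#" -gt 0 ]; then
    if nss_user_resolves "$1"; then
        echo "NSS: $1 resolves on this host; su/ssh identity lookup would succeed"
    else
        echo "NSS: $1 does NOT resolve on this host; SSSD cannot see the trusted user here"
    fi
    if [ "$#" -ge 3 ]; then
        if klist 2>/dev/null | has_cross_realm_tgt "$2" "$3"; then
            echo "KRB: cross-realm TGT krbtgt/$2@$3 present in the current cache"
        else
            echo "KRB: no cross-realm TGT for $2 in the current cache"
        fi
    fi
else
    echo "Principals in the constructed sample klist output:"
    sample_klist | klist_principals
fi
```

Run it on the replica as `sh check_trust_user.sh testuser@AD.REALM AD.REALM IPA.REALM` after the kinit from the message: a present cross-realm TGT together with a failed NSS lookup points at the replica's SSSD/identity-lookup side rather than at the Kerberos trust itself, which is the split the two symptoms in the message suggest.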