Appreciate the reply

I think it may only be the webUi that is busted

- kinit works fine
- I can resolve AD users
- I can login with my AD credentials
- krb5dc.log is just full of errors about clients not being in the database (likely a replication failure issue)

So from the command line things look good except for busted replication on this host which we knew about. Only the webUI seems totally unusable.

Did the same upgrade to our primary IDM server and saw same results. Instantly revered back to ipa-server v4.4 so we are at least up and running for user logins and RBAC controls.

Very strange!

Felipe Barreto wrote:
Are you able to authenticate with kinit?

Does krb5kdc.log shows you some error?

On 11/17/2017 12:17 PM, Chris Dagdigian via FreeIPA-users wrote:

Did the "yum upgrade" followed by "sudo ipa-server-upgrade" followed by a reboot on two different IPA servers

Now the webUI fails on both. The webUI error is:

Cannot connect to the server, please check API accesibility (certificate, API, proxy, etc.)

httpd error log says this:

[Fri Nov 17 14:08:38.914506 2017] [:error] [pid 2748] ipa: INFO: *** PROCESS START *** [Fri Nov 17 14:08:39.002769 2017] [:error] [pid 2747] ipa: INFO: *** PROCESS START *** [Fri Nov 17 14:11:42.214284 2017] [auth_gssapi:error] [pid 2749] [client] NO AUTH DATA Client did not send any authentication headers, referer: [Fri Nov 17 14:11:42.304960 2017] [auth_gssapi:error] [pid 2749] [client] GSS ERROR In Negotiate Auth: gss_accept_sec_context() failed: [An unsupported mechanism was requested (Unknown error)], referer:
[root@usaeilidmp002 httpd]#

Browser is Chrome - same as I've always been using to access the admin UI

Any tips or guidance?  May have to restore from backup


FreeIPA-users mailing list --
To unsubscribe send an email to
FreeIPA-users mailing list --
To unsubscribe send an email to

Reply via email to