On Mon, 11 Dec 2017, Chris Dagdigian via FreeIPA-users wrote:
Hi folks,

Stuck in a catch-22 where I can't update our existing 4.4.0 production servers nor can we stand up new working sandbox servers running IPA-4.5

In all cases (upgrade and new install) we end up with a WebUI that is not functional when deployed on RHEL 7.4 or CentOS 7.4

However I think now I have the actual error and there were hints from the mailing list archive about the culprit maybe being httpd and keytab related. Or at least it seems tightly tied to the security changes implemented between IPA 4.4 and 4.5 releases.


Here is the setup from a fresh install on RHEL 7.4

- CLI installation works perfectly
- AD trust setup works perfectly
- All CLI tools and commands seem to work just fine
- No errors in standard locations
- "ipactl status" reports no issues
- SELINUX is disabled
- Using Chrome browser for access and testing


However the WebUI is totally unusable. The front page just displays an error box that says:

HTTP Error 404
Cannot connect to the server, please check API accessibility (certificate, API, proxy, etc.)


Reading the list archives this weekend I found the links that point to the security changes between 4.4 and 4.5 and I also found the helpful advice to set "debug=true" in /etc/ipa/server.conf


After setting the debug=true values now I see a new message in the httpd error logs:


[Sun Dec 10 03:13:08.976509 2017] [:error] [pid 7821] ipa: INFO: *** PROCESS START ***
[Mon Dec 11 11:55:07.102172 2017] [auth_gssapi:error] [pid 7824] [client 172.29.XX.XX:57976] NO AUTH DATA Client did not send any authentication headers, referer: https://usaeilidmp010.XXX.org/ipa/ui/
[Mon Dec 11 11:55:07.298810 2017] [auth_gssapi:error] [pid 7824] [client 172.29.XX.XX:57976] GSS ERROR In Negotiate Auth: gss_accept_sec_context() failed: [An unsupported mechanism was requested (Unknown error)], referer: https://usaeilidmp010.XXX.org/ipa/ui/
[root@usaeilidmp010 ec2-user]#


Those error messages have come up in past forum messages but the thread replies always led me into a maze of other URLs or generic instructions to "regenerate the keytab for HTTPD server"


I'm pretty sure the above web error is exactly why the webUI is failing however I can't find clear or concise instructions on how to fix or debug further ...

Has anyone dealt with this already? I may need an idiot's guide to resolving that particular gss error as I failed at doing so myself this weekend :) I pretty much do not understand that error nor how to address it, heh.

This looks like an internal redirect which is done by the IPA framework
when a user is authenticated by entering username/password, to generate
cookies. Is the [client 172.29.XX.XX] actually *that* same IPA master?
What CA configuration is in use? Is it IPA CA or some external CA?

--
/ Alexander Bokovoy
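As an added illustration of the check Alexander asks for (not code from the thread or from the FreeIPA project): the script below parses Apache 2.4 style error_log lines like the ones Chris pasted, keeps only the auth_gssapi error records, classifies them as "no auth header" versus "unsupported mechanism", and groups them by client address so you can see at a glance whether the failing client is the IPA master itself (the internal password-login redirect) or an external browser. The sample log lines are constructed for this example with RFC 5737 documentation addresses and a placeholder hostname; the set of the server's own addresses passed to summarize() is assumed to be supplied by the operator.

```python
import re
from collections import defaultdict

# Apache 2.4 error_log layout as seen in the thread:
# [timestamp] [module:level] [pid N] [client IP:PORT] message, referer: URL
# The module field may be empty ("[:error]") and the client/referer parts are optional.
# Assumption: IPv4 client addresses only (the thread shows 172.29.x.x).
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[^:\]]*):(?P<level>[^\]]+)\] \[pid (?P<pid>\d+)\]"
    r"(?: \[client (?P<client>[^:\]]+):(?P<port>\d+)\])? (?P<msg>.*?)"
    r"(?:, referer: (?P<referer>\S+))?$"
)

# Constructed sample modelled on the thread's output; addresses and hostname are placeholders.
SAMPLE_LOG = """\
[Sun Dec 10 03:13:08.976509 2017] [:error] [pid 7821] ipa: INFO: *** PROCESS START ***
[Mon Dec 11 11:55:07.102172 2017] [auth_gssapi:error] [pid 7824] [client 192.0.2.10:57976] NO AUTH DATA Client did not send any authentication headers, referer: https://ipa.example.test/ipa/ui/
[Mon Dec 11 11:55:07.298810 2017] [auth_gssapi:error] [pid 7824] [client 192.0.2.10:57976] GSS ERROR In Negotiate Auth: gss_accept_sec_context() failed: [An unsupported mechanism was requested (Unknown error)], referer: https://ipa.example.test/ipa/ui/
[Mon Dec 11 11:56:01.000000 2017] [auth_gssapi:error] [pid 7825] [client 198.51.100.7:40001] GSS ERROR In Negotiate Auth: gss_accept_sec_context() failed: [An unsupported mechanism was requested (Unknown error)], referer: https://ipa.example.test/ipa/ui/
"""


def parse_line(line):
    """Return a dict of the log fields, or None if the line is not in the expected layout."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def gssapi_errors(text):
    """Parsed records for every auth_gssapi error line in the given error_log text."""
    records = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["module"] == "auth_gssapi" and rec["level"] == "error":
            records.append(rec)
    return records


def classify(rec):
    """Bucket an auth_gssapi error by its message text."""
    msg = rec["msg"]
    if msg.startswith("NO AUTH DATA"):
        # First request without a Negotiate header; expected before the 401 challenge.
        return "no_auth_header"
    if "unsupported mechanism" in msg:
        # gss_accept_sec_context() rejected the offered mechanism: keytab / GSSAPI config problem.
        return "unsupported_mech"
    return "other"


def summarize(text, server_addrs):
    """Group auth_gssapi errors by client address.

    server_addrs: the IPA master's own addresses (assumed to be supplied by the operator),
    used to flag whether the failing client is the server talking to itself.
    """
    summary = defaultdict(lambda: {"self": False, "counts": defaultdict(int), "referers": set()})
    for rec in gssapi_errors(text):
        entry = summary[rec["client"]]
        entry["self"] = rec["client"] in server_addrs
        entry["counts"][classify(rec)] += 1
        if rec["referer"]:
            entry["referers"].add(rec["referer"])
    return dict(summary)


if __name__ == "__main__":
    # Assumed: 192.0.2.10 is the IPA master's own address in this constructed sample.
    for client, info in summarize(SAMPLE_LOG, {"192.0.2.10"}).items():
        origin = "this server (internal redirect)" if info["self"] else "external client"
        print(f"{client}: {origin}; {dict(info['counts'])}; referers={sorted(info['referers'])}")
```

Run it against a real log with something like `summarize(open("/var/log/httpd/error_log").read(), {own_ip})`; if the "unsupported_mech" entries come only from the server's own address, the failure is on the internal password-login path rather than in browser Kerberos negotiation, which is the distinction Alexander's question is getting at.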
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
