Hi,

By default the web UI tries network authentication for users before the page displays.
The GSS error below indicates that initial negotiation fails, so no pop-up window appears, and the UI doesn't load after that.

Have you tried using different browsers?

Have you also tried an install without the AD trust? Maybe that is contributing to your problems? If that works, you could try breaking the AD trust before upgrading and re-adding it after upgrade is done?

If you are using Google Chrome, try looking at whitelisting your FreeIPA server, or the command line option to enable negotiation to get around any browser issues.

I haven't had these issues using Chromium on Fedora, we run FreeIPA on CentOS 7 (recently patched to 7.4). We don't have any AD trust configured.

Cheers,
Dagan McGregor

On 12 December 2017 6:02:49 AM NZDT, Chris Dagdigian via FreeIPA-users <email@example.com> wrote:
>Hi folks,
>
>Stuck in a catch-22 where I can't update our existing 4.4.0 production
>servers nor can we stand up new working sandbox servers running IPA-4.5
>
>In all cases (upgrade and new install) we end up with a WebUI that is
>not functional when deployed on RHEL 7.4 or CentOS 7.4
>
>However I think now I have the actual error and there were hints from
>the mailing list archive about the culprit maybe being httpd and keytab
>related. Or at least it seems tightly tied to the security changes
>implemented between IPA 4.4 and 4.5 releases.
>
>
>Here is the setup from a fresh install on RHEL 7.4
>
>- CLI installation works perfectly
>- AD trust setup works perfectly
>- All CLI tools and commands seem to work just fine
>- No errors in standard locations
>- "ipactl status" reports no issues
>- SELINUX is disabled
>- Using Chrome browser for access and testing
>
>
>However the WebUI is totally unusable. The front page just displays an
>error box that says:
>
>HTTP Error 404
>Cannot connect to the server, please check API accesibility
>(certificate, API, proxy, etc.)
>
>
>Reading the lists archives this weekend I found the links that point to
>the security changes between 4.4 and 4.5 and I also found the helpful
>advice to set "debug=true" in /etc/ipa/server.conf
>
>
>After setting the debug=true values now I see a new message in the httpd
>error logs:
>
>
>[Sun Dec 10 03:13:08.976509 2017] [:error] [pid 7821] ipa: INFO: *** PROCESS START ***
>[Mon Dec 11 11:55:07.102172 2017] [auth_gssapi:error] [pid 7824] [client 172.29.XX.XX:57976] NO AUTH DATA Client did not send any authentication headers, referer: https://usaeilidmp010.XXX.org/ipa/ui/
>[Mon Dec 11 11:55:07.298810 2017] [auth_gssapi:error] [pid 7824] [client 172.29.XX.XX:57976] GSS ERROR In Negotiate Auth: gss_accept_sec_context() failed: [An unsupported mechanism was requested (Unknown error)], referer: https://usaeilidmp010.XXX.org/ipa/ui/
>[root@usaeilidmp010 ec2-user]#
>
>
>Those error messages have come up in past forum messages but the thread
>replies always led me into a maze of other URLs or generic instructions
>to "regenerate the keytab for HTTPD server"
>
>
>I'm pretty sure the above web error is exactly why the webUI is failing
>however I can't find clear or concise instructions on how to fix or
>debug further ...
>
>Has anyone dealt with this already? I may need an idiot's guide to
>resolving that particular gss error as I failed at doing so myself this
>weekend :) I pretty much do not understand that error nor how to
>address it, heh.
>
>Thanks!
>
>-Chris
>
>
>
>_______________________________________________
>FreeIPA-users mailing list -- firstname.lastname@example.org
>To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
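
Added example, not part of the original thread and not code from FreeIPA or mod_auth_gssapi: a small Python triage of the two auth_gssapi messages quoted above, separating clients that never sent a Negotiate token (only NO AUTH DATA) from clients whose token the server rejected (GSS ERROR). The sample log is constructed from the quoted excerpt; the host name, client addresses and function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the httpd error_log excerpt quoted in the
# thread; host name and client addresses are placeholders, not real values.
SAMPLE_LOG = """\
[Mon Dec 11 11:55:07.102172 2017] [auth_gssapi:error] [pid 7824] [client 172.29.0.10:57976] NO AUTH DATA Client did not send any authentication headers, referer: https://ipa.example.test/ipa/ui/
[Mon Dec 11 11:55:07.298810 2017] [auth_gssapi:error] [pid 7824] [client 172.29.0.10:57976] GSS ERROR In Negotiate Auth: gss_accept_sec_context() failed: [An unsupported mechanism was requested (Unknown error)], referer: https://ipa.example.test/ipa/ui/
[Mon Dec 11 11:56:01.000001 2017] [auth_gssapi:error] [pid 7825] [client 172.29.0.11:40112] NO AUTH DATA Client did not send any authentication headers, referer: https://ipa.example.test/ipa/ui/
[Mon Dec 11 11:56:02.000001 2017] [:error] [pid 7821] ipa: INFO: *** PROCESS START ***
"""

# Apache 2.4 error_log prefix, restricted to lines logged by auth_gssapi.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[auth_gssapi:(?P<level>\w+)\] \[pid (?P<pid>\d+)\] "
    r"\[client (?P<ip>[^\]]+):(?P<port>\d+)\] (?P<msg>.*)$"
)
# "GSS ERROR <where>: <gss call>() failed: [<reason>]"
GSS_RE = re.compile(
    r"GSS ERROR (?P<where>.*?): (?P<call>\w+)\(\) failed: \[(?P<reason>[^\]]*)\]"
)

def triage(log_text):
    """Return {client_ip: {"no_auth_data": n, "gss_errors": {reason: n}}}."""
    clients = defaultdict(lambda: {"no_auth_data": 0, "gss_errors": defaultdict(int)})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an auth_gssapi line (e.g. the ipa INFO line)
        entry = clients[m["ip"]]
        if m["msg"].startswith("NO AUTH DATA"):
            entry["no_auth_data"] += 1  # request carried no Authorization header
        else:
            g = GSS_RE.search(m["msg"])
            if g:  # a token was sent and the GSS-API call rejected it
                entry["gss_errors"][f'{g["call"]}: {g["reason"]}'] += 1
    return clients

def failing_clients(log_text):
    """Clients whose Negotiate token was rejected, as opposed to never sent."""
    return sorted(ip for ip, e in triage(log_text).items() if e["gss_errors"])

if __name__ == "__main__":
    for ip, e in triage(SAMPLE_LOG).items():
        print(ip, e["no_auth_data"], dict(e["gss_errors"]))
```

Point it at the real error_log by passing the file's text to triage(); the path of that file on a given server is not stated in the thread.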