I'm not sure exactly how to diagnose the actual cause of the issue.
Every login, even as "admin" on the ipa/ui returns a "your session has
expired. Please re-login". I can use kinit and login just fine - it
seems authentication with the host key may be a fault.
Version: 4.5.0-22.el7_4 (RHEL7.4)
When I look at /var/log/sssd/sssd_nss.log I see several lines that looks
like the cause of the issue:
(Mon Jan 1 14:25:11 2018) [sssd[nss]] [sss_dp_get_reply] (0x0010): The
Data Provider returned an error
[org.freedesktop.sssd.Error.DataProvider.Offline]
(Mon Jan 1 14:25:11 2018) [sssd[nss]] [cache_req_common_dp_recv]
(0x0040): CR #0: Data Provider Error: 3, 5, Failed to get reply from
Data Provider
I'm also seeing a lot of these in krb5kdc.log but from what I gather
from searching I can ignore those:
Jan 01 14:30:17 host.demo.net krb5kdc[9094](info): AS_REQ (8 etypes {18
17 16 23 25 26 20 19}) 10.10.10.70: NEEDED_PREAUTH:
host/host.demo....@demo.net for krbtgt/demo....@demo.net, Additional
pre-authentication required
In /var/log/httpd/errors:
[Mon Jan 01 14:25:11.692739 2018] [:warn] [pid 798] [client
71.63.27.120:55198] failed to set perms (3140) on file
(/var/run/ipa/ccaches/ad...@demo.net)!, referer:
https://host.demo.net/ipa/ui/
[Mon Jan 01 14:25:11.779316 2018] [:error] [pid 31609] ipa: INFO: 401
Unauthorized: Insufficient access: Invalid credentials
I'm trying to figure out how to diagnose the actual cause here. The file
above (failed to set perms):
-rw-------. ipaapi ipaapi system_u:object_r:ipa_var_run_t:s0 ad...@demo.net
Now, if apache tries to do something to these files then "duh" of course
it's going to be denied. This used to work - so I'm not sure what's
going on here? Again, trying to figure out a good process to diagnose to
find the root cause.
--
Regards Peter Larsen
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
