I'm not sure exactly how to diagnose the actual cause of the issue.
Every login, even as "admin" on the ipa/ui returns a "your session has
expired. Please re-login". I can use kinit and login just fine - it
seems authentication with the host key may be a fault.

Version: 4.5.0-22.el7_4 (RHEL7.4)

When I look at /var/log/sssd/sssd_nss.log I see several lines that looks
like the cause of the issue:

(Mon Jan  1 14:25:11 2018) [sssd[nss]] [sss_dp_get_reply] (0x0010): The
Data Provider returned an error
(Mon Jan  1 14:25:11 2018) [sssd[nss]] [cache_req_common_dp_recv]
(0x0040): CR #0: Data Provider Error: 3, 5, Failed to get reply from
Data Provider

I'm also seeing a lot of these in krb5kdc.log but from what I gather
from searching I can ignore those:

Jan 01 14:30:17 host.demo.net krb5kdc[9094](info): AS_REQ (8 etypes {18
17 16 23 25 26 20 19}) NEEDED_PREAUTH:
host/host.demo....@demo.net for krbtgt/demo....@demo.net, Additional
pre-authentication required

In /var/log/httpd/errors:

[Mon Jan 01 14:25:11.692739 2018] [:warn] [pid 798] [client] failed to set perms (3140) on file
(/var/run/ipa/ccaches/ad...@demo.net)!, referer:
[Mon Jan 01 14:25:11.779316 2018] [:error] [pid 31609] ipa: INFO: 401
Unauthorized: Insufficient access:  Invalid credentials

I'm trying to figure out how to diagnose the actual cause here. The file
above (failed to set perms):

-rw-------. ipaapi ipaapi system_u:object_r:ipa_var_run_t:s0 ad...@demo.net

Now, if apache tries to do something to these files then "duh" of course
it's going to be denied. This used to work - so I'm not sure what's
going on here? Again, trying to figure out a good process to diagnose to
find the root cause.

 Regards Peter Larsen
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to