I'm not sure exactly how to diagnose the actual cause of the issue. Every login, even as "admin" on the ipa/ui returns a "your session has expired. Please re-login". I can use kinit and login just fine - it seems authentication with the host key may be a fault.
Version: 4.5.0-22.el7_4 (RHEL7.4) When I look at /var/log/sssd/sssd_nss.log I see several lines that looks like the cause of the issue: (Mon Jan 1 14:25:11 2018) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Mon Jan 1 14:25:11 2018) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #0: Data Provider Error: 3, 5, Failed to get reply from Data Provider I'm also seeing a lot of these in krb5kdc.log but from what I gather from searching I can ignore those: Jan 01 14:30:17 host.demo.net krb5kdc[9094](info): AS_REQ (8 etypes {18 17 16 23 25 26 20 19}) 10.10.10.70: NEEDED_PREAUTH: host/host.demo....@demo.net for krbtgt/demo....@demo.net, Additional pre-authentication required In /var/log/httpd/errors: [Mon Jan 01 14:25:11.692739 2018] [:warn] [pid 798] [client 71.63.27.120:55198] failed to set perms (3140) on file (/var/run/ipa/ccaches/ad...@demo.net)!, referer: https://host.demo.net/ipa/ui/ [Mon Jan 01 14:25:11.779316 2018] [:error] [pid 31609] ipa: INFO: 401 Unauthorized: Insufficient access: Invalid credentials I'm trying to figure out how to diagnose the actual cause here. The file above (failed to set perms): -rw-------. ipaapi ipaapi system_u:object_r:ipa_var_run_t:s0 ad...@demo.net Now, if apache tries to do something to these files then "duh" of course it's going to be denied. This used to work - so I'm not sure what's going on here? Again, trying to figure out a good process to diagnose to find the root cause. -- Regards Peter Larsen _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org