After following the @Dan West
<https://lists.fedorahosted.org/archives/users/138940716030953366928314736264121067319/>
solution described at
https://lists.fedorahosted.org/archives/list/[email protected]/thread/4S4QQDC4FBVTA4GYWWVBPKGYN3MF4UJ6/#7SKWKKFFDMMFWOXPR53ZFGB634RKJHVU,
users are able to log in to the IPA WebGUI.

My setup uses this FreeIPA LDAP for Wi-Fi authentication using FreeRADIUS.

Now the users are unable to log in to the Wi-Fi network using the RADIUS
server (FreeRADIUS). FreeRADIUS is throwing MS-CHAP-Error = "\000E=691 R=1
C=269d5124d7a4e4f1 v=1"
I guess this is because FreeRADIUS uses the ipaNTHash attribute in mschap, and in @Dan
West's solution this attribute was deleted.



On Tue, Feb 1, 2022 at 12:17 AM Alexander Bokovoy <[email protected]>
wrote:

> On Sat, 29 Jan 2022, code bugs via FreeIPA-users wrote:
> >Hello,
> >
> >-IPA WebGUI login fails with "Login failed due to an unknown reason"
> >-After upgrading IPA, can no longer log into the WebGUI
> >Version/Release/Distribution
> >
> >$ cat /etc/centos-release
> >CentOS Linux release 8.5.2111
> >$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base
> >pki-ca krb5-server
> >package freeipa-server is not installed
> >package freeipa-client is not installed
> >ipa-server-4.9.6-10.module_el8.5.0+1055+c415bbe9.x86_64
> >ipa-client-4.9.6-10.module_el8.5.0+1055+c415bbe9.x86_64
> >389-ds-base-1.4.3.23-12.module_el8.5.0+1056+b3c5a4b9.x86_64
> >pki-ca-10.11.2-2.module_el8.5.0+945+a81e57da.noarch
> >krb5-server-1.18.2-14.el8.x86_64
> >Additional info:
> >
> >tail /var/log/httpd/error_log
> >
> >[wsgi:error] [pid 8833:tid 139812622513920] [remote 10.2.3.80:51404] ipa:
> >INFO: 401 Unauthorized: Major (851968): Unspecified GSS failure. Minor code
> >may provide more information, Minor (2598844948): TGT has been revoked
>
> Please show entries in /var/log/krb5kdc.log corresponding to this
> timeframe. If TGT is revoked, it most likely is documented why in that
> log. Also, if possible, show other requests in httpd's error_log for the
> same timeframe -- if that was Web UI login, there would be few around
> this error.
>
> One possible problem could be what is documented in
>
> https://lists.fedorahosted.org/archives/list/[email protected]/thread/4S4QQDC4FBVTA4GYWWVBPKGYN3MF4UJ6/#7SKWKKFFDMMFWOXPR53ZFGB634RKJHVU
> but then it would not be possible to get a Kerberos ticket in kinit as
> well. Perhaps, you have a problem with anonymous PKINIT on this host
> instead.
>
> >
> >further,
> >
> >   1. default "admin" user can log in to IPA WebGUI
> >   2. other users cannot log in to IPA WebGUI, but can log in using cli
> >   (kinit)
> >   3. when I create a new user, the new user can log in to IPA WebGUI.
>
>
>
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>
>
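
The MS-CHAP-Error value quoted in the message above can be decoded field by field. The Python parser below is an added example, not code from the thread or from FreeRADIUS; it assumes the Ident-plus-string layout of RFC 2548 and the failure fields and error codes of RFC 2433 / RFC 2759, and its function and variable names are hypothetical.

```python
import re

# Error codes of the MS-CHAP Failure packet (RFC 2433 / RFC 2759).
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}
FIELD_RE = re.compile(r"\b([ERCV])=(\S+)", re.IGNORECASE)

# Value copied from the message above, exactly as the log printed it.
SAMPLE = r"\000E=691 R=1 C=269d5124d7a4e4f1 v=1"


def parse_mschap_error(value):
    """Decode an MS-CHAP-Error value as it appears in a RADIUS debug log."""
    ident = None
    escaped = re.match(r"\\([0-7]{3})", value)
    if escaped:  # Ident byte printed as an octal escape, e.g. \000
        ident, value = int(escaped.group(1), 8), value[escaped.end():]
    elif value and value[0] not in "Ee":  # Ident byte present as a raw byte
        ident, value = ord(value[0]), value[1:]
    message = None
    if " M=" in value:  # free-text message runs to the end and may hold spaces
        value, message = value.split(" M=", 1)
    fields = {k.upper(): v for k, v in FIELD_RE.findall(value)}
    if not fields.get("E", "").isdigit():
        raise ValueError("no numeric E= error code in MS-CHAP-Error value")
    challenge = fields.get("C")
    if challenge is not None:
        bytes.fromhex(challenge)  # raises ValueError if not valid hex
    code = int(fields["E"])
    return {
        "ident": ident,
        "code": code,
        "name": MSCHAP_ERRORS.get(code, "UNKNOWN"),
        "retry_allowed": fields.get("R") == "1",
        "challenge": challenge,
        "challenge_bytes": len(challenge) // 2 if challenge else None,
        "version": int(fields["V"]) if "V" in fields else None,
        "message": message,
    }


if __name__ == "__main__":
    for key, val in parse_mschap_error(SAMPLE).items():
        print(f"{key:16} {val}")
```

E=691 is the generic authentication-failure code, so the value alone does not say which credential check failed on the server.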