I tried changing the password but that did not work.

When I ran

# ipa -e in_server=true user-mod mtest --addattr=ipanthash=MagicRegen

I am getting

ipa: ERROR: attribute "ipanthas" not allowed

Same error when:

dn: uid=foo,cn=users,cn=accounts,dc=ipa,dc=test
changetype: modify
add: ipaNTHash
ipaNTHash: MagicRegen

From: Alexander Bokovoy

On ke, 02 helmi 2022, Alexander Bokovoy via FreeIPA-users wrote:
>On ke, 02 helmi 2022, code bugs wrote:
>>After following the @Dan West
>><https://lists.fedorahosted.org/archives/users/138940716030953366928314736264121067319/>
>>solution described at
>>https://lists.fedorahosted.org/archives/list/[email protected]/thread/4S4QQDC4FBVTA4GYWWVBPKGYN3MF4UJ6/#7SKWKKFFDMMFWOXPR53ZFGB634RKJHVU
>>, users are able to login to IPA WebGUI.
>>
>>My setup uses this freeipa LDAP for Wi-Fi authentication using Freeradius.
>>
>>Now the users are unable to login into the WIFI network using the radius
>>server (Freeradius). Freeradius is throwing MS-CHAP-Error = "\000E=691 R=1
>>C=269d5124d7a4e4f1 v=1"
>>I guess since freeradius uses the ipaNTHash attribute in mschap and in @Dan
>>West's solution this attribute was deleted.
>
>That's most likely the cause, yes.
>
>There are two ways to recover ipaNTHash attribute values. First one:
>change password. This will cause ipaNTHash to be generated if its
>generation is not disabled in IPA configuration (it is not by default).
>
>Another path depends on whether your users' Kerberos keys have
>arcfour-hmac encryption keys already. If they do, you can trigger
>re-creation of ipaNTHash by adding it with a special value:
>
>dn: uid=foo,cn=users,cn=accounts,dc=ipa,dc=test
>changetype: modify
>add: ipaNTHash
>ipaNTHash: MagicRegen
>
>You can do this either as cn=Directory Manager, or as an admin, or as a
>user themselves. Perhaps, doing this as cn=Directory Manager will be a
>bit easier. In case there is no arcfour-hmac encryption key in the
>Kerberos keys for the user in question, you would get LDAP error
>LDAP_UNWILLING_TO_PERFORM.

Just tried this on my test system, it works.

# ldapmodify -H ldapi://%2fvar%2frun%2fslapd-IPA-TEST.socket -Y EXTERNAL
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: uid=mtest,cn=users,cn=accounts,dc=ipa,dc=test
changetype: modify
delete: ipaNTHash
^D
modifying entry "uid=mtest,cn=users,cn=accounts,dc=ipa,dc=test"

# ipa -e in_server=true user-mod mtest --addattr=ipanthash=MagicRegen
# ipa -e in_server=true user-show mtest --all --raw |grep ipaNTHash
ipaNTHash: some-value

>>
>>On Tue, Feb 1, 2022 at 12:17 AM Alexander Bokovoy <[email protected]>
>>wrote:
>>
>>>On la, 29 tammi 2022, code bugs via FreeIPA-users wrote:
>>>>Hello,
>>>>
>>>>-IPA WebGUI login fails with "Login failed due to an unknown reason"
>>>>-After upgrading IPA, can no longer log into the WebGUI
>>>>
>>>>Version/Release/Distribution
>>>>
>>>>$ cat /etc/centos-release
>>>>CentOS Linux release 8.5.2111
>>>>$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
>>>>package freeipa-server is not installed
>>>>package freeipa-client is not installed
>>>>ipa-server-4.9.6-10.module_el8.5.0+1055+c415bbe9.x86_64
>>>>ipa-client-4.9.6-10.module_el8.5.0+1055+c415bbe9.x86_64
>>>>389-ds-base-1.4.3.23-12.module_el8.5.0+1056+b3c5a4b9.x86_64
>>>>pki-ca-10.11.2-2.module_el8.5.0+945+a81e57da.noarch
>>>>krb5-server-1.18.2-14.el8.x86_64
>>>>
>>>>Additional info:
>>>>
>>>>tail /var/log/httpd/error_log
>>>>
>>>>[wsgi:error] [pid 8833:tid 139812622513920] [remote 10.2.3.80:51404] ipa: INFO: 401 Unauthorized: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2598844948): TGT has been revoked
>>>
>>>Please show entries in /var/log/krb5kdc.log corresponding to this
>>>timeframe. If TGT is revoked, it most likely is documented why in that
>>>log. Also, if possible, show other requests in httpd's error_log for the
>>>same timeframe -- if that was Web UI login, there would be few around
>>>this error.
>>>
>>>One possible problem could be what is documented in
>>>
>>>https://lists.fedorahosted.org/archives/list/[email protected]/thread/4S4QQDC4FBVTA4GYWWVBPKGYN3MF4UJ6/#7SKWKKFFDMMFWOXPR53ZFGB634RKJHVU
>>>
>>>but then it would not be possible to get a Kerberos ticket in kinit as
>>>well. Perhaps, you have a problem with anonymous PKINIT on this host
>>>instead.
>>>
>>>>further,
>>>>
>>>> 1. default "admin" user can log in to IPA WebGUI
>>>> 2. other users cannot log in to IPA WebGUI, but can login using cli
>>>> (kinit)
>>>> 3. when i create a new user, the new user can login IPA WebGUI.
>>>
>>>--
>>>/ Alexander Bokovoy
>>>Sr. Principal Software Engineer
>>>Security / Identity Management Engineering
>>>Red Hat Limited, Finland
>
>--
>/ Alexander Bokovoy
>Sr. Principal Software Engineer
>Security / Identity Management Engineering
>Red Hat Limited, Finland

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
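The recovery path Alexander describes in the thread (add ipaNTHash: MagicRegen as cn=Directory Manager over the ldapi socket, expect LDAP_UNWILLING_TO_PERFORM for users without an arcfour-hmac key, then confirm with ipa user-show), scripted for a whole list of users as a site would need after the Dan West cleanup removed the attribute everywhere. This is an added example, not code from the thread or from FreeIPA. The ldapi socket path and base DN are placeholders copied from the test system in the thread, and the script assumes ldapmodify exits with the LDAP result code (53 for unwillingToPerform), which is how the OpenLDAP client tools behave.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA): re-create ipaNTHash for a
# list of users with the "MagicRegen" trigger. Run as root on an IPA server so
# SASL/EXTERNAL over ldapi autobinds to cn=Directory Manager, as in the
# transcript above. Socket path and base DN are assumptions taken from the
# thread's test system; adjust them for your instance.
LDAPI_URI="ldapi://%2fvar%2frun%2fslapd-IPA-TEST.socket"
BASE_DN="dc=ipa,dc=test"

# LDIF that asks the IPA password plugin to regenerate ipaNTHash for one uid.
nthash_regen_ldif() {
    printf 'dn: uid=%s,cn=users,cn=accounts,%s\n' "$1" "$BASE_DN"
    printf 'changetype: modify\nadd: ipaNTHash\nipaNTHash: MagicRegen\n'
}

# Map ldapmodify's exit status (assumed to equal the LDAP result code) to the
# recovery outcome the thread describes for each case.
classify_regen_result() {
    case "$1" in
        0)  echo "regenerated" ;;            # user had an arcfour-hmac key
        53) echo "needs-password-change" ;;  # unwillingToPerform: no arcfour-hmac key
        *)  echo "error:$1" ;;               # anything else: inspect by hand
    esac
}

# Apply the modify for one uid and report "uid outcome".
regen_one() {
    rc=0
    nthash_regen_ldif "$1" | ldapmodify -Q -H "$LDAPI_URI" -Y EXTERNAL >/dev/null 2>&1 || rc=$?
    printf '%s %s\n' "$1" "$(classify_regen_result "$rc")"
}

# Confirm the attribute is back, the same way the thread checks it.
has_nthash() {
    ipa -e in_server=true user-show "$1" --all --raw 2>/dev/null | grep -q '^ipaNTHash:'
}

# Usage: sh regen_nthash.sh mtest alice bob
# Users reported as needs-password-change must change their password instead,
# since the KDC has no RC4 key from which the NT hash can be derived.
if [ "$#" -gt 0 ]; then
    for u in "$@"; do
        regen_one "$u"
        has_nthash "$u" || echo "$u still has no ipaNTHash"
    done
fi
```

The split between "regenerated" and "needs-password-change" is the useful output: the first group is fixed silently, the second group has to be told to reset their password (or have it reset for them), because nothing on the server can produce an NT hash without either the cleartext password or an existing arcfour-hmac key.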
