> On my fairly recently created replica, trying to sign on to the webUI
> fails both with a ticket and with username/password. The httpd error
> log reports:
>
> [Thu Feb 03 09:43:20.551081 2022] [wsgi:error] [pid 332932:tid 140681111185152] [remote 2001:123:aa:123:0:90cc:a629:cf42:5877:50870] ipa: INFO: [jsonserver_i18n_messages] UNKNOWN: i18n_messages(version='2.237'): SUCCESS
> [Thu Feb 03 09:43:21.096431 2022] [auth_gssapi:error] [pid 332935:tid 140680940726016] [client 2001:123:aa:123:0:90cc:a629:cf42:5877:50870] Failed to unseal session data!, referer: https://server.example.com/ipa/ui/
> [Thu Feb 03 09:43:21.146884 2022] [auth_gssapi:error] [pid 332935:tid 140681090156288] [client 2001:123:aa:123:0:90cc:a629:cf42:5877:50870] Failed to unseal session data!, referer: https://server.example.com/ipa/ui/
> [Thu Feb 03 09:43:21.605055 2022] [auth_gssapi:error] [pid 332935:tid 140681090156288] [client 2001:123:aa:123:0:90cc:a629:cf42:5877:50870] GSS ERROR gss_acquire_cred[_from]() failed to get server creds: [Unspecified GSS failure. Minor code may provide more information ( SPNEGO cannot find mechanisms to negotiate)], referer: https://server.example.com/ipa/ui/
> [Thu Feb 03 09:43:21.621376 2022] [auth_gssapi:error] [pid 332935:tid 140680923940608] [client 2001:123:aa:123:0:90cc:a629:cf42:5877:50870] Failed to unseal session data!, referer: https://server.example.com/ipa/ui/
> [Thu Feb 03 09:43:21.672265 2022] [auth_gssapi:error] [pid 332935:tid 140680907155200] [client 2001:123:aa:123:0:90cc:a629:cf42:5877:50870] Failed to unseal session data!, referer: https://server.example.com/ipa/ui/
> [Thu Feb 03 09:43:22.019527 2022] [auth_gssapi:error] [pid 332935:tid 140680907155200] [client 2001:123:aa:123:0:90cc:a629:cf42:5877:50870] GSS ERROR gss_acquire_cred[_from]() failed to get server creds: [Unspecified GSS failure. Minor code may provide more information ( SPNEGO cannot find mechanisms to negotiate)], referer: https://server.example.com/ipa/ui/
>
> I found some google hits on gssproxy being the culprit but I can't
> seem to find anything wrong with it. It's not logging any errors or such.
>
> Any ideas on what the problem could be here?
Some additional information... I get the same kinds of errors from ipa ping also:

# ipa ping
ipa: ERROR: No valid Negotiate header in server response

This seems to be the same issue as reported at:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/GZ5ISOSFYO34DZILJFCPOGKBBGD5RBHI/

Not being a kerberos and ldap expert, I'm not terribly comfortable with trying to replicate the solution above: "pulled the value of krbprincipalkey from the server and used ldapmodify to fix it on the other servers".

There in fact seem to be a lot of google hits on "ipa: ERROR: No valid Negotiate header in server response" with not much at all in the way of solutions. One google search result says the solution is:

# ipa-getkeytab -D "cn=directory manager" -w <Directory Manager Password> -s <IPA master server FQDN> -p 'HTTP/<IPA server FQDN>' -r -k /var/lib/ipa/gssproxy/http.keytab

When I do that, and then kinit admin again and try ipa ping, that works, as do other ipa commands such as {server,user,host}-find, etc. However, logging into the webUI still doesn't work. The only message in the httpd error log is:

[wsgi:error] [pid 428864:tid 140609438590720] [remote fd31:aeb1:48df:0:3b14:e643:83d8:7017:44824] ipa: INFO: [jsonserver_i18n_messages] UNKNOWN: i18n_messages(version='2.237'): SUCCESS

But that only logged once and doesn't log with each attempt to log into the webUI.

The access log logs:

fd31:aeb1:48df:0:3b14:e643:83d8:7017 - - [04/Feb/2022:08:54:29 -0500] "GET /ipa/ui/ HTTP/1.1" 304 -
fd31:aeb1:48df:0:3b14:e643:83d8:7017 - - [04/Feb/2022:08:54:30 -0500] "GET /ipa/ui/js/libs/loader.js HTTP/1.1" 304 -
fd31:aeb1:48df:0:3b14:e643:83d8:7017 - - [04/Feb/2022:08:54:30 -0500] "GET /ipa/ui/js/libs/json2.js?v=40608 HTTP/1.1" 304 -
fd31:aeb1:48df:0:3b14:e643:83d8:7017 - - [04/Feb/2022:08:54:30 -0500] "GET /ipa/ui/css/patternfly.css?v=40608 HTTP/1.1" 304 -
fd31:aeb1:48df:0:3b14:e643:83d8:7017 - - [04/Feb/2022:08:54:30 -0500] "GET /ipa/ui/css/bootstrap-datepicker3.min.css?v=40608 HTTP/1.1" 304 -
fd31:aeb1:48df:0:3b14:e643:83d8:7017 - - [04/Feb/2022:08:54:30 -0500] "GET /ipa/ui/css/ipa.css?v=40608 HTTP/1.1" 304 -
fd31:aeb1:48df:0:3b14:e643:83d8:7017 - - [04/Feb/2022:08:54:30 -0500] "GET /ipa/ui/ipa.css?v=40608 HTTP/1.1" 304 -
fd31:aeb1:48df:0:3b14:e643:83d8:7017 - - [04/Feb/2022:08:54:31 -0500] "GET /ipa/ui/js/libs/jquery.js?v=40608 HTTP/1.1" 304 -
fd31:aeb1:48df:0:3b14:e643:83d8:7017 - - [04/Feb/2022:08:54:31 -0500] "GET /ipa/ui/js/libs/bootstrap.js?v=40608 HTTP/1.1" 304 -
fd31:aeb1:48df:0:3b14:e643:83d8:7017 - - [04/Feb/2022:08:54:31 -0500] "GET /ipa/ui/js/libs/bootstrap-datepicker.js?v=40608 HTTP/1.1" 304 -
fd31:aeb1:48df:0:3b14:e643:83d8:7017 - - [04/Feb/2022:08:54:31 -0500] "GET /ipa/ui/js/libs/patternfly.js?v=40608 HTTP/1.1" 304 -
fd31:aeb1:48df:0:3b14:e643:83d8:7017 - - [04/Feb/2022:08:54:31 -0500] "GET /ipa/ui/js/libs/jquery.ordered-map.js?v=40608 HTTP/1.1" 304 -
fd31:aeb1:48df:0:3b14:e643:83d8:7017 - - [04/Feb/2022:08:54:31 -0500] "GET /ipa/ui/js/libs/browser.js?v=40608 HTTP/1.1" 304 -
fd31:aeb1:48df:0:3b14:e643:83d8:7017 - - [04/Feb/2022:08:54:31 -0500] "GET /ipa/ui/js/dojo/dojo.js?v=40608 HTTP/1.1" 304 -
fd31:aeb1:48df:0:3b14:e643:83d8:7017 - - [04/Feb/2022:08:54:31 -0500] "GET /ipa/ui/js/libs/qrcode.js?v=40608 HTTP/1.1" 304 -
fd31:aeb1:48df:0:3b14:e643:83d8:7017 - - [04/Feb/2022:08:54:31 -0500] "GET /ipa/ui/js/freeipa/app.js?40608 HTTP/1.1" 304 -
fd31:aeb1:48df:0:3b14:e643:83d8:7017 - - [04/Feb/2022:08:54:31 -0500] "GET /ipa/ui/js/libs/d3.js?40608 HTTP/1.1" 304 -
fd31:aeb1:48df:0:3b14:e643:83d8:7017 - - [04/Feb/2022:08:54:31 -0500] "POST /ipa/i18n_messages HTTP/1.1" 200 13160
fd31:aeb1:48df:0:3b14:e643:83d8:7017 - - [04/Feb/2022:08:54:31 -0500] "GET /ipa/ui/js/freeipa/plugins.js?40608 HTTP/1.1" 200 59
fd31:aeb1:48df:0:3b14:e643:83d8:7017 - - [04/Feb/2022:08:54:31 -0500] "GET /ipa/ui/favicon.ico?v=40608 HTTP/1.1" 304 -
fd31:aeb1:48df:0:3b14:e643:83d8:7017 - - [04/Feb/2022:08:54:31 -0500] "GET /ipa/ui/images/header-logo.png HTTP/1.1" 304 -
fd31:aeb1:48df:0:3b14:e643:83d8:7017 - - [04/Feb/2022:08:54:31 -0500] "GET /ipa/ui/images/login-screen-background.jpg HTTP/1.1" 304 -
fd31:aeb1:48df:0:3b14:e643:83d8:7017 - br...@example.com [04/Feb/2022:08:54:31 -0500] "POST /ipa/session/json HTTP/1.1" 401 -
fd31:aeb1:48df:0:3b14:e643:83d8:7017 - br...@example.com [04/Feb/2022:08:54:32 -0500] "GET /ipa/session/login_kerberos?_=1643982871287 HTTP/1.1" 401 -
fd31:aeb1:48df:0:3b14:e643:83d8:7017 - - [04/Feb/2022:08:54:32 -0500] "GET /ipa/ui/images/login-screen-logo.png HTTP/1.1" 304 -
fd31:aeb1:48df:0:3b14:e643:83d8:7017 - - [04/Feb/2022:08:54:32 -0500] "GET /ipa/ui/images/product-name.png HTTP/1.1" 304 -
fd31:aeb1:48df:0:3b14:e643:83d8:7017 - - [04/Feb/2022:08:54:32 -0500] "GET /ipa/ui/fonts/fontawesome/fontawesome-webfont.ttf?v=4.0.3 HTTP/1.1" 304 -

on each attempt and failure. The client is not even getting an HTTP ticket for the IPA server when it's trying the above.

Trying to use username and password also doesn't work, but with much less logged:

fd31:aeb1:48df:0:3b14:e643:83d8:7017 - - [04/Feb/2022:09:16:54 -0500] "POST /ipa/session/login_password HTTP/1.1" 200 25
fd31:aeb1:48df:0:3b14:e643:83d8:7017 - br...@example.com [04/Feb/2022:09:16:55 -0500] "POST /ipa/session/json HTTP/1.1" 401 -
fd31:aeb1:48df:0:3b14:e643:83d8:7017 - br...@example.com [04/Feb/2022:09:16:55 -0500] "GET /ipa/session/login_kerberos?_=1643984001538 HTTP/1.1" 401 -

Any ideas why the webUI doesn't authenticate?

Cheers,
b.
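As an added example (not part of the thread or of FreeIPA itself), a small Python audit that walks httpd access-log lines like the ones above and flags, per client, the failed Web UI login pattern the poster sees: a 401 on POST /ipa/session/json right after a 200 on /ipa/session/login_password, and a 401 on /ipa/session/login_kerberos. The sample lines are constructed from the thread's log, plus an invented healthy client 2001:db8::10 as a control.

```python
import re
from collections import defaultdict

# Apache common log format as written by httpd on an IPA server:
# client ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: the failing client from the thread plus one made-up
# client (2001:db8::10) whose password login is accepted, as a control.
SAMPLE_LOG = """\
fd31:aeb1:48df:0:3b14:e643:83d8:7017 - - [04/Feb/2022:08:54:31 -0500] "GET /ipa/ui/ HTTP/1.1" 304 -
fd31:aeb1:48df:0:3b14:e643:83d8:7017 - br...@example.com [04/Feb/2022:08:54:31 -0500] "POST /ipa/session/json HTTP/1.1" 401 -
fd31:aeb1:48df:0:3b14:e643:83d8:7017 - br...@example.com [04/Feb/2022:08:54:32 -0500] "GET /ipa/session/login_kerberos?_=1643982871287 HTTP/1.1" 401 -
fd31:aeb1:48df:0:3b14:e643:83d8:7017 - - [04/Feb/2022:09:16:54 -0500] "POST /ipa/session/login_password HTTP/1.1" 200 25
fd31:aeb1:48df:0:3b14:e643:83d8:7017 - br...@example.com [04/Feb/2022:09:16:55 -0500] "POST /ipa/session/json HTTP/1.1" 401 -
2001:db8::10 - - [04/Feb/2022:09:20:00 -0500] "POST /ipa/session/login_password HTTP/1.1" 200 25
2001:db8::10 - alice@example.com [04/Feb/2022:09:20:01 -0500] "POST /ipa/session/json HTTP/1.1" 200 1234
"""

def parse(lines):
    """Yield parsed records; lines that do not match the format are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            rec["path"] = rec["path"].split("?", 1)[0]  # drop ?v=/?_= cache-busters
            yield rec

def audit_webui_logins(text):
    """Return {client: [finding, ...]} for clients whose Web UI login flow failed."""
    findings = defaultdict(list)
    last_login = {}  # client -> status of its most recent login_password POST
    for rec in parse(text.splitlines()):
        c = rec["client"]
        if rec["path"] == "/ipa/session/login_password":
            last_login[c] = rec["status"]
        elif rec["path"] == "/ipa/session/login_kerberos" and rec["status"] == 401:
            findings[c].append("kerberos_login_rejected")
        elif rec["path"] == "/ipa/session/json" and rec["status"] == 401:
            # A 200 on login_password followed by 401 here means the password was
            # accepted but the resulting session was not honoured by the JSON API.
            if last_login.get(c) == 200:
                findings[c].append("session_rejected_after_password_login")
            else:
                findings[c].append("session_rejected")
    return dict(findings)
```

Feed it `/var/log/httpd/access_log` (or `ssl_access_log`, depending on the distribution) to see which clients never get past the session endpoint.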
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure