Howdy. I've been a long-time user of freeipa and have had a small instance running at home via fedora packages for the past 5 years or so. Its actually hard to know just how long I've had it running, but that's besides the point; for what feels like ages I've never had to really mess with it and it kept on ticking. Until recently.
I'm no longer able to use the ipa command line tool or the webui. The webui correctly rejects any invalid passwords with an invalid password message, but any /correct/ credentials simply says "Your session has expired. Please log in again.". All of my clients are using the same NTP server as the server, nothing it out of sync, and caches have been cleared multiple times. I know this isn't a browser issue, because of the next point: I can't use the ipa command on my server anymore. Here's a brief sample of one such attempt: [root@io kdc]# kinit admin Password for [email protected]: [root@io kdc]# ipa -d ipa: DEBUG: Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index' ipa: DEBUG: Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state' ipa: DEBUG: Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state' ipa: DEBUG: failed to find session_cookie in persistent storage for principal '[email protected]' ipa: DEBUG: trying https://io.malloc.hackerbots.net/ipa/json ipa: DEBUG: Created connection context.rpcclient_139701656917472 ipa: DEBUG: [try 1]: Forwarding 'schema' to json server 'https://io.malloc.hackerbots.net/ipa/json' ipa: DEBUG: New HTTP connection (io.malloc.hackerbots.net) ipa: DEBUG: received Set-Cookie (<class 'list'>)'['ipa_session=MagBearerToken=lflo9aPGmula4dSW7i8LbiI7ZNH%2bSycMGOGpqZiZkD0bydWnWfzv7bSuTIzsvdQGPas3BatwwBmREuVlVM0iT0%2by2tto74XdZXXYrv4MhOFT7q3vECladuGsQgqInfrIeLG4a8LMQ0CqE8exLdtttJtt%2fydt1lHzsbHCTigV7TS8CF%2bnZ7558549uo5rJtG%2f6YXG7p0zzhQ4hUYOPwjR%2byux%2bIQhK5PeVu3TKnofFZk%3d;path=/ipa;httponly;secure;']' ipa: DEBUG: storing cookie 'ipa_session=MagBearerToken=lflo9aPGmula4dSW7i8LbiI7ZNH%2bSycMGOGpqZiZkD0bydWnWfzv7bSuTIzsvdQGPas3BatwwBmREuVlVM0iT0%2by2tto74XdZXXYrv4MhOFT7q3vECladuGsQgqInfrIeLG4a8LMQ0CqE8exLdtttJtt%2fydt1lHzsbHCTigV7TS8CF%2bnZ7558549uo5rJtG%2f6YXG7p0zzhQ4hUYOPwjR%2byux%2bIQhK5PeVu3TKnofFZk%3d;' for principal [email protected] ipa: DEBUG: Destroyed connection context.rpcclient_139701656917472 ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty) Wish I could say how long its been like this or what I did to break it, but again, its been running for so long that I've never really had to check in on it! This is a Fedora 32 server that has gone through several distro upgrades over the years and through each one, freeipa kept running without issue. I'm certain that at some point in the last year I've upgraded a package that broke this, but there is no way to check. Kerberos continues to work fine; I can login to other services and change passwords and whatnot. ldapsearch returns results and I can bind to it, and other services that utilize ldap for authentication still work great. Except for, of course, the freeipa web app. It looks like freeipa hasn't seen a new release in quite some time, so I'm prepared to do a bunch of debugging myself if anyone could point me in the right directions. Additionally, here's the apache error_log with debug=true in /etc/ipa/server.conf: [Mon Apr 18 10:57:31.776194 2022] [ssl:info] [pid 1989623:tid 1989819] [client 127.0.0.1:42826] AH01964: Connection to child 8 established (server io.malloc.hackerbots.net:443) [Mon Apr 18 10:57:31.776376 2022] [ssl:debug] [pid 1989623:tid 1989819] ssl_engine_kernel.c(2374): [client 127.0.0.1:42826] AH02043: SSL virtual host for servername io.malloc.hackerbots.net found [Mon Apr 18 10:57:31.779851 2022] [ssl:debug] [pid 1989623:tid 1989819] ssl_engine_kernel.c(2254): [client 127.0.0.1:42826] AH02041: Protocol: TLSv1.3, Cipher: TLS_AES_256_GCM_SHA384 (256/256 bits) [Mon Apr 18 10:57:31.779966 2022] [socache_shmcb:debug] [pid 1989623:tid 1989819] mod_socache_shmcb.c(493): AH00831: socache_shmcb_store (0x4a -> subcache 10) [Mon Apr 18 10:57:31.779974 2022] [socache_shmcb:debug] [pid 1989623:tid 1989819] mod_socache_shmcb.c(847): AH00847: insert happened at idx=2, data=(378:410) [Mon Apr 18 10:57:31.779977 2022] [socache_shmcb:debug] [pid 1989623:tid 1989819] mod_socache_shmcb.c(850): AH00848: finished insert, subcache: idx_pos/idx_used=0/3, data_pos/data_used=0/595 [Mon Apr 18 10:57:31.779981 2022] [socache_shmcb:debug] [pid 1989623:tid 1989819] mod_socache_shmcb.c(515): AH00834: leaving socache_shmcb_store successfully [Mon Apr 18 10:57:31.780083 2022] [socache_shmcb:debug] [pid 1989623:tid 1989819] mod_socache_shmcb.c(493): AH00831: socache_shmcb_store (0xde -> subcache 30) [Mon Apr 18 10:57:31.780088 2022] [socache_shmcb:debug] [pid 1989623:tid 1989819] mod_socache_shmcb.c(847): AH00847: insert happened at idx=1, data=(217:249) [Mon Apr 18 10:57:31.780091 2022] [socache_shmcb:debug] [pid 1989623:tid 1989819] mod_socache_shmcb.c(850): AH00848: finished insert, subcache: idx_pos/idx_used=0/2, data_pos/data_used=0/434 [Mon Apr 18 10:57:31.780094 2022] [socache_shmcb:debug] [pid 1989623:tid 1989819] mod_socache_shmcb.c(515): AH00834: leaving socache_shmcb_store successfully [Mon Apr 18 10:57:31.780181 2022] [ssl:debug] [pid 1989623:tid 1989819] ssl_engine_kernel.c(415): [client 127.0.0.1:42826] AH02034: Initial (No.1) HTTPS request received for child 8 (server io.malloc.hackerbots.net:443), referer: https://io.malloc.hackerbots.net/ipa/xml [Mon Apr 18 10:57:31.780373 2022] [authz_core:debug] [pid 1989623:tid 1989819] mod_authz_core.c(815): [client 127.0.0.1:42826] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: https://io.malloc.hackerbots.net/ipa/xml [Mon Apr 18 10:57:31.780384 2022] [authz_core:debug] [pid 1989623:tid 1989819] mod_authz_core.c(815): [client 127.0.0.1:42826] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet), referer: https://io.malloc.hackerbots.net/ipa/xml [Mon Apr 18 10:57:31.780395 2022] [auth_gssapi:debug] [pid 1989623:tid 1989819] mod_auth_gssapi.c(893): [client 127.0.0.1:42826] URI: /ipa/session/json, no main, no prev, referer: https://io.malloc.hackerbots.net/ipa/xml [Mon Apr 18 10:57:31.780450 2022] [auth_gssapi:debug] [pid 1989623:tid 1989819] mod_auth_gssapi.c(983): [client 127.0.0.1:42826] Already established context found!, referer: https://io.malloc.hackerbots.net/ipa/xml [Mon Apr 18 10:57:31.780482 2022] [authz_core:debug] [pid 1989623:tid 1989819] mod_authz_core.c(815): [client 127.0.0.1:42826] AH01626: authorization result of Require valid-user : granted, referer: https://io.malloc.hackerbots.net/ipa/xml [Mon Apr 18 10:57:31.780486 2022] [authz_core:debug] [pid 1989623:tid 1989819] mod_authz_core.c(815): [client 127.0.0.1:42826] AH01626: authorization result of <RequireAny>: granted, referer: https://io.malloc.hackerbots.net/ipa/xml [Mon Apr 18 10:57:31.780544 2022] [lookup_identity:debug] [pid 1989623:tid 1989819] mod_lookup_identity.c(445): [client 127.0.0.1:42826] invoked for user [email protected], referer: https://io.malloc.hackerbots.net/ipa/xml [Mon Apr 18 10:57:31.780635 2022] [authz_core:debug] [pid 1989623:tid 1989819] mod_authz_core.c(815): [client 127.0.0.1:42826] AH01626: authorization result of Require all granted: granted, referer: https://io.malloc.hackerbots.net/ipa/xml [Mon Apr 18 10:57:31.780641 2022] [authz_core:debug] [pid 1989623:tid 1989819] mod_authz_core.c(815): [client 127.0.0.1:42826] AH01626: authorization result of <RequireAny>: granted, referer: https://io.malloc.hackerbots.net/ipa/xml [Mon Apr 18 10:57:31.780648 2022] [auth_gssapi:debug] [pid 1989623:tid 1989819] mod_auth_gssapi.c(726): [client 127.0.0.1:42826] GSSapiImpersonate not On, skipping impersonation., referer: https://io.malloc.hackerbots.net/ipa/xml [Mon Apr 18 10:57:31.781246 2022] [wsgi:error] [pid 1989622:tid 1989934] [remote 127.0.0.1:42826] ipa: DEBUG: WSGI wsgi_dispatch.__call__: [Mon Apr 18 10:57:31.781331 2022] [wsgi:error] [pid 1989622:tid 1989934] [remote 127.0.0.1:42826] ipa: DEBUG: WSGI jsonserver_session.__call__: [Mon Apr 18 10:57:31.836341 2022] [wsgi:error] [pid 1989622:tid 1989934] [remote 127.0.0.1:42826] ipa: INFO: 401 Unauthorized: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty) _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
