Yep, its still there. I thought that was strange too but I can't figure out why it thinks it is off even though there's *nowhere* in any of my apache configs that turn it off.
On Thu, Apr 28, 2022, at 1:57 PM, Florence Blanc-Renaud via FreeIPA-users wrote: > Hi, > > On Tue, Apr 26, 2022 at 9:15 PM Victoria Fierce via FreeIPA-users > <[email protected]> wrote: >> Howdy. >> >> I've been a long-time user of freeipa and have had a small instance running >> at home via fedora packages for the past 5 years or so. Its actually hard >> to know just how long I've had it running, but that's besides the point; for >> what feels like ages I've never had to really mess with it and it kept on >> ticking. Until recently. >> >> I'm no longer able to use the ipa command line tool or the webui. The webui >> correctly rejects any invalid passwords with an invalid password message, >> but any /correct/ credentials simply says "Your session has expired. Please >> log in again.". All of my clients are using the same NTP server as the >> server, nothing it out of sync, and caches have been cleared multiple times. >> I know this isn't a browser issue, because of the next point: >> >> I can't use the ipa command on my server anymore. Here's a brief sample of >> one such attempt: >> >> [root@io kdc]# kinit admin >> Password for [email protected]: >> [root@io kdc]# ipa -d >> ipa: DEBUG: Loading Index file from >> '/var/lib/ipa-client/sysrestore/sysrestore.index' >> ipa: DEBUG: Loading StateFile from >> '/var/lib/ipa-client/sysrestore/sysrestore.state' >> ipa: DEBUG: Loading StateFile from >> '/var/lib/ipa-client/sysrestore/sysrestore.state' >> ipa: DEBUG: failed to find session_cookie in persistent storage for >> principal '[email protected]' >> ipa: DEBUG: trying https://io.malloc.hackerbots.net/ipa/json >> ipa: DEBUG: Created connection context.rpcclient_139701656917472 >> ipa: DEBUG: [try 1]: Forwarding 'schema' to json server >> 'https://io.malloc.hackerbots.net/ipa/json' >> ipa: DEBUG: New HTTP connection (io.malloc.hackerbots.net) >> ipa: DEBUG: received Set-Cookie (<class >> 'list'>)'['ipa_session=MagBearerToken=lflo9aPGmula4dSW7i8LbiI7ZNH%2bSycMGOGpqZiZkD0bydWnWfzv7bSuTIzsvdQGPas3BatwwBmREuVlVM0iT0%2by2tto74XdZXXYrv4MhOFT7q3vECladuGsQgqInfrIeLG4a8LMQ0CqE8exLdtttJtt%2fydt1lHzsbHCTigV7TS8CF%2bnZ7558549uo5rJtG%2f6YXG7p0zzhQ4hUYOPwjR%2byux%2bIQhK5PeVu3TKnofFZk%3d;path=/ipa;httponly;secure;']' >> ipa: DEBUG: storing cookie >> 'ipa_session=MagBearerToken=lflo9aPGmula4dSW7i8LbiI7ZNH%2bSycMGOGpqZiZkD0bydWnWfzv7bSuTIzsvdQGPas3BatwwBmREuVlVM0iT0%2by2tto74XdZXXYrv4MhOFT7q3vECladuGsQgqInfrIeLG4a8LMQ0CqE8exLdtttJtt%2fydt1lHzsbHCTigV7TS8CF%2bnZ7558549uo5rJtG%2f6YXG7p0zzhQ4hUYOPwjR%2byux%2bIQhK5PeVu3TKnofFZk%3d;' >> for principal [email protected] >> ipa: DEBUG: Destroyed connection context.rpcclient_139701656917472 >> ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI Error: >> Unspecified GSS failure. Minor code may provide more information >> (Credential cache is empty) >> >> Wish I could say how long its been like this or what I did to break it, but >> again, its been running for so long that I've never really had to check in >> on it! This is a Fedora 32 server that has gone through several distro >> upgrades over the years and through each one, freeipa kept running without >> issue. I'm certain that at some point in the last year I've upgraded a >> package that broke this, but there is no way to check. Kerberos continues to >> work fine; I can login to other services and change passwords and whatnot. >> ldapsearch returns results and I can bind to it, and other services that >> utilize ldap for authentication still work great. Except for, of course, the >> freeipa web app. It looks like freeipa hasn't seen a new release in quite >> some time, so I'm prepared to do a bunch of debugging myself if anyone could >> point me in the right directions. >> >> Additionally, here's the apache error_log with debug=true in >> /etc/ipa/server.conf: >> >> [Mon Apr 18 10:57:31.776194 2022] [ssl:info] [pid 1989623:tid 1989819] >> [client 127.0.0.1:42826] AH01964: Connection to child 8 established (server >> io.malloc.hackerbots.net:443) >> [Mon Apr 18 10:57:31.776376 2022] [ssl:debug] [pid 1989623:tid 1989819] >> ssl_engine_kernel.c(2374): [client 127.0.0.1:42826] AH02043: SSL virtual >> host for servername io.malloc.hackerbots.net found >> [Mon Apr 18 10:57:31.779851 2022] [ssl:debug] [pid 1989623:tid 1989819] >> ssl_engine_kernel.c(2254): [client 127.0.0.1:42826] AH02041: Protocol: >> TLSv1.3, Cipher: TLS_AES_256_GCM_SHA384 (256/256 bits) >> [Mon Apr 18 10:57:31.779966 2022] [socache_shmcb:debug] [pid 1989623:tid >> 1989819] mod_socache_shmcb.c(493): AH00831: socache_shmcb_store (0x4a -> >> subcache 10) >> [Mon Apr 18 10:57:31.779974 2022] [socache_shmcb:debug] [pid 1989623:tid >> 1989819] mod_socache_shmcb.c(847): AH00847: insert happened at idx=2, >> data=(378:410) >> [Mon Apr 18 10:57:31.779977 2022] [socache_shmcb:debug] [pid 1989623:tid >> 1989819] mod_socache_shmcb.c(850): AH00848: finished insert, subcache: >> idx_pos/idx_used=0/3, data_pos/data_used=0/595 >> [Mon Apr 18 10:57:31.779981 2022] [socache_shmcb:debug] [pid 1989623:tid >> 1989819] mod_socache_shmcb.c(515): AH00834: leaving socache_shmcb_store >> successfully >> [Mon Apr 18 10:57:31.780083 2022] [socache_shmcb:debug] [pid 1989623:tid >> 1989819] mod_socache_shmcb.c(493): AH00831: socache_shmcb_store (0xde -> >> subcache 30) >> [Mon Apr 18 10:57:31.780088 2022] [socache_shmcb:debug] [pid 1989623:tid >> 1989819] mod_socache_shmcb.c(847): AH00847: insert happened at idx=1, >> data=(217:249) >> [Mon Apr 18 10:57:31.780091 2022] [socache_shmcb:debug] [pid 1989623:tid >> 1989819] mod_socache_shmcb.c(850): AH00848: finished insert, subcache: >> idx_pos/idx_used=0/2, data_pos/data_used=0/434 >> [Mon Apr 18 10:57:31.780094 2022] [socache_shmcb:debug] [pid 1989623:tid >> 1989819] mod_socache_shmcb.c(515): AH00834: leaving socache_shmcb_store >> successfully >> [Mon Apr 18 10:57:31.780181 2022] [ssl:debug] [pid 1989623:tid 1989819] >> ssl_engine_kernel.c(415): [client 127.0.0.1:42826] AH02034: Initial (No.1) >> HTTPS request received for child 8 (server io.malloc.hackerbots.net:443), >> referer: https://io.malloc.hackerbots.net/ipa/xml >> [Mon Apr 18 10:57:31.780373 2022] [authz_core:debug] [pid 1989623:tid >> 1989819] mod_authz_core.c(815): [client 127.0.0.1:42826] AH01626: >> authorization result of Require valid-user : denied (no authenticated user >> yet), referer: https://io.malloc.hackerbots.net/ipa/xml >> [Mon Apr 18 10:57:31.780384 2022] [authz_core:debug] [pid 1989623:tid >> 1989819] mod_authz_core.c(815): [client 127.0.0.1:42826] AH01626: >> authorization result of <RequireAny>: denied (no authenticated user yet), >> referer: https://io.malloc.hackerbots.net/ipa/xml >> [Mon Apr 18 10:57:31.780395 2022] [auth_gssapi:debug] [pid 1989623:tid >> 1989819] mod_auth_gssapi.c(893): [client 127.0.0.1:42826] URI: >> /ipa/session/json, no main, no prev, referer: >> https://io.malloc.hackerbots.net/ipa/xml >> [Mon Apr 18 10:57:31.780450 2022] [auth_gssapi:debug] [pid 1989623:tid >> 1989819] mod_auth_gssapi.c(983): [client 127.0.0.1:42826] Already >> established context found!, referer: https://io.malloc.hackerbots.net/ipa/xml >> [Mon Apr 18 10:57:31.780482 2022] [authz_core:debug] [pid 1989623:tid >> 1989819] mod_authz_core.c(815): [client 127.0.0.1:42826] AH01626: >> authorization result of Require valid-user : granted, referer: >> https://io.malloc.hackerbots.net/ipa/xml >> [Mon Apr 18 10:57:31.780486 2022] [authz_core:debug] [pid 1989623:tid >> 1989819] mod_authz_core.c(815): [client 127.0.0.1:42826] AH01626: >> authorization result of <RequireAny>: granted, referer: >> https://io.malloc.hackerbots.net/ipa/xml >> [Mon Apr 18 10:57:31.780544 2022] [lookup_identity:debug] [pid 1989623:tid >> 1989819] mod_lookup_identity.c(445): [client 127.0.0.1:42826] invoked for >> user [email protected], referer: >> https://io.malloc.hackerbots.net/ipa/xml >> [Mon Apr 18 10:57:31.780635 2022] [authz_core:debug] [pid 1989623:tid >> 1989819] mod_authz_core.c(815): [client 127.0.0.1:42826] AH01626: >> authorization result of Require all granted: granted, referer: >> https://io.malloc.hackerbots.net/ipa/xml >> [Mon Apr 18 10:57:31.780641 2022] [authz_core:debug] [pid 1989623:tid >> 1989819] mod_authz_core.c(815): [client 127.0.0.1:42826] AH01626: >> authorization result of <RequireAny>: granted, referer: >> https://io.malloc.hackerbots.net/ipa/xml >> [Mon Apr 18 10:57:31.780648 2022] [auth_gssapi:debug] [pid 1989623:tid >> 1989819] mod_auth_gssapi.c(726): [client 127.0.0.1:42826] GSSapiImpersonate >> not On, skipping impersonation., referer: >> https://io.malloc.hackerbots.net/ipa/xml > > " GSSapiImpersonate not On" looks suspicious to me. Can you check if > /etc/httpd/conf.d/ipa.conf contains "GssapiImpersonate On" in the sections > <Location "/ipa"> and <Location "/ipa/session/login_x509"> ? > > flo >> >> [Mon Apr 18 10:57:31.781246 2022] [wsgi:error] [pid 1989622:tid 1989934] >> [remote 127.0.0.1:42826] ipa: DEBUG: WSGI wsgi_dispatch.__call__: >> [Mon Apr 18 10:57:31.781331 2022] [wsgi:error] [pid 1989622:tid 1989934] >> [remote 127.0.0.1:42826] ipa: DEBUG: WSGI jsonserver_session.__call__: >> [Mon Apr 18 10:57:31.836341 2022] [wsgi:error] [pid 1989622:tid 1989934] >> [remote 127.0.0.1:42826] ipa: INFO: 401 Unauthorized: Insufficient access: >> SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor >> code may provide more information (Credential cache is empty) >> _______________________________________________ >> FreeIPA-users mailing list -- [email protected] >> To unsubscribe send an email to [email protected] >> Fedora Code of Conduct: >> https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >> List Archives: >> https://lists.fedorahosted.org/archives/list/[email protected] >> Do not reply to spam on the list, report it: >> https://pagure.io/fedora-infrastructure > _______________________________________________ > FreeIPA-users mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/[email protected] > Do not reply to spam on the list, report it: > https://pagure.io/fedora-infrastructure >
_______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
