Hello,
I have a FreeIPA setup with AD trust configured. Everything works, except the
login to the Web UI with an Active Directory account. The only way to log in to
the Web UI is via the admin account.
In /var/log/krb5kdc.log I have the following entries after I try to connect to
the Web UI:
Apr 21 13:10:50 server1.ipa.example.corp krb5kdc[79563](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.110.10.16: NEEDED_PREAUTH: WELLKNOWN/[email protected] for krbtgt/[email protected], Additional pre-authentication required
Apr 21 13:10:50 server1.ipa.example.corp krb5kdc[79563](info): closing down fd 11
Apr 21 13:10:51 server1.ipa.example.corp krb5kdc[79563](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.110.10.16: ISSUE: authtime 1682075451, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, WELLKNOWN/[email protected] for krbtgt/[email protected]
Apr 21 13:10:51 server1.ipa.example.corp krb5kdc[79563](info): closing down fd 11
Apr 21 13:10:51 server1.ipa.example.corp krb5kdc[79563](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.110.10.16: REFERRAL: ad_user\@[email protected] for krbtgt/[email protected], Realm not local to KDC
Apr 21 13:10:51 server1.ipa.example.corp krb5kdc[79563](info): closing down fd 11
Apr 21 13:10:51 server1.ipa.example.corp krb5kdc[79563](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.110.10.16: ISSUE: authtime 1682075451, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, [email protected] for HTTP/[email protected]
Apr 21 13:10:51 server1.ipa.example.corp krb5kdc[79563](info): closing down fd 11
Apr 21 13:10:51 server1.ipa.example.corp krb5kdc[79563](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.110.10.16: ISSUE: authtime 1682075451, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, HTTP/[email protected] for ldap/[email protected]
Apr 21 13:10:51 server1.ipa.example.corp krb5kdc[79563](info): ... CONSTRAINED-DELEGATION [email protected]
Apr 21 13:10:51 server1.ipa.example.corp krb5kdc[79563(info): closing down fd 11
In /var/log/httpd/error_log:
[Fri Apr 21 13:10:51.486185 2023] [wsgi:error] [pid 83736:tid 139830049466112] [remote 10.30.93.93:55487] ipa: DEBUG: http://server1.ipa.example.corp:80 "GET /ipa/session/cookie HTTP/1.1" 301 264
[Fri Apr 21 13:10:51.489030 2023] [wsgi:error] [pid 83736:tid 139830049466112] [remote 10.30.93.93:55487] ipa: DEBUG: Starting new HTTPS connection (1): server1.ipa.example.corp:443
[Fri Apr 21 13:10:51.502719 2023] [wsgi:error] [pid 83736:tid 139830049466112] [remote 10.30.93.93:55487] ipa: DEBUG: https://server1.ipa.example.corp:443 "GET /ipa/session/cookie HTTP/1.1" 200 0
[Fri Apr 21 13:10:51.520267 2023] [wsgi:error] [pid 83735:tid 139830049466112] [remote 10.30.93.93:55487] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Fri Apr 21 13:10:51.520383 2023] [wsgi:error] [pid 83735:tid 139830049466112] [remote 10.30.93.93:55487] ipa: DEBUG: WSGI jsonserver_session.__call__:
[Fri Apr 21 13:10:51.543781 2023] [wsgi:error] [pid 83735:tid 139830049466112] [remote 10.30.93.93:55487] ipa: INFO: 401 Unauthorized: Insufficient access: Invalid credentials
[Fri Apr 21 13:10:51.549458 2023] [:warn] [pid 84016:tid 139829933188864] [client 10.30.93.93:55487] failed to set perms (3140) on file (/run/ipa/ccaches/[email protected])!, referer: https://server1.ipa.example.corp/ipa/ui/
[Fri Apr 21 13:10:51.550056 2023] [wsgi:error] [pid 83738:tid 139830049466112] [remote 10.30.93.93:55487] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Fri Apr 21 13:10:51.550114 2023] [wsgi:error] [pid 83738:tid 139830049466112] [remote 10.30.93.93:55487] ipa: DEBUG: WSGI KerberosLogin.__call__:
[Fri Apr 21 13:10:51.557831 2023] [wsgi:error] [pid 83738:tid 139830049466112] [remote 10.30.93.93:55487] ipa: INFO: 401 Unauthorized: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (108962060): Credential cache is empty
From the Web UI I try to connect with the ad_user account, with and without
appending the AD domain (EXAMPLE.CORP).
The error message I get on the UI is: Your session has expired. Please log in
again.
Does anyone have any suggestion or idea how this can be fixed?
_______________________________________________
FreeIPA-users mailing list -- [email protected]
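An added triage helper (example code written for this page, not from the post above or from FreeIPA) that parses krb5kdc.log AS_REQ/TGS_REQ lines of the kind quoted in the post, groups them per client address, and reports whether the anonymous armor TGT was issued and which trusted-domain (enterprise) principals this KDC referred to another realm without issuing them a ticket, which is where the failing step has to be followed up on the trusted side. The sample lines are constructed, and the realm names IPA.EXAMPLE.CORP and EXAMPLE.CORP are placeholders assumed from the hostnames in the post.

```python
import re
from collections import defaultdict
# Constructed sample lines in krb5kdc.log format; the realm names are placeholders.
SAMPLE_LOG = r"""
Apr 21 13:10:50 server1.ipa.example.corp krb5kdc[79563](info): AS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.110.10.16: NEEDED_PREAUTH: WELLKNOWN/ANONYMOUS@IPA.EXAMPLE.CORP for krbtgt/IPA.EXAMPLE.CORP@IPA.EXAMPLE.CORP, Additional pre-authentication required
Apr 21 13:10:51 server1.ipa.example.corp krb5kdc[79563](info): AS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.110.10.16: ISSUE: authtime 1682075451, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, WELLKNOWN/ANONYMOUS@IPA.EXAMPLE.CORP for krbtgt/IPA.EXAMPLE.CORP@IPA.EXAMPLE.CORP
Apr 21 13:10:51 server1.ipa.example.corp krb5kdc[79563](info): AS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.110.10.16: REFERRAL: ad_user\@EXAMPLE.CORP@IPA.EXAMPLE.CORP for krbtgt/IPA.EXAMPLE.CORP@IPA.EXAMPLE.CORP, Realm not local to KDC
Apr 21 13:10:51 server1.ipa.example.corp krb5kdc[79563](info): closing down fd 11
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) krb5kdc\[\d+\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{[^}]*\}\) (?P<ip>[\d.]+): "
    r"(?P<status>[A-Z_]+): (?P<rest>.*)$")
# ISSUE lines carry "authtime N, etypes {...}, " before the principals; others do not.
REST_RE = re.compile(r"^(?:authtime \d+, etypes \{[^}]*\}, )?"
                     r"(?P<client>\S+) for (?P<server>[^,]+)(?:, (?P<msg>.*))?$")

def parse_kdc_line(line):
    """Parse one AS_REQ/TGS_REQ line; return None for other lines (e.g. 'closing down fd')."""
    m = LINE_RE.match(line)
    r = REST_RE.match(m.group("rest")) if m else None
    if not r:
        return None
    rec = {k: m.group(k) for k in ("ts", "host", "req", "ip", "status")}
    rec.update({k: r.group(k) for k in ("client", "server", "msg")})
    # A trusted-domain user reaches the IPA KDC as an enterprise principal
    # (user\@AD.REALM@IPA.REALM); WELLKNOWN/ANONYMOUS is the anonymous PKINIT
    # identity the IPA web login uses to obtain its FAST armor ticket.
    rec["enterprise"] = "\\@" in rec["client"]
    rec["anonymous"] = rec["client"].startswith("WELLKNOWN/ANONYMOUS@")
    return rec

def triage(text):
    """Per client address: was an armor TGT issued, and which enterprise
    principals were referred to another realm without this KDC issuing a ticket."""
    by_ip = defaultdict(list)
    for line in text.splitlines():
        rec = parse_kdc_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    report = {}
    for ip, recs in by_ip.items():
        referred = {r["client"] for r in recs if r["status"] == "REFERRAL" and r["enterprise"]}
        issued = {r["client"] for r in recs if r["status"] == "ISSUE"}
        report[ip] = {
            "armor_tgt": any(r["anonymous"] and r["status"] == "ISSUE" for r in recs),
            "unresolved_referrals": sorted(referred - issued),
        }
    return report
```

Run it over the real /var/log/krb5kdc.log contents instead of SAMPLE_LOG to see, per client address, whether the web login got past the armor step and which AD principals were handed a referral.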