Hi,

In order to log in to the WebUI using an AD user, refer to the following doc: *Web UI login for Active Directory users* [1]. An idoverride is required for each AD user that wants to connect to the WebUI.

HTH,
flo

[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/accessing_identity_management_services/logging-in-to-ipa-in-the-web-ui-using-a-kerberos-ticket_accessing-idm-services#web-ui-login-for-ad-users-login-web-ui-krb

On Fri, Apr 21, 2023 at 1:20 PM iulian roman via FreeIPA-users <[email protected]> wrote:
> Hello,
>
> I have a FreeIPA setup with AD trust configured. Everything works, except
> the login to the WEB UI with an Active Directory account. The only
> possibility to log in to the WEB UI is via the admin account.
>
> In /var/log/krb5kdc.log I have the following entries after I try to
> connect to the WEB UI:
>
> Apr 21 13:10:50 server1.ipa.example.corp krb5kdc[79563](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.110.10.16: NEEDED_PREAUTH: WELLKNOWN/[email protected] for krbtgt/[email protected], Additional pre-authentication required
> Apr 21 13:10:50 server1.ipa.example.corp krb5kdc[79563](info): closing down fd 11
> Apr 21 13:10:51 server1.ipa.example.corp krb5kdc[79563](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.110.10.16: ISSUE: authtime 1682075451, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, WELLKNOWN/[email protected] for krbtgt/[email protected]
> Apr 21 13:10:51 server1.ipa.example.corp krb5kdc[79563](info): closing down fd 11
> Apr 21 13:10:51 server1.ipa.example.corp krb5kdc[79563](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.110.10.16: REFERRAL: ad_user\@[email protected] for krbtgt/[email protected], Realm not local to KDC
> Apr 21 13:10:51 server1.ipa.example.corp krb5kdc[79563](info): closing down fd 11
> Apr 21 13:10:51 server1.ipa.example.corp krb5kdc[79563](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.110.10.16: ISSUE: authtime 1682075451, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, [email protected] for HTTP/[email protected]
> Apr 21 13:10:51 server1.ipa.example.corp krb5kdc[79563](info): closing down fd 11
> Apr 21 13:10:51 server1.ipa.example.corp krb5kdc[79563](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.110.10.16: ISSUE: authtime 1682075451, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, HTTP/[email protected] for ldap/[email protected]
> Apr 21 13:10:51 server1.ipa.example.corp krb5kdc[79563](info): ... CONSTRAINED-DELEGATION [email protected]
> Apr 21 13:10:51 server1.ipa.example.corp krb5kdc[79563](info): closing down fd 11
>
> In /var/log/httpd/error_log:
>
> [Fri Apr 21 13:10:51.486185 2023] [wsgi:error] [pid 83736:tid 139830049466112] [remote 10.30.93.93:55487] ipa: DEBUG: http://server1.ipa.example.corp:80 "GET /ipa/session/cookie HTTP/1.1" 301 264
> [Fri Apr 21 13:10:51.489030 2023] [wsgi:error] [pid 83736:tid 139830049466112] [remote 10.30.93.93:55487] ipa: DEBUG: Starting new HTTPS connection (1): server1.ipa.example.corp:443
> [Fri Apr 21 13:10:51.502719 2023] [wsgi:error] [pid 83736:tid 139830049466112] [remote 10.30.93.93:55487] ipa: DEBUG: https://server1.ipa.example.corp:443 "GET /ipa/session/cookie HTTP/1.1" 200 0
> [Fri Apr 21 13:10:51.520267 2023] [wsgi:error] [pid 83735:tid 139830049466112] [remote 10.30.93.93:55487] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
> [Fri Apr 21 13:10:51.520383 2023] [wsgi:error] [pid 83735:tid 139830049466112] [remote 10.30.93.93:55487] ipa: DEBUG: WSGI jsonserver_session.__call__:
> [Fri Apr 21 13:10:51.543781 2023] [wsgi:error] [pid 83735:tid 139830049466112] [remote 10.30.93.93:55487] ipa: INFO: 401 Unauthorized: Insufficient access: Invalid credentials
> [Fri Apr 21 13:10:51.549458 2023] [:warn] [pid 84016:tid 139829933188864] [client 10.30.93.93:55487] failed to set perms (3140) on file (/run/ipa/ccaches/[email protected])!, referer: https://server1.ipa.example.corp/ipa/ui/
> [Fri Apr 21 13:10:51.550056 2023] [wsgi:error] [pid 83738:tid 139830049466112] [remote 10.30.93.93:55487] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
> [Fri Apr 21 13:10:51.550114 2023] [wsgi:error] [pid 83738:tid 139830049466112] [remote 10.30.93.93:55487] ipa: DEBUG: WSGI KerberosLogin.__call__:
> [Fri Apr 21 13:10:51.557831 2023] [wsgi:error] [pid 83738:tid 139830049466112] [remote 10.30.93.93:55487] ipa: INFO: 401 Unauthorized: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (108962060): Credential cache is empty
>
> From the WEB UI I try to connect with the ad_user account with and without
> appending the AD domain (EXAMPLE.CORP).
>
> The error message I get on the UI is: Your session has expired. Please
> log in again.
>
> Does anyone have any suggestion or idea how it can be fixed?
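As an added example (not part of flo's reply or of the FreeIPA project), a small POSIX shell script that applies the fix flo points to: it looks up the ID override for an AD trust user in the built-in "Default Trust View" and creates it only if it is missing. It assumes the `ipa` client is installed and an admin ticket is present (`kinit admin`), and that the anchor is written as `user@ad.dns.domain` in lower case (the lower-casing is an assumption).

```shell
#!/bin/sh
# Added example: make sure an AD trust user has the ID override that the
# FreeIPA Web UI login needs. Not from the thread or the FreeIPA project.
# Assumes: ipa client installed, valid admin ticket, anchors lower-cased
# (assumption; SSSD reports AD user names in lower case).
set -eu

ID_VIEW="Default Trust View"   # built-in view FreeIPA consults for trusted users

# Build the override anchor "user@ad.domain" either from "user@AD.DOMAIN" or
# from a bare user name plus a default AD DNS domain. Fails if no domain
# is known, so a bare "ad_user" is never sent to the server by mistake.
anchor_for() {
  input="$1"; default_domain="${2:-}"
  case "$input" in
    *@*) user="${input%%@*}"; dom="${input#*@}" ;;
    *)   user="$input";       dom="$default_domain" ;;
  esac
  if [ -z "$user" ] || [ -z "$dom" ]; then
    echo "anchor_for: need user and AD domain, got '$input'" >&2
    return 1
  fi
  printf '%s@%s\n' "$user" "$dom" | tr '[:upper:]' '[:lower:]'
}

# Create the override only when it does not already exist (idempotent),
# so re-running the script for an onboarded user is harmless.
ensure_override() {
  anchor="$(anchor_for "$1" "${2:-}")"
  if ipa idoverrideuser-show "$ID_VIEW" "$anchor" >/dev/null 2>&1; then
    echo "override for $anchor already present in '$ID_VIEW'"
  else
    ipa idoverrideuser-add "$ID_VIEW" "$anchor"
  fi
}

# Usage: kinit admin && ./ensure_ad_webui_login.sh ad_user EXAMPLE.CORP
if [ $# -gt 0 ]; then
  ensure_override "$@"
fi
```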
