Hello, looking for some help.
We've recently noted that the majority of our web UIs have started to fail to
log in. I have at least 1 that's still allowing logins at present.
When attempting to log in, we get a 401 unauthorised in the networking tab for
the login POST request, and a banner appears: "Your session has expired. Please
log in again."
In the Kerberos logs I see the following:
Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1861](info): AS_REQ (6 etypes
{aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.13.3.111:
NEEDED_PREAUTH:
WELLKNOWN/[email protected]
for
krbtgt/[email protected],
Additional pre-authentication required
Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1861](info): closing down fd 12
Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1862](info): AS_REQ (6 etypes
{aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.13.3.111: ISSUE:
authtime 1707232119, etypes {rep=aes256-cts-hmac-sha384-192(20),
tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)},
WELLKNOWN/[email protected]
for
krbtgt/[email protected]
Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1862](info): closing down fd 12
Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1862](info): AS_REQ (6 etypes
{aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.13.3.111:
NEEDED_PREAUTH: [email protected] for
krbtgt/[email protected],
Additional pre-authentication required
Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1862](info): closing down fd 12
Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1862](info): AS_REQ (6 etypes
{aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.13.3.111: ISSUE:
authtime 1707232119, etypes {rep=aes256-cts-hmac-sha1-96(18),
tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)},
[email protected] for
krbtgt/[email protected]
Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1862](info): closing down fd 12
Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1861](info): TGS_REQ (6 etypes
{aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.13.3.111: ISSUE:
authtime 1707232119, etypes {rep=aes256-cts-hmac-sha1-96(18),
tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)},
[email protected] for
HTTP/[email protected]
Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1861](info): closing down fd 12
Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1862](info): TGS_REQ (6 etypes
{aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.13.3.111:
S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 1707232119, etypes
{rep=UNSUPPORTED:(0)}
HTTP/[email protected]
for
ldap/[email protected],
KDC policy rejects request
Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1862](info): ...
CONSTRAINED-DELEGATION s4u-client=<unknown>
Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1862](info): closing down fd 12
Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1862](info): TGS_REQ (6 etypes
{aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.13.3.111:
S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 1707232119, etypes
{rep=UNSUPPORTED:(0)}
HTTP/[email protected]
for
ldap/[email protected],
KDC policy rejects request
Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1862](info): ...
CONSTRAINED-DELEGATION s4u-client=<unknown>
Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1862](info): closing down fd 12
We are not having issues with other parts of the authing system as we are still
able to ssh into servers, use sudo over shared auth etc. And we can verify the
issue isn't config on the cluster side. These hosts are updated regularly in a
round robin. One host that is allowing web-ui access was updated and restarted
last night, so I don't believe it's a package / code level issue either.
Any help or pointers would be greatly appreciated.
Regards,
Marc.
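
A triage sketch for logs like the ones quoted above, added here as an example and not part of the original post or of FreeIPA: it re-joins the mail-wrapped krb5kdc entries and counts every outcome other than ISSUE and NEEDED_PREAUTH per requesting principal and target service. The sample entries, host names, realm, user and address are constructed placeholders, and treating NEEDED_PREAUTH as routine is a choice made by the example.

```python
import re
from collections import Counter

# Constructed sample in the krb5kdc format quoted above, hard-wrapped the same
# way. Host, realm, user and address are placeholders, not values from the post.
SAMPLE = """\
Feb 06 15:08:39 kdc.example.test krb5kdc[1861](info): AS_REQ (2 etypes
{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 192.0.2.10:
NEEDED_PREAUTH: alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST,
Additional pre-authentication required
Feb 06 15:08:39 kdc.example.test krb5kdc[1861](info): TGS_REQ (2 etypes
{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 192.0.2.10: ISSUE:
authtime 1707232119, etypes {rep=aes256-cts-hmac-sha1-96(18),
tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)},
alice@EXAMPLE.TEST for HTTP/ipa.example.test@EXAMPLE.TEST
Feb 06 15:08:39 kdc.example.test krb5kdc[1862](info): TGS_REQ (2 etypes
{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 192.0.2.10:
S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 1707232119, etypes
{rep=UNSUPPORTED:(0)} HTTP/ipa.example.test@EXAMPLE.TEST for
ldap/ipa.example.test@EXAMPLE.TEST, KDC policy rejects request
Feb 06 15:08:39 kdc.example.test krb5kdc[1862](info): ...
CONSTRAINED-DELEGATION s4u-client=<unknown>
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} ")
ENTRY = re.compile(
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{.*?\}\) (?P<src>\S+): "
    r"(?P<status>[A-Z0-9_]+):.*?(?P<client>[^\s,]+@[^\s,]+) for "
    r"(?P<service>[^\s,]+@[^\s,]+)(?:, (?P<reason>.*))?$")
ROUTINE = {"ISSUE", "NEEDED_PREAUTH"}  # ticket issued / pre-auth prompt (assumed routine)

def parse(text):
    """Re-join wrapped entries, then return one dict per AS_REQ/TGS_REQ."""
    entries = []
    for line in text.splitlines():
        if STAMP.match(line) or not entries:
            entries.append(line.strip())      # a syslog timestamp starts a new entry
        else:
            entries[-1] += " " + line.strip()  # continuation of a wrapped entry
    return [m.groupdict() for m in map(ENTRY.search, entries) if m]

def rejections(text):
    """Count non-routine outcomes per (status, requester, target service)."""
    return Counter((r["status"], r["client"], r["service"])
                   for r in parse(text) if r["status"] not in ROUTINE)

if __name__ == "__main__":
    for key, n in rejections(SAMPLE).items():
        print(n, *key)
```

Entries that are not AS_REQ or TGS_REQ records, such as the `... CONSTRAINED-DELEGATION` continuation, are skipped rather than counted.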