Marc Pearson | i-Neda Ltd via FreeIPA-users wrote:
> Hello, looking for some help.
> 
> We’ve recently noted that the majority of our web UIs have started to
> fail to log in. I have at least 1 that’s still allowing logins at present.
> 
> When attempting to login, we get a 401 unauthorised in the networking
> tab for the login POST request, and a banner appears: “Your session has
> expired. Please log in again.”
> 
> In the Kerberos logs I see the following:
> 
> Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1861](info): AS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.13.3.111: NEEDED_PREAUTH: WELLKNOWN/[email protected] for krbtgt/[email protected], Additional pre-authentication required
> 
> Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1861](info): closing down fd 12
> 
> Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1862](info): AS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.13.3.111: ISSUE: authtime 1707232119, etypes {rep=aes256-cts-hmac-sha384-192(20), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, WELLKNOWN/[email protected] for krbtgt/[email protected]
> 
> Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1862](info): closing down fd 12
> 
> Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1862](info): AS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.13.3.111: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
> 
> Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1862](info): closing down fd 12
> 
> Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1862](info): AS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.13.3.111: ISSUE: authtime 1707232119, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, [email protected] for krbtgt/[email protected]
> 
> Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1862](info): closing down fd 12
> 
> Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1861](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.13.3.111: ISSUE: authtime 1707232119, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, [email protected] for HTTP/[email protected]
> 
> Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1861](info): closing down fd 12
> 
> Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1862](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.13.3.111: S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 1707232119, etypes {rep=UNSUPPORTED:(0)} HTTP/[email protected] for ldap/[email protected], KDC policy rejects request
> 
> Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1862](info): ... CONSTRAINED-DELEGATION s4u-client=<unknown>
> 
> Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1862](info): closing down fd 12
> 
> Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1862](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.13.3.111: S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 1707232119, etypes {rep=UNSUPPORTED:(0)} HTTP/[email protected] for ldap/[email protected], KDC policy rejects request
> 
> Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1862](info): ... CONSTRAINED-DELEGATION s4u-client=<unknown>
> 
> Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1862](info): closing down fd 12
> 
> We are not having issues with other parts of the auth system as we are
> still able to ssh into servers, use sudo over shared auth etc. And we
> can verify the issue isn’t config on the cluster side. These hosts are
> updated regularly in a round robin. One host that is allowing web UI
> access was updated and restarted last night, so I don’t believe it’s a
> package / code level issue either.
> 
> Any help or pointers would be greatly appreciated.

Please check this list's archives. IPA now requires a PAC. This means
every user needs a SID. It is likely yours is missing it.

rob

> 
> Regards,
> 
> Marc.
> 
> 
> --
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it: 
> https://pagure.io/fedora-infrastructure/new_issue
> 
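Added example, not part of the thread and not FreeIPA's own tooling: a small triage script that does the two checks Rob's diagnosis implies. It parses `krb5kdc.log` lines of the shape quoted above, pulls out each `S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC` rejection, and attributes it to the user whose most recent `HTTP/` service ticket was issued to the same client IP (the failure line itself only says `s4u-client=<unknown>`, so this attribution is a heuristic, stated as such in the code). It then lists which of a set of user entries lack the `ipantsecurityidentifier` attribute, which is where FreeIPA stores a user's SID. The log lines, hostnames, IPs and user entries are constructed placeholders modelled on the quoted output, not real data.

```python
"""Triage helper for the S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC pattern seen in
krb5kdc.log when a FreeIPA user has no SID (hypothetical example script)."""
import re

# Common prefix of a krb5kdc TGS_REQ line: timestamp, KDC host, pid, client IP.
_HEAD = (r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ krb5kdc\[\d+\]\(info\): "
         r"TGS_REQ .*? (?P<ip>[\d.]+): ")
# A successfully issued service ticket: "..., <client> for <server>".
ISSUE_RE = re.compile(_HEAD + r"ISSUE: .*?\}, (?P<client>\S+) for (?P<server>\S+)$")
# The rejected S4U2Proxy step: the web front end (HTTP/...) tried to act on the
# user's behalf towards ldap/..., but the evidence ticket carried no PAC.
FAIL_RE = re.compile(_HEAD + r"S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: .*?\} "
                     r"(?P<proxy>\S+) for (?P<target>[^,]+), KDC policy rejects request$")

# Constructed sample log, modelled on the lines quoted in the thread.
# alice (10.0.0.11) hits the rejection; bob (10.0.0.12) gets through.
SAMPLE_KDC_LOG = """\
Feb 06 15:08:39 ipa01.example.test krb5kdc[1862](info): TGS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.0.0.11: ISSUE: authtime 1707232119, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, alice@EXAMPLE.TEST for HTTP/ipa01.example.test@EXAMPLE.TEST
Feb 06 15:08:39 ipa01.example.test krb5kdc[1862](info): TGS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.0.0.11: S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 1707232119, etypes {rep=UNSUPPORTED:(0)} HTTP/ipa01.example.test@EXAMPLE.TEST for ldap/ipa01.example.test@EXAMPLE.TEST, KDC policy rejects request
Feb 06 15:08:39 ipa01.example.test krb5kdc[1862](info): ... CONSTRAINED-DELEGATION s4u-client=<unknown>
Feb 06 15:09:02 ipa01.example.test krb5kdc[1862](info): TGS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.0.0.12: ISSUE: authtime 1707232142, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, bob@EXAMPLE.TEST for HTTP/ipa01.example.test@EXAMPLE.TEST
Feb 06 15:09:02 ipa01.example.test krb5kdc[1862](info): TGS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.0.0.12: ISSUE: authtime 1707232142, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, HTTP/ipa01.example.test@EXAMPLE.TEST for ldap/ipa01.example.test@EXAMPLE.TEST
"""

# Constructed user entries, shaped like `ipa user-show <uid> --all --raw` output.
# alice has no ipantsecurityidentifier, so the KDC cannot build a PAC for her.
SAMPLE_USERS = {
    "alice": {"uid": "alice", "krbprincipalname": "alice@EXAMPLE.TEST"},
    "bob": {"uid": "bob", "krbprincipalname": "bob@EXAMPLE.TEST",
            "ipantsecurityidentifier": "S-1-5-21-1111111111-2222222222-3333333333-1002"},
}


def correlate_pac_failures(log_text):
    """Return one finding per WITHOUT_PAC rejection, attributed to the user
    whose latest HTTP/ service ticket came from the same client IP.
    The KDC only logs s4u-client=<unknown>, so this is a heuristic."""
    last_http_user = {}   # client IP -> user principal of the latest HTTP/ ISSUE
    findings = []
    for line in log_text.splitlines():
        m = ISSUE_RE.match(line)
        if m:
            # user principals carry no '/', service principals do
            if m["server"].startswith("HTTP/") and "/" not in m["client"]:
                last_http_user[m["ip"]] = m["client"]
            continue
        m = FAIL_RE.match(line)
        if m:
            findings.append({
                "time": m["ts"], "ip": m["ip"], "proxy": m["proxy"],
                "target": m["target"],
                "suspected_user": last_http_user.get(m["ip"], "<unknown>"),
            })
    return findings


def users_missing_sid(entries):
    """entries: {uid: {attribute: value}}. A user without
    ipantsecurityidentifier has no SID and therefore gets no PAC."""
    return sorted(uid for uid, attrs in entries.items()
                  if not attrs.get("ipantsecurityidentifier"))


if __name__ == "__main__":
    missing = set(users_missing_sid(SAMPLE_USERS))
    for f in correlate_pac_failures(SAMPLE_KDC_LOG):
        uid = f["suspected_user"].split("@")[0]
        verdict = "no SID in LDAP" if uid in missing else "SID present, look elsewhere"
        print(f"{f['time']} {f['ip']} {f['proxy']} -> {f['target']}: "
              f"suspected user {f['suspected_user']} ({verdict})")
```

On a real server the user entries would come from `ipa user-show <uid> --all --raw` (or `ipa user-find --all --raw`), and the fix for entries that lack the attribute is FreeIPA's `ipa config-mod --enable-sid --add-sids`, which generates SIDs for existing users and groups; both commands are FreeIPA's own, not something this script runs.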