Hello all, 

I have a problem with logging in to the web interface (username/pw) of one of 
my IPA servers, ipa2. 

The installation is CA-less, without pkinit, and consists of master servers 
ipa1 and ipa2.

Ipa1 works fine at this time, ipa2 fails with "Login failed due to an unknown 
reason." in the web ui.

In the httpd error log:

calledProcessError: Command '/usr/bin/kinit -n -c 
/var/run/ipa/ccaches/armor_11164 -X 
X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X 
X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned non-zero 
exit status 1

If I try to run 
/kinit -n - -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X 
X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem

for testing on ipa2, it asks me for a password (which I don't know).

Doing the same on ipa1 will not ask for a password, but simply adds the 
WELLKNOWN/ANONYMOUS principal to the keyring:

[root@charon run]# LANG=C klist -a
Ticket cache: KEYRING:persistent:0:krb_ccache_vscxoCZ
Default principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS

Valid starting       Expires              Service principal
22.07.2024 17:21:34  23.07.2024 17:21:34  krbtgt/[email protected]
        Addresses: (none)

So I guess this might be part of the problem. 

Note that "kinit <user>" with a password I know works fine on ipa2.

What can I do to fix this?

I should say I had the same problem 2 years ago or so, but with reversed roles 
(ipa1 not allowing login, ipa2 working fine). 

According to my notes from back then, a "systemctl restart sssd" fixed it that 
time. Unfortunately this does not seem to help this time.

Many thanks for any ideas,

Thomas Boroske