Hi, On Mon, Jan 20, 2025 at 3:44 PM Frederic Ayrault via FreeIPA-users < [email protected]> wrote:
> Bonjour, > > When I try the command 'ipa ping', I get on the console the error with > --debug (I am also unable to login in the gui) > > ipa: DEBUG: failed to find session_cookie in persistent storage for > principal '[email protected]' > ipa: INFO: trying https://ipa4.lix.polytechnique.fr/ipa/json > ipa: DEBUG: Created connection context.rpcclient_140138341763920 > ipa: INFO: [try 1]: Forwarding 'schema' to json server ' > https://ipa4.lix.polytechnique.fr/ipa/json' > ipa: DEBUG: New HTTP connection (ipa4.lix.polytechnique.fr) > ipa: DEBUG: HTTP connection destroyed (ipa4.lix.polytechnique.fr) > Traceback (most recent call last): > File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 726, in > single_request > if not self._auth_complete(response): > File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 679, in > _auth_complete > message=u"No valid Negotiate header in server response") > KerberosError: No valid Negotiate header in server response > ipa: DEBUG: Destroyed connection context.rpcclient_140138341763920 > ipa: ERROR: No valid Negotiate header in server response > > > and in the logs > > ==> /var/log/krb5kdc.log <== > Jan 20 15:20:08 ipa4.lix.polytechnique.fr krb5kdc[1848](info): AS_REQ (8 > etypes {18 17 16 23 20 19 25 26}) 193.55.176.152: NEEDED_PREAUTH: > HTTP/[email protected] for > krbtgt/[email protected], Additional > pre-authentication required > Jan 20 15:20:08 ipa4.lix.polytechnique.fr krb5kdc[1848](info): closing > down fd 11 > Jan 20 15:20:08 ipa4.lix.polytechnique.fr krb5kdc[1851](info): preauth > (encrypted_timestamp) verify failure: Preauthentication failed > Jan 20 15:20:08 ipa4.lix.polytechnique.fr krb5kdc[1851](info): AS_REQ (8 > etypes {18 17 16 23 20 19 25 26}) 193.55.176.152: PREAUTH_FAILED: > HTTP/[email protected] for > krbtgt/[email protected], Preauthentication failed > Jan 20 15:20:08 ipa4.lix.polytechnique.fr krb5kdc[1851](info): closing > down fd 11 > Jan 20 15:20:08 ipa4.lix.polytechnique.fr krb5kdc[1847](info): AS_REQ (8 > etypes {18 17 16 23 20 19 25 26}) 193.55.176.152: NEEDED_PREAUTH: > HTTP/[email protected] for > krbtgt/[email protected], Additional > pre-authentication required > Jan 20 15:20:08 ipa4.lix.polytechnique.fr krb5kdc[1847](info): closing > down fd 11 > Jan 20 15:20:08 ipa4.lix.polytechnique.fr krb5kdc[1851](info): preauth > (encrypted_timestamp) verify failure: Preauthentication failed > Jan 20 15:20:08 ipa4.lix.polytechnique.fr krb5kdc[1851](info): AS_REQ (8 > etypes {18 17 16 23 20 19 25 26}) 193.55.176.152: PREAUTH_FAILED: > HTTP/[email protected] for > krbtgt/[email protected], Preauthentication failed > Jan 20 15:20:08 ipa4.lix.polytechnique.fr krb5kdc[1851](info): closing > down fd 11 > > ==> /var/log/httpd/error_log <== > [Mon Jan 20 15:20:08.754030 2025] [auth_gssapi:error] [pid 6735] [client > 193.55.176.152:51668] GSS ERROR gss_acquire_cred[_from]() failed to get > server creds: [Unspecified GSS failure. Minor code may provide more > information ( SPNEGO cannot find mechanisms to negotiate)], referer: > https://ipa4.lix.polytechnique.fr/ipa/xml > > > I am running 4.6.8-5 on CentOS in a CA less. I tried 'getcert resubmit -i' > according to what I found here > CA-less => did you install the server with a PKINIT certificate (with --pkinit-cert-file) or with --no-pkinit? You can also check if gssproxy service is up and running and follow the troubleshooting steps from https://www.freeipa.org/page/Troubleshooting/PrivilegeSeparation flo https://lists.fedorahosted.org/archives/list/[email protected]/thread/563G4GA6FVZNRQVBB2YHNVQSIPO73HET/ > , Unfortunately without success > > Thank you for your help > > Regards, > > Frédéric AYRAULT > Administrateur Systèmes et Réseaux > Laboratoire d'Informatique de l'Ecole polytechnique > <http://www.lix.polytechnique.fr> > [email protected] > > -- > _______________________________________________ > FreeIPA-users mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/[email protected] > Do not reply to spam, report it: > https://pagure.io/fedora-infrastructure/new_issue >
-- _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
