Hello, I'm having an issue with the web UI: it is returning a "Kerberos ticket is no longer valid" message even though I have a valid ticket:

$ ssh sysadm@panoramix 'klist'
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: [email protected]

Valid starting     Expires            Service principal
08/24/12 10:42:57  08/25/12 10:42:53  krbtgt/[email protected]
08/24/12 10:43:19  08/25/12 10:42:53  HTTP/[email protected]

Following the advice in:
https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Troubleshooting-UI.html

I have obtained this log:

$ ssh -X sysadm@panoramix 'export NSPR_LOG_MODULES=negotiateauth:5; export NSPR_LOG_FILE=/tmp/moz.log; firefox'
973989664[7f8b38e5b040]: using REQ_DELEGATE
973989664[7f8b38e5b040]: service = panoramix.domain.com
973989664[7f8b38e5b040]: using negotiate-gss
973989664[7f8b38e5b040]: entering nsAuthGSSAPI::nsAuthGSSAPI()
973989664[7f8b38e5b040]: entering nsAuthGSSAPI::Init()
973989664[7f8b38e5b040]: nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate]
973989664[7f8b38e5b040]: entering nsAuthGSSAPI::GetNextToken()
973989664[7f8b38e5b040]: leaving nsAuthGSSAPI::GetNextToken [rv=0]
973989664[7f8b38e5b040]: Sending a token of length 1375
973989664[7f8b38e5b040]: nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate oRQwEqADCgEAoQsGCSqGSIb3EgECAg==]
973989664[7f8b38e5b040]: entering nsAuthGSSAPI::GetNextToken()
973989664[7f8b38e5b040]: leaving nsAuthGSSAPI::GetNextToken [rv=4b0028]
973989664[7f8b38e5b040]: No output token to send, exiting
973989664[7f8b38e5b040]: using REQ_DELEGATE
973989664[7f8b38e5b040]: service = panoramix.domain.com
973989664[7f8b38e5b040]: using negotiate-gss
973989664[7f8b38e5b040]: entering nsAuthGSSAPI::nsAuthGSSAPI()
973989664[7f8b38e5b040]: entering nsAuthGSSAPI::Init()
973989664[7f8b38e5b040]: nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate]
973989664[7f8b38e5b040]: entering nsAuthGSSAPI::GetNextToken()
973989664[7f8b38e5b040]: leaving nsAuthGSSAPI::GetNextToken [rv=0]
973989664[7f8b38e5b040]: Sending a token of length 1375
973989664[7f8b38e5b040]: using REQ_DELEGATE
973989664[7f8b38e5b040]: service = panoramix.domain.com
973989664[7f8b38e5b040]: using negotiate-gss
973989664[7f8b38e5b040]: entering nsAuthGSSAPI::nsAuthGSSAPI()
973989664[7f8b38e5b040]: entering nsAuthGSSAPI::Init()
973989664[7f8b38e5b040]: nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate]
973989664[7f8b38e5b040]: entering nsAuthGSSAPI::GetNextToken()
973989664[7f8b38e5b040]: leaving nsAuthGSSAPI::GetNextToken [rv=0]
973989664[7f8b38e5b040]: Sending a token of length 1375
973989664[7f8b38e5b040]: nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate oRQwEqADCgEAoQsGCSqGSIb3EgECAg==]
973989664[7f8b38e5b040]: entering nsAuthGSSAPI::GetNextToken()
973989664[7f8b38e5b040]: leaving nsAuthGSSAPI::GetNextToken [rv=4b0028]
973989664[7f8b38e5b040]: No output token to send, exiting

Relevant portions of apache's access and error logs with LogLevel Debug are:

172.22.249.66 - - [24/Aug/2012:11:43:52 +0200] "POST /ipa/session/json HTTP/1.1" 401 1856 "https://panoramix.domain.com/ipa/ui/" "Mozilla/5.0 (X11; Linux x86_64; rv:10.0.6) Gecko/20120717 Firefox/10.0.6"
172.22.249.66 - [email protected] [24/Aug/2012:11:43:52 +0200] "POST /ipa/session/json HTTP/1.1" 401 - "https://panoramix.domain.com/ipa/ui/" "Mozilla/5.0 (X11; Linux x86_64; rv:10.0.6) Gecko/20120717 Firefox/10.0.6"
172.22.249.66 - - [24/Aug/2012:11:43:52 +0200] "GET /ipa/session/login_kerberos HTTP/1.1" 401 1856 "https://panoramix.domain.com/ipa/ui/" "Mozilla/5.0 (X11; Linux x86_64; rv:10.0.6) Gecko/20120717 Firefox/10.0.6"
172.22.249.66 - [email protected] [24/Aug/2012:11:43:52 +0200] "GET /ipa/session/login_kerberos HTTP/1.1" 200 - "https://panoramix.domain.com/ipa/ui/" "Mozilla/5.0 (X11; Linux x86_64; rv:10.0.6) Gecko/20120717 Firefox/10.0.6"
172.22.249.66 - - [24/Aug/2012:11:43:52 +0200] "POST /ipa/session/json HTTP/1.1" 401 1856 "https://panoramix.domain.com/ipa/ui/" "Mozilla/5.0 (X11; Linux x86_64; rv:10.0.6) Gecko/20120717 Firefox/10.0.6"
172.22.249.66 - [email protected] [24/Aug/2012:11:43:52 +0200] "POST /ipa/session/json HTTP/1.1" 401 - "https://panoramix.domain.com/ipa/ui/" "Mozilla/5.0 (X11; Linux x86_64; rv:10.0.6) Gecko/20120717 Firefox/10.0.6"

[Fri Aug 24 11:43:52 2012] [error] [client 172.22.249.66] File does not exist: /var/www/htdocs/panoramix.domain.com/ca
[Fri Aug 24 11:43:52 2012] [info] Initial (No.1) HTTPS request received for child 194 (server panoramix.domain.com:443)
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1939): [client 172.22.249.66] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://panoramix.domain.com/ipa/ui/
[Fri Aug 24 11:43:52 2012] [info] Connection to child 194 closed (server panoramix.domain.com:443, client 172.22.249.66)
[Fri Aug 24 11:43:52 2012] [info] Connection to child 196 established (server panoramix.domain.com:443, client 172.22.249.66)
[Fri Aug 24 11:43:52 2012] [info] Initial (No.1) HTTPS request received for child 196 (server panoramix.domain.com:443)
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1939): [client 172.22.249.66] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://panoramix.domain.com/ipa/ui/
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1278): [client 172.22.249.66] Acquiring creds for [email protected], referer: https://panoramix.domain.com/ipa/ui/
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1691): [client 172.22.249.66] Verifying client data using KRB5 GSS-API , referer: https://panoramix.domain.com/ipa/ui/
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1707): [client 172.22.249.66] Client delegated us their credential, referer: https://panoramix.domain.com/ipa/ui/
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1726): [client 172.22.249.66] GSS-API token of length 22 bytes will be sent back, referer: https://panoramix.domain.com/ipa/ui/
[Fri Aug 24 11:43:52 2012] [info] Connection to child 196 closed (server panoramix.domain.com:443, client 172.22.249.66)
[Fri Aug 24 11:43:52 2012] [info] Connection to child 197 established (server panoramix.domain.com:443, client 172.22.249.66)
[Fri Aug 24 11:43:52 2012] [info] Initial (No.1) HTTPS request received for child 197 (server panoramix.domain.com:443)
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1939): [client 172.22.249.66] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://panoramix.domain.com/ipa/ui/
[Fri Aug 24 11:43:52 2012] [info] Connection to child 197 closed (server panoramix.domain.com:443, client 172.22.249.66)
[Fri Aug 24 11:43:52 2012] [info] Connection to child 198 established (server panoramix.domain.com:443, client 172.22.249.66)
[Fri Aug 24 11:43:52 2012] [info] Initial (No.1) HTTPS request received for child 198 (server panoramix.domain.com:443)
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1939): [client 172.22.249.66] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://panoramix.domain.com/ipa/ui/
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1278): [client 172.22.249.66] Acquiring creds for [email protected], referer: https://panoramix.domain.com/ipa/ui/
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1691): [client 172.22.249.66] Verifying client data using KRB5 GSS-API , referer: https://panoramix.domain.com/ipa/ui/
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1707): [client 172.22.249.66] Client delegated us their credential, referer: https://panoramix.domain.com/ipa/ui/
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1726): [client 172.22.249.66] GSS-API token of length 22 bytes will be sent back, referer: https://panoramix.domain.com/ipa/ui/
[Fri Aug 24 11:43:52 2012] [info] Connection to child 198 closed (server panoramix.domain.com:443, client 172.22.249.66)
[Fri Aug 24 11:43:52 2012] [info] Connection to child 199 established (server panoramix.domain.com:443, client 172.22.249.66)
[Fri Aug 24 11:43:52 2012] [info] Initial (No.1) HTTPS request received for child 199 (server panoramix.domain.com:443)
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1939): [client 172.22.249.66] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://panoramix.domain.com/ipa/ui/
[Fri Aug 24 11:43:52 2012] [info] Connection to child 199 closed (server panoramix.domain.com:443, client 172.22.249.66)
[Fri Aug 24 11:43:52 2012] [info] Connection to child 200 established (server panoramix.domain.com:443, client 172.22.249.66)
[Fri Aug 24 11:43:52 2012] [info] Initial (No.1) HTTPS request received for child 200 (server panoramix.domain.com:443)
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1939): [client 172.22.249.66] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://panoramix.domain.com/ipa/ui/
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1278): [client 172.22.249.66] Acquiring creds for [email protected], referer: https://panoramix.domain.com/ipa/ui/
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1691): [client 172.22.249.66] Verifying client data using KRB5 GSS-API , referer: https://panoramix.domain.com/ipa/ui/
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1707): [client 172.22.249.66] Client delegated us their credential, referer: https://panoramix.domain.com/ipa/ui/
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1726): [client 172.22.249.66] GSS-API token of length 22 bytes will be sent back, referer: https://panoramix.domain.com/ipa/ui/
[Fri Aug 24 11:43:52 2012] [info] Connection to child 200 closed (server panoramix.domain.com:443, client 172.22.249.66)

# lsb_release -a
LSB Version:    :core-4.0-amd64:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-noarch
Distributor ID: CentOS
Description:    CentOS release 6.3 (Final)
Release:        6.3
Codename:       Final

# rpm -qa | egrep '(ipa-|sssd)'
ipa-pki-common-theme-9.0.3-7.el6.noarch
sssd-client-1.8.0-32.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-admintools-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64
ipa-python-2.2.0-16.el6.x86_64
sssd-1.8.0-32.el6.x86_64
ipa-server-selinux-2.2.0-16.el6.x86_64

Thanks in advance.

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
