On 03/05/2015 04:15 PM, Dan Mossor wrote:
Good day, folks.

This time it is something different, yet the same. I have re-deployed my IPA installation due to some underlying issues with the host of the virtual machine. Even with the new installation, I cannot authenticate through the web UI.

So far, there is exactly one client in the domain (my workstation), and exactly one user - admin. I am not comfortable with the command line tools, and I have others below my position that require a GUI for management purposes, so I have to make this work to proceed any further.

Following up with the information Martin asked for in my previous thread, let me walk you through the process:

I attempted to log in to https://vader.rez.lcl/, and received the error "Your session has expired. Please re-login." At this point, I clicked the link to configure Firefox. On the command line, I obtained a Kerberos ticket for admin (note - I am root on this workstation for the time being):

[root@dmfedora ~]# kinit admin
Password for ad...@rez.lcl:
[root@dmfedora ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: ad...@rez.lcl

Valid starting       Expires              Service principal
03/05/2015 14:46:22  03/06/2015 14:46:15 krbtgt/rez....@rez.lcl

I then finished the Firefox configuration, and attempted to log in again. I still received the error. The Firefox console shows:

POST https://vader.rez.lcl/ipa/session/login_password [HTTP/1.1 200 Success 756ms]
POST https://vader.rez.lcl/ipa/session/json [HTTP/1.1 401 Unauthorized 3ms]
GET https://vader.rez.lcl/ipa/session/login_kerberos [HTTP/1.1 401 Unauthorized 2ms]
GET https://vader.rez.lcl/ipa/session/login_kerberos [HTTP/1.1 200 Success 26ms]
POST https://vader.rez.lcl/ipa/session/json [HTTP/1.1 401 Unauthorized 4ms]

/var/log/krb5kdc.log during the process:
Mar 05 21:06:30 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: NEEDED_PREAUTH: HTTP/vader.rez....@rez.lcl for krbtgt/rez....@rez.lcl, Additional pre-authentication required
Mar 05 21:06:30 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: ISSUE: authtime 1425589590, etypes {rep=18 tkt=18 ses=18}, HTTP/vader.rez....@rez.lcl for krbtgt/rez....@rez.lcl
Mar 05 21:06:30 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: NEEDED_PREAUTH: ad...@rez.lcl for krbtgt/rez....@rez.lcl, Additional pre-authentication required
Mar 05 21:06:30 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: ISSUE: authtime 1425589590, etypes {rep=18 tkt=18 ses=18}, ad...@rez.lcl for krbtgt/rez....@rez.lcl

/var/log/httpd/access_log shows the same thing as the Firefox console:
10.1.1.15 - - [05/Mar/2015:21:06:30 +0000] "POST /ipa/session/login_password HTTP/1.1" 200 25
10.1.1.15 - - [05/Mar/2015:21:06:31 +0000] "POST /ipa/session/json HTTP/1.1" 401 -
10.1.1.15 - - [05/Mar/2015:21:06:31 +0000] "GET /ipa/session/login_kerberos?_=1425587158134 HTTP/1.1" 401 1469
10.1.1.15 - ad...@rez.lcl [05/Mar/2015:21:06:31 +0000] "GET /ipa/session/login_kerberos?_=1425587158134 HTTP/1.1" 200 20
10.1.1.15 - - [05/Mar/2015:21:06:31 +0000] "POST /ipa/session/json HTTP/1.1" 401 -

Nothing is entered into any error logs, the audit log, or the system journal. I am at my wits' end here, and lost. What other information do you need to help me solve this problem?

Thank you,
Dan Mossor

--
Dan Mossor, RHCSA
Systems Engineer at Large
Fedora Plasma Product WG | Fedora QA Team | Fedora Server WG
Fedora Infrastructure Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA


Can you authenticate using UI from the server host?
It seems that the Kerberos authentication goes through but then it is lost.
So here are some wild ideas:
- Is the browser properly configured? Maybe there is something with the browser that is not working? Have you cleaned the old IPA CA cert? It might not be related, but I have seen issues in the past with it.
- Are you sure that the server has all the components? For example, the session on the server side is stored in memcached. If it is not running or something is not right with it, the ticket sharing might be broken.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
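The exchange Dan's Firefox console shows (an authenticated GET to login_kerberos answered with 200, then a POST to /ipa/session/json answered with 401) and Dmitri's session-store check can both be reproduced from a shell, which takes the browser out of the picture. The script below is an added example written for this page; it is not code from the thread or from the FreeIPA project. It assumes the session cookie FreeIPA sets is named `ipa_session`, that the JSON-RPC endpoint refuses requests without a `Referer` header, and that the server-side session store is the `ipa_memcached` unit; the access_log lines in the test are constructed in the format of the lines quoted above, not copied from a real server.

```shell
#!/bin/sh
# Added example (not from the original thread). Reproduces the web UI's
# Kerberos session flow with curl so the cookie hand-off can be inspected
# outside the browser, and correlates access_log lines for the failure
# pattern quoted in the thread. Assumptions (not stated on the page):
# cookie name "ipa_session", Referer required by /ipa/session/json,
# session store unit "ipa_memcached".

# Print the value of the IPA session cookie stored in a curl cookie jar
# (Netscape format: domain, flag, path, secure, expiry, name, value).
# Returns 1 if the server never set one. Cookie name is an assumption.
session_cookie_from_jar() {
    awk -v name="${2:-ipa_session}" \
        '$6 == name { print $7; found = 1 } END { exit (found ? 0 : 1) }' "$1"
}

# Step 1: GET /ipa/session/login_kerberos with SPNEGO (needs a TGT, i.e.
# "kinit admin" first, and a curl built with GSSAPI); curl writes the
# Set-Cookie response into the jar.
# Step 2: POST a ping to /ipa/session/json sending only the jar, which is
# what the UI does after login. A 401 here with a cookie present means
# the server is not honouring the session it just issued.
ipa_session_probe() {
    server=$1; jar=$2
    : > "$jar"
    login=$(curl -s -o /dev/null -w '%{http_code}' \
        --negotiate -u : -c "$jar" \
        "$server/ipa/session/login_kerberos")
    echo "login_kerberos: HTTP $login"
    if cookie=$(session_cookie_from_jar "$jar"); then
        echo "ipa_session cookie issued (${#cookie} chars)"
    else
        echo "no ipa_session cookie in jar: session was never created"
        return 1
    fi
    rpc=$(curl -s -o /dev/null -w '%{http_code}' \
        -b "$jar" \
        -H 'Content-Type: application/json' -H 'Accept: application/json' \
        -H "Referer: $server/ipa" \
        -d '{"method":"ping","params":[[],{}]}' \
        "$server/ipa/session/json")
    echo "session/json: HTTP $rpc"
    [ "$rpc" = "200" ]
}

# Flag the failure pattern from the thread's access_log: a request that
# Apache records as authenticated (user field set) to login_kerberos
# returning 200, immediately followed by /ipa/session/json returning 401.
# Reads Apache common-log lines on stdin; prints SESSION_LOST or OK.
access_log_session_lost() {
    awk '
        $7 ~ /login_kerberos/ && $3 != "-" && $9 == 200 { armed = 1; next }
        armed && $7 ~ /session\/json/ && $9 == 401 { result = "SESSION_LOST"; exit }
        { armed = 0 }
        END { print (result ? result : "OK") }
    '
}

# Dmitri's second suggestion, run on the server: is the session store up?
# The unit name is an assumption for FreeIPA releases of that era.
ipa_session_store_running() {
    systemctl is-active --quiet "${1:-ipa_memcached}"
}

# Only talk to a server when one is named, e.g.
#   IPA_SERVER=https://vader.rez.lcl sh ipa-session-probe.sh
if [ -n "${IPA_SERVER:-}" ]; then
    ipa_session_probe "$IPA_SERVER" "${COOKIE_JAR:-/tmp/ipa-probe.jar}"
fi
```

Run `ipa_session_probe` from the workstation holding the admin TGT; if login_kerberos returns 200 and a cookie lands in the jar but the ping still gets 401, the problem is on the server side of the session, which is where Dmitri's memcached check (run on the server itself) comes in. Feeding the server's access_log through `access_log_session_lost` gives the same verdict from the logs alone.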

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project