Re: [Freeipa-users] Web UI Authentication errors - revisited

2015-03-10 Thread Dan Mossor
On Fri, Mar 6, 2015 at 1:53 PM, Martin Kosek mko...@redhat.com wrote:

 Ugh, that one was nasty, I am glad you figured it out. Now that you know
 what the problem was, would you maybe have some general Troubleshooting
 advice to

 http://www.freeipa.org/page/Troubleshooting#Cannot_authenticate_to_Web_UI

 that would help people like you uncover the root cause easier?

 Thanks,
 Martin

Martin,

I would love to. Let me think on an effective method to target networking
issues, and I'll write something up for the wiki.

Regards,
Dan
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Web UI Authentication errors - revisited

2015-03-06 Thread Dan Mossor
On Fri, Mar 6, 2015 at 1:28 AM, Martin Kosek mko...@redhat.com wrote:

 Sorry to hear that. But I think you should start taking gradual steps in
 your testing and trying to make Web UI over GSSAPI work. I would suggest
 this procedure:

 1) Can I kinit admin and run a CLI command (ipa user-show admin)? If
 yes, basic FreeIPA is functioning. Run kdestroy to get rid of Kerberos.

 2) Can I log in with form-based auth to my FreeIPA? If not, did you verify
 all the items in
 http://www.freeipa.org/page/Troubleshooting#Cannot_authenticate_to_Web_UI ?
 Did you try logging in with form-based auth to the FreeIPA public demo, for
 example (user admin, password Secret123):

 https://ipa.demo1.freeipa.org/ipa/ui/

 If not, we can dig further. If yes, you can continue with kinit + SSO for
 the Web UI.

Martin, Dmitri,

Thanks for your help, but I've taken every step available on the page you
linked. I just checked this morning before I started over, and on the
server I can kinit as admin and run ipa user-show admin. The ipa tools are
not on my workstation. I then ran kdestroy on both the server and
workstation, and the error remains when logging in to the web UI - it
returns me to the screen I showed above in the link to the screenshot.

Regards,
Dan

Re: [Freeipa-users] Web UI Authentication errors - revisited

2015-03-06 Thread Dmitri Pal

On 03/06/2015 09:26 AM, Dan Mossor wrote:
Martin, Dmitri,

Thanks for your help, but I've taken every step available on the page 
you linked. I just checked this morning before I started over, and on 
the server I can kinit as admin and run ipa user-show admin. The ipa 
tools are not on my workstation. I then ran kdestroy on both the 
server and workstation, and the error remains when logging in to the 
web UI - it returns me to the screen I showed above in the link to the 
screenshot.


Regards,
Dan


From your workstation, can you use the demo instance
https://ipa.demo1.freeipa.org/ipa/ui/, or does it return the same error?


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


Re: [Freeipa-users] Web UI Authentication errors - revisited

2015-03-06 Thread Dan Mossor
On Fri, Mar 6, 2015 at 9:43 AM, Dmitri Pal d...@redhat.com wrote:

 OK, so it seems that something is really broken on that server.
 Maybe it is easier to start over - up to you. If you want to continue
 troubleshooting we are here to help.

 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.

IT WORKS! WOOT!

In the steps of researching a small issue on another hypervisor, I
discovered that my underlying network, while operational, was not properly
configured. The IPA server and my workstation were supposed to be talking
in VLAN 100 and 110, respectively. The network is temporarily configured to
route every packet it receives to the proper VLAN, no matter where it
originates.

My workstation is indeed on VLAN 110, and is tagging the packets
appropriately. The server, however, due to a bridge misconfiguration on the
host, was on VLAN 1 and not sending tagged packets at all. But as the
router is configured to route all appropriate packets it appeared to be
operating normally.

I blew away the network configuration on the host and rebuilt it again,
this time ensuring that VLAN 1 was not available on that switch port, and
that the packets leaving the host were tagged with VLAN 100. I brought the
IPA server back up and was able to log in.

So, chalk this one up to misrouted packets. I didn't even think to look
there; the 401 error gave no clue that networking might be the issue.

Regards,
Dan Mossor

Re: [Freeipa-users] Web UI Authentication errors - revisited

2015-03-06 Thread Dan Mossor
On Fri, Mar 6, 2015 at 9:21 AM, Dmitri Pal d...@redhat.com wrote:


 From your workstation, can you use the demo instance
 https://ipa.demo1.freeipa.org/ipa/ui/, or does it return the same error?

 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.

Oh, sorry, I didn't realize I was supposed to check that. For the
record, yes - I can log into the demo instance on Firefox from my
workstation. For the sake of completeness, I checked with Konqueror also
and can log in to the demo instance.

Regards,
Dan

Re: [Freeipa-users] Web UI Authentication errors - revisited

2015-03-06 Thread Dmitri Pal

On 03/06/2015 11:59 AM, Dan Mossor wrote:





I am glad that this hunt is over :-)
Have a nice weekend!

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


Re: [Freeipa-users] Web UI Authentication errors - revisited

2015-03-06 Thread Martin Kosek

On 03/06/2015 05:59 PM, Dan Mossor wrote:




IT WORKS! WOOT!

In the steps of researching a small issue on another hypervisor, I discovered
that my underlying network, while operational, was not properly configured. The
IPA server and my workstation were supposed to be talking in VLAN 100 and 110,
respectively. The network is temporarily configured to route every packet it
receives to the proper VLAN, no matter where it originates.

My workstation is indeed on VLAN 110, and is tagging the packets appropriately.
The server, however, due to a bridge misconfiguration on the host, was on VLAN
1 and not sending tagged packets at all. But as the router is configured to
route all appropriate packets it appeared to be operating normally.

I blew away the network configuration on the host and rebuilt it again, this
time ensuring that VLAN 1 was not available on that switch port, and that the
packets leaving the host were tagged with VLAN 100. I brought the IPA server
back up and was able to log in.

So, chalk this one up to misrouted packets. I didn't even think to look there;
the 401 error gave no clue that networking might be the issue.

Regards,
Dan Mossor


Ugh, that one was nasty, I am glad you figured it out. Now that you know what
the problem was, would you maybe have some general Troubleshooting advice to


http://www.freeipa.org/page/Troubleshooting#Cannot_authenticate_to_Web_UI

that would help people like you uncover the root cause easier?

Thanks,
Martin



Re: [Freeipa-users] Web UI Authentication errors - revisited

2015-03-05 Thread Dan Mossor
On Thu, Mar 5, 2015 at 4:55 PM, Dmitri Pal d...@redhat.com wrote:

 On 03/05/2015 05:51 PM, Dan Mossor wrote:

 As an additional test, I created a new user on my workstation and
 switched to it. The first thing I did was kinit as admin, then started
 Firefox, went through the browser configuration provided by the IPA server,
 and attempted to log in. I received the same error[1].

 [1] http://i.imgur.com/mhX86Ng.png


 Have you checked times and time zones on the client and on the server?

 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.


The server is set for GMT time, whereas the client is set for local time,
US Central Standard Time. Except for that difference, they are within 1
second of each other.

Dan

--
Dan Mossor, RHCSA
Systems Engineer at Large
Fedora Plasma Product WG | Fedora QA Team | Fedora Server WG
Fedora Infrastructure Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA

Re: [Freeipa-users] Web UI Authentication errors - revisited

2015-03-05 Thread Dan Mossor
On Thu, Mar 5, 2015 at 5:17 PM, Dan Mossor danofs...@gmail.com wrote:




 The server is set for GMT time, whereas the client is set for local time,
 US Central Standard Time. Except for that difference, they are within 1
 second of each other.

 Dan

As an experiment after this email exchange, I switched the server to
Central Standard Time using timedatectl. I then ran kinit again, and
attempted to log into the GUI. There was no change - I still cannot access
the GUI. Here is the krb5kdc.log from the period:

Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: NEEDED_PREAUTH: host/dmfedora.rez@rez.lcl for krbtgt/rez@rez.lcl, Additional pre-authentication required
Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601734, etypes {rep=18 tkt=18 ses=18}, host/dmfedora.rez@rez.lcl for krbtgt/rez@rez.lcl
Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601734, etypes {rep=18 tkt=18 ses=18}, host/dmfedora.rez@rez.lcl for ldap/vader.rez@rez.lcl
Mar 05 18:29:20 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: NEEDED_PREAUTH: ad...@rez.lcl for krbtgt/rez@rez.lcl, Additional pre-authentication required
Mar 05 18:29:25 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, ad...@rez.lcl for krbtgt/rez@rez.lcl
Mar 05 18:29:26 vader.rez.lcl krb5kdc[1073](info): DISPATCH: repeated (retransmitted?) request from 10.1.1.15, resending previous response
Mar 05 18:29:26 vader.rez.lcl krb5kdc[1073](info): closing down fd 12
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: NEEDED_PREAUTH: HTTP/vader.rez@rez.lcl for krbtgt/rez@rez.lcl, Additional pre-authentication required
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: ISSUE: authtime 1425601784, etypes {rep=18 tkt=18 ses=18}, HTTP/vader.rez@rez.lcl for krbtgt/rez@rez.lcl
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: NEEDED_PREAUTH: ad...@rez.lcl for krbtgt/rez@rez.lcl, Additional pre-authentication required
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: ISSUE: authtime 1425601784, etypes {rep=18 tkt=18 ses=18}, ad...@rez.lcl for krbtgt/rez@rez.lcl
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, ad...@rez.lcl for HTTP/vader.rez@rez.lcl


One thing I did determine is the authtime in the krb5kdc log is epoch time.
I checked it, and it translates directly to the standard time.

Dan
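The krb5kdc.log excerpt above is the KDC's view of a Web UI SSO attempt: an AS_REQ that issues the user's TGT, then a TGS_REQ for the server's HTTP/ service principal. As an added example (not code from this thread or from the FreeIPA project), the Python below parses lines in that format, performs the epoch-versus-wall-clock check Dan describes (on AS_REQ ISSUE lines, whose authtime is the issue time), and reports whether a user was issued both tickets. The sample log, realm EXAMPLE.TEST, hostnames, IPs and principals are constructed placeholders.

```python
"""Parse krb5kdc.log lines and check the KDC-side view of a Web UI SSO attempt.

Added example, not code from the mailing-list thread or the FreeIPA project.
SAMPLE_LOG is constructed to match the krb5kdc.log format quoted in the
thread; the realm, hostnames, IPs and principals are placeholders.
"""
import re
from datetime import datetime, timedelta, timezone

# The two request shapes in the thread: NEEDED_PREAUTH (no authtime) and
# ISSUE (carries authtime plus the negotiated etypes). DISPATCH and other
# housekeeping lines deliberately do not match and are skipped by the caller.
KDC_LINE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) (?P<day>\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<kdc>\S+) krb5kdc\[(?P<pid>\d+)\]\(info\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<etypes>[^}]*)\}\) "
    r"(?P<client_ip>\S+): (?P<status>NEEDED_PREAUTH|ISSUE): "
    r"(?:authtime (?P<authtime>\d+), etypes \{[^}]*\}, )?"
    r"(?P<cname>[^\s,]+) for (?P<sname>[^\s,]+)"
)

# Constructed sample. As in the thread, the KDC's zone was switched from UTC to
# CST (UTC-6) between the first and the last two lines, hence "Mar 05 18:29"
# following "Mar 06 00:28" although the later lines were logged later.
SAMPLE_LOG = """\
Mar 06 00:28:54 ipa.example.test krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.15: NEEDED_PREAUTH: admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Mar 06 00:28:54 ipa.example.test krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.15: ISSUE: authtime 1425601734, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Mar 06 00:28:55 ipa.example.test krb5kdc[1073](info): DISPATCH: repeated (retransmitted?) request from 192.0.2.15, resending previous response
Mar 05 18:29:25 ipa.example.test krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Mar 05 18:29:44 ipa.example.test krb5kdc[1073](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.TEST for HTTP/ipa.example.test@EXAMPLE.TEST
"""


def parse_kdc_line(line):
    """Return a dict for an AS_REQ/TGS_REQ line, or None for anything else."""
    m = KDC_LINE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["authtime"] = int(entry["authtime"]) if entry["authtime"] else None
    entry["etypes"] = [int(e) for e in entry["etypes"].split()]
    return entry


def parse_log(text):
    return [e for e in map(parse_kdc_line, text.splitlines()) if e]


def authtime_to_utc(authtime):
    """authtime is seconds since the Unix epoch, i.e. already UTC."""
    return datetime.fromtimestamp(authtime, tz=timezone.utc)


def logged_wallclock(entry, year, utc_offset_hours):
    """Rebuild the syslog-style prefix (no year, KDC local zone) as an aware datetime."""
    local = timezone(timedelta(hours=utc_offset_hours))
    stamp = f"{year} {entry['mon']} {entry['day']} {entry['time']}"
    return datetime.strptime(stamp, "%Y %b %d %H:%M:%S").replace(tzinfo=local)


def clock_skew_seconds(entry, year, utc_offset_hours):
    """Wall clock minus authtime for an AS_REQ ISSUE line (None otherwise).

    Only a freshly issued TGT has authtime == issue time; a TGS_REQ repeats the
    TGT's original authtime, so it says nothing about the clock. With the right
    zone offset the result is about 0 (the check described in the thread);
    exactly +-21600 means the log is in a zone six hours away from the one
    assumed, not a real clock skew.
    """
    if entry["req"] != "AS_REQ" or entry["status"] != "ISSUE":
        return None
    delta = logged_wallclock(entry, year, utc_offset_hours) - authtime_to_utc(entry["authtime"])
    return int(delta.total_seconds())


def sso_flow(entries, user, http_service):
    """What the KDC saw for one user's browser SSO attempt.

    Web UI SSO needs (1) a TGT for the user and (2) a service ticket for the
    server's HTTP/ principal. If both were issued and the browser still gets a
    401, the fault lies outside Kerberos: httpd, the client, or the network.
    """
    issued = [e for e in entries if e["status"] == "ISSUE" and e["cname"] == user]
    return {
        "tgt_issued": any(e["req"] == "AS_REQ" and e["sname"].startswith("krbtgt/") for e in issued),
        "http_ticket_issued": any(e["req"] == "TGS_REQ" and e["sname"] == http_service for e in issued),
        "client_ips": sorted({e["client_ip"] for e in issued}),
    }


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for e in parsed:
        # The Mar 05 lines were logged after the switch to CST, so assume UTC-6.
        skew = clock_skew_seconds(e, 2015, -6)
        print(e["mon"], e["day"], e["time"], e["req"], e["status"],
              e["cname"], "->", e["sname"], "skew:", skew)
    print(sso_flow(parsed, "admin@EXAMPLE.TEST", "HTTP/ipa.example.test@EXAMPLE.TEST"))
```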

Re: [Freeipa-users] Web UI Authentication errors - revisited

2015-03-05 Thread Rob Crittenden
Dan Mossor wrote:
 On Thu, Mar 5, 2015 at 4:34 PM, Dan Mossor danofs...@gmail.com
 mailto:danofs...@gmail.com wrote:
  
 
 As an additional test, I created a new user on my workstation and
 switched to it. The first thing I did was kinit as admin, then started
 Firefox, went through the browser configuration provided by the IPA
 server, and attempted to log in. I received the same error[1].
 
 [1]http://i.imgur.com/mhX86Ng.png

I'd look for SELinux errors: ausearch -m AVC -ts recent

Perhaps we can't create a login session for some reason.

rob



Re: [Freeipa-users] Web UI Authentication errors - revisited

2015-03-05 Thread Dan Mossor
On Thu, Mar 5, 2015 at 4:59 PM, Rob Crittenden rcrit...@redhat.com wrote:


 I'd look for SELinux errors: ausearch -m AVC -ts recent

 Perhaps we can't create a login session for some reason.

 rob

I checked /var/log/audit/audit.log, and SELinux is not reporting
anything during the time I am attempting to access the GUI.

But, for the sake of thoroughness:

[root@vader ipa]#  ausearch -m AVC -ts recent
no matches
[root@vader ipa]#

Dan

--
Dan Mossor, RHCSA
Systems Engineer at Large
Fedora Plasma Product WG | Fedora QA Team | Fedora Server WG
Fedora Infrastructure Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA

Re: [Freeipa-users] Web UI Authentication errors - revisited

2015-03-05 Thread Dan Mossor
On Thu, Mar 5, 2015 at 7:21 PM, Dmitri Pal d...@redhat.com wrote:

 http://i.imgur.com/mhX86Ng.png

 It should show up if you do not have a ticket. Destroy the ticket on the
 client and try to access the server via browser, you should be redirected.

 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.

Ok then, that is the page that keeps returning. I've tried from this
workstation using Konqueror, which does not support Kerberos, I've tried
from Internet Explorer on a Windows 7 Professional desktop, and I've tried
from a Fedora 21 system that is not enrolled in the domain. I get the exact
same response with every attempt.

One additional step I attempted to take was to change the admin password on
the IPA server. I am getting a ldap_sasl_interactive_bind_s: Unknown
authentication method (-6) error back.

I think this installation is hosed. I am ready to wipe and start over from
scratch tomorrow. I've already wasted 16 hours on it.

Dan

Re: [Freeipa-users] Web UI Authentication errors - revisited

2015-03-05 Thread Dan Mossor
On Thu, Mar 5, 2015 at 6:44 PM, Dmitri Pal d...@redhat.com wrote:



 Hm. OK.

 I do not think it was ever mentioned which version of the server and
 client you are running, but based on the UI it seems like the latest.
 Also, you are trying to log in after using kinit. Can you log in using
 forms-based authentication, or does that not work either?


 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.

I can't seem to locate the form-based authentication for 4.1.2-1 - I was
going to try that in order to add the information to this thread, but I can
find no reference as to where it is and I can't find it manually on the
file system. Can you give me the default URL for it?

freeipa-server-4.1.2-1.fc21.x86_64
freeipa-client-4.1.2-1.fc21.x86_64

Dan

Re: [Freeipa-users] Web UI Authentication errors - revisited

2015-03-05 Thread Dmitri Pal

On 03/05/2015 08:09 PM, Dan Mossor wrote:





Re: [Freeipa-users] Web UI Authentication errors - revisited

2015-03-05 Thread Dmitri Pal

On 03/05/2015 07:36 PM, Dan Mossor wrote:
On Thu, Mar 5, 2015 at 5:17 PM, Dan Mossor danofs...@gmail.com wrote:




On Thu, Mar 5, 2015 at 4:55 PM, Dmitri Pal d...@redhat.com wrote:

On 03/05/2015 05:51 PM, Dan Mossor wrote:

As an additional test, I created a new user on my workstation
and switched to it. the first thing I did was kinit as admin,
then started Firefox, went through the browser configuration
provided by the IPA server, and attempted to log in. I
received the same error[1].

[1]http://i.imgur.com/mhX86Ng.png



Have you checked times and time zones on the client and on the
server?

-- 
Thank you,

Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


The server is set for GMT time, whereas the client is set for
local time, US Central Standard Time. Except for that difference,
they are within 1 second of each other.

Dan

As an experiment after this email exchange, I switched the server to 
Central Standard Time using timedatectl. I then ran kinit again, and 
attempted to log into the GUI. There was no change - I still cannot 
access the GUI. Here is the krb5kdc.log from the period:


Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: NEEDED_PREAUTH: host/dmfedora.rez@rez.lcl for krbtgt/rez@rez.lcl, Additional pre-authentication required
Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601734, etypes {rep=18 tkt=18 ses=18}, host/dmfedora.rez@rez.lcl for krbtgt/rez@rez.lcl
Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601734, etypes {rep=18 tkt=18 ses=18}, host/dmfedora.rez@rez.lcl for ldap/vader.rez@rez.lcl
Mar 05 18:29:20 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: NEEDED_PREAUTH: ad...@rez.lcl for krbtgt/rez@rez.lcl, Additional pre-authentication required
Mar 05 18:29:25 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, ad...@rez.lcl for krbtgt/rez@rez.lcl
Mar 05 18:29:26 vader.rez.lcl krb5kdc[1073](info): DISPATCH: repeated (retransmitted?) request from 10.1.1.15, resending previous response
Mar 05 18:29:26 vader.rez.lcl krb5kdc[1073](info): closing down fd 12
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: NEEDED_PREAUTH: HTTP/vader.rez@rez.lcl for krbtgt/rez@rez.lcl, Additional pre-authentication required
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: ISSUE: authtime 1425601784, etypes {rep=18 tkt=18 ses=18}, HTTP/vader.rez@rez.lcl for krbtgt/rez@rez.lcl
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: NEEDED_PREAUTH: ad...@rez.lcl for krbtgt/rez@rez.lcl, Additional pre-authentication required
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: ISSUE: authtime 1425601784, etypes {rep=18 tkt=18 ses=18}, ad...@rez.lcl for krbtgt/rez@rez.lcl
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, ad...@rez.lcl for HTTP/vader.rez@rez.lcl



One thing I did determine is the authtime in the krb5kdc log is epoch 
time. I checked it, and it translates directly to the standard time.


Dan


Hm. OK.

I do not think it was ever mentioned which version of the server and 
client you are running, but based on the UI it seems like the latest.
Also, you are trying to log in after using kinit. Can you log in using 
forms-based authentication, or does that not work either?



--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

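The krb5kdc.log posted above can be read mechanically rather than by eye. The following is an added example, not code from this thread or from FreeIPA: it parses log entries of the shape shown, converts authtime (seconds since the Unix epoch, always UTC) back to a clock time so the KDC's timezone offset falls out of the log itself, and reconstructs the ticket chain per client principal. The sample lines are a subset of the log in this thread with the link residue removed; the year (syslog timestamps carry none) is an assumption.

```python
import re
from datetime import datetime, timezone

# Added example, not from the thread or from FreeIPA. It parses krb5kdc.log
# entries like the ones posted above and answers two questions:
#   1. what UTC offset the KDC's log clock uses (log time minus authtime);
#   2. whether the user actually received a service ticket for the server's
#      HTTP/ principal, i.e. whether the KDC side of Web UI SSO completed.
# LOG_YEAR is an assumption: syslog-style timestamps carry no year.

LOG_YEAR = 2015

# Constructed sample: a subset of the log posted in this thread, one entry per
# line, link residue removed. Principal spellings are as printed on the page.
SAMPLE_LOG = """\
Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601734, etypes {rep=18 tkt=18 ses=18}, host/dmfedora.rez@rez.lcl for krbtgt/rez@rez.lcl
Mar 05 18:29:20 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: NEEDED_PREAUTH: ad...@rez.lcl for krbtgt/rez@rez.lcl, Additional pre-authentication required
Mar 05 18:29:25 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, ad...@rez.lcl for krbtgt/rez@rez.lcl
Mar 05 18:29:26 vader.rez.lcl krb5kdc[1073](info): DISPATCH: repeated (retransmitted?) request from 10.1.1.15, resending previous response
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: ISSUE: authtime 1425601784, etypes {rep=18 tkt=18 ses=18}, HTTP/vader.rez@rez.lcl for krbtgt/rez@rez.lcl
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, ad...@rez.lcl for HTTP/vader.rez@rez.lcl
"""

# Matches AS_REQ/TGS_REQ entries; DISPATCH and "closing down fd" lines are skipped.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) (?P<day>\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"\S+ krb5kdc\[\d+\]\(\w+\): (?P<kind>AS_REQ|TGS_REQ) "
    r"\(\d+ etypes \{(?P<etypes>[^}]*)\}\) (?P<ip>[\d.]+): "
    r"(?P<status>NEEDED_PREAUTH|ISSUE): "
    r"(?:authtime (?P<authtime>\d+), etypes \{rep=\d+ tkt=\d+ ses=\d+\}, )?"
    r"(?P<client>\S+) for (?P<service>[^,\s]+)"
)


def parse_line(line):
    """Return a dict for one KDC request line, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["stamp"] = datetime.strptime(
        f"{LOG_YEAR} {rec['mon']} {rec['day']} {rec['time']}", "%Y %b %d %H:%M:%S")
    rec["authtime"] = int(rec["authtime"]) if rec["authtime"] else None
    return rec


def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]


def kdc_utc_offset_hours(rec):
    """For an AS_REQ ISSUE entry authtime is the instant the TGT was issued, so
    (log wall-clock) - (authtime as UTC) is the KDC's UTC offset. Anything that
    is not a plausible zone offset means the log clock and authtime disagree.
    Returns None for entries whose authtime is inherited from an earlier TGT."""
    if rec["kind"] != "AS_REQ" or rec["status"] != "ISSUE":
        return None
    issued = datetime.fromtimestamp(rec["authtime"], tz=timezone.utc).replace(tzinfo=None)
    return (rec["stamp"] - issued).total_seconds() / 3600


def ticket_chain(records, client):
    """The sequence of KDC exchanges for one client principal, in log order."""
    return [(r["ip"], r["kind"], r["status"], r["service"])
            for r in records if r["client"] == client]


def service_ticket_issued(records, client, service_prefix):
    """True if a TGS_REQ ISSUE shows `client` receiving a ticket for a service
    whose principal starts with `service_prefix` (e.g. 'HTTP/')."""
    return any(r["kind"] == "TGS_REQ" and r["status"] == "ISSUE"
               and r["client"] == client and r["service"].startswith(service_prefix)
               for r in records)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        off = kdc_utc_offset_hours(r)
        print(r["stamp"], r["ip"], r["kind"], r["status"], r["client"], "->", r["service"],
              "" if off is None else f"(KDC log clock is UTC{off:+.0f})")
    print("HTTP/ service ticket issued to admin:",
          service_ticket_issued(recs, "ad...@rez.lcl", "HTTP/"))
```

Run against the posted log, the first entry yields an offset of 0 (the server was on GMT) and the later ones -6 (after the switch to Central Standard Time), which confirms the observation that authtime translates directly to the printed time. The TGS_REQ ISSUE of a ticket for HTTP/vader.rez@rez.lcl to the workstation shows the KDC side of the SSO flow completed, so a 401 that follows is produced somewhere between the browser and httpd rather than by the KDC.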

Re: [Freeipa-users] Web UI Authentication errors - revisited

2015-03-05 Thread Martin Kosek

On 03/06/2015 02:38 AM, Dan Mossor wrote:



On Thu, Mar 5, 2015 at 7:21 PM, Dmitri Pal d...@redhat.com wrote:

http://i.imgur.com/mhX86Ng.png

It should show up if you do not have a ticket. Destroy the ticket on the
client and try to access the server via browser; you should be redirected.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

Ok then, that is the page that keeps returning. I've tried from this
workstation using Konqueror, which does not support Kerberos, I've tried from
Internet Explorer on a Windows 7 Professional desktop, and I've tried from a
Fedora 21 system that is not enrolled in the domain. I get the exact same
response with every attempt.

One additional step I attempted to take was to change the admin password on the
IPA server. I am getting an ldap_sasl_interactive_bind_s: Unknown authentication
method (-6) error back.

I think this installation is hosed. I am ready to wipe and start over from
scratch tomorrow. I've already wasted 16 hours on it.


Sorry to hear that. But I think you should start taking gradual steps in your 
testing and trying to make Web UI over GSSAPI work. I would suggest this procedure:


1) Can I kinit admin and run CLI command (ipa user-show admin)? If yes, 
basic FreeIPA is functioning. Run kdestroy to get rid of Kerberos.


2) Can I log in with form-based auth to my FreeIPA? If not, did you verify all 
the items in 
http://www.freeipa.org/page/Troubleshooting#Cannot_authenticate_to_Web_UI ? Did 
you try logging in with form-based auth in the FreeIPA public demo, for example (user 
admin, password Secret123):


https://ipa.demo1.freeipa.org/ipa/ui/

If not, we can dig further. If yes, you can continue with kinit + SSO for the 
Web UI.


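The gradual procedure above (kinit and a CLI call, kdestroy, then a form-based login before trying SSO) can be scripted so that it stops at the first layer that fails. The following is an added example, not code from this thread and not FreeIPA's own code. It assumes: IPA_SERVER is a placeholder hostname, not one from the thread; /ipa/session/login_password is FreeIPA's form-login endpoint, which requires a Referer header and, on a failed login, sets an X-IPA-Rejection-Reason header; the reason strings in REASONS are the ones I know from that handler and should be checked against your server's version.

```python
import getpass
import http.client
import ssl
import subprocess
from urllib.parse import urlencode

# Added example, not from the thread and not FreeIPA's own code: the gradual
# procedure above as a script that stops at the first layer that fails, so a
# Web UI 401 is attributed to the KDC/CLI layer, the form-based login layer or
# the browser GSSAPI layer instead of guessed at.
# Assumptions: IPA_SERVER is a placeholder; /ipa/session/login_password is
# FreeIPA's form-login endpoint, it rejects requests without a Referer header,
# and on failure it sets X-IPA-Rejection-Reason. The strings in REASONS are the
# ones I know from that handler; confirm them against your server's version.

IPA_SERVER = "ipa.example.test"   # placeholder, not a host from the thread
USER = "admin"

REASONS = {
    "invalid-password": "the KDC rejected the credentials (wrong password or a preauth problem)",
    "password-expired": "the password has expired and must be reset",
    "krbprincipal-expired": "the Kerberos principal has expired",
    "user-locked": "the account is locked out",
    "denied": "httpd could not obtain a ticket for the user; check its keytab and krb5kdc.log",
}


def run(cmd, stdin_text=None):
    """Run one CLI step and return (exit code, combined output)."""
    p = subprocess.run(cmd, input=stdin_text, capture_output=True, text=True)
    return p.returncode, (p.stdout + p.stderr).strip()


def cli_works(password):
    """Step 1: kinit plus one RPC call prove the KDC, LDAP and the CLI path.
    Ends with kdestroy so the Web UI test starts without a ticket."""
    rc, out = run(["kinit", USER], stdin_text=password + "\n")
    if rc != 0:
        return False, "kinit failed: " + out
    rc, out = run(["ipa", "user-show", USER])
    run(["kdestroy"])
    return rc == 0, out


def form_login(password, verify_tls=True):
    """Step 2: POST the form-based login, which never involves GSSAPI in the
    browser. Returns (HTTP status, lower-cased response headers)."""
    ctx = ssl.create_default_context()
    if not verify_tls:   # only for a lab whose CA certificate is not imported yet
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(IPA_SERVER, context=ctx, timeout=15)
    conn.request(
        "POST", "/ipa/session/login_password",
        urlencode({"user": USER, "password": password}),
        {"Content-Type": "application/x-www-form-urlencoded",
         "Accept": "text/plain",
         "Referer": f"https://{IPA_SERVER}/ipa"},
    )
    resp = conn.getresponse()
    headers = {k.lower(): v for k, v in resp.getheaders()}
    headers["set-cookie"] = "; ".join(resp.headers.get_all("Set-Cookie") or [])
    return resp.status, headers


def diagnose_login(status, headers):
    """Map a login_password response to the next troubleshooting step. Pure,
    so it can also be applied to a response captured with curl -i."""
    reason = headers.get("x-ipa-rejection-reason")
    if status == 200 and "ipa_session=" in headers.get("set-cookie", ""):
        return "form login OK: session cookie issued; next test kinit + SSO in the browser"
    if status == 200:
        return "200 but no ipa_session cookie: inspect httpd session and cookie configuration"
    if status == 401 and reason:
        return f"401 ({reason}): " + REASONS.get(reason, "unknown reason; read /var/log/httpd/error_log")
    if status == 401:
        return ("401 without X-IPA-Rejection-Reason: not the answer the login handler gives; "
                "find out what actually answered on that address (routing, proxies, another vhost) "
                "and read the httpd logs")
    return f"unexpected HTTP {status}: read /var/log/httpd/error_log on the server"


if __name__ == "__main__":
    pw = getpass.getpass(f"Password for {USER}: ")
    ok, detail = cli_works(pw)
    print("step 1, CLI:", "OK" if ok else "FAILED", "\n", detail)
    if ok:
        print("step 2, form login:", diagnose_login(*form_login(pw)))
```

Only when both steps pass is it worth going back to kinit plus the browser's Negotiate configuration; a failure in step 1 is a KDC or LDAP problem, and a bare 401 in step 2 means the request is not being answered by the IPA login handler at all, which is where network paths and proxies come under suspicion.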