Re: [Freeipa-users] Web UI Authentication errors - revisited
On Fri, Mar 6, 2015 at 1:53 PM, Martin Kosek mko...@redhat.com wrote:
> On 03/06/2015 05:59 PM, Dan Mossor wrote:
>> IT WORKS! WOOT!
>>
>> In the steps of researching a small issue on another hypervisor, I discovered that my underlying network, while operational, was not properly configured. The IPA server and my workstation were supposed to be talking in VLAN 100 and 110, respectively. The network is temporarily configured to route every packet it receives to the proper VLAN, no matter where it originates. My workstation is indeed on VLAN 110, and is tagging the packets appropriately. The server, however, due to a bridge misconfiguration on the host, was on VLAN 1 and not sending tagged packets at all. But as the router is configured to route all appropriate packets, it appeared to be operating normally.
>>
>> I blew away the network configuration on the host and rebuilt it again, this time ensuring that VLAN 1 was not available on that switch port, and that the packets leaving the host were tagged with VLAN 100. I brought the IPA server back up and was able to log in.
>>
>> So, chalk this one up to misrouted packets. I didn't even think to look there; the 401 error gave no clue that networking may be the issue.
>>
>> Regards,
>> Dan Mossor
>
> Ugh, that one was nasty, I am glad you figured it out. Now that you know what the problem was, would you maybe have some general Troubleshooting advice to add to http://www.freeipa.org/page/Troubleshooting#Cannot_authenticate_to_Web_UI that would help people like you uncover the root cause more easily?
>
> Thanks,
> Martin

Martin, I would love to. Let me think on an effective method to target networking issues, and I'll write something up for the wiki.

Regards,
Dan

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Web UI Authentication errors - revisited
On Fri, Mar 6, 2015 at 1:28 AM, Martin Kosek mko...@redhat.com wrote:
> On 03/06/2015 02:38 AM, Dan Mossor wrote:
>> On Thu, Mar 5, 2015 at 7:21 PM, Dmitri Pal d...@redhat.com wrote:
>>> http://i.imgur.com/mhX86Ng.png
>>>
>>> It should show up if you do not have a ticket. Destroy the ticket on the client and try to access the server via browser, you should be redirected.
>>>
>>> --
>>> Thank you,
>>> Dmitri Pal
>>> Sr. Engineering Manager IdM portfolio
>>> Red Hat, Inc.
>>
>> Ok then, that is the page that keeps returning. I've tried from this workstation using Konqueror, which does not support Kerberos, I've tried from Internet Explorer on a Windows 7 Professional desktop, and I've tried from a Fedora 21 system that is not enrolled in the domain. I get the exact same response with every attempt.
>>
>> One additional step I attempted to take was to change the admin password on the IPA server. I am getting a ldap_sasl_interactive_bind_s: Unknown authentication method (-6) error back.
>>
>> I think this installation is hosed. I am ready to wipe and start over from scratch tomorrow. I've already wasted 16 hours on it.
>
> Sorry to hear that. But I think you should start taking gradual steps in your testing and trying to make Web UI over GSSAPI work. I would suggest this procedure:
>
> 1) Can I kinit admin and run a CLI command (ipa user-show admin)? If yes, basic FreeIPA is functioning. Run kdestroy to get rid of Kerberos.
>
> 2) Can I log in with form-based auth to my FreeIPA? If not, did you verify all the items in http://www.freeipa.org/page/Troubleshooting#Cannot_authenticate_to_Web_UI ? Did you try logging in with form-based auth in the FreeIPA public demo, for example (user admin, password Secret123): https://ipa.demo1.freeipa.org/ipa/ui/
>
> If not, we can dig further. If yes, you can continue with kinit + SSO for the Web UI.

Martin, Dmitri,

Thanks for your help, but I've taken every step available on the page you linked. I just checked this morning before I started over, and on the server I can kinit as admin and run ipa user-show admin. The ipa tools are not on my workstation. I then ran kdestroy on both the server and workstation, and the error remains when logging in to the web UI: it returns me to the screen I showed above in the link to the screenshot.

Regards,
Dan
Re: [Freeipa-users] Web UI Authentication errors - revisited
On 03/06/2015 09:26 AM, Dan Mossor wrote:
> On Fri, Mar 6, 2015 at 1:28 AM, Martin Kosek mko...@redhat.com wrote:
>> On 03/06/2015 02:38 AM, Dan Mossor wrote:
>>> On Thu, Mar 5, 2015 at 7:21 PM, Dmitri Pal d...@redhat.com wrote:
>>>> http://i.imgur.com/mhX86Ng.png
>>>>
>>>> It should show up if you do not have a ticket. Destroy the ticket on the client and try to access the server via browser, you should be redirected.
>>>>
>>>> --
>>>> Thank you,
>>>> Dmitri Pal
>>>> Sr. Engineering Manager IdM portfolio
>>>> Red Hat, Inc.
>>>
>>> Ok then, that is the page that keeps returning. I've tried from this workstation using Konqueror, which does not support Kerberos, I've tried from Internet Explorer on a Windows 7 Professional desktop, and I've tried from a Fedora 21 system that is not enrolled in the domain. I get the exact same response with every attempt.
>>>
>>> One additional step I attempted to take was to change the admin password on the IPA server. I am getting a ldap_sasl_interactive_bind_s: Unknown authentication method (-6) error back.
>>>
>>> I think this installation is hosed. I am ready to wipe and start over from scratch tomorrow. I've already wasted 16 hours on it.
>>
>> Sorry to hear that. But I think you should start taking gradual steps in your testing and trying to make Web UI over GSSAPI work. I would suggest this procedure:
>>
>> 1) Can I kinit admin and run a CLI command (ipa user-show admin)? If yes, basic FreeIPA is functioning. Run kdestroy to get rid of Kerberos.
>>
>> 2) Can I log in with form-based auth to my FreeIPA? If not, did you verify all the items in http://www.freeipa.org/page/Troubleshooting#Cannot_authenticate_to_Web_UI ? Did you try logging in with form-based auth in the FreeIPA public demo, for example (user admin, password Secret123): https://ipa.demo1.freeipa.org/ipa/ui/
>>
>> If not, we can dig further. If yes, you can continue with kinit + SSO for the Web UI.
>
> Martin, Dmitri,
>
> Thanks for your help, but I've taken every step available on the page you linked. I just checked this morning before I started over, and on the server I can kinit as admin and run ipa user-show admin. The ipa tools are not on my workstation. I then ran kdestroy on both the server and workstation, and the error remains when logging in to the web UI: it returns me to the screen I showed above in the link to the screenshot.
>
> Regards,
> Dan

From your workstation, can you use the demo instance https://ipa.demo1.freeipa.org/ipa/ui/ or does it return the same error?

--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] Web UI Authentication errors - revisited
On Fri, Mar 6, 2015 at 9:43 AM, Dmitri Pal d...@redhat.com wrote:
> On 03/06/2015 10:35 AM, Dan Mossor wrote:
>> On Fri, Mar 6, 2015 at 9:21 AM, Dmitri Pal d...@redhat.com wrote:
>>> From your workstation, can you use the demo instance https://ipa.demo1.freeipa.org/ipa/ui/ or does it return the same error?
>>>
>>> --
>>> Thank you,
>>> Dmitri Pal
>>> Sr. Engineering Manager IdM portfolio
>>> Red Hat, Inc.
>>
>> Oh, sorry, I didn't realize I was supposed to check that. For the record, yes, I can log into the demo instance on Firefox from my workstation. For the sake of completeness, I checked with Konqueror also and can log in to the demo instance.
>>
>> Regards,
>> Dan
>
> OK, so it seems that something is really broken on that server. Maybe it is easier to start over, up to you. If you want to continue troubleshooting we are here to help.
>
> --
> Thank you,
> Dmitri Pal
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.

IT WORKS! WOOT!

In the steps of researching a small issue on another hypervisor, I discovered that my underlying network, while operational, was not properly configured. The IPA server and my workstation were supposed to be talking in VLAN 100 and 110, respectively. The network is temporarily configured to route every packet it receives to the proper VLAN, no matter where it originates. My workstation is indeed on VLAN 110, and is tagging the packets appropriately. The server, however, due to a bridge misconfiguration on the host, was on VLAN 1 and not sending tagged packets at all. But as the router is configured to route all appropriate packets, it appeared to be operating normally.

I blew away the network configuration on the host and rebuilt it again, this time ensuring that VLAN 1 was not available on that switch port, and that the packets leaving the host were tagged with VLAN 100. I brought the IPA server back up and was able to log in.

So, chalk this one up to misrouted packets. I didn't even think to look there; the 401 error gave no clue that networking may be the issue.

Regards,
Dan Mossor
Re: [Freeipa-users] Web UI Authentication errors - revisited
On Fri, Mar 6, 2015 at 9:21 AM, Dmitri Pal d...@redhat.com wrote:
> From your workstation, can you use the demo instance https://ipa.demo1.freeipa.org/ipa/ui/ or does it return the same error?
>
> --
> Thank you,
> Dmitri Pal
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.

Oh, sorry, I didn't realize I was supposed to check that. For the record, yes, I can log into the demo instance on Firefox from my workstation. For the sake of completeness, I checked with Konqueror also and can log in to the demo instance.

Regards,
Dan
Re: [Freeipa-users] Web UI Authentication errors - revisited
On 03/06/2015 11:59 AM, Dan Mossor wrote:
> On Fri, Mar 6, 2015 at 9:43 AM, Dmitri Pal d...@redhat.com wrote:
>> On 03/06/2015 10:35 AM, Dan Mossor wrote:
>>> On Fri, Mar 6, 2015 at 9:21 AM, Dmitri Pal d...@redhat.com wrote:
>>>> From your workstation, can you use the demo instance https://ipa.demo1.freeipa.org/ipa/ui/ or does it return the same error?
>>>>
>>>> --
>>>> Thank you,
>>>> Dmitri Pal
>>>> Sr. Engineering Manager IdM portfolio
>>>> Red Hat, Inc.
>>>
>>> Oh, sorry, I didn't realize I was supposed to check that. For the record, yes, I can log into the demo instance on Firefox from my workstation. For the sake of completeness, I checked with Konqueror also and can log in to the demo instance.
>>>
>>> Regards,
>>> Dan
>>
>> OK, so it seems that something is really broken on that server. Maybe it is easier to start over, up to you. If you want to continue troubleshooting we are here to help.
>>
>> --
>> Thank you,
>> Dmitri Pal
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.
>
> IT WORKS! WOOT!
>
> In the steps of researching a small issue on another hypervisor, I discovered that my underlying network, while operational, was not properly configured. The IPA server and my workstation were supposed to be talking in VLAN 100 and 110, respectively. The network is temporarily configured to route every packet it receives to the proper VLAN, no matter where it originates. My workstation is indeed on VLAN 110, and is tagging the packets appropriately. The server, however, due to a bridge misconfiguration on the host, was on VLAN 1 and not sending tagged packets at all. But as the router is configured to route all appropriate packets, it appeared to be operating normally.
>
> I blew away the network configuration on the host and rebuilt it again, this time ensuring that VLAN 1 was not available on that switch port, and that the packets leaving the host were tagged with VLAN 100. I brought the IPA server back up and was able to log in.
>
> So, chalk this one up to misrouted packets. I didn't even think to look there; the 401 error gave no clue that networking may be the issue.
>
> Regards,
> Dan Mossor

I am glad that this hunt is over :-)
Have a nice weekend!

--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] Web UI Authentication errors - revisited
On 03/06/2015 05:59 PM, Dan Mossor wrote:
> On Fri, Mar 6, 2015 at 9:43 AM, Dmitri Pal d...@redhat.com wrote:
>> On 03/06/2015 10:35 AM, Dan Mossor wrote:
>>> On Fri, Mar 6, 2015 at 9:21 AM, Dmitri Pal d...@redhat.com wrote:
>>>> From your workstation, can you use the demo instance https://ipa.demo1.freeipa.org/ipa/ui/ or does it return the same error?
>>>>
>>>> --
>>>> Thank you,
>>>> Dmitri Pal
>>>> Sr. Engineering Manager IdM portfolio
>>>> Red Hat, Inc.
>>>
>>> Oh, sorry, I didn't realize I was supposed to check that. For the record, yes, I can log into the demo instance on Firefox from my workstation. For the sake of completeness, I checked with Konqueror also and can log in to the demo instance.
>>>
>>> Regards,
>>> Dan
>>
>> OK, so it seems that something is really broken on that server. Maybe it is easier to start over, up to you. If you want to continue troubleshooting we are here to help.
>>
>> --
>> Thank you,
>> Dmitri Pal
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.
>
> IT WORKS! WOOT!
>
> In the steps of researching a small issue on another hypervisor, I discovered that my underlying network, while operational, was not properly configured. The IPA server and my workstation were supposed to be talking in VLAN 100 and 110, respectively. The network is temporarily configured to route every packet it receives to the proper VLAN, no matter where it originates. My workstation is indeed on VLAN 110, and is tagging the packets appropriately. The server, however, due to a bridge misconfiguration on the host, was on VLAN 1 and not sending tagged packets at all. But as the router is configured to route all appropriate packets, it appeared to be operating normally.
>
> I blew away the network configuration on the host and rebuilt it again, this time ensuring that VLAN 1 was not available on that switch port, and that the packets leaving the host were tagged with VLAN 100. I brought the IPA server back up and was able to log in.
>
> So, chalk this one up to misrouted packets. I didn't even think to look there; the 401 error gave no clue that networking may be the issue.
>
> Regards,
> Dan Mossor

Ugh, that one was nasty, I am glad you figured it out. Now that you know what the problem was, would you maybe have some general Troubleshooting advice to add to http://www.freeipa.org/page/Troubleshooting#Cannot_authenticate_to_Web_UI that would help people like you uncover the root cause more easily?

Thanks,
Martin
Re: [Freeipa-users] Web UI Authentication errors - revisited
On Thu, Mar 5, 2015 at 4:55 PM, Dmitri Pal d...@redhat.com wrote:
> On 03/05/2015 05:51 PM, Dan Mossor wrote:
>> As an additional test, I created a new user on my workstation and switched to it. The first thing I did was kinit as admin, then started Firefox, went through the browser configuration provided by the IPA server, and attempted to log in. I received the same error[1].
>>
>> [1] http://i.imgur.com/mhX86Ng.png
>
> Have you checked times and time zones on the client and on the server?
>
> --
> Thank you,
> Dmitri Pal
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.

The server is set for GMT time, whereas the client is set for local time, US Central Standard Time. Except for that difference, they are within 1 second of each other.

Dan

--
Dan Mossor, RHCSA
Systems Engineer at Large
Fedora Plasma Product WG | Fedora QA Team | Fedora Server WG
Fedora Infrastructure Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA
Re: [Freeipa-users] Web UI Authentication errors - revisited
On Thu, Mar 5, 2015 at 5:17 PM, Dan Mossor danofs...@gmail.com wrote:
> On Thu, Mar 5, 2015 at 4:55 PM, Dmitri Pal d...@redhat.com wrote:
>> On 03/05/2015 05:51 PM, Dan Mossor wrote:
>>> As an additional test, I created a new user on my workstation and switched to it. The first thing I did was kinit as admin, then started Firefox, went through the browser configuration provided by the IPA server, and attempted to log in. I received the same error[1].
>>>
>>> [1] http://i.imgur.com/mhX86Ng.png
>>
>> Have you checked times and time zones on the client and on the server?
>>
>> --
>> Thank you,
>> Dmitri Pal
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.
>
> The server is set for GMT time, whereas the client is set for local time, US Central Standard Time. Except for that difference, they are within 1 second of each other.
>
> Dan

As an experiment after this email exchange, I switched the server to Central Standard Time using timedatectl. I then ran kinit again, and attempted to log into the GUI. There was no change; I still cannot access the GUI.

Here is the krb5kdc.log from the period:

Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: NEEDED_PREAUTH: host/dmfedora.rez@rez.lcl for krbtgt/rez@rez.lcl, Additional pre-authentication required
Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601734, etypes {rep=18 tkt=18 ses=18}, host/dmfedora.rez@rez.lcl for krbtgt/rez@rez.lcl
Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601734, etypes {rep=18 tkt=18 ses=18}, host/dmfedora.rez@rez.lcl for ldap/vader.rez@rez.lcl
Mar 05 18:29:20 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: NEEDED_PREAUTH: ad...@rez.lcl for krbtgt/rez@rez.lcl, Additional pre-authentication required
Mar 05 18:29:25 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, ad...@rez.lcl for krbtgt/rez@rez.lcl
Mar 05 18:29:26 vader.rez.lcl krb5kdc[1073](info): DISPATCH: repeated (retransmitted?) request from 10.1.1.15, resending previous response
Mar 05 18:29:26 vader.rez.lcl krb5kdc[1073](info): closing down fd 12
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: NEEDED_PREAUTH: HTTP/vader.rez@rez.lcl for krbtgt/rez@rez.lcl, Additional pre-authentication required
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: ISSUE: authtime 1425601784, etypes {rep=18 tkt=18 ses=18}, HTTP/vader.rez@rez.lcl for krbtgt/rez@rez.lcl
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: NEEDED_PREAUTH: ad...@rez.lcl for krbtgt/rez@rez.lcl, Additional pre-authentication required
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: ISSUE: authtime 1425601784, etypes {rep=18 tkt=18 ses=18}, ad...@rez.lcl for krbtgt/rez@rez.lcl
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, ad...@rez.lcl for HTTP/vader.rez@rez.lcl

One thing I did determine is the authtime in the krb5kdc log is epoch time. I checked it, and it translates directly to the standard time.

Dan
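As an added example (not part of the thread), a small Python triage script over the krb5kdc.log entries Dan posted: it parses each line, renders authtime (Unix epoch) as UTC, infers the KDC's local UTC offset from AS_REQ lines (which exposes the mid-log switch from GMT to CST that timedatectl caused), and checks whether the KDC ever issued a service ticket for the HTTP/ principal, so a later 401 can be placed downstream of Kerberos. The year 2015 is assumed from the thread date; "ad...@rez.lcl" is the list archive's obfuscation and is kept verbatim.

```python
import re
from datetime import datetime, timezone

# krb5kdc.log entries exactly as posted in the thread (addresses obfuscated by the archive).
KDC_LOG = """\
Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: NEEDED_PREAUTH: host/dmfedora.rez@rez.lcl for krbtgt/rez@rez.lcl, Additional pre-authentication required
Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601734, etypes {rep=18 tkt=18 ses=18}, host/dmfedora.rez@rez.lcl for krbtgt/rez@rez.lcl
Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601734, etypes {rep=18 tkt=18 ses=18}, host/dmfedora.rez@rez.lcl for ldap/vader.rez@rez.lcl
Mar 05 18:29:20 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: NEEDED_PREAUTH: ad...@rez.lcl for krbtgt/rez@rez.lcl, Additional pre-authentication required
Mar 05 18:29:25 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, ad...@rez.lcl for krbtgt/rez@rez.lcl
Mar 05 18:29:26 vader.rez.lcl krb5kdc[1073](info): DISPATCH: repeated (retransmitted?) request from 10.1.1.15, resending previous response
Mar 05 18:29:26 vader.rez.lcl krb5kdc[1073](info): closing down fd 12
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: NEEDED_PREAUTH: HTTP/vader.rez@rez.lcl for krbtgt/rez@rez.lcl, Additional pre-authentication required
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: ISSUE: authtime 1425601784, etypes {rep=18 tkt=18 ses=18}, HTTP/vader.rez@rez.lcl for krbtgt/rez@rez.lcl
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: NEEDED_PREAUTH: ad...@rez.lcl for krbtgt/rez@rez.lcl, Additional pre-authentication required
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: ISSUE: authtime 1425601784, etypes {rep=18 tkt=18 ses=18}, ad...@rez.lcl for krbtgt/rez@rez.lcl
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, ad...@rez.lcl for HTTP/vader.rez@rez.lcl
"""

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) (?P<day>\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ "
    r"krb5kdc\[\d+\]\(info\): (?P<kind>AS_REQ|TGS_REQ) \([^)]*\) (?P<ip>[\d.]+): "
    r"(?P<status>NEEDED_PREAUTH|ISSUE): "
    r"(?:authtime (?P<authtime>\d+), etypes \{[^}]*\}, )?"
    r"(?P<client>\S+) for (?P<service>[^,\s]+)"
)


def parse_kdc_log(text, year=2015):
    """Parse AS_REQ/TGS_REQ lines; syslog stamps carry no year, so one is assumed."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # DISPATCH / "closing down fd" lines carry no principal data
        e = m.groupdict()
        e["logged"] = datetime.strptime(
            f"{year} {e['mon']} {e['day']} {e['time']}", "%Y %b %d %H:%M:%S")
        e["authtime"] = int(e["authtime"]) if e["authtime"] else None
        entries.append(e)
    return entries


def authtime_utc(authtime):
    """authtime is seconds since the Unix epoch; render it as an ISO 8601 UTC stamp."""
    return datetime.fromtimestamp(authtime, tz=timezone.utc).isoformat()


def kdc_utc_offsets(entries):
    """(syslog time, KDC local UTC offset in hours) for each AS_REQ ISSUE line.

    On an AS_REQ the ticket's authtime is the issue instant, so the gap between the
    syslog stamp (KDC local time) and authtime (UTC) is the KDC's zone offset.
    TGS_REQ lines are skipped: their authtime is inherited from the original TGT.
    """
    offsets = []
    for e in entries:
        if e["kind"] != "AS_REQ" or e["authtime"] is None:
            continue
        utc_naive = datetime.fromtimestamp(e["authtime"], tz=timezone.utc).replace(tzinfo=None)
        diff = (e["logged"] - utc_naive).total_seconds()
        offsets.append((e["time"], round(diff / 900) * 0.25))  # nearest quarter hour
    return offsets


def zone_changed_during_log(entries):
    """True when the KDC's inferred zone offset is not constant over the window."""
    return len({off for _, off in kdc_utc_offsets(entries)}) > 1


def http_service_tickets(entries):
    """(client, source ip) for every service ticket the KDC issued for an HTTP/ principal."""
    return [(e["client"], e["ip"]) for e in entries
            if e["kind"] == "TGS_REQ" and e["status"] == "ISSUE"
            and e["service"].startswith("HTTP/")]


def triage(text):
    """Summarise what the KDC log can and cannot explain about a Web UI 401."""
    entries = parse_kdc_log(text)
    findings = []
    if zone_changed_during_log(entries):
        findings.append("KDC local time zone changed within the log window; "
                        "compare authtime (UTC) rather than syslog stamps")
    tickets = http_service_tickets(entries)
    if tickets:
        who = ", ".join(f"{c} from {ip}" for c, ip in tickets)
        findings.append(f"KDC issued HTTP/ service tickets for {who}; a 401 after this "
                        "point lies beyond the KDC (browser SPNEGO negotiation, the HTTP "
                        "keytab, or the network path between client and server)")
    else:
        findings.append("no HTTP/ service ticket issued; the client never reached TGS_REQ")
    return findings


if __name__ == "__main__":
    for finding in triage(KDC_LOG):
        print("-", finding)
```
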
Re: [Freeipa-users] Web UI Authentication errors - revisited
Dan Mossor wrote:
> On Thu, Mar 5, 2015 at 4:34 PM, Dan Mossor danofs...@gmail.com wrote:
>> As an additional test, I created a new user on my workstation and switched to it. The first thing I did was kinit as admin, then started Firefox, went through the browser configuration provided by the IPA server, and attempted to log in. I received the same error[1].
>>
>> [1] http://i.imgur.com/mhX86Ng.png

I'd look for SELinux errors: ausearch -m AVC -ts recent

Perhaps we can't create a login session for some reason.

rob
Re: [Freeipa-users] Web UI Authentication errors - revisited
On Thu, Mar 5, 2015 at 4:59 PM, Rob Crittenden rcrit...@redhat.com wrote:
> Dan Mossor wrote:
>> On Thu, Mar 5, 2015 at 4:34 PM, Dan Mossor danofs...@gmail.com wrote:
>>> As an additional test, I created a new user on my workstation and switched to it. The first thing I did was kinit as admin, then started Firefox, went through the browser configuration provided by the IPA server, and attempted to log in. I received the same error[1].
>>>
>>> [1] http://i.imgur.com/mhX86Ng.png
>
> I'd look for SELinux errors: ausearch -m AVC -ts recent
>
> Perhaps we can't create a login session for some reason.
>
> rob

I checked the /var/log/audit/audit.log, and SELinux is not reporting anything during the time I am attempting to access the GUI. But, for the sake of thoroughness:

[root@vader ipa]# ausearch -m AVC -ts recent
<no matches>
[root@vader ipa]#

Dan

--
Dan Mossor, RHCSA
Systems Engineer at Large
Fedora Plasma Product WG | Fedora QA Team | Fedora Server WG
Fedora Infrastructure Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA
Re: [Freeipa-users] Web UI Authentication errors - revisited
On Thu, Mar 5, 2015 at 7:21 PM, Dmitri Pal d...@redhat.com wrote:
> http://i.imgur.com/mhX86Ng.png
>
> It should show up if you do not have a ticket. Destroy the ticket on the client and try to access the server via browser, you should be redirected.
>
> --
> Thank you,
> Dmitri Pal
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.

Ok then, that is the page that keeps returning. I've tried from this workstation using Konqueror, which does not support Kerberos, I've tried from Internet Explorer on a Windows 7 Professional desktop, and I've tried from a Fedora 21 system that is not enrolled in the domain. I get the exact same response with every attempt.

One additional step I attempted to take was to change the admin password on the IPA server. I am getting a ldap_sasl_interactive_bind_s: Unknown authentication method (-6) error back.

I think this installation is hosed. I am ready to wipe and start over from scratch tomorrow. I've already wasted 16 hours on it.

Dan
Re: [Freeipa-users] Web UI Authentication errors - revisited
On Thu, Mar 5, 2015 at 6:44 PM, Dmitri Pal d...@redhat.com wrote:
> On 03/05/2015 07:36 PM, Dan Mossor wrote:
>> On Thu, Mar 5, 2015 at 5:17 PM, Dan Mossor danofs...@gmail.com wrote:
>>> On Thu, Mar 5, 2015 at 4:55 PM, Dmitri Pal d...@redhat.com wrote:
>>>> On 03/05/2015 05:51 PM, Dan Mossor wrote:
>>>>> As an additional test, I created a new user on my workstation and switched to it. The first thing I did was kinit as admin, then started Firefox, went through the browser configuration provided by the IPA server, and attempted to log in. I received the same error[1].
>>>>>
>>>>> [1] http://i.imgur.com/mhX86Ng.png
>>>>
>>>> Have you checked times and time zones on the client and on the server?
>>>>
>>>> --
>>>> Thank you,
>>>> Dmitri Pal
>>>> Sr. Engineering Manager IdM portfolio
>>>> Red Hat, Inc.
>>>
>>> The server is set for GMT time, whereas the client is set for local time, US Central Standard Time. Except for that difference, they are within 1 second of each other.
>>>
>>> Dan
>>
>> As an experiment after this email exchange, I switched the server to Central Standard Time using timedatectl. I then ran kinit again, and attempted to log into the GUI. There was no change; I still cannot access the GUI.
>>
>> Here is the krb5kdc.log from the period:
>>
>> Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: NEEDED_PREAUTH: host/dmfedora.rez@rez.lcl for krbtgt/rez@rez.lcl, Additional pre-authentication required
>> Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601734, etypes {rep=18 tkt=18 ses=18}, host/dmfedora.rez@rez.lcl for krbtgt/rez@rez.lcl
>> Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601734, etypes {rep=18 tkt=18 ses=18}, host/dmfedora.rez@rez.lcl for ldap/vader.rez@rez.lcl
>> Mar 05 18:29:20 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: NEEDED_PREAUTH: ad...@rez.lcl for krbtgt/rez@rez.lcl, Additional pre-authentication required
>> Mar 05 18:29:25 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, ad...@rez.lcl for krbtgt/rez@rez.lcl
>> Mar 05 18:29:26 vader.rez.lcl krb5kdc[1073](info): DISPATCH: repeated (retransmitted?) request from 10.1.1.15, resending previous response
>> Mar 05 18:29:26 vader.rez.lcl krb5kdc[1073](info): closing down fd 12
>> Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: NEEDED_PREAUTH: HTTP/vader.rez@rez.lcl for krbtgt/rez@rez.lcl, Additional pre-authentication required
>> Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: ISSUE: authtime 1425601784, etypes {rep=18 tkt=18 ses=18}, HTTP/vader.rez@rez.lcl for krbtgt/rez@rez.lcl
>> Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: NEEDED_PREAUTH: ad...@rez.lcl for krbtgt/rez@rez.lcl, Additional pre-authentication required
>> Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: ISSUE: authtime 1425601784, etypes {rep=18 tkt=18 ses=18}, ad...@rez.lcl for krbtgt/rez@rez.lcl
>> Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, ad...@rez.lcl for HTTP/vader.rez@rez.lcl
>>
>> One thing I did determine is the authtime in the krb5kdc log is epoch time. I checked it, and it translates directly to the standard time.
>>
>> Dan
>
> Hm. OK. I do not think it was ever mentioned which version of the server and client you are running, but based on the UI it seems like the latest. Also you are trying to log in after using kinit. Can you log in using forms-based authentication, or does it not work either?
>
> --
> Thank you,
> Dmitri Pal
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.

I can't seem to locate the form-based authentication for 4.1.2-1. I was going to try that in order to add the information to this thread, but I can find no reference as to where it is and I can't find it manually on the file system. Can you give me the default URL for it?

freeipa-server-4.1.2-1.fc21.x86_64
freeipa-client-4.1.2-1.fc21.x86_64

Dan
Re: [Freeipa-users] Web UI Authentication errors - revisited
On 03/05/2015 08:09 PM, Dan Mossor wrote:
> On Thu, Mar 5, 2015 at 6:44 PM, Dmitri Pal d...@redhat.com wrote:
>> On 03/05/2015 07:36 PM, Dan Mossor wrote:
>>> On Thu, Mar 5, 2015 at 5:17 PM, Dan Mossor danofs...@gmail.com wrote:
>>>> On Thu, Mar 5, 2015 at 4:55 PM, Dmitri Pal d...@redhat.com wrote:
>>>>> On 03/05/2015 05:51 PM, Dan Mossor wrote:
>>>>>> As an additional test, I created a new user on my workstation and switched to it. The first thing I did was kinit as admin, then started Firefox, went through the browser configuration provided by the IPA server, and attempted to log in. I received the same error[1].
>>>>>>
>>>>>> [1] http://i.imgur.com/mhX86Ng.png
>>>>>
>>>>> Have you checked times and time zones on the client and on the server?
>>>>>
>>>>> --
>>>>> Thank you,
>>>>> Dmitri Pal
>>>>> Sr. Engineering Manager IdM portfolio
>>>>> Red Hat, Inc.
>>>>
>>>> The server is set for GMT time, whereas the client is set for local time, US Central Standard Time. Except for that difference, they are within 1 second of each other.
>>>>
>>>> Dan
>>>
>>> As an experiment after this email exchange, I switched the server to Central Standard Time using timedatectl. I then ran kinit again, and attempted to log into the GUI. There was no change; I still cannot access the GUI.
>>>
>>> Here is the krb5kdc.log from the period:
>>>
>>> Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: NEEDED_PREAUTH: host/dmfedora.rez@rez.lcl for krbtgt/rez@rez.lcl, Additional pre-authentication required
>>> Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601734, etypes {rep=18 tkt=18 ses=18}, host/dmfedora.rez@rez.lcl for krbtgt/rez@rez.lcl
>>> Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601734, etypes {rep=18 tkt=18 ses=18}, host/dmfedora.rez@rez.lcl for ldap/vader.rez@rez.lcl
>>> Mar 05 18:29:20 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: NEEDED_PREAUTH: ad...@rez.lcl for krbtgt/rez@rez.lcl, Additional pre-authentication required
>>> Mar 05 18:29:25 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, ad...@rez.lcl for krbtgt/rez@rez.lcl
>>> Mar 05 18:29:26 vader.rez.lcl krb5kdc[1073](info): DISPATCH: repeated (retransmitted?) request from 10.1.1.15, resending previous response
>>> Mar 05 18:29:26 vader.rez.lcl krb5kdc[1073](info): closing down fd 12
>>> Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: NEEDED_PREAUTH: HTTP/vader.rez@rez.lcl for krbtgt/rez@rez.lcl, Additional pre-authentication required
>>> Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: ISSUE: authtime 1425601784, etypes {rep=18 tkt=18 ses=18}, HTTP/vader.rez@rez.lcl for krbtgt/rez@rez.lcl
>>> Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: NEEDED_PREAUTH: ad...@rez.lcl for krbtgt/rez@rez.lcl, Additional pre-authentication required
>>> Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: ISSUE: authtime 1425601784, etypes {rep=18 tkt=18 ses=18}, ad...@rez.lcl for krbtgt/rez@rez.lcl
>>> Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, ad...@rez.lcl for HTTP/vader.rez@rez.lcl
>>>
>>> One thing I did determine is the authtime in the krb5kdc log is epoch time. I checked it, and it translates directly to the standard time.
>>>
>>> Dan
>>
>> Hm. OK.
Re: [Freeipa-users] Web UI Authentication errors - revisited
On 03/05/2015 07:36 PM, Dan Mossor wrote:

On Thu, Mar 5, 2015 at 5:17 PM, Dan Mossor danofs...@gmail.com wrote:

On Thu, Mar 5, 2015 at 4:55 PM, Dmitri Pal d...@redhat.com wrote:

On 03/05/2015 05:51 PM, Dan Mossor wrote:

As an additional test, I created a new user on my workstation and switched to it. The first thing I did was kinit as admin, then started Firefox, went through the browser configuration provided by the IPA server, and attempted to log in. I received the same error[1].

[1] http://i.imgur.com/mhX86Ng.png

Have you checked times and time zones on the client and on the server?

--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

The server is set for GMT time, whereas the client is set for local time, US Central Standard Time. Except for that difference, they are within 1 second of each other.

Dan

As an experiment after this email exchange, I switched the server to Central Standard Time using timedatectl. I then ran kinit again, and attempted to log into the GUI. There was no change - I still cannot access the GUI.
Here is the krb5kdc.log from the period:

Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: NEEDED_PREAUTH: host/dmfedora.rez@rez.lcl for krbtgt/rez@rez.lcl, Additional pre-authentication required
Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601734, etypes {rep=18 tkt=18 ses=18}, host/dmfedora.rez@rez.lcl for krbtgt/rez@rez.lcl
Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601734, etypes {rep=18 tkt=18 ses=18}, host/dmfedora.rez@rez.lcl for ldap/vader.rez@rez.lcl
Mar 05 18:29:20 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: NEEDED_PREAUTH: ad...@rez.lcl for krbtgt/rez@rez.lcl, Additional pre-authentication required
Mar 05 18:29:25 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, ad...@rez.lcl for krbtgt/rez@rez.lcl
Mar 05 18:29:26 vader.rez.lcl krb5kdc[1073](info): DISPATCH: repeated (retransmitted?) request from 10.1.1.15, resending previous response
Mar 05 18:29:26 vader.rez.lcl krb5kdc[1073](info): closing down fd 12
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: NEEDED_PREAUTH: HTTP/vader.rez@rez.lcl for krbtgt/rez@rez.lcl, Additional pre-authentication required
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: ISSUE: authtime 1425601784, etypes {rep=18 tkt=18 ses=18}, HTTP/vader.rez@rez.lcl for krbtgt/rez@rez.lcl
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: NEEDED_PREAUTH: ad...@rez.lcl for krbtgt/rez@rez.lcl, Additional pre-authentication required
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: ISSUE: authtime 1425601784, etypes {rep=18 tkt=18 ses=18}, ad...@rez.lcl for krbtgt/rez@rez.lcl
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, ad...@rez.lcl for HTTP/vader.rez@rez.lcl

One thing I did determine is the authtime in the krb5kdc log is epoch time. I checked it, and it translates directly to the standard time.

Dan

Hm. OK.

I do not think it was ever mentioned which version of the server and client you are running, but based on the UI it seems like the latest. Also, you are trying to log in after using kinit. Can you log in using forms-based authentication, or does it not work either?

--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
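Dan's observation that authtime is an epoch value is worth making mechanical: the wall-clock timestamp at the start of each krb5kdc.log line is local time, while authtime is UTC, so the difference between the two tells you which timezone the KDC was logging in when the line was written. The following is an added example (mine, not from the thread or the FreeIPA project) that parses the log lines quoted above (copied as the archive shows them, with the obfuscated ad...@rez.lcl principal left untouched), derives that offset from the AS_REQ ISSUE lines, and lists which clients were actually issued a service ticket for the Web UI's HTTP/ principal. The year is assumed to be 2015 from the thread's dates, since syslog-style lines carry none.

```python
"""Added example (not from the thread): parse krb5kdc.log lines, turn the
'authtime' epoch value into UTC and compare it with the wall-clock time the
KDC wrote on the same line, to see which timezone the KDC was logging in."""
import re
from datetime import datetime, timezone

LOG_YEAR = 2015  # assumption: syslog-style lines carry no year; taken from the thread's dates

# Lines copied from the thread above, with the archive's link residue removed
# and its address obfuscation (ad...@rez.lcl) left as-is.
SAMPLE_LOG = """\
Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: NEEDED_PREAUTH: host/dmfedora.rez@rez.lcl for krbtgt/rez@rez.lcl, Additional pre-authentication required
Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601734, etypes {rep=18 tkt=18 ses=18}, host/dmfedora.rez@rez.lcl for krbtgt/rez@rez.lcl
Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601734, etypes {rep=18 tkt=18 ses=18}, host/dmfedora.rez@rez.lcl for ldap/vader.rez@rez.lcl
Mar 05 18:29:20 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: NEEDED_PREAUTH: ad...@rez.lcl for krbtgt/rez@rez.lcl, Additional pre-authentication required
Mar 05 18:29:25 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, ad...@rez.lcl for krbtgt/rez@rez.lcl
Mar 05 18:29:26 vader.rez.lcl krb5kdc[1073](info): DISPATCH: repeated (retransmitted?) request from 10.1.1.15, resending previous response
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: ISSUE: authtime 1425601784, etypes {rep=18 tkt=18 ses=18}, HTTP/vader.rez@rez.lcl for krbtgt/rez@rez.lcl
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, ad...@rez.lcl for HTTP/vader.rez@rez.lcl
"""

# One AS_REQ / TGS_REQ line; other lines (DISPATCH, fd close) do not match.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) (?P<day>\d{1,2}) (?P<hms>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) krb5kdc\[\d+\]\(\w+\): "
    r"(?P<kind>AS_REQ|TGS_REQ) \(\d+ etypes \{[^}]*\}\) (?P<client>[0-9.]+): "
    r"(?P<status>NEEDED_PREAUTH|ISSUE): "
    r"(?:authtime (?P<authtime>\d+), etypes \{[^}]*\}, )?"
    r"(?P<cprinc>\S+) for (?P<sprinc>[^\s,]+)"
)


def parse_line(line):
    """Return the fields of an AS_REQ/TGS_REQ line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["authtime"] = int(rec["authtime"]) if rec["authtime"] else None
    return rec


def authtime_utc(epoch):
    """authtime is seconds since the Unix epoch, so it is timezone-free."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).replace(tzinfo=None)


def log_offset_hours(rec, year=LOG_YEAR):
    """Hours the KDC's logged wall-clock time is ahead of (+) or behind (-) UTC.
    Only AS_REQ ISSUE lines qualify: authtime is fixed when the TGT is issued,
    so on a TGS_REQ line it refers to the earlier AS exchange, not this one."""
    if rec["kind"] != "AS_REQ" or rec["status"] != "ISSUE":
        return None
    logged = datetime.strptime(
        f"{year} {rec['mon']} {rec['day']} {rec['hms']}", "%Y %b %d %H:%M:%S")
    return (logged - authtime_utc(rec["authtime"])).total_seconds() / 3600


def analyse(text, year=LOG_YEAR):
    """Summarise a log excerpt: how many request lines, which UTC offsets the
    KDC logged in, and which clients got a service ticket for HTTP/ (Web UI)."""
    recs = [r for r in map(parse_line, text.splitlines()) if r]
    offsets = sorted({o for o in (log_offset_hours(r, year) for r in recs)
                      if o is not None})
    http_tickets = [(r["client"], r["cprinc"]) for r in recs
                    if r["kind"] == "TGS_REQ" and r["status"] == "ISSUE"
                    and r["sprinc"].startswith("HTTP/")]
    return {"records": len(recs), "log_utc_offsets_h": offsets,
            "http_service_tickets": http_tickets}


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

Run against the excerpt, this reports two offsets, 0 h for the lines stamped "Mar 06 00:28:54" and -6 h for the lines stamped "Mar 05 18:29:xx", which is exactly the switch from GMT to Central Standard Time that Dan describes making between the two sets of lines, and why later events carry an earlier-looking timestamp. It also shows that the KDC did issue 10.1.1.15 a ticket for HTTP/vader.rez@rez.lcl, so the Kerberos side of the SSO attempt completed; the failure had to be somewhere between browser and HTTP server, which fits the network misconfiguration found later in the thread.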
Re: [Freeipa-users] Web UI Authentication errors - revisited
On 03/06/2015 02:38 AM, Dan Mossor wrote:

On Thu, Mar 5, 2015 at 7:21 PM, Dmitri Pal d...@redhat.com wrote:

http://i.imgur.com/mhX86Ng.png

It should show up if you do not have a ticket. Destroy the ticket on the client and try to access the server via browser, you should be redirected.

--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

Ok then, that is the page that keeps returning. I've tried from this workstation using Konqueror, which does not support Kerberos, I've tried from Internet Explorer on a Windows 7 Professional desktop, and I've tried from a Fedora 21 system that is not enrolled in the domain. I get the exact same response with every attempt.

One additional step I attempted to take was to change the admin password on the IPA server. I am getting a "ldap_sasl_interactive_bind_s: Unknown authentication method (-6)" error back.

I think this installation is hosed. I am ready to wipe and start over from scratch tomorrow. I've already wasted 16 hours on it.

Sorry to hear that. But I think you should start taking gradual steps in your testing and trying to make Web UI over GSSAPI work. I would suggest this procedure:

1) Can I kinit admin and run a CLI command (ipa user-show admin)? If yes, basic FreeIPA is functioning. Run kdestroy to get rid of Kerberos.

2) Can I log in with form basic auth to my FreeIPA? If not, did you verify all the items in http://www.freeipa.org/page/Troubleshooting#Cannot_authenticate_to_Web_UI ? Did you try logging in with form-based auth in the FreeIPA public demo, for example (user admin, password Secret123): https://ipa.demo1.freeipa.org/ipa/ui/

If not, we can dig further. If yes, you can continue with kinit + SSO for the Web UI.
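Martin's two steps separate the Kerberos/KDC path from the Web UI path, which is the useful discipline here: step 1 proves the KDC, LDAP and the client's krb5 setup; step 2 exercises the HTTP server and its session handling with no Kerberos involved at all, so a failure there cannot be a ticket or browser-negotiation problem. The script below is an added example of that procedure (mine, not from the thread or the FreeIPA project). It runs kinit and `ipa user-show` on an enrolled client, drops the ticket, then posts the form login the Web UI itself uses. The endpoint (/ipa/session/login_password), its form fields, the Referer header the documented curl examples send, the ipa_session cookie and the X-IPA-Rejection-Reason header are my understanding of FreeIPA's session API and are not stated anywhere in this thread; ipa.example.test is a placeholder hostname.

```python
"""Added example (not from the thread): Martin's gradual checks as a script.
Step 1 runs kinit + `ipa user-show` on an enrolled client; step 2 drops the
ticket and tries the Web UI's form-based login without any Kerberos.
Endpoint, field and header names are assumptions about FreeIPA's session
API, not something the thread states."""
import ssl
import subprocess
import urllib.error
import urllib.parse
import urllib.request


def kerberos_cli_works(principal, password):
    """Step 1: can we get a TGT and run an IPA CLI command with it?
    Returns (ok, detail). Runs the real commands, so only use it on a client
    that is enrolled in the domain."""
    k = subprocess.run(["kinit", principal], input=password + "\n",
                       text=True, capture_output=True)
    if k.returncode != 0:
        return False, "kinit failed: " + k.stderr.strip()
    s = subprocess.run(["ipa", "user-show", principal],
                       text=True, capture_output=True)
    return s.returncode == 0, (s.stdout or s.stderr).strip()


def drop_tickets():
    """Between steps: make sure step 2 cannot fall back on a cached ticket."""
    subprocess.run(["kdestroy"], check=False)


def classify_login_response(status, headers):
    """Pure function (testable offline): map the HTTP result of
    login_password to a diagnosis. 200 with an ipa_session cookie means form
    auth works end to end; on 401 the server is assumed to name the cause in
    X-IPA-Rejection-Reason (e.g. invalid-password, kinit-failed)."""
    h = {k.lower(): v for k, v in headers.items()}
    if status == 200:
        if "ipa_session" in h.get("set-cookie", ""):
            return "form-auth-ok"
        return "200-but-no-session-cookie"
    if status == 401:
        return "rejected:" + h.get("x-ipa-rejection-reason", "unknown")
    return f"unexpected-http-{status}"


def form_login(server, user, password, cafile=None):
    """Step 2: POST credentials to the session login endpoint the Web UI uses."""
    url = f"https://{server}/ipa/session/login_password"
    body = urllib.parse.urlencode({"user": user, "password": password}).encode()
    req = urllib.request.Request(url, data=body, method="POST", headers={
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "text/plain",
        "Referer": f"https://{server}/ipa",  # documented curl examples send this
    })
    # cafile: the IPA CA, e.g. /etc/ipa/ca.crt on an enrolled client (assumption)
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
            return classify_login_response(resp.status, dict(resp.headers.items()))
    except urllib.error.HTTPError as err:
        return classify_login_response(err.code, dict(err.headers.items()))


if __name__ == "__main__":
    import getpass
    import sys
    server = sys.argv[1] if len(sys.argv) > 1 else "ipa.example.test"  # placeholder
    pw = getpass.getpass("admin password: ")
    ok, detail = kerberos_cli_works("admin", pw)
    print("step 1 kinit + ipa user-show:", "OK" if ok else "FAILED", "-", detail)
    drop_tickets()
    print("step 2 form-based login:", form_login(server, "admin", pw))
```

Read the two results together: step 1 OK and step 2 "form-auth-ok" means the remaining problem is specific to SSO (browser negotiation, the HTTP/ keytab, or the path between browser and server), whereas step 2 returning an unexpected status or a 401 with no rejection reason points at the HTTP layer or the network in front of it, which is where Dan's case ended up. A 401 that does carry a reason is the server rejecting the credentials themselves, which is a different investigation.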