Hi folks,
Stuck in a catch-22 where I can't update our existing 4.4.0 production
servers, nor can we stand up new working sandbox servers running IPA-4.5.
In all cases (upgrade and new install) we end up with a WebUI that is
not functional when deployed on RHEL 7.4 or CentOS 7.4.
However I think now I have the actual error and there were hints from
the mailing list archive about the culprit maybe being httpd and keytab
related. Or at least it seems tightly tied to the security changes
implemented between IPA 4.4 and 4.5 releases.
Here is the setup from a fresh install on RHEL 7.4:
- CLI installation works perfectly
- AD trust setup works perfectly
- All CLI tools and commands seem to work just fine
- No errors in standard locations
- "ipactl status" reports no issues
- SELinux is disabled
- Using Chrome browser for access and testing
However the WebUI is totally unusable. The front page just displays an
error box that says:
HTTP Error 404
Cannot connect to the server, please check API accesibility
(certificate, API, proxy, etc.)
Reading the list archives this weekend I found the links that point to
the security changes between 4.4 and 4.5, and I also found the helpful
advice to set "debug=true" in /etc/ipa/server.conf.
After setting debug=true I now see a new message in the httpd
error logs:
[Sun Dec 10 03:13:08.976509 2017] [:error] [pid 7821] ipa: INFO: *** PROCESS START ***
[Mon Dec 11 11:55:07.102172 2017] [auth_gssapi:error] [pid 7824] [client 172.29.XX.XX:57976] NO AUTH DATA Client did not send any authentication headers, referer: https://usaeilidmp010.XXX.org/ipa/ui/
[Mon Dec 11 11:55:07.298810 2017] [auth_gssapi:error] [pid 7824] [client 172.29.XX.XX:57976] GSS ERROR In Negotiate Auth: gss_accept_sec_context() failed: [An unsupported mechanism was requested (Unknown error)], referer: https://usaeilidmp010.XXX.org/ipa/ui/
[root@usaeilidmp010 ec2-user]#
Those error messages have come up in past forum messages, but the thread
replies always led me into a maze of other URLs or generic instructions
to "regenerate the keytab for HTTPD server".
I'm pretty sure the above web error is exactly why the WebUI is failing;
however, I can't find clear or concise instructions on how to fix or
debug further ...
Has anyone dealt with this already? I may need an idiot's guide to
resolving that particular gss error as I failed at doing so myself this
weekend :) I pretty much do not understand that error nor how to
address it, heh.
Thanks!
-Chris
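As an added example (not part of Chris's message or of FreeIPA itself), here is a small triage script for the httpd error_log lines quoted above: it parses the Apache 2.4 error-log layout, keeps only mod_auth_gssapi entries, and separates the "NO AUTH DATA" line (normally just the first, header-less request of the Negotiate challenge) from the actionable gss_accept_sec_context() failure. The sample log and the host/IP values in it are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Set

# Apache 2.4 error_log layout as seen in the post:
# [timestamp] [module:level] [pid N] [client IP:PORT] message, referer: URL
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[^\]:]*):?(?P<level>[^\]]*)\] \[pid (?P<pid>\d+)\]"
    r"(?: \[client (?P<client>[^\]]+)\])? (?P<msg>.*?)(?:, referer: (?P<referer>\S+))?$"
)

# Constructed sample, modelled on the lines in the post (IP and hostname are made up).
SAMPLE_LOG = """\
[Sun Dec 10 03:13:08.976509 2017] [:error] [pid 7821] ipa: INFO: *** PROCESS START ***
[Mon Dec 11 11:55:07.102172 2017] [auth_gssapi:error] [pid 7824] [client 172.29.0.10:57976] NO AUTH DATA Client did not send any authentication headers, referer: https://ipa.example.test/ipa/ui/
[Mon Dec 11 11:55:07.298810 2017] [auth_gssapi:error] [pid 7824] [client 172.29.0.10:57976] GSS ERROR In Negotiate Auth: gss_accept_sec_context() failed: [An unsupported mechanism was requested (Unknown error)], referer: https://ipa.example.test/ipa/ui/
"""


def parse_line(raw: str) -> Optional[Dict[str, Optional[str]]]:
    """Split one error_log line into its fields; None if it is not in this layout."""
    m = LINE_RE.match(raw.strip())
    return m.groupdict() if m else None


def classify(msg: str) -> str:
    """Bucket a mod_auth_gssapi message into a triage category."""
    if msg.startswith("NO AUTH DATA"):
        return "no_auth_header"          # browser sent no token yet; expected on the first request
    if msg.startswith("GSS ERROR"):
        if "unsupported mechanism" in msg.lower():
            return "unsupported_mechanism"  # token arrived but the server could not accept the mech
        return "gss_error"
    return "other"


def triage(log_text: str) -> Dict[str, object]:
    """Count auth_gssapi failures by category and list clients hitting the mechanism error."""
    counts: Dict[str, int] = {}
    clients: Set[str] = set()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["module"] != "auth_gssapi":
            continue
        kind = classify(rec["msg"] or "")
        counts[kind] = counts.get(kind, 0) + 1
        if kind == "unsupported_mechanism" and rec["client"]:
            clients.add(rec["client"].rsplit(":", 1)[0])  # drop the ephemeral port
    return {"counts": counts, "unsupported_mechanism_clients": sorted(clients)}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Run it over the real error_log (after debug=true) to see whether every browser session ends in the mechanism error, which points at the server-side keytab/GSSAPI setup rather than at any one client.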
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org