On Thu, 19 Oct 2017, Bart J via FreeIPA-users wrote:
> Hi all,
>
> I set up an instance of FreeIPA server and established trust with AD
> domain. I configured AD users and they can successfully log in to the
> web UI. Then, I set up a replica. Although the trust is visible for
> that instance both in the web UI and CLI, AD users cannot log in to it,
> nor can I execute su - for them. Upon unsuccessful login I get this
> error message from web UI:
>
> Runtime error
> Web UI got in unrecoverable state during "profile" phase.
You need to show more logs. In particular, /var/log/httpd/error_log
would say what was wrong with a request to it.

Also, is this replica running as a trust agent or a trust controller? Did
you explicitly configure it to do so via ipa-adtrust-install? By
default, if you didn't use 'ipa-adtrust-install --add-agents' on an
existing trust controller, your other replicas aren't trust agents. If
you didn't run 'ipa-adtrust-install' on those replicas, they aren't
trust controllers either.

> Technical details:
>
> Cannot read property 'cn' of undefined
> TypeError: Cannot read property 'cn' of undefined
>    at Object.update_logged_in (https://idm2.ipa.domain.com/ipa/ui/js/freeipa/app.js?40503:1:18183)
>    at Object.choose_profile (https://idm2.ipa.domain.com/ipa/ui/js/freeipa/app.js?40503:1:16656)
>    at Object.<anonymous> (https://idm2.ipa.domain.com/ipa/ui/js/freeipa/app.js?40503:1:1190)
>    at https://idm2.ipa.domain.com/ipa/ui/js/freeipa/app.js?40503:1:3478
>    at Object.forEach (https://idm2.ipa.domain.com/ipa/ui/js/dojo/dojo.js?v=40503:1:29752)
>    at Object._run_phase (https://idm2.ipa.domain.com/ipa/ui/js/freeipa/app.js?40503:1:3442)
>    at Object.next_phase (https://idm2.ipa.domain.com/ipa/ui/js/freeipa/app.js?40503:1:3904)
>    at Object.<anonymous> (https://idm2.ipa.domain.com/ipa/ui/js/freeipa/app.js?40503:1:3631)
>    at c (https://idm2.ipa.domain.com/ipa/ui/js/dojo/dojo.js?v=40503:1:60960)
>    at Object.then.t.then (https://idm2.ipa.domain.com/ipa/ui/js/dojo/dojo.js?v=40503:1:62246)
>
> When I try to verify trust on the replica server, it behaves exactly as
> described in the documentation:
>
> [root@idm2 ~]# kinit testu...@domain.com
> Password for testu...@domain.com:
> [root@idm2 ~]# kvno -S host idm2.ipa.domain.com
> host/idm2.ipa.domain....@ipa.domain.com: kvno = 1
> [root@idm2 ~]# klist
> Ticket cache: KEYRING:persistent:0:krb_ccache_kwhpOWN
> Default principal: testu...@domain.com
>
> Valid starting       Expires              Service principal
> 10/19/2017 08:35:05  10/19/2017 18:34:55  host/idm2.ipa.domain....@ipa.domain.com
>         renew until 10/20/2017 08:34:49
> 10/19/2017 08:35:05  10/19/2017 18:34:55  krbtgt/ipa.domain.com....@domain.com
>         renew until 10/20/2017 08:34:49
> 10/19/2017 08:34:55  10/19/2017 18:34:55  krbtgt/domain....@domain.com
>         renew until 10/20/2017 08:34:49
>
> What's more, FreeIPA can't seem to find testuser for idm2 host:
>
> [root@idm2 ~]# su - testu...@domain.com
> su: user testu...@domain.com does not exist
>
> Whereas this works for idm1 - primary FreeIPA server.
>
> Can you please advise on how to solve it?
>
> Many thanks,
> Bart
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

--
/ Alexander Bokovoy
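The first thing Alexander asks is whether the replica is a trust agent or a trust controller at all. The following is an added example, not code from the thread or from the FreeIPA project, that turns that question into a check: it reads the "Server name / Role name / Role status" record format that `ipa server-role-find` prints and reports, per server, whether it is a controller, an agent, or neither. The sample output embedded below is constructed, the host names reuse the ones from the thread, and the status value `enabled` is assumed to be what an active role reports.

```shell
#!/bin/sh
# Added example (not from the thread): classify IPA servers by AD-trust role
# from the record format of `ipa server-role-find --role "AD trust agent"`
# and `--role "AD trust controller"`. On a real server you would feed the
# command output in; here SAMPLE_ROLES is a constructed stand-in, with
# idm1 as a controller (and therefore also an agent), idm3 as an agent
# only, and idm2 as a plain replica like the one in the thread.
SAMPLE_ROLES='  Server name: idm1.ipa.domain.com
  Role name: AD trust controller
  Role status: enabled

  Server name: idm1.ipa.domain.com
  Role name: AD trust agent
  Role status: enabled

  Server name: idm2.ipa.domain.com
  Role name: AD trust controller
  Role status: absent

  Server name: idm2.ipa.domain.com
  Role name: AD trust agent
  Role status: absent

  Server name: idm3.ipa.domain.com
  Role name: AD trust agent
  Role status: enabled'

# trust_role <server> <role-text>: prints "controller", "agent" or "none".
# Each record is three lines; we remember the current server and role name
# and decide when the status line arrives. Status "enabled" is an assumption.
trust_role() {
    server=$1
    text=$2
    printf '%s\n' "$text" | awk -v srv="$server" '
        /^ *Server name:/ { cur = $3 }
        /^ *Role name:/   { sub(/^ *Role name: /, ""); role = $0 }
        /^ *Role status:/ {
            if (cur == srv && $3 == "enabled") {
                if (role == "AD trust controller") ctl = 1
                if (role == "AD trust agent")      agt = 1
            }
        }
        END { print (ctl ? "controller" : (agt ? "agent" : "none")) }'
}

# advise <server> <role-text>: one line saying what the role means for
# AD user resolution, following the explanation given in the thread.
advise() {
    case "$(trust_role "$1" "$2")" in
        controller) echo "$1: trust controller (ipa-adtrust-install was run here)" ;;
        agent)      echo "$1: trust agent; AD users can be resolved on this host" ;;
        none)       echo "$1: neither agent nor controller; AD users will not resolve here until 'ipa-adtrust-install --add-agents' is run on an existing trust controller" ;;
    esac
}

# Stand-alone usage: report on every server named in the constructed sample.
for s in idm1.ipa.domain.com idm2.ipa.domain.com idm3.ipa.domain.com; do
    advise "$s" "$SAMPLE_ROLES"
done
```

On a live server, replace `SAMPLE_ROLES` with the concatenated output of the two `ipa server-role-find` calls; a replica that reports `none` matches the symptom in the thread, where `su - testuser@domain.com` on idm2 fails while the same lookup works on the trust controller idm1.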