[Freeipa-users] web admin tool will not login with kerberos ticket

Dmitri Pal dpal at redhat.com
Tue Oct 16 23:46:32 UTC 2012 

On 10/16/2012 07:30 PM, Brian Vetter wrote:
> I had a happy, working 2.2 FreeIPA installation humming along last
> week. I had to do some maintenance so I shut everything down. When I
> brought everything up, I can no longer log into the web admin tool. I
> get a "Kerberos ticket is no longer valid" error.
>
> Using the troubleshooting pages on the wiki as a guide, I can kinit
> successfully and see the tickets using klist. I can use the ldapsearch
> tool using GSSAPI to authenticate as well and can return results from
> the ldap server. 'ldapsearch -Y GSSAPI -b "dc=dcc,dc=mobi" uid=admin'
> returns a valid ldap recors for my admin user. I ran this command
> kinit from multiple kerberos principals/users and each worked.
>
> I verified my config settings again with firefox and they are still
> set correctly (auth.delegation-uris, auth.trusted-users both set to my
> domain .dcc.mobi). The cert was accepted (no warnings about the cert
> not being trusted because I had already set it to trusted). I turned
> on the NSPR logging as described in the documents, and didn't see an
> error, although I can't tell if this is correct:
>
>     492291904[7f4d1d31f6a0]:   using REQ_DELEGATE
>     492291904[7f4d1d31f6a0]:   service = geonosis.dcc.mobi
>     492291904[7f4d1d31f6a0]:   using negotiate-gss
>     492291904[7f4d1d31f6a0]: entering nsAuthGSSAPI::nsAuthGSSAPI()
>     492291904[7f4d1d31f6a0]: Attempting to load gss functions
>     492291904[7f4d1d31f6a0]: entering nsAuthGSSAPI::Init()
>     492291904[7f4d1d31f6a0]:
>     nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate]
>     492291904[7f4d1d31f6a0]: entering nsAuthGSSAPI::GetNextToken()
>     492291904[7f4d1d31f6a0]:   leaving nsAuthGSSAPI::GetNextToken [rv=0]
>     492291904[7f4d1d31f6a0]:   Sending a token of length 1394
>
>
> There is nothing in /var/log/httpd/error_log.
> /var/log/httpd/access_log does have a few entries:
>
>     10.1.1.10 - - [16/Oct/2012:18:05:26 -0500] "POST /ca/ocsp
>     HTTP/1.1" 200 2298 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:16.0)
>     Gecko/20100101 Firefox/16.0"
>     10.1.1.10 - - [16/Oct/2012:18:05:26 -0500] "POST /ipa/session/json
>     HTTP/1.1" 401 -
>     10.1.1.10 - - [16/Oct/2012:18:05:26 -0500] "GET
>     /ipa/session/login_kerberos HTTP/1.1" 401 1861
>     10.1.1.10 - admin at DCC.MOBI <mailto:admin at DCC.MOBI>
>     [16/Oct/2012:18:05:26 -0500] "GET /ipa/session/login_kerberos
>     HTTP/1.1" 200 -
>     10.1.1.10 - - [16/Oct/2012:18:05:26 -0500] "POST /ipa/session/json
>     HTTP/1.1" 401 -
>
>
> The 401's aren't surprising here since somehow, something is not
> properly authenticating.
>
> I also looked in /var/log/krb5kdc.log and see the following line when
> authenticating:
>
>     Oct 16 18:12:17 geonosis.dcc.mobi krb5kdc[1193](info): TGS_REQ (1
>     etypes {18}) 10.1.1.10: ISSUE: authtime 1350424404, etypes {rep=18
>     tkt=18 ses=18}, admin at DCC.MOBI <mailto:admin at DCC.MOBI> for
>     krbtgt/DCC.MOBI at DCC.MOBI <mailto:krbtgt/DCC.MOBI at DCC.MOBI>
>
>
> I don't believe this describes an error, but I'm not an expert reading
> that log type.
>
> From what I can tell, the problems seem to be between the apache
> server and the browser. Both worked fine together last week. Is there
> something I can turn on in Apache (perhaps in the ipa.conf or
> auth_kerb.conf files) that can help debug this? Or better yet, anyone
> else seen this and have an answer? Is there some key/ticket/etc
> associated with the http server that might be "wrong" now (somehow
> whacked during the reboot)?

Just to reiterate.
1) You have a server that got rebooted.
2) After reboot "kinit admin" works
3) klist shows tickets
4) logs show no errors
5) You can do ldap search - no problem
6) You stop FF and start it and it says "Kerberos ticket is no longer valid"


This is very similar to thread started by David Sastre with title
"Problem with webui: kerberos ticket no longer valid".
The start of the thread is in August and the end is in September archive.
It might have an answer for you.

HTH



>
> Thanks,
>
> Brian
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20121016/6fb98510/attachment.htm>

More information about the Freeipa-users mailing list