[Freeipa-users] Cannot connect to FreeIPA web UI anymore

Fujisan fujisan43 at gmail.com
Mon Oct 5 10:55:50 UTC 2015


It is actually on the ipa server that ipa commands are not working. On ipa
clients, I do not have errors.



On Mon, Oct 5, 2015 at 12:27 PM, Fujisan <fujisan43 at gmail.com> wrote:

> I just noticed I can log in to the web UI with user admin and his password.
>
> But when I try to configure Firefox to use kerberos, I click on "Install
> Kerberos Configuration Firefox Extension" button, a message appears saying
> "Firefox prevented this site from asking you to install software on your
> computer", so I click on the "Allow" button and then another message
> appears "The add-on downloaded from this site could not be installed
> because it appears to be corrupt.".
>
> And the ipa commands are still not working.
> $ ipa user-show admin
> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json': Unauthorized
>
>
> On Mon, Oct 5, 2015 at 12:13 PM, Fujisan <fujisan43 at gmail.com> wrote:
>
>> I uninstalled the ipa server and reinstalled it. Then restored the backup.
>> And then the following:
>>
>> $ keyctl list @s
>> 3 keys in keyring:
>> 437165764: --alswrv     0 65534 keyring: _uid.0
>> 556579409: --alswrv     0     0 user: ipa_session_cookie:host/zaira2.opera at OPERA
>> 286806445: ---lswrv     0 65534 keyring: _persistent.0
>> $ keyctl purge 556579409
>> purged 0 keys
>> $ keyctl reap
>> 0 keys reaped
>> $ ipa user-show admin
>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json': Unauthorized
>> $ keyctl list @s
>> 3 keys in keyring:
>> 437165764: --alswrv     0 65534 keyring: _uid.0
>> 556579409: --alswrv     0     0 user: ipa_session_cookie:host/zaira2.opera at OPERA
>> 286806445: ---lswrv     0 65534 keyring: _persistent.0
>>
>> It doesn't seem to purge or to reap.
>>
>>
>>
>> On Mon, Oct 5, 2015 at 9:17 AM, Fujisan <fujisan43 at gmail.com> wrote:
>>
>>> Good morning,
>>>
>>> Any suggestion what I should do?
>>>
>>> I still have
>>>
>>> $ ipa user-show admin
>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json': Unauthorized
>>>
>>>
>>> Regards.
>>>
>>>
>>> On Fri, Oct 2, 2015 at 5:04 PM, Fujisan <fujisan43 at gmail.com> wrote:
>>>
>>>> I only have this:
>>>>
>>>> $ keyctl list @s
>>>> 1 key in keyring:
>>>> 641467419: --alswrv     0 65534 keyring: _uid.0
>>>> $
>>>>
>>>>
>>>>
>>>> On Fri, Oct 2, 2015 at 5:01 PM, Alexander Bokovoy <abokovoy at redhat.com> wrote:
>>>>
>>>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>>>
>>>>>> I forgot to mention that
>>>>>>
>>>>>> $ ipa user-show admin
>>>>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json': Unauthorized
>>>>>>
>>>>> This is most likely because of the cached session to your server.
>>>>>
>>>>> You can check if keyctl list @s
>>>>> returns you something like
>>>>> [root at m1 ~]# keyctl list @s
>>>>> 2 keys in keyring:
>>>>> 496745412: --alswrv     0 65534 keyring: _uid.0
>>>>> 215779962: --alswrv     0     0 user: ipa_session_cookie:admin at EXAMPLE.COM
>>>>>
>>>>> If so, then notice the key number (215779962) for the session cookie,
>>>>> and do:
>>>>>  keyctl purge 215779962
>>>>>  keyctl reap
>>>>>
>>>>> This should make the next 'ipa ...' command run ask for a new cookie.
>>>>>
>>>>>
>>>>>> On Fri, Oct 2, 2015 at 4:44 PM, Fujisan <fujisan43 at gmail.com> wrote:
>>>>>>
>>>>>>> I still cannot log in to the web UI.
>>>>>>>
>>>>>>> Here is what I did:
>>>>>>>
>>>>>>>    1. mv /etc/krb5.keytab /etc/krb5.keytab.save
>>>>>>>    2. kinit admin
>>>>>>>       Password for admin at OPERA:
>>>>>>>    3. ipa-getkeytab -s zaira2.opera -p host/zaira2.opera at OPERA -k /etc/krb5.keytab
>>>>>>>    4. systemctl restart sssd.service
>>>>>>>    5. mv /etc/httpd/conf/ipa.keytab /etc/httpd/conf/ipa.keytab.save
>>>>>>>    6. ipa-getkeytab -s zaira2.opera -p HTTP/zaira2.opera at OPERA -k /etc/httpd/conf/ipa.keytab
>>>>>>>    7. systemctl restart httpd.service
>>>>>>>
>>>>>>>
>>>>>>> The log says now:
>>>>>>>
>>>>>>> Oct 02 16:40:56 zaira2.opera krb5kdc[9065](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH: HTTP/zaira2.opera at OPERA for krbtgt/OPERA at OPERA, Additional pre-authentication required
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Fri, Oct 2, 2015 at 4:25 PM, Alexander Bokovoy <abokovoy at redhat.com> wrote:
>>>>>>>
>>>>>>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>>>>>>
>>>>>>>>> Well, I think I messed up when trying to configure cockpit to use kerberos.
>>>>>>>>>
>>>>>>>>> What should I do to fix this?
>>>>>>>>>
>>>>>>>>> I have this on the ipa server:
>>>>>>>>> $ klist -k
>>>>>>>>> Keytab name: FILE:/etc/krb5.keytab
>>>>>>>>> KVNO Principal
>>>>>>>>> ---- --------------------------------------------------------------------------
>>>>>>>>>   2 host/zaira2.opera at OPERA
>>>>>>>>>   2 host/zaira2.opera at OPERA
>>>>>>>>>   2 host/zaira2.opera at OPERA
>>>>>>>>>   2 host/zaira2.opera at OPERA
>>>>>>>>>   1 nfs/zaira2.opera at OPERA
>>>>>>>>>   1 nfs/zaira2.opera at OPERA
>>>>>>>>>   1 nfs/zaira2.opera at OPERA
>>>>>>>>>   1 nfs/zaira2.opera at OPERA
>>>>>>>>>   3 HTTP/zaira2.opera at OPERA
>>>>>>>>>   3 HTTP/zaira2.opera at OPERA
>>>>>>>>>   3 HTTP/zaira2.opera at OPERA
>>>>>>>>>   3 HTTP/zaira2.opera at OPERA
>>>>>>>>>
>>>>>>>> You can start by:
>>>>>>>>
>>>>>>>> 0. Back up every file mentioned below
>>>>>>>> 1. Move /etc/krb5.keytab somewhere
>>>>>>>> 2. kinit as admin
>>>>>>>> 3. ipa-getkeytab -s `hostname` -p host/`hostname` -k /etc/krb5.keytab
>>>>>>>> 4. Restart SSSD
>>>>>>>> 5. Move /etc/httpd/conf/ipa.keytab somewhere
>>>>>>>> 6. ipa-getkeytab -s `hostname` -p HTTP/`hostname` -k /etc/httpd/conf/ipa.keytab
>>>>>>>> 7. Restart httpd
>>>>>>>>
>>>>>>>> Every time you run 'ipa-getkeytab', the Kerberos key for the service
>>>>>>>> you specify is replaced on the server side, so the keys in the existing
>>>>>>>> keytabs become unusable.
>>>>>>>>
>>>>>>>> I guess the cockpit instructions were for something that was not
>>>>>>>> supposed to run on an IPA master. On an IPA master all needed services
>>>>>>>> (host/ and HTTP/) already exist and their keytabs are in place.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>> On Fri, Oct 2, 2015 at 3:45 PM, Alexander Bokovoy <abokovoy at redhat.com> wrote:
>>>>>>>>>
>>>>>>>>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>>>>>>>>
>>>>>>>>>>> More info:
>>>>>>>>>>>
>>>>>>>>>>> I can initiate a ticket:
>>>>>>>>>>> $ kdestroy
>>>>>>>>>>> $ kinit admin
>>>>>>>>>>>
>>>>>>>>>>> but cannot view user admin:
>>>>>>>>>>> $ ipa user-show admin
>>>>>>>>>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json': Unauthorized
>>>>>>>>>>>
>>>>>>>>>>> $ ipactl status
>>>>>>>>>>> Directory Service: RUNNING
>>>>>>>>>>> krb5kdc Service: RUNNING
>>>>>>>>>>> kadmin Service: RUNNING
>>>>>>>>>>> named Service: RUNNING
>>>>>>>>>>> ipa_memcached Service: RUNNING
>>>>>>>>>>> httpd Service: RUNNING
>>>>>>>>>>> pki-tomcatd Service: RUNNING
>>>>>>>>>>> smb Service: RUNNING
>>>>>>>>>>> winbind Service: RUNNING
>>>>>>>>>>> ipa-otpd Service: RUNNING
>>>>>>>>>>> ipa-dnskeysyncd Service: RUNNING
>>>>>>>>>>> ipa: INFO: The ipactl command was successful
>>>>>>>>>>>
>>>>>>>>>>> /var/log/messages:
>>>>>>>>>>> Oct  2 14:48:55 zaira2 [sssd[ldap_child[4991]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt integrity check failed. Unable to create GSSAPI-encrypted LDAP connection.
>>>>>>>>>>>
>>>>>>>>>> What did you do?
>>>>>>>>>>
>>>>>>>>>> This and the log below about HTTP/zaira2.opera at OPERA show that
>>>>>>>>>> you have different keys in LDAP and in your keytab files for
>>>>>>>>>> host/zaira2.opera and HTTP/zaira2.opera principals. This might happen
>>>>>>>>>> if somebody removed the principals from LDAP (ipa service-del/ipa
>>>>>>>>>> service-add, or ipa host-del/ipa host-add) so that they become
>>>>>>>>>> non-synchronized with whatever you have in the keytab files.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>> On Fri, Oct 2, 2015 at 2:26 PM, Fujisan <fujisan43 at gmail.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hello,
>>>>>>>>>>>>
>>>>>>>>>>>> I cannot log in to the web UI anymore.
>>>>>>>>>>>>
>>>>>>>>>>>> The password or username you entered is incorrect.
>>>>>>>>>>>>
>>>>>>>>>>>> Log says:
>>>>>>>>>>>>
>>>>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH: HTTP/zaira2.opera at OPERA for krbtgt/OPERA at OPERA, Additional pre-authentication required
>>>>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
>>>>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): preauth (encrypted_timestamp) verify failure: Decrypt integrity check failed
>>>>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: PREAUTH_FAILED: HTTP/zaira2.opera at OPERA for krbtgt/OPERA at OPERA, Decrypt integrity check failed
>>>>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> I have no idea what went wrong.
>>>>>>>>>>>>
>>>>>>>>>>>> What can I do?
>>>>>>>>>>>>
>>>>>>>>>>>> Regards,
>>>>>>>>>>>> Fuji
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>>
>>>>>>>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>>>>>> Go to http://freeipa.org for more info on the project
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> / Alexander Bokovoy
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>> --
>>>>>>>> / Alexander Bokovoy
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> / Alexander Bokovoy
>>>>>
>>>>
>>>>
>>>
>>
>
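Alexander's diagnosis above (a service principal such as HTTP/zaira2.opera failing pre-authentication with "Decrypt integrity check failed" means the keytab and the KDC hold different keys, which is what repeated ipa-getkeytab runs cause) can be turned into a log check. The following is an added example written for this page, not code from the thread or from FreeIPA; its log lines are constructed to mirror the ones quoted above, joined onto single lines with "@" restored, and the "service vs. user" split is a heuristic based on that diagnosis.

```python
import re
from collections import Counter

# Constructed sample log lines modelled on those quoted in the thread, joined
# back onto single lines and with "@" restored where the archive printed " at ".
SAMPLE_LOG = """\
Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH: HTTP/zaira2.opera@OPERA for krbtgt/OPERA@OPERA, Additional pre-authentication required
Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): preauth (encrypted_timestamp) verify failure: Decrypt integrity check failed
Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: PREAUTH_FAILED: HTTP/zaira2.opera@OPERA for krbtgt/OPERA@OPERA, Decrypt integrity check failed
Oct  2 14:48:55 zaira2 [sssd[ldap_child[4991]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt integrity check failed. Unable to create GSSAPI-encrypted LDAP connection.
Oct 02 14:30:01 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.50: PREAUTH_FAILED: admin@OPERA for krbtgt/OPERA@OPERA, Decrypt integrity check failed
"""

# KDC AS_REQ result lines: "<STATUS>: <client> for <server>[, <reason>]".
AS_REQ_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): AS_REQ \(.*?\) (?P<ip>[\d.]+): (?P<status>[A-Z_]+): "
    r"(?P<client>\S+) for (?P<server>\S+?)(?:, (?P<reason>.+))?$"
)
# SSSD's ldap_child rejecting the host keytab: the same mismatch seen from the client side.
SSSD_KEYTAB_RE = re.compile(
    r"sssd\[ldap_child\[\d+\]\]\]: Failed to initialize credentials using keytab "
    r"\[(?P<keytab>[^\]]+)\]: Decrypt integrity check failed"
)
MISMATCH = "Decrypt integrity check failed"


def classify_failures(log_text):
    """Bucket decrypt-integrity failures by what they most likely mean:
    service - a keytab-backed principal (name contains '/') failed pre-auth, so its
              keytab key no longer matches the KDC (e.g. ipa-getkeytab re-keyed it)
    user    - a user principal failed pre-auth (wrong password, or guessing)
    keytab  - SSSD itself could not authenticate with the keytab it was given
    """
    out = {"service": Counter(), "user": Counter(), "keytab": Counter()}
    for line in log_text.splitlines():
        m = AS_REQ_RE.search(line)
        if m and m["status"] == "PREAUTH_FAILED" and MISMATCH in (m["reason"] or ""):
            out["service" if "/" in m["client"] else "user"][m["client"]] += 1
            continue
        m = SSSD_KEYTAB_RE.search(line)
        if m:
            out["keytab"][m["keytab"]] += 1
    return out


def suspect_stale_keytabs(findings):
    """Service principals whose keytab should be re-fetched (sorted for stable output)."""
    return sorted(findings["service"])
```

A service principal in the `service` bucket is the signal to re-fetch that one keytab once (host/ and HTTP/ on the master, as in the steps above) rather than to keep re-running ipa-getkeytab, since each run re-keys the service on the KDC side.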