<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000066">
try running 'kinit -R'?<br>
<br>
On 08/24/2012 11:56 AM, David Sastre wrote:
<blockquote
cite="mid:CAMfsiJHMm+mHA1Z8HtiwQkZMXE7enDGqvA0E6618TU6oHwXQQA@mail.gmail.com"
type="cite">
<pre wrap="">Hello,
I'm having an issue with the web ui, it is returning "Kerberos ticket
is no longer valid" message regardless I have a valid ticket:
$ ssh sysadm@panoramix 'klist'
Ticket cache: <a class="moz-txt-link-freetext" href="FILE:/tmp/krb5cc_500">FILE:/tmp/krb5cc_500</a>
Default principal: <a class="moz-txt-link-abbreviated" href="mailto:admin@DOMAIN.COM">admin@DOMAIN.COM</a>
Valid starting Expires Service principal
08/24/12 10:42:57 08/25/12 10:42:53 <a class="moz-txt-link-abbreviated" href="mailto:krbtgt/DOMAIN.COM@DOMAIN.COM">krbtgt/DOMAIN.COM@DOMAIN.COM</a>
08/24/12 10:43:19 08/25/12 10:42:53 <a class="moz-txt-link-abbreviated" href="mailto:HTTP/panoramix.domain.com@DOMAIN.COM">HTTP/panoramix.domain.com@DOMAIN.COM</a>
Following the advice in:
<a class="moz-txt-link-freetext" href="https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Troubleshooting-UI.html">https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Troubleshooting-UI.html</a>
I have obtained this log:
$ ssh -X sysadm@panoramix 'export NSPR_LOG_MODULES=negotiateauth:5;
export NSPR_LOG_FILE=/tmp/moz.log; firefox'
973989664[7f8b38e5b040]: using REQ_DELEGATE
973989664[7f8b38e5b040]: service = panoramix.domain.com
973989664[7f8b38e5b040]: using negotiate-gss
973989664[7f8b38e5b040]: entering nsAuthGSSAPI::nsAuthGSSAPI()
973989664[7f8b38e5b040]: entering nsAuthGSSAPI::Init()
973989664[7f8b38e5b040]: nsHttpNegotiateAuth::GenerateCredentials()
[challenge=Negotiate]
973989664[7f8b38e5b040]: entering nsAuthGSSAPI::GetNextToken()
973989664[7f8b38e5b040]: leaving nsAuthGSSAPI::GetNextToken [rv=0]
973989664[7f8b38e5b040]: Sending a token of length 1375
973989664[7f8b38e5b040]: nsHttpNegotiateAuth::GenerateCredentials()
[challenge=Negotiate oRQwEqADCgEAoQsGCSqGSIb3EgECAg==]
973989664[7f8b38e5b040]: entering nsAuthGSSAPI::GetNextToken()
973989664[7f8b38e5b040]: leaving nsAuthGSSAPI::GetNextToken [rv=4b0028]
973989664[7f8b38e5b040]: No output token to send, exiting
973989664[7f8b38e5b040]: using REQ_DELEGATE
973989664[7f8b38e5b040]: service = panoramix.domain.com
973989664[7f8b38e5b040]: using negotiate-gss
973989664[7f8b38e5b040]: entering nsAuthGSSAPI::nsAuthGSSAPI()
973989664[7f8b38e5b040]: entering nsAuthGSSAPI::Init()
973989664[7f8b38e5b040]: nsHttpNegotiateAuth::GenerateCredentials()
[challenge=Negotiate]
973989664[7f8b38e5b040]: entering nsAuthGSSAPI::GetNextToken()
973989664[7f8b38e5b040]: leaving nsAuthGSSAPI::GetNextToken [rv=0]
973989664[7f8b38e5b040]: Sending a token of length 1375
973989664[7f8b38e5b040]: using REQ_DELEGATE
973989664[7f8b38e5b040]: service = panoramix.domain.com
973989664[7f8b38e5b040]: using negotiate-gss
973989664[7f8b38e5b040]: entering nsAuthGSSAPI::nsAuthGSSAPI()
973989664[7f8b38e5b040]: entering nsAuthGSSAPI::Init()
973989664[7f8b38e5b040]: nsHttpNegotiateAuth::GenerateCredentials()
[challenge=Negotiate]
973989664[7f8b38e5b040]: entering nsAuthGSSAPI::GetNextToken()
973989664[7f8b38e5b040]: leaving nsAuthGSSAPI::GetNextToken [rv=0]
973989664[7f8b38e5b040]: Sending a token of length 1375
973989664[7f8b38e5b040]: nsHttpNegotiateAuth::GenerateCredentials()
[challenge=Negotiate oRQwEqADCgEAoQsGCSqGSIb3EgECAg==]
973989664[7f8b38e5b040]: entering nsAuthGSSAPI::GetNextToken()
973989664[7f8b38e5b040]: leaving nsAuthGSSAPI::GetNextToken [rv=4b0028]
973989664[7f8b38e5b040]: No output token to send, exiting
Relevant portions of apache's access and error logs with LogLevel Debug are:
172.22.249.66 - - [24/Aug/2012:11:43:52 +0200] "POST /ipa/session/json
HTTP/1.1" 401 1856 <a class="moz-txt-link-rfc2396E" href="https://panoramix.domain.com/ipa/ui/">"https://panoramix.domain.com/ipa/ui/"</a> "Mozilla/5.0
(X11; Linux x86_64; rv:10.0.6) Gecko/20120717 Firefox/10.0.6"
172.22.249.66 - <a class="moz-txt-link-abbreviated" href="mailto:admin@DOMAIN.COM">admin@DOMAIN.COM</a> [24/Aug/2012:11:43:52 +0200] "POST
/ipa/session/json HTTP/1.1" 401 -
<a class="moz-txt-link-rfc2396E" href="https://panoramix.domain.com/ipa/ui/">"https://panoramix.domain.com/ipa/ui/"</a> "Mozilla/5.0 (X11; Linux
x86_64; rv:10.0.6) Gecko/20120717 Firefox/10.0.6"
172.22.249.66 - - [24/Aug/2012:11:43:52 +0200] "GET
/ipa/session/login_kerberos HTTP/1.1" 401 1856
<a class="moz-txt-link-rfc2396E" href="https://panoramix.domain.com/ipa/ui/">"https://panoramix.domain.com/ipa/ui/"</a> "Mozilla/5.0 (X11; Linux
x86_64; rv:10.0.6) Gecko/20120717 Firefox/10.0.6"
172.22.249.66 - <a class="moz-txt-link-abbreviated" href="mailto:admin@DOMAIN.COM">admin@DOMAIN.COM</a> [24/Aug/2012:11:43:52 +0200] "GET
/ipa/session/login_kerberos HTTP/1.1" 200 -
<a class="moz-txt-link-rfc2396E" href="https://panoramix.domain.com/ipa/ui/">"https://panoramix.domain.com/ipa/ui/"</a> "Mozilla/5.0 (X11; Linux
x86_64; rv:10.0.6) Gecko/20120717 Firefox/10.0.6"
172.22.249.66 - - [24/Aug/2012:11:43:52 +0200] "POST /ipa/session/json
HTTP/1.1" 401 1856 <a class="moz-txt-link-rfc2396E" href="https://panoramix.domain.com/ipa/ui/">"https://panoramix.domain.com/ipa/ui/"</a> "Mozilla/5.0
(X11; Linux x86_64; rv:10.0.6) Gecko/20120717 Firefox/10.0.6"
172.22.249.66 - <a class="moz-txt-link-abbreviated" href="mailto:admin@DOMAIN.COM">admin@DOMAIN.COM</a> [24/Aug/2012:11:43:52 +0200] "POST
/ipa/session/json HTTP/1.1" 401 -
<a class="moz-txt-link-rfc2396E" href="https://panoramix.domain.com/ipa/ui/">"https://panoramix.domain.com/ipa/ui/"</a> "Mozilla/5.0 (X11; Linux
x86_64; rv:10.0.6) Gecko/20120717 Firefox/10.0.6"
[Fri Aug 24 11:43:52 2012] [error] [client 172.22.249.66] File does
not exist: /var/www/htdocs/panoramix.domain.com/ca
[Fri Aug 24 11:43:52 2012] [info] Initial (No.1) HTTPS request
received for child 194 (server panoramix.domain.com:443)
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1939): [client
172.22.249.66] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos, referer: <a class="moz-txt-link-freetext" href="https://panoramix.domain.com/ipa/ui/">https://panoramix.domain.com/ipa/ui/</a>
[Fri Aug 24 11:43:52 2012] [info] Connection to child 194 closed
(server panoramix.domain.com:443, client 172.22.249.66)
[Fri Aug 24 11:43:52 2012] [info] Connection to child 196 established
(server panoramix.domain.com:443, client 172.22.249.66)
[Fri Aug 24 11:43:52 2012] [info] Initial (No.1) HTTPS request
received for child 196 (server panoramix.domain.com:443)
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1939): [client
172.22.249.66] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos, referer: <a class="moz-txt-link-freetext" href="https://panoramix.domain.com/ipa/ui/">https://panoramix.domain.com/ipa/ui/</a>
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1278): [client
172.22.249.66] Acquiring creds for <a class="moz-txt-link-abbreviated" href="mailto:HTTP@panoramix.domain.com">HTTP@panoramix.domain.com</a>, referer:
<a class="moz-txt-link-freetext" href="https://panoramix.domain.com/ipa/ui/">https://panoramix.domain.com/ipa/ui/</a>
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1691): [client
172.22.249.66] Verifying client data using KRB5 GSS-API , referer:
<a class="moz-txt-link-freetext" href="https://panoramix.domain.com/ipa/ui/">https://panoramix.domain.com/ipa/ui/</a>
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1707): [client
172.22.249.66] Client delegated us their credential, referer:
<a class="moz-txt-link-freetext" href="https://panoramix.domain.com/ipa/ui/">https://panoramix.domain.com/ipa/ui/</a>
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1726): [client
172.22.249.66] GSS-API token of length 22 bytes will be sent back,
referer: <a class="moz-txt-link-freetext" href="https://panoramix.domain.com/ipa/ui/">https://panoramix.domain.com/ipa/ui/</a>
[Fri Aug 24 11:43:52 2012] [info] Connection to child 196 closed
(server panoramix.domain.com:443, client 172.22.249.66)
[Fri Aug 24 11:43:52 2012] [info] Connection to child 197 established
(server panoramix.domain.com:443, client 172.22.249.66)
[Fri Aug 24 11:43:52 2012] [info] Initial (No.1) HTTPS request
received for child 197 (server panoramix.domain.com:443)
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1939): [client
172.22.249.66] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos, referer: <a class="moz-txt-link-freetext" href="https://panoramix.domain.com/ipa/ui/">https://panoramix.domain.com/ipa/ui/</a>
[Fri Aug 24 11:43:52 2012] [info] Connection to child 197 closed
(server panoramix.domain.com:443, client 172.22.249.66)
[Fri Aug 24 11:43:52 2012] [info] Connection to child 198 established
(server panoramix.domain.com:443, client 172.22.249.66)
[Fri Aug 24 11:43:52 2012] [info] Initial (No.1) HTTPS request
received for child 198 (server panoramix.domain.com:443)
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1939): [client
172.22.249.66] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos, referer: <a class="moz-txt-link-freetext" href="https://panoramix.domain.com/ipa/ui/">https://panoramix.domain.com/ipa/ui/</a>
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1278): [client
172.22.249.66] Acquiring creds for <a class="moz-txt-link-abbreviated" href="mailto:HTTP@panoramix.domain.com">HTTP@panoramix.domain.com</a>, referer:
<a class="moz-txt-link-freetext" href="https://panoramix.domain.com/ipa/ui/">https://panoramix.domain.com/ipa/ui/</a>
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1691): [client
172.22.249.66] Verifying client data using KRB5 GSS-API , referer:
<a class="moz-txt-link-freetext" href="https://panoramix.domain.com/ipa/ui/">https://panoramix.domain.com/ipa/ui/</a>
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1707): [client
172.22.249.66] Client delegated us their credential, referer:
<a class="moz-txt-link-freetext" href="https://panoramix.domain.com/ipa/ui/">https://panoramix.domain.com/ipa/ui/</a>
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1726): [client
172.22.249.66] GSS-API token of length 22 bytes will be sent back,
referer: <a class="moz-txt-link-freetext" href="https://panoramix.domain.com/ipa/ui/">https://panoramix.domain.com/ipa/ui/</a>
[Fri Aug 24 11:43:52 2012] [info] Connection to child 198 closed
(server panoramix.domain.com:443, client 172.22.249.66)
[Fri Aug 24 11:43:52 2012] [info] Connection to child 199 established
(server panoramix.domain.com:443, client 172.22.249.66)
[Fri Aug 24 11:43:52 2012] [info] Initial (No.1) HTTPS request
received for child 199 (server panoramix.domain.com:443)
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1939): [client
172.22.249.66] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos, referer: <a class="moz-txt-link-freetext" href="https://panoramix.domain.com/ipa/ui/">https://panoramix.domain.com/ipa/ui/</a>
[Fri Aug 24 11:43:52 2012] [info] Connection to child 199 closed
(server panoramix.domain.com:443, client 172.22.249.66)
[Fri Aug 24 11:43:52 2012] [info] Connection to child 200 established
(server panoramix.domain.com:443, client 172.22.249.66)
[Fri Aug 24 11:43:52 2012] [info] Initial (No.1) HTTPS request
received for child 200 (server panoramix.domain.com:443)
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1939): [client
172.22.249.66] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos, referer: <a class="moz-txt-link-freetext" href="https://panoramix.domain.com/ipa/ui/">https://panoramix.domain.com/ipa/ui/</a>
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1278): [client
172.22.249.66] Acquiring creds for <a class="moz-txt-link-abbreviated" href="mailto:HTTP@panoramix.domain.com">HTTP@panoramix.domain.com</a>, referer:
<a class="moz-txt-link-freetext" href="https://panoramix.domain.com/ipa/ui/">https://panoramix.domain.com/ipa/ui/</a>
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1691): [client
172.22.249.66] Verifying client data using KRB5 GSS-API , referer:
<a class="moz-txt-link-freetext" href="https://panoramix.domain.com/ipa/ui/">https://panoramix.domain.com/ipa/ui/</a>
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1707): [client
172.22.249.66] Client delegated us their credential, referer:
<a class="moz-txt-link-freetext" href="https://panoramix.domain.com/ipa/ui/">https://panoramix.domain.com/ipa/ui/</a>
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1726): [client
172.22.249.66] GSS-API token of length 22 bytes will be sent back,
referer: <a class="moz-txt-link-freetext" href="https://panoramix.domain.com/ipa/ui/">https://panoramix.domain.com/ipa/ui/</a>
[Fri Aug 24 11:43:52 2012] [info] Connection to child 200 closed
(server panoramix.domain.com:443, client 172.22.249.66)
# lsb_release -a
LSB Version:
:core-4.0-amd64:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-noarch
Distributor ID: CentOS
Description: CentOS release 6.3 (Final)
Release: 6.3
Codename: Final
# rpm -qa | egrep '(ipa-|sssd)'
ipa-pki-common-theme-9.0.3-7.el6.noarch
sssd-client-1.8.0-32.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-admintools-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64
ipa-python-2.2.0-16.el6.x86_64
sssd-1.8.0-32.el6.x86_64
ipa-server-selinux-2.2.0-16.el6.x86_64
Thanks in advance.
_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a>
</pre>
</blockquote>
</body>
</html>