<html>
  <head>
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000066">
    Try running 'kinit -R'?<br>
    <br>
    On 08/24/2012 11:56 AM, David Sastre wrote:
    <blockquote
cite="mid:CAMfsiJHMm+mHA1Z8HtiwQkZMXE7enDGqvA0E6618TU6oHwXQQA@mail.gmail.com"
      type="cite">
      <pre wrap="">Hello,

I'm having an issue with the web UI; it returns a "Kerberos ticket
is no longer valid" message even though I have a valid ticket:

$ ssh sysadm@panoramix 'klist'

Ticket cache: FILE:/tmp/krb5cc_500
Default principal: admin@DOMAIN.COM

Valid starting     Expires            Service principal
08/24/12 10:42:57  08/25/12 10:42:53  krbtgt/DOMAIN.COM@DOMAIN.COM
08/24/12 10:43:19  08/25/12 10:42:53  HTTP/panoramix.domain.com@DOMAIN.COM

Following the advice in:

<a class="moz-txt-link-freetext" href="https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Troubleshooting-UI.html">https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Troubleshooting-UI.html</a>

I have obtained this log:

$ ssh -X sysadm@panoramix 'export NSPR_LOG_MODULES=negotiateauth:5;
export NSPR_LOG_FILE=/tmp/moz.log; firefox'

973989664[7f8b38e5b040]:   using REQ_DELEGATE
973989664[7f8b38e5b040]:   service = panoramix.domain.com
973989664[7f8b38e5b040]:   using negotiate-gss
973989664[7f8b38e5b040]: entering nsAuthGSSAPI::nsAuthGSSAPI()
973989664[7f8b38e5b040]: entering nsAuthGSSAPI::Init()
973989664[7f8b38e5b040]: nsHttpNegotiateAuth::GenerateCredentials()
[challenge=Negotiate]
973989664[7f8b38e5b040]: entering nsAuthGSSAPI::GetNextToken()
973989664[7f8b38e5b040]:   leaving nsAuthGSSAPI::GetNextToken [rv=0]
973989664[7f8b38e5b040]:   Sending a token of length 1375
973989664[7f8b38e5b040]: nsHttpNegotiateAuth::GenerateCredentials()
[challenge=Negotiate oRQwEqADCgEAoQsGCSqGSIb3EgECAg==]
973989664[7f8b38e5b040]: entering nsAuthGSSAPI::GetNextToken()
973989664[7f8b38e5b040]:   leaving nsAuthGSSAPI::GetNextToken [rv=4b0028]
973989664[7f8b38e5b040]:   No output token to send, exiting
973989664[7f8b38e5b040]:   using REQ_DELEGATE
973989664[7f8b38e5b040]:   service = panoramix.domain.com
973989664[7f8b38e5b040]:   using negotiate-gss
973989664[7f8b38e5b040]: entering nsAuthGSSAPI::nsAuthGSSAPI()
973989664[7f8b38e5b040]: entering nsAuthGSSAPI::Init()
973989664[7f8b38e5b040]: nsHttpNegotiateAuth::GenerateCredentials()
[challenge=Negotiate]
973989664[7f8b38e5b040]: entering nsAuthGSSAPI::GetNextToken()
973989664[7f8b38e5b040]:   leaving nsAuthGSSAPI::GetNextToken [rv=0]
973989664[7f8b38e5b040]:   Sending a token of length 1375
973989664[7f8b38e5b040]:   using REQ_DELEGATE
973989664[7f8b38e5b040]:   service = panoramix.domain.com
973989664[7f8b38e5b040]:   using negotiate-gss
973989664[7f8b38e5b040]: entering nsAuthGSSAPI::nsAuthGSSAPI()
973989664[7f8b38e5b040]: entering nsAuthGSSAPI::Init()
973989664[7f8b38e5b040]: nsHttpNegotiateAuth::GenerateCredentials()
[challenge=Negotiate]
973989664[7f8b38e5b040]: entering nsAuthGSSAPI::GetNextToken()
973989664[7f8b38e5b040]:   leaving nsAuthGSSAPI::GetNextToken [rv=0]
973989664[7f8b38e5b040]:   Sending a token of length 1375
973989664[7f8b38e5b040]: nsHttpNegotiateAuth::GenerateCredentials()
[challenge=Negotiate oRQwEqADCgEAoQsGCSqGSIb3EgECAg==]
973989664[7f8b38e5b040]: entering nsAuthGSSAPI::GetNextToken()
973989664[7f8b38e5b040]:   leaving nsAuthGSSAPI::GetNextToken [rv=4b0028]
973989664[7f8b38e5b040]:   No output token to send, exiting

Relevant portions of Apache's access and error logs with LogLevel Debug are:

172.22.249.66 - - [24/Aug/2012:11:43:52 +0200] "POST /ipa/session/json
HTTP/1.1" 401 1856 <a class="moz-txt-link-rfc2396E" href="https://panoramix.domain.com/ipa/ui/">"https://panoramix.domain.com/ipa/ui/"</a> "Mozilla/5.0
(X11; Linux x86_64; rv:10.0.6) Gecko/20120717 Firefox/10.0.6"
172.22.249.66 - admin@DOMAIN.COM [24/Aug/2012:11:43:52 +0200] "POST
/ipa/session/json HTTP/1.1" 401 -
<a class="moz-txt-link-rfc2396E" href="https://panoramix.domain.com/ipa/ui/">"https://panoramix.domain.com/ipa/ui/"</a> "Mozilla/5.0 (X11; Linux
x86_64; rv:10.0.6) Gecko/20120717 Firefox/10.0.6"
172.22.249.66 - - [24/Aug/2012:11:43:52 +0200] "GET
/ipa/session/login_kerberos HTTP/1.1" 401 1856
<a class="moz-txt-link-rfc2396E" href="https://panoramix.domain.com/ipa/ui/">"https://panoramix.domain.com/ipa/ui/"</a> "Mozilla/5.0 (X11; Linux
x86_64; rv:10.0.6) Gecko/20120717 Firefox/10.0.6"
172.22.249.66 - admin@DOMAIN.COM [24/Aug/2012:11:43:52 +0200] "GET
/ipa/session/login_kerberos HTTP/1.1" 200 -
<a class="moz-txt-link-rfc2396E" href="https://panoramix.domain.com/ipa/ui/">"https://panoramix.domain.com/ipa/ui/"</a> "Mozilla/5.0 (X11; Linux
x86_64; rv:10.0.6) Gecko/20120717 Firefox/10.0.6"
172.22.249.66 - - [24/Aug/2012:11:43:52 +0200] "POST /ipa/session/json
HTTP/1.1" 401 1856 <a class="moz-txt-link-rfc2396E" href="https://panoramix.domain.com/ipa/ui/">"https://panoramix.domain.com/ipa/ui/"</a> "Mozilla/5.0
(X11; Linux x86_64; rv:10.0.6) Gecko/20120717 Firefox/10.0.6"
172.22.249.66 - admin@DOMAIN.COM [24/Aug/2012:11:43:52 +0200] "POST
/ipa/session/json HTTP/1.1" 401 -
<a class="moz-txt-link-rfc2396E" href="https://panoramix.domain.com/ipa/ui/">"https://panoramix.domain.com/ipa/ui/"</a> "Mozilla/5.0 (X11; Linux
x86_64; rv:10.0.6) Gecko/20120717 Firefox/10.0.6"

[Fri Aug 24 11:43:52 2012] [error] [client 172.22.249.66] File does
not exist: /var/www/htdocs/panoramix.domain.com/ca
[Fri Aug 24 11:43:52 2012] [info] Initial (No.1) HTTPS request
received for child 194 (server panoramix.domain.com:443)
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1939): [client
172.22.249.66] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos, referer: <a class="moz-txt-link-freetext" href="https://panoramix.domain.com/ipa/ui/">https://panoramix.domain.com/ipa/ui/</a>
[Fri Aug 24 11:43:52 2012] [info] Connection to child 194 closed
(server panoramix.domain.com:443, client 172.22.249.66)
[Fri Aug 24 11:43:52 2012] [info] Connection to child 196 established
(server panoramix.domain.com:443, client 172.22.249.66)
[Fri Aug 24 11:43:52 2012] [info] Initial (No.1) HTTPS request
received for child 196 (server panoramix.domain.com:443)
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1939): [client
172.22.249.66] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos, referer: <a class="moz-txt-link-freetext" href="https://panoramix.domain.com/ipa/ui/">https://panoramix.domain.com/ipa/ui/</a>
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1278): [client
172.22.249.66] Acquiring creds for HTTP@panoramix.domain.com, referer:
<a class="moz-txt-link-freetext" href="https://panoramix.domain.com/ipa/ui/">https://panoramix.domain.com/ipa/ui/</a>
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1691): [client
172.22.249.66] Verifying client data using KRB5 GSS-API , referer:
<a class="moz-txt-link-freetext" href="https://panoramix.domain.com/ipa/ui/">https://panoramix.domain.com/ipa/ui/</a>
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1707): [client
172.22.249.66] Client delegated us their credential, referer:
<a class="moz-txt-link-freetext" href="https://panoramix.domain.com/ipa/ui/">https://panoramix.domain.com/ipa/ui/</a>
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1726): [client
172.22.249.66] GSS-API token of length 22 bytes will be sent back,
referer: <a class="moz-txt-link-freetext" href="https://panoramix.domain.com/ipa/ui/">https://panoramix.domain.com/ipa/ui/</a>
[Fri Aug 24 11:43:52 2012] [info] Connection to child 196 closed
(server panoramix.domain.com:443, client 172.22.249.66)
[Fri Aug 24 11:43:52 2012] [info] Connection to child 197 established
(server panoramix.domain.com:443, client 172.22.249.66)
[Fri Aug 24 11:43:52 2012] [info] Initial (No.1) HTTPS request
received for child 197 (server panoramix.domain.com:443)
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1939): [client
172.22.249.66] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos, referer: <a class="moz-txt-link-freetext" href="https://panoramix.domain.com/ipa/ui/">https://panoramix.domain.com/ipa/ui/</a>
[Fri Aug 24 11:43:52 2012] [info] Connection to child 197 closed
(server panoramix.domain.com:443, client 172.22.249.66)
[Fri Aug 24 11:43:52 2012] [info] Connection to child 198 established
(server panoramix.domain.com:443, client 172.22.249.66)
[Fri Aug 24 11:43:52 2012] [info] Initial (No.1) HTTPS request
received for child 198 (server panoramix.domain.com:443)
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1939): [client
172.22.249.66] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos, referer: <a class="moz-txt-link-freetext" href="https://panoramix.domain.com/ipa/ui/">https://panoramix.domain.com/ipa/ui/</a>
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1278): [client
172.22.249.66] Acquiring creds for HTTP@panoramix.domain.com, referer:
<a class="moz-txt-link-freetext" href="https://panoramix.domain.com/ipa/ui/">https://panoramix.domain.com/ipa/ui/</a>
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1691): [client
172.22.249.66] Verifying client data using KRB5 GSS-API , referer:
<a class="moz-txt-link-freetext" href="https://panoramix.domain.com/ipa/ui/">https://panoramix.domain.com/ipa/ui/</a>
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1707): [client
172.22.249.66] Client delegated us their credential, referer:
<a class="moz-txt-link-freetext" href="https://panoramix.domain.com/ipa/ui/">https://panoramix.domain.com/ipa/ui/</a>
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1726): [client
172.22.249.66] GSS-API token of length 22 bytes will be sent back,
referer: <a class="moz-txt-link-freetext" href="https://panoramix.domain.com/ipa/ui/">https://panoramix.domain.com/ipa/ui/</a>
[Fri Aug 24 11:43:52 2012] [info] Connection to child 198 closed
(server panoramix.domain.com:443, client 172.22.249.66)
[Fri Aug 24 11:43:52 2012] [info] Connection to child 199 established
(server panoramix.domain.com:443, client 172.22.249.66)
[Fri Aug 24 11:43:52 2012] [info] Initial (No.1) HTTPS request
received for child 199 (server panoramix.domain.com:443)
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1939): [client
172.22.249.66] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos, referer: <a class="moz-txt-link-freetext" href="https://panoramix.domain.com/ipa/ui/">https://panoramix.domain.com/ipa/ui/</a>
[Fri Aug 24 11:43:52 2012] [info] Connection to child 199 closed
(server panoramix.domain.com:443, client 172.22.249.66)
[Fri Aug 24 11:43:52 2012] [info] Connection to child 200 established
(server panoramix.domain.com:443, client 172.22.249.66)
[Fri Aug 24 11:43:52 2012] [info] Initial (No.1) HTTPS request
received for child 200 (server panoramix.domain.com:443)
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1939): [client
172.22.249.66] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos, referer: <a class="moz-txt-link-freetext" href="https://panoramix.domain.com/ipa/ui/">https://panoramix.domain.com/ipa/ui/</a>
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1278): [client
172.22.249.66] Acquiring creds for HTTP@panoramix.domain.com, referer:
<a class="moz-txt-link-freetext" href="https://panoramix.domain.com/ipa/ui/">https://panoramix.domain.com/ipa/ui/</a>
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1691): [client
172.22.249.66] Verifying client data using KRB5 GSS-API , referer:
<a class="moz-txt-link-freetext" href="https://panoramix.domain.com/ipa/ui/">https://panoramix.domain.com/ipa/ui/</a>
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1707): [client
172.22.249.66] Client delegated us their credential, referer:
<a class="moz-txt-link-freetext" href="https://panoramix.domain.com/ipa/ui/">https://panoramix.domain.com/ipa/ui/</a>
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1726): [client
172.22.249.66] GSS-API token of length 22 bytes will be sent back,
referer: <a class="moz-txt-link-freetext" href="https://panoramix.domain.com/ipa/ui/">https://panoramix.domain.com/ipa/ui/</a>
[Fri Aug 24 11:43:52 2012] [info] Connection to child 200 closed
(server panoramix.domain.com:443, client 172.22.249.66)

# lsb_release -a
LSB Version:
:core-4.0-amd64:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-noarch
Distributor ID: CentOS
Description:    CentOS release 6.3 (Final)
Release:        6.3
Codename:       Final

# rpm -qa | egrep '(ipa-|sssd)'
ipa-pki-common-theme-9.0.3-7.el6.noarch
sssd-client-1.8.0-32.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-admintools-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64
ipa-python-2.2.0-16.el6.x86_64
sssd-1.8.0-32.el6.x86_64
ipa-server-selinux-2.2.0-16.el6.x86_64

Thanks in advance.

_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a>
</pre>
    </blockquote>
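    <br>
    Added example, not part of the original thread: the value after "challenge=Negotiate" in the quoted Firefox log is a base64 SPNEGO token, and this minimal DER reader decodes it to show the negotiation state and mechanism the server returned. The function names and the returned dictionary layout are assumptions made for this example.<br>

```python
import base64

# negState values from RFC 4178 (SPNEGO), section 4.2.2
NEG_STATES = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}
KNOWN_MECHS = {"1.2.840.113554.1.2.2": "Kerberos V5"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    # The first content byte packs the first two arcs as 40 * arc1 + arc2.
    arcs, value = [min(body[0] // 40, 2)], 0
    arcs.append(body[0] - 40 * arcs[0])
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_neg_token_resp(b64_token):
    """Decode the server's SPNEGO NegTokenResp from a Negotiate header value."""
    raw = base64.b64decode(b64_token, validate=True)
    tag, body, _ = read_tlv(raw, 0)
    if tag != 0xA1:  # context tag [1] selects negTokenResp
        raise ValueError("not a NegTokenResp (tag 0x%02x)" % tag)
    tag, seq, _ = read_tlv(body, 0)
    if tag != 0x30:
        raise ValueError("expected a SEQUENCE inside the NegTokenResp")
    result = {"length": len(raw), "neg_state": None, "mech": None}
    pos = 0
    while pos < len(seq):
        ctx, inner, pos = read_tlv(seq, pos)
        _, value, _ = read_tlv(inner, 0)
        if ctx == 0xA0:  # [0] negState, ENUMERATED
            result["neg_state"] = NEG_STATES.get(value[0], "unknown")
        elif ctx == 0xA1:  # [1] supportedMech, OBJECT IDENTIFIER
            oid = decode_oid(value)
            result["mech"] = KNOWN_MECHS.get(oid, oid)
    return result

TOKEN = "oRQwEqADCgEAoQsGCSqGSIb3EgECAg=="  # copied from the quoted Firefox log
```

    For the token in the log, parse_neg_token_resp(TOKEN) reports accept-completed with the Kerberos V5 mechanism, and its 22-byte length matches the "GSS-API token of length 22 bytes will be sent back" lines from mod_auth_kerb.<br>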
  </body>
</html>