<html> <head> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> On 10/16/2012 07:30 PM, Brian Vetter wrote: <blockquote cite="mid:DD51E69C-132B-43D1-9EED-4E698A25AFA5@gmail.com" type="cite">I had a happy, working 2.2 FreeIPA installation humming along last week. I had to do some maintenance so I shut everything down. When I brought everything up, I can no longer log into the web admin tool. I get a "Kerberos ticket is no longer valid" error. <div><br> </div> <div>Using the troubleshooting pages on the wiki as a guide, I can kinit successfully and see the tickets using klist. I can use the ldapsearch tool using GSSAPI to authenticate as well and can return results from the ldap server. 'ldapsearch -Y GSSAPI -b "dc=dcc,dc=mobi" uid=admin' returns a valid ldap recors for my admin user. I ran this command kinit from multiple kerberos principals/users and each worked.</div> <div><br> </div> <div>I verified my config settings again with firefox and they are still set correctly (auth.delegation-uris, auth.trusted-users both set to my domain .dcc.mobi). The cert was accepted (no warnings about the cert not being trusted because I had already set it to trusted). I turned on the NSPR logging as described in the documents, and didn't see an error, although I can't tell if this is correct:</div> <div><br> </div> <blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;"> <div> <div>492291904[7f4d1d31f6a0]: using REQ_DELEGATE</div> </div> <div> <div>492291904[7f4d1d31f6a0]: service = geonosis.dcc.mobi</div> </div> <div> <div>492291904[7f4d1d31f6a0]: using negotiate-gss</div> </div> <div> <div>492291904[7f4d1d31f6a0]: entering nsAuthGSSAPI::nsAuthGSSAPI()</div> </div> <div> <div>492291904[7f4d1d31f6a0]: Attempting to load gss functions</div> </div> <div> <div>492291904[7f4d1d31f6a0]: entering nsAuthGSSAPI::Init()</div> </div> <div> <div>492291904[7f4d1d31f6a0]: nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate]</div> </div> <div> <div>492291904[7f4d1d31f6a0]: entering nsAuthGSSAPI::GetNextToken()</div> </div> <div> <div>492291904[7f4d1d31f6a0]: leaving nsAuthGSSAPI::GetNextToken [rv=0]</div> </div> <div> <div>492291904[7f4d1d31f6a0]: Sending a token of length 1394</div> </div> </blockquote> <div><br> </div> <div>There is nothing in /var/log/httpd/error_log. /var/log/httpd/access_log does have a few entries:</div> <div><br> </div> <blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;"> <div> <div>10.1.1.10 - - [16/Oct/2012:18:05:26 -0500] "POST /ca/ocsp HTTP/1.1" 200 2298 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:16.0) Gecko/20100101 Firefox/16.0"</div> </div> <div> <div>10.1.1.10 - - [16/Oct/2012:18:05:26 -0500] "POST /ipa/session/json HTTP/1.1" 401 -</div> </div> <div> <div>10.1.1.10 - - [16/Oct/2012:18:05:26 -0500] "GET /ipa/session/login_kerberos HTTP/1.1" 401 1861</div> </div> <div> <div>10.1.1.10 - <a moz-do-not-send="true" href="mailto:admin@DCC.MOBI">admin@DCC.MOBI</a> [16/Oct/2012:18:05:26 -0500] "GET /ipa/session/login_kerberos HTTP/1.1" 200 -</div> </div> <div> <div>10.1.1.10 - - [16/Oct/2012:18:05:26 -0500] "POST /ipa/session/json HTTP/1.1" 401 -</div> </div> </blockquote> <div><br> </div> <div>The 401's aren't surprising here since somehow, something is not properly authenticating.</div> <div><br> </div> <div>I also looked in /var/log/krb5kdc.log and see the following line when authenticating:</div> <div><br> </div> <blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;"> <div> <div>Oct 16 18:12:17 geonosis.dcc.mobi krb5kdc[1193](info): TGS_REQ (1 etypes {18}) 10.1.1.10: ISSUE: authtime 1350424404, etypes {rep=18 tkt=18 ses=18}, <a moz-do-not-send="true" href="mailto:admin@DCC.MOBI">admin@DCC.MOBI</a> for <a moz-do-not-send="true" href="mailto:krbtgt/DCC.MOBI@DCC.MOBI">krbtgt/DCC.MOBI@DCC.MOBI</a></div> </div> </blockquote> <div><br> </div> <div>I don't believe this describes an error, but I'm not an expert reading that log type.</div> <div><br> </div> <div>From what I can tell, the problems seem to be between the apache server and the browser. Both worked fine together last week. Is there something I can turn on in Apache (perhaps in the ipa.conf or auth_kerb.conf files) that can help debug this? Or better yet, anyone else seen this and have an answer? Is there some key/ticket/etc associated with the http server that might be "wrong" now (somehow whacked during the reboot)?</div> </blockquote> <br> Just to reiterate.<br> 1) You have a server that got rebooted.<br> 2) After reboot "kinit admin" works<br> 3) klist shows tickets<br> 4) logs show no errors<br> 5) You can do ldap search - no problem<br> 6) You stop FF and start it and it says "Kerberos ticket is no longer valid"<br> <br> <br> This is very similar to thread started by David Sastre with title "Problem with webui: kerberos ticket no longer valid".<br> The start of the thread is in August and the end is in September archive.<br> It might have an answer for you.<br> <br> HTH <br> <br> <br> <br> <blockquote cite="mid:DD51E69C-132B-43D1-9EED-4E698A25AFA5@gmail.com" type="cite"> <div><br> </div> <div>Thanks,</div> <div><br> </div> <div>Brian</div> <div><br> </div> <br> <fieldset class="mimeAttachmentHeader"></fieldset> <br> <pre wrap="">_______________________________________________ Freeipa-users mailing list <a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre> </blockquote> <br> <br> <pre class="moz-signature" cols="72">-- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? <a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a> </pre> </body> </html>