<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Mar 5, 2015 at 4:16 PM, Dmitri Pal <span dir="ltr"><<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><div><div class="h5">
<div>On 03/05/2015 04:15 PM, Dan Mossor
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div><span style="font-family:monospace,monospace">Good
day, folks.<br>
<br>
</span></div>
<span style="font-family:monospace,monospace">This
time it is something different, yet the
same. I have re-deployed my IPA installation
due to some underlying issues with the host
of the virtual machine. Even with the new
installation, I cannot authenticate through
the web UI.<br>
<br>
</span></div>
<span style="font-family:monospace,monospace">So
far, there is exactly one client in the domain
(my workstation), and exactly one user -
admin. I am not comfortable with the command
line tools, and I have others below my
position that require a GUI for management
purposes, so I have to make this work to
proceed any further.<br>
<br>
</span></div>
<span style="font-family:monospace,monospace">Following
up with the information Martin asked for in my
previous thread, let me walk you through the
process:<br>
<br>
</span></div>
<span style="font-family:monospace,monospace">I
attempted to log in to <a href="https://vader.rez.lcl/" target="_blank">https://vader.rez.lcl/</a>,
and received the error "Your session has expired.
Please re-login." At this point, I clicked the
link to configure Firefox. On the command line, I
obtained a kerberos ticket for admin (note - I am
root on this workstation for the time being):<br>
<br>
[root@dmfedora ~]# kinit admin<br>
Password for <a href="mailto:admin@REZ.LCL" target="_blank">admin@REZ.LCL</a>: <br>
[root@dmfedora ~]# klist<br>
Ticket cache: KEYRING:persistent:0:0<br>
Default principal: <a href="mailto:admin@REZ.LCL" target="_blank">admin@REZ.LCL</a><br>
<br>
Valid starting Expires Service
principal<br>
03/05/2015 14:46:22 03/06/2015 14:46:15
<a href="mailto:krbtgt/REZ.LCL@REZ.LCL" target="_blank">krbtgt/REZ.LCL@REZ.LCL</a><br>
<br>
</span></div>
<span style="font-family:monospace,monospace">I then
finished the Firefox configuration, and attempted to
log in again. I still received the error. The
Firefox console shows:<br>
<br>
POST <a href="https://vader.rez.lcl/ipa/session/login_password" target="_blank">https://vader.rez.lcl/ipa/session/login_password</a>
[HTTP/1.1 200 Success 756ms]<br>
POST <a href="https://vader.rez.lcl/ipa/session/json" target="_blank">https://vader.rez.lcl/ipa/session/json</a>
[HTTP/1.1 401 Unauthorized 3ms]<br>
GET <a href="https://vader.rez.lcl/ipa/session/login_kerberos" target="_blank">https://vader.rez.lcl/ipa/session/login_kerberos</a>
[HTTP/1.1 401 Unauthorized 2ms]<br>
GET <a href="https://vader.rez.lcl/ipa/session/login_kerberos" target="_blank">https://vader.rez.lcl/ipa/session/login_kerberos</a>
[HTTP/1.1 200 Success 26ms]<br>
POST <a href="https://vader.rez.lcl/ipa/session/json" target="_blank">https://vader.rez.lcl/ipa/session/json</a>
[HTTP/1.1 401 Unauthorized 4ms]<br>
<br>
</span></div>
<span style="font-family:monospace,monospace">/var/log/krb5kdc.log
during the process:<br>
Mar 05 21:06:30 vader.rez.lcl krb5kdc[1073](info):
AS_REQ (6 etypes {18 17 16 23 25 26}) <a href="http://10.1.0.1" target="_blank">10.1.0.1</a>:
NEEDED_PREAUTH: <a href="mailto:HTTP/vader.rez.lcl@REZ.LCL" target="_blank">HTTP/vader.rez.lcl@REZ.LCL</a> for
<a href="mailto:krbtgt/REZ.LCL@REZ.LCL" target="_blank">krbtgt/REZ.LCL@REZ.LCL</a>, Additional pre-authentication
required<br>
Mar 05 21:06:30 vader.rez.lcl krb5kdc[1073](info):
AS_REQ (6 etypes {18 17 16 23 25 26}) <a href="http://10.1.0.1" target="_blank">10.1.0.1</a>:
ISSUE: authtime 1425589590, etypes {rep=18 tkt=18
ses=18}, <a href="mailto:HTTP/vader.rez.lcl@REZ.LCL" target="_blank">HTTP/vader.rez.lcl@REZ.LCL</a> for
<a href="mailto:krbtgt/REZ.LCL@REZ.LCL" target="_blank">krbtgt/REZ.LCL@REZ.LCL</a><br>
Mar 05 21:06:30 vader.rez.lcl krb5kdc[1073](info):
AS_REQ (6 etypes {18 17 16 23 25 26}) <a href="http://10.1.0.1" target="_blank">10.1.0.1</a>:
NEEDED_PREAUTH: <a href="mailto:admin@REZ.LCL" target="_blank">admin@REZ.LCL</a> for
<a href="mailto:krbtgt/REZ.LCL@REZ.LCL" target="_blank">krbtgt/REZ.LCL@REZ.LCL</a>, Additional pre-authentication
required<br>
Mar 05 21:06:30 vader.rez.lcl krb5kdc[1073](info):
AS_REQ (6 etypes {18 17 16 23 25 26}) <a href="http://10.1.0.1" target="_blank">10.1.0.1</a>:
ISSUE: authtime 1425589590, etypes {rep=18 tkt=18
ses=18}, <a href="mailto:admin@REZ.LCL" target="_blank">admin@REZ.LCL</a> for <a href="mailto:krbtgt/REZ.LCL@REZ.LCL" target="_blank">krbtgt/REZ.LCL@REZ.LCL</a><br>
<br>
</span></div>
<span style="font-family:monospace,monospace">/var/log/httpd/access_log
shows the same thing as the Firefox console:<br>
10.1.1.15 - - [05/Mar/2015:21:06:30 +0000] "POST
/ipa/session/login_password HTTP/1.1" 200 25<br>
10.1.1.15 - - [05/Mar/2015:21:06:31 +0000] "POST
/ipa/session/json HTTP/1.1" 401 -<br>
10.1.1.15 - - [05/Mar/2015:21:06:31 +0000] "GET
/ipa/session/login_kerberos?_=1425587158134 HTTP/1.1"
401 1469<br>
10.1.1.15 - <a href="mailto:admin@REZ.LCL" target="_blank">admin@REZ.LCL</a> [05/Mar/2015:21:06:31 +0000]
"GET /ipa/session/login_kerberos?_=1425587158134
HTTP/1.1" 200 20<br>
10.1.1.15 - - [05/Mar/2015:21:06:31 +0000] "POST
/ipa/session/json HTTP/1.1" 401 -<br>
<br>
</span></div>
<span style="font-family:monospace,monospace">Nothing is
entered into any error logs, the audit log, or the system
journal. I am at my wits' end here, and lost. What other
information do you need to help me solve this problem?<br>
<br>
</span></div>
<span style="font-family:monospace,monospace">Thank you,<br>
</span></div>
<span style="font-family:monospace,monospace">Dan Mossor<br>
<br>
--<br>
</span>
<pre style="margin:0em">Dan Mossor, RHCSA
Systems Engineer at Large
Fedora Plasma Product WG | Fedora QA Team | Fedora Server WG
Fedora Infrastructure Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA</pre>
</div>
<br>
<br>
</blockquote></div></div>
Can you authenticate using the UI from the server host?<br>
It seems that the Kerberos authentication goes through but then it
is lost.<br>
So here are some wild ideas:<br>
- Is the browser properly configured? Maybe there is something with
the browser that is not working? Have you cleaned the old IPA CA
cert? It might not be related, but I have seen issues in the past
with it.<br>
- Are you sure that the server has all the components? For example,
the session on the server side is stored in memcached. If it is not
running, or something is not right with it, the ticket sharing might
be broken. <br><span class=""><font color="#888888">
<br>
<pre cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
</font></span></div></blockquote><div><font face="monospace,monospace">First off, apologies if the thread is broken - I am stuck using the Gmail interface temporarily.<br><br></font><div class="gmail_extra"><font face="monospace,monospace">The
server host - both the actual host and the IPA server - do not have
GUIs on them, so I cannot launch a web browser from them. The old IPA CA
cert was never on this workstation - this workstation was built
Tuesday, and the IPA server deployed yesterday. The previous one I was
having issues with had already been wiped - so this is starting off from
scratch with both the server and the client. I did check the
ipa_memcached service as suggested by Martin in my previous thread.<br><br></font><pre style="margin:0em">[root@vader ipa]# systemctl status httpd.service dirsrv@REZ-LCL.service ipa_memcached.service
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
   Active: active (running) since Fri 2015-03-06 18:19:16 GMT; 19h left
 Main PID: 1103 (httpd)
   Status: "Total requests: 150; Idle/Busy workers 100/0;Requests/sec: 3.49e-08; Bytes served/sec: 0 B/sec"
   CGroup: /system.slice/httpd.service
           ├─1103 /usr/sbin/httpd -DFOREGROUND
           ├─1104 /usr/libexec/nss_pcache 98307 off /etc/httpd/alias
           ├─1105 /usr/sbin/httpd -DFOREGROUND
           ├─1107 /usr/sbin/httpd -DFOREGROUND
           ├─1108 /usr/sbin/httpd -DFOREGROUND
           ├─1111 /usr/sbin/httpd -DFOREGROUND
           ├─1113 /usr/sbin/httpd -DFOREGROUND
           ├─1339 /usr/sbin/httpd -DFOREGROUND
           ├─1471 /usr/sbin/httpd -DFOREGROUND
           ├─1473 /usr/sbin/httpd -DFOREGROUND
           ├─1474 /usr/sbin/httpd -DFOREGROUND
           ├─1475 /usr/sbin/httpd -DFOREGROUND
           ├─1926 /usr/sbin/httpd -DFOREGROUND
           └─1927 /usr/sbin/httpd -DFOREGROUND

Mar 05 19:58:34 vader.rez.lcl httpd[1107]: GSSAPI client step 1
Mar 05 19:58:34 vader.rez.lcl httpd[1107]: GSSAPI client step 2
Mar 05 19:58:34 vader.rez.lcl httpd[1105]: GSSAPI client step 1
Mar 05 19:58:34 vader.rez.lcl httpd[1105]: GSSAPI client step 1
Mar 05 19:58:34 vader.rez.lcl httpd[1105]: GSSAPI client step 1
Mar 05 19:58:34 vader.rez.lcl httpd[1105]: GSSAPI client step 2
Mar 05 19:58:35 vader.rez.lcl httpd[1107]: GSSAPI client step 1
Mar 05 19:58:35 vader.rez.lcl httpd[1107]: GSSAPI client step 1
Mar 05 19:58:36 vader.rez.lcl httpd[1107]: GSSAPI client step 1
Mar 05 19:58:36 vader.rez.lcl httpd[1107]: GSSAPI client step 2

● dirsrv@REZ-LCL.service - 389 Directory Server REZ-LCL.
   Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled)
   Active: active (running) since Fri 2015-03-06 18:18:53 GMT; 19h left
  Process: 1006 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i /var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid (code=exited, status=0/SUCCESS)
 Main PID: 1020 (ns-slapd)
   CGroup: /system.slice/system-dirsrv.slice/dirsrv@REZ-LCL.service
           └─1020 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-REZ-LCL -i /var/run/dirsrv/slapd-REZ-LCL.pid -w /var/run/dirsrv/slapd-REZ-LCL.startpid

Mar 05 21:43:46 vader.rez.lcl ns-slapd[1020]: GSSAPI server step 3
Mar 05 21:58:46 vader.rez.lcl ns-slapd[1020]: GSSAPI server step 1
Mar 05 21:58:47 vader.rez.lcl ns-slapd[1020]: GSSAPI server step 2
Mar 05 21:58:47 vader.rez.lcl ns-slapd[1020]: GSSAPI server step 3
Mar 05 22:13:47 vader.rez.lcl ns-slapd[1020]: GSSAPI server step 1
Mar 05 22:13:47 vader.rez.lcl ns-slapd[1020]: GSSAPI server step 2
Mar 05 22:13:47 vader.rez.lcl ns-slapd[1020]: GSSAPI server step 3
Mar 05 22:28:48 vader.rez.lcl ns-slapd[1020]: GSSAPI server step 1
Mar 05 22:28:48 vader.rez.lcl ns-slapd[1020]: GSSAPI server step 2
Mar 05 22:28:48 vader.rez.lcl ns-slapd[1020]: GSSAPI server step 3

● ipa_memcached.service - IPA memcached daemon, increases IPA server performance
   Loaded: loaded (/usr/lib/systemd/system/ipa_memcached.service; disabled)
   Active: active (running) since Fri 2015-03-06 18:19:15 GMT; 19h left
  Process: 1094 ExecStart=/usr/bin/memcached -d -s $SOCKET_PATH -u $USER -m $CACHESIZE -c $MAXCONN -P /var/run/ipa_memcached/ipa_memcached.pid $OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 1095 (memcached)
   CGroup: /system.slice/ipa_memcached.service
           └─1095 /usr/bin/memcached -d -s /var/run/ipa_memcached/ipa_memcached -u apache -m 64 -c 1024 -P /var/run/ipa_memcached/ipa_memcached.pid
[root@vader ipa]#</pre></div><div class="gmail_extra"><span style="font-family:monospace,monospace">Thanks,<br></span></div><div class="gmail_extra"><span style="font-family:monospace,monospace">Dan</span></div><div class=""><span class="im"><div class="gmail_extra"><pre style="margin:0em">--
Dan Mossor, RHCSA
Systems Engineer at Large
Fedora Plasma Product WG | Fedora QA Team | Fedora Server WG
Fedora Infrastructure Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA</pre></div></span></div> </div></div></div></div>
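<p>The symptom both posters read out of the logs above is a successful login (HTTP 200 on <code>/ipa/session/login_password</code> or on the second, ticket-bearing <code>/ipa/session/login_kerberos</code> request) followed within a second by HTTP 401 on <code>/ipa/session/json</code>, which is the session cookie not being honoured. The following is an added example, written for this page and not code from FreeIPA or from either poster, that scans <code>/var/log/httpd/access_log</code> lines for exactly that sequence so the pattern can be spotted across many clients instead of by eye. The sample log is constructed: the first five lines are the ones quoted in the thread, and a second client, 10.1.1.20, is an assumed healthy session added for contrast. The 10-second window is an assumption, not a FreeIPA setting.</p>

```python
"""Flag FreeIPA web-UI logins whose session is rejected right after authenticating.

Added example for this thread, not code from FreeIPA or from either poster.
Reads httpd access_log lines in Common Log Format and reports clients that get
HTTP 200 from a login endpoint and then HTTP 401 from /ipa/session/json within
a short window, the sequence shown in the thread's access_log excerpt.
"""
import re
from datetime import datetime, timedelta

# Common Log Format: host ident user [time] "method path proto" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)$'
)

LOGIN_PATHS = ("/ipa/session/login_password", "/ipa/session/login_kerberos")
SESSION_PATH = "/ipa/session/json"

# Constructed sample: lines 1-5 are copied from the thread, lines 6-8 are an
# assumed healthy session from a second client for contrast.
SAMPLE_ACCESS_LOG = """\
10.1.1.15 - - [05/Mar/2015:21:06:30 +0000] "POST /ipa/session/login_password HTTP/1.1" 200 25
10.1.1.15 - - [05/Mar/2015:21:06:31 +0000] "POST /ipa/session/json HTTP/1.1" 401 -
10.1.1.15 - - [05/Mar/2015:21:06:31 +0000] "GET /ipa/session/login_kerberos?_=1425587158134 HTTP/1.1" 401 1469
10.1.1.15 - admin@REZ.LCL [05/Mar/2015:21:06:31 +0000] "GET /ipa/session/login_kerberos?_=1425587158134 HTTP/1.1" 200 20
10.1.1.15 - - [05/Mar/2015:21:06:31 +0000] "POST /ipa/session/json HTTP/1.1" 401 -
10.1.1.20 - - [05/Mar/2015:21:10:00 +0000] "GET /ipa/session/login_kerberos?_=1 HTTP/1.1" 401 1469
10.1.1.20 - admin@REZ.LCL [05/Mar/2015:21:10:00 +0000] "GET /ipa/session/login_kerberos?_=1 HTTP/1.1" 200 20
10.1.1.20 - - [05/Mar/2015:21:10:01 +0000] "POST /ipa/session/json HTTP/1.1" 200 412
"""


def parse_clf(line):
    """Return a dict for one access_log line, or None if it does not match CLF."""
    m = CLF_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    # Drop the query string: the UI appends a cache-buster such as ?_=1425587158134.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def find_lost_sessions(lines, window=timedelta(seconds=10)):
    """Return (host, user, login_path, login_time, json_time) per lost session.

    A 401 on /ipa/session/login_kerberos is NOT a failure: it is the normal
    WWW-Authenticate: Negotiate challenge that precedes the 200 carrying the
    ticket, so only a 200 on a login path counts as a login. The window is an
    assumed value for this example.
    """
    last_login = {}  # host -> record of its most recent successful login
    findings = []
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            continue
        host = rec["host"]
        if rec["path"] in LOGIN_PATHS and rec["status"] == 200:
            last_login[host] = rec
        elif rec["path"] == SESSION_PATH:
            login = last_login.get(host)
            if rec["status"] == 401 and login and rec["time"] - login["time"] <= window:
                findings.append((host, login["user"], login["path"], login["time"], rec["time"]))
                del last_login[host]  # one finding per login
            elif rec["status"] == 200:
                last_login.pop(host, None)  # cookie was honoured; nothing to report
    return findings


if __name__ == "__main__":
    for host, user, path, t_login, t_json in find_lost_sessions(SAMPLE_ACCESS_LOG.splitlines()):
        print(f"{host} user={user} login={path} at {t_login:%H:%M:%S} -> json 401 at {t_json:%H:%M:%S}")
```

<p>Run against the real file with <code>find_lost_sessions(open("/var/log/httpd/access_log"))</code>; only the 10.1.1.15 client is reported, once for the password login and once for the Kerberos login, while the contrasting client whose <code>/ipa/session/json</code> call returned 200 produces nothing. The 401 that precedes the 200 on <code>login_kerberos</code> is deliberately ignored, since it is the SPNEGO challenge rather than a rejected session.</p>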