[Freeipa-users] Problem with webui: kerberos ticket no longer valid

Ondrej Valousek ondrejv at s3group.cz
Fri Aug 24 10:06:24 UTC 2012


try running 'kinit -R'?

On 08/24/2012 11:56 AM, David Sastre wrote:
> Hello,
>
> I'm having an issue with the web UI: it is returning a "Kerberos ticket
> is no longer valid" message even though I have a valid ticket:
>
> $ ssh sysadm@panoramix 'klist'
>
> Ticket cache: FILE:/tmp/krb5cc_500
> Default principal: admin@DOMAIN.COM
>
> Valid starting     Expires            Service principal
> 08/24/12 10:42:57  08/25/12 10:42:53  krbtgt/DOMAIN.COM@DOMAIN.COM
> 08/24/12 10:43:19  08/25/12 10:42:53  HTTP/panoramix.domain.com@DOMAIN.COM
>
> Following the advice in:
>
> https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Troubleshooting-UI.html
>
> I have obtained this log:
>
> $ ssh -X sysadm@panoramix 'export NSPR_LOG_MODULES=negotiateauth:5;
> export NSPR_LOG_FILE=/tmp/moz.log; firefox'
>
> 973989664[7f8b38e5b040]:   using REQ_DELEGATE
> 973989664[7f8b38e5b040]:   service = panoramix.domain.com
> 973989664[7f8b38e5b040]:   using negotiate-gss
> 973989664[7f8b38e5b040]: entering nsAuthGSSAPI::nsAuthGSSAPI()
> 973989664[7f8b38e5b040]: entering nsAuthGSSAPI::Init()
> 973989664[7f8b38e5b040]: nsHttpNegotiateAuth::GenerateCredentials()
> [challenge=Negotiate]
> 973989664[7f8b38e5b040]: entering nsAuthGSSAPI::GetNextToken()
> 973989664[7f8b38e5b040]:   leaving nsAuthGSSAPI::GetNextToken [rv=0]
> 973989664[7f8b38e5b040]:   Sending a token of length 1375
> 973989664[7f8b38e5b040]: nsHttpNegotiateAuth::GenerateCredentials()
> [challenge=Negotiate oRQwEqADCgEAoQsGCSqGSIb3EgECAg==]
> 973989664[7f8b38e5b040]: entering nsAuthGSSAPI::GetNextToken()
> 973989664[7f8b38e5b040]:   leaving nsAuthGSSAPI::GetNextToken [rv=4b0028]
> 973989664[7f8b38e5b040]:   No output token to send, exiting
> 973989664[7f8b38e5b040]:   using REQ_DELEGATE
> 973989664[7f8b38e5b040]:   service = panoramix.domain.com
> 973989664[7f8b38e5b040]:   using negotiate-gss
> 973989664[7f8b38e5b040]: entering nsAuthGSSAPI::nsAuthGSSAPI()
> 973989664[7f8b38e5b040]: entering nsAuthGSSAPI::Init()
> 973989664[7f8b38e5b040]: nsHttpNegotiateAuth::GenerateCredentials()
> [challenge=Negotiate]
> 973989664[7f8b38e5b040]: entering nsAuthGSSAPI::GetNextToken()
> 973989664[7f8b38e5b040]:   leaving nsAuthGSSAPI::GetNextToken [rv=0]
> 973989664[7f8b38e5b040]:   Sending a token of length 1375
> 973989664[7f8b38e5b040]:   using REQ_DELEGATE
> 973989664[7f8b38e5b040]:   service = panoramix.domain.com
> 973989664[7f8b38e5b040]:   using negotiate-gss
> 973989664[7f8b38e5b040]: entering nsAuthGSSAPI::nsAuthGSSAPI()
> 973989664[7f8b38e5b040]: entering nsAuthGSSAPI::Init()
> 973989664[7f8b38e5b040]: nsHttpNegotiateAuth::GenerateCredentials()
> [challenge=Negotiate]
> 973989664[7f8b38e5b040]: entering nsAuthGSSAPI::GetNextToken()
> 973989664[7f8b38e5b040]:   leaving nsAuthGSSAPI::GetNextToken [rv=0]
> 973989664[7f8b38e5b040]:   Sending a token of length 1375
> 973989664[7f8b38e5b040]: nsHttpNegotiateAuth::GenerateCredentials()
> [challenge=Negotiate oRQwEqADCgEAoQsGCSqGSIb3EgECAg==]
> 973989664[7f8b38e5b040]: entering nsAuthGSSAPI::GetNextToken()
> 973989664[7f8b38e5b040]:   leaving nsAuthGSSAPI::GetNextToken [rv=4b0028]
> 973989664[7f8b38e5b040]:   No output token to send, exiting
>
> Relevant portions of Apache's access and error logs with LogLevel Debug are:
>
> 172.22.249.66 - - [24/Aug/2012:11:43:52 +0200] "POST /ipa/session/json
> HTTP/1.1" 401 1856 "https://panoramix.domain.com/ipa/ui/" "Mozilla/5.0
> (X11; Linux x86_64; rv:10.0.6) Gecko/20120717 Firefox/10.0.6"
> 172.22.249.66 - admin@DOMAIN.COM [24/Aug/2012:11:43:52 +0200] "POST
> /ipa/session/json HTTP/1.1" 401 -
> "https://panoramix.domain.com/ipa/ui/" "Mozilla/5.0 (X11; Linux
> x86_64; rv:10.0.6) Gecko/20120717 Firefox/10.0.6"
> 172.22.249.66 - - [24/Aug/2012:11:43:52 +0200] "GET
> /ipa/session/login_kerberos HTTP/1.1" 401 1856
> "https://panoramix.domain.com/ipa/ui/" "Mozilla/5.0 (X11; Linux
> x86_64; rv:10.0.6) Gecko/20120717 Firefox/10.0.6"
> 172.22.249.66 - admin@DOMAIN.COM [24/Aug/2012:11:43:52 +0200] "GET
> /ipa/session/login_kerberos HTTP/1.1" 200 -
> "https://panoramix.domain.com/ipa/ui/" "Mozilla/5.0 (X11; Linux
> x86_64; rv:10.0.6) Gecko/20120717 Firefox/10.0.6"
> 172.22.249.66 - - [24/Aug/2012:11:43:52 +0200] "POST /ipa/session/json
> HTTP/1.1" 401 1856 "https://panoramix.domain.com/ipa/ui/" "Mozilla/5.0
> (X11; Linux x86_64; rv:10.0.6) Gecko/20120717 Firefox/10.0.6"
> 172.22.249.66 - admin@DOMAIN.COM [24/Aug/2012:11:43:52 +0200] "POST
> /ipa/session/json HTTP/1.1" 401 -
> "https://panoramix.domain.com/ipa/ui/" "Mozilla/5.0 (X11; Linux
> x86_64; rv:10.0.6) Gecko/20120717 Firefox/10.0.6"
>
> [Fri Aug 24 11:43:52 2012] [error] [client 172.22.249.66] File does
> not exist: /var/www/htdocs/panoramix.domain.com/ca
> [Fri Aug 24 11:43:52 2012] [info] Initial (No.1) HTTPS request
> received for child 194 (server panoramix.domain.com:443)
> [Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1939): [client
> 172.22.249.66] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos, referer: https://panoramix.domain.com/ipa/ui/
> [Fri Aug 24 11:43:52 2012] [info] Connection to child 194 closed
> (server panoramix.domain.com:443, client 172.22.249.66)
> [Fri Aug 24 11:43:52 2012] [info] Connection to child 196 established
> (server panoramix.domain.com:443, client 172.22.249.66)
> [Fri Aug 24 11:43:52 2012] [info] Initial (No.1) HTTPS request
> received for child 196 (server panoramix.domain.com:443)
> [Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1939): [client
> 172.22.249.66] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos, referer: https://panoramix.domain.com/ipa/ui/
> [Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1278): [client
> 172.22.249.66] Acquiring creds for HTTP@panoramix.domain.com, referer:
> https://panoramix.domain.com/ipa/ui/
> [Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1691): [client
> 172.22.249.66] Verifying client data using KRB5 GSS-API , referer:
> https://panoramix.domain.com/ipa/ui/
> [Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1707): [client
> 172.22.249.66] Client delegated us their credential, referer:
> https://panoramix.domain.com/ipa/ui/
> [Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1726): [client
> 172.22.249.66] GSS-API token of length 22 bytes will be sent back,
> referer: https://panoramix.domain.com/ipa/ui/
> [Fri Aug 24 11:43:52 2012] [info] Connection to child 196 closed
> (server panoramix.domain.com:443, client 172.22.249.66)
> [Fri Aug 24 11:43:52 2012] [info] Connection to child 197 established
> (server panoramix.domain.com:443, client 172.22.249.66)
> [Fri Aug 24 11:43:52 2012] [info] Initial (No.1) HTTPS request
> received for child 197 (server panoramix.domain.com:443)
> [Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1939): [client
> 172.22.249.66] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos, referer: https://panoramix.domain.com/ipa/ui/
> [Fri Aug 24 11:43:52 2012] [info] Connection to child 197 closed
> (server panoramix.domain.com:443, client 172.22.249.66)
> [Fri Aug 24 11:43:52 2012] [info] Connection to child 198 established
> (server panoramix.domain.com:443, client 172.22.249.66)
> [Fri Aug 24 11:43:52 2012] [info] Initial (No.1) HTTPS request
> received for child 198 (server panoramix.domain.com:443)
> [Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1939): [client
> 172.22.249.66] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos, referer: https://panoramix.domain.com/ipa/ui/
> [Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1278): [client
> 172.22.249.66] Acquiring creds for HTTP@panoramix.domain.com, referer:
> https://panoramix.domain.com/ipa/ui/
> [Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1691): [client
> 172.22.249.66] Verifying client data using KRB5 GSS-API , referer:
> https://panoramix.domain.com/ipa/ui/
> [Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1707): [client
> 172.22.249.66] Client delegated us their credential, referer:
> https://panoramix.domain.com/ipa/ui/
> [Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1726): [client
> 172.22.249.66] GSS-API token of length 22 bytes will be sent back,
> referer: https://panoramix.domain.com/ipa/ui/
> [Fri Aug 24 11:43:52 2012] [info] Connection to child 198 closed
> (server panoramix.domain.com:443, client 172.22.249.66)
> [Fri Aug 24 11:43:52 2012] [info] Connection to child 199 established
> (server panoramix.domain.com:443, client 172.22.249.66)
> [Fri Aug 24 11:43:52 2012] [info] Initial (No.1) HTTPS request
> received for child 199 (server panoramix.domain.com:443)
> [Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1939): [client
> 172.22.249.66] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos, referer: https://panoramix.domain.com/ipa/ui/
> [Fri Aug 24 11:43:52 2012] [info] Connection to child 199 closed
> (server panoramix.domain.com:443, client 172.22.249.66)
> [Fri Aug 24 11:43:52 2012] [info] Connection to child 200 established
> (server panoramix.domain.com:443, client 172.22.249.66)
> [Fri Aug 24 11:43:52 2012] [info] Initial (No.1) HTTPS request
> received for child 200 (server panoramix.domain.com:443)
> [Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1939): [client
> 172.22.249.66] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos, referer: https://panoramix.domain.com/ipa/ui/
> [Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1278): [client
> 172.22.249.66] Acquiring creds for HTTP@panoramix.domain.com, referer:
> https://panoramix.domain.com/ipa/ui/
> [Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1691): [client
> 172.22.249.66] Verifying client data using KRB5 GSS-API , referer:
> https://panoramix.domain.com/ipa/ui/
> [Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1707): [client
> 172.22.249.66] Client delegated us their credential, referer:
> https://panoramix.domain.com/ipa/ui/
> [Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1726): [client
> 172.22.249.66] GSS-API token of length 22 bytes will be sent back,
> referer: https://panoramix.domain.com/ipa/ui/
> [Fri Aug 24 11:43:52 2012] [info] Connection to child 200 closed
> (server panoramix.domain.com:443, client 172.22.249.66)
>
> # lsb_release -a
> LSB Version:
> :core-4.0-amd64:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-noarch
> Distributor ID: CentOS
> Description:    CentOS release 6.3 (Final)
> Release:        6.3
> Codename:       Final
>
> # rpm -qa | egrep '(ipa-|sssd)'
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> sssd-client-1.8.0-32.el6.x86_64
> ipa-client-2.2.0-16.el6.x86_64
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> ipa-admintools-2.2.0-16.el6.x86_64
> ipa-server-2.2.0-16.el6.x86_64
> ipa-python-2.2.0-16.el6.x86_64
> sssd-1.8.0-32.el6.x86_64
> ipa-server-selinux-2.2.0-16.el6.x86_64
>
> Thanks in advance.
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
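
Added example, not part of the original thread: the `[challenge=Negotiate ...]` value in the Firefox log above is a base64-encoded SPNEGO NegTokenResp (RFC 4178), and decoding it shows what the server answered. The minimal DER reader and its function names are written for this illustration and are not FreeIPA or Firefox code.

```python
import base64

NEG_STATES = {0: "accept-completed", 1: "accept-incomplete",
              2: "reject", 3: "request-mic"}
KNOWN_MECHS = {"1.2.840.113554.1.2.2": "Kerberos V5",
               "1.3.6.1.5.5.2": "SPNEGO"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Decode a DER OBJECT IDENTIFIER body into dotted notation."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends the arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_neg_token_resp(b64):
    """Summarise the fields of a base64 SPNEGO NegTokenResp."""
    buf = base64.b64decode(b64)
    tag, body, _ = read_tlv(buf, 0)
    if tag != 0xA1:                        # [1] = NegTokenResp; 0x60 = initial token
        raise ValueError("not a NegTokenResp")
    tag, seq, _ = read_tlv(body, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    out, pos = {"length": len(buf)}, 0
    while pos < len(seq):
        ctx, field, pos = read_tlv(seq, pos)
        _, inner, _ = read_tlv(field, 0)
        if ctx == 0xA0:                    # negState ENUMERATED
            out["negState"] = NEG_STATES.get(inner[0], "unknown(%d)" % inner[0])
        elif ctx == 0xA1:                  # supportedMech OID
            oid = decode_oid(inner)
            out["supportedMech"] = KNOWN_MECHS.get(oid, oid)
        elif ctx == 0xA2:                  # responseToken: report size only
            out["responseTokenLength"] = len(inner)
    return out

# Token copied from the negotiateauth log quoted in this thread.
LOGGED_CHALLENGE = "oRQwEqADCgEAoQsGCSqGSIb3EgECAg=="
```

For the token in the log, `parse_neg_token_resp(LOGGED_CHALLENGE)` reports `accept-completed` with the Kerberos V5 mechanism and a total length of 22 bytes, which matches the "GSS-API token of length 22 bytes will be sent back" line in the Apache error log.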