[Freeipa-users] WebUI authentication problems

Martin Kosek mkosek at redhat.com
Fri Feb 20 08:44:26 UTC 2015


On 02/20/2015 02:00 AM, Dan Mossor wrote:
> I just installed a new server on Fedora 21 Server, using the rolekit deployment
> tool. Everything was installed and configured (I hope) properly, but I'm
> running into a problem. The version is freeipa-server-4.1.2-1.fc21.x86_64, and
> I can connect to the WebUI only after a restart of ipa.service.
>
> After approximately 15 minutes, I am kicked out of the active session - while
> in the middle of using it - and cannot log back in. Login was attempted from 4
> browsers across two machines, and every time the login screen returns with
> "Your session has expired. Please re-login."
>
> /var/log/httpd/errors is showing the following:
> [Fri Feb 20 00:37:03.972736 2015] [auth_kerb:error] [pid 1158] [client
> 10.1.0.15:54958] gss_accept_sec_context() failed: Unspecified GSS failure.
> Minor code may provide more information (, ASN.1 structure is missing a
> required field), referer: https://vader.dom.net/ipa/ui/index.html
> [Fri Feb 20 00:37:34.300510 2015] [auth_kerb:error] [pid 1173] [client
> 10.1.0.15:54961] gss_accept_sec_context() failed: Unspecified GSS failure.
> Minor code may provide more information (, ASN.1 structure is missing a
> required field), referer: https://vader.dom.net/ipa/ui/index.html
> [Fri Feb 20 00:37:34.406615 2015] [auth_kerb:error] [pid 1616] [client
> 10.1.0.15:54965] gss_accept_sec_context() failed: Unspecified GSS failure.
> Minor code may provide more information (, ASN.1 structure is missing a
> required field), referer: https://vader.dom.net/ipa/ui/index.html
> [Fri Feb 20 00:37:50.356014 2015] [auth_kerb:error] [pid 1161] [client
> 10.1.0.15:54966] gss_accept_sec_context() failed: Unspecified GSS failure.
> Minor code may provide more information (, ASN.1 structure is missing a
> required field), referer: https://vader.dom.net/ipa/ui/index.html
> [Fri Feb 20 00:37:52.263088 2015] [auth_kerb:error] [pid 1417] [client
> 10.1.0.15:54968] gss_accept_sec_context() failed: Unspecified GSS failure.
> Minor code may provide more information (, ASN.1 structure is missing a
> required field), referer: https://vader.dom.net/ipa/ui/index.html
> [Fri Feb 20 00:37:52.327075 2015] [auth_kerb:error] [pid 1168] [client
> 10.1.0.15:54967] gss_accept_sec_context() failed: Unspecified GSS failure.
> Minor code may provide more information (, ASN.1 structure is missing a
> required field), referer: https://vader.dom.net/ipa/ui/index.html
> [Fri Feb 20 00:45:35.603016 2015] [auth_kerb:error] [pid 1173] [client
> 10.1.1.17:54157] gss_accept_sec_context() failed: An unsupported mechanism was
> requested (, Unknown error), referer: https://vader.dom.net/ipa/ui/
>
> Restarting httpd, I can log in, and am immediately logged out again with the
> above errors.
>
> Restarting ipa.service, I was able to log in with my user account, and was
> notified that my password expires in 0 days - even though it was just created
> less than an hour ago.
>
> Is this a known issue, or is there a hidden problem with the rolekit deployment
> that I need to track down?

CCing Petr for Web UI and Simo for the Kerberos part. We know about several 
common gotchas related to Web UI auth, having them documented on
http://www.freeipa.org/page/Troubleshooting#Cannot_authenticate_to_Web_UI

But this seems like a new case. You can still check the pointers on this page 
though. If none of them help, it may help to show us:

- the Kerberos ticket and default encryptions:
$ kinit
$ klist -e

- any related Kerberos errors from /var/log/krb5kdc.log

Martin
