[Freeipa-users] WebUI authentication problems

[Simo Sorce]

On Fri, 2015-02-20 at 11:44 +0100, Gianluca Cecchi wrote:
> On Fri, Feb 20, 2015 at 10:53 AM, Petr Vobornik <pvoborni at redhat.com> wrote:
> 
> > On 02/20/2015 09:44 AM, Martin Kosek wrote:
> >
> >> On 02/20/2015 02:00 AM, Dan Mossor wrote:
> >>
> >>> I just installed a new server on Fedora 21 Server, using the rolekit
> >>> deployment
> >>> tool. Everything was installed and configured (I hope) properly, but I'm
> >>> running into a problem. The version is
> >>> freeipa-server-4.1.2-1.fc21.x86_64, and
> >>> I can connect to the WebUI only after a restart of ipa.service.
> >>>
> >>
> Hello
> I actually have quite similar problems in CentOS 7 too,
> with ipa-server-3.3.3-28.0.1.el7.centos.3.x86_64 and related packages
> SO the same behavior that if I restart ipa service I'm able to connect
> (thanks btw, I didn't realize that, having big problems using the WebUI)
> and that my errors are of this type
> 
> [Fri Feb 20 10:32:15.850834 2015] [auth_kerb:error] [pid 2029] [client
> 192.168.1.128:50147] gss_accept_sec_context() failed: An unsupported
> mechanism was requested (, Unknown error), referer:
> https://c7server.localdomain.local/ipa/ui/
> [Fri Feb 20 10:32:22.670791 2015] [auth_kerb:error] [pid 15793] [client
> 192.168.1.128:50150] krb5_get_init_creds_password() failed: Decrypt
> integrity check failed, referer: https://c7server.localdomain.local/ipa/ui/
> 
> This happens both from an external browser (I enabled form authentication)
> and from a firefox session launched from the ipa server itself after
> configuring it for kerberos.
> 
> I don't want to mess with this thread so let me know if I have to open a
> dedicated thread specifying for example CentOS 7 or you think it is ok to
> get in here... so that I paste here other relevant info.

This is a completely different problem, it just means you do not have
appropriate tickets in your browser, which then probably prroceeds
trying to use the IAKERB mechanism, and fails.

Simo.