[Freeipa-users] Web UI Authentication errors - revisited

Dan Mossor danofsatx at gmail.com
Thu Mar 5 21:15:14 UTC 2015


Good day, folks.

This time it is something different, yet the same. I have re-deployed my
IPA installation due to some underlying issues with the host of the virtual
machine. Even with the new installation, I cannot authenticate through the
web UI.

So far, there is exactly one client in the domain (my workstation), and
exactly one user - admin. I am not comfortable with the command line tools,
and I have others below my position that require a GUI for management
purposes, so I have to make this work to proceed any further.

Following up with the information Martin asked for in my previous thread,
let me walk you through the process:

I attempted to log in to https://vader.rez.lcl/, and received the error
"Your session has expired. Please re-login." At this point, I clicked the
link to configure Firefox. On the command line, I obtained a Kerberos
ticket for admin (note - I am root on this workstation for the time being):

[root at dmfedora ~]# kinit admin
Password for admin at REZ.LCL:
[root at dmfedora ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin at REZ.LCL

Valid starting       Expires              Service principal
03/05/2015 14:46:22  03/06/2015 14:46:15  krbtgt/REZ.LCL at REZ.LCL

I then finished the Firefox configuration, and attempted to log in again. I
still received the error. The Firefox console shows:

POST https://vader.rez.lcl/ipa/session/login_password [HTTP/1.1 200 Success 756ms]
POST https://vader.rez.lcl/ipa/session/json [HTTP/1.1 401 Unauthorized 3ms]
GET https://vader.rez.lcl/ipa/session/login_kerberos [HTTP/1.1 401 Unauthorized 2ms]
GET https://vader.rez.lcl/ipa/session/login_kerberos [HTTP/1.1 200 Success 26ms]
POST https://vader.rez.lcl/ipa/session/json [HTTP/1.1 401 Unauthorized 4ms]

/var/log/krb5kdc.log during the process:
Mar 05 21:06:30 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: NEEDED_PREAUTH: HTTP/vader.rez.lcl at REZ.LCL for krbtgt/REZ.LCL at REZ.LCL, Additional pre-authentication required
Mar 05 21:06:30 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: ISSUE: authtime 1425589590, etypes {rep=18 tkt=18 ses=18}, HTTP/vader.rez.lcl at REZ.LCL for krbtgt/REZ.LCL at REZ.LCL
Mar 05 21:06:30 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: NEEDED_PREAUTH: admin at REZ.LCL for krbtgt/REZ.LCL at REZ.LCL, Additional pre-authentication required
Mar 05 21:06:30 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: ISSUE: authtime 1425589590, etypes {rep=18 tkt=18 ses=18}, admin at REZ.LCL for krbtgt/REZ.LCL at REZ.LCL

/var/log/httpd/access_log shows the same thing as the Firefox console:
10.1.1.15 - - [05/Mar/2015:21:06:30 +0000] "POST /ipa/session/login_password HTTP/1.1" 200 25
10.1.1.15 - - [05/Mar/2015:21:06:31 +0000] "POST /ipa/session/json HTTP/1.1" 401 -
10.1.1.15 - - [05/Mar/2015:21:06:31 +0000] "GET /ipa/session/login_kerberos?_=1425587158134 HTTP/1.1" 401 1469
10.1.1.15 - admin at REZ.LCL [05/Mar/2015:21:06:31 +0000] "GET /ipa/session/login_kerberos?_=1425587158134 HTTP/1.1" 200 20
10.1.1.15 - - [05/Mar/2015:21:06:31 +0000] "POST /ipa/session/json HTTP/1.1" 401 -

Nothing is entered into any error logs, the audit log, or the system
journal. I am at my wits' end here, and lost. What other information do you
need to help me solve this problem?

Thank you,
Dan Mossor

--

Dan Mossor, RHCSA
Systems Engineer at Large
Fedora Plasma Product WG | Fedora QA Team | Fedora Server WG
Fedora Infrastructure Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA