[Freeipa-users] Web UI Authentication errors - revisited

Dmitri Pal dpal at redhat.com
Thu Mar 5 22:16:56 UTC 2015


On 03/05/2015 04:15 PM, Dan Mossor wrote:
> Good day, folks.
>
> This time it is something different, yet the same. I have re-deployed 
> my IPA installation due to some underlying issues with the host of the 
> virtual machine. Even with the new installation, I cannot authenticate 
> through the web UI.
>
> So far, there is exactly one client in the domain (my workstation), 
> and exactly one user - admin. I am not comfortable with the command 
> line tools, and I have others below my position that require a GUI for 
> management purposes, so I have to make this work to proceed any further.
>
> Following up with the information Martin asked for in my previous 
> thread, let me walk you through the process:
>
> I attempted to log in to https://vader.rez.lcl/, and received the 
> error "Your session has expired. Please re-login." At this point, I 
> clicked the link to configure Firefox. On the command line, I obtained 
> a Kerberos ticket for admin (note - I am root on this workstation for
> the time being):
>
> [root at dmfedora ~]# kinit admin
> Password for admin at REZ.LCL:
> [root at dmfedora ~]# klist
> Ticket cache: KEYRING:persistent:0:0
> Default principal: admin at REZ.LCL
>
> Valid starting       Expires              Service principal
> 03/05/2015 14:46:22  03/06/2015 14:46:15 krbtgt/REZ.LCL at REZ.LCL
>
> I then finished the Firefox configuration, and attempted to log in 
> again. I still received the error. The Firefox console shows:
>
> POST https://vader.rez.lcl/ipa/session/login_password [HTTP/1.1 200 
> Success 756ms]
> POST https://vader.rez.lcl/ipa/session/json [HTTP/1.1 401 Unauthorized 
> 3ms]
> GET https://vader.rez.lcl/ipa/session/login_kerberos [HTTP/1.1 401 
> Unauthorized 2ms]
> GET https://vader.rez.lcl/ipa/session/login_kerberos [HTTP/1.1 200 
> Success 26ms]
> POST https://vader.rez.lcl/ipa/session/json [HTTP/1.1 401 Unauthorized 
> 4ms]
>
> /var/log/krb5kdc.log during the process:
> Mar 05 21:06:30 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes
> {18 17 16 23 25 26}) 10.1.0.1: NEEDED_PREAUTH:
> HTTP/vader.rez.lcl at REZ.LCL for krbtgt/REZ.LCL at REZ.LCL, Additional
> pre-authentication required
> Mar 05 21:06:30 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes
> {18 17 16 23 25 26}) 10.1.0.1: ISSUE: authtime
> 1425589590, etypes {rep=18 tkt=18 ses=18}, HTTP/vader.rez.lcl at REZ.LCL
> for krbtgt/REZ.LCL at REZ.LCL
> Mar 05 21:06:30 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes
> {18 17 16 23 25 26}) 10.1.0.1: NEEDED_PREAUTH:
> admin at REZ.LCL for krbtgt/REZ.LCL at REZ.LCL, Additional
> pre-authentication required
> Mar 05 21:06:30 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes
> {18 17 16 23 25 26}) 10.1.0.1: ISSUE: authtime
> 1425589590, etypes {rep=18 tkt=18 ses=18}, admin at REZ.LCL for
> krbtgt/REZ.LCL at REZ.LCL
>
> /var/log/httpd/access_log shows the same thing as the Firefox console:
> 10.1.1.15 - - [05/Mar/2015:21:06:30 +0000] "POST 
> /ipa/session/login_password HTTP/1.1" 200 25
> 10.1.1.15 - - [05/Mar/2015:21:06:31 +0000] "POST /ipa/session/json 
> HTTP/1.1" 401 -
> 10.1.1.15 - - [05/Mar/2015:21:06:31 +0000] "GET 
> /ipa/session/login_kerberos?_=1425587158134 HTTP/1.1" 401 1469
> 10.1.1.15 - admin at REZ.LCL [05/Mar/2015:21:06:31 +0000] "GET 
> /ipa/session/login_kerberos?_=1425587158134 HTTP/1.1" 200 20
> 10.1.1.15 - - [05/Mar/2015:21:06:31 +0000] "POST /ipa/session/json 
> HTTP/1.1" 401 -
>
> Nothing is entered into any error logs, the audit log, or the system 
> journal. I am at my wits' end here, and lost. What other information do
> you need to help me solve this problem?
>
> Thank you,
> Dan Mossor
>
> --
> Dan Mossor, RHCSA
> Systems Engineer at Large
> Fedora Plasma Product WG | Fedora QA Team | Fedora Server WG
> Fedora Infrastructure Apprentice
> FAS: dmossor IRC: danofsatx
> San Antonio, Texas, USA
>
>
Can you authenticate using the UI from the server host?
It seems that the Kerberos authentication goes through but then it is lost.
So here are some wild ideas:
- Is the browser properly configured? Maybe there is something with the
browser that is not working? Have you cleaned the old IPA CA cert? It
might not be related but I have seen issues in the past with it.
- Are you sure that the server has all the components? For example, the
session on the server side is stored in memcached. If it is not running or
something is not right with it, the ticket sharing might be broken.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
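
The pattern visible in the access_log excerpt above (a login endpoint answers 200, then the next `/ipa/session/json` call from the same client gets 401) can be flagged automatically. The following is an added example, not part of the original thread or of FreeIPA; the function names, the 5-second window and the sample lines (constructed, modelled on the excerpt) are assumptions.

```python
import re
from datetime import datetime, timedelta

# Apache common log format: host ident user [time] "request" status size
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
LOGIN_PATHS = ("/ipa/session/login_password", "/ipa/session/login_kerberos")
API_PATH = "/ipa/session/json"

def parse(line):
    """Parse one access_log line; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]   # drop cache-buster query
    rec["status"] = int(rec["status"])
    return rec

def lost_sessions(lines, window=timedelta(seconds=5)):
    """Return (host, login_path, login_time) for each successful login that is
    followed within `window` by a 401 on the JSON API from the same host."""
    last_login = {}   # host -> (path, ts) of the most recent 200 login
    findings = []
    for rec in filter(None, map(parse, lines)):
        host = rec["host"]
        if rec["path"] in LOGIN_PATHS and rec["status"] == 200:
            last_login[host] = (rec["path"], rec["ts"])
        elif rec["path"] == API_PATH and host in last_login:
            path, ts = last_login.pop(host)
            if rec["status"] == 401 and rec["ts"] - ts <= window:
                findings.append((host, path, ts))
    return findings

# Constructed sample lines (documentation addresses, placeholder realm).
SAMPLE = [
    '192.0.2.15 - - [05/Mar/2015:21:06:30 +0000] "POST /ipa/session/login_password HTTP/1.1" 200 25',
    '192.0.2.15 - - [05/Mar/2015:21:06:31 +0000] "POST /ipa/session/json HTTP/1.1" 401 -',
    '192.0.2.15 - - [05/Mar/2015:21:06:31 +0000] "GET /ipa/session/login_kerberos?_=1 HTTP/1.1" 401 1469',
    '192.0.2.15 - admin@EXAMPLE.TEST [05/Mar/2015:21:06:31 +0000] "GET /ipa/session/login_kerberos?_=1 HTTP/1.1" 200 20',
    '192.0.2.15 - - [05/Mar/2015:21:06:31 +0000] "POST /ipa/session/json HTTP/1.1" 401 -',
    '192.0.2.77 - - [05/Mar/2015:21:07:00 +0000] "POST /ipa/session/login_password HTTP/1.1" 200 25',
    '192.0.2.77 - - [05/Mar/2015:21:07:01 +0000] "POST /ipa/session/json HTTP/1.1" 200 512',
]
```

A finding only says that the session established at login was not honoured on the next request; whether the cause is on the server side or in the browser still has to be checked separately.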
