[Freeipa-users] Web UI Authentication errors - revisited

Dan Mossor danofsatx at gmail.com
Thu Mar 5 22:34:37 UTC 2015


On Thu, Mar 5, 2015 at 4:16 PM, Dmitri Pal <dpal at redhat.com> wrote:

>  On 03/05/2015 04:15 PM, Dan Mossor wrote:
>
>      Good day, folks.
>
>  This time it is something different, yet the same. I have re-deployed my
> IPA installation due to some underlying issues with the host of the virtual
> machine. Even with the new installation, I cannot authenticate through the
> web UI.
>
>  So far, there is exactly one client in the domain (my workstation), and
> exactly one user - admin. I am not comfortable with the command line tools,
> and I have others below my position that require a GUI for management
> purposes, so I have to make this work to proceed any further.
>
>  Following up with the information Martin asked for in my previous
> thread, let me walk you through the process:
>
>  I attempted to log in to https://vader.rez.lcl/, and received the error
> "Your session has expired. Please re-login." At this point, I clicked the
> link to configure Firefox. On the command line, I obtained a kerberos
> ticket for admin (note - I am root on this workstation for the time being):
>
> [root@dmfedora ~]# kinit admin
> Password for admin@REZ.LCL:
> [root@dmfedora ~]# klist
> Ticket cache: KEYRING:persistent:0:0
> Default principal: admin@REZ.LCL
>
> Valid starting       Expires              Service principal
> 03/05/2015 14:46:22  03/06/2015 14:46:15  krbtgt/REZ.LCL@REZ.LCL
>
>  I then finished the Firefox configuration, and attempted to log in
> again. I still received the error. The Firefox console shows:
>
> POST https://vader.rez.lcl/ipa/session/login_password [HTTP/1.1 200
> Success 756ms]
> POST https://vader.rez.lcl/ipa/session/json [HTTP/1.1 401 Unauthorized
> 3ms]
> GET https://vader.rez.lcl/ipa/session/login_kerberos [HTTP/1.1 401
> Unauthorized 2ms]
> GET https://vader.rez.lcl/ipa/session/login_kerberos [HTTP/1.1 200
> Success 26ms]
> POST https://vader.rez.lcl/ipa/session/json [HTTP/1.1 401 Unauthorized
> 4ms]
>
>  /var/log/krb5kdc.log during the process:
> Mar 05 21:06:30 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17
> 16 23 25 26}) 10.1.0.1: NEEDED_PREAUTH: HTTP/vader.rez.lcl@REZ.LCL for
> krbtgt/REZ.LCL@REZ.LCL, Additional pre-authentication required
> Mar 05 21:06:30 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17
> 16 23 25 26}) 10.1.0.1: ISSUE: authtime 1425589590, etypes {rep=18 tkt=18
> ses=18}, HTTP/vader.rez.lcl@REZ.LCL for krbtgt/REZ.LCL@REZ.LCL
> Mar 05 21:06:30 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17
> 16 23 25 26}) 10.1.0.1: NEEDED_PREAUTH: admin@REZ.LCL for
> krbtgt/REZ.LCL@REZ.LCL, Additional pre-authentication required
> Mar 05 21:06:30 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17
> 16 23 25 26}) 10.1.0.1: ISSUE: authtime 1425589590, etypes {rep=18 tkt=18
> ses=18}, admin@REZ.LCL for krbtgt/REZ.LCL@REZ.LCL
>
>  /var/log/httpd/access_log shows the same thing as the Firefox console:
> 10.1.1.15 - - [05/Mar/2015:21:06:30 +0000] "POST
> /ipa/session/login_password HTTP/1.1" 200 25
> 10.1.1.15 - - [05/Mar/2015:21:06:31 +0000] "POST /ipa/session/json
> HTTP/1.1" 401 -
> 10.1.1.15 - - [05/Mar/2015:21:06:31 +0000] "GET
> /ipa/session/login_kerberos?_=1425587158134 HTTP/1.1" 401 1469
> 10.1.1.15 - admin@REZ.LCL [05/Mar/2015:21:06:31 +0000] "GET
> /ipa/session/login_kerberos?_=1425587158134 HTTP/1.1" 200 20
> 10.1.1.15 - - [05/Mar/2015:21:06:31 +0000] "POST /ipa/session/json
> HTTP/1.1" 401 -
>
>  Nothing is entered into any error logs, the audit log, or the system
> journal. I am at my wit's end here, and lost. What other information do you
> need to help me solve this problem?
>
>  Thank you,
>  Dan Mossor
>
> --
>
> Dan Mossor, RHCSA
> Systems Engineer at Large
> Fedora Plasma Product WG | Fedora QA Team | Fedora Server WG
> Fedora Infrastructure Apprentice
> FAS: dmossor IRC: danofsatx
> San Antonio, Texas, USA
>
>
>
>  Can you authenticate using UI from the server host?
> It seems that the Kerberos authentication goes through but then it is lost.
> So here are some wild ideas:
> - Is the browser properly configured? Maybe there is something with the
> browser that is not working? Have you cleaned the old IPA CA cert? It might
> not be related but I have seen issues in the past with it.
> - Are you sure that server has all the components? For example session on
> the server side is stored in memcached. If it is not running or something
> is not right with it the ticket sharing might be broken.
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
First off, apologies if the thread is broken - I am stuck using the Gmail
interface temporarily.

The server host - both the actual host and the IPA server - do not have
GUIs on them, so I cannot launch a web browser from them. The old IPA CA
cert was never on this workstation - this workstation was built Tuesday,
and the IPA server deployed yesterday. The previous one I was having issues
with had already been wiped - so this is starting off from scratch with
both the server and the client. I did check the ipa_memcached service as
suggested by Martin in my previous thread.

[root@vader ipa]# systemctl status httpd.service dirsrv@REZ-LCL.service
ipa_memcached.service
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
   Active: active (running) since Fri 2015-03-06 18:19:16 GMT; 19h left
 Main PID: 1103 (httpd)
   Status: "Total requests: 150; Idle/Busy workers 100/0;Requests/sec:
3.49e-08; Bytes served/sec:   0 B/sec"
   CGroup: /system.slice/httpd.service
           ├─1103 /usr/sbin/httpd -DFOREGROUND
           ├─1104 /usr/libexec/nss_pcache 98307 off /etc/httpd/alias
           ├─1105 /usr/sbin/httpd -DFOREGROUND
           ├─1107 /usr/sbin/httpd -DFOREGROUND
           ├─1108 /usr/sbin/httpd -DFOREGROUND
           ├─1111 /usr/sbin/httpd -DFOREGROUND
           ├─1113 /usr/sbin/httpd -DFOREGROUND
           ├─1339 /usr/sbin/httpd -DFOREGROUND
           ├─1471 /usr/sbin/httpd -DFOREGROUND
           ├─1473 /usr/sbin/httpd -DFOREGROUND
           ├─1474 /usr/sbin/httpd -DFOREGROUND
           ├─1475 /usr/sbin/httpd -DFOREGROUND
           ├─1926 /usr/sbin/httpd -DFOREGROUND
           └─1927 /usr/sbin/httpd -DFOREGROUND

Mar 05 19:58:34 vader.rez.lcl httpd[1107]: GSSAPI client step 1
Mar 05 19:58:34 vader.rez.lcl httpd[1107]: GSSAPI client step 2
Mar 05 19:58:34 vader.rez.lcl httpd[1105]: GSSAPI client step 1
Mar 05 19:58:34 vader.rez.lcl httpd[1105]: GSSAPI client step 1
Mar 05 19:58:34 vader.rez.lcl httpd[1105]: GSSAPI client step 1
Mar 05 19:58:34 vader.rez.lcl httpd[1105]: GSSAPI client step 2
Mar 05 19:58:35 vader.rez.lcl httpd[1107]: GSSAPI client step 1
Mar 05 19:58:35 vader.rez.lcl httpd[1107]: GSSAPI client step 1
Mar 05 19:58:36 vader.rez.lcl httpd[1107]: GSSAPI client step 1
Mar 05 19:58:36 vader.rez.lcl httpd[1107]: GSSAPI client step 2

● dirsrv@REZ-LCL.service - 389 Directory Server REZ-LCL.
   Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled)
   Active: active (running) since Fri 2015-03-06 18:18:53 GMT; 19h left
  Process: 1006 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i
/var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid
(code=exited, status=0/SUCCESS)
 Main PID: 1020 (ns-slapd)
   CGroup: /system.slice/system-dirsrv.slice/dirsrv@REZ-LCL.service
           └─1020 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-REZ-LCL -i
/var/run/dirsrv/slapd-REZ-LCL.pid -w /var/run/dirsrv/slapd-REZ-LCL.startpid

Mar 05 21:43:46 vader.rez.lcl ns-slapd[1020]: GSSAPI server step 3
Mar 05 21:58:46 vader.rez.lcl ns-slapd[1020]: GSSAPI server step 1
Mar 05 21:58:47 vader.rez.lcl ns-slapd[1020]: GSSAPI server step 2
Mar 05 21:58:47 vader.rez.lcl ns-slapd[1020]: GSSAPI server step 3
Mar 05 22:13:47 vader.rez.lcl ns-slapd[1020]: GSSAPI server step 1
Mar 05 22:13:47 vader.rez.lcl ns-slapd[1020]: GSSAPI server step 2
Mar 05 22:13:47 vader.rez.lcl ns-slapd[1020]: GSSAPI server step 3
Mar 05 22:28:48 vader.rez.lcl ns-slapd[1020]: GSSAPI server step 1
Mar 05 22:28:48 vader.rez.lcl ns-slapd[1020]: GSSAPI server step 2
Mar 05 22:28:48 vader.rez.lcl ns-slapd[1020]: GSSAPI server step 3

● ipa_memcached.service - IPA memcached daemon, increases IPA server
performance
   Loaded: loaded (/usr/lib/systemd/system/ipa_memcached.service; disabled)
   Active: active (running) since Fri 2015-03-06 18:19:15 GMT; 19h left
  Process: 1094 ExecStart=/usr/bin/memcached -d -s $SOCKET_PATH -u $USER -m
$CACHESIZE -c $MAXCONN -P /var/run/ipa_memcached/ipa_memcached.pid $OPTIONS
(code=exited, status=0/SUCCESS)
 Main PID: 1095 (memcached)
   CGroup: /system.slice/ipa_memcached.service
           └─1095 /usr/bin/memcached -d -s
/var/run/ipa_memcached/ipa_memcached -u apache -m 64 -c 1024 -P
/var/run/ipa_memcached/ipa_memcached.pid
[root@vader ipa]#

Thanks,
Dan

--
Dan Mossor, RHCSA
Systems Engineer at Large
Fedora Plasma Product WG | Fedora QA Team | Fedora Server WG
Fedora Infrastructure Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA
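As an added check that is not part of the thread, here is a small Python filter for the pattern visible in Dan's access_log: a login endpoint answering 200 for a client and the very next /ipa/session/json call from that same client answering 401, which says the server accepted the credentials but the session it issued was not honoured on the following RPC. The log lines are constructed after the ones posted above, with one healthy client added for contrast.

```python
import re
from collections import defaultdict

# Apache common-log lines in the shape of Dan's /var/log/httpd/access_log
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: the five lines from the thread plus a healthy client
SAMPLE_LOG = """\
10.1.1.15 - - [05/Mar/2015:21:06:30 +0000] "POST /ipa/session/login_password HTTP/1.1" 200 25
10.1.1.15 - - [05/Mar/2015:21:06:31 +0000] "POST /ipa/session/json HTTP/1.1" 401 -
10.1.1.15 - - [05/Mar/2015:21:06:31 +0000] "GET /ipa/session/login_kerberos?_=1425587158134 HTTP/1.1" 401 1469
10.1.1.15 - admin@REZ.LCL [05/Mar/2015:21:06:31 +0000] "GET /ipa/session/login_kerberos?_=1425587158134 HTTP/1.1" 200 20
10.1.1.15 - - [05/Mar/2015:21:06:31 +0000] "POST /ipa/session/json HTTP/1.1" 401 -
10.1.1.20 - - [05/Mar/2015:21:10:00 +0000] "POST /ipa/session/login_password HTTP/1.1" 200 25
10.1.1.20 - - [05/Mar/2015:21:10:01 +0000] "POST /ipa/session/json HTTP/1.1" 200 812
"""

LOGIN_PATHS = ("/ipa/session/login_password", "/ipa/session/login_kerberos")
RPC_PATH = "/ipa/session/json"

def parse(lines):
    """Yield one dict per parseable log line, query string stripped from path."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            rec["path"] = rec["path"].split("?", 1)[0]  # drop the ?_=... cache-buster
            yield rec

def find_lost_sessions(lines):
    """Per client IP, count how often a login endpoint returned 200 and the
    next /ipa/session/json request from that client was rejected with 401."""
    last_login_ok = {}          # ip -> did the most recent login succeed?
    lost = defaultdict(int)
    for rec in parse(lines):
        ip = rec["ip"]
        if rec["path"] in LOGIN_PATHS:
            last_login_ok[ip] = rec["status"] == 200
        elif rec["path"] == RPC_PATH:
            if last_login_ok.get(ip) and rec["status"] == 401:
                lost[ip] += 1
            last_login_ok[ip] = False   # one RPC consumes the login observation
    return dict(lost)

if __name__ == "__main__":
    print(find_lost_sessions(SAMPLE_LOG.splitlines()))
```

A non-empty result points at the session layer (cookie handling in the browser, or the server-side session store) rather than at Kerberos itself, since the KDC and the login endpoints already said yes.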