[Freeipa-users] Web UI Authentication errors - revisited
Dmitri Pal
dpal at redhat.com
Thu Mar 5 22:55:20 UTC 2015
On 03/05/2015 05:51 PM, Dan Mossor wrote:
> On Thu, Mar 5, 2015 at 4:34 PM, Dan Mossor <danofsatx at gmail.com> wrote:
>
>
>
> On Thu, Mar 5, 2015 at 4:16 PM, Dmitri Pal <dpal at redhat.com> wrote:
>
> On 03/05/2015 04:15 PM, Dan Mossor wrote:
>> Good day, folks.
>>
>> This time it is something different, yet the same. I have
>> re-deployed my IPA installation due to some underlying issues
>> with the host of the virtual machine. Even with the new
>> installation, I cannot authenticate through the web UI.
>>
>> So far, there is exactly one client in the domain (my
>> workstation), and exactly one user - admin. I am not
>> comfortable with the command line tools, and I have others
>> below my position that require a GUI for management purposes,
>> so I have to make this work to proceed any further.
>>
>> Following up with the information Martin asked for in my
>> previous thread, let me walk you through the process:
>>
>> I attempted to log in to https://vader.rez.lcl/, and received
>> the error "Your session has expired. Please re-login." At
>> this point, I clicked the link to configure Firefox. On the
>> command line, I obtained a kerberos ticket for admin (note -
>> I am root on this workstation for the time being):
>>
>> [root at dmfedora ~]# kinit admin
>> Password for admin at REZ.LCL:
>> [root at dmfedora ~]# klist
>> Ticket cache: KEYRING:persistent:0:0
>> Default principal: admin at REZ.LCL
>>
>> Valid starting       Expires              Service principal
>> 03/05/2015 14:46:22  03/06/2015 14:46:15  krbtgt/REZ.LCL at REZ.LCL
>>
>> I then finished the Firefox configuration, and attempted to
>> log in again. I still received the error. The Firefox console
>> shows:
>>
>> POST https://vader.rez.lcl/ipa/session/login_password [HTTP/1.1 200 Success 756ms]
>> POST https://vader.rez.lcl/ipa/session/json [HTTP/1.1 401 Unauthorized 3ms]
>> GET https://vader.rez.lcl/ipa/session/login_kerberos [HTTP/1.1 401 Unauthorized 2ms]
>> GET https://vader.rez.lcl/ipa/session/login_kerberos [HTTP/1.1 200 Success 26ms]
>> POST https://vader.rez.lcl/ipa/session/json [HTTP/1.1 401 Unauthorized 4ms]
>>
>> /var/log/krb5kdc.log during the process:
>> Mar 05 21:06:30 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: NEEDED_PREAUTH: HTTP/vader.rez.lcl at REZ.LCL for krbtgt/REZ.LCL at REZ.LCL, Additional pre-authentication required
>> Mar 05 21:06:30 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: ISSUE: authtime 1425589590, etypes {rep=18 tkt=18 ses=18}, HTTP/vader.rez.lcl at REZ.LCL for krbtgt/REZ.LCL at REZ.LCL
>> Mar 05 21:06:30 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: NEEDED_PREAUTH: admin at REZ.LCL for krbtgt/REZ.LCL at REZ.LCL, Additional pre-authentication required
>> Mar 05 21:06:30 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: ISSUE: authtime 1425589590, etypes {rep=18 tkt=18 ses=18}, admin at REZ.LCL for krbtgt/REZ.LCL at REZ.LCL
>>
>> /var/log/httpd/access_log shows the same thing as the Firefox
>> console:
>> 10.1.1.15 - - [05/Mar/2015:21:06:30 +0000] "POST /ipa/session/login_password HTTP/1.1" 200 25
>> 10.1.1.15 - - [05/Mar/2015:21:06:31 +0000] "POST /ipa/session/json HTTP/1.1" 401 -
>> 10.1.1.15 - - [05/Mar/2015:21:06:31 +0000] "GET /ipa/session/login_kerberos?_=1425587158134 HTTP/1.1" 401 1469
>> 10.1.1.15 - admin at REZ.LCL [05/Mar/2015:21:06:31 +0000] "GET /ipa/session/login_kerberos?_=1425587158134 HTTP/1.1" 200 20
>> 10.1.1.15 - - [05/Mar/2015:21:06:31 +0000] "POST /ipa/session/json HTTP/1.1" 401 -
>>
>> Nothing is entered into any error logs, the audit log, or the
>> system journal. I am at my wit's end here, and lost. What
>> other information do you need to help me solve this problem?
>>
>> Thank you,
>> Dan Mossor
>>
>> --
>> Dan Mossor, RHCSA
>> Systems Engineer at Large
>> Fedora Plasma Product WG | Fedora QA Team | Fedora Server WG
>> Fedora Infrastructure Apprentice
>> FAS: dmossor IRC: danofsatx
>> San Antonio, Texas, USA
>>
>>
> Can you authenticate using UI from the server host?
> It seems that the Kerberos authentication goes through but
> then it is lost.
> So here are some wild ideas:
> - Is the browser properly configured? May be there is
> something with the browser that is not working? Have you
> cleaned the old IPA CA cert? It might not be related but I
> have seen issues in the past with it.
> - Are you sure that server has all the components? For example
> session on the server side is stored in memcached. If it is
> not running or something is not right with it the ticket
> sharing might be broken.
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
> First off, apologies if the thread is broken - I am stuck using
> the Gmail interface temporarily.
>
> The server host - both the actual host and the IPA server - do not
> have GUIs on them, so I cannot launch a web browser from them. The
> old IPA CA cert was never on this workstation - this workstation
> was built Tuesday, and the IPA server deployed yesterday. The
> previous one I was having issues with had already been wiped - so
> this is starting off from scratch with both the server and the
> client. I did check the ipa_memcached service as suggested by
> Martin in my previous thread.
>
> [root at vader ipa]# systemctl status httpd.service dirsrv at REZ-LCL.service ipa_memcached.service
> ● httpd.service - The Apache HTTP Server
>    Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
>    Active: active (running) since Fri 2015-03-06 18:19:16 GMT; 19h left
>  Main PID: 1103 (httpd)
>    Status: "Total requests: 150; Idle/Busy workers 100/0;Requests/sec: 3.49e-08; Bytes served/sec: 0 B/sec"
>    CGroup: /system.slice/httpd.service
>            ├─1103 /usr/sbin/httpd -DFOREGROUND
>            ├─1104 /usr/libexec/nss_pcache 98307 off /etc/httpd/alias
>            ├─1105 /usr/sbin/httpd -DFOREGROUND
>            ├─1107 /usr/sbin/httpd -DFOREGROUND
>            ├─1108 /usr/sbin/httpd -DFOREGROUND
>            ├─1111 /usr/sbin/httpd -DFOREGROUND
>            ├─1113 /usr/sbin/httpd -DFOREGROUND
>            ├─1339 /usr/sbin/httpd -DFOREGROUND
>            ├─1471 /usr/sbin/httpd -DFOREGROUND
>            ├─1473 /usr/sbin/httpd -DFOREGROUND
>            ├─1474 /usr/sbin/httpd -DFOREGROUND
>            ├─1475 /usr/sbin/httpd -DFOREGROUND
>            ├─1926 /usr/sbin/httpd -DFOREGROUND
>            └─1927 /usr/sbin/httpd -DFOREGROUND
>
> Mar 05 19:58:34 vader.rez.lcl httpd[1107]: GSSAPI client step 1
> Mar 05 19:58:34 vader.rez.lcl httpd[1107]: GSSAPI client step 2
> Mar 05 19:58:34 vader.rez.lcl httpd[1105]: GSSAPI client step 1
> Mar 05 19:58:34 vader.rez.lcl httpd[1105]: GSSAPI client step 1
> Mar 05 19:58:34 vader.rez.lcl httpd[1105]: GSSAPI client step 1
> Mar 05 19:58:34 vader.rez.lcl httpd[1105]: GSSAPI client step 2
> Mar 05 19:58:35 vader.rez.lcl httpd[1107]: GSSAPI client step 1
> Mar 05 19:58:35 vader.rez.lcl httpd[1107]: GSSAPI client step 1
> Mar 05 19:58:36 vader.rez.lcl httpd[1107]: GSSAPI client step 1
> Mar 05 19:58:36 vader.rez.lcl httpd[1107]: GSSAPI client step 2
>
> ● dirsrv at REZ-LCL.service - 389 Directory Server REZ-LCL.
>    Loaded: loaded (/usr/lib/systemd/system/dirsrv at .service; enabled)
>    Active: active (running) since Fri 2015-03-06 18:18:53 GMT; 19h left
>   Process: 1006 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i /var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid (code=exited, status=0/SUCCESS)
>  Main PID: 1020 (ns-slapd)
>    CGroup: /system.slice/system-dirsrv.slice/dirsrv at REZ-LCL.service
>            └─1020 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-REZ-LCL -i /var/run/dirsrv/slapd-REZ-LCL.pid -w /var/run/dirsrv/slapd-REZ-LCL.startpid
>
> Mar 05 21:43:46 vader.rez.lcl ns-slapd[1020]: GSSAPI server step 3
> Mar 05 21:58:46 vader.rez.lcl ns-slapd[1020]: GSSAPI server step 1
> Mar 05 21:58:47 vader.rez.lcl ns-slapd[1020]: GSSAPI server step 2
> Mar 05 21:58:47 vader.rez.lcl ns-slapd[1020]: GSSAPI server step 3
> Mar 05 22:13:47 vader.rez.lcl ns-slapd[1020]: GSSAPI server step 1
> Mar 05 22:13:47 vader.rez.lcl ns-slapd[1020]: GSSAPI server step 2
> Mar 05 22:13:47 vader.rez.lcl ns-slapd[1020]: GSSAPI server step 3
> Mar 05 22:28:48 vader.rez.lcl ns-slapd[1020]: GSSAPI server step 1
> Mar 05 22:28:48 vader.rez.lcl ns-slapd[1020]: GSSAPI server step 2
> Mar 05 22:28:48 vader.rez.lcl ns-slapd[1020]: GSSAPI server step 3
>
> ● ipa_memcached.service - IPA memcached daemon, increases IPA server performance
>    Loaded: loaded (/usr/lib/systemd/system/ipa_memcached.service; disabled)
>    Active: active (running) since Fri 2015-03-06 18:19:15 GMT; 19h left
>   Process: 1094 ExecStart=/usr/bin/memcached -d -s $SOCKET_PATH -u $USER -m $CACHESIZE -c $MAXCONN -P /var/run/ipa_memcached/ipa_memcached.pid $OPTIONS (code=exited, status=0/SUCCESS)
>  Main PID: 1095 (memcached)
>    CGroup: /system.slice/ipa_memcached.service
>            └─1095 /usr/bin/memcached -d -s /var/run/ipa_memcached/ipa_memcached -u apache -m 64 -c 1024 -P /var/run/ipa_memcached/ipa_memcached.pid
> [root at vader ipa]#
>
> Thanks,
> Dan
>
> --
> Dan Mossor, RHCSA
> Systems Engineer at Large
> Fedora Plasma Product WG | Fedora QA Team | Fedora Server WG
> Fedora Infrastructure Apprentice
> FAS: dmossor IRC: danofsatx
> San Antonio, Texas, USA
>
> As an additional test, I created a new user on my workstation and
> switched to it. The first thing I did was kinit as admin, then started
> Firefox, went through the browser configuration provided by the IPA
> server, and attempted to log in. I received the same error [1].
>
> [1] http://i.imgur.com/mhX86Ng.png
>
>
Have you checked times and time zones on the client and on the server?
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
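The time question above can be checked against the logs already quoted in the thread. The following Python script is an added diagnostic, not part of the thread or of FreeIPA: it reads the KDC's authtime, the Apache access_log timestamp and the systemd "since ...; 19h left" line (sample lines reconstructed from the posts above) and compares them against MIT krb5's default 300 s clockskew; reading systemd's GMT as UTC is an assumption.

```python
import re
from datetime import datetime, timedelta, timezone

# MIT krb5's default clockskew (300 s); assumed unchanged in the reporter's
# krb5.conf, which the thread does not show.
CLOCKSKEW = timedelta(seconds=300)

# Sample lines constructed from the thread, with the archive's HTML residue removed.
KDC_LINE = ("Mar 05 21:06:30 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes "
            "{18 17 16 23 25 26}) 10.1.0.1: ISSUE: authtime 1425589590, etypes "
            "{rep=18 tkt=18 ses=18}, admin@REZ.LCL for krbtgt/REZ.LCL@REZ.LCL")
ACCESS_LINE = '10.1.1.15 - - [05/Mar/2015:21:06:30 +0000] "POST /ipa/session/login_password HTTP/1.1" 200 25'
SYSTEMD_LINE = "Active: active (running) since Fri 2015-03-06 18:19:16 GMT; 19h left"

KDC_RE = re.compile(r"ISSUE: authtime (\d+)")
ACCESS_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")
SINCE_RE = re.compile(r"since \w{3} (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\w+); \d+h (left|ago)")

def kdc_authtime(line):
    # The KDC logs its own clock as epoch seconds at ticket issue.
    m = KDC_RE.search(line)
    return datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc) if m else None

def access_time(line):
    # httpd's clock for the request that triggered the AS_REQ above.
    m = ACCESS_RE.search(line)
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z") if m else None

def systemd_since(line):
    # Start time from 'systemctl status'; GMT/UTC is assumed, other zones are rejected.
    m = SINCE_RE.search(line)
    if not m or m.group(2) not in ("GMT", "UTC"):
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

def started_in_future(line):
    # systemd prints 'Nh left' only when the recorded start is later than now,
    # i.e. the system clock was set back after the service started.
    m = SINCE_RE.search(line)
    return bool(m) and m.group(3) == "left"

def triage(kdc_line=KDC_LINE, access_line=ACCESS_LINE, systemd_line=SYSTEMD_LINE):
    # Compare the three clocks the logs expose and report what a Kerberos admin needs.
    kdc, web, since = kdc_authtime(kdc_line), access_time(access_line), systemd_since(systemd_line)
    return {
        "kdc_vs_httpd_ok": abs(kdc - web) <= CLOCKSKEW,  # same host here, so they should agree
        "clock_moved": started_in_future(systemd_line),
        "jump_seconds": int((since - kdc).total_seconds()) if since else None,
    }
```

A start time reported as "left" rather than "ago" means the host's clock changed after the service started, which is worth reconciling with the KDC's clock and the client's before looking further.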