[Freeipa-users] Web UI Authentication errors - revisited

Dan Mossor danofsatx at gmail.com
Fri Mar 6 16:59:53 UTC 2015


On Fri, Mar 6, 2015 at 9:43 AM, Dmitri Pal <dpal at redhat.com> wrote:

>  On 03/06/2015 10:35 AM, Dan Mossor wrote:
>
>
>
> On Fri, Mar 6, 2015 at 9:21 AM, Dmitri Pal <dpal at redhat.com> wrote:
>
>>
>>  From your workstation can you use the demo instance
>> https://ipa.demo1.freeipa.org/ipa/ui/ or it returns the same error?
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.
>>
> Oh, sorry, I didn't realize I was supposed to check that. For the
> record, yes - I can log into the demo instance on Firefox from my
> workstation. For the sake of completeness, I checked with Konqueror also
> and can log in to the demo instance.
>
>  Regards,
> Dan
>
>
> OK, so it seems that something is really broken on that server.
> Maybe it is easier to start over - up to you. If you want to continue
> troubleshooting we are here to help.
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>

IT WORKS! WOOT!

In the steps of researching a small issue on another hypervisor, I
discovered that my underlying network, while operational, was not properly
configured. The IPA server and my workstation were supposed to be talking
in VLAN 100 and 110, respectively. The network is temporarily configured to
route every packet it receives to the proper VLAN, no matter where it
originates.

My workstation is indeed on VLAN 110, and is tagging the packets
appropriately. The server, however, due to a bridge misconfiguration on the
host, was on VLAN 1 and not sending tagged packets at all. But as the
router is configured to route all appropriate packets it appeared to be
operating normally.

I blew away the network configuration on the host and rebuilt it again,
this time ensuring that VLAN 1 was not available on that switch port, and
that the packets leaving the host were tagged with VLAN 100. I brought the
IPA server back up and was able to log in.

So, chalk this one up to misrouted packets. I didn't even think to look
there; the 401 error gave no clue that networking may be the issue.

Regards,
Dan Mossor