[Freeipa-users] Web UI Authentication errors - revisited

Martin Kosek mkosek at redhat.com
Fri Mar 6 19:53:28 UTC 2015


On 03/06/2015 05:59 PM, Dan Mossor wrote:
>
>
> On Fri, Mar 6, 2015 at 9:43 AM, Dmitri Pal <dpal at redhat.com> wrote:
>
>     On 03/06/2015 10:35 AM, Dan Mossor wrote:
>>
>>
>>     On Fri, Mar 6, 2015 at 9:21 AM, Dmitri Pal <dpal at redhat.com> wrote:
>>
>>
>>         From your workstation can you use the demo instance
>>         https://ipa.demo1.freeipa.org/ipa/ui/ or it returns the same error?
>>
>>         --
>>         Thank you,
>>         Dmitri Pal
>>
>>         Sr. Engineering Manager IdM portfolio
>>         Red Hat, Inc.
>>
>>     Oh, sorry, I didn't realize I was supposed to check that. For the record,
>>     yes - I can log into the demo instance on Firefox from my workstation.
>>     For the sake of completeness, I checked with Konqueror also and can log
>>     in to the demo instance.
>>
>>     Regards,
>>     Dan
>
>     OK, so it seems that something is really broken on that server.
>     Maybe it is easier to start over - up to you. If you want to continue
>     troubleshooting we are here to help.
>
>     --
>     Thank you,
>     Dmitri Pal
>
>     Sr. Engineering Manager IdM portfolio
>     Red Hat, Inc.
>
> IT WORKS! WOOT!
>
> In the steps of researching a small issue on another hypervisor, I discovered
> that my underlying network, while operational, was not properly configured. The
> IPA server and my workstation were supposed to be talking in VLAN 100 and 110,
> respectively. The network is temporarily configured to route every packet it
> receives to the proper VLAN, no matter where it originates.
>
> My workstation is indeed on VLAN 110, and is tagging the packets appropriately.
> The server, however, due to a bridge misconfiguration on the host, was on VLAN
> 1 and not sending tagged packets at all. But as the router is configured to
> route all appropriate packets it appeared to be operating normally.
>
> I blew away the network configuration on the host and rebuilt it again, this
> time ensuring that VLAN 1 was not available on that switch port, and that the
> packets leaving the host were tagged with VLAN 100. I brought the IPA server
> back up and was able to log in.
>
> So, chalk this one up to misrouted packets. I didn't even think to look there;
> the 401 error gave no clue that networking may be the issue.
>
> Regards,
> Dan Mossor

Ugh, that one was nasty, I am glad you figured it out. Now that you know what
the problem was, would you maybe have some general Troubleshooting advice to

http://www.freeipa.org/page/Troubleshooting#Cannot_authenticate_to_Web_UI

that would help people like you uncover the root cause more easily?

Thanks,
Martin



