[Freeipa-users] Web UI Authentication errors - revisited
Martin Kosek
mkosek at redhat.com
Fri Mar 6 19:53:28 UTC 2015
On 03/06/2015 05:59 PM, Dan Mossor wrote:
>
>
> On Fri, Mar 6, 2015 at 9:43 AM, Dmitri Pal <dpal at redhat.com> wrote:
>
> On 03/06/2015 10:35 AM, Dan Mossor wrote:
>>
>>
>> On Fri, Mar 6, 2015 at 9:21 AM, Dmitri Pal <dpal at redhat.com> wrote:
>>
>>
>> From your workstation can you use the demo instance
>> https://ipa.demo1.freeipa.org/ipa/ui/ or it returns the same error?
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.
>>
>> Oh, sorry, I didn't realize I was supposed to check that. For the record,
>> yes - I can log into the demo instance on Firefox from my workstation.
>> For the sake of completeness, I checked with Konqueror also and can log
>> in to the demo instance.
>>
>> Regards,
>> Dan
>
> OK, so it seems that something is really broken on that server.
> Maybe it is easier to start over - up to you. If you want to continue
> troubleshooting we are here to help.
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
> IT WORKS! WOOT!
>
> In the steps of researching a small issue on another hypervisor, I discovered
> that my underlying network, while operational, was not properly configured. The
> IPA server and my workstation were supposed to be talking in VLAN 100 and 110,
> respectively. The network is temporarily configured to route every packet it
> receives to the proper VLAN, no matter where it originates.
>
> My workstation is indeed on VLAN 110, and is tagging the packets appropriately.
> The server, however, due to a bridge misconfiguration on the host, was on VLAN
> 1 and not sending tagged packets at all. But as the router is configured to
> route all appropriate packets it appeared to be operating normally.
>
> I blew away the network configuration on the host and rebuilt it again, this
> time ensuring that VLAN 1 was not available on that switch port, and that the
> packets leaving the host were tagged with VLAN 100. I brought the IPA server
> back up and was able to log in.
>
> So, chalk this one up to misrouted packets. I didn't even think to look there;
> the 401 error gave no clue that networking may be the issue.
>
> Regards,
> Dan Mossor
Ugh, that one was nasty, I am glad you figured it out. Now that you know what
the problem was, would you maybe have some general troubleshooting advice for
http://www.freeipa.org/page/Troubleshooting#Cannot_authenticate_to_Web_UI
that would help people like you uncover the root cause more easily?
Thanks,
Martin