[Freeipa-users] Cannot connect to FreeIPA web UI anymore

Alexander Bokovoy abokovoy at redhat.com
Fri Oct 2 13:45:58 UTC 2015


On Fri, 02 Oct 2015, Fujisan wrote:
>More info:
>
>I can initiate a ticket:
>$ kdestroy
>$ kinit admin
>
>but cannot view user admin:
>$ ipa user-show admin
>ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json': Unauthorized
>
>$ ipactl status
>Directory Service: RUNNING
>krb5kdc Service: RUNNING
>kadmin Service: RUNNING
>named Service: RUNNING
>ipa_memcached Service: RUNNING
>httpd Service: RUNNING
>pki-tomcatd Service: RUNNING
>smb Service: RUNNING
>winbind Service: RUNNING
>ipa-otpd Service: RUNNING
>ipa-dnskeysyncd Service: RUNNING
>ipa: INFO: The ipactl command was successful
>
>/var/log/messages:
>Oct  2 14:48:55 zaira2 [sssd[ldap_child[4991]]]: Failed to initialize
>credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt integrity check
>failed. Unable to create GSSAPI-encrypted LDAP connection.

What did you do?

This and the log below about HTTP/zaira2.opera at OPERA show that you have
different keys in LDAP and in your keytab files for host/zaira2.opera
and HTTP/zaira2.opera principals. This might happen if somebody removed
the principals from LDAP (ipa service-del/ipa service-add, or ipa
host-del/ipa host-add) so that they become non-synchronized with
whatever you have in the keytab files.

>On Fri, Oct 2, 2015 at 2:26 PM, Fujisan <fujisan43 at gmail.com> wrote:
>
>> Hello,
>>
>> I cannot login to the web UI anymore.
>>
>> The password or username you entered is incorrect.
>>
>> Log says:
>>
>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17
>> 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH: HTTP/zaira2.opera at OPERA
>> for krbtgt/OPERA at OPERA, Additional pre-authentication required
>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): preauth
>> (encrypted_timestamp) verify failure: Decrypt integrity check failed
>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17
>> 16 23 25 26 1 3 2}) 10.0.21.18: PREAUTH_FAILED: HTTP/zaira2.opera at OPERA
>> for krbtgt/OPERA at OPERA, Decrypt integrity check failed
>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
>>
>>
>> I have no idea what went wrong.
>>
>> What can I do?
>>
>> Regards,
>> Fuji
>>
>>


-- 
/ Alexander Bokovoy
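
The diagnosis in the reply above is read off the KDC log. As an added example (not part of the original message and not FreeIPA code), this Python script scans krb5kdc `AS_REQ` records and reports service principals whose keytab-based pre-authentication was rejected with "Decrypt integrity check failed". The function name, the `SERVICE_PREFIXES` list and the third sample record (user `alice`, address `10.0.21.40`) are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Principals that authenticate from a keytab rather than a typed password.
# Assumption: only the two service types named in the thread are of interest.
SERVICE_PREFIXES = ("host/", "HTTP/")

# One krb5kdc AS_REQ failure record. "@" may appear as " at " when the log
# was pasted through a list archive that obfuscates addresses.
AS_REQ = re.compile(
    r"krb5kdc\[\d+\]\(info\): AS_REQ \(.*?\) (?P<ip>\S+): (?P<status>[A-Z_]+): "
    r"(?P<name>\S+?)(?:@| at )(?P<realm>\S+) for .+?, (?P<msg>.*)$"
)

def stale_keytab_suspects(lines):
    """Map service principal -> sorted client IPs whose keytab key the KDC rejected."""
    hits = defaultdict(set)
    for line in lines:
        m = AS_REQ.search(line)
        if not m or m["status"] != "PREAUTH_FAILED":
            continue
        if "Decrypt integrity check failed" not in m["msg"]:
            continue
        # The same KDC message for a user principal usually means a wrong
        # password, so only keytab-backed service principals are reported.
        if m["name"].startswith(SERVICE_PREFIXES):
            hits[f"{m['name']}@{m['realm']}"].add(m["ip"])
    return {p: sorted(ips) for p, ips in hits.items()}

# Constructed sample: the first two records are the thread's log lines re-joined
# onto one line each; the third (user "alice") is invented for contrast.
PREFIX = ("Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): "
          "AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) ")
SAMPLE = [
    PREFIX + "10.0.21.18: NEEDED_PREAUTH: HTTP/zaira2.opera at OPERA "
             "for krbtgt/OPERA at OPERA, Additional pre-authentication required",
    PREFIX + "10.0.21.18: PREAUTH_FAILED: HTTP/zaira2.opera at OPERA "
             "for krbtgt/OPERA at OPERA, Decrypt integrity check failed",
    PREFIX + "10.0.21.40: PREAUTH_FAILED: alice@OPERA "
             "for krbtgt/OPERA@OPERA, Decrypt integrity check failed",
]

if __name__ == "__main__":
    for principal, ips in stale_keytab_suspects(SAMPLE).items():
        print(f"{principal}: keytab key rejected by KDC (from {', '.join(ips)})")
```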



