[Freeipa-users] Cannot connect to FreeIPA web UI anymore

Alexander Bokovoy abokovoy at redhat.com
Fri Oct 2 14:25:25 UTC 2015


On Fri, 02 Oct 2015, Fujisan wrote:
>Well, I think I messed up when trying to configure cockpit to use kerberos.
>
>What should I do to fix this?
>
>I have this on the ipa server:
>$ klist -k
>Keytab name: FILE:/etc/krb5.keytab
>KVNO Principal
>---- --------------------------------------------------------------------------
>   2 host/zaira2.opera at OPERA
>   2 host/zaira2.opera at OPERA
>   2 host/zaira2.opera at OPERA
>   2 host/zaira2.opera at OPERA
>   1 nfs/zaira2.opera at OPERA
>   1 nfs/zaira2.opera at OPERA
>   1 nfs/zaira2.opera at OPERA
>   1 nfs/zaira2.opera at OPERA
>   3 HTTP/zaira2.opera at OPERA
>   3 HTTP/zaira2.opera at OPERA
>   3 HTTP/zaira2.opera at OPERA
>   3 HTTP/zaira2.opera at OPERA
>
You can start by:
 0. backup every file mentioned below
 1. Move /etc/krb5.keytab somewhere
 2. kinit as admin
 3. ipa-getkeytab -s `hostname` -p host/`hostname` -k /etc/krb5.keytab
 4. restart SSSD
 5. Move /etc/httpd/conf/ipa.keytab somewhere
 6. ipa-getkeytab -s `hostname` -p HTTP/`hostname` -k /etc/httpd/conf/ipa.keytab
 7. Restart httpd

Every time you run 'ipa-getkeytab', the Kerberos key for the service you
specify is replaced on the server side, so the keys in any existing
keytabs become unusable.

I guess the cockpit instructions were for something that was not supposed
to run on an IPA master. On an IPA master all the needed services
(host/ and HTTP/) already exist and their keytabs are in place.

>
>On Fri, Oct 2, 2015 at 3:45 PM, Alexander Bokovoy <abokovoy at redhat.com> wrote:
>
>> On Fri, 02 Oct 2015, Fujisan wrote:
>>
>>> More info:
>>>
>>> I can initiate a ticket:
>>> $ kdestroy
>>> $ kinit admin
>>>
>>> but cannot view user admin:
>>> $ ipa user-show admin
>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json': Unauthorized
>>>
>>> $ ipactl status
>>> Directory Service: RUNNING
>>> krb5kdc Service: RUNNING
>>> kadmin Service: RUNNING
>>> named Service: RUNNING
>>> ipa_memcached Service: RUNNING
>>> httpd Service: RUNNING
>>> pki-tomcatd Service: RUNNING
>>> smb Service: RUNNING
>>> winbind Service: RUNNING
>>> ipa-otpd Service: RUNNING
>>> ipa-dnskeysyncd Service: RUNNING
>>> ipa: INFO: The ipactl command was successful
>>>
>>> /var/log/messages:
>>> Oct  2 14:48:55 zaira2 [sssd[ldap_child[4991]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt integrity check failed. Unable to create GSSAPI-encrypted LDAP connection.
>>>
>> What did you do?
>>
>> This and the log below about HTTP/zaira2.opera at OPERA show that you have
>> different keys in LDAP and in your keytab files for host/zaira2.opera
>> and HTTP/zaira2.opera principals. This might happen if somebody removed
>> the principals from LDAP (ipa service-del/ipa service-add, or ipa
>> host-del/ipa host-add) so that they become non-synchronized with
>> whatever you have in the keytab files.
>>
>>
>> On Fri, Oct 2, 2015 at 2:26 PM, Fujisan <fujisan43 at gmail.com> wrote:
>>>>
>>>> Hello,
>>>>
>>>> I cannot login to the web UI anymore.
>>>>
>>>> The password or username you entered is incorrect.
>>>>
>>>> Log says:
>>>>
>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH: HTTP/zaira2.opera at OPERA for krbtgt/OPERA at OPERA, Additional pre-authentication required
>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): preauth (encrypted_timestamp) verify failure: Decrypt integrity check failed
>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: PREAUTH_FAILED: HTTP/zaira2.opera at OPERA for krbtgt/OPERA at OPERA, Decrypt integrity check failed
>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
>>>>
>>>>
>>>> I have no idea what went wrong.
>>>>
>>>> What can I do?
>>>>
>>>> Regards,
>>>> Fuji
>>>>
>>>>
>>>>
>>
>>
>> --
>> / Alexander Bokovoy
>>

-- 
/ Alexander Bokovoy
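A small triage helper for the krb5kdc lines quoted in this thread, added here as an example and not code from the thread or from FreeIPA: it separates "Decrypt integrity check failed" pre-authentication failures for service principals (a keytab whose key no longer matches the key the KDC holds, the situation the reply describes) from the same message for user principals (ordinarily a mistyped password). The sample log is constructed from the thread's KDC lines (with the list archive's " at " restored to "@") plus two made-up entries for a user and a successful request.

```python
import re
from collections import defaultdict

# Constructed sample log: the first three lines are the KDC lines from the
# thread, the last two are made up (a wrong user password and a success).
KDC_LOG = """\
Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH: HTTP/zaira2.opera@OPERA for krbtgt/OPERA@OPERA, Additional pre-authentication required
Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): preauth (encrypted_timestamp) verify failure: Decrypt integrity check failed
Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: PREAUTH_FAILED: HTTP/zaira2.opera@OPERA for krbtgt/OPERA@OPERA, Decrypt integrity check failed
Oct 02 14:23:10 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.50: PREAUTH_FAILED: alice@OPERA for krbtgt/OPERA@OPERA, Decrypt integrity check failed
Oct 02 14:23:30 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: ISSUE: authtime 1443795810, etypes {rep=18 tkt=18 ses=18}, host/zaira2.opera@OPERA for krbtgt/OPERA@OPERA
"""

PREAUTH_FAILED_RE = re.compile(
    r"AS_REQ .*? (?P<ip>\d+\.\d+\.\d+\.\d+): PREAUTH_FAILED: "
    r"(?P<client>\S+) for (?P<server>\S+), (?P<reason>.+)$"
)


def parse_preauth_failures(log_text):
    """Yield (client principal, client ip, reason) for each PREAUTH_FAILED line."""
    for line in log_text.splitlines():
        m = PREAUTH_FAILED_RE.search(line)
        if m:
            yield m.group("client"), m.group("ip"), m.group("reason")


def is_service_principal(principal):
    """host/fqdn@REALM, HTTP/fqdn@REALM, nfs/... carry a '/' in the name part."""
    name = principal.rsplit("@", 1)[0]
    return "/" in name


def triage_kdc_log(log_text):
    """Bucket 'Decrypt integrity check failed' preauth failures by cause.

    A service principal never types a password: its key comes from a keytab,
    so a failed encrypted-timestamp preauth means the keytab key no longer
    matches the key stored on the KDC (what a fresh ipa-getkeytab repairs).
    For a user principal the same message is ordinarily just a wrong password.
    """
    buckets = {"keytab_mismatch": defaultdict(set), "bad_password": defaultdict(set)}
    for client, ip, reason in parse_preauth_failures(log_text):
        if "Decrypt integrity check failed" not in reason:
            continue
        key = "keytab_mismatch" if is_service_principal(client) else "bad_password"
        buckets[key][client].add(ip)
    return {k: {p: sorted(ips) for p, ips in v.items()} for k, v in buckets.items()}


if __name__ == "__main__":
    for bucket, principals in triage_kdc_log(KDC_LOG).items():
        for principal, ips in principals.items():
            print(f"{bucket}: {principal} from {', '.join(ips)}")
```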