[Freeipa-users] Cannot connect to FreeIPA web UI anymore

Fujisan fujisan43 at gmail.com
Fri Oct 2 14:44:50 UTC 2015


I still cannot login to the web UI.

Here is what I did:

   1. mv /etc/krb5.keytab /etc/krb5.keytab.save
   2. kinit admin
      Password for admin at OPERA:
   3. ipa-getkeytab -s zaira2.opera -p host/zaira2.opera at OPERA -k /etc/krb5.keytab
   4. systemctl restart sssd.service
   5. mv /etc/httpd/conf/ipa.keytab /etc/httpd/conf/ipa.keytab.save
   6. ipa-getkeytab -s zaira2.opera -p HTTP/zaira2.opera at OPERA -k /etc/httpd/conf/ipa.keytab
   7. systemctl restart httpd.service

The log says now:

Oct 02 16:40:56 zaira2.opera krb5kdc[9065](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH: HTTP/zaira2.opera at OPERA for krbtgt/OPERA at OPERA, Additional pre-authentication required
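The "Decrypt integrity check failed" errors quoted further down in this thread come from a keytab whose key no longer matches what the KDC holds, which is what Alexander describes happening when ipa-getkeytab is run more than once (the server-side key is re-randomized and its key version number, KVNO, goes up, while an older keytab file keeps the old key). The following is an added check, not part of this thread and not a FreeIPA tool: it compares the KVNO a keytab carries for a principal (from `klist -k`) with the KVNO the KDC currently issues in a service ticket (from `kvno`). The `klist -k` and `kvno` samples below are constructed for the example, modelled on the listing in the thread, and the assumed outcome (HTTP/ already at KVNO 4 on the KDC) is illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): detect a keytab whose key version
# lags behind, or runs ahead of, the KDC's current key for a principal.

# Highest KVNO listed for PRINCIPAL ($1) in `klist -k` output read on stdin.
# klist prints one line per key (one per enctype), so a principal appears
# several times; keep the largest version number, 0 if it is absent.
keytab_kvno() {
    awk -v p="$1" '
        $2 == p && $1 ~ /^[0-9]+$/ && $1 + 0 > max { max = $1 + 0 }
        END { print max + 0 }'
}

# KVNO the KDC reports for PRINCIPAL ($1) in `kvno` output read on stdin.
# MIT kvno prints lines of the form "principal: kvno = N"; 0 if not found.
kdc_kvno() {
    awk -v p="$1" '
        $1 == (p ":") && $2 == "kvno" { print $4; found = 1 }
        END { if (!found) print 0 }'
}

# compare_kvno PRINCIPAL KLIST_TEXT KVNO_TEXT
# Prints one word and returns 0 only for "ok":
#   missing        principal is not in the keytab at all
#   no-kdc-answer  kvno gave no version for it (no TGT, or principal gone)
#   ok             keytab and KDC agree
#   stale-keytab   KDC is ahead: the key was re-fetched/re-randomized
#                  elsewhere, re-fetch the keytab with ipa-getkeytab
#   keytab-ahead   keytab is ahead: e.g. the principal was deleted and
#                  re-created, so the KDC's version counter restarted
compare_kvno() {
    file_kvno=$(printf '%s\n' "$2" | keytab_kvno "$1")
    server_kvno=$(printf '%s\n' "$3" | kdc_kvno "$1")
    if [ "$file_kvno" -eq 0 ]; then
        echo missing; return 1
    elif [ "$server_kvno" -eq 0 ]; then
        echo no-kdc-answer; return 1
    elif [ "$file_kvno" -eq "$server_kvno" ]; then
        echo ok; return 0
    elif [ "$server_kvno" -gt "$file_kvno" ]; then
        echo stale-keytab; return 1
    else
        echo keytab-ahead; return 1
    fi
}

# On a real IPA host feed live output in (kinit admin first, since kvno
# needs a TGT to request the service ticket): live_compare KEYTAB PRINCIPAL
live_compare() {
    compare_kvno "$2" "$(klist -k "$1")" "$(kvno "$2" 2>&1)"
}

# The decisive test: can this keytab obtain a TGT for the principal at all?
# Uses a throwaway credential cache so the host's real cache is untouched.
keytab_works() {
    cc=$(mktemp) || return 1
    KRB5CCNAME="FILE:$cc" kinit -kt "$1" "$2" >/dev/null 2>&1; rc=$?
    rm -f "$cc"
    return $rc
}

# Constructed sample `klist -k` output, modelled on the thread's listing
# (KVNO 2 for host/, KVNO 3 for HTTP/).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/zaira2.opera@OPERA
   2 host/zaira2.opera@OPERA
   3 HTTP/zaira2.opera@OPERA
   3 HTTP/zaira2.opera@OPERA'

# Constructed sample `kvno` output: assume an extra ipa-getkeytab run moved
# HTTP/ to KVNO 4 on the KDC while host/ still matches the keytab.
SAMPLE_KVNO='host/zaira2.opera@OPERA: kvno = 2
HTTP/zaira2.opera@OPERA: kvno = 4'

for p in host/zaira2.opera@OPERA HTTP/zaira2.opera@OPERA nfs/zaira2.opera@OPERA; do
    printf '%-26s %s\n' "$p" "$(compare_kvno "$p" "$SAMPLE_KLIST" "$SAMPLE_KVNO")"
done
```

A "stale-keytab" result for host/ or HTTP/ on an IPA master is exactly the state the re-fetch steps in this thread repair; "keytab-ahead" points at the delete/re-add scenario Alexander mentions. Either way, `keytab_works` against the real file is the final word, since it exercises the key itself rather than the version number.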



On Fri, Oct 2, 2015 at 4:25 PM, Alexander Bokovoy <abokovoy at redhat.com>
wrote:

> On Fri, 02 Oct 2015, Fujisan wrote:
>
>> Well, I think I messed up when trying to configure cockpit to use
>> kerberos.
>>
>> What should I do to fix this?
>>
>> I have this on the ipa server:
>> $ klist -k
>> Keytab name: FILE:/etc/krb5.keytab
>> KVNO Principal
>> ---- --------------------------------------------------------------------------
>>   2 host/zaira2.opera at OPERA
>>   2 host/zaira2.opera at OPERA
>>   2 host/zaira2.opera at OPERA
>>   2 host/zaira2.opera at OPERA
>>   1 nfs/zaira2.opera at OPERA
>>   1 nfs/zaira2.opera at OPERA
>>   1 nfs/zaira2.opera at OPERA
>>   1 nfs/zaira2.opera at OPERA
>>   3 HTTP/zaira2.opera at OPERA
>>   3 HTTP/zaira2.opera at OPERA
>>   3 HTTP/zaira2.opera at OPERA
>>   3 HTTP/zaira2.opera at OPERA
>>
> You can start by:
> 0. backup every file mentioned below
> 1. Move /etc/krb5.keytab somewhere
> 2. kinit as admin
> 3. ipa-getkeytab -s `hostname` -p host/`hostname` -k /etc/krb5.keytab
> 4. restart SSSD
> 5. Move /etc/httpd/conf/ipa.keytab somewhere
> 6. ipa-getkeytab -s `hostname` -p HTTP/`hostname` -k
> /etc/httpd/conf/ipa.keytab
> 7. Restart httpd
>
> Every time you run 'ipa-getkeytab', Kerberos key for the service
> specified by you is replaced on the server side so that keys in the
> keytabs become unusable.
>
> I guess cockpit instructions were for something that was not supposed to
> run on IPA master. On IPA master there are already all needed services
> (host/ and HTTP/) and their keytabs are in place.
>
>
>
>> On Fri, Oct 2, 2015 at 3:45 PM, Alexander Bokovoy <abokovoy at redhat.com>
>> wrote:
>>
>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>
>>>> More info:
>>>>
>>>> I can initiate a ticket:
>>>> $ kdestroy
>>>> $ kinit admin
>>>>
>>>> but cannot view user admin:
>>>> $ ipa user-show admin
>>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
>>>> Unauthorized
>>>>
>>>> $ ipactl status
>>>> Directory Service: RUNNING
>>>> krb5kdc Service: RUNNING
>>>> kadmin Service: RUNNING
>>>> named Service: RUNNING
>>>> ipa_memcached Service: RUNNING
>>>> httpd Service: RUNNING
>>>> pki-tomcatd Service: RUNNING
>>>> smb Service: RUNNING
>>>> winbind Service: RUNNING
>>>> ipa-otpd Service: RUNNING
>>>> ipa-dnskeysyncd Service: RUNNING
>>>> ipa: INFO: The ipactl command was successful
>>>>
>>>> /var/log/messages:
>>>> Oct  2 14:48:55 zaira2 [sssd[ldap_child[4991]]]: Failed to initialize
>>>> credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt integrity
>>>> check
>>>> failed. Unable to create GSSAPI-encrypted LDAP connection.
>>>>
>>> What did you do?
>>>
>>> This and the log below about HTTP/zaira2.opera at OPERA show that you have
>>> different keys in LDAP and in your keytab files for host/zaira2.opera
>>> and HTTP/zaira2.opera principals. This might happen if somebody removed
>>> the principals from LDAP (ipa service-del/ipa service-add, or ipa
>>> host-del/ipa host-add) so that they become non-synchronized with
>>> whatever you have in the keytab files.
>>>
>>>
>>>> On Fri, Oct 2, 2015 at 2:26 PM, Fujisan <fujisan43 at gmail.com> wrote:
>>>
>>>>
>>>>> Hello,
>>>>
>>>>>
>>>>> I cannot login to the web UI anymore.
>>>>>
>>>>> The password or username you entered is incorrect.
>>>>>
>>>>> Log says:
>>>>>
>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH: HTTP/zaira2.opera at OPERA for krbtgt/OPERA at OPERA, Additional pre-authentication required
>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): preauth (encrypted_timestamp) verify failure: Decrypt integrity check failed
>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: PREAUTH_FAILED: HTTP/zaira2.opera at OPERA for krbtgt/OPERA at OPERA, Decrypt integrity check failed
>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
>>>>>
>>>>>
>>>>> I have no idea what went wrong.
>>>>>
>>>>> What can I do?
>>>>>
>>>>> Regards,
>>>>> Fuji
>>>>>
>>>>>
>>>>>
>>>>> --
>>>
>>>> Manage your subscription for the Freeipa-users mailing list:
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> Go to http://freeipa.org for more info on the project
>>>>
>>>>
>>>
>>> --
>>> / Alexander Bokovoy
>>>
>>>
> --
> / Alexander Bokovoy
>