[Freeipa-users] Cannot connect to FreeIPA web UI anymore

Fujisan fujisan43 at gmail.com
Fri Oct 2 14:46:36 UTC 2015


I forgot to mention that

$ ipa user-show admin
ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json': Unauthorized

On Fri, Oct 2, 2015 at 4:44 PM, Fujisan <fujisan43 at gmail.com> wrote:

> I still cannot login to the web UI.
>
> Here is what I did:
>
>    1. mv /etc/krb5.keytab /etc/krb5.keytab.save
>    2. kinit admin
>    Password for admin at OPERA:
>    3. ipa-getkeytab -s zaira2.opera -p host/zaira2.opera at OPERA -k
>    /etc/krb5.keytab
>    4. systemctl restart sssd.service
>    5. mv /etc/httpd/conf/ipa.keytab /etc/httpd/conf/ipa.keytab.save
>    6. ipa-getkeytab -s zaira2.opera -p HTTP/zaira2.opera at OPERA -k
>    /etc/httpd/conf/ipa.keytab
>    7. systemctl restart httpd.service
>
> The log says now:
>
> Oct 02 16:40:56 zaira2.opera krb5kdc[9065](info): AS_REQ (9 etypes {18 17
> 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH: HTTP/zaira2.opera at OPERA
> for krbtgt/OPERA at OPERA, Additional pre-authentication required
>
>
>
> On Fri, Oct 2, 2015 at 4:25 PM, Alexander Bokovoy <abokovoy at redhat.com>
> wrote:
>
>> On Fri, 02 Oct 2015, Fujisan wrote:
>>
>>> Well, I think I messed up when trying to configure cockpit to use
>>> kerberos.
>>>
>>> What should I do to fix this?
>>>
>>> I have this on the ipa server:
>>> $ klist -k
>>> Keytab name: FILE:/etc/krb5.keytab
>>> KVNO Principal
>>> ---- --------------------------------------------------------------------------
>>>   2 host/zaira2.opera at OPERA
>>>   2 host/zaira2.opera at OPERA
>>>   2 host/zaira2.opera at OPERA
>>>   2 host/zaira2.opera at OPERA
>>>   1 nfs/zaira2.opera at OPERA
>>>   1 nfs/zaira2.opera at OPERA
>>>   1 nfs/zaira2.opera at OPERA
>>>   1 nfs/zaira2.opera at OPERA
>>>   3 HTTP/zaira2.opera at OPERA
>>>   3 HTTP/zaira2.opera at OPERA
>>>   3 HTTP/zaira2.opera at OPERA
>>>   3 HTTP/zaira2.opera at OPERA
>>>
>>> You can start by:
>> 0. backup every file mentioned below
>> 1. Move /etc/krb5.keytab somewhere
>> 2. kinit as admin
>> 3. ipa-getkeytab -s `hostname` -p host/`hostname` -k /etc/krb5.keytab
>> 4. restart SSSD
>> 5. Move /etc/httpd/conf/ipa.keytab somewhere
>> 6. ipa-getkeytab -s `hostname` -p HTTP/`hostname` -k
>> /etc/httpd/conf/ipa.keytab
>> 7. Restart httpd
>>
>> Every time you run 'ipa-getkeytab', Kerberos key for the service
>> specified by you is replaced on the server side so that keys in the
>> keytabs become unusable.
>>
>> I guess cockpit instructions were for something that was not supposed to
>> run on IPA master. On IPA master there are already all needed services
>> (host/ and HTTP/) and their keytabs are in place.
>>
>>
>>
>>> On Fri, Oct 2, 2015 at 3:45 PM, Alexander Bokovoy <abokovoy at redhat.com>
>>> wrote:
>>>
>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>>
>>>> More info:
>>>>>
>>>>> I can initiate a ticket:
>>>>> $ kdestroy
>>>>> $ kinit admin
>>>>>
>>>>> but cannot view user admin:
>>>>> $ ipa user-show admin
>>>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
>>>>> Unauthorized
>>>>>
>>>>> $ ipactl status
>>>>> Directory Service: RUNNING
>>>>> krb5kdc Service: RUNNING
>>>>> kadmin Service: RUNNING
>>>>> named Service: RUNNING
>>>>> ipa_memcached Service: RUNNING
>>>>> httpd Service: RUNNING
>>>>> pki-tomcatd Service: RUNNING
>>>>> smb Service: RUNNING
>>>>> winbind Service: RUNNING
>>>>> ipa-otpd Service: RUNNING
>>>>> ipa-dnskeysyncd Service: RUNNING
>>>>> ipa: INFO: The ipactl command was successful
>>>>>
>>>>> /var/log/messages:
>>>>> Oct  2 14:48:55 zaira2 [sssd[ldap_child[4991]]]: Failed to initialize
>>>>> credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt integrity
>>>>> check
>>>>> failed. Unable to create GSSAPI-encrypted LDAP connection.
>>>>>
>>>>> What did you do?
>>>>
>>>> This and the log below about HTTP/zaira2.opera at OPERA show that you have
>>>> different keys in LDAP and in your keytab files for host/zaira2.opera
>>>> and HTTP/zaira2.opera principals. This might happen if somebody removed
>>>> the principals from LDAP (ipa service-del/ipa service-add, or ipa
>>>> host-del/ipa host-add) so that they become non-synchronized with
>>>> whatever you have in the keytab files.
>>>>
>>>>
>>>> On Fri, Oct 2, 2015 at 2:26 PM, Fujisan <fujisan43 at gmail.com> wrote:
>>>>
>>>>>
>>>>> Hello,
>>>>>
>>>>>>
>>>>>> I cannot login to the web UI anymore.
>>>>>>
>>>>>> The password or username you entered is incorrect.
>>>>>>
>>>>>> Log says:
>>>>>>
>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes
>>>>>> {18 17
>>>>>> 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH:
>>>>>> HTTP/zaira2.opera at OPERA
>>>>>> for krbtgt/OPERA at OPERA, Additional pre-authentication required
>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): preauth
>>>>>> (encrypted_timestamp) verify failure: Decrypt integrity check failed
>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes
>>>>>> {18 17
>>>>>> 16 23 25 26 1 3 2}) 10.0.21.18: PREAUTH_FAILED:
>>>>>> HTTP/zaira2.opera at OPERA
>>>>>> for krbtgt/OPERA at OPERA, Decrypt integrity check failed
>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
>>>>>>
>>>>>>
>>>>>> I have no idea what went wrong.
>>>>>>
>>>>>> What can I do?
>>>>>>
>>>>>> Regards,
>>>>>> Fuji
>>>>>>
>>>>>>
>>>>>>
>>>>
>>>> --
>>>> / Alexander Bokovoy
>>>>
>>>>
>> --
>> / Alexander Bokovoy
>>
>
>
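Added example, not code from this thread or from FreeIPA: a small Python check that parses `klist -k` output together with krb5kdc log lines and flags any principal whose keytab key the KDC rejects with "Decrypt integrity check failed", which is the keytab/LDAP key mismatch Alexander describes. The sample inputs are constructed from the output quoted above (one row per principal, the archive's "at" restored to "@"); the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the `klist -k` listing quoted in the thread, reduced
# to one row per principal (the real listing has one row per enctype).
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/zaira2.opera@OPERA
   1 nfs/zaira2.opera@OPERA
   3 HTTP/zaira2.opera@OPERA
"""

# Constructed sample: the krb5kdc log lines quoted in the thread, unwrapped.
KDC_LOG = """\
Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH: HTTP/zaira2.opera@OPERA for krbtgt/OPERA@OPERA, Additional pre-authentication required
Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): preauth (encrypted_timestamp) verify failure: Decrypt integrity check failed
Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: PREAUTH_FAILED: HTTP/zaira2.opera@OPERA for krbtgt/OPERA@OPERA, Decrypt integrity check failed
"""

# A `klist -k` row: key version number, then the principal name.
KEYTAB_ROW = re.compile(r"^\s*(?P<kvno>\d+)\s+(?P<princ>\S+)\s*$")
# An AS_REQ the KDC rejected because the client's key could not decrypt the
# encrypted timestamp: the client holds a different key than the KDC does.
PREAUTH_FAILED = re.compile(
    r"PREAUTH_FAILED: (?P<princ>\S+) for \S+, Decrypt integrity check failed")

def parse_keytab_listing(text):
    """Map each principal in `klist -k` output to the set of KVNOs stored."""
    keys = defaultdict(set)
    for line in text.splitlines():
        m = KEYTAB_ROW.match(line)
        if m:
            keys[m["princ"]].add(int(m["kvno"]))
    return dict(keys)

def failed_preauth_principals(log_text):
    """Principals the KDC rejected with 'Decrypt integrity check failed'."""
    return {m["princ"] for line in log_text.splitlines()
            if (m := PREAUTH_FAILED.search(line))}

def stale_keytab_entries(keytab_text, log_text):
    """Principals in the keytab whose key the KDC rejects, with the KVNO(s)
    the keytab holds, for comparison against `kvno <principal>` on the KDC."""
    keys = parse_keytab_listing(keytab_text)
    return {p: sorted(keys[p]) for p in failed_preauth_principals(log_text)
            if p in keys}
```

A non-empty result means the listed principal's keytab entry no longer matches the key the KDC has, which is what the `Unauthorized` from `ipa user-show` and the failed web UI login look like from the KDC's side.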