[Freeipa-users] Cannot connect to FreeIPA web UI anymore

Alexander Bokovoy abokovoy at redhat.com
Fri Oct 2 15:01:45 UTC 2015


On Fri, 02 Oct 2015, Fujisan wrote:
>I forgot to mention that
>
>$ ipa user-show admin
>ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json': Unauthorized
This is most likely because of the cached session to your server.

You can check whether
  keyctl list @s
returns something like
[root at m1 ~]# keyctl list @s
2 keys in keyring:
496745412: --alswrv     0 65534 keyring: _uid.0
215779962: --alswrv     0     0 user: ipa_session_cookie:admin@EXAMPLE.COM

If so, then note the key number (215779962) for the session cookie,
and do:
  keyctl purge 215779962
  keyctl reap

This should make the next 'ipa ...' command ask for a new cookie.

>
>On Fri, Oct 2, 2015 at 4:44 PM, Fujisan <fujisan43 at gmail.com> wrote:
>
>> I still cannot login to the web UI.
>>
>> Here is what I did:
>>
>>    1. mv /etc/krb5.keytab /etc/krb5.keytab.save
>>    2. kinit admin
>>    Password for admin@OPERA:
>>    3. ipa-getkeytab -s zaira2.opera -p host/zaira2.opera@OPERA -k /etc/krb5.keytab
>>    4. systemctl restart sssd.service
>>    5. mv /etc/httpd/conf/ipa.keytab /etc/httpd/conf/ipa.keytab.save
>>    6. ipa-getkeytab -s zaira2.opera -p HTTP/zaira2.opera@OPERA -k /etc/httpd/conf/ipa.keytab
>>    7. systemctl restart httpd.service
>>
>> The log says now:
>>
>> Oct 02 16:40:56 zaira2.opera krb5kdc[9065](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH: HTTP/zaira2.opera@OPERA for krbtgt/OPERA@OPERA, Additional pre-authentication required
>>
>>
>>
>> On Fri, Oct 2, 2015 at 4:25 PM, Alexander Bokovoy <abokovoy at redhat.com>
>> wrote:
>>
>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>
>>>> Well, I think I messed up when trying to configure cockpit to use
>>>> kerberos.
>>>>
>>>> What should I do to fix this?
>>>>
>>>> I have this on the ipa server:
>>>> $ klist -k
>>>> Keytab name: FILE:/etc/krb5.keytab
>>>> KVNO Principal
>>>> ---- --------------------------------------------------------------------------
>>>>    2 host/zaira2.opera@OPERA
>>>>    2 host/zaira2.opera@OPERA
>>>>    2 host/zaira2.opera@OPERA
>>>>    2 host/zaira2.opera@OPERA
>>>>    1 nfs/zaira2.opera@OPERA
>>>>    1 nfs/zaira2.opera@OPERA
>>>>    1 nfs/zaira2.opera@OPERA
>>>>    1 nfs/zaira2.opera@OPERA
>>>>    3 HTTP/zaira2.opera@OPERA
>>>>    3 HTTP/zaira2.opera@OPERA
>>>>    3 HTTP/zaira2.opera@OPERA
>>>>    3 HTTP/zaira2.opera@OPERA
>>>>
>>> You can start by:
>>> 0. backup every file mentioned below
>>> 1. Move /etc/krb5.keytab somewhere
>>> 2. kinit as admin
>>> 3. ipa-getkeytab -s `hostname` -p host/`hostname` -k /etc/krb5.keytab
>>> 4. restart SSSD
>>> 5. Move /etc/httpd/conf/ipa.keytab somewhere
>>> 6. ipa-getkeytab -s `hostname` -p HTTP/`hostname` -k
>>> /etc/httpd/conf/ipa.keytab
>>> 7. Restart httpd
>>>
>>> Every time you run 'ipa-getkeytab', the Kerberos key for the service
>>> you specified is replaced on the server side, so that the keys in the
>>> keytabs become unusable.
>>>
>>> I guess the cockpit instructions were for something that was not supposed
>>> to run on an IPA master. On an IPA master all the needed services
>>> (host/ and HTTP/) already exist and their keytabs are in place.
>>>
>>>
>>>
>>>> On Fri, Oct 2, 2015 at 3:45 PM, Alexander Bokovoy <abokovoy at redhat.com>
>>>> wrote:
>>>>
>>>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>>>
>>>>>> More info:
>>>>>>
>>>>>> I can initiate a ticket:
>>>>>> $ kdestroy
>>>>>> $ kinit admin
>>>>>>
>>>>>> but cannot view user admin:
>>>>>> $ ipa user-show admin
>>>>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json': Unauthorized
>>>>>>
>>>>>> $ ipactl status
>>>>>> Directory Service: RUNNING
>>>>>> krb5kdc Service: RUNNING
>>>>>> kadmin Service: RUNNING
>>>>>> named Service: RUNNING
>>>>>> ipa_memcached Service: RUNNING
>>>>>> httpd Service: RUNNING
>>>>>> pki-tomcatd Service: RUNNING
>>>>>> smb Service: RUNNING
>>>>>> winbind Service: RUNNING
>>>>>> ipa-otpd Service: RUNNING
>>>>>> ipa-dnskeysyncd Service: RUNNING
>>>>>> ipa: INFO: The ipactl command was successful
>>>>>>
>>>>>> /var/log/messages:
>>>>>> Oct  2 14:48:55 zaira2 [sssd[ldap_child[4991]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt integrity check failed. Unable to create GSSAPI-encrypted LDAP connection.
>>>>>>
>>>>> What did you do?
>>>>>
>>>>> This and the log below about HTTP/zaira2.opera@OPERA show that you have
>>>>> different keys in LDAP and in your keytab files for the host/zaira2.opera
>>>>> and HTTP/zaira2.opera principals. This might happen if somebody removed
>>>>> the principals from LDAP (ipa service-del/ipa service-add, or ipa
>>>>> host-del/ipa host-add) so that they are no longer in sync with
>>>>> whatever you have in the keytab files.
>>>>>
>>>>>
>>>>>> On Fri, Oct 2, 2015 at 2:26 PM, Fujisan <fujisan43 at gmail.com> wrote:
>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> I cannot login to the web UI anymore.
>>>>>>>
>>>>>>> The password or username you entered is incorrect.
>>>>>>>
>>>>>>> Log says:
>>>>>>>
>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH: HTTP/zaira2.opera@OPERA for krbtgt/OPERA@OPERA, Additional pre-authentication required
>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): preauth (encrypted_timestamp) verify failure: Decrypt integrity check failed
>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: PREAUTH_FAILED: HTTP/zaira2.opera@OPERA for krbtgt/OPERA@OPERA, Decrypt integrity check failed
>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
>>>>>>>
>>>>>>>
>>>>>>> I have no idea what went wrong.
>>>>>>>
>>>>>>> What can I do?
>>>>>>>
>>>>>>> Regards,
>>>>>>> Fuji
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>
>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>> Go to http://freeipa.org for more info on the project
>>>>>>
>>>>>>
>>>>>
>>>>> --
>>>>> / Alexander Bokovoy
>>>>>
>>>>>
>>> --
>>> / Alexander Bokovoy
>>>
>>
>>



-- 
/ Alexander Bokovoy
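The two checks Alexander describes in this thread, written up as a script. This is an editor's added example, not code from the thread or from FreeIPA: it locates and removes the cached ipa_session_cookie in the session keyring (removing it by key ID with `keyctl unlink` rather than `keyctl purge`), and it compares the key versions (KVNO) held in a keytab against the KVNO the KDC currently issues tickets with, which is the mismatch behind "Decrypt integrity check failed" in the logs above. The `keyctl list @s`, `klist -k` and `kvno` outputs embedded in the script are constructed samples in the formats the thread shows; `zaira2.opera`, `OPERA` and `EXAMPLE.COM` are the thread's own placeholder names; `purge_ipa_session` and `refresh_keytab` call the real tools and assume an IPA master with keyutils, krb5 and ipa-client installed and a valid admin TGT (`kinit admin`) in the current shell.

```shell
#!/bin/sh
# Added example for the thread above (editor's code, not the poster's):
# 1) find/remove the cached IPA session cookie in the session keyring,
# 2) compare key versions (KVNO) in a keytab with what the KDC now issues.
# The SAMPLE_* strings are constructed to mirror the output formats shown in
# the thread; the live helpers at the bottom call the real tools.

SAMPLE_KEYCTL='2 keys in keyring:
496745412: --alswrv     0 65534 keyring: _uid.0
215779962: --alswrv     0     0 user: ipa_session_cookie:admin@EXAMPLE.COM'

# `klist -k` prints one line per encryption type, hence repeated principals.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/zaira2.opera@OPERA
   2 host/zaira2.opera@OPERA
   3 HTTP/zaira2.opera@OPERA
   3 HTTP/zaira2.opera@OPERA'

# `kvno host/... HTTP/...` fetches service tickets; the KDC encrypts each with
# its current key, so the reported kvno is the version the keytab must hold.
SAMPLE_KVNO='host/zaira2.opera@OPERA: kvno = 2
HTTP/zaira2.opera@OPERA: kvno = 4'

# Key IDs of every ipa_session_cookie entry in `keyctl list @s` output ($1).
ipa_session_key_ids() {
    printf '%s\n' "$1" |
        awk '/user: ipa_session_cookie:/ { sub(/:$/, "", $1); print $1 }'
}

# Highest KVNO per principal in `klist -k` output ($1), as "principal kvno".
keytab_principal_kvnos() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^[0-9]+$/ { if ($1 + 0 > max[$2] + 0) max[$2] = $1 }
        END { for (p in max) print p, max[p] }'
}

# "principal kvno" pairs from `kvno` output ($1).
kdc_principal_kvnos() {
    printf '%s\n' "$1" | awk -F'[: =]+' '/kvno = / { print $1, $NF }'
}

# One verdict line per principal present in both; exit 1 if any key is stale.
keytab_vs_kdc() {
    kdc=$(kdc_principal_kvnos "$2")
    keytab_principal_kvnos "$1" | while read -r p v; do
        k=$(printf '%s\n' "$kdc" | awk -v p="$p" '$1 == p { print $2 }')
        [ -n "$k" ] || continue
        if [ "$k" = "$v" ]; then
            echo "$p OK kvno=$v"
        else
            echo "$p STALE keytab=$v kdc=$k"
        fi
    done | awk 'BEGIN { bad = 0 } { print } /STALE/ { bad = 1 } END { exit bad }'
}

# --- live helpers (need keyutils / krb5 / ipa-client and an admin TGT) ---

# Remove cached IPA session cookies from the session keyring (by key ID).
purge_ipa_session() {
    for id in $(ipa_session_key_ids "$(keyctl list @s)"); do
        keyctl unlink "$id" @s >/dev/null
    done
    keyctl reap >/dev/null 2>&1 || true
}

# Re-key principal $1 into keytab $2 and restart service $3, as in the thread
# but with the backup made explicit and a kinit -kt check before the restart.
# NOTE: ipa-getkeytab bumps the KVNO on the server, so every other copy of
# this principal's key (e.g. a keytab copied elsewhere) stops working.
refresh_keytab() {
    princ=$1; keytab=$2; svc=$3
    [ -f "$keytab" ] && mv "$keytab" "$keytab.$(date +%s).bak"
    ipa-getkeytab -s "$(hostname -f)" -p "$princ" -k "$keytab" || return 1
    # Proves the fresh keytab decrypts what the KDC now issues.
    KRB5CCNAME=MEMORY:keytab-check kinit -kt "$keytab" "$princ" || return 1
    systemctl restart "$svc"
}

# Live run: keytab_vs_kdc "$(klist -k /etc/krb5.keytab)" "$(kvno host/$(hostname -f))"
```

Run against the samples, `keytab_vs_kdc` reports `host/zaira2.opera@OPERA OK kvno=2` and `HTTP/zaira2.opera@OPERA STALE keytab=3 kdc=4` and exits 1, which is the state the thread's logs show: the KDC has moved on to a newer key than the one in the keytab. The `kvno` check needs a TGT, so `kinit admin` first; on a box where even that fails, the keyring purge and `refresh_keytab host/$(hostname -f) /etc/krb5.keytab sssd` in that order, then the same for `HTTP/` into /etc/httpd/conf/ipa.keytab with `httpd`, follow the steps in the thread.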



