[Freeipa-users] Cannot connect to FreeIPA web UI anymore

Fujisan fujisan43 at gmail.com
Mon Oct 5 07:17:41 UTC 2015


Good morning,

Any suggestion what I should do?

I still have

$ ipa user-show admin
ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json': Unauthorized


Regards.


On Fri, Oct 2, 2015 at 5:04 PM, Fujisan <fujisan43 at gmail.com> wrote:

> I only have this:
>
> $ keyctl list @s
> 1 key in keyring:
> 641467419: --alswrv     0 65534 keyring: _uid.0
> $
>
>
>
> On Fri, Oct 2, 2015 at 5:01 PM, Alexander Bokovoy <abokovoy at redhat.com>
> wrote:
>
>> On Fri, 02 Oct 2015, Fujisan wrote:
>>
>>> I forgot to mention that
>>>
>>> $ ipa user-show admin
>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
>>> Unauthorized
>>>
>> This is most likely because of the cached session to your server.
>>
>> You can check if keyctl list @s
>> returns you something like
>> [root at m1 ~]# keyctl list @s
>> 2 keys in keyring:
>> 496745412: --alswrv     0 65534 keyring: _uid.0
>> 215779962: --alswrv     0     0 user: ipa_session_cookie:admin at EXAMPLE.COM
>>
>> If so, then notice the key number (215779962) for the session cookie,
>> and do:
>>  keyctl purge 215779962
>>  keyctl reap
>>
>> This should make the next 'ipa ...' command ask for a new cookie.
>>
>>
>>> On Fri, Oct 2, 2015 at 4:44 PM, Fujisan <fujisan43 at gmail.com> wrote:
>>>
>>>> I still cannot login to the web UI.
>>>>
>>>> Here is what I did:
>>>>
>>>>    1. mv /etc/krb5.keytab /etc/krb5.keytab.save
>>>>    2. kinit admin
>>>>    Password for admin at OPERA:
>>>>    3. ipa-getkeytab -s zaira2.opera -p host/zaira2.opera at OPERA -k
>>>>    /etc/krb5.keytab
>>>>    4. systemctl restart sssd.service
>>>>    5. mv /etc/httpd/conf/ipa.keytab /etc/httpd/conf/ipa.keytab.save
>>>>    6. ipa-getkeytab -s zaira2.opera -p HTTP/zaira2.opera at OPERA -k
>>>>    /etc/httpd/conf/ipa.keytab
>>>>    7. systemctl restart httpd.service
>>>>
>>>>
>>>> The log says now:
>>>>
>>>> Oct 02 16:40:56 zaira2.opera krb5kdc[9065](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH: HTTP/zaira2.opera at OPERA for krbtgt/OPERA at OPERA, Additional pre-authentication required
>>>>
>>>>
>>>>
>>>> On Fri, Oct 2, 2015 at 4:25 PM, Alexander Bokovoy <abokovoy at redhat.com>
>>>> wrote:
>>>>
>>>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>>>
>>>>>> Well, I think I messed up when trying to configure cockpit to use
>>>>>> kerberos.
>>>>>>
>>>>>> What should I do to fix this?
>>>>>>
>>>>>> I have this on the ipa server:
>>>>>> $ klist -k
>>>>>> Keytab name: FILE:/etc/krb5.keytab
>>>>>> KVNO Principal
>>>>>> ---- --------------------------------------------------------------------------
>>>>>>   2 host/zaira2.opera at OPERA
>>>>>>   2 host/zaira2.opera at OPERA
>>>>>>   2 host/zaira2.opera at OPERA
>>>>>>   2 host/zaira2.opera at OPERA
>>>>>>   1 nfs/zaira2.opera at OPERA
>>>>>>   1 nfs/zaira2.opera at OPERA
>>>>>>   1 nfs/zaira2.opera at OPERA
>>>>>>   1 nfs/zaira2.opera at OPERA
>>>>>>   3 HTTP/zaira2.opera at OPERA
>>>>>>   3 HTTP/zaira2.opera at OPERA
>>>>>>   3 HTTP/zaira2.opera at OPERA
>>>>>>   3 HTTP/zaira2.opera at OPERA
>>>>>>
>>>>> You can start by:
>>>>>
>>>>> 0. backup every file mentioned below
>>>>> 1. Move /etc/krb5.keytab somewhere
>>>>> 2. kinit as admin
>>>>> 3. ipa-getkeytab -s `hostname` -p host/`hostname` -k /etc/krb5.keytab
>>>>> 4. restart SSSD
>>>>> 5. Move /etc/httpd/conf/ipa.keytab somewhere
>>>>> 6. ipa-getkeytab -s `hostname` -p HTTP/`hostname` -k
>>>>> /etc/httpd/conf/ipa.keytab
>>>>> 7. Restart httpd
>>>>>
>>>>> Every time you run 'ipa-getkeytab', the Kerberos key for the service
>>>>> you specified is replaced on the server side, so that the keys in the
>>>>> existing keytabs become unusable.
>>>>>
>>>>> I guess the cockpit instructions were for something that was not supposed
>>>>> to run on an IPA master. On an IPA master all needed services (host/ and
>>>>> HTTP/) already exist and their keytabs are in place.
>>>>>
>>>>>
>>>>>
>>>>>> On Fri, Oct 2, 2015 at 3:45 PM, Alexander Bokovoy <abokovoy at redhat.com> wrote:
>>>>>>
>>>>>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>>>>>
>>>>>>>> More info:
>>>>>>>>
>>>>>>>>
>>>>>>>> I can initiate a ticket:
>>>>>>>> $ kdestroy
>>>>>>>> $ kinit admin
>>>>>>>>
>>>>>>>> but cannot view user admin:
>>>>>>>> $ ipa user-show admin
>>>>>>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
>>>>>>>> Unauthorized
>>>>>>>>
>>>>>>>> $ ipactl status
>>>>>>>> Directory Service: RUNNING
>>>>>>>> krb5kdc Service: RUNNING
>>>>>>>> kadmin Service: RUNNING
>>>>>>>> named Service: RUNNING
>>>>>>>> ipa_memcached Service: RUNNING
>>>>>>>> httpd Service: RUNNING
>>>>>>>> pki-tomcatd Service: RUNNING
>>>>>>>> smb Service: RUNNING
>>>>>>>> winbind Service: RUNNING
>>>>>>>> ipa-otpd Service: RUNNING
>>>>>>>> ipa-dnskeysyncd Service: RUNNING
>>>>>>>> ipa: INFO: The ipactl command was successful
>>>>>>>>
>>>>>>>> /var/log/messages:
>>>>>>>> Oct  2 14:48:55 zaira2 [sssd[ldap_child[4991]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt integrity check failed. Unable to create GSSAPI-encrypted LDAP connection.
>>>>>>>>
>>>>>>> What did you do?
>>>>>>>>
>>>>>>>
>>>>>>> This and the log below about HTTP/zaira2.opera at OPERA show that you have
>>>>>>> different keys in LDAP and in your keytab files for host/zaira2.opera
>>>>>>> and HTTP/zaira2.opera principals. This might happen if somebody removed
>>>>>>> the principals from LDAP (ipa service-del/ipa service-add, or ipa
>>>>>>> host-del/ipa host-add) so that they become non-synchronized with
>>>>>>> whatever you have in the keytab files.
>>>>>>>
>>>>>>>
>>>>>>>> On Fri, Oct 2, 2015 at 2:26 PM, Fujisan <fujisan43 at gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Hello,
>>>>>>>>
>>>>>>>>
>>>>>>>>> I cannot login to the web UI anymore.
>>>>>>>>>
>>>>>>>>> The password or username you entered is incorrect.
>>>>>>>>>
>>>>>>>>> Log says:
>>>>>>>>>
>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH: HTTP/zaira2.opera at OPERA for krbtgt/OPERA at OPERA, Additional pre-authentication required
>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): preauth (encrypted_timestamp) verify failure: Decrypt integrity check failed
>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: PREAUTH_FAILED: HTTP/zaira2.opera at OPERA for krbtgt/OPERA at OPERA, Decrypt integrity check failed
>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I have no idea what went wrong.
>>>>>>>>>
>>>>>>>>> What can I do?
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>> Fuji
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>>
>>>>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>>> Go to http://freeipa.org for more info on the project
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>> --
>>>>>>> / Alexander Bokovoy
>>>>>>>
>>>>>>>
>>>>> --
>>>>> / Alexander Bokovoy
>>>>>
>>>>>
>>>>
>>>>
>>>
>>
>>
>> --
>> / Alexander Bokovoy
>>
>
>
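The two checks Alexander walks through in the thread, a cached ipa_session_cookie sitting in the session keyring and KDC pre-authentication failures for a service principal, as an added Python example that is not part of the thread or of FreeIPA. The keyctl and krb5kdc sample text is constructed from the output quoted above (with the archive's " at " written as "@"); the second PREAUTH_FAILED line for a user is an assumed extra entry to show the two cases being told apart.

```python
import re

# Constructed sample input modelled on the output quoted in the thread; not captured from it.
KEYCTL_OUTPUT = """2 keys in keyring:
496745412: --alswrv     0 65534 keyring: _uid.0
215779962: --alswrv     0     0 user: ipa_session_cookie:admin@EXAMPLE.COM
"""
KDC_LOG = """Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH: HTTP/zaira2.opera@OPERA for krbtgt/OPERA@OPERA, Additional pre-authentication required
Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): preauth (encrypted_timestamp) verify failure: Decrypt integrity check failed
Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: PREAUTH_FAILED: HTTP/zaira2.opera@OPERA for krbtgt/OPERA@OPERA, Decrypt integrity check failed
Oct 02 14:31:10 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.44: PREAUTH_FAILED: alice@OPERA for krbtgt/OPERA@OPERA, Decrypt integrity check failed
"""

# 'keyctl list @s' prints one 'user:' key per cached IPA session cookie.
SESSION_KEY_RE = re.compile(
    r"^\s*(\d+):\s+\S+\s+\d+\s+\d+\s+user:\s*ipa_session_cookie:(\S+)", re.M)
# krb5kdc AS_REQ lines that ended in PREAUTH_FAILED, with client IP, principal and reason.
PREAUTH_FAILED_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): AS_REQ .*? (?P<client>\d+(?:\.\d+){3}): PREAUTH_FAILED: "
    r"(?P<princ>\S+) for \S+, (?P<reason>.*)$", re.M)


def cached_session_cookies(keyctl_output):
    """Return [(key_id, principal)] for every ipa_session_cookie key in the keyring."""
    return [(int(k), p) for k, p in SESSION_KEY_RE.findall(keyctl_output)]


def purge_commands(keyctl_output):
    """The commands given in the thread for dropping a stale cookie: purge each key, then reap."""
    ids = [k for k, _ in cached_session_cookies(keyctl_output)]
    return [f"keyctl purge {k}" for k in ids] + (["keyctl reap"] if ids else [])


def preauth_integrity_failures(kdc_log):
    """Split 'Decrypt integrity check failed' pre-auth failures by principal type.

    For a user principal this is usually a mistyped password; for a service
    principal (host/, HTTP/, nfs/) it means the keytab on disk no longer
    matches the key the KDC holds, the desync diagnosed in the thread."""
    services, users = [], []
    for m in PREAUTH_FAILED_RE.finditer(kdc_log):
        if "Decrypt integrity check failed" not in m["reason"]:
            continue
        bucket = services if "/" in m["princ"].split("@")[0] else users
        bucket.append((m["princ"], m["client"]))
    return {"services": services, "users": users}


if __name__ == "__main__":
    print(purge_commands(KEYCTL_OUTPUT))
    print(preauth_integrity_failures(KDC_LOG))
```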