[Freeipa-users] Cannot connect to FreeIPA web UI anymore

Fujisan fujisan43 at gmail.com
Mon Oct 5 10:13:21 UTC 2015


I uninstalled the ipa server and reinstalled it. Then restored the backup.
And then the following:

$ keyctl list @s
3 keys in keyring:
437165764: --alswrv     0 65534 keyring: _uid.0
556579409: --alswrv     0     0 user:
ipa_session_cookie:host/zaira2.opera at OPERA
286806445: ---lswrv     0 65534 keyring: _persistent.0
$ keyctl purge 556579409
purged 0 keys
$ keyctl reap
0 keys reaped
$ ipa user-show admin
ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json': Unauthorized
$ keyctl list @s
3 keys in keyring:
437165764: --alswrv     0 65534 keyring: _uid.0
556579409: --alswrv     0     0 user:
ipa_session_cookie:host/zaira2.opera at OPERA
286806445: ---lswrv     0 65534 keyring: _persistent.0

It doesn't seem to purge or to reap.



On Mon, Oct 5, 2015 at 9:17 AM, Fujisan <fujisan43 at gmail.com> wrote:

> Good morning,
> Any suggestion what I should do?
>
> I still have
>
> $ ipa user-show admin
> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
> Unauthorized
>
>
> Regards.
>
>
> On Fri, Oct 2, 2015 at 5:04 PM, Fujisan <fujisan43 at gmail.com> wrote:
>
>> I only have this:
>>
>> $ keyctl list @s
>> 1 key in keyring:
>> 641467419: --alswrv     0 65534 keyring: _uid.0
>> $
>>
>>
>>
>> On Fri, Oct 2, 2015 at 5:01 PM, Alexander Bokovoy <abokovoy at redhat.com>
>> wrote:
>>
>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>
>>>> I forgot to mention that
>>>>
>>>> $ ipa user-show admin
>>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
>>>> Unauthorized
>>>>
>>> This is most likely because of the cached session to your server.
>>>
>>> You can check if  keyctl list @s
>>> returns you something like
>>> [root at m1 ~]# keyctl list @s
>>> 2 keys in keyring:
>>> 496745412: --alswrv     0 65534 keyring: _uid.0
>>> 215779962: --alswrv     0     0 user:
>>> ipa_session_cookie:admin at EXAMPLE.COM
>>>
>>> If so, then notice the key number (215779962) for the session cookie,
>>> and do:
>>>  keyctl purge 215779962
>>>  keyctl reap
>>>
>>> This should make a next 'ipa ...' command run to ask for new cookie.
>>>
>>>
>>>> On Fri, Oct 2, 2015 at 4:44 PM, Fujisan <fujisan43 at gmail.com> wrote:
>>>>
>>>> I still cannot login to the web UI.
>>>>>
>>>>> Here is what I did:
>>>>>
>>>>>    1. mv /etc/krb5.keytab /etc/krb5.keytab.save
>>>>>    2. kinit admin
>>>>>    Password for admin at OPERA:
>>>>>    3. ipa-getkeytab -s zaira2.opera -p host/zaira2.opera at OPERA -k
>>>>>    /etc/krb5.keytab
>>>>>    4. systemctl restart sssd.service
>>>>>    5. mv /etc/httpd/conf/ipa.keytab /etc/httpd/conf/ipa.keytab.save
>>>>>    6. ipa-getkeytab -s zaira2.opera -p HTTP/zaira2.opera at OPERA -k
>>>>>    /etc/httpd/conf/ipa.keytab
>>>>>    7. systemctl restart httpd.service
>>>>>
>>>>>
>>>>> The log says now:
>>>>>
>>>>> Oct 02 16:40:56 zaira2.opera krb5kdc[9065](info): AS_REQ (9 etypes {18
>>>>> 17
>>>>> 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH:
>>>>> HTTP/zaira2.opera at OPERA
>>>>> for krbtgt/OPERA at OPERA, Additional pre-authentication required
>>>>>
>>>>>
>>>>>
>>>>> On Fri, Oct 2, 2015 at 4:25 PM, Alexander Bokovoy <abokovoy at redhat.com> wrote:
>>>>>
>>>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>>>>
>>>>>> Well, I think I messed up when trying to configure cockpit to use
>>>>>>> kerberos.
>>>>>>>
>>>>>>> What should I do to fix this?
>>>>>>>
>>>>>>> I have this on the ipa server:
>>>>>>> $ klist -k
>>>>>>> Keytab name: FILE:/etc/krb5.keytab
>>>>>>> KVNO Principal
>>>>>>> ----
>>>>>>>
>>>>>>>
>>>>>>> --------------------------------------------------------------------------
>>>>>>>   2 host/zaira2.opera at OPERA
>>>>>>>   2 host/zaira2.opera at OPERA
>>>>>>>   2 host/zaira2.opera at OPERA
>>>>>>>   2 host/zaira2.opera at OPERA
>>>>>>>   1 nfs/zaira2.opera at OPERA
>>>>>>>   1 nfs/zaira2.opera at OPERA
>>>>>>>   1 nfs/zaira2.opera at OPERA
>>>>>>>   1 nfs/zaira2.opera at OPERA
>>>>>>>   3 HTTP/zaira2.opera at OPERA
>>>>>>>   3 HTTP/zaira2.opera at OPERA
>>>>>>>   3 HTTP/zaira2.opera at OPERA
>>>>>>>   3 HTTP/zaira2.opera at OPERA
>>>>>>>
>>>>>>> You can start by:
>>>>>>>
>>>>>> 0. backup every file mentioned below
>>>>>> 1. Move /etc/krb5.keytab somewhere
>>>>>> 2. kinit as admin
>>>>>> 3. ipa-getkeytab -s `hostname` -p host/`hostname` -k /etc/krb5.keytab
>>>>>> 4. restart SSSD
>>>>>> 5. Move /etc/httpd/conf/ipa.keytab somewhere
>>>>>> 6. ipa-getkeytab -s `hostname` -p HTTP/`hostname` -k
>>>>>> /etc/httpd/conf/ipa.keytab
>>>>>> 7. Restart httpd
>>>>>>
>>>>>> Every time you run 'ipa-getkeytab', Kerberos key for the service
>>>>>> specified by you is replaced on the server side so that keys in the
>>>>>> keytabs become unusable.
>>>>>>
>>>>>> I guess cockpit instructions were for something that was not supposed
>>>>>> to
>>>>>> run on IPA master. On IPA master there are already all needed services
>>>>>> (host/ and HTTP/) and their keytabs are in place.
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Fri, Oct 2, 2015 at 3:45 PM, Alexander Bokovoy <abokovoy at redhat.com> wrote:
>>>>>>>
>>>>>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>>>>>
>>>>>>>>
>>>>>>>> More info:
>>>>>>>>
>>>>>>>>>
>>>>>>>>> I can initiate a ticket:
>>>>>>>>> $ kdestroy
>>>>>>>>> $ kinit admin
>>>>>>>>>
>>>>>>>>> but cannot view user admin:
>>>>>>>>> $ ipa user-show admin
>>>>>>>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
>>>>>>>>> Unauthorized
>>>>>>>>>
>>>>>>>>> $ ipactl status
>>>>>>>>> Directory Service: RUNNING
>>>>>>>>> krb5kdc Service: RUNNING
>>>>>>>>> kadmin Service: RUNNING
>>>>>>>>> named Service: RUNNING
>>>>>>>>> ipa_memcached Service: RUNNING
>>>>>>>>> httpd Service: RUNNING
>>>>>>>>> pki-tomcatd Service: RUNNING
>>>>>>>>> smb Service: RUNNING
>>>>>>>>> winbind Service: RUNNING
>>>>>>>>> ipa-otpd Service: RUNNING
>>>>>>>>> ipa-dnskeysyncd Service: RUNNING
>>>>>>>>> ipa: INFO: The ipactl command was successful
>>>>>>>>>
>>>>>>>>> /var/log/messages:
>>>>>>>>> Oct  2 14:48:55 zaira2 [sssd[ldap_child[4991]]]: Failed to
>>>>>>>>> initialize
>>>>>>>>> credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt
>>>>>>>>> integrity
>>>>>>>>> check
>>>>>>>>> failed. Unable to create GSSAPI-encrypted LDAP connection.
>>>>>>>>>
>>>>>>>>> What did you do?
>>>>>>>>>
>>>>>>>>
>>>>>>>> This and the log below about HTTP/zaira2.opera at OPERA show that you
>>>>>>>> have
>>>>>>>> different keys in LDAP and in your keytab files for
>>>>>>>> host/zaira2.opera
>>>>>>>> and HTTP/zaira2.opera principals. This might happen if somebody
>>>>>>>> removed
>>>>>>>> the principals from LDAP (ipa service-del/ipa service-add, or ipa
>>>>>>>> host-del/ipa host-add) so that they become non-synchronized with
>>>>>>>> whatever you have in the keytab files.
>>>>>>>>
>>>>>>>>
>>>>>>>> On Fri, Oct 2, 2015 at 2:26 PM, Fujisan <fujisan43 at gmail.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> I cannot login to the web UI anymore.
>>>>>>>>>>
>>>>>>>>>> The password or username you entered is incorrect.
>>>>>>>>>>
>>>>>>>>>> Log says:
>>>>>>>>>>
>>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes
>>>>>>>>>> {18 17
>>>>>>>>>> 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH:
>>>>>>>>>> HTTP/zaira2.opera at OPERA
>>>>>>>>>> for krbtgt/OPERA at OPERA, Additional pre-authentication required
>>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd
>>>>>>>>>> 12
>>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): preauth
>>>>>>>>>> (encrypted_timestamp) verify failure: Decrypt integrity check
>>>>>>>>>> failed
>>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes
>>>>>>>>>> {18 17
>>>>>>>>>> 16 23 25 26 1 3 2}) 10.0.21.18: PREAUTH_FAILED:
>>>>>>>>>> HTTP/zaira2.opera at OPERA
>>>>>>>>>> for krbtgt/OPERA at OPERA, Decrypt integrity check failed
>>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd
>>>>>>>>>> 12
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> I have no idea what went wrong.
>>>>>>>>>>
>>>>>>>>>> What can I do?
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>> Fuji
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>>
>>>>>>>>>
>>>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>>> Go to http://freeipa.org for more info on the project
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>> --
>>>>>>>> / Alexander Bokovoy
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>> / Alexander Bokovoy
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>
>>>
>>> --
>>> / Alexander Bokovoy
>>>
>>
>>
>
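As an added example (not from the thread, and not FreeIPA's own tooling), a POSIX shell snippet that parses the diagnostic output this exchange relies on: it extracts the cached ipa_session_cookie key ID from `keyctl list @s`, and compares the KVNOs in `klist -k` against the KDC's answer from `kvno`, which is the keytab/LDAP key mismatch behind the "Decrypt integrity check failed" messages. The sample outputs are constructed, the function names are mine, and the commented live usage assumes `keyctl unlink <id> @s` for removing the cookie key.

```shell
#!/bin/sh
# Added example: parse 'keyctl list @s', 'klist -k' and 'kvno' output to spot
# a stale IPA session cookie and keytab entries whose KVNO no longer matches
# the KDC. Sample data below is constructed from the thread's output.

# Constructed 'keyctl list @s' output (real output keeps each key on one line).
SAMPLE_KEYCTL='3 keys in keyring:
437165764: --alswrv     0 65534 keyring: _uid.0
556579409: --alswrv     0     0 user: ipa_session_cookie:host/zaira2.opera@OPERA
286806445: ---lswrv     0 65534 keyring: _persistent.0'

# Constructed 'klist -k' output (KVNO column, principal) and 'kvno' output
# ("principal: kvno = N"); the host/ key was re-issued after the keytab was cut.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------
   2 host/zaira2.opera@OPERA
   2 host/zaira2.opera@OPERA
   3 HTTP/zaira2.opera@OPERA'
SAMPLE_KVNO='host/zaira2.opera@OPERA: kvno = 4
HTTP/zaira2.opera@OPERA: kvno = 3'

# Print the key IDs of session-keyring entries holding an IPA session cookie.
ipa_session_key_ids() {
    printf '%s\n' "$1" | awk '/ user: ipa_session_cookie:/ { sub(":$", "", $1); print $1 }'
}

# Print "principal keytab=N kdc=M" for every principal whose highest keytab
# KVNO differs from the KDC's current KVNO; principals absent from the keytab
# are skipped.
keytab_kvno_mismatch() {
    klist_out=$1
    kvno_out=$2
    printf '%s\n' "$kvno_out" | awk -F': kvno = ' '{ print $1, $2 }' |
    while read -r princ kdc; do
        kt=$(printf '%s\n' "$klist_out" |
             awk -v p="$princ" 'BEGIN { m = 0 } $2 == p && $1 + 0 > m { m = $1 + 0 }
                                END { if (m > 0) print m }')
        if [ -n "$kt" ] && [ "$kt" != "$kdc" ]; then
            printf '%s keytab=%s kdc=%s\n' "$princ" "$kt" "$kdc"
        fi
    done
    return 0
}

# Live use on an IPA master (commented out; needs a kinit'd admin and the real keytab):
#   ipa_session_key_ids "$(keyctl list @s)" | while read -r id; do keyctl unlink "$id" @s; done
#   keytab_kvno_mismatch "$(klist -k)" "$(kvno "host/$(hostname)" "HTTP/$(hostname)")"
```

A non-empty result from the second function means the keytab must be re-fetched with ipa-getkeytab for that principal, as the thread's steps do, rather than retried.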