[Freeipa-users] Cannot connect to FreeIPA web UI anymore

Fujisan fujisan43 at gmail.com
Mon Oct 5 10:27:04 UTC 2015


I just noticed I can log in to the web UI with user admin and his password.

But when I try to configure Firefox to use Kerberos and click on the "Install
Kerberos Configuration Firefox Extension" button, a message appears saying
"Firefox prevented this site from asking you to install software on your
computer", so I click on the "Allow" button and then another message
appears: "The add-on downloaded from this site could not be installed
because it appears to be corrupt."

And the ipa commands are still not working.
$ ipa user-show admin
ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json': Unauthorized


On Mon, Oct 5, 2015 at 12:13 PM, Fujisan <fujisan43 at gmail.com> wrote:

> I uninstalled the ipa server and reinstalled it. Then restored the backup.
> And then the following:
>
> $ keyctl list @s
> 3 keys in keyring:
> 437165764: --alswrv     0 65534 keyring: _uid.0
> 556579409: --alswrv     0     0 user: ipa_session_cookie:host/zaira2.opera at OPERA
> 286806445: ---lswrv     0 65534 keyring: _persistent.0
> $ keyctl purge 556579409
> purged 0 keys
> $ keyctl reap
> 0 keys reaped
> $ ipa user-show admin
> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
> Unauthorized
> $ keyctl list @s
> 3 keys in keyring:
> 437165764: --alswrv     0 65534 keyring: _uid.0
> 556579409: --alswrv     0     0 user: ipa_session_cookie:host/zaira2.opera at OPERA
> 286806445: ---lswrv     0 65534 keyring: _persistent.0
>
> It doesn't seem to purge or to reap.
>
>
>
> On Mon, Oct 5, 2015 at 9:17 AM, Fujisan <fujisan43 at gmail.com> wrote:
>
>> Good morning,
>> Any suggestion what I should do?
>>
>> I still have
>>
>> $ ipa user-show admin
>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
>> Unauthorized
>>
>>
>> Regards.
>>
>>
>> On Fri, Oct 2, 2015 at 5:04 PM, Fujisan <fujisan43 at gmail.com> wrote:
>>
>>> I only have this:
>>>
>>> $ keyctl list @s
>>> 1 key in keyring:
>>> 641467419: --alswrv     0 65534 keyring: _uid.0
>>> $
>>>
>>>
>>>
>>> On Fri, Oct 2, 2015 at 5:01 PM, Alexander Bokovoy <abokovoy at redhat.com>
>>> wrote:
>>>
>>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>>
>>>>> I forgot to mention that
>>>>>
>>>>> $ ipa user-show admin
>>>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
>>>>> Unauthorized
>>>>>
>>>> This is most likely because of the cached session to your server.
>>>>
>>>> You can check if keyctl list @s
>>>> returns you something like
>>>> [root at m1 ~]# keyctl list @s
>>>> 2 keys in keyring:
>>>> 496745412: --alswrv     0 65534 keyring: _uid.0
>>>> 215779962: --alswrv     0     0 user: ipa_session_cookie:admin at EXAMPLE.COM
>>>>
>>>> If so, then notice the key number (215779962) for the session cookie,
>>>> and do:
>>>>  keyctl purge 215779962
>>>>  keyctl reap
>>>>
>>>> This should make the next 'ipa ...' command ask for a new cookie.
>>>>
>>>>
>>>>> On Fri, Oct 2, 2015 at 4:44 PM, Fujisan <fujisan43 at gmail.com> wrote:
>>>>>
>>>>>> I still cannot login to the web UI.
>>>>>>
>>>>>> Here is what I did:
>>>>>>
>>>>>>    1. mv /etc/krb5.keytab /etc/krb5.keytab.save
>>>>>>    2. kinit admin
>>>>>>    Password for admin at OPERA:
>>>>>>    3. ipa-getkeytab -s zaira2.opera -p host/zaira2.opera at OPERA -k /etc/krb5.keytab
>>>>>>    4. systemctl restart sssd.service
>>>>>>    5. mv /etc/httpd/conf/ipa.keytab /etc/httpd/conf/ipa.keytab.save
>>>>>>    6. ipa-getkeytab -s zaira2.opera -p HTTP/zaira2.opera at OPERA -k /etc/httpd/conf/ipa.keytab
>>>>>>    7. systemctl restart httpd.service
>>>>>>    7. systemctl restart httpd.service
>>>>>>
>>>>>>
>>>>>> The log says now:
>>>>>>
>>>>>> Oct 02 16:40:56 zaira2.opera krb5kdc[9065](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH: HTTP/zaira2.opera at OPERA for krbtgt/OPERA at OPERA, Additional pre-authentication required
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Fri, Oct 2, 2015 at 4:25 PM, Alexander Bokovoy <
>>>>>> abokovoy at redhat.com>
>>>>>> wrote:
>>>>>>
>>>>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>>>>>
>>>>>>>> Well, I think I messed up when trying to configure cockpit to use
>>>>>>>> kerberos.
>>>>>>>>
>>>>>>>> What should I do to fix this?
>>>>>>>>
>>>>>>>> I have this on the ipa server:
>>>>>>>> $ klist -k
>>>>>>>> Keytab name: FILE:/etc/krb5.keytab
>>>>>>>> KVNO Principal
>>>>>>>> ---- --------------------------------------------------------------------------
>>>>>>>>   2 host/zaira2.opera at OPERA
>>>>>>>>   2 host/zaira2.opera at OPERA
>>>>>>>>   2 host/zaira2.opera at OPERA
>>>>>>>>   2 host/zaira2.opera at OPERA
>>>>>>>>   1 nfs/zaira2.opera at OPERA
>>>>>>>>   1 nfs/zaira2.opera at OPERA
>>>>>>>>   1 nfs/zaira2.opera at OPERA
>>>>>>>>   1 nfs/zaira2.opera at OPERA
>>>>>>>>   3 HTTP/zaira2.opera at OPERA
>>>>>>>>   3 HTTP/zaira2.opera at OPERA
>>>>>>>>   3 HTTP/zaira2.opera at OPERA
>>>>>>>>   3 HTTP/zaira2.opera at OPERA
>>>>>>>>
>>>>>>> You can start by:
>>>>>>>>
>>>>>>> 0. backup every file mentioned below
>>>>>>> 1. Move /etc/krb5.keytab somewhere
>>>>>>> 2. kinit as admin
>>>>>>> 3. ipa-getkeytab -s `hostname` -p host/`hostname` -k /etc/krb5.keytab
>>>>>>> 4. restart SSSD
>>>>>>> 5. Move /etc/httpd/conf/ipa.keytab somewhere
>>>>>>> 6. ipa-getkeytab -s `hostname` -p HTTP/`hostname` -k /etc/httpd/conf/ipa.keytab
>>>>>>> 7. Restart httpd
>>>>>>>
>>>>>>> Every time you run 'ipa-getkeytab', the Kerberos key for the service
>>>>>>> you specify is replaced on the server side, so the keys in the existing
>>>>>>> keytabs become unusable.
>>>>>>>
>>>>>>> I guess the cockpit instructions were for something that was not
>>>>>>> supposed to run on an IPA master. On an IPA master all the needed
>>>>>>> services (host/ and HTTP/) already exist and their keytabs are in place.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> On Fri, Oct 2, 2015 at 3:45 PM, Alexander Bokovoy <
>>>>>>>> abokovoy at redhat.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>>>>>>
>>>>>>>>>
>>>>>>>>>> More info:
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> I can initiate a ticket:
>>>>>>>>>> $ kdestroy
>>>>>>>>>> $ kinit admin
>>>>>>>>>>
>>>>>>>>>> but cannot view user admin:
>>>>>>>>>> $ ipa user-show admin
>>>>>>>>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
>>>>>>>>>> Unauthorized
>>>>>>>>>>
>>>>>>>>>> $ ipactl status
>>>>>>>>>> Directory Service: RUNNING
>>>>>>>>>> krb5kdc Service: RUNNING
>>>>>>>>>> kadmin Service: RUNNING
>>>>>>>>>> named Service: RUNNING
>>>>>>>>>> ipa_memcached Service: RUNNING
>>>>>>>>>> httpd Service: RUNNING
>>>>>>>>>> pki-tomcatd Service: RUNNING
>>>>>>>>>> smb Service: RUNNING
>>>>>>>>>> winbind Service: RUNNING
>>>>>>>>>> ipa-otpd Service: RUNNING
>>>>>>>>>> ipa-dnskeysyncd Service: RUNNING
>>>>>>>>>> ipa: INFO: The ipactl command was successful
>>>>>>>>>>
>>>>>>>>>> /var/log/messages:
>>>>>>>>>> Oct  2 14:48:55 zaira2 [sssd[ldap_child[4991]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt integrity check failed. Unable to create GSSAPI-encrypted LDAP connection.
>>>>>>>>>>
>>>>>>>>> What did you do?
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> This and the log below about HTTP/zaira2.opera at OPERA show that
>>>>>>>>> you have different keys in LDAP and in your keytab files for the
>>>>>>>>> host/zaira2.opera and HTTP/zaira2.opera principals. This might happen
>>>>>>>>> if somebody removed the principals from LDAP (ipa service-del/ipa
>>>>>>>>> service-add, or ipa host-del/ipa host-add) so that they are no longer
>>>>>>>>> synchronized with whatever you have in the keytab files.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Fri, Oct 2, 2015 at 2:26 PM, Fujisan <fujisan43 at gmail.com>
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>>> Hello,
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>> I cannot login to the web UI anymore.
>>>>>>>>>>>
>>>>>>>>>>> The password or username you entered is incorrect.
>>>>>>>>>>>
>>>>>>>>>>> Log says:
>>>>>>>>>>>
>>>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH: HTTP/zaira2.opera at OPERA for krbtgt/OPERA at OPERA, Additional pre-authentication required
>>>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
>>>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): preauth (encrypted_timestamp) verify failure: Decrypt integrity check failed
>>>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: PREAUTH_FAILED: HTTP/zaira2.opera at OPERA for krbtgt/OPERA at OPERA, Decrypt integrity check failed
>>>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> I have no idea what went wrong.
>>>>>>>>>>>
>>>>>>>>>>> What can I do?
>>>>>>>>>>>
>>>>>>>>>>> Regards,
>>>>>>>>>>> Fuji
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>>>> Go to http://freeipa.org for more info on the project
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> / Alexander Bokovoy
>>>>>>>>>
>>>>>>>>>
>>>>>>> --
>>>>>>> / Alexander Bokovoy
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>
>>>>
>>>> --
>>>> / Alexander Bokovoy
>>>>
>>>
>>>
>>
>
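As an added example (my own script, not code from this thread or from the FreeIPA project), here is a small POSIX shell helper for the two checks the thread turns on: locating and dropping the cached ipa_session_cookie key that Alexander says causes the "Unauthorized" error, and summarising a keytab by principal and KVNO so that a freshly regenerated keytab can be compared against the saved copy. The keyring and klist samples inside it are constructed to mirror the output quoted above, not captured from a real server. One assumption to note: the script removes the cookie with `keyctl unlink <id> @s`, because `keyctl purge` selects keys by type and description rather than by numeric id, so a bare id given to purge matches nothing.

```shell
#!/bin/sh
# Added example; not code from the thread or from the FreeIPA project.
# Two checks an admin wants while following the advice in the thread:
#   1. find and drop the cached ipa_session_cookie key in the session keyring
#      (the stale cookie behind "cannot connect ... Unauthorized"), and
#   2. summarise a keytab by principal and KVNO, so a regenerated keytab can be
#      compared against the saved copy.
# Assumptions: keyctl (keyutils) and klist (krb5) are the standard tools; the
# sample outputs below are constructed to mirror the thread, not captured.

# Print the id of every key in `keyctl list @s` output (stdin) whose type is
# "user" and whose description starts with "ipa_session_cookie:".
ipa_session_key_ids() {
    sed -n 's/^ *\([0-9][0-9]*\): .* user: *ipa_session_cookie:.*$/\1/p'
}

# Remove the cached cookie keys from the session keyring by id.
# `keyctl unlink <id> @s` removes a key by numeric id; `keyctl purge` takes a
# key type and description instead, which is why it is not used here.
purge_ipa_session() {
    ids=$(keyctl list @s | ipa_session_key_ids)
    if [ -z "$ids" ]; then
        echo "no ipa_session_cookie key in the session keyring" >&2
        return 1
    fi
    for id in $ids; do
        keyctl unlink "$id" @s
    done
    keyctl reap
}

# Reduce `klist -k` output (stdin) to one "KVNO principal" line per principal.
# klist prints one entry per encryption type, so each principal repeats.
keytab_kvno_summary() {
    awk '$1 ~ /^[0-9]+$/ { print $1, $2 }' | LC_ALL=C sort -u
}

# Constructed sample inputs, shaped like the output quoted in the thread.
SAMPLE_KEYRING='2 keys in keyring:
496745412: --alswrv     0 65534 keyring: _uid.0
215779962: --alswrv     0     0 user: ipa_session_cookie:admin@EXAMPLE.COM'

SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/ipa.example.com@EXAMPLE.COM
   2 host/ipa.example.com@EXAMPLE.COM
   3 HTTP/ipa.example.com@EXAMPLE.COM
   3 HTTP/ipa.example.com@EXAMPLE.COM'

# Dry run against the samples; pass --purge to act on the real session keyring.
printf '%s\n' "$SAMPLE_KEYRING" | ipa_session_key_ids
printf '%s\n' "$SAMPLE_KEYTAB" | keytab_kvno_summary
if [ "${1:-}" = "--purge" ]; then
    purge_ipa_session
fi
```

Run it as the same user whose `ipa` command fails, since `@s` is that user's session keyring; after the purge the next `ipa user-show admin` has to authenticate again with the current ticket. For the keytab check, run `klist -k /etc/krb5.keytab.save | keytab_kvno_summary` against the saved copy and the same against the new file: the KVNO should have increased for every principal that was regenerated, and any principal present in the old file but missing from the new one was not requested with ipa-getkeytab.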