<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 03/05/2015 05:51 PM, Dan Mossor
wrote:<br>
</div>
<blockquote
cite="mid:CAMobkEMwguVVpmBt912tKLyPxSx9j-yZ0J53WGoWt6FwjATTdg@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">On Thu, Mar 5, 2015 at 4:34 PM, Dan
Mossor <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:danofsatx@gmail.com" target="_blank">danofsatx@gmail.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<div class="gmail_quote"><span class="">On Thu, Mar 5,
2015 at 4:16 PM, Dmitri Pal <span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>&gt;</span>
wrote:<br>
</span>
<div>
<div class="h5">
<blockquote class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>
<div>
<div>On 03/05/2015 04:15 PM, Dan Mossor
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div><span
style="font-family:monospace,monospace">Good
day, folks.<br>
<br>
</span></div>
<span
style="font-family:monospace,monospace">This
time it is
something
different, yet
the same. I have
re-deployed my
IPA installation
due to some
underlying
issues with the
host of the
virtual machine.
Even with the
new
installation, I
cannot
authenticate
through the web
UI.<br>
<br>
</span></div>
<span
style="font-family:monospace,monospace">So
far, there is
exactly one client
in the domain (my
workstation), and
exactly one user -
admin. I am not
comfortable with
the command line
tools, and I have
others below my
position that
require a GUI for
management
purposes, so I
have to make this
work to proceed
any further.<br>
<br>
</span></div>
<span
style="font-family:monospace,monospace">Following
up with the
information Martin
asked for in my
previous thread, let
me walk you through
the process:<br>
<br>
</span></div>
<span
style="font-family:monospace,monospace">I
attempted to log in to
<a
moz-do-not-send="true"
href="https://vader.rez.lcl/" target="_blank">https://vader.rez.lcl/</a>,
and received the error
"Your session has
expired. Please
re-login." At this
point, I clicked the
link to configure
Firefox. On the
command line, I
obtained a kerberos
ticket for admin (note
- I am root on this
workstation for the
time being):<br>
<br>
[root@dmfedora ~]#
kinit admin<br>
Password for <a
moz-do-not-send="true"
href="mailto:admin@REZ.LCL" target="_blank">admin@REZ.LCL</a>: <br>
[root@dmfedora ~]#
klist<br>
Ticket cache:
KEYRING:persistent:0:0<br>
Default principal: <a
moz-do-not-send="true" href="mailto:admin@REZ.LCL" target="_blank">admin@REZ.LCL</a><br>
<br>
Valid starting
Expires
Service principal<br>
03/05/2015 14:46:22
03/06/2015 14:46:15 <a
moz-do-not-send="true" href="mailto:krbtgt/REZ.LCL@REZ.LCL"
target="_blank">krbtgt/REZ.LCL@REZ.LCL</a><br>
<br>
</span></div>
<span
style="font-family:monospace,monospace">I
then finished the
Firefox configuration,
and attempted to log in
again. I still received
the error. The Firefox
console shows:<br>
<br>
POST <a
moz-do-not-send="true"
href="https://vader.rez.lcl/ipa/session/login_password" target="_blank">https://vader.rez.lcl/ipa/session/login_password</a>
[HTTP/1.1 200 Success
756ms]<br>
POST <a
moz-do-not-send="true"
href="https://vader.rez.lcl/ipa/session/json" target="_blank">https://vader.rez.lcl/ipa/session/json</a>
[HTTP/1.1 401
Unauthorized 3ms]<br>
GET <a
moz-do-not-send="true"
href="https://vader.rez.lcl/ipa/session/login_kerberos" target="_blank">https://vader.rez.lcl/ipa/session/login_kerberos</a>
[HTTP/1.1 401
Unauthorized 2ms]<br>
GET <a
moz-do-not-send="true"
href="https://vader.rez.lcl/ipa/session/login_kerberos" target="_blank">https://vader.rez.lcl/ipa/session/login_kerberos</a>
[HTTP/1.1 200 Success
26ms]<br>
POST <a
moz-do-not-send="true"
href="https://vader.rez.lcl/ipa/session/json" target="_blank">https://vader.rez.lcl/ipa/session/json</a>
[HTTP/1.1 401
Unauthorized 4ms]<br>
<br>
</span></div>
<span
style="font-family:monospace,monospace">/var/log/krb5kdc.log
during the process:<br>
Mar 05 21:06:30
vader.rez.lcl
krb5kdc[1073](info):
AS_REQ (6 etypes {18 17 16
23 25 26}) <a
moz-do-not-send="true"
href="http://10.1.0.1"
target="_blank">10.1.0.1</a>:
NEEDED_PREAUTH: <a
moz-do-not-send="true"
href="mailto:HTTP/vader.rez.lcl@REZ.LCL"
target="_blank">HTTP/vader.rez.lcl@REZ.LCL</a>
for <a
moz-do-not-send="true"
href="mailto:krbtgt/REZ.LCL@REZ.LCL"
target="_blank">krbtgt/REZ.LCL@REZ.LCL</a>,
Additional
pre-authentication
required<br>
Mar 05 21:06:30
vader.rez.lcl
krb5kdc[1073](info):
AS_REQ (6 etypes {18 17 16
23 25 26}) <a
moz-do-not-send="true"
href="http://10.1.0.1"
target="_blank">10.1.0.1</a>:
ISSUE: authtime
1425589590, etypes {rep=18
tkt=18 ses=18}, <a
moz-do-not-send="true"
href="mailto:HTTP/vader.rez.lcl@REZ.LCL"
target="_blank">HTTP/vader.rez.lcl@REZ.LCL</a>
for <a
moz-do-not-send="true"
href="mailto:krbtgt/REZ.LCL@REZ.LCL"
target="_blank">krbtgt/REZ.LCL@REZ.LCL</a><br>
Mar 05 21:06:30
vader.rez.lcl
krb5kdc[1073](info):
AS_REQ (6 etypes {18 17 16
23 25 26}) <a
moz-do-not-send="true"
href="http://10.1.0.1"
target="_blank">10.1.0.1</a>:
NEEDED_PREAUTH: <a
moz-do-not-send="true"
href="mailto:admin@REZ.LCL"
target="_blank">admin@REZ.LCL</a>
for <a
moz-do-not-send="true"
href="mailto:krbtgt/REZ.LCL@REZ.LCL"
target="_blank">krbtgt/REZ.LCL@REZ.LCL</a>,
Additional
pre-authentication
required<br>
Mar 05 21:06:30
vader.rez.lcl
krb5kdc[1073](info):
AS_REQ (6 etypes {18 17 16
23 25 26}) <a
moz-do-not-send="true"
href="http://10.1.0.1"
target="_blank">10.1.0.1</a>:
ISSUE: authtime
1425589590, etypes {rep=18
tkt=18 ses=18}, <a
moz-do-not-send="true"
href="mailto:admin@REZ.LCL"
target="_blank">admin@REZ.LCL</a>
for <a
moz-do-not-send="true"
href="mailto:krbtgt/REZ.LCL@REZ.LCL"
target="_blank">krbtgt/REZ.LCL@REZ.LCL</a><br>
<br>
</span></div>
<span
style="font-family:monospace,monospace">/var/log/httpd/access_log
shows the same thing as the
Firefox console:<br>
10.1.1.15 - -
[05/Mar/2015:21:06:30 +0000]
"POST
/ipa/session/login_password
HTTP/1.1" 200 25<br>
10.1.1.15 - -
[05/Mar/2015:21:06:31 +0000]
"POST /ipa/session/json
HTTP/1.1" 401 -<br>
10.1.1.15 - -
[05/Mar/2015:21:06:31 +0000]
"GET
/ipa/session/login_kerberos?_=1425587158134
HTTP/1.1" 401 1469<br>
10.1.1.15 - <a
moz-do-not-send="true"
href="mailto:admin@REZ.LCL"
target="_blank">admin@REZ.LCL</a>
[05/Mar/2015:21:06:31 +0000]
"GET
/ipa/session/login_kerberos?_=1425587158134
HTTP/1.1" 200 20<br>
10.1.1.15 - -
[05/Mar/2015:21:06:31 +0000]
"POST /ipa/session/json
HTTP/1.1" 401 -<br>
<br>
</span></div>
<span
style="font-family:monospace,monospace">Nothing
is entered into any error
logs, the audit log, or the
system journal. I am at my
wits' end here, and lost. What
other information do you need
to help me solve this problem?<br>
<br>
</span></div>
<span
style="font-family:monospace,monospace">Thank
you,<br>
</span></div>
<span
style="font-family:monospace,monospace">Dan
Mossor<br>
<br>
--<br>
</span>
<pre style="margin:0em">Dan Mossor, RHCSA
Systems Engineer at Large
Fedora Plasma Product WG | Fedora QA Team | Fedora Server WG
Fedora Infrastructure Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA</pre>
</div>
<br>
<br>
</blockquote>
</div>
</div>
Can you authenticate using UI from the
server host?<br>
It seems that the Kerberos authentication
goes through but then it is lost.<br>
So here are some wild ideas:<br>
- Is the browser properly configured? Maybe
there is something with the browser that is
not working? Have you cleaned the old IPA CA
cert? It might not be related, but I have
seen issues in the past with it.<br>
- Are you sure that server has all the
components? For example session on the
server side is stored in memcached. If it is
not running or something is not right with
it the ticket sharing might be broken. <br>
<span><font color="#888888"> <br>
<pre cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
</font></span></div>
</blockquote>
</div>
</div>
<div><font face="monospace,monospace">First off,
apologies if the thread is broken - I am stuck
using the Gmail interface temporarily.<br>
<br>
</font>
<div>
<div class="h5">
<div class="gmail_extra"><font
face="monospace,monospace">The server host
- both the actual host and the IPA server
- do not have GUIs on them, so I cannot
launch a web browser from them. The old
IPA CA cert was never on this workstation
- this workstation was built Tuesday, and
the IPA server deployed yesterday. The
previous one I was having issues with had
already been wiped - so this is starting
off from scratch with both the server and
the client. I did check the ipa_memcached
service as suggested by Martin in my
previous thread.<br>
<br>
[root@vader ipa]# systemctl status
httpd.service <a class="moz-txt-link-abbreviated" href="mailto:dirsrv@REZ-LCL.service">dirsrv@REZ-LCL.service</a>
ipa_memcached.service <br>
● httpd.service - The Apache HTTP Server<br>
Loaded: loaded
(/usr/lib/systemd/system/httpd.service;
disabled)<br>
Active: active (running) since Fri
2015-03-06 18:19:16 GMT; 19h left<br>
Main PID: 1103 (httpd)<br>
Status: "Total requests: 150; Idle/Busy
workers 100/0;Requests/sec: 3.49e-08;
Bytes served/sec: 0 B/sec"<br>
CGroup: /system.slice/httpd.service<br>
├─1103 /usr/sbin/httpd
-DFOREGROUND<br>
├─1104 /usr/libexec/nss_pcache
98307 off /etc/httpd/alias<br>
├─1105 /usr/sbin/httpd
-DFOREGROUND<br>
├─1107 /usr/sbin/httpd
-DFOREGROUND<br>
├─1108 /usr/sbin/httpd
-DFOREGROUND<br>
├─1111 /usr/sbin/httpd
-DFOREGROUND<br>
├─1113 /usr/sbin/httpd
-DFOREGROUND<br>
├─1339 /usr/sbin/httpd
-DFOREGROUND<br>
├─1471 /usr/sbin/httpd
-DFOREGROUND<br>
├─1473 /usr/sbin/httpd
-DFOREGROUND<br>
├─1474 /usr/sbin/httpd
-DFOREGROUND<br>
├─1475 /usr/sbin/httpd
-DFOREGROUND<br>
├─1926 /usr/sbin/httpd
-DFOREGROUND<br>
└─1927 /usr/sbin/httpd
-DFOREGROUND<br>
<br>
Mar 05 19:58:34 vader.rez.lcl httpd[1107]:
GSSAPI client step 1<br>
Mar 05 19:58:34 vader.rez.lcl httpd[1107]:
GSSAPI client step 2<br>
Mar 05 19:58:34 vader.rez.lcl httpd[1105]:
GSSAPI client step 1<br>
Mar 05 19:58:34 vader.rez.lcl httpd[1105]:
GSSAPI client step 1<br>
Mar 05 19:58:34 vader.rez.lcl httpd[1105]:
GSSAPI client step 1<br>
Mar 05 19:58:34 vader.rez.lcl httpd[1105]:
GSSAPI client step 2<br>
Mar 05 19:58:35 vader.rez.lcl httpd[1107]:
GSSAPI client step 1<br>
Mar 05 19:58:35 vader.rez.lcl httpd[1107]:
GSSAPI client step 1<br>
Mar 05 19:58:36 vader.rez.lcl httpd[1107]:
GSSAPI client step 1<br>
Mar 05 19:58:36 vader.rez.lcl httpd[1107]:
GSSAPI client step 2<br>
<br>
● <a class="moz-txt-link-abbreviated" href="mailto:dirsrv@REZ-LCL.service">dirsrv@REZ-LCL.service</a> - 389 Directory
Server REZ-LCL.<br>
Loaded: loaded
(/usr/lib/systemd/system/dirsrv@.service;
enabled)<br>
Active: active (running) since Fri
2015-03-06 18:18:53 GMT; 19h left<br>
Process: 1006
ExecStart=/usr/sbin/ns-slapd -D
/etc/dirsrv/slapd-%i -i
/var/run/dirsrv/slapd-%i.pid -w
/var/run/dirsrv/slapd-%i.startpid
(code=exited, status=0/SUCCESS)<br>
Main PID: 1020 (ns-slapd)<br>
CGroup:
/system.slice/system-dirsrv.slice/dirsrv@REZ-LCL.service<br>
└─1020 /usr/sbin/ns-slapd -D
/etc/dirsrv/slapd-REZ-LCL -i
/var/run/dirsrv/slapd-REZ-LCL.pid -w
/var/run/dirsrv/slapd-REZ-LCL.startpid<br>
<br>
Mar 05 21:43:46 vader.rez.lcl
ns-slapd[1020]: GSSAPI server step 3<br>
Mar 05 21:58:46 vader.rez.lcl
ns-slapd[1020]: GSSAPI server step 1<br>
Mar 05 21:58:47 vader.rez.lcl
ns-slapd[1020]: GSSAPI server step 2<br>
Mar 05 21:58:47 vader.rez.lcl
ns-slapd[1020]: GSSAPI server step 3<br>
Mar 05 22:13:47 vader.rez.lcl
ns-slapd[1020]: GSSAPI server step 1<br>
Mar 05 22:13:47 vader.rez.lcl
ns-slapd[1020]: GSSAPI server step 2<br>
Mar 05 22:13:47 vader.rez.lcl
ns-slapd[1020]: GSSAPI server step 3<br>
Mar 05 22:28:48 vader.rez.lcl
ns-slapd[1020]: GSSAPI server step 1<br>
Mar 05 22:28:48 vader.rez.lcl
ns-slapd[1020]: GSSAPI server step 2<br>
Mar 05 22:28:48 vader.rez.lcl
ns-slapd[1020]: GSSAPI server step 3<br>
<br>
● ipa_memcached.service - IPA memcached
daemon, increases IPA server performance<br>
Loaded: loaded
(/usr/lib/systemd/system/ipa_memcached.service;
disabled)<br>
Active: active (running) since Fri
2015-03-06 18:19:15 GMT; 19h left<br>
Process: 1094
ExecStart=/usr/bin/memcached -d -s
$SOCKET_PATH -u $USER -m $CACHESIZE -c
$MAXCONN -P
/var/run/ipa_memcached/ipa_memcached.pid
$OPTIONS (code=exited, status=0/SUCCESS)<br>
Main PID: 1095 (memcached)<br>
CGroup:
/system.slice/ipa_memcached.service<br>
└─1095 /usr/bin/memcached -d -s
/var/run/ipa_memcached/ipa_memcached -u
apache -m 64 -c 1024 -P
/var/run/ipa_memcached/ipa_memcached.pid<br>
[root@vader ipa]#<br>
<br>
</font></div>
<div class="gmail_extra"><span
style="font-family:monospace,monospace">Thanks,<br>
</span></div>
</div>
</div>
<div class="gmail_extra"><span
style="font-family:monospace,monospace">Dan
</span></div>
<span class="">
<div><span>
<div class="gmail_extra">
<pre style="margin:0em">--
Dan Mossor, RHCSA
Systems Engineer at Large
Fedora Plasma Product WG | Fedora QA Team | Fedora Server WG
Fedora Infrastructure Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA</pre>
</div>
</span></div>
</span></div>
</div>
</div>
</div>
</blockquote>
</div>
<font face="monospace,monospace">As an additional test, I
created a new user on my workstation and switched to it. The
first thing I did was kinit as admin, then started Firefox,
went through the browser configuration provided by the IPA
server, and attempted to log in. I received the same
error[1].<br>
<br>
[1]<a moz-do-not-send="true"
href="http://i.imgur.com/mhX86Ng.png">http://i.imgur.com/mhX86Ng.png</a><br>
</font></div>
</div>
<br>
<br>
</blockquote>
Have you checked times and time zones on the client and on the
server?<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
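<p>An added diagnostic example, not from this thread or from the FreeIPA project, that re-reads the log excerpts quoted above (re-typed here as constructed sample input) and turns the two suggestions in the replies into checks: it flags an authenticated <code>login_kerberos</code> 200 that is immediately followed by a 401 on <code>/ipa/session/json</code> from the same client (the "authentication goes through but then is lost" pattern), compares the KDC's <code>authtime</code> with the httpd timestamp against the Kerberos default 300 s skew tolerance, and recognises systemctl's "<i>N</i>h left" wording, which systemd prints when a unit's recorded start time is later than the current clock. The five-second window and the helper names are assumptions of this example.</p>

```python
import re
from datetime import datetime, timezone

# Sample inputs constructed from the log excerpts quoted in this thread.
ACCESS_LOG = """\
10.1.1.15 - - [05/Mar/2015:21:06:30 +0000] "POST /ipa/session/login_password HTTP/1.1" 200 25
10.1.1.15 - - [05/Mar/2015:21:06:31 +0000] "POST /ipa/session/json HTTP/1.1" 401 -
10.1.1.15 - - [05/Mar/2015:21:06:31 +0000] "GET /ipa/session/login_kerberos?_=1425587158134 HTTP/1.1" 401 1469
10.1.1.15 - admin@REZ.LCL [05/Mar/2015:21:06:31 +0000] "GET /ipa/session/login_kerberos?_=1425587158134 HTTP/1.1" 200 20
10.1.1.15 - - [05/Mar/2015:21:06:31 +0000] "POST /ipa/session/json HTTP/1.1" 401 -
"""
KDC_AUTHTIME = 1425589590  # "ISSUE: authtime ..." in the quoted krb5kdc.log line
STATUS_LINE = "Active: active (running) since Fri 2015-03-06 18:19:16 GMT; 19h left"

LINE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_access_log(text):
    """Combined-log lines -> dicts: ip, user (None for '-'), ts, path (no query), status."""
    out = []
    for m in filter(None, map(LINE.match, text.splitlines())):
        ip, user, ts, _method, path, status = m.groups()
        out.append({"ip": ip, "user": None if user == "-" else user,
                    "ts": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
                    "path": path.split("?")[0], "status": int(status)})
    return out

def lost_sessions(entries, window=5):
    """Authenticated login_kerberos 200 followed within `window` seconds by a 401 on
    /ipa/session/json from the same client: the session just created was not honoured."""
    hits = []
    for i, e in enumerate(entries):
        if e["path"].endswith("/login_kerberos") and e["status"] == 200 and e["user"]:
            for f in entries[i + 1:]:
                if (f["ip"] == e["ip"] and f["path"].endswith("/session/json")
                        and f["status"] == 401 and (f["ts"] - e["ts"]).total_seconds() <= window):
                    hits.append((e["user"], e["ts"].isoformat()))
                    break
    return hits

def kdc_vs_httpd_skew(authtime, entries):
    """Seconds between the KDC's authtime and the first httpd hit (krb5 tolerates 300 s by default)."""
    first = min(e["ts"] for e in entries)
    return abs((first - datetime.fromtimestamp(authtime, timezone.utc)).total_seconds())

def start_time_in_future(status_line):
    """systemctl prints '<duration> left' instead of '<duration> ago' when the unit's
    recorded start time is later than the current clock, i.e. the clock went backwards."""
    return re.search(r"since .*; \S+ left$", status_line) is not None
```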
</body>
</html>