<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 03/05/2015 04:15 PM, Dan Mossor
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAMobkEPyPELt2-3pGV3+_z+pnF8_heetoOW3=RJVrYB=Z-YSNw@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>
          <div>
            <div>
              <div>
                <div>
                  <div>
                    <div>
                      <div>
                        <div>
                          <div><span
                              style="font-family:monospace,monospace">Good
                              day, folks.<br>
                              <br>
                            </span></div>
                          <span style="font-family:monospace,monospace">This
                            time it is something different, yet the
                            same. I have re-deployed my IPA installation
                            due to some underlying issues with the host
                            of the virtual machine. Even with the new
                            installation, I cannot authenticate through
                            the web UI.<br>
                            <br>
                          </span></div>
                        <span style="font-family:monospace,monospace">So
                          far, there is exactly one client in the domain
                          (my workstation), and exactly one user -
                          admin. I am not comfortable with the command
                          line tools, and I have others below my
                          position that require a GUI for management
                          purposes, so I have to make this work to
                          proceed any further.<br>
                          <br>
                        </span></div>
                      <span style="font-family:monospace,monospace">Following
                        up with the information Martin asked for in my
                        previous thread, let me walk you through the
                        process:<br>
                        <br>
                      </span></div>
                    <span style="font-family:monospace,monospace">I
                      attempted to log in to <a moz-do-not-send="true"
                        href="https://vader.rez.lcl/">https://vader.rez.lcl/</a>,
                      and received the error "Your session has expired.
                      Please re-login." At this point, I clicked the
                      link to configure Firefox. On the command line, I
                      obtained a Kerberos ticket for admin (note - I am
                      root on this workstation for the time being):<br>
                      <br>
                      [root@dmfedora ~]# kinit admin<br>
                      Password for admin@REZ.LCL: <br>
                      [root@dmfedora ~]# klist<br>
                      Ticket cache: KEYRING:persistent:0:0<br>
                      Default principal: admin@REZ.LCL<br>
                      <br>
                      Valid starting       Expires              Service
                      principal<br>
                      03/05/2015 14:46:22  03/06/2015 14:46:15 
                      krbtgt/REZ.LCL@REZ.LCL<br>
                      <br>
                    </span></div>
                  <span style="font-family:monospace,monospace">I then
                    finished the Firefox configuration, and attempted to
                    log in again. I still received the error. The
                    Firefox console shows:<br>
                    <br>
                    POST <a moz-do-not-send="true"
                      href="https://vader.rez.lcl/ipa/session/login_password">https://vader.rez.lcl/ipa/session/login_password</a>
                    [HTTP/1.1 200 Success 756ms]<br>
                    POST <a moz-do-not-send="true"
                      href="https://vader.rez.lcl/ipa/session/json">https://vader.rez.lcl/ipa/session/json</a>
                    [HTTP/1.1 401 Unauthorized 3ms]<br>
                    GET <a moz-do-not-send="true"
                      href="https://vader.rez.lcl/ipa/session/login_kerberos">https://vader.rez.lcl/ipa/session/login_kerberos</a>
                    [HTTP/1.1 401 Unauthorized 2ms]<br>
                    GET <a moz-do-not-send="true"
                      href="https://vader.rez.lcl/ipa/session/login_kerberos">https://vader.rez.lcl/ipa/session/login_kerberos</a>
                    [HTTP/1.1 200 Success 26ms]<br>
                    POST <a moz-do-not-send="true"
                      href="https://vader.rez.lcl/ipa/session/json">https://vader.rez.lcl/ipa/session/json</a>
                    [HTTP/1.1 401 Unauthorized 4ms]<br>
                    <br>
                  </span></div>
                <span style="font-family:monospace,monospace">/var/log/krb5kdc.log
                  during the process:<br>
                  Mar 05 21:06:30 vader.rez.lcl krb5kdc[1073](info):
                  AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1:
                  NEEDED_PREAUTH: HTTP/vader.rez.lcl@REZ.LCL for
                  krbtgt/REZ.LCL@REZ.LCL, Additional pre-authentication
                  required<br>
                  Mar 05 21:06:30 vader.rez.lcl krb5kdc[1073](info):
                  AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1:
                  ISSUE: authtime 1425589590, etypes {rep=18 tkt=18
                  ses=18}, HTTP/vader.rez.lcl@REZ.LCL for
                  krbtgt/REZ.LCL@REZ.LCL<br>
                  Mar 05 21:06:30 vader.rez.lcl krb5kdc[1073](info):
                  AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1:
                  NEEDED_PREAUTH: admin@REZ.LCL for
                  krbtgt/REZ.LCL@REZ.LCL, Additional pre-authentication
                  required<br>
                  Mar 05 21:06:30 vader.rez.lcl krb5kdc[1073](info):
                  AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1:
                  ISSUE: authtime 1425589590, etypes {rep=18 tkt=18
                  ses=18}, admin@REZ.LCL for krbtgt/REZ.LCL@REZ.LCL<br>
                  <br>
                </span></div>
              <span style="font-family:monospace,monospace">/var/log/httpd/access_log
                shows the same thing as the Firefox console:<br>
                10.1.1.15 - - [05/Mar/2015:21:06:30 +0000] "POST
                /ipa/session/login_password HTTP/1.1" 200 25<br>
                10.1.1.15 - - [05/Mar/2015:21:06:31 +0000] "POST
                /ipa/session/json HTTP/1.1" 401 -<br>
                10.1.1.15 - - [05/Mar/2015:21:06:31 +0000] "GET
                /ipa/session/login_kerberos?_=1425587158134 HTTP/1.1"
                401 1469<br>
                10.1.1.15 - admin@REZ.LCL [05/Mar/2015:21:06:31 +0000]
                "GET /ipa/session/login_kerberos?_=1425587158134
                HTTP/1.1" 200 20<br>
                10.1.1.15 - - [05/Mar/2015:21:06:31 +0000] "POST
                /ipa/session/json HTTP/1.1" 401 -<br>
                <br>
              </span></div>
            <span style="font-family:monospace,monospace">Nothing is
              entered into any error logs, the audit log, or the system
              journal. I am at my wits' end here, and lost. What other
              information do you need to help me solve this problem?<br>
              <br>
            </span></div>
          <span style="font-family:monospace,monospace">Thank you,<br>
          </span></div>
        <span style="font-family:monospace,monospace">Dan Mossor<br>
          <br>
          --<br>
        </span>
        <pre style="margin:0em">Dan Mossor, RHCSA
Systems Engineer at Large
Fedora Plasma Product WG | Fedora QA Team | Fedora Server WG
Fedora Infrastructure Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA</pre>
      </div>
    </blockquote>
    Can you authenticate using the UI from the server host?<br>
    It seems that the Kerberos authentication goes through but then it
    is lost.<br>
    So here are some wild ideas:<br>
    - Is the browser properly configured? Maybe there is something with
    the browser that is not working? Have you cleaned the old IPA CA
    cert? It might not be related but I have seen issues in the past
    with it.<br>
    - Are you sure that the server has all the components? For example, the
    session on the server side is stored in memcached. If it is not
    running or something is not right with it, the ticket sharing might
    be broken. <br>
    <br>
    <pre class="moz-signature" cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
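    <br>
    Added example, not part of the original messages: a small Python
    check that reads Apache access_log lines and reports the pattern
    seen in this thread, a 200 on /ipa/session/login_* followed by a 401
    on /ipa/session/json from the same client. The function name and the
    10-second window are assumptions; the sample input is the access_log
    excerpt quoted above, rejoined one entry per line.<br>
    <pre>
```python
import re
from datetime import datetime, timedelta

# The access_log entries quoted in the message above, rejoined one per line.
SAMPLE_LOG = """\
10.1.1.15 - - [05/Mar/2015:21:06:30 +0000] "POST /ipa/session/login_password HTTP/1.1" 200 25
10.1.1.15 - - [05/Mar/2015:21:06:31 +0000] "POST /ipa/session/json HTTP/1.1" 401 -
10.1.1.15 - - [05/Mar/2015:21:06:31 +0000] "GET /ipa/session/login_kerberos?_=1425587158134 HTTP/1.1" 401 1469
10.1.1.15 - admin@REZ.LCL [05/Mar/2015:21:06:31 +0000] "GET /ipa/session/login_kerberos?_=1425587158134 HTTP/1.1" 200 20
10.1.1.15 - - [05/Mar/2015:21:06:31 +0000] "POST /ipa/session/json HTTP/1.1" 401 -
"""

# Common Log Format: client, ident, user, [time], "method target proto", status, size
LINE_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')
LOGIN_PREFIX = "/ipa/session/login_"   # login_password, login_kerberos
SESSION_RPC = "/ipa/session/json"      # call that must carry the session cookie
WINDOW = timedelta(seconds=10)         # assumed: how soon the UI follows up


def find_lost_sessions(log_text):
    """Return (client, login_path, user, time) for each successful login
    whose next session RPC from the same client is rejected with 401."""
    pending = {}    # client IP: (login path, user, time of the 200)
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or non-CLF lines
        client, user, stamp, _method, target, status = m.groups()
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        path = target.split("?", 1)[0]  # drop the cache-busting query string
        if path.startswith(LOGIN_PREFIX) and status == "200":
            pending[client] = (path, user, when)
        elif path == SESSION_RPC and client in pending:
            login_path, login_user, login_time = pending.pop(client)
            if status == "401" and WINDOW >= when - login_time:
                findings.append((client, login_path, login_user, when))
    return findings


if __name__ == "__main__":
    for client, login_path, user, when in find_lost_sessions(SAMPLE_LOG):
        print(f"{when:%H:%M:%S} {client}: {login_path} returned 200 "
              f"(user {user}) but the next {SESSION_RPC} got 401")
```
    </pre>
    Both the password login and the Kerberos login in the excerpt are
    reported, which matches a session that is issued and then not found
    again on the server side.<br>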
  </body>
</html>