Hello everybody, If I try to login via WebUI with an AD account , i get the following error:
'Your session has expired. Please log in again.' in the WebUI interface. I the http access logs i have the following entry: [email protected] [03/Feb/2022:14:54:13 +0100] "POST /ipa/session/json HTTP/1.1" 401 176 [email protected] [03/Feb/2022:14:54:13 +0100] "GET /ipa/session/login_kerberos?_=1643896292999 HTTP/1.1" 401 262 On the http error_log: [Thu Feb 03 14:54:13.466436 2022] [wsgi:error] [pid 1835110:tid 140666734245632] [remote 10.8.137.41:58079] ipa: INFO: 401 Unauthorized: Insufficient access: Invalid credentials [Thu Feb 03 14:54:13.472887 2022] [:warn] [pid 1837963:tid 140666084521728] [client 10.8.137.41:58079] failed to set perms (3140) on file (/run/ipa/ccaches/[email protected])!, referer: https://xxx.ipa.example.local/ipa/ui/ [Thu Feb 03 14:54:13.477997 2022] [wsgi:error] [pid 1835109:tid 140666733983488] [remote 10.8.137.41:58079] ipa: INFO: 401 Unauthorized: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (108962060): Credential cache is empty In the krb5kdc.log : Feb 03 14:54:13 xxxipaprd04.ipa.example.local krb5kdc[3151688](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), ca mellia128-cts-cmac(25)}) 10.30.200.220: REFERRAL: user\@[email protected] for krbtgt/[email protected], Realm not local to KDC Feb 03 14:54:13 xxxipaprd04.ipa.example.local krb5kdc[3151688](info): closing down fd 12 Feb 03 14:54:13 xxxipaprd04.ipa.example.local krb5kdc[3151688](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), c amellia128-cts-cmac(25)}) 10.30.200.220: ISSUE: authtime 1643896453, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, [email protected] for HTTP/xxxipaprd04.ipa.example.local@IPA. EXAMPLE.LOCAL Feb 03 14:54:13 xxxipaprd04.ipa.example.local krb5kdc[3151688](info): closing down fd 12 Feb 03 14:54:13 xxxipaprd04.ipa.example.local krb5kdc[3151688](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), c amellia128-cts-cmac(25)}) 10.30.200.220: ISSUE: authtime 1643896453, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, HTTP/[email protected] for ldap/c [email protected] Feb 03 14:54:13 xxxipaprd04.ipa.example.local krb5kdc[3151688](info): ... CONSTRAINED-DELEGATION [email protected] Any help would be really appreciated. Regards, iulian roman _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
