On 03/05/2015 05:51 PM, Dan Mossor wrote:
On Thu, Mar 5, 2015 at 4:34 PM, Dan Mossor <[email protected]
<mailto:[email protected]>> wrote:
On Thu, Mar 5, 2015 at 4:16 PM, Dmitri Pal <[email protected]
<mailto:[email protected]>> wrote:
On 03/05/2015 04:15 PM, Dan Mossor wrote:
Good day, folks.
This time it is something different, yet the same. I have
re-deployed my IPA installation due to some underlying issues
with the host of the virtual machine. Even with the new
installation, I cannot authenticate through the web UI.
So far, there is exactly one client in the domain (my
workstation), and exactly one user - admin. I am not
comfortable with the command line tools, and I have others
below my position that require a GUI for management purposes,
so I have to make this work to proceed any further.
Following up with the information Martin asked for in my
previous thread, let me walk you through the process:
I attempted to log in to https://vader.rez.lcl/, and received
the error "Your session has expired. Please re-login." At
this point, I clicked the link to configure Firefox. On the
command line, I obtained a kerberos ticket for admin (note -
I am root on this workstation for the time being):
[root@dmfedora ~]# kinit admin
Password for [email protected] <mailto:[email protected]>:
[root@dmfedora ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: [email protected] <mailto:[email protected]>
Valid starting Expires Service principal
03/05/2015 14:46:22 03/06/2015 14:46:15
krbtgt/[email protected] <mailto:krbtgt/[email protected]>
I then finished the Firefox configuration, and attempted to
log in again. I still received the error. The Firefox console
shows:
POST https://vader.rez.lcl/ipa/session/login_password
[HTTP/1.1 200 Success 756ms]
POST https://vader.rez.lcl/ipa/session/json [HTTP/1.1 401
Unauthorized 3ms]
GET https://vader.rez.lcl/ipa/session/login_kerberos
[HTTP/1.1 401 Unauthorized 2ms]
GET https://vader.rez.lcl/ipa/session/login_kerberos
[HTTP/1.1 200 Success 26ms]
POST https://vader.rez.lcl/ipa/session/json [HTTP/1.1 401
Unauthorized 4ms]
/var/log/krb5kdc.log during the process:
Mar 05 21:06:30 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6
etypes {18 17 16 23 25 26}) 10.1.0.1 <http://10.1.0.1>:
NEEDED_PREAUTH: HTTP/[email protected]
<mailto:HTTP/[email protected]> for
krbtgt/[email protected] <mailto:krbtgt/[email protected]>,
Additional pre-authentication required
Mar 05 21:06:30 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6
etypes {18 17 16 23 25 26}) 10.1.0.1 <http://10.1.0.1>:
ISSUE: authtime 1425589590, etypes {rep=18 tkt=18 ses=18},
HTTP/[email protected]
<mailto:HTTP/[email protected]> for
krbtgt/[email protected] <mailto:krbtgt/[email protected]>
Mar 05 21:06:30 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6
etypes {18 17 16 23 25 26}) 10.1.0.1 <http://10.1.0.1>:
NEEDED_PREAUTH: [email protected] <mailto:[email protected]> for
krbtgt/[email protected] <mailto:krbtgt/[email protected]>,
Additional pre-authentication required
Mar 05 21:06:30 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6
etypes {18 17 16 23 25 26}) 10.1.0.1 <http://10.1.0.1>:
ISSUE: authtime 1425589590, etypes {rep=18 tkt=18 ses=18},
[email protected] <mailto:[email protected]> for
krbtgt/[email protected] <mailto:krbtgt/[email protected]>
/var/log/httpd/access_log shows the same thing as the Firefox
console:
10.1.1.15 - - [05/Mar/2015:21:06:30 +0000] "POST
/ipa/session/login_password HTTP/1.1" 200 25
10.1.1.15 - - [05/Mar/2015:21:06:31 +0000] "POST
/ipa/session/json HTTP/1.1" 401 -
10.1.1.15 - - [05/Mar/2015:21:06:31 +0000] "GET
/ipa/session/login_kerberos?_=1425587158134 HTTP/1.1" 401 1469
10.1.1.15 - [email protected] <mailto:[email protected]>
[05/Mar/2015:21:06:31 +0000] "GET
/ipa/session/login_kerberos?_=1425587158134 HTTP/1.1" 200 20
10.1.1.15 - - [05/Mar/2015:21:06:31 +0000] "POST
/ipa/session/json HTTP/1.1" 401 -
Nothing is entered into any error logs, the audit log, or the
system journal. I am at my wits end here, and lost. What
other information do you need to help me solve this problem?
Thank you,
Dan Mossor
--
Dan Mossor, RHCSA
Systems Engineer at Large
Fedora Plasma Product WG | Fedora QA Team | Fedora Server WG
Fedora Infrastructure Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA
Can you authenticate using UI from the server host?
It seems that the Kerberos authentication goes through but
then it is lost.
So here are some wild ideas:
- Is the browser properly configured? May be there is
something with the browser that is not working? Have you
cleaned the old IPA CA cert? It might not be related but I
have seen issues in the past with it.
- Are you sure that server has all the components? For example
session on the server side is stored in memcached. If it is
not running or something is not right with it the ticket
sharing might be broken.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
First off, apologies if the thread is broken - I am stuck using
the Gmail interface temporarily.
The server host - both the actual host and the IPA server - do not
have GUIs on them, so I cannot launch a web browser from them. The
old IPA CA cert was never on this workstation - this workstation
was built Tuesday, and the IPA server deployed yesterday. The
previous one I was having issues with had already been wiped - so
this is starting off from scratch with both the server and the
client. I did check the ipa_memcached service as suggested by
Martin in my previous thread.
[root@vader ipa]# systemctl status httpd.service
[email protected] ipa_memcached.service
? httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
Active: active (running) since Fri 2015-03-06 18:19:16 GMT; 19h
left
Main PID: 1103 (httpd)
Status: "Total requests: 150; Idle/Busy workers
100/0;Requests/sec: 3.49e-08; Bytes served/sec: 0 B/sec"
CGroup: /system.slice/httpd.service
??1103 /usr/sbin/httpd -DFOREGROUND
??1104 /usr/libexec/nss_pcache 98307 off /etc/httpd/alias
??1105 /usr/sbin/httpd -DFOREGROUND
??1107 /usr/sbin/httpd -DFOREGROUND
??1108 /usr/sbin/httpd -DFOREGROUND
??1111 /usr/sbin/httpd -DFOREGROUND
??1113 /usr/sbin/httpd -DFOREGROUND
??1339 /usr/sbin/httpd -DFOREGROUND
??1471 /usr/sbin/httpd -DFOREGROUND
??1473 /usr/sbin/httpd -DFOREGROUND
??1474 /usr/sbin/httpd -DFOREGROUND
??1475 /usr/sbin/httpd -DFOREGROUND
??1926 /usr/sbin/httpd -DFOREGROUND
??1927 /usr/sbin/httpd -DFOREGROUND
Mar 05 19:58:34 vader.rez.lcl httpd[1107]: GSSAPI client step 1
Mar 05 19:58:34 vader.rez.lcl httpd[1107]: GSSAPI client step 2
Mar 05 19:58:34 vader.rez.lcl httpd[1105]: GSSAPI client step 1
Mar 05 19:58:34 vader.rez.lcl httpd[1105]: GSSAPI client step 1
Mar 05 19:58:34 vader.rez.lcl httpd[1105]: GSSAPI client step 1
Mar 05 19:58:34 vader.rez.lcl httpd[1105]: GSSAPI client step 2
Mar 05 19:58:35 vader.rez.lcl httpd[1107]: GSSAPI client step 1
Mar 05 19:58:35 vader.rez.lcl httpd[1107]: GSSAPI client step 1
Mar 05 19:58:36 vader.rez.lcl httpd[1107]: GSSAPI client step 1
Mar 05 19:58:36 vader.rez.lcl httpd[1107]: GSSAPI client step 2
? [email protected] - 389 Directory Server REZ-LCL.
Loaded: loaded (/usr/lib/systemd/system/[email protected]; enabled)
Active: active (running) since Fri 2015-03-06 18:18:53 GMT; 19h
left
Process: 1006 ExecStart=/usr/sbin/ns-slapd -D
/etc/dirsrv/slapd-%i -i /var/run/dirsrv/slapd-%i.pid -w
/var/run/dirsrv/slapd-%i.startpid (code=exited, status=0/SUCCESS)
Main PID: 1020 (ns-slapd)
CGroup: /system.slice/system-dirsrv.slice/[email protected]
??1020 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-REZ-LCL
-i /var/run/dirsrv/slapd-REZ-LCL.pid -w
/var/run/dirsrv/slapd-REZ-LCL.startpid
Mar 05 21:43:46 vader.rez.lcl ns-slapd[1020]: GSSAPI server step 3
Mar 05 21:58:46 vader.rez.lcl ns-slapd[1020]: GSSAPI server step 1
Mar 05 21:58:47 vader.rez.lcl ns-slapd[1020]: GSSAPI server step 2
Mar 05 21:58:47 vader.rez.lcl ns-slapd[1020]: GSSAPI server step 3
Mar 05 22:13:47 vader.rez.lcl ns-slapd[1020]: GSSAPI server step 1
Mar 05 22:13:47 vader.rez.lcl ns-slapd[1020]: GSSAPI server step 2
Mar 05 22:13:47 vader.rez.lcl ns-slapd[1020]: GSSAPI server step 3
Mar 05 22:28:48 vader.rez.lcl ns-slapd[1020]: GSSAPI server step 1
Mar 05 22:28:48 vader.rez.lcl ns-slapd[1020]: GSSAPI server step 2
Mar 05 22:28:48 vader.rez.lcl ns-slapd[1020]: GSSAPI server step 3
? ipa_memcached.service - IPA memcached daemon, increases IPA
server performance
Loaded: loaded (/usr/lib/systemd/system/ipa_memcached.service;
disabled)
Active: active (running) since Fri 2015-03-06 18:19:15 GMT; 19h
left
Process: 1094 ExecStart=/usr/bin/memcached -d -s $SOCKET_PATH -u
$USER -m $CACHESIZE -c $MAXCONN -P
/var/run/ipa_memcached/ipa_memcached.pid $OPTIONS (code=exited,
status=0/SUCCESS)
Main PID: 1095 (memcached)
CGroup: /system.slice/ipa_memcached.service
??1095 /usr/bin/memcached -d -s
/var/run/ipa_memcached/ipa_memcached -u apache -m 64 -c 1024 -P
/var/run/ipa_memcached/ipa_memcached.pid
[root@vader ipa]#
Thanks,
Dan
--
Dan Mossor, RHCSA
Systems Engineer at Large
Fedora Plasma Product WG | Fedora QA Team | Fedora Server WG
Fedora Infrastructure Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA
As an additional test, I created a new user on my workstation and
switched to it. the first thing I did was kinit as admin, then started
Firefox, went through the browser configuration provided by the IPA
server, and attempted to log in. I received the same error[1].
[1]http://i.imgur.com/mhX86Ng.png
Have you checked times and time zones on the client and on the server?
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
