[Freeipa-users] Web UI Authentication errors - revisited
Dan Mossor
2015-03-05 21:15:14 UTC
Good day, folks.

This time it is something different, yet the same. I have re-deployed my
IPA installation due to some underlying issues with the host of the virtual
machine. Even with the new installation, I cannot authenticate through the
web UI.

So far, there is exactly one client in the domain (my workstation), and
exactly one user - admin. I am not comfortable with the command line tools,
and I have others below my position that require a GUI for management
purposes, so I have to make this work to proceed any further.

Following up with the information Martin asked for in my previous thread,
let me walk you through the process:

I attempted to log in to https://vader.rez.lcl/, and received the error
"Your session has expired. Please re-login." At this point, I clicked the
link to configure Firefox. On the command line, I obtained a Kerberos
ticket for admin (note - I am root on this workstation for the time being):

[***@dmfedora ~]# kinit admin
Password for ***@REZ.LCL:
[***@dmfedora ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: ***@REZ.LCL

Valid starting       Expires              Service principal
03/05/2015 14:46:22  03/06/2015 14:46:15  krbtgt/***@REZ.LCL

I then finished the Firefox configuration, and attempted to log in again. I
still received the error. The Firefox console shows:

POST https://vader.rez.lcl/ipa/session/login_password [HTTP/1.1 200 Success 756ms]
POST https://vader.rez.lcl/ipa/session/json [HTTP/1.1 401 Unauthorized 3ms]
GET https://vader.rez.lcl/ipa/session/login_kerberos [HTTP/1.1 401 Unauthorized 2ms]
GET https://vader.rez.lcl/ipa/session/login_kerberos [HTTP/1.1 200 Success 26ms]
POST https://vader.rez.lcl/ipa/session/json [HTTP/1.1 401 Unauthorized 4ms]

/var/log/krb5kdc.log during the process:
Mar 05 21:06:30 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: NEEDED_PREAUTH: HTTP/***@REZ.LCL for krbtgt/***@REZ.LCL, Additional pre-authentication required
Mar 05 21:06:30 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: ISSUE: authtime 1425589590, etypes {rep=18 tkt=18 ses=18}, HTTP/***@REZ.LCL for krbtgt/***@REZ.LCL
Mar 05 21:06:30 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: NEEDED_PREAUTH: ***@REZ.LCL for krbtgt/***@REZ.LCL, Additional pre-authentication required
Mar 05 21:06:30 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: ISSUE: authtime 1425589590, etypes {rep=18 tkt=18 ses=18}, ***@REZ.LCL for krbtgt/***@REZ.LCL

/var/log/httpd/access_log shows the same thing as the Firefox console:
10.1.1.15 - - [05/Mar/2015:21:06:30 +0000] "POST /ipa/session/login_password HTTP/1.1" 200 25
10.1.1.15 - - [05/Mar/2015:21:06:31 +0000] "POST /ipa/session/json HTTP/1.1" 401 -
10.1.1.15 - - [05/Mar/2015:21:06:31 +0000] "GET /ipa/session/login_kerberos?_=1425587158134 HTTP/1.1" 401 1469
10.1.1.15 - ***@REZ.LCL [05/Mar/2015:21:06:31 +0000] "GET /ipa/session/login_kerberos?_=1425587158134 HTTP/1.1" 200 20
10.1.1.15 - - [05/Mar/2015:21:06:31 +0000] "POST /ipa/session/json HTTP/1.1" 401 -

Nothing is entered into any error logs, the audit log, or the system
journal. I am at my wits' end here, and lost. What other information do you
need to help me solve this problem?

Thank you,
Dan Mossor

--

Dan Mossor, RHCSA
Systems Engineer at Large
Fedora Plasma Product WG | Fedora QA Team | Fedora Server WG
Fedora Infrastructure Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA
Dmitri Pal
2015-03-05 22:16:56 UTC
Can you authenticate using the UI from the server host?
It seems that the Kerberos authentication goes through but then it is lost.
So here are some wild ideas:
- Is the browser properly configured? Maybe there is something with the
browser that is not working? Have you cleaned the old IPA CA cert? It
might not be related, but I have seen issues in the past with it.
- Are you sure that the server has all the components? For example, the
session on the server side is stored in memcached. If it is not running or
something is not right with it, the ticket sharing might be broken.
--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Dan Mossor
2015-03-05 22:34:37 UTC
First off, apologies if the thread is broken - I am stuck using the Gmail
interface temporarily.

The server host - both the actual host and the IPA server - do not have
GUIs on them, so I cannot launch a web browser from them. The old IPA CA
cert was never on this workstation - this workstation was built Tuesday,
and the IPA server deployed yesterday. The previous one I was having issues
with had already been wiped - so this is starting off from scratch with
both the server and the client. I did check the ipa_memcached service as
suggested by Martin in my previous thread.

[***@vader ipa]# systemctl status httpd.service ***@REZ-LCL.service ipa_memcached.service
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
Active: active (running) since Fri 2015-03-06 18:19:16 GMT; 19h left
Main PID: 1103 (httpd)
Status: "Total requests: 150; Idle/Busy workers 100/0;Requests/sec: 3.49e-08; Bytes served/sec: 0 B/sec"
CGroup: /system.slice/httpd.service
├─1103 /usr/sbin/httpd -DFOREGROUND
├─1104 /usr/libexec/nss_pcache 98307 off /etc/httpd/alias
├─1105 /usr/sbin/httpd -DFOREGROUND
├─1107 /usr/sbin/httpd -DFOREGROUND
├─1108 /usr/sbin/httpd -DFOREGROUND
├─1111 /usr/sbin/httpd -DFOREGROUND
├─1113 /usr/sbin/httpd -DFOREGROUND
├─1339 /usr/sbin/httpd -DFOREGROUND
├─1471 /usr/sbin/httpd -DFOREGROUND
├─1473 /usr/sbin/httpd -DFOREGROUND
├─1474 /usr/sbin/httpd -DFOREGROUND
├─1475 /usr/sbin/httpd -DFOREGROUND
├─1926 /usr/sbin/httpd -DFOREGROUND
└─1927 /usr/sbin/httpd -DFOREGROUND

Mar 05 19:58:34 vader.rez.lcl httpd[1107]: GSSAPI client step 1
Mar 05 19:58:34 vader.rez.lcl httpd[1107]: GSSAPI client step 2
Mar 05 19:58:34 vader.rez.lcl httpd[1105]: GSSAPI client step 1
Mar 05 19:58:34 vader.rez.lcl httpd[1105]: GSSAPI client step 1
Mar 05 19:58:34 vader.rez.lcl httpd[1105]: GSSAPI client step 1
Mar 05 19:58:34 vader.rez.lcl httpd[1105]: GSSAPI client step 2
Mar 05 19:58:35 vader.rez.lcl httpd[1107]: GSSAPI client step 1
Mar 05 19:58:35 vader.rez.lcl httpd[1107]: GSSAPI client step 1
Mar 05 19:58:36 vader.rez.lcl httpd[1107]: GSSAPI client step 1
Mar 05 19:58:36 vader.rez.lcl httpd[1107]: GSSAPI client step 2

● ***@REZ-LCL.service - 389 Directory Server REZ-LCL.
Loaded: loaded (/usr/lib/systemd/system/***@.service; enabled)
Active: active (running) since Fri 2015-03-06 18:18:53 GMT; 19h left
Process: 1006 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i /var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid (code=exited, status=0/SUCCESS)
Main PID: 1020 (ns-slapd)
CGroup: /system.slice/system-dirsrv.slice/***@REZ-LCL.service
└─1020 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-REZ-LCL -i /var/run/dirsrv/slapd-REZ-LCL.pid -w /var/run/dirsrv/slapd-REZ-LCL.startpid

Mar 05 21:43:46 vader.rez.lcl ns-slapd[1020]: GSSAPI server step 3
Mar 05 21:58:46 vader.rez.lcl ns-slapd[1020]: GSSAPI server step 1
Mar 05 21:58:47 vader.rez.lcl ns-slapd[1020]: GSSAPI server step 2
Mar 05 21:58:47 vader.rez.lcl ns-slapd[1020]: GSSAPI server step 3
Mar 05 22:13:47 vader.rez.lcl ns-slapd[1020]: GSSAPI server step 1
Mar 05 22:13:47 vader.rez.lcl ns-slapd[1020]: GSSAPI server step 2
Mar 05 22:13:47 vader.rez.lcl ns-slapd[1020]: GSSAPI server step 3
Mar 05 22:28:48 vader.rez.lcl ns-slapd[1020]: GSSAPI server step 1
Mar 05 22:28:48 vader.rez.lcl ns-slapd[1020]: GSSAPI server step 2
Mar 05 22:28:48 vader.rez.lcl ns-slapd[1020]: GSSAPI server step 3

● ipa_memcached.service - IPA memcached daemon, increases IPA server performance
Loaded: loaded (/usr/lib/systemd/system/ipa_memcached.service; disabled)
Active: active (running) since Fri 2015-03-06 18:19:15 GMT; 19h left
Process: 1094 ExecStart=/usr/bin/memcached -d -s $SOCKET_PATH -u $USER -m $CACHESIZE -c $MAXCONN -P /var/run/ipa_memcached/ipa_memcached.pid $OPTIONS (code=exited, status=0/SUCCESS)
Main PID: 1095 (memcached)
CGroup: /system.slice/ipa_memcached.service
└─1095 /usr/bin/memcached -d -s /var/run/ipa_memcached/ipa_memcached -u apache -m 64 -c 1024 -P /var/run/ipa_memcached/ipa_memcached.pid
[***@vader ipa]#

Thanks,
Dan

--
Dan Mossor, RHCSA
Systems Engineer at Large
Fedora Plasma Product WG | Fedora QA Team | Fedora Server WG
Fedora Infrastructure Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA
Dan Mossor
2015-03-05 22:51:52 UTC
As an additional test, I created a new user on my workstation and switched
to it. The first thing I did was kinit as admin, then started Firefox, went
through the browser configuration provided by the IPA server, and attempted
to log in. I received the same error[1].

[1] http://i.imgur.com/mhX86Ng.png
Dmitri Pal
2015-03-05 22:55:20 UTC
Have you checked times and time zones on the client and on the server?
--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Dan Mossor
2015-03-05 23:17:10 UTC
The server is set for GMT time, whereas the client is set for local time,
US Central Standard Time. Except for that difference, they are within 1
second of each other.

Dan

--
Dan Mossor, RHCSA
Systems Engineer at Large
Fedora Plasma Product WG | Fedora QA Team | Fedora Server WG
Fedora Infrastructure Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA
Dan Mossor
2015-03-06 00:36:35 UTC
As an experiment after this email exchange, I switched the server to
Central Standard Time using timedatectl. I then ran kinit again, and
attempted to log in to the GUI. There was no change - I still cannot access
the GUI. Here is the krb5kdc.log from the period:

Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: NEEDED_PREAUTH: host/***@REZ.LCL for krbtgt/***@REZ.LCL, Additional pre-authentication required
Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601734, etypes {rep=18 tkt=18 ses=18}, host/***@REZ.LCL for krbtgt/***@REZ.LCL
Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601734, etypes {rep=18 tkt=18 ses=18}, host/***@REZ.LCL for ldap/***@REZ.LCL
Mar 05 18:29:20 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: NEEDED_PREAUTH: ***@REZ.LCL for krbtgt/***@REZ.LCL, Additional pre-authentication required
Mar 05 18:29:25 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, ***@REZ.LCL for krbtgt/***@REZ.LCL
Mar 05 18:29:26 vader.rez.lcl krb5kdc[1073](info): DISPATCH: repeated (retransmitted?) request from 10.1.1.15, resending previous response
Mar 05 18:29:26 vader.rez.lcl krb5kdc[1073](info): closing down fd 12
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: NEEDED_PREAUTH: HTTP/***@REZ.LCL for krbtgt/***@REZ.LCL, Additional pre-authentication required
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: ISSUE: authtime 1425601784, etypes {rep=18 tkt=18 ses=18}, HTTP/***@REZ.LCL for krbtgt/***@REZ.LCL
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: NEEDED_PREAUTH: ***@REZ.LCL for krbtgt/***@REZ.LCL, Additional pre-authentication required
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: ISSUE: authtime 1425601784, etypes {rep=18 tkt=18 ses=18}, ***@REZ.LCL for krbtgt/***@REZ.LCL
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, ***@REZ.LCL for HTTP/***@REZ.LCL


One thing I did determine is that the authtime in the krb5kdc log is epoch time.
I checked it, and it translates directly to the standard time.

Dan
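Dan's observation that authtime is an epoch value is the hook for a small parser of this log format, added here as an example; it is not code from this thread or from FreeIPA. It pulls the client and server principals, the source address and the authtime out of the AS_REQ/TGS_REQ entries, converts authtime to UTC regardless of the zone the KDC writes its own timestamps in, lists the source addresses, and reports whether the KDC got as far as issuing the HTTP/ service ticket that a browser SSO login needs. The sample lines are constructed to mirror the excerpt above, with placeholder principals (admin@REZ.LCL, HTTP/vader.rez.lcl@REZ.LCL) since the archive masks the real ones; the PREAUTH_FAILED sample, showing what a wrong password looks like, is constructed as well.

```python
"""Triage a krb5kdc.log excerpt for a FreeIPA Web UI login attempt.

Added example, not code from this thread or from FreeIPA. Principals in the
sample data are placeholders, since the archive masks the real ones.
"""
import re
from datetime import datetime, timezone

# One AS_REQ/TGS_REQ entry as MIT krb5kdc writes it, after the syslog-style prefix.
LINE_RE = re.compile(
    r"^(?P<stamp>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<kdc>\S+) krb5kdc\[\d+\]\(\w+\): "
    r"(?P<kind>AS_REQ|TGS_REQ) \(\d+ etypes \{[^}]*\}\) (?P<src>[\d.]+): "
    r"(?P<status>[A-Z_]+): (?P<rest>.*)$"
)
PRINC_RE = re.compile(r"(\S+) for (\S+?)(?:,|$)")  # "<client> for <server>"
AUTHTIME_RE = re.compile(r"authtime (\d+)")        # seconds since the epoch


def parse_line(line):
    """Return a dict for an AS_REQ/TGS_REQ line, or None for other KDC chatter."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # e.g. "DISPATCH: repeated ..." or "closing down fd 12"
    princ = PRINC_RE.search(m.group("rest"))
    if not princ:
        return None
    auth = AUTHTIME_RE.search(m.group("rest"))
    return {
        "kind": m.group("kind"),
        "src": m.group("src"),
        "status": m.group("status"),
        "client": princ.group(1),
        "server": princ.group(2),
        # authtime is UTC whatever zone the KDC's own timestamps are written in
        "authtime": (datetime.fromtimestamp(int(auth.group(1)), tz=timezone.utc)
                     if auth else None),
    }


def triage(lines, http_principal):
    """Summarise what the KDC did for one login and say where to look next."""
    recs = [r for r in (parse_line(ln) for ln in lines) if r]
    user_tgt = [r for r in recs
                if r["kind"] == "AS_REQ" and r["status"] == "ISSUE"
                and r["server"].startswith("krbtgt/")
                and not r["client"].startswith(("host/", "HTTP/"))]
    http_tickets = [r for r in recs
                    if r["kind"] == "TGS_REQ" and r["status"] == "ISSUE"
                    and r["server"] == http_principal]
    preauth_failed = [r for r in recs if r["status"] == "PREAUTH_FAILED"]
    if preauth_failed:
        verdict = ("preauth failed for %s: wrong password or key mismatch"
                   % preauth_failed[0]["client"])
    elif http_tickets:
        verdict = ("KDC issued a %s ticket to %s: the Kerberos side is fine, look at "
                   "the web server (auth module, session cache) or the network path"
                   % (http_principal, http_tickets[0]["client"]))
    elif user_tgt:
        verdict = ("user got a TGT but never requested %s: the browser is not "
                   "negotiating" % http_principal)
    else:
        verdict = "no user TGT issued: the client never completed preauth"
    return {
        "user_tgt": len(user_tgt),
        "http_tickets": len(http_tickets),
        "preauth_failed": len(preauth_failed),
        "sources": sorted({r["src"] for r in recs}),  # an unexpected address shows up here
        "first_authtime": user_tgt[0]["authtime"].isoformat() if user_tgt else None,
        "verdict": verdict,
    }


# Constructed sample, modelled on the excerpt above (principals are placeholders).
KDC = "vader.rez.lcl krb5kdc[1073](info): "
ETYPES = "(6 etypes {18 17 16 23 25 26}) "
SAMPLE_OK = [
    "Mar 05 18:29:20 " + KDC + "AS_REQ " + ETYPES + "10.1.1.15: NEEDED_PREAUTH: "
    "admin@REZ.LCL for krbtgt/REZ.LCL@REZ.LCL, Additional pre-authentication required",
    "Mar 05 18:29:25 " + KDC + "AS_REQ " + ETYPES + "10.1.1.15: ISSUE: authtime 1425601765, "
    "etypes {rep=18 tkt=18 ses=18}, admin@REZ.LCL for krbtgt/REZ.LCL@REZ.LCL",
    "Mar 05 18:29:26 " + KDC + "DISPATCH: repeated (retransmitted?) request from 10.1.1.15, "
    "resending previous response",
    "Mar 05 18:29:44 " + KDC + "AS_REQ " + ETYPES + "10.1.0.1: ISSUE: authtime 1425601784, "
    "etypes {rep=18 tkt=18 ses=18}, HTTP/vader.rez.lcl@REZ.LCL for krbtgt/REZ.LCL@REZ.LCL",
    "Mar 05 18:29:44 " + KDC + "TGS_REQ " + ETYPES + "10.1.1.15: ISSUE: authtime 1425601765, "
    "etypes {rep=18 tkt=18 ses=18}, admin@REZ.LCL for HTTP/vader.rez.lcl@REZ.LCL",
]
SAMPLE_BAD_PASSWORD = [  # constructed: a wrong password as the KDC reports it
    "Mar 05 18:40:03 " + KDC + "AS_REQ " + ETYPES + "10.1.1.15: PREAUTH_FAILED: "
    "admin@REZ.LCL for krbtgt/REZ.LCL@REZ.LCL, Preauthentication failed",
]

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("bad password", SAMPLE_BAD_PASSWORD)):
        print(name, triage(sample, "HTTP/vader.rez.lcl@REZ.LCL"))
```

When the last entry is a TGS_REQ ISSUE for the HTTP/ principal, as in the excerpt above, the KDC has done its part and the 401 is coming from somewhere after it; when the user principal never gets past NEEDED_PREAUTH, the problem is on the client or in the credentials. The sorted source-address list is there because a login that arrives from an address other than the workstation's expected one is worth noticing before anything else.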
Dmitri Pal
2015-03-06 00:44:31 UTC
Post by Dmitri Pal
Post by Dan Mossor
As an additional test, I created a new user on my workstation
and switched to it. The first thing I did was kinit as admin,
then started Firefox, went through the browser configuration
provided by the IPA server, and attempted to log in. I
received the same error[1].
[1]http://i.imgur.com/mhX86Ng.png
Have you checked times and time zones on the client and on the server?
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
The server is set for GMT time, whereas the client is set for
local time, US Central Standard Time. Except for that difference,
they are within 1 second of each other.
Dan
As an experiment after this email exchange, I switched the server to
Central Standard Time using timedatectl. I then ran kinit again, and
attempted to log into the GUI. There was no change - I still cannot access
the GUI. Here is the krb5kdc.log from the period:
[krb5kdc.log excerpt quoted from Dan's previous message; truncated in the archive]
One thing I did determine is the authtime in the krb5kdc log is epoch
time. I checked it, and it translates directly to the standard time.
Dan
Hm. OK.

I do not think it was ever mentioned which version of the server and
client you are running, but based on the UI it seems like the latest.
Also, you are trying to log in after using kinit. Can you log in using
forms-based authentication, or does that not work either?
--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Dan Mossor
2015-03-06 01:09:19 UTC
Post by Dan Mossor
Post by Dan Mossor
As an additional test, I created a new user on my workstation and
switched to it. The first thing I did was kinit as admin, then started
Firefox, went through the browser configuration provided by the IPA server,
and attempted to log in. I received the same error[1].
[1]http://i.imgur.com/mhX86Ng.png
Have you checked times and time zones on the client and on the server?
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
The server is set for GMT time, whereas the client is set for local
time, US Central Standard Time. Except for that difference, they are within
1 second of each other.
Dan
As an experiment after this email exchange, I switched the server to
Central Standard Time using timedatectl. I then ran kinit again, and
attempted to log into the GUI. There was no change - I still cannot access
the GUI. Here is the krb5kdc.log from the period:
[krb5kdc.log excerpt quoted from Dan's previous message; truncated in the archive]
One thing I did determine is the authtime in the krb5kdc log is epoch
time. I checked it, and it translates directly to the standard time.
Dan
Hm. OK.
I do not think it was ever mentioned which version of the server and
client you are running, but based on the UI it seems like the latest.
Also, you are trying to log in after using kinit. Can you log in using
forms-based authentication, or does that not work either?
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
I can't seem to locate the form-based authentication for 4.1.2-1 - I was
going to try that in order to add the information to this thread, but I can
find no reference as to where it is and I can't find it manually on the
file system. Can you give me the default URL for it?

freeipa-server-4.1.2-1.fc21.x86_64
freeipa-client-4.1.2-1.fc21.x86_64

Dan
Dmitri Pal
2015-03-06 01:21:19 UTC
Post by Dmitri Pal
Post by Dmitri Pal
Post by Dan Mossor
As an additional test, I created a new user on my
workstation and switched to it. The first thing I did
was kinit as admin, then started Firefox, went through
the browser configuration provided by the IPA server,
and attempted to log in. I received the same error[1].
[1]http://i.imgur.com/mhX86Ng.png
Have you checked times and time zones on the client and
on the server?
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
The server is set for GMT time, whereas the client is set for
local time, US Central Standard Time. Except for that
difference, they are within 1 second of each other.
Dan
As an experiment after this email exchange, I switched the server
to Central Standard Time using timedatectl. I then ran kinit
again, and attempted to log into the GUI. There was no change - I
still cannot access the GUI. Here is the krb5kdc.log from the period:
[krb5kdc.log excerpt quoted from Dan's previous message; truncated in the archive]
One thing I did determine is the authtime in the krb5kdc log is
epoch time. I checked it, and it translates directly to the
standard time.
Dan
Hm. OK.
I do not think it was ever mentioned which version of the
server and client you are running, but based on the UI it seems
like the latest.
Also, you are trying to log in after using kinit. Can you log in using
forms-based authentication, or does that not work either?
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
I can't seem to locate the form-based authentication for 4.1.2-1 - I
was going to try that in order to add the information to this thread,
but I can find no reference as to where it is and I can't find it
manually on the file system. Can you give me the default URL for it?
freeipa-server-4.1.2-1.fc21.x86_64
freeipa-client-4.1.2-1.fc21.x86_64
Dan
http://i.imgur.com/mhX86Ng.png

It should show up if you do not have a ticket. Destroy the ticket on the
client and try to access the server via the browser; you should be redirected.
--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Dan Mossor
2015-03-06 01:38:24 UTC
Post by Dan Mossor
http://i.imgur.com/mhX86Ng.png
It should show up if you do not have a ticket. Destroy the ticket on the
client and try to access the server via the browser; you should be redirected.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Ok then, that is the page that keeps returning. I've tried from this
workstation using Konqueror, which does not support Kerberos; I've tried
from Internet Explorer on a Windows 7 Professional desktop, and I've tried
from a Fedora 21 system that is not enrolled in the domain. I get the exact
same response with every attempt.

One additional step I attempted to take was to change the admin password on
the IPA server. I am getting an ldap_sasl_interactive_bind_s: Unknown
authentication method (-6) error back.

I think this installation is hosed. I am ready to wipe and start over from
scratch tomorrow. I've already wasted 16 hours on it.

Dan
Martin Kosek
2015-03-06 07:28:48 UTC
Post by Dan Mossor
http://i.imgur.com/mhX86Ng.png
It should show up if you do not have a ticket. Destroy the ticket on the
client and try to access the server via the browser; you should be redirected.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Ok then, that is the page that keeps returning. I've tried from this
workstation using Konqueror, which does not support Kerberos; I've tried from
Internet Explorer on a Windows 7 Professional desktop, and I've tried from a
Fedora 21 system that is not enrolled in the domain. I get the exact same
response with every attempt.
One additional step I attempted to take was to change the admin password on the
IPA server. I am getting an ldap_sasl_interactive_bind_s: Unknown authentication
method (-6) error back.
I think this installation is hosed. I am ready to wipe and start over from
scratch tomorrow. I've already wasted 16 hours on it.
Sorry to hear that. But I think you should start taking gradual steps in your
testing and trying to make the Web UI over GSSAPI work. I would suggest this procedure:

1) Can I "kinit admin" and run a CLI command ("ipa user-show admin")? If yes,
basic FreeIPA is functioning. Run kdestroy to get rid of Kerberos.

2) Can I log in with form-based auth to my FreeIPA? If not, did you verify all
the items in
http://www.freeipa.org/page/Troubleshooting#Cannot_authenticate_to_Web_UI ? Did
you try logging in with form-based auth in the FreeIPA public demo, for example (user
"admin", password "Secret123"):

https://ipa.demo1.freeipa.org/ipa/ui/

If not, we can dig further. If yes, you can continue with kinit + SSO for the
Web UI.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
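Martin's two stages as a script, added here as an example; it is not code from the thread or from FreeIPA. Stage 1 runs kinit, ipa user-show and kdestroy through the CLI. Stage 2 posts to /ipa/session/login_password, the endpoint the Firefox console earlier in the thread shows the browser calling, and classifies the answer: a 200 carrying an ipa_session cookie means forms login works, a 401 carries FreeIPA's X-IPA-Rejection-Reason header naming the cause, and anything else points at the path to the server rather than at FreeIPA itself. It also compares the server's HTTP Date header with the local clock, because the time-zone question raised earlier only matters if the absolute offset exceeds the KDC's clock skew tolerance (300 seconds by default in MIT krb5). The CA file path /etc/ipa/ca.crt is the one an enrolled client has; the form fields, the Referer requirement and the header names are FreeIPA's 4.x session API as I know it, not something taken from this thread.

```python
"""Staged FreeIPA Web UI login check, in the order suggested in this thread.

Added example, not code from the thread or from FreeIPA. Stage 1 shells out
to the FreeIPA CLI; stage 2 posts to the form-based endpoint
/ipa/session/login_password the way the browser does and classifies the
reply. Run on an enrolled client: python3 webui_check.py vader.rez.lcl admin
"""
import getpass
import ssl
import subprocess
import sys
import time
import urllib.error
import urllib.parse
import urllib.request
from datetime import timezone
from email.utils import parsedate_to_datetime

MAX_SKEW = 300  # MIT krb5 default clockskew (seconds); past it the KDC rejects requests


def clock_skew_seconds(http_date, now_epoch):
    """Absolute difference between a server's HTTP Date header and our own clock."""
    server = parsedate_to_datetime(http_date)
    if server.tzinfo is None:  # "-0000" dates come back naive; they are UTC
        server = server.replace(tzinfo=timezone.utc)
    return abs(now_epoch - server.timestamp())


def classify_login_response(status, headers):
    """Map the login_password answer to the next troubleshooting step."""
    if status == 200 and "ipa_session" in headers.get("Set-Cookie", ""):
        return "ok: forms login works, move on to kinit + SSO"
    if status == 401:
        # FreeIPA names the cause in this header (e.g. invalid-password, password-expired)
        reason = headers.get("X-IPA-Rejection-Reason", "unknown")
        return "rejected (%s): check the password and the principal's state" % reason
    if status == 200:
        return "200 but no ipa_session cookie: session not created, check the server logs"
    return "unexpected HTTP %s: check the path to the server (proxy, routing, TLS)" % status


def stage1_cli(user):
    """kinit, one trivial ipa command, then kdestroy. True when the CLI path works."""
    ok = all(subprocess.run(cmd).returncode == 0
             for cmd in (["kinit", user], ["ipa", "user-show", user]))
    subprocess.run(["kdestroy"])  # leave no ticket behind before the forms test
    return ok


def stage2_forms(server, user, password, cafile="/etc/ipa/ca.crt"):
    """POST to the form-based login endpoint; return (classification, clock skew)."""
    data = urllib.parse.urlencode({"user": user, "password": password}).encode()
    req = urllib.request.Request(
        "https://%s/ipa/session/login_password" % server, data=data, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "text/plain",
                 "Referer": "https://%s/ipa" % server})  # FreeIPA requires a Referer
    ctx = ssl.create_default_context(cafile=cafile)  # the IPA CA an enrolled client has
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
            status, headers = resp.status, resp.headers
    except urllib.error.HTTPError as err:
        status, headers = err.code, err.headers
    skew = clock_skew_seconds(headers["Date"], time.time()) if "Date" in headers else None
    return classify_login_response(status, headers), skew


if __name__ == "__main__":
    srv, usr = sys.argv[1], (sys.argv[2] if len(sys.argv) > 2 else "admin")
    print("stage 1 (CLI):", "ok" if stage1_cli(usr) else "FAILED, fix this before the Web UI")
    verdict, skew = stage2_forms(srv, usr, getpass.getpass("password for %s: " % usr))
    print("stage 2 (forms):", verdict)
    if skew is not None:
        print("clock skew vs server: %.0fs (%s)" % (skew, "ok" if skew <= MAX_SKEW else "too large"))
```

Stage 2 is run without a ticket on purpose, which is why stage 1 ends with kdestroy: with a ticket in the cache the browser, or a GSSAPI-aware client, would try Negotiate first and the forms result would tell you nothing. A zone difference between client and server, as in this thread, produces no skew at all in this check as long as both clocks agree on UTC; a real skew shows up as a Date header hours away from the local clock.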
Dan Mossor
2015-03-06 14:26:29 UTC
Post by Martin Kosek
Post by Dan Mossor
http://i.imgur.com/mhX86Ng.png
It should show up if you do not have a ticket. Destroy the ticket on the
client and try to access the server via the browser; you should be redirected.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Ok then, that is the page that keeps returning. I've tried from this
workstation using Konqueror, which does not support Kerberos; I've tried from
Internet Explorer on a Windows 7 Professional desktop, and I've tried from a
Fedora 21 system that is not enrolled in the domain. I get the exact same
response with every attempt.
One additional step I attempted to take was to change the admin password on the
IPA server. I am getting an ldap_sasl_interactive_bind_s: Unknown authentication
method (-6) error back.
I think this installation is hosed. I am ready to wipe and start over from
scratch tomorrow. I've already wasted 16 hours on it.
Sorry to hear that. But I think you should start taking gradual steps in
your testing and trying to make the Web UI over GSSAPI work. I would suggest
this procedure:
1) Can I "kinit admin" and run a CLI command ("ipa user-show admin")? If
yes, basic FreeIPA is functioning. Run kdestroy to get rid of Kerberos.
2) Can I log in with form-based auth to my FreeIPA? If not, did you verify
all the items in
http://www.freeipa.org/page/Troubleshooting#Cannot_authenticate_to_Web_UI
? Did you try logging in with form-based auth in the FreeIPA public demo,
for example (user "admin", password "Secret123"):
https://ipa.demo1.freeipa.org/ipa/ui/
If not, we can dig further. If yes, you can continue with kinit + SSO for
the Web UI.
Martin, Dmitri,

Thanks for your help, but I've taken every step available on the page you
linked. I just checked this morning before I started over, and on the
server I can kinit as admin and run ipa user-show admin. The ipa tools are
not on my workstation. I then ran kdestroy on both the server and
workstation, and the error remains when logging in to the web UI - it
returns me to the screen I showed above in the link to the screenshot.

Regards,
Dan
Dmitri Pal
2015-03-06 15:21:38 UTC
Post by Dan Mossor
http://i.imgur.com/mhX86Ng.png
It should show up if you do not have a ticket. Destroy the ticket on the
client and try to access the server via the browser; you should be redirected.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Ok then, that is the page that keeps returning. I've tried from this
workstation using Konqueror, which does not support Kerberos; I've tried
from Internet Explorer on a Windows 7 Professional desktop, and I've tried
from a Fedora 21 system that is not enrolled in the domain. I get the exact
same response with every attempt.
One additional step I attempted to take was to change the admin password on
the IPA server. I am getting an ldap_sasl_interactive_bind_s: Unknown
authentication method (-6) error back.
I think this installation is hosed. I am ready to wipe and start over from
scratch tomorrow. I've already wasted 16 hours on it.
Sorry to hear that. But I think you should start taking gradual steps in
your testing and trying to make the Web UI over GSSAPI work. I would suggest
this procedure:
1) Can I "kinit admin" and run a CLI command ("ipa user-show admin")? If
yes, basic FreeIPA is functioning. Run kdestroy to get rid of Kerberos.
2) Can I log in with form-based auth to my FreeIPA? If not, did you verify
all the items in
http://www.freeipa.org/page/Troubleshooting#Cannot_authenticate_to_Web_UI
? Did you try logging in with form-based auth in the FreeIPA public demo,
for example (user "admin", password "Secret123"):
https://ipa.demo1.freeipa.org/ipa/ui/
If not, we can dig further. If yes, you can continue with kinit + SSO for
the Web UI.
Martin, Dmitri,
Thanks for your help, but I've taken every step available on the page
you linked. I just checked this morning before I started over, and on
the server I can kinit as admin and run ipa user-show admin. The ipa
tools are not on my workstation. I then ran kdestroy on both the
server and workstation, and the error remains when logging in to the
web UI - it returns me to the screen I showed above in the link to the
screenshot.
Regards,
Dan
From your workstation can you use the demo instance
https://ipa.demo1.freeipa.org/ipa/ui/ or it returns the same error?
--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Dan Mossor
2015-03-06 15:35:11 UTC
Post by Dmitri Pal
From your workstation can you use the demo instance
https://ipa.demo1.freeipa.org/ipa/ui/ or it returns the same error?
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Oh, sorry, I didn't realize I was supposed to check that. For the
record, yes - I can log into the demo instance on Firefox from my
workstation. For the sake of completeness, I checked with Konqueror also
and can log in to the demo instance.

Regards,
Dan
Dmitri Pal
2015-03-06 15:43:47 UTC
Post by Dmitri Pal
From your workstation can you use the demo instance
https://ipa.demo1.freeipa.org/ipa/ui/ or it returns the same error?
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Oh, sorry, I didn't realize I was supposed to check that. For the
record, yes - I can log into the demo instance on Firefox from my
workstation. For the sake of completeness, I checked with Konqueror
also and can log in to the demo instance.
Regards,
Dan
OK, so it seems that something is really broken on that server.
Maybe it is easier to start over - up to you. If you want to continue
troubleshooting we are here to help.
--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Dan Mossor
2015-03-06 16:59:53 UTC
Post by Dan Mossor
Post by Dmitri Pal
From your workstation can you use the demo instance
https://ipa.demo1.freeipa.org/ipa/ui/ or it returns the same error?
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Oh, sorry, I didn't realize I was supposed to check that. For the
record, yes - I can log into the demo instance on Firefox from my
workstation. For the sake of completeness, I checked with Konqueror also
and can log in to the demo instance.
Regards,
Dan
OK, so it seems that something is really broken on that server.
Maybe it is easier to start over - up to you. If you want to continue
troubleshooting we are here to help.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
IT WORKS! WOOT!
In the steps of researching a small issue on another hypervisor, I
discovered that my underlying network, while operational, was not properly
configured. The IPA server and my workstation were supposed to be talking
in VLAN 100 and 110, respectively. The network is temporarily configured to
route every packet it receives to the proper VLAN, no matter where it
originates.

My workstation is indeed on VLAN 110, and is tagging the packets
appropriately. The server, however, due to a bridge misconfiguration on the
host, was on VLAN 1 and not sending tagged packets at all. But as the
router is configured to route all appropriate packets it appeared to be
operating normally.

I blew away the network configuration on the host and rebuilt it again,
this time ensuring that VLAN 1 was not available on that switch port, and
that the packets leaving the host were tagged with VLAN 100. I brought the
IPA server back up and was able to log in.

So, chalk this one up to misrouted packets. I didn't even think to look
there; the 401 error gave no clue that networking might be the issue.

Regards,
Dan Mossor
Dmitri Pal
2015-03-06 18:09:25 UTC
Post by Dmitri Pal
Post by Dmitri Pal
From your workstation can you use the demo instance
https://ipa.demo1.freeipa.org/ipa/ui/ or it returns the same error?
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Oh, sorry, I didn't realize I was supposed to check that. For the
record, yes - I can log into the demo instance on Firefox from my
workstation. For the sake of completeness, I checked with
Konqueror also and can log in to the demo instance.
Regards,
Dan
OK, so it seems that something is really broken on that server.
Maybe it is easier to start over - up to you. If you want to
continue troubleshooting we are here to help.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
IT WORKS! WOOT!
In the steps of researching a small issue on another hypervisor, I
discovered that my underlying network, while operational, was not
properly configured. The IPA server and my workstation were supposed
to be talking in VLAN 100 and 110, respectively. The network is
temporarily configured to route every packet it receives to the proper
VLAN, no matter where it originates.
My workstation is indeed on VLAN 110, and is tagging the packets
appropriately. The server, however, due to a bridge misconfiguration
on the host, was on VLAN 1 and not sending tagged packets at all. But
as the router is configured to route all appropriate packets it
appeared to be operating normally.
I blew away the network configuration on the host and rebuilt it
again, this time ensuring that VLAN 1 was not available on that switch
port, and that the packets leaving the host were tagged with VLAN 100.
I brought the IPA server back up and was able to log in.
So, chalk this one up to misrouted packets. I didn't even think to
look there; the 401 error gave no clue that networking might be the issue.
Regards,
Dan Mossor
I am glad that this hunt is over :-)
Have a nice weekend!
--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Martin Kosek
2015-03-06 19:53:28 UTC
Post by Dmitri Pal
Post by Dmitri Pal
From your workstation can you use the demo instance
https://ipa.demo1.freeipa.org/ipa/ui/ or it returns the same error?
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Oh, sorry, I didn't realize I was supposed to check that. For the record,
yes - I can log into the demo instance on Firefox from my workstation.
For the sake of completeness, I checked with Konqueror also and can log
in to the demo instance.
Regards,
Dan
OK, so it seems that something is really broken on that server.
Maybe it is easier to start over - up to you. If you want to continue
troubleshooting we are here to help.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
IT WORKS! WOOT!
In the steps of researching a small issue on another hypervisor, I discovered
that my underlying network, while operational, was not properly configured. The
IPA server and my workstation were supposed to be talking in VLAN 100 and 110,
respectively. The network is temporarily configured to route every packet it
receives to the proper VLAN, no matter where it originates.
My workstation is indeed on VLAN 110, and is tagging the packets appropriately.
The server, however, due to a bridge misconfiguration on the host, was on VLAN
1 and not sending tagged packets at all. But as the router is configured to
route all appropriate packets it appeared to be operating normally.
I blew away the network configuration on the host and rebuilt it again, this
time ensuring that VLAN 1 was not available on that switch port, and that the
packets leaving the host were tagged with VLAN 100. I brought the IPA server
back up and was able to log in.
So, chalk this one up to misrouted packets. I didn't even think to look there;
the 401 error gave no clue that networking might be the issue.
Regards,
Dan Mossor
Ugh, that one was nasty; I am glad you figured it out. Now that you know what
the problem was, would you maybe have some general troubleshooting advice to add to

http://www.freeipa.org/page/Troubleshooting#Cannot_authenticate_to_Web_UI

that would help people like you uncover the root cause more easily?

Thanks,
Martin
--
Dan Mossor
2015-03-10 16:06:38 UTC
Post by Martin Kosek
Post by Dan Mossor
IT WORKS! WOOT!
In the steps of researching a small issue on another hypervisor, I discovered
that my underlying network, while operational, was not properly configured. The
IPA server and my workstation were supposed to be talking in VLAN 100 and 110,
respectively. The network is temporarily configured to route every packet it
receives to the proper VLAN, no matter where it originates.
My workstation is indeed on VLAN 110, and is tagging the packets appropriately.
The server, however, due to a bridge misconfiguration on the host, was on VLAN
1 and not sending tagged packets at all. But as the router is configured to
route all appropriate packets it appeared to be operating normally.
I blew away the network configuration on the host and rebuilt it again, this
time ensuring that VLAN 1 was not available on that switch port, and that the
packets leaving the host were tagged with VLAN 100. I brought the IPA server
back up and was able to log in.
So, chalk this one up to misrouted packets. I didn't even think to look there;
the 401 error gave no clue that networking might be the issue.
Regards,
Dan Mossor
Ugh, that one was nasty; I am glad you figured it out. Now that you know
what the problem was, would you maybe have some general troubleshooting
advice to add to
http://www.freeipa.org/page/Troubleshooting#Cannot_authenticate_to_Web_UI
that would help people like you uncover the root cause more easily?
Thanks,
Martin
Martin,

I would love to. Let me think on an effective method to target networking
issues, and I'll write something up for the wiki.

Regards,
Dan

Rob Crittenden
2015-03-05 22:59:53 UTC
Post by Dan Mossor
As an additional test, I created a new user on my workstation and
switched to it. The first thing I did was kinit as admin, then started
Firefox, went through the browser configuration provided by the IPA
server, and attempted to log in. I received the same error[1].
[1]http://i.imgur.com/mhX86Ng.png
I'd look for SELinux errors: ausearch -m AVC -ts recent

Perhaps we can't create a login session for some reason.

rob
--
Dan Mossor
2015-03-05 23:19:15 UTC
Post by Rob Crittenden
Post by Dan Mossor
As an additional test, I created a new user on my workstation and
switched to it. The first thing I did was kinit as admin, then started
Firefox, went through the browser configuration provided by the IPA
server, and attempted to log in. I received the same error[1].
[1]http://i.imgur.com/mhX86Ng.png
I'd look for SELinux errors: ausearch -m AVC -ts recent
Perhaps we can't create a login session for some reason.
rob
I checked /var/log/audit/audit.log, and SELinux is not reporting
anything during the time I am attempting to access the GUI.

But, for the sake of thoroughness:

[***@vader ipa]# ausearch -m AVC -ts recent
<no matches>
[***@vader ipa]#

Dan

--
Dan Mossor, RHCSA
Systems Engineer at Large
Fedora Plasma Product WG | Fedora QA Team | Fedora Server WG
Fedora Infrastructure Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA