[Freeipa-users] WebUI authentication problems

Dan Mossor danofsatx at gmail.com
Fri Feb 20 01:00:25 UTC 2015 

I just installed a new server on Fedora 21 Server, using the rolekit 
deployment tool. Everything was installed and configured (I hope) 
properly, but I'm running into a problem. The version is 
freeipa-server-4.1.2-1.fc21.x86_64, and I can connect to the WebUI only 
after a restart of ipa.service.

After approximately 15 minutes, I am kicked out of the active session - 
while in the middle of using it - and cannot log back in. Login was 
attempted from 4 browsers across two machines, and every time the login 
screen returns with "Your session has expired. Please re-login."

/var/log/httpd/errors is showing the following:
[Fri Feb 20 00:37:03.972736 2015] [auth_kerb:error] [pid 1158] [client 
10.1.0.15:54958] gss_accept_sec_context() failed: Unspecified GSS 
failure.  Minor code may provide more information (, ASN.1 structure is 
missing a required field), referer: https://vader.dom.net/ipa/ui/index.html
[Fri Feb 20 00:37:34.300510 2015] [auth_kerb:error] [pid 1173] [client 
10.1.0.15:54961] gss_accept_sec_context() failed: Unspecified GSS 
failure.  Minor code may provide more information (, ASN.1 structure is 
missing a required field), referer: https://vader.dom.net/ipa/ui/index.html
[Fri Feb 20 00:37:34.406615 2015] [auth_kerb:error] [pid 1616] [client 
10.1.0.15:54965] gss_accept_sec_context() failed: Unspecified GSS 
failure.  Minor code may provide more information (, ASN.1 structure is 
missing a required field), referer: https://vader.dom.net/ipa/ui/index.html
[Fri Feb 20 00:37:50.356014 2015] [auth_kerb:error] [pid 1161] [client 
10.1.0.15:54966] gss_accept_sec_context() failed: Unspecified GSS 
failure.  Minor code may provide more information (, ASN.1 structure is 
missing a required field), referer: https://vader.dom.net/ipa/ui/index.html
[Fri Feb 20 00:37:52.263088 2015] [auth_kerb:error] [pid 1417] [client 
10.1.0.15:54968] gss_accept_sec_context() failed: Unspecified GSS 
failure.  Minor code may provide more information (, ASN.1 structure is 
missing a required field), referer: https://vader.dom.net/ipa/ui/index.html
[Fri Feb 20 00:37:52.327075 2015] [auth_kerb:error] [pid 1168] [client 
10.1.0.15:54967] gss_accept_sec_context() failed: Unspecified GSS 
failure.  Minor code may provide more information (, ASN.1 structure is 
missing a required field), referer: https://vader.dom.net/ipa/ui/index.html
[Fri Feb 20 00:45:35.603016 2015] [auth_kerb:error] [pid 1173] [client 
10.1.1.17:54157] gss_accept_sec_context() failed: An unsupported 
mechanism was requested (, Unknown error), referer: 
https://vader.dom.net/ipa/ui/

Restarting httpd, I can log in, and am immediately logged out again with 
the above errors.

Restarting ipa.service, I was able to log in with my user account, and 
was notified that my password expires in 0 days - even though it was 
just created less than an hour ago.

Is this a known issue, or is there a hidden problem with the rolekit 
deployment that I need to track down?



-- 
Dan Mossor, RHCSA
Systems Engineer at Large
Fedora Plasma Product WG | Fedora QA Team | Fedora Server WG
Fedora Infrastructure Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA

More information about the Freeipa-users mailing list