[Freeipa-users] Cannot connect to FreeIPA web UI anymore

Petr Vobornik pvoborni at redhat.com
Mon Oct 5 14:07:53 UTC 2015


On 10/05/2015 12:55 PM, Fujisan wrote:
> It is actually on the ipa server that ipa commands are not working. On ipa
> clients, I do not have errors.
>
>
>
> On Mon, Oct 5, 2015 at 12:27 PM, Fujisan <fujisan43 at gmail.com> wrote:
>
>> I just noticed I can log in to the web UI with user admin and his password.
>>
>> But when I try to configure firefox to use kerberos, I click on "Install
>> Kerberos Configuration Firefox Extension" button, a message appears saying
>> "Firefox prevented this site from asking you to install software on your
>> computer", so I click on the "Allow" button and then another message
>> appears "The add-on downloaded from this site could not be installed
>> because it appears to be corrupt.".

Here you hit https://fedorahosted.org/freeipa/ticket/4906

Fix (will be in 4.2.2 release) for this ticket changes the procedure for 
new versions of Firefox to a manual configuration. Basically, the steps 
for Firefox are the ones described on page 
http://your-ipa.example.test/ipa/config/ssbrowser.html

>>
>> And the ipa commands are still not working.
>> $ ipa user-show admin
>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
>> Unauthorized
>>
>>
>> On Mon, Oct 5, 2015 at 12:13 PM, Fujisan <fujisan43 at gmail.com> wrote:
>>
>>> I uninstalled the ipa server and reinstalled it. Then restored the backup.
>>> And then the following:
>>>
>>> $ keyctl list @s
>>> 3 keys in keyring:
>>> 437165764: --alswrv     0 65534 keyring: _uid.0
>>> 556579409: --alswrv     0     0 user:
>>> ipa_session_cookie:host/zaira2.opera at OPERA
>>> 286806445: ---lswrv     0 65534 keyring: _persistent.0
>>> $ keyctl purge 556579409
>>> purged 0 keys
>>> $ keyctl reap
>>> 0 keys reaped
>>> $ ipa user-show admin
>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
>>> Unauthorized
>>> $ keyctl list @s
>>> 3 keys in keyring:
>>> 437165764: --alswrv     0 65534 keyring: _uid.0
>>> 556579409: --alswrv     0     0 user:
>>> ipa_session_cookie:host/zaira2.opera at OPERA
>>> 286806445: ---lswrv     0 65534 keyring: _persistent.0
>>>
>>> It doesn't seem to purge or to reap.
>>>
>>>
>>>
>>> On Mon, Oct 5, 2015 at 9:17 AM, Fujisan <fujisan43 at gmail.com> wrote:
>>>
>>>> Good morning,
>>>> Any suggestion what I should do?
>>>>
>>>> I still have
>>>>
>>>> $ ipa user-show admin
>>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
>>>> Unauthorized
>>>>
>>>>
>>>> Regards.
>>>>
>>>>
>>>> On Fri, Oct 2, 2015 at 5:04 PM, Fujisan <fujisan43 at gmail.com> wrote:
>>>>
>>>>> I only have this:
>>>>>
>>>>> $ keyctl list @s
>>>>> 1 key in keyring:
>>>>> 641467419: --alswrv     0 65534 keyring: _uid.0
>>>>> $
>>>>>
>>>>>
>>>>>
>>>>> On Fri, Oct 2, 2015 at 5:01 PM, Alexander Bokovoy <abokovoy at redhat.com>
>>>>> wrote:
>>>>>
>>>>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>>>>
>>>>>>> I forgot to mention that
>>>>>>>
>>>>>>> $ ipa user-show admin
>>>>>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
>>>>>>> Unauthorized
>>>>>>>
>>>>>> This is most likely because of the cached session to your server.
>>>>>>
>>>>>> You can check if  keyctl list @s
>>>>>> returns you something like
>>>>>> [root at m1 ~]# keyctl list @s
>>>>>> 2 keys in keyring:
>>>>>> 496745412: --alswrv     0 65534 keyring: _uid.0
>>>>>> 215779962: --alswrv     0     0 user:
>>>>>> ipa_session_cookie:admin at EXAMPLE.COM
>>>>>>
>>>>>> If so, then notice the key number (215779962) for the session cookie,
>>>>>> and do:
>>>>>>   keyctl purge 215779962
>>>>>>   keyctl reap
>>>>>>
>>>>>> This should make a next 'ipa ...' command run to ask for new cookie.
>>>>>>
>>>>>>
>>>>>>> On Fri, Oct 2, 2015 at 4:44 PM, Fujisan <fujisan43 at gmail.com> wrote:
>>>>>>>
>>>>>>> I still cannot login to the web UI.
>>>>>>>>
>>>>>>>> Here is what I did:
>>>>>>>>
>>>>>>>>     1. mv /etc/krb5.keytab /etc/krb5.keytab.save
>>>>>>>>     2. kinit admin
>>>>>>>>     Password for admin at OPERA:
>>>>>>>>     3. ipa-getkeytab -s zaira2.opera -p host/zaira2.opera at OPERA -k /etc/krb5.keytab
>>>>>>>>     4. systemctl restart sssd.service
>>>>>>>>     5. mv /etc/httpd/conf/ipa.keytab /etc/httpd/conf/ipa.keytab.save
>>>>>>>>     6. ipa-getkeytab -s zaira2.opera -p HTTP/zaira2.opera at OPERA -k /etc/httpd/conf/ipa.keytab
>>>>>>>>     7. systemctl restart httpd.service
>>>>>>>>
>>>>>>>>
>>>>>>>> The log says now:
>>>>>>>>
>>>>>>>> Oct 02 16:40:56 zaira2.opera krb5kdc[9065](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH: HTTP/zaira2.opera at OPERA for krbtgt/OPERA at OPERA, Additional pre-authentication required
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Fri, Oct 2, 2015 at 4:25 PM, Alexander Bokovoy <
>>>>>>>> abokovoy at redhat.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>>>>>>>
>>>>>>>>> Well, I think I messed up when trying to configure cockpit to use
>>>>>>>>>> kerberos.
>>>>>>>>>>
>>>>>>>>>> What should I do to fix this?
>>>>>>>>>>
>>>>>>>>>> I have this on the ipa server:
>>>>>>>>>> $ klist -k
>>>>>>>>>> Keytab name: FILE:/etc/krb5.keytab
>>>>>>>>>> KVNO Principal
>>>>>>>>>> ------------------------------------------------------------------------------
>>>>>>>>>>    2 host/zaira2.opera at OPERA
>>>>>>>>>>    2 host/zaira2.opera at OPERA
>>>>>>>>>>    2 host/zaira2.opera at OPERA
>>>>>>>>>>    2 host/zaira2.opera at OPERA
>>>>>>>>>>    1 nfs/zaira2.opera at OPERA
>>>>>>>>>>    1 nfs/zaira2.opera at OPERA
>>>>>>>>>>    1 nfs/zaira2.opera at OPERA
>>>>>>>>>>    1 nfs/zaira2.opera at OPERA
>>>>>>>>>>    3 HTTP/zaira2.opera at OPERA
>>>>>>>>>>    3 HTTP/zaira2.opera at OPERA
>>>>>>>>>>    3 HTTP/zaira2.opera at OPERA
>>>>>>>>>>    3 HTTP/zaira2.opera at OPERA
>>>>>>>>>>
>>>>>>>>>> You can start by:
>>>>>>>>>>
>>>>>>>>> 0. backup every file mentioned below
>>>>>>>>> 1. Move /etc/krb5.keytab somewhere
>>>>>>>>> 2. kinit as admin
>>>>>>>>> 3. ipa-getkeytab -s `hostname` -p host/`hostname` -k /etc/krb5.keytab
>>>>>>>>> 4. restart SSSD
>>>>>>>>> 5. Move /etc/httpd/conf/ipa.keytab somewhere
>>>>>>>>> 6. ipa-getkeytab -s `hostname` -p HTTP/`hostname` -k /etc/httpd/conf/ipa.keytab
>>>>>>>>> 7. Restart httpd
>>>>>>>>>
>>>>>>>>> Every time you run 'ipa-getkeytab', Kerberos key for the service
>>>>>>>>> specified by you is replaced on the server side so that keys in the
>>>>>>>>> keytabs become unusable.
>>>>>>>>>
>>>>>>>>> I guess cockpit instructions were for something that was not
>>>>>>>>> supposed to
>>>>>>>>> run on IPA master. On IPA master there are already all needed
>>>>>>>>> services
>>>>>>>>> (host/ and HTTP/) and their keytabs are in place.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Fri, Oct 2, 2015 at 3:45 PM, Alexander Bokovoy <
>>>>>>>>>> abokovoy at redhat.com>
>>>>>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> More info:
>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> I can initiate a ticket:
>>>>>>>>>>>> $ kdestroy
>>>>>>>>>>>> $ kinit admin
>>>>>>>>>>>>
>>>>>>>>>>>> but cannot view user admin:
>>>>>>>>>>>> $ ipa user-show admin
>>>>>>>>>>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
>>>>>>>>>>>> Unauthorized
>>>>>>>>>>>>
>>>>>>>>>>>> $ ipactl status
>>>>>>>>>>>> Directory Service: RUNNING
>>>>>>>>>>>> krb5kdc Service: RUNNING
>>>>>>>>>>>> kadmin Service: RUNNING
>>>>>>>>>>>> named Service: RUNNING
>>>>>>>>>>>> ipa_memcached Service: RUNNING
>>>>>>>>>>>> httpd Service: RUNNING
>>>>>>>>>>>> pki-tomcatd Service: RUNNING
>>>>>>>>>>>> smb Service: RUNNING
>>>>>>>>>>>> winbind Service: RUNNING
>>>>>>>>>>>> ipa-otpd Service: RUNNING
>>>>>>>>>>>> ipa-dnskeysyncd Service: RUNNING
>>>>>>>>>>>> ipa: INFO: The ipactl command was successful
>>>>>>>>>>>>
>>>>>>>>>>>> /var/log/messages:
>>>>>>>>>>>> Oct  2 14:48:55 zaira2 [sssd[ldap_child[4991]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt integrity check failed. Unable to create GSSAPI-encrypted LDAP connection.
>>>>>>>>>>>>
>>>>>>>>>>>> What did you do?
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> This and the log below about HTTP/zaira2.opera at OPERA show that
>>>>>>>>>>> you have
>>>>>>>>>>> different keys in LDAP and in your keytab files for
>>>>>>>>>>> host/zaira2.opera
>>>>>>>>>>> and HTTP/zaira2.opera principals. This might happen if somebody
>>>>>>>>>>> removed
>>>>>>>>>>> the principals from LDAP (ipa service-del/ipa service-add, or ipa
>>>>>>>>>>> host-del/ipa host-add) so that they become non-synchronized with
>>>>>>>>>>> whatever you have in the keytab files.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On Fri, Oct 2, 2015 at 2:26 PM, Fujisan <fujisan43 at gmail.com>
>>>>>>>>>>> wrote:
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>> Hello,
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>> I cannot login to the web UI anymore.
>>>>>>>>>>>>>
>>>>>>>>>>>>> The password or username you entered is incorrect.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Log says:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH: HTTP/zaira2.opera at OPERA for krbtgt/OPERA at OPERA, Additional pre-authentication required
>>>>>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
>>>>>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): preauth (encrypted_timestamp) verify failure: Decrypt integrity check failed
>>>>>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: PREAUTH_FAILED: HTTP/zaira2.opera at OPERA for krbtgt/OPERA at OPERA, Decrypt integrity check failed
>>>>>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> I have no idea what went wrong.
>>>>>>>>>>>>>
>>>>>>>>>>>>> What can I do?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Regards,
>>>>>>>>>>>>> Fuji
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> / Alexander Bokovoy
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>> / Alexander Bokovoy
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> / Alexander Bokovoy
>>>>>>



-- 
Petr Vobornik
