[Freeipa-users] Cannot connect to FreeIPA web UI anymore

Fujisan fujisan43 at gmail.com
Fri Oct 2 14:06:00 UTC 2015


Well, I think I messed up when trying to configure cockpit to use kerberos.

What should I do to fix this?

I have this on the ipa server:
$ klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/zaira2.opera at OPERA
   2 host/zaira2.opera at OPERA
   2 host/zaira2.opera at OPERA
   2 host/zaira2.opera at OPERA
   1 nfs/zaira2.opera at OPERA
   1 nfs/zaira2.opera at OPERA
   1 nfs/zaira2.opera at OPERA
   1 nfs/zaira2.opera at OPERA
   3 HTTP/zaira2.opera at OPERA
   3 HTTP/zaira2.opera at OPERA
   3 HTTP/zaira2.opera at OPERA
   3 HTTP/zaira2.opera at OPERA


On Fri, Oct 2, 2015 at 3:45 PM, Alexander Bokovoy <abokovoy at redhat.com>
wrote:

> On Fri, 02 Oct 2015, Fujisan wrote:
>
>> More info:
>>
>> I can initiate a ticket:
>> $ kdestroy
>> $ kinit admin
>>
>> but cannot view user admin:
>> $ ipa user-show admin
>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
>> Unauthorized
>>
>> $ ipactl status
>> Directory Service: RUNNING
>> krb5kdc Service: RUNNING
>> kadmin Service: RUNNING
>> named Service: RUNNING
>> ipa_memcached Service: RUNNING
>> httpd Service: RUNNING
>> pki-tomcatd Service: RUNNING
>> smb Service: RUNNING
>> winbind Service: RUNNING
>> ipa-otpd Service: RUNNING
>> ipa-dnskeysyncd Service: RUNNING
>> ipa: INFO: The ipactl command was successful
>>
>> /var/log/messages:
>> Oct  2 14:48:55 zaira2 [sssd[ldap_child[4991]]]: Failed to initialize
>> credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt integrity
>> check
>> failed. Unable to create GSSAPI-encrypted LDAP connection.
>>
> What did you do?
>
> This and the log below about HTTP/zaira2.opera at OPERA show that you have
> different keys in LDAP and in your keytab files for host/zaira2.opera
> and HTTP/zaira2.opera principals. This might happen if somebody removed
> the principals from LDAP (ipa service-del/ipa service-add, or ipa
> host-del/ipa host-add) so that they become non-synchronized with
> whatever you have in the keytab files.
>
>
>> On Fri, Oct 2, 2015 at 2:26 PM, Fujisan <fujisan43 at gmail.com> wrote:
>>
>>> Hello,
>>>
>>> I cannot login to the web UI anymore.
>>>
>>> The password or username you entered is incorrect.
>>>
>>> Log says:
>>>
>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17
>>> 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH: HTTP/zaira2.opera at OPERA
>>> for krbtgt/OPERA at OPERA, Additional pre-authentication required
>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): preauth
>>> (encrypted_timestamp) verify failure: Decrypt integrity check failed
>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17
>>> 16 23 25 26 1 3 2}) 10.0.21.18: PREAUTH_FAILED: HTTP/zaira2.opera at OPERA
>>> for krbtgt/OPERA at OPERA, Decrypt integrity check failed
>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
>>>
>>>
>>> I have no idea what went wrong.
>>>
>>> What can I do?
>>>
>>> Regards,
>>> Fuji
>>>
>>>
>>>
>
>
> --
> / Alexander Bokovoy
>