[Freeipa-users] Cannot connect to FreeIPA web UI anymore

Fujisan fujisan43 at gmail.com
Fri Oct 2 15:04:46 UTC 2015


I only have this:

$ keyctl list @s
1 key in keyring:
641467419: --alswrv     0 65534 keyring: _uid.0
$



On Fri, Oct 2, 2015 at 5:01 PM, Alexander Bokovoy <abokovoy at redhat.com>
wrote:

> On Fri, 02 Oct 2015, Fujisan wrote:
>
>> I forgot to mention that
>>
>> $ ipa user-show admin
>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
>> Unauthorized
>>
> This is most likely because of the cached session to your server.
>
> You can check whether 'keyctl list @s'
> returns something like
> [root at m1 ~]# keyctl list @s
> 2 keys in keyring:
> 496745412: --alswrv     0 65534 keyring: _uid.0
> 215779962: --alswrv     0     0 user: ipa_session_cookie:admin at EXAMPLE.COM
>
> If so, then notice the key number (215779962) for the session cookie,
> and do:
>  keyctl purge 215779962
>  keyctl reap
>
> This should make the next 'ipa ...' command ask for a new cookie.
>
>
>> On Fri, Oct 2, 2015 at 4:44 PM, Fujisan <fujisan43 at gmail.com> wrote:
>>
>>> I still cannot log in to the web UI.
>>>
>>> Here is what I did:
>>>
>>>    1. mv /etc/krb5.keytab /etc/krb5.keytab.save
>>>    2. kinit admin
>>>    Password for admin at OPERA:
>>>    3. ipa-getkeytab -s zaira2.opera -p host/zaira2.opera at OPERA -k
>>>    /etc/krb5.keytab
>>>    4. systemctl restart sssd.service
>>>    5. mv /etc/httpd/conf/ipa.keytab /etc/httpd/conf/ipa.keytab.save
>>>    6. ipa-getkeytab -s zaira2.opera -p HTTP/zaira2.opera at OPERA -k
>>>    /etc/httpd/conf/ipa.keytab
>>>    7. systemctl restart httpd.service
>>>
>>>
>>> The log says now:
>>>
>>> Oct 02 16:40:56 zaira2.opera krb5kdc[9065](info): AS_REQ (9 etypes {18 17
>>> 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH: HTTP/zaira2.opera at OPERA
>>> for krbtgt/OPERA at OPERA, Additional pre-authentication required
>>>
>>>
>>>
>>> On Fri, Oct 2, 2015 at 4:25 PM, Alexander Bokovoy <abokovoy at redhat.com>
>>> wrote:
>>>
>>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>>
>>>>> Well, I think I messed up when trying to configure cockpit to use
>>>>> kerberos.
>>>>>
>>>>> What should I do to fix this?
>>>>>
>>>>> I have this on the ipa server:
>>>>> $ klist -k
>>>>> Keytab name: FILE:/etc/krb5.keytab
>>>>> KVNO Principal
>>>>> ---- --------------------------------------------------------------------------
>>>>>   2 host/zaira2.opera at OPERA
>>>>>   2 host/zaira2.opera at OPERA
>>>>>   2 host/zaira2.opera at OPERA
>>>>>   2 host/zaira2.opera at OPERA
>>>>>   1 nfs/zaira2.opera at OPERA
>>>>>   1 nfs/zaira2.opera at OPERA
>>>>>   1 nfs/zaira2.opera at OPERA
>>>>>   1 nfs/zaira2.opera at OPERA
>>>>>   3 HTTP/zaira2.opera at OPERA
>>>>>   3 HTTP/zaira2.opera at OPERA
>>>>>   3 HTTP/zaira2.opera at OPERA
>>>>>   3 HTTP/zaira2.opera at OPERA
>>>>>
>>>> You can start by:
>>>>
>>>> 0. backup every file mentioned below
>>>> 1. Move /etc/krb5.keytab somewhere
>>>> 2. kinit as admin
>>>> 3. ipa-getkeytab -s `hostname` -p host/`hostname` -k /etc/krb5.keytab
>>>> 4. restart SSSD
>>>> 5. Move /etc/httpd/conf/ipa.keytab somewhere
>>>> 6. ipa-getkeytab -s `hostname` -p HTTP/`hostname` -k
>>>> /etc/httpd/conf/ipa.keytab
>>>> 7. Restart httpd
>>>>
>>>> Every time you run 'ipa-getkeytab', the Kerberos key for the service
>>>> you specified is replaced on the server side, so that the keys in the
>>>> keytabs become unusable.
>>>>
>>>> I guess the cockpit instructions were for something that was not supposed to
>>>> run on IPA master. On IPA master there are already all needed services
>>>> (host/ and HTTP/) and their keytabs are in place.
>>>>
>>>>
>>>>
>>>>> On Fri, Oct 2, 2015 at 3:45 PM, Alexander Bokovoy <abokovoy at redhat.com>
>>>>> wrote:
>>>>>
>>>>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>>>>
>>>>>>>
>>>>>>> More info:
>>>>>>
>>>>>>>
>>>>>>> I can initiate a ticket:
>>>>>>> $ kdestroy
>>>>>>> $ kinit admin
>>>>>>>
>>>>>>> but cannot view user admin:
>>>>>>> $ ipa user-show admin
>>>>>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
>>>>>>> Unauthorized
>>>>>>>
>>>>>>> $ ipactl status
>>>>>>> Directory Service: RUNNING
>>>>>>> krb5kdc Service: RUNNING
>>>>>>> kadmin Service: RUNNING
>>>>>>> named Service: RUNNING
>>>>>>> ipa_memcached Service: RUNNING
>>>>>>> httpd Service: RUNNING
>>>>>>> pki-tomcatd Service: RUNNING
>>>>>>> smb Service: RUNNING
>>>>>>> winbind Service: RUNNING
>>>>>>> ipa-otpd Service: RUNNING
>>>>>>> ipa-dnskeysyncd Service: RUNNING
>>>>>>> ipa: INFO: The ipactl command was successful
>>>>>>>
>>>>>>> /var/log/messages:
>>>>>>> Oct  2 14:48:55 zaira2 [sssd[ldap_child[4991]]]: Failed to initialize
>>>>>>> credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt integrity
>>>>>>> check
>>>>>>> failed. Unable to create GSSAPI-encrypted LDAP connection.
>>>>>>>
>>>>>>
>>>>>> What did you do?
>>>>>>
>>>>>> This and the log below about HTTP/zaira2.opera at OPERA show that you
>>>>>> have different keys in LDAP and in your keytab files for the
>>>>>> host/zaira2.opera and HTTP/zaira2.opera principals. This might happen
>>>>>> if somebody removed the principals from LDAP (ipa service-del/ipa
>>>>>> service-add, or ipa host-del/ipa host-add) so that they are no longer
>>>>>> synchronized with whatever you have in the keytab files.
>>>>>>
>>>>>>
>>>>>>> On Fri, Oct 2, 2015 at 2:26 PM, Fujisan <fujisan43 at gmail.com> wrote:
>>>>>>>
>>>>>>>>
>>>>>>>> Hello,
>>>>>>>
>>>>>>>
>>>>>>>> I cannot log in to the web UI anymore.
>>>>>>>>
>>>>>>>> The password or username you entered is incorrect.
>>>>>>>>
>>>>>>>> Log says:
>>>>>>>>
>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes
>>>>>>>> {18 17
>>>>>>>> 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH:
>>>>>>>> HTTP/zaira2.opera at OPERA
>>>>>>>> for krbtgt/OPERA at OPERA, Additional pre-authentication required
>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): preauth
>>>>>>>> (encrypted_timestamp) verify failure: Decrypt integrity check failed
>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes
>>>>>>>> {18 17
>>>>>>>> 16 23 25 26 1 3 2}) 10.0.21.18: PREAUTH_FAILED:
>>>>>>>> HTTP/zaira2.opera at OPERA
>>>>>>>> for krbtgt/OPERA at OPERA, Decrypt integrity check failed
>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
>>>>>>>>
>>>>>>>>
>>>>>>>> I have no idea what went wrong.
>>>>>>>>
>>>>>>>> What can I do?
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Fuji
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>>
>>>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>> Go to http://freeipa.org for more info on the project
>>>>>>>>
>>>>>> --
>>>>>> / Alexander Bokovoy
>>>>>>
>>>>>>
>>>> --
>>>> / Alexander Bokovoy
>>>>
>>>>
>>>
>>>
>
>
> --
> / Alexander Bokovoy
>
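As an added example (not code from the thread or from the FreeIPA project): a small Python checker that applies Alexander's two diagnoses, parsing 'klist -k' and krb5kdc log lines to flag keytab principals whose key the KDC can no longer decrypt, and 'keyctl list @s' to find the cached ipa_session_cookie key IDs. The sample inputs are constructed from the outputs quoted above, with the '@' that the list archive renders as ' at ' restored.

```python
import re
from collections import defaultdict
# Line formats modelled on the krb5kdc, 'klist -k' and 'keyctl list @s' output quoted in the thread.
KDC_LINE = re.compile(r"krb5kdc\[\d+\]\(info\): AS_REQ .*?\S+: (?P<result>[A-Z_]+): "
                      r"(?P<client>\S+) for (?P<service>\S+), (?P<reason>.*)$")
KEYTAB_LINE = re.compile(r"^\s*(?P<kvno>\d+)\s+(?P<principal>\S+@\S+)\s*$")
KEYCTL_LINE = re.compile(r"^\s*(?P<id>\d+):\s+\S+\s+\d+\s+\d+\s+user: ipa_session_cookie:(?P<who>\S+)")

def keytab_kvnos(klist_output):
    """'klist -k' output -> {principal: sorted KVNOs held in the keytab}."""
    kvnos = defaultdict(set)
    for m in filter(None, map(KEYTAB_LINE.match, klist_output.splitlines())):
        kvnos[m.group("principal")].add(int(m.group("kvno")))
    return {p: sorted(v) for p, v in kvnos.items()}

def preauth_failures(log_lines):
    """KDC log lines -> {client principal: [reasons]} for AS_REQs rejected at preauth."""
    failures = defaultdict(list)
    for m in filter(None, map(KDC_LINE.search, log_lines)):
        if m.group("result") == "PREAUTH_FAILED":
            failures[m.group("client")].append(m.group("reason"))
    return dict(failures)

def stale_keytab_principals(klist_output, log_lines):
    """Principals in the local keytab whose own key the KDC can no longer decrypt (keytab drifted from LDAP)."""
    failed = preauth_failures(log_lines)
    return sorted(p for p in keytab_kvnos(klist_output)
                  if any("Decrypt integrity check failed" in r for r in failed.get(p, [])))

def session_cookie_keys(keyctl_output):
    """'keyctl list @s' output -> {user: key id} of cached ipa_session_cookie entries to purge."""
    return {m.group("who"): int(m.group("id"))
            for m in filter(None, map(KEYCTL_LINE.match, keyctl_output.splitlines()))}

# Constructed sample input: principals, KVNOs and key ids copied from the thread, '@' restored.
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/zaira2.opera@OPERA
   3 HTTP/zaira2.opera@OPERA
"""
SAMPLE_KDC_LOG = [
    "Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) "
    "10.0.21.18: NEEDED_PREAUTH: HTTP/zaira2.opera@OPERA for krbtgt/OPERA@OPERA, Additional pre-authentication required",
    "Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) "
    "10.0.21.18: PREAUTH_FAILED: HTTP/zaira2.opera@OPERA for krbtgt/OPERA@OPERA, Decrypt integrity check failed",
]
SAMPLE_KEYCTL = """496745412: --alswrv     0 65534 keyring: _uid.0
215779962: --alswrv     0     0 user: ipa_session_cookie:admin@EXAMPLE.COM
"""
```

Run it against a real 'klist -k', the KDC log and 'keyctl list @s' to see which principals need a fresh keytab and which key IDs a 'keyctl purge' should target.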