[Freeipa-users] Cannot connect to FreeIPA web UI anymore

Fujisan fujisan43 at gmail.com
Mon Oct 5 15:07:04 UTC 2015


I was going to ask about the ipa command error on the ipa server and how to
fix it. But then I just tried again and it works.

$ ipa user-show admin
  User login: admin
  Last name: Administrator
  Home directory: /home/zaira/admin
  Login shell: /bin/bash
  UID: 1000
  GID: 1000
  Account disabled: False
  Password: True
  Member of groups: stagiaires, opera, ipausers, trust admins, admins,
oldstaff
  Kerberos keys available: True
  SSH public key fingerprint:
FA:76:85:EF:2A:D1:12:B9:A8:A4:F4:AE:45:B2:63:05 admin at ipasrv (ssh-dss)

Before trying again, I just ran a 'dnf update' and rebooted the server on
the new kernel (4.1.8-200.fc22.x86_64).

On Mon, Oct 5, 2015 at 4:07 PM, Petr Vobornik <pvoborni at redhat.com> wrote:

> On 10/05/2015 12:55 PM, Fujisan wrote:
>
>> It is actually on the ipa server that ipa commands are not working. On ipa
>> clients, I do not have errors.
>>
>>
>>
>> On Mon, Oct 5, 2015 at 12:27 PM, Fujisan <fujisan43 at gmail.com> wrote:
>>
>>> I just noticed I can log in to the web UI with user admin and his
>>> password.
>>>
>>> But when I try to configure firefox to use kerberos, I click on "Install
>>> Kerberos Configuration Firefox Extension" button, a message appears
>>> saying
>>> "Firefox prevented this site from asking you to install software on your
>>> computer", so I click on the "Allow" button and then another message
>>> appears "The add-on downloaded from this site could not be installed
>>> because it appears to be corrupt.".
>>>
>>
> Here you hit https://fedorahosted.org/freeipa/ticket/4906
>
> Fix (will be in 4.2.2 release) for this ticket changes the procedure for
> new versions of Firefox to a manual configuration. Basically the steps for
> Firefox which are described on page
> http://your-ipa.example.test/ipa/config/ssbrowser.html
>
>
>
>>> And the ipa commands are still not working.
>>> $ ipa user-show admin
>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
>>> Unauthorized
>>>
>>>
>>> On Mon, Oct 5, 2015 at 12:13 PM, Fujisan <fujisan43 at gmail.com> wrote:
>>>
>>>> I uninstalled the ipa server and reinstalled it. Then restored the
>>>> backup.
>>>> And then the following:
>>>>
>>>> $ keyctl list @s
>>>> 3 keys in keyring:
>>>> 437165764: --alswrv     0 65534 keyring: _uid.0
>>>> 556579409: --alswrv     0     0 user:
>>>> ipa_session_cookie:host/zaira2.opera at OPERA
>>>> 286806445: ---lswrv     0 65534 keyring: _persistent.0
>>>> $ keyctl purge 556579409
>>>> purged 0 keys
>>>> $ keyctl reap
>>>> 0 keys reaped
>>>> $ ipa user-show admin
>>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
>>>> Unauthorized
>>>> $ keyctl list @s
>>>> 3 keys in keyring:
>>>> 437165764: --alswrv     0 65534 keyring: _uid.0
>>>> 556579409: --alswrv     0     0 user:
>>>> ipa_session_cookie:host/zaira2.opera at OPERA
>>>> 286806445: ---lswrv     0 65534 keyring: _persistent.0
>>>>
>>>> It doesn't seem to purge or to reap.
>>>>
>>>>
>>>>
>>>> On Mon, Oct 5, 2015 at 9:17 AM, Fujisan <fujisan43 at gmail.com> wrote:
>>>>
>>>>> Good morning,
>>>>> Any suggestion what I should do?
>>>>>
>>>>> I still have
>>>>>
>>>>> $ ipa user-show admin
>>>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
>>>>> Unauthorized
>>>>>
>>>>>
>>>>> Regards.
>>>>>
>>>>>
>>>>> On Fri, Oct 2, 2015 at 5:04 PM, Fujisan <fujisan43 at gmail.com> wrote:
>>>>>
>>>>>> I only have this:
>>>>>>
>>>>>> $ keyctl list @s
>>>>>> 1 key in keyring:
>>>>>> 641467419: --alswrv     0 65534 keyring: _uid.0
>>>>>> $
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Fri, Oct 2, 2015 at 5:01 PM, Alexander Bokovoy <abokovoy at redhat.com> wrote:
>>>>>>
>>>>>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>>>>>
>>>>>>>> I forgot to mention that
>>>>>>>>
>>>>>>>> $ ipa user-show admin
>>>>>>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
>>>>>>>> Unauthorized
>>>>>>>>
>>>>>>> This is most likely because of the cached session to your server.
>>>>>>>
>>>>>>> You can check if  keyctl list @s
>>>>>>> returns you something like
>>>>>>> [root at m1 ~]# keyctl list @s
>>>>>>> 2 keys in keyring:
>>>>>>> 496745412: --alswrv     0 65534 keyring: _uid.0
>>>>>>> 215779962: --alswrv     0     0 user:
>>>>>>> ipa_session_cookie:admin at EXAMPLE.COM
>>>>>>>
>>>>>>> If so, then notice the key number (215779962) for the session cookie,
>>>>>>> and do:
>>>>>>>   keyctl purge 215779962
>>>>>>>   keyctl reap
>>>>>>>
>>>>>>> This should make a next 'ipa ...' command run to ask for new cookie.
>>>>>>>
>>>>>>>
>>>>>>>> On Fri, Oct 2, 2015 at 4:44 PM, Fujisan <fujisan43 at gmail.com> wrote:
>>>>>>>>
>>>>>>>>> I still cannot login to the web UI.
>>>>>>>>
>>>>>>>>>
>>>>>>>>> Here is what I did:
>>>>>>>>>
>>>>>>>>>     1. mv /etc/krb5.keytab /etc/krb5.keytab.save
>>>>>>>>>     2. kinit admin
>>>>>>>>>     Password for admin at OPERA:
>>>>>>>>>     3. ipa-getkeytab -s zaira2.opera -p host/zaira2.opera at OPERA -k
>>>>>>>>>     /etc/krb5.keytab
>>>>>>>>>     4. systemctl restart sssd.service
>>>>>>>>>     5. mv /etc/httpd/conf/ipa.keytab
>>>>>>>>> /etc/httpd/conf/ipa.keytab.save
>>>>>>>>>     6. ipa-getkeytab -s zaira2.opera -p HTTP/zaira2.opera at OPERA -k
>>>>>>>>>     /etc/httpd/conf/ipa.keytab
>>>>>>>>>     7. systemctl restart httpd.service
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> The log says now:
>>>>>>>>>
>>>>>>>>> Oct 02 16:40:56 zaira2.opera krb5kdc[9065](info): AS_REQ (9 etypes
>>>>>>>>> {18 17
>>>>>>>>> 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH:
>>>>>>>>> HTTP/zaira2.opera at OPERA
>>>>>>>>> for krbtgt/OPERA at OPERA, Additional pre-authentication required
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Fri, Oct 2, 2015 at 4:25 PM, Alexander Bokovoy <abokovoy at redhat.com> wrote:
>>>>>>>>>
>>>>>>>>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>> Well, I think I messed up when trying to configure cockpit to use
>>>>>>>>>>> kerberos.
>>>>>>>>>>>
>>>>>>>>>>> What should I do to fix this?
>>>>>>>>>>>
>>>>>>>>>>> I have this on the ipa server:
>>>>>>>>>>> $ klist -k
>>>>>>>>>>> Keytab name: FILE:/etc/krb5.keytab
>>>>>>>>>>> KVNO Principal
>>>>>>>>>>> ---- --------------------------------------------------------------------------
>>>>>>>>>>>    2 host/zaira2.opera at OPERA
>>>>>>>>>>>    2 host/zaira2.opera at OPERA
>>>>>>>>>>>    2 host/zaira2.opera at OPERA
>>>>>>>>>>>    2 host/zaira2.opera at OPERA
>>>>>>>>>>>    1 nfs/zaira2.opera at OPERA
>>>>>>>>>>>    1 nfs/zaira2.opera at OPERA
>>>>>>>>>>>    1 nfs/zaira2.opera at OPERA
>>>>>>>>>>>    1 nfs/zaira2.opera at OPERA
>>>>>>>>>>>    3 HTTP/zaira2.opera at OPERA
>>>>>>>>>>>    3 HTTP/zaira2.opera at OPERA
>>>>>>>>>>>    3 HTTP/zaira2.opera at OPERA
>>>>>>>>>>>    3 HTTP/zaira2.opera at OPERA
>>>>>>>>>>>
>>>>>>>>>> You can start by:
>>>>>>>>>>
>>>>>>>>>> 0. backup every file mentioned below
>>>>>>>>>> 1. Move /etc/krb5.keytab somewhere
>>>>>>>>>> 2. kinit as admin
>>>>>>>>>> 3. ipa-getkeytab -s `hostname` -p host/`hostname` -k
>>>>>>>>>> /etc/krb5.keytab
>>>>>>>>>> 4. restart SSSD
>>>>>>>>>> 5. Move /etc/httpd/conf/ipa.keytab somewhere
>>>>>>>>>> 6. ipa-getkeytab -s `hostname` -p HTTP/`hostname` -k
>>>>>>>>>> /etc/httpd/conf/ipa.keytab
>>>>>>>>>> 7. Restart httpd
>>>>>>>>>>
>>>>>>>>>> Every time you run 'ipa-getkeytab', Kerberos key for the service
>>>>>>>>>> specified by you is replaced on the server side so that keys in
>>>>>>>>>> the
>>>>>>>>>> keytabs become unusable.
>>>>>>>>>>
>>>>>>>>>> I guess cockpit instructions were for something that was not
>>>>>>>>>> supposed to
>>>>>>>>>> run on IPA master. On IPA master there are already all needed
>>>>>>>>>> services
>>>>>>>>>> (host/ and HTTP/) and their keytabs are in place.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>> On Fri, Oct 2, 2015 at 3:45 PM, Alexander Bokovoy <abokovoy at redhat.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>>> More info:
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>> I can initiate a ticket:
>>>>>>>>>>>>> $ kdestroy
>>>>>>>>>>>>> $ kinit admin
>>>>>>>>>>>>>
>>>>>>>>>>>>> but cannot view user admin:
>>>>>>>>>>>>> $ ipa user-show admin
>>>>>>>>>>>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
>>>>>>>>>>>>> Unauthorized
>>>>>>>>>>>>>
>>>>>>>>>>>>> $ ipactl status
>>>>>>>>>>>>> Directory Service: RUNNING
>>>>>>>>>>>>> krb5kdc Service: RUNNING
>>>>>>>>>>>>> kadmin Service: RUNNING
>>>>>>>>>>>>> named Service: RUNNING
>>>>>>>>>>>>> ipa_memcached Service: RUNNING
>>>>>>>>>>>>> httpd Service: RUNNING
>>>>>>>>>>>>> pki-tomcatd Service: RUNNING
>>>>>>>>>>>>> smb Service: RUNNING
>>>>>>>>>>>>> winbind Service: RUNNING
>>>>>>>>>>>>> ipa-otpd Service: RUNNING
>>>>>>>>>>>>> ipa-dnskeysyncd Service: RUNNING
>>>>>>>>>>>>> ipa: INFO: The ipactl command was successful
>>>>>>>>>>>>>
>>>>>>>>>>>>> /var/log/messages:
>>>>>>>>>>>>> Oct  2 14:48:55 zaira2 [sssd[ldap_child[4991]]]: Failed to
>>>>>>>>>>>>> initialize
>>>>>>>>>>>>> credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt
>>>>>>>>>>>>> integrity
>>>>>>>>>>>>> check
>>>>>>>>>>>>> failed. Unable to create GSSAPI-encrypted LDAP connection.
>>>>>>>>>>>>>
>>>>>>>>>>>> What did you do?
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>> This and the log below about HTTP/zaira2.opera at OPERA show that
>>>>>>>>>>>> you have
>>>>>>>>>>>> different keys in LDAP and in your keytab files for
>>>>>>>>>>>> host/zaira2.opera
>>>>>>>>>>>> and HTTP/zaira2.opera principals. This might happen if somebody
>>>>>>>>>>>> removed
>>>>>>>>>>>> the principals from LDAP (ipa service-del/ipa service-add, or
>>>>>>>>>>>> ipa
>>>>>>>>>>>> host-del/ipa host-add) so that they become non-synchronized with
>>>>>>>>>>>> whatever you have in the keytab files.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>> On Fri, Oct 2, 2015 at 2:26 PM, Fujisan <fujisan43 at gmail.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>> I cannot login to the web UI anymore.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> The password or username you entered is incorrect.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Log says:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9
>>>>>>>>>>>>>> etypes
>>>>>>>>>>>>>> {18 17
>>>>>>>>>>>>>> 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH:
>>>>>>>>>>>>>> HTTP/zaira2.opera at OPERA
>>>>>>>>>>>>>> for krbtgt/OPERA at OPERA, Additional pre-authentication
>>>>>>>>>>>>>> required
>>>>>>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down
>>>>>>>>>>>>>> fd 12
>>>>>>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): preauth
>>>>>>>>>>>>>> (encrypted_timestamp) verify failure: Decrypt integrity check
>>>>>>>>>>>>>> failed
>>>>>>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9
>>>>>>>>>>>>>> etypes
>>>>>>>>>>>>>> {18 17
>>>>>>>>>>>>>> 16 23 25 26 1 3 2}) 10.0.21.18: PREAUTH_FAILED:
>>>>>>>>>>>>>> HTTP/zaira2.opera at OPERA
>>>>>>>>>>>>>> for krbtgt/OPERA at OPERA, Decrypt integrity check failed
>>>>>>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down
>>>>>>>>>>>>>> fd 12
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I have no idea what went wrong.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> What can I do?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Regards,
>>>>>>>>>>>>>> Fuji
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>>>>>>>> Go to http://freeipa.org for more info on the project
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> / Alexander Bokovoy
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> / Alexander Bokovoy
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> / Alexander Bokovoy
>>>>>>>
>>>>>>>
>
>
> --
> Petr Vobornik
>
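A small detection script, added here as an illustration and not code from the thread, that reads krb5kdc lines in the layout quoted above and separates a service principal failing pre-authentication with "Decrypt integrity check failed" (keytab keys out of sync with the KDC, the situation Alexander describes) from a user principal failing the same way (normally a wrong password). The log text is constructed for the example; the admin@OPERA lines are made up to show the contrast.

```python
import re

# Constructed sample in the krb5kdc log layout quoted in the thread; the
# principals, pid and client address are the ones the thread shows, the
# admin@OPERA lines are invented to contrast a user failure with a service one.
SAMPLE_KDC_LOG = """\
Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH: HTTP/zaira2.opera@OPERA for krbtgt/OPERA@OPERA, Additional pre-authentication required
Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): preauth (encrypted_timestamp) verify failure: Decrypt integrity check failed
Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: PREAUTH_FAILED: HTTP/zaira2.opera@OPERA for krbtgt/OPERA@OPERA, Decrypt integrity check failed
Oct 02 14:23:10 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: PREAUTH_FAILED: admin@OPERA for krbtgt/OPERA@OPERA, Decrypt integrity check failed
Oct 02 14:23:15 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: ISSUE: authtime 1443795795, etypes {rep=18 tkt=18 ses=18}, admin@OPERA for krbtgt/OPERA@OPERA
"""

# One PREAUTH_FAILED line reads "<client> for <service>, <reason>".
PREAUTH_FAILED_RE = re.compile(
    r"PREAUTH_FAILED: (?P<client>\S+) for (?P<server>\S+), (?P<reason>.*)$")
DECRYPT_FAILED = "Decrypt integrity check failed"


def preauth_failures(log_text):
    """Map each client principal to the reasons its pre-authentication failed."""
    failures = {}
    for line in log_text.splitlines():
        m = PREAUTH_FAILED_RE.search(line)
        if m:
            failures.setdefault(m["client"], []).append(m["reason"])
    return failures


def is_service_principal(principal):
    """service/host@REALM has a '/' in its name part; a user principal does not."""
    return "/" in principal.split("@", 1)[0]


def keytab_mismatch_suspects(log_text):
    """Service principals that failed pre-auth with a decrypt integrity error.

    A user gets this error by mistyping a password; a service authenticates
    from a keytab, so for it the error means the keytab key no longer matches
    the key the KDC holds, and the remedy is a fresh keytab (ipa-getkeytab),
    not a retry.
    """
    return sorted(p for p, reasons in preauth_failures(log_text).items()
                  if is_service_principal(p) and DECRYPT_FAILED in reasons)
```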
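The session-cookie cleanup discussed above, as an added example and not code from the thread: parse `keyctl list @s` output, find the cached ipa_session_cookie keys, and produce the commands that remove them. It emits keyctl unlink by key id because keyctl purge selects keys by type and description rather than by id, which is consistent with the "purged 0 keys" result reported above. The sample output is constructed, reusing the key ids shown in the thread plus one made-up cookie line.

```python
import re

# Constructed `keyctl list @s` output in the layout quoted in the thread, with
# the key ids the thread shows; the admin@OPERA cookie line is invented.
SAMPLE_KEYCTL = """\
4 keys in keyring:
437165764: --alswrv     0 65534 keyring: _uid.0
556579409: --alswrv     0     0 user: ipa_session_cookie:host/zaira2.opera@OPERA
123456789: --alswrv     0     0 user: ipa_session_cookie:admin@OPERA
286806445: ---lswrv     0 65534 keyring: _persistent.0
"""

# A key line reads "<id>: <perms> <uid> <gid> <type>: <description>".
KEY_LINE_RE = re.compile(
    r"^\s*(?P<id>\d+):\s+(?P<perms>\S+)\s+(?P<uid>\d+)\s+(?P<gid>\d+)\s+"
    r"(?P<type>\w+):\s+(?P<desc>.*)$")


def parse_keyctl_list(text):
    """Return one dict per key line; the 'N keys in keyring:' header is skipped."""
    keys = []
    for line in text.splitlines():
        m = KEY_LINE_RE.match(line)
        if m:
            keys.append({"id": int(m["id"]), "type": m["type"],
                         "desc": m["desc"].strip()})
    return keys


def ipa_session_cookies(text):
    """Cached IPA sessions: 'user' keys described as ipa_session_cookie:<principal>."""
    return [k for k in parse_keyctl_list(text)
            if k["type"] == "user" and k["desc"].startswith("ipa_session_cookie:")]


def cookie_removal_commands(text, keyring="@s"):
    """Commands that drop each cached cookie so the next ipa call asks for a new one.

    keyctl purge takes a key type (and optional description), not a key id, so
    'keyctl purge 556579409' matches nothing; keyctl unlink addresses a key by id.
    """
    return [f"keyctl unlink {k['id']} {keyring}" for k in ipa_session_cookies(text)]
```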