Hello all,
I have a problem with logging in to the web interface (username/pw) of one of my IPA servers, ipa2.
The installation is CA-less, without pkinit, and consists of the master servers ipa1 and ipa2.
ipa1 works fine at this time; ipa2 fails with "Login failed due to an unknown reason." in the web UI.
In the httpd error log:
CalledProcessError: Command '/usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_11164 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned non-zero exit status 1
If I try to run
kinit -n -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
for testing on ipa2, it asks me for a password (which I don't know).
Doing the same on ipa1 will not ask for a password, but simply adds the WELLKNOWN/ANONYMOUS principal to the keyring:
[root@charon run]# LANG=C klist -a
Ticket cache: KEYRING:persistent:0:krb_ccache_vscxoCZ
Default principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS

Valid starting       Expires              Service principal
22.07.2024 17:21:34  23.07.2024 17:21:34  krbtgt/NET.IDA@NET.IDA
        Addresses: (none)
So I guess this might be part of the problem.
Note that "kinit <user>" with a password I know works fine on ipa2.
What can I do to fix this?
I should say I had the same problem 2 years ago or so, but with reversed roles (ipa1 not allowing login, ipa2 working fine).
According to my notes from back then, a "systemctl restart sssd" fixed it that time. Unfortunately this does not seem to help this time.
Many thanks for any ideas,
Thomas Boroske
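As an added diagnostic helper (not part of the original post and not FreeIPA's own tooling): the web UI's armor ccache is obtained with exactly the anonymous `kinit -n` shown in the error log, and `kinit -n` only falls through to a password prompt when the PKINIT pre-authentication it needs is not usable. The script below separates the two usual causes: the KDC certificate not verifying against the anchors handed to kinit, and the KDC itself not completing PKINIT. The `KDC_CERT` and `ANCHORS` variable names and the `check_chain`, `kdc_cert_summary` and `anon_pkinit_probe` function names are my own; the default paths are the ones from the error log above; `openssl`, `kinit` and `klist` are assumed to be installed.

```shell
#!/bin/sh
# Added diagnostic helper for the "kinit -n asks for a password" symptom.
# Not from the original post or from FreeIPA. Assumes openssl, kinit and klist.
# Default paths are the ones passed to kinit in the httpd error log.

KDC_CERT=${KDC_CERT:-/var/kerberos/krb5kdc/kdc.crt}
ANCHORS=${ANCHORS:-/var/lib/ipa-client/pki/kdc-ca-bundle.pem}

# check_chain CERT BUNDLE: exit 0 if CERT chains to a CA in BUNDLE, 1 if not.
# This is the same trust check kinit performs with -X X509_anchors=FILE:BUNDLE.
check_chain() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# kdc_cert_summary CERT: print subject, issuer and expiry so the KDC certs of
# the working and the failing server can be compared side by side.
kdc_cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -enddate
}

# anon_pkinit_probe: run the same anonymous kinit the web UI runs, into a
# throwaway credential cache, with KRB5_TRACE enabled so libkrb5 logs each
# pre-authentication mechanism it tries and why it was rejected.
# stdin is redirected from /dev/null so a password prompt fails immediately
# (as it does for httpd) instead of blocking the terminal.
anon_pkinit_probe() {
    cc=$(mktemp)
    KRB5_TRACE=/dev/stderr kinit -n -c "FILE:$cc" \
        -X X509_anchors="FILE:$KDC_CERT" \
        -X X509_anchors="FILE:$ANCHORS" </dev/null
    rc=$?
    [ "$rc" -eq 0 ] && klist -c "FILE:$cc"
    rm -f "$cc"
    return "$rc"
}

# run_checks: chain check first, then the live probe, reporting each result.
run_checks() {
    echo "== KDC certificate =="
    kdc_cert_summary "$KDC_CERT"
    if check_chain "$KDC_CERT" "$ANCHORS"; then
        echo "chain: $KDC_CERT verifies against $ANCHORS"
    else
        echo "chain: $KDC_CERT does NOT verify against $ANCHORS"
    fi
    echo "== anonymous PKINIT probe =="
    if anon_pkinit_probe; then
        echo "probe: anonymous PKINIT works on this host"
    else
        echo "probe: anonymous PKINIT failed (see KRB5_TRACE output above)"
    fi
}

# Run the checks when executed directly; sourcing the file only defines them.
[ "${0##*/}" = "pkinit-check.sh" ] && run_checks
```

Run it on both servers and diff the output: if `check_chain` fails only on ipa2, the KDC certificate or the anchor bundle there differs from ipa1's (in a CA-less install both are supplied by the external CA, and the bundle must contain that CA); if the chain verifies but the probe still fails, the KRB5_TRACE lines show whether the KDC ever offers PKINIT or rejects the anonymous request.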