Hi,
In order to log in to the WebUI using an AD user, refer to the following
doc: *Web UI login for Active Directory users* [1].
An idoverride is required for each AD user that wants to connect to the
WebUI.
HTH,
flo
[1]
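As an added example (not part of flo's reply and not FreeIPA project code), here is a small POSIX shell helper that applies that fix idempotently with the `ipa` CLI: for each AD user it checks whether an override already exists and only then runs `idoverrideuser-add`, so it can be re-run safely from a user list. It assumes things the thread does not state: that `kinit admin` has already been run, that the overrides belong in FreeIPA's built-in "Default Trust View", and that AD users are given as user@ad.domain, one per line on stdin.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeIPA project: idempotently
# create the per-user ID override that the reply above says each AD user
# needs before the Web UI accepts their login.
# Assumptions (not stated in the thread): "kinit admin" has already been
# run, the overrides belong in FreeIPA's built-in "Default Trust View",
# and AD users are given as user@ad.domain, one per line on stdin.
set -eu

IDVIEW="${IDVIEW:-Default Trust View}"
IPA="${IPA:-ipa}"   # the ipa CLI; can be pointed at a stub for dry runs

# Succeeds (exit 0) when an override for the AD user already exists.
idoverride_exists() {
    "$IPA" idoverrideuser-show "$IDVIEW" "$1" >/dev/null 2>&1
}

# Ensure one AD user has an override; prints "exists:" or "added:".
ensure_idoverride() {
    ad_user="$1"
    if idoverride_exists "$ad_user"; then
        echo "exists: $ad_user"
    else
        "$IPA" idoverrideuser-add "$IDVIEW" "$ad_user" >/dev/null
        echo "added: $ad_user"
    fi
}

# Read AD users from stdin (blank lines and # comments ignored) and
# ensure each has an override. Safe to re-run: existing ones are skipped.
ensure_idoverrides() {
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"
        user="$(printf '%s' "$line" | tr -d '[:space:]')"
        [ -n "$user" ] || continue
        ensure_idoverride "$user"
    done
}

# Usage (after kinit admin):
#   printf 'ad_user@example.corp\n' | sh ensure_idoverrides.sh --apply
if [ "${1:-}" = "--apply" ]; then
    ensure_idoverrides
fi
```

Afterwards, `ipa idoverrideuser-find 'Default Trust View'` lists the overrides that were created, which is the quickest way to confirm the AD account the Web UI rejected now has one.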
On Fri, Apr 21, 2023 at 1:20 PM iulian roman via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Hello,
I have a FreeIPA setup with AD trust configured. Everything works, except
the login to the Web UI with an Active Directory account. The only
possibility to log in to the Web UI is via the admin account.
In /var/log/krb5kdc.log I have the following entries after I try to
connect to the Web UI:
Apr 21 13:10:50 server1.ipa.example.corp krb5kdc[79563](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.110.10.16: NEEDED_PREAUTH: WELLKNOWN/ANONYMOUS@IPA.EXAMPLE.CORP for krbtgt/IPA.EXAMPLE.CORP@IPA.EXAMPLE.CORP, Additional pre-authentication required
Apr 21 13:10:50 server1.ipa.example.corp krb5kdc[79563](info): closing down fd 11
Apr 21 13:10:51 server1.ipa.example.corp krb5kdc[79563](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.110.10.16: ISSUE: authtime 1682075451, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, WELLKNOWN/ANONYMOUS@IPA.EXAMPLE.CORP for krbtgt/IPA.EXAMPLE.CORP@IPA.EXAMPLE.CORP
Apr 21 13:10:51 server1.ipa.example.corp krb5kdc[79563](info): closing down fd 11
Apr 21 13:10:51 server1.ipa.example.corp krb5kdc[79563](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.110.10.16: REFERRAL: ad_user\@example.corp@IPA.EXAMPLE.CORP for krbtgt/IPA.EXAMPLE.CORP@IPA.EXAMPLE.CORP, Realm not local to KDC
Apr 21 13:10:51 server1.ipa.example.corp krb5kdc[79563](info): closing down fd 11
Apr 21 13:10:51 server1.ipa.example.corp krb5kdc[79563](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.110.10.16: ISSUE: authtime 1682075451, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, ad_user@EXAMPLE.CORP for HTTP/server1.ipa.example.corp@IPA.EXAMPLE.CORP
Apr 21 13:10:51 server1.ipa.example.corp krb5kdc[79563](info): closing down fd 11
Apr 21 13:10:51 server1.ipa.example.corp krb5kdc[79563](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.110.10.16: ISSUE: authtime 1682075451, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, HTTP/server1.ipa.example.corp@IPA.EXAMPLE.CORP for ldap/server1.ipa.example.corp@IPA.EXAMPLE.CORP
Apr 21 13:10:51 server1.ipa.example.corp krb5kdc[79563](info): ... CONSTRAINED-DELEGATION s4u-client=ad_user@EXAMPLE.CORP
Apr 21 13:10:51 server1.ipa.example.corp krb5kdc[79563](info): closing down fd 11
In /var/log/httpd/error_log:
[Fri Apr 21 13:10:51.486185 2023] [wsgi:error] [pid 83736:tid 139830049466112] [remote 10.30.93.93:55487] ipa: DEBUG: http://server1.ipa.example.corp:80 "GET /ipa/session/cookie HTTP/1.1" 301 264
[Fri Apr 21 13:10:51.489030 2023] [wsgi:error] [pid 83736:tid 139830049466112] [remote 10.30.93.93:55487] ipa: DEBUG: Starting new HTTPS connection (1): server1.ipa.example.corp:443
[Fri Apr 21 13:10:51.502719 2023] [wsgi:error] [pid 83736:tid 139830049466112] [remote 10.30.93.93:55487] ipa: DEBUG: https://server1.ipa.example.corp:443 "GET /ipa/session/cookie HTTP/1.1" 200 0
[Fri Apr 21 13:10:51.520267 2023] [wsgi:error] [pid 83735:tid 139830049466112] [remote 10.30.93.93:55487] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Fri Apr 21 13:10:51.520383 2023] [wsgi:error] [pid 83735:tid 139830049466112] [remote 10.30.93.93:55487] ipa: DEBUG: WSGI jsonserver_session.__call__:
[Fri Apr 21 13:10:51.543781 2023] [wsgi:error] [pid 83735:tid 139830049466112] [remote 10.30.93.93:55487] ipa: INFO: 401 Unauthorized: Insufficient access: Invalid credentials
[Fri Apr 21 13:10:51.549458 2023] [:warn] [pid 84016:tid 139829933188864] [client 10.30.93.93:55487] failed to set perms (3140) on file (/run/ipa/ccaches/ad_user@EXAMPLE.CORP-EejFLz)!, referer: https://server1.ipa.example.corp/ipa/ui/
[Fri Apr 21 13:10:51.550056 2023] [wsgi:error] [pid 83738:tid 139830049466112] [remote 10.30.93.93:55487] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Fri Apr 21 13:10:51.550114 2023] [wsgi:error] [pid 83738:tid 139830049466112] [remote 10.30.93.93:55487] ipa: DEBUG: WSGI KerberosLogin.__call__:
[Fri Apr 21 13:10:51.557831 2023] [wsgi:error] [pid 83738:tid 139830049466112] [remote 10.30.93.93:55487] ipa: INFO: 401 Unauthorized: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (108962060): Credential cache is empty
From the Web UI I tried to connect with the ad_user account, with and
without appending the AD domain (EXAMPLE.CORP).
The error message I get in the UI is: Your session has expired. Please
log in again.
Does anyone have any suggestion or idea how it can be fixed?
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org