[Freeipa-users] Re: WEB UI access issues with AD account

Hello, I have a FreeIPA setup with ad trust configured. Everything works, except the login to the WEB UI with an Active Directory account. The only possibility to login to the WEB UI is via the admin account. In the /var/log/krb5kdc.log i have the following entries after i try to connect to WEB UI: Apr 21 13:10:50 server1.ipa.example.corp krb5kdc[79563](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.110.10.16: NEEDED_PREAUTH: WELLKNOWN/ANONYMOUS(a)IPA.EXAMPLE.CORP for krbtgt/IPA.EXAMPLE.CORP(a)IPA.EXAMPLE.CORP, Additional pre-authentication required Apr 21 13:10:50 server1.ipa.example.corp krb5kdc[79563](info): closing down fd 11 Apr 21 13:10:51 server1.ipa.example.corp krb5kdc[79563](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.110.10.16: ISSUE: authtime 1682075451, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, WELLKNOWN/ANONYMOUS(a)IPA.EXAMPLE.CORP for krbtgt/IPA.EXAMPLE.CORP(a)IPA.EXAMPLE.CORP Apr 21 13:10:51 server1.ipa.example.corp krb5kdc[79563](info): closing down fd 11 Apr 21 13:10:51 server1.ipa.example.corp krb5kdc[79563](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.110.10.16: REFERRAL: ad_user\@example.corp(a)IPA.EXAMPLE.CORP for krbtgt/IPA.EXAMPLE.CORP(a)IPA.EXAMPLE.CORP, Realm not local to KDC Apr 21 13:10:51 server1.ipa.example.corp krb5kdc[79563](info): closing down fd 11 Apr 21 13:10:51 server1.ipa.example.corp krb5kdc[79563](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.110.10.16: ISSUE: authtime 1682075451, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, ad_user(a)EXAMPLE.CORP for HTTP/server1.ipa.example.corp(a)IPA.EXAMPLE.CORP Apr 21 13:10:51 server1.ipa.example.corp krb5kdc[79563](info): closing down fd 11 Apr 21 13:10:51 server1.ipa.example.corp krb5kdc[79563](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.110.10.16: ISSUE: authtime 1682075451, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, HTTP/server1.ipa.example.corp(a)IPA.EXAMPLE.CORP for ldap/server1.ipa.example.corp(a)IPA.EXAMPLE.CORP Apr 21 13:10:51 server1.ipa.example.corp krb5kdc[79563](info): ... CONSTRAINED-DELEGATION s4u-client=ad_user(a)EXAMPLE.CORP Apr 21 13:10:51 server1.ipa.example.corp krb5kdc[79563(info): closing down fd 11 In the/var/log/httpd/error_log : [Fri Apr 21 13:10:51.486185 2023] [wsgi:error] [pid 83736:tid 139830049466112] [remote 10.30.93.93:55487] ipa: DEBUG: http://server1.ipa.example.corp:80 "GET /ipa/session/cookie HTTP/1.1" 301 264 [Fri Apr 21 13:10:51.489030 2023] [wsgi:error] [pid 83736:tid 139830049466112] [remote 10.30.93.93:55487] ipa: DEBUG: Starting new HTTPS connection (1): server1.ipa.example.corp:443 [Fri Apr 21 13:10:51.502719 2023] [wsgi:error] [pid 83736:tid 139830049466112] [remote 10.30.93.93:55487] ipa: DEBUG: https://server1.ipa.example.corp:443 "GET /ipa/session/cookie HTTP/1.1" 200 0 [Fri Apr 21 13:10:51.520267 2023] [wsgi:error] [pid 83735:tid 139830049466112] [remote 10.30.93.93:55487] ipa: DEBUG: WSGI wsgi_dispatch.__call__: [Fri Apr 21 13:10:51.520383 2023] [wsgi:error] [pid 83735:tid 139830049466112] [remote 10.30.93.93:55487] ipa: DEBUG: WSGI jsonserver_session.__call__: [Fri Apr 21 13:10:51.543781 2023] [wsgi:error] [pid 83735:tid 139830049466112] [remote 10.30.93.93:55487] ipa: INFO: 401 Unauthorized: Insufficient access: Invalid credentials [Fri Apr 21 13:10:51.549458 2023] [:warn] [pid 84016:tid 139829933188864] [client 10.30.93.93:55487] failed to set perms (3140) on file (/run/ipa/ccaches/ad_user(a)EXAMPLE.CORP-EejFLz)!, referer: https://server1.ipa.example.corp/ipa/ui/ [Fri Apr 21 13:10:51.550056 2023] [wsgi:error] [pid 83738:tid 139830049466112] [remote 10.30.93.93:55487] ipa: DEBUG: WSGI wsgi_dispatch.__call__: [Fri Apr 21 13:10:51.550114 2023] [wsgi:error] [pid 83738:tid 139830049466112] [remote 10.30.93.93:55487] ipa: DEBUG: WSGI KerberosLogin.__call__: [Fri Apr 21 13:10:51.557831 2023] [wsgi:error] [pid 83738:tid 139830049466112] [remote 10.30.93.93:55487] ipa: INFO: 401 Unauthorized: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (108962060): Credential cache is empty From WEB UI i tri to connect with ad_user account with and without appending the AD domain (EXAMPLE.CORP). The error message i get on the UI is : Your session has expired. Please log in again. Does anyone have any suggestion or idea how can it be fixed ? _______________________________________________ FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue