On Mon, Oct 09, 2017 at 03:16:13PM +0300, Markovich via FreeIPA-users wrote:
Hello, ipa-users!
Can't log in to my FreeIPA system with the admin user.
*On WebUI*
Login failed due to an unknown reason.
*In krb5kdc.log:*
Oct 09 08:08:24 myhost.mydomain krb5kdc[24788](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.110.26: NEEDED_PREAUTH: WELLKNOWN/ANONYMOUS@MYDOMAIN.COM for krbtgt/MYDOMAIN.COM@MYDOMAIN.COM, Additional pre-authentication required
Oct 09 08:08:24 myhost.mydomain krb5kdc[24788](info): closing down fd 11
Oct 09 08:08:24 myhost.mydomain krb5kdc[24788](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.110.26: ISSUE: authtime 1507550904, etypes {rep=18 tkt=18 ses=18}, WELLKNOWN/ANONYMOUS@MYDOMAIN.COM for krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
Oct 09 08:08:24 myhost.mydomain krb5kdc[24788](info): closing down fd 11
Oct 09 08:08:24 myhost.mydomain krb5kdc[24786](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.110.26: NEEDED_PREAUTH: admin@MYDOMAIN.COM for krbtgt/MYDOMAIN.COM@MYDOMAIN.COM, Additional pre-authentication required
Oct 09 08:08:24 myhost.mydomain krb5kdc[24786](info): closing down fd 11
Oct 09 08:08:24 myhost.mydomain krb5kdc[24787](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.110.26: ISSUE: authtime 1507550904, etypes {rep=18 tkt=18 ses=18}, admin@MYDOMAIN.COM for krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
Oct 09 08:08:24 myhost.mydomain krb5kdc[24787](info): closing down fd 11
Oct 09 08:08:24 myhost.mydomain krb5kdc[24785](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.110.26: ISSUE: authtime 1507550904, etypes {rep=18 tkt=18 ses=18}, admin@MYDOMAIN.COM for HTTP/myhost.mydomain@MYDOMAIN.COM
Oct 09 08:08:24 myhost.mydomain krb5kdc[24785](info): closing down fd 11
Oct 09 08:08:24 myhost.mydomain krb5kdc[24786](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.110.26: NEEDED_PREAUTH: HTTP/myhost.mydomain@MYDOMAIN.COM for krbtgt/MYDOMAIN.COM@MYDOMAIN.COM, Additional pre-authentication required
Oct 09 08:08:24 myhost.mydomain krb5kdc[24786](info): closing down fd 11
Oct 09 08:08:24 myhost.mydomain krb5kdc[24788](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Oct 09 08:08:24 myhost.mydomain krb5kdc[24788](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.110.26: PREAUTH_FAILED: HTTP/myhost.mydomain@MYDOMAIN.COM for krbtgt/MYDOMAIN.COM@MYDOMAIN.COM, Preauthentication failed
It is not your authentication which failed but the authentication
attempt of the web server. I guess the keys on the server were updated
but not written into the keytab.
Can you try if

    kinit -k -t /var/lib/ipa/gssproxy/http.keytab HTTP/myhost.mydomain@MYDOMAIN.COM

returns the same error (preauth (encrypted_timestamp) verify failure:
Preauthentication failed)? In this case you should update the keytab
with ipa-getkeytab and restart httpd.
HTH
bye,
Sumit
Oct 09 08:08:24 myhost.mydomain krb5kdc[24788](info): closing down fd 11
Oct 09 08:08:24 myhost.mydomain krb5kdc[24786](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.110.26: NEEDED_PREAUTH: HTTP/myhost.mydomain@MYDOMAIN.COM for krbtgt/MYDOMAIN.COM@MYDOMAIN.COM, Additional pre-authentication required
Oct 09 08:08:24 myhost.mydomain krb5kdc[24786](info): closing down fd 11
Oct 09 08:08:24 myhost.mydomain krb5kdc[24785](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Oct 09 08:08:24 myhost.mydomain krb5kdc[24785](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.110.26: PREAUTH_FAILED: HTTP/myhost.mydomain@MYDOMAIN.COM for krbtgt/MYDOMAIN.COM@MYDOMAIN.COM, Preauthentication failed
Oct 09 08:08:24 myhost.mydomain krb5kdc[24785](info): closing down fd 11
*In httpd error log:*
[Mon Oct 09 08:10:31.746129 2017] [auth_gssapi:error] [pid 24813] [client
192.168.110.26:45594] GSS ERROR gss_acquire_cred[_from]() failed to get
server creds: [Unspecified GSS failure. Minor code may provide more
information ( SPNEGO cannot find mechanisms to negotiate)]
[Mon Oct 09 08:10:31.749411 2017] [:error] [pid 24806] ipa: INFO: 401
Unauthorized: No session cookie found
*In messages:*
Oct 9 08:11:40 myhost gssproxy: gssproxy[13658]: (OID: { 1 2 840 113554 1
2 2 }) Unspecified GSS failure. Minor code may provide more information,
Preauthentication failed
Oct 9 08:11:40 myhost gssproxy: gssproxy[13658]: (OID: { 1 2 840 113554 1
2 2 }) Unspecified GSS failure. Minor code may provide more information,
Preauthentication failed
*The password is correct 100%.*
*I can do kinit for admin.*
*Where to look next?*
*Restart didn't help.*
OS Red Hat Enterprise Linux Server release 7.4
[root@myhost ipa]# uname -a
Linux myhost.mydomain 3.10.0-693.2.2.el7.x86_64 #1 SMP Tue Sep 12 10:49:01
PDT 2017 x86_64 x86_64 x86_64 GNU/Linux
Regards,
Andrey
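
The diagnosis in the reply (the web server's principal, not admin, failed pre-authentication) can be read mechanically from the KDC log. The following is an added example, not part of the original thread: the sample lines are the thread's krb5kdc entries unwrapped with "@" restored, and the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample: krb5kdc entries from the thread, one entry per line.
SAMPLE_LOG = """\
Oct 09 08:08:24 myhost.mydomain krb5kdc[24786](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.110.26: NEEDED_PREAUTH: admin@MYDOMAIN.COM for krbtgt/MYDOMAIN.COM@MYDOMAIN.COM, Additional pre-authentication required
Oct 09 08:08:24 myhost.mydomain krb5kdc[24787](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.110.26: ISSUE: authtime 1507550904, etypes {rep=18 tkt=18 ses=18}, admin@MYDOMAIN.COM for krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
Oct 09 08:08:24 myhost.mydomain krb5kdc[24785](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.110.26: ISSUE: authtime 1507550904, etypes {rep=18 tkt=18 ses=18}, admin@MYDOMAIN.COM for HTTP/myhost.mydomain@MYDOMAIN.COM
Oct 09 08:08:24 myhost.mydomain krb5kdc[24786](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.110.26: NEEDED_PREAUTH: HTTP/myhost.mydomain@MYDOMAIN.COM for krbtgt/MYDOMAIN.COM@MYDOMAIN.COM, Additional pre-authentication required
Oct 09 08:08:24 myhost.mydomain krb5kdc[24788](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Oct 09 08:08:24 myhost.mydomain krb5kdc[24788](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.110.26: PREAUTH_FAILED: HTTP/myhost.mydomain@MYDOMAIN.COM for krbtgt/MYDOMAIN.COM@MYDOMAIN.COM, Preauthentication failed
Oct 09 08:08:24 myhost.mydomain krb5kdc[24788](info): closing down fd 11
"""

# Request type, client address, KDC status, client principal, target service.
# ISSUE entries carry an extra "authtime ..., etypes {...}," field before the client.
REQ = re.compile(
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{[^}]*\}\) (?P<client_ip>\S+): "
    r"(?P<status>[A-Z_]+): (?:authtime \d+, etypes \{[^}]*\}, )?"
    r"(?P<client>\S+) for (?P<service>[^,\s]+)"
)

def summarize(log_text):
    """Map each client principal to the (request, status) pairs logged for it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = REQ.search(line)
        if m:
            seen[m["client"]].add((m["req"], m["status"]))
    return seen

def failing_principals(log_text):
    """Principals that hit PREAUTH_FAILED and never had a TGT issued."""
    return sorted(
        p for p, st in summarize(log_text).items()
        if ("AS_REQ", "PREAUTH_FAILED") in st and ("AS_REQ", "ISSUE") not in st
    )

def looks_like_service(principal):
    """Heuristic: a 'name/host' primary usually means a service key in a keytab."""
    return "/" in principal.split("@", 1)[0]

if __name__ == "__main__":
    for p in failing_principals(SAMPLE_LOG):
        hint = "check its keytab against the KDC" if looks_like_service(p) else "user credential"
        print(f"{p}: PREAUTH_FAILED ({hint})")
```

A service principal in the output is the case the reply describes, and the kinit -k test against that service's keytab is the next check.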