After following the @Dan West solution described at https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/4S4QQDC4FBVTA4GYWWVBPKGYN3MF4UJ6/#7SKWKKFFDMMFWOXPR53ZFGB634RKJHVU , users are able to log in to the IPA WebGUI.

My setup uses this FreeIPA LDAP for Wi-Fi authentication using FreeRADIUS.

Now the users are unable to log in to the Wi-Fi network using the RADIUS server (FreeRADIUS). FreeRADIUS is throwing MS-CHAP-Error = "\000E=691 R=1 C=269d5124d7a4e4f1 v=1"
I guess this is because FreeRADIUS uses the ipaNTHash attribute in mschap, and in the @Dan West solution this attribute was deleted.



On Tue, Feb 1, 2022 at 12:17 AM Alexander Bokovoy <abokovoy@redhat.com> wrote:
On Sat, 29 Jan 2022, code bugs via FreeIPA-users wrote:
>Hello,
>
>-IPA WebGUI login fails with "Login failed due to an unknown reason"
>-After upgrading IPA, can no longer log into the WebGUI
>Version/Release/Distribution
>
>$ cat /etc/centos-release
>CentOS Linux release 8.5.2111
>$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
>package freeipa-server is not installed
>package freeipa-client is not installed
>ipa-server-4.9.6-10.module_el8.5.0+1055+c415bbe9.x86_64
>ipa-client-4.9.6-10.module_el8.5.0+1055+c415bbe9.x86_64
>389-ds-base-1.4.3.23-12.module_el8.5.0+1056+b3c5a4b9.x86_64
>pki-ca-10.11.2-2.module_el8.5.0+945+a81e57da.noarch
>krb5-server-1.18.2-14.el8.x86_64
>Additional info:
>
>tail /var/log/httpd/error_log
>
>[wsgi:error] [pid 8833:tid 139812622513920] [remote 10.2.3.80:51404] ipa:
>INFO: 401 Unauthorized: Major (851968): Unspecified GSS failure. Minor code
>may provide more information, Minor (2598844948): TGT has been revoked

Please show entries in /var/log/krb5kdc.log corresponding to this
timeframe. If TGT is revoked, it most likely is documented why in that
log. Also, if possible, show other requests in httpd's error_log for the
same timeframe -- if that was Web UI login, there would be a few around
this error.

One possible problem could be what is documented in
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/4S4QQDC4FBVTA4GYWWVBPKGYN3MF4UJ6/#7SKWKKFFDMMFWOXPR53ZFGB634RKJHVU
but then it would not be possible to get a Kerberos ticket in kinit as
well. Perhaps, you have a problem with anonymous PKINIT on this host
instead.

>
>further,
>
>   1. default "admin" user can log in to the IPA WebGUI
>   2. other users cannot log in to the IPA WebGUI, but can log in using the CLI
>   (kinit)
>   3. when I create a new user, the new user can log in to the IPA WebGUI.




--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
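
The MS-CHAP-Error value quoted in the first message can be decoded field by field. The sketch below is an added example, not part of the thread or of FreeRADIUS; it follows the failure-packet layout in RFC 2433 / RFC 2759 (`E=` error code, `R=` retry flag, `C=` challenge in hex, `V=` version, optional `M=` text), and the name `parse_mschap_error` is hypothetical.

```python
import re

# Error codes defined for the MS-CHAP failure packet (RFC 2433 / RFC 2759).
ERROR_CODES = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

# The value reported in the message above, as it appears in the server log.
SAMPLE = r"\000E=691 R=1 C=269d5124d7a4e4f1 v=1"


def parse_mschap_error(value):
    """Decode a logged MS-CHAP-Error string into its fields (hypothetical helper)."""
    ident = None
    esc = re.match(r"\\(\d{3})", value)       # ident octet logged as \ooo
    if esc:
        ident, value = int(esc.group(1), 8), value[esc.end():]
    elif value and ord(value[0]) < 0x20:      # ident octet as a raw control byte
        ident, value = ord(value[0]), value[1:]
    # M=<text> comes last and may contain spaces, so split it off first.
    head, has_msg, msg = value.partition(" M=")
    fields = {}
    for token in head.split():
        key, eq, val = token.partition("=")
        if not eq:
            raise ValueError(f"malformed field: {token!r}")
        fields[key.upper()] = val             # the logged sample uses lowercase v=
    if "E" not in fields:
        raise ValueError("missing E= error code")
    challenge = fields.get("C", "")
    if not re.fullmatch(r"(?:[0-9A-Fa-f]{2})*", challenge):
        raise ValueError("C= is not an even-length hex string")
    code = int(fields["E"])
    return {
        "ident": ident,
        "code": code,
        "name": ERROR_CODES.get(code, "UNKNOWN"),
        "retry_allowed": fields.get("R") == "1",
        "challenge": bytes.fromhex(challenge),
        "version": int(fields["V"]) if "V" in fields else None,
        "message": msg if has_msg else None,
    }


if __name__ == "__main__":
    print(parse_mschap_error(SAMPLE))
```

Code 691 only states that the response did not match what the server computed; the log line by itself does not say why the comparison failed.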