I tried changing the password but that did not work.
When I ran
# ipa -e in_server=true user-mod mtest --addattr=ipanthash=MagicRegen
I am getting
ipa: ERROR: attribute "ipanthas" not allowed
Same error when
dn: uid=foo,cn=users,cn=accounts,dc=ipa,dc=test
changetype: modify
add: ipaNTHash
ipaNTHash: MagicRegen
From: Alexander Bokovoy
Sent: Thursday, February 3, 2022 12:32 AM
To: FreeIPA users list
Cc: code bugs
Subject: Re: [Freeipa-users] Re: IPA WebGUI login fails with "Login failed due to an unknown reason"
On ke, 02 helmi 2022, Alexander Bokovoy via FreeIPA-users wrote:
>On ke, 02 helmi 2022, code bugs wrote:
>>After following the @Dan West
>><https://lists.fedorahosted.org/archives/users/138940716030953366928314736264121067319/>
>>solution
>>described at
>>https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/4S4QQDC4FBVTA4GYWWVBPKGYN3MF4UJ6/#7SKWKKFFDMMFWOXPR53ZFGB634RKJHVU
>>, users are able to login to IPA WebGUI.
>>
>>My setup uses this freeipa LDAP for Wi-Fi authentication using Freeradius.
>>
>>Now the users are unable to login into the WIFI network using the radius
>>server (Freeradius). Free radius throwing MS-CHAP-Error = "\000E=691 R=1
>>C=269d5124d7a4e4f1 v=1"
>>I guess since freeradius uses ipaNTHash attribute in mschap and in @Dan
>>West solution this attribute was deleted.
>
>That's most likely the cause, yes.
>
>There are two ways to recover ipaNTHash attribute values. First one:
>change password. This will cause ipaNTHash to be generated if its
>generation is not disabled in IPA configuration (it is not by default).
>
>Another path depends on whether your users' Kerberos keys have
>arcfour-hmac encryption keys already. If they do, you can trigger
>re-creation of ipaNTHash by adding it with a special value:
>
>dn: uid=foo,cn=users,cn=accounts,dc=ipa,dc=test
>changetype: modify
>add: ipaNTHash
>ipaNTHash: MagicRegen
>
>You can do this either as cn=Directory Manager, or as an admin, or as a
>user themselves. Perhaps, doing this as cn=Directory Manager will be a
>bit easier. In case there is no arcfour-hmac encryption key in the
>Kerberos keys for the user in question, you would get LDAP error
>LDAP_UNWILLING_TO_PERFORM.
Just tried this on my test system, it works.
# ldapmodify -H ldapi://%2fvar%2frun%2fslapd-IPA-TEST.socket -Y EXTERNAL
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: uid=mtest,cn=users,cn=accounts,dc=ipa,dc=test
changetype: modify
delete: ipaNTHash
^D
modifying entry "uid=mtest,cn=users,cn=accounts,dc=ipa,dc=test"
# ipa -e in_server=true user-mod mtest --addattr=ipanthash=MagicRegen
# ipa -e in_server=true user-show mtest --all --raw |grep ipaNTHash
ipaNTHash: some-value
>
>
>>
>>
>>On Tue, Feb 1, 2022 at 12:17 AM Alexander Bokovoy <abokovoy@redhat.com>
>>wrote:
>>
>>>On la, 29 tammi 2022, code bugs via FreeIPA-users wrote:
>>>>Hello,
>>>>
>>>>-IPA WebGUI login fails with "Login failed due to an unknown reason"
>>>>-After upgrading IPA, can no longer log into the WebGUI
>>>>Version/Release/Distribution
>>>>
>>>>$ cat /etc/centos-release
>>>>CentOS Linux release 8.5.2111
>>>>$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base
>>>>pki-ca krb5-server
>>>>package freeipa-server is not installed
>>>>package freeipa-client is not installed
>>>>ipa-server-4.9.6-10.module_el8.5.0+1055+c415bbe9.x86_64
>>>>ipa-client-4.9.6-10.module_el8.5.0+1055+c415bbe9.x86_64
>>>>389-ds-base-1.4.3.23-12.module_el8.5.0+1056+b3c5a4b9.x86_64
>>>>pki-ca-10.11.2-2.module_el8.5.0+945+a81e57da.noarch
>>>>krb5-server-1.18.2-14.el8.x86_64
>>>>Additional info:
>>>>
>>>>tail /var/log/httpd/error_log
>>>>
>>>>[wsgi:error] [pid 8833:tid 139812622513920] [remote 10.2.3.80:51404] ipa: INFO: 401 Unauthorized: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2598844948): TGT has been revoked
>>>
>>>Please show entries in /var/log/krb5kdc.log corresponding to this
>>>timeframe. If TGT is revoked, it most likely is documented why in that
>>>log. Also, if possible, show other requests in httpd's error_log for the
>>>same timeframe -- if that was Web UI login, there would be few around
>>>this error.
>>>
>>>One possible problem could be what is documented in
>>>
>>>https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/4S4QQDC4FBVTA4GYWWVBPKGYN3MF4UJ6/#7SKWKKFFDMMFWOXPR53ZFGB634RKJHVU
>>>but then it would not be possible to get a Kerberos ticket in kinit as
>>>well. Perhaps, you have a problem with anonymous PKINIT on this host
>>>instead.
>>>
>>>>
>>>>further,
>>>>
>>>> 1. The default "admin" user can log in to the IPA WebGUI
>>>> 2. Other users cannot log in to the IPA WebGUI, but can log in using the CLI
>>>> (kinit)
>>>> 3. When I create a new user, the new user can log in to the IPA WebGUI.
>>>
>>>
>>>
>>>
>>>--
>>>/ Alexander Bokovoy
>>>Sr. Principal Software Engineer
>>>Security / Identity Management Engineering
>>>Red Hat Limited, Finland
>>>
>>>
>
>
>
>
>--
>/ Alexander Bokovoy
>Sr. Principal Software Engineer
>Security / Identity Management Engineering
>Red Hat Limited, Finland
>_______________________________________________
>FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
>Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
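An added example, not part of this thread and not FreeIPA project code: a small shell script that wraps Alexander's second recovery path (adding "ipaNTHash: MagicRegen" over LDAP) for a list of users and reports, per user, whether the hash was regenerated or whether that user still has to change their password because there is no arcfour-hmac key. It assumes the hypothetical base DN dc=ipa,dc=test and ldapi socket path used in the thread, and that it runs as root on the IPA server so SASL/EXTERNAL maps to cn=Directory Manager. The result mapping relies on ldapmodify exiting with the LDAP result code: 53 is unwillingToPerform (the error Alexander describes for users without an arcfour-hmac key) and 20 is attributeOrValueExists (the attribute was never deleted for that user).

```shell
#!/bin/bash
# Added example (not from the thread): regenerate ipaNTHash for IPA users
# by adding the special value "MagicRegen" as cn=Directory Manager.
# Assumed values: base DN and ldapi socket path follow the thread's test realm.
set -u

BASE_DN="${BASE_DN:-dc=ipa,dc=test}"                                    # assumption
LDAPI_URI="${LDAPI_URI:-ldapi://%2fvar%2frun%2fslapd-IPA-TEST.socket}"  # assumption

# Build the LDIF that asks the server to regenerate the NT hash for one user.
# The attribute name must be spelled exactly "ipaNTHash".
regen_ldif() {
    local uid="$1"
    printf 'dn: uid=%s,cn=users,cn=accounts,%s\n' "$uid" "$BASE_DN"
    printf 'changetype: modify\n'
    printf 'add: ipaNTHash\n'
    printf 'ipaNTHash: MagicRegen\n'
}

# Translate ldapmodify's exit status (the LDAP result code) into an outcome.
explain_rc() {
    case "$1" in
        0)  echo "regenerated" ;;          # success: hash rebuilt from arcfour-hmac key
        20) echo "already-present" ;;      # attributeOrValueExists: nothing to do
        53) echo "no-arcfour-key" ;;       # unwillingToPerform: user must change password
        *)  echo "error-$1" ;;             # anything else: inspect the 389-ds log
    esac
}

# Apply the regeneration for one user and print the outcome.
regen_user() {
    local uid="$1"
    regen_ldif "$uid" | ldapmodify -Q -H "$LDAPI_URI" -Y EXTERNAL >/dev/null 2>&1
    explain_rc "$?"
}

# Verify afterwards, the same way the thread does, that the attribute is back.
# in_server=true lets the ipa command read ipaNTHash as Directory Manager.
verify_user() {
    local uid="$1"
    if ipa -e in_server=true user-show "$uid" --all --raw 2>/dev/null | grep -q '^ipaNTHash:'; then
        echo "present"
    else
        echo "missing"
    fi
}

# usage: ./regen-nthash.sh alice bob ...
if [ "${1:-}" != "" ]; then
    for u in "$@"; do
        printf '%s: %s (ipaNTHash %s)\n' "$u" "$(regen_user "$u")" "$(verify_user "$u")"
    done
fi
```

Users reported as no-arcfour-key cannot be repaired this way; for them the only option from the thread is the first path, a password change, which creates the arcfour-hmac key and the ipaNTHash together (unless NT hash generation has been disabled in the IPA configuration).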