I tried changing the password but that did not work.

 

When I ran

#ipa -e in_server=true user-mod mtest --addattr=ipanthash=MagicRegen

I am getting

ipa: ERROR: attribute "ipanthas" not allowed

 

Same error when:

dn: uid=foo,cn=users,cn=accounts,dc=ipa,dc=test
changetype: modify
add: ipaNTHash
ipaNTHash: MagicRegen
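
The regeneration procedure discussed in this thread, scripted as an added example (not code from the thread or from the FreeIPA project): it emits the MagicRegen LDIF for each user, applies it over the local ldapi socket the way Alexander's test run does, and classifies the outcome from ldapmodify's exit status, since OpenLDAP's ldapmodify exits with the LDAP result code and LDAP_UNWILLING_TO_PERFORM is code 53. Assumptions: it runs as root on an IPA server so that SASL/EXTERNAL over ldapi binds as cn=Directory Manager; BASE_DN and LDAPI_URI are placeholders copied from the thread's test domain; the script name regen-nthash.sh and the REGEN_USERS variable are hypothetical; and ipaNTHash is currently absent for the users (the thread's own run deletes a stale value first).

```bash
#!/bin/bash
# Added example, not code from the thread. Regenerates ipaNTHash for a list of
# users via the "MagicRegen" trigger described in the thread and classifies each
# result. Assumptions (adjust for your deployment): run as root on an IPA server,
# so the ldapi socket with SASL/EXTERNAL binds as cn=Directory Manager; BASE_DN
# and LDAPI_URI are placeholders taken from the thread's test domain.
set -u

BASE_DN="${BASE_DN:-dc=ipa,dc=test}"
LDAPI_URI="${LDAPI_URI:-ldapi://%2fvar%2frun%2fslapd-IPA-TEST.socket}"

# Emit the LDIF that asks the IPA password plugin to recreate the user's
# ipaNTHash from the arcfour-hmac Kerberos key (the special value is the trigger).
regen_ldif() {
  local uid="$1"
  printf 'dn: uid=%s,cn=users,cn=accounts,%s\n' "$uid" "$BASE_DN"
  printf 'changetype: modify\nadd: ipaNTHash\nipaNTHash: MagicRegen\n'
}

# OpenLDAP's ldapmodify exits with the LDAP result code of the failed operation.
#   0   success: the hash was regenerated
#   53  unwillingToPerform: no arcfour-hmac key, so only a password change helps
classify_result() {
  case "$1" in
    0)  echo "regenerated" ;;
    53) echo "needs-password-change" ;;
    *)  echo "ldap-error-$1" ;;
  esac
}

# Verification helper: reads `ipa user-show <uid> --all --raw` output on stdin
# and succeeds only if an ipaNTHash line is present.
has_nthash() {
  grep -q '^[[:space:]]*ipaNTHash:'
}

# Apply the regeneration to one user and print the classification.
regen_user() {
  local uid="$1" rc=0
  regen_ldif "$uid" | ldapmodify -H "$LDAPI_URI" -Y EXTERNAL -Q >/dev/null 2>&1 || rc=$?
  printf '%s: %s\n' "$uid" "$(classify_result "$rc")"
}

# Only touch the directory when explicitly asked (hypothetical variable), e.g.:
#   REGEN_USERS="mtest foo" ./regen-nthash.sh
if [ -n "${REGEN_USERS:-}" ]; then
  for u in $REGEN_USERS; do
    regen_user "$u"
  done
fi
```

Users reported as "needs-password-change" have no arcfour-hmac key, which is the first recovery path in the thread: a password change regenerates ipaNTHash as long as its generation is not disabled in the IPA configuration. After a run, `ipa user-show <uid> --all --raw | has_nthash` confirms the attribute is back before re-testing MS-CHAP authentication through FreeRADIUS.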

 

From: Alexander Bokovoy
Sent: Thursday, February 3, 2022 12:32 AM
To: FreeIPA users list
Cc: code bugs
Subject: Re: [Freeipa-users] Re: IPA WebGUI login fails with "Login failed due to an unknown reason"

 

On ke, 02 helmi 2022, Alexander Bokovoy via FreeIPA-users wrote:

>On ke, 02 helmi 2022, code bugs wrote:
>>After following the @Dan West
>><https://lists.fedorahosted.org/archives/users/138940716030953366928314736264121067319/>
>>solution described at
>>https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/4S4QQDC4FBVTA4GYWWVBPKGYN3MF4UJ6/#7SKWKKFFDMMFWOXPR53ZFGB634RKJHVU
>>, users are able to log in to the IPA WebGUI.
>>
>>My setup uses this FreeIPA LDAP for Wi-Fi authentication using FreeRADIUS.
>>
>>Now the users are unable to log in to the Wi-Fi network using the RADIUS
>>server (FreeRADIUS). FreeRADIUS is throwing MS-CHAP-Error = "\000E=691 R=1
>>C=269d5124d7a4e4f1 v=1"
>>I guess since FreeRADIUS uses the ipaNTHash attribute in mschap and in @Dan
>>West's solution this attribute was deleted.
>
>That's most likely the cause, yes.
>
>There are two ways to recover ipaNTHash attribute values. First one:
>change password. This will cause ipaNTHash to be generated if its
>generation is not disabled in IPA configuration (it is not by default).
>
>Another path depends on whether your users' Kerberos keys have
>arcfour-hmac encryption keys already. If they do, you can trigger
>re-creation of ipaNTHash by adding it with a special value:
>
>dn: uid=foo,cn=users,cn=accounts,dc=ipa,dc=test
>changetype: modify
>add: ipaNTHash
>ipaNTHash: MagicRegen
>
>You can do this either as cn=Directory Manager, or as an admin, or as a
>user themselves. Perhaps, doing this as cn=Directory Manager will be a
>bit easier. In case there is no arcfour-hmac encryption key in the
>Kerberos keys for the user in question, you would get LDAP error
>LDAP_UNWILLING_TO_PERFORM.

 

Just tried this on my test system, it works.

# ldapmodify -H ldapi://%2fvar%2frun%2fslapd-IPA-TEST.socket -Y EXTERNAL
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: uid=mtest,cn=users,cn=accounts,dc=ipa,dc=test
changetype: modify
delete: ipaNTHash
^D
modifying entry "uid=mtest,cn=users,cn=accounts,dc=ipa,dc=test"

# ipa -e in_server=true user-mod mtest --addattr=ipanthash=MagicRegen

# ipa -e in_server=true user-show mtest --all --raw |grep ipaNTHash
   ipaNTHash: some-value

 

>
>>On Tue, Feb 1, 2022 at 12:17 AM Alexander Bokovoy <abokovoy@redhat.com>
>>wrote:
>>
>>>On la, 29 tammi 2022, code bugs via FreeIPA-users wrote:
>>>>Hello,
>>>>
>>>>-IPA WebGUI login fails with "Login failed due to an unknown reason"
>>>>-After upgrading IPA, can no longer log into the WebGUI
>>>>Version/Release/Distribution
>>>>
>>>>$ cat /etc/centos-release
>>>>CentOS Linux release 8.5.2111
>>>>$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base
>>>>pki-ca krb5-server
>>>>package freeipa-server is not installed
>>>>package freeipa-client is not installed
>>>>ipa-server-4.9.6-10.module_el8.5.0+1055+c415bbe9.x86_64
>>>>ipa-client-4.9.6-10.module_el8.5.0+1055+c415bbe9.x86_64
>>>>389-ds-base-1.4.3.23-12.module_el8.5.0+1056+b3c5a4b9.x86_64
>>>>pki-ca-10.11.2-2.module_el8.5.0+945+a81e57da.noarch
>>>>krb5-server-1.18.2-14.el8.x86_64
>>>>Additional info:
>>>>
>>>>tail /var/log/httpd/error_log
>>>>
>>>>[wsgi:error] [pid 8833:tid 139812622513920] [remote 10.2.3.80:51404] ipa:
>>>>INFO: 401 Unauthorized: Major (851968): Unspecified GSS failure. Minor
>>>>code may provide more information, Minor (2598844948): TGT has been revoked
>>>
>>>Please show entries in /var/log/krb5kdc.log corresponding to this
>>>timeframe. If TGT is revoked, it most likely is documented why in that
>>>log. Also, if possible, show other requests in httpd's error_log for the
>>>same timeframe -- if that was Web UI login, there would be few around
>>>this error.
>>>
>>>One possible problem could be what is documented in
>>>
>>>https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/4S4QQDC4FBVTA4GYWWVBPKGYN3MF4UJ6/#7SKWKKFFDMMFWOXPR53ZFGB634RKJHVU
>>>
>>>but then it would not be possible to get a Kerberos ticket in kinit as
>>>well. Perhaps, you have a problem with anonymous PKINIT on this host
>>>instead.
>>>
>>>>
>>>>further,
>>>>
>>>>   1. default "admin" user can log in to the IPA WebGUI
>>>>   2. other users cannot log in to the IPA WebGUI, but can log in using the CLI
>>>>   (kinit)
>>>>   3. When I create a new user, the new user can log in to the IPA WebGUI.
>>>
>>>--
>>>/ Alexander Bokovoy
>>>Sr. Principal Software Engineer
>>>Security / Identity Management Engineering
>>>Red Hat Limited, Finland


>_______________________________________________
>FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
>Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

 

 

 
