Hi,
By default the web UI tries network authentication for users before the page displays.
The GSS error below indicates that initial negotiation fails, so no pop-up window appears, and the UI doesn't load after that.
Have you tried using different browsers?
Have you also tried an install without the AD trust? Maybe that is contributing to your problems?
If that works, you could try breaking the AD trust before upgrading and re-adding it after upgrade is done?
If you are using Google Chrome, try looking at whitelisting your FreeIPA server, or the command line option to enable negotiation to get around any browser issues.
I haven't had these issues using Chromium on Fedora, we run FreeIPA on CentOS 7 (recently patched to 7.4). We don't have any AD trust configured.
Cheers, Dagan McGregor
On 12 December 2017 6:02:49 AM NZDT, Chris Dagdigian via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
Hi folks,
Stuck in a catch-22 where I can't update our existing 4.4.0 production servers nor can we stand up new working sandbox servers running IPA-4.5
In all cases (upgrade and new install) we end up with a WebUI that is not functional when deployed on RHEL 7.4 or CentOS 7.4
However I think now I have the actual error and there were hints from the mailing list archive about the culprit maybe being httpd and keytab related. Or at least it seems tightly tied to the security changes implemented between IPA 4.4 and 4.5 releases.
Here is the setup from a fresh install on RHEL 7.4
- CLI installation works perfectly
- AD trust setup works perfectly
- All CLI tools and commands seem to work just fine
- No errors in standard locations
- "ipactl status" reports no issues
- SELINUX is disabled
- Using Chrome browser for access and testing
However the WebUI is totally unusable. The front page just displays an error box that says:
HTTP Error 404 Cannot connect to the server, please check API accesibility (certificate, API, proxy, etc.)
Reading the lists archives this weekend I found the links that point to the security changes between 4.4 and 4.5 and I also found the helpful advice to set "debug=true" in /etc/ipa/server.conf
After setting the debug=true values now I see a new message in the httpd error logs:
[Sun Dec 10 03:13:08.976509 2017] [:error] [pid 7821] ipa: INFO: *** PROCESS START ***
[Mon Dec 11 11:55:07.102172 2017] [auth_gssapi:error] [pid 7824] [client 172.29.XX.XX:57976] NO AUTH DATA Client did not send any authentication headers, referer: https://usaeilidmp010.XXX.org/ipa/ui/
[Mon Dec 11 11:55:07.298810 2017] [auth_gssapi:error] [pid 7824] [client 172.29.XX.XX:57976] GSS ERROR In Negotiate Auth: gss_accept_sec_context() failed: [An unsupported mechanism was requested (Unknown error)], referer: https://usaeilidmp010.XXX.org/ipa/ui/
[root@usaeilidmp010 ec2-user]#
Those error messages have come up in past forum messages but the thread replies always led me into a maze of other URLs or generic instructions to "regenerate the keytab for HTTPD server"
I'm pretty sure the above web error is exactly why the webUI is failing, however I can't find clear or concise instructions on how to fix or debug further ...
Has anyone dealt with this already? I may need an idiot's guide to resolving that particular gss error as I failed at doing so myself this weekend :) I pretty much do not understand that error nor how to address it, heh.
Thanks!
-Chris
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
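An added example, not from either poster, for triaging the httpd error_log lines Chris quotes: it parses the Apache 2.4 error_log layout ([timestamp] [module:level] [pid N] [client IP:PORT] message, referer: URL), separates the benign "NO AUTH DATA" entry (the browser's first, unauthenticated request) from the real "gss_accept_sec_context() failed" entry, and counts each category per client. The log lines are constructed for this example; the host and address are placeholders.

```python
import re
from collections import Counter

# Apache 2.4 error_log layout as it appears in the thread. The module field
# may be empty (e.g. "[:error]" on the IPA PROCESS START line).
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[^:\]]*):(?P<level>[^\]]+)\] "
    r"\[pid (?P<pid>\d+)\](?: \[client (?P<client>[^\]]+)\])? (?P<msg>.*)$"
)

def parse_line(line):
    """Return a dict of fields for one error_log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Split off the referer that mod_auth_gssapi appends to its messages.
    msg, sep, referer = rec["msg"].partition(", referer: ")
    rec["msg"] = msg
    rec["referer"] = referer if sep else None
    if rec["client"]:
        rec["client"] = rec["client"].rsplit(":", 1)[0]  # drop the ephemeral port
    return rec

def classify_gssapi(rec):
    """Map an auth_gssapi record to a coarse triage category."""
    if rec is None or rec["module"] != "auth_gssapi":
        return None
    if rec["msg"].startswith("NO AUTH DATA"):
        # Expected once per session: server replies 401 + WWW-Authenticate: Negotiate.
        return "no_auth_header"
    if "gss_accept_sec_context() failed" in rec["msg"]:
        # The server could not accept the token the browser sent; this is the
        # failure that leaves the web UI without a login prompt.
        return "gss_accept_failed"
    return "other"

def summarize(lines):
    """Count auth_gssapi categories per client address over a batch of log lines."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        cat = classify_gssapi(rec)
        if cat:
            counts[(rec["client"], cat)] += 1
    return counts

# Constructed sample mirroring the thread's output (placeholder host/address).
SAMPLE_LOG = [
    "[Sun Dec 10 03:13:08.976509 2017] [:error] [pid 7821] ipa: INFO: *** PROCESS START ***",
    "[Mon Dec 11 11:55:07.102172 2017] [auth_gssapi:error] [pid 7824] [client 172.29.0.10:57976] NO AUTH DATA Client did not send any authentication headers, referer: https://ipa.example.test/ipa/ui/",
    "[Mon Dec 11 11:55:07.298810 2017] [auth_gssapi:error] [pid 7824] [client 172.29.0.10:57976] GSS ERROR In Negotiate Auth: gss_accept_sec_context() failed: [An unsupported mechanism was requested (Unknown error)], referer: https://ipa.example.test/ipa/ui/",
]
```

A client that shows only no_auth_header entries never sent a Negotiate token (browser-side configuration), while gss_accept_failed entries point at the server's HTTP principal or keytab.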