On my fairly recently created replica, trying to sign on to the webUI fails both with a ticket and with username/password. The httpd error log reports:
[Thu Feb 03 09:43:20.551081 2022] [wsgi:error] [pid 332932:tid 140681111185152] [remote 2001:123:aa:123:0:90cc:a629:cf42:5877:50870] ipa: INFO: [jsonserver_i18n_messages] UNKNOWN: i18n_messages(version='2.237'): SUCCESS
[Thu Feb 03 09:43:21.096431 2022] [auth_gssapi:error] [pid 332935:tid 140680940726016] [client 2001:123:aa:123:0:90cc:a629:cf42:5877:50870] Failed to unseal session data!, referer: https://server.example.com/ipa/ui/
[Thu Feb 03 09:43:21.146884 2022] [auth_gssapi:error] [pid 332935:tid 140681090156288] [client 2001:123:aa:123:0:90cc:a629:cf42:5877:50870] Failed to unseal session data!, referer: https://server.example.com/ipa/ui/
[Thu Feb 03 09:43:21.605055 2022] [auth_gssapi:error] [pid 332935:tid 140681090156288] [client 2001:123:aa:123:0:90cc:a629:cf42:5877:50870] GSS ERROR gss_acquire_cred[_from]() failed to get server creds: [Unspecified GSS failure. Minor code may provide more information ( SPNEGO cannot find mechanisms to negotiate)], referer: https://server.example.com/ipa/ui/
[Thu Feb 03 09:43:21.621376 2022] [auth_gssapi:error] [pid 332935:tid 140680923940608] [client 2001:123:aa:123:0:90cc:a629:cf42:5877:50870] Failed to unseal session data!, referer: https://server.example.com/ipa/ui/
[Thu Feb 03 09:43:21.672265 2022] [auth_gssapi:error] [pid 332935:tid 140680907155200] [client 2001:123:aa:123:0:90cc:a629:cf42:5877:50870] Failed to unseal session data!, referer: https://server.example.com/ipa/ui/
[Thu Feb 03 09:43:22.019527 2022] [auth_gssapi:error] [pid 332935:tid 140680907155200] [client 2001:123:aa:123:0:90cc:a629:cf42:5877:50870] GSS ERROR gss_acquire_cred[_from]() failed to get server creds: [Unspecified GSS failure. Minor code may provide more information ( SPNEGO cannot find mechanisms to negotiate)], referer: https://server.example.com/ipa/ui/
I found some Google hits on gssproxy being the culprit, but I can't seem to find anything wrong with it. It's not logging any errors or such.
Any ideas on what the problem could be here?
Some additional information...
I get the same kinds of errors from ipa ping also:
# ipa ping
ipa: ERROR: No valid Negotiate header in server response
This seems to be the same issue as reported at:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Not being a Kerberos and LDAP expert, I'm not terribly comfortable with trying to replicate the solution above: "pulled the value of krbprincipalkey from the server and used ldapmodify to fix it on the other servers".
There in fact seem to be a lot of Google hits on "ipa: ERROR: No valid Negotiate header in server response" with not much at all in the way of solutions.
One google search result says the solution is:
# ipa-getkeytab -D "cn=directory manager" -w <Directory Manager Password> -s <IPA master server FQDN> -p 'HTTP/<IPA server FQDN>' -r -k /var/lib/ipa/gssproxy/http.keytab
When I do that, then kinit admin again and try ipa ping, that works, as do other ipa commands such as {server,user,host}-find, etc.
However, logging into the webUI still doesn't work. The only message in the httpd error log is:
[wsgi:error] [pid 428864:tid 140609438590720] [remote fd31:aeb1:48df:0:3b14:e643:83d8:7017:44824] ipa: INFO: [jsonserver_i18n_messages] UNKNOWN: i18n_messages(version='2.237'): SUCCESS
But that only logged once and doesn't log with each attempt to log into the webUI.
The access log logs:
fd31:aeb1:48df:0:3b14:e643:83d8:7017 - - [04/Feb/2022:08:54:29 -0500] "GET /ipa/ui/ HTTP/1.1" 304 -
fd31:aeb1:48df:0:3b14:e643:83d8:7017 - - [04/Feb/2022:08:54:30 -0500] "GET /ipa/ui/js/libs/loader.js HTTP/1.1" 304 -
fd31:aeb1:48df:0:3b14:e643:83d8:7017 - - [04/Feb/2022:08:54:30 -0500] "GET /ipa/ui/js/libs/json2.js?v=40608 HTTP/1.1" 304 -
fd31:aeb1:48df:0:3b14:e643:83d8:7017 - - [04/Feb/2022:08:54:30 -0500] "GET /ipa/ui/css/patternfly.css?v=40608 HTTP/1.1" 304 -
fd31:aeb1:48df:0:3b14:e643:83d8:7017 - - [04/Feb/2022:08:54:30 -0500] "GET /ipa/ui/css/bootstrap-datepicker3.min.css?v=40608 HTTP/1.1" 304 -
fd31:aeb1:48df:0:3b14:e643:83d8:7017 - - [04/Feb/2022:08:54:30 -0500] "GET /ipa/ui/css/ipa.css?v=40608 HTTP/1.1" 304 -
fd31:aeb1:48df:0:3b14:e643:83d8:7017 - - [04/Feb/2022:08:54:30 -0500] "GET /ipa/ui/ipa.css?v=40608 HTTP/1.1" 304 -
fd31:aeb1:48df:0:3b14:e643:83d8:7017 - - [04/Feb/2022:08:54:31 -0500] "GET /ipa/ui/js/libs/jquery.js?v=40608 HTTP/1.1" 304 -
fd31:aeb1:48df:0:3b14:e643:83d8:7017 - - [04/Feb/2022:08:54:31 -0500] "GET /ipa/ui/js/libs/bootstrap.js?v=40608 HTTP/1.1" 304 -
fd31:aeb1:48df:0:3b14:e643:83d8:7017 - - [04/Feb/2022:08:54:31 -0500] "GET /ipa/ui/js/libs/bootstrap-datepicker.js?v=40608 HTTP/1.1" 304 -
fd31:aeb1:48df:0:3b14:e643:83d8:7017 - - [04/Feb/2022:08:54:31 -0500] "GET /ipa/ui/js/libs/patternfly.js?v=40608 HTTP/1.1" 304 -
fd31:aeb1:48df:0:3b14:e643:83d8:7017 - - [04/Feb/2022:08:54:31 -0500] "GET /ipa/ui/js/libs/jquery.ordered-map.js?v=40608 HTTP/1.1" 304 -
fd31:aeb1:48df:0:3b14:e643:83d8:7017 - - [04/Feb/2022:08:54:31 -0500] "GET /ipa/ui/js/libs/browser.js?v=40608 HTTP/1.1" 304 -
fd31:aeb1:48df:0:3b14:e643:83d8:7017 - - [04/Feb/2022:08:54:31 -0500] "GET /ipa/ui/js/dojo/dojo.js?v=40608 HTTP/1.1" 304 -
fd31:aeb1:48df:0:3b14:e643:83d8:7017 - - [04/Feb/2022:08:54:31 -0500] "GET /ipa/ui/js/libs/qrcode.js?v=40608 HTTP/1.1" 304 -
fd31:aeb1:48df:0:3b14:e643:83d8:7017 - - [04/Feb/2022:08:54:31 -0500] "GET /ipa/ui/js/freeipa/app.js?40608 HTTP/1.1" 304 -
fd31:aeb1:48df:0:3b14:e643:83d8:7017 - - [04/Feb/2022:08:54:31 -0500] "GET /ipa/ui/js/libs/d3.js?40608 HTTP/1.1" 304 -
fd31:aeb1:48df:0:3b14:e643:83d8:7017 - - [04/Feb/2022:08:54:31 -0500] "POST /ipa/i18n_messages HTTP/1.1" 200 13160
fd31:aeb1:48df:0:3b14:e643:83d8:7017 - - [04/Feb/2022:08:54:31 -0500] "GET /ipa/ui/js/freeipa/plugins.js?40608 HTTP/1.1" 200 59
fd31:aeb1:48df:0:3b14:e643:83d8:7017 - - [04/Feb/2022:08:54:31 -0500] "GET /ipa/ui/favicon.ico?v=40608 HTTP/1.1" 304 -
fd31:aeb1:48df:0:3b14:e643:83d8:7017 - - [04/Feb/2022:08:54:31 -0500] "GET /ipa/ui/images/header-logo.png HTTP/1.1" 304 -
fd31:aeb1:48df:0:3b14:e643:83d8:7017 - - [04/Feb/2022:08:54:31 -0500] "GET /ipa/ui/images/login-screen-background.jpg HTTP/1.1" 304 -
fd31:aeb1:48df:0:3b14:e643:83d8:7017 - brian(a)EXAMPLE.COM [04/Feb/2022:08:54:31 -0500] "POST /ipa/session/json HTTP/1.1" 401 -
fd31:aeb1:48df:0:3b14:e643:83d8:7017 - brian(a)EXAMPLE.COM [04/Feb/2022:08:54:32 -0500] "GET /ipa/session/login_kerberos?_=1643982871287 HTTP/1.1" 401 -
fd31:aeb1:48df:0:3b14:e643:83d8:7017 - - [04/Feb/2022:08:54:32 -0500] "GET /ipa/ui/images/login-screen-logo.png HTTP/1.1" 304 -
fd31:aeb1:48df:0:3b14:e643:83d8:7017 - - [04/Feb/2022:08:54:32 -0500] "GET /ipa/ui/images/product-name.png HTTP/1.1" 304 -
fd31:aeb1:48df:0:3b14:e643:83d8:7017 - - [04/Feb/2022:08:54:32 -0500] "GET /ipa/ui/fonts/fontawesome/fontawesome-webfont.ttf?v=4.0.3 HTTP/1.1" 304 -
on each attempt and failure. The client is not even getting an HTTP ticket for the IPA server when it's trying the above.
Trying to use username and password also doesn't work, but with much less logged:
fd31:aeb1:48df:0:3b14:e643:83d8:7017 - - [04/Feb/2022:09:16:54 -0500] "POST /ipa/session/login_password HTTP/1.1" 200 25
fd31:aeb1:48df:0:3b14:e643:83d8:7017 - brian(a)EXAMPLE.COM [04/Feb/2022:09:16:55 -0500] "POST /ipa/session/json HTTP/1.1" 401 -
fd31:aeb1:48df:0:3b14:e643:83d8:7017 - brian(a)EXAMPLE.COM [04/Feb/2022:09:16:55 -0500] "GET /ipa/session/login_kerberos?_=1643984001538 HTTP/1.1" 401 -
Any ideas why the webUI doesn't authenticate?
Cheers,
b.
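Before reaching for ldapmodify, one low-risk check on the replica is whether the HTTP keytab in the gssproxy path quoted above is simply stale relative to the KDC: a service can only decrypt tickets whose key version (kvno) its keytab actually holds. The script below is an added example, not code from the original post or from the FreeIPA project; it assumes klist and kvno from krb5-workstation, root access to the keytab, and a current kinit for the live query.

```shell
#!/bin/sh
# Added example (not from the post): compare the kvno the KDC currently
# issues for HTTP/<fqdn> against the kvnos in the gssproxy keytab.
# Assumes klist/kvno (krb5-workstation) and a valid TGT for the live check.

KEYTAB=/var/lib/ipa/gssproxy/http.keytab   # path used in the post

# keytab_kvnos KLIST_OUTPUT PRINCIPAL
# Print the distinct kvnos that `klist -kt` lists for PRINCIPAL (realm optional).
keytab_kvnos() {
    printf '%s\n' "$1" | awk -v p="$2" \
        '$NF == p || index($NF, p "@") == 1 { print $1 }' | sort -u
}

# kdc_kvno KVNO_OUTPUT
# Extract N from a line such as "HTTP/host@REALM: kvno = N" printed by `kvno`.
kdc_kvno() {
    printf '%s\n' "$1" | sed -n 's/.*: kvno = \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# check_kvno KLIST_OUTPUT KVNO_OUTPUT PRINCIPAL
# Return 0 when the keytab holds the kvno the KDC issues, 1 on mismatch,
# 2 when the KDC answer could not be parsed (no ticket, unknown principal...).
check_kvno() {
    wanted=$(kdc_kvno "$2")
    [ -n "$wanted" ] || { echo "cannot read kvno from KDC output: $2"; return 2; }
    have=$(keytab_kvnos "$1" "$3")
    for k in $have; do
        [ "$k" = "$wanted" ] && { echo "OK: keytab has kvno $wanted for $3"; return 0; }
    done
    echo "MISMATCH: KDC issues kvno $wanted for $3; keytab has: ${have:-none}"
    return 1
}

# Constructed sample output (not captured from a real system) so the check
# can be exercised offline: here the keytab is one version behind the KDC.
SAMPLE_KLIST='Keytab name: FILE:/var/lib/ipa/gssproxy/http.keytab
KVNO Timestamp           Principal
---- ------------------- --------------------------------------------------
   3 02/01/2022 10:00:00 HTTP/server.example.com@EXAMPLE.COM
   3 02/01/2022 10:00:00 HTTP/server.example.com@EXAMPLE.COM'
SAMPLE_KVNO='HTTP/server.example.com@EXAMPLE.COM: kvno = 4'

# Live check against this host; needs root for the keytab and a valid TGT.
live_check() {
    princ="HTTP/$(hostname -f)"
    check_kvno "$(klist -kt "$KEYTAB" 2>&1)" "$(kvno "$princ" 2>&1)" "$princ"
}
```

Run `live_check` on the replica; a MISMATCH means the ipa-getkeytab step above (which retrieves fresh keys) is the right fix, while an OK result points the search elsewhere.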