Hi, we just upgraded one of our FreeIPA 4.4 servers to FreeIPA 4.5 (running on RHEL) and wanted to put this here before creating a bug report with Red Hat.

After upgrading we are unable to log into the web UI, but everything else seems to be working OK.

The web UI gives us: "Login failed due to an unknown reason"

I see this in the httpd error log:

[Mon Aug 07 15:27:55.404965 2017] [:error] [pid 1963] [remote 10.112.4.164:120] mod_wsgi (pid=1963): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Mon Aug 07 15:27:55.405090 2017] [:error] [pid 1963] [remote 10.112.4.164:120] Traceback (most recent call last):
[Mon Aug 07 15:27:55.405155 2017] [:error] [pid 1963] [remote 10.112.4.164:120]   File "/usr/share/ipa/wsgi.py", line 51, in application
[Mon Aug 07 15:27:55.405341 2017] [:error] [pid 1963] [remote 10.112.4.164:120]     return api.Backend.wsgi_dispatch(environ, start_response)
[Mon Aug 07 15:27:55.405384 2017] [:error] [pid 1963] [remote 10.112.4.164:120]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 262, in __call__
[Mon Aug 07 15:27:55.405985 2017] [:error] [pid 1963] [remote 10.112.4.164:120]     return self.route(environ, start_response)
[Mon Aug 07 15:27:55.406040 2017] [:error] [pid 1963] [remote 10.112.4.164:120]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 274, in route
[Mon Aug 07 15:27:55.406097 2017] [:error] [pid 1963] [remote 10.112.4.164:120]     return app(environ, start_response)
[Mon Aug 07 15:27:55.406127 2017] [:error] [pid 1963] [remote 10.112.4.164:120]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 929, in __call__
[Mon Aug 07 15:27:55.406153 2017] [:error] [pid 1963] [remote 10.112.4.164:120]     self.kinit(user_principal, password, ipa_ccache_name)
[Mon Aug 07 15:27:55.406178 2017] [:error] [pid 1963] [remote 10.112.4.164:120]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 965, in kinit
[Mon Aug 07 15:27:55.406200 2017] [:error] [pid 1963] [remote 10.112.4.164:120]     pkinit_anchors=[paths.KDC_CERT, paths.KDC_CA_BUNDLE_PEM],
[Mon Aug 07 15:27:55.406218 2017] [:error] [pid 1963] [remote 10.112.4.164:120]   File "/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 125, in kinit_armor
[Mon Aug 07 15:27:55.406368 2017] [:error] [pid 1963] [remote 10.112.4.164:120]     run(args, env=env, raiseonerr=True, capture_error=True)
[Mon Aug 07 15:27:55.406402 2017] [:error] [pid 1963] [remote 10.112.4.164:120]   File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 511, in run
[Mon Aug 07 15:27:55.407040 2017] [:error] [pid 1963] [remote 10.112.4.164:120]     raise CalledProcessError(p.returncode, arg_string, str(output))
[Mon Aug 07 15:27:55.407135 2017] [:error] [pid 1963] [remote 10.112.4.164:120] CalledProcessError: Command '/usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_1963 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned non-zero exit status 1

Naturally, the first thing I tried was disabling SELinux and rebooting, but the result was the same.

The IPA version is: ipa-server-4.5.0-21.el7.x86_64
(the replica is on the latest 4.4 on RHEL, but we are not sure we dare update it).

The problem seems much like this: https://bugzilla.redhat.com/show_bug.cgi?id=1452215
But again, not entirely: that one seems SELinux-related, and things don't seem to be SELinux-related here.

Also, trying the kinit listed in the error log asks for a password. I suspect that this should succeed?

/usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_1982 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
Password for WELLKNOWN/ANONYMOUS@DOMAIN: