Hello everybody,
If I try to login via WebUI with an AD account , i get the following error:
'Your session has expired. Please log in again.' in the WebUI interface.
I the http access logs i have the following entry:
user(a)EXAMPLE.LOCAL [03/Feb/2022:14:54:13 +0100] "POST /ipa/session/json
HTTP/1.1" 401 176
user(a)EXAMPLE.LOCAL [03/Feb/2022:14:54:13 +0100] "GET
/ipa/session/login_kerberos?_=1643896292999 HTTP/1.1" 401 262
On the http error_log:
[Thu Feb 03 14:54:13.466436 2022] [wsgi:error] [pid 1835110:tid 140666734245632] [remote
10.8.137.41:58079] ipa: INFO: 401 Unauthorized: Insufficient access: Invalid credentials
[Thu Feb 03 14:54:13.472887 2022] [:warn] [pid 1837963:tid 140666084521728] [client
10.8.137.41:58079] failed to set perms (3140) on file
(/run/ipa/ccaches/user(a)EXAMPLE.LOCAL)!, referer:
https://xxx.ipa.example.local/ipa/ui/
[Thu Feb 03 14:54:13.477997 2022] [wsgi:error] [pid 1835109:tid 140666733983488] [remote
10.8.137.41:58079] ipa: INFO: 401 Unauthorized: Major (851968): Unspecified GSS failure.
Minor code may provide more information, Minor (108962060): Credential cache is empty
In the krb5kdc.log :
Feb 03 14:54:13 xxxipaprd04.ipa.example.local krb5kdc[3151688](info): AS_REQ (6 etypes
{aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26),
aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), ca
mellia128-cts-cmac(25)}) 10.30.200.220: REFERRAL: user\@EXAMPLE.local(a)IPA.EXAMPLE.LOCAL
for krbtgt/IPA.EXAMPLE.LOCAL(a)IPA.EXAMPLE.LOCAL, Realm not local to KDC
Feb 03 14:54:13 xxxipaprd04.ipa.example.local krb5kdc[3151688](info): closing down fd 12
Feb 03 14:54:13 xxxipaprd04.ipa.example.local krb5kdc[3151688](info): TGS_REQ (6 etypes
{aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26),
aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), c
amellia128-cts-cmac(25)}) 10.30.200.220: ISSUE: authtime 1643896453, etypes
{rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18),
ses=aes256-cts-hmac-sha1-96(18)}, user(a)EXAMPLE.LOCAL for
HTTP/xxxipaprd04.ipa.example.local@IPA.
EXAMPLE.LOCAL
Feb 03 14:54:13 xxxipaprd04.ipa.example.local krb5kdc[3151688](info): closing down fd 12
Feb 03 14:54:13 xxxipaprd04.ipa.example.local krb5kdc[3151688](info): TGS_REQ (6 etypes
{aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26),
aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), c
amellia128-cts-cmac(25)}) 10.30.200.220: ISSUE: authtime 1643896453, etypes
{rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18),
ses=aes256-cts-hmac-sha1-96(18)}, HTTP/xxxipaprd04.ipa.example.local(a)IPA.EXAMPLE.LOCAL for
ldap/c
xxxipaprd04.ipa.example.local(a)IPA.EXAMPLE.LOCAL
Feb 03 14:54:13 xxxipaprd04.ipa.example.local krb5kdc[3151688](info): ...
CONSTRAINED-DELEGATION s4u-client=user(a)EXAMPLE.LOCAL
Any help would be really appreciated.
Regards,
iulian roman