8:07 a.m.
Hello everybody,
If I try to login via WebUI with an AD account , i get the following error:
'Your session has expired. Please log in again.' in the WebUI interface.
I the http access logs i have the following entry:
user(a)EXAMPLE.LOCAL [03/Feb/2022:14:54:13 +0100] "POST /ipa/session/json
HTTP/1.1" 401 176
user(a)EXAMPLE.LOCAL [03/Feb/2022:14:54:13 +0100] "GET
/ipa/session/login_kerberos?_=1643896292999 HTTP/1.1" 401 262
On the http error_log:
[Thu Feb 03 14:54:13.466436 2022] [wsgi:error] [pid 1835110:tid 140666734245632] [remote
10.8.137.41:58079] ipa: INFO: 401 Unauthorized: Insufficient access: Invalid credentials
[Thu Feb 03 14:54:13.472887 2022] [:warn] [pid 1837963:tid 140666084521728] [client
10.8.137.41:58079] failed to set perms (3140) on file
(/run/ipa/ccaches/user(a)EXAMPLE.LOCAL)!, referer: https://xxx.ipa.example.local/ipa/ui/
[Thu Feb 03 14:54:13.477997 2022] [wsgi:error] [pid 1835109:tid 140666733983488] [remote
10.8.137.41:58079] ipa: INFO: 401 Unauthorized: Major (851968): Unspecified GSS failure.
Minor code may provide more information, Minor (108962060): Credential cache is empty
In the krb5kdc.log :
Feb 03 14:54:13 xxxipaprd04.ipa.example.local krb5kdc[3151688](info): AS_REQ (6 etypes
{aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26),
aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), ca
mellia128-cts-cmac(25)}) 10.30.200.220: REFERRAL: user\@EXAMPLE.local(a)IPA.EXAMPLE.LOCAL
for krbtgt/IPA.EXAMPLE.LOCAL(a)IPA.EXAMPLE.LOCAL, Realm not local to KDC
Feb 03 14:54:13 xxxipaprd04.ipa.example.local krb5kdc[3151688](info): closing down fd 12
Feb 03 14:54:13 xxxipaprd04.ipa.example.local krb5kdc[3151688](info): TGS_REQ (6 etypes
{aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26),
aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), c
amellia128-cts-cmac(25)}) 10.30.200.220: ISSUE: authtime 1643896453, etypes
{rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18),
ses=aes256-cts-hmac-sha1-96(18)}, user(a)EXAMPLE.LOCAL for
HTTP/xxxipaprd04.ipa.example.local@IPA.
EXAMPLE.LOCAL
Feb 03 14:54:13 xxxipaprd04.ipa.example.local krb5kdc[3151688](info): closing down fd 12
Feb 03 14:54:13 xxxipaprd04.ipa.example.local krb5kdc[3151688](info): TGS_REQ (6 etypes
{aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26),
aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), c
amellia128-cts-cmac(25)}) 10.30.200.220: ISSUE: authtime 1643896453, etypes
{rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18),
ses=aes256-cts-hmac-sha1-96(18)}, HTTP/xxxipaprd04.ipa.example.local(a)IPA.EXAMPLE.LOCAL for
ldap/c
xxxipaprd04.ipa.example.local(a)IPA.EXAMPLE.LOCAL
Feb 03 14:54:13 xxxipaprd04.ipa.example.local krb5kdc[3151688](info): ...
CONSTRAINED-DELEGATION s4u-client=user(a)EXAMPLE.LOCAL
Any help would be really appreciated.
Regards,
iulian roman
8:40 a.m.
Hi iulian,
Have you tried:
1. Login to your idm
2. kinit admin
3. Restart ipa: ipactl restart
Additionally, can you see any users when logged in as admin you browse to
https://youripaserver.example.local/ipa/ui/#/e/idview/idoverrideuser/Defa...
?
Regards,
Pedro.
8:49 a.m.
Hi Pedro,
I've tried and restart several times, without any success. I have to mention that this
issue is only with the ActiveDirectory users, with IPA defined users it works properly.
Regards,
iulian roman
11:27 a.m.
Hi,
did you define an idoverride-user for your AD user as described in
Authenticating
to the IdM Web UI as an AD User
<https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
?
flo
On Thu, Feb 3, 2022 at 3:50 PM iulian roman via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
Hi Pedro,
I've tried and restart several times, without any success. I have to
mention that this issue is only with the ActiveDirectory users, with IPA
defined users it works properly.
Regards,
iulian roman
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
6:49 a.m.
Hi Florence,
Thank you for the hint. Indeed, after i added the override I can authenticate via WebUI.
Nevertheless, after I added the public key to my profile I still cannot authenticate to
ipa clients without password. Any idea where should I look into ?
Regards,
iulian roman
821
days inactive
822
days old
freeipa-users@lists.fedorahosted.org
4 comments
3 participants
participants (3)
-
Florence Blanc-Renaud -
iulian roman -
Pedro Bezunartea López