Hello,
I have a FreeIPA setup with AD trust configured. Everything works, except logging in to the
Web UI with an Active Directory account. The only way to log in to the Web UI is
via the admin account.
In /var/log/krb5kdc.log I have the following entries after I try to connect to the Web
UI:
Apr 21 13:10:50 server1.ipa.example.corp krb5kdc[79563](info): AS_REQ (6 etypes
{aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26),
aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)})
10.110.10.16: NEEDED_PREAUTH: WELLKNOWN/ANONYMOUS@IPA.EXAMPLE.CORP for
krbtgt/IPA.EXAMPLE.CORP@IPA.EXAMPLE.CORP, Additional pre-authentication required
Apr 21 13:10:50 server1.ipa.example.corp krb5kdc[79563](info): closing down fd 11
Apr 21 13:10:51 server1.ipa.example.corp krb5kdc[79563](info): AS_REQ (6 etypes
{aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26),
aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)})
10.110.10.16: ISSUE: authtime 1682075451, etypes {rep=aes256-cts-hmac-sha1-96(18),
tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)},
WELLKNOWN/ANONYMOUS@IPA.EXAMPLE.CORP for krbtgt/IPA.EXAMPLE.CORP@IPA.EXAMPLE.CORP
Apr 21 13:10:51 server1.ipa.example.corp krb5kdc[79563](info): closing down fd 11
Apr 21 13:10:51 server1.ipa.example.corp krb5kdc[79563](info): AS_REQ (6 etypes
{aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26),
aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)})
10.110.10.16: REFERRAL: ad_user\@example.corp@IPA.EXAMPLE.CORP for
krbtgt/IPA.EXAMPLE.CORP@IPA.EXAMPLE.CORP, Realm not local to KDC
Apr 21 13:10:51 server1.ipa.example.corp krb5kdc[79563](info): closing down fd 11
Apr 21 13:10:51 server1.ipa.example.corp krb5kdc[79563](info): TGS_REQ (6 etypes
{aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26),
aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)})
10.110.10.16: ISSUE: authtime 1682075451, etypes {rep=aes256-cts-hmac-sha1-96(18),
tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, ad_user@EXAMPLE.CORP
for HTTP/server1.ipa.example.corp@IPA.EXAMPLE.CORP
Apr 21 13:10:51 server1.ipa.example.corp krb5kdc[79563](info): closing down fd 11
Apr 21 13:10:51 server1.ipa.example.corp krb5kdc[79563](info): TGS_REQ (6 etypes
{aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26),
aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)})
10.110.10.16: ISSUE: authtime 1682075451, etypes {rep=aes256-cts-hmac-sha1-96(18),
tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)},
HTTP/server1.ipa.example.corp@IPA.EXAMPLE.CORP for
ldap/server1.ipa.example.corp@IPA.EXAMPLE.CORP
Apr 21 13:10:51 server1.ipa.example.corp krb5kdc[79563](info): ... CONSTRAINED-DELEGATION
s4u-client=ad_user@EXAMPLE.CORP
Apr 21 13:10:51 server1.ipa.example.corp krb5kdc[79563](info): closing down fd 11
In /var/log/httpd/error_log:
[Fri Apr 21 13:10:51.486185 2023] [wsgi:error] [pid 83736:tid 139830049466112] [remote
10.30.93.93:55487] ipa: DEBUG:
http://server1.ipa.example.corp:80 "GET
/ipa/session/cookie HTTP/1.1" 301 264
[Fri Apr 21 13:10:51.489030 2023] [wsgi:error] [pid 83736:tid 139830049466112] [remote
10.30.93.93:55487] ipa: DEBUG: Starting new HTTPS connection (1):
server1.ipa.example.corp:443
[Fri Apr 21 13:10:51.502719 2023] [wsgi:error] [pid 83736:tid 139830049466112] [remote
10.30.93.93:55487] ipa: DEBUG:
https://server1.ipa.example.corp:443 "GET
/ipa/session/cookie HTTP/1.1" 200 0
[Fri Apr 21 13:10:51.520267 2023] [wsgi:error] [pid 83735:tid 139830049466112] [remote
10.30.93.93:55487] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Fri Apr 21 13:10:51.520383 2023] [wsgi:error] [pid 83735:tid 139830049466112] [remote
10.30.93.93:55487] ipa: DEBUG: WSGI jsonserver_session.__call__:
[Fri Apr 21 13:10:51.543781 2023] [wsgi:error] [pid 83735:tid 139830049466112] [remote
10.30.93.93:55487] ipa: INFO: 401 Unauthorized: Insufficient access: Invalid credentials
[Fri Apr 21 13:10:51.549458 2023] [:warn] [pid 84016:tid 139829933188864] [client
10.30.93.93:55487] failed to set perms (3140) on file
(/run/ipa/ccaches/ad_user@EXAMPLE.CORP-EejFLz)!, referer:
https://server1.ipa.example.corp/ipa/ui/
[Fri Apr 21 13:10:51.550056 2023] [wsgi:error] [pid 83738:tid 139830049466112] [remote
10.30.93.93:55487] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Fri Apr 21 13:10:51.550114 2023] [wsgi:error] [pid 83738:tid 139830049466112] [remote
10.30.93.93:55487] ipa: DEBUG: WSGI KerberosLogin.__call__:
[Fri Apr 21 13:10:51.557831 2023] [wsgi:error] [pid 83738:tid 139830049466112] [remote
10.30.93.93:55487] ipa: INFO: 401 Unauthorized: Major (851968): Unspecified GSS failure.
Minor code may provide more information, Minor (108962060): Credential cache is empty
From the Web UI I tried to connect with the ad_user account, with and without appending the AD domain
(EXAMPLE.CORP).
The error message I get in the UI is: Your session has expired. Please log in again.
Does anyone have a suggestion or idea how it can be fixed?
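As an added example (not from the original post or from FreeIPA), here is a small Python parser that reads krb5kdc.log entries like the ones above and names each step of a trusted-AD Web UI login as I read them: the anonymous PKINIT ticket (which FreeIPA uses as FAST armor), the enterprise-principal referral to the AD realm, the cross-realm HTTP service ticket, and the S4U2Proxy step to LDAP. The sample log is constructed from the excerpt with the etype lists shortened and each entry on one line; the step names are my interpretation of the KDC messages.

```python
import re
# Constructed sample modelled on the krb5kdc.log excerpt above (etype lists shortened, one entry per line).
SAMPLE_KDC_LOG = """\
Apr 21 13:10:50 server1 krb5kdc[79563](info): AS_REQ (1 etypes {aes256-cts-hmac-sha1-96(18)}) 10.110.10.16: NEEDED_PREAUTH: WELLKNOWN/ANONYMOUS@IPA.EXAMPLE.CORP for krbtgt/IPA.EXAMPLE.CORP@IPA.EXAMPLE.CORP, Additional pre-authentication required
Apr 21 13:10:51 server1 krb5kdc[79563](info): AS_REQ (1 etypes {aes256-cts-hmac-sha1-96(18)}) 10.110.10.16: ISSUE: authtime 1682075451, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, WELLKNOWN/ANONYMOUS@IPA.EXAMPLE.CORP for krbtgt/IPA.EXAMPLE.CORP@IPA.EXAMPLE.CORP
Apr 21 13:10:51 server1 krb5kdc[79563](info): AS_REQ (1 etypes {aes256-cts-hmac-sha1-96(18)}) 10.110.10.16: REFERRAL: ad_user\\@example.corp@IPA.EXAMPLE.CORP for krbtgt/IPA.EXAMPLE.CORP@IPA.EXAMPLE.CORP, Realm not local to KDC
Apr 21 13:10:51 server1 krb5kdc[79563](info): TGS_REQ (1 etypes {aes256-cts-hmac-sha1-96(18)}) 10.110.10.16: ISSUE: authtime 1682075451, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, ad_user@EXAMPLE.CORP for HTTP/server1.ipa.example.corp@IPA.EXAMPLE.CORP
Apr 21 13:10:51 server1 krb5kdc[79563](info): TGS_REQ (1 etypes {aes256-cts-hmac-sha1-96(18)}) 10.110.10.16: ISSUE: authtime 1682075451, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, HTTP/server1.ipa.example.corp@IPA.EXAMPLE.CORP for ldap/server1.ipa.example.corp@IPA.EXAMPLE.CORP
Apr 21 13:10:51 server1 krb5kdc[79563](info): ... CONSTRAINED-DELEGATION s4u-client=ad_user@EXAMPLE.CORP
Apr 21 13:10:51 server1 krb5kdc[79563](info): closing down fd 11
"""

# One AS_REQ/TGS_REQ entry: type, client IP, result, optional authtime/etypes, "cname for sname[, message]".
REQ_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) \(.*?\}\) (?P<client>[\d.]+): "
    r"(?P<result>[A-Z_]+): (?:authtime \d+, etypes \{[^}]*\}, )?"
    r"(?P<cname>\S+) for (?P<sname>\S+?)(?:, (?P<msg>.*))?$")
S4U_RE = re.compile(r"CONSTRAINED-DELEGATION s4u-client=(?P<s4u>\S+)")
OK_RESULTS = ("ISSUE", "REFERRAL", "NEEDED_PREAUTH")

def parse_kdc_log(text):
    """One dict per request; a CONSTRAINED-DELEGATION line is attached to the TGS_REQ before it."""
    events = []
    for line in text.splitlines():
        m = REQ_RE.search(line)
        if m:
            events.append(m.groupdict())
        elif (s := S4U_RE.search(line)) and events:
            events[-1]["s4u_client"] = s.group("s4u")
    return events

def describe_login(events):
    """Name the steps of a Web UI login by a trusted-AD user, and any request the KDC rejected."""
    steps = []
    for e in events:
        c, s, r = e["cname"], e["sname"], e["result"]
        if c.startswith("WELLKNOWN/ANONYMOUS@") and r == "ISSUE":
            steps.append("anonymous PKINIT ticket issued (FreeIPA uses it as FAST armor)")
        elif e["req"] == "AS_REQ" and r == "REFERRAL" and "\\@" in c:
            steps.append(f"enterprise principal {c.split('@IPA')[0]} referred to the trusted AD realm")
        elif e["req"] == "TGS_REQ" and r == "ISSUE" and e.get("s4u_client"):
            steps.append(f"S4U2Proxy: {s.split('@')[0]} issued to {c.split('@')[0]} on behalf of {e['s4u_client']}")
        elif e["req"] == "TGS_REQ" and r == "ISSUE":
            steps.append(f"cross-realm service ticket for {s.split('@')[0]} issued to {c}")
        elif r not in OK_RESULTS:
            steps.append(f"KDC rejected {c}: {r} ({e.get('msg')})")
    return steps

def kdc_side_ok(events):
    # True when every request was answered normally, so the failure lies after the KDC.
    return bool(events) and all(e["result"] in OK_RESULTS for e in events)
```

On the excerpt above every request ends in NEEDED_PREAUTH, ISSUE or REFERRAL, so the KDC completed the whole chain and the "Credential cache is empty" error in error_log is raised after the tickets were issued.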