Hello, I am having an issue after upgrading the IPA. Details are as follows.
- IPA WebGUI login fails with "Login failed due to an unknown reason"
- After upgrading IPA, can no longer log into the WebGUI

Version/Release/Distribution
$ cat /etc/centos-release
CentOS Linux release 8.5.2111
$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
package freeipa-server is not installed
package freeipa-client is not installed
ipa-server-4.9.6-10.module_el8.5.0+1055+c415bbe9.x86_64
ipa-client-4.9.6-10.module_el8.5.0+1055+c415bbe9.x86_64
389-ds-base-1.4.3.23-12.module_el8.5.0+1056+b3c5a4b9.x86_64
pki-ca-10.11.2-2.module_el8.5.0+945+a81e57da.noarch
krb5-server-1.18.2-14.el8.x86_64

Additional info:
tail /var/log/httpd/error_log
[wsgi:error] [pid 8833:tid 139812622513920] [remote 10.2.3.80:51404] ipa: INFO: 401 Unauthorized: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2598844948): TGT has been revoked

Further,
1. The default "admin" user can log in to the IPA WebGUI.
2. Other users cannot log in to the IPA WebGUI, but can log in using the CLI (kinit).
3. When I create a new user, the new user can log in to the IPA WebGUI.
On Sat, 29 Jan 2022, code bugs via FreeIPA-users wrote:
> Hello,
> - IPA WebGUI login fails with "Login failed due to an unknown reason"
> - After upgrading IPA, can no longer log into the WebGUI
> Version/Release/Distribution
> $ cat /etc/centos-release
> CentOS Linux release 8.5.2111
> $ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
> package freeipa-server is not installed
> package freeipa-client is not installed
> ipa-server-4.9.6-10.module_el8.5.0+1055+c415bbe9.x86_64
> ipa-client-4.9.6-10.module_el8.5.0+1055+c415bbe9.x86_64
> 389-ds-base-1.4.3.23-12.module_el8.5.0+1056+b3c5a4b9.x86_64
> pki-ca-10.11.2-2.module_el8.5.0+945+a81e57da.noarch
> krb5-server-1.18.2-14.el8.x86_64
> Additional info:
> tail /var/log/httpd/error_log
> [wsgi:error] [pid 8833:tid 139812622513920] [remote 10.2.3.80:51404] ipa: INFO: 401 Unauthorized: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2598844948): TGT has been revoked

Please show entries in /var/log/krb5kdc.log corresponding to this timeframe. If the TGT is revoked, the reason is most likely documented in that log. Also, if possible, show other requests in httpd's error_log for the same timeframe; if that was a Web UI login, there would be a few around this error.

One possible problem could be what is documented in https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/4S4QQDC4FBVTA4GYWWVBPKGYN3MF4UJ6/#7SKWKKFFDMMFWOXPR53ZFGB634RKJHVU but then it would not be possible to get a Kerberos ticket in kinit as well. Perhaps you have a problem with anonymous PKINIT on this host instead.

> Further,
> 1. The default "admin" user can log in to the IPA WebGUI.
> 2. Other users cannot log in to the IPA WebGUI, but can log in using the CLI (kinit).
> 3. When I create a new user, the new user can log in to the IPA WebGUI.
Thank you for your prompt response. Here is the output of /var/log/krb5kdc.log during my login attempt.

Feb 01 00:25:10 ipa1.example.com krb5kdc[3755](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), camellia128-cts-cmac(25), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19)}) 10.2.1.50: NEEDED_PREAUTH: host/ipa1.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Feb 01 00:25:10 ipa1.example.com krb5kdc[3755](info): closing down fd 12
Feb 01 00:25:10 ipa1.example.com krb5kdc[3755](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), camellia128-cts-cmac(25), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19)}) 10.2.1.50: ISSUE: authtime 1643657110, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, host/ipa1.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Feb 01 00:25:10 ipa1.example.com krb5kdc[3755](info): closing down fd 12
Feb 01 00:25:10 ipa1.example.com krb5kdc[3755](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.2.1.50: ISSUE: authtime 1643657110, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, host/ipa1.example.com@EXAMPLE.COM for ldap/ipa1.example.com@EXAMPLE.COM
Feb 01 00:25:10 ipa1.example.com krb5kdc[3755](info): closing down fd 12
Feb 01 00:25:43 ipa1.example.com krb5kdc[3753](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.2.1.50: NEEDED_PREAUTH: WELLKNOWN/ANONYMOUS@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Feb 01 00:25:43 ipa1.example.com krb5kdc[3753](info): closing down fd 12
Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.2.1.50: ISSUE: authtime 1643657144, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, WELLKNOWN/ANONYMOUS@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](info): closing down fd 12
Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.2.1.50: NEEDED_PREAUTH: mukhtar@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](info): closing down fd 12
Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.2.1.50: ISSUE: authtime 1643657144, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, mukhtar@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](info): closing down fd 12
Feb 01 00:25:44 ipa1.example.com krb5kdc[3754](Error): PAC issue: PAC record claims domain SID different to local domain SID or any trusted domain SID: local [S-1-5-21-4170108275-2486169439-623049963], PAC [S-1-5-21-4279381677-1236361367-2895659079]
Feb 01 00:25:44 ipa1.example.com krb5kdc[3754](info): TGS_REQ : handle_authdata (-1765328364)
Feb 01 00:25:44 ipa1.example.com krb5kdc[3754](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.2.1.50: HANDLE_AUTHDATA: authtime 1643657144, etypes {rep=UNSUPPORTED:(0)} mukhtar@EXAMPLE.COM for HTTP/ipa1.example.com@EXAMPLE.COM, TGT has been revoked
Feb 01 00:25:44 ipa1.example.com krb5kdc[3754](info): closing down fd 12
Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](Error): PAC issue: PAC record claims domain SID different to local domain SID or any trusted domain SID: local [S-1-5-21-4170108275-2486169439-623049963], PAC [S-1-5-21-4279381677-1236361367-2895659079]
Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](info): TGS_REQ : handle_authdata (-1765328364)
Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.2.1.50: HANDLE_AUTHDATA: authtime 1643657144, etypes {rep=UNSUPPORTED:(0)} mukhtar@EXAMPLE.COM for HTTP/ipa1.example.com@EXAMPLE.COM, TGT has been revoked
Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](info): closing down fd 12

There is not much activity logged in /var/log/httpd/error_log:

[Tue Feb 01 00:20:59.340501 2022] [wsgi:error] [pid 10150:tid 139780524480256] [remote 10.2.3.188:49652] ipa: INFO: [jsonserver_i18n_messages] UNKNOWN: i18n_messages(version='2.245'): SUCCESS
[Tue Feb 01 00:25:44.539447 2022] [wsgi:error] [pid 10149:tid 139780524480256] [remote 10.2.3.188:49753] ipa: INFO: 401 Unauthorized: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2598844948): TGT has been revoked
On Tue, Feb 1, 2022 at 12:17 AM Alexander Bokovoy abokovoy@redhat.com wrote:
> Please show entries in /var/log/krb5kdc.log corresponding to this timeframe. If the TGT is revoked, the reason is most likely documented in that log. Also, if possible, show other requests in httpd's error_log for the same timeframe; if that was a Web UI login, there would be a few around this error.
> One possible problem could be what is documented in https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/4S4QQDC4FBVTA4GYWWVBPKGYN3MF4UJ6/#7SKWKKFFDMMFWOXPR53ZFGB634RKJHVU but then it would not be possible to get a Kerberos ticket in kinit as well. Perhaps you have a problem with anonymous PKINIT on this host instead.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
code bugs via FreeIPA-users wrote:
> Thank you for your prompt response. Here is the output of /var/log/krb5kdc.log during my login attempt.
[snip]
> Feb 01 00:25:44 ipa1.example.com krb5kdc[3754](Error): PAC issue: PAC record claims domain SID different to local domain SID or any trusted domain SID: local [S-1-5-21-4170108275-2486169439-623049963], PAC [S-1-5-21-4279381677-1236361367-2895659079]
This is the problem.
See https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
rob
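The pair of log lines Rob singles out is the thing to search for when triaging this failure: the KDC logs a "PAC issue" error and then, from the same krb5kdc worker pid, the TGS_REQ for HTTP/ipa1.example.com failing with "TGT has been revoked". The log also shows why kinit still works: the AS_REQ for mukhtar is answered with ISSUE (the TGT is granted), and the domain-SID check on the PAC only fires when that TGT is presented for a service ticket, which is what the Web UI login needs. The following script is an added example, not code from the thread or from FreeIPA; it pairs each PAC error with the revoked-TGT line its worker logs next and reports the affected principals and the two SIDs. The embedded log excerpt is constructed from the lines quoted in the thread (etype lists shortened, plus an invented successful admin@EXAMPLE.COM request), and the pairing-by-worker-pid heuristic is an assumption about log ordering, not a documented KDC contract.

```python
"""Triage /var/log/krb5kdc.log for PAC domain-SID mismatches.

Added example (not from the thread or FreeIPA). The KDC logs the "PAC issue"
error and, from the same worker pid, the TGS_REQ that failed with "TGT has
been revoked"; pairing the two gives the affected client principal and the
local vs. PAC domain SIDs.
"""
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the thread's log. Etype lists are shortened
# and the final admin@EXAMPLE.COM ISSUE line is invented as a healthy control.
SAMPLE_LOG = """\
Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](info): AS_REQ (1 etypes {aes256-cts-hmac-sha1-96(18)}) 10.2.1.50: ISSUE: authtime 1643657144, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, mukhtar@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](info): closing down fd 12
Feb 01 00:25:44 ipa1.example.com krb5kdc[3754](Error): PAC issue: PAC record claims domain SID different to local domain SID or any trusted domain SID: local [S-1-5-21-4170108275-2486169439-623049963], PAC [S-1-5-21-4279381677-1236361367-2895659079]
Feb 01 00:25:44 ipa1.example.com krb5kdc[3754](info): TGS_REQ : handle_authdata (-1765328364)
Feb 01 00:25:44 ipa1.example.com krb5kdc[3754](info): TGS_REQ (1 etypes {aes256-cts-hmac-sha1-96(18)}) 10.2.1.50: HANDLE_AUTHDATA: authtime 1643657144, etypes {rep=UNSUPPORTED:(0)} mukhtar@EXAMPLE.COM for HTTP/ipa1.example.com@EXAMPLE.COM, TGT has been revoked
Feb 01 00:25:44 ipa1.example.com krb5kdc[3754](info): closing down fd 12
Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](Error): PAC issue: PAC record claims domain SID different to local domain SID or any trusted domain SID: local [S-1-5-21-4170108275-2486169439-623049963], PAC [ S-1-5-21-4279381677-1236361367-2895659079]
Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](info): TGS_REQ : handle_authdata (-1765328364)
Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](info): TGS_REQ (1 etypes {aes256-cts-hmac-sha1-96(18)}) 10.2.1.50: HANDLE_AUTHDATA: authtime 1643657144, etypes {rep=UNSUPPORTED:(0)} mukhtar@EXAMPLE.COM for HTTP/ipa1.example.com@EXAMPLE.COM, TGT has been revoked
Feb 01 00:26:02 ipa1.example.com krb5kdc[3753](info): TGS_REQ (1 etypes {aes256-cts-hmac-sha1-96(18)}) 10.2.1.50: ISSUE: authtime 1643657162, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, admin@EXAMPLE.COM for HTTP/ipa1.example.com@EXAMPLE.COM
"""

# "Feb 01 00:25:44 host krb5kdc[pid](level): message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\): (?P<msg>.*)$"
)
# The KDC prints the PAC SID with an occasional stray space after "[", so allow \s*.
PAC_RE = re.compile(
    r"PAC record claims domain SID different to local domain SID or any trusted "
    r"domain SID: local \[\s*(?P<local>S-[\d-]+)\s*\], PAC \[\s*(?P<pac>S-[\d-]+)\s*\]"
)
# "... <client> for <server>, TGT has been revoked" on a TGS_REQ line.
REVOKED_RE = re.compile(
    r"^TGS_REQ .*?(?P<client>[^\s,]+@[^\s,]+) for (?P<server>[^\s,]+@[^\s,]+), "
    r"TGT has been revoked$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    client: str
    server: str
    local_sid: str
    pac_sid: str


def triage(log_text: str) -> list[Finding]:
    """Pair each PAC error with the revoked-TGT TGS_REQ the same worker logs next.

    Assumption: a worker pid logs the PAC error before the TGS_REQ result for
    the request it belongs to, so the most recent PAC error per pid is the one
    that caused the revocation.
    """
    pending: dict[str, tuple[str, str]] = {}  # pid -> (local_sid, pac_sid)
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        pac = PAC_RE.search(msg)
        if pac:
            pending[pid] = (pac["local"], pac["pac"])
            continue
        rev = REVOKED_RE.match(msg)
        if rev and pid in pending:
            local_sid, pac_sid = pending.pop(pid)
            findings.append(Finding(m["ts"], rev["client"], rev["server"], local_sid, pac_sid))
    return findings


def affected_principals(findings: list[Finding]) -> list[str]:
    """Distinct client principals whose service-ticket requests were refused."""
    return sorted({f.client for f in findings})


def foreign_sids(findings: list[Finding]) -> list[tuple[str, str]]:
    """Distinct (local, PAC) SID pairs; more than one pair means more than one stale SID source."""
    return sorted({(f.local_sid, f.pac_sid) for f in findings})


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.ts} {f.client} -> {f.server}: PAC domain SID {f.pac_sid} != local {f.local_sid}")
    print("affected:", ", ".join(affected_principals(found)))
```

Run it against the real file with `triage(open("/var/log/krb5kdc.log").read())`; a healthy TGS_REQ such as the admin ISSUE line produces no finding, so an empty result after the fix is the confirmation to look for.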
Thank you Rob, I am having exactly the same problem.
On Tue, Feb 1, 2022 at 12:55 AM Rob Crittenden rcritten@redhat.com wrote:
> code bugs via FreeIPA-users wrote:
> > Thank you for your prompt response. Here is the output of /var/log/krb5kdc.log during my login attempt.
> [snip]
> > Feb 01 00:25:44 ipa1.example.com krb5kdc[3754](Error): PAC issue: PAC record claims domain SID different to local domain SID or any trusted domain SID: local [S-1-5-21-4170108275-2486169439-623049963], PAC [S-1-5-21-4279381677-1236361367-2895659079]
> This is the problem.
> See https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
> rob
On Tue, 01 Feb 2022, code bugs wrote:
> Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.2.1.50: ISSUE: authtime 1643657144, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, WELLKNOWN/ANONYMOUS@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
> Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](info): closing down fd 12
> Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.2.1.50: NEEDED_PREAUTH: mukhtar@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
> Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](info): closing down fd 12
> Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.2.1.50: ISSUE: authtime 1643657144, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, mukhtar@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
> Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](info): closing down fd 12
> Feb 01 00:25:44 ipa1.example.com krb5kdc[3754](Error): PAC issue: PAC record claims domain SID different to local domain SID or any trusted domain SID: local [S-1-5-21-4170108275-2486169439-623049963], PAC [S-1-5-21-4279381677-1236361367-2895659079]
Ok, this looks exactly like a problem I referenced. Please follow that thread with solutions.
Thanks Alexander, looks like the same problem.
On Tue, Feb 1, 2022 at 12:59 AM Alexander Bokovoy abokovoy@redhat.com wrote:
> Ok, this looks exactly like a problem I referenced. Please follow that thread with solutions.
Feb 01 00:25:44 ipa1.example.com krb5kdc[3754](info): TGS_REQ : handle_authdata (-1765328364) Feb 01 00:25:44 ipa1.example.com krb5kdc[3754](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.2.1.50: HANDLE_AUTHDATA: authtime 1643657144, etypes {rep=UNSUPPORTED:(0)} mukhtar@EXAMPLE.COM for HTTP/ipa1.example.com@EXAMPLE.COM, TGT has been revoked Feb 01 00:25:44 ipa1.example.com krb5kdc[3754](info): closing down fd 12 Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](Error): PAC issue: PAC record claims domain SID different to local domain SID or any trusted domain SID: local [S-1-5-21-4170108275-2486169439-623049963], PAC [ S-1-5-21-4279381677-1236361367-2895659079] Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](info): TGS_REQ : handle_authdata (-1765328364) Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.2.1.50: HANDLE_AUTHDATA: authtime 1643657144, etypes {rep=UNSUPPORTED:(0)} mukhtar@EXAMPLE.COM for HTTP/ipa1.example.com@EXAMPLE.COM, TGT has been revoked Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](info): closing down fd 12
There is not much activity log in /var/log/httpd/error_log:
[Tue Feb 01 00:20:59.340501 2022] [wsgi:error] [pid 10150:tid 139780524480256] [remote 10.2.3.188:49652] ipa: INFO: [jsonserver_i18n_messages] UNKNOWN: i18n_messages(version='2.245'):
SUCCESS
[Tue Feb 01 00:25:44.539447 2022] [wsgi:error] [pid 10149:tid 139780524480256] [remote 10.2.3.188:49753] ipa: INFO: 401 Unauthorized: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2598844948): TGT has been revoked
On Tue, Feb 1, 2022 at 12:17 AM Alexander Bokovoy abokovoy@redhat.com wrote:
On la, 29 tammi 2022, code bugs via FreeIPA-users wrote:
Hello,
-IPA WebGUI login fails with "Login failed due to an unknown reason"
-After upgrading IPA, can no longer log into the WebGUI
Version/Release/Distribution
$ cat /etc/centos-release
CentOS Linux release 8.5.2111
$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
package freeipa-server is not installed
package freeipa-client is not installed
ipa-server-4.9.6-10.module_el8.5.0+1055+c415bbe9.x86_64
ipa-client-4.9.6-10.module_el8.5.0+1055+c415bbe9.x86_64
389-ds-base-1.4.3.23-12.module_el8.5.0+1056+b3c5a4b9.x86_64
pki-ca-10.11.2-2.module_el8.5.0+945+a81e57da.noarch
krb5-server-1.18.2-14.el8.x86_64
Additional info:
tail /var/log/httpd/error_log
[wsgi:error] [pid 8833:tid 139812622513920] [remote 10.2.3.80:51404] ipa: INFO: 401 Unauthorized: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2598844948): TGT has been revoked
Please show entries in /var/log/krb5kdc.log corresponding to this timeframe. If TGT is revoked, it most likely is documented why in that log. Also, if possible, show other requests in httpd's error_log for the same timeframe -- if that was Web UI login, there would be few around this error.
One possible problem could be what is documented in https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... but then it would not be possible to get a Kerberos ticket in kinit as well. Perhaps, you have a problem with anonymous PKINIT on this host instead.
further,
1. default "admin" user can IPA WebGUI login
2. other users cannot login IPA WebGUI login, but can login using cli (kinit)
3. when i create a new user, the new user can login IPA WebGUI.
-- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland
-- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland
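The krb5kdc.log records above are the ones that explain a "TGT has been revoked" 401 from the Web UI. As an added example that is not part of this thread, the following Python script walks those lines (copied from the log posted above, with the etype lists shortened) and pairs the "PAC issue" error with the revocation logged by the same krb5kdc worker, so the output names the principal, the service ticket it asked for and the two domain SIDs that disagree. The pairing-by-pid heuristic, the names and the sample constant are mine.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: the krb5kdc.log run posted earlier in this thread, split
# at the "Feb 01" timestamps, with the long etype lists shortened.
SAMPLE_LOG = """\
Feb 01 00:25:44 ipa1.example.com krb5kdc[3754](info): TGS_REQ : handle_authdata (-1765328364)
Feb 01 00:25:44 ipa1.example.com krb5kdc[3754](info): TGS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.2.1.50: HANDLE_AUTHDATA: authtime 1643657144, etypes {rep=UNSUPPORTED:(0)} mukhtar@EXAMPLE.COM for HTTP/ipa1.example.com@EXAMPLE.COM, TGT has been revoked
Feb 01 00:25:44 ipa1.example.com krb5kdc[3754](info): closing down fd 12
Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](Error): PAC issue: PAC record claims domain SID different to local domain SID or any trusted domain SID: local [S-1-5-21-4170108275-2486169439-623049963], PAC [ S-1-5-21-4279381677-1236361367-2895659079]
Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](info): TGS_REQ : handle_authdata (-1765328364)
Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](info): TGS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.2.1.50: HANDLE_AUTHDATA: authtime 1643657144, etypes {rep=UNSUPPORTED:(0)} mukhtar@EXAMPLE.COM for HTTP/ipa1.example.com@EXAMPLE.COM, TGT has been revoked
Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](info): closing down fd 12
"""

# One krb5kdc record: "<ts> <host> krb5kdc[<pid>](<level>): <message>"
HEADER = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\): (?P<msg>.*)$")
PAC_MISMATCH = re.compile(
    r"PAC issue: PAC record claims domain SID different to local domain SID or any "
    r"trusted domain SID: local \[\s*(?P<local>S-[\d-]+)\s*\], PAC \[\s*(?P<pac>S-[\d-]+)\s*\]")
REVOKED = re.compile(
    r"TGS_REQ .*? (?P<client>[^\s,]+@[^\s,]+) for (?P<service>[^\s,]+), TGT has been revoked$")


@dataclass
class Revocation:
    pid: int
    timestamp: str
    client: str          # principal whose TGT was refused
    service: str         # service ticket it asked for (HTTP/... is the Web UI login)
    local_sid: Optional[str] = None   # set when the same worker logged a PAC mismatch just before
    pac_sid: Optional[str] = None

    def reason(self) -> str:
        if self.pac_sid is None:
            return "revoked; no PAC diagnostic from worker %d in the captured window" % self.pid
        return "PAC carries domain SID %s, KDC's local domain SID is %s" % (self.pac_sid, self.local_sid)


def triage(log_text: str) -> List[Revocation]:
    """Walk the log once; a PAC-mismatch error is attached to the next
    'TGT has been revoked' TGS_REQ logged by the same krb5kdc worker pid."""
    pending: Dict[int, Tuple[str, str]] = {}
    found: List[Revocation] = []
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        pid, msg = int(m.group("pid")), m.group("msg")
        pm = PAC_MISMATCH.search(msg)
        if pm:
            pending[pid] = (pm.group("local"), pm.group("pac"))
            continue
        rm = REVOKED.search(msg)
        if rm:
            local, pac = pending.pop(pid, (None, None))
            found.append(Revocation(pid, m.group("ts"), rm.group("client"),
                                    rm.group("service"), local, pac))
    return found


def stale_pac_sids(revs: List[Revocation]) -> Dict[str, Set[str]]:
    """Principal -> set of foreign domain SIDs seen in their PACs."""
    out: Dict[str, Set[str]] = {}
    for r in revs:
        if r.pac_sid:
            out.setdefault(r.client, set()).add(r.pac_sid)
    return out


if __name__ == "__main__":
    revs = triage(SAMPLE_LOG)
    for r in revs:
        print(f"{r.timestamp} pid={r.pid} {r.client} -> {r.service}: {r.reason()}")
    print("principals with a stale PAC domain SID:", stale_pac_sids(revs))
```

The pairing relies on both records coming from the same krb5kdc worker within a short window, which is how the posted snippet reads; over a longer log, compare timestamps as well. Note that worker 3754 refused the ticket without a PAC line in the captured window, so an empty local/PAC pair means "look further back in the log", not "no PAC problem".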
After following the @Dan West https://lists.fedorahosted.org/archives/users/138940716030953366928314736264121067319/ solution described at https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... , users are able to login to IPA WebGUI.
My setup uses this freeipa LDAP for Wi-Fi authentication using Freeradius.
Now the users are unable to login into the WIFI network using the radius server (Freeradius). Freeradius is throwing MS-CHAP-Error = "\000E=691 R=1 C=269d5124d7a4e4f1 v=1". I guess this is because freeradius uses the ipaNTHash attribute in mschap, and in @Dan West's solution this attribute was deleted.
On ke, 02 helmi 2022, code bugs wrote:
After following the @Dan West https://lists.fedorahosted.org/archives/users/138940716030953366928314736264121067319/ solution described at https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... , users are able to login to IPA WebGUI.
My setup uses this freeipa LDAP for Wi-Fi authentication using Freeradius.
Now the users are unable to login into the WIFI network using the radius server (Freeradius). Freeradius is throwing MS-CHAP-Error = "\000E=691 R=1 C=269d5124d7a4e4f1 v=1". I guess this is because freeradius uses the ipaNTHash attribute in mschap, and in @Dan West's solution this attribute was deleted.
That's most likely cause, yes.
There are two ways to recover ipaNTHash attribute values. First one: change password. This will cause ipaNTHash to be generated if its generation is not disabled in IPA configuration (it is not by default).
Another path depends on whether your users' Kerberos keys have arcfour-hmac encryption keys already. If they do, you can trigger re-creation of ipaNTHash by adding it with a special value:
dn: uid=foo,cn=users,cn=accounts,dc=ipa,dc=test
changetype: modify
add: ipaNTHash
ipaNTHash: MagicRegen
You can do this either as cn=Directory Manager, or as an admin, or as a user themselves. Perhaps, doing this as cn=Directory Manager will be a bit easier. In case there is no arcfour-hmac encryption key in the Kerberos keys for the user in question, you would get LDAP error LDAP_UNWILLING_TO_PERFORM.
On ke, 02 helmi 2022, Alexander Bokovoy via FreeIPA-users wrote:
On ke, 02 helmi 2022, code bugs wrote:
After following the @Dan West https://lists.fedorahosted.org/archives/users/138940716030953366928314736264121067319/ solution described at https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... , users are able to login to IPA WebGUI.
My setup uses this freeipa LDAP for Wi-Fi authentication using Freeradius.
Now the users are unable to login into the WIFI network using the radius server (Freeradius). Free radius throwing MS-CHAP-Erro = "\000E=691 R=1 C=269d5124d7a4e4f1 v=1" I guess since freeradius uses ipaNTHash attribute in maschap and in @Dan West solution this attribute was deleted.
That's most likely cause, yes.
There are two ways to recover ipaNTHash attribute values. First one: change password. This will cause ipaNTHash to be generated if its generation is not disabled in IPA configuration (it is not by default).
Another path depends on whether your users' Kerberos keys have arcfour-hmac encryption keys already. If they do, you can trigger re-creation of ipaNTHash by adding it with a special value:
dn: uid=foo,cn=users,cn=accounts,dc=ipa,dc=test
changetype: modify
add: ipaNTHash
ipaNTHash: MagicRegen
You can do this either as cn=Directory Manager, or as an admin, or as a user themselves. Perhaps, doing this as cn=Directory Manager will be a bit easier. In case there is no arcfour-hmac encryption key in the Kerberos keys for the user in question, you would get LDAP error LDAP_UNWILLING_TO_PERFORM.
Just tried this on my test system, it works.
# ldapmodify -H ldapi://%2fvar%2frun%2fslapd-IPA-TEST.socket -Y EXTERNAL
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: uid=mtest,cn=users,cn=accounts,dc=ipa,dc=test
changetype: modify
delete: ipaNTHash
^D
modifying entry "uid=mtest,cn=users,cn=accounts,dc=ipa,dc=test"
# ipa -e in_server=true user-mod mtest --addattr=ipanthash=MagicRegen
# ipa -e in_server=true user-show mtest --all --raw |grep ipaNTHash
ipaNTHash: some-value
-- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
On to, 03 helmi 2022, code bugs wrote:
I tried changing the password but that did not work.
When I ran
#ipa -e in_server=true user-mod mtest --addattr=ipanthash=MagicRegen
I am getting
ipa: ERROR: attribute "ipanthash" not allowed
same Error when
dn: uid=foo,cn=users,cn=accounts,dc=ipa,dc=test
changetype: modify
add: ipaNTHash
ipaNTHash: MagicRegen
You need to have objectclass ipaNTUserAttrs. The object class cannot be added alone because it requires (MUST) presence of ipaNTSecurityIdentifier attribute. So you need to generate SIDs for these users and then cause adding ipaNTHash attribute.
ipa config-mod --enable-sid --add-sids
would trigger adding SIDs to users and groups that miss them.
On to, 03 helmi 2022, code bugs wrote:
# ipa config-mod --enable-sid --add-sids
Executes without error. But User still has no objectclass ipaNTUserAttrs and ipaNTSecurityIdentifier attribute.
can you check dirsrv's error log to see if sidgen plugin considers something problematic? It would be /var/log/dirsrv/slapd-<INSTANCE>/errorlog.
On to, 03 helmi 2022, code bugs wrote:
[03/Feb/2022:02:00:35.465687122 +0500] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 194]: Sidgen task starts ...
[03/Feb/2022:02:00:35.966385266 +0500] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 522]: Cannot convert Posix ID [1196400016] into an unused SID.
[03/Feb/2022:02:00:35.967934170 +0500] - ERR - do_work - [file ipa_sidgen_task.c, line 154]: Cannot add SID to existing entry.
This means there is no ID range available to carve RIDs from for POSIX ID in question.
Please see this thread from 2017 on how to proceed: https://listman.redhat.com/archives/freeipa-users/2017-February/msg00114.htm...
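To tie the last few replies together (ipaNTHash needs objectclass ipaNTUserAttrs, which needs ipaNTSecurityIdentifier, which sidgen can only produce when an ID range with a RID base covers the user's POSIX ID; and MagicRegen only works when the principal already has an arcfour-hmac key), here is an added Python example, not code from this thread or from FreeIPA. It models how a SID is carved from an ipa-local ID range (RID = RID base + (POSIX ID - base ID), primary base first, secondary base if that SID is taken; this is my simplified reading of the sidgen plugin and an assumption, not its source) and then lists the recovery steps for a user in the right order. The ranges, the accounts and the has_arcfour_key flag are constructed inputs; how you establish a principal's key enctypes is outside this example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Sequence, Tuple

# The "local" domain SID from the KDC log earlier in this thread.
SAMPLE_DOMAIN_SID = "S-1-5-21-4170108275-2486169439-623049963"


@dataclass(frozen=True)
class IDRange:
    """The fields of an ID range (ipa idrange-find --all) that sidgen needs."""
    name: str
    base_id: int                               # ipaBaseID
    size: int                                  # ipaIDRangeSize
    rid_base: Optional[int] = None             # ipaBaseRID; absent on ranges never given RID bases
    secondary_rid_base: Optional[int] = None   # ipaSecondaryBaseRID
    range_type: str = "ipa-local"              # ipaIDRangeType

    def covers(self, posix_id: int) -> bool:
        return self.base_id <= posix_id < self.base_id + self.size


def sid_for_posix_id(posix_id: int, ranges: Sequence[IDRange], domain_sid: str,
                     used_sids: FrozenSet[str] = frozenset()) -> Optional[str]:
    """RID = RID base + (POSIX ID - base ID), taken from the first ipa-local range
    covering the ID; primary base first, secondary base if that SID is taken.
    Simplified model of the sidgen plugin (an assumption, not its code); trust
    ranges are skipped because their SIDs belong to the other domain."""
    for r in ranges:
        if r.range_type != "ipa-local" or not r.covers(posix_id):
            continue
        for rid_base in (r.rid_base, r.secondary_rid_base):
            if rid_base is None:
                continue
            sid = f"{domain_sid}-{rid_base + (posix_id - r.base_id)}"
            if sid not in used_sids:
                return sid
    return None   # sidgen: "Cannot convert Posix ID [...] into an unused SID."


@dataclass(frozen=True)
class Account:
    uid: str
    posix_id: int                    # uidNumber
    object_classes: Tuple[str, ...]  # objectClass values as shown by user-show --all --raw
    has_arcfour_key: bool            # assumption: caller determined the principal's key enctypes
    has_nt_hash: bool = False        # ipaNTHash present


def plan_recovery(acct: Account, ranges: Sequence[IDRange], domain_sid: str,
                  used_sids: FrozenSet[str] = frozenset()) -> List[Tuple[str, str]]:
    """Ordered (step, detail) list to get ipaNTHash back for one user."""
    if acct.has_nt_hash:
        return [("NOOP", f"{acct.uid}: ipaNTHash already present")]
    steps: List[Tuple[str, str]] = []
    if "ipantuserattrs" not in {oc.lower() for oc in acct.object_classes}:
        # MagicRegen fails with 'attribute "ipanthash" not allowed' until the
        # objectclass exists, and the objectclass needs ipaNTSecurityIdentifier.
        sid = sid_for_posix_id(acct.posix_id, ranges, domain_sid, used_sids)
        if sid is None:
            steps.append(("FIX_ID_RANGE",
                          f"{acct.uid}: no ipa-local range with a RID base covers uidNumber "
                          f"{acct.posix_id}; give the covering range RID bases (or add one) first"))
        steps.append(("ADD_SIDS", "ipa config-mod --enable-sid --add-sids"
                      + (f"   # would assign {sid}" if sid else "")))
    if acct.has_arcfour_key:
        steps.append(("MAGIC_REGEN",
                      f"ipa -e in_server=true user-mod {acct.uid} --addattr=ipanthash=MagicRegen"))
    else:
        steps.append(("PASSWORD_CHANGE",
                      f"{acct.uid}: no arcfour-hmac key, MagicRegen would hit "
                      "LDAP_UNWILLING_TO_PERFORM; reset the password so ipaNTHash is generated"))
    return steps


# Constructed inputs. The first range covers the POSIX ID from the sidgen error
# above but has no RID bases; the second is an AD trust range sidgen must skip.
SAMPLE_RANGES = (
    IDRange("EXAMPLE.COM_id_range", base_id=1196400000, size=200000),
    IDRange("AD.EXAMPLE_id_range", base_id=1500000000, size=200000, rid_base=0,
            range_type="ipa-ad-trust"),
)
# The same local range after it has been given RID bases.
FIXED_RANGES = (
    IDRange("EXAMPLE.COM_id_range", base_id=1196400000, size=200000,
            rid_base=1000, secondary_rid_base=100000000),
)
SAMPLE_USERS = (
    Account("foo", 1196400016, ("top", "person", "posixaccount", "inetuser"), has_arcfour_key=True),
    Account("mtest", 1196400017, ("top", "person", "posixaccount", "ipantuserattrs"),
            has_arcfour_key=False),
)

if __name__ == "__main__":
    for label, ranges in (("ranges as found", SAMPLE_RANGES), ("ranges with RID bases", FIXED_RANGES)):
        print(f"== {label}")
        for acct in SAMPLE_USERS:
            for step, detail in plan_recovery(acct, ranges, SAMPLE_DOMAIN_SID):
                print(f"  [{step}] {detail}")
```

Run as-is, the first range reproduces the state behind the sidgen error quoted above: the user's uidNumber is covered, but there is no RID base to carve from, so `ipa config-mod --enable-sid --add-sids` has nothing to assign. Once the covering range has RID bases (`ipa idrange-mod` or `ipa idrange-add` with `--rid-base` and `--secondary-rid-base`; the linked 2017 thread walks through that) the same user gets a SID and can then take the MagicRegen path. The real plugin additionally checks the directory for SIDs already in use, which the used_sids parameter stands in for here.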