[Freeipa-users] Login failed due to unknow reason on the WebUI on new FreeIPA 4.5 installation

Hi, I recently deployed a new FreeIPA domain running on CentOS 7.4 and FreeIPA 4.5 The installation went without hiccups but the WebUI isn't working as expected. Logging in with admin failed with this error: Login failed due to an unknow reason. I've seen this issue with every FreeIPA 4.5 replica I've built. As you may know this is pretty common error with 4.5. I usually just chmod 444 /var/lib/ipa-client/pki/* as pointed out in https://access.redhat.com/solutions/3178971 and the logging start working again but not this time with a brand new domain installation. Permissions are correct for the PEM ll /var/lib/pki/* -r--r--r-- 1 root root 4406 Jan 9 14:49 ca-bundle.pem -r--r--r-- 1 root root 4406 Jan 9 14:49 kdc-ca-bundle.pem Here's the output of /var/log/httpd/error_log [Thu Jan 18 01:14:40.543272 2018] [suexec:notice] [pid 12537] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec) [Thu Jan 18 01:14:40.543348 2018] [:warn] [pid 12537] NSSSessionCacheTimeout is deprecated. Ignoring. [Thu Jan 18 01:14:40.766070 2018] [auth_digest:notice] [pid 12537] AH01757: generating secret for digest authentication ... [Thu Jan 18 01:14:40.766623 2018] [lbmethod_heartbeat:notice] [pid 12537] AH02282: No slotmem from mod_heartmonitor [Thu Jan 18 01:14:40.766640 2018] [:warn] [pid 12537] NSSSessionCacheTimeout is deprecated. Ignoring. [Thu Jan 18 01:14:40.843105 2018] [mpm_prefork:notice] [pid 12537] AH00163: Apache/2.4.6 (CentOS) mod_auth_gssapi/1.5.1 mod_nss/1.0.14 NSS/3.28.4 mod_wsgi/3.4 Python/2.7.5 configured -- resuming normal operations [Thu Jan 18 01:14:40.843134 2018] [core:notice] [pid 12537] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND' [Thu Jan 18 01:14:48.465191 2018] [:error] [pid 12545] ipa: INFO: *** PROCESS START *** [Thu Jan 18 01:14:48.470206 2018] [:error] [pid 12546] ipa: INFO: *** PROCESS START *** [Thu Jan 18 01:15:14.020600 2018] [:error] [pid 12545] ipa: INFO: 401 Unauthorized: [Errno 13] Permission denied Output of /var/log/messages show weird errors: Jan 18 01:14:36 bo2-tnt-ipa-001 ipa-dnskeysyncd: ipa : ERROR syncrepl_poll: LDAP error ({'desc': "Can't contact LDAP server"}) Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.102629780 +0000] - ERR - schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup! Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.115268733 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=groups,cn=compat,dc=ipa,dc=domain,dc=com does not exist Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.116680963 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=computers,cn=compat,dc=ipa,dc=domain,dc=com does not exist Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.117878580 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=ng,cn=compat,dc=ipa,dc=domain,dc=com does not exist Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.119338367 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target ou=sudoers,dc=ipa,dc=domain,dc=com does not exist Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.120503775 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=users,cn=compat,dc=ipa,dc=domain,dc=com does not exist Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.122000132 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=com does not exist Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.123149308 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=com does not exist Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.124282277 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=com does not exist Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.125837472 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=com does not exist Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.126966928 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=com does not exist Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.128085824 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=com does not exist Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.129501796 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=com does not exist Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.130686657 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=com does not exist Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.132301267 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=com does not exist Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.134575956 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=com does not exist Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.135778559 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=com does not exist Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.142405173 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=domain,dc=com does not exist Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.143655721 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=domain,dc=com does not exist Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.233078350 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.238586332 +0000] - ERR - cos-plugin - cos_dn_defs_cb - Skipping CoS Definitcomn cn=Password Policy,cn=accounts,dc=ipa,dc=domain,dc=com--no CoS Templates found, which should be added before the CoS Definitcomn. Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.261575767 +0000] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds! Jan 18 01:14:43 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:43.268319379 +0000] - ERR - schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=ipa,dc=domain,dc=com Jan 18 01:14:43 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:43.272302862 +0000] - ERR - schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=ipa,dc=domain,dc=com Jan 18 01:14:43 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:43.279547839 +0000] - ERR - schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=ipa,dc=domain,dc=com Jan 18 01:14:43 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:43.285336505 +0000] - ERR - schema-compat-plugin - Finished plugin initializatcomn. Any ideas why ? Thanks Alexandre Pitre