Hey guys,
I set up my very first FreeIPA installation and I'm currently dealing with an issue I
hope you can help me with.
I'm running FreeIPA version 4.7.1 on CentOS 8. I installed it about 3 weeks ago, and it had been
working fine up until a few days ago (after a restart).
I'm encountering several symptoms:
The WebUI won't let me log in anymore
("Login failed due to an unknown reason.")
This was the first error I noticed... since it only happened for users not already logged
in, I suspected wrong password entries. After a server restart everyone got locked out
though.
Other post-restart commands that are not working any more:
certutil -L
certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database.

ipa
ERROR: cannot connect to 'https://ipa.**.**/ipa/json': [Errno 111] Connection refused

ipa-getkeytab -p HTTP/*@*.* -s ipa.*.* -k /var/lib/ipa/gssproxy/http.keytab
Failed to load translations
SASL Bind failed Local error (-2) SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)!
Failed to bind to server!
Retrying with pre-4.0 keytab retrieval method...
SASL Bind failed Local error (-2) SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)!
Failed to bind to server!
Failed to get keytab
(works with binddn though)
kinit, klist and other kerberos/ldap logins are working fine!
Logfiles:
/var/log/httpd/error_log
[Thu Nov 14 16:38:43.894373 2019] [wsgi:error] [pid 22560:tid 140303294011136] [remote *.*.*.*:*] ipa: INFO: [jsonserver_i18n_messages] UNKNOWN: i18n_messages(version='2.230'): SUCCESS
[Thu Nov 14 16:38:44.013990 2019] [:warn] [pid 24265:tid 140302572558080] [client *.*.*.*:*] KRB5CCNAME file (/run/ipa/ccaches/*@*.*) lookup failed!, referer: https://ipa.*.*/ipa/ui/
[Thu Nov 14 16:38:44.036125 2019] [:warn] [pid 24265:tid 140301800822528] [client *.*.*.*:*] KRB5CCNAME file (/run/ipa/ccaches/*@*.*) lookup failed!, referer: https://ipa.*.*/ipa/ui/
[Thu Nov 14 16:38:57.098920 2019] [wsgi:error] [pid 22560:tid 140303294011136] [remote *.*.*.*:*] ipa: INFO: 401 Unauthorized: HTTPConnectionPool(host='ipa.*.*', port=80): Max retries exceeded with url: /ipa/session/cookie (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f9ae9039f60>: Failed to establish a new connection: [Errno 111] Connection refused',))
/var/log/krb5kdc.log
Nov 14 17:14:34 ipa.*.* krb5kdc[22498](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 127.0.0.1: NEEDED_PREAUTH: WELLKNOWN/ANONYMOUS@*.* for krbtgt/*.*@*.*, Additional pre-authentication required
Nov 14 17:14:34 ipa.*.* krb5kdc[22498](info): closing down fd 12
Nov 14 17:14:34 ipa.*.* krb5kdc[22502](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 127.0.0.1: ISSUE: authtime 1573748074, etypes {rep=18 tkt=18 ses=18}, WELLKNOWN/ANONYMOUS@*.* for krbtgt/*.*@*.*
Nov 14 17:14:34 ipa.*.* krb5kdc[22502](info): closing down fd 12
Nov 14 17:14:34 ipa.*.* krb5kdc[22506](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 127.0.0.1: NEEDED_PREAUTH: *@*.* for krbtgt/*.*@*.*, Additional pre-authentication required
Nov 14 17:14:34 ipa.*.* krb5kdc[22506](info): closing down fd 12
Nov 14 17:14:34 ipa.*.* krb5kdc[22506](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 127.0.0.1: ISSUE: authtime 1573748074, etypes {rep=18 tkt=18 ses=18}, *@*.* for krbtgt/*.*@*.*
Nov 14 17:14:34 ipa.*.* krb5kdc[22506](info): closing down fd 12
Nov 14 17:14:34 ipa.*.* krb5kdc[22507](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 127.0.0.1: ISSUE: authtime 1573748074, etypes {rep=18 tkt=18 ses=18}, *@*.* for HTTP/ipa.*.*@*.*
Nov 14 17:14:34 ipa.eagleeye-film.de krb5kdc[22507](info): closing down fd 12
I'm suspecting some GSSAPI/certificate error... /run/ipa/ccaches is empty and all
non-http authorizations seem to work.
I have been working on a samba configuration for the same server; I have a feeling that
some of my experiments (ipa-adtrust-install, authconfig, chmod on keytab, net sam provision)
messed with the rest of the system... I tried to backtrack/revert as much as I could, but
nothing helped so far. I also think the first WebUI errors occurred before that already.
I'd be so happy if anyone could help! So far I've been able to find solutions for
every issue, but this seems to be a tough one.
Thanks!
-Tristan
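The two log excerpts in the post point at different layers: the krb5kdc log records ISSUE for the user's AS_REQ and for the TGS_REQ to HTTP/ipa.*.*, while httpd reports that the per-user KRB5CCNAME file under /run/ipa/ccaches cannot be found and that its own loopback call to port 80 is refused. The helper below, added here as an illustration and not code from the post or from FreeIPA, parses lines in exactly those two formats and separates "what the KDC decided per principal" from "what httpd complains about", so a reader triaging a similar report can see at a glance whether the KDC or the HTTP/gssproxy side is the one failing. The sample lines are constructed to match the post's format; ipa.example.test, EXAMPLE.TEST, the admin principal and the 10.0.0.5 client address are placeholders.

```python
"""Triage helper: summarise krb5kdc decisions per principal and httpd-side
Kerberos complaints from log text.  All sample input below is constructed."""
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of /var/log/krb5kdc.log (placeholder realm/hosts).
KDC_LOG = """\
Nov 14 17:14:34 ipa.example.test krb5kdc[22498](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 127.0.0.1: NEEDED_PREAUTH: WELLKNOWN/ANONYMOUS@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Nov 14 17:14:34 ipa.example.test krb5kdc[22498](info): closing down fd 12
Nov 14 17:14:34 ipa.example.test krb5kdc[22502](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 127.0.0.1: ISSUE: authtime 1573748074, etypes {rep=18 tkt=18 ses=18}, WELLKNOWN/ANONYMOUS@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Nov 14 17:14:34 ipa.example.test krb5kdc[22506](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 127.0.0.1: NEEDED_PREAUTH: admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Nov 14 17:14:34 ipa.example.test krb5kdc[22506](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 127.0.0.1: ISSUE: authtime 1573748074, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Nov 14 17:14:34 ipa.example.test krb5kdc[22507](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 127.0.0.1: ISSUE: authtime 1573748074, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.TEST for HTTP/ipa.example.test@EXAMPLE.TEST
"""

# Constructed sample in the shape of /var/log/httpd/error_log (placeholder hosts/IPs).
HTTPD_LOG = """\
[Thu Nov 14 16:38:44.013990 2019] [:warn] [pid 24265:tid 140302572558080] [client 10.0.0.5:50120] KRB5CCNAME file (/run/ipa/ccaches/admin@EXAMPLE.TEST) lookup failed!, referer: https://ipa.example.test/ipa/ui/
[Thu Nov 14 16:38:57.098920 2019] [wsgi:error] [pid 22560:tid 140303294011136] [remote 10.0.0.5:50122] ipa: INFO: 401 Unauthorized: HTTPConnectionPool(host='ipa.example.test', port=80): Max retries exceeded with url: /ipa/session/cookie (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f9ae9039f60>: Failed to establish a new connection: [Errno 111] Connection refused',))
"""

# Request type, source address and KDC result ("NEEDED_PREAUTH", "ISSUE", ...).
KDC_RE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): (?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{[^}]*\}\) "
    r"(?P<src>\S+): (?P<result>[A-Z_]+): (?P<rest>.*)$")
# "client@REALM for service@REALM" appears in both NEEDED_PREAUTH and ISSUE lines.
PRINCIPALS_RE = re.compile(r"(?P<client>\S+@[\w.\-]+) for (?P<service>\S+@[\w.\-]+)")
CCACHE_RE = re.compile(r"KRB5CCNAME file \((?P<path>[^)]+)\) lookup failed")


def parse_kdc(text):
    """Map (client, service, request type) -> Counter of KDC results.
    Lines without a request ('closing down fd ...') are skipped."""
    out = defaultdict(Counter)
    for line in text.splitlines():
        m = KDC_RE.search(line)
        if not m:
            continue
        p = PRINCIPALS_RE.search(m.group("rest"))
        if not p:
            continue
        key = (p.group("client"), p.group("service"), m.group("req"))
        out[key][m.group("result")] += 1
    return dict(out)


def kdc_healthy(text):
    """True when at least one AS_REQ and one TGS_REQ ended in ISSUE: the KDC
    authenticated a client and handed out a service ticket."""
    stats = parse_kdc(text)
    as_ok = any(k[2] == "AS_REQ" and c["ISSUE"] for k, c in stats.items())
    tgs_ok = any(k[2] == "TGS_REQ" and c["ISSUE"] for k, c in stats.items())
    return as_ok and tgs_ok


def parse_httpd(text):
    """Collect ccache paths httpd could not load and whether the framework's
    loopback request to port 80 was refused."""
    missing = []
    refused = False
    for line in text.splitlines():
        m = CCACHE_RE.search(line)
        if m:
            missing.append(m.group("path"))
        if "[Errno 111] Connection refused" in line:
            refused = True
    return {"missing_ccaches": missing, "loopback_refused": refused}


def triage(kdc_text, httpd_text):
    """Return a list of short findings that point at the failing layer."""
    findings = []
    findings.append("KDC issued AS and TGS tickets" if kdc_healthy(kdc_text)
                    else "KDC did not issue tickets; look at the KDC first")
    web = parse_httpd(httpd_text)
    for path in web["missing_ccaches"]:
        findings.append(f"httpd could not read ccache {path}")
    if web["loopback_refused"]:
        findings.append("httpd loopback call to port 80 refused; check that httpd is listening")
    return findings


if __name__ == "__main__":
    for f in triage(KDC_LOG, HTTPD_LOG):
        print("-", f)
```

Run against real files, the same functions take the contents of /var/log/krb5kdc.log and /var/log/httpd/error_log; the point of splitting the two parsers is that a healthy KDC verdict alongside "ccache lookup failed" narrows the investigation to the HTTP server and its credential cache handling rather than to Kerberos itself.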