[Freeipa-users] Unable to authorize via HTTP

Hey guys, I set up my very first FreeIPA installation and I'm currently dealing with an issue I hope you can help me with. I'm running FreeIPA version 4.7.1 on CentOS 8. I installed about 3 weeks ago, had been working fine up until a few days ago (after a restart). I'm encountering several symptoms: The WebUI won't let me log in anymore ("Login failed due to an unknown reason.") This was the first error I noticed... since it only happened for users not already logged in, I suspected wrong password entries. After a server restart everyone got locked out though. Other post-restart commands that are not working any more: certutil -L certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database. ipa ERROR: cannot connect to 'https://ipa.**.**/ipa/json': [Errno 111] Connection refused ipa-getkeytab -p HTTP/*(a)*.* -s ipa.*.* -k /var/lib/ipa/gssproxy/http.keytab Failed to load translations SASL Bind failed Local error (-2) SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)! Failed to bind to server! Retrying with pre-4.0 keytab retrieval method... SASL Bind failed Local error (-2) SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)! Failed to bind to server! Failed to get keytab (works with binddn though) kinit, klist and other kerberos/ldap logins are working fine! Logfiles: /var/log/httpd/error_log [Thu Nov 14 16:38:43.894373 2019] [wsgi:error] [pid 22560:tid 140303294011136] [remote *.*.*.*:*] ipa: INFO: [jsonserver_i18n_messages] UNKNOWN: i18n_messages(version='2.230'): SUCCESS [Thu Nov 14 16:38:44.013990 2019] [:warn] [pid 24265:tid 140302572558080] [client *.*.*.*:*] KRB5CCNAME file (/run/ipa/ccaches/*(a)*.*) lookup failed!, referer: https://ipa.*.*/ipa/ui/ [Thu Nov 14 16:38:44.036125 2019] [:warn] [pid 24265:tid 140301800822528] [client *.*.*.*:*] KRB5CCNAME file (/run/ipa/ccaches/*(a)*.*) lookup failed!, referer: https://ipa.*.*/ipa/ui/ [Thu Nov 14 16:38:57.098920 2019] [wsgi:error] [pid 22560:tid 140303294011136] [remote *.*.*.*:*] ipa: INFO: 401 Unauthorized: HTTPConnectionPool(host='ipa.*.*', port=80): Max retries exceeded with url: /ipa/session/cookie (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f9ae9039f60>: Failed to establish a new connection: [Errno 111] Connection refused',)) /var/log/krb5kdc.log Nov 14 17:14:34 ipa.*.* krb5kdc[22498](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 127.0.0.1: NEEDED_PREAUTH: WELLKNOWN/ANONYMOUS(a)*.* for krbtgt/*.*(a)*.*, Additional pre-authentication required Nov 14 17:14:34 ipa.*.* krb5kdc[22498](info): closing down fd 12 Nov 14 17:14:34 ipa.*.* krb5kdc[22502](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 127.0.0.1: ISSUE: authtime 1573748074, etypes {rep=18 tkt=18 ses=18}, WELLKNOWN/ANONYMOUS(a)*.* for krbtgt/*.*(a)*.* Nov 14 17:14:34 ipa.*.* krb5kdc[22502](info): closing down fd 12 Nov 14 17:14:34 ipa.*.* krb5kdc[22506](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 127.0.0.1: NEEDED_PREAUTH: *(a)*.* for krbtgt/*.*(a)*.*, Additional pre-authentication required Nov 14 17:14:34 ipa.*.* krb5kdc[22506](info): closing down fd 12 Nov 14 17:14:34 ipa.*.* krb5kdc[22506](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 127.0.0.1: ISSUE: authtime 1573748074, etypes {rep=18 tkt=18 ses=18}, *(a)*.* for krbtgt/*.*(a)*.* Nov 14 17:14:34 ipa.*.* krb5kdc[22506](info): closing down fd 12 Nov 14 17:14:34 ipa.*.* krb5kdc[22507](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 127.0.0.1: ISSUE: authtime 1573748074, etypes {rep=18 tkt=18 ses=18}, *(a)*.* for HTTP/ipa.*.*(a)*.* Nov 14 17:14:34 ipa.eagleeye-film.de krb5kdc[22507](info): closing down fd 12 I'm suspecting some GSSAPI/certificate error... /run/ipa/ccaches is empty and all non-http authorizations seem to work. I have been working on a samba configuration for the same server; I have a feeling that some of my experiments (ipa-adtrust-install, authconfig, chmod on keytab, net sam provision) messed with the rest of the system... I tried to backtrack/revert as much as I could, but nothing helped so far. I also think the first WebUI errors occured before already. I'd be so happy if anyone could help! So far I've been able to find solutions for every issue, but this seems to be a tough one. Thanks! -Tristan