12:47 a.m.
Dear FreeIPA Team,
I have an issue with Web GUI throwing error message "Login failed due to an unknown
reason" when login through Web interface.
Other functionality like directory service, DNS and authentication with ipa-clients seems
to work fine.
I first spotted this issue in 4.5.0 and tried troubleshooting steps from previous thread,
however that did not help.
Hoping that issue is solved in higher versions I tried upgrading ipa-server packages
via:
# yum upgrade ipa-server
# ipa-server-upgrade
However it did not solve the issue in 4.6.6 and exactly the same behavior I saw in version
4.5.0
# rpm -q ipa-server.x86_64 krb5-libs.x86_64 krb5-server.x86_64 cyrus-sasl-gssapi.x86_64
sssd-krb5.x86_64 httpd.x86_64
ipa-server-4.6.4-10.el7.centos.x86_64
krb5-libs-1.15.1-34.el7.x86_64
krb5-server-1.15.1-34.el7.x86_64
cyrus-sasl-gssapi-2.1.26-23.el7.x86_64
sssd-krb5-1.16.2-13.el7.x86_64
httpd-2.4.6-88.el7.centos.x86_64
# cat /etc/*release*
CentOS Linux release 7.4.1708 (Core)
What could be the next troubleshooting step in my case?
Thanks in advance,
Andrey
1:28 a.m.
New subject: FreeIPA 4.6.4 Web GUI - Login failed due to an unknown reason.
On ti, 04 joulu 2018, Andrey Ptashnik via FreeIPA-users wrote:
Dear FreeIPA Team,
I have an issue with Web GUI throwing error message "Login failed due to an unknown
reason" when login through Web interface.
Other functionality like directory service, DNS and authentication with ipa-clients seems
to work fine.
I first spotted this issue in 4.5.0 and tried troubleshooting steps
from previous thread, however that did not help. Hoping that issue is
solved in higher versions I tried upgrading ipa-server packages via:
# yum upgrade ipa-server
# ipa-server-upgrade
However it did not solve the issue in 4.6.6 and exactly the same
behavior I saw in version 4.5.0
# rpm -q ipa-server.x86_64 krb5-libs.x86_64 krb5-server.x86_64 cyrus-sasl-gssapi.x86_64
sssd-krb5.x86_64 httpd.x86_64
ipa-server-4.6.4-10.el7.centos.x86_64
krb5-libs-1.15.1-34.el7.x86_64
krb5-server-1.15.1-34.el7.x86_64
cyrus-sasl-gssapi-2.1.26-23.el7.x86_64
sssd-krb5-1.16.2-13.el7.x86_64
httpd-2.4.6-88.el7.centos.x86_64
# cat /etc/*release*
CentOS Linux release 7.4.1708 (Core)
Just a note -- the above is not a CentOS
7.4.1708. If you updated IPA
packages selectively to a version from CentOS 7.6.1810 without updating
whole distribution to that version, there is no guarantee everything is
working.
What could be the next troubleshooting step in my case?
Please
show
getcert list -f /var/kerberos/krb5kdc/kdc.crt
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
1:47 a.m.
New subject: FreeIPA 4.6.4 Web GUI - Login failed due to an unknown reason.
Alexander,
Thank you for your time,
# getcert list -f /var/kerberos/krb5kdc/kdc.crt
No request found that matched arguments.
#
# ls -la /var/kerberos/krb5kdc/
total 16
drwxr-xr-x. 2 root root 82 Dec 3 22:56 .
drwxr-xr-x. 4 root root 31 Nov 2 11:13 ..
-rwxr-xr-x 1 root root 0 Nov 30 2017 cacert.pem
-rw------- 1 root root 22 Oct 30 09:40 kadm5.acl
-rwxr-xr-x 1 root root 612 Nov 30 2017 kdc.conf
-rwxr-xr-x 1 root root 1415 Nov 30 2017 kdc.crt
-rwxr-xr-x 1 root root 1708 Nov 30 2017 kdc.key
#
I used following commands:
# yum upgrade ipa-server
# ipa-server-upgrade
to upgrade packages, and agreed to any proposed dependencies (there were about 90 of
them).
Thanks,
Andrey
On 12/4/18, 01:28, "Alexander Bokovoy" <abokovoy(a)redhat.com> wrote:
On ti, 04 joulu 2018, Andrey Ptashnik via FreeIPA-users wrote:
Dear FreeIPA Team,
I have an issue with Web GUI throwing error message "Login failed due to an unknown
reason" when login through Web interface.
Other functionality like directory service, DNS and authentication with ipa-clients seems
to work fine.
I first spotted this issue in 4.5.0 and tried troubleshooting steps
from previous thread, however that did not help. Hoping that issue is
solved in higher versions I tried upgrading ipa-server packages via:
# yum upgrade ipa-server
# ipa-server-upgrade
However it did not solve the issue in 4.6.6 and exactly the same
behavior I saw in version 4.5.0
# rpm -q ipa-server.x86_64 krb5-libs.x86_64 krb5-server.x86_64 cyrus-sasl-gssapi.x86_64
sssd-krb5.x86_64 httpd.x86_64
ipa-server-4.6.4-10.el7.centos.x86_64
krb5-libs-1.15.1-34.el7.x86_64
krb5-server-1.15.1-34.el7.x86_64
cyrus-sasl-gssapi-2.1.26-23.el7.x86_64
sssd-krb5-1.16.2-13.el7.x86_64
httpd-2.4.6-88.el7.centos.x86_64
# cat /etc/*release*
CentOS Linux release 7.4.1708 (Core)
Just a note -- the above is not a CentOS 7.4.1708. If you updated IPA
packages selectively to a version from CentOS 7.6.1810 without updating
whole distribution to that version, there is no guarantee everything is
working.
What could be the next troubleshooting step in my case?
Please show
getcert list -f /var/kerberos/krb5kdc/kdc.crt
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
2:02 a.m.
New subject: FreeIPA 4.6.4 Web GUI - Login failed due to an unknown reason.
On ti, 04 joulu 2018, Andrey Ptashnik wrote:
Alexander,
Thank you for your time,
# getcert list -f /var/kerberos/krb5kdc/kdc.crt
No request found that matched arguments.
#
# ls -la /var/kerberos/krb5kdc/
total 16
drwxr-xr-x. 2 root root 82 Dec 3 22:56 .
drwxr-xr-x. 4 root root 31 Nov 2 11:13 ..
-rwxr-xr-x 1 root root 0 Nov 30 2017 cacert.pem
-rw------- 1 root root 22 Oct 30 09:40 kadm5.acl
-rwxr-xr-x 1 root root 612 Nov 30 2017 kdc.conf
-rwxr-xr-x 1 root root 1415 Nov 30 2017 kdc.crt
-rwxr-xr-x 1 root root 1708 Nov 30 2017 kdc.key
#
What does 'openssl x509 -text -in /var/kerberos/krb5kdc/kdc.crt' say?
Are you using integrated CA?
If you are using integrated CA, then please move away kdc.crt and
kdc.key and run
ipa-pkinit-manage enable
I used following commands:
# yum upgrade ipa-server
# ipa-server-upgrade
to upgrade packages, and agreed to any proposed dependencies (there were about 90 of
them).
Thanks,
Andrey
On 12/4/18, 01:28, "Alexander Bokovoy" <abokovoy(a)redhat.com> wrote:
On ti, 04 joulu 2018, Andrey Ptashnik via FreeIPA-users wrote:
>Dear FreeIPA Team,
>
>I have an issue with Web GUI throwing error message "Login failed due to an
unknown reason" when login through Web interface.
>Other functionality like directory service, DNS and authentication with
ipa-clients seems to work fine.
>
>I first spotted this issue in 4.5.0 and tried troubleshooting steps
>from previous thread, however that did not help. Hoping that issue is
>solved in higher versions I tried upgrading ipa-server packages via:
>
># yum upgrade ipa-server
># ipa-server-upgrade
>
>However it did not solve the issue in 4.6.6 and exactly the same
>behavior I saw in version 4.5.0
>
># rpm -q ipa-server.x86_64 krb5-libs.x86_64 krb5-server.x86_64
cyrus-sasl-gssapi.x86_64 sssd-krb5.x86_64 httpd.x86_64
>ipa-server-4.6.4-10.el7.centos.x86_64
>krb5-libs-1.15.1-34.el7.x86_64
>krb5-server-1.15.1-34.el7.x86_64
>cyrus-sasl-gssapi-2.1.26-23.el7.x86_64
>sssd-krb5-1.16.2-13.el7.x86_64
>httpd-2.4.6-88.el7.centos.x86_64
>
># cat /etc/*release*
>CentOS Linux release 7.4.1708 (Core)
Just a note -- the above is not a CentOS 7.4.1708. If you updated IPA
packages selectively to a version from CentOS 7.6.1810 without updating
whole distribution to that version, there is no guarantee everything is
working.
>What could be the next troubleshooting step in my case?
Please show
getcert list -f /var/kerberos/krb5kdc/kdc.crt
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
8:23 a.m.
New subject: FreeIPA 4.6.4 Web GUI - Login failed due to an unknown reason.
Alexander,
Please find output below:
[root@ipa-server-01 ~]# openssl x509 -text -in /var/kerberos/krb5kdc/kdc.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=NIX.MYDOMAIN.COM, CN=ipa-server-01.nix.MYDOMAIN.COM
Validity
Not Before: Nov 30 18:06:04 2017 GMT
Not After : Nov 30 18:06:04 2018 GMT
Subject: O=NIX.MYDOMAIN.COM, CN=ipa-server-01.nix.MYDOMAIN.COM
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:e1:55:dc:8d:f5:0f:01:f1:75:dd:88:21:53:2e:
...output omitted...
49:b8:c6:59:c3:89:d7:5e:20:a9:81:fe:93:60:b2:
38:4b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
othername:<unsupported>, othername:<unsupported>
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
81:12:0E:48:6A:43:93:92:03:18:29:D3:3B:E2:71:8B:B4:A9:42:7E
1.3.6.1.4.1.311.20.2:
.".K.D.C.s._.P.K.I.N.I.T._.C.e.r.t.s
Signature Algorithm: sha256WithRSAEncryption
ba:01:72:0b:2f:9d:3f:39:cf:84:be:cd:85:70:08:79:60:9e:
...output omitted...
f4:0d:27:9e:41:bd:71:c9:0d:51:e1:3c:1e:4f:8e:89:71:f3:
e9:fe:40:74
-----BEGIN CERTIFICATE-----
MIID5zCCAs+gAwIBAgIBATANBgkqhkiG9w0BAQsFADA+MRYwFAYDVQQKDA1OSVgu
...output omitted...
ZYDW6cyjBkmRmaelKXZEm81ezY+s9A0nnkG9cckNUeE8Hk+OiXHz6f5AdA==
-----END CERTIFICATE-----
[root@ipa-server-01 ~]#
[root@ipa-server-01 krb5kdc]# rm -f kdc.crt
[root@ipa-server-01 krb5kdc]# rm -f kdc.key
[root@ipa-server-01 krb5kdc]#
[root@ipa-server-01 krb5kdc]# ipa-pkinit-manage enable
Configuring Kerberos KDC (krb5kdc)
[1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
The ipa-pkinit-manage command was successful
[root@ipa-server-01 krb5kdc]# ls -la
total 20
drwxr-xr-x. 2 root root 82 Dec 4 08:16 .
drwxr-xr-x. 4 root root 31 Nov 2 11:13 ..
-rw-r--r-- 1 root root 1298 Dec 4 08:16 cacert.pem
-rw------- 1 root root 22 Oct 30 09:40 kadm5.acl
-rwxr-xr-x 1 root root 612 Nov 30 2017 kdc.conf
-rw-r--r-- 1 root root 1667 Dec 4 08:16 kdc.crt
-rw------- 1 root root 1704 Dec 4 08:16 kdc.key
[root@ipa-server-01 krb5kdc]#
After certificate update it looks like Web GUI is working.
Thank you so much for your help!
Regards,
Andrey
On 12/4/18, 02:02, "Alexander Bokovoy" <abokovoy(a)redhat.com> wrote:
On ti, 04 joulu 2018, Andrey Ptashnik wrote:
Alexander,
Thank you for your time,
# getcert list -f /var/kerberos/krb5kdc/kdc.crt
No request found that matched arguments.
#
# ls -la /var/kerberos/krb5kdc/
total 16
drwxr-xr-x. 2 root root 82 Dec 3 22:56 .
drwxr-xr-x. 4 root root 31 Nov 2 11:13 ..
-rwxr-xr-x 1 root root 0 Nov 30 2017 cacert.pem
-rw------- 1 root root 22 Oct 30 09:40 kadm5.acl
-rwxr-xr-x 1 root root 612 Nov 30 2017 kdc.conf
-rwxr-xr-x 1 root root 1415 Nov 30 2017 kdc.crt
-rwxr-xr-x 1 root root 1708 Nov 30 2017 kdc.key
#
What does 'openssl x509 -text -in /var/kerberos/krb5kdc/kdc.crt' say?
Are you using integrated CA?
If you are using integrated CA, then please move away kdc.crt and
kdc.key and run
ipa-pkinit-manage enable
I used following commands:
# yum upgrade ipa-server
# ipa-server-upgrade
to upgrade packages, and agreed to any proposed dependencies (there were about 90 of
them).
Thanks,
Andrey
On 12/4/18, 01:28, "Alexander Bokovoy" <abokovoy(a)redhat.com> wrote:
On ti, 04 joulu 2018, Andrey Ptashnik via FreeIPA-users wrote:
>Dear FreeIPA Team,
>
>I have an issue with Web GUI throwing error message "Login failed due to an
unknown reason" when login through Web interface.
>Other functionality like directory service, DNS and authentication with
ipa-clients seems to work fine.
>
>I first spotted this issue in 4.5.0 and tried troubleshooting steps
>from previous thread, however that did not help. Hoping that issue is
>solved in higher versions I tried upgrading ipa-server packages via:
>
># yum upgrade ipa-server
># ipa-server-upgrade
>
>However it did not solve the issue in 4.6.6 and exactly the same
>behavior I saw in version 4.5.0
>
># rpm -q ipa-server.x86_64 krb5-libs.x86_64 krb5-server.x86_64
cyrus-sasl-gssapi.x86_64 sssd-krb5.x86_64 httpd.x86_64
>ipa-server-4.6.4-10.el7.centos.x86_64
>krb5-libs-1.15.1-34.el7.x86_64
>krb5-server-1.15.1-34.el7.x86_64
>cyrus-sasl-gssapi-2.1.26-23.el7.x86_64
>sssd-krb5-1.16.2-13.el7.x86_64
>httpd-2.4.6-88.el7.centos.x86_64
>
># cat /etc/*release*
>CentOS Linux release 7.4.1708 (Core)
Just a note -- the above is not a CentOS 7.4.1708. If you updated IPA
packages selectively to a version from CentOS 7.6.1810 without updating
whole distribution to that version, there is no guarantee everything is
working.
>What could be the next troubleshooting step in my case?
Please show
getcert list -f /var/kerberos/krb5kdc/kdc.crt
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
8:45 a.m.
New subject: FreeIPA 4.6.4 Web GUI - Login failed due to an unknown reason.
On ti, 04 joulu 2018, Andrey Ptashnik wrote:
Alexander,
Please find output below:
[root@ipa-server-01 ~]# openssl x509 -text -in /var/kerberos/krb5kdc/kdc.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=NIX.MYDOMAIN.COM, CN=ipa-server-01.nix.MYDOMAIN.COM
Yep -- this is
self-signed certificate instead of using the right one
from IPA CA.
[root@ipa-server-01 krb5kdc]# rm -f kdc.crt
[root@ipa-server-01 krb5kdc]# rm -f kdc.key
[root@ipa-server-01 krb5kdc]#
[root@ipa-server-01 krb5kdc]# ipa-pkinit-manage enable
Configuring Kerberos KDC (krb5kdc)
[1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
The ipa-pkinit-manage command was successful
[root@ipa-server-01 krb5kdc]# ls -la
total 20
drwxr-xr-x. 2 root root 82 Dec 4 08:16 .
drwxr-xr-x. 4 root root 31 Nov 2 11:13 ..
-rw-r--r-- 1 root root 1298 Dec 4 08:16 cacert.pem
-rw------- 1 root root 22 Oct 30 09:40 kadm5.acl
-rwxr-xr-x 1 root root 612 Nov 30 2017 kdc.conf
-rw-r--r-- 1 root root 1667 Dec 4 08:16 kdc.crt
-rw------- 1 root root 1704 Dec 4 08:16 kdc.key
[root@ipa-server-01 krb5kdc]#
After certificate update it looks like Web GUI is working.
So, this is another
version of https://pagure.io/freeipa/issue/7200
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
1978
days inactive
1978
days old
freeipa-users@lists.fedorahosted.org
5 comments
2 participants
participants (2)
-
Alexander Bokovoy -
Andrey Ptashnik