Hello, looking for some help.
We've recently noted that the majority of our web UIs have started to
fail to log in. I have at least one that's still allowing log-ins at present.
When attempting to log in, we get a 401 Unauthorised in the networking
tab for the login POST request, and a banner appears: "Your session has
expired. Please log in again."
In the Kerberos (krb5kdc) logs I see the following:
Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1861](info): AS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.13.3.111: NEEDED_PREAUTH: WELLKNOWN/ANONYMOUS@INT.I-NEDA.COM for krbtgt/INT.I-NEDA.COM@INT.I-NEDA.COM, Additional pre-authentication required
Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1861](info): closing down fd 12
Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1862](info): AS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.13.3.111: ISSUE: authtime 1707232119, etypes {rep=aes256-cts-hmac-sha384-192(20), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, WELLKNOWN/ANONYMOUS@INT.I-NEDA.COM for krbtgt/INT.I-NEDA.COM@INT.I-NEDA.COM
Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1862](info): closing down fd 12
Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1862](info): AS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.13.3.111: NEEDED_PREAUTH: marc.admin@INT.I-NEDA.COM for krbtgt/INT.I-NEDA.COM@INT.I-NEDA.COM, Additional pre-authentication required
Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1862](info): closing down fd 12
Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1862](info): AS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.13.3.111: ISSUE: authtime 1707232119, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, marc.admin@INT.I-NEDA.COM for krbtgt/INT.I-NEDA.COM@INT.I-NEDA.COM
Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1862](info): closing down fd 12
Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1861](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.13.3.111: ISSUE: authtime 1707232119, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, marc.admin@INT.I-NEDA.COM for HTTP/red-ipa01.int.i-neda.com@INT.I-NEDA.COM
Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1861](info): closing down fd 12
Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1862](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.13.3.111: S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 1707232119, etypes {rep=UNSUPPORTED:(0)} HTTP/red-ipa01.int.i-neda.com@INT.I-NEDA.COM for ldap/red-ipa01.int.i-neda.com@INT.I-NEDA.COM, KDC policy rejects request
Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1862](info): ... CONSTRAINED-DELEGATION s4u-client=<unknown>
Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1862](info): closing down fd 12
Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1862](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.13.3.111: S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 1707232119, etypes {rep=UNSUPPORTED:(0)} HTTP/red-ipa01.int.i-neda.com@INT.I-NEDA.COM for ldap/red-ipa01.int.i-neda.com@INT.I-NEDA.COM, KDC policy rejects request
Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1862](info): ... CONSTRAINED-DELEGATION s4u-client=<unknown>
Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1862](info): closing down fd 12
We are not having issues with other parts of the auth system, as we are
still able to SSH into servers, use sudo over shared auth, etc., and we
can verify the issue isn't config on the cluster side. These hosts are
updated regularly in a round robin. One host that is allowing web UI
access was updated and restarted last night, so I don't believe it's a
package / code level issue either.
Any help or pointers would be greatly appreciated.
Please check the list archives. IPA now requires a PAC. This means
every user needs a SID. It is likely yours is missing it.
rob
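Rob's pointer leaves two practical questions open: which users are actually tripping the PAC check, and which of those have no SID. The script below is an added illustration written for this page, not code from the thread or from FreeIPA. It works on constructed samples modelled on the log above: it correlates krb5kdc TGS_REQ lines so that each S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC rejection is attributed to the user whose HTTP/ service ticket was last issued from the same client IP (the KDC itself only logs s4u-client=<unknown>), and it parses `ipa user-find --all --raw` style output to list uids that carry no `ipantsecurityidentifier`. The second user jane.ops, the IP 10.13.3.57 and the SID value are invented; the IP-based correlation is a heuristic that breaks behind NAT; and the `ipa config-mod --enable-sid --add-sids` command named in the comments is the FreeIPA option for generating missing SIDs, to be confirmed against your installed version's `ipa config-mod --help`.

```python
"""Triage for 'web UI returns 401 while the KDC logs S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC'.
All input below is constructed sample data modelled on the thread, not real logs."""
import re

PREFIX = "Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1862](info): "
ETYPES = ("(6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), "
          "aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), "
          "camellia256-cts-cmac(26), camellia128-cts-cmac(25)})")
SES = ("etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), "
       "ses=aes256-cts-hmac-sha1-96(18)}")
HTTP_SVC = "HTTP/red-ipa01.int.i-neda.com@INT.I-NEDA.COM"
LDAP_SVC = "ldap/red-ipa01.int.i-neda.com@INT.I-NEDA.COM"


def _kdc(ip, msg):
    """Build one constructed krb5kdc TGS_REQ line in the format seen in the thread."""
    return f"{PREFIX}TGS_REQ {ETYPES} {ip}: {msg}"


# Constructed log: jane.ops (has a SID) succeeds, marc.admin (no SID) is rejected.
KDC_LOG = "\n".join([
    _kdc("10.13.3.57", f"ISSUE: authtime 1707232000, {SES}, jane.ops@INT.I-NEDA.COM for {HTTP_SVC}"),
    _kdc("10.13.3.57", f"ISSUE: authtime 1707232000, {SES}, {HTTP_SVC} for {LDAP_SVC}"),
    PREFIX + "... CONSTRAINED-DELEGATION s4u-client=jane.ops@INT.I-NEDA.COM",
    _kdc("10.13.3.111", f"ISSUE: authtime 1707232119, {SES}, marc.admin@INT.I-NEDA.COM for {HTTP_SVC}"),
    PREFIX + "closing down fd 12",
    _kdc("10.13.3.111", "S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 1707232119, "
         f"etypes {{rep=UNSUPPORTED:(0)}} {HTTP_SVC} for {LDAP_SVC}, KDC policy rejects request"),
    PREFIX + "... CONSTRAINED-DELEGATION s4u-client=<unknown>",
])

# Constructed `ipa user-find --all --raw` output (attributes trimmed to what matters).
USER_FIND_RAW = """\
--------------
2 users matched
--------------
  dn: uid=jane.ops,cn=users,cn=accounts,dc=int,dc=i-neda,dc=com
  uid: jane.ops
  krbprincipalname: jane.ops@INT.I-NEDA.COM
  ipantsecurityidentifier: S-1-5-21-3623811015-3361044348-30300820-1003

  dn: uid=marc.admin,cn=users,cn=accounts,dc=int,dc=i-neda,dc=com
  uid: marc.admin
  krbprincipalname: marc.admin@INT.I-NEDA.COM
----------------------------
Number of entries returned 2
----------------------------
"""

TGS_ISSUE = re.compile(
    r"TGS_REQ .* (?P<ip>\d+\.\d+\.\d+\.\d+): ISSUE: .*}, (?P<client>\S+) for (?P<server>\S+)$")
S4U_FAIL = re.compile(
    r"TGS_REQ .* (?P<ip>\d+\.\d+\.\d+\.\d+): S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: .* "
    r"(?P<proxy>\S+) for (?P<target>\S+), KDC policy rejects request$")


def find_pacless_logins(log_text):
    """Return one record per rejected S4U2Proxy request, attributed to the user whose
    ticket for the proxying HTTP/ principal was most recently issued from the same
    client IP. Heuristic: several users behind one NAT address would be conflated."""
    last_http_client = {}  # client IP -> user principal that last got an HTTP/ ticket
    findings = []
    for line in log_text.splitlines():
        m = TGS_ISSUE.search(line)
        if m and m["server"].startswith("HTTP/"):
            last_http_client[m["ip"]] = m["client"]
            continue
        m = S4U_FAIL.search(line)
        if m:
            findings.append({"user": last_http_client.get(m["ip"], "<unknown>"),
                             "proxy": m["proxy"], "target": m["target"]})
    return findings


def users_missing_sid(raw_output):
    """Parse `ipa user-find --all --raw` text and return uids with no
    ipantsecurityidentifier attribute (no SID means the KDC cannot build a PAC)."""
    missing = []
    for block in re.split(r"\n\s*\n", raw_output.strip()):
        attrs = {}
        for line in block.splitlines():
            line = line.strip()
            if ":" in line and not line.startswith("-"):
                key, _, value = line.partition(":")
                attrs.setdefault(key.lower(), []).append(value.strip())
        if "uid" in attrs and "ipantsecurityidentifier" not in attrs:
            missing.append(attrs["uid"][0])
    return missing


if __name__ == "__main__":
    for f in find_pacless_logins(KDC_LOG):
        print(f"{f['user']}: {f['proxy']} -> {f['target']} rejected (evidence ticket has no PAC)")
    missing = users_missing_sid(USER_FIND_RAW)
    print("users without ipantsecurityidentifier:", missing)
    if missing:
        # Generating SIDs is an admin action on the IPA server. The FreeIPA option for
        # this is `ipa config-mod --enable-sid --add-sids` (check your version's
        # --help); afterwards confirm with `ipa user-show <uid> --all --raw`.
        print("next step on the IPA server: ipa config-mod --enable-sid --add-sids")
```

On a real server, feed `journalctl -u krb5kdc` (or /var/log/krb5kdc.log) to `find_pacless_logins` and the output of `ipa user-find --all --raw` to `users_missing_sid`; the two lists should overlap on the users who get the 401 banner.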