Hey guys,

I set up my very first FreeIPA installation and I'm currently dealing with an 
issue I hope you can help me with.
I'm running FreeIPA version 4.7.1 on CentOS 8. I installed it about 3 weeks ago, 
and it had been working fine up until a few days ago (after a restart).

I'm encountering several symptoms:

The WebUI won't let me log in anymore
("Login failed due to an unknown reason.")
This was the first error I noticed... since it only happened for users not 
already logged in, I suspected wrong password entries. After a server restart 
everyone got locked out though.

Other post-restart commands that are not working any more:

certutil -L
certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad 
database.

ipa
ERROR: cannot connect to 'https://ipa.**.**/ipa/json': [Errno 111] Connection 
refused

ipa-getkeytab -p HTTP/*@*.* -s ipa.*.* -k /var/lib/ipa/gssproxy/http.keytab
Failed to load translations
SASL Bind failed Local error (-2) SASL(-1): generic failure: GSSAPI Error: 
Unspecified GSS failure.  Minor code may provide more information (Ticket 
expired)!
Failed to bind to server!
Retrying with pre-4.0 keytab retrieval method...
SASL Bind failed Local error (-2) SASL(-1): generic failure: GSSAPI Error: 
Unspecified GSS failure.  Minor code may provide more information (Ticket 
expired)!
Failed to bind to server!
Failed to get keytab
(works with binddn though)

kinit, klist and other kerberos/ldap logins are working fine!

Logfiles:
/var/log/httpd/error_log
[Thu Nov 14 16:38:43.894373 2019] [wsgi:error] [pid 22560:tid 140303294011136] 
[remote *.*.*.*:*] ipa: INFO: [jsonserver_i18n_messages] UNKNOWN: 
i18n_messages(version='2.230'): SUCCESS
[Thu Nov 14 16:38:44.013990 2019] [:warn] [pid 24265:tid 140302572558080] 
[client *.*.*.*:*] KRB5CCNAME file (/run/ipa/ccaches/*@*.*) lookup failed!, 
referer: https://ipa.*.*/ipa/ui/
[Thu Nov 14 16:38:44.036125 2019] [:warn] [pid 24265:tid 140301800822528] 
[client *.*.*.*:*] KRB5CCNAME file (/run/ipa/ccaches/*@*.*) lookup failed!, 
referer: https://ipa.*.*/ipa/ui/
[Thu Nov 14 16:38:57.098920 2019] [wsgi:error] [pid 22560:tid 140303294011136] 
[remote *.*.*.*:*] ipa: INFO: 401 Unauthorized: 
HTTPConnectionPool(host='ipa.*.*', port=80): Max retries exceeded with url: 
/ipa/session/cookie (Caused by 
NewConnectionError('<urllib3.connection.HTTPConnection object at 
0x7f9ae9039f60>: Failed to establish a new connection: [Errno 111] Connection 
refused',))

/var/log/krb5kdc.log
Nov 14 17:14:34 ipa.*.* krb5kdc[22498](info): AS_REQ (8 etypes {18 17 20 19 16 
23 25 26}) 127.0.0.1: NEEDED_PREAUTH: WELLKNOWN/ANONYMOUS@*.* for 
krbtgt/*.*@*.*, Additional pre-authentication required
Nov 14 17:14:34 ipa.*.* krb5kdc[22498](info): closing down fd 12
Nov 14 17:14:34 ipa.*.* krb5kdc[22502](info): AS_REQ (8 etypes {18 17 20 19 16 
23 25 26}) 127.0.0.1: ISSUE: authtime 1573748074, etypes {rep=18 tkt=18 
ses=18}, WELLKNOWN/ANONYMOUS@*.* for krbtgt/*.*@*.*
Nov 14 17:14:34 ipa.*.* krb5kdc[22502](info): closing down fd 12
Nov 14 17:14:34 ipa.*.* krb5kdc[22506](info): AS_REQ (8 etypes {18 17 20 19 16 
23 25 26}) 127.0.0.1: NEEDED_PREAUTH: *@*.* for krbtgt/*.*@*.*, Additional 
pre-authentication required
Nov 14 17:14:34 ipa.*.* krb5kdc[22506](info): closing down fd 12
Nov 14 17:14:34 ipa.*.* krb5kdc[22506](info): AS_REQ (8 etypes {18 17 20 19 16 
23 25 26}) 127.0.0.1: ISSUE: authtime 1573748074, etypes {rep=18 tkt=18 
ses=18}, *@*.* for krbtgt/*.*@*.*
Nov 14 17:14:34 ipa.*.* krb5kdc[22506](info): closing down fd 12
Nov 14 17:14:34 ipa.*.* krb5kdc[22507](info): TGS_REQ (8 etypes {18 17 20 19 16 
23 25 26}) 127.0.0.1: ISSUE: authtime 1573748074, etypes {rep=18 tkt=18 
ses=18}, *@*.* for HTTP/ipa.*.*@*.*
Nov 14 17:14:34 ipa.eagleeye-film.de krb5kdc[22507](info): closing down fd 12

I'm suspecting some GSSAPI/certificate error... /run/ipa/ccaches is empty and 
all non-http authorizations seem to work.
I have been working on a samba configuration for the same server; I have a 
feeling that some of my experiments
(ipa-adtrust-install, authconfig, chmod on keytab, net sam provision)
messed with the rest of the system... I tried to backtrack/revert as much as I 
could, but nothing helped so far. I also think the first WebUI errors had already 
occurred before.

I'd be so happy if anyone could help! So far I've been able to find solutions 
for every issue, but this seems to be a tough one.
Thanks!

-Tristan
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
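The two logs quoted in the post can be correlated mechanically rather than read by eye. The following Python is an added example (not FreeIPA's own code and not from the poster): it parses Apache error_log and krb5kdc.log lines of the shapes shown above into a triage record and applies two correlation rules that are assumptions of this example, not FreeIPA diagnostics. The sample lines are constructed, with example.test names standing in for the masked ones.

```python
"""Log triage for the FreeIPA symptoms in the post (added example, not FreeIPA's code).

Parses Apache error_log and krb5kdc.log lines of the shapes quoted above and
correlates them into findings.  Sample lines and correlation rules are
constructed assumptions for illustration."""
import re
from dataclasses import dataclass, field

# Apache 2.4 error_log: [ts] [module:level] [pid N:tid N] [client|remote IP:port] message
HTTPD_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<src>[^\]]*)\] \[pid (?P<pid>\d+)[^\]]*\] "
    r"(?:\[(?:client|remote) [^\]]*\] )?(?P<msg>.*)$"
)
# krb5kdc.log: Mon DD HH:MM:SS host krb5kdc[pid](level): message
KDC_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\): (?P<msg>.*)$"
)
# KDC request outcome: "AS_REQ (etypes...) 127.0.0.1: ISSUE: ..., client for service"
KDC_REQ_RE = re.compile(
    r"^(?P<req>AS_REQ|TGS_REQ) \(.*?\) (?P<from>\S+): (?P<status>[A-Z_]+): (?P<rest>.*)$"
)
PRINCIPALS_RE = re.compile(r"(?P<client>\S+) for (?P<service>[^\s,]+)")
CONNREFUSED_RE = re.compile(r"HTTPConnectionPool\(host='(?P<host>[^']+)', port=(?P<port>\d+)\)")


@dataclass
class Triage:
    ccache_lookup_failures: int = 0
    refused_endpoints: list = field(default_factory=list)  # (host, port, path)
    kdc_issued: list = field(default_factory=list)         # (req, client, service)
    kdc_denied: list = field(default_factory=list)         # (req, status, client, service)
    findings: list = field(default_factory=list)


def parse_httpd(line: str, t: Triage) -> None:
    """Record the two httpd-side symptoms seen in the post."""
    m = HTTPD_RE.match(line)
    if not m:
        return
    msg = m.group("msg")
    if "KRB5CCNAME file" in msg and "lookup failed" in msg:
        t.ccache_lookup_failures += 1
    cr = CONNREFUSED_RE.search(msg)
    if cr and "Connection refused" in msg:
        path = re.search(r"url: (\S+)", msg)
        t.refused_endpoints.append(
            (cr.group("host"), int(cr.group("port")), path.group(1) if path else "?"))


def parse_kdc(line: str, t: Triage) -> None:
    """Split KDC request lines into issued tickets and real denials."""
    m = KDC_RE.match(line)
    if not m:
        return
    r = KDC_REQ_RE.match(m.group("msg"))
    if not r:
        return  # e.g. "closing down fd 12"
    p = PRINCIPALS_RE.search(r.group("rest"))
    if not p:
        return
    rec = (r.group("req"), p.group("client"), p.group("service"))
    if r.group("status") == "ISSUE":
        t.kdc_issued.append(rec)
    elif r.group("status") != "NEEDED_PREAUTH":  # the preauth round-trip is normal, not a denial
        t.kdc_denied.append((r.group("req"), r.group("status"), rec[1], rec[2]))


def triage(httpd_lines, kdc_lines) -> Triage:
    t = Triage()
    for line in httpd_lines:
        parse_httpd(line, t)
    for line in kdc_lines:
        parse_kdc(line, t)
    # Correlation heuristics (assumptions of this example, not FreeIPA's own diagnostics)
    http_tickets = [c for (req, c, svc) in t.kdc_issued if req == "TGS_REQ" and svc.startswith("HTTP/")]
    if http_tickets and t.ccache_lookup_failures:
        t.findings.append(
            "KDC issued HTTP/ service tickets, yet httpd reports KRB5CCNAME lookup failures: "
            "Kerberos answers; the break is in the web tier that should hold the ccache (httpd/gssproxy).")
    for host, port, path in t.refused_endpoints:
        t.findings.append(
            f"httpd's own request to {host}:{port}{path} got 'Connection refused': "
            f"no listener answered on that port during the login attempt.")
    if t.kdc_denied:
        t.findings.append(f"KDC denials present: {t.kdc_denied}")
    return t


# Constructed sample lines modelled on the post (masked names replaced with example.test).
HTTPD_SAMPLE = [
    "[Thu Nov 14 16:38:43.894373 2019] [wsgi:error] [pid 22560:tid 140303294011136] [remote 192.0.2.10:51234] ipa: INFO: [jsonserver_i18n_messages] UNKNOWN: i18n_messages(version='2.230'): SUCCESS",
    "[Thu Nov 14 16:38:44.013990 2019] [:warn] [pid 24265:tid 140302572558080] [client 192.0.2.10:51235] KRB5CCNAME file (/run/ipa/ccaches/admin@EXAMPLE.TEST) lookup failed!, referer: https://ipa.example.test/ipa/ui/",
    "[Thu Nov 14 16:38:44.036125 2019] [:warn] [pid 24265:tid 140301800822528] [client 192.0.2.10:51235] KRB5CCNAME file (/run/ipa/ccaches/admin@EXAMPLE.TEST) lookup failed!, referer: https://ipa.example.test/ipa/ui/",
    "[Thu Nov 14 16:38:57.098920 2019] [wsgi:error] [pid 22560:tid 140303294011136] [remote 192.0.2.10:51236] ipa: INFO: 401 Unauthorized: HTTPConnectionPool(host='ipa.example.test', port=80): Max retries exceeded with url: /ipa/session/cookie (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f9ae9039f60>: Failed to establish a new connection: [Errno 111] Connection refused',))",
]
KDC_SAMPLE = [
    "Nov 14 17:14:34 ipa.example.test krb5kdc[22498](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 127.0.0.1: NEEDED_PREAUTH: WELLKNOWN/ANONYMOUS@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required",
    "Nov 14 17:14:34 ipa.example.test krb5kdc[22498](info): closing down fd 12",
    "Nov 14 17:14:34 ipa.example.test krb5kdc[22502](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 127.0.0.1: ISSUE: authtime 1573748074, etypes {rep=18 tkt=18 ses=18}, WELLKNOWN/ANONYMOUS@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST",
    "Nov 14 17:14:34 ipa.example.test krb5kdc[22506](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 127.0.0.1: NEEDED_PREAUTH: admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required",
    "Nov 14 17:14:34 ipa.example.test krb5kdc[22506](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 127.0.0.1: ISSUE: authtime 1573748074, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST",
    "Nov 14 17:14:34 ipa.example.test krb5kdc[22507](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 127.0.0.1: ISSUE: authtime 1573748074, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.TEST for HTTP/ipa.example.test@EXAMPLE.TEST",
]


def demo() -> Triage:
    return triage(HTTPD_SAMPLE, KDC_SAMPLE)


if __name__ == "__main__":
    for f in demo().findings:
        print("-", f)
```

On the real server the two lists would come from `tail` of the actual files; the parser deliberately treats NEEDED_PREAUTH as the normal first leg of an AS exchange so that only genuine KDC errors land in `kdc_denied`, which keeps the "KDC is fine, web tier is not" conclusion honest.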
