On Sat, 29 Jan 2022, code bugs via FreeIPA-users wrote:
Hello,

- IPA WebGUI login fails with "Login failed due to an unknown reason"
- After upgrading IPA, can no longer log into the WebGUI
Version/Release/Distribution

$ cat /etc/centos-release
CentOS Linux release 8.5.2111
$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
package freeipa-server is not installed
package freeipa-client is not installed
ipa-server-4.9.6-10.module_el8.5.0+1055+c415bbe9.x86_64
ipa-client-4.9.6-10.module_el8.5.0+1055+c415bbe9.x86_64
389-ds-base-1.4.3.23-12.module_el8.5.0+1056+b3c5a4b9.x86_64
pki-ca-10.11.2-2.module_el8.5.0+945+a81e57da.noarch
krb5-server-1.18.2-14.el8.x86_64
Additional info:

tail /var/log/httpd/error_log

[wsgi:error] [pid 8833:tid 139812622513920] [remote 10.2.3.80:51404] ipa: INFO: 401 Unauthorized: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2598844948): TGT has been revoked

Please show entries in /var/log/krb5kdc.log corresponding to this
timeframe. If TGT is revoked, it is most likely documented why in that
log. Also, if possible, show other requests in httpd's error_log for the
same timeframe -- if that was a Web UI login, there would be a few around
this error.

One possible problem could be what is documented in
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/4S4QQDC4FBVTA4GYWWVBPKGYN3MF4UJ6/#7SKWKKFFDMMFWOXPR53ZFGB634RKJHVU
but then it would not be possible to get a Kerberos ticket with kinit
either. Perhaps you have a problem with anonymous PKINIT on this host
instead.


Further,

  1. The default "admin" user can log in to the IPA WebGUI.
  2. Other users cannot log in to the IPA WebGUI, but can log in using the CLI
  (kinit).
  3. When I create a new user, the new user can log in to the IPA WebGUI.




--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
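
The log correlation requested in the reply above, as an added example that is not part of the original message or of FreeIPA. It assumes the default Apache 2.4 error_log timestamp prefix and the MIT krb5 file-log prefix (month, day, time, host); the sample lines are constructed and the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs (not from the thread): timestamps, host name and
# thread ids are placeholders; only the GSS failure text is the thread's.
HTTPD_LOG = """\
[Sat Jan 29 10:15:30.100200 2022] [wsgi:error] [pid 8833:tid 1] [remote 10.2.3.80:51404] ipa: INFO: (constructed neighbouring request)
[Sat Jan 29 10:15:32.481516 2022] [wsgi:error] [pid 8833:tid 1] [remote 10.2.3.80:51404] ipa: INFO: 401 Unauthorized: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2598844948): TGT has been revoked
[Sat Jan 29 10:20:00.000001 2022] [wsgi:error] [pid 8833:tid 1] [remote 10.2.3.80:51500] ipa: INFO: (constructed later request)
"""
KDC_LOG = """\
Jan 29 10:10:00 ipa.example.test krb5kdc[1201](info): AS_REQ (constructed, outside the window)
Jan 29 10:15:31 ipa.example.test krb5kdc[1201](info): AS_REQ (constructed, inside the window)
Jan 29 10:15:32 ipa.example.test krb5kdc[1201](info): TGS_REQ (constructed, inside the window)
"""

HTTPD_TS = re.compile(r"^\[(\w{3} \w{3} +\d+ [\d:]{8})\.\d+ (\d{4})\]")
KDC_TS = re.compile(r"^(\w{3} +\d+ [\d:]{8}) ")

def httpd_time(line):
    m = HTTPD_TS.match(line)
    return datetime.strptime(" ".join(m.groups()), "%a %b %d %H:%M:%S %Y") if m else None

def kdc_time(line, year):
    # krb5kdc.log timestamps carry no year; assume the year of the httpd entry.
    m = KDC_TS.match(line)
    return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S") if m else None

def correlate(httpd_text, kdc_text, window_s=5):
    """For each GSS failure in error_log, collect httpd and KDC lines within +/- window_s."""
    httpd = [(httpd_time(l), l) for l in httpd_text.splitlines()]
    delta, out = timedelta(seconds=window_s), []
    for ts, line in httpd:
        if ts is None or "Unspecified GSS failure" not in line:
            continue
        near = lambda t: t is not None and abs(t - ts) <= delta
        out.append({
            "failure": line,
            "httpd": [l for t, l in httpd if near(t) and l is not line],
            "kdc": [l for l in kdc_text.splitlines() if near(kdc_time(l, ts.year))],
        })
    return out

if __name__ == "__main__":
    for hit in correlate(HTTPD_LOG, KDC_LOG):
        print("FAILURE:", hit["failure"])
        for l in hit["httpd"]: print("  httpd:", l)
        for l in hit["kdc"]: print("  kdc:  ", l)
```

On the server, pass the contents of /var/log/httpd/error_log and /var/log/krb5kdc.log to `correlate()` in place of the sample strings.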