Thanks Alexander, looks like the same problem.

On Tue, Feb 1, 2022 at 12:59 AM Alexander Bokovoy <aboko...@redhat.com>
wrote:

> On Tue, 01 Feb 2022, code bugs wrote:
> >Thank you for your prompt response.
> >Here is the output of /var/log/krb5kdc.log during my login attempt.
> >
> >Feb 01 00:25:10 ipa1.example.com krb5kdc[3755](info): AS_REQ (6 etypes
> >{aes256-cts-hmac-sha1-96(18), camellia256-cts-cmac(26),
> >aes128-cts-hmac-sha1-96(17), camellia128-cts-cmac(25),
> >aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19)}) 10.2.1.50:
> >NEEDED_PREAUTH: host/ipa1.example....@example.com for krbtgt/
> >example....@example.com, Additional pre-authentication required
> >Feb 01 00:25:10 ipa1.example.com krb5kdc[3755](info): closing down fd 12
> >Feb 01 00:25:10 ipa1.example.com krb5kdc[3755](info): AS_REQ (6 etypes
> >{aes256-cts-hmac-sha1-96(18), camellia256-cts-cmac(26),
> >aes128-cts-hmac-sha1-96(17), camellia128-cts-cmac(25),
> >aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19)}) 10.2.1.50:
> >ISSUE: authtime 1643657110, etypes {rep=aes256-cts-hmac-sha1-96(18),
> >tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, host/
> >ipa1.example....@example.com for krbtgt/example....@example.com
> >Feb 01 00:25:10 ipa1.example.com krb5kdc[3755](info): closing down fd 12
> >Feb 01 00:25:10 ipa1.example.com krb5kdc[3755](info): TGS_REQ (6 etypes
> >{aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20),
> >camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17),
> >aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.2.1.50:
> >ISSUE: authtime 1643657110, etypes {rep=aes256-cts-hmac-sha1-96(18),
> >tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, host/
> >ipa1.example....@example.com for ldap/ipa1.example....@example.com
> >Feb 01 00:25:10 ipa1.example.com krb5kdc[3755](info): closing down fd 12
> >Feb 01 00:25:43 ipa1.example.com krb5kdc[3753](info): AS_REQ (6 etypes
> >{aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20),
> >camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17),
> >aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.2.1.50:
> >NEEDED_PREAUTH: WELLKNOWN/anonym...@example.com for krbtgt/
> >example....@example.com, Additional pre-authentication required
> >Feb 01 00:25:43 ipa1.example.com krb5kdc[3753](info): closing down fd 12
> >Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](info): AS_REQ (6 etypes
> >{aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20),
> >camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17),
> >aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.2.1.50:
> >ISSUE: authtime 1643657144, etypes {rep=aes256-cts-hmac-sha1-96(18),
> >tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)},
> >WELLKNOWN/anonym...@example.com for krbtgt/example....@example.com
> >Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](info): closing down fd 12
> >Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](info): AS_REQ (6 etypes
> >{aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20),
> >camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17),
> >aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.2.1.50:
> >NEEDED_PREAUTH: mukh...@example.com for krbtgt/example....@example.com,
> >Additional pre-authentication required
> >Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](info): closing down fd 12
> >Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](info): AS_REQ (6 etypes
> >{aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20),
> >camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17),
> >aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.2.1.50:
> >ISSUE: authtime 1643657144, etypes {rep=aes256-cts-hmac-sha1-96(18),
> >tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)},
> >mukh...@example.com for krbtgt/example....@example.com
> >Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](info): closing down fd 12
> >Feb 01 00:25:44 ipa1.example.com krb5kdc[3754](Error): PAC issue: PAC
> >record claims domain SID different to local domain SID or any trusted
> >domain SID: local [S-1-5-21-4170108275-2486169439-623049963], PAC [
> >S-1-5-21-4279381677-1236361367-2895659079]
>
> Ok, this looks exactly like a problem I referenced. Please follow that
> thread with solutions.
>
> >Feb 01 00:25:44 ipa1.example.com krb5kdc[3754](info): TGS_REQ :
> >handle_authdata (-1765328364)
> >Feb 01 00:25:44 ipa1.example.com krb5kdc[3754](info): TGS_REQ (6 etypes
> >{aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20),
> >camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17),
> >aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.2.1.50:
> >HANDLE_AUTHDATA: authtime 1643657144, etypes {rep=UNSUPPORTED:(0)}
> >mukh...@example.com for HTTP/ipa1.example....@example.com, TGT has been
> >revoked
> >Feb 01 00:25:44 ipa1.example.com krb5kdc[3754](info): closing down fd 12
> >Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](Error): PAC issue: PAC
> >record claims domain SID different to local domain SID or any trusted
> >domain SID: local [S-1-5-21-4170108275-2486169439-623049963], PAC [
> >S-1-5-21-4279381677-1236361367-2895659079]
> >Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](info): TGS_REQ :
> >handle_authdata (-1765328364)
> >Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](info): TGS_REQ (6 etypes
> >{aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20),
> >camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17),
> >aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.2.1.50:
> >HANDLE_AUTHDATA: authtime 1643657144, etypes {rep=UNSUPPORTED:(0)}
> >mukh...@example.com for HTTP/ipa1.example....@example.com, TGT has been
> >revoked
> >Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](info): closing down fd 12
> >
> >
> >There is not much activity logged in /var/log/httpd/error_log:
> >
> >[Tue Feb 01 00:20:59.340501 2022] [wsgi:error] [pid 10150:tid
> >139780524480256] [remote 10.2.3.188:49652] ipa: INFO:
> >[jsonserver_i18n_messages] UNKNOWN: i18n_messages(version='2.245'): SUCCESS
> >[Tue Feb 01 00:25:44.539447 2022] [wsgi:error] [pid 10149:tid
> >139780524480256] [remote 10.2.3.188:49753] ipa: INFO: 401 Unauthorized:
> >Major (851968): Unspecified GSS failure.  Minor code may provide more
> >information, Minor (2598844948): TGT has been revoked
> >
> >On Tue, Feb 1, 2022 at 12:17 AM Alexander Bokovoy <aboko...@redhat.com>
> >wrote:
> >
> >> On Sat, 29 Jan 2022, code bugs via FreeIPA-users wrote:
> >> >Hello,
> >> >
> >> >-IPA WebGUI login fails with "Login failed due to an unknown reason"
> >> >-After upgrading IPA, can no longer log into the WebGUI
> >> >Version/Release/Distribution
> >> >
> >> >$ cat /etc/centos-release
> >> >CentOS Linux release 8.5.2111
> >> >$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
> >> >package freeipa-server is not installed
> >> >package freeipa-client is not installed
> >> >ipa-server-4.9.6-10.module_el8.5.0+1055+c415bbe9.x86_64
> >> >ipa-client-4.9.6-10.module_el8.5.0+1055+c415bbe9.x86_64
> >> >389-ds-base-1.4.3.23-12.module_el8.5.0+1056+b3c5a4b9.x86_64
> >> >pki-ca-10.11.2-2.module_el8.5.0+945+a81e57da.noarch
> >> >krb5-server-1.18.2-14.el8.x86_64
> >> >Additional info:
> >> >
> >> >tail /var/log/httpd/error_log
> >> >
> >> >[wsgi:error] [pid 8833:tid 139812622513920] [remote 10.2.3.80:51404] ipa:
> >> >INFO: 401 Unauthorized: Major (851968): Unspecified GSS failure. Minor code
> >> >may provide more information, Minor (2598844948): TGT has been revoked
> >>
> >> Please show entries in /var/log/krb5kdc.log corresponding to this
> >> timeframe. If TGT is revoked, it most likely is documented why in that
> >> log. Also, if possible, show other requests in httpd's error_log for the
> >> same timeframe -- if that was Web UI login, there would be few around
> >> this error.
> >>
> >> One possible problem could be what is documented in
> >> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/4S4QQDC4FBVTA4GYWWVBPKGYN3MF4UJ6/#7SKWKKFFDMMFWOXPR53ZFGB634RKJHVU
> >> but then it would not be possible to get a Kerberos ticket in kinit as
> >> well. Perhaps, you have a problem with anonymous PKINIT on this host
> >> instead.
> >>
> >> >
> >> >further,
> >> >
> >> >   1. The default "admin" user can log in to the IPA WebGUI.
> >> >   2. Other users cannot log in to the IPA WebGUI, but can log in using the
> >> >   CLI (kinit).
> >> >   3. When I create a new user, the new user can log in to the IPA WebGUI.
> >>
> >>
> >>
> >>
> >> --
> >> / Alexander Bokovoy
> >> Sr. Principal Software Engineer
> >> Security / Identity Management Engineering
> >> Red Hat Limited, Finland
> >>
> >>
>
>
>
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>
>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
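The KDC log quoted in the thread shows the whole chain behind the Web UI's 401: the user's AS_REQ for the krbtgt is issued normally (which is why kinit still works), but the following TGS_REQ for the HTTP/ service fails with "TGT has been revoked" immediately after the same krb5kdc worker logs a "PAC issue" whose PAC domain SID does not match the local domain SID. The script below is an added example for this thread, not FreeIPA code or anything posted by the participants: it parses krb5kdc.log and httpd error_log lines, pairs each revoked TGS_REQ with the PAC error logged just before it by the same worker PID, and flags the ones that line up with a Web UI 401 in the same second. The sample lines are constructed from the thread's excerpt (joined back onto single lines, with the etype list shortened); the realm EXAMPLE.COM and the user principal user1 stand in for the obfuscated names; the timestamp format assumes krb5kdc.log's zero-padded "Feb 01" day field. The numeric code -1765328364 is KRB5KDC_ERR_TGT_REVOKED (krb5 error-table base -1765328384 plus 20).

```python
"""Correlate FreeIPA Web UI "TGT has been revoked" 401s with their KDC-side cause.

Added example for this thread, not FreeIPA code. The sample log lines are
constructed from the excerpt in the thread, joined back onto single lines;
the realm EXAMPLE.COM and the user principal user1 are placeholders.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# krb5 error-table value that handle_authdata logs: base -1765328384 + 20.
KRB5KDC_ERR_TGT_REVOKED = -1765328364

# Constructed sample: the PAC error and the failing TGS_REQ are logged by the
# same krb5kdc worker (pid 3754) in the same second, as in the thread.
KDC_LOG = """\
Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](info): AS_REQ (1 etypes {aes256-cts-hmac-sha1-96(18)}) 10.2.1.50: ISSUE: authtime 1643657144, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, user1@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Feb 01 00:25:44 ipa1.example.com krb5kdc[3754](Error): PAC issue: PAC record claims domain SID different to local domain SID or any trusted domain SID: local [S-1-5-21-4170108275-2486169439-623049963], PAC [S-1-5-21-4279381677-1236361367-2895659079]
Feb 01 00:25:44 ipa1.example.com krb5kdc[3754](info): TGS_REQ : handle_authdata (-1765328364)
Feb 01 00:25:44 ipa1.example.com krb5kdc[3754](info): TGS_REQ (1 etypes {aes256-cts-hmac-sha1-96(18)}) 10.2.1.50: HANDLE_AUTHDATA: authtime 1643657144, etypes {rep=UNSUPPORTED:(0)} user1@EXAMPLE.COM for HTTP/ipa1.example.com@EXAMPLE.COM, TGT has been revoked
Feb 01 00:25:44 ipa1.example.com krb5kdc[3754](info): closing down fd 12
"""

# Constructed sample of the matching httpd error_log line (same second).
HTTPD_LOG = """\
[Tue Feb 01 00:25:44.539447 2022] [wsgi:error] [pid 10149:tid 139780524480256] [remote 10.2.3.188:49753] ipa: INFO: 401 Unauthorized: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2598844948): TGT has been revoked
"""

TS = r"(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2})"
KDC = TS + r" \S+ krb5kdc\[(?P<pid>\d+)\]"
PAC_RE = re.compile(
    KDC + r"\(Error\): PAC issue: PAC record claims domain SID different to local "
    r"domain SID or any trusted domain SID: local \[(?P<local>S-[\d-]+)\], "
    r"PAC \[(?P<pac>S-[\d-]+)\]$")
CODE_RE = re.compile(KDC + r"\(info\): TGS_REQ : handle_authdata \((?P<code>-?\d+)\)$")
REVOKED_RE = re.compile(
    KDC + r"\(info\): TGS_REQ .* (?P<client>\S+) for (?P<service>\S+), TGT has been revoked$")
HTTPD_RE = re.compile(
    r"^\[\w{3} " + TS + r"\.\d+ \d{4}\] .* 401 Unauthorized: .*TGT has been revoked$")


@dataclass
class Finding:
    ts: str
    client: str
    service: str
    local_sid: str
    pac_sid: str
    kdc_code: Optional[int]   # value from the handle_authdata line, if logged
    webui_401: bool           # httpd logged the same failure in the same second


def correlate(kdc_log: str, httpd_log: str) -> list[Finding]:
    """Pair each 'TGT has been revoked' TGS_REQ with the PAC error the same
    krb5kdc worker logged just before it; a revoked TGS_REQ with no preceding
    PAC error is some other revocation and is skipped."""
    webui_failures = {m["ts"] for line in httpd_log.splitlines()
                      if (m := HTTPD_RE.match(line))}
    last_pac = {}   # worker pid -> most recent PAC error match
    last_code = {}  # worker pid -> most recent handle_authdata error code
    findings = []
    for line in kdc_log.splitlines():
        if m := PAC_RE.match(line):
            last_pac[m["pid"]] = m
        elif m := CODE_RE.match(line):
            last_code[m["pid"]] = int(m["code"])
        elif m := REVOKED_RE.match(line):
            pac = last_pac.pop(m["pid"], None)
            code = last_code.pop(m["pid"], None)
            if pac is None:
                continue
            findings.append(Finding(
                ts=m["ts"], client=m["client"], service=m["service"],
                local_sid=pac["local"], pac_sid=pac["pac"],
                kdc_code=code, webui_401=m["ts"] in webui_failures))
    return findings


def describe(f: Finding) -> str:
    """One-line summary naming the KDC error when it is the known TGT_REVOKED code."""
    code = "KRB5KDC_ERR_TGT_REVOKED" if f.kdc_code == KRB5KDC_ERR_TGT_REVOKED else str(f.kdc_code)
    where = "Web UI 401 in httpd error_log" if f.webui_401 else "no matching httpd 401"
    return (f"{f.ts} {f.client} -> {f.service}: {code}; PAC domain SID {f.pac_sid} "
            f"does not match local domain SID {f.local_sid}; {where}")


if __name__ == "__main__":
    for finding in correlate(KDC_LOG, HTTPD_LOG):
        print(describe(finding))
```

Pairing by worker PID matters because krb5kdc runs several workers (3753, 3754 and 3755 in the thread) and interleaves their lines; the PAC error carries no principal name, so the only thing tying it to the failed TGS_REQ is that the same worker logged both back to back. A revoked TGS_REQ with no preceding PAC error from that worker is deliberately left out, since the KDC revokes TGTs for other reasons too.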