Thank you Rob, I am having exactly the same problem.

On Tue, Feb 1, 2022 at 12:55 AM Rob Crittenden <rcrit...@redhat.com> wrote:
> code bugs via FreeIPA-users wrote:
> > Thank you for your prompt response.
> >
> > here is the output of /var/log/krb5kdc.log during my login attempt.
> [snip]
> > Feb 01 00:25:44 ipa1.example.com krb5kdc[3754](Error): PAC issue: PAC record claims domain SID different to local domain SID or any trusted domain SID: local [S-1-5-21-4170108275-2486169439-623049963], PAC [S-1-5-21-4279381677-1236361367-2895659079]
>
> This is the problem.
>
> See
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/4S4QQDC4FBVTA4GYWWVBPKGYN3MF4UJ6/#4S4QQDC4FBVTA4GYWWVBPKGYN3MF4UJ6
>
> rob
>
> >
> > There is not much activity log in /var/log/httpd/error_log:
> >
> > [Tue Feb 01 00:20:59.340501 2022] [wsgi:error] [pid 10150:tid 139780524480256] [remote 10.2.3.188:49652] ipa: INFO: [jsonserver_i18n_messages] UNKNOWN: i18n_messages(version='2.245'): SUCCESS
> > [Tue Feb 01 00:25:44.539447 2022] [wsgi:error] [pid 10149:tid 139780524480256] [remote 10.2.3.188:49753] ipa: INFO: 401 Unauthorized: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2598844948): TGT has been revoked
> >
> > On Tue, Feb 1, 2022 at 12:17 AM Alexander Bokovoy <aboko...@redhat.com> wrote:
> >
> > On Sat, 29 Jan 2022, code bugs via FreeIPA-users wrote:
> > >Hello,
> > >
> > >-IPA WebGUI login fails with "Login failed due to an unknown reason"
> > >-After upgrading IPA, can no longer log into the WebGUI
> > >Version/Release/Distribution
> > >
> > >$ cat /etc/centos-release
> > >CentOS Linux release 8.5.2111
> > >$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
> > >package freeipa-server is not installed
> > >package freeipa-client is not installed
> > >ipa-server-4.9.6-10.module_el8.5.0+1055+c415bbe9.x86_64
> > >ipa-client-4.9.6-10.module_el8.5.0+1055+c415bbe9.x86_64
> > >389-ds-base-1.4.3.23-12.module_el8.5.0+1056+b3c5a4b9.x86_64
> > >pki-ca-10.11.2-2.module_el8.5.0+945+a81e57da.noarch
> > >krb5-server-1.18.2-14.el8.x86_64
> > >Additional info:
> > >
> > >tail /var/log/httpd/error_log
> > >
> > >[wsgi:error] [pid 8833:tid 139812622513920] [remote 10.2.3.80:51404] ipa: INFO: 401 Unauthorized: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2598844948): TGT has been revoked
> >
> > Please show entries in /var/log/krb5kdc.log corresponding to this
> > timeframe. If TGT is revoked, it most likely is documented why in that
> > log. Also, if possible, show other requests in httpd's error_log for the
> > same timeframe -- if that was Web UI login, there would be few around
> > this error.
> >
> > One possible problem could be what is documented in
> > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/4S4QQDC4FBVTA4GYWWVBPKGYN3MF4UJ6/#7SKWKKFFDMMFWOXPR53ZFGB634RKJHVU
> > but then it would not be possible to get a Kerberos ticket in kinit as
> > well. Perhaps, you have a problem with anonymous PKINIT on this host
> > instead.
> >
> > >
> > >further,
> > >
> > > 1. default "admin" user can log in to the IPA WebGUI
> > > 2. other users cannot log in to the IPA WebGUI, but can log in using the CLI (kinit)
> > > 3. when I create a new user, the new user can log in to the IPA WebGUI.
> > >
> >
> > --
> > / Alexander Bokovoy
> > Sr. Principal Software Engineer
> > Security / Identity Management Engineering
> > Red Hat Limited, Finland
> >