On Wed, 02 Feb 2022, code bugs wrote:
After following the @Dan West
<https://lists.fedorahosted.org/archives/users/138940716030953366928314736264121067319/>
solution
described at
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/4S4QQDC4FBVTA4GYWWVBPKGYN3MF4UJ6/#7SKWKKFFDMMFWOXPR53ZFGB634RKJHVU
, users are able to log in to the IPA WebGUI.

My setup uses this FreeIPA LDAP for Wi-Fi authentication using FreeRADIUS.

Now the users are unable to log in to the Wi-Fi network using the RADIUS
server (FreeRADIUS). FreeRADIUS is throwing MS-CHAP-Error = "\000E=691 R=1
C=269d5124d7a4e4f1 v=1".
I guess since FreeRADIUS uses the ipaNTHash attribute in mschap, and in the @Dan
West solution this attribute was deleted.

That's the most likely cause, yes.

There are two ways to recover ipaNTHash attribute values. The first one:
change the password. This will cause ipaNTHash to be generated if its
generation is not disabled in the IPA configuration (it is not by default).

Another path depends on whether your users' Kerberos keys have arcfour-hmac encryption keys already. If they do, you can trigger
re-creation of ipaNTHash by adding it with a special value:

dn: uid=foo,cn=users,cn=accounts,dc=ipa,dc=test
changetype: modify
add: ipaNTHash
ipaNTHash: MagicRegen

You can do this either as cn=Directory Manager, or as an admin, or as a
user themselves. Perhaps, doing this as cn=Directory Manager will be a
bit easier. In case there is no arcfour-hmac encryption key in the
Kerberos keys for the user in question, you would get LDAP error
LDAP_UNWILLING_TO_PERFORM.




On Tue, Feb 1, 2022 at 12:17 AM Alexander Bokovoy <aboko...@redhat.com>
wrote:

On Sat, 29 Jan 2022, code bugs via FreeIPA-users wrote:
>Hello,
>
>-IPA WebGUI login fails with "Login failed due to an unknown reason"
>-After upgrading IPA, can no longer log into the WebGUI
>Version/Release/Distribution
>
>$ cat /etc/centos-release
>CentOS Linux release 8.5.2111
>$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base
>pki-ca krb5-server
>package freeipa-server is not installed
>package freeipa-client is not installed
>ipa-server-4.9.6-10.module_el8.5.0+1055+c415bbe9.x86_64
>ipa-client-4.9.6-10.module_el8.5.0+1055+c415bbe9.x86_64
>389-ds-base-1.4.3.23-12.module_el8.5.0+1056+b3c5a4b9.x86_64
>pki-ca-10.11.2-2.module_el8.5.0+945+a81e57da.noarch
>krb5-server-1.18.2-14.el8.x86_64
>Additional info:
>
>tail /var/log/httpd/error_log
>
>[wsgi:error] [pid 8833:tid 139812622513920] [remote 10.2.3.80:51404] ipa:
>INFO: 401 Unauthorized: Major (851968): Unspecified GSS failure. Minor code
>may provide more information, Minor (2598844948): TGT has been revoked

Please show entries in /var/log/krb5kdc.log corresponding to this
timeframe. If TGT is revoked, it most likely is documented why in that
log. Also, if possible, show other requests in httpd's error_log for the
same timeframe -- if that was a Web UI login, there would be a few around
this error.

One possible problem could be what is documented in

https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/4S4QQDC4FBVTA4GYWWVBPKGYN3MF4UJ6/#7SKWKKFFDMMFWOXPR53ZFGB634RKJHVU
but then it would not be possible to get a Kerberos ticket in kinit as
well. Perhaps, you have a problem with anonymous PKINIT on this host
instead.

>
>further,
>
>   1. the default "admin" user can log in to the IPA WebGUI
>   2. other users cannot log in to the IPA WebGUI, but can log in using the CLI
>   (kinit)
>   3. when I create a new user, the new user can log in to the IPA WebGUI.




--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland






--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
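The regeneration path described in the reply above, as an added example (not code from the FreeIPA project or from either message author): a small shell wrapper that generates the MagicRegen LDIF for a given uid, applies it as cn=Directory Manager, and maps ldapmodify's exit status (OpenLDAP's ldapmodify exits with the LDAP result code) to the two outcomes the reply describes. The server URL ldap://ipa.ipa.test is a hypothetical placeholder; the base DN dc=ipa,dc=test is taken from the LDIF in the reply.

```shell
#!/bin/sh
# Added example (not FreeIPA project code): request regeneration of a user's
# ipaNTHash over LDAP with the MagicRegen marker and diagnose the result.
# Assumptions: OpenLDAP client tools (ldapmodify) are installed, the IPA base
# DN is dc=ipa,dc=test, and the server URL below is a placeholder.

BASE_DN="dc=ipa,dc=test"
LDAP_URL="ldap://ipa.ipa.test"   # hypothetical server; adjust to your realm

# Emit the LDIF modify request that asks the server to regenerate ipaNTHash
# for one uid from the user's existing arcfour-hmac Kerberos key.
magic_regen_ldif() {
    printf 'dn: uid=%s,cn=users,cn=accounts,%s\n' "$1" "$BASE_DN"
    printf 'changetype: modify\n'
    printf 'add: ipaNTHash\n'
    printf 'ipaNTHash: MagicRegen\n'
}

# ldapmodify exits with the LDAP result code. 0 means the server accepted the
# marker and derived ipaNTHash from the arcfour-hmac key; 53 is
# LDAP_UNWILLING_TO_PERFORM, i.e. the user has no arcfour-hmac key and the
# hash can only come back through a password change.
explain_ldap_rc() {
    case "$1" in
        0)  echo "ok: ipaNTHash regenerated from the arcfour-hmac key" ;;
        53) echo "unwilling to perform: no arcfour-hmac key; reset the password instead" ;;
        *)  echo "ldapmodify failed with LDAP result code $1" ;;
    esac
}

# Apply the change as cn=Directory Manager (-W prompts for its password),
# print the diagnosis, and return ldapmodify's exit status to the caller.
regen_nthash() {
    rc=0
    magic_regen_ldif "$1" | ldapmodify -H "$LDAP_URL" -D "cn=Directory Manager" -W || rc=$?
    explain_ldap_rc "$rc"
    return "$rc"
}

# Usage (commented out so the file can be sourced without contacting a server):
# regen_nthash foo
```

If `regen_nthash` reports result code 53, fall back to the first path from the reply and reset the user's password (for example with `ipa passwd foo`), which makes IPA generate ipaNTHash as long as its generation is not disabled in the IPA configuration.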
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org