(I registered an internal account; I can't log in via OpenID for some reason.)

Thank you for the thread link, this will definitely help.
I have been investigating a problem I'm facing further and it seems to stem 
from the gssproxy.service. However, it appears in two forms.

The first is a clear error form. When attempting to log in, it shows a message 
"Login failed due to an unknown reason". When doing a request via ipa cli, it 
shows the following error message:

[root@sandbox-dev-01 ~]# ipa ping
ipa: ERROR: Could not create log_dir '/root/.ipa/log'
ipa: ERROR: No valid Negotiate header in server response

In the httpd error_log, I can see a clear error:

[Mon Apr 17 19:31:36.132659 2023] [auth_gssapi:error] [pid 2539:tid 
140105910048512] [client 172.28.46.83:38428] GSS ERROR In Negotiate Auth: 
gss_accept_sec_context() failed: [Unspecified GSS failure. Minor code may 
provide more information ( No such file or directory (filename: 
/var/lib/gssproxy/rcache/krb5_0.rcache2))], referer: 
https://sandbox-dev-01.test.ipa.gtp/ipa/xml

There is actually no file /var/lib/gssproxy/rcache/krb5_0.rcache2, or even an 
'rcache' directory for some reason I'm not sure of right now. I believe the 
problem will be resolved if the missing file is in place.



The second form is obscure because there is no log of the problem in the httpd 
error_log. When attempting to log in, it shows a message "Your session has 
expired. Please log in again". When using the ipa cli tool, the first request 
fails with a GSS type of error, but the second one succeeds. If I do "kdestroy 
-A" and try again, there will be an error on the first attempt again:

[root@ipa-test-server /]# ipa ping
ipa: ERROR: Could not create log_dir '/root/.ipa/log'
ipa: ERROR: Ticket expired

[root@ipa-test-server /]# kinit admin
Password for ad...@test.ipa.gtp:

[root@ipa-test-server /]# ipa ping
ipa: ERROR: Could not create log_dir '/root/.ipa/log'
ipa: ERROR: Major (851968): Unspecified GSS failure. Minor code may provide 
more information, Minor (69206018): gss_display_status call returned failure 
(major 327680, minor 100007). Decoding code: 69206018

[root@ipa-test-server /]# ipa ping
ipa: ERROR: Could not create log_dir '/root/.ipa/log'
ipa: WARNING: Failed to write schema: [Errno 2] No such file or directory: 
'/root/.cache/ipa'
ipa: WARNING: Failed to write server info: [Errno 2] No such file or directory: 
'/root/.cache/ipa'

IPA server version 4.9.10. API version 2.248

[root@ipa-test-server /]# kdestroy -A

[root@ipa-test-server /]# kinit admin
Password for ad...@test.ipa.gtp:

[root@ipa-test-server /]# ipa ping
ipa: ERROR: Could not create log_dir '/root/.ipa/log'
ipa: ERROR: Major (851968): Unspecified GSS failure. Minor code may provide 
more information, Minor (69206018): gss_display_status call returned failure 
(major 327680, minor

The file /var/lib/gssproxy/rcache/krb5_0.rcache2 is in place, and in this case 
the problem actually resolves with a restart of gssproxy.service.

Can you shed some light on what the rcache2 file is?
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
