Re: [Freeipa-users] WebUI authentication problems

2015-02-20 Thread Dan Mossor

On 02/20/2015 03:53 AM, Petr Vobornik wrote:

On 02/20/2015 09:44 AM, Martin Kosek wrote:

On 02/20/2015 02:00 AM, Dan Mossor wrote:

<---snip--->

After approximately 15 minutes, I am kicked out of the active session
- while
in the middle of using it - and cannot log back in.


Default FreeIPA session lifetime is 20 mins. Expiration time is extended
on each request. The session also expires when the krb ticket expires. We have a
known issue that the Web UI, if SSO is used, does not work if the ticket expires
in 5 mins, but it produces slightly different output.



So, the oddity continues. Firefox was at fault here - once I cleaned up 
FF and configured it with the new certificate, these authentication 
problems cleared up.



Login was
attempted from 4
browsers across two machines, and every time the login screen returns
with
"Your session has expired. Please re-login."


Does it work if you use forms-based authentication or if you use CLI tool?



When I attempted to go to use the form based authentication from both 
Firefox and Chrome, it brought up the page to configure the browser - it 
did not present me with a login.




[Fri Feb 20 00:45:35.603016 2015] [auth_kerb:error] [pid 1173] [client
10.1.1.17:54157] gss_accept_sec_context() failed: An unsupported
mechanism was
requested (, Unknown error), referer: https://vader.dom.net/ipa/ui/


This looks like a culprit to me, though IDK what its cause is. Simo may
know more.

In the meantime you could try to enable debugging to get more info from
/var/log/httpd/error_log by creating /etc/ipa/server.conf and restarting
httpd.

 # cat /etc/ipa/server.conf
 [global]
 debug=True

You could also open browser developer tools (press F12) and inspect XHR
communication in network tab [1]. Check especially if some request to
/ipa/session/json or ipa/session/login_kerberos or
ipa/session/login_password does not end with 401 Unauthorized status
code. And then what's the cause of next 401 after series of 200. It
might contain some pointers. Like session expiration time and such.

[1] https://pvoborni.fedorapeople.org/images/ff-dev-tools-xhr.png



I was looking at the console last night, and unfortunately I didn't save 
any of the error messages displayed. I can't recall the exact wording, 
but the one clue I was able to get from the Firefox console was that the 
certificate wasn't trusted - it said it was because it was expired, but 
it was actually due to my not having granted the exception to the 
self-signed cert yet. I was unable to do this due to the Firefox 
glitches mentioned previously.




Restarting httpd, I can log in, and am immediately logged out again
with the
above errors.

Restarting ipa.service, I was able to log in with my user account, and
was
notified that my password expires in 0 days - even though it was just
created
less than an hour ago.


Have you modified Kerberos Ticket Policy or any Password Policy?



No, it was a default rolekit deployment - the only thing in my
settings.json file was the admin password.



Is this a known issue, or is there a hidden problem with the rolekit
deployment
that I need to track down?


It's not a known issue.



CCing Petr for Web UI and Simo for the Kerberos part. We know about
several common gotchas related to Web UI auth, having them documented on
http://www.freeipa.org/page/Troubleshooting#Cannot_authenticate_to_Web_UI

But this seems like a new case. You can still check the pointers on this
page though. If none of them help, it may help to show us:

- the Kerberos ticket and default encryptions:
$ kinit
$ klist -e

- any related Kerberos errors from  /var/log/krb5kdc.log

Martin


After much deliberation and many reboots, I finally figured out one key 
issue - I was using a Fedora 21 Cloud image to deploy, and converting 
the Cloud product to the Server product after the instance was created. 
For some reason, my original step of issuing 'systemctl disable 
cloud-init.service', while returning a successful message, was undone on 
the next reboot. The cloud-init tools were resetting the hostname on 
every boot to freeipa.localdomain, as that was what was used in the 
seed. This was causing pkinit to fail, so nothing would authenticate.


The cloud-init services are all removed now, and the system is stable. I 
sent this original message out of frustration because I was stymied at 
the problem. I eventually figured it out, and apologize for not 
following up when I figured out the errors were all mine.


Thank you all for the pointers, the help y'all dish out here on the list 
is phenomenal.


Regards,
Dan

--
Dan Mossor, RHCSA
Systems Engineer at Large
Fedora Plasma Product WG | Fedora QA Team | Fedora Server WG
Fedora Infrastructure Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
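Dan's root cause above was the server's hostname being reset on every boot, which broke Kerberos for everything behind the Web UI. The script below is an added example, not code from the thread or from FreeIPA: it compares the FQDN recorded at install time against the live hostname so that this kind of drift is caught before anyone tries to log in. It assumes the install FQDN lives under the `host` key of the `[global]` section of /etc/ipa/default.conf (the `domain` key is used for a second, looser check); that file and its key names are an assumption here, not something the thread states, so verify them on your own install. The sample config text is constructed from the hostname seen in the thread.

```python
import configparser
import socket
import subprocess
import sys

# Constructed sample of /etc/ipa/default.conf, shaped after the [global]
# section FreeIPA writes at install time (key names assumed, see lead-in).
SAMPLE_DEFAULT_CONF = """\
[global]
host = vader.dom.net
basedn = dc=dom,dc=net
realm = DOM.NET
domain = dom.net
xmlrpc_uri = https://vader.dom.net/ipa/xml
"""


def check_hostname(conf_text, running_fqdn):
    """Compare the FQDN FreeIPA was installed with against the live hostname.

    Returns (ok, findings): ok is True when nothing is wrong, findings lists
    each problem in plain words. Names are compared case-insensitively and
    without a trailing dot, since DNS and the kernel disagree on both.
    """
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    installed = cp.get("global", "host", fallback="").strip().lower().rstrip(".")
    domain = cp.get("global", "domain", fallback="").strip().lower().rstrip(".")
    running = running_fqdn.strip().lower().rstrip(".")
    findings = []
    if not installed:
        findings.append("no 'host' key in [global]; cannot verify the install FQDN")
        return False, findings
    if running != installed:
        # This is exactly the cloud-init case from the thread: the box came
        # up as freeipa.localdomain while the KDC only knew vader.dom.net.
        findings.append(f"running hostname {running!r} != installed {installed!r}")
    if domain and not running.endswith("." + domain):
        findings.append(f"running hostname {running!r} is not under IPA domain {domain!r}")
    return not findings, findings


def unit_state(unit):
    """Ask systemd whether a unit is enabled; returns the one-word answer or None."""
    try:
        out = subprocess.run(["systemctl", "is-enabled", unit],
                             capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return out.stdout.strip() or out.stderr.strip() or None


def main(conf_path="/etc/ipa/default.conf"):
    try:
        with open(conf_path) as fh:
            conf_text = fh.read()
    except OSError:
        print(f"{conf_path} not readable, using constructed sample config")
        conf_text = SAMPLE_DEFAULT_CONF
    ok, findings = check_hostname(conf_text, socket.getfqdn())
    print("hostname check:", "OK" if ok else "PROBLEM")
    for f in findings:
        print("  -", f)
    # Dan's 'systemctl disable' was silently undone; show the current state
    # so a re-enabled cloud-init does not go unnoticed.
    state = unit_state("cloud-init.service")
    if state is not None:
        print("cloud-init.service:", state)
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(*sys.argv[1:2]))
```

Run it as root on the IPA server after every boot (or from a cron/timer); a non-zero exit means the live hostname no longer matches what the KDC and the HTTP service principal were created for.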


Re: [Freeipa-users] WebUI authentication problems

2015-02-20 Thread Simo Sorce
On Fri, 2015-02-20 at 11:44 +0100, Gianluca Cecchi wrote:
> On Fri, Feb 20, 2015 at 10:53 AM, Petr Vobornik  wrote:
> 
> > On 02/20/2015 09:44 AM, Martin Kosek wrote:
> >
> >> On 02/20/2015 02:00 AM, Dan Mossor wrote:
> >>
> >>> I just installed a new server on Fedora 21 Server, using the rolekit
> >>> deployment
> >>> tool. Everything was installed and configured (I hope) properly, but I'm
> >>> running into a problem. The version is
> >>> freeipa-server-4.1.2-1.fc21.x86_64, and
> >>> I can connect to the WebUI only after a restart of ipa.service.
> >>>
> >>
> Hello
> I actually have quite similar problems in CentOS 7 too,
> with ipa-server-3.3.3-28.0.1.el7.centos.3.x86_64 and related packages
> So the same behavior that if I restart ipa service I'm able to connect
> (thanks btw, I didn't realize that, having big problems using the WebUI)
> and that my errors are of this type
> 
> [Fri Feb 20 10:32:15.850834 2015] [auth_kerb:error] [pid 2029] [client
> 192.168.1.128:50147] gss_accept_sec_context() failed: An unsupported
> mechanism was requested (, Unknown error), referer:
> https://c7server.localdomain.local/ipa/ui/
> [Fri Feb 20 10:32:22.670791 2015] [auth_kerb:error] [pid 15793] [client
> 192.168.1.128:50150] krb5_get_init_creds_password() failed: Decrypt
> integrity check failed, referer: https://c7server.localdomain.local/ipa/ui/
> 
> This happens both from an external browser (I enabled form authentication)
> and from a firefox session launched from the ipa server itself after
> configuring it for kerberos.
> 
> I don't want to mess with this thread so let me know if I have to open a
> dedicated thread specifying for example CentOS 7 or you think it is ok to
> get in here... so that I paste here other relevant info.

This is a completely different problem, it just means you do not have
appropriate tickets in your browser, which then probably proceeds
trying to use the IAKERB mechanism, and fails.

Simo.



Re: [Freeipa-users] WebUI authentication problems

2015-02-20 Thread Simo Sorce
On Fri, 2015-02-20 at 10:53 +0100, Petr Vobornik wrote:
> >> [Fri Feb 20 00:45:35.603016 2015] [auth_kerb:error] [pid 1173]
> [client
> >> 10.1.1.17:54157] gss_accept_sec_context() failed: An unsupported
> >> mechanism was
> >> requested (, Unknown error), referer: https://vader.dom.net/ipa/ui/
> 
> This looks like a culprit to me, though IDK what its cause is. Simo
> may know more.

I do not know the cause of the above error, investigating.

Simo.



Re: [Freeipa-users] WebUI authentication problems

2015-02-20 Thread Gianluca Cecchi
On Fri, Feb 20, 2015 at 10:53 AM, Petr Vobornik  wrote:

> On 02/20/2015 09:44 AM, Martin Kosek wrote:
>
>> On 02/20/2015 02:00 AM, Dan Mossor wrote:
>>
>>> I just installed a new server on Fedora 21 Server, using the rolekit
>>> deployment
>>> tool. Everything was installed and configured (I hope) properly, but I'm
>>> running into a problem. The version is
>>> freeipa-server-4.1.2-1.fc21.x86_64, and
>>> I can connect to the WebUI only after a restart of ipa.service.
>>>
>>
Hello
I actually have quite similar problems in CentOS 7 too,
with ipa-server-3.3.3-28.0.1.el7.centos.3.x86_64 and related packages
So the same behavior that if I restart ipa service I'm able to connect
(thanks btw, I didn't realize that, having big problems using the WebUI)
and that my errors are of this type

[Fri Feb 20 10:32:15.850834 2015] [auth_kerb:error] [pid 2029] [client
192.168.1.128:50147] gss_accept_sec_context() failed: An unsupported
mechanism was requested (, Unknown error), referer:
https://c7server.localdomain.local/ipa/ui/
[Fri Feb 20 10:32:22.670791 2015] [auth_kerb:error] [pid 15793] [client
192.168.1.128:50150] krb5_get_init_creds_password() failed: Decrypt
integrity check failed, referer: https://c7server.localdomain.local/ipa/ui/

This happens both from an external browser (I enabled form authentication)
and from a firefox session launched from the ipa server itself after
configuring it for kerberos.

I don't want to mess with this thread so let me know if I have to open a
dedicated thread specifying for example CentOS 7 or you think it is ok to
get in here... so that I paste here other relevant info.

Thanks in advance

Gianluca

Re: [Freeipa-users] WebUI authentication problems

2015-02-20 Thread Petr Vobornik

On 02/20/2015 09:44 AM, Martin Kosek wrote:

On 02/20/2015 02:00 AM, Dan Mossor wrote:

I just installed a new server on Fedora 21 Server, using the rolekit
deployment
tool. Everything was installed and configured (I hope) properly, but I'm
running into a problem. The version is
freeipa-server-4.1.2-1.fc21.x86_64, and
I can connect to the WebUI only after a restart of ipa.service.

After approximately 15 minutes, I am kicked out of the active session
- while
in the middle of using it - and cannot log back in.


Default FreeIPA session lifetime is 20 mins. Expiration time is extended
on each request. The session also expires when the krb ticket expires. We have a
known issue that the Web UI, if SSO is used, does not work if the ticket expires
in 5 mins, but it produces slightly different output.



Login was
attempted from 4
browsers across two machines, and every time the login screen returns
with
"Your session has expired. Please re-login."


Does it work if you use forms-based authentication or if you use CLI tool?



/var/log/httpd/errors is showing the following:
[Fri Feb 20 00:37:03.972736 2015] [auth_kerb:error] [pid 1158] [client
10.1.0.15:54958] gss_accept_sec_context() failed: Unspecified GSS
failure.
Minor code may provide more information (, ASN.1 structure is missing a
required field), referer: https://vader.dom.net/ipa/ui/index.html
[Fri Feb 20 00:37:34.300510 2015] [auth_kerb:error] [pid 1173] [client
10.1.0.15:54961] gss_accept_sec_context() failed: Unspecified GSS
failure.
Minor code may provide more information (, ASN.1 structure is missing a
required field), referer: https://vader.dom.net/ipa/ui/index.html
[Fri Feb 20 00:37:34.406615 2015] [auth_kerb:error] [pid 1616] [client
10.1.0.15:54965] gss_accept_sec_context() failed: Unspecified GSS
failure.
Minor code may provide more information (, ASN.1 structure is missing a
required field), referer: https://vader.dom.net/ipa/ui/index.html
[Fri Feb 20 00:37:50.356014 2015] [auth_kerb:error] [pid 1161] [client
10.1.0.15:54966] gss_accept_sec_context() failed: Unspecified GSS
failure.
Minor code may provide more information (, ASN.1 structure is missing a
required field), referer: https://vader.dom.net/ipa/ui/index.html
[Fri Feb 20 00:37:52.263088 2015] [auth_kerb:error] [pid 1417] [client
10.1.0.15:54968] gss_accept_sec_context() failed: Unspecified GSS
failure.
Minor code may provide more information (, ASN.1 structure is missing a
required field), referer: https://vader.dom.net/ipa/ui/index.html
[Fri Feb 20 00:37:52.327075 2015] [auth_kerb:error] [pid 1168] [client
10.1.0.15:54967] gss_accept_sec_context() failed: Unspecified GSS
failure.
Minor code may provide more information (, ASN.1 structure is missing a
required field), referer: https://vader.dom.net/ipa/ui/index.html
[Fri Feb 20 00:45:35.603016 2015] [auth_kerb:error] [pid 1173] [client
10.1.1.17:54157] gss_accept_sec_context() failed: An unsupported
mechanism was
requested (, Unknown error), referer: https://vader.dom.net/ipa/ui/


This looks like a culprit to me, though IDK what its cause is. Simo may
know more.


In the meantime you could try to enable debugging to get more info from
/var/log/httpd/error_log by creating /etc/ipa/server.conf and restarting
httpd.


# cat /etc/ipa/server.conf
[global]
debug=True

You could also open browser developer tools (press F12) and inspect XHR
communication in network tab [1]. Check especially if some request to 
/ipa/session/json or ipa/session/login_kerberos or 
ipa/session/login_password does not end with 401 Unauthorized status 
code. And then what's the cause of next 401 after series of 200. It 
might contain some pointers. Like session expiration time and such.


[1] https://pvoborni.fedorapeople.org/images/ff-dev-tools-xhr.png



Restarting httpd, I can log in, and am immediately logged out again
with the
above errors.

Restarting ipa.service, I was able to log in with my user account, and
was
notified that my password expires in 0 days - even though it was just
created
less than an hour ago.


Have you modified Kerberos Ticket Policy or any Password Policy?



Is this a known issue, or is there a hidden problem with the rolekit
deployment
that I need to track down?


It's not a known issue.



CCing Petr for Web UI and Simo for the Kerberos part. We know about
several common gotchas related to Web UI auth, having them documented on
http://www.freeipa.org/page/Troubleshooting#Cannot_authenticate_to_Web_UI

But this seems like a new case. You can still check the pointers on this
page though. If none of them help, it may help to show us:

- the Kerberos ticket and default encryptions:
$ kinit
$ klist -e

- any related Kerberos errors from  /var/log/krb5kdc.log

Martin

--
Petr Vobornik

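Petr's advice above is to turn on debugging and watch the XHR traffic for the first 401; the auth_kerb lines in /var/log/httpd/error_log are the other half of that picture, and in this thread three different messages show up that point in three different directions. The script below is an added example, not code from the thread or from FreeIPA: it parses mod_auth_kerb error lines of the shape quoted here, groups them by message, client address and failing call, and attaches the follow-up each message got in the replies (Simo's IAKERB explanation, Dan's hostname finding, the krb5kdc.log pointer). The sample log text is constructed from lines quoted in the thread plus one unrelated httpd line and one made-up auth_kerb message so the "other" bucket is exercised; the hints are a summary of this thread, not a general decoder of GSS minor codes.

```python
import re
import sys
from collections import Counter

# Constructed sample: three lines are copied in shape from the thread's
# /var/log/httpd/error_log excerpts, one is an unrelated httpd notice, and
# the "Some other failure" line is made up to exercise the 'other' bucket.
SAMPLE_LOG = """\
[Fri Feb 20 00:37:03.972736 2015] [auth_kerb:error] [pid 1158] [client 10.1.0.15:54958] gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information (, ASN.1 structure is missing a required field), referer: https://vader.dom.net/ipa/ui/index.html
[Fri Feb 20 00:45:35.603016 2015] [auth_kerb:error] [pid 1173] [client 10.1.1.17:54157] gss_accept_sec_context() failed: An unsupported mechanism was requested (, Unknown error), referer: https://vader.dom.net/ipa/ui/
[Fri Feb 20 10:32:22.670791 2015] [auth_kerb:error] [pid 15793] [client 192.168.1.128:50150] krb5_get_init_creds_password() failed: Decrypt integrity check failed, referer: https://c7server.localdomain.local/ipa/ui/
[Fri Feb 20 10:33:00.000000 2015] [core:notice] [pid 1] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Fri Feb 20 10:40:00.000000 2015] [auth_kerb:error] [pid 2029] [client 192.168.1.128:50160] gss_accept_sec_context() failed: Some other failure, referer: https://c7server.localdomain.local/ipa/ui/
"""

# Matches only auth_kerb:error lines; IPv4 client addresses are assumed,
# since that is what the thread shows.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[auth_kerb:error\] \[pid (?P<pid>\d+)\] "
    r"\[client (?P<ip>[^:\]]+):(?P<port>\d+)\] (?P<func>\w+)\(\) failed: "
    r"(?P<msg>.*?)(?:, referer: (?P<referer>\S+))?$"
)

# Follow-up for each message, summarised from the replies in this thread.
HINTS = {
    "An unsupported mechanism was requested":
        "browser had no usable Kerberos ticket and fell back to another "
        "mechanism (IAKERB, per Simo); run 'kinit' and 'klist -e' on the client",
    "ASN.1 structure is missing a required field":
        "malformed GSS token; in this thread the hostname was being reset by "
        "cloud-init on each boot; check 'hostname -f' and /var/log/krb5kdc.log",
    "Decrypt integrity check failed":
        "form login rejected by the KDC (wrong password or key mismatch); "
        "correlate with /var/log/krb5kdc.log",
}


def parse_auth_kerb(log_text):
    """Return one dict per auth_kerb:error line; every other line is skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]


def classify(msg):
    """Map a failure message onto a HINTS key, or 'other' when none applies."""
    for key in HINTS:
        if key in msg:
            return key
    return "other"


def triage(log_text):
    """Summarise failures by category, client address and failing call."""
    records = parse_auth_kerb(log_text)
    return {
        "records": records,
        "by_category": dict(Counter(classify(r["msg"]) for r in records)),
        "by_client": dict(Counter(r["ip"] for r in records)),
        "by_func": dict(Counter(r["func"] for r in records)),
    }


def report(log_text):
    """Print the summary with the thread's follow-up hint for each category."""
    t = triage(log_text)
    print(f"{len(t['records'])} auth_kerb error line(s)")
    for cat, n in sorted(t["by_category"].items(), key=lambda kv: -kv[1]):
        print(f"  {n:4d}  {cat}")
        print(f"        -> {HINTS.get(cat, 'not seen in this thread; read krb5kdc.log')}")
    print("by client:", t["by_client"])
    print("by call:  ", t["by_func"])
    return t


if __name__ == "__main__":
    # Usage: python3 triage.py /var/log/httpd/error_log  (sample data if omitted)
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            report(fh.read())
    else:
        report(SAMPLE_LOG)
```

The grouping by client address matters in a thread like this one: Dan's failures came from two different source addresses, and the "unsupported mechanism" line came from a different client than the ASN.1 ones, which is the first thing to separate before assuming a single cause.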


Re: [Freeipa-users] WebUI authentication problems

2015-02-20 Thread Martin Kosek

On 02/20/2015 02:00 AM, Dan Mossor wrote:

I just installed a new server on Fedora 21 Server, using the rolekit deployment
tool. Everything was installed and configured (I hope) properly, but I'm
running into a problem. The version is freeipa-server-4.1.2-1.fc21.x86_64, and
I can connect to the WebUI only after a restart of ipa.service.

After approximately 15 minutes, I am kicked out of the active session - while
in the middle of using it - and cannot log back in. Login was attempted from 4
browsers across two machines, and every time the login screen returns with
"Your session has expired. Please re-login."

/var/log/httpd/errors is showing the following:
[Fri Feb 20 00:37:03.972736 2015] [auth_kerb:error] [pid 1158] [client
10.1.0.15:54958] gss_accept_sec_context() failed: Unspecified GSS failure.
Minor code may provide more information (, ASN.1 structure is missing a
required field), referer: https://vader.dom.net/ipa/ui/index.html
[Fri Feb 20 00:37:34.300510 2015] [auth_kerb:error] [pid 1173] [client
10.1.0.15:54961] gss_accept_sec_context() failed: Unspecified GSS failure.
Minor code may provide more information (, ASN.1 structure is missing a
required field), referer: https://vader.dom.net/ipa/ui/index.html
[Fri Feb 20 00:37:34.406615 2015] [auth_kerb:error] [pid 1616] [client
10.1.0.15:54965] gss_accept_sec_context() failed: Unspecified GSS failure.
Minor code may provide more information (, ASN.1 structure is missing a
required field), referer: https://vader.dom.net/ipa/ui/index.html
[Fri Feb 20 00:37:50.356014 2015] [auth_kerb:error] [pid 1161] [client
10.1.0.15:54966] gss_accept_sec_context() failed: Unspecified GSS failure.
Minor code may provide more information (, ASN.1 structure is missing a
required field), referer: https://vader.dom.net/ipa/ui/index.html
[Fri Feb 20 00:37:52.263088 2015] [auth_kerb:error] [pid 1417] [client
10.1.0.15:54968] gss_accept_sec_context() failed: Unspecified GSS failure.
Minor code may provide more information (, ASN.1 structure is missing a
required field), referer: https://vader.dom.net/ipa/ui/index.html
[Fri Feb 20 00:37:52.327075 2015] [auth_kerb:error] [pid 1168] [client
10.1.0.15:54967] gss_accept_sec_context() failed: Unspecified GSS failure.
Minor code may provide more information (, ASN.1 structure is missing a
required field), referer: https://vader.dom.net/ipa/ui/index.html
[Fri Feb 20 00:45:35.603016 2015] [auth_kerb:error] [pid 1173] [client
10.1.1.17:54157] gss_accept_sec_context() failed: An unsupported mechanism was
requested (, Unknown error), referer: https://vader.dom.net/ipa/ui/

Restarting httpd, I can log in, and am immediately logged out again with the
above errors.

Restarting ipa.service, I was able to log in with my user account, and was
notified that my password expires in 0 days - even though it was just created
less than an hour ago.

Is this a known issue, or is there a hidden problem with the rolekit deployment
that I need to track down?


CCing Petr for Web UI and Simo for the Kerberos part. We know about several 
common gotchas related to Web UI auth, having them documented on

http://www.freeipa.org/page/Troubleshooting#Cannot_authenticate_to_Web_UI

But this seems like a new case. You can still check the pointers on this page 
though. If none of them help, it may help to show us:


- the Kerberos ticket and default encryptions:
$ kinit
$ klist -e

- any related Kerberos errors from  /var/log/krb5kdc.log

Martin



[Freeipa-users] WebUI authentication problems

2015-02-19 Thread Dan Mossor
I just installed a new server on Fedora 21 Server, using the rolekit 
deployment tool. Everything was installed and configured (I hope) 
properly, but I'm running into a problem. The version is 
freeipa-server-4.1.2-1.fc21.x86_64, and I can connect to the WebUI only 
after a restart of ipa.service.


After approximately 15 minutes, I am kicked out of the active session - 
while in the middle of using it - and cannot log back in. Login was 
attempted from 4 browsers across two machines, and every time the login 
screen returns with "Your session has expired. Please re-login."


/var/log/httpd/errors is showing the following:
[Fri Feb 20 00:37:03.972736 2015] [auth_kerb:error] [pid 1158] [client 
10.1.0.15:54958] gss_accept_sec_context() failed: Unspecified GSS 
failure.  Minor code may provide more information (, ASN.1 structure is 
missing a required field), referer: https://vader.dom.net/ipa/ui/index.html
[Fri Feb 20 00:37:34.300510 2015] [auth_kerb:error] [pid 1173] [client 
10.1.0.15:54961] gss_accept_sec_context() failed: Unspecified GSS 
failure.  Minor code may provide more information (, ASN.1 structure is 
missing a required field), referer: https://vader.dom.net/ipa/ui/index.html
[Fri Feb 20 00:37:34.406615 2015] [auth_kerb:error] [pid 1616] [client 
10.1.0.15:54965] gss_accept_sec_context() failed: Unspecified GSS 
failure.  Minor code may provide more information (, ASN.1 structure is 
missing a required field), referer: https://vader.dom.net/ipa/ui/index.html
[Fri Feb 20 00:37:50.356014 2015] [auth_kerb:error] [pid 1161] [client 
10.1.0.15:54966] gss_accept_sec_context() failed: Unspecified GSS 
failure.  Minor code may provide more information (, ASN.1 structure is 
missing a required field), referer: https://vader.dom.net/ipa/ui/index.html
[Fri Feb 20 00:37:52.263088 2015] [auth_kerb:error] [pid 1417] [client 
10.1.0.15:54968] gss_accept_sec_context() failed: Unspecified GSS 
failure.  Minor code may provide more information (, ASN.1 structure is 
missing a required field), referer: https://vader.dom.net/ipa/ui/index.html
[Fri Feb 20 00:37:52.327075 2015] [auth_kerb:error] [pid 1168] [client 
10.1.0.15:54967] gss_accept_sec_context() failed: Unspecified GSS 
failure.  Minor code may provide more information (, ASN.1 structure is 
missing a required field), referer: https://vader.dom.net/ipa/ui/index.html
[Fri Feb 20 00:45:35.603016 2015] [auth_kerb:error] [pid 1173] [client 
10.1.1.17:54157] gss_accept_sec_context() failed: An unsupported 
mechanism was requested (, Unknown error), referer: 
https://vader.dom.net/ipa/ui/


Restarting httpd, I can log in, and am immediately logged out again with 
the above errors.


Restarting ipa.service, I was able to log in with my user account, and 
was notified that my password expires in 0 days - even though it was 
just created less than an hour ago.


Is this a known issue, or is there a hidden problem with the rolekit 
deployment that I need to track down?



