When I try to load FreeIPA WebUI with the GSSAPI authentication and my account is locked I get:
'Runtime Error: Web UI got in unrecoverable state during "metadata" phase'
Same with AJAX message boxes when I was already locked in and an account became locked.
pvom: reproducible, first attempt of login fails correctly with message, each next fails with error mentioned in ticket. There is a problem that the GET method which uses krb_login_url fails.
Traceback from httpd/error_log, but this exception is raised even after first attempt of login.
[Sun Apr 17 22:26:33.719448 2016] [wsgi:error] [pid 1266] [remote 10.36.4.76:72] mod_wsgi (pid=1266): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Sun Apr 17 22:26:33.719525 2016] [wsgi:error] [pid 1266] [remote 10.36.4.76:72] Traceback (most recent call last):
[Sun Apr 17 22:26:33.719548 2016] [wsgi:error] [pid 1266] [remote 10.36.4.76:72] File "/usr/share/ipa/wsgi.py", line 49, in application
[Sun Apr 17 22:26:33.719586 2016] [wsgi:error] [pid 1266] [remote 10.36.4.76:72] return api.Backend.wsgi_dispatch(environ, start_response)
[Sun Apr 17 22:26:33.719597 2016] [wsgi:error] [pid 1266] [remote 10.36.4.76:72] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 261, in call
[Sun Apr 17 22:26:33.719616 2016] [wsgi:error] [pid 1266] [remote 10.36.4.76:72] return self.route(environ, start_response)
[Sun Apr 17 22:26:33.719645 2016] [wsgi:error] [pid 1266] [remote 10.36.4.76:72] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 273, in route
[Sun Apr 17 22:26:33.719670 2016] [wsgi:error] [pid 1266] [remote 10.36.4.76:72] return app(environ, start_response)
[Sun Apr 17 22:26:33.719680 2016] [wsgi:error] [pid 1266] [remote 10.36.4.76:72] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 811, in call
[Sun Apr 17 22:26:33.719695 2016] [wsgi:error] [pid 1266] [remote 10.36.4.76:72] self.create_context(ccache=ipa_ccache_name)
[Sun Apr 17 22:26:33.719704 2016] [wsgi:error] [pid 1266] [remote 10.36.4.76:72] File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 123, in create_context
[Sun Apr 17 22:26:33.719719 2016] [wsgi:error] [pid 1266] [remote 10.36.4.76:72] self.Backend.ldap2.connect(ccache=ccache)
[Sun Apr 17 22:26:33.719728 2016] [wsgi:error] [pid 1266] [remote 10.36.4.76:72] File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66, in connect
[Sun Apr 17 22:26:33.719742 2016] [wsgi:error] [pid 1266] [remote 10.36.4.76:72] conn = self.create_connection(*args, **kw)
[Sun Apr 17 22:26:33.719751 2016] [wsgi:error] [pid 1266] [remote 10.36.4.76:72] File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 202, in create_connection
[Sun Apr 17 22:26:33.719767 2016] [wsgi:error] [pid 1266] [remote 10.36.4.76:72] client_controls=clientctrls)
[Sun Apr 17 22:26:33.719776 2016] [wsgi:error] [pid 1266] [remote 10.36.4.76:72] File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1082, in gssapi_bind
[Sun Apr 17 22:26:33.719802 2016] [wsgi:error] [pid 1266] [remote 10.36.4.76:72] '', auth_tokens, server_controls, client_controls)
[Sun Apr 17 22:26:33.719811 2016] [wsgi:error] [pid 1266] [remote 10.36.4.76:72] File "/usr/lib64/python2.7/contextlib.py", line 35, in exit
[Sun Apr 17 22:26:33.719826 2016] [wsgi:error] [pid 1266] [remote 10.36.4.76:72] self.gen.throw(type, value, traceback)
[Sun Apr 17 22:26:33.719835 2016] [wsgi:error] [pid 1266] [remote 10.36.4.76:72] File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 995, in error_handler
[Sun Apr 17 22:26:33.719848 2016] [wsgi:error] [pid 1266] [remote 10.36.4.76:72] raise errors.DatabaseError(desc=desc, info=info)
[Sun Apr 17 22:26:33.719867 2016] [wsgi:error] [pid 1266] [remote 10.36.4.76:72] DatabaseError: Server is unwilling to perform: Too many failed logins.
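For triage, a traceback like the one in this ticket can be recognised mechanically. The sketch below is an added example, not FreeIPA code and not part of any comment here: it groups mod_wsgi error_log entries by worker pid and client and flags tracebacks that end in the lockout message. The function names are hypothetical, and it assumes one log entry per line with an IPv4 "remote ip:port" field as in the ticket.

```python
import re
from collections import Counter

# mod_wsgi error_log entry: [timestamp] [wsgi:error] [pid N] [remote ip:port] message
ENTRY = re.compile(r"^\[(?P<ts>[^\]]+)\] \[wsgi:error\] \[pid (?P<pid>\d+)\] "
                   r"\[remote (?P<ip>[^\]:]+):\d+\] (?P<msg>.*)$")
# Last line of a Python traceback: "SomeError: text"
EXC = re.compile(r"^(?P<name>[A-Za-z_][\w.]*(?:Error|Exception)): (?P<text>.*)$")
LOCKOUT_TEXT = "Too many failed logins"  # LDAP message seen in the ticket

def find_exceptions(lines):
    """Return one record per traceback, keyed on the worker pid and client."""
    open_tb, found = {}, []  # open_tb: (pid, ip) -> timestamp of "Traceback" line
    for line in lines:
        m = ENTRY.match(line.strip())
        if not m:
            continue  # not a wsgi:error entry
        key, msg = (m["pid"], m["ip"]), m["msg"].strip()
        if msg.startswith("Traceback (most recent call last):"):
            open_tb[key] = m["ts"]
            continue
        exc = EXC.match(msg)
        if exc and key in open_tb:
            found.append({"started": open_tb.pop(key), "client": m["ip"],
                          "exception": exc["name"], "detail": exc["text"],
                          "lockout": LOCKOUT_TEXT in exc["text"]})
    return found

def lockouts_by_client(lines):
    """Count lockout-driven tracebacks per client address."""
    return dict(Counter(e["client"] for e in find_exceptions(lines) if e["lockout"]))

# Sample input: entries abridged from the traceback in this ticket, one per line.
SAMPLE = """\
[Sun Apr 17 22:26:33.719448 2016] [wsgi:error] [pid 1266] [remote 10.36.4.76:72] mod_wsgi (pid=1266): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Sun Apr 17 22:26:33.719525 2016] [wsgi:error] [pid 1266] [remote 10.36.4.76:72] Traceback (most recent call last):
[Sun Apr 17 22:26:33.719835 2016] [wsgi:error] [pid 1266] [remote 10.36.4.76:72] File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 995, in error_handler
[Sun Apr 17 22:26:33.719848 2016] [wsgi:error] [pid 1266] [remote 10.36.4.76:72] raise errors.DatabaseError(desc=desc, info=info)
[Sun Apr 17 22:26:33.719867 2016] [wsgi:error] [pid 1266] [remote 10.36.4.76:72] DatabaseError: Server is unwilling to perform: Too many failed logins.
""".splitlines()

if __name__ == "__main__":
    for rec in find_exceptions(SAMPLE):
        print(rec)
```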
4.4.0 was released, moving open tickets to 4.4.1
moving out tickets not implemented in 4.4.1
4.4.2 is a stabilization milestone. If this bug is important stabilization bug then please put it to NEEDS TRIAGE milestone for retriage.
Metadata Update from @jhejl: - Issue assigned to someone - Issue set to the milestone: FreeIPA 4.5 backlog
Metadata Update from @pvomacka: - Issue close_status updated to: None - Issue tagged with: webui
Running gssproxy-0.8.3-3.fc33.x86_64 with freeipa-server-4.9.3-1.fc33.x86_64. In a browser I get:
Runtime error Web UI got in unrecoverable state during "metadata" phase.
auth_gssapi:error] [pid 3801:tid 3860] [client x.x.x.x:60120] GSS ERROR In Negotiate Auth: gss_accept_sec_context() failed: [An unsupported mechanism was requested (Unknown error)], referer: https://ourdomain.edu/ipa/ui/
Apr 12 14:04:37 olddsm gssproxy[1385]: [CID 17][2021/04/12 18:04:37]: Connection matched service ipa-httpd
Apr 12 14:04:37 olddsm gssproxy[1385]: [CID 17][2021/04/12 18:04:37]: gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "ipa-httpd", euid: 48,socket: (null)
Apr 12 14:04:37 olddsm gssproxy[1385]: GSSX_ARG_ACQUIRE_CRED( call_ctx: { "" [ ] } input_cred_handle: { "HTTP/ourdomain.edu@OURDOMAIN.EDU" [ { "HTTP/ourdomain.edu@OURDOMAIN.EDU" { 1 2 840 113554 1 2 2 } BOTH 86400 86400 } ] [ ...fN....z......... ] 0 } add_cred: 0 desired_name: <Null> time_req: 4294967295 desired_mechs: { { 1 2 840 113554 1 2 2 } } cred_usage: BOTH initiator_time_req: 0 acceptor_time_req: 0 )
Apr 12 14:04:37 olddsm gssproxy[1385]: GSSX_RES_ACQUIRE_CRED( status: { 0 { 1 2 840 113554 1 2 2 } 0 "" "" [ ] } output_cred_handle: { "HTTP/ourdomain.edu@OURDOMAIN.EDU" [ { "HTTP/ourdomain.edu@OURDOMAIN.EDU" { 1 2 840 113554 1 2 2 } BOTH 86400 86400 } ] [ ...fN....z......... ] 0 } )
Apr 12 14:04:37 olddsm gssproxy[1385]: [CID 17][2021/04/12 18:04:37]: Connection matched service ipa-httpd
Apr 12 14:04:37 olddsm gssproxy[1385]: [CID 17][2021/04/12 18:04:37]: gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "ipa-httpd", euid: 48,socket: (null)
Apr 12 14:04:37 olddsm gssproxy[1385]: GSSX_ARG_ACQUIRE_CRED( call_ctx: { "" [ ] } input_cred_handle: { "HTTP/ourdomain.edu@OURDOMAIN.EDU" [ { "HTTP/ourdomain.edu@OURDOMAIN.EDU" { 1 2 840 113554 1 2 2 } BOTH 86400 86400 } ] [ ...fN....z......... ] 0 } add_cred: 0 desired_name: <Null> time_req: 4294967295 desired_mechs: { { 1 2 840 113554 1 2 2 } } cred_usage: BOTH initiator_time_req: 0 acceptor_time_req: 0 )
Apr 12 14:04:37 olddsm gssproxy[1385]: GSSX_RES_ACQUIRE_CRED( status: { 0 { 1 2 840 113554 1 2 2 } 0 "" "" [ ] } output_cred_handle: { "HTTP/ourdomain.edu@OURDOMAIN.EDU" [ { "HTTP/ourdomain.edu@OURDOMAIN.EDU" { 1 2 840 113554 1 2 2 } BOTH 86400 86400 } ] [ ...fN....z......... ] 0 } )
Apr 12 14:04:37 olddsm gssproxy[1385]: [CID 17][2021/04/12 18:04:37]: Connection matched service ipa-httpd
Apr 12 14:04:37 olddsm gssproxy[1385]: [CID 17][2021/04/12 18:04:37]: gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "ipa-httpd", euid: 48,socket: (null)
Apr 12 14:04:37 olddsm gssproxy[1385]: GSSX_ARG_ACQUIRE_CRED( call_ctx: { "" [ ] } input_cred_handle: { "HTTP/ourdomain.edu@OURDOMAIN.EDU" [ { "HTTP/ourdomain.edu@OURDOMAIN.EDU" { 1 2 840 113554 1 2 2 } BOTH 86400 86400 } ] [ ...fN....z......... ] 0 } add_cred: 0 desired_name: <Null> time_req: 4294967295 desired_mechs: { { 1 2 840 113554 1 2 2 } } cred_usage: BOTH initiator_time_req: 0 acceptor_time_req: 0 )
Apr 12 14:04:37 olddsm gssproxy[1385]: GSSX_RES_ACQUIRE_CRED( status: { 0 { 1 2 840 113554 1 2 2 } 0 "" "" [ ] } output_cred_handle: { "HTTP/ourdomain.edu@OURDOMAIN.EDU" [ { "HTTP/ourdomain.edu@OURDOMAIN.EDU" { 1 2 840 113554 1 2 2 } BOTH 86400 86400 } ] [ ...fN....z......... ] 0 } )
Apr 12 14:04:37 olddsm gssproxy[1385]: [CID 17][2021/04/12 18:04:37]: Connection matched service ipa-httpd
Apr 12 14:04:37 olddsm gssproxy[1385]: [CID 17][2021/04/12 18:04:37]: gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "ipa-httpd", euid: 48,socket: (null)
Apr 12 14:04:37 olddsm gssproxy[1385]: GSSX_ARG_ACQUIRE_CRED( call_ctx: { "" [ ] } input_cred_handle: { "HTTP/ourdomain.edu@OURDOMAIN.EDU" [ { "HTTP/ourdomain.edu@OURDOMAIN.EDU" { 1 2 840 113554 1 2 2 } BOTH 86400 86400 } ] [ ...fN....z......... ] 0 } add_cred: 0 desired_name: <Null> time_req: 4294967295 desired_mechs: { { 1 2 840 113554 1 2 2 } } cred_usage: BOTH initiator_time_req: 0 acceptor_time_req: 0 )
Apr 12 14:04:37 olddsm gssproxy[1385]: GSSX_RES_ACQUIRE_CRED( status: { 0 { 1 2 840 113554 1 2 2 } 0 "" "" [ ] } output_cred_handle: { "HTTP/ourdomain.edu@OURDOMAIN.EDU" [ { "HTTP/ourdomain.edu@OURDOMAIN.EDU" { 1 2 840 113554 1 2 2 } BOTH 86400 86400 } ] [ ...fN....z......... ] 0 } )
However, in a private browser window, I get the username/password pop-up but the logins fail there. However, when the form fully loads, I can log in with any user. [Image: ipa.PNG] [Image: freeipa2.PNG]
Should I file a new issue?
Hi, in the sanitized logs, the principal shows as HTTP/ourdomain.edu@OURDOMAIN.EDU. Is this really what you have on your system? I would expect HTTP/server.ourdomain.edu@OURDOMAIN.EDU instead.
Metadata Update from @frenaud: - Issue set to the milestone: None (was: FreeIPA 4.5 backlog)
I believe I over-sanitized, you are correct. I worked around the issue with this Reddit comment suggestion:
adding "BrowserMatch Windows gssapi-no-negotiate" into ..httpd/conf.d/ipa.conf
Side note/question, perhaps this CMS could provide some sanitizing with preview?