#8065 Cannot log into web ui - "Login failed due to an unknown reason."
Closed: worksforme 4 years ago by abbra. Opened 4 years ago by tmdag.

Issue

Unable to log in to the FreeIPA web UI after running dnf upgrade

Steps to Reproduce

  1. open freeipa web ui
  2. login using admin or ipa user credentials

Actual behavior

"Login failed due to an unknown reason"

Expected behavior

Login successful

Version/Release/Distribution

$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server

freeipa-server-4.7.3-2.fc29.x86_64
freeipa-client-4.7.3-2.fc29.x86_64
package ipa-server is not installed
package ipa-client is not installed
389-ds-base-1.4.0.27-1.fc29.x86_64
pki-ca-10.7.3-3.fc29.noarch
krb5-server-1.16.1-25.fc29.x86_64

Additional info:


journalctl

gssproxy[910]: gssproxy[951]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
gssproxy[951]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
gssproxy[910]: gssproxy[951]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, Preauthentication failed
gssproxy[951]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, Preauthentication failed

cat /var/log/httpd/error_log

[suexec:notice] [pid 5529:tid 139897184471296] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[so:warn] [pid 5529:tid 139897184471296] AH01574: module proxy_module is already loaded, skipping
[so:warn] [pid 5529:tid 139897184471296] AH01574: module proxy_http_module is already loaded, skipping
[lbmethod_heartbeat:notice] [pid 5529:tid 139897184471296] AH02282: No slotmem from mod_heartmonitor
[mpm_event:notice] [pid 5529:tid 139897184471296] AH00489: Apache/2.4.39 (Fedora) OpenSSL/1.1.1c mod_wsgi/4.6.4 Python/3.7 3.9 mod_perl/2.0.10 Perl/v5.28.2 configured -- resuming normal operations
[core:notice] [pid 5529:tid 139897184471296] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[wsgi:error] [pid 5833:tid 139897184471296] ipa: INFO: *** PROCESS START ***
[wsgi:error] [pid 5837:tid 139897184471296] ipa: INFO: *** PROCESS START ***
[wsgi:error] [pid 5832:tid 139897184471296] ipa: INFO: *** PROCESS START ***
[wsgi:error] [pid 5839:tid 139897184471296] ipa: INFO: *** PROCESS START ***
[wsgi:error] [pid 5833:tid 139896787969792] [remote 10.0.1.8:36236] ipa: INFO: [jsonserver_i18n_messages] UNKNOWN: CCESS
[:warn] [pid 5842:tid 139896429713152] [client 10.0.1.8:36236] KRB5CCNAME file (/run/ipa/ccaches/admin@HOME.MYDOMAIN.COM) lookup .home.mydomain.com/ipa/ui/
[:warn] [pid 5841:tid 139896561800960] [client 10.0.1.8:36238] KRB5CCNAME file (/run/ipa/ccaches/admin@HOME.MYDOMAIN.COM) lookup .home.mydomain.com/ipa/ui/
[auth_gssapi:error] [pid 5840:tid 139896236779264] [client 10.0.1.10:47164] GSS ERROR gss_acquire_cred[_from]() failed to get lure.  Minor code may provide more information ( SPNEGO cannot find mechanisms to negotiate)]
[wsgi:error] [pid 5833:tid 139896787969792] [remote 10.0.1.8:36236] ipa: INFO: 401 Unauthorized: No session cookie found

ipa-pkinit-manage status

PKINIT is enabled
The ipa-pkinit-manage command was successful

kinit myuser

Password for myuser@HOME.MYDOMAIN.COM: 
$ klist
Ticket cache: KEYRING:persistent:1907400001:krb_ccache_QYeLVmz
Default principal: myuser@HOME.MYDOMAIN.COM

Valid starting     Expires            Service principal
08/09/19 00:11:36  09/09/19 00:11:33  krbtgt/HOME.MYDOMAIN.COM@HOME.MYDOMAIN.COM

$ ipa -v ping

ipa: DEBUG: trying https://$ ipaserver.home.mydomain.com/ipa/json
ipa: DEBUG: Created connection context.rpcclient_139944946411792
ipa: DEBUG: [try 1]: Forwarding 'schema' to json server 'https://$ ipaserver.home.mydomain.com/ipa/json'
ipa: DEBUG: New HTTP connection ($ ipaserver.home.mydomain.com)
ipa: DEBUG: HTTP connection destroyed ($ ipaserver.home.mydomain.com)
Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/ipaclient/remote_plugins/__init__.py", line 126, in get_package
    plugins = api._remote_plugins
AttributeError: 'API' object has no attribute '_remote_plugins'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/ipalib/rpc.py", line 649, in get_auth_info
    response = self._sec_context.step()
  File "</usr/local/lib/python3.7/site-packages/decorator.py:decorator-gen-15>", line 2, in step
  File "/usr/lib64/python3.7/site-packages/gssapi/_utils.py", line 167, in check_last_err
    return func(self, *args, **kwargs)
  File "</usr/local/lib/python3.7/site-packages/decorator.py:decorator-gen-5>", line 2, in step
  File "/usr/lib64/python3.7/site-packages/gssapi/_utils.py", line 127, in catch_and_return_token
    return func(self, *args, **kwargs)
  File "/usr/lib64/python3.7/site-packages/gssapi/sec_contexts.py", line 521, in step
    return self._initiator_step(token=token)
  File "/usr/lib64/python3.7/site-packages/gssapi/sec_contexts.py", line 542, in _initiator_step
    token)
  File "gssapi/raw/sec_contexts.pyx", line 244, in gssapi.raw.sec_contexts.init_sec_context
gssapi.raw.misc.GSSError: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529639053): No Kerberos credentials available (default cache: KEYRING:persistent:0)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/ipalib/rpc.py", line 699, in single_request
    self.get_auth_info()
  File "/usr/lib/python3.7/site-packages/ipalib/rpc.py", line 651, in get_auth_info
    self._handle_exception(e, service=service)
  File "/usr/lib/python3.7/site-packages/ipalib/rpc.py", line 608, in _handle_exception
    raise errors.CCacheError()
ipalib.errors.CCacheError: did not receive Kerberos credentials
ipa: DEBUG: Destroyed connection context.rpcclient_139944946411792
ipa: ERROR: did not receive Kerberos credentials

$ kinit -k -t /var/lib/ipa/gssproxy/http.keytab HTTP/$ ipaserver.home.mydomain.com@HOME.MYDOMAIN.COM
kinit: Preauthentication failed while getting initial credentials

$ ipa -vv pwpolicy-show global_policy

ipa: DEBUG: failed to find session_cookie in persistent storage for principal 'admin@HOME.IBLVFX.COM'
ipa: DEBUG: trying https://$ ipaserver.home.mydomain.com/ipa/json
ipa: DEBUG: Created connection context.rpcclient_140652464016656
ipa: DEBUG: [try 1]: Forwarding 'schema' to json server 'https://$ ipaserver.home.mydomain.com/ipa/json'
ipa: DEBUG: New HTTP connection ($ ipaserver.home.mydomain.com)
ipa: DEBUG: HTTP connection destroyed ($ ipaserver.home.mydomain.com)
Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/ipaclient/remote_plugins/__init__.py", line 126, in get_package
    plugins = api._remote_plugins
AttributeError: 'API' object has no attribute '_remote_plugins'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/ipalib/rpc.py", line 726, in single_request
    if not self._auth_complete(response):
  File "/usr/lib/python3.7/site-packages/ipalib/rpc.py", line 679, in _auth_complete
    message=u"No valid Negotiate header in server response")
ipalib.errors.KerberosError: No valid Negotiate header in server response
ipa: DEBUG: Destroyed connection context.rpcclient_140652464016656
ipa: ERROR: No valid Negotiate header in server response

$ cat /var/log/krb5kdc.log

38:08 (info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.1.10: NEEDED_PREAUTH: admin@HOME.MYDOMAIN.COM for krbtgt/HOME.MYDOMAIN.COM@HOME.MYDOMAIN.COM, Additional pre-authentication required
38:08 (info): closing down fd 11
38:11 (info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.1.10: ISSUE: authtime 1568572691, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, admin@HOME.MYDOMAIN.COM for krbtgt/HOME.MYDOMAIN.COM@HOME.MYDOMAIN.COM
38:11 (info): closing down fd 11
38:21 (info): TGS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.1.10: ISSUE: authtime 1568572691, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, admin@HOME.MYDOMAIN.COM for HTTP/ipa.home.mydomain.com@HOME.MYDOMAIN.COM
38:21 (info): closing down fd 11
38:21 (info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.1.10: NEEDED_PREAUTH: HTTP/ipa.home.mydomain.com@HOME.MYDOMAIN.COM for krbtgt/HOME.MYDOMAIN.COM@HOME.MYDOMAIN.COM, Additional pre-authentication required
38:21 (info): closing down fd 11
38:21 (info): preauth (spake) verify failure: Preauthentication failed
38:21 (info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.1.10: PREAUTH_FAILED: HTTP/ipa.home.mydomain.com@HOME.MYDOMAIN.COM for krbtgt/HOME.MYDOMAIN.COM@HOME.MYDOMAIN.COM, Preauthentication failed
38:21 (info): closing down fd 11
38:21 (info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.1.10: NEEDED_PREAUTH: HTTP/ipa.home.mydomain.com@HOME.MYDOMAIN.COM for krbtgt/HOME.MYDOMAIN.COM@HOME.MYDOMAIN.COM, Additional pre-authentication required
38:21 (info): closing down fd 11
38:21 (info): preauth (spake) verify failure: Preauthentication failed
38:21 (info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.1.10: PREAUTH_FAILED: HTTP/ipa.home.mydomain.com@HOME.MYDOMAIN.COM for krbtgt/HOME.MYDOMAIN.COM@HOME.MYDOMAIN.COM, Preauthentication failed
38:21 (info): closing down fd 11

$ kvno ldap/ipaserver.home.mydomain.com@HOME.MYDOMAIN.COM

ldap/ipaserver.home.mydomain.com@HOME.MYDOMAIN.COM: kvno = 2

$ klist -kte

Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 2019-02-18 18:46:43 host/ipaserver.home.mydomain.com@HOME.MYDOMAIN.COM (aes256-cts-hmac-sha1-96) 
   2 2019-02-18 18:46:43 host/ipaserver.home.mydomain.com@HOME.MYDOMAIN.COM (aes128-cts-hmac-sha1-96) 
   2 2019-02-18 18:46:43 host/ipaserver.home.mydomain.com@HOME.MYDOMAIN.COM (DEPRECATED:des3-cbc-sha1) 
   2 2019-02-18 18:46:43 host/ipaserver.home.mydomain.com@HOME.MYDOMAIN.COM (DEPRECATED:arcfour-hmac) 
   2 2019-02-18 18:46:43 host/ipaserver.home.mydomain.com@HOME.MYDOMAIN.COM (camellia128-cts-cmac) 
   2 2019-02-18 18:46:43 host/ipaserver.home.mydomain.com@HOME.MYDOMAIN.COM (camellia256-cts-cmac) 
   4 2019-02-19 00:33:12 host/ipaserver.home.mydomain.com@HOME.MYDOMAIN.COM (aes256-cts-hmac-sha1-96) 
   4 2019-02-19 00:33:12 host/ipaserver.home.mydomain.com@HOME.MYDOMAIN.COM (aes128-cts-hmac-sha1-96) 
   1 2019-02-19 00:34:01 nfs/ipaserver.home.mydomain.com@HOME.MYDOMAIN.COM (aes256-cts-hmac-sha1-96) 
   1 2019-02-19 00:34:01 nfs/ipaserver.home.mydomain.com@HOME.MYDOMAIN.COM (aes128-cts-hmac-sha1-96) 

Metadata Update from @pcech:
- Issue tagged with: Raven

4 years ago

@tmdag do you still experience this problem in Fedora?

No responses from the reporter, Fedora 29 is not supported anymore, closing.
If you have this bug still reproducible with the current Fedora (31 or 32), please open a new issue.

Metadata Update from @abbra:
- Issue close_status updated to: worksforme
- Issue status updated to: Closed (was: Open)

4 years ago
