I'm not sure exactly how to diagnose the actual cause of the issue. Every login, even as "admin" on the ipa/ui returns a "your session has expired. Please re-login". I can use kinit and login just fine - it seems authentication with the host key may be a fault.
Version: 4.5.0-22.el7_4 (RHEL7.4)
When I look at /var/log/sssd/sssd_nss.log I see several lines that look like the cause of the issue:
(Mon Jan 1 14:25:11 2018) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
(Mon Jan 1 14:25:11 2018) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #0: Data Provider Error: 3, 5, Failed to get reply from Data Provider
I'm also seeing a lot of these in krb5kdc.log but from what I gather from searching I can ignore those:
Jan 01 14:30:17 host.demo.net krb5kdc[9094](info): AS_REQ (8 etypes {18 17 16 23 25 26 20 19}) 10.10.10.70: NEEDED_PREAUTH: host/host.demo.net@DEMO.NET for krbtgt/DEMO.NET@DEMO.NET, Additional pre-authentication required
In /var/log/httpd/errors:
[Mon Jan 01 14:25:11.692739 2018] [:warn] [pid 798] [client 71.63.27.120:55198] failed to set perms (3140) on file (/var/run/ipa/ccaches/admin@DEMO.NET)!, referer: https://host.demo.net/ipa/ui/
[Mon Jan 01 14:25:11.779316 2018] [:error] [pid 31609] ipa: INFO: 401 Unauthorized: Insufficient access: Invalid credentials
I'm trying to figure out how to diagnose the actual cause here. The file above (failed to set perms):
-rw-------. ipaapi ipaapi system_u:object_r:ipa_var_run_t:s0 admin@DEMO.NET
Now, if apache tries to do something to these files then "duh" of course it's going to be denied. This used to work - so I'm not sure what's going on here? Again, trying to figure out a good process to diagnose to find the root cause.
On 01/01/2018 08:42 PM, Peter Larsen via FreeIPA-users wrote:
> I'm not sure exactly how to diagnose the actual cause of the issue. Every login, even as "admin" on the ipa/ui returns a "your session has expired. Please re-login". I can use kinit and login just fine - it seems authentication with the host key may be a fault.
> Version: 4.5.0-22.el7_4 (RHEL7.4)
> When I look at /var/log/sssd/sssd_nss.log I see several lines that look like the cause of the issue:
> (Mon Jan 1 14:25:11 2018) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
> (Mon Jan 1 14:25:11 2018) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #0: Data Provider Error: 3, 5, Failed to get reply from Data Provider
> I'm also seeing a lot of these in krb5kdc.log but from what I gather from searching I can ignore those:
> Jan 01 14:30:17 host.demo.net krb5kdc[9094](info): AS_REQ (8 etypes {18 17 16 23 25 26 20 19}) 10.10.10.70: NEEDED_PREAUTH: host/host.demo.net@DEMO.NET for krbtgt/DEMO.NET@DEMO.NET, Additional pre-authentication required
> In /var/log/httpd/errors:
> [Mon Jan 01 14:25:11.692739 2018] [:warn] [pid 798] [client 71.63.27.120:55198] failed to set perms (3140) on file (/var/run/ipa/ccaches/admin@DEMO.NET)!, referer: https://host.demo.net/ipa/ui/
> [Mon Jan 01 14:25:11.779316 2018] [:error] [pid 31609] ipa: INFO: 401 Unauthorized: Insufficient access: Invalid credentials
> I'm trying to figure out how to diagnose the actual cause here. The file above (failed to set perms):
> -rw-------. ipaapi ipaapi system_u:object_r:ipa_var_run_t:s0 admin@DEMO.NET
> Now, if apache tries to do something to these files then "duh" of course it's going to be denied. This used to work - so I'm not sure what's going on here? Again, trying to figure out a good process to diagnose to find the root cause.
Hi,
just for the record, the warning "failed to set perms..." is a known issue (7032: Httpd log: Failed to set perm on ccache [1]) but does not cause any harm.
You can find troubleshooting tips related to the administration framework in the wiki page Troubleshooting [2].
HTH, Flo
[1] https://pagure.io/freeipa/issue/7032
[2] https://www.freeipa.org/page/Troubleshooting#Administration_Framework
On 01/02/2018 04:39 AM, Florence Blanc-Renaud wrote:
> On 01/01/2018 08:42 PM, Peter Larsen via FreeIPA-users wrote:
>> I'm not sure exactly how to diagnose the actual cause of the issue. Every login, even as "admin" on the ipa/ui returns a "your session has expired. Please re-login". I can use kinit and login just fine - it seems authentication with the host key may be a fault.
>> Now, if apache tries to do something to these files then "duh" of course it's going to be denied. This used to work - so I'm not sure what's going on here? Again, trying to figure out a good process to diagnose to find the root cause.
> Hi,
> just for the record, the warning "failed to set perms..." is a known issue (7032: Httpd log: Failed to set perm on ccache [1]) but does not cause any harm.
If that means I can ignore it, I'm fine with that. Still, the installation is kaput :)
> You can find troubleshooting tips related to the administration framework in the wiki page Troubleshooting [2].
Thanks - I'd seen those links before, and I don't understand why [2] is considered "troubleshooting" - I get errors running the commands but it doesn't get me any closer to finding a root cause.
# ipa -vv user-show admin
ipa: DEBUG: found session_cookie in persistent storage for principal 'admin@DEMO.NET', cookie: 'ipa_session=MagBearerToken=YWIQGJVrLzlVCsBgW9t7tlaL1U1lIjB8ff6hlT9FChL8o97QqqvB97f2zIRdypjQ%2bkyTBbEauBeUmVv4A4S1JidafSIsWTf%2bTR%2fTX81QmLksP4EKLzrAQtWena1tcNohJb0NzqqpgN4UdANwDp8TnQ%2bgZMQCzo6ATH8mh20Z5ZD6R6ue2u6hUgs4nWlQs2KD'
ipa: DEBUG: setting session_cookie into context 'ipa_session=MagBearerToken=YWIQGJVrLzlVCsBgW9t7tlaL1U1lIjB8ff6hlT9FChL8o97QqqvB97f2zIRdypjQ%2bkyTBbEauBeUmVv4A4S1JidafSIsWTf%2bTR%2fTX81QmLksP4EKLzrAQtWena1tcNohJb0NzqqpgN4UdANwDp8TnQ%2bgZMQCzo6ATH8mh20Z5ZD6R6ue2u6hUgs4nWlQs2KD;'
ipa: INFO: trying https://host.demo.net/ipa/session/json
ipa: DEBUG: Created connection context.rpcclient_34278480
ipa: INFO: [try 1]: Forwarding 'schema' to json server 'https://host.demo.net/ipa/session/json'
ipa: DEBUG: New HTTP connection (host.demo.net)
ipa: DEBUG: HTTP connection destroyed (host.demo.net)
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 703, in single_request
    response.msg)
ProtocolError: <ProtocolError for host.demo.net/ipa/session/json: 401 Unauthorized>
and the error_log still contains the same two messages:
[Tue Jan 02 12:53:45.766170 2018] [:error] [pid 20445] ipa: INFO: 401 Unauthorized: Insufficient access: Invalid credentials
[Tue Jan 02 12:53:45.780124 2018] [:error] [pid 20444] ipa: INFO: 401 Unauthorized: Insufficient access: Invalid credentials
[Tue Jan 02 12:53:45.799056 2018] [:warn] [pid 20986] [client 10.10.10.70:49104] failed to set perms (3140) on file (/var/run/ipa/ccaches/admin@DEMO.NET)!, referer: https://host.demo.net/ipa/xml
So if I can ignore the LAST message (whose severity is warn, whereas the invalid credentials is just INFO), any ideas where to look for a cause?