Hello, ipa-users!
Can't login into my FreeIpa system with admin user.
*On WebUI*
Login failed due to an unknown reason.
*In krb5kdc.log:*
Oct 09 08:08:24 myhost.mydomain krb5kdc[24788](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.110.26: NEEDED_PREAUTH: WELLKNOWN/ANONYMOUS@MYDOMAIN.COM for krbtgt/MYDOMAIN.COM@MYDOMAIN.COM, Additional pre-authentication required
Oct 09 08:08:24 myhost.mydomain krb5kdc[24788](info): closing down fd 11
Oct 09 08:08:24 myhost.mydomain krb5kdc[24788](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.110.26: ISSUE: authtime 1507550904, etypes {rep=18 tkt=18 ses=18}, WELLKNOWN/ANONYMOUS@MYDOMAIN.COM for krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
Oct 09 08:08:24 myhost.mydomain krb5kdc[24788](info): closing down fd 11
Oct 09 08:08:24 myhost.mydomain krb5kdc[24786](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.110.26: NEEDED_PREAUTH: admin@MYDOMAIN.COM for krbtgt/MYDOMAIN.COM@MYDOMAIN.COM, Additional pre-authentication required
Oct 09 08:08:24 myhost.mydomain krb5kdc[24786](info): closing down fd 11
Oct 09 08:08:24 myhost.mydomain krb5kdc[24787](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.110.26: ISSUE: authtime 1507550904, etypes {rep=18 tkt=18 ses=18}, admin@MYDOMAIN.COM for krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
Oct 09 08:08:24 myhost.mydomain krb5kdc[24787](info): closing down fd 11
Oct 09 08:08:24 myhost.mydomain krb5kdc[24785](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.110.26: ISSUE: authtime 1507550904, etypes {rep=18 tkt=18 ses=18}, admin@MYDOMAIN.COM for HTTP/myhost.mydomain@MYDOMAIN.COM
Oct 09 08:08:24 myhost.mydomain krb5kdc[24785](info): closing down fd 11
Oct 09 08:08:24 myhost.mydomain krb5kdc[24786](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.110.26: NEEDED_PREAUTH: HTTP/myhost.mydomain@MYDOMAIN.COM for krbtgt/MYDOMAIN.COM@MYDOMAIN.COM, Additional pre-authentication required
Oct 09 08:08:24 myhost.mydomain krb5kdc[24786](info): closing down fd 11
Oct 09 08:08:24 myhost.mydomain krb5kdc[24788](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Oct 09 08:08:24 myhost.mydomain krb5kdc[24788](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.110.26: PREAUTH_FAILED: HTTP/myhost.mydomain@MYDOMAIN.COM for krbtgt/MYDOMAIN.COM@MYDOMAIN.COM, Preauthentication failed
Oct 09 08:08:24 myhost.mydomain krb5kdc[24788](info): closing down fd 11
Oct 09 08:08:24 myhost.mydomain krb5kdc[24786](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.110.26: NEEDED_PREAUTH: HTTP/myhost.mydomain@MYDOMAIN.COM for krbtgt/MYDOMAIN.COM@MYDOMAIN.COM, Additional pre-authentication required
Oct 09 08:08:24 myhost.mydomain krb5kdc[24786](info): closing down fd 11
Oct 09 08:08:24 myhost.mydomain krb5kdc[24785](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Oct 09 08:08:24 myhost.mydomain krb5kdc[24785](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.110.26: PREAUTH_FAILED: HTTP/myhost.mydomain@MYDOMAIN.COM for krbtgt/MYDOMAIN.COM@MYDOMAIN.COM, Preauthentication failed
Oct 09 08:08:24 myhost.mydomain krb5kdc[24785](info): closing down fd 11
*In httpd error log:*
[Mon Oct 09 08:10:31.746129 2017] [auth_gssapi:error] [pid 24813] [client 192.168.110.26:45594] GSS ERROR gss_acquire_cred[_from]() failed to get server creds: [Unspecified GSS failure. Minor code may provide more information (SPNEGO cannot find mechanisms to negotiate)]
[Mon Oct 09 08:10:31.749411 2017] [:error] [pid 24806] ipa: INFO: 401 Unauthorized: No session cookie found
*In messages:*
Oct 9 08:11:40 myhost gssproxy: gssproxy[13658]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, Preauthentication failed
Oct 9 08:11:40 myhost gssproxy: gssproxy[13658]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, Preauthentication failed
*The password is correct 100%.* *I can do kinit for admin.* *Where to look next?* *Restart didn't help.*
OS Red Hat Enterprise Linux Server release 7.4
[root@myhost ipa]# uname -a
Linux myhost.mydomain 3.10.0-693.2.2.el7.x86_64 #1 SMP Tue Sep 12 10:49:01 PDT 2017 x86_64 x86_64 x86_64 GNU/Linux
Regards, Andrey
On Mon, Oct 09, 2017 at 03:16:13PM +0300, Markovich via FreeIPA-users wrote:
*In krb5kdc.log:*
Oct 09 08:08:24 myhost.mydomain krb5kdc[24788](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Oct 09 08:08:24 myhost.mydomain krb5kdc[24788](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.110.26: PREAUTH_FAILED: HTTP/myhost.mydomain@MYDOMAIN.COM for krbtgt/MYDOMAIN.COM@MYDOMAIN.COM, Preauthentication failed
It is not your authentication which failed but the authentication attempt of the web server. I guess the keys on the server were updated but not written into the keytab.
Can you try if
kinit -k -t /var/lib/ipa/gssproxy/http.keytab HTTP/myhost.mydomain@MYDOMAIN.COM
returns the same error (preauth (encrypted_timestamp) verify failure: Preauthentication failed)? In this case you should update the keytab with ipa-getkeytab and restart httpd.
HTH
bye, Sumit
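The reading of the KDC log that Sumit describes can be automated. The following is an added example, not part of the original thread: it tallies AS_REQ outcomes per client principal and reports service principals that only ever fail pre-authentication, which is the signature of a keytab that no longer matches the KDC's key. The function names are hypothetical and the sample lines are a shortened copy of the log posted above.

```shell
#!/bin/sh
# Added example: find principals whose AS_REQs never succeed in krb5kdc.log.

# Sample input: a shortened copy of the krb5kdc.log lines from the thread.
sample_log() {
cat <<'EOF'
Oct 09 08:08:24 myhost.mydomain krb5kdc[24788](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.110.26: ISSUE: authtime 1507550904, etypes {rep=18 tkt=18 ses=18}, WELLKNOWN/ANONYMOUS@MYDOMAIN.COM for krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
Oct 09 08:08:24 myhost.mydomain krb5kdc[24786](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.110.26: NEEDED_PREAUTH: admin@MYDOMAIN.COM for krbtgt/MYDOMAIN.COM@MYDOMAIN.COM, Additional pre-authentication required
Oct 09 08:08:24 myhost.mydomain krb5kdc[24787](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.110.26: ISSUE: authtime 1507550904, etypes {rep=18 tkt=18 ses=18}, admin@MYDOMAIN.COM for krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
Oct 09 08:08:24 myhost.mydomain krb5kdc[24785](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.110.26: ISSUE: authtime 1507550904, etypes {rep=18 tkt=18 ses=18}, admin@MYDOMAIN.COM for HTTP/myhost.mydomain@MYDOMAIN.COM
Oct 09 08:08:24 myhost.mydomain krb5kdc[24788](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Oct 09 08:08:24 myhost.mydomain krb5kdc[24788](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.110.26: PREAUTH_FAILED: HTTP/myhost.mydomain@MYDOMAIN.COM for krbtgt/MYDOMAIN.COM@MYDOMAIN.COM, Preauthentication failed
Oct 09 08:08:24 myhost.mydomain krb5kdc[24785](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.110.26: PREAUTH_FAILED: HTTP/myhost.mydomain@MYDOMAIN.COM for krbtgt/MYDOMAIN.COM@MYDOMAIN.COM, Preauthentication failed
EOF
}

# Reads krb5kdc.log on stdin, prints "<client> issued=N failed=M" per client.
# NEEDED_PREAUTH is the normal first leg of an AS exchange and is not counted.
as_req_summary() {
  awk '
    $0 !~ / AS_REQ / { next }            # skip TGS_REQ and housekeeping lines
    {
      status = ""; client = ""
      for (i = 2; i <= NF; i++) {
        if ($i == "ISSUE:" || $i == "PREAUTH_FAILED:") status = $i
        if ($i == "for" && client == "") client = $(i - 1)  # "<client> for <server>"
      }
      if (status == "" || client == "") next
      seen[client] = 1
      if (status == "ISSUE:") ok[client]++; else bad[client]++
    }
    END { for (c in seen) printf "%s issued=%d failed=%d\n", c, ok[c], bad[c] }
  ' | LC_ALL=C sort
}

# Service principals (name contains "/") that failed and never got a ticket.
stale_keytab_suspects() {
  as_req_summary | awk '$1 ~ /\// && $2 == "issued=0" && $3 != "failed=0" { print $1 }'
}

sample_log | stale_keytab_suspects
```

Each principal it prints is a candidate for the kinit -k -t check above, run against that service's own keytab.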
Hi Sumit!
Thank you very much!!! This worked!
Regards, Andrey
2017-10-09 16:16 GMT+03:00 Sumit Bose via FreeIPA-users <freeipa-users@lists.fedorahosted.org>:
It is not your authentication which failed but the authentication attempt of the web server. I guess the keys on the server were updated but not written into the keytab.
Can you try if
kinit -k -t /var/lib/ipa/gssproxy/http.keytab HTTP/myhost.mydomain@MYDOMAIN.COM
returns the same error (preauth (encrypted_timestamp) verify failure: Preauthentication failed)? In this case you should update the keytab with ipa-getkeytab and restart httpd.
HTH
bye, Sumit