Dear FreeIPA Team,
I have an issue with the Web GUI throwing the error message "Login failed due to an unknown reason" when logging in through the Web interface. Other functionality like directory service, DNS and authentication with ipa-clients seems to work fine.
I first spotted this issue in 4.5.0 and tried the troubleshooting steps from a previous thread; however, that did not help. Hoping that the issue is solved in higher versions, I tried upgrading the ipa-server packages via:
# yum upgrade ipa-server
# ipa-server-upgrade
However, it did not solve the issue in 4.6.6, and I see exactly the same behavior I saw in version 4.5.0.
# rpm -q ipa-server.x86_64 krb5-libs.x86_64 krb5-server.x86_64 cyrus-sasl-gssapi.x86_64 sssd-krb5.x86_64 httpd.x86_64
ipa-server-4.6.4-10.el7.centos.x86_64
krb5-libs-1.15.1-34.el7.x86_64
krb5-server-1.15.1-34.el7.x86_64
cyrus-sasl-gssapi-2.1.26-23.el7.x86_64
sssd-krb5-1.16.2-13.el7.x86_64
httpd-2.4.6-88.el7.centos.x86_64
# cat /etc/*release*
CentOS Linux release 7.4.1708 (Core)
What could be the next troubleshooting step in my case?
Thanks in advance, Andrey
On Tue, 04 Dec 2018, Andrey Ptashnik via FreeIPA-users wrote:
>Dear FreeIPA Team,
>I have an issue with Web GUI throwing error message "Login failed due to an unknown reason" when login through Web interface.
>Other functionality like directory service, DNS and authentication with ipa-clients seems to work fine.
>I first spotted this issue in 4.5.0 and tried troubleshooting steps from previous thread, however that did not help. Hoping that issue is solved in higher versions I tried upgrading ipa-server packages via:
># yum upgrade ipa-server
># ipa-server-upgrade
>However it did not solve the issue in 4.6.6 and exactly the same behavior I saw in version 4.5.0
># rpm -q ipa-server.x86_64 krb5-libs.x86_64 krb5-server.x86_64 cyrus-sasl-gssapi.x86_64 sssd-krb5.x86_64 httpd.x86_64
>ipa-server-4.6.4-10.el7.centos.x86_64
>krb5-libs-1.15.1-34.el7.x86_64
>krb5-server-1.15.1-34.el7.x86_64
>cyrus-sasl-gssapi-2.1.26-23.el7.x86_64
>sssd-krb5-1.16.2-13.el7.x86_64
>httpd-2.4.6-88.el7.centos.x86_64
># cat /etc/*release*
>CentOS Linux release 7.4.1708 (Core)
Just a note -- the above is not a CentOS 7.4.1708. If you updated IPA packages selectively to a version from CentOS 7.6.1810 without updating whole distribution to that version, there is no guarantee everything is working.
>What could be the next troubleshooting step in my case?
Please show
getcert list -f /var/kerberos/krb5kdc/kdc.crt
Alexander,
Thank you for your time,
# getcert list -f /var/kerberos/krb5kdc/kdc.crt
No request found that matched arguments.
#
# ls -la /var/kerberos/krb5kdc/
total 16
drwxr-xr-x. 2 root root 82 Dec 3 22:56 .
drwxr-xr-x. 4 root root 31 Nov 2 11:13 ..
-rwxr-xr-x 1 root root 0 Nov 30 2017 cacert.pem
-rw------- 1 root root 22 Oct 30 09:40 kadm5.acl
-rwxr-xr-x 1 root root 612 Nov 30 2017 kdc.conf
-rwxr-xr-x 1 root root 1415 Nov 30 2017 kdc.crt
-rwxr-xr-x 1 root root 1708 Nov 30 2017 kdc.key
#
I used the following commands:
# yum upgrade ipa-server
# ipa-server-upgrade
to upgrade packages, and agreed to any proposed dependencies (there were about 90 of them).
Thanks, Andrey
On 12/4/18, 01:28, "Alexander Bokovoy" abokovoy@redhat.com wrote:
On Tue, 04 Dec 2018, Andrey Ptashnik via FreeIPA-users wrote:
>Dear FreeIPA Team,
>I have an issue with Web GUI throwing error message "Login failed due to an unknown reason" when login through Web interface.
>Other functionality like directory service, DNS and authentication with ipa-clients seems to work fine.
>I first spotted this issue in 4.5.0 and tried troubleshooting steps from previous thread, however that did not help. Hoping that issue is solved in higher versions I tried upgrading ipa-server packages via:
># yum upgrade ipa-server
># ipa-server-upgrade
>However it did not solve the issue in 4.6.6 and exactly the same behavior I saw in version 4.5.0
># rpm -q ipa-server.x86_64 krb5-libs.x86_64 krb5-server.x86_64 cyrus-sasl-gssapi.x86_64 sssd-krb5.x86_64 httpd.x86_64
>ipa-server-4.6.4-10.el7.centos.x86_64
>krb5-libs-1.15.1-34.el7.x86_64
>krb5-server-1.15.1-34.el7.x86_64
>cyrus-sasl-gssapi-2.1.26-23.el7.x86_64
>sssd-krb5-1.16.2-13.el7.x86_64
>httpd-2.4.6-88.el7.centos.x86_64
># cat /etc/*release*
>CentOS Linux release 7.4.1708 (Core)
Just a note -- the above is not a CentOS 7.4.1708. If you updated IPA packages selectively to a version from CentOS 7.6.1810 without updating whole distribution to that version, there is no guarantee everything is working.
>What could be the next troubleshooting step in my case?
Please show
getcert list -f /var/kerberos/krb5kdc/kdc.crt
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
On Tue, 04 Dec 2018, Andrey Ptashnik wrote:
>Alexander,
>Thank you for your time,
># getcert list -f /var/kerberos/krb5kdc/kdc.crt
>No request found that matched arguments.
>#
># ls -la /var/kerberos/krb5kdc/
>total 16
>drwxr-xr-x. 2 root root 82 Dec 3 22:56 .
>drwxr-xr-x. 4 root root 31 Nov 2 11:13 ..
>-rwxr-xr-x 1 root root 0 Nov 30 2017 cacert.pem
>-rw------- 1 root root 22 Oct 30 09:40 kadm5.acl
>-rwxr-xr-x 1 root root 612 Nov 30 2017 kdc.conf
>-rwxr-xr-x 1 root root 1415 Nov 30 2017 kdc.crt
>-rwxr-xr-x 1 root root 1708 Nov 30 2017 kdc.key
>#
What does 'openssl x509 -text -in /var/kerberos/krb5kdc/kdc.crt' say?
Are you using integrated CA?
If you are using integrated CA, then please move away kdc.crt and kdc.key and run
ipa-pkinit-manage enable
>I used following commands:
># yum upgrade ipa-server
># ipa-server-upgrade
>to upgrade packages, and agreed to any proposed dependencies (there were about 90 of them).
>Thanks,
>Andrey
Alexander,
Please find output below:
[root@ipa-server-01 ~]# openssl x509 -text -in /var/kerberos/krb5kdc/kdc.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=NIX.MYDOMAIN.COM, CN=ipa-server-01.nix.MYDOMAIN.COM
        Validity
            Not Before: Nov 30 18:06:04 2017 GMT
            Not After : Nov 30 18:06:04 2018 GMT
        Subject: O=NIX.MYDOMAIN.COM, CN=ipa-server-01.nix.MYDOMAIN.COM
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e1:55:dc:8d:f5:0f:01:f1:75:dd:88:21:53:2e:
                    ...output omitted...
                    49:b8:c6:59:c3:89:d7:5e:20:a9:81:fe:93:60:b2:
                    38:4b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                othername:<unsupported>, othername:<unsupported>
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                81:12:0E:48:6A:43:93:92:03:18:29:D3:3B:E2:71:8B:B4:A9:42:7E
            1.3.6.1.4.1.311.20.2:
                .".K.D.C.s._.P.K.I.N.I.T._.C.e.r.t.s
    Signature Algorithm: sha256WithRSAEncryption
         ba:01:72:0b:2f:9d:3f:39:cf:84:be:cd:85:70:08:79:60:9e:
         ...output omitted...
         f4:0d:27:9e:41:bd:71:c9:0d:51:e1:3c:1e:4f:8e:89:71:f3:
         e9:fe:40:74
-----BEGIN CERTIFICATE-----
MIID5zCCAs+gAwIBAgIBATANBgkqhkiG9w0BAQsFADA+MRYwFAYDVQQKDA1OSVgu
...output omitted...
ZYDW6cyjBkmRmaelKXZEm81ezY+s9A0nnkG9cckNUeE8Hk+OiXHz6f5AdA==
-----END CERTIFICATE-----
[root@ipa-server-01 ~]#
[root@ipa-server-01 krb5kdc]# rm -f kdc.crt
[root@ipa-server-01 krb5kdc]# rm -f kdc.key
[root@ipa-server-01 krb5kdc]#
[root@ipa-server-01 krb5kdc]# ipa-pkinit-manage enable
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
The ipa-pkinit-manage command was successful
[root@ipa-server-01 krb5kdc]# ls -la
total 20
drwxr-xr-x. 2 root root 82 Dec 4 08:16 .
drwxr-xr-x. 4 root root 31 Nov 2 11:13 ..
-rw-r--r-- 1 root root 1298 Dec 4 08:16 cacert.pem
-rw------- 1 root root 22 Oct 30 09:40 kadm5.acl
-rwxr-xr-x 1 root root 612 Nov 30 2017 kdc.conf
-rw-r--r-- 1 root root 1667 Dec 4 08:16 kdc.crt
-rw------- 1 root root 1704 Dec 4 08:16 kdc.key
[root@ipa-server-01 krb5kdc]#
After certificate update it looks like Web GUI is working.
Thank you so much for your help!
Regards, Andrey
On 12/4/18, 02:02, "Alexander Bokovoy" abokovoy@redhat.com wrote:
On Tue, 04 Dec 2018, Andrey Ptashnik wrote:
>Alexander,
>Thank you for your time,
># getcert list -f /var/kerberos/krb5kdc/kdc.crt
>No request found that matched arguments.
>#
># ls -la /var/kerberos/krb5kdc/
>total 16
>drwxr-xr-x. 2 root root 82 Dec 3 22:56 .
>drwxr-xr-x. 4 root root 31 Nov 2 11:13 ..
>-rwxr-xr-x 1 root root 0 Nov 30 2017 cacert.pem
>-rw------- 1 root root 22 Oct 30 09:40 kadm5.acl
>-rwxr-xr-x 1 root root 612 Nov 30 2017 kdc.conf
>-rwxr-xr-x 1 root root 1415 Nov 30 2017 kdc.crt
>-rwxr-xr-x 1 root root 1708 Nov 30 2017 kdc.key
>#
What does 'openssl x509 -text -in /var/kerberos/krb5kdc/kdc.crt' say?
Are you using integrated CA?
If you are using integrated CA, then please move away kdc.crt and kdc.key and run
ipa-pkinit-manage enable
On Tue, 04 Dec 2018, Andrey Ptashnik wrote:
>Alexander,
>Please find output below:
>[root@ipa-server-01 ~]# openssl x509 -text -in /var/kerberos/krb5kdc/kdc.crt
>Certificate:
>    Data:
>        Version: 3 (0x2)
>        Serial Number: 1 (0x1)
>    Signature Algorithm: sha256WithRSAEncryption
>        Issuer: O=NIX.MYDOMAIN.COM, CN=ipa-server-01.nix.MYDOMAIN.COM
Yep -- this is self-signed certificate instead of using the right one from IPA CA.
>[root@ipa-server-01 krb5kdc]# rm -f kdc.crt
>[root@ipa-server-01 krb5kdc]# rm -f kdc.key
>[root@ipa-server-01 krb5kdc]#
>[root@ipa-server-01 krb5kdc]# ipa-pkinit-manage enable
>Configuring Kerberos KDC (krb5kdc)
>  [1/1]: installing X509 Certificate for PKINIT
>Done configuring Kerberos KDC (krb5kdc).
>The ipa-pkinit-manage command was successful
>[root@ipa-server-01 krb5kdc]# ls -la
>total 20
>drwxr-xr-x. 2 root root 82 Dec 4 08:16 .
>drwxr-xr-x. 4 root root 31 Nov 2 11:13 ..
>-rw-r--r-- 1 root root 1298 Dec 4 08:16 cacert.pem
>-rw------- 1 root root 22 Oct 30 09:40 kadm5.acl
>-rwxr-xr-x 1 root root 612 Nov 30 2017 kdc.conf
>-rw-r--r-- 1 root root 1667 Dec 4 08:16 kdc.crt
>-rw------- 1 root root 1704 Dec 4 08:16 kdc.key
>[root@ipa-server-01 krb5kdc]#
>After certificate update it looks like Web GUI is working.
So, this is another version of https://pagure.io/freeipa/issue/7200
freeipa-users@lists.fedorahosted.org
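The three checks this thread walks through (is kdc.crt issued by itself, is it past its Not After date, does certmonger track it), as an added shell example that is not part of the thread or of FreeIPA. The function names are hypothetical, issuer-equals-subject is used as the self-signed heuristic, and the sample input is constructed from the output quoted above.

```shell
#!/bin/sh
# Added example, not from the thread; function names are hypothetical.

# Print the value of the first "<label> :" field in the text on stdin.
cert_field() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*:[[:space:]]*//p" | head -n 1
}

# "Nov 30 18:06:04 2018 GMT" -> 20181130180604 (sortable without GNU date).
to_sortable() {
    awk '{ m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $1) + 2) / 3
           gsub(":", "", $3)
           printf "%04d%02d%02d%s\n", $4, m, $2, $3 }'
}

# kdc_cert_triage NOW   (NOW is UTC as YYYYMMDDhhmmss)
# Reads `openssl x509 -text` output on stdin, prints one finding per line,
# and returns 0 when there are none, 1 otherwise.
kdc_cert_triage() {
    now=$1 rc=0
    text=$(cat)
    issuer=$(printf '%s\n' "$text" | cert_field 'Issuer')
    subject=$(printf '%s\n' "$text" | cert_field 'Subject')
    not_after=$(printf '%s\n' "$text" | cert_field 'Not After')
    if [ -z "$issuer" ] || [ -z "$not_after" ]; then
        echo "UNPARSED: no Issuer or Not After field in input"; return 1
    fi
    if [ "$issuer" = "$subject" ]; then
        echo "SELF-SIGNED: issuer equals subject ($issuer)"; rc=1
    fi
    if [ "$(printf '%s\n' "$not_after" | to_sortable)" -le "$now" ]; then
        echo "EXPIRED: Not After $not_after"; rc=1
    fi
    return $rc
}

# Reads `getcert list -f FILE` output on stdin; returns 1 when certmonger has
# no tracking request for the file, so nothing will renew it.
kdc_cert_tracked() {
    if grep -q 'No request found that matched arguments'; then
        echo "UNTRACKED: certmonger has no request for this file"; return 1
    fi
}

# Constructed sample: fields copied from the kdc.crt dump quoted in the thread.
SAMPLE_BAD='        Issuer: O=NIX.MYDOMAIN.COM, CN=ipa-server-01.nix.MYDOMAIN.COM
            Not After : Nov 30 18:06:04 2018 GMT
        Subject: O=NIX.MYDOMAIN.COM, CN=ipa-server-01.nix.MYDOMAIN.COM'
printf '%s\n' "$SAMPLE_BAD" | kdc_cert_triage 20181204000000 || true
```

On a server, feed it live data with `openssl x509 -text -noout -in /var/kerberos/krb5kdc/kdc.crt | kdc_cert_triage "$(date -u +%Y%m%d%H%M%S)"`.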