Alexander,

Thank you for your time,

# getcert list -f /var/kerberos/krb5kdc/kdc.crt No request found that matched arguments. #

# ls -la /var/kerberos/krb5kdc/ total 16 drwxr-xr-x. 2 root root 82 Dec 3 22:56 . drwxr-xr-x. 4 root root 31 Nov 2 11:13 .. -rwxr-xr-x 1 root root 0 Nov 30 2017 cacert.pem -rw------- 1 root root 22 Oct 30 09:40 kadm5.acl -rwxr-xr-x 1 root root 612 Nov 30 2017 kdc.conf -rwxr-xr-x 1 root root 1415 Nov 30 2017 kdc.crt -rwxr-xr-x 1 root root 1708 Nov 30 2017 kdc.key #

I used following commands:

# yum upgrade ipa-server # ipa-server-upgrade

to upgrade packages, and agreed to any proposed dependencies (there were about 90 of them).

Thanks, Andrey

On 12/4/18, 01:28, "Alexander Bokovoy" abokovoy@redhat.com wrote:

On ti, 04 joulu 2018, Andrey Ptashnik via FreeIPA-users wrote: >Dear FreeIPA Team, > >I have an issue with Web GUI throwing error message "Login failed due to an unknown reason" when login through Web interface. >Other functionality like directory service, DNS and authentication with ipa-clients seems to work fine. > >I first spotted this issue in 4.5.0 and tried troubleshooting steps >from previous thread, however that did not help. Hoping that issue is >solved in higher versions I tried upgrading ipa-server packages via: > ># yum upgrade ipa-server ># ipa-server-upgrade > >However it did not solve the issue in 4.6.6 and exactly the same >behavior I saw in version 4.5.0 > ># rpm -q ipa-server.x86_64 krb5-libs.x86_64 krb5-server.x86_64 cyrus-sasl-gssapi.x86_64 sssd-krb5.x86_64 httpd.x86_64 >ipa-server-4.6.4-10.el7.centos.x86_64 >krb5-libs-1.15.1-34.el7.x86_64 >krb5-server-1.15.1-34.el7.x86_64 >cyrus-sasl-gssapi-2.1.26-23.el7.x86_64 >sssd-krb5-1.16.2-13.el7.x86_64 >httpd-2.4.6-88.el7.centos.x86_64 > ># cat /etc/*release* >CentOS Linux release 7.4.1708 (Core) Just a note -- the above is not a CentOS 7.4.1708. If you updated IPA packages selectively to a version from CentOS 7.6.1810 without updating whole distribution to that version, there is no guarantee everything is working.

>What could be the next troubleshooting step in my case? Please show

getcert list -f /var/kerberos/krb5kdc/kdc.crt

-- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland

Alexander,

Please find output below:

[root@ipa-server-01 ~]# openssl x509 -text -in /var/kerberos/krb5kdc/kdc.crt Certificate: Data: Version: 3 (0x2) Serial Number: 1 (0x1) Signature Algorithm: sha256WithRSAEncryption Issuer: O=NIX.MYDOMAIN.COM, CN=ipa-server-01.nix.MYDOMAIN.COM Validity Not Before: Nov 30 18:06:04 2017 GMT Not After : Nov 30 18:06:04 2018 GMT Subject: O=NIX.MYDOMAIN.COM, CN=ipa-server-01.nix.MYDOMAIN.COM Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:e1:55:dc:8d:f5:0f:01:f1:75:dd:88:21:53:2e: ...output omitted... 49:b8:c6:59:c3:89:d7:5e:20:a9:81:fe:93:60:b2: 38:4b Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Alternative Name: othername:<unsupported>, othername:<unsupported> X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: 81:12:0E:48:6A:43:93:92:03:18:29:D3:3B:E2:71:8B:B4:A9:42:7E 1.3.6.1.4.1.311.20.2: .".K.D.C.s._.P.K.I.N.I.T._.C.e.r.t.s Signature Algorithm: sha256WithRSAEncryption ba:01:72:0b:2f:9d:3f:39:cf:84:be:cd:85:70:08:79:60:9e: ...output omitted... f4:0d:27:9e:41:bd:71:c9:0d:51:e1:3c:1e:4f:8e:89:71:f3: e9:fe:40:74 -----BEGIN CERTIFICATE----- MIID5zCCAs+gAwIBAgIBATANBgkqhkiG9w0BAQsFADA+MRYwFAYDVQQKDA1OSVgu ...output omitted... ZYDW6cyjBkmRmaelKXZEm81ezY+s9A0nnkG9cckNUeE8Hk+OiXHz6f5AdA== -----END CERTIFICATE----- [root@ipa-server-01 ~]#

[root@ipa-server-01 krb5kdc]# rm -f kdc.crt [root@ipa-server-01 krb5kdc]# rm -f kdc.key [root@ipa-server-01 krb5kdc]# [root@ipa-server-01 krb5kdc]# ipa-pkinit-manage enable Configuring Kerberos KDC (krb5kdc) [1/1]: installing X509 Certificate for PKINIT Done configuring Kerberos KDC (krb5kdc). The ipa-pkinit-manage command was successful [root@ipa-server-01 krb5kdc]# ls -la total 20 drwxr-xr-x. 2 root root 82 Dec 4 08:16 . drwxr-xr-x. 4 root root 31 Nov 2 11:13 .. -rw-r--r-- 1 root root 1298 Dec 4 08:16 cacert.pem -rw------- 1 root root 22 Oct 30 09:40 kadm5.acl -rwxr-xr-x 1 root root 612 Nov 30 2017 kdc.conf -rw-r--r-- 1 root root 1667 Dec 4 08:16 kdc.crt -rw------- 1 root root 1704 Dec 4 08:16 kdc.key [root@ipa-server-01 krb5kdc]#

After certificate update it looks like Web GUI is working.

Thank you so much for your help!

Regards, Andrey

On 12/4/18, 02:02, "Alexander Bokovoy" abokovoy@redhat.com wrote:

On ti, 04 joulu 2018, Andrey Ptashnik wrote: >Alexander, > >Thank you for your time, > ># getcert list -f /var/kerberos/krb5kdc/kdc.crt >No request found that matched arguments. ># > ># ls -la /var/kerberos/krb5kdc/ >total 16 >drwxr-xr-x. 2 root root 82 Dec 3 22:56 . >drwxr-xr-x. 4 root root 31 Nov 2 11:13 .. >-rwxr-xr-x 1 root root 0 Nov 30 2017 cacert.pem >-rw------- 1 root root 22 Oct 30 09:40 kadm5.acl >-rwxr-xr-x 1 root root 612 Nov 30 2017 kdc.conf >-rwxr-xr-x 1 root root 1415 Nov 30 2017 kdc.crt >-rwxr-xr-x 1 root root 1708 Nov 30 2017 kdc.key ># What does 'openssl x509 -text -in /var/kerberos/krb5kdc/kdc.crt' say?

Are you using integrated CA?

If you are using integrated CA, then please move away kdc.crt and kdc.key and run

ipa-pkinit-manage enable

> >I used following commands: > ># yum upgrade ipa-server ># ipa-server-upgrade > >to upgrade packages, and agreed to any proposed dependencies (there were about 90 of them). > >Thanks, >Andrey > > > >On 12/4/18, 01:28, "Alexander Bokovoy" abokovoy@redhat.com wrote: > > > > On ti, 04 joulu 2018, Andrey Ptashnik via FreeIPA-users wrote: > >Dear FreeIPA Team, > > > >I have an issue with Web GUI throwing error message "Login failed due to an unknown reason" when login through Web interface. > >Other functionality like directory service, DNS and authentication with ipa-clients seems to work fine. > > > >I first spotted this issue in 4.5.0 and tried troubleshooting steps > >from previous thread, however that did not help. Hoping that issue is > >solved in higher versions I tried upgrading ipa-server packages via: > > > ># yum upgrade ipa-server > ># ipa-server-upgrade > > > >However it did not solve the issue in 4.6.6 and exactly the same > >behavior I saw in version 4.5.0 > > > ># rpm -q ipa-server.x86_64 krb5-libs.x86_64 krb5-server.x86_64 cyrus-sasl-gssapi.x86_64 sssd-krb5.x86_64 httpd.x86_64 > >ipa-server-4.6.4-10.el7.centos.x86_64 > >krb5-libs-1.15.1-34.el7.x86_64 > >krb5-server-1.15.1-34.el7.x86_64 > >cyrus-sasl-gssapi-2.1.26-23.el7.x86_64 > >sssd-krb5-1.16.2-13.el7.x86_64 > >httpd-2.4.6-88.el7.centos.x86_64 > > > ># cat /etc/*release* > >CentOS Linux release 7.4.1708 (Core) > Just a note -- the above is not a CentOS 7.4.1708. If you updated IPA > packages selectively to a version from CentOS 7.6.1810 without updating > whole distribution to that version, there is no guarantee everything is > working. > > > >What could be the next troubleshooting step in my case? > Please show > > getcert list -f /var/kerberos/krb5kdc/kdc.crt > > -- > / Alexander Bokovoy > Sr. Principal Software Engineer > Security / Identity Management Engineering > Red Hat Limited, Finland > >

-- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland