After upgrading from 7.3 to 7.4, unable to access the IPA web GUI due to the error: "Login failed due to an unknown reason"
Issue
After upgrading from 7.3 to 7.4, I am unable to access the IPA web GUI due to the error: "Login failed due to an unknown reason".
I see the following errors in /var/log/httpd/error_logs:
mod_wsgi (pid=2182): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
Traceback (most recent call last):
  File "/usr/share/ipa/wsgi.py", line 51, in application
    return api.Backend.wsgi_dispatch(environ, start_response)
  File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 262, in __call__
    return self.route(environ, start_response)
  File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 274, in route
    return app(environ, start_response)
  File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 929, in __call__
    self.kinit(user_principal, password, ipa_ccache_name)
  File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 965, in kinit
    pkinit_anchors=[paths.KDC_CERT, paths.KDC_CA_BUNDLE_PEM],
  File "/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 125, in kinit_armor
    run(args, env=env, raiseonerr=True, capture_error=True)
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 511, in run
    raise CalledProcessError(p.returncode, arg_string, str(output))
CalledProcessError: Command '/usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_2182 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned non-zero exit status 1
The following commands failed when run manually:
KRB5_TRACE=/dev/stdout /usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_15581 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
[102964] 1503042566.205480: Getting initial credentials for WELLKNOWN/ANONYMOUS@EXAMPLE.COM
[102964] 1503042566.205629: Sending request (200 bytes) to EXAMPLE.COM
[102964] 1503042566.205836: Initiating TCP connection to stream 10.7.4.5:88
[102964] 1503042566.205938: Sending TCP request to stream 10.7.4.5:88
[102964] 1503042566.208261: Received answer (311 bytes) from stream 10.7.4.5:88
[102964] 1503042566.208270: Terminating TCP connection to stream 10.7.4.5:88
[102964] 1503042566.208311: Response was from master KDC
[102964] 1503042566.208330: Received error from KDC: -1765328359/Additional pre-authentication required
[102964] 1503042566.208357: Processing preauth types: 136, 19, 2, 133
[102964] 1503042566.208368: Selected etype info: etype aes256-cts, salt "IDM.INFRA.MACIF.FRWELLKNOWNANONYMOUS", params ""
[102964] 1503042566.208372: Received cookie: MIT
Password for WELLKNOWN/ANONYMOUS@EXAMPLE.COM:
[102964] 1503042585.93877: AS key obtained for encrypted timestamp: aes256-cts/4048
[102964] 1503042585.93946: Encrypted timestamp (for 1503042585.93706): plain 301AA011180F32303137303831383037343934355AA1050203016E0A, encrypted 91D898BC4138193BA68F8B57C8025E5102759C26CDF81FA92AA7CF36F5419812F0E3950A9787C0C30BCC025F792BE73BE88E0E5FD15EC0B7
[102964] 1503042585.93991: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[102964] 1503042585.93995: Produced preauth for next request: 133, 2
[102964] 1503042585.94015: Sending request (295 bytes) to EXAMPLE.COM
[102964] 1503042585.94144: Initiating TCP connection to stream 10.7.4.5:88
[102964] 1503042585.94217: Sending TCP request to stream 10.7.4.5:88
[102964] 1503042585.102238: Received answer (311 bytes) from stream 10.7.4.5:88
[102964] 1503042585.102248: Terminating TCP connection to stream 10.7.4.5:88
[102964] 1503042585.102304: Response was from master KDC
[102964] 1503042585.102324: Received error from KDC: -1765328360/Preauthentication failed
[102964] 1503042585.102343: Preauth tryagain input types: 136, 19, 2, 133
kinit: Password incorrect while getting initial credentials
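The following is an added example, not part of the original article or of IPA: a small parser for KRB5_TRACE output like the trace above. It lists the preauth types the KDC offered, reports whether a PKINIT type is among them (the `kinit -n` call in the traceback passes PKINIT anchors), and notes whether kinit fell back to a password prompt. The names `triage`, `describe` and `SAMPLE` are hypothetical, and `SAMPLE` is an excerpt of the lines shown above.

```python
import re

# PA-DATA type numbers. PKINIT: 16/17 (RFC 4556) and the pre-standard 14/15.
PKINIT_TYPES = {14, 15, 16, 17}
PA_NAMES = {2: "PA-ENC-TIMESTAMP", 14: "PA-PK-AS-REQ_OLD", 15: "PA-PK-AS-REP_OLD",
            16: "PA-PK-AS-REQ", 17: "PA-PK-AS-REP", 19: "PA-ETYPE-INFO2",
            133: "PA-FX-COOKIE", 136: "PA-FX-FAST"}
TRACE_LINE = re.compile(r"^\[\d+\]\s+\d+\.\d+:\s+(.*)$")

# Excerpt of the trace above, trimmed to the lines the parser uses.
SAMPLE = """\
[102964] 1503042566.205480: Getting initial credentials for WELLKNOWN/ANONYMOUS@EXAMPLE.COM
[102964] 1503042566.208330: Received error from KDC: -1765328359/Additional pre-authentication required
[102964] 1503042566.208357: Processing preauth types: 136, 19, 2, 133
Password for WELLKNOWN/ANONYMOUS@EXAMPLE.COM:
[102964] 1503042585.102324: Received error from KDC: -1765328360/Preauthentication failed
"""

def triage(trace):
    """Summarise a KRB5_TRACE capture of an anonymous (kinit -n) request."""
    out = {"principal": None, "offered": [], "pkinit_offered": False,
           "password_fallback": False, "kdc_errors": []}
    for raw in trace.splitlines():
        line = raw.strip()
        m = TRACE_LINE.match(line)
        if not m:
            # kinit prints the prompt outside the trace format; a prompt
            # during kinit -n means it fell back to password preauth.
            if line.startswith("Password for "):
                out["password_fallback"] = True
            continue
        msg = m.group(1)
        if msg.startswith("Getting initial credentials for "):
            out["principal"] = msg.split(" for ", 1)[1]
        elif msg.startswith("Processing preauth types: "):
            out["offered"] = [int(t) for t in re.findall(r"\d+", msg.split(": ", 1)[1])]
            out["pkinit_offered"] = bool(PKINIT_TYPES & set(out["offered"]))
        elif msg.startswith("Received error from KDC: "):
            out["kdc_errors"].append(msg.split("/", 1)[1])
    return out

def describe(types):
    """Map numeric preauth types to names, keeping unknown numbers visible."""
    return [PA_NAMES.get(t, "type-%d" % t) for t in types]

if __name__ == "__main__":
    r = triage(SAMPLE)
    print(r["principal"], describe(r["offered"]), "PKINIT offered:", r["pkinit_offered"])
```

For the excerpt, the offered types are 136, 19, 2 and 133, none of which is a PKINIT type, and the password fallback flag is set.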
Environment
- ipa-server-4.5.0-21.el7.x86_64