After upgrading from 7.3 to 7.4, unable to access the IPA web GUI due to the error: "Login failed due to an unknown reason"
Issue
After upgrading from 7.3 to 7.4, unable to access the IPA web GUI due to the error: "Login failed due to an unknown reason".
I see the following errors in /var/log/httpd/error_logs:
mod_wsgi (pid=2182): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
Traceback (most recent call last):
  File "/usr/share/ipa/wsgi.py", line 51, in application
    return api.Backend.wsgi_dispatch(environ, start_response)
  File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 262, in __call__
    return self.route(environ, start_response)
  File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 274, in route
    return app(environ, start_response)
  File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 929, in __call__
    self.kinit(user_principal, password, ipa_ccache_name)
  File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 965, in kinit
    pkinit_anchors=[paths.KDC_CERT, paths.KDC_CA_BUNDLE_PEM],
  File "/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 125, in kinit_armor
    run(args, env=env, raiseonerr=True, capture_error=True)
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 511, in run
    raise CalledProcessError(p.returncode, arg_string, str(output))
CalledProcessError: Command '/usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_2182 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned non-zero exit status 1
The following command also failed when run manually:
KRB5_TRACE=/dev/stdout /usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_15581 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
[102964] 1503042566.205480: Getting initial credentials for WELLKNOWN/ANONYMOUS@EXAMPLE.COM
[102964] 1503042566.205629: Sending request (200 bytes) to EXAMPLE.COM
[102964] 1503042566.205836: Initiating TCP connection to stream 10.7.4.5:88
[102964] 1503042566.205938: Sending TCP request to stream 10.7.4.5:88
[102964] 1503042566.208261: Received answer (311 bytes) from stream 10.7.4.5:88
[102964] 1503042566.208270: Terminating TCP connection to stream 10.7.4.5:88
[102964] 1503042566.208311: Response was from master KDC
[102964] 1503042566.208330: Received error from KDC: -1765328359/Additional pre-authentication required
[102964] 1503042566.208357: Processing preauth types: 136, 19, 2, 133
[102964] 1503042566.208368: Selected etype info: etype aes256-cts, salt "IDM.INFRA.MACIF.FRWELLKNOWNANONYMOUS", params ""
[102964] 1503042566.208372: Received cookie: MIT
Password for WELLKNOWN/ANONYMOUS@EXAMPLE.COM:
[102964] 1503042585.93877: AS key obtained for encrypted timestamp: aes256-cts/4048
[102964] 1503042585.93946: Encrypted timestamp (for 1503042585.93706): plain 301AA011180F32303137303831383037343934355AA1050203016E0A, encrypted 91D898BC4138193BA68F8B57C8025E5102759C26CDF81FA92AA7CF36F5419812F0E3950A9787C0C30BCC025F792BE73BE88E0E5FD15EC0B7
[102964] 1503042585.93991: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[102964] 1503042585.93995: Produced preauth for next request: 133, 2
[102964] 1503042585.94015: Sending request (295 bytes) to EXAMPLE.COM
[102964] 1503042585.94144: Initiating TCP connection to stream 10.7.4.5:88
[102964] 1503042585.94217: Sending TCP request to stream 10.7.4.5:88
[102964] 1503042585.102238: Received answer (311 bytes) from stream 10.7.4.5:88
[102964] 1503042585.102248: Terminating TCP connection to stream 10.7.4.5:88
[102964] 1503042585.102304: Response was from master KDC
[102964] 1503042585.102324: Received error from KDC: -1765328360/Preauthentication failed
[102964] 1503042585.102343: Preauth tryagain input types: 136, 19, 2, 133
kinit: Password incorrect while getting initial credentials
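The trace above can be checked mechanically. The following is an added example, not part of the original article or of IPA: it parses KRB5_TRACE output and reports whether the KDC offered a PKINIT preauth type (16 or 17), which anonymous kinit -n depends on; here only 136, 19, 2 and 133 are offered, so the client falls back to encrypted timestamp and prompts for a password. The name analyze_trace is hypothetical and the sample lines are copied from the trace above.

```python
import re

# Preauth type numbers as assigned in RFC 4120, RFC 4556 and RFC 6113.
PA_NAMES = {2: "PA-ENC-TIMESTAMP", 16: "PA-PK-AS-REQ", 17: "PA-PK-AS-REP",
            19: "PA-ETYPE-INFO2", 133: "PA-FX-COOKIE", 136: "PA-FX-FAST"}
PKINIT_TYPES = {16, 17}

# Sample input for this example: five lines copied from the trace above.
SAMPLE_TRACE = """\
[102964] 1503042566.205480: Getting initial credentials for WELLKNOWN/ANONYMOUS@EXAMPLE.COM
[102964] 1503042566.208330: Received error from KDC: -1765328359/Additional pre-authentication required
[102964] 1503042566.208357: Processing preauth types: 136, 19, 2, 133
[102964] 1503042585.93991: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[102964] 1503042585.102324: Received error from KDC: -1765328360/Preauthentication failed
"""

RE_PRINCIPAL = re.compile(r"Getting initial credentials for (\S+)")
RE_OFFERED = re.compile(r"Processing preauth types: ([\d, ]+)")
RE_MODULE = re.compile(r"Preauth module (\S+) \((\d+)\)")
RE_KDC_ERROR = re.compile(r"Received error from KDC: -?\d+/(.+)$")

def analyze_trace(text):
    """Summarise one KRB5_TRACE capture of an initial-credentials request."""
    out = {"principal": None, "offered": [], "modules": [], "kdc_errors": []}
    for line in text.splitlines():
        if m := RE_PRINCIPAL.search(line):
            out["principal"] = m.group(1)
        elif m := RE_OFFERED.search(line):
            types = [int(t) for t in m.group(1).split(",") if t.strip()]
            out["offered"] += [t for t in types if t not in out["offered"]]
        elif m := RE_MODULE.search(line):
            out["modules"].append(m.group(1))
        elif m := RE_KDC_ERROR.search(line):
            out["kdc_errors"].append(m.group(1).strip())
    anonymous = (out["principal"] or "").startswith("WELLKNOWN/ANONYMOUS@")
    out["pkinit_offered"] = bool(PKINIT_TYPES & set(out["offered"]))
    # Anonymous kinit (-n) relies on PKINIT; when the KDC does not offer it,
    # the client falls back to a password mechanism, as in the trace above.
    out["anonymous_without_pkinit"] = anonymous and not out["pkinit_offered"]
    return out

if __name__ == "__main__":
    r = analyze_trace(SAMPLE_TRACE)
    print("principal:", r["principal"])
    print("offered:", [PA_NAMES.get(t, str(t)) for t in r["offered"]])
    print("modules used:", r["modules"], "KDC errors:", r["kdc_errors"])
    print("anonymous request without PKINIT:", r["anonymous_without_pkinit"])
```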
Environment
- ipa-server-4.5.0-21.el7.x86_64
