After upgrading from 7.3 to 7.4, Unable to access the IPA web GUI due to the error: "Login failed due to an unknown reason"

Solution Verified - Updated -

Issue

After upgrading from 7.3 to 7.4, Unable to access the IPA web GUI due to the error: "Login failed due to an unknown reason".

I see the following errors in /var/log/httpd/error_logs

mod_wsgi (pid=2182): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
Traceback (most recent call last):
File "/usr/share/ipa/wsgi.py", line 51, in application
return api.Backend.wsgi_dispatch(environ, start_response)
File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 262, in __call__
return self.route(environ, start_response)
File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 274, in route
return app(environ, start_response)
File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 929, in __call__
self.kinit(user_principal, password, ipa_ccache_name)
File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 965, in kinit
pkinit_anchors=[paths.KDC_CERT, paths.KDC_CA_BUNDLE_PEM],
File "/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 125, in kinit_armor
run(args, env=env, raiseonerr=True, capture_error=True)
File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 511, in run
raise CalledProcessError(p.returncode, arg_string, str(output))
CalledProcessError: Command '/usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_2182 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned non-zero exit status 1

Following commands failed when attempted to run manually.

KRB5_TRACE=/dev/stdout /usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_15581 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem

[102964] 1503042566.205480: Getting initial credentials for WELLKNOWN/ANONYMOUS@EXAMPLE.COM
[102964] 1503042566.205629: Sending request (200 bytes) to EXAMPLE.COM
[102964] 1503042566.205836: Initiating TCP connection to stream 10.7.4.5:88
[102964] 1503042566.205938: Sending TCP request to stream 10.7.4.5:88
[102964] 1503042566.208261: Received answer (311 bytes) from stream 10.7.4.5:88
[102964] 1503042566.208270: Terminating TCP connection to stream 10.7.4.5:88
[102964] 1503042566.208311: Response was from master KDC
[102964] 1503042566.208330: Received error from KDC: -1765328359/Additional pre-authentication required
[102964] 1503042566.208357: Processing preauth types: 136, 19, 2, 133
[102964] 1503042566.208368: Selected etype info: etype aes256-cts, salt "IDM.INFRA.MACIF.FRWELLKNOWNANONYMOUS", params ""
[102964] 1503042566.208372: Received cookie: MIT
Password for WELLKNOWN/ANONYMOUS@EXAMPLE.COM:
[102964] 1503042585.93877: AS key obtained for encrypted timestamp: aes256-cts/4048
[102964] 1503042585.93946: Encrypted timestamp (for 1503042585.93706): plain 301AA011180F32303137303831383037343934355AA1050203016E0A, encrypted 91D898BC4138193BA68F8B57C8025E5102759C26CDF81FA92AA7CF36F5419812F0E3950A9787C0C30BCC025F792BE73BE88E0E5FD15EC0B7
[102964] 1503042585.93991: Preauth module encrypted_timestamp (2) (real) returned: 0/Success [102964] 1503042585.93995: Produced preauth for next request: 133, 2 
[102964] 1503042585.94015: Sending request (295 bytes) to EXAMPLE.COM 
[102964] 1503042585.94144: Initiating TCP connection to stream 10.7.4.5:88 
[102964] 1503042585.94217: Sending TCP request to stream 10.7.4.5:88 
[102964] 1503042585.102238: Received answer (311 bytes) from stream 10.7.4.5:88 
[102964] 1503042585.102248: Terminating TCP connection to stream 10.7.4.5:88 
[102964] 1503042585.102304: Response was from master KDC 
[102964] 1503042585.102324: Received error from KDC: -1765328360/Preauthentication failed 
[102964] 1503042585.102343: Preauth tryagain input types: 136, 19, 2, 133 kinit: Password incorrect while getting initial credentials

Environment

  • ipa-server-4.5.0-21.el7.x86_64

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content