
Failing to login into FreeIPA WebUI after some time

Open vudex opened this issue 3 years ago • 1 comments

Hi. I know this is probably not the right place to ask, but I need some help or advice. I'm using the freeipa:centos-8-4.9.8-epn image, and I am encountering an issue where I am unable to log in to the web interface after an arbitrary amount of time.

  1. httpd error.log shows the issue: [auth_gssapi:error] [pid 313:tid 139646043899648] [client 10.27.228.30:45830] GSS ERROR gss_acquire_cred[_from]() failed to get server creds: [Unspecified GSS failure. Minor code may provide more information ( SPNEGO cannot find mechanisms to negotiate)]

  2. And then if I try, for example, the ipa -d ping command within the working container:

ipa: DEBUG: New HTTP connection (***.local)
ipa: DEBUG: HTTP connection destroyed (***.local)
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipaclient/remote_plugins/__init__.py", line 125, in get_package
    plugins = api._remote_plugins
AttributeError: 'API' object has no attribute '_remote_plugins'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipalib/rpc.py", line 725, in single_request
    if not self._auth_complete(response):
  File "/usr/lib/python3.6/site-packages/ipalib/rpc.py", line 675, in _auth_complete
    message=u"No valid Negotiate header in server response")
ipalib.errors.KerberosError: No valid Negotiate header in server response
ipa: ERROR: No valid Negotiate header in server response

For now the solution is to wipe out the container fully (including the cache) and redeploy. I'm serving a small infrastructure of FreeIPA replicas based on that image and I see this problem from time to time on different hosts. I reported it to CentOS Bugzilla (I don't actually know if it was the right place to address the issue), but I saw some similar issues with no answers there.

vudex avatar Aug 15 '22 01:08 vudex

@rcritten Would you have any hint what to look for?

adelton avatar Aug 16 '22 14:08 adelton

You might try to get a new keytab for the web server:

ipa-getkeytab -D "cn=directory manager" -w <Directory Manager Password> -s FQDN -p 'HTTP/FQDN' -r -k /var/lib/ipa/gssproxy/http.keytab

where FQDN is the full hostname of the IPA server exhibiting this behavior.

rcritten avatar Aug 17 '22 13:08 rcritten
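A keytab sanity check, as an added example that is not part of this thread or of the freeipa-container project: it parses `klist -kt` and `kvno` output to tell whether the HTTP service keytab that httpd reads through gssproxy is missing the host's principal or is stale (its KVNO no longer matches what the KDC currently reports), which are the two keytab-side causes of a "failed to get server creds" error. The sample listings are constructed, the keytab path is the one from the comment above, and the `--live` switch, the function names and the example hostnames are assumptions. Live mode needs root to read the keytab and a ticket (`kinit admin`) for `kvno`.

```shell
#!/bin/sh
# Added example, not code from the freeipa-container project. Assumptions:
# the --live switch, the function names, and the example.test host names.

KEYTAB=/var/lib/ipa/gssproxy/http.keytab   # path from the comment above

# Print "kvno principal" for every entry of a `klist -kt` listing read on stdin.
# Header and separator lines are skipped because their first field is not numeric.
keytab_entries() {
    awk '$1 ~ /^[0-9]+$/ { print $1, $NF }'
}

# Exit 0 if PRINCIPAL ($1) has at least one entry in the listing on stdin.
# A bare "HTTP/fqdn" matches "HTTP/fqdn@REALM" so callers need not know the realm.
keytab_has_principal() {
    keytab_entries | awk -v p="$1" \
        '($2 == p || index($2, p "@") == 1) { found = 1 } END { exit !found }'
}

# Highest KVNO stored for PRINCIPAL ($1) in the listing on stdin (empty if none).
keytab_max_kvno() {
    keytab_entries | awk -v p="$1" '
        ($2 == p || index($2, p "@") == 1) && (!seen || $1 + 0 > max) { max = $1 + 0; seen = 1 }
        END { if (seen) print max }'
}

# KVNO the KDC reports, parsed from `kvno HTTP/fqdn` output on stdin.
kdc_kvno() {
    awk -F'kvno = ' 'NF == 2 { print $2 + 0 }'
}

# Verdict for PRINCIPAL ($1) given a keytab listing ($2) and kvno output ($3):
# prints ok / stale / missing / unknown; returns 0 only for ok.
keytab_state() {
    if ! printf '%s\n' "$2" | keytab_has_principal "$1"; then
        echo missing; return 1
    fi
    have=$(printf '%s\n' "$2" | keytab_max_kvno "$1")
    want=$(printf '%s\n' "$3" | kdc_kvno)
    if [ -z "$want" ]; then
        echo unknown; return 2
    fi
    if [ "$have" -eq "$want" ]; then
        echo ok; return 0
    fi
    echo stale; return 1
}

# Constructed sample output (not captured from a real server).
SAMPLE_LISTING='Keytab name: FILE:/var/lib/ipa/gssproxy/http.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 08/15/2022 01:02:03 HTTP/ipa1.example.test@EXAMPLE.TEST
   3 08/15/2022 01:02:03 HTTP/ipa1.example.test@EXAMPLE.TEST'
SAMPLE_KVNO_OK='HTTP/ipa1.example.test@EXAMPLE.TEST: kvno = 3'
SAMPLE_KVNO_STALE='HTTP/ipa1.example.test@EXAMPLE.TEST: kvno = 4'

if [ "${1:-}" = "--live" ]; then
    # Live check on the IPA server itself (run as root after `kinit admin`).
    FQDN=$(hostname -f)
    PRINC="HTTP/$FQDN"
    listing=$(klist -kt "$KEYTAB")
    kvno_out=$(kvno "$PRINC")
    case $(keytab_state "$PRINC" "$listing" "$kvno_out") in
        ok)      echo "keytab matches the KDC; look at gssproxy and httpd next" ;;
        unknown) echo "could not get a KVNO from the KDC; check your ticket (klist)" ;;
        *)       echo "re-fetch: ipa-getkeytab -D 'cn=directory manager' -w PASS -s $FQDN -p '$PRINC' -r -k $KEYTAB" ;;
    esac
else
    # Offline demonstration on the constructed samples.
    echo "keytab kvno 3, KDC kvno 3: $(keytab_state HTTP/ipa1.example.test "$SAMPLE_LISTING" "$SAMPLE_KVNO_OK")"
    echo "keytab kvno 3, KDC kvno 4: $(keytab_state HTTP/ipa1.example.test "$SAMPLE_LISTING" "$SAMPLE_KVNO_STALE")"
    echo "principal absent:          $(keytab_state HTTP/ipa2.example.test "$SAMPLE_LISTING" "$SAMPLE_KVNO_OK")"
fi
```

The `-r` in the suggested `ipa-getkeytab` call is retrieve mode: it fetches the key the KDC already holds instead of generating a new one, so it fixes a stale or missing keytab without bumping the KVNO again. If the verdict is "ok", the keytab is not the problem and the next places to look are gssproxy (its service config for httpd and whether httpd can reach its socket) and the httpd side itself.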

@rcritten I just tried this; unfortunately it didn't work. For now the only thought is to follow the trace message of ipa -d ping and dig some info out of the source code.

vudex avatar Aug 22 '22 00:08 vudex

By the way, you say you use the freeipa:centos-8-4.9.8-epn image. What is its Dockerfile / where does it come from? We haven't built such an image to https://hub.docker.com/r/freeipa/freeipa-server/tags?page=1&name=centos-8 nor https://quay.io/repository/freeipa/freeipa-server?tab=tags as CentOS Linux 8 has been EOL for over half a year.

adelton avatar Aug 22 '22 07:08 adelton