Began receiving the following error when attempting to run any ipa commands from all IdM servers as AD users that are members, via ext_group, of Admin. The stack has been running for well over a year now with AD trust in place, and this is the first time seeing this issue.

IPA Version 4.5.0
RHEL 7.4

    # ipa hbactest
    ipa: ERROR: cannot connect to 'any of the configured servers': <https://server fqdn//ipa/json>, <https://server fqdn//ipa/json>, <https://server fqdn//ipa/json>, <https://server fqdn//ipa/json>

WebUI, replication, both AD and IPA user authentication, AD trust; all appear to be functioning as expected. The only updates that have been applied to the IdM servers since last known working were the below listed security updates.

    Packages Altered:
    Updated 389-ds-base-1.3.6.1-28.el7_4.x86_64 @rhui-REGION-rhel-server-releases
    Update  1.3.7.5-21.el7_5.x86_64 @rhui-REGION-rhel-server-releases
    Updated 389-ds-base-libs-1.3.6.1-28.el7_4.x86_64 @rhui-REGION-rhel-server-releases
    Update  1.3.7.5-21.el7_5.x86_64 @rhui-REGION-rhel-server-releases
    Updated dhclient-12:4.2.5-58.el7_4.3.x86_64 @rhui-REGION-rhel-server-releases
    Update  12:4.2.5-68.el7_5.1.x86_64 @rhui-REGION-rhel-server-releases
    Updated dhcp-common-12:4.2.5-58.el7_4.3.x86_64 @rhui-REGION-rhel-server-releases
    Update  12:4.2.5-68.el7_5.1.x86_64 @rhui-REGION-rhel-server-releases
    Updated dhcp-libs-12:4.2.5-58.el7_4.3.x86_64 @rhui-REGION-rhel-server-releases
    Update  12:4.2.5-68.el7_5.1.x86_64 @rhui-REGION-rhel-server-releases

    Directory Service: RUNNING
    krb5kdc Service: RUNNING
    kadmin Service: RUNNING
    named Service: RUNNING
    httpd Service: RUNNING
    ipa-custodia Service: RUNNING
    ntpd Service: RUNNING
    pki-tomcatd Service: RUNNING
    smb Service: RUNNING
    winbind Service: RUNNING
    ipa-otpd Service: RUNNING
    ipa-dnskeysyncd Service: RUNNING
    ipa: INFO: The ipactl command was successful

The following log entries are created in the httpd error_log when an AD user attempts to run ipa cli commands.

    [Fri Jun 01 20:17:14.442248 2018] [auth_gssapi:error] [pid 5717] [client 10.150.0.226:52676] Failed to unseal session data!, referer: https://server fqdn/ipa/xml
    [Fri Jun 01 20:17:14.442271 2018] [auth_gssapi:error] [pid 5717] [client 10.150.0.226:52676] NO AUTH DATA Client did not send any authentication headers, referer: https://server fqdn/ipa/xml
    [Fri Jun 01 20:17:14.468538 2018] [:error] [pid 1668] ipa: INFO: 401 Unauthorized: Insufficient access: Invalid credentials
    [Fri Jun 01 20:17:14.498108 2018] [:error] [pid 1669] ipa: INFO: 401 Unauthorized: Insufficient access: Invalid credentials

Any help is appreciated.