Bug 1451733

Summary:	Unable to login to IPA Web UI
Product:	Red Hat Enterprise Linux 7	Reporter:	Abhijeet Kasurde <akasurde>
Component:	ipa	Assignee:	IPA Maintainers <ipa-maint>
Status:	CLOSED DUPLICATE	QA Contact:	ipa-qe <ipa-qe>
Severity:	unspecified	Docs Contact:
Priority:	unspecified
Version:	7.4	CC:	mbabinsk, pvoborni, rcritten, sebastian.greco, sumenon, tscherf
Target Milestone:	rc	Keywords:	Regression
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:		Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2017-05-25 15:34:44 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Abhijeet Kasurde 2017-05-17 12:02:45 UTC

Description of problem:
Admin user is unable to login into Web UI with Correct password.

Getting error message in /var/log/httpd/error_log

[Wed May 17 16:02:05.624941 2017] [:error] [pid 28655] [remote 10.10.10.48:148] mod_wsgi (pid=28655): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Wed May 17 16:02:05.625006 2017] [:error] [pid 28655] [remote 10.10.10.48:148] Traceback (most recent call last):
[Wed May 17 16:02:05.625032 2017] [:error] [pid 28655] [remote 10.10.10.48:148]   File "/usr/share/ipa/wsgi.py", line 51, in application
[Wed May 17 16:02:05.625084 2017] [:error] [pid 28655] [remote 10.10.10.48:148]     return api.Backend.wsgi_dispatch(environ, start_response)
[Wed May 17 16:02:05.625098 2017] [:error] [pid 28655] [remote 10.10.10.48:148]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 262, in __call__
[Wed May 17 16:02:05.625119 2017] [:error] [pid 28655] [remote 10.10.10.48:148]     return self.route(environ, start_response)
[Wed May 17 16:02:05.625129 2017] [:error] [pid 28655] [remote 10.10.10.48:148]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 274, in route
[Wed May 17 16:02:05.625145 2017] [:error] [pid 28655] [remote 10.10.10.48:148]     return app(environ, start_response)
[Wed May 17 16:02:05.625153 2017] [:error] [pid 28655] [remote 10.10.10.48:148]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 914, in __call__
[Wed May 17 16:02:05.625168 2017] [:error] [pid 28655] [remote 10.10.10.48:148]     self.kinit(user_principal, password, ipa_ccache_name)
[Wed May 17 16:02:05.625178 2017] [:error] [pid 28655] [remote 10.10.10.48:148]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 948, in kinit
[Wed May 17 16:02:05.625192 2017] [:error] [pid 28655] [remote 10.10.10.48:148]     kinit_armor(armor_path, pkinit_anchor=paths.CACERT_PEM)
[Wed May 17 16:02:05.625204 2017] [:error] [pid 28655] [remote 10.10.10.48:148]   File "/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 121, in kinit_armor
[Wed May 17 16:02:05.625222 2017] [:error] [pid 28655] [remote 10.10.10.48:148]     run(args, env=env, raiseonerr=True, capture_error=True)
[Wed May 17 16:02:05.625232 2017] [:error] [pid 28655] [remote 10.10.10.48:148]   File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 495, in run
[Wed May 17 16:02:05.625248 2017] [:error] [pid 28655] [remote 10.10.10.48:148]     raise CalledProcessError(p.returncode, arg_string, str(output))
[Wed May 17 16:02:05.625312 2017] [:error] [pid 28655] [remote 10.10.10.48:148] CalledProcessError: Command '/usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_28655 -X X509_anchors=FILE:/var/kerberos/krb5kdc/cacert.pem' returned non-zero exit status 1


Version-Release number of selected component (if applicable):
# rpm -q ipa-server ipa-client 389-ds-base pki-ca krb5-server
ipa-server-4.5.0-11.el7.x86_64
ipa-client-4.5.0-11.el7.x86_64
389-ds-base-1.3.6.1-13.el7.x86_64
pki-ca-10.4.1-4.el7.noarch
krb5-server-1.15.1-8.el7.x86_64

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28


How reproducible:
100%

Steps to Reproduce:
1. Install IPA server
2. Login into web ui using Admin user

Actual results:
Admin user fails to login to Web UI with error "Login failed due to an unknown reason."

Expected results:
Admin user should be able to login using Web UI.

Comment 3 Sudhir Menon 2017-05-17 14:15:46 UTC

[Wed May 17 10:12:06.015576 2017] [:error] [pid 30971] [remote ] mod_wsgi (pid=30971): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Wed May 17 10:12:06.015618 2017] [:error] [pid 30971] [remote ] Traceback (most recent call last):
[Wed May 17 10:12:06.015639 2017] [:error] [pid 30971] [remote ]   File "/usr/share/ipa/wsgi.py", line 51, in application
[Wed May 17 10:12:06.015676 2017] [:error] [pid 30971] [remote ]     return api.Backend.wsgi_dispatch(environ, start_response)
[Wed May 17 10:12:06.015688 2017] [:error] [pid 30971] [remote ]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 262, in __call__
[Wed May 17 10:12:06.015705 2017] [:error] [pid 30971] [remote ]     return self.route(environ, start_response)
[Wed May 17 10:12:06.015712 2017] [:error] [pid 30971] [remote ]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 274, in route
[Wed May 17 10:12:06.015730 2017] [:error] [pid 30971] [remote ]     return app(environ, start_response)
[Wed May 17 10:12:06.015737 2017] [:error] [pid 30971] [remote ]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 914, in __call__
[Wed May 17 10:12:06.015747 2017] [:error] [pid 30971] [remote ]     self.kinit(user_principal, password, ipa_ccache_name)
[Wed May 17 10:12:06.015752 2017] [:error] [pid 30971] [remote ]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 948, in kinit
[Wed May 17 10:12:06.015762 2017] [:error] [pid 30971] [remote ]     kinit_armor(armor_path, pkinit_anchor=paths.CACERT_PEM)
[Wed May 17 10:12:06.015769 2017] [:error] [pid 30971] [remote ]   File "/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 121, in kinit_armor
[Wed May 17 10:12:06.015794 2017] [:error] [pid 30971] [remote ]     run(args, env=env, raiseonerr=True, capture_error=True)
[Wed May 17 10:12:06.015800 2017] [:error] [pid 30971] [remote ]   File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 495, in run
[Wed May 17 10:12:06.015825 2017] [:error] [pid 30971] [remote ]     raise CalledProcessError(p.returncode, arg_string, str(output))
[Wed May 17 10:12:06.015849 2017] [:error] [pid 30971] [remote ] CalledProcessError: Command '/usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_30971 -X X509_anchors=FILE:/var/kerberos/krb5kdc/cacert.pem' returned non-zero exit status 1

Comment 4 Petr Vobornik 2017-05-18 12:43:55 UTC

Martin, this looks to me as dup of issue in bug 1438729. If yes we can close is as dup. Do you want separate upstream ticket?

Comment 5 Martin Babinsky 2017-05-18 14:48:29 UTC

It most likely is a duplicate. I will make a separate BZ and upstream issue for the SELinux policy adjustment.

Comment 6 Petr Vobornik 2017-05-25 15:34:44 UTC


*** This bug has been marked as a duplicate of bug 1452215 ***

Comment 7 Sebastián Greco 2018-01-15 10:21:11 UTC

Hi,

I have same error with selinux either in permissive or enforcing modes. Could it be a different case than the one in bug 1452215 and not a duplicate?

[Wed Dec 27 10:14:24.279362 2017] [:error] [pid 1646] [remote 172.16.1.22:24] mod_wsgi (pid=1646): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Wed Dec 27 10:14:24.279838 2017] [:error] [pid 1646] [remote 172.16.1.22:24] Traceback (most recent call last):
[Wed Dec 27 10:14:24.280033 2017] [:error] [pid 1646] [remote 172.16.1.22:24]   File "/usr/share/ipa/wsgi.py", line 51, in application
[Wed Dec 27 10:14:24.280556 2017] [:error] [pid 1646] [remote 172.16.1.22:24]     return api.Backend.wsgi_dispatch(environ, start_response)
[Wed Dec 27 10:14:24.280607 2017] [:error] [pid 1646] [remote 172.16.1.22:24]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 262, in __call__
[Wed Dec 27 10:14:24.281489 2017] [:error] [pid 1646] [remote 172.16.1.22:24]     return self.route(environ, start_response)
[Wed Dec 27 10:14:24.281526 2017] [:error] [pid 1646] [remote 172.16.1.22:24]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 274, in route
[Wed Dec 27 10:14:24.281585 2017] [:error] [pid 1646] [remote 172.16.1.22:24]     return app(environ, start_response)
[Wed Dec 27 10:14:24.281643 2017] [:error] [pid 1646] [remote 172.16.1.22:24]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 929, in __call__
[Wed Dec 27 10:14:24.281680 2017] [:error] [pid 1646] [remote 172.16.1.22:24]     self.kinit(user_principal, password, ipa_ccache_name)
[Wed Dec 27 10:14:24.281708 2017] [:error] [pid 1646] [remote 172.16.1.22:24]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 965, in kinit
[Wed Dec 27 10:14:24.281736 2017] [:error] [pid 1646] [remote 172.16.1.22:24]     pkinit_anchors=[paths.KDC_CERT, paths.KDC_CA_BUNDLE_PEM],
[Wed Dec 27 10:14:24.281777 2017] [:error] [pid 1646] [remote 172.16.1.22:24]   File "/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 125, in kinit_armor
[Wed Dec 27 10:14:24.281972 2017] [:error] [pid 1646] [remote 172.16.1.22:24]     run(args, env=env, raiseonerr=True, capture_error=True)
[Wed Dec 27 10:14:24.282009 2017] [:error] [pid 1646] [remote 172.16.1.22:24]   File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 512, in run
[Wed Dec 27 10:14:24.282865 2017] [:error] [pid 1646] [remote 172.16.1.22:24]     raise CalledProcessError(p.returncode, arg_string, str(output))
[Wed Dec 27 10:14:24.283031 2017] [:error] [pid 1646] [remote 172.16.1.22:24] CalledProcessError: Command '/usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_1646 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned non-zero exit status 1


Packages installed are:
[root@ipa ~]# rpm -qa | grep -i selinux
libselinux-2.5-11.el7.x86_64
selinux-policy-3.13.1-166.el7_4.7.noarch
libselinux-utils-2.5-11.el7.x86_64
selinux-policy-targeted-3.13.1-166.el7_4.7.noarch
libselinux-python-2.5-11.el7.x86_64

[root@ipa ~]# rpm -qa | grep -i ipa
python-ipaddress-1.0.16-2.el7.noarch
python-libipa_hbac-1.15.2-50.el7_4.8.x86_64
ipa-common-4.5.0-22.el7_4.noarch
ipa-client-common-4.5.0-22.el7_4.noarch
libipa_hbac-1.15.2-50.el7_4.8.x86_64
sssd-ipa-1.15.2-50.el7_4.8.x86_64
python2-ipalib-4.5.0-22.el7_4.noarch
python2-ipaserver-4.5.0-22.el7_4.noarch
ipa-server-4.5.0-22.el7_4.x86_64
ipa-server-common-4.5.0-22.el7_4.noarch
python-iniparse-0.4-9.el7.noarch
python2-ipaclient-4.5.0-22.el7_4.noarch
ipa-client-4.5.0-22.el7_4.x86_64

Comment 8 Rob Crittenden 2018-01-15 16:04:40 UTC

FTR this was updated in the duplicate bug as well and it turned out to be a time sync issue.