1476782 – Login to ipa-server UI fails with message "Login failed due to an unknown reason." when ipa configured from ipa-docker image is upgraded to latest version.

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1476782 - Login to ipa-server UI fails with message "Login failed due to an unknown reason." when ipa configured from ipa-docker image is upgraded to latest version.

Summary: Login to ipa-server UI fails with message "Login failed due to an unknown rea...

Keywords:
Status:	CLOSED DEFERRED
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	ipa-server-container
Sub Component:
Version:	7.4
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Petr Vobornik
QA Contact:	Nikhil Dehadrai
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1405325
TreeView+	depends on / blocked

Reported:	2017-07-31 13:08 UTC by Nikhil Dehadrai
Modified:	2021-01-06 11:16 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-01-06 11:15:53 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Nikhil Dehadrai 2017-07-31 13:08:40 UTC

Description of problem:
Login to ipa-server UI fails with message "Login failed due to an unknown reason."  when ipa configured from ipa-docker image is upgraded to latest version. ( In my case RHEL 7.3.z to RHEL 7.4.z)

Version-Release number of selected component (if applicable):
ipa-docker image: 4.5.0.8

BIND:
bind-dyndb-ldap-11.1-4.el7.x86_64
bind-9.9.4-51.el7.x86_64

IPA-VERSION:
ipa-server-4.5.0-21.el7.x86_64

Atomic host version:
-bash-4.2# atomic host status
State: idle
Deployments:
● atomic-host:rhel-atomic-host/7/x86_64/standard
                Version: 7.4.0 (2017-07-28 00:26:01)
                 Commit: 846fb0e18e65bd9a62fc9d952627413c6467c33c2d726449a1d7ad7690bbb93a

How reproducible:
Always

Steps to Reproduce:
1. Setup IPA server and REPLICA server using ipa-docker image(4.4.0.45 i.e RHEL 7.3.z).
2. Upgrade the ipa-server and replica using latest image.(4.5.0.8)


Actual results:
After step2, Upgrade is successful, but, after upgrade the user is unable to login to server UI for IPA/Replica both and same error message "Login failed due to an unknown reason." is noticed. (In my case from rhel 7.3.z to rhel 7.4.z)

#httpd error log:
[Fri Jul 28 12:46:18.524602 2017] [:error] [pid 1207] [remote x.x.x.x:76] mod_wsgi (pid=1207): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Fri Jul 28 12:46:18.524663 2017] [:error] [pid 1207] [remote x.x.x.x:76] Traceback (most recent call last):
[Fri Jul 28 12:46:18.524688 2017] [:error] [pid 1207] [remote x.x.x.x:76]   File "/usr/share/ipa/wsgi.py", line 51, in application
[Fri Jul 28 12:46:18.524731 2017] [:error] [pid 1207] [remote x.x.x.x:76]     return api.Backend.wsgi_dispatch(environ, start_response)
[Fri Jul 28 12:46:18.524741 2017] [:error] [pid 1207] [remote x.x.x.x:76]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 262, in __call__
[Fri Jul 28 12:46:18.524757 2017] [:error] [pid 1207] [remote x.x.x.x:76]     return self.route(environ, start_response)
[Fri Jul 28 12:46:18.524763 2017] [:error] [pid 1207] [remote x.x.x.x:76]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 274, in route
[Fri Jul 28 12:46:18.524771 2017] [:error] [pid 1207] [remote x.x.x.x:76]     return app(environ, start_response)
[Fri Jul 28 12:46:18.524789 2017] [:error] [pid 1207] [remote x.x.x.x:76]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 929, in __call__
[Fri Jul 28 12:46:18.524799 2017] [:error] [pid 1207] [remote x.x.x.x:76]     self.kinit(user_principal, password, ipa_ccache_name)
[Fri Jul 28 12:46:18.524804 2017] [:error] [pid 1207] [remote x.x.x.x:76]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 965, in kinit
[Fri Jul 28 12:46:18.524812 2017] [:error] [pid 1207] [remote x.x.x.x:76]     pkinit_anchors=[paths.KDC_CERT, paths.KDC_CA_BUNDLE_PEM],
[Fri Jul 28 12:46:18.524819 2017] [:error] [pid 1207] [remote x.x.x.x:76]   File "/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 125, in kinit_armor
[Fri Jul 28 12:46:18.524830 2017] [:error] [pid 1207] [remote x.x.x.x:76]    run(args, env=env, raiseonerr=True, capture_error=True)
[Fri Jul 28 12:46:18.524836 2017] [:error] [pid 1207] [remote x.x.x.x:76]   File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 511, in run
[Fri Jul 28 12:46:18.524847 2017] [:error] [pid 1207] [remote x.x.x.x:76]     raise CalledProcessError(p.returncode, arg_string, str(output))
[Fri Jul 28 12:46:18.524875 2017] [:error] [pid 1207] [remote x.x.x.x:76] CalledProcessError: Command '/usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_1207 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned non-zero exit status 1

Expected results:
User should be able to successfully login to IPA-server/ Replica after upgrade.

Additional info:
This issue is not observed for IPA server upgraded from RHEL 7.3.z to RHEL 7.4.z (rpm based installation)

Comment 3 binny 2017-08-11 14:37:03 UTC

I face the exact same issue. Any updates on how to resolve this ?

Comment 9 Petr Čech 2021-01-06 11:15:53 UTC

This BZ has been evaluated multiple times over the last several years and we assessed that it is a valuable request to keep in the backlog and address it at some point in future. Time showed that we did not have such capacity, nor have it now nor will have in the foreseeable future. In such a situation keeping it in the backlog is misleading and setting the wrong expectation that we will be able to address it. Unfortunately we will not. To reflect this we are closing this BZ. If you disagree with the decision please reopen or open a new support case and create a new BZ. However this does not guarantee that the request will not be closed during the triage as we are currently applying much more rigor to what we actually can accomplish in the foreseeable future. Contributions and collaboration in the upstream community and CentOS Stream is always welcome!
Thank you for understanding
Red Hat Enterprise Linux Identity Management Team

Note You need to log in before you can comment on or make changes to this bug.