cockpit-project / cockpit

Cockpit is a web-based graphical interface for servers.
http://www.cockpit-project.org/
GNU Lesser General Public License v2.1

unable to authenticate with kerberos #12919

Closed tmdag closed 3 years ago

tmdag commented 5 years ago

Cockpit version: 194-2.fc29 OS: 5.2.17-100.fc29.x86_64

I have FreeIPA and Cockpit on the same machine. Unfortunately, I am unable to log in to Cockpit. Also, the Cockpit website is loading without most of its graphics (just a pure white page with the Fedora logo and a 'log in' button).

Steps to reproduce

  1. Cockpit was installed with Fedora Server edition, but I've tried reinstalling the package as well
  2. entering credentials as a Kerberos user

I have only one keytab: /etc/krb5.keytab (no keytab in /etc/cockpit). Looks like I have HTTP there already as well:

$ ipa service-add HTTP/myserver.mydomain.com@MYDOMAIN.COM
ipa: ERROR: service with name "HTTP/myserver.mydomain.com@MYDOMAIN.COM" already exists

But Cockpit is saying otherwise. Not sure how I can check which keytab file Cockpit is trying to read from. I am also getting 'Unknown certificate'. Not sure if there is anything I can/should do about it?

cockpit-ws loaded 1 certificates from /etc/cockpit/ws-certs.d/0-self-signed.cert
cockpit-ws Using certificate: /etc/cockpit/ws-certs.d/0-self-signed.cert
cockpit-ws couldn't read from connection: Peer sent fatal TLS alert: Unknown certificate
cockpit-ws [34B blob data]
cockpit-ws received unknown/invalid credential cookie
cockpit-ws spawning /usr/libexec/cockpit-session
cockpit-ws received authorize challenge
cockpit-ws cockpit-session: gssapi auth failed: Request ticket server HTTP/myserver.mydomain.com@MYDOMAIN.COM not found in keytab (ticket kvno 1)
cockpit-ws session initialized
cockpit-ws cockpit-session: authentication-failed Authentication failure
cockpit-ws web service closing
cockpit-session: pam_sss(cockpit:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost=10.0.1.4 user=myuser
cockpit-session: pam_ssh_add: Identity added: /home/myuser/.ssh/id_rsa (myuser@mydomain.com)
cockpit-session: pam_unix(cockpit:session): session opened for user myuser by (uid=0)
cockpit-ws 3: Permission denied.
cockpit-session: pam_unix(cockpit:session): session closed for user myuser
cockpit-ws cockpit-session: authentication process exited: 256; problem access-denied
cockpit-ws web service closing
cockpit-ws auth is idle
$ klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 host/myserver.mydomain.com@MYDOMAIN.COM
2 host/myserver.mydomain.com@MYDOMAIN.COM
2 host/myserver.mydomain.com@MYDOMAIN.COM
2 host/myserver.mydomain.com@MYDOMAIN.COM
2 host/myserver.mydomain.com@MYDOMAIN.COM
2 host/myserver.mydomain.com@MYDOMAIN.COM
1 nfs/myserver.mydomain.com@MYDOMAIN.COM
1 nfs/myserver.mydomain.com@MYDOMAIN.COM
1 libvirt/myserver.mydomain.com@MYDOMAIN.COM
1 libvirt/myserver.mydomain.com@MYDOMAIN.COM
1 vnc/myserver.mydomain.com@MYDOMAIN.COM
1 vnc/myserver.mydomain.com@MYDOMAIN.COM


martinpitt commented 3 years ago

@tmdag: Sorry for the really late reply, this fell through the cracks. This is the most interesting log message:

HTTP/myserver.mydomain.com@MYDOMAIN.COM not found in keytab (ticket kvno 1)

Did you join that machine to the domain using Cockpit's UI? That will automatically register the HTTP/ principal. If you used something else to join, you need to manually set up that principal as described here in the documentation.

Please follow up here if that still does not work with the current version, then I'm happy to reopen and investigate further.

Thanks, and sorry again for dropping this!
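The reporter asks how to tell which principals the keytab actually holds, and the reply points at the missing HTTP/ service principal. The following script is an added example, not part of Cockpit or FreeIPA: it takes a `klist -k` listing (the constructed samples below mirror the one quoted in the issue) and reports whether `HTTP/<fqdn>@<REALM>` is present and with which key versions, so the KVNO can be compared against the "ticket kvno N" that cockpit-session logs. It assumes MIT Kerberos `klist` output; the host name, realm and function names are illustrative.

```shell
#!/bin/sh
# Added example, not Cockpit's own tooling: check a `klist -k` listing for the
# HTTP/<fqdn>@<REALM> service principal that cockpit-session's GSSAPI
# authentication looks up, and print the key versions (KVNO) stored for it.
# A principal that is absent, or present only with a KVNO different from the
# one in the service ticket, produces exactly the "not found in keytab" failure.

# Constructed sample listings, in the shape of MIT klist -k output.
# This one reproduces the issue: host/, nfs/ ... but no HTTP/ entry.
SAMPLE_KLIST_MISSING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------------
   2 host/myserver.mydomain.com@MYDOMAIN.COM
   2 host/myserver.mydomain.com@MYDOMAIN.COM
   1 nfs/myserver.mydomain.com@MYDOMAIN.COM'

# The same keytab after the HTTP/ principal was retrieved (two enctypes, kvno 1).
SAMPLE_KLIST_OK="$SAMPLE_KLIST_MISSING
   1 HTTP/myserver.mydomain.com@MYDOMAIN.COM
   1 HTTP/myserver.mydomain.com@MYDOMAIN.COM"

# http_kvno_in_listing FQDN REALM   (reads a klist -k listing on stdin)
# Prints each distinct KVNO held for HTTP/FQDN@REALM, one per line.
# Exit status 0 if at least one entry exists, 1 if the principal is absent.
http_kvno_in_listing() {
    awk -v want="HTTP/$1@$2" '
        # Entry lines look like "   2 host/fqdn@REALM": $1 is the KVNO,
        # $2 the principal. Header lines never have $2 equal to a principal.
        $2 == want && !seen[$1]++ { found = 1; print $1 }
        END { if (found) exit 0; exit 1 }'
}

# check_keytab KEYTAB FQDN REALM: run the same check against a real keytab
# file, e.g. check_keytab /etc/krb5.keytab myserver.mydomain.com MYDOMAIN.COM
# (assumes MIT Kerberos klist, where the optional name after -k is the keytab).
check_keytab() {
    klist -k "$1" | http_kvno_in_listing "$2" "$3"
}

# Demonstration on the constructed samples (hypothetical host and realm).
fqdn=myserver.mydomain.com
realm=MYDOMAIN.COM
for listing in "$SAMPLE_KLIST_MISSING" "$SAMPLE_KLIST_OK"; do
    if kvnos=$(printf '%s\n' "$listing" | http_kvno_in_listing "$fqdn" "$realm"); then
        echo "HTTP/$fqdn@$realm present, KVNO(s):" $kvnos
    else
        echo "HTTP/$fqdn@$realm not in keytab: gssapi auth will fail"
    fi
done
```

On a live system, `check_keytab /etc/krb5.keytab "$(hostname -f)" REALM` gives the answer the reporter was looking for; cockpit-session uses the default keytab unless the Kerberos configuration points elsewhere, so that is the file to inspect first. If the principal is listed but its KVNO is lower than the one in the ticket, the keytab holds a stale key and the principal's key needs to be re-retrieved rather than created.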