Lager, Nathan T. wrote:
Well, after all of this, RedHat support just resolved my issue!

It came down to the domain_realm definitions in /etc/krb5.conf.

They had me change:

[domain_realm]
  .systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
  systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU

To:
[domain_realm]
  .systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
  systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
  .lafayette.edu = SYSTEMS.LAFAYETTE.EDU
  lafayette.edu = SYSTEMS.LAFAYETTE.EDU

After doing so, I restarted IPA, and my commands are working properly now!

Now, to get my replica back in order...

Wow. OK, I'm glad it's working. Do we have any idea how this file changed? Is it wrong on all your clients or only on this one master?

rob



----- Original Message -----
From: "Nathan Lager" <lag...@lafayette.edu>
To: "Rob Crittenden" <rcrit...@redhat.com>
Cc: freeipa-users@redhat.com
Sent: Thursday, September 20, 2012 2:46:20 PM
Subject: Re: [Freeipa-users] sudden ipa errors.
On 09/20/2012 02:28 PM, Rob Crittenden wrote:
Nathan Lager wrote:


On 09/20/2012 11:43 AM, Rob Crittenden wrote:
Lager, Nathan T. wrote:

----- Original Message -----
From: "Rob Crittenden" <rcrit...@redhat.com>
To: "Nathan Lager" <lag...@lafayette.edu>
Cc: freeipa-users@redhat.com
Sent: Wednesday, September 19, 2012 4:35:30 PM
Subject: Re: [Freeipa-users] sudden ipa errors.

Nathan Lager wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



On 09/19/2012 03:47 PM, Rob Crittenden wrote:
Dmitri Pal wrote:

Rob, keytab and kerberos part seems to be fine, ldap
works too. Can it be one of the certs? May be some
cert expired?

No, the error is coming from GSSAPI, it is
unfortunately completely useless. I think we've pretty
well narrowed down the problem to httpd/mod_auth_kerb
but I don't know yet if this is a configuration issue
or a bug.

Nathan, can you show me your
/etc/httpd/conf.d/ipa.conf?
Sure, as far as I know it's completely stock, aside from
the krb password auth change.

Yup, configuration looks fine.

Ok, let's eliminate the ipa tool as the problem and try
curl:

Create a file test.json with these contents:

{"method":"batch","params":[[
{"method":"user_show","params":[["admin"],{"all":false}]}
],{}],"id":1}

then run this:

curl -H "Content-Type:application/json" -H "Accept:application/json" \
  -H "Accept-Language:en" -H "Referer: https://caroline0.lafayette.edu/ipa/xml" \
  --negotiate -u : --cacert /etc/ipa/ca.crt -d @test.json -X POST \
  https://caroline0.lafayette.edu/ipa/json

Seems to be running into the same trouble.

[lagern@caroline0 PROD ~]$ curl -H "Content-Type:application/json" \
  -H "Accept:application/json" -H "Accept-Language:en" \
  -H "Referer: https://caroline0.lafayette.edu/ipa/xml" --negotiate -u : \
  --cacert /etc/ipa/ca.crt -d @test.json -X POST \
  https://caroline0.lafayette.edu/ipa/json
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or misconfiguration and was unable to complete your request.</p>
<p>Please contact the server administrator, root@localhost and inform them of the time the error occurred, and anything you might have done that may have caused the error.</p>
<p>More information about this error may be available in the server error log.</p>
<hr>
<address>Apache/2.2.15 (Red Hat) Server at caroline0.lafayette.edu Port 443</address>
</body></html>

Ok, need to gather some more info:

# kvno HTTP/caroline0.lafayette.edu
# klist -kt /etc/httpd/conf/ipa.keytab

[root@caroline0 PROD ~]# kvno HTTP/caroline0.lafayette.edu
HTTP/caroline0.lafayette....@systems.lafayette.edu: kvno = 3
[root@caroline0 PROD ~]# klist -kt /etc/httpd/conf/ipa.keytab
Keytab name: WRFILE:/etc/httpd/conf/ipa.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 02/03/12 16:31:27 HTTP/caroline0.lafayette....@systems.lafayette.edu
   2 02/03/12 16:31:27 HTTP/caroline0.lafayette....@systems.lafayette.edu
   2 02/03/12 16:31:28 HTTP/caroline0.lafayette....@systems.lafayette.edu
   2 02/03/12 16:31:28 HTTP/caroline0.lafayette....@systems.lafayette.edu
   2 02/03/12 16:31:28 HTTP/caroline0.lafayette....@systems.lafayette.edu
   2 02/03/12 16:31:28 HTTP/caroline0.lafayette....@systems.lafayette.edu
   3 09/19/12 15:33:53 HTTP/caroline0.lafayette....@systems.lafayette.edu
   3 09/19/12 15:33:53 HTTP/caroline0.lafayette....@systems.lafayette.edu
   3 09/19/12 15:33:53 HTTP/caroline0.lafayette....@systems.lafayette.edu
   3 09/19/12 15:33:53 HTTP/caroline0.lafayette....@systems.lafayette.edu


It may be nothing, but I wonder why kvno 2 has 6 keys and 3 has
only 4. Did you change the available encryption types?

I have not changed them, not intentionally anyway. Could it be that
an update did so? I installed IPA around RHEL 6.1 or so, and have been
updating it via yum periodically.

Can you re-run the klist command with -e as well? klist -ekt ...

[root@caroline0 PROD ~]# klist -kte /etc/httpd/conf/ipa.keytab
Keytab name: WRFILE:/etc/httpd/conf/ipa.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 02/03/12 16:31:27 HTTP/caroline0.lafayette....@systems.lafayette.edu (aes256-cts-hmac-sha1-96)
   2 02/03/12 16:31:27 HTTP/caroline0.lafayette....@systems.lafayette.edu (aes128-cts-hmac-sha1-96)
   2 02/03/12 16:31:28 HTTP/caroline0.lafayette....@systems.lafayette.edu (des3-cbc-sha1)
   2 02/03/12 16:31:28 HTTP/caroline0.lafayette....@systems.lafayette.edu (arcfour-hmac)
   2 02/03/12 16:31:28 HTTP/caroline0.lafayette....@systems.lafayette.edu (des-hmac-sha1)
   2 02/03/12 16:31:28 HTTP/caroline0.lafayette....@systems.lafayette.edu (des-cbc-md5)
   3 09/19/12 15:33:53 HTTP/caroline0.lafayette....@systems.lafayette.edu (aes256-cts-hmac-sha1-96)
   3 09/19/12 15:33:53 HTTP/caroline0.lafayette....@systems.lafayette.edu (aes128-cts-hmac-sha1-96)
   3 09/19/12 15:33:53 HTTP/caroline0.lafayette....@systems.lafayette.edu (des3-cbc-sha1)
   3 09/19/12 15:33:53 HTTP/caroline0.lafayette....@systems.lafayette.edu (arcfour-hmac)


rob


--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE (#110-011-426)
System Administrator
11 Pardee Hall
Lafayette College, Easton, PA 18042
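Rob's observation that kvno 2 holds six keys while kvno 3 holds only four is the kind of keytab drift worth checking mechanically whenever GSSAPI starts failing for no obvious reason: a keytab whose newest key version does not match what the KDC reports, or whose newest version silently lost encryption types, will fail exactly the way the thread describes, with an unhelpful error from the GSSAPI layer. The script below is an added example and is not code from the thread or from the FreeIPA project. It parses klist -ekt output (the sample is constructed, with a placeholder principal), compares the highest key version in the keytab against the kvno the KDC reported (a constructed value here), and lists enctypes present in older key versions but dropped from the current one, as well as single-DES types that krb5 refuses unless allow_weak_crypto is enabled and the 3DES/RC4 types deprecated by RFC 8429.

```python
"""Audit a service keytab listing against the kvno the KDC reports.

Added example, not from the mailing-list thread or FreeIPA; the klist
output and the KDC kvno below are constructed sample data.
"""
import re
from collections import defaultdict

# Constructed sample in the shape of `klist -ekt /etc/httpd/conf/ipa.keytab`
# (placeholder principal; the pattern mirrors the six-vs-four keys seen in the thread).
KLIST_SAMPLE = """\
Keytab name: WRFILE:/etc/httpd/conf/ipa.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 02/03/12 16:31:27 HTTP/ipa.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   2 02/03/12 16:31:27 HTTP/ipa.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
   2 02/03/12 16:31:28 HTTP/ipa.example.test@EXAMPLE.TEST (des3-cbc-sha1)
   2 02/03/12 16:31:28 HTTP/ipa.example.test@EXAMPLE.TEST (arcfour-hmac)
   2 02/03/12 16:31:28 HTTP/ipa.example.test@EXAMPLE.TEST (des-hmac-sha1)
   2 02/03/12 16:31:28 HTTP/ipa.example.test@EXAMPLE.TEST (des-cbc-md5)
   3 09/19/12 15:33:53 HTTP/ipa.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   3 09/19/12 15:33:53 HTTP/ipa.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
   3 09/19/12 15:33:53 HTTP/ipa.example.test@EXAMPLE.TEST (des3-cbc-sha1)
   3 09/19/12 15:33:53 HTTP/ipa.example.test@EXAMPLE.TEST (arcfour-hmac)
"""

# Constructed: the value `kvno HTTP/ipa.example.test` would print for this principal.
KDC_KVNO = 3

# Single-DES enctypes; krb5 refuses them unless allow_weak_crypto = true.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-hmac-sha1"}
# 3DES and RC4, deprecated by RFC 8429 but still accepted by default in many builds.
DEPRECATED_ENCTYPES = {"des3-cbc-sha1", "arcfour-hmac", "arcfour-hmac-md5"}

# One keytab entry: kvno, "date time", principal, "(enctype)".
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+ \S+)\s+(\S+)\s+\(([^)]+)\)\s*$")


def parse_klist(text):
    """Return (kvno, principal, enctype) tuples from `klist -ekt` output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(3), m.group(4)))
    return entries


def audit_keytab(entries, kdc_kvno):
    """Compare key versions and enctypes; return the findings as a dict."""
    by_kvno = defaultdict(set)
    for kvno, _principal, enctype in entries:
        by_kvno[kvno].add(enctype)
    current = max(by_kvno)
    # Every enctype that any older key version carried.
    older = set().union(*(s for k, s in by_kvno.items() if k != current))
    return {
        "current_kvno": current,
        "kdc_matches": current == kdc_kvno,
        "enctypes": sorted(by_kvno[current]),
        "dropped_enctypes": sorted(older - by_kvno[current]),
        "weak_present": sorted(by_kvno[current] & WEAK_ENCTYPES),
        "deprecated_present": sorted(by_kvno[current] & DEPRECATED_ENCTYPES),
    }


if __name__ == "__main__":
    report = audit_keytab(parse_klist(KLIST_SAMPLE), KDC_KVNO)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed sample the audit reports that the keytab's newest version (3) matches the KDC, that the two single-DES types were dropped between versions 2 and 3, and that the current keys still include 3DES and RC4. A kdc_matches of False is the finding to act on first, because a service cannot decrypt tickets issued under a key version it does not hold.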

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
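The fix at the top of the thread is a [domain_realm] change: libkrb5 decides which realm a service principal belongs to by matching the server's host name against those entries, where a key with a leading dot matches every host under that domain and a key without one matches that exact host. With only the systems.lafayette.edu entries, a host directly under lafayette.edu has no explicit mapping, which is what the two added lines correct. The script below is an added example (not code from the thread or from FreeIPA) that parses the [domain_realm] section of a krb5.conf and applies that matching rule, so you can see which of your hosts would be left to libkrb5's fallback heuristics. It goes slightly beyond the thread by also reporting a whole list of hosts at once; the two configuration fragments are the before and after from the thread.

```python
"""Resolve host names to Kerberos realms with krb5.conf [domain_realm] rules.

Added example, not from the mailing-list thread or FreeIPA. The two
configuration fragments reproduce the before/after change from the thread.
"""
import re

# The [domain_realm] section before the change (as posted in the thread).
KRB5_BEFORE = """
[domain_realm]
  .systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
  systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
"""

# The section after Red Hat support's change: parent domain mapped too.
KRB5_AFTER = KRB5_BEFORE + """  .lafayette.edu = SYSTEMS.LAFAYETTE.EDU
  lafayette.edu = SYSTEMS.LAFAYETTE.EDU
"""

SECTION_RE = re.compile(r"^\[(\w+)\]$")


def parse_domain_realm(text):
    """Return {pattern: realm} from the [domain_realm] section of a krb5.conf."""
    mapping = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section == "domain_realm" and "=" in line:
            key, _, value = line.partition("=")
            mapping[key.strip().lower()] = value.strip()
    return mapping


def realm_for_host(host, mapping):
    """Apply libkrb5's rule: an exact host entry wins, then the longest
    matching '.domain' entry. None means no explicit mapping exists and
    libkrb5 would fall back to its own heuristics (DNS or guessing from
    the domain name), which is the situation the thread's fix removes."""
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    # Try suffixes from most to least specific: .b.c.d, .c.d, .d
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return None


def unmapped_hosts(hosts, mapping):
    """Return the hosts that have no explicit [domain_realm] mapping."""
    return [h for h in hosts if realm_for_host(h, mapping) is None]


if __name__ == "__main__":
    hosts = ["caroline0.lafayette.edu", "ipa.systems.lafayette.edu", "lafayette.edu"]
    for label, conf in (("before", KRB5_BEFORE), ("after", KRB5_AFTER)):
        mapping = parse_domain_realm(conf)
        print(f"{label}: unmapped = {unmapped_hosts(hosts, mapping)}")
```

Run against the "before" fragment, caroline0.lafayette.edu (the IPA server in the thread) resolves to no realm at all, while a host under systems.lafayette.edu resolves fine; with the "after" fragment every host under lafayette.edu maps to SYSTEMS.LAFAYETTE.EDU. Checking the list of service hosts this way on each client is a cheap way to catch the same misconfiguration before it surfaces as an opaque GSSAPI error.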
