Here is the output of the dig command. Cyclone does show up here, but our networking people say there are no SRV records in our current db. I still think the trouble I am having has to do with the Internal Server Error I get when I run ipa commands.
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6.3 <<>> -t srv _ldap._tcp.esci.millersville.edu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27213
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;_ldap._tcp.esci.millersville.edu. IN SRV

;; ANSWER SECTION:
_ldap._tcp.esci.millersville.edu. 600 IN SRV 0 100 389 cyclone.esci.millersville.edu.

;; AUTHORITY SECTION:
_tcp.esci.millersville.edu. 3600 IN NS corsair.millersville.edu.
_tcp.esci.millersville.edu. 3600 IN NS garfield.millersville.edu.

;; ADDITIONAL SECTION:
corsair.millersville.edu. 3600 IN A 192.206.29.2
garfield.millersville.edu. 3600 IN A 166.66.86.144

;; Query time: 1 msec
;; SERVER: 166.66.86.144#53(166.66.86.144)
;; WHEN: Mon Mar 11 13:55:36 2013
;; MSG SIZE rcvd: 176

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of David Fitzgerald
Sent: Friday, March 08, 2013 12:04 PM
To: Martin Kosek
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-* tools throws errors

Thanks for getting back to me! I don't think the problem has anything to do with DNS. I (finally) ran an ipa command with the verbose flags -vv and found that it IS trying to contact aurora.esci.millersville.edu; it fails, then tries to contact cyclone.esci.millersville.edu (still don't know where that comes from). I am getting an 'Internal Server Error' in the output when connecting to aurora. Here is the output:

% ipa -vv passwd
ipa: INFO: trying https://aurora.esci.millersville.edu/ipa/xml
send: u'POST /ipa/xml HTTP/1.0\r\nHost: aurora.esci.millersville.edu\r\nAccept-Language: en-us\r\nReferer: https://aurora.esci.millersville.edu/ipa/xml\r\nAuthorization: negotiate <SNIPPED OUT THE KEY STRING>
...
send: "<?xml version='1.0' encoding='UTF-8'?>\n<methodCall>\n<methodName>ping</methodName>\n<params>\n</params>\n</methodCall>\n"
reply: 'HTTP/1.1 500 Internal Server Error\r\n'
header: Date: Fri, 08 Mar 2013 16:52:48 GMT
header: Server: Apache/2.2.15 (Scientific Linux)
header: WWW-Authenticate: Negotiate YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvjoEMIFJxPVNU4jtl/7S+eC6fM0rlJWpV1fJdhoVTKwiR2pa2OHQWRtCjQDfzpBNwNBpt1fMY7M4Bfrqs860toAT6jMfS8Jkqh3Aj9OeuEmpEVHys5pbErjj14OPHxbxTmLdPxFE8eV4ZIDQg40a8
header: Content-Length: 311
header: Connection: close
header: Content-Type: text/html; charset=utf-8
ipa: INFO: trying https://cyclone.esci.millersville.edu/ipa/xml
ipa: ERROR: Kerberos error: Service u'h...@cyclone.esci.millersville.edu' not found in Kerberos database/

The apache error log gives this:

Fri Mar 08 11:52:48 2013] [error] ipa: ERROR: 500 Internal Server Error: xmlserver.__call__: KRB5CCNAME not defined in HTTP request environment.

I have no idea what that means. Can you help?

-----Original Message-----
From: Martin Kosek [mailto:mko...@redhat.com]
Sent: Wednesday, March 06, 2013 3:05 AM
To: David Fitzgerald
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-* tools throws errors

Ok. Can you try if this hostname is not returned in a SRV DNS record discovery run on the host where you execute the ipa commands?

# dig -t srv _ldap._tcp.esci.millersville.edu

Does it return the right results?

Martin

On 03/05/2013 07:26 PM, David Fitzgerald wrote:
> The host command returns the correct name:
> #host 166.66.65.39
> 39.65.66.166.in-addr.arpa domain name pointer aurora.esci.millersville.edu.
>
> -----Original Message-----
> From: Martin Kosek [mailto:mko...@redhat.com]
> Sent: Tuesday, March 05, 2013 10:26 AM
> To: David Fitzgerald
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] ipa-* tools throws errors
>
> On 03/05/2013 04:21 PM, David Fitzgerald wrote:
>> Hello everyone,
>>
>> I have been running a freeIPA server on Scientific Linux 6.2 for about a year. Yesterday I started not being able to run any "ipa-" commands. Running kinit admin gives me the proper tickets, but when I run any ipa- command I get the following error:
>>
>> ipa: ERROR: Kerberos error: Service u'h...@cyclone.esci.millersville.edu' not found in Kerberos database/.
>>
>> I have no idea where the cyclone.esci.millersville.edu is coming from, as that used to be a Windows Domain server that was decommissioned years ago and is no longer in DNS, nor in /etc/hosts. I even grep -R all of the files in /etc and none refer to cyclone. I checked the ipa config and krb5.conf files and they are pointing at the proper ipa server.
>>
>> Checking log files I get these messages when I try to run ipa commands:
>>
>> /var/log/httpd/error log:
>>
>> Tue Mar 05 08:57:54 2013] [error] ipa: ERROR: 500 Internal Server Error: xmlserver.__call__: KRB5CCNAME not defined in HTTP request environment
>>
>> /var/log/ipa
>>
>> Mar 05 09:57:00 aurora.esci.millersville.edu krb5kdc[12534](info): TGS_REQ (4 etypes {18 17 16 23}) 166.66.65.39: ISSUE: authtime 1362491436, etypes {rep=18 tkt=18 ses=18}, admin@LINUX.DIRSRV.LOCAL for krbtgt/LINUX.DIRSRV.LOCAL@LINUX.DIRSRV.LOCAL
>>
>> Mar 05 09:57:00 aurora.esci.millersville.edu krb5kdc[12534](info): TGS_REQ (4 etypes {18 17 16 23}) 166.66.65.39: UNKNOWN_SERVER: authtime 0, admin@LINUX.DIRSRV.LOCAL for HTTP/cyclone.esci.millersville.edu@LINUX.DIRSRV.LOCAL, Server not found in Kerberos database
>>
>> I Googled these error messages, but none of the results seemed to apply to my situation or didn't solve the problem. Can anyone point me in the right direction? Any help is greatly appreciated.
>>
>> For what they are worth, here are my /etc/krb5.conf and /etc/ipa/default.conf files:
>>
>> /etc/krb5.conf:
>>
>> includedir /var/lib/sss/pubconf/krb5.include.d/
>>
>> [logging]
>> default = FILE:/var/log/krb5libs.log
>> kdc = FILE:/var/log/krb5kdc.log
>> admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>> default_realm = LINUX.DIRSRV.LOCAL
>> dns_lookup_realm = false
>> dns_lookup_kdc = false
>> rdns = false
>> ticket_lifetime = 24h
>> forwardable = yes
>>
>> [realms]
>> LINUX.DIRSRV.LOCAL = {
>> kdc = aurora.esci.millersville.edu:88
>> admin_server = aurora.esci.millersville.edu:749
>> default_domain = esci.millersville.edu
>> pkinit_anchors = FILE:/etc/ipa/ca.crt
>> }
>>
>> [domain_realm]
>> .esci.millersville.edu = LINUX.DIRSRV.LOCAL
>> esci.millersville.edu = LINUX.DIRSRV.LOCAL
>>
>> [dbmodules]
>> # LINUX.DIRSRV.LOCAL = {
>> # db_library = kldap
>> # ldap_servers = ldapi://%2fvar%2frun%2fslapd-LINUX-DIRSRV-LOCAL.socket
>> # ldap_kerberos_container_dn = cn=kerberos,dc=linux,dc=dirsrv,dc=local
>> # ldap_kdc_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=linux,dc=dirsrv,dc=local
>> # ldap_kadmind_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=linux,dc=dirsrv,dc=local
>> # ldap_service_password_file = /var/kerberos/krb5kdc/ldappwd
>> # }
>>
>> LINUX.DIRSRV.LOCAL = {
>> db_library = ipadb.so
>> }
>>
>> /etc/ipa/default.conf
>>
>> [global]
>> host=aurora.esci.millersville.edu
>> basedn=dc=linux,dc=dirsrv,dc=local
>> realm=LINUX.DIRSRV.LOCAL
>> domain=esci.millersville.edu
>> xmlrpc_uri=https://aurora.esci.millersville.edu/ipa/xml
>> ldap_uri=ldapi://%2fvar%2frun%2fslapd-LINUX-DIRSRV-LOCAL.socket
>> enable_ra=True
>> ra_plugin=dogtag
>> mode=production
>>
>> +++++++++++++++++++++++
>> David Fitzgerald
>> Department of Earth Sciences
>> Millersville University
>> Millersville, PA 17551
>>
>> Phone: 717-871-2394
>>
>
> Hello David,
>
> I suspect this is caused by broken DNS reverse resolution as Kerberos client software often uses the result of reverse record (PTR RR) resolution as a hostname and not the actual hostname configured on your system.
>
> What does "host $IP_ADDRESS_OF_YOUR_HOST" return? Does it return the correct hostname?
>
> Martin
>

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
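The thread shows the client contacting the configured server first and, after the 500, falling back to the SRV target, then asking the KDC for HTTP/cyclone.esci.millersville.edu@LINUX.DIRSRV.LOCAL, the exact principal in the krb5kdc UNKNOWN_SERVER line. The following is an added example, not code from the thread or from FreeIPA: it parses the SRV answer out of `dig` output, reads the servers named in /etc/ipa/default.conf, and lists SRV targets that are not configured servers together with the principal a client would request for them. The dig and default.conf snippets are constructed from the values quoted above.

```python
"""Added check: SRV-discovered IPA servers vs. the one in /etc/ipa/default.conf."""
import configparser
import re
from urllib.parse import urlparse

# Constructed sample: the relevant sections of the dig output in the thread.
DIG_OUTPUT = """\
;; ANSWER SECTION:
_ldap._tcp.esci.millersville.edu. 600 IN SRV 0 100 389 cyclone.esci.millersville.edu.
;; AUTHORITY SECTION:
_tcp.esci.millersville.edu. 3600 IN NS corsair.millersville.edu.
"""

# Constructed sample: the relevant keys of the /etc/ipa/default.conf in the thread.
DEFAULT_CONF = """\
[global]
host=aurora.esci.millersville.edu
realm=LINUX.DIRSRV.LOCAL
xmlrpc_uri=https://aurora.esci.millersville.edu/ipa/xml
"""

# owner TTL IN SRV priority weight port target
SRV_RE = re.compile(r"^\S+\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")

def parse_srv(dig_output):
    """Return (priority, weight, port, target) tuples, lowest priority first."""
    records = []
    for line in dig_output.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            prio, weight, port, target = m.groups()
            records.append((int(prio), int(weight), int(port), target.rstrip(".").lower()))
    return sorted(records)

def read_conf(conf_text):
    """Return (realm, {hosts}) from default.conf: host= plus the xmlrpc_uri hostname."""
    cp = configparser.ConfigParser(interpolation=None)  # ldap_uri values contain '%'
    cp.read_string(conf_text)
    g = cp["global"]
    hosts = {g["host"].lower()}
    if "xmlrpc_uri" in g:
        hosts.add(urlparse(g["xmlrpc_uri"]).hostname.lower())
    return g["realm"], hosts

def stale_principals(dig_output, conf_text):
    """SRV targets that are not configured servers, each with the HTTP principal a
    client falling back to it would request (the name in the KDC's UNKNOWN_SERVER line)."""
    realm, known = read_conf(conf_text)
    return [(t, f"HTTP/{t}@{realm}") for _, _, _, t in parse_srv(dig_output) if t not in known]

if __name__ == "__main__":
    for target, principal in stale_principals(DIG_OUTPUT, DEFAULT_CONF):
        print(f"stale SRV target {target}: client would request {principal}")
```

On a live host, feed it the real `dig -t srv _ldap._tcp.<domain>` output and /etc/ipa/default.conf; an empty result means every discoverable server is one the client is configured for.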