On 11/08/2013 08:17 AM, Jonathan Underwood wrote:
> On 8 November 2013 12:50, Jonathan Underwood
> <jonathan.underw...@gmail.com> wrote:
>> On 7 November 2013 22:45, Rob Crittenden <rcrit...@redhat.com> wrote:
>>> This is it trying to close a connection that was never made.
>>>
>>> Can you run ipa -vv ping?
>> # ipa -vv ping
>> ipa: INFO: trying https://nirvana.asteroids.phys.ucl.ac.uk/ipa/xml
>> ipa: INFO: Forwarding 'ping' to server
>> u'https://nirvana.asteroids.phys.ucl.ac.uk/ipa/xml'
>> send: u'POST /ipa/xml HTTP/1.0\r\nHost:
>> nirvana.asteroids.phys.ucl.ac.uk\r\nAccept-Language: en-gb\r\nReferer:
>> https://nirvana.asteroids.phys.ucl.ac.uk/ipa/xml\r\nAuthorization:
>> negotiate 
>> [base64 negotiate token removed]\r\nUser-Agent:
>> xmlrpclib.py/1.0.1 (by www.pythonware.com)\r\nContent-Type:
>> text/xml\r\nContent-Length: 228\r\n\r\n'
>> ipa: ERROR: non-public: AttributeError: KerbTransport instance has no
>> attribute '_conn'
>> Traceback (most recent call last):
>>   File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 129,
>> in execute
>>     result = self.Command[_name](*args, **options)
>>   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line
>> 435, in __call__
>>     ret = self.run(*args, **options)
>>   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 748, in 
>> run
>>     return self.forward(*args, **options)
>>   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line
>> 769, in forward
>>     return self.Backend.xmlclient.forward(self.name, *args, **kw)
>>   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 728, in forward
>>     response = command(*xml_wrap(params))
>>   File "/usr/lib64/python2.6/xmlrpclib.py", line 1199, in __call__
>>     return self.__send(self.__name, args)
>>   File "/usr/lib64/python2.6/xmlrpclib.py", line 1489, in __request
>>     verbose=self.__verbose
>>   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 475, in request
>>     self.close()
>>   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 442, in close
>>     self._conn.close()
>> AttributeError: KerbTransport instance has no attribute '_conn'
>> ipa: ERROR: an internal error has occurred
> And with debug=True in default.conf:
>
> # ipa -vv ping
> ipa: DEBUG: importing all plugin modules in
> '/usr/lib/python2.6/site-packages/ipalib/plugins'...
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/config.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/group.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/host.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/idrange.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/privilege.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py'
> ipa: DEBUG: args=klist -V
> ipa: DEBUG: stdout=Kerberos 5 version 1.10.3
>
> ipa: DEBUG: stderr=
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/role.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/service.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/trust.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/user.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py'
> ipa: DEBUG: args=keyctl search @s user
> ipa_session_cookie:ad...@asteroids.phys.ucl.ac.uk
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=keyctl_search: Required key not available
>
> ipa: DEBUG: failed to find session_cookie in persistent storage for
> principal 'ad...@asteroids.phys.ucl.ac.uk'
> ipa: INFO: trying https://nirvana.asteroids.phys.ucl.ac.uk/ipa/xml
> ipa: DEBUG: Created connection context.xmlclient
> ipa: DEBUG: raw: ping()
> ipa: DEBUG: ping()
> ipa: INFO: Forwarding 'ping' to server
> u'https://nirvana.asteroids.phys.ucl.ac.uk/ipa/xml'
> ipa: DEBUG: NSSConnection init nirvana.asteroids.phys.ucl.ac.uk
> ipa: DEBUG: Connecting: 128.40.7.50:0
> send: u'POST /ipa/xml HTTP/1.0\r\nHost:
> nirvana.asteroids.phys.ucl.ac.uk\r\nAccept-Language: en-gb\r\nReferer:
> https://nirvana.asteroids.phys.ucl.ac.uk/ipa/xml\r\nAuthorization:
> negotiate 
> [base64 negotiate token removed]\r\nUser-Agent:
> xmlrpclib.py/1.0.1 (by www.pythonware.com)\r\nContent-Type:
> text/xml\r\nContent-Length: 228\r\n\r\n'
> ipa: ERROR: non-public: AttributeError: KerbTransport instance has no
> attribute '_conn'
> Traceback (most recent call last):
>   File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 129,
> in execute
>     result = self.Command[_name](*args, **options)
>   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line
> 435, in __call__
>     ret = self.run(*args, **options)
>   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 748, in run
>     return self.forward(*args, **options)
>   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line
> 769, in forward
>     return self.Backend.xmlclient.forward(self.name, *args, **kw)
>   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 728, in forward
>     response = command(*xml_wrap(params))
>   File "/usr/lib64/python2.6/xmlrpclib.py", line 1199, in __call__
>     return self.__send(self.__name, args)
>   File "/usr/lib64/python2.6/xmlrpclib.py", line 1489, in __request
>     verbose=self.__verbose
>   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 475, in request
>     self.close()
>   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 442, in close
>     self._conn.close()
> AttributeError: KerbTransport instance has no attribute '_conn'
> ipa: DEBUG: Destroyed connection context.xmlclient
> ipa: ERROR: an internal error has occurred
>
>
> Sooo.... I think that means the problem lies with apache and NSS, right?


Or in the negotiated authentication.
Is there anything in the Kerberos logs on the server side?
Can you do an LDAP connection using GSSAPI from the client?
Maybe KDC is not accessible because FW does allow access to the KDC port?

Just some ideas what to check...

>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
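
The diagnosis quoted at the top of the thread (close() running on a connection that was never made) means the AttributeError in the traceback is hiding whatever failed first. The following is an added illustration, not FreeIPA's code: the class names, the helper functions and the simulated failure are hypothetical, and it is written for Python 3. It shows the masking, a guarded close() that lets the first error surface, and how to recover the first error from exception chaining.

```python
# Added illustration (not FreeIPA code): all names here are hypothetical.

class ConnectError(Exception):
    """Constructed stand-in for whatever failed before a connection existed."""


class FragileTransport:
    """Same failure shape as the traceback: close() assumes _conn was set."""

    def _connect(self):
        raise ConnectError("simulated failure during connection setup")

    def close(self):
        self._conn.close()  # AttributeError when _connect() never returned

    def request(self):
        try:
            self._conn = self._connect()
            return self._conn.send()
        except Exception:
            self.close()  # cleanup raises and replaces the real error
            raise


class GuardedTransport(FragileTransport):
    """close() is a no-op when no connection was ever made."""

    _conn = None

    def close(self):
        conn, self._conn = self._conn, None
        if conn is not None:
            conn.close()


def surfaced_error(transport):
    """Return the exception the caller actually sees from request()."""
    try:
        transport.request()
    except Exception as exc:
        return exc
    return None


def root_cause(exc):
    """Walk Python 3 exception chaining back to the first failure."""
    while exc is not None and (exc.__cause__ or exc.__context__) is not None:
        exc = exc.__cause__ or exc.__context__
    return exc
```
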

