Re: [Freeipa-users] question on Active Directory and FreeIPA

2015-06-19 Thread David Fitzgerald


-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Jakub Hrozek
Sent: Friday, June 19, 2015 3:15 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] question on Active Directory and FreeIPA

On Fri, Jun 19, 2015 at 06:23:46PM +, David Fitzgerald wrote:
 Hello,
 
 Forgive me if this is a very basic question, but I have read the 
 documentation and am still confused as to what to do.
 Right now I am using FreeIPA 3.3.3 on a Centos 7 server, and using it 
 to manage about 200 users and 90 Scientific Linux workstations, and 
 everything works great.  Unfortunately I have been told that I must 
 now use the University's Active Directory to authenticate all of my users.
 I have read the documentation on FreeIPA / AD integration and am not 
 sure if that will meet my requirements.  All my Linux users' home 
 directories are auto mounted on login from a CentOS 7 NFS server with their 
 bash profiles
 etc. run off that mount.  From what I have read it seems to me that
 FreeIPA / AD integration is more focused on getting Windows users to 
 be able to log into a Linux machine with access to their Windows 
 folders and profiles (oddjob creating a local home directory on the 
 Linux box, etc.) I don't want this.  All I need is to simply 
 authenticate the user using AD (BTW their IPA usernames and AD 
 usernames are the same other than the
 domain) then use the info from FreeIPA as I do now. I don't need any 
 folders mounted from the Windows servers.
 Have I completely mis-read the documentation and I can do this by integrating 
 FreeIPA and AD?  Is there an easy way to do this? I am not a Windows AD 
 expert by any means.

I'm not sure I completely answer your question, but in case of IPA-AD trust, 
the AD users always authenticate against AD, even in case of password 
authentication on an IPA box. The passwords are not synchronized in any way.

So I guess having the user accounts in AD, but keeping the automount info, sudo 
rules etc would satisfy your requirements?


With the recent 'views' feature, you can set POSIX attributes for IPA users 
without touching the AD LDAP schema, even per-host.


This is exactly what I need.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
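The migration Jakub describes (keep the accounts in AD, keep UIDs, home directories, automount and sudo data in IPA, and hand POSIX attributes to trusted AD users through an ID view) is easy to get subtly wrong when there are a couple of hundred existing IPA users whose UIDs own files on an NFS server. The script below is an added example, not code from the thread or from FreeIPA: it checks the existing POSIX identities for problems that would become security problems after the switch (two logins on one UID, an unexpected shell) and then generates the `ipa idview-add`, `ipa idoverrideuser-add` and `ipa idview-apply` command lines that pin each `user@ad-domain` to its old UID, GID, home directory and shell. The AD realm, view name, host group and the sample user list are assumptions; the command names and the `--uid`, `--gidnumber`, `--homedir` and `--shell` options are those of FreeIPA 4.1 and later, and should be checked against `ipa help idoverrideuser-add` on the version actually deployed before the generated lines are run.

```python
"""Plan ID-view overrides so existing IPA POSIX identities survive a move
to an AD trust (added example, not code from the thread or from FreeIPA).

Assumptions: the AD realm AD.EXAMPLE.EDU, the view name 'ad-posix' and the
host group 'linux-workstations' are hypothetical; the ipa command names and
options are those documented for FreeIPA 4.1+, verify them with
`ipa help idoverrideuser-add` on the version you run.
"""
import shlex
from dataclasses import dataclass

AD_REALM = "AD.EXAMPLE.EDU"          # assumption: the university's AD domain
VIEW_NAME = "ad-posix"               # assumption: name of the ID view
HOST_GROUP = "linux-workstations"    # assumption: host group the view is applied to
ALLOWED_SHELLS = {"/bin/bash", "/bin/tcsh", "/bin/zsh", "/sbin/nologin"}


@dataclass(frozen=True)
class PosixUser:
    login: str
    uid: int
    gid: int
    homedir: str
    shell: str


# Constructed sample standing in for `ipa user-find --all` output.
IPA_USERS = [
    PosixUser("dfitz", 1001, 1001, "/home/dfitz", "/bin/bash"),
    PosixUser("student1", 2001, 2001, "/home/student1", "/bin/bash"),
    PosixUser("student2", 2001, 2001, "/home/student2", "/bin/bash"),   # UID clash
    PosixUser("svc-backup", 3001, 3001, "/var/lib/backup", "/bin/sh"),  # odd shell
]


def check_users(users):
    """Return problems that must be fixed before any override is created.

    Two logins mapped to one UID would give each user read/write access to
    the other's NFS home directory once the override is in place; a shell
    outside the allow-list is flagged for review.
    """
    problems = []
    owner_of_uid = {}
    for u in users:
        if u.uid in owner_of_uid:
            problems.append(f"uid {u.uid} shared by {owner_of_uid[u.uid]} and {u.login}")
        else:
            owner_of_uid[u.uid] = u.login
        if u.shell not in ALLOWED_SHELLS:
            problems.append(f"{u.login}: unexpected shell {u.shell}")
    return problems


def override_commands(users, view=VIEW_NAME, realm=AD_REALM):
    """Build the ipa commands that pin each trusted AD user to its old POSIX identity."""
    cmds = [f"ipa idview-add {shlex.quote(view)} --desc={shlex.quote('POSIX attrs for AD users')}"]
    for u in users:
        anchor = f"{u.login}@{realm.lower()}"   # AD user as named through the trust
        cmds.append(
            f"ipa idoverrideuser-add {shlex.quote(view)} {shlex.quote(anchor)} "
            f"--uid={u.uid} --gidnumber={u.gid} "
            f"--homedir={shlex.quote(u.homedir)} --shell={shlex.quote(u.shell)}"
        )
    return cmds


def apply_command(view=VIEW_NAME, hostgroup=HOST_GROUP):
    """Overrides only take effect on hosts the view is applied to."""
    return f"ipa idview-apply {shlex.quote(view)} --hostgroups={shlex.quote(hostgroup)}"


if __name__ == "__main__":
    issues = check_users(IPA_USERS)
    if issues:
        print("refusing to generate overrides until these are resolved:")
        for p in issues:
            print("  ", p)
    else:
        print("\n".join(override_commands(IPA_USERS)))
        print(apply_command())
```

Run against the real user list, the script refuses to emit anything while a UID is shared, which is the check worth having before 90 workstations start trusting a new identity source for the same home directories.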



[Freeipa-users] question on Active Directory and FreeIPA

2015-06-19 Thread David Fitzgerald
Hello,

Forgive me if this is a very basic question, but I have read the documentation 
and am still confused as to what to do.
Right now I am using FreeIPA 3.3.3 on a Centos 7 server, and using it to manage 
about 200 users and 90 Scientific Linux workstations, and everything works 
great.  Unfortunately I have been told that I must now use the University's 
Active Directory to authenticate all of my users.  I have read the 
documentation on FreeIPA / AD integration and am not sure if that will meet my 
requirements.  All my Linux users' home directories are auto mounted on login 
from a CentOS 7 NFS server with their bash profiles etc. run off that mount.
From what I have read it seems to me that FreeIPA / AD integration is more 
focused on getting Windows users to be able to log into a Linux machine with 
access to their Windows folders and profiles (oddjob creating a local home 
directory on the Linux box, etc.)  I don't want this.  All I need is to simply 
authenticate the user using AD (BTW their IPA usernames and AD usernames are 
the same other than the domain) then use the info from FreeIPA as I do now. I 
don't need any folders mounted from the Windows servers.
Have I completely mis-read the documentation and I can do this by integrating 
FreeIPA and AD?  Is there an easy way to do this? I am not a Windows AD expert 
by any means.

Thanks for your help!

Dave

++
David Fitzgerald
Department of Earth Science
Millersville University
Millersville, PA 17551

Phone:  717-871-7436
E-Mail:  david.fitzger...@millersville.edu


Re: [Freeipa-users] question about Active Directory authentication

2015-02-19 Thread David Fitzgerald
Thanks for all the info. I think I will go the trust route with IPA 4.1 and see 
what happens (in a test environment first of course.)

From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Steven Jones
Sent: Tuesday, February 17, 2015 6:25 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] question about Active Directory authentication


Ok,

So with winsync I will have the 2000+ users in IPA.

Within IPA I have several high risk/impact groups of servers and many low.

For the low risk/impact servers and most desktops they can trust what AD tells 
them.  For the high risk/impact servers/applications we do not want to rely on 
AD for any authorisation so permissions for these will be isolated from AD 
inside IPA.  The idea is if we lose AD or IPA we should not lose both via any 
cross-linking.

regards

Steven


From: freeipa-users-boun...@redhat.com on behalf of Dmitri Pal d...@redhat.com
Sent: Wednesday, 18 February 2015 11:51 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] question about Active Directory authentication

On 02/17/2015 05:21 PM, Steven Jones wrote:

***maybe***

c) You might be able to do both winsync and trusts at the same time then that 
is simpler provisioning. ie a user gets created in AD and automatically gets 
created in IPA ready for you to put in the user group you want.

I am not sure this is the best solution really.
Trust and sync do not help each other. The fact that you have trust does not 
help you to provision users the way you describe.

8<--

They achieve different things.   How otherwise do I get 2000+ AD users into 
IPA?   To me winsync allows automated provisioning of users into IPA via AD, 
this greatly reduces manual effort.

That I get. I do not understand how trust helps you in this case.










--

Thank you,

Dmitri Pal



Sr. Engineering Manager IdM portfolio

Red Hat, Inc.

[Freeipa-users] question about Active Directory authentication

2015-02-17 Thread David Fitzgerald
Hello,

I am currently running an IPA 3.3 server on Centos 7.  I have 70 IPA client 
machines running Scientific Linux 6.6 and 150 users.  User directories are 
auto-mounted from a Centos 7 file server.

I have been informed that all computer users on our campus must now 
authenticate off of the University's Active Directory server, including all 
Linux machines.  I have been looking through the IPA documentation and am 
getting myself confused and not completely understanding what needs to be done, 
thus I have some questions.


1.   The docs talk about setting up a trust between the IPA server and the 
AD server.  Will I need to change all of the IPA clients as well as the IPA 
server, or do I only need change the server and not have to touch the clients?



2.   Do I even need to set up a full trust relationship just to 
authenticate my users with AD?


3.   Since I already have 150 users, will I have to delete their IPA 
accounts before setting up the trust?  W

Sorry if my questions are a bit basic, but I need some guidance to get me 
started.

Thanks!

Dave



++
David Fitzgerald
Department of Earth Sciences
Millersville University
Millersville, PA 17551

Phone:  717-871-2394
E-Mail:  david.fitzger...@millersville.edu


Re: [Freeipa-users] ipa 3.0 expired cert renewal

2014-05-29 Thread David Fitzgerald


From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
Sent: Wednesday, May 28, 2014 8:51 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa 3.0 expired cert renewal

On 05/28/2014 10:40 AM, David Fitzgerald wrote:
Hello,

My Freeipa server stopped working over the weekend due to what looks like 
expired certificates.  I am running ipa-server 3.0 and thought these certs were 
automatically renewed.  I am no expert at KDC / IPA and any help you can give 
is greatly appreciated.

When I try to start the ipa service on my server I get:

[root@aurora ~]# /sbin/service ipa start
Starting Directory Service
Starting dirsrv:
LINUX-DIRSRV-LOCAL...[28/May/2014:10:23:33 -0400] - SSL alert: 
CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of 
family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - 
Peer's Certificate has expired.)
   [  OK  ]
PKI-IPA...[28/May/2014:10:23:34 -0400] - SSL alert: 
CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of 
family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - 
Peer's Certificate has expired.)
   [  OK  ]
Starting KDC Service
Starting Kerberos 5 KDC:   [  OK  ]
Starting KPASSWD Service
Starting Kerberos 5 Admin Server:  [  OK  ]
Starting MEMCACHE Service
Starting ipa_memcached:[  OK  ]
Starting HTTP Service
Starting httpd: [Wed May 28 10:23:36 2014] [warn] _default_ VirtualHost overlap 
on port 443, the first has precedence
   [FAILED]
Failed to start HTTP Service
Shutting down
Stopping Kerberos 5 KDC:   [  OK  ]
Stopping Kerberos 5 Admin Server:  [  OK  ]
Stopping ipa_memcached:[  OK  ]
Stopping httpd:[FAILED]
Stopping pki-ca:   [  OK  ]
Shutting down dirsrv:
LINUX-DIRSRV-LOCAL...  [  OK  ]
PKI-IPA... [  OK  ]
Aborting ipactl

Of course kinit also fails with: kinit: Cannot contact any KDC for realm 
'LINUX.DIRSRV.LOCAL' while getting initial credentials

Can someone help me get back on my feet?  Luckily there are not many students 
around in the summer so I just have 20 annoyed faculty instead of 200 annoyed 
students to placate.

Thanks!

Usually that happens when you do not have the original master any more. Is this 
the case for you?
Have you looked at http://www.freeipa.org/page/IPA_2x_Certificate_Renewal ?


That was the info I needed.  Sorry I didn't check the IPA 2x docs.  It works 
just fine again.
Thank You!



---
David Fitzgerald
Adjunct Professor
Department of Earth Sciences
Millersville University
Millersville, PA 17551

E-mail: david.fitzger...@millersville.edu
PH: 717-871-2394




--

Thank you,

Dmitri Pal



Sr. Engineering Manager IdM portfolio

Red Hat, Inc.
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
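The outage above is the classic one: certmonger is supposed to renew the IPA service certificates automatically, but if renewal silently stops (CA unreachable, the original master gone, a tracker stuck) nobody notices until dirsrv and httpd refuse to start. Recovery is what the linked IPA_2x_Certificate_Renewal page covers; the script below is the check that avoids needing it. It is an added example, not code from the thread or from FreeIPA: it parses the plain-text output of certmonger's `getcert list` and reports certificates that are expired, expiring within a threshold, or whose tracker is no longer in MONITORING state (in which case auto-renew is not going to happen whatever the `auto-renew:` line says). The embedded sample is constructed to resemble `getcert list` output, with dates chosen around the poster's May 2014 outage; it is not data from their server.

```python
"""Flag certmonger-tracked certificates that are expired, about to expire,
or no longer being renewed (added example, not code from the thread or from
FreeIPA).

Parses the plain-text output of certmonger's `getcert list`, which is how an
IPA server tracks and auto-renews its dirsrv, httpd and CA certificates.
The sample below is constructed to resemble that output; it is not the
poster's data.
"""
import re
from datetime import datetime, timedelta, timezone

SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID '20130310000000':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-LINUX-DIRSRV-LOCAL',nickname='Server-Cert',token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-LINUX-DIRSRV-LOCAL',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tsubject: CN=aurora.esci.millersville.edu,O=LINUX.DIRSRV.LOCAL
\texpires: 2014-05-24 14:12:33 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20130310000001':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tsubject: CN=aurora.esci.millersville.edu,O=LINUX.DIRSRV.LOCAL
\texpires: 2014-06-10 09:00:00 UTC
\ttrack: yes
\tauto-renew: yes
"""

# Constructed "now" on the thread's outage date so the sample run is reproducible.
NOW_FOR_SAMPLE = datetime(2014, 5, 28, 14, 23, 0, tzinfo=timezone.utc)


def parse_getcert(text):
    """Split `getcert list` output into one dict per 'Request ID' stanza."""
    certs, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"request_id": m.group(1)}
            certs.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return certs


def expiry(cert):
    """Parse the 'expires: YYYY-MM-DD HH:MM:SS UTC' field as an aware datetime."""
    m = re.fullmatch(r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC", cert["expires"])
    if not m:
        raise ValueError(f"unexpected expiry format: {cert['expires']!r}")
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def audit(certs, now=None, warn_days=30):
    """Return (request_id, location, problem) tuples, earliest expiry first.

    Two things bite: a certificate that has already expired (the thread's
    case, where dirsrv and httpd then refuse to start), and a tracker that
    is not in MONITORING state, which certmonger will not renew even when
    auto-renew is 'yes'.
    """
    now = now or datetime.now(timezone.utc)
    findings = []
    for c in sorted(certs, key=expiry):
        loc = re.search(r"location='([^']+)'", c.get("certificate", ""))
        where = loc.group(1) if loc else "?"
        left = expiry(c) - now
        if left <= timedelta(0):
            findings.append((c["request_id"], where, f"expired {(-left).days} days ago"))
        elif left <= timedelta(days=warn_days):
            findings.append((c["request_id"], where, f"expires in {left.days} days"))
        status = c.get("status", "?")
        if status != "MONITORING":
            findings.append((c["request_id"], where, f"tracker status {status}, renewal will not happen"))
    return findings


if __name__ == "__main__":
    import sys
    if sys.stdin.isatty():
        text, now = SAMPLE_GETCERT_OUTPUT, NOW_FOR_SAMPLE
    else:
        text, now = sys.stdin.read(), None   # e.g.  getcert list | python3 check_certs.py
    for request_id, where, problem in audit(parse_getcert(text), now=now):
        print(f"{request_id} {where}: {problem}")
```

Piping `getcert list` into it from cron and alerting on any output turns the thread's weekend outage into a 30-day warning; the status check matters as much as the date, because a stuck tracker looks healthy until the day the certificate lapses.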

[Freeipa-users] ipa 3.0 expired cert renewal

2014-05-28 Thread David Fitzgerald
Hello,

My Freeipa server stopped working over the weekend due to what looks like 
expired certificates.  I am running ipa-server 3.0 and thought these certs were 
automatically renewed.  I am no expert at KDC / IPA and any help you can give 
is greatly appreciated.

When I try to start the ipa service on my server I get:

[root@aurora ~]# /sbin/service ipa start
Starting Directory Service
Starting dirsrv:
LINUX-DIRSRV-LOCAL...[28/May/2014:10:23:33 -0400] - SSL alert: 
CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of 
family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - 
Peer's Certificate has expired.)
   [  OK  ]
PKI-IPA...[28/May/2014:10:23:34 -0400] - SSL alert: 
CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of 
family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - 
Peer's Certificate has expired.)
   [  OK  ]
Starting KDC Service
Starting Kerberos 5 KDC:   [  OK  ]
Starting KPASSWD Service
Starting Kerberos 5 Admin Server:  [  OK  ]
Starting MEMCACHE Service
Starting ipa_memcached:[  OK  ]
Starting HTTP Service
Starting httpd: [Wed May 28 10:23:36 2014] [warn] _default_ VirtualHost overlap 
on port 443, the first has precedence
   [FAILED]
Failed to start HTTP Service
Shutting down
Stopping Kerberos 5 KDC:   [  OK  ]
Stopping Kerberos 5 Admin Server:  [  OK  ]
Stopping ipa_memcached:[  OK  ]
Stopping httpd:[FAILED]
Stopping pki-ca:   [  OK  ]
Shutting down dirsrv:
LINUX-DIRSRV-LOCAL...  [  OK  ]
PKI-IPA... [  OK  ]
Aborting ipactl

Of course kinit also fails with: kinit: Cannot contact any KDC for realm 
'LINUX.DIRSRV.LOCAL' while getting initial credentials

Can someone help me get back on my feet?  Luckily there are not many students 
around in the summer so I just have 20 annoyed faculty instead of 200 annoyed 
students to placate.

Thanks!



---
David Fitzgerald
Adjunct Professor
Department of Earth Sciences
Millersville University
Millersville, PA 17551

E-mail: david.fitzger...@millersville.edu
PH: 717-871-2394


Re: [Freeipa-users] ipa-* tools throws errors

2013-03-11 Thread David Fitzgerald

Here is the output of the dig command.  Cyclone does show up here , but our 
networking people say there are no srv records in our current db.  I still 
think the trouble I am having has to do with the Internal Server Error I get 
when I run ipa commands.


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6.3 <<>> -t srv 
_ldap._tcp.esci.millersville.edu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27213
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;_ldap._tcp.esci.millersville.edu. IN   SRV

;; ANSWER SECTION:
_ldap._tcp.esci.millersville.edu. 600 IN SRV0 100 389 
cyclone.esci.millersville.edu.

;; AUTHORITY SECTION:
_tcp.esci.millersville.edu. 3600 IN NS  corsair.millersville.edu.
_tcp.esci.millersville.edu. 3600 IN NS  garfield.millersville.edu.

;; ADDITIONAL SECTION:
corsair.millersville.edu. 3600  IN  A   192.206.29.2
garfield.millersville.edu. 3600 IN  A   166.66.86.144

;; Query time: 1 msec
;; SERVER: 166.66.86.144#53(166.66.86.144)
;; WHEN: Mon Mar 11 13:55:36 2013
;; MSG SIZE  rcvd: 176

-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of David Fitzgerald
Sent: Friday, March 08, 2013 12:04 PM
To: Martin Kosek
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-* tools throws errors

Thanks for getting back to me!

I don't think the problem has anything to do with DNS.  I (finally) ran an ipa 
command with the verbose flags -vv and found that it IS trying to contact 
aurora.esci.millersville.edu, it fails then tries to contact 
cyclone.esci.millersville.edu (still don't know where that comes from).   I am 
getting an 'Internal Server Error' in the output when connecting to aurora.  
Here is the output:

% ipa -vv passwd
ipa: INFO: trying https://aurora.esci.millersville.edu/ipa/xml
send: u'POST /ipa/xml HTTP/1.0\r\nHost: 
aurora.esci.millersville.edu\r\nAccept-Language: en-us\r\nReferer:  
https://aurora.esci.millersville.edu/ipa/xml\r\nAuthorization: negotiate
 SNIPPED OUT THE KEY STRING ...
send: <?xml version='1.0' encoding='UTF-8'?>
\n<methodCall>\n<methodName>ping</methodName>\n<params>\n</params>\n</methodCall>\n
reply: 'HTTP/1.1 500 Internal Server Error\r\n'
header: Date: Fri, 08 Mar 2013 16:52:48 GMT
header: Server: Apache/2.2.15 (Scientific Linux)
header: WWW-Authenticate: Negotiate 
YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvjoEMIFJxPVNU4jtl/7S+eC6fM0rlJWpV1fJdhoVTKwiR2pa2OHQWRtCjQDfz

pBNwNBpt1fMY7M4Bfrqs860toAT6jMfS8Jkqh3Aj9OeuEmpEVHys5pbErjj14OPHxbxTmLdPxFE8eV4ZIDQg40a8
header: Content-Length: 311
header: Connection: close
header: Content-Type: text/html; charset=utf-8
ipa: INFO: trying https://cyclone.esci.millersville.edu/ipa/xml
ipa: ERROR: Kerberos error: Service 
u'h...@cyclone.esci.millersville.edu' not found in Kerberos database/

The apache error log gives this:  
 Fri Mar 08 11:52:48 2013] [error] ipa: ERROR: 500 Internal Server 
Error: xmlserver.__call__: KRB5CCNAME not defined in HTTP request environment.

I have no idea what that means.  Can you help?

-Original Message-
From: Martin Kosek [mailto:mko...@redhat.com]
Sent: Wednesday, March 06, 2013 3:05 AM
To: David Fitzgerald
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-* tools throws errors

Ok. Can you try if this hostname is not returned in a SRV DNS record discovery 
run on the host where you execute the ipa commands?

# dig -t srv _ldap._tcp.esci.millersville.edu

Does it return the right results?

Martin


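What the dig output above shows is the missing link in this thread: the ipa client tried the configured server (aurora), got a 500, and fell back to DNS SRV discovery, which handed it cyclone, a host decommissioned years ago but still advertised in `_ldap._tcp.esci.millersville.edu`; the KDC then correctly refused to issue a ticket for HTTP/cyclone because no such principal exists. The script below is an added example, not code from the thread or from FreeIPA: it parses the ANSWER SECTION of `dig -t srv` output, orders the targets the way a client will try them, lists any target that is not one of the IPA servers you actually operate, and shows the Kerberos service principal each one will make the client request. The sample is constructed from the record quoted in the thread plus a second, hypothetical lower-priority record for aurora so the ordering has something to order; EXPECTED_SERVERS and the realm are taken from the poster's configuration.

```python
"""Show where DNS SRV discovery will send IPA clients and which Kerberos
service principal they will ask for (added example, not code from the thread
or from FreeIPA).

Parses the ANSWER SECTION of `dig -t srv _ldap._tcp.<domain>` output. The
sample is constructed from the thread's record plus a hypothetical second
record for aurora; EXPECTED_SERVERS is the operator's list of real servers.
"""
import re

REALM = "LINUX.DIRSRV.LOCAL"
EXPECTED_SERVERS = {"aurora.esci.millersville.edu"}

SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
_ldap._tcp.esci.millersville.edu. 600 IN SRV 0 100 389 cyclone.esci.millersville.edu.
_ldap._tcp.esci.millersville.edu. 600 IN SRV 10 100 389 aurora.esci.millersville.edu.

;; AUTHORITY SECTION:
_tcp.esci.millersville.edu. 3600 IN NS corsair.millersville.edu.
"""

SRV_LINE = re.compile(
    r"^(?P<name>\S+)\s+\d+\s+IN\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)


def parse_srv(text):
    """Return (priority, weight, port, target) tuples in the order a client tries them.

    RFC 2782: lowest priority first; within a priority, higher weight is
    favoured. Real resolvers choose randomly in proportion to weight; this
    sorts deterministically so the result can be reviewed.
    """
    records = []
    for line in text.splitlines():
        m = SRV_LINE.match(line.strip())
        if m:
            records.append((int(m["prio"]), int(m["weight"]), int(m["port"]),
                            m["target"].rstrip(".").lower()))
    return sorted(records, key=lambda r: (r[0], -r[1]))


def stale_targets(records, expected=EXPECTED_SERVERS):
    """Targets advertised in DNS that are not servers you operate."""
    return [r[3] for r in records if r[3] not in expected]


def service_principal(target, service="HTTP", realm=REALM):
    """The ticket a client asks the KDC for before talking to `target` over HTTPS."""
    return f"{service}/{target}@{realm}"


def diagnose(text):
    """Summarise try order, stale entries and the principals each target implies."""
    records = parse_srv(text)
    return {
        "try_order": [r[3] for r in records],
        "stale": stale_targets(records),
        "principals": [service_principal(r[3]) for r in records],
    }


if __name__ == "__main__":
    import sys
    text = SAMPLE_DIG_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    report = diagnose(text)
    for target, principal in zip(report["try_order"], report["principals"]):
        flag = "STALE " if target in report["stale"] else "      "
        print(f"{flag}{target:40s} -> {principal}")
```

Run it as `dig -t srv _ldap._tcp.esci.millersville.edu | python3 srv_check.py` (and again for `_kerberos._tcp` and `_kerberos._udp`). The KDC's UNKNOWN_SERVER refusal is what stopped the client here, but a record pointing at a decommissioned name is still a dangling entry that should be deleted, not relied on to fail safely.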
Re: [Freeipa-users] ipa-* tools throws errors

2013-03-08 Thread David Fitzgerald
Thanks for getting back to me!

I don't think the problem has anything to do with DNS.  I (finally) ran an ipa 
command with the verbose flags -vv and found that it IS trying to contact 
aurora.esci.millersville.edu, it fails then tries to contact 
cyclone.esci.millersville.edu (still don't know where that comes from).   I am 
getting an 'Internal Server Error' in the output when connecting to aurora.  
Here is the output:

% ipa -vv passwd
ipa: INFO: trying https://aurora.esci.millersville.edu/ipa/xml
send: u'POST /ipa/xml HTTP/1.0\r\nHost: 
aurora.esci.millersville.edu\r\nAccept-Language: en-us\r\nReferer:  
https://aurora.esci.millersville.edu/ipa/xml\r\nAuthorization: negotiate
 SNIPPED OUT THE KEY STRING ...
send: <?xml version='1.0' encoding='UTF-8'?>
\n<methodCall>\n<methodName>ping</methodName>\n<params>\n</params>\n</methodCall>\n
reply: 'HTTP/1.1 500 Internal Server Error\r\n'
header: Date: Fri, 08 Mar 2013 16:52:48 GMT
header: Server: Apache/2.2.15 (Scientific Linux)
header: WWW-Authenticate: Negotiate 
YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvjoEMIFJxPVNU4jtl/7S+eC6fM0rlJWpV1fJdhoVTKwiR2pa2OHQWRtCjQDfz

pBNwNBpt1fMY7M4Bfrqs860toAT6jMfS8Jkqh3Aj9OeuEmpEVHys5pbErjj14OPHxbxTmLdPxFE8eV4ZIDQg40a8
header: Content-Length: 311
header: Connection: close
header: Content-Type: text/html; charset=utf-8
ipa: INFO: trying https://cyclone.esci.millersville.edu/ipa/xml
ipa: ERROR: Kerberos error: Service 
u'h...@cyclone.esci.millersville.edu' not found in Kerberos database/

The apache error log gives this:  
 Fri Mar 08 11:52:48 2013] [error] ipa: ERROR: 500 Internal Server 
Error: xmlserver.__call__: KRB5CCNAME not defined in HTTP request environment.

I have no idea what that means.  Can you help?

-Original Message-
From: Martin Kosek [mailto:mko...@redhat.com] 
Sent: Wednesday, March 06, 2013 3:05 AM
To: David Fitzgerald
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-* tools throws errors

Ok. Can you try if this hostname is not returned in a SRV DNS record discovery 
run on the host where you execute the ipa commands?

# dig -t srv _ldap._tcp.esci.millersville.edu

Does it return the right results?

Martin


[Freeipa-users] ipa-* tools throws errors

2013-03-05 Thread David Fitzgerald
Hello everyone,

I have been running a freeIPA server on Scientific Linux 6.2 for about a year.  
Yesterday I  started not being able to run any ipa- commands.  Running kinit 
admin gives me the proper tickets, but when I run any ipa- command I get the 
following error:

ipa: ERROR: Kerberos error: Service u'h...@cyclone.esci.millersville.edu' not 
found in Kerberos database/.

I have no idea where the cyclone.esci.millersville.edu is coming from, as that 
used to be a Windows Domain server that was decommissioned years ago and is no 
longer in DNS, nor in /etc/hosts.  I even grep -R  all of the files in /etc and 
none refer to cyclone.  I checked the ipa config and krb5.conf files and they 
are pointing at the proper ipa server.

Checking log files I get these messages when I try to run ipa commands:

/var/log/httpd/error log:
Tue Mar 05 08:57:54 2013] [error] ipa: ERROR: 500 Internal Server Error: 
xmlserver.__call__: KRB5CCNAME not defined in HTTP request environment

/var/log/ipa
Mar 05 09:57:00 aurora.esci.millersville.edu krb5kdc[12534](info): TGS_REQ (4 
etypes {18 17 16 23}) 166.66.65.39: ISSUE: authtime 1362491436, etypes {rep=18 
tkt=18 ses=18}, admin@LINUX.DIRSRV.LOCAL for 
krbtgt/LINUX.DIRSRV.LOCAL@LINUX.DIRSRV.LOCAL
Mar 05 09:57:00 aurora.esci.millersville.edu krb5kdc[12534](info): TGS_REQ (4 
etypes {18 17 16 23}) 166.66.65.39: UNKNOWN_SERVER: authtime 0,  
admin@LINUX.DIRSRV.LOCAL for 
HTTP/cyclone.esci.millersville.edu@LINUX.DIRSRV.LOCAL, Server not found in 
Kerberos database

I Googled these error messages, but none of the results seemed to apply to my 
situation or didn't solve the problem.  Can anyone point me in the right 
direction? Any help is greatly appreciated.

For what they are worth, here are my /etc/krb5.conf and /etc/ipa/default.conf 
files:

/etc/krb5.conf:

includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = LINUX.DIRSRV.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = yes

[realms]
LINUX.DIRSRV.LOCAL = {
  kdc = aurora.esci.millersville.edu:88
  admin_server = aurora.esci.millersville.edu:749
  default_domain = esci.millersville.edu
  pkinit_anchors = FILE:/etc/ipa/ca.crt
}

[domain_realm]
.esci.millersville.edu = LINUX.DIRSRV.LOCAL
esci.millersville.edu = LINUX.DIRSRV.LOCAL

[dbmodules]
#  LINUX.DIRSRV.LOCAL = {
#db_library = kldap
#ldap_servers = ldapi://%2fvar%2frun%2fslapd-LINUX-DIRSRV-LOCAL.socket
#ldap_kerberos_container_dn = cn=kerberos,dc=linux,dc=dirsrv,dc=local
#ldap_kdc_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=linux,dc=dirsrv,dc=local
#ldap_kadmind_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=linux,dc=dirsrv,dc=local
#ldap_service_password_file = /var/kerberos/krb5kdc/ldappwd
#  }

  LINUX.DIRSRV.LOCAL = {
db_library = ipadb.so
  }

/etc/ipa/default.conf

[global]
host=aurora.esci.millersville.edu
basedn=dc=linux,dc=dirsrv,dc=local
realm=LINUX.DIRSRV.LOCAL
domain=esci.millersville.edu
xmlrpc_uri=https://aurora.esci.millersville.edu/ipa/xml
ldap_uri=ldapi://%2fvar%2frun%2fslapd-LINUX-DIRSRV-LOCAL.socket
enable_ra=True
ra_plugin=dogtag
mode=production


+++
David Fitzgerald
Department of Earth Sciences
Millersville University
Millersville, PA 17551

Phone: 717-871-2394


Re: [Freeipa-users] ipa-* tools throws errors

2013-03-05 Thread David Fitzgerald
The host command returns the correct name:
#host 166.66.65.39
39.65.66.166.in-addr.arpa domain name pointer aurora.esci.millersville.edu.

-Original Message-
From: Martin Kosek [mailto:mko...@redhat.com] 
Sent: Tuesday, March 05, 2013 10:26 AM
To: David Fitzgerald
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-* tools throws errors

On 03/05/2013 04:21 PM, David Fitzgerald wrote:

Hello David,

I suspect this is caused by broken DNS reverse resolution, as Kerberos client 
software often uses the result of reverse record (PTR RR) resolution as a 
hostname and not the actual hostname configured on your system.

What does host $IP_ADDRESS_OF_YOUR_HOST return? Does it return the correct 
hostname?

Martin



Re: [Freeipa-users] clients very slow

2012-09-27 Thread David Fitzgerald


From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
Sent: Thursday, September 13, 2012 6:50 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] clients very slow

On 09/13/2012 09:54 AM, David Fitzgerald wrote:
Hello Everyone,

I work at a small university and I deployed freeIPA on my Linux network over 
the summer break with no (known) problems,  and everything worked as expected.  
However, now that the semester has started and the Linux system is under a much 
higher load, I am noticing that my client machines will randomly slow to a 
crawl.  For example, I have a lab of 25 machines.  The students can log in ok, 
but after a time, a few of the machines will freeze so that the users on those 
machines cannot do anything.  After a few minutes, the frozen machines will 
unfreeze, but other machines will freeze up.  I can't see any pattern to what 
machines freeze up.  I did not have this problem when running NIS, so I suspect 
it is something in freeIPA but I am not sure what to look for to solve the 
problem.  Probably a setting somewhere needs tweaking but I don't know.  The 
server and clients all run Scientific Linux 6.2.

Can anyone help me troubleshoot this?

Do you use SSSD as a client or something else?

If SSSD we would need the nsswitch, pam, krb5.conf, sssd.conf configuration 
files and SSSD logs set to debug_level=8 or 9.

What operation are they freezing on? Is it login/authentication or just 
suddenly, which probably indicates identity lookup.
So freezes might be related to the DNS or name resolution lookups that those 
machines do. They might be accessing a DNS server that is down or misconfigured 
before failing over to a correct one.

So resolv.conf, /etc/hosts would be helpful.
But you might need to check the DNS configuration yourself.


HTH


We do use SSSD as a client.  The freeze occurs suddenly, after the user logs 
in.  One process that always is at the top of 'top' when the systems freeze is 
'xxx.xxx.xxx.xxx-ma', where the xxx's are the ip address of my freeIPA server.  
Watching the network during these freezes show that the clients are attempting 
to contact the freeIPA server but we don't see a reply.  Is there a limit on 
the number of connections the server can handle?

Thanks!

Dave

+++
David Fitzgerald
Department of Earth Sciences
Millersville University
Millersville, PA 17551

Phone: 717-871-2394





--

Thank you,

Dmitri Pal

Sr. Engineering Manager for IdM portfolio

Red Hat Inc.

[Freeipa-users] clients very slow

2012-09-13 Thread David Fitzgerald
Hello Everyone,

I work at a small university and I deployed freeIPA on my Linux network over 
the summer break with no (known) problems,  and everything worked as expected.  
However, now that the semester has started and the Linux system is under a much 
higher load, I am noticing that my client machines will randomly slow to a 
crawl.  For example, I have a lab of 25 machines.  The students can log in ok, 
but after a time, a few of the machines will freeze so that the users on those 
machines cannot do anything.  After a few minutes, the frozen machines will 
unfreeze, but other machines will freeze up.  I can't see any pattern to what 
machines freeze up.  I did not have this problem when running NIS, so I suspect 
it is something in freeIPA but I am not sure what to look for to solve the 
problem.  Probably a setting somewhere needs tweaking but I don't know.  The 
server and clients all run Scientific Linux 6.2.

Can anyone help me troubleshoot this?

Thanks!

Dave

+++
David Fitzgerald
Department of Earth Sciences
Millersville University
Millersville, PA 17551

Phone: 717-871-2394
