[Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs

Steven Jones Steven.Jones at vuw.ac.nz
Wed May 25 03:59:41 UTC 2011


FYI....

Think I did it right!

:]

regards
________________________________________
From: Rob Crittenden [rcritten at redhat.com]
Sent: Wednesday, 25 May 2011 3:33 p.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs

Steven Jones wrote:
> FYI

Ok, this is very strange, it isn't really trying very hard to do the
kerberos authentication.

It should be requesting the HTTP service principal and then doing the
Negotiate authentication but for some reason it is giving up.

Here is something to try (obviously replacing ipa.example.com with your
ipa server):

% kdestroy
% scp ipa.example.com:/etc/krb5.conf test-krb5.conf
% export KRB5_CONFIG=`pwd`/test-krb5.conf
% kinit admin
% klist -f (send us this output)
% curl -kv --negotiate -u : https://ipa.example.com/ipa/xml
% klist -f (send us this too)
% unset KRB5_CONFIG

You should get a 500 error and not a 401.

Some logs to capture the tail of:

Apache error and access logs
/var/log/krb5kdc.log

rob

> ________________________________________
> From: Rob Crittenden [rcritten at redhat.com]
> Sent: Wednesday, 25 May 2011 9:41 a.m.
> To: Steven Jones
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
>
> Steven Jones wrote:
>> Logs.....
>
> Sorry, I had you set the level in the wrong file. Can you set LogLevel
> debug in /etc/httpd/conf.d/nss.conf, restart Apache and try again?
>
> rob
>
>> ________________________________________
>> From: Rob Crittenden [rcritten at redhat.com]
>> Sent: Wednesday, 25 May 2011 8:51 a.m.
>> To: Steven Jones
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
>>
>> Steven Jones wrote:
>>> Hi,
>>>
>>> So I can't get clients to connect to the ipa server, be it 5.6 or 6.1
>>>
>>> Is there a solution to this?
>>
>> Can you set LogLevel debug in /etc/httpd/conf/httpd.conf, restart Apache
>> and try the join again?
>>
>> This should give more feedback why mod_auth_kerb/kerberos is rejecting
>> the credentials.
>>
>> rob
>>
>>>
>>>
>>> regards
>>> ________________________________________
>>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
>>> Sent: Tuesday, 24 May 2011 4:24 p.m.
>>> To: Rob Crittenden
>>> Cc: freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
>>>
>>> I must be going blind in my old age.....anyway here they are.
>>>
>>> regards
>>> ________________________________________
>>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
>>> Sent: Tuesday, 24 May 2011 2:58 p.m.
>>> To: Rob Crittenden
>>> Cc: freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1
>>>
>>> Hi,
>>>
>>> 1) Screen data of the install from using the -d option.  (attach d.out)
>>>
>>> 2) ipa-install log
>>>
>>> 3) there are no httpd logs in /var/log/httpd/ it is an empty directory.
>>>
>>> 4) "Did you also run kinit before manually
>>> running ipa-join in your testing?"  Yes....
>>>
>>> 5) For DNS I added,
>>>
>>>     allow query {any;};
>>>
>>> into /etc/named.conf; clients were then not denied DNS.
>>>
>>> regards
>>>
>>>
>>>
>>> ________________________________________
>>> From: Rob Crittenden [rcritten at redhat.com]
>>> Sent: Tuesday, 24 May 2011 2:24 p.m.
>>> To: Steven Jones
>>> Cc: freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1
>>>
>>> Steven Jones wrote:
>>>> ran the ipa-join manually and krb5.conf was not configured, scp'd that over from the ipa-server and re-ran ipa-join, still getting the same 401 failure...
>>>
>>> This is a different mismatch than you were seeing with 5.6 (and a
>>> completely different error message).
>>>
>>> A few things to note:
>>>
>>> - In general, when you reference any IPA server you should always use
>>> the fully-qualified name. The SSL error you had was because the name did
>>> not match the certificate.
>>> - The 3xx/4xx error responses seen from ipa-join are HTTP error codes so
>>> you can always check the Apache error/access logs for diagnostic
>>> information.
>>> - The integrated DNS stores information in LDAP, not flat files, so
>>> having no data in /var/named is not surprising.
>>>
>>> ipa-join needs authentication in the form of a TGT or a one-time
>>> password. It definitely did one in the log you provided and you still
>>> got a 401, which is strange. Did you also run kinit before manually
>>> running ipa-join in your testing?
>>>
>>> Running ipa-join or ipa-client-install with the -d option will provide a
>>> lot more debugging information.
>>>
>>> I think the first place to check is the Apache error log to see why the
>>> join call failed.
>>>
>>> rob
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: access_log
Type: application/octet-stream
Size: 84574 bytes
Desc: access_log
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20110525/afb91a8d/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: error_log
Type: application/octet-stream
Size: 83114 bytes
Desc: error_log
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20110525/afb91a8d/attachment-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: krb5kdc.log
Type: application/octet-stream
Size: 154252 bytes
Desc: krb5kdc.log
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20110525/afb91a8d/attachment-0002.obj>
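An added example, not part of the thread, that interprets the output of the diagnostic steps Rob lists: it checks a `klist -f` dump for the TGT and for the HTTP service ticket that should be cached after the curl call, and pulls the final status code out of `curl -v` output so the initial 401 Negotiate challenge is not mistaken for the failure. The klist and curl text is constructed sample data; EXAMPLE.COM and ipa.example.com are placeholder names.

```shell
#!/bin/sh
# Added example, not from the thread: interprets the output of the diagnostic
# steps (kinit, klist -f, curl --negotiate, klist -f) instead of running them.
# All sample output is constructed; EXAMPLE.COM and ipa.example.com are placeholders.

# Constructed `klist -f` output after kinit admin, before the curl call.
KLIST_BEFORE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: admin@EXAMPLE.COM

Valid starting     Expires            Service principal
05/25/11 15:40:02  05/26/11 15:40:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: FIA'

# Constructed `klist -f` output after curl: a ticket for the HTTP service
# principal should now be cached, showing the Negotiate step was attempted.
KLIST_AFTER="$KLIST_BEFORE
05/25/11 15:40:10  05/26/11 15:40:00  HTTP/ipa.example.com@EXAMPLE.COM
        Flags: FAT"

# Constructed `curl -kv --negotiate` transcript: the first 401 is the normal
# Negotiate challenge; only the last status line tells you whether auth worked.
CURL_VERBOSE='> GET /ipa/xml HTTP/1.1
< HTTP/1.1 401 Authorization Required
< WWW-Authenticate: Negotiate
> GET /ipa/xml HTTP/1.1
> Authorization: Negotiate YIIC...(token elided)
< HTTP/1.1 500 Internal Server Error'

# klist_has_ticket OUTPUT PRINCIPAL: succeeds if OUTPUT lists a ticket for PRINCIPAL.
klist_has_ticket() {
    printf '%s\n' "$1" | grep -q -F -- " $2"
}

# last_status OUTPUT: prints the status code of the final response in curl -v output.
last_status() {
    printf '%s\n' "$1" | sed -n 's/^< HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p' | tail -n 1
}

# classify_status CODE: meaning of the final code for this request, as the thread states it.
classify_status() {
    case "$1" in
        401) echo "negotiate-failed" ;;
        500) echo "auth-ok" ;;
        *)   echo "unexpected" ;;
    esac
}

if klist_has_ticket "$KLIST_AFTER" "HTTP/ipa.example.com@EXAMPLE.COM"; then
    echo "HTTP service ticket cached; final status: $(classify_status "$(last_status "$CURL_VERBOSE")")"
fi
```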

