[Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs

Steven Jones Steven.Jones at vuw.ac.nz
Wed May 25 20:30:28 UTC 2011


Outcome? I couldn't see where the 401 or 500 "appeared".....

The screen output of curl was as attached.

regards


________________________________________
From: Rob Crittenden [rcritten at redhat.com]
Sent: Thursday, 26 May 2011 1:21 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs

Steven Jones wrote:
> FYI....
>
> Think I did it right!
>
> :]

What was the outcome? Did you get a 401 or 500? I can't figure it out
based on the logs but I do see quite a few successful authentications.

Can you isolate the log data for this one curl request?

I'd run this on the 6.1 client that you're having problems with.

thanks

rob

>
> regards
> ________________________________________
> From: Rob Crittenden [rcritten at redhat.com]
> Sent: Wednesday, 25 May 2011 3:33 p.m.
> To: Steven Jones
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
>
> Steven Jones wrote:
>> FYI
>
> Ok, this is very strange, it isn't really trying very hard to do the
> kerberos authentication.
>
> It should be requesting the HTTP service principal and then doing the
> Negotiate authentication but for some reason it is giving up.
>
> Here is something to try (obviously replacing ipa.example.com with your
> ipa server):
>
> % kdestroy
> % scp ipa.example.com:/etc/krb5.conf test-krb5.conf
> % export KRB5_CONFIG=`pwd`/test-krb5.conf
> % kinit admin
> % klist -f (send us this output)
> % curl -kv --negotiate -u : https://ipa.example.com/ipa/xml
> % klist -f (send us this too)
> % unset KRB5_CONFIG
>
> You should get a 500 error and not a 401.
>
> Some logs to capture the tail of:
>
> Apache error and access logs
> /var/log/krb5kdc.log
>
> rob
>
>> ________________________________________
>> From: Rob Crittenden [rcritten at redhat.com]
>> Sent: Wednesday, 25 May 2011 9:41 a.m.
>> To: Steven Jones
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
>>
>> Steven Jones wrote:
>>> Logs.....
>>
>> Sorry, had you set the level in the wrong file. Can you set LogLevel
>> debug in /etc/httpd/conf.d/nss.conf, restart Apache and try again?
>>
>> rob
>>
>>> ________________________________________
>>> From: Rob Crittenden [rcritten at redhat.com]
>>> Sent: Wednesday, 25 May 2011 8:51 a.m.
>>> To: Steven Jones
>>> Cc: freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
>>>
>>> Steven Jones wrote:
>>>> Hi,
>>>>
>>>> So I can't get clients to connect to the ipa server, be it 5.6 or 6.1
>>>>
>>>> Is there a solution to this?
>>>
>>> Can you set LogLevel debug in /etc/httpd/conf/httpd.conf, restart Apache
>>> and try the join again?
>>>
>>> This should give more feedback why mod_auth_kerb/kerberos is rejecting
>>> the credentials.
>>>
>>> rob
>>>
>>>>
>>>>
>>>> regards
>>>> ________________________________________
>>>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
>>>> Sent: Tuesday, 24 May 2011 4:24 p.m.
>>>> To: Rob Crittenden
>>>> Cc: freeipa-users at redhat.com
>>>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
>>>>
>>>> I must be going blind in my old age.....anyway here they are.
>>>>
>>>> regards
>>>> ________________________________________
>>>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
>>>> Sent: Tuesday, 24 May 2011 2:58 p.m.
>>>> To: Rob Crittenden
>>>> Cc: freeipa-users at redhat.com
>>>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1
>>>>
>>>> Hi,
>>>>
>>>> 1) Screen data of the install from using the -d option.  (attach d.out)
>>>>
>>>> 2) ipa-install log
>>>>
>>>> 3) there are no httpd logs in /var/log/httpd/ it is an empty directory.
>>>>
>>>> 4) "Did you also run kinit before manually
>>>> running ipa-join in your testing?"  Yes....
>>>>
>>>> 5) For DNS I added,
>>>>
>>>>      allow query {any;};
>>>>
>>>> into /etc/named.conf clients were then not denied DNS.
>>>>
>>>> regards
>>>>
>>>>
>>>>
>>>> ________________________________________
>>>> From: Rob Crittenden [rcritten at redhat.com]
>>>> Sent: Tuesday, 24 May 2011 2:24 p.m.
>>>> To: Steven Jones
>>>> Cc: freeipa-users at redhat.com
>>>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1
>>>>
>>>> Steven Jones wrote:
>>>>> ran the ipa-join manually and krb5.conf was not configured, scp'd that over from the ipa-server and re-ran ipa-join, still getting the same 401 failure...
>>>>
>>>> This is a different mismatch than you were seeing with 5.6 (and a
>>>> completely different error message).
>>>>
>>>> A few things to note:
>>>>
>>>> - In general, when you reference any IPA server you should always use
>>>> the fully-qualified name. The SSL error you had was because the name did
>>>> not match the certificate.
>>>> - The 3xx/4xx error responses seen from ipa-join are HTTP error codes so
>>>> you can always check the Apache error/access logs for diagnostic
>>>> information.
>>>> - The integrated DNS stores information in LDAP, not flat files, so
>>>> having no data in /var/named is not surprising.
>>>>
>>>> ipa-join needs authentication in the form of a TGT or a one-time
>>>> password. It definitely did one in the log you provided and you still
>>>> got a 401, which is strange. Did you also run kinit before manually
>>>> running ipa-join in your testing?
>>>>
>>>> Running ipa-join or ipa-client-install with the -d option will provide a
>>>> lot more debugging information.
>>>>
>>>> I think the first place to check is the Apache error log to see why the
>>>> join call failed.
>>>>
>>>> rob
>>>>
>>>
>>
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: curl.out
Type: application/octet-stream
Size: 1682 bytes
Desc: curl.out
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20110525/f9d6c444/attachment.obj>
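The thread turns on three things Rob keeps asking for: did the server challenge with Negotiate, did curl actually send a Kerberos token, and was the final answer a 401 or a 500. The script below is an added example (not part of the thread or of FreeIPA) that pulls those three facts out of a saved `curl -kv --negotiate` transcript and maps them to the next log to look at; the two transcripts are constructed, and ipa.example.com is the placeholder hostname from Rob's instructions.

```shell
#!/usr/bin/env bash
# Classify a "curl -kv --negotiate -u : https://ipa.example.com/ipa/xml" transcript:
# did the server offer Negotiate, did curl send a token, and what was the final status?

# Constructed sample 1: Negotiate offered, curl never sends a token, final 401.
SAMPLE_NO_TOKEN='> GET /ipa/xml HTTP/1.1
> Host: ipa.example.com
< HTTP/1.1 401 Authorization Required
< WWW-Authenticate: Negotiate
< Content-Length: 0
* Connection #0 to host ipa.example.com left intact'
# Constructed sample 2: token sent and accepted, backend then fails with 500.
SAMPLE_TOKEN_500='> GET /ipa/xml HTTP/1.1
< HTTP/1.1 401 Authorization Required
< WWW-Authenticate: Negotiate
> GET /ipa/xml HTTP/1.1
> Authorization: Negotiate YIIC...constructed-token...
< HTTP/1.1 500 Internal Server Error'

# Last HTTP status code in the transcript (the "< HTTP/1.x NNN" response lines).
last_status() {
    printf '%s\n' "$1" | sed -n 's/^< HTTP\/1\.[01] \([0-9][0-9][0-9]\).*/\1/p' | tail -n 1
}

# 1 if the server challenged with WWW-Authenticate: Negotiate, else 0.
server_offered_negotiate() {
    printf '%s\n' "$1" | grep -qi '^< WWW-Authenticate: Negotiate' && echo 1 || echo 0
}

# 1 if curl answered with an Authorization: Negotiate token, else 0.
client_sent_token() {
    printf '%s\n' "$1" | grep -qi '^> Authorization: Negotiate ' && echo 1 || echo 0
}

# Combine the three observations into the distinction drawn in the thread.
diagnose() {
    status=$(last_status "$1")
    if [ "$(server_offered_negotiate "$1")" = 0 ]; then
        echo "no-negotiate-offered:$status"        # mod_auth_kerb not engaged: check the httpd config
    elif [ "$(client_sent_token "$1")" = 0 ]; then
        echo "client-never-sent-token:$status"    # no HTTP/ ticket obtained: check klist -f, KRB5_CONFIG, krb5kdc.log
    elif [ "$status" = 401 ]; then
        echo "token-rejected:401"                 # mod_auth_kerb refused the token: httpd error_log at LogLevel debug
    else
        echo "authenticated:$status"              # auth succeeded; a 500 now points at the IPA backend, not Kerberos
    fi
}

diagnose "$SAMPLE_NO_TOKEN"; diagnose "$SAMPLE_TOKEN_500"
```

Run it against a real capture with `diagnose "$(cat curl.out)"`; the "client-never-sent-token" result is the "not really trying very hard" case in the thread, where the 401 is from the client never presenting a ticket rather than from mod_auth_kerb rejecting one.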

