[Freeipa-users] sudden ipa errors.

Rob Crittenden rcritten at redhat.com
Wed Sep 19 18:54:16 UTC 2012


Nathan Lager wrote:
>
>
> On 09/19/2012 11:34 AM, Rob Crittenden wrote:
>> Nathan Lager wrote:
>>>
>>> On 09/19/2012 10:37 AM, Rob Crittenden wrote:
>>>> Lager, Nathan T. wrote:
>>>>>
>>>>> ----- Original Message -----
>>>>>> From: "Rob Crittenden" <rcritten at redhat.com> To: "Nathan
>>>>>> Lager" <lagern at lafayette.edu> Cc: freeipa-users at redhat.com
>>>>>> Sent: Tuesday, September 18, 2012 5:17:00 PM Subject: Re:
>>>>>> [Freeipa-users] sudden ipa errors.
>>>>>>
>>>>>> Ok, what are the permissions on the keytab,
>>>>>> /etc/httpd/conf/ipa.keytab? They should be apache:apache
>>>>>> mode 0600.
>>>>>
>>>>> [lagern at caroline0 PROD ~]$ ls -lZ /etc/httpd/conf/ipa.keytab
>>>>> -rw-------. apache apache
>>>>> unconfined_u:object_r:httpd_config_t:s0
>>>>> /etc/httpd/conf/ipa.keytab
>>>>>
>>>>>>
>>>>>> Are you in SELinux enforcing mode? Can you try in
>>>>>> permissive to see if that works?
>>>>> I was enforcing at the start of all of this, but I've since
>>>>> switched to permissive for troubleshooting. It hasn't made a
>>>>> difference.
>>>>
>>>> Are you getting an HTTP service principal in the client?
>>>>
>>>> $ kdestroy
>>>> $ kinit admin
>>>> $ ipa user-show admin
>>>> <fail>
>>>> $ klist -fea
>>>>
>>>> Let's try to skip s4u2proxy. Does this work:
>>>>
>>>> $ ipa --delegate user-show admin
>>>>
>>>> Unfortunately the major and minor error codes are as generic as
>>>> can be so they aren't any help at all.
>>>>
>>>> rob
>>>
>>> Here's the output. The --delegate still failed.
>>>
>>> [root at caroline0 PROD ~]# klist -fea
>>> Ticket cache: FILE:/tmp/krb5cc_0
>>> Default principal: lagern at SYSTEMS.LAFAYETTE.EDU
>>>
>>> Valid starting     Expires            Service principal
>>> 09/19/12 11:23:03  09/20/12 11:22:52  krbtgt/SYSTEMS.LAFAYETTE.EDU at SYSTEMS.LAFAYETTE.EDU
>>>         Flags: FIA, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>>>         Addresses: (none)
>>> 09/19/12 11:23:11  09/20/12 11:22:52  HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>>>         Flags: FAT, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>>>         Addresses: (none)
>>> [root at caroline0 PROD ~]# ipa --delegate user-show admin
>>> ipa: ERROR: cannot connect to u'http://caroline0.lafayette.edu/ipa/xml': Internal Server Error
>>> [root at caroline0 PROD ~]#
>>
>> Is it the same major/minor error in gss_acquire_cred()?
>>
>> Does GSSAPI over LDAP work?
>>
>> $ ldapsearch -Y GSSAPI -h ipa.example.com -b cn=users,cn=accounts,dc=example,dc=com admin
>>
> This appears to work.
>
> [root at caroline0 PROD ~]# ldapsearch -Y GSSAPI -h caroline0.lafayette.edu -b cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu admin
> SASL/GSSAPI authentication started
> SASL username: lagern at SYSTEMS.LAFAYETTE.EDU
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base <cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu> with scope subtree
> # filter: (objectclass=*)
> # requesting: admin
> #
>
> # users, accounts, systems.lafayette.edu
> dn: cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu
>
> # admin, users, accounts, systems.lafayette.edu
> dn: uid=admin,cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu
>
> <-- a bunch of other users here -->
>
> # search result
> search: 4
> result: 0 Success
>
> # numResponses: 10
> # numEntries: 9
>

Ok, so it's JUST Apache then.

Is the hostname on caroline0 set as a FQDN (/bin/hostname)?

If not, I'd try setting it to caroline0.lafayette.edu

If so, it might be worth trying to refresh your Apache keytab. I made some 
educated guesses on your hostnames/realm; please double-check:

# ipa-getkeytab -s caroline0.lafayette.edu -p HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU -k /etc/httpd/conf/ipa.keytab

It should not be necessary to restart httpd, but it shouldn't hurt. Run 
kdestroy/kinit before trying ipa user-show again.

rob
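The checks this thread walks through (keytab owned by apache:apache with mode 0600, hostname set to an FQDN, the HTTP principal for that FQDN present in the keytab, SELinux mode) collected into one script. This is an added example, not a script from the thread or from FreeIPA; it assumes GNU coreutils `stat` and MIT Kerberos `klist -kt` output, and the sample keytab listing is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Checks the points raised above for an
# IPA-enrolled Apache: keytab owner/mode, FQDN hostname, HTTP principal in keytab.
# Assumes GNU coreutils stat (Linux) and MIT Kerberos 'klist -kt' output.

# Succeeds if $1 exists and is owned by $2 (user:group) with mode 0600.
check_keytab_perms() {
    keytab="$1"; want_owner="$2"
    [ -f "$keytab" ] || { echo "missing keytab: $keytab" >&2; return 1; }
    have="$(stat -c '%U:%G %a' "$keytab")"
    [ "$have" = "$want_owner 600" ] ||
        { echo "$keytab is $have, want $want_owner 600" >&2; return 1; }
}

# Succeeds if $1 looks like a fully qualified hostname (has a dot, not localhost).
is_fqdn() {
    case "$1" in
        ''|localhost|localhost.*|.*|*.|*..*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints the service principal Apache needs for host $1 in realm $2.
http_principal() { printf 'HTTP/%s@%s\n' "$1" "$2"; }

# Reads 'klist -kt' output on stdin; succeeds if principal $1 is listed.
keytab_has_principal() { grep -q -F " $1"; }

# Constructed sample of 'klist -kt /etc/httpd/conf/ipa.keytab' for offline use.
SAMPLE_KLIST_KT='Keytab name: FILE:/etc/httpd/conf/ipa.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 09/18/2012 17:10:00 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU'

# Runs every check on a live host: ipa_keytab_check KEYTAB REALM
ipa_keytab_check() {
    keytab="$1"; realm="$2"; rc=0
    host="$(hostname)"
    check_keytab_perms "$keytab" apache:apache || rc=1
    is_fqdn "$host" || { echo "hostname '$host' is not an FQDN" >&2; rc=1; }
    princ="$(http_principal "$host" "$realm")"
    klist -kt "$keytab" | keytab_has_principal "$princ" ||
        { echo "$princ not in $keytab; refresh with ipa-getkeytab" >&2; rc=1; }
    command -v getenforce >/dev/null && echo "SELinux: $(getenforce)"
    return "$rc"
}

# Only run the live checks when invoked with arguments, e.g.:
#   sh ipa_keytab_check.sh /etc/httpd/conf/ipa.keytab SYSTEMS.LAFAYETTE.EDU
[ $# -eq 0 ] || ipa_keytab_check "$1" "$2"
```

A non-zero exit from `ipa_keytab_check` points at which of the thread's suspects (permissions, hostname, or a stale keytab) to fix first.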