[Freeipa-users] sudden ipa errors.

Dmitri Pal dpal at redhat.com
Wed Sep 19 19:42:15 UTC 2012



On 09/19/2012 03:37 PM, Nathan Lager wrote:
>
>
> On 09/19/2012 02:54 PM, Rob Crittenden wrote:
> > Nathan Lager wrote:
> >>
> >>
> >> On 09/19/2012 11:34 AM, Rob Crittenden wrote:
> >>> Nathan Lager wrote:
> >>>>
> >>>> On 09/19/2012 10:37 AM, Rob Crittenden wrote:
> >>>>> Lager, Nathan T. wrote:
> >>>>>>
> >>>>>> ----- Original Message -----
> >>>>>>> From: "Rob Crittenden" <rcritten at redhat.com> To:
> >>>>>>> "Nathan Lager" <lagern at lafayette.edu> Cc:
> >>>>>>> freeipa-users at redhat.com Sent: Tuesday, September 18,
> >>>>>>> 2012 5:17:00 PM Subject: Re: [Freeipa-users] sudden ipa
> >>>>>>> errors.
> >>>>>>>
> >>>>>>> Ok, what are the permissions on the keytab,
> >>>>>>> /etc/httpd/conf/ipa.keytab? They should be
> >>>>>>> apache:apache mode 0600.
> >>>>>>
> >>>>>> [lagern at caroline0 PROD ~]$ ls -lZ /etc/httpd/conf/ipa.keytab
> >>>>>> -rw-------. apache apache unconfined_u:object_r:httpd_config_t:s0 /etc/httpd/conf/ipa.keytab
> >>>>>>
> >>>>>>>
> >>>>>>> Are you in SELinux enforcing mode? Can you try in
> >>>>>>> permissive to see if that works?
> >>>>>> I was enforcing at the start of all of this, but I've
> >>>>>> since switched to permissive for troubleshooting. It
> >>>>>> hasn't made a difference.
> >>>>>
> >>>>> Are you getting an HTTP service principal in the client?
> >>>>>
> >>>>> $ kdestroy
> >>>>> $ kinit admin
> >>>>> $ ipa user-show admin <fail>
> >>>>> $ klist -fea
> >>>>>
> >>>>> Let's try to skip s4u2proxy. Does this work:
> >>>>>
> >>>>> $ ipa --delegate user-show admin
> >>>>>
> >>>>> Unfortunately the major and minor error codes are as
> >>>>> generic as can be so they aren't any help at all.
> >>>>>
> >>>>> rob
> >>>>
> >>>> Here's the output. The --delegate still failed.
> >>>>
> >>>> [root at caroline0 PROD ~]# klist -fea
> >>>> Ticket cache: FILE:/tmp/krb5cc_0
> >>>> Default principal: lagern at SYSTEMS.LAFAYETTE.EDU
> >>>>
> >>>> Valid starting     Expires            Service principal
> >>>> 09/19/12 11:23:03  09/20/12 11:22:52  krbtgt/SYSTEMS.LAFAYETTE.EDU at SYSTEMS.LAFAYETTE.EDU
> >>>>         Flags: FIA, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
> >>>>         Addresses: (none)
> >>>> 09/19/12 11:23:11  09/20/12 11:22:52  HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
> >>>>         Flags: FAT, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
> >>>>         Addresses: (none)
> >>>> [root at caroline0 PROD ~]# ipa --delegate user-show admin
> >>>> ipa: ERROR: cannot connect to u'http://caroline0.lafayette.edu/ipa/xml': Internal Server Error
> >>>> [root at caroline0 PROD ~]#
> >>>
> >>> Is it the same major/minor error in gss_acquire_cred()?
> >>>
> >>> Does GSSAPI over LDAP work?
> >>>
> >>> $ ldapsearch -Y GSSAPI -h ipa.example.com -b cn=users,cn=accounts,dc=example,dc=com admin
> >>>
> >> This appears to work.
> >>
> >> [root at caroline0 PROD ~]# ldapsearch -Y GSSAPI -h caroline0.lafayette.edu -b cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu admin
> >> SASL/GSSAPI authentication started
> >> SASL username: lagern at SYSTEMS.LAFAYETTE.EDU
> >> SASL SSF: 56
> >> SASL data security layer installed.
> >> # extended LDIF
> >> #
> >> # LDAPv3
> >> # base <cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu> with scope subtree
> >> # filter: (objectclass=*)
> >> # requesting: admin
> >> #
> >>
> >> # users, accounts, systems.lafayette.edu
> >> dn: cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu
> >>
> >> # admin, users, accounts, systems.lafayette.edu
> >> dn: uid=admin,cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu
> >>
> >> <-- a bunch of other users here -->
> >>
> >> # search result
> >> search: 4
> >> result: 0 Success
> >>
> >> # numResponses: 10
> >> # numEntries: 9
> >>
>
> > Ok, so it's JUST Apache then.
>
> > Is the hostname on caroline0 set as a FQDN (/bin/hostname)?
>
> > If not, I'd try setting it to caroline0.lafayette.edu
>
> > If so, might be worth trying to refresh your Apache keytab. I made
> > some educated guesses on your hostnames/realm, please
> > double-check:
>
> > # ipa-getkeytab -s caroline0.lafayette.edu -p HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU -k /etc/httpd/conf/ipa.keytab
>
> > Should not be required to restart httpd but it shouldn't hurt. Run
> > kdestroy/kinit before trying ipa user-show again.
>
> > rob
>
> Well, it seems like we're at least narrowing things down. But it's still
> no good.
>
> The hostname is the fqdn. /bin/hostname returns it as such.
>
>
> [root at caroline0 PROD ~]# ipa-getkeytab -s caroline0.lafayette.edu -p HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU -k /etc/httpd/conf/ipa.keytab
> Keytab successfully retrieved and stored in: /etc/httpd/conf/ipa.keytab
> [root at caroline0 PROD ~]# service httpd restart
> Stopping httpd: [ OK ]
> Starting httpd: [Wed Sep 19 15:34:24 2012] [warn] worker
> ajp://localhost:9447/ already used by another worker
> [Wed Sep 19 15:34:24 2012] [warn] worker ajp://localhost:9447/ already
> used by another worker
> [ OK ]
> [root at caroline0 PROD ~]# kdestroy
> [root at caroline0 PROD ~]# kinit lagern
> Password for lagern at SYSTEMS.LAFAYETTE.EDU:
> [root at caroline0 PROD ~]# ipa pwpolicy-show
> ipa: ERROR: cannot connect to u'http://caroline0.lafayette.edu/ipa/xml': Internal Server Error
>
>

Rob, the keytab and Kerberos part seem to be fine, and LDAP works too.
Can it be one of the certs? Maybe some cert expired?


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

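Rob's first check in the quoted exchange is whether the client actually holds an HTTP/<fqdn> service ticket after kinit. The following is an added example, not code from the thread or from FreeIPA: it parses `klist -fea` output (the sample below is reconstructed from the output Nathan pasted, reflowed to the one-ticket-per-line layout klist prints) and reports whether the expected HTTP ticket is present and still valid at a given time. The server name and realm are taken from the thread; the check time is an assumption.

```python
import re
from datetime import datetime

# Constructed sample: the klist -fea output from the thread, reflowed to the
# layout klist prints (ticket line, then a Flags/Etype line, then Addresses).
SAMPLE_KLIST = """Ticket cache: FILE:/tmp/krb5cc_0
Default principal: lagern@SYSTEMS.LAFAYETTE.EDU

Valid starting     Expires            Service principal
09/19/12 11:23:03  09/20/12 11:22:52  krbtgt/SYSTEMS.LAFAYETTE.EDU@SYSTEMS.LAFAYETTE.EDU
\tFlags: FIA, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
\tAddresses: (none)
09/19/12 11:23:11  09/20/12 11:22:52  HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU
\tFlags: FAT, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
\tAddresses: (none)
"""

TS = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"          # MM/DD/YY HH:MM:SS as klist prints it
TICKET_RE = re.compile(rf"^({TS})\s+({TS})\s+(\S+)$")
FLAGS_RE = re.compile(r"^\s*Flags: ([A-Za-z]+)")  # flag letters come before ", Etype"


def parse_ts(text):
    """Turn a klist timestamp into a datetime (two-digit year, local time)."""
    return datetime.strptime(text, "%m/%d/%y %H:%M:%S")


def parse_klist(text):
    """Return one dict per ticket: service, starting, expires, flags."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            tickets.append({"starting": parse_ts(m.group(1)),
                            "expires": parse_ts(m.group(2)),
                            "service": m.group(3), "flags": ""})
            continue
        f = FLAGS_RE.match(line)
        if f and tickets:  # the Flags line belongs to the ticket just parsed
            tickets[-1]["flags"] = f.group(1)
    return tickets


def check_http_ticket(text, server_fqdn, realm, now):
    """Is there an HTTP/<server>@<realm> ticket valid at `now` (klist-style stamp)?
    Returns (ok, reason) so a caller can log why the IPA client step failed."""
    principal = f"HTTP/{server_fqdn}@{realm}"
    when = parse_ts(now)
    for t in parse_klist(text):
        if t["service"] != principal:
            continue
        if not t["starting"] <= when < t["expires"]:
            return False, f"{principal} present but not valid at {now}"
        return True, f"{principal} valid until {t['expires']} flags={t['flags']}"
    return False, f"no {principal} ticket: the client never obtained a service ticket"
```

In the thread the ticket is present and valid, which is what lets Rob rule out the client side and move on to the LDAP and keytab checks.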


