[Freeipa-users] sudden ipa errors.

Nathan Lager lagern at lafayette.edu
Thu Sep 20 18:25:09 UTC 2012



On 09/20/2012 11:43 AM, Rob Crittenden wrote:
> Lager, Nathan T. wrote:
>> 
>> ----- Original Message -----
>>> From: "Rob Crittenden" <rcritten at redhat.com>
>>> To: "Nathan Lager" <lagern at lafayette.edu>
>>> Cc: freeipa-users at redhat.com
>>> Sent: Wednesday, September 19, 2012 4:35:30 PM
>>> Subject: Re: [Freeipa-users] sudden ipa errors.
>>>
>>> Nathan Lager wrote:
>>>> 
>>>> On 09/19/2012 03:47 PM, Rob Crittenden wrote:
>>>>> Dmitri Pal wrote:
>>>>>> 
>>>>>> Rob, keytab and kerberos part seems to be fine, ldap
>>>>>> works too. Can it be one of the certs? Maybe some cert
>>>>>> expired?
>>>>> 
>>>>> No, the error is coming from GSSAPI, it is unfortunately 
>>>>> completely useless. I think we've pretty well narrowed down
>>>>> the problem to httpd/mod_auth_kerb but I don't know yet if
>>>>> this is a configuration issue or a bug.
>>>>> 
>>>>> Nathan, can you show me your /etc/httpd/conf.d/ipa.conf?
>>>> Sure, as far as I know it's completely stock, aside from the
>>>> krb password auth change.
>>> 
>>> Yup, configuration looks fine.
>>> 
>>> Ok, let's eliminate the ipa tool as the problem and try curl:
>>> 
>>> Create a file test.json with these contents:
>>> 
>>> {"method":"batch","params":[[ 
>>> {"method":"user_show","params":[["admin"],{"all":false}]} 
>>> ],{}],"id":1}
>>> 
>>> then run this:
>>> 
>>> curl -H "Content-Type:application/json" \
>>>      -H "Accept:application/json" \
>>>      -H "Accept-Language:en" \
>>>      -H "Referer: https://caroline0.lafayette.edu/ipa/xml" \
>>>      --negotiate -u : \
>>>      --cacert /etc/ipa/ca.crt \
>>>      -d @test.json -X POST \
>>>      https://caroline0.lafayette.edu/ipa/json
>>> 
>> Seems to be running into the same trouble.
>> 
>> [lagern at caroline0 PROD ~]$ curl -H "Content-Type:application/json" \
>>      -H "Accept:application/json" \
>>      -H "Accept-Language:en" \
>>      -H "Referer: https://caroline0.lafayette.edu/ipa/xml" \
>>      --negotiate -u : \
>>      --cacert /etc/ipa/ca.crt \
>>      -d  @test.json -X POST \
>>      https://caroline0.lafayette.edu/ipa/json
>> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
>> <html><head>
>> <title>500 Internal Server Error</title>
>> </head><body>
>> <h1>Internal Server Error</h1>
>> <p>The server encountered an internal error or
>> misconfiguration and was unable to complete your request.</p>
>> <p>Please contact the server administrator,
>> root at localhost and inform them of the time the error occurred,
>> and anything you might have done that may have caused the error.</p>
>> <p>More information about this error may be available
>> in the server error log.</p>
>> <hr>
>> <address>Apache/2.2.15 (Red Hat) Server at caroline0.lafayette.edu Port 443</address>
>> </body></html>
> 
> Ok, need to gather some more info:
> 
> # kvno HTTP/caroline0.lafayette.edu
> # klist -kt /etc/httpd/conf/ipa.keytab
> 
[root at caroline0 PROD ~]# kvno HTTP/caroline0.lafayette.edu
HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU: kvno = 3
[root at caroline0 PROD ~]# klist -kt /etc/httpd/conf/ipa.keytab
Keytab name: WRFILE:/etc/httpd/conf/ipa.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 02/03/12 16:31:27 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
   2 02/03/12 16:31:27 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
   2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
   2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
   2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
   2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
   3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
   3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
   3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
   3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU



> rob

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE (#110-011-426)
System Administrator
11 Pardee Hall
Lafayette College, Easton, PA 18042
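
The two commands requested above compare the key version the KDC issues service tickets for (`kvno`) with the versions stored in the service keytab (`klist -kt`). The script below automates that comparison as an added example; it is not part of the original message or of FreeIPA. The function names, the host `web.example.test` and the realm `EXAMPLE.TEST` are constructed placeholders.

```shell
#!/bin/sh
# Added example. Host and realm below are constructed placeholders.

# kdc_kvno: read `kvno <principal>` output on stdin, print the key version.
kdc_kvno() {
    sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# keytab_kvnos PRINCIPAL: read `klist -kt <keytab>` output on stdin and print
# the distinct KVNOs stored for PRINCIPAL (realm ignored), ascending.
keytab_kvnos() {
    awk -v p="$1" '
        $1 ~ /^[0-9]+$/ && NF >= 4 {
            name = $4
            sub(/@.*/, "", name)      # drop "@REALM" if attached
            if (name == p) print $1
        }' | sort -n | uniq
}

# check_keytab KVNO_OUTPUT KLIST_OUTPUT PRINCIPAL
# Prints "match" if the keytab holds the version the KDC issues tickets for,
# "stale" if it does not, "unknown" if either output could not be parsed.
check_keytab() {
    want=$(printf '%s\n' "$1" | kdc_kvno)
    have=$(printf '%s\n' "$2" | keytab_kvnos "$3")
    if [ -z "$want" ] || [ -z "$have" ]; then
        echo "unknown"; return 2
    fi
    if printf '%s\n' "$have" | grep -qx "$want"; then
        echo "match"; return 0
    fi
    echo "stale"; return 1
}

# Constructed sample output, same layout as the two commands print.
SAMPLE_KVNO='HTTP/web.example.test@EXAMPLE.TEST: kvno = 3'
SAMPLE_KLIST='Keytab name: WRFILE:/etc/httpd/conf/ipa.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 02/03/12 16:31:27 HTTP/web.example.test@EXAMPLE.TEST
   3 09/19/12 15:33:53 HTTP/web.example.test@EXAMPLE.TEST'

check_keytab "$SAMPLE_KVNO" "$SAMPLE_KLIST" "HTTP/web.example.test"   # prints "match"
```

On a live host the first two arguments would be `"$(kvno HTTP/<host>)"` and `"$(klist -kt <keytab>)"`, run with a valid ticket and read access to the keytab.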



