[Freeipa-users] sudden ipa errors.
Nathan Lager
lagern at lafayette.edu
Fri Sep 21 15:07:33 UTC 2012
On 09/21/2012 10:18 AM, Rob Crittenden wrote:
> Lager, Nathan T. wrote:
>> Well, after all of this, RedHat support just resolved my issue!
>>
>> It came down the the domain_realm definitions in /etc/krb5.conf.
>>
>> They had me change:
>>
>> [domain_realm]
>> .systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
>> systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
>>
>> To:
>>
>> [domain_realm]
>> .systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
>> systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
>> .lafayette.edu = SYSTEMS.LAFAYETTE.EDU
>> lafayette.edu = SYSTEMS.LAFAYETTE.EDU
>>
>> After doing so, i restarted IPA, and my commands are working
>> properly now!
>>
>> Now, to get my replica back in order...
>
> Wow. OK, I'm glad it's working. Do we have any idea how this file
> changed? Is it wrong on all your clients or only on this one
> master?
>
It appears wrong on my replica as well, caroline1. There are no
clients currently, other than RHEV.
I only have one lingering issue, aside from my replica being broken.
I still can't reset admin's password. It gives me the same error as
before.
[root@caroline0 PROD ~]# kinit admin
Password for admin@SYSTEMS.LAFAYETTE.EDU:
Password expired. You must change it now.
Enter new password:
Enter it again:
kinit: Password has expired while getting initial credentials
> rob
>
>>
>>
>> ----- Original Message -----
>>> From: "Nathan Lager" <lagern at lafayette.edu>
>>> To: "Rob Crittenden" <rcritten at redhat.com>
>>> Cc: freeipa-users at redhat.com
>>> Sent: Thursday, September 20, 2012 2:46:20 PM
>>> Subject: Re: [Freeipa-users] sudden ipa errors.
>>>
>>> On 09/20/2012 02:28 PM, Rob Crittenden wrote:
>>>> Nathan Lager wrote:
>>>>>
>>>>>
>>>>> On 09/20/2012 11:43 AM, Rob Crittenden wrote:
>>>>>> Lager, Nathan T. wrote:
>>>>>>>
>>>>>>> ----- Original Message -----
>>>>>>>> From: "Rob Crittenden" <rcritten at redhat.com>
>>>>>>>> To: "Nathan Lager" <lagern at lafayette.edu>
>>>>>>>> Cc: freeipa-users at redhat.com
>>>>>>>> Sent: Wednesday, September 19, 2012 4:35:30 PM
>>>>>>>> Subject: Re: [Freeipa-users] sudden ipa errors.
>>>>>>>>
>>>>>>>> Nathan Lager wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 09/19/2012 03:47 PM, Rob Crittenden wrote:
>>>>>>>>>> Dmitri Pal wrote:
>>>>>>>>>>>
>>>>>>>>>>> Rob, keytab and kerberos part seems to be fine,
>>>>>>>>>>> ldap works too. Can it be one of the certs? May
>>>>>>>>>>> be some cert expired?
>>>>>>>>>>
>>>>>>>>>> No, the error is coming from GSSAPI, it is
>>>>>>>>>> unfortunately completely useless. I think we've
>>>>>>>>>> pretty well narrowed down the problem to
>>>>>>>>>> httpd/mod_auth_kerb but I don't know yet if this
>>>>>>>>>> is a configuration issue or a bug.
>>>>>>>>>>
>>>>>>>>>> Nathan, can you show me your
>>>>>>>>>> /etc/httpd/conf.d/ipa.conf?
>>>>>>>>> Sure, as far as I know it's completely stock, aside
>>>>>>>>> from the krb password auth change.
>>>>>>>>
>>>>>>>> Yup, configuration looks fine.
>>>>>>>>
>>>>>>>> Ok, let's eliminate the ipa tool as the problem and
>>>>>>>> try curl:
>>>>>>>>
>>>>>>>> Create a file test.json with these contents:
>>>>>>>>
>>>>>>>> {"method":"batch","params":[[
>>>>>>>> {"method":"user_show","params":[["admin"],{"all":false}]}
>>>>>>>> ],{}],"id":1}
>>>>>>>>
>>>>>>>> then run this:
>>>>>>>>
>>>>>>>> curl -H "Content-Type:application/json" -H
>>>>>>>> "Accept:application/json" -H "Accept-Language:en" -H
>>>>>>>> "Referer: https://caroline0.lafayette.edu/ipa/xml"
>>>>>>>> --negotiate -u : --cacert /etc/ipa/ca.crt -d
>>>>>>>> @test.json -X POST
>>>>>>>> https://caroline0.lafayette.edu/ipa/json
>>>>>>>>
>>>>>>> Seems to be running into the same trouble.
>>>>>>>
>>>>>>> [lagern@caroline0 PROD ~]$ curl -H
>>>>>>> "Content-Type:application/json" -H
>>>>>>> "Accept:application/json" -H "Accept-Language:en" -H
>>>>>>> "Referer: https://caroline0.lafayette.edu/ipa/xml"
>>>>>>> --negotiate -u : --cacert /etc/ipa/ca.crt -d @test.json
>>>>>>> -X POST https://caroline0.lafayette.edu/ipa/json
>>>>>>> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
>>>>>>> <html><head>
>>>>>>> <title>500 Internal Server Error</title>
>>>>>>> </head><body>
>>>>>>> <h1>Internal Server Error</h1>
>>>>>>> <p>The server encountered an internal error or misconfiguration
>>>>>>> and was unable to complete your request.</p>
>>>>>>> <p>Please contact the server administrator, root@localhost and
>>>>>>> inform them of the time the error occurred, and anything you
>>>>>>> might have done that may have caused the error.</p>
>>>>>>> <p>More information about this error may be available in the
>>>>>>> server error log.</p>
>>>>>>> <hr>
>>>>>>> <address>Apache/2.2.15 (Red Hat) Server at caroline0.lafayette.edu Port 443</address>
>>>>>>> </body></html>
>>>>>>
>>>>>> Ok, need to gather some more info:
>>>>>>
>>>>>> # kvno HTTP/caroline0.lafayette.edu
>>>>>> # klist -kt /etc/httpd/conf/ipa.keytab
>>>>>>
>>>>> [root@caroline0 PROD ~]# kvno HTTP/caroline0.lafayette.edu
>>>>> HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU: kvno = 3
>>>>> [root@caroline0 PROD ~]# klist -kt /etc/httpd/conf/ipa.keytab
>>>>> Keytab name: WRFILE:/etc/httpd/conf/ipa.keytab
>>>>> KVNO Timestamp         Principal
>>>>> ---- ----------------- --------------------------------------------------------
>>>>>    2 02/03/12 16:31:27 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU
>>>>>    2 02/03/12 16:31:27 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU
>>>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU
>>>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU
>>>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU
>>>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU
>>>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU
>>>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU
>>>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU
>>>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU
>>>>>
>>>>
>>>> It may be nothing, but I wonder why kvno 2 has 6 keys and 3
>>>> has only 4. Did you change the available encryption types?
>>>>
>>> I have not changed them, not intentionally anyway. Could it be
>>> that an update did so? I installed IPA around RHEL 6.1 or so,
>>> and have been updating it via yum periodically.
>>>
>>>> Can you re-run the klist command with -e as well? klist -ekt
>>>> ...
>>>>
>>> [root@caroline0 PROD ~]# klist -kte /etc/httpd/conf/ipa.keytab
>>> Keytab name: WRFILE:/etc/httpd/conf/ipa.keytab
>>> KVNO Timestamp         Principal
>>> ---- ----------------- --------------------------------------------------------
>>>    2 02/03/12 16:31:27 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (aes256-cts-hmac-sha1-96)
>>>    2 02/03/12 16:31:27 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (aes128-cts-hmac-sha1-96)
>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (des3-cbc-sha1)
>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (arcfour-hmac)
>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (des-hmac-sha1)
>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (des-cbc-md5)
>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (aes256-cts-hmac-sha1-96)
>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (aes128-cts-hmac-sha1-96)
>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (des3-cbc-sha1)
>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (arcfour-hmac)
>>>
>>>
>>>> rob
>>>>
>>>
>>> --
>>> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>>> Nathan Lager, RHCSA, RHCE (#110-011-426)
>>> System Administrator
>>> 11 Pardee Hall
>>> Lafayette College, Easton, PA 18042
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE (#110-011-426)
System Administrator
11 Pardee Hall
Lafayette College, Easton, PA 18042
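The root cause in this thread was a [domain_realm] stanza in /etc/krb5.conf that only covered systems.lafayette.edu, while the IPA master's own host name, caroline0.lafayette.edu, sits one level up and therefore had no mapping to SYSTEMS.LAFAYETTE.EDU. The following is an added example, not code from the thread or from FreeIPA: a small checker that parses the [domain_realm] stanza and reports which host names the file fails to map. The two krb5.conf fragments are constructed from the "before" and "after" stanzas quoted above; the lookup order is modelled on MIT krb5's documented rules (exact host tag first, then each parent domain, with a bare domain tag implying the dotted one), which is an assumption about library behaviour rather than a copy of it. Whatever fallback the real library applies to an unmapped host (DNS TXT lookup or default_realm) is deliberately outside the check: an unmapped host is reported as None so that the gap is visible before a ticket request fails.

```python
import re
from typing import Dict, List, Optional

# Constructed krb5.conf fragments reproducing the "before" and "after"
# [domain_realm] stanzas from the thread; the rest of the file is omitted.
KRB5_BEFORE = """
[libdefaults]
 default_realm = SYSTEMS.LAFAYETTE.EDU

[domain_realm]
 .systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
 systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
"""

KRB5_AFTER = KRB5_BEFORE + """ .lafayette.edu = SYSTEMS.LAFAYETTE.EDU
 lafayette.edu = SYSTEMS.LAFAYETTE.EDU
"""


def parse_domain_realm(text: str) -> Dict[str, str]:
    """Return the tag/value pairs of the [domain_realm] stanza, tags lower-cased."""
    mapping: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section == "domain_realm" and "=" in line:
            tag, value = (part.strip() for part in line.split("=", 1))
            mapping[tag.lower()] = value
    return mapping


def host_realm(host: str, mapping: Dict[str, str]) -> Optional[str]:
    """Resolve a host name to a realm using [domain_realm] semantics.

    Modelled on MIT krb5's rules (an assumption, not copied from the library):
    an exact host tag wins; otherwise each parent domain is tried from longest
    to shortest, where a ".domain" tag matches and a bare "domain" tag also
    matches because a host tag implies the corresponding domain tag.
    Returns None when nothing matches, which is the case the thread hit.
    """
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if "." + parent in mapping:
            return mapping["." + parent]
        if parent in mapping:
            return mapping[parent]
    return None


def unmapped_hosts(text: str, hosts: List[str]) -> List[str]:
    """Hosts from `hosts` for which the given krb5.conf text has no realm mapping."""
    mapping = parse_domain_realm(text)
    return [h for h in hosts if host_realm(h, mapping) is None]


if __name__ == "__main__":
    # The IPA servers are caroline0/caroline1.lafayette.edu but live in
    # SYSTEMS.LAFAYETTE.EDU, so only the corrected stanza covers them.
    hosts = ["caroline0.lafayette.edu", "caroline1.lafayette.edu",
             "rhev.systems.lafayette.edu"]
    for name, cfg in (("before", KRB5_BEFORE), ("after", KRB5_AFTER)):
        print(name, "unmapped:", unmapped_hosts(cfg, hosts))
```

Run against the "before" stanza the checker lists both IPA servers as unmapped and only the RHEV host under systems.lafayette.edu as covered; with the two extra lines the list is empty. Running the same check on every replica (the thread notes caroline1 had the same stanza) is cheaper than diagnosing a GSSAPI error that, as Rob notes above, carries no useful detail.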
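Before the krb5.conf fix was found, the thread compared the KDC's view of the HTTP service key (`kvno` reported 3) with the keytab's contents (`klist -kte`), and Rob noticed that kvno 2 carried six enctypes while kvno 3 carried only four. The following is an added example, not part of the thread or of FreeIPA: a parser for `klist -kte` output that groups keys by kvno, confirms the keytab holds the version the KDC reports, and lists enctypes that an older key version had but a newer one lacks. The sample listing is constructed from the ten entries quoted above with the archive's " at " mangling undone; the line format it parses is MIT klist's, which is an assumption about the tool's output rather than something the thread states.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set


class KeytabEntry(NamedTuple):
    kvno: int
    timestamp: str
    principal: str
    enctype: str


# One `klist -kte` line: "   2 02/03/12 16:31:27 HTTP/host@REALM (enctype)"
# (assumed MIT klist layout).
ENTRY_RE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+"
    r"(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<princ>\S+)\s+\((?P<etype>[^)]+)\)\s*$"
)

HTTP_PRINC = "HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU"

# Constructed sample: the ten entries of caroline0's HTTP keytab as listed
# in the thread.
SAMPLE_KLIST = f"""Keytab name: WRFILE:/etc/httpd/conf/ipa.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 02/03/12 16:31:27 {HTTP_PRINC} (aes256-cts-hmac-sha1-96)
   2 02/03/12 16:31:27 {HTTP_PRINC} (aes128-cts-hmac-sha1-96)
   2 02/03/12 16:31:28 {HTTP_PRINC} (des3-cbc-sha1)
   2 02/03/12 16:31:28 {HTTP_PRINC} (arcfour-hmac)
   2 02/03/12 16:31:28 {HTTP_PRINC} (des-hmac-sha1)
   2 02/03/12 16:31:28 {HTTP_PRINC} (des-cbc-md5)
   3 09/19/12 15:33:53 {HTTP_PRINC} (aes256-cts-hmac-sha1-96)
   3 09/19/12 15:33:53 {HTTP_PRINC} (aes128-cts-hmac-sha1-96)
   3 09/19/12 15:33:53 {HTTP_PRINC} (des3-cbc-sha1)
   3 09/19/12 15:33:53 {HTTP_PRINC} (arcfour-hmac)
"""


def parse_klist(text: str) -> List[KeytabEntry]:
    """Parse `klist -kte` output; header and separator lines are skipped."""
    entries: List[KeytabEntry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(KeytabEntry(int(m["kvno"]), m["ts"], m["princ"], m["etype"]))
    return entries


def enctypes_by_kvno(entries: List[KeytabEntry],
                     principal: Optional[str] = None) -> Dict[int, Set[str]]:
    """Map each key version to the set of enctypes stored for `principal`."""
    out: Dict[int, Set[str]] = defaultdict(set)
    for e in entries:
        if principal is None or e.principal == principal:
            out[e.kvno].add(e.enctype)
    return dict(out)


def enctypes_dropped(entries: List[KeytabEntry], principal: str) -> Dict[int, Set[str]]:
    """Enctypes present in an earlier key version but absent from a later one.

    A client that negotiates one of the dropped types against the current
    kvno fails GSSAPI authentication even though the keytab "has" the key.
    """
    per_kvno = enctypes_by_kvno(entries, principal)
    seen: Set[str] = set()
    dropped: Dict[int, Set[str]] = {}
    for kvno in sorted(per_kvno):
        missing = seen - per_kvno[kvno]
        if missing:
            dropped[kvno] = missing
        seen |= per_kvno[kvno]
    return dropped


def has_current_key(entries: List[KeytabEntry], principal: str, kdc_kvno: int) -> bool:
    """True if the keytab holds the kvno that `kvno <principal>` reported from the KDC."""
    return kdc_kvno in enctypes_by_kvno(entries, principal)


if __name__ == "__main__":
    entries = parse_klist(SAMPLE_KLIST)
    print(enctypes_by_kvno(entries, HTTP_PRINC))
    print("dropped:", enctypes_dropped(entries, HTTP_PRINC))
    # `kvno HTTP/caroline0.lafayette.edu` reported 3 in the thread.
    print("keytab matches KDC:", has_current_key(entries, HTTP_PRINC, 3))
```

On the sample the keytab does hold kvno 3, so a stale keytab is ruled out, and the dropped set for kvno 3 is exactly the two single-DES types (des-hmac-sha1 and des-cbc-md5), which is what Rob's "6 keys versus 4" remark points at. That by itself is not a fault; it only matters if some client still negotiates one of those types, and this listing is the quickest way to see which types a service can still accept after a key rotation.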