[Freeipa-users] sudden ipa errors.

Nathan Lager lagern at lafayette.edu
Fri Sep 21 15:13:59 UTC 2012





On 09/21/2012 11:07 AM, Nathan Lager wrote:
> 
> 
> On 09/21/2012 10:18 AM, Rob Crittenden wrote:
>> Lager, Nathan T. wrote:
>>> Well, after all of this, RedHat support just resolved my
>>> issue!
>>> 
>>> It came down to the domain_realm definitions in
>>> /etc/krb5.conf.
>>> 
>>> They had me change:
>>> 
>>> [domain_realm]
>>>   .systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
>>>   systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
>>> 
>>> To:
>>> 
>>> [domain_realm]
>>>   .systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
>>>   systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
>>>   .lafayette.edu = SYSTEMS.LAFAYETTE.EDU
>>>   lafayette.edu = SYSTEMS.LAFAYETTE.EDU
>>> 
>>> After doing so, I restarted IPA, and my commands are working
>>> properly now!
>>> 
>>> Now, to get my replica back in order...
> 
>> Wow. OK, I'm glad it's working. Do we have any idea how this file
>> changed? Is it wrong on all your clients or only on this one
>> master?
> 
> It appears wrong on my replica as well, caroline1.  There are no
> clients currently, other than RHEV.
> 
> I only have one lingering issue, aside from my replica being
> broken.
> 
> I still can't reset admin's password. It gives me the same error as
> before.
> 
> [root at caroline0 PROD ~]# kinit admin
> Password for admin at SYSTEMS.LAFAYETTE.EDU: 
> Password expired.  You must change it now.
> Enter new password: 
> Enter it again: 
> kinit: Password has expired while getting initial credentials
> 
> 
Fixed this, on a hunch.  When the password expired, the pwpolicy was
set to 90 days. RedHat Support had me change it to 9999 days to
effectively disable it so others wouldn't expire (because no one could
change passwords).

I had a hunch that because the policy was now set greater than the
time it's been since admin last changed his password, IPA was
getting confused when I attempted to change the expired pass.  So I
set it back to 90.  It let me change the expired password.

That might be worthy of a bug report.


> 
> 
>> rob
> 
>>> 
>>> 
>>> ----- Original Message -----
>>>> From: "Nathan Lager" <lagern at lafayette.edu> To: "Rob 
>>>> Crittenden" <rcritten at redhat.com> Cc:
>>>> freeipa-users at redhat.com Sent: Thursday, September 20, 2012
>>>> 2:46:20 PM Subject: Re: [Freeipa-users] sudden ipa errors. On
>>>> 09/20/2012 02:28 PM, Rob Crittenden wrote:
>>>>> Nathan Lager wrote:
>>>>>> 
>>>>>> 
>>>>>> On 09/20/2012 11:43 AM, Rob Crittenden wrote:
>>>>>>> Lager, Nathan T. wrote:
>>>>>>>> 
>>>>>>>> ----- Original Message -----
>>>>>>>>> From: "Rob Crittenden" <rcritten at redhat.com> To: 
>>>>>>>>> "Nathan Lager" <lagern at lafayette.edu> Cc: 
>>>>>>>>> freeipa-users at redhat.com Sent: Wednesday,
>>>>>>>>> September 19, 2012 4:35:30 PM Subject: Re:
>>>>>>>>> [Freeipa-users] sudden ipa errors. Nathan Lager
>>>>>>>>> wrote:
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> On 09/19/2012 03:47 PM, Rob Crittenden wrote:
>>>>>>>>>>> Dmitri Pal wrote:
>>>>>>>>>>>> 
>>>>>>>>>>>> Rob, keytab and kerberos part seems to be
>>>>>>>>>>>> fine, ldap works too. Can it be one of the
>>>>>>>>>>>> certs? May be some cert expired?
>>>>>>>>>>> 
>>>>>>>>>>> No, the error is coming from GSSAPI, it is 
>>>>>>>>>>> unfortunately completely useless. I think
>>>>>>>>>>> we've pretty well narrowed down the problem to 
>>>>>>>>>>> httpd/mod_auth_kerb but I don't know yet if
>>>>>>>>>>> this is a configuration issue or a bug.
>>>>>>>>>>> 
>>>>>>>>>>> Nathan, can you show me your 
>>>>>>>>>>> /etc/httpd/conf.d/ipa.conf?
>>>>>>>>>> Sure, as far as I know it's completely stock,
>>>>>>>>>> aside from the krb password auth change.
>>>>>>>>> 
>>>>>>>>> Yup, configuration looks fine.
>>>>>>>>> 
>>>>>>>>> Ok, let's eliminate the ipa tool as the problem
>>>>>>>>> and try curl:
>>>>>>>>> 
>>>>>>>>> Create a file test.json with these contents:
>>>>>>>>> 
>>>>>>>>> {"method":"batch","params":[[
>>>>>>>>>   {"method":"user_show","params":[["admin"],{"all":false}]}
>>>>>>>>> ],{}],"id":1}
>>>>>>>>> 
>>>>>>>>> then run this:
>>>>>>>>> 
>>>>>>>>> curl -H "Content-Type:application/json" \
>>>>>>>>>      -H "Accept:application/json" -H "Accept-Language:en" \
>>>>>>>>>      -H "Referer: https://caroline0.lafayette.edu/ipa/xml" \
>>>>>>>>>      --negotiate -u : --cacert /etc/ipa/ca.crt \
>>>>>>>>>      -d @test.json -X POST https://caroline0.lafayette.edu/ipa/json
>>>>>>>>> 
>>>>>>>> Seems to be running into the same trouble.
>>>>>>>> 
>>>>>>>> [lagern at caroline0 PROD ~]$ curl -H "Content-Type:application/json" \
>>>>>>>>     -H "Accept:application/json" -H "Accept-Language:en" \
>>>>>>>>     -H "Referer: https://caroline0.lafayette.edu/ipa/xml" \
>>>>>>>>     --negotiate -u : --cacert /etc/ipa/ca.crt \
>>>>>>>>     -d @test.json -X POST https://caroline0.lafayette.edu/ipa/json
>>>>>>>> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
>>>>>>>> <html><head>
>>>>>>>> <title>500 Internal Server Error</title>
>>>>>>>> </head><body>
>>>>>>>> <h1>Internal Server Error</h1>
>>>>>>>> <p>The server encountered an internal error or misconfiguration and was unable to complete your request.</p>
>>>>>>>> <p>Please contact the server administrator, root at localhost and inform them of the time the error occurred, and anything you might have done that may have caused the error.</p>
>>>>>>>> <p>More information about this error may be available in the server error log.</p>
>>>>>>>> <hr>
>>>>>>>> <address>Apache/2.2.15 (Red Hat) Server at caroline0.lafayette.edu Port 443</address>
>>>>>>>> </body></html>
>>>>>>> 
>>>>>>> Ok, need to gather some more info:
>>>>>>> 
>>>>>>> # kvno HTTP/caroline0.lafayette.edu
>>>>>>> # klist -kt /etc/httpd/conf/ipa.keytab
>>>>>>> 
>>>>>> [root at caroline0 PROD ~]# kvno HTTP/caroline0.lafayette.edu
>>>>>> HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU: kvno = 3
>>>>>> [root at caroline0 PROD ~]# klist -kt /etc/httpd/conf/ipa.keytab
>>>>>> Keytab name: WRFILE:/etc/httpd/conf/ipa.keytab
>>>>>> KVNO Timestamp         Principal
>>>>>> ---- ----------------- --------------------------------------------------------
>>>>>>    2 02/03/12 16:31:27 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>>>>>>    2 02/03/12 16:31:27 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>>>>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>>>>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>>>>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>>>>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>>>>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>>>>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>>>>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>>>>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>>>>>> 
>>>>> 
>>>>> It may be nothing, but I wonder why kvno 2 has 6 keys and
>>>>> 3 has only 4. Did you change the available encryption
>>>>> types?
>>>>> 
>>>> I have not changed them, not intentionally anyway. Could it
>>>> be that an update did so? I installed IPA around RHEL 6.1 or
>>>> so, and have been updating it via yum periodically.
>>>> 
>>>>> Can you re-run the klist command with -e as well? klist
>>>>> -ekt ...
>>>>> 
>>>> [root at caroline0 PROD ~]# klist -kte /etc/httpd/conf/ipa.keytab
>>>> Keytab name: WRFILE:/etc/httpd/conf/ipa.keytab
>>>> KVNO Timestamp         Principal
>>>> ---- ----------------- --------------------------------------------------------
>>>>    2 02/03/12 16:31:27 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (aes256-cts-hmac-sha1-96)
>>>>    2 02/03/12 16:31:27 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (aes128-cts-hmac-sha1-96)
>>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (des3-cbc-sha1)
>>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (arcfour-hmac)
>>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (des-hmac-sha1)
>>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (des-cbc-md5)
>>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (aes256-cts-hmac-sha1-96)
>>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (aes128-cts-hmac-sha1-96)
>>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (des3-cbc-sha1)
>>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (arcfour-hmac)
>>>> 
>>>> 
>>>>> rob
>>>>> 
>>>> 
>>>> -- 
>>>> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>>>> Nathan Lager, RHCSA, RHCE (#110-011-426)
>>>> System Administrator
>>>> 11 Pardee Hall
>>>> Lafayette College, Easton, PA 18042
>>>> 
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
> 
> 
> 
> 

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE (#110-011-426)
System Administrator
11 Pardee Hall
Lafayette College, Easton, PA 18042
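Why the [domain_realm] change above fixed the GSSAPI errors, as an added example that is not from the thread: a small Python model of how libkrb5 walks [domain_realm] when it maps a server hostname to a realm. The before/after config text is copied from the message; the lookup order (exact hostname first, then each parent domain with a leading dot) is my reading of MIT krb5's behaviour, and the parser is a minimal one for this section only.

```python
# Before/after [domain_realm] sections, as posted in the thread
BEFORE = """[domain_realm]
  .systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
  systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
"""
AFTER = BEFORE + """  .lafayette.edu = SYSTEMS.LAFAYETTE.EDU
  lafayette.edu = SYSTEMS.LAFAYETTE.EDU
"""

def parse_domain_realm(conf_text):
    """Return {domain: REALM} from the [domain_realm] section of krb5.conf text."""
    mapping, in_section = {}, False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if line.startswith("["):                 # section header starts/ends the section
            in_section = line.lower() == "[domain_realm]"
            continue
        if in_section and "=" in line:
            domain, realm = (part.strip() for part in line.split("=", 1))
            mapping[domain.lower()] = realm
    return mapping

def host_realm(hostname, mapping):
    """Map a host to a realm the way libkrb5 walks [domain_realm] (assumed MIT
    krb5 order): exact hostname first, then each parent domain with a leading
    dot. An entry without a leading dot matches only that exact name."""
    host = hostname.rstrip(".").lower()
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return None   # no explicit mapping: libkrb5 falls back to DNS or a guessed realm

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        realm = host_realm("caroline0.lafayette.edu", parse_domain_realm(conf))
        print(f"{label}: caroline0.lafayette.edu -> {realm}")
```

With the original file the IPA master's own hostname, caroline0.lafayette.edu, has no mapping at all, so the client never asks for HTTP/caroline0.lafayette.edu in SYSTEMS.LAFAYETTE.EDU; the two added lines close that gap.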
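The keytab check Rob did by eye (kvno 2 has six keys, kvno 3 only four; does the KDC's kvno match the keytab?), as an added example that is not from the thread: a Python script that parses `klist -kte` and `kvno` output and reports the mismatches worth acting on. The sample output is constructed and abridged from the thread's listing (with "@" restored in the principal); the regexes assume the MIT klist column layout shown there.

```python
import re
from collections import defaultdict

# One key line of `klist -kte`: KVNO, timestamp, principal, (enctype)
KLIST_LINE = re.compile(r"^\s*(\d+)\s+(\S+\s+\S+)\s+(\S+)\s+\((\S+)\)\s*$")
# One line of `kvno <principal>`: the key version the KDC currently issues tickets with
KVNO_LINE = re.compile(r"^(\S+): kvno = (\d+)\s*$")
# Single-DES, 3DES and RC4 keys: flag them so they are not silently kept around
WEAK = {"des-cbc-crc", "des-cbc-md5", "des-hmac-sha1", "des3-cbc-sha1", "arcfour-hmac"}

# Constructed sample, abridged from the thread (kvno 2 has more enctypes than kvno 3)
KLIST_SAMPLE = """\
Keytab name: WRFILE:/etc/httpd/conf/ipa.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 02/03/12 16:31:27 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (aes256-cts-hmac-sha1-96)
   2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (arcfour-hmac)
   2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (des-cbc-md5)
   3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (aes256-cts-hmac-sha1-96)
   3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (arcfour-hmac)
"""
KVNO_SAMPLE = "HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU: kvno = 3\n"

def parse_klist(text):
    """Return {principal: {kvno: set(enctypes)}} from `klist -kte` output."""
    keys = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            keys[m.group(3)][int(m.group(1))].add(m.group(4))
    return keys

def parse_kvno(text):
    """Return {principal: kvno} from `kvno` output."""
    return {m.group(1): int(m.group(2)) for m in map(KVNO_LINE.match, text.splitlines()) if m}

def check_keytab(klist_text, kvno_text):
    """Cross-check a keytab against the KDC's kvno; return a list of finding strings."""
    findings, kdc = [], parse_kvno(kvno_text)
    for princ, versions in parse_klist(klist_text).items():
        newest = max(versions)
        if princ in kdc and kdc[princ] not in versions:    # service cannot decrypt new tickets
            findings.append(f"{princ}: KDC issues kvno {kdc[princ]}, keytab only has {sorted(versions)}")
        older = set().union(*(e for v, e in versions.items() if v != newest))
        if older - versions[newest]:                        # enctype set shrank on rekey
            findings.append(f"{princ}: kvno {newest} dropped enctypes {sorted(older - versions[newest])}")
        if versions[newest] & WEAK:
            findings.append(f"{princ}: kvno {newest} still has weak enctypes {sorted(versions[newest] & WEAK)}")
    return findings

if __name__ == "__main__":
    for finding in check_keytab(KLIST_SAMPLE, KVNO_SAMPLE):
        print(finding)
```

A KDC kvno absent from the keytab is the case that breaks mod_auth_kerb outright; a shrunken enctype set on rekey, as in the thread, is harmless only if every client still negotiates one of the remaining types.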