<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<br>
On 09/19/2012 03:37 PM, Nathan Lager wrote:<br>
<span style="white-space: pre;">><br>
><br>
> On 09/19/2012 02:54 PM, Rob Crittenden wrote:<br>
> > Nathan Lager wrote:<br>
> >><br>
> >><br>
> >> On 09/19/2012 11:34 AM, Rob Crittenden wrote:<br>
> >>> Nathan Lager wrote:<br>
> >>>><br>
> >>>> On 09/19/2012 10:37 AM, Rob Crittenden wrote:<br>
> >>>>> Lager, Nathan T. wrote:<br>
> >>>>>><br>
> >>>>>> ----- Original Message -----<br>
> >>>>>>> From: "Rob Crittenden" <a class="moz-txt-link-rfc2396E" href="mailto:rcritten@redhat.com">&lt;rcritten@redhat.com&gt;</a><br>
> >>>>>>> To: "Nathan Lager" <a class="moz-txt-link-rfc2396E" href="mailto:lagern@lafayette.edu">&lt;lagern@lafayette.edu&gt;</a><br>
> >>>>>>> Cc: <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><br>
> >>>>>>> Sent: Tuesday, September 18, 2012 5:17:00 PM<br>
> >>>>>>> Subject: Re: [Freeipa-users] sudden ipa errors.<br>
> >>>>>>><br>
> >>>>>>> Ok, what are the permissions on the keytab, /etc/httpd/conf/ipa.keytab?<br>
> >>>>>>> They should be apache:apache mode 0600.<br>
> >>>>>><br>
> >>>>>> [lagern@caroline0 PROD ~]$ ls -lZ /etc/httpd/conf/ipa.keytab<br>
> >>>>>> -rw-------. apache apache unconfined_u:object_r:httpd_config_t:s0 /etc/httpd/conf/ipa.keytab<br>
> >>>>>><br>
> >>>>>>><br>
> >>>>>>> Are you in SELinux enforcing mode? Can you try in permissive to see if that works?<br>
> >>>>>> I was enforcing at the start of all of this, but I've since switched to permissive for troubleshooting. It hasn't made a difference.<br>
> >>>>><br>
> >>>>> Are you getting an HTTP service principal in the client?<br>
> >>>>><br>
> >>>>> $ kdestroy<br>
> >>>>> $ kinit admin<br>
> >>>>> $ ipa user-show admin &lt;fail&gt;<br>
> >>>>> $ klist -fea<br>
> >>>>><br>
> >>>>> Let's try to skip s4u2proxy. Does this work:<br>
> >>>>><br>
> >>>>> $ ipa --delegate user-show admin<br>
> >>>>><br>
> >>>>> Unfortunately the major and minor error codes are as generic as can be, so they aren't any help at all.<br>
> >>>>><br>
> >>>>> rob<br>
> >>>><br>
> >>>> Here's the output. The --delegate still failed.<br>
> >>>><br>
> >>>> [root@caroline0 PROD ~]# klist -fea<br>
> >>>> Ticket cache: FILE:/tmp/krb5cc_0<br>
> >>>> Default principal: lagern@SYSTEMS.LAFAYETTE.EDU<br>
> >>>><br>
> >>>> Valid starting     Expires            Service principal<br>
> >>>> 09/19/12 11:23:03  09/20/12 11:22:52  krbtgt/SYSTEMS.LAFAYETTE.EDU@SYSTEMS.LAFAYETTE.EDU<br>
> >>>>         Flags: FIA, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96<br>
> >>>>         Addresses: (none)<br>
> >>>> 09/19/12 11:23:11  09/20/12 11:22:52  HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU<br>
> >>>>         Flags: FAT, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96<br>
> >>>>         Addresses: (none)<br>
> >>>> [root@caroline0 PROD ~]# ipa --delegate user-show admin<br>
> >>>> ipa: ERROR: cannot connect to u'http://caroline0.lafayette.edu/ipa/xml': Internal Server Error<br>
> >>>> [root@caroline0 PROD ~]#<br>
> >>><br>
> >>> Is it the same major/minor error in gss_acquire_cred()?<br>
> >>><br>
> >>> Does GSSAPI over LDAP work?<br>
> >>><br>
> >>> $ ldapsearch -Y GSSAPI -h ipa.example.com -b cn=users,cn=accounts,dc=example,dc=com admin<br>
> >>><br>
> >> This appears to work.<br>
> >><br>
> >> [root@caroline0 PROD ~]# ldapsearch -Y GSSAPI -h caroline0.lafayette.edu -b cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu admin<br>
> >> SASL/GSSAPI authentication started<br>
> >> SASL username: lagern@SYSTEMS.LAFAYETTE.EDU<br>
> >> SASL SSF: 56<br>
> >> SASL data security layer installed.<br>
> >> # extended LDIF<br>
> >> #<br>
> >> # LDAPv3<br>
> >> # base &lt;cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu&gt; with scope subtree<br>
> >> # filter: (objectclass=*)<br>
> >> # requesting: admin<br>
> >> #<br>
> >><br>
> >> # users, accounts, systems.lafayette.edu<br>
> >> dn: cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu<br>
> >><br>
> >> # admin, users, accounts, systems.lafayette.edu<br>
> >> dn: uid=admin,cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu<br>
> >><br>
> >> &lt;-- a bunch of other users here --&gt;<br>
> >><br>
> >> # search result<br>
> >> search: 4<br>
> >> result: 0 Success<br>
> >><br>
> >> # numResponses: 10<br>
> >> # numEntries: 9<br>
> >><br>
><br>
> > Ok, so it's JUST Apache then.<br>
><br>
> > Is the hostname on caroline0 set as a FQDN (/bin/hostname)?<br>
><br>
> > If not, I'd try setting it to caroline0.lafayette.edu<br>
><br>
> > If so, might be worth trying to refresh your Apache keytab. I made some educated guesses on your hostnames/realm, please double-check:<br>
><br>
> > # ipa-getkeytab -s caroline0.lafayette.edu -p HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU -k /etc/httpd/conf/ipa.keytab<br>
><br>
> > Should not be required to restart httpd but it shouldn't hurt. Run kdestroy/kinit before trying ipa user-show again.<br>
><br>
> > rob<br>
><br>
> Well, seems like we're at least narrowing things down. But it's still no good.<br>
><br>
> The hostname is the fqdn. /bin/hostname returns it as such.<br>
><br>
><br>
> [root@caroline0 PROD ~]# ipa-getkeytab -s caroline0.lafayette.edu -p HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU -k /etc/httpd/conf/ipa.keytab<br>
> Keytab successfully retrieved and stored in: /etc/httpd/conf/ipa.keytab<br>
> [root@caroline0 PROD ~]# service httpd restart<br>
> Stopping httpd: [ OK ]<br>
> Starting httpd: [Wed Sep 19 15:34:24 2012] [warn] worker ajp://localhost:9447/ already used by another worker<br>
> [Wed Sep 19 15:34:24 2012] [warn] worker ajp://localhost:9447/ already used by another worker<br>
> [ OK ]<br>
> [root@caroline0 PROD ~]# kdestroy<br>
> [root@caroline0 PROD ~]# kinit lagern<br>
> Password for lagern@SYSTEMS.LAFAYETTE.EDU:<br>
> [root@caroline0 PROD ~]# ipa pwpolicy-show<br>
> ipa: ERROR: cannot connect to u'http://caroline0.lafayette.edu/ipa/xml': Internal Server Error<br>
><br>
></span><br>
<br>
Rob, the keytab and Kerberos part seem to be fine, and LDAP works too.<br>
Can it be one of the certs? Maybe some cert expired?<br>
<br>
<span style="white-space: pre;">><br>
> _______________________________________________<br>
> Freeipa-users mailing list<br>
> <a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><br>
> <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></span><br>
<br>
-- <br>
Thank you,<br>
Dmitri Pal<br>
<br>
Sr. Engineering Manager for IdM portfolio<br>
Red Hat Inc.<br>
<br>
<br>
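As an added example (not code from the thread or from FreeIPA), the two checks Rob walks Nathan through above, applied to captured output rather than a live host: a parser for `klist -fea` that confirms a valid, forwardable HTTP/&lt;fqdn&gt; service ticket is in the cache, and a check of the `ls -lZ` line for the apache:apache 0600 keytab with the httpd_config_t SELinux type. The sample input is the thread's own output re-flowed as the tools print it; the function names are my own.

```python
import re
from datetime import datetime
# Constructed sample: the klist -fea and ls -lZ output pasted in the thread, re-flowed as the tools print it.
KLIST_OUTPUT = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: lagern@SYSTEMS.LAFAYETTE.EDU
Valid starting     Expires            Service principal
09/19/12 11:23:03  09/20/12 11:22:52  krbtgt/SYSTEMS.LAFAYETTE.EDU@SYSTEMS.LAFAYETTE.EDU
\tFlags: FIA, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
09/19/12 11:23:11  09/20/12 11:22:52  HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU
\tFlags: FAT, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
"""
LS_OUTPUT = "-rw-------. apache apache unconfined_u:object_r:httpd_config_t:s0 /etc/httpd/conf/ipa.keytab"
STAMP = "%m/%d/%y %H:%M:%S"  # klist's default timestamp layout on this system
TICKET_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)$")
FLAGS_RE = re.compile(r"^\s*Flags: ([A-Za-z]*)")

def parse_klist(text):
    """Map each service principal in klist -fea output to its expiry time and flag letters."""
    tickets, current = {}, None
    for line in text.splitlines():
        if m := TICKET_RE.match(line):
            current = m.group(3)
            tickets[current] = {"expires": datetime.strptime(m.group(2), STAMP), "flags": ""}
        elif current and (m := FLAGS_RE.match(line)):
            tickets[current]["flags"] = m.group(1)  # F = forwardable, which delegation relies on
    return tickets

def check_http_ticket(tickets, fqdn, realm, now):
    """Rob's check: a valid, forwardable HTTP/<fqdn> ticket must be in the cache; returns (ok, reason)."""
    name = f"HTTP/{fqdn}@{realm}"
    t = tickets.get(name)
    if t is None:
        return False, f"no service ticket for {name}: wrong FQDN, realm or DNS name?"
    if t["expires"] <= datetime.strptime(now, STAMP):
        return False, f"{name} ticket expired at {t['expires']}; kdestroy, kinit and retry"
    if "F" not in t["flags"]:
        return False, f"{name} ticket is not forwardable (flags {t['flags']}), so delegation fails"
    return True, f"{name} present, forwardable, valid until {t['expires']}"

def check_keytab_listing(ls_line, owner="apache", group="apache", setype="httpd_config_t"):
    """Parse one RHEL-style `ls -lZ` line; returns deviations from apache:apache 0600 httpd_config_t."""
    mode, own, grp, context, path = ls_line.split()
    problems = []
    if mode[1:10] != "rw-------":
        problems.append(f"{path}: mode {mode[1:10]}, expected rw------- (0600)")
    if (own, grp) != (owner, group):
        problems.append(f"{path}: owned by {own}:{grp}, expected {owner}:{group}")
    if context.split(":")[2] != setype:
        problems.append(f"{path}: SELinux type {context.split(':')[2]}, expected {setype}")
    return problems
```

Both checks pass on the thread's output, which matches Rob's conclusion that the keytab and tickets are fine and only Apache's side of the GSSAPI exchange is failing.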
<br>
<br>
<br>
</body>
</html>