<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 09/21/2012 11:13 AM, Nathan Lager wrote:<br>
<blockquote type="cite"><br>
<br>
On 09/21/2012 11:07 AM, Nathan Lager wrote:<br>
<br>
<br>
> On 09/21/2012 10:18 AM, Rob Crittenden wrote:<br>
>> Lager, Nathan T. wrote:<br>
>>> Well, after all of this, RedHat support just resolved
my<br>
>>> issue!<br>
>>><br>
>>> It came down to the domain_realm definitions in<br>
>>> /etc/krb5.conf.<br>
>>><br>
>>> They had me change:<br>
>>><br>
>>> [domain_realm]<br>
>>> .systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU<br>
>>> systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU<br>
>>><br>
>>> To:<br>
>>><br>
>>> [domain_realm]<br>
>>> .systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU<br>
>>> systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU<br>
>>> .lafayette.edu = SYSTEMS.LAFAYETTE.EDU<br>
>>> lafayette.edu = SYSTEMS.LAFAYETTE.EDU<br>
>>><br>
>>> After doing so, I restarted IPA, and my commands are
working <br>
>>> properly now!<br>
>>><br>
>>> Now, to get my replica back in order...<br>
<br>
>> Wow. OK, I'm glad it's working. Do we have any idea how
this file<br>
>> changed? Is it wrong on all your clients or only on this
one <br>
>> master?<br>
<br>
> It appears wrong on my replica as well, caroline1. There are
no <br>
> clients currently, other than RHEV.<br>
<br>
> I only have one lingering issue, aside from my replica being<br>
> broken.<br>
<br>
> I still can't reset admin's password. It gives me the same
error it<br>
> was before.<br>
<br>
> [root@caroline0 PROD ~]# kinit admin<br>
> Password for admin@SYSTEMS.LAFAYETTE.EDU:<br>
> Password expired. You must change it now.<br>
> Enter new password:<br>
> Enter it again:<br>
> kinit: Password has expired while getting initial credentials<br>
<br>
<br>
Fixed this, on a hunch. When the password expired, the pwpolicy
was<br>
set to 90 days. RedHat Support had me change it to 9999 days to<br>
effectively disable it so others wouldn't expire (because no one could<br>
change passwords).<br>
<br>
I had a hunch that because the policy was now set greater than the<br>
time it's been since admin last changed his password, that ipa was<br>
getting confused when I attempted to change the expired pass. So I<br>
set it back to 90. It let me change the expired password.<br>
<br>
That might be worthy of a bug report.<br>
<br>
<br>
</blockquote>
Can you please file one?<br>
<br>
<br>
<blockquote type="cite"><br>
<br>
>> rob<br>
<br>
>>><br>
>>><br>
>>> ----- Original Message -----<br>
>>>> From: "Nathan Lager" <a class="moz-txt-link-rfc2396E" href="mailto:lagern@lafayette.edu"><lagern@lafayette.edu></a><br>
>>>> To: "Rob Crittenden" <a class="moz-txt-link-rfc2396E" href="mailto:rcritten@redhat.com"><rcritten@redhat.com></a><br>
>>>> Cc: <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><br>
>>>> Sent: Thursday, September 20, 2012 2:46:20 PM<br>
>>>> Subject: Re: [Freeipa-users] sudden ipa errors.<br>
>>>><br>
>>>> On 09/20/2012 02:28 PM, Rob Crittenden wrote:<br>
>>>>> Nathan Lager wrote:<br>
>>>>>><br>
>>>>>><br>
>>>>>> On 09/20/2012 11:43 AM, Rob Crittenden
wrote:<br>
>>>>>>> Lager, Nathan T. wrote:<br>
>>>>>>>><br>
>>>>>>>> ----- Original Message -----<br>
>>>>>>>>> From: "Rob Crittenden" <a class="moz-txt-link-rfc2396E" href="mailto:rcritten@redhat.com"><rcritten@redhat.com></a><br>
>>>>>>>>> To: "Nathan Lager" <a class="moz-txt-link-rfc2396E" href="mailto:lagern@lafayette.edu"><lagern@lafayette.edu></a><br>
>>>>>>>>> Cc: <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><br>
>>>>>>>>> Sent: Wednesday, September 19, 2012 4:35:30 PM<br>
>>>>>>>>> Subject: Re: [Freeipa-users] sudden ipa errors.<br>
>>>>>>>>><br>
>>>>>>>>> Nathan Lager wrote:<br>
>>>>>>>>>><br>
>>>>>>>>>><br>
>>>>>>>>>><br>
>>>>>>>>>> On 09/19/2012 03:47 PM,
Rob Crittenden wrote:<br>
>>>>>>>>>>> Dmitri Pal wrote:<br>
>>>>>>>>>>>><br>
>>>>>>>>>>>> Rob, keytab and
kerberos part seems to be<br>
>>>>>>>>>>>> fine, ldap works
too. Can it be one of the<br>
>>>>>>>>>>>> certs? May be
some cert expired?<br>
>>>>>>>>>>><br>
>>>>>>>>>>> No, the error is
coming from GSSAPI, it is <br>
>>>>>>>>>>> unfortunately
completely useless. I think<br>
>>>>>>>>>>> we've pretty well
narrowed down the problem to <br>
>>>>>>>>>>> httpd/mod_auth_kerb
but I don't know yet if<br>
>>>>>>>>>>> this is a
configuration issue or a bug.<br>
>>>>>>>>>>><br>
>>>>>>>>>>> Nathan, can you show
me your <br>
>>>>>>>>>>>
/etc/httpd/conf.d/ipa.conf?<br>
>>>>>>>>>> Sure, as far as I know it's completely stock,<br>
>>>>>>>>>> aside from the krb
password auth change.<br>
>>>>>>>>><br>
>>>>>>>>> Yup, configuration looks
fine.<br>
>>>>>>>>><br>
>>>>>>>>> Ok, let's eliminate the ipa
tool as the problem<br>
>>>>>>>>> and try curl:<br>
>>>>>>>>><br>
>>>>>>>>> Create a file test.json with
these contents:<br>
>>>>>>>>><br>
>>>>>>>>> {"method":"batch","params":[[<br>
>>>>>>>>> {"method":"user_show","params":[["admin"],{"all":false}]}<br>
>>>>>>>>> ],{}],"id":1}<br>
>>>>>>>>><br>
>>>>>>>>> then run this:<br>
>>>>>>>>><br>
>>>>>>>>> curl -H "Content-Type:application/json" -H "Accept:application/json" -H "Accept-Language:en" -H "Referer: <a class="moz-txt-link-freetext" href="https://caroline0.lafayette.edu/ipa/xml">https://caroline0.lafayette.edu/ipa/xml</a>" --negotiate -u : --cacert /etc/ipa/ca.crt -d @test.json -X POST <a class="moz-txt-link-freetext" href="https://caroline0.lafayette.edu/ipa/json">https://caroline0.lafayette.edu/ipa/json</a><br>
>>>>>>>>><br>
>>>>>>>> Seems to be running into the same
trouble.<br>
>>>>>>>><br>
>>>>>>>> [lagern@caroline0 PROD ~]$ curl -H "Content-Type:application/json" -H "Accept:application/json" -H "Accept-Language:en" -H "Referer: <a class="moz-txt-link-freetext" href="https://caroline0.lafayette.edu/ipa/xml">https://caroline0.lafayette.edu/ipa/xml</a>" --negotiate -u : --cacert /etc/ipa/ca.crt -d @test.json -X POST <a class="moz-txt-link-freetext" href="https://caroline0.lafayette.edu/ipa/json">https://caroline0.lafayette.edu/ipa/json</a><br>
>>>>>>>> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><br>
>>>>>>>> <html><head><br>
>>>>>>>> <title>500 Internal Server Error</title><br>
>>>>>>>> </head><body><br>
>>>>>>>> <h1>Internal Server Error</h1><br>
>>>>>>>> <p>The server encountered an internal error or misconfiguration and was unable to complete your request.</p><br>
>>>>>>>> <p>Please contact the server administrator, root@localhost and inform them of the time the error occurred, and anything you might have done that may have caused the error.</p><br>
>>>>>>>> <p>More information about this error may be available in the server error log.</p><br>
>>>>>>>> <hr><br>
>>>>>>>> <address>Apache/2.2.15 (Red Hat) Server at caroline0.lafayette.edu Port 443</address><br>
>>>>>>>> </body></html><br>
>>>>>>><br>
>>>>>>> Ok, need to gather some more info:<br>
>>>>>>><br>
>>>>>>> # kvno HTTP/caroline0.lafayette.edu<br>
>>>>>>> # klist -kt /etc/httpd/conf/ipa.keytab<br>
>>>>>>><br>
>>>>>> [root@caroline0 PROD ~]# kvno HTTP/caroline0.lafayette.edu<br>
>>>>>> HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU: kvno = 3<br>
>>>>>> [root@caroline0 PROD ~]# klist -kt /etc/httpd/conf/ipa.keytab<br>
>>>>>> Keytab name: WRFILE:/etc/httpd/conf/ipa.keytab<br>
>>>>>> KVNO Timestamp         Principal<br>
>>>>>> ---- ----------------- --------------------------------------------------------<br>
>>>>>>    2 02/03/12 16:31:27 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU<br>
>>>>>>    2 02/03/12 16:31:27 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU<br>
>>>>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU<br>
>>>>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU<br>
>>>>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU<br>
>>>>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU<br>
>>>>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU<br>
>>>>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU<br>
>>>>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU<br>
>>>>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU<br>
>>>>>><br>
>>>>><br>
>>>>> It may be nothing, but I wonder why kvno 2
has 6 keys and<br>
>>>>> 3 has only 4. Did you change the available
encryption<br>
>>>>> types?<br>
>>>>><br>
>>>> I have not changed them, not intentionally
anyway. Could it<br>
>>>> be that an update did so? I installed IPA around RHEL 6.1 or<br>
>>>> so, and have been updating it via yum
periodically.<br>
>>>><br>
>>>>> Can you re-run the klist command with -e as
well? klist<br>
>>>>> -ekt ...<br>
>>>>><br>
>>>> [root@caroline0 PROD ~]# klist -kte /etc/httpd/conf/ipa.keytab<br>
>>>> Keytab name: WRFILE:/etc/httpd/conf/ipa.keytab<br>
>>>> KVNO Timestamp         Principal<br>
>>>> ---- ----------------- --------------------------------------------------------<br>
>>>>    2 02/03/12 16:31:27 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (aes256-cts-hmac-sha1-96)<br>
>>>>    2 02/03/12 16:31:27 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (aes128-cts-hmac-sha1-96)<br>
>>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (des3-cbc-sha1)<br>
>>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (arcfour-hmac)<br>
>>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (des-hmac-sha1)<br>
>>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (des-cbc-md5)<br>
>>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (aes256-cts-hmac-sha1-96)<br>
>>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (aes128-cts-hmac-sha1-96)<br>
>>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (des3-cbc-sha1)<br>
>>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (arcfour-hmac)<br>
>>>><br>
>>>><br>
>>>>> rob<br>
>>>>><br>
>>>><br>
>>>> -- <br>
>>>> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-<br>
>>>> Nathan Lager, RHCSA, RHCE (#110-011-426)<br>
>>>> System Administrator<br>
>>>> 11 Pardee Hall<br>
>>>> Lafayette College, Easton, PA 18042<br>
>>>><br>
>>>> _______________________________________________<br>
>>>> Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <br>
>>>>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
<br>
<br>
<br>
<br>
<br>
</blockquote>
<br>
-- <br>
Thank you,<br>
Dmitri Pal<br>
<br>
Sr. Engineering Manager for IdM portfolio<br>
Red Hat Inc.<br>
<br>
<br>
<br>
<br>
<br>
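The [domain_realm] change that resolved the problem above can be checked mechanically; the following is an added example, not code from the thread or from FreeIPA. It parses a krb5.conf-style [domain_realm] section and maps hostnames the way classic MIT krb5 does (exact host name first, then each parent domain with a leading dot), and it assumes the library's default fallback when no entry matches and DNS realm lookup is off, namely the parent domain uppercased; under that assumption caroline0.lafayette.edu lands in LAFAYETTE.EDU with the original section and in SYSTEMS.LAFAYETTE.EDU with the corrected one. The two sample sections are constructed from the thread.<br>

```python
# Constructed sample sections, transcribed from the thread: the original
# [domain_realm] and the one Red Hat support had the poster switch to.
BEFORE = """
[domain_realm]
 .systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
 systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
"""
AFTER = BEFORE + """ .lafayette.edu = SYSTEMS.LAFAYETTE.EDU
 lafayette.edu = SYSTEMS.LAFAYETTE.EDU
"""
KDC_REALM = "SYSTEMS.LAFAYETTE.EDU"  # realm the IPA masters actually serve

def parse_domain_realm(text):
    """Return {tag: realm} from the [domain_realm] section of krb5.conf text."""
    mapping, in_section = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):            # any section header
            in_section = line.lower() == "[domain_realm]"
        elif in_section and "=" in line:
            tag, realm = (part.strip() for part in line.split("=", 1))
            mapping[tag.lower()] = realm
    return mapping

def host_realm(hostname, mapping):
    """Map a host to (realm, matched_tag).  Assumed lookup order: the exact
    host name, then each parent domain with a leading dot; if nothing matches
    (and DNS realm lookup is off) the parent domain uppercased, tag 'fallback'."""
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host], host
    labels = host.split(".")
    for i in range(1, len(labels)):
        tag = "." + ".".join(labels[i:])
        if tag in mapping:
            return mapping[tag], tag
    return ".".join(labels[1:]).upper(), "fallback"

def misrouted_hosts(hosts, conf_text, expected_realm=KDC_REALM):
    """Hosts whose service tickets would be requested from the wrong realm."""
    mapping = parse_domain_realm(conf_text)
    found = {h: host_realm(h, mapping) for h in hosts}
    return {h: r for h, r in found.items() if r[0] != expected_realm}
```

Running misrouted_hosts over the masters and every enrolled client hostname against each host's own krb5.conf is a quick way to spot a mapping that drifted on one host only, which is the question Rob raised above.<br>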
</body>
</html>