<div dir="ltr">For what it's worth, kinit on the command line of the IPA server works just fine, and detects the realm OK.<div><br></div><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On 27 November 2013 11:00, <a href="http://siology.io">siology.io</a> <span dir="ltr"><<a href="mailto:siology.io@gmail.com" target="_blank">siology.io@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Yeah, maybe. I do see from the install log of ipa-dns-install that it changed /etc/resolv.conf to point to its own IP, which seems a little odd (and unwanted, more importantly). I've changed that back to how it should be and restarted IPA, but still nothing. <div>

<br></div><div>There's no other KDC in the environment that I'm aware of. Certainly, the DNS I was using only has the one set of SRV records for LDAP and KDC.</div><div><br></div><div>The bit that puzzles me is how/why that would have affected the replica server also. I assume it's copied the LDAP DNS data to the replica, but I never installed bind there, or bind-dyndb-ldap, or anything else, so I'd expect that to be unaffected, but it's also broken now. :-(</div>

</div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><br><div class="gmail_quote">On 27 November 2013 10:47, Dmitri Pal <span dir="ltr"><<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

  
    
  
  <div bgcolor="#FFFFFF" text="#000000"><div>
    On 11/26/2013 04:32 PM, <a href="http://siology.io" target="_blank">siology.io</a> wrote:
    <blockquote type="cite">
      <div dir="ltr"><br>
        <div class="gmail_extra"><br>
          <br>
          <div class="gmail_quote">On 27 November 2013 10:21, Dmitri Pal
            <span dir="ltr"><<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span>
            wrote:<br>
            <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
              <div bgcolor="#FFFFFF" text="#000000">
                <div> On 11/26/2013 03:37 PM, <a href="http://siology.io" target="_blank">siology.io</a>
                  wrote:
                  <blockquote type="cite">
                    <div dir="ltr">I'm seeing an issue with logging into
                      the web UI of IPA. I've been using IPA for 6
                      months or so in production, and all has been well
                      so far.
                      <div><br>
                      </div>
                      <div>The last thing I did in terms of IPA was run
                        ipa-dns-install, which completed successfully,
                        but I suspect this issue occurred before that and I
                        never noticed, as it's been a few weeks since I
                        used the UI. I typically check that the login page
                        works and ldapsearch works after upgrades, but
                        in this instance the login box is presented, and
                        after entering the credentials it sits doing
                        nothing for a while, then times out with
                        'internal server error'.</div>
                      <div><br>
                      </div>
                      <div>The only useful log I've managed to find is
                        in /var/log/httpd/error_log</div>
                      <div><br>
                      </div>
                      <div>
                        <div>[Wed Nov 27 08:41:47 2013] [error] [client
                          (redacted)] Script timed out before returning
                          headers: wsgi.py, referer: <a href="https://%28redacted%29/ipa/ui/" target="_blank">https://(redacted)/ipa/ui/</a></div>
                      </div>
                    </div>
                  </blockquote>
                  <br>
                </div>
                What happens before that in the log?<br>
                Any DNS lookup or some other lookup?
                <div><br>
                </div>
              </div>
            </blockquote>
            <div><br>
            </div>
            <div>Doesn't appear so, no. What makes you suspect that? I
              never got as far as doing the ipa-dns-install on the
              replica. I did it on the master, then went to log in and
              got this issue. It may well be that it (the UI) was broken
              previously. I couldn't work out how to remove the
              ipa-dns-install to find out if it magically resumes
              working, though.</div>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
    <br>
    <br></div>
    Pure speculation:<br>
    If the UI presents you the form and you fill it in, then you are
    definitely talking to the server. When you submit the form, the
    server tries to do a kinit on your behalf. It might not be able to
    determine where its KDC is because the DNS configuration is broken in
    some way and it is now looking at the wrong KDC (maybe an AD KDC, or
    there is a lack of the server records at all for some reason). <br><div><div>
    <br>
    <blockquote type="cite">
      <div dir="ltr">
        <div class="gmail_extra">
          <div class="gmail_quote">
            <div> </div>
            <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
              <div bgcolor="#FFFFFF" text="#000000">
                <div> <br>
                  <blockquote type="cite">
                    <div dir="ltr">
                      <div> </div>
                      <div><br>
                      </div>
                      <div>I'm seeing this behaviour on both my master
                        and replica, but they are both identical in
                        terms of package versions and such, so it may
                        not be significant.</div>
                      <div><br>
                      </div>
                      <div>My system versions:</div>
                      <div>CentOS 6.4 x64</div>
                      <div><br>
                      </div>
                      <div>
                        <div>ipa-python-3.0.0-26.el6_4.4.x86_64</div>
                        <div>ipa-server-selinux-3.0.0-26.el6_4.4.x86_64</div>
                        <div>python-iniparse-0.3.1-2.1.el6.noarch</div>
                        <div>libipa_hbac-1.9.2-82.10.el6_4.x86_64</div>
                        <div>libipa_hbac-python-1.9.2-82.10.el6_4.x86_64</div>
                        <div>ipa-client-3.0.0-26.el6_4.4.x86_64</div>
                        <div>ipa-server-3.0.0-26.el6_4.4.x86_64</div>
                        <div>ipa-pki-ca-theme-9.0.3-7.el6.noarch</div>
                        <div>ipa-admintools-3.0.0-26.el6_4.4.x86_64</div>
                        <div>ipa-pki-common-theme-9.0.3-7.el6.noarch</div>
                      </div>
                      <div><br>
                      </div>
                      <div>
                        <div>bind-dyndb-ldap-2.3-2.el6_4.1.x86_64<br>
                        </div>
                        <div>bind-9.8.2-0.17.rc1.el6_4.6.x86_64<br>
                        </div>
                      </div>
                      <div><br>
                      </div>
                      <div>which are (AFAIK) all the latest for CentOS 6.4</div>
                      <div><br>
                      </div>
                      <div>Oddly, I'm not seeing this behaviour in my
                        VirtualBox / Vagrant IPA testbed, which has
                        identical version numbers, and wsgi.py in
                        /usr/share/ipa has an identical md5sum.</div>
                      <div><br>
                      </div>
                      <div>Not really sure how to approach debugging
                        this further. Any ideas? Has anyone else seen
                        this happen?</div>
                      <div><br>
                      </div>
                      <div>The ldapsearch, BIND DNS and everything else
                        seem operational - just the GUI is out of
                        action.</div>
                    </div>
                  </blockquote>
                  <br>
                  <br>
                  <br>
                </div>
                <blockquote type="cite">
                  <div dir="ltr">
                    <div><br>
                    </div>
                    <div><br>
                    </div>
                  </div>
                  <br>
                  <fieldset></fieldset>
                  <br>
                  <pre>_______________________________________________
Freeipa-users mailing list
<a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
                  <span><font color="#888888"> </font></span></blockquote>
                <span><font color="#888888"> <br>
                    <br>
                    <pre cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
<a href="http://www.redhat.com/carveoutcosts/" target="_blank">www.redhat.com/carveoutcosts/</a>


</pre>
                  </font></span></div>
            </blockquote>
          </div>
          <br>
        </div>
      </div>
    </blockquote>
  </div></div></div>

</blockquote></div><br></div>
</div></div></blockquote></div><br></div>
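Dmitri's point that the web UI performs a kinit server-side and therefore has to locate the KDC, together with the resolv.conf change reported in this thread, suggests a quick offline check of that dependency chain: which resolvers the host uses, whether one of them is the host itself, whether the realm's KDC location is pinned in krb5.conf or depends on DNS SRV lookups, and which SRV names must then resolve. This is added example code, not from the thread or from FreeIPA; the realm EXAMPLE.TEST, the address 192.0.2.10 and both config snippets are constructed.

```python
import re
# Constructed sample inputs, not from the thread: a resolv.conf that
# ipa-dns-install has pointed at the server's own address, and an IPA-style
# krb5.conf for the hypothetical realm EXAMPLE.TEST (server 192.0.2.10).
RESOLV_CONF = "search example.test\nnameserver 192.0.2.10\n"
KRB5_CONF = """\
[libdefaults]
  default_realm = EXAMPLE.TEST
  dns_lookup_kdc = true
[realms]
  EXAMPLE.TEST = {
    kdc = ipa.example.test:88
    admin_server = ipa.example.test:749
    default_domain = example.test
  }
"""

def nameservers(resolv_text):
    """Nameserver addresses listed in resolv.conf text, in order."""
    return re.findall(r"^\s*nameserver\s+(\S+)", resolv_text, re.M)

def kdc_discovery(krb5_text, realm):
    """How libkrb5 locates the realm's KDC: explicit kdc entries in the realm
    block win; otherwise, with dns_lookup_kdc on (the MIT default when unset),
    it queries the _kerberos SRV records. IPA's LDAP SRV name is listed too."""
    block = re.search(re.escape(realm) + r"\s*=\s*\{(.*?)\}", krb5_text, re.S)
    body = block.group(1) if block else ""
    kdcs = re.findall(r"^\s*kdc\s*=\s*(\S+)", body, re.M)
    dom = re.search(r"^\s*default_domain\s*=\s*(\S+)", body, re.M)
    domain = dom.group(1) if dom else realm.lower()  # assumption if unset
    flag = re.search(r"^\s*dns_lookup_kdc\s*=\s*(\S+)", krb5_text, re.M)
    dns_kdc = flag.group(1).lower() in ("true", "yes", "1") if flag else True
    srv = [f"_kerberos._udp.{realm.lower()}", f"_kerberos._tcp.{realm.lower()}",
           f"_ldap._tcp.{domain}"] if dns_kdc else []
    return {"kdc": kdcs, "dns_lookup_kdc": dns_kdc, "srv_to_check": srv}

def diagnose(resolv_text, krb5_text, realm, own_addresses):
    """Which resolvers are in use, whether one is this host itself (so a broken
    local BIND also breaks KDC discovery), and whether locating the KDC depends
    on DNS at all (kdc hostnames still need A/AAAA records either way)."""
    report = kdc_discovery(krb5_text, realm)
    ns = nameservers(resolv_text)
    report["nameservers"] = ns
    report["self_as_resolver"] = [a for a in ns if a in own_addresses]
    report["dns_dependent"] = report["dns_lookup_kdc"] and not report["kdc"]
    return report

if __name__ == "__main__":
    print(diagnose(RESOLV_CONF, KRB5_CONF, "EXAMPLE.TEST", {"192.0.2.10"}))
```

Run it against the real /etc/resolv.conf and /etc/krb5.conf of the master and the replica and compare the two reports; the SRV names in srv_to_check are the ones to query with the listed resolvers.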