[Freeipa-users] ipa command line tools failure
Nick Gresham
n.gresham at manchester.ac.uk
Thu May 7 11:50:02 UTC 2009
Rob Crittenden wrote:
| Nick Gresham wrote:
|> Hi
|>
|> We've been using freeipa on Centos 5 successfully at our medium-scale
|> research site for several months now.
|>
|> We're currently running freeipa-1.2.1, installed via RPMs built from
|> source.
|>
|> However, after the recent upgrade Centos 5.2 ---> Centos 5.3 the ipa
|> command line utilities are broken, e.g.
|>
|> $ ipa-finduser -v testuser
|> Connecting to IPA server: https://xxx.yyy.ac.uk/ipa/xml
|> Did not receive Kerberos credentials.
|>
|> The web-interface is fine.
|>
|> Has anyone else had this problem? Is there a fix or workaround?
|>
|> Thanks in advance
|>
|> [NG]
|
| See if you have a forwardable ticket:
|
| % klist -f
|
| The flags for your TGT should include F.
|
| Another option is to look in the Apache error log
| (/var/log/httpd/error_log). You may have to set LogLevel debug in
| /etc/httpd/conf/httpd.conf to get more details.
|
| rob

Sorry about the delay in responding, unfortunately the problem persists:

$ klist -f
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin at XXX.YYY.AC.UK

Valid starting     Expires            Service principal
05/07/09 12:11:04  05/08/09 12:11:00  krbtgt/XXX.YYY.AC.UK at XXX.YYY.AC.UK
        Flags: FIA
05/07/09 12:11:08  05/08/09 12:11:00  HTTP/ZZZ.XXX.YYY.ac.uk at XXX.YYY.AC.UK
        Flags: FAT

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

Meanwhile turning up the apache LogLevel to debug and issuing

$ ipa-finduser -v testuser

produces a single entry in the error_log like:

nn.mm.rr.ss - admin at XX.YY.AC.UK [07/May/2009:12:11:16 +0100] "POST /ipa/xml HTTP/1.0" 200 292

--and that's all. It's the same story on our Centos 5.3 replica machine.
On the other hand on a Fedora-9 replica machine the same query succeeds
and provokes many more entries in the httpd error_log in addition to
some TGS_REQs in krb5kdc.log.

I'm still guessing that the problem is due to a careless update on my
part, but any pointers to debugging would be very welcome.

Many thanks again in advance,

[NG]

--
N.J. Gresham
FLS/IS AIO
Systems Administration and Support
University of Manchester
Faculty of Life Sciences
int: 7759349
ext: 0790-989-3684
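
The check suggested in the thread (the TGT's flags in `klist -f` should include F), as an added shell example that is not part of the original messages. The function names are hypothetical, and the sample output, realm EXAMPLE.COM and host ipa.example.com are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): check the TGT flags in `klist -f` output.

# Print "<service principal> <flags>" for each ticket read from stdin.
ticket_flags() {
    awk '
        # Ticket lines start with a date; the service principal is the last field.
        /^[0-9][0-9]\/[0-9][0-9]\/[0-9]/ { svc = $NF; next }
        # Flags follow on the next line, alone or after "renew until ...,".
        /Flags:/ && svc != "" {
            sub(/^.*Flags:[ \t]*/, "")
            sub(/[^A-Za-z].*$/, "")
            print svc, $0
            svc = ""
        }'
}

# Exit 0 if the krbtgt ticket has F (forwardable), 1 if it does not,
# 2 if no TGT is present. Lowercase f (forwarded) does not count.
tgt_forwardable() {
    ticket_flags | awk '
        $1 ~ /^krbtgt\// { found = 1; if ($2 ~ /F/) ok = 1 }
        END { if (!found) exit 2; exit (ok ? 0 : 1) }'
}

# Constructed sample output; realm and host names are placeholders.
SAMPLE_OK='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@EXAMPLE.COM

Valid starting     Expires            Service principal
05/07/09 12:11:04  05/08/09 12:11:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: FIA
05/07/09 12:11:08  05/08/09 12:11:00  HTTP/ipa.example.com@EXAMPLE.COM
        Flags: FAT'

# Constructed sample: renewable TGT obtained without the forwardable option.
SAMPLE_NOFWD='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@EXAMPLE.COM

Valid starting     Expires            Service principal
05/07/09 12:11:04  05/08/09 12:11:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 05/14/09 12:11:04, Flags: RIA'

printf '%s\n' "$SAMPLE_OK" | ticket_flags
# On a live host: klist -f | tgt_forwardable; echo "exit status: $?"
```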