[Freeipa-users] ipa command line tools failure

Nick Gresham n.gresham at manchester.ac.uk
Thu May 7 11:50:02 UTC 2009


Rob Crittenden wrote:
| Nick Gresham wrote:
|> Hi
|>
|> We've been using freeipa on Centos 5 successfully at our medium-scale
|> research site for several months now.
|>
|> We're currently running freeipa-1.2.1, installed via RPMs built from
|> source.
|>
|> However, after the recent upgrade Centos 5.2 ---> Centos 5.3 the ipa
|> command line utilities are broken, e.g.
|>
|> $ ipa-finduser -v testuser
|> Connecting to IPA server: https://xxx.yyy.ac.uk/ipa/xml
|> Did not receive Kerberos credentials.
|>
|> The web-interface is fine.
|>
|> Has anyone else had this problem? Is there a fix or workaround?
|>
|> Thanks in advance
|>
|> [NG]
|
| See if you have a forwardable ticket:
|
| % klist -f
|
| The flags for your TGT should include F.
|
| Another option is to look in the Apache error log
| (/var/log/httpd/error_log). You may have to set LogLevel debug in
| /etc/httpd/conf/httpd.conf to get more details.
|
| rob

Sorry about the delay in responding; unfortunately the problem persists:

$ klist -f
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin at XXX.YYY.AC.UK

Valid starting     Expires            Service principal
05/07/09 12:11:04  05/08/09 12:11:00
			krbtgt/XXX.YYY.AC.UK at XXX.YYY.AC.UK
			Flags: FIA

05/07/09 12:11:08  05/08/09 12:11:00
			HTTP/ZZZ.XXX.YYY.ac.uk at XXX.YYY.AC.UK
			Flags: FAT

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

Meanwhile turning up the apache LogLevel to debug and issuing

$ ipa-finduser -v testuser

produces a single entry in the error_log like:

nn.mm.rr.ss - admin at XX.YY.AC.UK [07/May/2009:12:11:16 +0100] "POST /ipa/xml HTTP/1.0" 200 292

--and that's all. It's the same story on our Centos 5.3 replica machine.

On the other hand on a Fedora-9 replica machine the same query succeeds
and provokes many more entries in the httpd error_log in addition to
some TGS_REQs in krb5kdc.log.

I'm still guessing that the problem is due to a careless update on my
part, but any pointers to debugging would be very welcome.

Many thanks again in advance,

[NG]

--
N.J. Gresham
FLS/IS AIO
Systems Administration and Support

University of Manchester
Faculty of Life Sciences

int: 7759349
ext: 0790-989-3684
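
The check suggested in the quoted reply (a TGT whose flags include F), as an added example that is not part of the original thread: a small Python parser for `klist -f` output that copes with principals wrapped onto their own line, as in the message above. The sample cache text is constructed (realm and host names are placeholders), and the flag letters are those documented in the MIT klist(1) man page.

```python
import re

# Flag letters as listed in the MIT krb5 klist(1) man page.
FLAG_NAMES = {
    "F": "forwardable", "f": "forwarded", "P": "proxiable", "p": "proxy",
    "D": "postdateable", "d": "postdated", "R": "renewable", "I": "initial",
    "i": "invalid", "H": "hardware-authenticated", "A": "pre-authenticated",
    "T": "transit-policy-checked", "O": "ok-as-delegate", "a": "anonymous",
}
STAMP = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TIMES = re.compile(rf"^{STAMP}\s+{STAMP}\s*(.*)$")

# Constructed sample modelled on the output in the message; realm and host
# are placeholders, and " at " stands for "@" as the list archive writes it.
SAMPLE = """\
Valid starting     Expires            Service principal
05/07/09 12:11:04  05/08/09 12:11:00
\t\t\tkrbtgt/EXAMPLE.TEST at EXAMPLE.TEST
\t\t\tFlags: FIA

05/07/09 12:11:08  05/08/09 12:11:00
HTTP/ipa.example.test at EXAMPLE.TEST
\t\t\tFlags: FAT
"""

def parse_klist(text):
    """Return one {'service', 'flags'} dict per ticket in `klist -f` output."""
    tickets, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = TIMES.match(line)
        if m:  # start of a ticket; the principal may be wrapped to the next line
            current = {"service": m.group(1).replace(" at ", "@"), "flags": ""}
            tickets.append(current)
        elif current and line.startswith("Flags:"):
            current["flags"] = line.split(":", 1)[1].strip()
        elif current and line and not current["service"]:
            current["service"] = line.replace(" at ", "@")
    return tickets

def tgt_is_forwardable(tickets):
    """True if a krbtgt/ ticket in the cache carries the F flag."""
    return any(t["service"].startswith("krbtgt/") and "F" in t["flags"] for t in tickets)

def describe(flags):
    return [FLAG_NAMES.get(c, "unknown:" + c) for c in flags]

if __name__ == "__main__":
    print([(t["service"], describe(t["flags"])) for t in parse_klist(SAMPLE)])
```

Only the `krbtgt/` entry is tested for F, so a cache whose service ticket is forwardable but whose TGT is not still fails the check.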
