[Freeipa-users] testing AD trust on Fedora 18

Sumit Bose sbose at redhat.com
Wed Dec 19 12:30:27 UTC 2012


On Tue, Dec 18, 2012 at 03:56:27PM -0500, John Dennis wrote:
> On 12/18/2012 03:30 PM, Sumit Bose wrote:
> >On Tue, Dec 18, 2012 at 03:16:47PM -0500, John Dennis wrote:
> >>On 12/18/2012 01:26 PM, Andre Rodrigues wrote:
> >>>Hi all,
> >>>I'm testing AD trust following this how to:
> >>>http://www.freeipa.org/page/IPAv3_testing_AD_trust
> >>>but when I set "ipa dnszone-add" I get this:
> >>>[root at m ~] ipa dnszone-add <AD.DOMAIN> --name-server=<AD.NAME>
> >>>--admin-email=<MY.EMAIL> --force --forwarder=<AD.IP>
> >>>--forward-policy=only
> >>>ipa: ERROR: unable to parse cookie header
> >>>'ipa_session=f963e8e4006fdcd79e1a2a5a989b4d01; Domain=<IPA.DOMAIN>;
> >>>Path=/ipa; Expires=Thu, 18 Dec 2012 13:54:33 GMT; Secure; HttpOnly':
> >>>unable to parse expires datetime 'Thu, 18 Dec 2012 13:54:33'
> >>
> >>This is an error message from something I wrote. I can't explain why
> >>it can't parse the expires cookie attribute because using the value
> >>cited in the error message it parses just fine. The only thing I can
> >>think of is that the time module was not imported in cookie.py, but
> >>in my copy of the file it is imported.
> >>
> >>However one thing I did immediately notice, the cookie has
> >>Domain=<IPA.DOMAIN>, that's not valid, it's supposed to be a FQDN.
> >>What is the value of xmlrpc_uri in your /etc/ipa/default.conf?
> >>
> >>>
> >>>and when I set "ipa trust-add" I get the following error:
> >>>[root at m ~] ipa trust-add --type=ad <AD.DOMAIN> --admin Adminstrator
> >>>--password
> >>>Active directory domain administrator's password:
> >>>ipa: ERROR: unable to parse cookie header
> >>>'ipa_session=7d6aeb2c92ff3197a9d3c04421f6ba15; Domain=<IPA.DOMAIN>;
> >>>Path=/ipa; Expires=Tue, 18 Dec 2012 18:32:05 GMT; Secure; HttpOnly':
> >>>unable to parse expires datetime 'Tue, 18 Dec 2012 18:32:05'
> >>
> >>Sorry, someone else will have to help you with the below:
> >
> >I guess this error message is just triggered by the cookie error.
> 
> In theory no, the inability to process a cookie should do nothing
> other than log the fact, everything else should proceed as normal
> (without cookies you just get slower performance, but it should
> continue to work).

John, you are right, there are some issues in the F18 spec file,
https://bugzilla.redhat.com/show_bug.cgi?id=888754 and
https://bugzilla.redhat.com/show_bug.cgi?id=866969.

Andre, as a workaround until the packages are fixed please call

    yum install m2crypto
    service httpd restart

HTH

bye,
Sumit
> 
> However, the values in the cookie show something is very wrong with
> the configuration.
> 
> Please provide the contents of /etc/ipa/default.conf.
> 
> Do you have a .ipa/default.conf file set? If so that overrides the
> values in /etc/ipa/default.conf. If you have that as well please
> provide that as well.
> 
> Adding verbose debugging information will help. Add the -d option to
> the ipa command to turn on debug level information and capture the
> output. Those messages will help us diagnose the problem.
> 
> >
> >bye,
> >Sumit
> >
> >>
> >>>ipa: ERROR: Cannot perform join operation without Samba 4 support installed.
> >>>                               Make sure you have installed
> >>>server-trust-ad sub-package of IPA
> >>>
> >>>but I have the server-trust-ad installed:--
> 
> 
> -- 
> John Dennis <jdennis at redhat.com>
> 
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/



