[Freeipa-users] sudden ipa errors.

Nathan Lager lagern at lafayette.edu
Tue Sep 18 19:06:46 UTC 2012



Sorry for falling off like that.
I opened a RedHat ticket on the issue, and have been running in
circles with them.  I forgot to check on the list for responses.


I'm still having problems.  Someone suggested I try:

kinit -kt /etc/httpd/conf/ipa.keytab HTTP/ipaserver.lafayette.edu

Which I just did, and it worked, or at least it initialized my session.

I'm still unable to execute ipa commands.  In fact, I'm unable to
execute almost any ipa commands.

The web interface works, but only after RedHat had me enable Kerberos
password auth in the httpd config.  So I can now auth to the web GUI
interactively, instead of requiring a kinit from my workstation.

The only real client I have here is RHEV.  And auth there still works
except on accounts which have expired.  Those accounts can't even
change their passwords.

RedHat had me disable the password expiration via the web GUI; however,
that hasn't helped accounts that are already expired.

RedHat is currently blaming time skew, which I think is ridiculous.
I'm testing my ipa commands right on the ipa master.  How could there
possibly be time skew?  I did find that the time on my replica was
off, but my replica isn't working anyway, which is a whole other issue.
I think it needs to be flattened and re-joined.



On 09/10/2012 08:54 AM, Dmitri Pal wrote:
> On 08/24/2012 04:43 PM, Rob Crittenden wrote:
>> Nathan Lager wrote:
>>> This did not seem to help...
>>> 
>> 
>> What else isn't working? Does the UI work? Do clients on other 
>> machines work? Does user lookup still work?
>> 
>> rob
> 
> 
> Was this issue ever resolved?
> 
>> 
>>> 
>>> On 08/22/2012 06:02 PM, Rob Crittenden wrote:
>>>> Nathan Lager wrote:
>>>>> [root at ipaserver PROD krb5kdc]# ipactl status
>>>>> Directory Service: RUNNING
>>>>> KDC Service: RUNNING
>>>>> KPASSWD Service: RUNNING
>>>>> MEMCACHE Service: RUNNING
>>>>> HTTP Service: RUNNING
>>>>> CA Service: RUNNING
>>>>> [root at ipaserver PROD krb5kdc]# rpm -qa | grep ipa-server
>>>>> ipa-server-selinux-2.2.0-16.el6.x86_64
>>>>> ipa-server-2.2.0-16.el6.x86_64
>>>> 
>>>> I'd try removing /tmp/krb5cc_48. This is the ccache used by
>>>> Apache for doing S4U2Proxy. No restart of httpd should be
>>>> required.
>>>> 
>>>> rob
>>>> 
>>>>> 
>>>>> 
>>>>> On 08/22/2012 04:08 PM, Rob Crittenden wrote:
>>>>>> Nathan Lager wrote:
>>>>>>> 
>>>>>>> I tried the same, kinit, and then ipa passwd commands
>>>>>>> as before, here's the output:
>>>>>>> 
>>>>>>> Aug 22 14:32:13 ipaserver.lafayette.edu
>>>>>>> krb5kdc[1438](info): AS_REQ (4 etypes {18 17 16 23})
>>>>>>> ipa-servers-ip: NEEDED_PREAUTH: 
>>>>>>> lagern at SYSTEMS.LAFAYETTE.EDU for 
>>>>>>> krbtgt/SYSTEMS.LAFAYETTE.EDU at SYSTEMS.LAFAYETTE.EDU,
>>>>>>> Additional pre-authentication required
>>>>>>> 
>>>>>>> Aug 22 14:32:19 ipaserver.lafayette.edu
>>>>>>> krb5kdc[1438](info): AS_REQ (4 etypes {18 17 16 23})
>>>>>>> ipa-servers-ip: ISSUE: authtime 1345660339, etypes
>>>>>>> {rep=18 tkt=18 ses=18}, lagern at SYSTEMS.LAFAYETTE.EDU
>>>>>>> for krbtgt/SYSTEMS.LAFAYETTE.EDU at SYSTEMS.LAFAYETTE.EDU
>>>>>>> 
>>>>>>> Aug 22 14:32:35 ipaserver.lafayette.edu
>>>>>>> krb5kdc[1438](info): TGS_REQ (4 etypes {18 17 16 23})
>>>>>>> ipa-servers-ip: ISSUE: authtime 1345660339, etypes
>>>>>>> {rep=18 tkt=18 ses=18}, lagern at SYSTEMS.LAFAYETTE.EDU
>>>>>>> for HTTP/ipaserver.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>>>>>> 
>>>>>> What version of IPA is this?
>>>>>> 
>>>>>> Does ipactl status show all services up?
>>>>>> 
>>>>>> rob



