[Freeipa-users] sudden ipa errors.
Rob Crittenden
rcritten at redhat.com
Tue Sep 18 19:22:00 UTC 2012
Nathan Lager wrote:
> Sorry for falling off like that.
> I opened a RedHat ticket on the issue, and have been running in
> circles with them. I forgot to check on the list for responses.
>
>
> I'm still having problems. Someone suggested I try:
>
> kinit -kt /etc/httpd/conf/ipa.keytab HTTP/ipaserver.lafayette.edu
>
> Which I just did, and it worked, or, at least it initialized my session.
>
> I'm still unable to execute ipa commands. In fact, I'm unable to
> execute almost any ipa commands.
>
> The web interface works, but only after RedHat had me enable Kerberos
> password auth in the httpd config. So I can now auth to the web gui
> interactively, instead of requiring a kinit from my workstation.
>
> The only real client I have here is RHEV. And auth there still works
> except on accounts which have expired. Those accounts can't even
> change their passwords.
>
> RedHat had me disable the password expiration via the web gui, however
> that hasn't helped accounts that are already expired.
>
> RedHat is currently blaming time skew, which I think is ridiculous.
> I'm testing my ipa commands right on the ipa master. How could there
> possibly be time skew? I did find that the time on my replica was
> off, but my replica isn't working anyway, which is a whole other issue.
> I think it needs to be flattened, and re-joined.

I think we need to start with the basics, so here is a slew of
questions, things to try:

You said you enabled password auth? Did you do this by setting
KrbMethodK5Passwd to on?

You say that some commands work, which ones?

It seems that kinit works? kinit admin

Can you set LogLevel debug in /etc/httpd/conf.d/nss.conf and restart the
httpd service, then:

$ kdestroy
$ kinit admin
$ ipa user-show admin

Provide the logs covering the restart of Apache until the error from
/var/log/httpd/error_log, /var/log/krb5kdc.log and
/var/log/dirsrv/slapd-YOURINSTANCE/access. This last log buffers for 30
seconds so it may be a while before it gets updated.

What are the versions of:

httpd
mod_auth_kerb
ipa-server
krb5-server

This is RHEL 6.3?

The problem seems isolated to mod_auth_kerb and/or s4u2proxy since it
works with password authentication in the UI.

rob
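
The collection steps requested in the reply above, as an added shell example that is not part of the original message: it records each log's size before the Apache restart and afterwards saves only what was appended, waiting out the 30-second access-log buffer. The function names, the `run` argument and the output directory are assumptions; the paths and commands are the ones named in the reply.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and arguments are assumptions.

# Size of log $1 in bytes (0 if it does not exist yet).
log_offset() {
    if [ -f "$1" ]; then wc -c < "$1" | tr -d ' '; else echo 0; fi
}

# Print what was appended to log $1 after byte offset $2.
# If the file is now smaller than the offset it was rotated: print all of it.
log_since() {
    [ -f "$1" ] || return 0
    size=$(log_offset "$1")
    if [ "$size" -lt "$2" ]; then cat "$1"; else tail -c "+$(($2 + 1))" "$1"; fi
}

# Run the reproduction and save only the log lines it produced.
# $1 = directory server instance name, $2 = output directory.
collect_ipa_debug() {
    instance=$1; out=$2
    httpd_log=/var/log/httpd/error_log
    kdc_log=/var/log/krb5kdc.log
    ds_log=/var/log/dirsrv/slapd-$instance/access
    mkdir -p "$out" || return 1
    o_httpd=$(log_offset "$httpd_log")
    o_kdc=$(log_offset "$kdc_log")
    o_ds=$(log_offset "$ds_log")

    service httpd restart          # LogLevel debug must already be set in nss.conf
    kdestroy
    kinit admin || return 1        # prompts for the admin password
    ipa user-show admin > "$out/ipa-user-show.txt" 2>&1
    sleep 35                       # the access log is buffered for 30 seconds

    log_since "$httpd_log" "$o_httpd" > "$out/httpd-error_log.txt"
    log_since "$kdc_log" "$o_kdc" > "$out/krb5kdc.log.txt"
    log_since "$ds_log" "$o_ds" > "$out/dirsrv-access.txt"
    rpm -q httpd mod_auth_kerb ipa-server krb5-server > "$out/versions.txt"
}

# Usage (as root on the IPA server): sh collect.sh run YOURINSTANCE /tmp/ipa-debug
if [ "${1:-}" = "run" ]; then collect_ipa_debug "$2" "$3"; fi
```

The saved files contain principal names and client addresses, so review them before posting to a public list.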