[Freeipa-users] sudden ipa errors.

Rob Crittenden rcritten at redhat.com
Tue Sep 18 19:22:00 UTC 2012


Nathan Lager wrote:
> Sorry for falling off like that.
> I opened a RedHat ticket on the issue, and have been running in
> circles with them.  I forgot to check on the list for responses.
>
>
> I'm still having problems.  Someone suggested I try:
>
> kinit -kt /etc/httpd/conf/ipa.keytab HTTP/ipaserver.lafayette.edu
>
> Which I just did, and it worked, or, at least it initialized my session.
>
> I'm still unable to execute ipa commands.  In fact, I'm unable to
> execute almost any ipa commands.
>
> The web interface works, but only after RedHat had me enable kerberos
> password auth in the httpd config.  So I can now auth to the web gui
> interactively, instead of requiring a kinit from my workstation.
>
> The only real client I have here is RHEV.  And auth there still works
> except on accounts which have expired.  Those accounts can't even
> change their passwords.
>
> RedHat had me disable the password expiration via the web gui, however
> that hasn't helped accounts that are already expired.
>
> RedHat is currently blaming time skew, which I think is ridiculous.
> I'm testing my ipa commands right on the ipa master.  How could there
> possibly be time skew?  I did find that the time on my replica was
> off, but my replica isn't working anyway, which is a whole other issue.
> I think it needs to be flattened, and re-joined.

I think we need to start with the basics, so here is a slew of
questions and things to try:

You said you enabled password auth? Did you do this by setting 
KrbMethodK5Passwd to on?

You say that some commands work, which ones?

It seems that kinit works?

$ kinit admin

Can you set LogLevel debug in /etc/httpd/conf.d/nss.conf and restart the 
httpd service, then:

$ kdestroy
$ kinit admin
$ ipa user-show admin

Provide the logs covering the restart of Apache until the error from 
/var/log/httpd/error_log, /var/log/krb5kdc.log and 
/var/log/dirsrv/slapd-YOURINSTANCE/access. This last log buffers for 30 
seconds so it may be a while before it gets updated.

What are the versions of:

httpd
mod_auth_kerb
ipa-server
krb5-server

This is RHEL 6.3?

The problem seems isolated to mod_auth_kerb and/or s4u2proxy since it 
works with password authentication in the UI.

rob
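The steps Rob lists (turn on LogLevel debug in nss.conf, restart httpd, kdestroy/kinit/ipa user-show, then pull the three logs from the restart onward plus the package versions) are easy to get wrong by hand, in particular the 30-second buffering of the dirsrv access log and the question of which log lines are "new". The script below is an added example, not part of the thread and not an IPA tool: it performs that collection in one pass on the IPA master. The log paths, `service httpd restart`, `rpm -q` and `/etc/redhat-release` assume RHEL 6; the dirsrv instance name is an assumption and must be set to whatever follows `slapd-` under `/var/log/dirsrv/` on the affected server.

```shell
#!/bin/sh
# Added example, not from the thread: gathers the diagnostics Rob asks for
# in a single pass on the IPA master. Log paths, the service name and the
# dirsrv instance name are assumptions for RHEL 6; set SLAPD_INSTANCE to
# whatever follows "slapd-" under /var/log/dirsrv/ on your server.
set -u

NSS_CONF="${NSS_CONF:-/etc/httpd/conf.d/nss.conf}"
SLAPD_INSTANCE="${SLAPD_INSTANCE:-YOURINSTANCE}"
OUT="${OUT:-/tmp/ipa-diag.$$}"

# Set "LogLevel debug" in an nss.conf-style file. An existing LogLevel line
# (possibly indented) is replaced; if there is none, one is appended. Running
# it twice leaves exactly one LogLevel line, so it is safe to re-run.
set_loglevel_debug() {
    f="$1"
    if grep -q '^[[:space:]]*LogLevel[[:space:]]' "$f"; then
        sed 's/^[[:space:]]*LogLevel[[:space:]].*/LogLevel debug/' "$f" > "$f.tmp" \
            && mv "$f.tmp" "$f"
    else
        printf '\nLogLevel debug\n' >> "$f"
    fi
}

# Print the LogLevel a file currently sets (empty output if there is none).
get_loglevel() {
    sed -n 's/^[[:space:]]*LogLevel[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" \
        | tail -n 1
}

# Current size of a log in bytes (0 if absent), taken before the restart so
# that only what is written afterwards is collected.
log_size() {
    if [ -f "$1" ]; then echo $(( $(wc -c < "$1") + 0 )); else echo 0; fi
}

# Everything appended to a file after the given byte offset.
tail_since() {
    [ -f "$1" ] && tail -c +"$(( $2 + 1 ))" "$1"
}

# Versions of the packages asked about; rpm is the RHEL package tool.
report_versions() {
    for p in httpd mod_auth_kerb ipa-server krb5-server; do
        rpm -q "$p" 2>&1
    done
    cat /etc/redhat-release 2>/dev/null
}

main() {
    err_log=/var/log/httpd/error_log
    kdc_log=/var/log/krb5kdc.log
    acc_log="/var/log/dirsrv/slapd-$SLAPD_INSTANCE/access"
    mkdir -p "$OUT"

    set_loglevel_debug "$NSS_CONF"
    e0=$(log_size "$err_log"); k0=$(log_size "$kdc_log"); a0=$(log_size "$acc_log")
    service httpd restart

    kdestroy
    kinit admin                      # prompts for the admin password
    ipa user-show admin > "$OUT/user-show.txt" 2>&1 \
        || echo "ipa user-show exited with status $?" >> "$OUT/user-show.txt"

    # The dirsrv access log is buffered for about 30 s (see the thread),
    # so wait before reading it or the interesting lines are not there yet.
    sleep 35
    tail_since "$err_log" "$e0" > "$OUT/httpd-error_log"
    tail_since "$kdc_log" "$k0" > "$OUT/krb5kdc.log"
    tail_since "$acc_log" "$a0" > "$OUT/dirsrv-access"
    report_versions > "$OUT/versions.txt"
    echo "diagnostics written to $OUT"
}

# Only run the live procedure when explicitly asked, so the helper
# functions above can be sourced or tested without touching the server.
if [ "${IPA_DIAG_RUN:-0}" = 1 ]; then main; fi
```

Run it as root on the master with `IPA_DIAG_RUN=1 SLAPD_INSTANCE=<instance> sh ipa-diag.sh`; the byte offsets taken before the restart mean the collected files contain only what was logged from the restart until the failing `ipa user-show`, which is exactly the window asked for. Remember to set LogLevel back afterwards, since debug logging on the web server is noisy and can leak request detail into the error log.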
