[Freeipa-users] sudden ipa errors.

Dmitri Pal dpal@redhat.com
Wed Sep 19 12:12:38 UTC 2012



On 09/18/2012 03:06 PM, Nathan Lager wrote:
> Sorry for falling off like that.
> I opened a RedHat ticket on the issue, and have been running in
> circles with them. I forgot to check on the list for responses.
>
>
> I'm still having problems. Someone suggested I try:
>
> kinit -kt /etc/httpd/conf/ipa.keytab HTTP/ipaserver.lafayette.edu
>
> Which I just did, and it worked, or at least it initialized my session.
>
> I'm still unable to execute ipa commands. In fact, I'm unable to
> execute almost any ipa commands.
>
> The web interface works, but only after RedHat had me enable Kerberos
> password auth in the httpd config. So I can now auth to the web GUI
> interactively, instead of requiring a kinit from my workstation.
>
> The only real client I have here is RHEV. And auth there still works,
> except on accounts which have expired. Those accounts can't even
> change their passwords.
>
> RedHat had me disable the password expiration via the web GUI; however,
> that hasn't helped accounts that are already expired.
>
> RedHat is currently blaming time skew, which I think is ridiculous.

Well, this is probably my fault. I looked in the case (it is huge) and
saw that there are issues with the time in the log, so I suggested they
ask you to check the times to rule that part out. I have not had a
chance to follow up. But time skew usually creates all sorts of strange
things, and if the time skew was the problem in the past but some
passwords were created then, there might be problems with the expiration.

I was also very concerned about the framework not being able to get a
Kerberos ticket for whatever reason, and the reason was not clear.

> I'm testing my ipa commands right on the ipa master. How could there
> possibly be time skew?

This was not clear from the case, and I also asked them to ask you just to
check the time on the server.

> I did find that the time on my replica was
> off, but my replica isn't working anyway, which is a whole other issue.
> I think it needs to be flattened and re-joined.

OK, let us treat it as a separate issue.

>
>
> On 09/10/2012 08:54 AM, Dmitri Pal wrote:
> > On 08/24/2012 04:43 PM, Rob Crittenden wrote:
> >> Nathan Lager wrote:
> >>> This did not seem to help...
> >>>
> >>
> >> What else isn't working? Does the UI work? Do clients on other
> >> machines work? Does user lookup still work?
> >>
> >> rob
>
>
> > Was this issue ever resolved?
>
> >>
> >>>
> >>> On 08/22/2012 06:02 PM, Rob Crittenden wrote:
> >>>> Nathan Lager wrote:
> >>>>> [root@ipaserver PROD krb5kdc]# ipactl status
> >>>>> Directory Service: RUNNING
> >>>>> KDC Service: RUNNING
> >>>>> KPASSWD Service: RUNNING
> >>>>> MEMCACHE Service: RUNNING
> >>>>> HTTP Service: RUNNING
> >>>>> CA Service: RUNNING
> >>>>> [root@ipaserver PROD krb5kdc]# rpm -qa | grep ipa-server
> >>>>> ipa-server-selinux-2.2.0-16.el6.x86_64
> >>>>> ipa-server-2.2.0-16.el6.x86_64
> >>>>
> >>>> I'd try removing /tmp/krb5cc_48. This is the ccache used by
> >>>> Apache for doing S4U2Proxy. No restart of httpd should be
> >>>> required.
> >>>>
> >>>> rob
> >>>>
> >>>>>
> >>>>>
> >>>>> On 08/22/2012 04:08 PM, Rob Crittenden wrote:
> >>>>>> Nathan Lager wrote:
> >>>>>>>
> >>>>>>> I tried the same, kinit, and then ipa passwd commands
> >>>>>>> as before, here's the output:
> >>>>>>>
> >>>>>>> Aug 22 14:32:13 ipaserver.lafayette.edu krb5kdc[1438](info): AS_REQ (4 etypes {18 17 16 23}) ipa-servers-ip: NEEDED_PREAUTH: lagern@SYSTEMS.LAFAYETTE.EDU for krbtgt/SYSTEMS.LAFAYETTE.EDU@SYSTEMS.LAFAYETTE.EDU, Additional pre-authentication required
> >>>>>>>
> >>>>>>> Aug 22 14:32:19 ipaserver.lafayette.edu krb5kdc[1438](info): AS_REQ (4 etypes {18 17 16 23}) ipa-servers-ip: ISSUE: authtime 1345660339, etypes {rep=18 tkt=18 ses=18}, lagern@SYSTEMS.LAFAYETTE.EDU for krbtgt/SYSTEMS.LAFAYETTE.EDU@SYSTEMS.LAFAYETTE.EDU
> >>>>>>>
> >>>>>>> Aug 22 14:32:35 ipaserver.lafayette.edu krb5kdc[1438](info): TGS_REQ (4 etypes {18 17 16 23}) ipa-servers-ip: ISSUE: authtime 1345660339, etypes {rep=18 tkt=18 ses=18}, lagern@SYSTEMS.LAFAYETTE.EDU for HTTP/ipaserver.lafayette.edu@SYSTEMS.LAFAYETTE.EDU
> >>>>>>
> >>>>>> What version of IPA is this?
> >>>>>>
> >>>>>> Does ipactl status show all services up?
> >>>>>>
> >>>>>> rob
> >>>>>
> >>>>>
> >>>>
> >>>>
> >>>
> >>
> >>
> >> _______________________________________________
> >> Freeipa-users mailing list
> >> Freeipa-users@redhat.com
> >> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


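The krb5kdc log lines quoted earlier in this thread are the main evidence on the table, and the advice in the reply above is to check the clocks. As an added example (not code from the thread, from Red Hat support or from FreeIPA), the Python script below parses lines in that krb5kdc.log format, renders the raw authtime value as a readable UTC time, and flags AS_REQ ISSUE entries whose authtime disagrees with the line's own timestamp by more than MIT krb5's default 300-second clock-skew tolerance. Syslog-style lines carry neither a year nor a zone, so the script takes both as parameters; the defaults (2012, UTC-4) are assumptions that fit the quoted lines. The client IP addresses are constructed placeholders because the poster redacted them, and the fourth sample line is constructed to show what a skewed entry looks like.

```python
"""Decode and sanity-check krb5kdc.log request lines.

Added example, not code from the thread or from FreeIPA. Assumptions:
the caller supplies the year and UTC offset for the syslog timestamps
(2012 and -4 match the lines quoted in the thread), and the client
addresses in the sample data are constructed placeholders.
"""
import re
from datetime import datetime, timedelta, timezone

# MIT krb5's default tolerated clock difference ("clockskew"), in seconds.
MAX_SKEW_SECONDS = 300

# Matches e.g.
# Aug 22 14:32:19 host krb5kdc[1438](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1345660339, ...
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\): "
    r"(?P<req>AS_REQ|TGS_REQ) \([^)]*\) (?P<addr>\S+): (?P<result>[A-Z_]+): "
    r"(?P<rest>.*)$"
)
AUTHTIME_RE = re.compile(r"authtime (?P<authtime>\d+)")
PRINC_RE = re.compile(r"(?P<client>[^\s,]+@[^\s,]+) for (?P<server>[^\s,]+@[^\s,]+)")


def parse_kdc_line(line, year=2012, utc_offset_hours=-4):
    """Return a dict describing one krb5kdc request line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    zone = timezone(timedelta(hours=utc_offset_hours))
    logged = datetime.strptime(
        f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
    ).replace(tzinfo=zone)
    rec = {
        "logged_at": int(logged.timestamp()),
        "host": m["host"],
        "request": m["req"],
        "result": m["result"],
        "client": None,
        "server": None,
        "authtime": None,
        "skew_seconds": None,
    }
    p = PRINC_RE.search(m["rest"])
    if p:
        rec["client"], rec["server"] = p["client"], p["server"]
    a = AUTHTIME_RE.search(m["rest"])
    if a:
        rec["authtime"] = int(a["authtime"])
        # On an AS_REQ the KDC stamps authtime from its own clock when it
        # issues the TGT, so this difference is the skew between the clock
        # that wrote the line's timestamp and the KDC clock. On a TGS_REQ
        # authtime is inherited from the original TGT, so it is the TGT's age.
        rec["skew_seconds"] = rec["logged_at"] - rec["authtime"]
    return rec


def authtime_utc(authtime):
    """Render a raw authtime epoch value as an ISO-8601 UTC string."""
    return datetime.fromtimestamp(authtime, tz=timezone.utc).isoformat()


def find_skewed(lines, year=2012, utc_offset_hours=-4, max_skew=MAX_SKEW_SECONDS):
    """Return (client, skew_seconds) for AS_REQ ISSUE lines whose authtime and
    line timestamp disagree by more than the tolerated clock skew."""
    flagged = []
    for line in lines:
        rec = parse_kdc_line(line, year, utc_offset_hours)
        if rec is None or rec["request"] != "AS_REQ" or rec["result"] != "ISSUE":
            continue
        if abs(rec["skew_seconds"]) > max_skew:
            flagged.append((rec["client"], rec["skew_seconds"]))
    return flagged


# Sample input: the three lines quoted in the thread (addresses replaced by
# constructed placeholders) plus one constructed line with a skewed authtime.
LOG_LINES = [
    "Aug 22 14:32:13 ipaserver.lafayette.edu krb5kdc[1438](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: NEEDED_PREAUTH: lagern@SYSTEMS.LAFAYETTE.EDU for krbtgt/SYSTEMS.LAFAYETTE.EDU@SYSTEMS.LAFAYETTE.EDU, Additional pre-authentication required",
    "Aug 22 14:32:19 ipaserver.lafayette.edu krb5kdc[1438](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1345660339, etypes {rep=18 tkt=18 ses=18}, lagern@SYSTEMS.LAFAYETTE.EDU for krbtgt/SYSTEMS.LAFAYETTE.EDU@SYSTEMS.LAFAYETTE.EDU",
    "Aug 22 14:32:35 ipaserver.lafayette.edu krb5kdc[1438](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1345660339, etypes {rep=18 tkt=18 ses=18}, lagern@SYSTEMS.LAFAYETTE.EDU for HTTP/ipaserver.lafayette.edu@SYSTEMS.LAFAYETTE.EDU",
    # Constructed: authtime is 20 minutes ahead of the line's timestamp.
    "Aug 22 14:40:00 ipaserver.lafayette.edu krb5kdc[1438](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.11: ISSUE: authtime 1345662000, etypes {rep=18 tkt=18 ses=18}, skewed@SYSTEMS.LAFAYETTE.EDU for krbtgt/SYSTEMS.LAFAYETTE.EDU@SYSTEMS.LAFAYETTE.EDU",
]

if __name__ == "__main__":
    for line in LOG_LINES:
        rec = parse_kdc_line(line)
        when = authtime_utc(rec["authtime"]) if rec["authtime"] else "-"
        print(f"{rec['request']:8} {rec['result']:15} {rec['client']} -> "
              f"{rec['server']} authtime={when} delta={rec['skew_seconds']}")
    for client, skew in find_skewed(LOG_LINES):
        print(f"clock skew of {skew}s for {client} exceeds {MAX_SKEW_SECONDS}s")
```

When the log is written on the KDC itself, the timestamp and authtime come from the same clock and the AS_REQ delta is always near zero; the check earns its keep when lines are forwarded to a collector that stamps them with its own clock, or when reading an authtime value by hand to confirm it matches the wall-clock time the client saw. The TGS_REQ delta (16 seconds for the quoted lines) is simply how old the TGT was when the HTTP service ticket was requested.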

