[Freeipa-users] sudden ipa errors.

Nathan Lager lagern at lafayette.edu
Wed Sep 19 15:26:09 UTC 2012 

On 09/19/2012 10:37 AM, Rob Crittenden wrote:
> Lager, Nathan T. wrote:
>> 
>> ----- Original Message -----
>>> From: "Rob Crittenden" <rcritten at redhat.com> To: "Nathan Lager"
>>> <lagern at lafayette.edu> Cc: freeipa-users at redhat.com Sent:
>>> Tuesday, September 18, 2012 5:17:00 PM Subject: Re:
>>> [Freeipa-users] sudden ipa errors.
>>> 
>>> Ok, what are the permissions on the keytab, 
>>> /etc/httpd/conf/ipa.keytab? They should be apache:apache mode
>>> 0600.
>> 
>> [lagern at caroline0 PROD ~]$ ls -lZ /etc/httpd/conf/ipa.keytab 
>> -rw-------. apache apache
>> unconfined_u:object_r:httpd_config_t:s0 
>> /etc/httpd/conf/ipa.keytab
>> 
>>> 
>>> Are you in SELinux enforcing mode? Can you try in permissive to
>>> see if that works?
>> I was enforcing at the start of all of this, but ive since
>> switched to permissive for troubleshooting.  It hasnt made a
>> difference.
> 
> Are you getting an HTTP service principal in the client?
> 
> $ kdestroy $ kinit admin $ ipa user-show admin <fail> $ klist -fea
> 
> Lets try to skip s4u2proxy. Does this work:
> 
> $ ipa --delegate user-show admin
> 
> Unfortunately the major and minor error codes are as generic as can
> be so they aren't any help at all.
> 
> rob

Here's the output. The --delegate still failed.

[root at caroline0 PROD ~]# klist -fea
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: lagern at SYSTEMS.LAFAYETTE.EDU

Valid starting     Expires            Service principal
09/19/12 11:23:03  09/20/12 11:22:52
krbtgt/SYSTEMS.LAFAYETTE.EDU at SYSTEMS.LAFAYETTE.EDU
	Flags: FIA, Etype (skey, tkt): aes256-cts-hmac-sha1-96,
aes256-cts-hmac-sha1-96
	Addresses: (none)
09/19/12 11:23:11  09/20/12 11:22:52
HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
	Flags: FAT, Etype (skey, tkt): aes256-cts-hmac-sha1-96,
aes256-cts-hmac-sha1-96
	Addresses: (none)
[root at caroline0 PROD ~]# ipa --delegate user-show admin
ipa: ERROR: cannot connect to
u'http://caroline0.lafayette.edu/ipa/xml': Internal Server Error
[root at caroline0 PROD ~]#




-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE (#110-011-426)
System Administrator
11 Pardee Hall
Lafayette College, Easton, PA 18042

More information about the Freeipa-users mailing list