[Freeipa-users] sudden ipa errors.

Rob Crittenden rcritten at redhat.com
Wed Sep 19 15:34:09 UTC 2012


Nathan Lager wrote:
>
> On 09/19/2012 10:37 AM, Rob Crittenden wrote:
>> Lager, Nathan T. wrote:
>>>
>>> ----- Original Message -----
>>>> From: "Rob Crittenden" <rcritten at redhat.com>
>>>> To: "Nathan Lager" <lagern at lafayette.edu>
>>>> Cc: freeipa-users at redhat.com
>>>> Sent: Tuesday, September 18, 2012 5:17:00 PM
>>>> Subject: Re: [Freeipa-users] sudden ipa errors.
>>>>
>>>> Ok, what are the permissions on the keytab,
>>>> /etc/httpd/conf/ipa.keytab? They should be apache:apache mode
>>>> 0600.
>>>
>>> [lagern at caroline0 PROD ~]$ ls -lZ /etc/httpd/conf/ipa.keytab
>>> -rw-------. apache apache
>>> unconfined_u:object_r:httpd_config_t:s0
>>> /etc/httpd/conf/ipa.keytab
>>>
>>>>
>>>> Are you in SELinux enforcing mode? Can you try in permissive to
>>>> see if that works?
>>> I was enforcing at the start of all of this, but I've since
>>> switched to permissive for troubleshooting. It hasn't made a
>>> difference.
>>
>> Are you getting an HTTP service principal in the client?
>>
>> $ kdestroy
>> $ kinit admin
>> $ ipa user-show admin
>> <fail>
>> $ klist -fea
>>
>> Let's try to skip s4u2proxy. Does this work:
>>
>> $ ipa --delegate user-show admin
>>
>> Unfortunately the major and minor error codes are as generic as can
>> be so they aren't any help at all.
>>
>> rob
>
> Here's the output. The --delegate still failed.
>
> [root at caroline0 PROD ~]# klist -fea
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: lagern at SYSTEMS.LAFAYETTE.EDU
>
> Valid starting     Expires            Service principal
> 09/19/12 11:23:03  09/20/12 11:22:52  krbtgt/SYSTEMS.LAFAYETTE.EDU at SYSTEMS.LAFAYETTE.EDU
> 	Flags: FIA, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
> 	Addresses: (none)
> 09/19/12 11:23:11  09/20/12 11:22:52  HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
> 	Flags: FAT, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
> 	Addresses: (none)
> [root at caroline0 PROD ~]# ipa --delegate user-show admin
> ipa: ERROR: cannot connect to u'http://caroline0.lafayette.edu/ipa/xml': Internal Server Error
> [root at caroline0 PROD ~]#

Is it the same major/minor error in gss_acquire_cred()?

Does GSSAPI over LDAP work?

$ ldapsearch -Y GSSAPI -h ipa.example.com -b cn=users,cn=accounts,dc=example,dc=com admin

rob
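The checks walked through in this thread (keytab owner and mode, and whether the client cache actually holds an HTTP/host service ticket and with which flags) can be scripted so they are repeatable. The helpers below are an added example written for this archive page, not code from the original mail or from FreeIPA; they assume GNU `stat` and take the `klist -fea` text as a string, so a constructed sample modelled on the listing above is embedded for demonstration.

```shell
#!/bin/sh
# Added diagnostic helpers for the checks discussed in the thread above.
# Assumption: GNU coreutils stat (-c) is available; the klist text is passed
# in as a string (captured output or the constructed sample below).

# check_keytab PATH [OWNER] [GROUP]: succeed only when the keytab is owned by
# OWNER:GROUP (default apache:apache) with mode 0600, the state asked for above.
check_keytab() {
    ktab=$1; owner=${2:-apache}; group=${3:-apache}
    [ -f "$ktab" ] || { echo "missing keytab: $ktab" >&2; return 1; }
    set -- $(stat -c '%U %G %a' "$ktab")
    if [ "$1" != "$owner" ] || [ "$2" != "$group" ] || [ "$3" != "600" ]; then
        echo "keytab $ktab is $1:$2 mode $3, want $owner:$group mode 600" >&2
        return 1
    fi
    return 0
}

# has_http_ticket KLIST_TEXT HOST: succeed when the cache listing contains a
# service ticket for HTTP/HOST@REALM, the ticket s4u2proxy needs on the client.
has_http_ticket() {
    printf '%s\n' "$1" | grep -qF "HTTP/$2@"
}

# http_ticket_flags KLIST_TEXT HOST: print the ticket flags (e.g. "FAT") of the
# HTTP/HOST@REALM entry, taken from the "Flags:" line that follows it; prints
# nothing when no such ticket is listed.
http_ticket_flags() {
    printf '%s\n' "$1" | awk -v p="HTTP/$2@" '
        index($0, p) { found = 1; next }
        found && /Flags:/ { sub(/.*Flags: */, ""); sub(/,.*/, ""); print; exit }'
}

# Constructed sample in the shape of the klist -fea output quoted above
# (an unobfuscated "@" is used here, unlike the archived mail).
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: lagern@SYSTEMS.LAFAYETTE.EDU

Valid starting     Expires            Service principal
09/19/12 11:23:03  09/20/12 11:22:52  krbtgt/SYSTEMS.LAFAYETTE.EDU@SYSTEMS.LAFAYETTE.EDU
	Flags: FIA, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
	Addresses: (none)
09/19/12 11:23:11  09/20/12 11:22:52  HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU
	Flags: FAT, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
	Addresses: (none)'

# Example use: report the HTTP ticket flags for the server in the sample.
http_ticket_flags "$SAMPLE_KLIST" caroline0.lafayette.edu
```

To run it against a live client, replace `"$SAMPLE_KLIST"` with `"$(klist -fea)"` and point `check_keytab` at `/etc/httpd/conf/ipa.keytab` on the server.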