[Freeipa-users] sudden ipa errors.

Rob Crittenden rcritten at redhat.com
Thu Sep 20 15:43:25 UTC 2012


Lager, Nathan T. wrote:
>
> ----- Original Message -----
>> From: "Rob Crittenden" <rcritten at redhat.com>
>> To: "Nathan Lager" <lagern at lafayette.edu>
>> Cc: freeipa-users at redhat.com
>> Sent: Wednesday, September 19, 2012 4:35:30 PM
>> Subject: Re: [Freeipa-users] sudden ipa errors.
>> Nathan Lager wrote:
>>>
>>> On 09/19/2012 03:47 PM, Rob Crittenden wrote:
>>>> Dmitri Pal wrote:
>>>>>
>>>>> Rob, keytab and kerberos part seems to be fine, ldap works too.
>>>>> Can it be one of the certs? Maybe some cert expired?
>>>>
>>>> No, the error is coming from GSSAPI, it is unfortunately
>>>> completely useless. I think we've pretty well narrowed down the
>>>> problem to httpd/mod_auth_kerb but I don't know yet if this is a
>>>> configuration issue or a bug.
>>>>
>>>> Nathan, can you show me your /etc/httpd/conf.d/ipa.conf?
>>> Sure, as far as I know it's completely stock, aside from the krb
>>> password auth change.
>>
>> Yup, configuration looks fine.
>>
>> Ok, let's eliminate the ipa tool as the problem and try curl:
>>
>> Create a file test.json with these contents:
>>
>> {"method":"batch","params":[[
>> {"method":"user_show","params":[["admin"],{"all":false}]}
>> ],{}],"id":1}
>>
>> then run this:
>>
>> curl -H "Content-Type:application/json" -H "Accept:application/json" \
>>   -H "Accept-Language:en" \
>>   -H "Referer: https://caroline0.lafayette.edu/ipa/xml" \
>>   --negotiate -u : --cacert /etc/ipa/ca.crt -d @test.json -X POST \
>>   https://caroline0.lafayette.edu/ipa/json
>>
> Seems to be running into the same trouble.
>
> [lagern at caroline0 PROD ~]$ curl -H "Content-Type:application/json" -H "Accept:application/json" -H "Accept-Language:en" -H "Referer: https://caroline0.lafayette.edu/ipa/xml" --negotiate -u : --cacert /etc/ipa/ca.crt -d  @test.json -X POST https://caroline0.lafayette.edu/ipa/json
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <html><head>
> <title>500 Internal Server Error</title>
> </head><body>
> <h1>Internal Server Error</h1>
> <p>The server encountered an internal error or
> misconfiguration and was unable to complete
> your request.</p>
> <p>Please contact the server administrator,
>   root at localhost and inform them of the time the error occurred,
> and anything you might have done that may have
> caused the error.</p>
> <p>More information about this error may be available
> in the server error log.</p>
> <hr>
> <address>Apache/2.2.15 (Red Hat) Server at caroline0.lafayette.edu Port 443</address>
> </body></html>

Ok, need to gather some more info:

# kvno HTTP/caroline0.lafayette.edu
# klist -kt /etc/httpd/conf/ipa.keytab

rob
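
The two commands requested above print the key version number (KVNO) the KDC currently reports for the HTTP service principal and the KVNOs stored in httpd's keytab; a service can only decrypt tickets for which its keytab holds the matching key version. The script below is an added example, not part of the original message: it parses both outputs and reports whether they agree. The principal, realm and sample output are constructed, and `check_keytab` and its helpers are hypothetical names.

```shell
#!/bin/sh
# Added example: compare the KVNO the KDC reports for a service principal
# with the KVNOs stored in the service keytab.
# Live use (commands from the message above; HTTP/host@REALM is a placeholder):
#   check_keytab "$(kvno HTTP/host)" "$(klist -kt /etc/httpd/conf/ipa.keytab)" HTTP/host@REALM

# Constructed sample output, not taken from the thread.
PRINCIPAL='HTTP/ipa.example.test@EXAMPLE.TEST'
KVNO_OUT='HTTP/ipa.example.test@EXAMPLE.TEST: kvno = 3'
KLIST_OUT='Keytab name: FILE:/etc/httpd/conf/ipa.keytab
KVNO Timestamp         Principal
---- ----------------- ----------------------------------
   2 09/01/12 10:00:00 HTTP/ipa.example.test@EXAMPLE.TEST
   2 09/01/12 10:00:00 HTTP/ipa.example.test@EXAMPLE.TEST'

# Pull N out of a "principal: kvno = N" line as printed by MIT kvno.
kdc_kvno() {
    printf '%s\n' "$1" | sed -n 's/.*: kvno = \([0-9][0-9]*\)$/\1/p' | head -n 1
}

# Distinct KVNOs for principal $2 in `klist -kt` output $1.
# Data rows start with a numeric KVNO and end with the principal name;
# the header and separator rows fail the numeric test and are skipped.
keytab_kvnos() {
    printf '%s\n' "$1" |
        awk -v p="$2" '$1 ~ /^[0-9]+$/ && $NF == p { print $1 }' | sort -un
}

# Args: kvno output, klist output, principal.
# Prints match (0), mismatch or missing (1), or no-kdc-kvno (2).
check_keytab() {
    want=$(kdc_kvno "$1")
    have=$(keytab_kvnos "$2" "$3")
    [ -n "$want" ] || { echo "no-kdc-kvno"; return 2; }
    [ -n "$have" ] || { echo "missing"; return 1; }
    if printf '%s\n' "$have" | grep -qx "$want"; then
        echo "match"; return 0
    fi
    echo "mismatch"; return 1
}

status=$(check_keytab "$KVNO_OUT" "$KLIST_OUT" "$PRINCIPAL") || true
echo "$PRINCIPAL: KDC kvno $(kdc_kvno "$KVNO_OUT"), keytab: $status"
```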
