[Freeipa-users] sudden ipa errors.

Nathan Lager lagern at lafayette.edu
Thu Sep 20 18:46:20 UTC 2012



On 09/20/2012 02:28 PM, Rob Crittenden wrote:
> Nathan Lager wrote:
>> 
>> 
>> On 09/20/2012 11:43 AM, Rob Crittenden wrote:
>>> Lager, Nathan T. wrote:
>>>> 
>>>> ----- Original Message -----
>>>>> From: "Rob Crittenden" <rcritten at redhat.com>
>>>>> To: "Nathan Lager" <lagern at lafayette.edu>
>>>>> Cc: freeipa-users at redhat.com
>>>>> Sent: Wednesday, September 19, 2012 4:35:30 PM
>>>>> Subject: Re: [Freeipa-users] sudden ipa errors.
>>>>> 
>>>>> Nathan Lager wrote:
>>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>>> Hash: SHA1
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> On 09/19/2012 03:47 PM, Rob Crittenden wrote:
>>>>>>> Dmitri Pal wrote:
>>>>>>>> 
>>>>>>>> Rob, keytab and kerberos part seems to be fine, ldap 
>>>>>>>> works too. Can it be one of the certs? May be some
>>>>>>>> cert expired?
>>>>>>> 
>>>>>>> No, the error is coming from GSSAPI, it is
>>>>>>> unfortunately completely useless. I think we've pretty
>>>>>>> well narrowed down the problem to httpd/mod_auth_kerb
>>>>>>> but I don't know yet if this is a configuration issue
>>>>>>> or a bug.
>>>>>>> 
>>>>>>> Nathan, can you show me your
>>>>>>> /etc/httpd/conf.d/ipa.conf?
>>>>>> Sure, as far as I know its completely stock, aside from
>>>>>> the krb password auth change.
>>>>> 
>>>>> Yup, configuration looks fine.
>>>>> 
>>>>> Ok, let's eliminate the ipa tool as the problem and try
>>>>> curl:
>>>>> 
>>>>> Create a file test.json with these contents:
>>>>> 
>>>>> {"method":"batch","params":[[ 
>>>>> {"method":"user_show","params":[["admin"],{"all":false}]} 
>>>>> ],{}],"id":1}
>>>>> 
>>>>> then run this:
>>>>> 
>>>>> curl -H "Content-Type:application/json" \
>>>>>      -H "Accept:application/json" \
>>>>>      -H "Accept-Language:en" \
>>>>>      -H "Referer: https://caroline0.lafayette.edu/ipa/xml" \
>>>>>      --negotiate -u : --cacert /etc/ipa/ca.crt \
>>>>>      -d @test.json -X POST https://caroline0.lafayette.edu/ipa/json
>>>>> 
>>>> Seems to be running into the same trouble.
>>>> 
>>>> [lagern at caroline0 PROD ~]$ curl -H "Content-Type:application/json" \
>>>>     -H "Accept:application/json" -H "Accept-Language:en" \
>>>>     -H "Referer: https://caroline0.lafayette.edu/ipa/xml" \
>>>>     --negotiate -u : --cacert /etc/ipa/ca.crt -d @test.json -X POST \
>>>>     https://caroline0.lafayette.edu/ipa/json
>>>> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
>>>> <html><head>
>>>> <title>500 Internal Server Error</title>
>>>> </head><body>
>>>> <h1>Internal Server Error</h1>
>>>> <p>The server encountered an internal error or misconfiguration and was
>>>> unable to complete your request.</p>
>>>> <p>Please contact the server administrator, root at localhost and inform
>>>> them of the time the error occurred, and anything you might have done
>>>> that may have caused the error.</p>
>>>> <p>More information about this error may be available in the server
>>>> error log.</p>
>>>> <hr>
>>>> <address>Apache/2.2.15 (Red Hat) Server at caroline0.lafayette.edu Port 443</address>
>>>> </body></html>
>>> 
>>> Ok, need to gather some more info:
>>> 
>>> # kvno HTTP/caroline0.lafayette.edu
>>> # klist -kt /etc/httpd/conf/ipa.keytab
>>> 
>> [root at caroline0 PROD ~]# kvno HTTP/caroline0.lafayette.edu
>> HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU: kvno = 3
>> [root at caroline0 PROD ~]# klist -kt /etc/httpd/conf/ipa.keytab
>> Keytab name: WRFILE:/etc/httpd/conf/ipa.keytab
>> KVNO Timestamp         Principal
>> ---- ----------------- --------------------------------------------------------
>>    2 02/03/12 16:31:27 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>>    2 02/03/12 16:31:27 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>> 
>> 
> 
> It may be nothing, but I wonder why kvno 2 has 6 keys and 3 has
> only 4. Did you change the available encryption types?
> 
I have not changed them, not intentionally anyway.  Could it be that
an update did so?  I installed IPA around RHEL 6.1 or so, and have been
updating it via yum periodically.

> Can you re-run the klist command with -e as well? klist -ekt ...
> 
[root at caroline0 PROD ~]# klist -kte /etc/httpd/conf/ipa.keytab
Keytab name: WRFILE:/etc/httpd/conf/ipa.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 02/03/12 16:31:27 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (aes256-cts-hmac-sha1-96)
   2 02/03/12 16:31:27 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (aes128-cts-hmac-sha1-96)
   2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (des3-cbc-sha1)
   2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (arcfour-hmac)
   2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (des-hmac-sha1)
   2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (des-cbc-md5)
   3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (aes256-cts-hmac-sha1-96)
   3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (aes128-cts-hmac-sha1-96)
   3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (des3-cbc-sha1)
   3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (arcfour-hmac)


> rob
> 

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE (#110-011-426)
System Administrator
11 Pardee Hall
Lafayette College, Easton, PA 18042
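The kvno/klist comparison in the exchange above, as an added diagnostic example that is not part of the thread and not code from the FreeIPA project: a Python script that parses what `klist -ekt <keytab>` and `kvno <principal>` print, groups keytab entries by key version, and reports whether the KVNO the KDC currently issues is present in the keytab, which enctypes disappeared between the previous and the latest key version (the six-keys-versus-four asymmetry Rob asks about), and which single-DES or RC4 types remain. The sample inputs are constructed from the listing posted above, with the archive's " at " address munging turned back into "@"; the regular expressions, the legacy-enctype list and all function names are the example's own.

```python
"""Cross-check a Kerberos service keytab against the KDC, offline.

Added example, not code from the thread or from FreeIPA.  The sample inputs
below are constructed from the klist/kvno output posted in the thread.
"""
import re
from collections import defaultdict

# Constructed sample: `klist -ekt /etc/httpd/conf/ipa.keytab`, one entry per line.
SAMPLE_KLIST = """\
Keytab name: WRFILE:/etc/httpd/conf/ipa.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 02/03/12 16:31:27 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (aes256-cts-hmac-sha1-96)
   2 02/03/12 16:31:27 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (aes128-cts-hmac-sha1-96)
   2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (des3-cbc-sha1)
   2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (arcfour-hmac)
   2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (des-hmac-sha1)
   2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (des-cbc-md5)
   3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (aes256-cts-hmac-sha1-96)
   3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (aes128-cts-hmac-sha1-96)
   3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (des3-cbc-sha1)
   3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (arcfour-hmac)
"""
# Constructed sample: `kvno HTTP/caroline0.lafayette.edu`.
SAMPLE_KVNO = "HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU: kvno = 3"

# One keytab entry: "<kvno> <date> <time> <principal> (<enctype>)".
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+\s+\S+)\s+(\S+)\s+\((\S+)\)\s*$")
# One line of `kvno` output: "<principal>: kvno = <n>".
KVNO_RE = re.compile(r"^(\S+):\s+kvno\s*=\s*(\d+)\s*$")

# Single-DES and RC4 enctypes (assumed list for this example): legacy types
# a practitioner would want flagged if they are still in the current key.
LEGACY_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-hmac-sha1",
                   "arcfour-hmac", "arcfour-hmac-md5", "arcfour-hmac-exp"}


def parse_klist(text):
    """Return {principal: {kvno: set(enctypes)}} from `klist -ekt` output."""
    keys = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:  # the "Keytab name:", header and separator lines do not match
            kvno, _timestamp, principal, enctype = m.groups()
            keys[principal][int(kvno)].add(enctype)
    return {p: dict(v) for p, v in keys.items()}


def parse_kvno(text):
    """Return (principal, kvno) from one line of `kvno` output."""
    m = KVNO_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised kvno output: %r" % text)
    return m.group(1), int(m.group(2))


def analyze(klist_text, kvno_text):
    """Compare the keytab listing with the KVNO the KDC issues; return findings."""
    principal, kdc_kvno = parse_kvno(kvno_text)
    versions = parse_klist(klist_text).get(principal, {})
    kvnos = sorted(versions)
    latest = versions[kvnos[-1]] if kvnos else set()
    previous = versions[kvnos[-2]] if len(kvnos) > 1 else set()
    return {
        "principal": principal,
        "kdc_kvno": kdc_kvno,
        "keytab_kvnos": kvnos,
        # Without this key version the service cannot decrypt the tickets
        # the KDC is handing out, so GSSAPI acceptance fails outright.
        "kdc_kvno_in_keytab": kdc_kvno in versions,
        # Enctypes present in the previous version but missing from the latest.
        "dropped_enctypes": previous - latest,
        "added_enctypes": latest - previous,
        "legacy_in_latest": latest & LEGACY_ENCTYPES,
    }


def report(findings):
    """Render the findings as the lines an admin would read."""
    lines = ["%s: KDC issues kvno %d, keytab holds %s" % (
        findings["principal"], findings["kdc_kvno"], findings["keytab_kvnos"] or "no keys")]
    if not findings["kdc_kvno_in_keytab"]:
        lines.append("  PROBLEM: keytab lacks kvno %d; re-fetch the keytab" % findings["kdc_kvno"])
    if findings["dropped_enctypes"]:
        lines.append("  dropped since previous kvno: " + ", ".join(sorted(findings["dropped_enctypes"])))
    if findings["added_enctypes"]:
        lines.append("  added in latest kvno: " + ", ".join(sorted(findings["added_enctypes"])))
    if findings["legacy_in_latest"]:
        lines.append("  legacy enctypes in latest kvno: " + ", ".join(sorted(findings["legacy_in_latest"])))
    return lines


if __name__ == "__main__":
    print("\n".join(report(analyze(SAMPLE_KLIST, SAMPLE_KVNO))))
```

On the sample from the thread the script confirms that kvno 3 is in the keytab (so the KVNO itself is not the cause of the 500), lists des-hmac-sha1 and des-cbc-md5 as the two enctypes that vanished between kvno 2 and kvno 3, and flags arcfour-hmac as the one legacy type still present. To use it against a live host, feed it the captured output of the two commands instead of the constructed samples.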



