[Freeipa-users] sudden ipa errors.

Rob Crittenden rcritten at redhat.com
Fri Sep 21 14:18:51 UTC 2012


Lager, Nathan T. wrote:
> Well, after all of this, RedHat support just resolved my issue!
>
> It came down to the domain_realm definitions in /etc/krb5.conf.
>
> They had me change:
>
> [domain_realm]
>   .systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
>   systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
>
> To:
> [domain_realm]
>   .systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
>   systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
>   .lafayette.edu = SYSTEMS.LAFAYETTE.EDU
>   lafayette.edu = SYSTEMS.LAFAYETTE.EDU
>
> After doing so, I restarted IPA, and my commands are working properly now!
>
> Now, to get my replica back in order...

Wow. OK, I'm glad it's working. Do we have any idea how this file 
changed? Is it wrong on all your clients or only on this one master?

rob

>
>
> ----- Original Message -----
>> From: "Nathan Lager" <lagern at lafayette.edu>
>> To: "Rob Crittenden" <rcritten at redhat.com>
>> Cc: freeipa-users at redhat.com
>> Sent: Thursday, September 20, 2012 2:46:20 PM
>> Subject: Re: [Freeipa-users] sudden ipa errors.
>> On 09/20/2012 02:28 PM, Rob Crittenden wrote:
>>> Nathan Lager wrote:
>>>>
>>>>
>>>> On 09/20/2012 11:43 AM, Rob Crittenden wrote:
>>>>> Lager, Nathan T. wrote:
>>>>>>
>>>>>> ----- Original Message -----
>>>>>>> From: "Rob Crittenden" <rcritten at redhat.com>
>>>>>>> To: "Nathan Lager" <lagern at lafayette.edu>
>>>>>>> Cc: freeipa-users at redhat.com
>>>>>>> Sent: Wednesday, September 19, 2012 4:35:30 PM
>>>>>>> Subject: Re: [Freeipa-users] sudden ipa errors.
>>>>>>> Nathan Lager wrote:
>>>>>>>>
>>>>>>>> On 09/19/2012 03:47 PM, Rob Crittenden wrote:
>>>>>>>>> Dmitri Pal wrote:
>>>>>>>>>>
>>>>>>>>>> Rob, keytab and kerberos part seems to be fine, ldap
>>>>>>>>>> works too. Can it be one of the certs? May be some
>>>>>>>>>> cert expired?
>>>>>>>>>
>>>>>>>>> No, the error is coming from GSSAPI, it is
>>>>>>>>> unfortunately completely useless. I think we've pretty
>>>>>>>>> well narrowed down the problem to httpd/mod_auth_kerb
>>>>>>>>> but I don't know yet if this is a configuration issue
>>>>>>>>> or a bug.
>>>>>>>>>
>>>>>>>>> Nathan, can you show me your
>>>>>>>>> /etc/httpd/conf.d/ipa.conf?
>>>>>>>> Sure, as far as I know it's completely stock, aside from
>>>>>>>> the krb password auth change.
>>>>>>>
>>>>>>> Yup, configuration looks fine.
>>>>>>>
>>>>>>> Ok, let's eliminate the ipa tool as the problem and try
>>>>>>> curl:
>>>>>>>
>>>>>>> Create a file test.json with these contents:
>>>>>>>
>>>>>>> {"method":"batch","params":[[
>>>>>>> {"method":"user_show","params":[["admin"],{"all":false}]}
>>>>>>> ],{}],"id":1}
>>>>>>>
>>>>>>> then run this:
>>>>>>>
>>>>>>> curl -H "Content-Type:application/json" -H "Accept:application/json" -H "Accept-Language:en" -H "Referer: https://caroline0.lafayette.edu/ipa/xml" --negotiate -u : --cacert /etc/ipa/ca.crt -d @test.json -X POST https://caroline0.lafayette.edu/ipa/json
>>>>>>>
>>>>>> Seems to be running into the same trouble.
>>>>>>
>>>>>> [lagern at caroline0 PROD ~]$ curl -H "Content-Type:application/json" -H "Accept:application/json" -H "Accept-Language:en" -H "Referer: https://caroline0.lafayette.edu/ipa/xml" --negotiate -u : --cacert /etc/ipa/ca.crt -d @test.json -X POST https://caroline0.lafayette.edu/ipa/json
>>>>>> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
>>>>>> <html><head>
>>>>>> <title>500 Internal Server Error</title>
>>>>>> </head><body>
>>>>>> <h1>Internal Server Error</h1>
>>>>>> <p>The server encountered an internal error or misconfiguration and was unable to complete your request.</p>
>>>>>> <p>Please contact the server administrator, root at localhost and inform them of the time the error occurred, and anything you might have done that may have caused the error.</p>
>>>>>> <p>More information about this error may be available in the server error log.</p>
>>>>>> <hr>
>>>>>> <address>Apache/2.2.15 (Red Hat) Server at caroline0.lafayette.edu Port 443</address>
>>>>>> </body></html>
>>>>>
>>>>> Ok, need to gather some more info:
>>>>>
>>>>> # kvno HTTP/caroline0.lafayette.edu
>>>>> # klist -kt /etc/httpd/conf/ipa.keytab
>>>>>
>>>> [root at caroline0 PROD ~]# kvno HTTP/caroline0.lafayette.edu
>>>> HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU: kvno = 3
>>>> [root at caroline0 PROD ~]# klist -kt /etc/httpd/conf/ipa.keytab
>>>> Keytab name: WRFILE:/etc/httpd/conf/ipa.keytab
>>>> KVNO Timestamp         Principal
>>>> ---- ----------------- --------------------------------------------------------
>>>>    2 02/03/12 16:31:27 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>>>>    2 02/03/12 16:31:27 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>>>>
>>>
>>> It may be nothing, but I wonder why kvno 2 has 6 keys and 3 has
>>> only 4. Did you change the available encryption types?
>>>
>> I have not changed them, not intentionally anyway. Could it be that
>> an update did so? I installed IPA around RHEL 6.1 or so, and have been
>> updating it via yum periodically.
>>
>>> Can you re-run the klist command with -e as well? klist -ekt ...
>>>
>> [root at caroline0 PROD ~]# klist -kte /etc/httpd/conf/ipa.keytab
>> Keytab name: WRFILE:/etc/httpd/conf/ipa.keytab
>> KVNO Timestamp         Principal
>> ---- ----------------- --------------------------------------------------------
>>    2 02/03/12 16:31:27 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (aes256-cts-hmac-sha1-96)
>>    2 02/03/12 16:31:27 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (aes128-cts-hmac-sha1-96)
>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (des3-cbc-sha1)
>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (arcfour-hmac)
>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (des-hmac-sha1)
>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (des-cbc-md5)
>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (aes256-cts-hmac-sha1-96)
>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (aes128-cts-hmac-sha1-96)
>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (des3-cbc-sha1)
>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (arcfour-hmac)
>>
>>
>>> rob
>>>
>>
>> --
>> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>> Nathan Lager, RHCSA, RHCE (#110-011-426)
>> System Administrator
>> 11 Pardee Hall
>> Lafayette College, Easton, PA 18042
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
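An added illustration, not part of the thread or of FreeIPA: a small Python model of the [domain_realm] lookup libkrb5 performs, run against the before and after blocks quoted above. The master's hostname, caroline0.lafayette.edu (from the prompts and the curl URL in the thread), is not under systems.lafayette.edu, so the original map gives no match for it; the fallback to an uppercased parent domain, the exact matching order, and the mod_auth_kerb reading are assumptions made for this example.

```python
# Constructed sample: the [domain_realm] block quoted in the thread, before
# and after the two entries Red Hat support had Nathan add.
KRB5_CONF_BEFORE = """[libdefaults]
  default_realm = SYSTEMS.LAFAYETTE.EDU
[domain_realm]
  .systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
  systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
"""
KRB5_CONF_AFTER = KRB5_CONF_BEFORE + """  .lafayette.edu = SYSTEMS.LAFAYETTE.EDU
  lafayette.edu = SYSTEMS.LAFAYETTE.EDU
"""

def parse_domain_realm(conf_text):
    """Return the [domain_realm] section as {domain-or-host: REALM}."""
    mapping, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1]
        elif section == 'domain_realm' and '=' in line:
            key, value = (s.strip() for s in line.split('=', 1))
            mapping[key.lower()] = value
    return mapping

def host_to_realm(hostname, mapping):
    """Model of libkrb5's lookup: the exact host first, then each parent
    domain with a leading dot, longest suffix first. None: nothing matched."""
    host = hostname.rstrip('.').lower()
    if host in mapping:
        return mapping[host]
    labels = host.split('.')
    for i in range(1, len(labels)):
        suffix = '.' + '.'.join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return None

def audit(conf_text, hosts, expected_realm):
    """Classify each host; an unmapped one falls back to the uppercased parent
    domain (assumed here), so mod_auth_kerb looks in the wrong realm."""
    mapping = parse_domain_realm(conf_text)
    result = {}
    for h in hosts:
        realm = host_to_realm(h, mapping)
        realm = realm or 'unmapped, guess ' + h.split('.', 1)[1].upper()
        result[h] = 'ok' if realm == expected_realm else realm
    return result
```

Running audit() over the IPA masters and clients with the realm you expect flags any host the map does not cover before it turns into an opaque GSSAPI failure in httpd.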



