[Freeipa-users] sudden ipa errors.

Dmitri Pal dpal at redhat.com
Fri Sep 21 15:19:40 UTC 2012


On 09/21/2012 11:13 AM, Nathan Lager wrote:
>
>
> On 09/21/2012 11:07 AM, Nathan Lager wrote:
>
>
> > On 09/21/2012 10:18 AM, Rob Crittenden wrote:
> >> Lager, Nathan T. wrote:
> >>> Well, after all of this, RedHat support just resolved my
> >>> issue!
> >>>
> >>> It came down the the domain_realm definitions in
> >>> /etc/krb5.conf.
> >>>
> >>> They had me change:
> >>>
> >>> [domain_realm]
> >>> .systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
> >>> systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
> >>>
> >>> To:
> >>>
> >>> [domain_realm]
> >>> .systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
> >>> systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
> >>> .lafayette.edu = SYSTEMS.LAFAYETTE.EDU
> >>> lafayette.edu = SYSTEMS.LAFAYETTE.EDU
> >>>
> >>> After doing so, I restarted IPA, and my commands are working
> >>> properly now!
> >>>
> >>> Now, to get my replica back in order...
>
> >> Wow. OK, I'm glad it's working. Do we have any idea how this file
> >>  changed? Is it wrong on all your clients or only on this one
> >> master?
>
> > It appears wrong on my replica as well, caroline1.  There are no
> > clients currently, other than RHEV.
>
> > I only have one lingering issue, aside from my replica being
> > broken.
>
> > I still can't reset admin's password. It gives me the same error
> > as before.
>
> > [root at caroline0 PROD ~]# kinit admin
> > Password for admin at SYSTEMS.LAFAYETTE.EDU:
> > Password expired.  You must change it now.
> > Enter new password:
> > Enter it again:
> > kinit: Password has expired while getting initial credentials
>
>
> Fixed this, on a hunch.  When the password expired, the pwpolicy was
> set to 90 days. RedHat Support had me change it to 9999 days to
> effectively disable it so others wouldn't expire (because no one could
> change passwords).
>
> I had a hunch that because the policy was now set greater than the
> time it's been since admin last changed his password, ipa was
> getting confused when I attempted to change the expired pass.  So I
> set it back to 90.  It let me change the expired password.
>
> That might be worthy of a bug report.
>
>
Can you please file one?


>
>
> >> rob
>
> >>>
> >>>
> >>> ----- Original Message -----
> >>>> From: "Nathan Lager" <lagern at lafayette.edu>
> >>>> To: "Rob Crittenden" <rcritten at redhat.com>
> >>>> Cc: freeipa-users at redhat.com
> >>>> Sent: Thursday, September 20, 2012 2:46:20 PM
> >>>> Subject: Re: [Freeipa-users] sudden ipa errors.
> >>>>
> >>>> On 09/20/2012 02:28 PM, Rob Crittenden wrote:
> >>>>> Nathan Lager wrote:
> >>>>>>
> >>>>>>
> >>>>>> On 09/20/2012 11:43 AM, Rob Crittenden wrote:
> >>>>>>> Lager, Nathan T. wrote:
> >>>>>>>>
> >>>>>>>> ----- Original Message -----
> >>>>>>>>> From: "Rob Crittenden" <rcritten at redhat.com>
> >>>>>>>>> To: "Nathan Lager" <lagern at lafayette.edu>
> >>>>>>>>> Cc: freeipa-users at redhat.com
> >>>>>>>>> Sent: Wednesday, September 19, 2012 4:35:30 PM
> >>>>>>>>> Subject: Re: [Freeipa-users] sudden ipa errors.
> >>>>>>>>>
> >>>>>>>>> Nathan Lager wrote:
> >>>>>>>>>> On 09/19/2012 03:47 PM, Rob Crittenden wrote:
> >>>>>>>>>>> Dmitri Pal wrote:
> >>>>>>>>>>>>
> >>>>>>>>>>>> Rob, keytab and kerberos part seems to be
> >>>>>>>>>>>> fine, ldap works too. Can it be one of the
> >>>>>>>>>>>> certs? Maybe some cert expired?
> >>>>>>>>>>>
> >>>>>>>>>>> No, the error is coming from GSSAPI, it is
> >>>>>>>>>>> unfortunately completely useless. I think
> >>>>>>>>>>> we've pretty well narrowed down the problem to
> >>>>>>>>>>> httpd/mod_auth_kerb but I don't know yet if
> >>>>>>>>>>> this is a configuration issue or a bug.
> >>>>>>>>>>>
> >>>>>>>>>>> Nathan, can you show me your
> >>>>>>>>>>> /etc/httpd/conf.d/ipa.conf?
> >>>>>>>>>> Sure, as far as I know it's completely stock,
> >>>>>>>>>> aside from the krb password auth change.
> >>>>>>>>>
> >>>>>>>>> Yup, configuration looks fine.
> >>>>>>>>>
> >>>>>>>>> Ok, let's eliminate the ipa tool as the problem
> >>>>>>>>> and try curl:
> >>>>>>>>>
> >>>>>>>>> Create a file test.json with these contents:
> >>>>>>>>>
> >>>>>>>>> {"method":"batch","params":[[
> >>>>>>>>> {"method":"user_show","params":[["admin"],{"all":false}]}
> >>>>>>>>> ],{}],"id":1}
> >>>>>>>>>
> >>>>>>>>> then run this:
> >>>>>>>>>
> >>>>>>>>> curl -H "Content-Type:application/json" \
> >>>>>>>>>      -H "Accept:application/json" -H "Accept-Language:en" \
> >>>>>>>>>      -H "Referer: https://caroline0.lafayette.edu/ipa/xml" \
> >>>>>>>>>      --negotiate -u : --cacert /etc/ipa/ca.crt \
> >>>>>>>>>      -d @test.json -X POST https://caroline0.lafayette.edu/ipa/json
> >>>>>>>>>
> >>>>>>>> Seems to be running into the same trouble.
> >>>>>>>>
> >>>>>>>> [lagern at caroline0 PROD ~]$ curl -H "Content-Type:application/json" \
> >>>>>>>>     -H "Accept:application/json" -H "Accept-Language:en" \
> >>>>>>>>     -H "Referer: https://caroline0.lafayette.edu/ipa/xml" \
> >>>>>>>>     --negotiate -u : --cacert /etc/ipa/ca.crt \
> >>>>>>>>     -d @test.json -X POST https://caroline0.lafayette.edu/ipa/json
> >>>>>>>> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> >>>>>>>> <html><head>
> >>>>>>>> <title>500 Internal Server Error</title>
> >>>>>>>> </head><body>
> >>>>>>>> <h1>Internal Server Error</h1>
> >>>>>>>> <p>The server encountered an internal error or
> >>>>>>>> misconfiguration and was unable to complete your request.</p>
> >>>>>>>> <p>Please contact the server administrator, root at localhost and inform them of the
> >>>>>>>> time the error occurred, and anything you might have done that may have caused the error.</p>
> >>>>>>>> <p>More information about this error may be available in the server error log.</p>
> >>>>>>>> <hr>
> >>>>>>>> <address>Apache/2.2.15 (Red Hat) Server at caroline0.lafayette.edu Port 443</address>
> >>>>>>>> </body></html>
> >>>>>>>
> >>>>>>> Ok, need to gather some more info:
> >>>>>>>
> >>>>>>> # kvno HTTP/caroline0.lafayette.edu
> >>>>>>> # klist -kt /etc/httpd/conf/ipa.keytab
> >>>>>>>
> >>>>>> [root at caroline0 PROD ~]# kvno HTTP/caroline0.lafayette.edu
> >>>>>> HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU: kvno = 3
> >>>>>> [root at caroline0 PROD ~]# klist -kt /etc/httpd/conf/ipa.keytab
> >>>>>> Keytab name: WRFILE:/etc/httpd/conf/ipa.keytab
> >>>>>> KVNO Timestamp         Principal
> >>>>>> ---- ----------------- --------------------------------------------------------
> >>>>>>    2 02/03/12 16:31:27 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
> >>>>>>    2 02/03/12 16:31:27 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
> >>>>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
> >>>>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
> >>>>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
> >>>>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
> >>>>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
> >>>>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
> >>>>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
> >>>>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
> >>>>>>
> >>>>>
> >>>>> It may be nothing, but I wonder why kvno 2 has 6 keys and
> >>>>> 3 has only 4. Did you change the available encryption
> >>>>> types?
> >>>>>
> >>>> I have not changed them, not intentionally anyway. Could it
> >>>> be that an update did so? I installed IPA around RHEL 6.1 or
> >>>> so, and have been updating it via yum periodically.
> >>>>
> >>>>> Can you re-run the klist command with -e as well? klist
> >>>>> -ekt ...
> >>>>>
> >>>> [root at caroline0 PROD ~]# klist -kte /etc/httpd/conf/ipa.keytab
> >>>> Keytab name: WRFILE:/etc/httpd/conf/ipa.keytab
> >>>> KVNO Timestamp         Principal
> >>>> ---- ----------------- --------------------------------------------------------
> >>>>    2 02/03/12 16:31:27 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (aes256-cts-hmac-sha1-96)
> >>>>    2 02/03/12 16:31:27 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (aes128-cts-hmac-sha1-96)
> >>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (des3-cbc-sha1)
> >>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (arcfour-hmac)
> >>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (des-hmac-sha1)
> >>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (des-cbc-md5)
> >>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (aes256-cts-hmac-sha1-96)
> >>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (aes128-cts-hmac-sha1-96)
> >>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (des3-cbc-sha1)
> >>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU (arcfour-hmac)
> >>>>
> >>>>
> >>>>> rob
> >>>>>
> >>>>
> >>>> -- 
> >>>> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> >>>> Nathan Lager, RHCSA, RHCE (#110-011-426)
> >>>> System Administrator
> >>>> 11 Pardee Hall
> >>>> Lafayette College, Easton, PA 18042
> >>>>
> >>>> _______________________________________________
> >>>> Freeipa-users mailing list Freeipa-users at redhat.com
> >>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>
>
>
>

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
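The fix the thread arrived at is a [domain_realm] mapping problem: the IPA host lives in lafayette.edu but its realm is SYSTEMS.LAFAYETTE.EDU, and only the systems.lafayette.edu entries existed. The example below is added here (not from the thread or the FreeIPA project) and resolves a hostname the way MIT krb5 walks [domain_realm], using the quoted before/after configs as constructed input; the KDC referral step is left out and only the uppercase-domain fallback is modelled (an assumption of this example).

```python
# Added example (not from the thread): resolve a host to its Kerberos realm the
# way MIT krb5 walks [domain_realm]. For a.b.c.d it tries a.b.c.d, .b.c.d,
# b.c.d, .c.d, c.d, .d, d. With no match krb5 asks the KDC for a referral and
# otherwise falls back to the uppercased parent domain; the fallback is
# reproduced here, the referral step is not (assumption: no referral).

# Constructed input: the [domain_realm] before and after the support fix.
BEFORE = """
[domain_realm]
 .systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
 systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
"""
AFTER = BEFORE + """ .lafayette.edu = SYSTEMS.LAFAYETTE.EDU
 lafayette.edu = SYSTEMS.LAFAYETTE.EDU
"""


def parse_domain_realm(text):
    """Return {domain_or_dotted_suffix: REALM} from the [domain_realm] section."""
    mapping, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("["):
            in_section = line == "[domain_realm]"
            continue
        if in_section and "=" in line:
            key, realm = (part.strip() for part in line.split("=", 1))
            mapping[key.lower()] = realm
    return mapping


def host_realm(hostname, mapping):
    """Return (realm, matched_key); matched_key is 'fallback' if no entry hit."""
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host], host
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = ".".join(labels[i:])
        for key in ("." + suffix, suffix):
            if key in mapping:
                return mapping[key], key
    # No entry: a name on caroline0.lafayette.edu resolves to LAFAYETTE.EDU
    # rather than SYSTEMS.LAFAYETTE.EDU, which is what the added entries fix.
    return ".".join(labels[1:]).upper(), "fallback"
```

Running `host_realm("caroline0.lafayette.edu", parse_domain_realm(cfg))` with the two configs shows the realm flipping from the LAFAYETTE.EDU fallback to SYSTEMS.LAFAYETTE.EDU via the .lafayette.edu entry.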
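Rob's keytab check (kvno against klist -kte, and why kvno 2 had six keys while kvno 3 had four) is worth automating when an IPA master starts returning GSSAPI errors. This is an added example, not code from the thread or from FreeIPA; it parses constructed klist and kvno output modelled on the quoted runs (with "@" restored) and reports a missing current kvno or enctypes that were dropped between key versions.

```python
import re

# Added example (not from the thread): parse `klist -kte` and `kvno` output and
# flag (a) a keytab lacking the KDC's current kvno and (b) enctypes present in
# an older kvno but absent from the newest, the 6-vs-4 drift Rob noticed.
# Constructed sample modelled on the thread's output, with "@" restored.
KLIST_OUTPUT = """\
Keytab name: WRFILE:/etc/httpd/conf/ipa.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 02/03/12 16:31:27 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (aes256-cts-hmac-sha1-96)
   2 02/03/12 16:31:27 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (aes128-cts-hmac-sha1-96)
   2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (des3-cbc-sha1)
   2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (arcfour-hmac)
   2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (des-hmac-sha1)
   2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (des-cbc-md5)
   3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (aes256-cts-hmac-sha1-96)
   3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (aes128-cts-hmac-sha1-96)
   3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (des3-cbc-sha1)
   3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (arcfour-hmac)
"""
KVNO_OUTPUT = "HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU: kvno = 3"

# One keytab entry: kvno, date, time, principal, (enctype).
ENTRY = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((\S+)\)\s*$")

def parse_klist(text):
    """Return {principal: {kvno: set(enctypes)}}; header lines do not match."""
    keys = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            kvno, princ, etype = int(m.group(1)), m.group(2), m.group(3)
            keys.setdefault(princ, {}).setdefault(kvno, set()).add(etype)
    return keys

def check_keytab(klist_text, kvno_text):
    """Return a list of findings; an empty list means the keytab looks consistent."""
    princ, current = re.match(r"^(\S+): kvno = (\d+)$", kvno_text.strip()).groups()
    by_kvno = parse_klist(klist_text).get(princ, {})
    findings = []
    if int(current) not in by_kvno:
        findings.append("keytab lacks current kvno %s for %s" % (current, princ))
    if len(by_kvno) > 1:
        newest = max(by_kvno)
        older = set().union(*(v for k, v in by_kvno.items() if k != newest))
        dropped = sorted(older - by_kvno[newest])
        if dropped:
            findings.append("kvno %d dropped enctypes: %s" % (newest, ", ".join(dropped)))
    return findings
```

On the sample, `check_keytab(KLIST_OUTPUT, KVNO_OUTPUT)` reports only the two single-DES enctypes missing from kvno 3, which matches the thread: the keytab does hold the KDC's current kvno.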


