[Freeipa-users] ipa-* tools throws errors
Martin Kosek
mkosek at redhat.com
Tue Mar 5 15:25:38 UTC 2013
On 03/05/2013 04:21 PM, David Fitzgerald wrote:
> Hello everyone,
>
>
>
> I have been running a freeIPA server on Scientific Linux 6.2 for about a year.
> Yesterday I started not being able to run any "ipa-" commands. Running kinit
> admin gives me the proper tickets, but when I run any ipa- command I get the
> following error:
>
>
>
> ipa: ERROR: Kerberos error: Service u'HTTP@cyclone.esci.millersville.edu' not
> found in Kerberos database/.
>
>
>
> I have no idea where the cyclone.esci.millersville.edu is coming from, as that
> used to be a Windows Domain server that was decommissioned years ago and is no
> longer in DNS, nor in /etc/hosts. I even grep -R all of the files in /etc and
> none refer to cyclone. I checked the ipa config and krb5.conf files and they
> are pointing at the proper ipa server.
>
>
>
> Checking log files I get these messages when I try to run ipa commands:
>
>
>
> /var/log/httpd/error log:
>
> [Tue Mar 05 08:57:54 2013] [error] ipa: ERROR: 500 Internal Server Error:
> xmlserver.__call__: KRB5CCNAME not defined in HTTP request environment
>
>
>
> /var/log/ipa
>
> Mar 05 09:57:00 aurora.esci.millersville.edu krb5kdc[12534](info): TGS_REQ (4
> etypes {18 17 16 23}) 166.66.65.39: ISSUE: authtime 1362491436, etypes {rep=18
> tkt=18 ses=18}, admin@LINUX.DIRSRV.LOCAL for
> krbtgt/LINUX.DIRSRV.LOCAL@LINUX.DIRSRV.LOCAL
>
> Mar 05 09:57:00 aurora.esci.millersville.edu krb5kdc[12534](info): TGS_REQ (4
> etypes {18 17 16 23}) 166.66.65.39: UNKNOWN_SERVER: authtime 0,
> admin@LINUX.DIRSRV.LOCAL for
> HTTP/cyclone.esci.millersville.edu@LINUX.DIRSRV.LOCAL, Server not found in
> Kerberos database
>
>
>
> I Googled these error messages, but none of the results seemed to apply to my
> situation or didn't solve the problem. Can anyone point me in the right
> direction? Any help is greatly appreciated.
>
>
>
> For what they are worth, here are my /etc/krb5.conf and /etc/ipa/default.conf
> files:
>
>
>
> /etc/krb5.conf:
>
> includedir /var/lib/sss/pubconf/krb5.include.d/
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = LINUX.DIRSRV.LOCAL
> dns_lookup_realm = false
> dns_lookup_kdc = false
> rdns = false
> ticket_lifetime = 24h
> forwardable = yes
>
> [realms]
> LINUX.DIRSRV.LOCAL = {
> kdc = aurora.esci.millersville.edu:88
> admin_server = aurora.esci.millersville.edu:749
> default_domain = esci.millersville.edu
> pkinit_anchors = FILE:/etc/ipa/ca.crt
> }
>
> [domain_realm]
> .esci.millersville.edu = LINUX.DIRSRV.LOCAL
> esci.millersville.edu = LINUX.DIRSRV.LOCAL
>
> [dbmodules]
> # LINUX.DIRSRV.LOCAL = {
> # db_library = kldap
> # ldap_servers = ldapi://%2fvar%2frun%2fslapd-LINUX-DIRSRV-LOCAL.socket
> # ldap_kerberos_container_dn = cn=kerberos,dc=linux,dc=dirsrv,dc=local
> # ldap_kdc_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=linux,dc=dirsrv,dc=local
> # ldap_kadmind_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=linux,dc=dirsrv,dc=local
> # ldap_service_password_file = /var/kerberos/krb5kdc/ldappwd
> # }
>
> LINUX.DIRSRV.LOCAL = {
> db_library = ipadb.so
> }
>
>
>
> /etc/ipa/default.conf
>
> [global]
> host=aurora.esci.millersville.edu
> basedn=dc=linux,dc=dirsrv,dc=local
> realm=LINUX.DIRSRV.LOCAL
> domain=esci.millersville.edu
> xmlrpc_uri=https://aurora.esci.millersville.edu/ipa/xml
> ldap_uri=ldapi://%2fvar%2frun%2fslapd-LINUX-DIRSRV-LOCAL.socket
> enable_ra=True
> ra_plugin=dogtag
> mode=production
>
>
>
>
>
> +++++++++++++++++++++++
>
> David Fitzgerald
>
> Department of Earth Sciences
>
> Millersville University
>
> Millersville, PA 17551
>
>
>
> Phone: 717-871-2394
>
>
Hello David,
I suspect this is caused by broken DNS reverse resolution, as Kerberos client
software often uses the result of reverse record (PTR RR) resolution as a
hostname and not the actual hostname configured on your system.
What does "host $IP_ADDRESS_OF_YOUR_HOST" return? Does it return the correct
hostname?
Martin
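
The reverse-resolution check suggested in this reply can be scripted as below. This is an added example, not part of the original thread and not FreeIPA code: it compares the HTTP service principal the server owns with the one a client that canonicalizes through PTR records would request. The address 192.0.2.10 and the stale PTR record are constructed sample data for the scenario Martin suspects; `check_host` and `demo` are hypothetical names.

```python
import socket

def forward_lookup(name):
    """Addresses the system resolver returns for name."""
    infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def reverse_lookup(addr):
    """PTR name for addr, or None when no reverse record exists."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except (socket.herror, socket.gaierror):
        return None

def check_host(name, realm, service="HTTP",
               forward=forward_lookup, reverse=reverse_lookup):
    """Return (expected principal, [(addr, requested principal, status)])."""
    expected = f"{service}/{name.lower()}@{realm}"
    findings = []
    for addr in forward(name):
        ptr = reverse(addr)
        if ptr is None:
            findings.append((addr, None, "no PTR record"))
            continue
        # A client that trusts the PTR answer builds the principal from it.
        requested = f"{service}/{ptr.rstrip('.').lower()}@{realm}"
        status = "ok" if requested == expected else "PTR mismatch"
        findings.append((addr, requested, status))
    return expected, findings

# Constructed sample data: the forward record is correct, but the PTR record
# still names a decommissioned host (assumed scenario, not confirmed above).
SAMPLE_A = {"aurora.esci.millersville.edu": ["192.0.2.10"]}
SAMPLE_PTR = {"192.0.2.10": "cyclone.esci.millersville.edu."}

def demo():
    return check_host("aurora.esci.millersville.edu", "LINUX.DIRSRV.LOCAL",
                      forward=lambda n: SAMPLE_A[n],
                      reverse=lambda a: SAMPLE_PTR.get(a))

if __name__ == "__main__":
    expected, findings = demo()
    print("expected principal:", expected)
    for addr, requested, status in findings:
        print(f"{addr}: {requested} [{status}]")
```

Calling `check_host` without the `forward` and `reverse` arguments queries the system resolver instead of the sample tables.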