[Freeipa-users] ipa-* tools throws errors

Martin Kosek mkosek at redhat.com
Tue Mar 5 15:25:38 UTC 2013


On 03/05/2013 04:21 PM, David Fitzgerald wrote:
> Hello everyone,
> 
> I have been running a freeIPA server on Scientific Linux 6.2 for about a year.
> Yesterday I started not being able to run any "ipa-" commands. Running kinit
> admin gives me the proper tickets, but when I run any ipa- command I get the
> following error:
> 
> ipa: ERROR: Kerberos error: Service u'HTTP at cyclone.esci.millersville.edu' not
> found in Kerberos database/.
> 
> I have no idea where the cyclone.esci.millersville.edu is coming from, as that
> used to be a Windows Domain server that was decommissioned years ago and is no
> longer in DNS, nor in /etc/hosts. I even grep -R all of the files in /etc and
> none refer to cyclone. I checked the ipa config and krb5.conf files and they
> are pointing at the proper ipa server.
> 
> Checking log files I get these messages when I try to run ipa commands:
> 
> /var/log/httpd/error log:
> 
> Tue Mar 05 08:57:54 2013] [error] ipa: ERROR: 500 Internal Server Error:
> xmlserver.__call__: KRB5CCNAME not defined in HTTP request environment
> 
> /var/log/ipa
> 
> Mar 05 09:57:00 aurora.esci.millersville.edu krb5kdc[12534](info): TGS_REQ (4
> etypes {18 17 16 23}) 166.66.65.39: ISSUE: authtime 1362491436, etypes {rep=18
> tkt=18 ses=18}, admin at LINUX.DIRSRV.LOCAL for
> krbtgt/LINUX.DIRSRV.LOCAL at LINUX.DIRSRV.LOCAL
> 
> Mar 05 09:57:00 aurora.esci.millersville.edu krb5kdc[12534](info): TGS_REQ (4
> etypes {18 17 16 23}) 166.66.65.39: UNKNOWN_SERVER: authtime 0,
> admin at LINUX.DIRSRV.LOCAL for
> HTTP/cyclone.esci.millersville.edu at LINUX.DIRSRV.LOCAL, Server not found in
> Kerberos database
> 
> I Googled these error messages, but none of the results seemed to apply to my
> situation or didn't solve the problem. Can anyone point me in the right
> direction? Any help is greatly appreciated.
> 
> For what they are worth, here are my /etc/krb5.conf and /etc/ipa/default.conf
> files:
> 
> /etc/krb5.conf:
> 
> includedir /var/lib/sss/pubconf/krb5.include.d/
> 
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
> 
> [libdefaults]
> default_realm = LINUX.DIRSRV.LOCAL
> dns_lookup_realm = false
> dns_lookup_kdc = false
> rdns = false
> ticket_lifetime = 24h
> forwardable = yes
> 
> [realms]
> LINUX.DIRSRV.LOCAL = {
>   kdc = aurora.esci.millersville.edu:88
>   admin_server = aurora.esci.millersville.edu:749
>   default_domain = esci.millersville.edu
>   pkinit_anchors = FILE:/etc/ipa/ca.crt
> }
> 
> [domain_realm]
> .esci.millersville.edu = LINUX.DIRSRV.LOCAL
> esci.millersville.edu = LINUX.DIRSRV.LOCAL
> 
> [dbmodules]
> #  LINUX.DIRSRV.LOCAL = {
> #    db_library = kldap
> #    ldap_servers = ldapi://%2fvar%2frun%2fslapd-LINUX-DIRSRV-LOCAL.socket
> #    ldap_kerberos_container_dn = cn=kerberos,dc=linux,dc=dirsrv,dc=local
> #    ldap_kdc_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=linux,dc=dirsrv,dc=local
> #    ldap_kadmind_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=linux,dc=dirsrv,dc=local
> #    ldap_service_password_file = /var/kerberos/krb5kdc/ldappwd
> #  }
> 
>   LINUX.DIRSRV.LOCAL = {
>     db_library = ipadb.so
>   }
> 
> /etc/ipa/default.conf
> 
> [global]
> host=aurora.esci.millersville.edu
> basedn=dc=linux,dc=dirsrv,dc=local
> realm=LINUX.DIRSRV.LOCAL
> domain=esci.millersville.edu
> xmlrpc_uri=https://aurora.esci.millersville.edu/ipa/xml
> ldap_uri=ldapi://%2fvar%2frun%2fslapd-LINUX-DIRSRV-LOCAL.socket
> enable_ra=True
> ra_plugin=dogtag
> mode=production
> 
> +++++++++++++++++++++++
> David Fitzgerald
> Department of Earth Sciences
> Millersville University
> Millersville, PA 17551
> 
> Phone: 717-871-2394

Hello David,

I suspect this is caused by broken DNS reverse resolution, as Kerberos client
software often uses the result of reverse record (PTR RR) resolution as a
hostname and not the actual hostname configured on your system.

What does "host $IP_ADDRESS_OF_YOUR_HOST" return? Does it return the correct
hostname?

Martin
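The check Martin suggests, written out as an added example (not code from the thread or from FreeIPA): it resolves a hostname forward to an address, resolves that address back through its PTR record, and reports where the chain diverges. A second function models how a Kerberos client canonicalizes the host part of a service principal, so you can see that a stale PTR record turns a request for HTTP/aurora into a request for HTTP/cyclone when reverse lookups are in use. The hostnames, address and DNS records below are constructed for the demonstration; `system_lookups()` swaps in the real OS resolver for a live check.

```python
"""Diagnose forward/reverse DNS consistency for a Kerberos host and show which
service principal a client would request.  Added example for this thread; the
sample records below are constructed, not the poster's real DNS data."""
import socket
from typing import Callable, Dict, Optional, Tuple

# Constructed sample records (hypothetical names, RFC 5737 test address):
# the IPA server's A record is correct, but a stale PTR record for its address
# still names a decommissioned host, the situation suspected in the thread.
SAMPLE_FORWARD: Dict[str, str] = {"aurora.example.test": "192.0.2.10"}
SAMPLE_REVERSE: Dict[str, str] = {"192.0.2.10": "cyclone.example.test"}

Lookup = Callable[[str], Optional[str]]


def _normalize(name: str) -> str:
    # DNS names are case-insensitive; PTR answers may carry a trailing dot.
    return name.rstrip(".").lower()


def check_reverse_dns(hostname: str, forward: Lookup, reverse: Lookup) -> dict:
    """Resolve hostname -> address -> PTR and report whether they agree.

    The intermediate answers are returned so an admin can see exactly where
    the chain breaks: no forward record, no PTR record, or a PTR record that
    names a different host."""
    hostname = _normalize(hostname)
    ip = forward(hostname)
    if ip is None:
        return {"hostname": hostname, "ip": None, "ptr": None,
                "consistent": False, "problem": "no forward (A/AAAA) record"}
    ptr = reverse(ip)
    if ptr is None:
        return {"hostname": hostname, "ip": ip, "ptr": None,
                "consistent": False, "problem": "no reverse (PTR) record"}
    ptr = _normalize(ptr)
    consistent = ptr == hostname
    return {"hostname": hostname, "ip": ip, "ptr": ptr, "consistent": consistent,
            "problem": None if consistent else "PTR names a different host"}


def service_principal(service: str, hostname: str, realm: str, rdns: bool,
                      forward: Lookup, reverse: Lookup) -> str:
    """Approximate the host canonicalization a Kerberos client performs before
    requesting a service ticket.  With reverse lookups enabled (krb5.conf
    'rdns = true', the MIT default) the PTR name of the resolved address
    replaces the configured name; with 'rdns = false' the configured name is
    kept.  This models the mechanism, not every detail of libkrb5."""
    hostname = _normalize(hostname)
    if rdns:
        ip = forward(hostname)
        ptr = reverse(ip) if ip is not None else None
        if ptr is not None:
            hostname = _normalize(ptr)
    return f"{service}/{hostname}@{realm}"


def system_lookups() -> Tuple[Lookup, Lookup]:
    """Resolvers backed by the OS, for running the check against live DNS."""
    def forward(name: str) -> Optional[str]:
        try:
            return socket.gethostbyname(name)
        except socket.gaierror:
            return None

    def reverse(ip: str) -> Optional[str]:
        try:
            return socket.gethostbyaddr(ip)[0]
        except (socket.herror, socket.gaierror):
            return None
    return forward, reverse


if __name__ == "__main__":
    fwd, rev = SAMPLE_FORWARD.get, SAMPLE_REVERSE.get
    print(check_reverse_dns("aurora.example.test", fwd, rev))
    for flag in (True, False):
        print(f"rdns={flag}:", service_principal(
            "HTTP", "aurora.example.test", "EXAMPLE.TEST", flag, fwd, rev))
```

Run against the constructed records, the check reports the PTR mismatch, and the principal a client would request changes from HTTP/aurora to HTTP/cyclone when reverse lookups are enabled. For a live host, call `check_reverse_dns(name, *system_lookups())`; a `consistent` result of False with a PTR naming another machine is the condition Martin describes.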
