[Freeipa-users] ipa-* tools throws errors

David Fitzgerald David.Fitzgerald at millersville.edu
Tue Mar 5 18:26:30 UTC 2013


The host command returns the correct name:
#host 166.66.65.39
39.65.66.166.in-addr.arpa domain name pointer aurora.esci.millersville.edu.

-----Original Message-----
From: Martin Kosek [mailto:mkosek at redhat.com] 
Sent: Tuesday, March 05, 2013 10:26 AM
To: David Fitzgerald
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] ipa-* tools throws errors

On 03/05/2013 04:21 PM, David Fitzgerald wrote:
> Hello everyone,
> 
> I have been running a freeIPA server on Scientific Linux 6.2 for about a year. 
> Yesterday I started not being able to run any "ipa-" commands. 
> Running kinit admin gives me the proper tickets, but when I run any 
> ipa- command I get the following error:
> 
> ipa: ERROR: Kerberos error: Service 
> u'HTTP at cyclone.esci.millersville.edu' not found in Kerberos database/.
> 
> I have no idea where the cyclone.esci.millersville.edu is coming from, 
> as that used to be a Windows Domain server that was decommissioned 
> years ago and is no longer in DNS, nor in /etc/hosts. I even ran grep -R 
> over all of the files in /etc and none refer to cyclone. I checked the ipa 
> config and krb5.conf files and they are pointing at the proper ipa server.
> 
> Checking log files I get these messages when I try to run ipa commands:
> 
> /var/log/httpd/error log: 
> 
> Tue Mar 05 08:57:54 2013] [error] ipa: ERROR: 500 Internal Server Error:
> xmlserver.__call__: KRB5CCNAME not defined in HTTP request environment
> 
> /var/log/ipa
> 
> Mar 05 09:57:00 aurora.esci.millersville.edu krb5kdc[12534](info): 
> TGS_REQ (4 etypes {18 17 16 23}) 166.66.65.39: ISSUE: authtime 
> 1362491436, etypes {rep=18
> tkt=18 ses=18}, admin at LINUX.DIRSRV.LOCAL for 
> krbtgt/LINUX.DIRSRV.LOCAL at LINUX.DIRSRV.LOCAL
> 
> Mar 05 09:57:00 aurora.esci.millersville.edu krb5kdc[12534](info): 
> TGS_REQ (4 etypes {18 17 16 23}) 166.66.65.39: UNKNOWN_SERVER: 
> authtime 0, admin at LINUX.DIRSRV.LOCAL for 
> HTTP/cyclone.esci.millersville.edu at LINUX.DIRSRV.LOCAL, Server not 
> found in Kerberos database
> 
> I Googled these error messages, but none of the results seemed to 
> apply to my situation or didn't solve the problem. Can anyone point me 
> in the right direction? Any help is greatly appreciated.
> 
> For what they are worth, here are my /etc/krb5.conf and 
> /etc/ipa/default.conf
> files:
> 
> /etc/krb5.conf:
> 
> includedir /var/lib/sss/pubconf/krb5.include.d/
> 
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
> 
> [libdefaults]
> default_realm = LINUX.DIRSRV.LOCAL
> dns_lookup_realm = false
> dns_lookup_kdc = false
> rdns = false
> ticket_lifetime = 24h
> forwardable = yes
> 
> [realms]
> LINUX.DIRSRV.LOCAL = {
>   kdc = aurora.esci.millersville.edu:88
>   admin_server = aurora.esci.millersville.edu:749
>   default_domain = esci.millersville.edu
>   pkinit_anchors = FILE:/etc/ipa/ca.crt
> }
> 
> [domain_realm]
> .esci.millersville.edu = LINUX.DIRSRV.LOCAL
> esci.millersville.edu = LINUX.DIRSRV.LOCAL
> 
> [dbmodules]
> #  LINUX.DIRSRV.LOCAL = {
> #    db_library = kldap
> #    ldap_servers = ldapi://%2fvar%2frun%2fslapd-LINUX-DIRSRV-LOCAL.socket
> #    ldap_kerberos_container_dn = cn=kerberos,dc=linux,dc=dirsrv,dc=local
> #    ldap_kdc_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=linux,dc=dirsrv,dc=local
> #    ldap_kadmind_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=linux,dc=dirsrv,dc=local
> #    ldap_service_password_file = /var/kerberos/krb5kdc/ldappwd
> #  }
> 
>   LINUX.DIRSRV.LOCAL = {
>     db_library = ipadb.so
>   }
> 
> /etc/ipa/default.conf
> 
> [global]
> host=aurora.esci.millersville.edu
> basedn=dc=linux,dc=dirsrv,dc=local
> realm=LINUX.DIRSRV.LOCAL
> domain=esci.millersville.edu
> xmlrpc_uri=https://aurora.esci.millersville.edu/ipa/xml
> ldap_uri=ldapi://%2fvar%2frun%2fslapd-LINUX-DIRSRV-LOCAL.socket
> enable_ra=True
> ra_plugin=dogtag
> mode=production
> 
> +++++++++++++++++++++++
> David Fitzgerald
> Department of Earth Sciences
> Millersville University
> Millersville, PA 17551
> 
> Phone: 717-871-2394

Hello David,

I suspect this is caused by broken DNS reverse resolution, as Kerberos client software often uses the result of reverse record (PTR RR) resolution as the hostname and not the actual hostname configured on your system.

What does "host $IP_ADDRESS_OF_YOUR_HOST" return? Does it return the correct hostname?

Martin
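An added check, not part of the thread, that automates the question above: it forward-resolves the IPA server, compares each address's PTR with the configured name, and loosely models how a Kerberos client would build the HTTP service principal from the PTR result. The sample records are constructed to mirror the thread (correct forward record, stale PTR naming a decommissioned host); the `live_*` helpers use the system resolver instead.

```python
import socket
from typing import List, Optional, Tuple

# Constructed sample records for the thread's situation: the IPA server's
# forward record is right, but a stale PTR still names a decommissioned host.
# The second host has an address with no PTR at all.
SAMPLE_FORWARD = {"aurora.esci.millersville.edu": ["166.66.65.39"],
                  "other.example": ["192.0.2.10"]}
SAMPLE_REVERSE = {"166.66.65.39": "cyclone.esci.millersville.edu"}

def sample_forward(host: str) -> List[str]:
    return SAMPLE_FORWARD.get(host, [])

def sample_reverse(ip: str) -> str:
    if ip not in SAMPLE_REVERSE:
        raise socket.herror(1, "no PTR record")  # what gethostbyaddr raises
    return SAMPLE_REVERSE[ip]

def live_forward(host: str) -> List[str]:      # system resolver, IPv4 only
    return socket.gethostbyname_ex(host)[2]

def live_reverse(ip: str) -> str:              # system resolver, PTR lookup
    return socket.gethostbyaddr(ip)[0]

def _norm(name: str) -> str:
    return name.lower().rstrip(".")

def canonical_service_principal(host: str, realm: str, service: str = "HTTP",
                                rdns: bool = True, forward=live_forward,
                                reverse=live_reverse) -> str:
    """Loosely model how a Kerberos client picks the host part of a service
    principal: forward lookup first; with rdns on, the PTR name of the first
    address replaces the configured name (no PTR: keep the forward name)."""
    name = _norm(host)
    addrs = forward(name)
    if rdns and addrs:
        try:
            name = _norm(reverse(addrs[0]))
        except OSError:
            pass
    return f"{service}/{name}@{realm}"

def reverse_dns_mismatches(host: str, forward=live_forward,
                           reverse=live_reverse) -> List[Tuple[str, Optional[str]]]:
    """List (address, PTR name) pairs whose PTR does not map back to host."""
    name = _norm(host)
    bad = []
    for ip in forward(name):
        try:
            ptr: Optional[str] = _norm(reverse(ip))
        except OSError:
            ptr = None
        if ptr != name:
            bad.append((ip, ptr))
    return bad
```

Against the constructed records the check reports the stale PTR and the model yields HTTP/cyclone.esci.millersville.edu@LINUX.DIRSRV.LOCAL, the very principal the KDC log rejects; with rdns turned off, as the quoted krb5.conf sets it, the model keeps the forward name.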



