[Freeipa-users] ipa-* tools throws errors
David Fitzgerald
David.Fitzgerald at millersville.edu
Tue Mar 5 18:26:30 UTC 2013
The host command returns the correct name:
#host 166.66.65.39
39.65.66.166.in-addr.arpa domain name pointer aurora.esci.millersville.edu.
-----Original Message-----
From: Martin Kosek [mailto:mkosek at redhat.com]
Sent: Tuesday, March 05, 2013 10:26 AM
To: David Fitzgerald
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] ipa-* tools throws errors
On 03/05/2013 04:21 PM, David Fitzgerald wrote:
> Hello everyone,
>
> I have been running a freeIPA server on Scientific Linux 6.2 for about a year.
> Yesterday I started not being able to run any "ipa-" commands.
> Running kinit admin gives me the proper tickets, but when I run any
> ipa- command I get the following error:
>
> ipa: ERROR: Kerberos error: Service
> u'HTTP@cyclone.esci.millersville.edu' not found in Kerberos database/.
>
> I have no idea where the cyclone.esci.millersville.edu is coming from,
> as that used to be a Windows Domain server that was decommissioned
> years ago and is no longer in DNS, nor in /etc/hosts. I even grep -R
> all of the files in /etc and none refer to cyclone. I checked the ipa
> config and krb5.conf files and they are pointing at the proper ipa server.
>
> Checking log files I get these messages when I try to run ipa commands:
>
> /var/log/httpd/error_log:
>
> [Tue Mar 05 08:57:54 2013] [error] ipa: ERROR: 500 Internal Server Error:
> xmlserver.__call__: KRB5CCNAME not defined in HTTP request environment
>
> /var/log/ipa:
>
> Mar 05 09:57:00 aurora.esci.millersville.edu krb5kdc[12534](info):
> TGS_REQ (4 etypes {18 17 16 23}) 166.66.65.39: ISSUE: authtime 1362491436,
> etypes {rep=18 tkt=18 ses=18}, admin@LINUX.DIRSRV.LOCAL for
> krbtgt/LINUX.DIRSRV.LOCAL@LINUX.DIRSRV.LOCAL
>
> Mar 05 09:57:00 aurora.esci.millersville.edu krb5kdc[12534](info):
> TGS_REQ (4 etypes {18 17 16 23}) 166.66.65.39: UNKNOWN_SERVER: authtime 0,
> admin@LINUX.DIRSRV.LOCAL for HTTP/cyclone.esci.millersville.edu@LINUX.DIRSRV.LOCAL,
> Server not found in Kerberos database
>
> I Googled these error messages, but none of the results seemed to
> apply to my situation or didn't solve the problem. Can anyone point me
> in the right direction? Any help is greatly appreciated.
>
> For what they are worth, here are my /etc/krb5.conf and
> /etc/ipa/default.conf files:
>
> /etc/krb5.conf:
>
> includedir /var/lib/sss/pubconf/krb5.include.d/
>
> [logging]
>   default = FILE:/var/log/krb5libs.log
>   kdc = FILE:/var/log/krb5kdc.log
>   admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>   default_realm = LINUX.DIRSRV.LOCAL
>   dns_lookup_realm = false
>   dns_lookup_kdc = false
>   rdns = false
>   ticket_lifetime = 24h
>   forwardable = yes
>
> [realms]
>   LINUX.DIRSRV.LOCAL = {
>     kdc = aurora.esci.millersville.edu:88
>     admin_server = aurora.esci.millersville.edu:749
>     default_domain = esci.millersville.edu
>     pkinit_anchors = FILE:/etc/ipa/ca.crt
>   }
>
> [domain_realm]
>   .esci.millersville.edu = LINUX.DIRSRV.LOCAL
>   esci.millersville.edu = LINUX.DIRSRV.LOCAL
>
> [dbmodules]
>   # LINUX.DIRSRV.LOCAL = {
>   #   db_library = kldap
>   #   ldap_servers = ldapi://%2fvar%2frun%2fslapd-LINUX-DIRSRV-LOCAL.socket
>   #   ldap_kerberos_container_dn = cn=kerberos,dc=linux,dc=dirsrv,dc=local
>   #   ldap_kdc_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=linux,dc=dirsrv,dc=local
>   #   ldap_kadmind_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=linux,dc=dirsrv,dc=local
>   #   ldap_service_password_file = /var/kerberos/krb5kdc/ldappwd
>   # }
>
>   LINUX.DIRSRV.LOCAL = {
>     db_library = ipadb.so
>   }
>
> /etc/ipa/default.conf:
>
> [global]
> host=aurora.esci.millersville.edu
> basedn=dc=linux,dc=dirsrv,dc=local
> realm=LINUX.DIRSRV.LOCAL
> domain=esci.millersville.edu
> xmlrpc_uri=https://aurora.esci.millersville.edu/ipa/xml
> ldap_uri=ldapi://%2fvar%2frun%2fslapd-LINUX-DIRSRV-LOCAL.socket
> enable_ra=True
> ra_plugin=dogtag
> mode=production
>
> +++++++++++++++++++++++
> David Fitzgerald
> Department of Earth Sciences
> Millersville University
> Millersville, PA 17551
>
> Phone: 717-871-2394
>
Hello David,
I suspect this is caused by broken DNS reverse resolution, as Kerberos client software often uses the result of reverse record (PTR RR) resolution as a hostname and not the actual hostname configured on your system.
What does "host $IP_ADDRESS_OF_YOUR_HOST" return? Does it return the correct hostname?
Martin
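Martin's point about PTR-driven hostname canonicalization, as an added Python example that is not code from the thread, FreeIPA or MIT krb5: the DNS tables are constructed, with a stale PTR standing in for the situation described, the helper names are mine, and the `rdns` flag stands for the libdefaults `rdns` setting.

```python
"""Model of how a Kerberos client derives the hostname in a service principal.

Hypothetical helper, not part of FreeIPA or MIT krb5.  With rdns enabled the
client resolves the configured server name to an address and then uses the
PTR record for that address as the canonical host, so a stale PTR turns a
request for HTTP/aurora... into one for HTTP/cyclone..., which the KDC does
not know.  The lookup tables below are constructed for the demonstration.
"""

REALM = "LINUX.DIRSRV.LOCAL"
IPA_SERVER = "aurora.esci.millersville.edu"

# Constructed stand-ins for DNS: the A record of the IPA server and a stale
# PTR record that still names the decommissioned host.
FORWARD = {IPA_SERVER: "166.66.65.39"}
REVERSE = {"166.66.65.39": "cyclone.esci.millersville.edu"}


def canonical_host(hostname, forward, reverse, rdns=True):
    """Hostname a client would place in the service principal."""
    host = hostname.rstrip(".").lower()
    if host not in forward:
        raise LookupError(f"no forward record for {host}")
    if not rdns:
        return host  # rdns = false: keep the name as configured
    ptr = reverse.get(forward[host])
    return ptr.rstrip(".").lower() if ptr else host


def service_principal(service, hostname, forward=FORWARD, reverse=REVERSE,
                      rdns=True, realm=REALM):
    """Principal the client asks the KDC for, e.g. HTTP/host@REALM."""
    return f"{service}/{canonical_host(hostname, forward, reverse, rdns)}@{realm}"


def check_reverse_dns(hostname, forward=FORWARD, reverse=REVERSE):
    """The check Martin suggests: does 'host $IP' give back the configured name?"""
    addr = forward[hostname]
    ptr = reverse.get(addr)
    return {"address": addr, "ptr": ptr, "consistent": ptr == hostname}


if __name__ == "__main__":
    print(service_principal("HTTP", IPA_SERVER))             # stale PTR wins
    print(service_principal("HTTP", IPA_SERVER, rdns=False))  # rdns = false
    print(check_reverse_dns(IPA_SERVER))
```

To run the same check against live DNS, replace the two dictionaries with results from `socket.gethostbyname` and `socket.gethostbyaddr`.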