[Freeipa-users] ipa-* tools throws errors

Martin Kosek mkosek at redhat.com
Wed Mar 6 08:04:49 UTC 2013


Ok. Can you check whether this hostname is being returned by SRV DNS record discovery,
run on the host where you execute the ipa commands?

# dig -t srv _ldap._tcp.esci.millersville.edu

Does it return the right results?

Martin

On 03/05/2013 07:26 PM, David Fitzgerald wrote:
> The host command returns the correct name:
> #host 166.66.65.39
> 39.65.66.166.in-addr.arpa domain name pointer aurora.esci.millersville.edu.
> 
> -----Original Message-----
> From: Martin Kosek [mailto:mkosek at redhat.com] 
> Sent: Tuesday, March 05, 2013 10:26 AM
> To: David Fitzgerald
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] ipa-* tools throws errors
> 
> On 03/05/2013 04:21 PM, David Fitzgerald wrote:
>> Hello everyone,
>>
>> I have been running a freeIPA server on Scientific Linux 6.2 for about a year.
>> Yesterday I started not being able to run any "ipa-" commands.
>> Running kinit admin gives me the proper tickets, but when I run any
>> ipa- command I get the following error:
>>
>> ipa: ERROR: Kerberos error: Service
>> u'HTTP at cyclone.esci.millersville.edu' not found in Kerberos database/.
>>
>> I have no idea where the cyclone.esci.millersville.edu is coming from,
>> as that used to be a Windows Domain server that was decommissioned
>> years ago and is no longer in DNS, nor in /etc/hosts. I even grep -R
>> all of the files in /etc and none refer to cyclone. I checked the ipa
>> config and krb5.conf files and they are pointing at the proper ipa server.
>>
>> Checking log files I get these messages when I try to run ipa commands:
>>
>> /var/log/httpd/error log:
>>
>> Tue Mar 05 08:57:54 2013] [error] ipa: ERROR: 500 Internal Server Error:
>> xmlserver.__call__: KRB5CCNAME not defined in HTTP request environment
>>
>> /var/log/ipa
>>
>> Mar 05 09:57:00 aurora.esci.millersville.edu krb5kdc[12534](info):
>> TGS_REQ (4 etypes {18 17 16 23}) 166.66.65.39: ISSUE: authtime
>> 1362491436, etypes {rep=18
>> tkt=18 ses=18}, admin at LINUX.DIRSRV.LOCAL for
>> krbtgt/LINUX.DIRSRV.LOCAL at LINUX.DIRSRV.LOCAL
>>
>> Mar 05 09:57:00 aurora.esci.millersville.edu krb5kdc[12534](info):
>> TGS_REQ (4 etypes {18 17 16 23}) 166.66.65.39: UNKNOWN_SERVER:
>> authtime 0, admin at LINUX.DIRSRV.LOCAL for
>> HTTP/cyclone.esci.millersville.edu at LINUX.DIRSRV.LOCAL, Server not
>> found in Kerberos database
>>
>> I Googled these error messages, but none of the results seemed to
>> apply to my situation or didn't solve the problem. Can anyone point me
>> in the right direction? Any help is greatly appreciated.
>>
>> For what they are worth, here are my /etc/krb5.conf and
>> /etc/ipa/default.conf
>> files:
>>
>>
>> /etc/krb5.conf:
>>
>> includedir /var/lib/sss/pubconf/krb5.include.d/
>>
>> [logging]
>> default = FILE:/var/log/krb5libs.log
>> kdc = FILE:/var/log/krb5kdc.log
>> admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>> default_realm = LINUX.DIRSRV.LOCAL
>> dns_lookup_realm = false
>> dns_lookup_kdc = false
>> rdns = false
>> ticket_lifetime = 24h
>> forwardable = yes
>>
>> [realms]
>> LINUX.DIRSRV.LOCAL = {
>>   kdc = aurora.esci.millersville.edu:88
>>   admin_server = aurora.esci.millersville.edu:749
>>   default_domain = esci.millersville.edu
>>   pkinit_anchors = FILE:/etc/ipa/ca.crt
>> }
>>
>> [domain_realm]
>> .esci.millersville.edu = LINUX.DIRSRV.LOCAL
>> esci.millersville.edu = LINUX.DIRSRV.LOCAL
>>
>> [dbmodules]
>> #  LINUX.DIRSRV.LOCAL = {
>> #    db_library = kldap
>> #    ldap_servers = ldapi://%2fvar%2frun%2fslapd-LINUX-DIRSRV-LOCAL.socket
>> #    ldap_kerberos_container_dn = cn=kerberos,dc=linux,dc=dirsrv,dc=local
>> #    ldap_kdc_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=linux,dc=dirsrv,dc=local
>> #    ldap_kadmind_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=linux,dc=dirsrv,dc=local
>> #    ldap_service_password_file = /var/kerberos/krb5kdc/ldappwd
>> #  }
>>
>>   LINUX.DIRSRV.LOCAL = {
>>     db_library = ipadb.so
>>   }
>>
>> /etc/ipa/default.conf
>>
>> [global]
>> host=aurora.esci.millersville.edu
>> basedn=dc=linux,dc=dirsrv,dc=local
>> realm=LINUX.DIRSRV.LOCAL
>> domain=esci.millersville.edu
>> xmlrpc_uri=https://aurora.esci.millersville.edu/ipa/xml
>> ldap_uri=ldapi://%2fvar%2frun%2fslapd-LINUX-DIRSRV-LOCAL.socket
>> enable_ra=True
>> ra_plugin=dogtag
>> mode=production
>>
>> +++++++++++++++++++++++
>> David Fitzgerald
>> Department of Earth Sciences
>> Millersville University
>> Millersville, PA 17551
>>
>> Phone: 717-871-2394
>>
>>  
> 
> Hello David,
> 
> I suspect this is caused by broken DNS reverse resolution, as Kerberos client software often uses the result of reverse record (PTR RR) resolution as the hostname and not the actual hostname configured on your system.
> 
> What does "host $IP_ADDRESS_OF_YOUR_HOST" return? Does it return the correct hostname?
> 
> Martin
> 
