[Freeipa-users] ipa-* tools throws errors
Martin Kosek
mkosek at redhat.com
Wed Mar 6 08:04:49 UTC 2013
Ok. Can you check whether this hostname is returned by SRV DNS record discovery
run on the host where you execute the ipa commands?
# dig -t srv _ldap._tcp.esci.millersville.edu
Does it return the right results?
Martin
On 03/05/2013 07:26 PM, David Fitzgerald wrote:
> The host command returns the correct name:
> #host 166.66.65.39
> 39.65.66.166.in-addr.arpa domain name pointer aurora.esci.millersville.edu.
>
> -----Original Message-----
> From: Martin Kosek [mailto:mkosek at redhat.com]
> Sent: Tuesday, March 05, 2013 10:26 AM
> To: David Fitzgerald
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] ipa-* tools throws errors
>
> On 03/05/2013 04:21 PM, David Fitzgerald wrote:
>> Hello everyone,
>>
>> I have been running a freeIPA server on Scientific Linux 6.2 for about a year.
>> Yesterday I stopped being able to run any "ipa-" commands.
>> Running kinit admin gives me the proper tickets, but when I run any
>> ipa- command I get the following error:
>>
>> ipa: ERROR: Kerberos error: Service
>> u'HTTP@cyclone.esci.millersville.edu' not found in Kerberos database.
>>
>>
>> I have no idea where the cyclone.esci.millersville.edu is coming from,
>> as that used to be a Windows Domain server that was decommissioned
>> years ago and is no longer in DNS, nor in /etc/hosts. I even ran grep -R
>> over all of the files in /etc and none refer to cyclone. I checked the ipa
>> config and krb5.conf files and they are pointing at the proper ipa server.
>>
>> Checking log files I get these messages when I try to run ipa commands:
>>
>> /var/log/httpd/error_log:
>>
>> [Tue Mar 05 08:57:54 2013] [error] ipa: ERROR: 500 Internal Server Error:
>> xmlserver.__call__: KRB5CCNAME not defined in HTTP request environment
>>
>> /var/log/ipa
>>
>> Mar 05 09:57:00 aurora.esci.millersville.edu krb5kdc[12534](info):
>> TGS_REQ (4 etypes {18 17 16 23}) 166.66.65.39: ISSUE: authtime
>> 1362491436, etypes {rep=18 tkt=18 ses=18}, admin@LINUX.DIRSRV.LOCAL for
>> krbtgt/LINUX.DIRSRV.LOCAL@LINUX.DIRSRV.LOCAL
>>
>> Mar 05 09:57:00 aurora.esci.millersville.edu krb5kdc[12534](info):
>> TGS_REQ (4 etypes {18 17 16 23}) 166.66.65.39: UNKNOWN_SERVER:
>> authtime 0, admin@LINUX.DIRSRV.LOCAL for
>> HTTP/cyclone.esci.millersville.edu@LINUX.DIRSRV.LOCAL, Server not
>> found in Kerberos database
>>
>>
>> I Googled these error messages, but none of the results seemed to
>> apply to my situation or didn't solve the problem. Can anyone point me
>> in the right direction? Any help is greatly appreciated.
>>
>> For what they are worth, here are my /etc/krb5.conf and
>> /etc/ipa/default.conf files:
>>
>> /etc/krb5.conf:
>>
>> includedir /var/lib/sss/pubconf/krb5.include.d/
>>
>> [logging]
>>   default = FILE:/var/log/krb5libs.log
>>   kdc = FILE:/var/log/krb5kdc.log
>>   admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>>   default_realm = LINUX.DIRSRV.LOCAL
>>   dns_lookup_realm = false
>>   dns_lookup_kdc = false
>>   rdns = false
>>   ticket_lifetime = 24h
>>   forwardable = yes
>>
>> [realms]
>>   LINUX.DIRSRV.LOCAL = {
>>     kdc = aurora.esci.millersville.edu:88
>>     admin_server = aurora.esci.millersville.edu:749
>>     default_domain = esci.millersville.edu
>>     pkinit_anchors = FILE:/etc/ipa/ca.crt
>>   }
>>
>> [domain_realm]
>>   .esci.millersville.edu = LINUX.DIRSRV.LOCAL
>>   esci.millersville.edu = LINUX.DIRSRV.LOCAL
>>
>> [dbmodules]
>>   # LINUX.DIRSRV.LOCAL = {
>>   #   db_library = kldap
>>   #   ldap_servers = ldapi://%2fvar%2frun%2fslapd-LINUX-DIRSRV-LOCAL.socket
>>   #   ldap_kerberos_container_dn = cn=kerberos,dc=linux,dc=dirsrv,dc=local
>>   #   ldap_kdc_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=linux,dc=dirsrv,dc=local
>>   #   ldap_kadmind_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=linux,dc=dirsrv,dc=local
>>   #   ldap_service_password_file = /var/kerberos/krb5kdc/ldappwd
>>   # }
>>
>>   LINUX.DIRSRV.LOCAL = {
>>     db_library = ipadb.so
>>   }
>>
>> /etc/ipa/default.conf:
>>
>> [global]
>> host=aurora.esci.millersville.edu
>> basedn=dc=linux,dc=dirsrv,dc=local
>> realm=LINUX.DIRSRV.LOCAL
>> domain=esci.millersville.edu
>> xmlrpc_uri=https://aurora.esci.millersville.edu/ipa/xml
>> ldap_uri=ldapi://%2fvar%2frun%2fslapd-LINUX-DIRSRV-LOCAL.socket
>> enable_ra=True
>> ra_plugin=dogtag
>> mode=production
>>
>> +++++++++++++++++++++++
>> David Fitzgerald
>> Department of Earth Sciences
>> Millersville University
>> Millersville, PA 17551
>> Phone: 717-871-2394
>>
>
> Hello David,
>
> I suspect this is caused by broken DNS reverse resolution, as Kerberos client software often uses the result of reverse record (PTR RR) resolution as a hostname and not the actual hostname configured on your system.
>
> What does "host $IP_ADDRESS_OF_YOUR_HOST" return? Does it return the correct hostname?
>
> Martin
>
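Added illustration of the diagnosis discussed in this thread (not code from the thread, from FreeIPA or from MIT krb5): an offline model of how a krb5-style client turns the configured IPA server name into the HTTP/<host> service principal it asks the KDC for, plus a checklist that reproduces the three DNS checks raised above (forward name, PTR record, SRV discovery). The model assumes, as stated in the comments, that the client canonicalizes the host with a forward lookup that follows CNAMEs and, when rdns is true, substitutes the PTR name of the first address; the zone data, the KDC principal list and the two "stale" scenarios are constructed for the example and are not the real esci.millersville.edu zone.

```python
"""Model of Kerberos service-principal canonicalization and a DNS consistency
checklist.  Added example; all DNS data here is constructed."""

import copy

REALM = "LINUX.DIRSRV.LOCAL"
SERVER = "aurora.esci.millersville.edu"
SERVER_IP = "166.66.65.39"
SRV_NAME = "_ldap._tcp.esci.millersville.edu"

# Principals the KDC knows about (constructed for the example).
KDC_PRINCIPALS = {f"HTTP/{SERVER}@{REALM}", f"ldap/{SERVER}@{REALM}"}

# Constructed zone in a healthy state: everything points at aurora.
HEALTHY_ZONE = {
    "A": {SERVER + ".": SERVER_IP},
    "CNAME": {},
    "PTR": {"39.65.66.166.in-addr.arpa.": SERVER + "."},
    "SRV": {SRV_NAME + ".": [SERVER + "."]},
}


def fqdn(name):
    """Normalize to a dot-terminated fully qualified name."""
    return name if name.endswith(".") else name + "."


def reverse_name(ip):
    """IPv4 address -> in-addr.arpa name used for the PTR lookup."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def forward_canonical(zone, host):
    """Follow CNAMEs to the canonical name (like getaddrinfo with AI_CANONNAME)."""
    name, seen = fqdn(host), set()
    while name in zone["CNAME"]:
        if name in seen:
            raise LookupError("CNAME loop at " + name)
        seen.add(name)
        name = zone["CNAME"][name]
    if name not in zone["A"]:
        raise LookupError("no A record for " + name)
    return name, zone["A"][name]


def service_principal(zone, service, host, realm, rdns=True):
    """Principal a client would request: service/<canonical host>@REALM."""
    canon, ip = forward_canonical(zone, host)
    if rdns:
        # Assumed client behaviour: with rdns=true a PTR record, stale or not,
        # replaces the forward canonical name.
        canon = zone["PTR"].get(reverse_name(ip), canon)
    return f"{service}/{canon.rstrip('.')}@{realm}"


def diagnose(zone, host, realm, srv_name, kdc_principals):
    """Findings an admin would want to see; an empty list means DNS is consistent."""
    findings = []
    canon, ip = forward_canonical(zone, host)
    if canon != fqdn(host):
        findings.append(f"{host} is a CNAME; canonical name is {canon}")
    ptr = zone["PTR"].get(reverse_name(ip))
    if ptr is None:
        findings.append(f"no PTR record for {ip}")
    elif ptr != canon:
        findings.append(f"PTR for {ip} is {ptr}, not {canon}")
    for target in zone["SRV"].get(fqdn(srv_name), []):
        if target != canon:
            findings.append(f"SRV {srv_name} points at {target}, not {canon}")
    for rdns in (True, False):
        principal = service_principal(zone, "HTTP", host, realm, rdns)
        if principal not in kdc_principals:
            findings.append(f"rdns={rdns}: client would request {principal}, unknown to the KDC")
    return findings


def stale_ptr_zone():
    """Scenario: a decommissioned host still owns the PTR for the server's address."""
    zone = copy.deepcopy(HEALTHY_ZONE)
    zone["PTR"][reverse_name(SERVER_IP)] = "cyclone.esci.millersville.edu."
    return zone


def stale_srv_zone():
    """Scenario: SRV discovery still advertises the decommissioned host."""
    zone = copy.deepcopy(HEALTHY_ZONE)
    zone["SRV"][fqdn(SRV_NAME)] = ["cyclone.esci.millersville.edu."]
    return zone


if __name__ == "__main__":
    scenarios = (("healthy", HEALTHY_ZONE), ("stale PTR", stale_ptr_zone()),
                 ("stale SRV", stale_srv_zone()))
    for label, zone in scenarios:
        print(f"== {label} ==")
        for finding in diagnose(zone, SERVER, REALM, SRV_NAME, KDC_PRINCIPALS) or ["ok"]:
            print("  " + finding)
```

Running the script prints nothing but "ok" for the healthy zone, reports the cyclone PTR and the resulting unknown HTTP/cyclone principal for the stale-PTR scenario (and, in this model, no unknown principal when rdns is false, which is the setting in the posted krb5.conf), and flags only the SRV target for the stale-SRV scenario. Against a live zone the same three checks are the `host $IP`, `dig -t srv _ldap._tcp.<domain>` and forward-lookup commands asked for above.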