[Freeipa-users] ipa-* tools throws errors

Martin Kosek mkosek at redhat.com
Mon Mar 11 11:01:02 UTC 2013


Hello David,

I am still not convinced that this issue is not caused by DNS. This is what 
we do in the "ipa" command:

1) We try to primarily connect to the server that is defined in 
/etc/ipa/default.conf in the "server" option
2) If it is not available, we try to fall back to other IPA servers which are 
resolved via the DNS SRV query "_ldap._tcp.DOMAIN", where DOMAIN is also read from 
/etc/ipa/default.conf

I do not see any other path by which this server could get to "ipa". This is why I 
suggested running the DNS query on the machine where you run the client:

# dig -t srv _ldap._tcp.esci.millersville.edu

It could help us see if the server is coming from this direction.



As for the KRB5CCNAME appearing on your real IPA server, AFAIU, this 
environment variable is set by the "mod_auth_kerb" plugin for httpd (we configure 
it in /etc/httpd/conf.d/ipa.conf; "KrbSaveCredentials" should be "on" so that 
we can get the KRB5CCNAME). You can also try restarting httpd and see if that 
changes anything.

Martin

On 03/08/2013 06:03 PM, David Fitzgerald wrote:
> Thanks for getting back to me!
>
> I don't think the problem has anything to do with DNS.  I (finally) ran an ipa command with the verbose flags -vv and found that it IS trying to contact aurora.esci.millersville.edu, it fails then tries to contact cyclone.esci.millersville.edu (still don't know where that comes from).   I am getting an 'Internal Server Error' in the output when connecting to aurora.  Here is the output:
>
> 	% ipa -vv passwd
> 	ipa: INFO: trying https://aurora.esci.millersville.edu/ipa/xml
> 	send: u'POST /ipa/xml HTTP/1.0\r\nHost: aurora.esci.millersville.edu\r\nAccept-Language: en-us\r\nReferer: https://aurora.esci.millersville.edu/ipa/xml\r\nAuthorization: negotiate
> 		 <SNIPPED OUT THE KEY STRING> ...
> 	send: "<?xml version='1.0' encoding='UTF-8'?>\n<methodCall>\n<methodName>ping</methodName>\n<params>\n</params>\n</methodCall>\n"
> 	reply: 'HTTP/1.1 500 Internal Server Error\r\n'
> 	header: Date: Fri, 08 Mar 2013 16:52:48 GMT
> 	header: Server: Apache/2.2.15 (Scientific Linux)
> 	header: WWW-Authenticate: Negotiate YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvjoEMIFJxPVNU4jtl/7S+eC6fM0rlJWpV1fJdhoVTKwiR2pa2OHQWRtCjQDfzpBNwNBpt1fMY7M4Bfrqs860toAT6jMfS8Jkqh3Aj9OeuEmpEVHys5pbErjj14OPHxbxTmLdPxFE8eV4ZIDQg40a8
> 	header: Content-Length: 311
> 	header: Connection: close
> 	header: Content-Type: text/html; charset=utf-8
> 	ipa: INFO: trying https://cyclone.esci.millersville.edu/ipa/xml
> 	ipa: ERROR: Kerberos error: Service u'HTTP at cyclone.esci.millersville.edu' not found in Kerberos database/
>
> The apache error log gives this:
> 	[Fri Mar 08 11:52:48 2013] [error] ipa: ERROR: 500 Internal Server Error: xmlserver.__call__: KRB5CCNAME not defined in HTTP request environment.
>
> I have no idea what that means.  Can you help?
>
> -----Original Message-----
> From: Martin Kosek [mailto:mkosek at redhat.com]
> Sent: Wednesday, March 06, 2013 3:05 AM
> To: David Fitzgerald
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] ipa-* tools throws errors
>
> Ok. Can you check whether this hostname is returned by an SRV DNS record discovery run on the host where you execute the ipa commands?
>
> # dig -t srv _ldap._tcp.esci.millersville.edu
>
> Does it return the right results?
>
> Martin
>
> On 03/05/2013 07:26 PM, David Fitzgerald wrote:
>> The host command returns the correct name:
>> #host 166.66.65.39
>> 39.65.66.166.in-addr.arpa domain name pointer aurora.esci.millersville.edu.
>>
>> -----Original Message-----
>> From: Martin Kosek [mailto:mkosek at redhat.com]
>> Sent: Tuesday, March 05, 2013 10:26 AM
>> To: David Fitzgerald
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] ipa-* tools throws errors
>>
>> On 03/05/2013 04:21 PM, David Fitzgerald wrote:
>>> Hello everyone,
>>>
>>> I have been running a freeIPA server on Scientific Linux 6.2 for about a year.
>>> Yesterday I started not being able to run any "ipa-" commands.
>>> Running kinit admin gives me the proper tickets, but when I run any
>>> ipa- command I get the following error:
>>>
>>> ipa: ERROR: Kerberos error: Service
>>> u'HTTP at cyclone.esci.millersville.edu' not found in Kerberos database/.
>>>
>>> I have no idea where the cyclone.esci.millersville.edu is coming
>>> from, as that used to be a Windows Domain server that was
>>> decommissioned years ago and is no longer in DNS, nor in /etc/hosts.
>>> I even grep -R all of the files in /etc and none refer to cyclone.  I
>>> checked the ipa config and krb5.conf files and they are pointing at the proper ipa server.
>>>
>>> Checking log files I get these messages when I try to run ipa commands:
>>>
>>> /var/log/httpd/error log:
>>>
>>> [Tue Mar 05 08:57:54 2013] [error] ipa: ERROR: 500 Internal Server Error:
>>> xmlserver.__call__: KRB5CCNAME not defined in HTTP request
>>> environment
>>>
>>> /var/log/ipa
>>>
>>> Mar 05 09:57:00 aurora.esci.millersville.edu krb5kdc[12534](info):
>>> TGS_REQ (4 etypes {18 17 16 23}) 166.66.65.39: ISSUE: authtime
>>> 1362491436, etypes {rep=18
>>> tkt=18 ses=18}, admin at LINUX.DIRSRV.LOCAL for
>>> krbtgt/LINUX.DIRSRV.LOCAL at LINUX.DIRSRV.LOCAL
>>>
>>> Mar 05 09:57:00 aurora.esci.millersville.edu krb5kdc[12534](info):
>>> TGS_REQ (4 etypes {18 17 16 23}) 166.66.65.39: UNKNOWN_SERVER:
>>> authtime 0, admin at LINUX.DIRSRV.LOCAL for
>>> HTTP/cyclone.esci.millersville.edu at LINUX.DIRSRV.LOCAL, Server not
>>> found in Kerberos database
>>>
>>> I Googled these error messages, but none of the results seemed to
>>> apply to my situation or didn't solve the problem.  Can anyone point
>>> me in the right direction? Any help is greatly appreciated.
>>>
>>> For what they are worth, here are my /etc/krb5.conf and
>>> /etc/ipa/default.conf
>>> files:
>>>
>>> /etc/krb5.conf:
>>>
>>> includedir /var/lib/sss/pubconf/krb5.include.d/
>>>
>>> [logging]
>>> default = FILE:/var/log/krb5libs.log
>>> kdc = FILE:/var/log/krb5kdc.log
>>> admin_server = FILE:/var/log/kadmind.log
>>>
>>> [libdefaults]
>>> default_realm = LINUX.DIRSRV.LOCAL
>>> dns_lookup_realm = false
>>> dns_lookup_kdc = false
>>> rdns = false
>>> ticket_lifetime = 24h
>>> forwardable = yes
>>>
>>> [realms]
>>> LINUX.DIRSRV.LOCAL = {
>>>    kdc = aurora.esci.millersville.edu:88
>>>    admin_server = aurora.esci.millersville.edu:749
>>>    default_domain = esci.millersville.edu
>>>    pkinit_anchors = FILE:/etc/ipa/ca.crt
>>> }
>>>
>>> [domain_realm]
>>> .esci.millersville.edu = LINUX.DIRSRV.LOCAL
>>> esci.millersville.edu = LINUX.DIRSRV.LOCAL
>>>
>>> [dbmodules]
>>> #  LINUX.DIRSRV.LOCAL = {
>>> #    db_library = kldap
>>> #    ldap_servers = ldapi://%2fvar%2frun%2fslapd-LINUX-DIRSRV-LOCAL.socket
>>> #    ldap_kerberos_container_dn = cn=kerberos,dc=linux,dc=dirsrv,dc=local
>>> #    ldap_kdc_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=linux,dc=dirsrv,dc=local
>>> #    ldap_kadmind_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=linux,dc=dirsrv,dc=local
>>> #    ldap_service_password_file = /var/kerberos/krb5kdc/ldappwd
>>> #  }
>>>
>>>    LINUX.DIRSRV.LOCAL = {
>>>      db_library = ipadb.so
>>>    }
>>>
>>> /etc/ipa/default.conf
>>>
>>> [global]
>>> host=aurora.esci.millersville.edu
>>> basedn=dc=linux,dc=dirsrv,dc=local
>>> realm=LINUX.DIRSRV.LOCAL
>>> domain=esci.millersville.edu
>>> xmlrpc_uri=https://aurora.esci.millersville.edu/ipa/xml
>>> ldap_uri=ldapi://%2fvar%2frun%2fslapd-LINUX-DIRSRV-LOCAL.socket
>>> enable_ra=True
>>> ra_plugin=dogtag
>>> mode=production
>>>
>>> +++++++++++++++++++++++
>>> David Fitzgerald
>>> Department of Earth Sciences
>>> Millersville University
>>> Millersville, PA 17551
>>> Phone: 717-871-2394
>>>
>>
>> Hello David,
>>
>> I suspect this is caused by broken DNS reverse resolution, as Kerberos client software often uses the result of reverse record (PTR RR) resolution as a hostname and not the actual hostname configured on your system.
>>
>> What does "host $IP_ADDRESS_OF_YOUR_HOST" return? Does it return the correct hostname?
>>
>> Martin
>>
>
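Added example, not code from the thread or from FreeIPA: it models the two-step server selection Martin describes (the server named in /etc/ipa/default.conf first, then the targets of the `_ldap._tcp.<domain>` SRV records, ordered by priority and weight) and, for the KRB5CCNAME part of his reply, checks whether an httpd configuration text sets `KrbSaveCredentials on`. Every input is constructed inline: the default.conf keys are the ones David posted, while the SRV answer is hypothetical and exists only to show how a stale record for a decommissioned host would put that host into the client's fallback list. On a real client you would feed the script the actual file and the real `dig -t srv` output instead.

```python
"""Model of the ipa client's server-selection order plus a KrbSaveCredentials
check. Added example (not FreeIPA's code); all inputs below are constructed."""
import configparser
import re
from urllib.parse import urlparse

# Constructed: the relevant [global] keys from the default.conf in the thread.
# Client installs usually carry a "server=" key as well; both forms are handled.
SAMPLE_DEFAULT_CONF = """\
[global]
host=aurora.esci.millersville.edu
realm=LINUX.DIRSRV.LOCAL
domain=esci.millersville.edu
xmlrpc_uri=https://aurora.esci.millersville.edu/ipa/xml
"""

# Constructed and hypothetical `dig -t srv _ldap._tcp.esci.millersville.edu`
# answer. The second record is the kind of stale entry that would make the
# client fall back to a host that no longer exists.
SAMPLE_DIG_ANSWER = """\
;; ANSWER SECTION:
_ldap._tcp.esci.millersville.edu. 86400 IN SRV 0 100 389 aurora.esci.millersville.edu.
_ldap._tcp.esci.millersville.edu. 86400 IN SRV 10 100 389 cyclone.esci.millersville.edu.
"""

# dig answer line layout:  name  ttl  IN  SRV  priority  weight  port  target
SRV_RE = re.compile(r"^\S+\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")


def primary_server(conf_text):
    """Step 1: the server the client tries first, from /etc/ipa/default.conf.
    Interpolation is off because real files contain '%2f' in ldap_uri."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    g = cp["global"]
    if "server" in g:
        return g["server"]
    if "xmlrpc_uri" in g:
        return urlparse(g["xmlrpc_uri"]).hostname
    return g.get("host")


def srv_targets(dig_text):
    """Step 2: fallback targets parsed from an SRV answer, lowest priority
    first and higher weight first within a priority. The order is made
    deterministic here; a real resolver picks among equal-priority targets
    randomly in proportion to weight."""
    records = []
    for line in dig_text.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            prio, weight, _port, target = m.groups()
            records.append((int(prio), -int(weight), target.rstrip(".")))
    records.sort()
    return [target for _, _, target in records]


def candidate_order(conf_text, dig_text):
    """Primary server followed by the SRV fallbacks, duplicates removed."""
    order = [primary_server(conf_text)]
    for target in srv_targets(dig_text):
        if target not in order:
            order.append(target)
    return order


def unexpected_servers(conf_text, dig_text, known_servers):
    """Hosts the client may contact that are not in the set of known IPA
    servers. A non-empty result answers 'where does that hostname come from'."""
    return [h for h in candidate_order(conf_text, dig_text) if h not in known_servers]


def krb_save_credentials_enabled(httpd_conf_text):
    """True if the text sets 'KrbSaveCredentials on' (comments ignored).
    Without it mod_auth_kerb does not export KRB5CCNAME to the request
    environment, which is the error the httpd log in the thread shows."""
    for line in httpd_conf_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 2 and parts[0].lower() == "krbsavecredentials":
            return parts[1].lower() == "on"
    return False


if __name__ == "__main__":
    known = {"aurora.esci.millersville.edu"}
    print("candidate order:", candidate_order(SAMPLE_DEFAULT_CONF, SAMPLE_DIG_ANSWER))
    print("unexpected servers:", unexpected_servers(SAMPLE_DEFAULT_CONF, SAMPLE_DIG_ANSWER, known))
```

With the constructed inputs the candidate list is aurora followed by cyclone, and cyclone is reported as unexpected; that is the pattern to look for when comparing the real `dig` output against the list of servers you know you operate. `krb_save_credentials_enabled` is deliberately simple: it does not parse Apache `<Location>` scoping, so treat a `True` result as "the directive is present and on somewhere in the file", not as proof that it applies to /ipa.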



