[Freeipa-users] ipa-* tools throws errors

David Fitzgerald David.Fitzgerald at millersville.edu
Mon Mar 11 18:05:58 UTC 2013


Here is the output of the dig command. Cyclone does show up here, but our networking people say there are no SRV records in our current db. I still think the trouble I am having has to do with the Internal Server Error I get when I run ipa commands.


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6.3 <<>> -t srv _ldap._tcp.esci.millersville.edu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27213
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;_ldap._tcp.esci.millersville.edu. IN	SRV

;; ANSWER SECTION:
_ldap._tcp.esci.millersville.edu. 600 IN SRV	0 100 389 cyclone.esci.millersville.edu.

;; AUTHORITY SECTION:
_tcp.esci.millersville.edu. 3600 IN	NS	corsair.millersville.edu.
_tcp.esci.millersville.edu. 3600 IN	NS	garfield.millersville.edu.

;; ADDITIONAL SECTION:
corsair.millersville.edu. 3600	IN	A	192.206.29.2
garfield.millersville.edu. 3600	IN	A	166.66.86.144

;; Query time: 1 msec
;; SERVER: 166.66.86.144#53(166.66.86.144)
;; WHEN: Mon Mar 11 13:55:36 2013
;; MSG SIZE  rcvd: 176

-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of David Fitzgerald
Sent: Friday, March 08, 2013 12:04 PM
To: Martin Kosek
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] ipa-* tools throws errors

Thanks for getting back to me!

I don't think the problem has anything to do with DNS. I (finally) ran an ipa command with the verbose flags -vv and found that it IS trying to contact aurora.esci.millersville.edu; it fails, then tries to contact cyclone.esci.millersville.edu (still don't know where that comes from). I am getting an 'Internal Server Error' in the output when connecting to aurora. Here is the output:

	% ipa -vv passwd
	ipa: INFO: trying https://aurora.esci.millersville.edu/ipa/xml
	send: u'POST /ipa/xml HTTP/1.0\r\nHost: aurora.esci.millersville.edu\r\nAccept-Language: en-us\r\nReferer: https://aurora.esci.millersville.edu/ipa/xml\r\nAuthorization: negotiate
		 <SNIPPED OUT THE KEY STRING> ...
	send: "<?xml version='1.0' encoding='UTF-8'?>\n<methodCall>\n<methodName>ping</methodName>\n<params>\n</params>\n</methodCall>\n"
	reply: 'HTTP/1.1 500 Internal Server Error\r\n'
	header: Date: Fri, 08 Mar 2013 16:52:48 GMT
	header: Server: Apache/2.2.15 (Scientific Linux)
	header: WWW-Authenticate: Negotiate 	YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvjoEMIFJxPVNU4jtl/7S+eC6fM0rlJWpV1fJdhoVTKwiR2pa2OHQWRtCjQDfz	pBNwNBpt1fMY7M4Bfrqs860toAT6jMfS8Jkqh3Aj9OeuEmpEVHys5pbErjj14OPHxbxTmLdPxFE8eV4ZIDQg40a8
	header: Content-Length: 311
	header: Connection: close
	header: Content-Type: text/html; charset=utf-8
	ipa: INFO: trying https://cyclone.esci.millersville.edu/ipa/xml
	ipa: ERROR: Kerberos error: Service u'HTTP at cyclone.esci.millersville.edu' not found in Kerberos database/

The apache error log gives this:  
	 Fri Mar 08 11:52:48 2013] [error] ipa: ERROR: 500 Internal Server Error: xmlserver.__call__: KRB5CCNAME not defined in HTTP request environment.

I have no idea what that means.  Can you help?

-----Original Message-----
From: Martin Kosek [mailto:mkosek at redhat.com]
Sent: Wednesday, March 06, 2013 3:05 AM
To: David Fitzgerald
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] ipa-* tools throws errors

Ok. Can you try if this hostname is not returned in a SRV DNS record discovery run on the host where you execute the ipa commands?

# dig -t srv _ldap._tcp.esci.millersville.edu

Does it return the right results?

Martin

On 03/05/2013 07:26 PM, David Fitzgerald wrote:
> The host command returns the correct name:
> #host 166.66.65.39
> 39.65.66.166.in-addr.arpa domain name pointer aurora.esci.millersville.edu.
> 
> -----Original Message-----
> From: Martin Kosek [mailto:mkosek at redhat.com]
> Sent: Tuesday, March 05, 2013 10:26 AM
> To: David Fitzgerald
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] ipa-* tools throws errors
> 
> On 03/05/2013 04:21 PM, David Fitzgerald wrote:
>> Hello everyone,
>>
>> I have been running a freeIPA server on Scientific Linux 6.2 for about a year.
>> Yesterday I started not being able to run any "ipa-" commands.
>> Running kinit admin gives me the proper tickets, but when I run any
>> ipa- command I get the following error:
>>
>> ipa: ERROR: Kerberos error: Service
>> u'HTTP at cyclone.esci.millersville.edu' not found in Kerberos database/.
>>
>> I have no idea where the cyclone.esci.millersville.edu is coming
>> from, as that used to be a Windows Domain server that was
>> decommissioned years ago and is no longer in DNS, nor in /etc/hosts.
>> I even grep -R all of the files in /etc and none refer to cyclone. I
>> checked the ipa config and krb5.conf files and they are pointing at the proper ipa server.
>>
>> Checking log files I get these messages when I try to run ipa commands:
>>
>> /var/log/httpd/error log:
>>
>> Tue Mar 05 08:57:54 2013] [error] ipa: ERROR: 500 Internal Server Error:
>> xmlserver.__call__: KRB5CCNAME not defined in HTTP request
>> environment
>>
>> /var/log/ipa
>>
>> Mar 05 09:57:00 aurora.esci.millersville.edu krb5kdc[12534](info):
>> TGS_REQ (4 etypes {18 17 16 23}) 166.66.65.39: ISSUE: authtime
>> 1362491436, etypes {rep=18
>> tkt=18 ses=18}, admin at LINUX.DIRSRV.LOCAL for
>> krbtgt/LINUX.DIRSRV.LOCAL at LINUX.DIRSRV.LOCAL
>>
>> Mar 05 09:57:00 aurora.esci.millersville.edu krb5kdc[12534](info):
>> TGS_REQ (4 etypes {18 17 16 23}) 166.66.65.39: UNKNOWN_SERVER:
>> authtime 0, admin at LINUX.DIRSRV.LOCAL for
>> HTTP/cyclone.esci.millersville.edu at LINUX.DIRSRV.LOCAL, Server not
>> found in Kerberos database
>>
>> I Googled these error messages, but none of the results seemed to
>> apply to my situation or didn't solve the problem. Can anyone point
>> me in the right direction? Any help is greatly appreciated.
>>
>> For what they are worth, here are my /etc/krb5.conf and
>> /etc/ipa/default.conf files:
>>
>> /etc/krb5.conf:
>>
>> includedir /var/lib/sss/pubconf/krb5.include.d/
>>
>> [logging]
>> default = FILE:/var/log/krb5libs.log
>> kdc = FILE:/var/log/krb5kdc.log
>> admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>> default_realm = LINUX.DIRSRV.LOCAL
>> dns_lookup_realm = false
>> dns_lookup_kdc = false
>> rdns = false
>> ticket_lifetime = 24h
>> forwardable = yes
>>
>> [realms]
>> LINUX.DIRSRV.LOCAL = {
>>   kdc = aurora.esci.millersville.edu:88
>>   admin_server = aurora.esci.millersville.edu:749
>>   default_domain = esci.millersville.edu
>>   pkinit_anchors = FILE:/etc/ipa/ca.crt
>> }
>>
>> [domain_realm]
>> .esci.millersville.edu = LINUX.DIRSRV.LOCAL
>> esci.millersville.edu = LINUX.DIRSRV.LOCAL
>>
>> [dbmodules]
>> #  LINUX.DIRSRV.LOCAL = {
>> #    db_library = kldap
>> #    ldap_servers = ldapi://%2fvar%2frun%2fslapd-LINUX-DIRSRV-LOCAL.socket
>> #    ldap_kerberos_container_dn = cn=kerberos,dc=linux,dc=dirsrv,dc=local
>> #    ldap_kdc_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=linux,dc=dirsrv,dc=local
>> #    ldap_kadmind_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=linux,dc=dirsrv,dc=local
>> #    ldap_service_password_file = /var/kerberos/krb5kdc/ldappwd
>> #  }
>>
>>   LINUX.DIRSRV.LOCAL = {
>>     db_library = ipadb.so
>>   }
>>
>> /etc/ipa/default.conf
>>
>> [global]
>> host=aurora.esci.millersville.edu
>> basedn=dc=linux,dc=dirsrv,dc=local
>> realm=LINUX.DIRSRV.LOCAL
>> domain=esci.millersville.edu
>> xmlrpc_uri=https://aurora.esci.millersville.edu/ipa/xml
>> ldap_uri=ldapi://%2fvar%2frun%2fslapd-LINUX-DIRSRV-LOCAL.socket
>> enable_ra=True
>> ra_plugin=dogtag
>> mode=production
>>
>> +++++++++++++++++++++++
>> David Fitzgerald
>> Department of Earth Sciences
>> Millersville University
>> Millersville, PA 17551
>>
>> Phone: 717-871-2394
> 
> Hello David,
> 
> I suspect this is caused by broken DNS reverse resolution, as Kerberos client software often uses the result of reverse record (PTR RR) resolution as a hostname and not the actual hostname configured on your system.
> 
> What does "host $IP_ADDRESS_OF_YOUR_HOST" return? Does it return the correct hostname?
> 
> Martin
> 

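The dig output at the top of this message shows a `_ldap._tcp` SRV record for cyclone, a host that no longer exists in the realm, which is why the client ends up requesting an HTTP/cyclone ticket the KDC cannot issue. The following script is an added example (not from this thread or the FreeIPA project): it parses `dig -t srv` output and the [global] section of /etc/ipa/default.conf and lists SRV targets that are not the configured IPA server, so a stale discovery record can be spotted before the client falls back to it. The sample inputs are constructed from the outputs quoted in this thread; the assumption is that default.conf is ini-style, as the quoted copy is.

```python
import configparser
import re
from urllib.parse import urlparse

# Sample inputs, constructed from the thread's own dig output and default.conf.
SAMPLE_DIG = """\
;; ANSWER SECTION:
_ldap._tcp.esci.millersville.edu. 600 IN SRV 0 100 389 cyclone.esci.millersville.edu.

;; AUTHORITY SECTION:
_tcp.esci.millersville.edu. 3600 IN NS corsair.millersville.edu.
"""
SAMPLE_DEFAULT_CONF = """\
[global]
host=aurora.esci.millersville.edu
xmlrpc_uri=https://aurora.esci.millersville.edu/ipa/xml
ldap_uri=ldapi://%2fvar%2frun%2fslapd-LINUX-DIRSRV-LOCAL.socket
"""
# owner ttl IN SRV priority weight port target  (trailing dot on target optional)
SRV_RE = re.compile(r"^\S+\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+?)\.?$")

def parse_dig_srv(text):
    """Return (priority, weight, port, target) tuples from the ANSWER SECTION."""
    records, in_answer = [], False
    for line in text.splitlines():
        if line.startswith(";;"):  # any section header opens or closes the answer section
            in_answer = line.startswith(";; ANSWER SECTION:")
            continue
        m = SRV_RE.match(line.strip()) if in_answer else None
        if m:
            records.append((int(m[1]), int(m[2]), int(m[3]), m[4].lower()))
    return records

def configured_servers(default_conf):
    """Hostnames named by 'host' and 'xmlrpc_uri' in the [global] section."""
    cp = configparser.ConfigParser(interpolation=None)  # ldap_uri contains literal '%2f'
    cp.read_string(default_conf)
    g = cp["global"]
    hosts = {g["host"].strip().lower()} if "host" in g else set()
    if "xmlrpc_uri" in g:
        hosts.add(urlparse(g["xmlrpc_uri"]).hostname.lower())
    return hosts

def stale_srv_targets(dig_output, default_conf):
    """SRV targets the client would try that are not the configured server,
    in client try order (lowest priority first, then highest weight)."""
    known = configured_servers(default_conf)
    ordered = sorted(parse_dig_srv(dig_output), key=lambda r: (r[0], -r[1]))
    return [r[3] for r in ordered if r[3] not in known]
```

Run against live data by feeding `stale_srv_targets` the text of `dig -t srv _ldap._tcp.<domain>` and the contents of /etc/ipa/default.conf; any hostname it returns is a discovery target the client may try that the configuration does not know about.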
