[Freeipa-users] ipa-* tools throws errors
John Dennis
jdennis at redhat.com
Mon Mar 11 18:31:55 UTC 2013
On 03/11/2013 02:05 PM, David Fitzgerald wrote:
>
> Here is the output of the dig command. Cyclone does show up here, but our networking people say there are no srv records in our current db. I still think the trouble I am having has to do with the Internal Server Error I get when I run ipa commands.
>
>
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6.3 <<>> -t srv _ldap._tcp.esci.millersville.edu
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27213
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
>
> ;; QUESTION SECTION:
> ;_ldap._tcp.esci.millersville.edu. IN SRV
>
> ;; ANSWER SECTION:
> _ldap._tcp.esci.millersville.edu. 600 IN SRV 0 100 389 cyclone.esci.millersville.edu.
>
> ;; AUTHORITY SECTION:
> _tcp.esci.millersville.edu. 3600 IN NS corsair.millersville.edu.
> _tcp.esci.millersville.edu. 3600 IN NS garfield.millersville.edu.
>
> ;; ADDITIONAL SECTION:
> corsair.millersville.edu. 3600 IN A 192.206.29.2
> garfield.millersville.edu. 3600 IN A 166.66.86.144
>
> ;; Query time: 1 msec
> ;; SERVER: 166.66.86.144#53(166.66.86.144)
> ;; WHEN: Mon Mar 11 13:55:36 2013
> ;; MSG SIZE rcvd: 176
>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of David Fitzgerald
> Sent: Friday, March 08, 2013 12:04 PM
> To: Martin Kosek
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] ipa-* tools throws errors
>
> Thanks for getting back to me!
>
> I don't think the problem has anything to do with DNS. I (finally) ran an ipa command with the verbose flags -vv and found that it IS trying to contact aurora.esci.millersville.edu, it fails then tries to contact cyclone.esci.millersville.edu (still don't know where that comes from). I am getting an 'Internal Server Error' in the output when connecting to aurora. Here is the output:
>
> % ipa -vv passwd
> ipa: INFO: trying https://aurora.esci.millersville.edu/ipa/xml
> send: u'POST /ipa/xml HTTP/1.0\r\nHost: aurora.esci.millersville.edu\r\nAccept-Language: en-us\r\nReferer: https://aurora.esci.millersville.edu/ipa/xml\r\nAuthorization: negotiate
> <SNIPPED OUT THE KEY STRING> ...
> send: "<?xml version='1.0' encoding='UTF-8'? >\n<methodCall>\n<methodName>ping</methodName>\n<params>\n</params>\n</methodCall>\n"
> reply: 'HTTP/1.1 500 Internal Server Error\r\n'
> header: Date: Fri, 08 Mar 2013 16:52:48 GMT
> header: Server: Apache/2.2.15 (Scientific Linux)
> header: WWW-Authenticate: Negotiate YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvjoEMIFJxPVNU4jtl/7S+eC6fM0rlJWpV1fJdhoVTKwiR2pa2OHQWRtCjQDfz pBNwNBpt1fMY7M4Bfrqs860toAT6jMfS8Jkqh3Aj9OeuEmpEVHys5pbErjj14OPHxbxTmLdPxFE8eV4ZIDQg40a8
> header: Content-Length: 311
> header: Connection: close
> header: Content-Type: text/html; charset=utf-8
> ipa: INFO: trying https://cyclone.esci.millersville.edu/ipa/xml
> ipa: ERROR: Kerberos error: Service u'HTTP at cyclone.esci.millersville.edu' not found in Kerberos database/
>
> The apache error log gives this:
> Fri Mar 08 11:52:48 2013] [error] ipa: ERROR: 500 Internal Server Error: xmlserver.__call__: KRB5CCNAME not defined in HTTP request environment.
>
> I have no idea what that means. Can you help?

It looks like the web server on aurora isn't configured for kerberos
auth on the ipa/xml location. If it were it would have created a
KRB5CCNAME before handing the request to IPA. IPA is complaining it can't
find the kerberos credentials. Your client then falls back to the server it
found in your dns srv record. I can't explain that srv record or whether
you've got a valid IPA server running there or not.

I would check the apache config on aurora.

Do you have a:
/etc/httpd/conf.d/ipa.conf
file?

Are there any .rpmnew files under /etc/httpd?

Have you restarted httpd on aurora?

What are the contents of /etc/httpd/conf.d/ipa.conf?

--
John Dennis <jdennis at redhat.com>
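
The file checks asked for in the reply above, collected into one shell function as an added example; it is not part of the original message and not FreeIPA's own tooling. It assumes the mod_auth_kerb directive names `AuthType Kerberos` and `KrbSaveCredentials on` inside a `<Location "/ipa">` block, and the function name and output labels are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes mod_auth_kerb directive names.
# check_ipa_httpd [ROOT]: prints one finding per line, returns 0 when clean.
# Typical call on the server: check_ipa_httpd /etc/httpd
check_ipa_httpd() {
    root="${1:-/etc/httpd}"
    conf="$root/conf.d/ipa.conf"
    rc=0

    if [ ! -f "$conf" ]; then
        echo "MISSING $conf"
        return 1
    fi

    # Files an rpm update wrote beside a locally modified config file;
    # their presence means the packaged config was never merged in.
    unmerged=$(find "$root" -name '*.rpmnew' 2>/dev/null)
    if [ -n "$unmerged" ]; then
        printf '%s\n' "$unmerged" | sed 's/^/UNMERGED /'
        rc=1
    fi

    # Directives in force for /ipa (which covers /ipa/xml): comment lines
    # skipped, each directive normalised to lower-case "name value".
    active=$(awk '
        /^[ \t]*#/ { next }
        tolower($1) == "<location" {
            p = $2; gsub(/[">]/, "", p)
            inblk = (p == "/ipa" || p == "/ipa/xml"); next
        }
        tolower($1) ~ /^<\/location/ { inblk = 0; next }
        inblk && NF >= 2 { print tolower($1) " " tolower($2) }
    ' "$conf")

    # AuthType Kerberos turns on Negotiate for the location;
    # KrbSaveCredentials on is what makes mod_auth_kerb store the ticket
    # cache and export KRB5CCNAME to the request handler.
    for want in "authtype kerberos" "krbsavecredentials on"; do
        if ! printf '%s\n' "$active" | grep -qx "$want"; then
            echo "NOT_SET $want (Location /ipa in $conf)"
            rc=1
        fi
    done
    return $rc
}
```

A `NOT_SET krbsavecredentials on` finding matches the `KRB5CCNAME not defined in HTTP request environment` error quoted above; httpd still has to be restarted after any change to the file.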