[Freeipa-users] ipa-* tools throws errors

John Dennis jdennis at redhat.com
Mon Mar 11 18:31:55 UTC 2013


On 03/11/2013 02:05 PM, David Fitzgerald wrote:
>
> Here is the output of the dig command.  Cyclone does show up here, but our networking people say there are no srv records in our current db.  I still think the trouble I am having has to do with the Internal Server Error I get when I run ipa commands.
>
>
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6.3 <<>> -t srv _ldap._tcp.esci.millersville.edu
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27213
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
>
> ;; QUESTION SECTION:
> ;_ldap._tcp.esci.millersville.edu. IN	SRV
>
> ;; ANSWER SECTION:
> _ldap._tcp.esci.millersville.edu. 600 IN SRV	0 100 389 cyclone.esci.millersville.edu.
>
> ;; AUTHORITY SECTION:
> _tcp.esci.millersville.edu. 3600 IN	NS	corsair.millersville.edu.
> _tcp.esci.millersville.edu. 3600 IN	NS	garfield.millersville.edu.
>
> ;; ADDITIONAL SECTION:
> corsair.millersville.edu. 3600	IN	A	192.206.29.2
> garfield.millersville.edu. 3600	IN	A	166.66.86.144
>
> ;; Query time: 1 msec
> ;; SERVER: 166.66.86.144#53(166.66.86.144)
> ;; WHEN: Mon Mar 11 13:55:36 2013
> ;; MSG SIZE  rcvd: 176
>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of David Fitzgerald
> Sent: Friday, March 08, 2013 12:04 PM
> To: Martin Kosek
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] ipa-* tools throws errors
>
> Thanks for getting back to me!
>
> I don't think the problem has anything to do with DNS.  I (finally) ran an ipa command with the verbose flags -vv and found that it IS trying to contact aurora.esci.millersville.edu, it fails then tries to contact cyclone.esci.millersville.edu (still don't know where that comes from).   I am getting an 'Internal Server Error' in the output when connecting to aurora.  Here is the output:
>
> 	% ipa -vv passwd
> 	ipa: INFO: trying https://aurora.esci.millersville.edu/ipa/xml
> 	send: u'POST /ipa/xml HTTP/1.0\r\nHost: aurora.esci.millersville.edu\r\nAccept-Language: en-us\r\nReferer: 	https://aurora.esci.millersville.edu/ipa/xml\r\nAuthorization: negotiate
> 		 <SNIPPED OUT THE KEY STRING> ...
> 	send: "<?xml version='1.0' encoding='UTF-8'?	>\n<methodCall>\n<methodName>ping</methodName>\n<params>\n</params>\n</methodCall>\n"
> 	reply: 'HTTP/1.1 500 Internal Server Error\r\n'
> 	header: Date: Fri, 08 Mar 2013 16:52:48 GMT
> 	header: Server: Apache/2.2.15 (Scientific Linux)
> 	header: WWW-Authenticate: Negotiate 	YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvjoEMIFJxPVNU4jtl/7S+eC6fM0rlJWpV1fJdhoVTKwiR2pa2OHQWRtCjQDfz	pBNwNBpt1fMY7M4Bfrqs860toAT6jMfS8Jkqh3Aj9OeuEmpEVHys5pbErjj14OPHxbxTmLdPxFE8eV4ZIDQg40a8
> 	header: Content-Length: 311
> 	header: Connection: close
> 	header: Content-Type: text/html; charset=utf-8
> 	ipa: INFO: trying https://cyclone.esci.millersville.edu/ipa/xml
> 	ipa: ERROR: Kerberos error: Service u'HTTP at cyclone.esci.millersville.edu' not found in Kerberos database/
>
> The apache error log gives this:
> 	 Fri Mar 08 11:52:48 2013] [error] ipa: ERROR: 500 Internal Server Error: xmlserver.__call__: KRB5CCNAME not defined in HTTP request environment.
>
> I have no idea what that means.  Can you help?

It looks like the web server on aurora isn't configured for kerberos 
auth on the ipa/xml location. If it were it would have created a 
KRB5CCNAME before handing the request to IPA. IPA is complaining it can't 
find the kerberos credentials. Your client then falls back to the server it 
found in your dns srv record. I can't explain that srv record or whether 
you've got a valid IPA server running there or not.

I would check the apache config on aurora.

Do you have a:

/etc/httpd/conf.d/ipa.conf

file?

Are there any .rpmnew files under /etc/httpd?

Have you restarted httpd on aurora?

What are the contents of /etc/httpd/conf.d/ipa.conf?


-- 
John Dennis <jdennis at redhat.com>
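
The checks asked for in the reply above, collected into one shell function. This is an added example, not part of the original message or FreeIPA's own tooling. The function name `check_ipa_httpd` is hypothetical, and it assumes ipa.conf enables Kerberos through the mod_auth_kerb directives `AuthType Kerberos` and `KrbSaveCredentials on`, the latter being what lets Apache export KRB5CCNAME to the application.

```shell
#!/bin/sh
# Added example (hypothetical helper, not shipped with FreeIPA).
# Usage: check_ipa_httpd [HTTPD_ROOT]     (default root: /etc/httpd)
# Prints one finding per line; returns 0 only when nothing is flagged.
check_ipa_httpd() {
    root=${1:-/etc/httpd}
    conf="$root/conf.d/ipa.conf"
    rc=0

    # 1. Does the IPA Apache configuration exist at all?
    if [ ! -f "$conf" ]; then
        echo "MISSING $conf"
        return 1
    fi
    echo "FOUND $conf"

    # 2. Leftover .rpmnew files: a package update shipped a newer config
    #    that was never merged into the live one.
    rpmnew=$(find "$root" -name '*.rpmnew' 2>/dev/null)
    if [ -n "$rpmnew" ]; then
        printf '%s\n' "$rpmnew" | sed 's/^/RPMNEW /'
        rc=1
    fi

    # 3. Are the Kerberos directives active (not commented out)?
    #    Assumption: a mod_auth_kerb based setup. The match is file-wide,
    #    so still read the <Location> blocks by hand afterwards.
    active=$(sed -e 's/#.*//' "$conf")
    if ! printf '%s\n' "$active" |
         grep -Eiq '^[[:space:]]*AuthType[[:space:]]+Kerberos'; then
        echo "NO_KERBEROS_AUTH AuthType Kerberos not active in $conf"
        rc=1
    fi
    if ! printf '%s\n' "$active" |
         grep -Eiq '^[[:space:]]*KrbSaveCredentials[[:space:]]+on'; then
        echo "NO_SAVED_CREDS KrbSaveCredentials on not active in $conf"
        rc=1
    fi

    if [ "$rc" -eq 0 ]; then
        echo "OK kerberos auth directives present"
    fi
    return "$rc"
}
```

Edits to ipa.conf only take effect after httpd is restarted, which is the remaining question in the reply.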
