[Freeipa-users] ipa-* tools throws errors

Rob Crittenden rcritten at redhat.com
Tue Mar 12 02:11:04 UTC 2013


David Fitzgerald wrote:
>
> Here is the output of the dig command.  Cyclone does show up here, but our networking people say there are no srv records in our current db.  I still think the trouble I am having has to do with the Internal Server Error I get when I run ipa commands.

There are two problems here. The first is the server error which is 
causing the client to try the next server which is cyclone.  There are 
records for this somewhere.

I think the next place to look is /var/log/krb5kdc.log to see what is 
happening when you try to contact the web server. You may also want to 
add debug = True to /etc/ipa/default.conf and restart httpd. This will 
provide very verbose output on the client and server and may provide 
additional clues.

rob

>
>
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6.3 <<>> -t srv _ldap._tcp.esci.millersville.edu
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27213
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
>
> ;; QUESTION SECTION:
> ;_ldap._tcp.esci.millersville.edu. IN	SRV
>
> ;; ANSWER SECTION:
> _ldap._tcp.esci.millersville.edu. 600 IN SRV	0 100 389 cyclone.esci.millersville.edu.
>
> ;; AUTHORITY SECTION:
> _tcp.esci.millersville.edu. 3600 IN	NS	corsair.millersville.edu.
> _tcp.esci.millersville.edu. 3600 IN	NS	garfield.millersville.edu.
>
> ;; ADDITIONAL SECTION:
> corsair.millersville.edu. 3600	IN	A	192.206.29.2
> garfield.millersville.edu. 3600	IN	A	166.66.86.144
>
> ;; Query time: 1 msec
> ;; SERVER: 166.66.86.144#53(166.66.86.144)
> ;; WHEN: Mon Mar 11 13:55:36 2013
> ;; MSG SIZE  rcvd: 176
>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of David Fitzgerald
> Sent: Friday, March 08, 2013 12:04 PM
> To: Martin Kosek
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] ipa-* tools throws errors
>
> Thanks for getting back to me!
>
> I don't think the problem has anything to do with DNS.  I (finally) ran an ipa command with the verbose flags -vv and found that it IS trying to contact aurora.esci.millersville.edu; it fails, then tries to contact cyclone.esci.millersville.edu (still don't know where that comes from).  I am getting an 'Internal Server Error' in the output when connecting to aurora.  Here is the output:
>
> 	% ipa -vv passwd
> 	ipa: INFO: trying https://aurora.esci.millersville.edu/ipa/xml
> 	send: u'POST /ipa/xml HTTP/1.0\r\nHost: aurora.esci.millersville.edu\r\nAccept-Language: en-us\r\nReferer: https://aurora.esci.millersville.edu/ipa/xml\r\nAuthorization: negotiate
> 		 <SNIPPED OUT THE KEY STRING> ...
> 	send: "<?xml version='1.0' encoding='UTF-8'?>\n<methodCall>\n<methodName>ping</methodName>\n<params>\n</params>\n</methodCall>\n"
> 	reply: 'HTTP/1.1 500 Internal Server Error\r\n'
> 	header: Date: Fri, 08 Mar 2013 16:52:48 GMT
> 	header: Server: Apache/2.2.15 (Scientific Linux)
> 	header: WWW-Authenticate: Negotiate YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvjoEMIFJxPVNU4jtl/7S+eC6fM0rlJWpV1fJdhoVTKwiR2pa2OHQWRtCjQDfzpBNwNBpt1fMY7M4Bfrqs860toAT6jMfS8Jkqh3Aj9OeuEmpEVHys5pbErjj14OPHxbxTmLdPxFE8eV4ZIDQg40a8
> 	header: Content-Length: 311
> 	header: Connection: close
> 	header: Content-Type: text/html; charset=utf-8
> 	ipa: INFO: trying https://cyclone.esci.millersville.edu/ipa/xml
> 	ipa: ERROR: Kerberos error: Service u'HTTP at cyclone.esci.millersville.edu' not found in Kerberos database/
>
> The apache error log gives this:
> 	 Fri Mar 08 11:52:48 2013] [error] ipa: ERROR: 500 Internal Server Error: xmlserver.__call__: KRB5CCNAME not defined in HTTP request environment.
>
> I have no idea what that means.  Can you help?
>
> -----Original Message-----
> From: Martin Kosek [mailto:mkosek at redhat.com]
> Sent: Wednesday, March 06, 2013 3:05 AM
> To: David Fitzgerald
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] ipa-* tools throws errors
>
> Ok. Can you check whether this hostname is returned by an SRV DNS record discovery run on the host where you execute the ipa commands?
>
> # dig -t srv _ldap._tcp.esci.millersville.edu
>
> Does it return the right results?
>
> Martin
>
> On 03/05/2013 07:26 PM, David Fitzgerald wrote:
>> The host command returns the correct name:
>> #host 166.66.65.39
>> 39.65.66.166.in-addr.arpa domain name pointer aurora.esci.millersville.edu.
>>
>> -----Original Message-----
>> From: Martin Kosek [mailto:mkosek at redhat.com]
>> Sent: Tuesday, March 05, 2013 10:26 AM
>> To: David Fitzgerald
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] ipa-* tools throws errors
>>
>> On 03/05/2013 04:21 PM, David Fitzgerald wrote:
>>> Hello everyone,
>>>
>>> I have been running a freeIPA server on Scientific Linux 6.2 for about a year.
>>> Yesterday I started not being able to run any "ipa-" commands.
>>> Running kinit admin gives me the proper tickets, but when I run any
>>> ipa- command I get the following error:
>>>
>>> ipa: ERROR: Kerberos error: Service
>>> u'HTTP at cyclone.esci.millersville.edu' not found in Kerberos database/.
>>>
>>> I have no idea where the cyclone.esci.millersville.edu is coming
>>> from, as that used to be a Windows Domain server that was
>>> decommissioned years ago and is no longer in DNS, nor in /etc/hosts.
>>> I even ran grep -R over all of the files in /etc and none refer to cyclone.  I
>>> checked the ipa config and krb5.conf files and they are pointing at the proper ipa server.
>>>
>>> Checking log files I get these messages when I try to run ipa commands:
>>>
>>> /var/log/httpd/error log:
>>>
>>> Tue Mar 05 08:57:54 2013] [error] ipa: ERROR: 500 Internal Server Error:
>>> xmlserver.__call__: KRB5CCNAME not defined in HTTP request
>>> environment
>>>
>>> /var/log/ipa
>>>
>>> Mar 05 09:57:00 aurora.esci.millersville.edu krb5kdc[12534](info):
>>> TGS_REQ (4 etypes {18 17 16 23}) 166.66.65.39: ISSUE: authtime
>>> 1362491436, etypes {rep=18
>>> tkt=18 ses=18}, admin at LINUX.DIRSRV.LOCAL for
>>> krbtgt/LINUX.DIRSRV.LOCAL at LINUX.DIRSRV.LOCAL
>>>
>>> Mar 05 09:57:00 aurora.esci.millersville.edu krb5kdc[12534](info):
>>> TGS_REQ (4 etypes {18 17 16 23}) 166.66.65.39: UNKNOWN_SERVER:
>>> authtime 0, admin at LINUX.DIRSRV.LOCAL for
>>> HTTP/cyclone.esci.millersville.edu at LINUX.DIRSRV.LOCAL, Server not
>>> found in Kerberos database
>>>
>>> I Googled these error messages, but none of the results seemed to
>>> apply to my situation or didn't solve the problem.  Can anyone point
>>> me in the right direction? Any help is greatly appreciated.
>>>
>>> For what they are worth, here are my /etc/krb5.conf and
>>> /etc/ipa/default.conf
>>> files:
>>>
>>> /etc/krb5.conf:
>>>
>>> includedir /var/lib/sss/pubconf/krb5.include.d/
>>>
>>> [logging]
>>> default = FILE:/var/log/krb5libs.log
>>> kdc = FILE:/var/log/krb5kdc.log
>>> admin_server = FILE:/var/log/kadmind.log
>>>
>>> [libdefaults]
>>> default_realm = LINUX.DIRSRV.LOCAL
>>> dns_lookup_realm = false
>>> dns_lookup_kdc = false
>>> rdns = false
>>> ticket_lifetime = 24h
>>> forwardable = yes
>>>
>>> [realms]
>>> LINUX.DIRSRV.LOCAL = {
>>>    kdc = aurora.esci.millersville.edu:88
>>>    admin_server = aurora.esci.millersville.edu:749
>>>    default_domain = esci.millersville.edu
>>>    pkinit_anchors = FILE:/etc/ipa/ca.crt
>>> }
>>>
>>> [domain_realm]
>>> .esci.millersville.edu = LINUX.DIRSRV.LOCAL
>>> esci.millersville.edu = LINUX.DIRSRV.LOCAL
>>>
>>> [dbmodules]
>>> #  LINUX.DIRSRV.LOCAL = {
>>> #    db_library = kldap
>>> #    ldap_servers = ldapi://%2fvar%2frun%2fslapd-LINUX-DIRSRV-LOCAL.socket
>>> #    ldap_kerberos_container_dn = cn=kerberos,dc=linux,dc=dirsrv,dc=local
>>> #    ldap_kdc_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=linux,dc=dirsrv,dc=local
>>> #    ldap_kadmind_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=linux,dc=dirsrv,dc=local
>>> #    ldap_service_password_file = /var/kerberos/krb5kdc/ldappwd
>>> #  }
>>>
>>>    LINUX.DIRSRV.LOCAL = {
>>>      db_library = ipadb.so
>>>    }
>>>
>>> /etc/ipa/default.conf
>>>
>>> [global]
>>> host=aurora.esci.millersville.edu
>>> basedn=dc=linux,dc=dirsrv,dc=local
>>> realm=LINUX.DIRSRV.LOCAL
>>> domain=esci.millersville.edu
>>> xmlrpc_uri=https://aurora.esci.millersville.edu/ipa/xml
>>> ldap_uri=ldapi://%2fvar%2frun%2fslapd-LINUX-DIRSRV-LOCAL.socket
>>> enable_ra=True
>>> ra_plugin=dogtag
>>> mode=production
>>>
>>> +++++++++++++++++++++++
>>> David Fitzgerald
>>> Department of Earth Sciences
>>> Millersville University
>>> Millersville, PA 17551
>>> Phone: 717-871-2394
>>>
>>
>> Hello David,
>>
>> I suspect this is caused by broken DNS reverse resolution, as Kerberos client software often uses the result of reverse record (PTR RR) resolution as a hostname and not the actual hostname configured on your system.
>>
>> What does "host $IP_ADDRESS_OF_YOUR_HOST" return? Does it return the correct hostname?
>>
>> Martin
>>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
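One check that follows from Rob's diagnosis, written here as an added example (not code from the thread or from FreeIPA): parse the SRV answer that the client's autodiscovery sees and compare the targets with the server named in /etc/ipa/default.conf, so that a stale target such as cyclone shows up before a failure on the configured server makes the client fall back to it. The dig text and the default.conf excerpt are constructed samples based on the values posted in the thread; the second SRV record for aurora is added only to show preference ordering.

```python
"""Compare the IPA servers advertised by DNS SRV autodiscovery with the
server configured in /etc/ipa/default.conf and flag stale targets."""
import re
from configparser import ConfigParser
from urllib.parse import urlparse

# Constructed sample modelled on the dig answer in the thread (tabs/spaces mixed as dig prints them).
DIG_OUTPUT = """\
;; ANSWER SECTION:
_ldap._tcp.esci.millersville.edu. 600 IN SRV\t10 100 389 cyclone.esci.millersville.edu.
_ldap._tcp.esci.millersville.edu. 600 IN SRV\t0 100 389 aurora.esci.millersville.edu.

;; AUTHORITY SECTION:
_tcp.esci.millersville.edu. 3600 IN\tNS\tcorsair.millersville.edu.
"""

# Constructed excerpt of /etc/ipa/default.conf, values as posted in the thread.
DEFAULT_CONF = """\
[global]
host=aurora.esci.millersville.edu
xmlrpc_uri=https://aurora.esci.millersville.edu/ipa/xml
ldap_uri=ldapi://%2fvar%2frun%2fslapd-LINUX-DIRSRV-LOCAL.socket
"""

# owner  ttl  IN  SRV  priority  weight  port  target
SRV_RE = re.compile(r"^\S+\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$", re.M)


def parse_srv(dig_text):
    """(priority, weight, port, target) tuples from the ANSWER section, in the
    order a client tries them: lowest priority first, then highest weight."""
    marker = ";; ANSWER SECTION:"
    if marker not in dig_text:
        return []  # NOERROR with an empty answer: nothing to discover
    answer = dig_text.split(marker, 1)[1].split(";;", 1)[0]
    records = [(int(p), int(w), int(port), t.rstrip("."))
               for p, w, port, t in SRV_RE.findall(answer)]
    return sorted(records, key=lambda r: (r[0], -r[1]))


def configured_server(conf_text):
    """Hostname from xmlrpc_uri; interpolation is off because ldap_uri
    holds literal %2f escapes that ConfigParser would otherwise reject."""
    cp = ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return urlparse(cp["global"]["xmlrpc_uri"]).hostname


def stale_srv_targets(dig_text, conf_text):
    """SRV targets other than the configured server: each is a host the
    client will fall back to, so each must be a real, enrolled IPA server."""
    expected = configured_server(conf_text)
    return [t for *_, t in parse_srv(dig_text) if t != expected]
```

Run against live data by feeding `dig -t srv _ldap._tcp.<domain>` output and the real default.conf into the two functions; any hostname returned by `stale_srv_targets` is a DNS entry to review.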
