<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 11/26/2013 05:15 PM, siology.io wrote:
<blockquote
cite="mid:CAL8of0ESYiu62NMz9pNWxowLejU9icXb59UFA3_kmjtdVNXbew@mail.gmail.com"
type="cite">
<div dir="ltr">for what it's worth, kinit on the command line of
the ipa server works just fine, and detects the realm ok.</div>
</blockquote>
<br>
OK then let us rule out DNS for a moment. <br>
<br>
Have you checked the KDC log to see whether the authentication
actually occurred?<br>
If kinit works, I suspect it works too, but it is worth checking.<br>
<br>
Maybe there are some problems with memcached after the form-based
authentication to cache the authentication. The KDC log would show
whether the kinit and follow-up service ticket request for LDAP
access actually occurred.<br>
<br>
Also, what about SELinux: any suspicious AVC?<br>
<br>
<br>
<blockquote
cite="mid:CAL8of0ESYiu62NMz9pNWxowLejU9icXb59UFA3_kmjtdVNXbew@mail.gmail.com"
type="cite">
<div dir="ltr">
<div><br>
</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On 27 November 2013 11:00, <a
moz-do-not-send="true" href="http://siology.io">siology.io</a>
<span dir="ltr"><<a moz-do-not-send="true"
href="mailto:siology.io@gmail.com" target="_blank">siology.io@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Yeah, maybe. I do see from the install log of
the ipa-dns-install that it changed the /etc/resolv.conf
to point to its own IP - which seems a little odd (and
unwanted, more importantly). I've changed that back to how
it should be and restarted ipa but still nothing.
<div>
<br>
</div>
<div>There's no other KDC in the environment that I'm
aware of. Certainly, the DNS I was using only has the
one set of SRV records for ldap and kdc.</div>
<div><br>
</div>
<div>The bit that puzzles me is how/why that would have
affected the replica server also. I assume it's copied
the LDAP DNS data to the replica, but I never installed
bind there or bind-dyndb-ldap, or anything else - so I'd
expect that to be unaffected, but it's also broken now.
:-(</div>
</div>
<div class="HOEnZb">
<div class="h5">
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On 27 November 2013 10:47,
Dmitri Pal <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div> On 11/26/2013 04:32 PM, <a
moz-do-not-send="true"
href="http://siology.io" target="_blank">siology.io</a>
wrote:
<blockquote type="cite">
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On 27 November
2013 10:21, Dmitri Pal <span
dir="ltr"><<a
moz-do-not-send="true"
href="mailto:dpal@redhat.com"
target="_blank">dpal@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF"
text="#000000">
<div> On 11/26/2013 03:37 PM, <a
moz-do-not-send="true"
href="http://siology.io"
target="_blank">siology.io</a>
wrote:
<blockquote type="cite">
<div dir="ltr">I'm seeing an
issue with logging into the
web UI of ipa. I've been
using IPA for 6 months or so
in production, and all has
been well so far.
<div><br>
</div>
<div>The last thing I did in
terms of IPA was run
ipa-dns-install, which
completed successfully,
but I suspect this issue
occurred before that and I
never noticed, as it's been
a few weeks since I used
the UI. I typically check
that the login page works and
ldapsearch works after
upgrades, but in this
instance the login box is
presented, and after
entering the credentials
it sits doing nothing for
a while, then times out
with 'internal server
error'.</div>
<div><br>
</div>
<div>The only useful log
I've managed to find is in
/var/log/httpd/error_log</div>
<div><br>
</div>
<div>
<div>[Wed Nov 27 08:41:47
2013] [error] [client
(redacted)] Script timed
out before returning
headers: wsgi.py,
referer: <a
moz-do-not-send="true"
href="https://%28redacted%29/ipa/ui/" target="_blank">https://(redacted)/ipa/ui/</a></div>
</div>
</div>
</blockquote>
<br>
</div>
What happens before that in the
log?<br>
Any DNS lookup or some other
lookup?
<div><br>
</div>
</div>
</blockquote>
<div><br>
</div>
<div>Doesn't appear so, no. What makes
you suspect that? I never got as
far as doing the ipa-dns-install on
the replica. I did it on the master,
then went to log in and got this
issue. It may well be that it (the
UI) was broken previously. I
couldn't work out how to remove the
ipa-dns-install to find out if it
magically resumes working, though.</div>
</div>
</div>
</div>
</blockquote>
<br>
<br>
<br>
</div>
A pure speculation:<br>
If the UI presents you the form and you fill it in,
then you are definitely talking to the server.
When you submit the form the server tries to do
kinit on your behalf. It might not be able to
determine where its KDC is because the DNS
configuration is broken in some way and it is
now looking at the wrong KDC (maybe an AD KDC, or
there is a lack of the server records altogether for
some reason). <br>
<div>
<div> <br>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div> </div>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF"
text="#000000">
<div> <br>
<blockquote type="cite">
<div dir="ltr">
<div> </div>
<div><br>
</div>
<div>I'm seeing this
behaviour on both my
master and replica, but
they are both identical
in terms of package
versions and such, so it
may not be significant.</div>
<div><br>
</div>
<div>My system versions:</div>
<div>CentOS 6.4 x64</div>
<div><br>
</div>
<div>
<div>ipa-python-3.0.0-26.el6_4.4.x86_64</div>
<div>ipa-server-selinux-3.0.0-26.el6_4.4.x86_64</div>
<div>python-iniparse-0.3.1-2.1.el6.noarch</div>
<div>libipa_hbac-1.9.2-82.10.el6_4.x86_64</div>
<div>libipa_hbac-python-1.9.2-82.10.el6_4.x86_64</div>
<div>ipa-client-3.0.0-26.el6_4.4.x86_64</div>
<div>ipa-server-3.0.0-26.el6_4.4.x86_64</div>
<div>ipa-pki-ca-theme-9.0.3-7.el6.noarch</div>
<div>ipa-admintools-3.0.0-26.el6_4.4.x86_64</div>
<div>ipa-pki-common-theme-9.0.3-7.el6.noarch</div>
</div>
<div><br>
</div>
<div>
<div>bind-dyndb-ldap-2.3-2.el6_4.1.x86_64<br>
</div>
<div>bind-9.8.2-0.17.rc1.el6_4.6.x86_64<br>
</div>
</div>
<div><br>
</div>
<div>which are (AFAIK) all the
latest for CentOS 6.4</div>
<div><br>
</div>
<div>Oddly, I'm not seeing
this behaviour in my
VirtualBox / Vagrant IPA
testbed, which has
identical version
numbers, and wsgi.py in
/usr/share/ipa has an
identical md5sum.</div>
<div><br>
</div>
<div>Not really sure how
to approach debugging
this further. Any ideas?
Has anyone else seen
this happen?</div>
<div><br>
</div>
<div>The ldapsearch, bind
dns and everything else
seem operational - just
the GUI is out of
action.</div>
</div>
</blockquote>
<br>
<br>
<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div><br>
</div>
<div><br>
</div>
</div>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
Freeipa-users mailing list
<a moz-do-not-send="true" href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a>
<a moz-do-not-send="true" href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
<span><font color="#888888"> </font></span></blockquote>
<span><font color="#888888"> <br>
<br>
<pre cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a moz-do-not-send="true" href="http://www.redhat.com/carveoutcosts/" target="_blank">www.redhat.com/carveoutcosts/</a>
</pre>
</font></span></div>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
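An added example (not from the thread or the FreeIPA project) of the KDC-log check suggested above: it parses MIT-style krb5kdc.log lines and reports whether a given user's form login produced both the kinit (AS_REQ for krbtgt) and the follow-up ldap/ service ticket (TGS_REQ). The sample lines, hostnames, realm and addresses are constructed placeholders.

```python
import re
from typing import Dict, List

# Constructed sample lines in MIT krb5kdc.log style (not taken from the thread);
# hostnames, realm and IPs are placeholders.
SAMPLE_KDC_LOG = """\
Nov 27 08:41:40 ipa.example.test krb5kdc[2210](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: NEEDED_PREAUTH: admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Nov 27 08:41:40 ipa.example.test krb5kdc[2210](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1385541700, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Nov 27 08:41:41 ipa.example.test krb5kdc[2210](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1385541700, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.TEST for ldap/ipa.example.test@EXAMPLE.TEST
Nov 27 08:43:02 ipa.example.test krb5kdc[2210](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.11: PREAUTH_FAILED: bob@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Preauthentication failed
"""

# One KDC request line: request type, client IP, status, client and server principals.
LINE_RE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): (?P<req>AS_REQ|TGS_REQ) .*?\) (?P<ip>[\d.]+): "
    r"(?P<status>[A-Z_]+): (?:authtime \d+, etypes \{[^}]*\}, )?"
    r"(?P<client>\S+) for (?P<server>\S+?)(?:,.*)?$"
)


def parse_kdc_log(text: str) -> List[Dict[str, str]]:
    """Return one dict per AS_REQ/TGS_REQ line; other lines are ignored."""
    return [m.groupdict() for m in map(LINE_RE.search, text.splitlines()) if m]


def trace_web_login(events: List[Dict[str, str]], client: str, ipa_host: str) -> Dict[str, object]:
    """Check whether the KDC saw the two steps behind an IPA form login.

    The web UI kinits for the user (AS_REQ for krbtgt) and then needs a
    service ticket for ldap/<ipa_host> (TGS_REQ) before it can read LDAP.
    NEEDED_PREAUTH is the normal first round trip, not a failure.
    """
    mine = [e for e in events if e["client"] == client]
    as_issued = any(e["req"] == "AS_REQ" and e["status"] == "ISSUE" for e in mine)
    tgs_ldap = any(e["req"] == "TGS_REQ" and e["status"] == "ISSUE"
                   and e["server"].startswith(f"ldap/{ipa_host}@") for e in mine)
    failures = [e["status"] for e in mine if e["status"] not in ("ISSUE", "NEEDED_PREAUTH")]
    if not as_issued:
        verdict = "no TGT issued: the request never reached this KDC or failed pre-auth"
    elif not tgs_ldap:
        verdict = "TGT issued but no ldap/ service ticket: the problem is after kinit"
    else:
        verdict = "kinit and LDAP service ticket both issued: look beyond the KDC"
    return {"as_issued": as_issued, "tgs_ldap": tgs_ldap, "failures": failures, "verdict": verdict}


if __name__ == "__main__":
    for who in ("admin@EXAMPLE.TEST", "bob@EXAMPLE.TEST"):
        print(who, trace_web_login(parse_kdc_log(SAMPLE_KDC_LOG), who, "ipa.example.test")["verdict"])
```

Run it against a real /var/log/krb5kdc.log with the web UI user's principal and the IPA server's FQDN; an empty event list for that user after a form login points at DNS/KDC discovery rather than at the KDC itself.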
</body>
</html>