Dimitris Zilaskos wrote:
> Hi,
> 
> Just wondering if anyone had the time to take a look at this. My
> understanding is that everything works up to the point that kerberos
> authentication takes place successfully, but for some reason the ticket
> obtained does not get stored.

I guess I'd try to debug it outside of certmonger.

Try a typical IPA command with verbose output:

% ipa -vvv user-show admin

You should see the Kerberos negotiation happening on the client side. If
that request still fails then I think we'd need to see the Apache
mod_auth_kerb configuration along with the client-side output (and
anything that looks interesting on the server side). It's unlikely that
anything changed but one never knows.

rob

> 
> Best regards,
> 
> Dimitrios
> 
> On Mon, Jan 15, 2018 at 9:21 PM, Dimitris Zilaskos <dimitr...@gmail.com> wrote:
> 
>     Thank you for your reply. I just retried with debug enabled but I
>     cannot say I see anything useful.
> 
> 
>     I was wondering if I somehow can debug the kerberos procedure
>     more...or get rid of memcache for debug purposes.
> 
>     Best regards,
> 
>     Dimitrios
> 
> 
>     On Mon, Jan 15, 2018 at 8:49 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> 
>         Dimitris Zilaskos via FreeIPA-users wrote:
>         > Hello,
>         >
>         > I have been asked to look into an ipa server running in CentOS 6. The
>         > server was misbehaving for some time, with some certificates expiring
>         > back in October. Also / was full. I have cleaned up some space, set the
>         > date back before the certificates expired, restarted/rebooted but
>         > renewal of certs fails:
>         >
>         > [Wed Oct 25 00:00:21 2017] [info] Connection to child 0 established
>         > (server portal.cloud.local, client 10.142.20.10)
>         > [Wed Oct 25 00:00:21 2017] [debug] nss_engine_init.c(1948): SNI: Found
>         > nickname Server-Cert for vhost: portal.cloud.local
>         > [Wed Oct 25 00:00:21 2017] [debug] nss_engine_init.c(1970): SNI:
>         > Successfully paired vhost portal.cloud.local with nickname: Server-Cert
>         > [Wed Oct 25 00:00:21 2017] [debug] nss_engine_kernel.c(93): SNI request
>         > for portal.cloud.local
>         > [Wed Oct 25 00:00:21 2017] [info] Initial (No.1) HTTPS request received
>         > for child 0 (server portal.cloud.local:443)
>         > [Wed Oct 25 00:00:21 2017] [error] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
>         > [Wed Oct 25 00:00:21 2017] [error] ipa: DEBUG: WSGI xmlserver.__call__:
>         > [Wed Oct 25 00:00:21 2017] [error] ipa: ERROR: 500 Internal Server
>         > Error: xmlserver.__call__: KRB5CCNAME not defined in HTTP request
>         > environment
>         > [Wed Oct 25 00:00:21 2017] [error] ipa: DEBUG: response: CCacheError:
>         > did not receive Kerberos credentials
>         > [Wed Oct 25 00:00:21 2017] [info] Connection to child 0 closed (server
>         > portal.cloud.local:443, client 10.142.20.10)
>         >
>         > I can do kinit admin without problems. Please, any hints on how I can
>         > resolve this?
>         >
> 
>         This isn't much to go on.
> 
>         You might create /etc/ipa/server.conf with the contents:
> 
>         [global]
>         debug = True
> 
>         and restart IPA. It should provide more information on the
>         incoming request.
> 
>         certmonger logs to syslog so I'd check there for details from
>         the renewal.
> 
>         Knowing the state of the certs tracked by certmonger would be
>         helpful too (be sure to redact any PIN that might be in the
>         getcert list output).
> 
>         rob
> 
> 
> 
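The two pieces of information Rob asks for from certmonger (the state of each tracked request, with any PIN redacted before it is posted) can be pulled out of a `getcert list` dump with a small script. The following is an added example written for this thread, not code from the thread or from FreeIPA/certmonger. It assumes certmonger's usual listing layout (a "Request ID '<id>':" header per request, indented "status:" and "expires:" lines, and a literal PIN appearing as pin='...' inside the "key pair storage:" field) and runs offline against a constructed sample; the request IDs, paths, dates and PIN in that sample are made up.

```sh
#!/bin/sh
# Added example (not from the thread or from FreeIPA/certmonger): triage a
# `getcert list` dump offline. Assumes certmonger's usual layout: one
# "Request ID '<id>':" header per request followed by indented "status:",
# "expires:" and "key pair storage:" lines, where a literal PIN appears as
# pin='...' inside the key pair storage field.

# Constructed sample output. IDs, paths, dates and the PIN are made up.
SAMPLE_GETCERT_LIST="$(cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20170101000001':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-CLOUD-LOCAL',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-CLOUD-LOCAL/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-CLOUD-LOCAL',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        expires: 2019-06-01 12:00:00 UTC
        track: yes
        auto-renew: yes
Request ID '20170101000002':
        status: CA_UNREACHABLE
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pin='Secret123'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        expires: 2017-10-25 00:00:00 UTC
        track: yes
        auto-renew: yes
EOF
)"

# Replace every literal PIN value so the listing is safe to paste into a
# mailing list or ticket. pinfile='...' is only a path and is left intact.
redact_pins() {
    sed -E "s/pin='[^']*'/pin='[REDACTED]'/g"
}

# Print "<id> <status> <expires>" for each request that is either not in
# MONITORING state (a renewal certmonger could not finish) or whose
# certificate expires before REF_DATE (YYYY-MM-DD; a renewal that has not
# happened yet). A request with no expires line is reported as well.
report_requests() {
    awk -v ref="$1" '
        function emit() {
            if (id == "") return
            if (status != "MONITORING" || substr(expires, 1, 10) < ref)
                print id, status, expires
        }
        /^Request ID/ {
            emit()
            id = $3; gsub(/[^A-Za-z0-9_-]/, "", id)
            status = ""; expires = ""
        }
        { sub(/^[ \t]+/, "") }
        /^status: /  { status = $2 }
        /^expires: / { expires = substr($0, 10) }
        END { emit() }
    '
}

# Stand-alone run against the constructed sample, as of the date of the
# thread. On a real server feed `getcert list` in instead of the printf.
printf '%s\n' "$SAMPLE_GETCERT_LIST" | redact_pins
printf '%s\n' "$SAMPLE_GETCERT_LIST" | report_requests 2018-01-15
```

On the server in question you would run `getcert list | redact_pins` to produce something postable, and `getcert list | report_requests "$(date +%F)"` to see which requests are stuck or already past their expiry; with the system clock deliberately set back, as described above, pass the real calendar date rather than `date +%F` so that certificates that have in fact expired are still flagged.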
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
