Outcome? I couldn't see where the 401 or 500 "appeared"... the screen output of curl was as attached.
regards
________________________________________
From: Rob Crittenden [[email protected]]
Sent: Thursday, 26 May 2011 1:21 a.m.
To: Steven Jones
Cc: [email protected]
Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs

Steven Jones wrote:
> FYI....
>
> Think I did it right!
>
> :]

What was the outcome? Did you get a 401 or 500? I can't figure it out based on the logs but I do see quite a few successful authentications.

Can you isolate the log data for this one curl request? I'd run this on the 6.1 client that you're having problems with.

thanks

rob

> regards
> ________________________________________
> From: Rob Crittenden [[email protected]]
> Sent: Wednesday, 25 May 2011 3:33 p.m.
> To: Steven Jones
> Cc: [email protected]
> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
>
> Steven Jones wrote:
>> FYI
>
> Ok, this is very strange, it isn't really trying very hard to do the kerberos authentication.
>
> It should be requesting the HTTP service principal and then doing the Negotiate authentication but for some reason it is giving up.
>
> Here is something to try (obviously replacing ipa.example.com with your ipa server):
>
> % kdestroy
> % scp ipa.example.com:/etc/krb5.conf test-krb5.conf
> % export KRB5_CONFIG=`pwd`/test-krb5.conf
> % kinit admin
> % klist -f (send us this output)
> % curl -kv --negotiate -u : https://ipa.example.com/ipa/xml
> % klist -f (send us this too)
> % unset KRB5_CONFIG
>
> You should get a 500 error and not a 401.
>
> Some logs to capture the tail of:
>
> Apache error and access logs
> /var/log/krb5kdc.log
>
> rob
>
>> ________________________________________
>> From: Rob Crittenden [[email protected]]
>> Sent: Wednesday, 25 May 2011 9:41 a.m.
>> To: Steven Jones
>> Cc: [email protected]
>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
>>
>> Steven Jones wrote:
>>> Logs.....
>>
>> Sorry, had you set the level in the wrong file. Can you set LogLevel debug in /etc/httpd/conf.d/nss.conf, restart Apache and try again?
>>
>> rob
>>
>>> ________________________________________
>>> From: Rob Crittenden [[email protected]]
>>> Sent: Wednesday, 25 May 2011 8:51 a.m.
>>> To: Steven Jones
>>> Cc: [email protected]
>>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
>>>
>>> Steven Jones wrote:
>>>> Hi,
>>>>
>>>> So I can't get clients to connect to the ipa server, be it 5.6 or 6.1
>>>>
>>>> Is there a solution to this?
>>>
>>> Can you set LogLevel debug in /etc/httpd/conf/httpd.conf, restart Apache and try the join again?
>>>
>>> This should give more feedback why mod_auth_kerb/kerberos is rejecting the credentials.
>>>
>>> rob
>>>
>>>>
>>>>
>>>> regards
>>>> ________________________________________
>>>> From: [email protected] [[email protected]] on behalf of Steven Jones [[email protected]]
>>>> Sent: Tuesday, 24 May 2011 4:24 p.m.
>>>> To: Rob Crittenden
>>>> Cc: [email protected]
>>>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
>>>>
>>>> I must be going blind in my old age..... anyway here they are.
>>>>
>>>> regards
>>>> ________________________________________
>>>> From: [email protected] [[email protected]] on behalf of Steven Jones [[email protected]]
>>>> Sent: Tuesday, 24 May 2011 2:58 p.m.
>>>> To: Rob Crittenden
>>>> Cc: [email protected]
>>>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1
>>>>
>>>> Hi,
>>>>
>>>> 1) Screen data of the install from using the -d option. (attach d.out)
>>>>
>>>> 2) ipa-install log
>>>>
>>>> 3) there are no httpd logs in /var/log/httpd/, it is an empty directory.
>>>>
>>>> 4) "Did you also run kinit before manually running ipa-join in your testing?" Yes....
>>>>
>>>> 5) For DNS I added
>>>>
>>>> allow-query { any; };
>>>>
>>>> into /etc/named.conf; clients were then not denied DNS.
>>>>
>>>> regards
>>>>
>>>>
>>>>
>>>> ________________________________________
>>>> From: Rob Crittenden [[email protected]]
>>>> Sent: Tuesday, 24 May 2011 2:24 p.m.
>>>> To: Steven Jones
>>>> Cc: [email protected]
>>>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1
>>>>
>>>> Steven Jones wrote:
>>>>> ran the ipa-join manually and krb5.conf was not configured, scp'd that over from the ipa-server and re-ran ipa-join, still getting the same 401 failure...
>>>>
>>>> This is a different mismatch than you were seeing with 5.6 (and a completely different error message).
>>>>
>>>> A few things to note:
>>>>
>>>> - In general, when you reference any IPA server you should always use the fully-qualified name. The SSL error you had was because the name did not match the certificate.
>>>> - The 3xx/4xx error responses seen from ipa-join are HTTP error codes so you can always check the Apache error/access logs for diagnostic information.
>>>> - The integrated DNS stores information in LDAP, not flat files, so having no data in /var/named is not surprising.
>>>>
>>>> ipa-join needs authentication in the form of a TGT or a one-time password. It definitely did one in the log you provided and you still got a 401, which is strange. Did you also run kinit before manually running ipa-join in your testing?
>>>>
>>>> Running ipa-join or ipa-client-install with the -d option will provide a lot more debugging information.
>>>>
>>>> I think the first place to check is the Apache error log to see why the join call failed.
>>>>
>>>> rob
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> [email protected]
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>
>
[Attachment: curl.out]
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
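Steven's question at the top of this message (where does the 401 or 500 "appear"?) and Rob's expected outcome for the curl test (a 500, not a 401) are both answered by the response status lines in the `curl -kv` transcript: curl prints request headers prefixed with `> ` and response headers prefixed with `< `. The script below is an added example, not code from this thread or from the FreeIPA project. It reads a saved transcript (such as the curl.out attachment) from stdin, lists every HTTP status the server returned, checks whether the server offered `WWW-Authenticate: Negotiate` and whether the client ever answered with an `Authorization: Negotiate` token, and prints a one-line reading of the result. The transcript embedded in it is constructed for illustration, the Negotiate token is a placeholder, and the hints in each diagnosis line point only at the files and commands Rob already named in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): read a saved
# `curl -kv --negotiate` transcript and report how the Negotiate exchange ended.
# In curl's verbose output, "> " lines are request headers the client sent and
# "< " lines are response headers from the server; "*" lines are informational.

# Constructed sample transcript: a 401 challenge, then a retry carrying a
# (placeholder) Negotiate token that reaches the server and gets a 500.
SAMPLE_CURL_OUT='* About to connect() to ipa.example.com port 443 (#0)
> GET /ipa/xml HTTP/1.1
> Host: ipa.example.com
> Accept: */*
>
< HTTP/1.1 401 Authorization Required
< WWW-Authenticate: Negotiate
< Content-Type: text/html; charset=iso-8859-1
<
* Issue another request to this URL: https://ipa.example.com/ipa/xml
> GET /ipa/xml HTTP/1.1
> Authorization: Negotiate PLACEHOLDER_BASE64_TOKEN
> Host: ipa.example.com
> Accept: */*
>
< HTTP/1.1 500 Internal Server Error
< Content-Type: text/html; charset=iso-8859-1
<
* Closing connection #0'

# Print every HTTP status code in the transcript (stdin), one per line, in order.
status_codes() {
    sed -n 's/^< HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*$/\1/p'
}

# Print only the status of the final response, the one the user actually saw.
final_status() {
    status_codes | tail -n 1
}

# Succeed if the server challenged with WWW-Authenticate: Negotiate.
server_offered_negotiate() {
    grep -qi '^< WWW-Authenticate: Negotiate'
}

# Succeed if the client answered a challenge with a Negotiate token.
client_sent_negotiate() {
    grep -q '^> Authorization: Negotiate'
}

# One-line reading of a transcript on stdin. A 401 means mod_auth_kerb rejected
# (or never received) a ticket; a 500 means the request got past authentication
# and failed later inside the IPA server, which is the outcome the thread
# expects for a bare request to /ipa/xml.
diagnose() {
    transcript=$(cat)
    last=$(printf '%s\n' "$transcript" | final_status)
    if printf '%s\n' "$transcript" | client_sent_negotiate; then sent=yes; else sent=no; fi
    if printf '%s\n' "$transcript" | server_offered_negotiate; then offered=yes; else offered=no; fi
    case "$last:$sent:$offered" in
        401:no:yes) echo "401, Negotiate offered but never sent: client has no usable ticket (check klist -f and KRB5_CONFIG)" ;;
        401:no:no)  echo "401 without a Negotiate challenge: server did not offer Kerberos on this URL (check the mod_auth_kerb configuration)" ;;
        401:yes:*)  echo "401 after a Negotiate token was sent: server rejected the ticket (check Apache error log and /var/log/krb5kdc.log)" ;;
        500:*)      echo "500: authentication succeeded, failure is inside the IPA server (check Apache error log)" ;;
        *)          echo "unexpected status '$last' (negotiate sent: $sent, offered: $offered)" ;;
    esac
}

# Stand-alone run on the constructed sample; on a real capture use: diagnose < curl.out
printf '%s\n' "$SAMPLE_CURL_OUT" | diagnose
```

Only the `< HTTP/...` lines carry the status, so a transcript that never shows `> Authorization: Negotiate` after the 401 challenge is the "giving up" Rob describes: the client was challenged but had no ticket to present, which points at `klist -f` and `KRB5_CONFIG` rather than at the server.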
