On 09/19/2012 10:37 AM, Rob Crittenden wrote:
> Lager, Nathan T. wrote:
>> 
>> ----- Original Message -----
>>> From: "Rob Crittenden" <rcrit...@redhat.com>
>>> To: "Nathan Lager" <lag...@lafayette.edu>
>>> Cc: freeipa-users@redhat.com
>>> Sent: Tuesday, September 18, 2012 5:17:00 PM
>>> Subject: Re: [Freeipa-users] sudden ipa errors.
>>> 
>>> Ok, what are the permissions on the keytab, 
>>> /etc/httpd/conf/ipa.keytab? They should be apache:apache mode
>>> 0600.
>> 
>> [lagern@caroline0 PROD ~]$ ls -lZ /etc/httpd/conf/ipa.keytab
>> -rw-------. apache apache unconfined_u:object_r:httpd_config_t:s0 /etc/httpd/conf/ipa.keytab
>> 
>>> 
>>> Are you in SELinux enforcing mode? Can you try in permissive to
>>> see if that works?
>> I was enforcing at the start of all of this, but I've since
>> switched to permissive for troubleshooting.  It hasn't made a
>> difference.
> 
> Are you getting an HTTP service principal in the client?
> 
> $ kdestroy
> $ kinit admin
> $ ipa user-show admin <fail>
> $ klist -fea
> 
> Let's try to skip s4u2proxy. Does this work:
> 
> $ ipa --delegate user-show admin
> 
> Unfortunately the major and minor error codes are as generic as can
> be so they aren't any help at all.
> 
> rob

Here's the output. The --delegate still failed.

[root@caroline0 PROD ~]# klist -fea
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: lag...@systems.lafayette.edu

Valid starting     Expires            Service principal
09/19/12 11:23:03  09/20/12 11:22:52  krbtgt/systems.lafayette....@systems.lafayette.edu
        Flags: FIA, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
        Addresses: (none)
09/19/12 11:23:11  09/20/12 11:22:52  HTTP/caroline0.lafayette....@systems.lafayette.edu
        Flags: FAT, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
        Addresses: (none)
[root@caroline0 PROD ~]# ipa --delegate user-show admin
ipa: ERROR: cannot connect to u'http://caroline0.lafayette.edu/ipa/xml': Internal Server Error
[root@caroline0 PROD ~]#




-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE (#110-011-426)
System Administrator
11 Pardee Hall
Lafayette College, Easton, PA 18042
