Nathan Lager wrote:

On 09/19/2012 10:37 AM, Rob Crittenden wrote:
Lager, Nathan T. wrote:

----- Original Message -----
From: "Rob Crittenden" <rcrit...@redhat.com>
To: "Nathan Lager" <lag...@lafayette.edu>
Cc: freeipa-users@redhat.com
Sent: Tuesday, September 18, 2012 5:17:00 PM
Subject: Re: [Freeipa-users] sudden ipa errors.

Ok, what are the permissions on the keytab,
/etc/httpd/conf/ipa.keytab? They should be apache:apache mode
0600.

[lagern@caroline0 PROD ~]$ ls -lZ /etc/httpd/conf/ipa.keytab
-rw-------. apache apache
unconfined_u:object_r:httpd_config_t:s0
/etc/httpd/conf/ipa.keytab


Are you in SELinux enforcing mode? Can you try in permissive to
see if that works?

I was enforcing at the start of all of this, but I've since
switched to permissive for troubleshooting. It hasn't made a
difference.

Are you getting an HTTP service principal in the client?

$ kdestroy
$ kinit admin
$ ipa user-show admin
<fail>
$ klist -fea

Lets try to skip s4u2proxy. Does this work:

$ ipa --delegate user-show admin

Unfortunately the major and minor error codes are as generic as can
be so they aren't any help at all.

rob

Here's the output. The --delegate still failed.

[root@caroline0 PROD ~]# klist -fea
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: lag...@systems.lafayette.edu

Valid starting     Expires            Service principal
09/19/12 11:23:03  09/20/12 11:22:52  krbtgt/systems.lafayette....@systems.lafayette.edu
        Flags: FIA, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
        Addresses: (none)
09/19/12 11:23:11  09/20/12 11:22:52  HTTP/caroline0.lafayette....@systems.lafayette.edu
        Flags: FAT, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
        Addresses: (none)
[root@caroline0 PROD ~]# ipa --delegate user-show admin
ipa: ERROR: cannot connect to u'http://caroline0.lafayette.edu/ipa/xml': Internal Server Error
[root@caroline0 PROD ~]#

Is it the same major/minor error in gss_acquire_cred()?

Does GSSAPI over LDAP work?

$ ldapsearch -Y GSSAPI -h ipa.example.com -b cn=users,cn=accounts,dc=example,dc=com admin

rob
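The two checks Rob asks for above (keytab ownership and mode, and whether the client actually holds an HTTP/ service ticket) can be scripted so they are repeatable across hosts. The script below is an added example written for this thread; it is not part of the FreeIPA project or of anyone's post here. It assumes GNU `stat` (for `-c`) and embeds a constructed `klist -fea` excerpt, modelled on the one quoted above, as sample input. The keytab path, owner, group and mode are the values Rob states; the function names are mine.

```sh
#!/bin/sh
# check_keytab_perms PATH OWNER GROUP MODE
# Exit 0 when the keytab exists and has exactly the expected owner, group and
# octal mode; print what was found and exit 1 otherwise. Uses GNU stat -c.
check_keytab_perms() {
    path=$1; owner=$2; group=$3; mode=$4
    if [ ! -f "$path" ]; then
        echo "missing: $path"
        return 1
    fi
    actual=$(stat -c '%U:%G:%a' "$path") || return 1
    if [ "$actual" != "$owner:$group:$mode" ]; then
        echo "bad perms on $path: $actual (want $owner:$group:$mode)"
        return 1
    fi
    return 0
}

# http_ticket_flags < KLIST_OUTPUT
# Read 'klist -fea' output on stdin, find the first HTTP/ service ticket and
# print its Flags field (e.g. FAT). Exit 1 if no HTTP/ ticket is listed, which
# is the situation Rob is probing for with "Are you getting an HTTP service
# principal in the client?".
http_ticket_flags() {
    awk '
        /HTTP\//            { found = 1; next }
        found && /Flags:/   { sub(/.*Flags: */, ""); sub(/,.*/, ""); print; ok = 1; exit }
        END                 { exit ok ? 0 : 1 }
    '
}

# Constructed sample in the layout klist -fea prints (dates and principal on one
# line); hostnames are placeholders, not a real realm.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user@EXAMPLE.TEST

Valid starting     Expires            Service principal
09/19/12 11:23:03  09/20/12 11:22:52  krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
        Flags: FIA, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
        Addresses: (none)
09/19/12 11:23:11  09/20/12 11:22:52  HTTP/ipa.example.test@EXAMPLE.TEST
        Flags: FAT, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
        Addresses: (none)'

# Stand-alone run: audit the server keytab the thread discusses, then show the
# flags on the sample HTTP/ ticket.
if [ "${0##*/}" != "sh" ] && [ -z "${KEYTAB_CHECK_LIB:-}" ]; then
    check_keytab_perms /etc/httpd/conf/ipa.keytab apache apache 600 \
        && echo "keytab permissions OK"
    printf '%s\n' "$SAMPLE_KLIST" | http_ticket_flags \
        || echo "no HTTP/ service ticket in cache"
fi
```

On a real host, replace the sample with `klist -fea | http_ticket_flags`; an empty result means the client never obtained the HTTP/ ticket at all, which points at the KDC or the service principal rather than at the keytab on the web server.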


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
