Nathan Lager wrote:



On 09/20/2012 11:43 AM, Rob Crittenden wrote:
Lager, Nathan T. wrote:

----- Original Message -----
From: "Rob Crittenden" <rcrit...@redhat.com>
To: "Nathan Lager" <lag...@lafayette.edu>
Cc: freeipa-users@redhat.com
Sent: Wednesday, September 19, 2012 4:35:30 PM
Subject: Re: [Freeipa-users] sudden ipa errors.

Nathan Lager wrote:

On 09/19/2012 03:47 PM, Rob Crittenden wrote:
Dmitri Pal wrote:

Rob, keytab and kerberos part seems to be fine, ldap
works too. Can it be one of the certs? May be some cert
expired?

No, the error is coming from GSSAPI, it is unfortunately
completely useless. I think we've pretty well narrowed down
the problem to httpd/mod_auth_kerb but I don't know yet if
this is a configuration issue or a bug.

Nathan, can you show me your /etc/httpd/conf.d/ipa.conf?

Sure, as far as I know it's completely stock, aside from the
krb password auth change.

Yup, configuration looks fine.

Ok, let's eliminate the ipa tool as the problem and try curl:

Create a file test.json with these contents:

{"method":"batch","params":[[
{"method":"user_show","params":[["admin"],{"all":false}]}
],{}],"id":1}

then run this:

curl -H "Content-Type:application/json" -H "Accept:application/json" \
    -H "Accept-Language:en" -H "Referer: https://caroline0.lafayette.edu/ipa/xml" \
    --negotiate -u : --cacert /etc/ipa/ca.crt -d @test.json -X POST \
    https://caroline0.lafayette.edu/ipa/json

Seems to be running into the same trouble.

[lagern@caroline0 PROD ~]$ curl -H "Content-Type:application/json" \
    -H "Accept:application/json" -H "Accept-Language:en" \
    -H "Referer: https://caroline0.lafayette.edu/ipa/xml" --negotiate -u : \
    --cacert /etc/ipa/ca.crt -d @test.json -X POST \
    https://caroline0.lafayette.edu/ipa/json
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
misconfiguration and was unable to complete your request.</p>
<p>Please contact the server administrator, root@localhost and
inform them of the time the error occurred, and anything you
might have done that may have caused the error.</p>
<p>More information about this error may be available in the server error
log.</p>
<hr>
<address>Apache/2.2.15 (Red Hat) Server at
caroline0.lafayette.edu Port 443</address>
</body></html>

Ok, need to gather some more info:

# kvno HTTP/caroline0.lafayette.edu
# klist -kt /etc/httpd/conf/ipa.keytab

[root@caroline0 PROD ~]# kvno HTTP/caroline0.lafayette.edu
HTTP/caroline0.lafayette....@systems.lafayette.edu: kvno = 3
[root@caroline0 PROD ~]# klist -kt /etc/httpd/conf/ipa.keytab
Keytab name: WRFILE:/etc/httpd/conf/ipa.keytab
KVNO Timestamp         Principal
---- -----------------
--------------------------------------------------------
    2 02/03/12 16:31:27 HTTP/caroline0.lafayette....@systems.lafayette.edu
    2 02/03/12 16:31:27 HTTP/caroline0.lafayette....@systems.lafayette.edu
    2 02/03/12 16:31:28 HTTP/caroline0.lafayette....@systems.lafayette.edu
    2 02/03/12 16:31:28 HTTP/caroline0.lafayette....@systems.lafayette.edu
    2 02/03/12 16:31:28 HTTP/caroline0.lafayette....@systems.lafayette.edu
    2 02/03/12 16:31:28 HTTP/caroline0.lafayette....@systems.lafayette.edu
    3 09/19/12 15:33:53 HTTP/caroline0.lafayette....@systems.lafayette.edu
    3 09/19/12 15:33:53 HTTP/caroline0.lafayette....@systems.lafayette.edu
    3 09/19/12 15:33:53 HTTP/caroline0.lafayette....@systems.lafayette.edu
    3 09/19/12 15:33:53 HTTP/caroline0.lafayette....@systems.lafayette.edu


It may be nothing, but I wonder why kvno 2 has 6 keys and 3 has only 4. Did you change the available encryption types?

Can you re-run the klist command with -e as well? klist -ekt ...

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
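Added example, not from this thread or the FreeIPA project: a small Python check that parses the output of `klist -ekt` and `kvno` and reports the two things worth looking for in the listing above, namely the KDC's current kvno being absent from the service keytab, or the current kvno carrying fewer encryption types than the previous one (the 6-versus-4 difference Rob asks about). The sample output is constructed for the example with a placeholder principal HTTP/ipa.example.test@EXAMPLE.TEST rather than the list member's real host; the enctype names in it are assumed, as is the assumption that the keytab lists one line per key with the enctype in parentheses, which is what `klist -e` prints.

```python
import re
from collections import defaultdict

# Constructed sample of `klist -ekt /etc/httpd/conf/ipa.keytab` output
# (placeholder principal and realm; the enctype set is assumed).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/httpd/conf/ipa.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 02/03/12 16:31:27 HTTP/ipa.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   2 02/03/12 16:31:27 HTTP/ipa.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
   2 02/03/12 16:31:28 HTTP/ipa.example.test@EXAMPLE.TEST (des3-cbc-sha1)
   2 02/03/12 16:31:28 HTTP/ipa.example.test@EXAMPLE.TEST (arcfour-hmac)
   2 02/03/12 16:31:28 HTTP/ipa.example.test@EXAMPLE.TEST (des-hmac-sha1)
   2 02/03/12 16:31:28 HTTP/ipa.example.test@EXAMPLE.TEST (des-cbc-md5)
   3 09/19/12 15:33:53 HTTP/ipa.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   3 09/19/12 15:33:53 HTTP/ipa.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
   3 09/19/12 15:33:53 HTTP/ipa.example.test@EXAMPLE.TEST (des3-cbc-sha1)
   3 09/19/12 15:33:53 HTTP/ipa.example.test@EXAMPLE.TEST (arcfour-hmac)
"""

# Constructed sample of `kvno HTTP/ipa.example.test` output: the KDC's current
# key version for the service principal.
SAMPLE_KVNO = "HTTP/ipa.example.test@EXAMPLE.TEST: kvno = 3\n"

# One keytab entry: kvno, date, time, principal, "(enctype)".
KEY_LINE_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((.+)\)\s*$")
# One kvno line: "principal: kvno = N".
KVNO_RE = re.compile(r"^(\S+): kvno = (\d+)\s*$", re.M)


def parse_klist(text):
    """Return {principal: {kvno: set(enctypes)}} from `klist -ekt` output.

    Header, separator and 'Keytab name:' lines do not match the key regex
    and are skipped.
    """
    keys = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = KEY_LINE_RE.match(line)
        if m:
            kvno, principal, enctype = int(m.group(1)), m.group(2), m.group(3)
            keys[principal][kvno].add(enctype)
    return keys


def parse_kvno(text):
    """Return {principal: kvno} from `kvno` output."""
    return {p: int(v) for p, v in KVNO_RE.findall(text)}


def check_keytab(klist_text, kvno_text):
    """Compare the KDC's kvno against the keytab; return a list of findings.

    An empty list means the keytab has the current kvno and did not lose
    any enctype relative to the previous key version.
    """
    findings = []
    keytab = parse_klist(klist_text)
    for principal, current in parse_kvno(kvno_text).items():
        versions = keytab.get(principal)
        if not versions:
            findings.append(f"{principal}: not present in keytab at all")
            continue
        if current not in versions:
            findings.append(
                f"{principal}: KDC kvno {current} missing from keytab "
                f"(keytab has {sorted(versions)})"
            )
            continue
        older = [v for v in versions if v < current]
        if older:
            prev = max(older)
            lost = versions[prev] - versions[current]
            if lost:
                findings.append(
                    f"{principal}: kvno {current} has {len(versions[current])} "
                    f"enctypes, kvno {prev} had {len(versions[prev])}; "
                    f"dropped: {sorted(lost)}"
                )
    return findings


if __name__ == "__main__":
    for finding in check_keytab(SAMPLE_KLIST, SAMPLE_KVNO) or ["keytab looks consistent"]:
        print(finding)
```

In practice the two inputs would come from running `klist -ekt` on the keytab and `kvno` for the service principal on the same host; a dropped enctype is only a problem if the KDC or a client actually selects it, but a kvno missing from the keytab explains a GSSAPI failure outright.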
