On 09/20/2012 11:43 AM, Rob Crittenden wrote:
> Lager, Nathan T. wrote:
>>
>> ----- Original Message -----
>>> From: "Rob Crittenden" <rcrit...@redhat.com>
>>> To: "Nathan Lager" <lag...@lafayette.edu>
>>> Cc: freeipa-users@redhat.com
>>> Sent: Wednesday, September 19, 2012 4:35:30 PM
>>> Subject: Re: [Freeipa-users] sudden ipa errors.
>>>
>>> Nathan Lager wrote:
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>>
>>>> On 09/19/2012 03:47 PM, Rob Crittenden wrote:
>>>>> Dmitri Pal wrote:
>>>>>>
>>>>>> Rob, keytab and kerberos part seems to be fine, ldap
>>>>>> works too. Can it be one of the certs? Maybe some cert
>>>>>> expired?
>>>>>
>>>>> No, the error is coming from GSSAPI, it is unfortunately
>>>>> completely useless. I think we've pretty well narrowed down
>>>>> the problem to httpd/mod_auth_kerb but I don't know yet if
>>>>> this is a configuration issue or a bug.
>>>>>
>>>>> Nathan, can you show me your /etc/httpd/conf.d/ipa.conf?
>>>> Sure, as far as I know it's completely stock, aside from the
>>>> krb password auth change.
>>>
>>> Yup, configuration looks fine.
>>>
>>> Ok, let's eliminate the ipa tool as the problem and try curl:
>>>
>>> Create a file test.json with these contents:
>>>
>>> {"method":"batch","params":[[
>>> {"method":"user_show","params":[["admin"],{"all":false}]}
>>> ],{}],"id":1}
>>>
>>> then run this:
>>>
>>> curl -H "Content-Type:application/json" -H
>>> "Accept:application/json" -H "Accept-Language:en" -H "Referer:
>>> https://caroline0.lafayette.edu/ipa/xml" --negotiate -u :
>>> --cacert /etc/ipa/ca.crt -d @test.json -X POST
>>> https://caroline0.lafayette.edu/ipa/json
>>>
>> Seems to be running into the same trouble.
>>
>> [lagern@caroline0 PROD ~]$ curl -H
>> "Content-Type:application/json" -H "Accept:application/json" -H
>> "Accept-Language:en" -H "Referer:
>> https://caroline0.lafayette.edu/ipa/xml" --negotiate -u :
>> --cacert /etc/ipa/ca.crt -d @test.json -X POST
>> https://caroline0.lafayette.edu/ipa/json
>> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
>> <html><head>
>> <title>500 Internal Server Error</title>
>> </head><body>
>> <h1>Internal Server Error</h1>
>> <p>The server encountered an internal error or
>> misconfiguration and was unable to complete your request.</p>
>> <p>Please contact the server administrator, root@localhost and
>> inform them of the time the error occurred, and anything you
>> might have done that may have caused the error.</p>
>> <p>More information about this error may be available in the
>> server error log.</p>
>> <hr>
>> <address>Apache/2.2.15 (Red Hat) Server at
>> caroline0.lafayette.edu Port 443</address>
>> </body></html>
>
> Ok, need to gather some more info:
>
> # kvno HTTP/caroline0.lafayette.edu
> # klist -kt /etc/httpd/conf/ipa.keytab
>

[root@caroline0 PROD ~]# kvno HTTP/caroline0.lafayette.edu
HTTP/caroline0.lafayette....@systems.lafayette.edu: kvno = 3
[root@caroline0 PROD ~]# klist -kt /etc/httpd/conf/ipa.keytab
Keytab name: WRFILE:/etc/httpd/conf/ipa.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 02/03/12 16:31:27 HTTP/caroline0.lafayette....@systems.lafayette.edu
   2 02/03/12 16:31:27 HTTP/caroline0.lafayette....@systems.lafayette.edu
   2 02/03/12 16:31:28 HTTP/caroline0.lafayette....@systems.lafayette.edu
   2 02/03/12 16:31:28 HTTP/caroline0.lafayette....@systems.lafayette.edu
   2 02/03/12 16:31:28 HTTP/caroline0.lafayette....@systems.lafayette.edu
   2 02/03/12 16:31:28 HTTP/caroline0.lafayette....@systems.lafayette.edu
   3 09/19/12 15:33:53 HTTP/caroline0.lafayette....@systems.lafayette.edu
   3 09/19/12 15:33:53 HTTP/caroline0.lafayette....@systems.lafayette.edu
   3 09/19/12 15:33:53 HTTP/caroline0.lafayette....@systems.lafayette.edu
   3 09/19/12 15:33:53 HTTP/caroline0.lafayette....@systems.lafayette.edu

> rob

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE (#110-011-426)
System Administrator
11 Pardee Hall
Lafayette College, Easton, PA 18042

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users