Well, after all of this, RedHat support just resolved my issue! 

It came down the the domain_realm definitions in /etc/krb5.conf. 

They had me change: 

[domain_realm]
 .systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
 systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU

To:
[domain_realm]
 .systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
 systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
 .lafayette.edu = SYSTEMS.LAFAYETTE.EDU
 lafayette.edu = SYSTEMS.LAFAYETTE.EDU

After doing so, i restarted IPA, and my commands are working properly now! 

Now, to get my replica back in order...


----- Original Message -----
> From: "Nathan Lager" <lag...@lafayette.edu>
> To: "Rob Crittenden" <rcrit...@redhat.com>
> Cc: freeipa-users@redhat.com
> Sent: Thursday, September 20, 2012 2:46:20 PM
> Subject: Re: [Freeipa-users] sudden ipa errors.
> On 09/20/2012 02:28 PM, Rob Crittenden wrote:
> > Nathan Lager wrote:
> >>
> >>
> >> On 09/20/2012 11:43 AM, Rob Crittenden wrote:
> >>> Lager, Nathan T. wrote:
> >>>>
> >>>> ----- Original Message -----
> >>>>> From: "Rob Crittenden" <rcrit...@redhat.com> To: "Nathan
> >>>>> Lager" <lag...@lafayette.edu> Cc: freeipa-users@redhat.com
> >>>>> Sent: Wednesday, September 19, 2012 4:35:30 PM Subject:
> >>>>> Re: [Freeipa-users] sudden ipa errors. Nathan Lager wrote:
> >>>>>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> On 09/19/2012 03:47 PM, Rob Crittenden wrote:
> >>>>>>> Dmitri Pal wrote:
> >>>>>>>>
> >>>>>>>> Rob, keytab and kerberos part seems to be fine, ldap
> >>>>>>>> works too. Can it be one of the certs? May be some
> >>>>>>>> cert expired?
> >>>>>>>
> >>>>>>> No, the error is coming from GSSAPI, it is
> >>>>>>> unfortunately completely useless. I think we've pretty
> >>>>>>> well narrowed down the problem to httpd/mod_auth_kerb
> >>>>>>> but I don't know yet if this is a configuration issue
> >>>>>>> or a bug.
> >>>>>>>
> >>>>>>> Nathan, can you show me your
> >>>>>>> /etc/httpd/conf.d/ipa.conf?
> >>>>>> Sure, as far as I know its completely stock, aside from
> >>>>>> the krb password auth change.
> >>>>>
> >>>>> Yup, configuration looks fine.
> >>>>>
> >>>>> Ok, let's eliminate the ipa tool as the problem and try
> >>>>> curl:
> >>>>>
> >>>>> Create a file test.json with these contents:
> >>>>>
> >>>>> {"method":"batch","params":[[
> >>>>> {"method":"user_show","params":[["admin"],{"all":false}]}
> >>>>> ],{}],"id":1}
> >>>>>
> >>>>> then run this:
> >>>>>
> >>>>> curl -H "Content-Type:application/json" -H
> >>>>> "Accept:application/json" -H "Accept-Language:en" -H
> >>>>> "Referer: https://caroline0.lafayette.edu/ipa/xml";
> >>>>> --negotiate -u : --cacert /etc/ipa/ca.crt -d @test.json -X
> >>>>> POST https://caroline0.lafayette.edu/ipa/json
> >>>>>
> >>>> Seems to be running into the same trouble.
> >>>>
> >>>> [lagern@caroline0 PROD ~]$ curl -H
> >>>> "Content-Type:application/json" -H "Accept:application/json"
> >>>> -H "Accept-Language:en" -H "Referer:
> >>>> https://caroline0.lafayette.edu/ipa/xml"; --negotiate -u :
> >>>> --cacert /etc/ipa/ca.crt -d @test.json -X POST
> >>>> https://caroline0.lafayette.edu/ipa/json <!DOCTYPE HTML
> >>>> PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>500
> >>>> Internal Server Error</title> </head><body> <h1>Internal
> >>>> Server Error</h1> <p>The server encountered an internal error
> >>>> or misconfiguration and was unable to complete your
> >>>> request.</p> <p>Please contact the server administrator,
> >>>> root@localhost and inform them of the time the error
> >>>> occurred, and anything you might have done that may have
> >>>> caused the error.</p> <p>More information about this error
> >>>> may be available in the server error log.</p> <hr>
> >>>> <address>Apache/2.2.15 (Red Hat) Server at
> >>>> caroline0.lafayette.edu Port 443</address> </body></html>
> >>>
> >>> Ok, need to gather some more info:
> >>>
> >>> # kvno HTTP/caroline0.lafayette.edu # klist -kt
> >>> /etc/httpd/conf/ipa.keytab
> >>>
> >> [root@caroline0 PROD ~]# kvno HTTP/caroline0.lafayette.edu
> >> HTTP/caroline0.lafayette....@systems.lafayette.edu: kvno = 3
> >> [root@caroline0 PROD ~]# klist -kt /etc/httpd/conf/ipa.keytab
> >> Keytab name: WRFILE:/etc/httpd/conf/ipa.keytab KVNO Timestamp
> >> Principal ---- -----------------
> >> -------------------------------------------------------- 2
> >> 02/03/12 16:31:27
> >> HTTP/caroline0.lafayette....@systems.lafayette.edu 2 02/03/12
> >> 16:31:27 HTTP/caroline0.lafayette....@systems.lafayette.edu 2
> >> 02/03/12 16:31:28
> >> HTTP/caroline0.lafayette....@systems.lafayette.edu 2 02/03/12
> >> 16:31:28 HTTP/caroline0.lafayette....@systems.lafayette.edu 2
> >> 02/03/12 16:31:28
> >> HTTP/caroline0.lafayette....@systems.lafayette.edu 2 02/03/12
> >> 16:31:28 HTTP/caroline0.lafayette....@systems.lafayette.edu 3
> >> 09/19/12 15:33:53
> >> HTTP/caroline0.lafayette....@systems.lafayette.edu 3 09/19/12
> >> 15:33:53 HTTP/caroline0.lafayette....@systems.lafayette.edu 3
> >> 09/19/12 15:33:53
> >> HTTP/caroline0.lafayette....@systems.lafayette.edu 3 09/19/12
> >> 15:33:53 HTTP/caroline0.lafayette....@systems.lafayette.edu
> >>
> >
> > It may be nothing, but I wonder why kvno 2 has 6 keys and 3 has
> > only 4. Did you change the available encryption types?
> >
> I have not changed them, not intentionally anyway. Could it be that
> an update did so? I installed Ipa round rhel 6.1 or so, and have been
> updating it via yum periodically.
> 
> > Can you re-run the klist command with -e as well? klist -ekt ...
> >
> [root@caroline0 PROD ~]# klist -kte /etc/httpd/conf/ipa.keytab
> Keytab name: WRFILE:/etc/httpd/conf/ipa.keytab
> KVNO Timestamp Principal
> ---- -----------------
> --------------------------------------------------------
> 2 02/03/12 16:31:27
> HTTP/caroline0.lafayette....@systems.lafayette.edu
> (aes256-cts-hmac-sha1-96)
> 2 02/03/12 16:31:27
> HTTP/caroline0.lafayette....@systems.lafayette.edu
> (aes128-cts-hmac-sha1-96)
> 2 02/03/12 16:31:28
> HTTP/caroline0.lafayette....@systems.lafayette.edu (des3-cbc-sha1)
> 2 02/03/12 16:31:28
> HTTP/caroline0.lafayette....@systems.lafayette.edu (arcfour-hmac)
> 2 02/03/12 16:31:28
> HTTP/caroline0.lafayette....@systems.lafayette.edu (des-hmac-sha1)
> 2 02/03/12 16:31:28
> HTTP/caroline0.lafayette....@systems.lafayette.edu (des-cbc-md5)
> 3 09/19/12 15:33:53
> HTTP/caroline0.lafayette....@systems.lafayette.edu
> (aes256-cts-hmac-sha1-96)
> 3 09/19/12 15:33:53
> HTTP/caroline0.lafayette....@systems.lafayette.edu
> (aes128-cts-hmac-sha1-96)
> 3 09/19/12 15:33:53
> HTTP/caroline0.lafayette....@systems.lafayette.edu (des3-cbc-sha1)
> 3 09/19/12 15:33:53
> HTTP/caroline0.lafayette....@systems.lafayette.edu (arcfour-hmac)
> 
> 
> > rob
> >
> 
> --
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Nathan Lager, RHCSA, RHCE (#110-011-426)
> System Administrator
> 11 Pardee Hall
> Lafayette College, Easton, PA 18042
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to