On 09/21/2012 11:07 AM, Nathan Lager wrote:
> 
> 
> On 09/21/2012 10:18 AM, Rob Crittenden wrote:
>> Lager, Nathan T. wrote:
>>> Well, after all of this, RedHat support just resolved my
>>> issue!
>>> 
>>> It came down to the domain_realm definitions in
>>> /etc/krb5.conf.
>>> 
>>> They had me change:
>>> 
>>> [domain_realm]
>>>   .systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
>>>   systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
>>> 
>>> To:
>>> 
>>> [domain_realm]
>>>   .systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
>>>   systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
>>>   .lafayette.edu = SYSTEMS.LAFAYETTE.EDU
>>>   lafayette.edu = SYSTEMS.LAFAYETTE.EDU
>>> 
>>> After doing so, I restarted IPA, and my commands are working
>>> properly now!
>>> 
>>> Now, to get my replica back in order...
> 
>> Wow. OK, I'm glad it's working. Do we have any idea how this file
>>  changed? Is it wrong on all your clients or only on this one 
>> master?
> 
> It appears wrong on my replica as well, caroline1.  There are no 
> clients currently, other than RHEV.
> 
> I only have one lingering issue, aside from my replica being
> broken.
> 
> I still can't reset admin's password. It gives me the same error it
> was before.
> 
> [root@caroline0 PROD ~]# kinit admin
> Password for ad...@systems.lafayette.edu: 
> Password expired.  You must change it now.
> Enter new password: 
> Enter it again: 
> kinit: Password has expired while getting initial credentials
> 
> 
Fixed this, on a hunch.  When the password expired, the pwpolicy was
set to 90 days. RedHat Support had me change it to 9999 days to
effectively disable it so others wouldn't expire (because no one could
change passwords).

I had a hunch that because the policy was now set greater than the
time it's been since admin last changed his password, IPA was
getting confused when I attempted to change the expired pass.  So I
set it back to 90.  It let me change the expired password.

That might be worthy of a bug report.


> 
> 
>> rob
> 
>>> 
>>> 
>>> ----- Original Message -----
>>>> From: "Nathan Lager" <lag...@lafayette.edu>
>>>> To: "Rob Crittenden" <rcrit...@redhat.com>
>>>> Cc: freeipa-users@redhat.com
>>>> Sent: Thursday, September 20, 2012 2:46:20 PM
>>>> Subject: Re: [Freeipa-users] sudden ipa errors.
>>>> 
>>>> On 09/20/2012 02:28 PM, Rob Crittenden wrote:
>>>>> Nathan Lager wrote:
>>>>>> 
>>>>>> 
>>>>>> On 09/20/2012 11:43 AM, Rob Crittenden wrote:
>>>>>>> Lager, Nathan T. wrote:
>>>>>>>> 
>>>>>>>> ----- Original Message -----
>>>>>>>>> From: "Rob Crittenden" <rcrit...@redhat.com>
>>>>>>>>> To: "Nathan Lager" <lag...@lafayette.edu>
>>>>>>>>> Cc: freeipa-users@redhat.com
>>>>>>>>> Sent: Wednesday, September 19, 2012 4:35:30 PM
>>>>>>>>> Subject: Re: [Freeipa-users] sudden ipa errors.
>>>>>>>>> 
>>>>>>>>> Nathan Lager wrote:
>>>>>>>>>> On 09/19/2012 03:47 PM, Rob Crittenden wrote:
>>>>>>>>>>> Dmitri Pal wrote:
>>>>>>>>>>>> 
>>>>>>>>>>>> Rob, keytab and kerberos part seems to be
>>>>>>>>>>>> fine, ldap works too. Can it be one of the
>>>>>>>>>>>> certs? May be some cert expired?
>>>>>>>>>>> 
>>>>>>>>>>> No, the error is coming from GSSAPI, it is 
>>>>>>>>>>> unfortunately completely useless. I think
>>>>>>>>>>> we've pretty well narrowed down the problem to 
>>>>>>>>>>> httpd/mod_auth_kerb but I don't know yet if
>>>>>>>>>>> this is a configuration issue or a bug.
>>>>>>>>>>> 
>>>>>>>>>>> Nathan, can you show me your 
>>>>>>>>>>> /etc/httpd/conf.d/ipa.conf?
>>>>>>>>>> Sure, as far as I know it's completely stock,
>>>>>>>>>> aside from the krb password auth change.
>>>>>>>>> 
>>>>>>>>> Yup, configuration looks fine.
>>>>>>>>> 
>>>>>>>>> Ok, let's eliminate the ipa tool as the problem
>>>>>>>>> and try curl:
>>>>>>>>> 
>>>>>>>>> Create a file test.json with these contents:
>>>>>>>>> 
>>>>>>>>> {"method":"batch","params":[[
>>>>>>>>> {"method":"user_show","params":[["admin"],{"all":false}]}
>>>>>>>>> ],{}],"id":1}
>>>>>>>>> 
>>>>>>>>> then run this:
>>>>>>>>> 
>>>>>>>>> curl -H "Content-Type:application/json" -H "Accept:application/json" \
>>>>>>>>>   -H "Accept-Language:en" -H "Referer: https://caroline0.lafayette.edu/ipa/xml" \
>>>>>>>>>   --negotiate -u : --cacert /etc/ipa/ca.crt -d @test.json -X POST \
>>>>>>>>>   https://caroline0.lafayette.edu/ipa/json
>>>>>>>>> 
>>>>>>>> Seems to be running into the same trouble.
>>>>>>>> 
>>>>>>>> [lagern@caroline0 PROD ~]$ curl -H "Content-Type:application/json" \
>>>>>>>>   -H "Accept:application/json" -H "Accept-Language:en" \
>>>>>>>>   -H "Referer: https://caroline0.lafayette.edu/ipa/xml" \
>>>>>>>>   --negotiate -u : --cacert /etc/ipa/ca.crt -d @test.json -X POST \
>>>>>>>>   https://caroline0.lafayette.edu/ipa/json
>>>>>>>> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
>>>>>>>> <html><head>
>>>>>>>> <title>500 Internal Server Error</title>
>>>>>>>> </head><body>
>>>>>>>> <h1>Internal Server Error</h1>
>>>>>>>> <p>The server encountered an internal error or misconfiguration and was unable to complete your request.</p>
>>>>>>>> <p>Please contact the server administrator, root@localhost and inform them of the time the error occurred, and anything you might have done that may have caused the error.</p>
>>>>>>>> <p>More information about this error may be available in the server error log.</p>
>>>>>>>> <hr>
>>>>>>>> <address>Apache/2.2.15 (Red Hat) Server at caroline0.lafayette.edu Port 443</address>
>>>>>>>> </body></html>
>>>>>>> 
>>>>>>> Ok, need to gather some more info:
>>>>>>> 
>>>>>>> # kvno HTTP/caroline0.lafayette.edu
>>>>>>> # klist -kt /etc/httpd/conf/ipa.keytab
>>>>>>> 
>>>>>> [root@caroline0 PROD ~]# kvno HTTP/caroline0.lafayette.edu
>>>>>> HTTP/caroline0.lafayette....@systems.lafayette.edu: kvno = 3
>>>>>> [root@caroline0 PROD ~]# klist -kt /etc/httpd/conf/ipa.keytab
>>>>>> Keytab name: WRFILE:/etc/httpd/conf/ipa.keytab
>>>>>> KVNO Timestamp         Principal
>>>>>> ---- ----------------- --------------------------------------------------------
>>>>>>    2 02/03/12 16:31:27 HTTP/caroline0.lafayette....@systems.lafayette.edu
>>>>>>    2 02/03/12 16:31:27 HTTP/caroline0.lafayette....@systems.lafayette.edu
>>>>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette....@systems.lafayette.edu
>>>>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette....@systems.lafayette.edu
>>>>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette....@systems.lafayette.edu
>>>>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette....@systems.lafayette.edu
>>>>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette....@systems.lafayette.edu
>>>>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette....@systems.lafayette.edu
>>>>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette....@systems.lafayette.edu
>>>>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette....@systems.lafayette.edu
>>>>>> 
>>>>> 
>>>>> It may be nothing, but I wonder why kvno 2 has 6 keys and
>>>>> 3 has only 4. Did you change the available encryption
>>>>> types?
>>>>> 
>>>> I have not changed them, not intentionally anyway. Could it
>>>> be that an update did so? I installed IPA around RHEL 6.1 or
>>>> so, and have been updating it via yum periodically.
>>>> 
>>>>> Can you re-run the klist command with -e as well? klist
>>>>> -ekt ...
>>>>> 
>>>> [root@caroline0 PROD ~]# klist -kte /etc/httpd/conf/ipa.keytab
>>>> Keytab name: WRFILE:/etc/httpd/conf/ipa.keytab
>>>> KVNO Timestamp         Principal
>>>> ---- ----------------- --------------------------------------------------------
>>>>    2 02/03/12 16:31:27 HTTP/caroline0.lafayette....@systems.lafayette.edu (aes256-cts-hmac-sha1-96)
>>>>    2 02/03/12 16:31:27 HTTP/caroline0.lafayette....@systems.lafayette.edu (aes128-cts-hmac-sha1-96)
>>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette....@systems.lafayette.edu (des3-cbc-sha1)
>>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette....@systems.lafayette.edu (arcfour-hmac)
>>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette....@systems.lafayette.edu (des-hmac-sha1)
>>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette....@systems.lafayette.edu (des-cbc-md5)
>>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette....@systems.lafayette.edu (aes256-cts-hmac-sha1-96)
>>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette....@systems.lafayette.edu (aes128-cts-hmac-sha1-96)
>>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette....@systems.lafayette.edu (des3-cbc-sha1)
>>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette....@systems.lafayette.edu (arcfour-hmac)
>>>> 
>>>> 
>>>>> rob
>>>>> 
>>>> 
>>>> -- 
>>>> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>>>> Nathan Lager, RHCSA, RHCE (#110-011-426)
>>>> System Administrator
>>>> 11 Pardee Hall
>>>> Lafayette College, Easton, PA 18042
>>>> 
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users@redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE (#110-011-426)
System Administrator
11 Pardee Hall
Lafayette College, Easton, PA 18042
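An added example, not code from the thread or from FreeIPA, showing why the extra [domain_realm] entries mattered: the IPA master caroline0.lafayette.edu sits under the lafayette.edu DNS domain while its realm is SYSTEMS.LAFAYETTE.EDU, so the original mapping never matched that hostname. The script is a simplified Python model of the lookup order libkrb5 uses for [domain_realm] (exact host, then parent domains with a leading dot); it assumes no default_realm or DNS fallback, and the two configuration texts are constructed from the ones quoted above.

```python
# Added example (not from the thread): model libkrb5's [domain_realm]
# hostname-to-realm lookup. Simplification: no default_realm/DNS fallback.

BEFORE = """\
[domain_realm]
 .systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
 systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
"""

AFTER = """\
[domain_realm]
 .systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
 systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
 .lafayette.edu = SYSTEMS.LAFAYETTE.EDU
 lafayette.edu = SYSTEMS.LAFAYETTE.EDU
"""


def parse_domain_realm(conf: str) -> dict:
    """Collect 'key = REALM' pairs from the [domain_realm] section only."""
    mapping, in_section = {}, False
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_section = line == "[domain_realm]"
            continue
        if in_section and "=" in line:
            key, realm = (part.strip() for part in line.split("=", 1))
            mapping[key.lower()] = realm
    return mapping


def host_realm(hostname: str, mapping: dict):
    """Exact host first, then each parent domain with a leading dot; first hit wins."""
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return None  # libkrb5 would now fall back to default_realm or DNS


if __name__ == "__main__":
    host = "caroline0.lafayette.edu"  # the IPA master named in the thread
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, host, "->", host_realm(host, parse_domain_realm(conf)))
```

With the original section the master's own hostname resolves to no realm at all, which is the condition under which libkrb5 guesses; with the added entries it resolves to SYSTEMS.LAFAYETTE.EDU.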