On 09/21/2012 11:13 AM, Nathan Lager wrote:
>
> On 09/21/2012 11:07 AM, Nathan Lager wrote:
>>
>> On 09/21/2012 10:18 AM, Rob Crittenden wrote:
>>> Lager, Nathan T. wrote:
>>>> Well, after all of this, RedHat support just resolved my issue!
>>>>
>>>> It came down to the domain_realm definitions in /etc/krb5.conf.
>>>>
>>>> They had me change:
>>>>
>>>> [domain_realm]
>>>> .systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
>>>> systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
>>>>
>>>> To:
>>>>
>>>> [domain_realm]
>>>> .systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
>>>> systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
>>>> .lafayette.edu = SYSTEMS.LAFAYETTE.EDU
>>>> lafayette.edu = SYSTEMS.LAFAYETTE.EDU
>>>>
>>>> After doing so, I restarted IPA, and my commands are working properly now!
>>>>
>>>> Now, to get my replica back in order...
>>>
>>> Wow. OK, I'm glad it's working. Do we have any idea how this file changed? Is it wrong on all your clients or only on this one master?
>>
>> It appears wrong on my replica as well, caroline1. There are no clients currently, other than RHEV.
>>
>> I only have one lingering issue, aside from my replica being broken.
>>
>> I still can't reset admin's password. It gives me the same error it was before.
>>
>> [root@caroline0 PROD ~]# kinit admin
>> Password for ad...@systems.lafayette.edu:
>> Password expired. You must change it now.
>> Enter new password:
>> Enter it again:
>> kinit: Password has expired while getting initial credentials
>>
>
> Fixed this, on a hunch. When the password expired, the pwpolicy was set to 90 days. RedHat Support had me change it to 9999 days to effectively disable it so others wouldn't expire (because no one could change passwords).
>
> I had a hunch that because the policy was now set greater than the time it's been since admin last changed his password, that IPA was getting confused when I attempted to change the expired pass. So I set it back to 90.
> It let me change the expired password.
>
> That might be worthy of a bug report.
>

Can you please file one?
>
>
>>> rob
>>>>
>>>> ----- Original Message -----
>>>>> From: "Nathan Lager" <lag...@lafayette.edu>
>>>>> To: "Rob Crittenden" <rcrit...@redhat.com>
>>>>> Cc: freeipa-users@redhat.com
>>>>> Sent: Thursday, September 20, 2012 2:46:20 PM
>>>>> Subject: Re: [Freeipa-users] sudden ipa errors.
>>>>>
>>>>> On 09/20/2012 02:28 PM, Rob Crittenden wrote:
>>>>>> Nathan Lager wrote:
>>>>>>>
>>>>>>> On 09/20/2012 11:43 AM, Rob Crittenden wrote:
>>>>>>>> Lager, Nathan T. wrote:
>>>>>>>>>
>>>>>>>>> ----- Original Message -----
>>>>>>>>>> From: "Rob Crittenden" <rcrit...@redhat.com>
>>>>>>>>>> To: "Nathan Lager" <lag...@lafayette.edu>
>>>>>>>>>> Cc: freeipa-users@redhat.com
>>>>>>>>>> Sent: Wednesday, September 19, 2012 4:35:30 PM
>>>>>>>>>> Subject: Re: [Freeipa-users] sudden ipa errors.
>>>>>>>>>>
>>>>>>>>>> Nathan Lager wrote:
>>>>>>>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>>>>>>>> Hash: SHA1
>>>>>>>>>>>
>>>>>>>>>>> On 09/19/2012 03:47 PM, Rob Crittenden wrote:
>>>>>>>>>>>> Dmitri Pal wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Rob, keytab and kerberos part seems to be fine, ldap works too. Can it be one of the certs? Maybe some cert expired?
>>>>>>>>>>>>
>>>>>>>>>>>> No, the error is coming from GSSAPI, it is unfortunately completely useless. I think we've pretty well narrowed down the problem to httpd/mod_auth_kerb but I don't know yet if this is a configuration issue or a bug.
>>>>>>>>>>>>
>>>>>>>>>>>> Nathan, can you show me your /etc/httpd/conf.d/ipa.conf?
>>>>>>>>>>>
>>>>>>>>>>> Sure, as far as I know it's completely stock, aside from the krb password auth change.
>>>>>>>>>>
>>>>>>>>>> Yup, configuration looks fine.
>>>>>>>>>>
>>>>>>>>>> Ok, let's eliminate the ipa tool as the problem and try curl:
>>>>>>>>>>
>>>>>>>>>> Create a file test.json with these contents:
>>>>>>>>>>
>>>>>>>>>> {"method":"batch","params":[[
>>>>>>>>>> {"method":"user_show","params":[["admin"],{"all":false}]}
>>>>>>>>>> ],{}],"id":1}
>>>>>>>>>>
>>>>>>>>>> then run this:
>>>>>>>>>>
>>>>>>>>>> curl -H "Content-Type:application/json" -H "Accept:application/json" -H "Accept-Language:en" -H "Referer: https://caroline0.lafayette.edu/ipa/xml" --negotiate -u : --cacert /etc/ipa/ca.crt -d @test.json -X POST https://caroline0.lafayette.edu/ipa/json
>>>>>>>>>>
>>>>>>>>> Seems to be running into the same trouble.
>>>>>>>>>
>>>>>>>>> [lagern@caroline0 PROD ~]$ curl -H "Content-Type:application/json" -H "Accept:application/json" -H "Accept-Language:en" -H "Referer: https://caroline0.lafayette.edu/ipa/xml" --negotiate -u : --cacert /etc/ipa/ca.crt -d @test.json -X POST https://caroline0.lafayette.edu/ipa/json
>>>>>>>>> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
>>>>>>>>> <html><head>
>>>>>>>>> <title>500 Internal Server Error</title>
>>>>>>>>> </head><body>
>>>>>>>>> <h1>Internal Server Error</h1>
>>>>>>>>> <p>The server encountered an internal error or misconfiguration and was unable to complete your request.</p>
>>>>>>>>> <p>Please contact the server administrator, root@localhost and inform them of the time the error occurred, and anything you might have done that may have caused the error.</p>
>>>>>>>>> <p>More information about this error may be available in the server error log.</p>
>>>>>>>>> <hr>
>>>>>>>>> <address>Apache/2.2.15 (Red Hat) Server at caroline0.lafayette.edu Port 443</address>
>>>>>>>>> </body></html>
>>>>>>>>
>>>>>>>> Ok, need to gather some more info:
>>>>>>>>
>>>>>>>> # kvno HTTP/caroline0.lafayette.edu
>>>>>>>> # klist -kt /etc/httpd/conf/ipa.keytab
>>>>>>>>
>>>>>>> [root@caroline0 PROD ~]# kvno HTTP/caroline0.lafayette.edu
>>>>>>> HTTP/caroline0.lafayette....@systems.lafayette.edu: kvno = 3
>>>>>>> [root@caroline0 PROD ~]# klist -kt /etc/httpd/conf/ipa.keytab
>>>>>>> Keytab name: WRFILE:/etc/httpd/conf/ipa.keytab
>>>>>>> KVNO Timestamp         Principal
>>>>>>> ---- ----------------- --------------------------------------------------------
>>>>>>>    2 02/03/12 16:31:27 HTTP/caroline0.lafayette....@systems.lafayette.edu
>>>>>>>    2 02/03/12 16:31:27 HTTP/caroline0.lafayette....@systems.lafayette.edu
>>>>>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette....@systems.lafayette.edu
>>>>>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette....@systems.lafayette.edu
>>>>>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette....@systems.lafayette.edu
>>>>>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette....@systems.lafayette.edu
>>>>>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette....@systems.lafayette.edu
>>>>>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette....@systems.lafayette.edu
>>>>>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette....@systems.lafayette.edu
>>>>>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette....@systems.lafayette.edu
>>>>>>>
>>>>>>
>>>>>> It may be nothing, but I wonder why kvno 2 has 6 keys and 3 has only 4. Did you change the available encryption types?
>>>>>>
>>>>> I have not changed them, not intentionally anyway. Could it be that an update did so? I installed IPA around RHEL 6.1 or so, and have been updating it via yum periodically.
>>>>>
>>>>>> Can you re-run the klist command with -e as well? klist -ekt ...
>>>>>>
>>>>> [root@caroline0 PROD ~]# klist -kte /etc/httpd/conf/ipa.keytab
>>>>> Keytab name: WRFILE:/etc/httpd/conf/ipa.keytab
>>>>> KVNO Timestamp         Principal
>>>>> ---- ----------------- --------------------------------------------------------
>>>>>    2 02/03/12 16:31:27 HTTP/caroline0.lafayette....@systems.lafayette.edu (aes256-cts-hmac-sha1-96)
>>>>>    2 02/03/12 16:31:27 HTTP/caroline0.lafayette....@systems.lafayette.edu (aes128-cts-hmac-sha1-96)
>>>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette....@systems.lafayette.edu (des3-cbc-sha1)
>>>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette....@systems.lafayette.edu (arcfour-hmac)
>>>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette....@systems.lafayette.edu (des-hmac-sha1)
>>>>>    2 02/03/12 16:31:28 HTTP/caroline0.lafayette....@systems.lafayette.edu (des-cbc-md5)
>>>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette....@systems.lafayette.edu (aes256-cts-hmac-sha1-96)
>>>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette....@systems.lafayette.edu (aes128-cts-hmac-sha1-96)
>>>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette....@systems.lafayette.edu (des3-cbc-sha1)
>>>>>    3 09/19/12 15:33:53 HTTP/caroline0.lafayette....@systems.lafayette.edu (arcfour-hmac)
>>>>>
>>>>>
>>>>>> rob
>>>>>>
>>>>>
>>>>> --
>>>>> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>>>>> Nathan Lager, RHCSA, RHCE (#110-011-426)
>>>>> System Administrator
>>>>> 11 Pardee Hall
>>>>> Lafayette College, Easton, PA 18042
>>>>>
>>>>> _______________________________________________
>>>>> Freeipa-users mailing list
>>>>> Freeipa-users@redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
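The keytab comparison in the thread (Rob eyeballing `kvno` against `klist -ekt` and noticing that KVNO 2 carries six enctypes while KVNO 3 carries four) is easy to automate. The script below is an added example, not code from the thread, from FreeIPA or from MIT krb5: it parses the text those two commands print, groups keytab entries by key version, and reports whether the keytab still holds the KVNO the KDC currently issues service tickets for (if not, every GSSAPI accept fails, which is what a stale `ipa.keytab` looks like from httpd), which enctypes vanished between key versions, and which weak single-DES or RC4 keys are still present in the current version. The sample listing is constructed in the shape the thread's output has, with the service principal spelled out in full and the realm taken from the krb5.conf above; the parsers assume MIT krb5's `klist`/`kvno` output format.

```python
"""Keytab / KDC consistency check for a Kerberos service principal.

Added example (not from the thread, FreeIPA or MIT krb5). Parses the text
printed by `kvno <principal>` and `klist -ekt <keytab>`, groups keytab
entries by key version number and reports what an operator would otherwise
compare by eye.
"""
import re
from collections import defaultdict

# One data row of `klist -ekt`:
#   "   2 02/03/12 16:31:27 HTTP/host@REALM (aes256-cts-hmac-sha1-96)"
KLIST_ROW = re.compile(
    r"^\s*(?P<kvno>\d+)\s+(?P<stamp>\S+\s+\S+)\s+(?P<princ>\S+)\s+\((?P<etype>[^)]+)\)\s*$"
)
# `kvno` output: "HTTP/host@REALM: kvno = 3"
KVNO_ROW = re.compile(r"^(?P<princ>\S+):\s+kvno\s*=\s*(?P<kvno>\d+)\s*$")

# Enctypes that should no longer be in a service keytab (single DES, RC4).
WEAK_ETYPES = frozenset({
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-hmac-sha1",
    "arcfour-hmac", "arcfour-hmac-md5", "arcfour-hmac-exp", "arcfour-hmac-md5-exp",
})


def parse_klist(text):
    """Return {principal: {kvno: set(enctypes)}} from `klist -ekt` output.
    Header, separator and any non-matching lines are ignored."""
    keys = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = KLIST_ROW.match(line)
        if m:
            # Newer MIT klist may print "(DEPRECATED:arcfour-hmac)"; keep the bare name.
            etype = m["etype"].split(":")[-1].strip()
            keys[m["princ"]][int(m["kvno"])].add(etype)
    return {p: dict(v) for p, v in keys.items()}


def parse_kvno(text):
    """Return {principal: kvno} from `kvno` output (one principal per line)."""
    return {m["princ"]: int(m["kvno"])
            for m in map(KVNO_ROW.match, text.splitlines()) if m}


def check_keytab(klist_text, kvno_text):
    """Compare the keytab with the KDC's view for each principal in kvno_text.

    Returns {principal: finding}, where finding holds:
      kdc_kvno          KVNO the KDC currently issues service tickets with
      keytab_kvnos      sorted KVNOs present in the keytab
      stale             True if the KDC's KVNO is missing from the keytab
                        (the service cannot decrypt new tickets; GSSAPI fails)
      dropped_enctypes  enctypes the previous KVNO had that the current one lacks
      weak_enctypes     weak enctypes still present in the current KVNO
    """
    keytab = parse_klist(klist_text)
    report = {}
    for princ, current in parse_kvno(kvno_text).items():
        versions = keytab.get(princ, {})
        finding = {
            "kdc_kvno": current,
            "keytab_kvnos": sorted(versions),
            "stale": current not in versions,
            "dropped_enctypes": set(),
            "weak_enctypes": set(),
        }
        if current in versions:
            older = [v for v in versions if v < current]
            if older:
                finding["dropped_enctypes"] = versions[max(older)] - versions[current]
            finding["weak_enctypes"] = versions[current] & WEAK_ETYPES
        report[princ] = finding
    return report


# Constructed sample in the shape of the thread's listing: KVNO 2 with six
# enctypes, KVNO 3 (current on the KDC) with four. The principal is assumed.
PRINC = "HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU"
SAMPLE_KVNO = f"{PRINC}: kvno = 3\n"
SAMPLE_KLIST = f"""Keytab name: FILE:/etc/httpd/conf/ipa.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 02/03/12 16:31:27 {PRINC} (aes256-cts-hmac-sha1-96)
   2 02/03/12 16:31:27 {PRINC} (aes128-cts-hmac-sha1-96)
   2 02/03/12 16:31:28 {PRINC} (des3-cbc-sha1)
   2 02/03/12 16:31:28 {PRINC} (arcfour-hmac)
   2 02/03/12 16:31:28 {PRINC} (des-hmac-sha1)
   2 02/03/12 16:31:28 {PRINC} (des-cbc-md5)
   3 09/19/12 15:33:53 {PRINC} (aes256-cts-hmac-sha1-96)
   3 09/19/12 15:33:53 {PRINC} (aes128-cts-hmac-sha1-96)
   3 09/19/12 15:33:53 {PRINC} (des3-cbc-sha1)
   3 09/19/12 15:33:53 {PRINC} (arcfour-hmac)
"""

if __name__ == "__main__":
    # On a live host feed in the real output instead of the samples, e.g.
    #   subprocess.run(["kvno", PRINC], capture_output=True, text=True).stdout
    #   subprocess.run(["klist", "-ekt", "/etc/httpd/conf/ipa.keytab"], ...).stdout
    for princ, f in check_keytab(SAMPLE_KLIST, SAMPLE_KVNO).items():
        print(princ)
        print("  KDC kvno %d, keytab has %s%s" % (
            f["kdc_kvno"], f["keytab_kvnos"], "  <-- STALE KEYTAB" if f["stale"] else ""))
        if f["dropped_enctypes"]:
            print("  enctypes dropped since previous kvno:", sorted(f["dropped_enctypes"]))
        if f["weak_enctypes"]:
            print("  weak enctypes still in current kvno:", sorted(f["weak_enctypes"]))
```

Run against the sample it reports that the keytab does hold the KDC's KVNO 3, that des-hmac-sha1 and des-cbc-md5 were dropped when the key was rotated, and that arcfour-hmac is still present; the `stale` flag is the one that explains a sudden GSSAPI 500 after a key rotation, since httpd would then be unable to decrypt any freshly issued HTTP/ ticket.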