Thanks for getting back to me!

I don't think the problem has anything to do with DNS. I (finally) ran an ipa
command with the verbose flags -vv and found that it IS trying to contact
aurora.esci.millersville.edu; it fails, then tries to contact
cyclone.esci.millersville.edu (I still don't know where that comes from). I am
getting an 'Internal Server Error' in the output when connecting to aurora.
Here is the output:

        % ipa -vv passwd
        ipa: INFO: trying https://aurora.esci.millersville.edu/ipa/xml
        send: u'POST /ipa/xml HTTP/1.0\r\nHost: aurora.esci.millersville.edu\r\nAccept-Language: en-us\r\nReferer: https://aurora.esci.millersville.edu/ipa/xml\r\nAuthorization: negotiate <SNIPPED OUT THE KEY STRING> ...
        send: "<?xml version='1.0' encoding='UTF-8'?>\n<methodCall>\n<methodName>ping</methodName>\n<params>\n</params>\n</methodCall>\n"
        reply: 'HTTP/1.1 500 Internal Server Error\r\n'
        header: Date: Fri, 08 Mar 2013 16:52:48 GMT
        header: Server: Apache/2.2.15 (Scientific Linux)
        header: WWW-Authenticate: Negotiate YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvjoEMIFJxPVNU4jtl/7S+eC6fM0rlJWpV1fJdhoVTKwiR2pa2OHQWRtCjQDfzpBNwNBpt1fMY7M4Bfrqs860toAT6jMfS8Jkqh3Aj9OeuEmpEVHys5pbErjj14OPHxbxTmLdPxFE8eV4ZIDQg40a8
        header: Content-Length: 311
        header: Connection: close
        header: Content-Type: text/html; charset=utf-8
        ipa: INFO: trying https://cyclone.esci.millersville.edu/ipa/xml
        ipa: ERROR: Kerberos error: Service u'h...@cyclone.esci.millersville.edu' not found in Kerberos database/

The Apache error log gives this:
         Fri Mar 08 11:52:48 2013] [error] ipa: ERROR: 500 Internal Server Error: xmlserver.__call__: KRB5CCNAME not defined in HTTP request environment.

I have no idea what that means.  Can you help?

-----Original Message-----
From: Martin Kosek [mailto:mko...@redhat.com] 
Sent: Wednesday, March 06, 2013 3:05 AM
To: David Fitzgerald
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-* tools throws errors

Ok. Can you check whether this hostname is being returned by SRV DNS record
discovery run on the host where you execute the ipa commands?

# dig -t srv _ldap._tcp.esci.millersville.edu

Does it return the right results?

Martin

On 03/05/2013 07:26 PM, David Fitzgerald wrote:
> The host command returns the correct name:
> #host 166.66.65.39
> 39.65.66.166.in-addr.arpa domain name pointer aurora.esci.millersville.edu.
> 
> -----Original Message-----
> From: Martin Kosek [mailto:mko...@redhat.com]
> Sent: Tuesday, March 05, 2013 10:26 AM
> To: David Fitzgerald
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] ipa-* tools throws errors
> 
> On 03/05/2013 04:21 PM, David Fitzgerald wrote:
>> Hello everyone,
>>
>> I have been running a freeIPA server on Scientific Linux 6.2 for about a
>> year. Yesterday I started not being able to run any "ipa-" commands.
>> Running kinit admin gives me the proper tickets, but when I run any
>> ipa- command I get the following error:
>>
>> ipa: ERROR: Kerberos error: Service
>> u'h...@cyclone.esci.millersville.edu' not found in Kerberos database/.
>>
>> I have no idea where the cyclone.esci.millersville.edu is coming
>> from, as that used to be a Windows Domain server that was
>> decommissioned years ago and is no longer in DNS, nor in /etc/hosts.
>> I even grep -R all of the files in /etc and none refer to cyclone. I
>> checked the ipa config and krb5.conf files and they are pointing at the
>> proper ipa server.
>>
>> Checking log files I get these messages when I try to run ipa commands:
>>
>> /var/log/httpd/error log:
>>
>> Tue Mar 05 08:57:54 2013] [error] ipa: ERROR: 500 Internal Server Error:
>> xmlserver.__call__: KRB5CCNAME not defined in HTTP request
>> environment
>>
>> /var/log/ipa
>>
>> Mar 05 09:57:00 aurora.esci.millersville.edu krb5kdc[12534](info):
>> TGS_REQ (4 etypes {18 17 16 23}) 166.66.65.39: ISSUE: authtime
>> 1362491436, etypes {rep=18
>> tkt=18 ses=18}, admin@LINUX.DIRSRV.LOCAL for
>> krbtgt/LINUX.DIRSRV.LOCAL@LINUX.DIRSRV.LOCAL
>>
>> Mar 05 09:57:00 aurora.esci.millersville.edu krb5kdc[12534](info):
>> TGS_REQ (4 etypes {18 17 16 23}) 166.66.65.39: UNKNOWN_SERVER:
>> authtime 0, admin@LINUX.DIRSRV.LOCAL for
>> HTTP/cyclone.esci.millersville.edu@LINUX.DIRSRV.LOCAL, Server not
>> found in Kerberos database
>>
>> I Googled these error messages, but none of the results seemed to
>> apply to my situation or didn't solve the problem. Can anyone point
>> me in the right direction? Any help is greatly appreciated.
>>
>> For what they are worth, here are my /etc/krb5.conf and
>> /etc/ipa/default.conf files:
>>
>> /etc/krb5.conf:
>>
>> includedir /var/lib/sss/pubconf/krb5.include.d/
>>
>> [logging]
>> default = FILE:/var/log/krb5libs.log
>> kdc = FILE:/var/log/krb5kdc.log
>> admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>> default_realm = LINUX.DIRSRV.LOCAL
>> dns_lookup_realm = false
>> dns_lookup_kdc = false
>> rdns = false
>> ticket_lifetime = 24h
>> forwardable = yes
>>
>> [realms]
>> LINUX.DIRSRV.LOCAL = {
>>   kdc = aurora.esci.millersville.edu:88
>>   admin_server = aurora.esci.millersville.edu:749
>>   default_domain = esci.millersville.edu
>>   pkinit_anchors = FILE:/etc/ipa/ca.crt
>> }
>>
>> [domain_realm]
>> .esci.millersville.edu = LINUX.DIRSRV.LOCAL
>> esci.millersville.edu = LINUX.DIRSRV.LOCAL
>>
>> [dbmodules]
>> #  LINUX.DIRSRV.LOCAL = {
>> #    db_library = kldap
>> #    ldap_servers = ldapi://%2fvar%2frun%2fslapd-LINUX-DIRSRV-LOCAL.socket
>> #    ldap_kerberos_container_dn = cn=kerberos,dc=linux,dc=dirsrv,dc=local
>> #    ldap_kdc_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=linux,dc=dirsrv,dc=local
>> #    ldap_kadmind_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=linux,dc=dirsrv,dc=local
>> #    ldap_service_password_file = /var/kerberos/krb5kdc/ldappwd
>> #  }
>>
>>   LINUX.DIRSRV.LOCAL = {
>>     db_library = ipadb.so
>>   }
>>
>> /etc/ipa/default.conf
>>
>> [global]
>> host=aurora.esci.millersville.edu
>> basedn=dc=linux,dc=dirsrv,dc=local
>> realm=LINUX.DIRSRV.LOCAL
>> domain=esci.millersville.edu
>> xmlrpc_uri=https://aurora.esci.millersville.edu/ipa/xml
>> ldap_uri=ldapi://%2fvar%2frun%2fslapd-LINUX-DIRSRV-LOCAL.socket
>> enable_ra=True
>> ra_plugin=dogtag
>> mode=production
>>
>> +++++++++++++++++++++++
>> David Fitzgerald
>> Department of Earth Sciences
>> Millersville University
>> Millersville, PA 17551
>>
>> Phone: 717-871-2394
>>
> 
> Hello David,
> 
> I suspect this is caused by broken DNS reverse resolution, as Kerberos client 
> software often uses the result of reverse record (PTR RR) resolution as the 
> hostname and not the actual hostname configured on your system.
> 
> What does "host $IP_ADDRESS_OF_YOUR_HOST" return? Does it return the correct 
> hostname?
> 
> Martin
> 
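An added triage helper, not part of this thread or of FreeIPA, that parses the `ipa -vv` trace and the /etc/ipa/default.conf quoted above to list every server the client tried, the outcome seen for each, and any host that the configuration never names. The sample strings are constructed from the lines quoted in the thread; the obfuscated service name in the Kerberos error is assumed to be HTTP, as the KDC log line shows.

```python
import re
from configparser import ConfigParser
from urllib.parse import urlparse

# Constructed sample from the `ipa -vv passwd` trace above; the obfuscated service name is assumed to be HTTP (per the KDC log).
IPA_TRACE = """\
ipa: INFO: trying https://aurora.esci.millersville.edu/ipa/xml
reply: 'HTTP/1.1 500 Internal Server Error\\r\\n'
ipa: INFO: trying https://cyclone.esci.millersville.edu/ipa/xml
ipa: ERROR: Kerberos error: Service u'HTTP@cyclone.esci.millersville.edu' not found in Kerberos database/
"""

# Constructed sample: the [global] keys of /etc/ipa/default.conf that name the server.
DEFAULT_CONF = """\
[global]
host=aurora.esci.millersville.edu
xmlrpc_uri=https://aurora.esci.millersville.edu/ipa/xml
"""

def configured_server(conf_text):
    """Hostname the client is configured to talk to (taken from xmlrpc_uri)."""
    # interpolation=None: the real file carries ldapi://%2fvar... values that '%' interpolation would reject
    cp = ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return urlparse(cp["global"]["xmlrpc_uri"]).hostname

def parse_trace(trace):
    """Return [(server, outcome), ...] in the order the client tried the servers."""
    attempts = []
    for line in trace.splitlines():
        m = re.search(r"ipa: INFO: trying (\S+)", line)
        if m:
            attempts.append([urlparse(m.group(1)).hostname, None])
        elif attempts and attempts[-1][1] is None:
            m = re.search(r"reply: 'HTTP/\d\.\d (\d{3})", line)
            if m:
                attempts[-1][1] = "HTTP " + m.group(1)      # e.g. the 500 from aurora
            elif "Kerberos error: " in line:               # e.g. the unknown service on cyclone
                attempts[-1][1] = "Kerberos: " + line.split("Kerberos error: ", 1)[1].strip()
    return [tuple(a) for a in attempts]

def unexpected_servers(trace, conf_text):
    """Hosts the client fell back to that the config never names (cyclone, in the thread)."""
    expected = configured_server(conf_text)
    return [server for server, _ in parse_trace(trace) if server != expected]

if __name__ == "__main__":
    print(parse_trace(IPA_TRACE), unexpected_servers(IPA_TRACE, DEFAULT_CONF))
```

A host reported by unexpected_servers is one the client learned from somewhere other than default.conf, which is exactly the question Martin's SRV and PTR checks are meant to answer.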


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
