Hello David,

I am still not convinced that this issue is not caused by DNS. This is what we do in the "ipa" command:

1) We primarily try to connect to the server that is defined in /etc/ipa/default.conf in the "server" option.
2) If it is not available, we try to fall back to other IPA servers, which are resolved via the DNS SRV query "_ldap._tcp.DOMAIN", where DOMAIN is also read from /etc/ipa/default.conf.

I do not see any other path by which this server could get into "ipa". This is why I suggested running the DNS query on the machine where you run the client:

# dig -t srv _ldap._tcp.esci.millersville.edu

It could help us see if the server is coming from this direction.

As for the KRB5CCNAME appearing on your real IPA server, AFAIU, this environment variable is set by the "mod_auth_kerb" plugin for httpd (we configure it in /etc/httpd/conf.d/ipa.conf; "KrbSaveCredentials" should be "on" so that we can get the KRB5CCNAME). You can also try restarting httpd and see if that changes anything.

Martin
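The two-step server selection described in the message above, as an added example (not FreeIPA's own code): the host configured in /etc/ipa/default.conf is tried first, then any IPA servers advertised by the _ldap._tcp.<domain> SRV record. The default.conf text and the SRV answers are constructed here so the script runs offline; the stale "cyclone" SRV target is an assumed record standing in for a decommissioned host still present in DNS, and lookup_srv() is a stand-in for the real query that the dig command above performs.

```python
"""Added example (not FreeIPA's own code): a simplified model of the
server-selection order described in the thread, the server configured in
/etc/ipa/default.conf first, then any IPA servers advertised by the
_ldap._tcp.<domain> SRV record.  The config text and the SRV answers
below are constructed; a real run would replace lookup_srv() with a
query to the resolver (for example: dig -t srv _ldap._tcp.<domain>)."""
import configparser
from urllib.parse import urlparse

# Constructed default.conf, modelled on the one posted later in the thread.
# It has no "server" option, only "host" and "xmlrpc_uri".
SAMPLE_DEFAULT_CONF = """
[global]
host=aurora.esci.millersville.edu
realm=LINUX.DIRSRV.LOCAL
domain=esci.millersville.edu
xmlrpc_uri=https://aurora.esci.millersville.edu/ipa/xml
"""

# Constructed SRV answer as (priority, weight, port, target) tuples.  The
# second record is an assumed stale entry that still names a decommissioned
# host; nothing in default.conf mentions it.
SAMPLE_SRV = {
    "_ldap._tcp.esci.millersville.edu": [
        (0, 100, 389, "aurora.esci.millersville.edu."),
        (10, 100, 389, "cyclone.esci.millersville.edu."),
    ],
}


def lookup_srv(name, table=SAMPLE_SRV):
    """Stand-in resolver: answers from the constructed table only."""
    return list(table.get(name, []))


def _global_section(conf_text):
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return cp["global"]


def configured_server(conf_text):
    """Hostname the client tries first: the "server" option if present,
    otherwise the host part of xmlrpc_uri, otherwise "host"."""
    g = _global_section(conf_text)
    if g.get("server"):
        return g["server"].strip()
    if g.get("xmlrpc_uri"):
        return urlparse(g["xmlrpc_uri"]).hostname
    return g.get("host")


def candidate_servers(conf_text, resolver=lookup_srv):
    """Full order of servers the client would contact: the configured one,
    then SRV targets by ascending priority and descending weight, without
    repeats."""
    primary = configured_server(conf_text)
    domain = _global_section(conf_text)["domain"]
    order = [primary]
    records = sorted(resolver(f"_ldap._tcp.{domain}"),
                     key=lambda r: (r[0], -r[1]))
    for _prio, _weight, _port, target in records:
        host = target.rstrip(".").lower()
        if host not in order:
            order.append(host)
    return order


def dns_only_servers(conf_text, resolver=lookup_srv):
    """Servers the client would fall back to purely because DNS advertises
    them.  A non-empty list is the "other path" worth checking with dig."""
    primary = configured_server(conf_text)
    return [h for h in candidate_servers(conf_text, resolver) if h != primary]


if __name__ == "__main__":
    print("try order:", candidate_servers(SAMPLE_DEFAULT_CONF))
    print("from DNS only:", dns_only_servers(SAMPLE_DEFAULT_CONF))
```

With the constructed data, dns_only_servers() reports the one host that no configuration file names, which is exactly the situation the dig query is meant to confirm or rule out; pass a resolver that returns an empty list and the fallback list is empty.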

On 03/08/2013 06:03 PM, David Fitzgerald wrote:
Thanks for getting back to me!

I don't think the problem has anything to do with DNS.  I (finally) ran an ipa command with the verbose flags -vv and found that it IS trying to contact aurora.esci.millersville.edu; it fails, then tries to contact cyclone.esci.millersville.edu (still don't know where that comes from).  I am getting an 'Internal Server Error' in the output when connecting to aurora.  Here is the output:

        % ipa -vv passwd
        ipa: INFO: trying https://aurora.esci.millersville.edu/ipa/xml
        send: u'POST /ipa/xml HTTP/1.0\r\nHost: aurora.esci.millersville.edu\r\nAccept-Language: en-us\r\nReferer: https://aurora.esci.millersville.edu/ipa/xml\r\nAuthorization: negotiate <SNIPPED OUT THE KEY STRING> ...
        send: "<?xml version='1.0' encoding='UTF-8'?>\n<methodCall>\n<methodName>ping</methodName>\n<params>\n</params>\n</methodCall>\n"
        reply: 'HTTP/1.1 500 Internal Server Error\r\n'
        header: Date: Fri, 08 Mar 2013 16:52:48 GMT
        header: Server: Apache/2.2.15 (Scientific Linux)
        header: WWW-Authenticate: Negotiate YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvjoEMIFJxPVNU4jtl/7S+eC6fM0rlJWpV1fJdhoVTKwiR2pa2OHQWRtCjQDfzpBNwNBpt1fMY7M4Bfrqs860toAT6jMfS8Jkqh3Aj9OeuEmpEVHys5pbErjj14OPHxbxTmLdPxFE8eV4ZIDQg40a8
        header: Content-Length: 311
        header: Connection: close
        header: Content-Type: text/html; charset=utf-8
        ipa: INFO: trying https://cyclone.esci.millersville.edu/ipa/xml
        ipa: ERROR: Kerberos error: Service u'h...@cyclone.esci.millersville.edu' not found in Kerberos database/

The Apache error log gives this:
        Fri Mar 08 11:52:48 2013] [error] ipa: ERROR: 500 Internal Server Error: xmlserver.__call__: KRB5CCNAME not defined in HTTP request environment.

I have no idea what that means.  Can you help?

-----Original Message-----
From: Martin Kosek [mailto:mko...@redhat.com]
Sent: Wednesday, March 06, 2013 3:05 AM
To: David Fitzgerald
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-* tools throws errors

Ok. Can you try if this hostname is not returned in a SRV DNS record discovery 
run on the host where you execute the ipa commands?

# dig -t srv _ldap._tcp.esci.millersville.edu

Does it return the right results?

Martin

On 03/05/2013 07:26 PM, David Fitzgerald wrote:
The host command returns the correct name:
# host 166.66.65.39
39.65.66.166.in-addr.arpa domain name pointer aurora.esci.millersville.edu.

-----Original Message-----
From: Martin Kosek [mailto:mko...@redhat.com]
Sent: Tuesday, March 05, 2013 10:26 AM
To: David Fitzgerald
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-* tools throws errors

On 03/05/2013 04:21 PM, David Fitzgerald wrote:
Hello everyone,

I have been running a freeIPA server on Scientific Linux 6.2 for about a year.
Yesterday I started not being able to run any "ipa-" commands.
Running kinit admin gives me the proper tickets, but when I run any
ipa- command I get the following error:

ipa: ERROR: Kerberos error: Service
u'h...@cyclone.esci.millersville.edu' not found in Kerberos database/.

I have no idea where the cyclone.esci.millersville.edu is coming
from, as that used to be a Windows Domain server that was
decommissioned years ago and is no longer in DNS, nor in /etc/hosts.
I even grep -R all of the files in /etc and none refer to cyclone.  I
checked the ipa config and krb5.conf files and they are pointing at the proper
ipa server.

Checking log files I get these messages when I try to run ipa commands:

/var/log/httpd/error_log:

Tue Mar 05 08:57:54 2013] [error] ipa: ERROR: 500 Internal Server Error:
xmlserver.__call__: KRB5CCNAME not defined in HTTP request
environment

/var/log/ipa

Mar 05 09:57:00 aurora.esci.millersville.edu krb5kdc[12534](info):
TGS_REQ (4 etypes {18 17 16 23}) 166.66.65.39: ISSUE: authtime
1362491436, etypes {rep=18 tkt=18 ses=18}, admin@LINUX.DIRSRV.LOCAL for
krbtgt/LINUX.DIRSRV.LOCAL@LINUX.DIRSRV.LOCAL

Mar 05 09:57:00 aurora.esci.millersville.edu krb5kdc[12534](info):
TGS_REQ (4 etypes {18 17 16 23}) 166.66.65.39: UNKNOWN_SERVER:
authtime 0, admin@LINUX.DIRSRV.LOCAL for
HTTP/cyclone.esci.millersville.edu@LINUX.DIRSRV.LOCAL, Server not
found in Kerberos database

I Googled these error messages, but none of the results seemed to
apply to my situation or didn't solve the problem.  Can anyone point
me in the right direction? Any help is greatly appreciated.

For what they are worth, here are my /etc/krb5.conf and
/etc/ipa/default.conf files:

/etc/krb5.conf:

includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = LINUX.DIRSRV.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = yes

[realms]
LINUX.DIRSRV.LOCAL = {
   kdc = aurora.esci.millersville.edu:88
   admin_server = aurora.esci.millersville.edu:749
   default_domain = esci.millersville.edu
   pkinit_anchors = FILE:/etc/ipa/ca.crt
}

[domain_realm]
.esci.millersville.edu = LINUX.DIRSRV.LOCAL
esci.millersville.edu = LINUX.DIRSRV.LOCAL

[dbmodules]
#  LINUX.DIRSRV.LOCAL = {
#    db_library = kldap
#    ldap_servers = ldapi://%2fvar%2frun%2fslapd-LINUX-DIRSRV-LOCAL.socket
#    ldap_kerberos_container_dn = cn=kerberos,dc=linux,dc=dirsrv,dc=local
#    ldap_kdc_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=linux,dc=dirsrv,dc=local
#    ldap_kadmind_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=linux,dc=dirsrv,dc=local
#    ldap_service_password_file = /var/kerberos/krb5kdc/ldappwd
#  }

   LINUX.DIRSRV.LOCAL = {
     db_library = ipadb.so
   }

/etc/ipa/default.conf:

[global]
host=aurora.esci.millersville.edu
basedn=dc=linux,dc=dirsrv,dc=local
realm=LINUX.DIRSRV.LOCAL
domain=esci.millersville.edu
xmlrpc_uri=https://aurora.esci.millersville.edu/ipa/xml
ldap_uri=ldapi://%2fvar%2frun%2fslapd-LINUX-DIRSRV-LOCAL.socket
enable_ra=True
ra_plugin=dogtag
mode=production





+++++++++++++++++++++++

David Fitzgerald

Department of Earth Sciences

Millersville University

Millersville, PA 17551



Phone: 717-871-2394



Hello David,

I suspect this is caused by broken DNS reverse resolution, as Kerberos client
software often uses the result of reverse record (PTR RR) resolution as the
hostname and not the actual hostname configured on your system.

What does "host $IP_ADDRESS_OF_YOUR_HOST" return? Does it return the correct
hostname?

Martin
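The reverse-lookup behaviour suspected in the reply above, as an added example (not MIT Kerberos or FreeIPA code): with rdns enabled, a Kerberos client resolves the service host to an address and then names the service principal after that address's PTR record, so a stale PTR turns a request for HTTP/aurora... into a request for HTTP/cyclone..., which the KDC rejects with "Server not found in Kerberos database". The forward and reverse tables are constructed (the stale PTR is assumed, not taken from the thread); live_check() runs the same forward/reverse comparison against the system resolver, which is what the "host $IP" suggestion checks by hand.

```python
"""Added example (not MIT Kerberos or FreeIPA code): a simplified model of
hostname canonicalisation through the PTR record.  The DNS tables are
constructed; live_check() performs the same comparison with the real
resolver and needs network access."""
import socket

# Constructed records: the forward name is right, but the (assumed) PTR
# still points at a long-decommissioned host.
FORWARD = {"aurora.esci.millersville.edu": "166.66.65.39"}
REVERSE = {"166.66.65.39": "cyclone.esci.millersville.edu"}


def canonical_hostname(hostname, rdns=True, forward=FORWARD, reverse=REVERSE):
    """Name the client will put into the service principal.

    rdns=True mirrors the krb5 default (trust the PTR record);
    rdns=False keeps the forward name, which is what "rdns = false" in
    [libdefaults] asks for."""
    host = hostname.rstrip(".").lower()
    addr = forward.get(host)
    if addr is None:
        raise LookupError(f"no address record for {host}")
    if not rdns:
        return host
    return reverse.get(addr, host).rstrip(".").lower()


def service_principal(service, hostname, realm, rdns=True,
                      forward=FORWARD, reverse=REVERSE):
    """Principal the client asks the KDC for, e.g. HTTP/host@REALM."""
    canon = canonical_hostname(hostname, rdns, forward, reverse)
    return f"{service}/{canon}@{realm}"


def reverse_mismatch(hostname, forward=FORWARD, reverse=REVERSE):
    """Offline equivalent of running host on the address: None when the
    forward and reverse names agree, else (name, address, ptr_name)."""
    host = hostname.rstrip(".").lower()
    addr = forward[host]
    ptr = reverse.get(addr)
    return None if ptr == host else (host, addr, ptr)


def live_check(hostname):
    """Same comparison against the system resolver (needs network)."""
    addr = socket.gethostbyname(hostname)
    ptr = socket.gethostbyaddr(addr)[0].rstrip(".").lower()
    return None if ptr == hostname.rstrip(".").lower() else (hostname, addr, ptr)


if __name__ == "__main__":
    realm = "LINUX.DIRSRV.LOCAL"
    for flag in (True, False):
        print(f"rdns={flag}:", service_principal(
            "HTTP", "aurora.esci.millersville.edu", realm, rdns=flag))
    print("mismatch:", reverse_mismatch("aurora.esci.millersville.edu"))
```

Run with the constructed tables, the rdns=True case produces the very principal the KDC log later rejects, and rdns=False produces the expected HTTP/aurora... principal; reverse_mismatch() returns None as soon as the PTR is corrected to match the forward name.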



_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users