On 03/11/2013 02:05 PM, David Fitzgerald wrote:

Here is the output of the dig command.  Cyclone does show up here, but our 
networking people say there are no srv records in our current db.  I still 
think the trouble I am having has to do with the Internal Server Error I get 
when I run ipa commands.

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6.3 <<>> -t srv 
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27213
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;_ldap._tcp.esci.millersville.edu. IN   SRV

_ldap._tcp.esci.millersville.edu. 600 IN SRV    0 100 389 

_tcp.esci.millersville.edu. 3600 IN     NS      corsair.millersville.edu.
_tcp.esci.millersville.edu. 3600 IN     NS      garfield.millersville.edu.

corsair.millersville.edu. 3600  IN      A
garfield.millersville.edu. 3600 IN      A

;; Query time: 1 msec
;; WHEN: Mon Mar 11 13:55:36 2013
;; MSG SIZE  rcvd: 176

-----Original Message-----
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of David Fitzgerald
Sent: Friday, March 08, 2013 12:04 PM
To: Martin Kosek
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-* tools throws errors

Thanks for getting back to me!

I don't think the problem has anything to do with DNS.  I (finally) ran an ipa 
command with the verbose flags -vv and found that it IS trying to contact 
aurora.esci.millersville.edu, it fails then tries to contact 
cyclone.esci.millersville.edu (still don't know where that comes from).   I am 
getting an 'Internal Server Error' in the output when connecting to aurora.  
Here is the output:

        % ipa -vv passwd
        ipa: INFO: trying https://aurora.esci.millersville.edu/ipa/xml
        send: u'POST /ipa/xml HTTP/1.0\r\nHost: 
aurora.esci.millersville.edu\r\nAccept-Language: en-us\r\nReferer:      
https://aurora.esci.millersville.edu/ipa/xml\r\nAuthorization: negotiate
                 <SNIPPED OUT THE KEY STRING> ...
        send: "<?xml version='1.0' encoding='UTF-8'?    
        reply: 'HTTP/1.1 500 Internal Server Error\r\n'
        header: Date: Fri, 08 Mar 2013 16:52:48 GMT
        header: Server: Apache/2.2.15 (Scientific Linux)
        header: WWW-Authenticate: Negotiate     
        header: Content-Length: 311
        header: Connection: close
        header: Content-Type: text/html; charset=utf-8
        ipa: INFO: trying https://cyclone.esci.millersville.edu/ipa/xml
        ipa: ERROR: Kerberos error: Service 
u'h...@cyclone.esci.millersville.edu' not found in Kerberos database/

The apache error log gives this:
         Fri Mar 08 11:52:48 2013] [error] ipa: ERROR: 500 Internal Server 
Error: xmlserver.__call__: KRB5CCNAME not defined in HTTP request environment.

I have no idea what that means.  Can you help?

It looks like the web server on aurora isn't configured for Kerberos auth on the ipa/xml location. If it were, it would have created a KRB5CCNAME before handing the request to IPA. IPA is complaining it can't find the Kerberos credentials. Your client then falls back to the server it found in your DNS SRV record. I can't explain that SRV record or whether you've got a valid IPA server running there or not.

I would check the apache config on aurora.

Do you have a:



Are there any .rpmnew files under /etc/httpd?

Have you restarted httpd on aurora?

What are the contents of /etc/httpd/conf.d/ipa.conf?

John Dennis <jden...@redhat.com>
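
Added example, not part of the thread or of FreeIPA: a shell sketch of the Apache checks suggested in the reply above, reporting Kerberos directives missing from a `<Location>` block and listing leftover `.rpmnew` files. It assumes mod_auth_kerb directive names and a `/ipa` location; the sample config files are constructed.

```shell
#!/bin/sh
# Added example. Directive names are those of mod_auth_kerb; the location
# path (/ipa) and the sample files written below are assumptions.

# Print one line per Kerberos directive missing from <Location LOC> in FILE.
check_krb_location() {
    awk -v loc="$2" '
        /^[ \t]*#/ { next }
        /^[ \t]*<Location[ \t]/ {
            line = $0; gsub(/[<>"]/, "", line); split(line, f)
            inblock = (f[2] == loc); if (inblock) found = 1
            next
        }
        /^[ \t]*<\/Location>/ { inblock = 0; next }
        inblock {
            l = tolower($0)
            if (l ~ /authtype[ \t]+kerberos/) auth = 1
            if (l ~ /krbsavecredentials[ \t]+on/) save = 1
        }
        END {
            if (!found) { print "missing: <Location " loc "> block"; exit }
            if (!auth) print "missing: AuthType Kerberos"
            if (!save) print "missing: KrbSaveCredentials on"
        }' "$1"
}

# List *.rpmnew files: packaged configs that were never merged into the live one.
find_rpmnew() { find "$1" -type f -name '*.rpmnew'; }

# Write two constructed sample configs and one .rpmnew file into DIR.
make_samples() {
    mkdir -p "$1/conf.d"
    printf '%s\n' '<Location "/ipa">' '  AuthType Kerberos' \
        '  KrbSaveCredentials on' '</Location>' > "$1/conf.d/good.conf"
    printf '%s\n' '<Location "/ipa">' '  AuthType Kerberos' \
        '  # KrbSaveCredentials on' '</Location>' > "$1/conf.d/stale.conf"
    : > "$1/conf.d/ipa.conf.rpmnew"
}

tmp=$(mktemp -d)
make_samples "$tmp"
for f in good stale; do
    echo "== $f.conf"; check_krb_location "$tmp/conf.d/$f.conf" /ipa
done
echo "== rpmnew files"; find_rpmnew "$tmp"
rm -rf "$tmp"
```

On a real server the same functions would be pointed at /etc/httpd/conf.d/ipa.conf and /etc/httpd, followed by an httpd restart after any change.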
