On 03/11/2013 02:05 PM, David Fitzgerald wrote:


Here is the output of the dig command.  Cyclone does show up here, but our 
networking people say there are no srv records in our current db.  I still 
think the trouble I am having has to do with the Internal Server Error I get 
when I run ipa commands.


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6.3 <<>> -t srv 
_ldap._tcp.esci.millersville.edu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27213
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;_ldap._tcp.esci.millersville.edu. IN   SRV

;; ANSWER SECTION:
_ldap._tcp.esci.millersville.edu. 600 IN SRV    0 100 389 
cyclone.esci.millersville.edu.

;; AUTHORITY SECTION:
_tcp.esci.millersville.edu. 3600 IN     NS      corsair.millersville.edu.
_tcp.esci.millersville.edu. 3600 IN     NS      garfield.millersville.edu.

;; ADDITIONAL SECTION:
corsair.millersville.edu. 3600  IN      A       192.206.29.2
garfield.millersville.edu. 3600 IN      A       166.66.86.144

;; Query time: 1 msec
;; SERVER: 166.66.86.144#53(166.66.86.144)
;; WHEN: Mon Mar 11 13:55:36 2013
;; MSG SIZE  rcvd: 176

-----Original Message-----
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of David Fitzgerald
Sent: Friday, March 08, 2013 12:04 PM
To: Martin Kosek
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-* tools throws errors

Thanks for getting back to me!

I don't think the problem has anything to do with DNS.  I (finally) ran an ipa 
command with the verbose flags -vv and found that it IS trying to contact 
aurora.esci.millersville.edu, it fails then tries to contact 
cyclone.esci.millersville.edu (still don't know where that comes from).   I am 
getting an 'Internal Server Error' in the output when connecting to aurora.  
Here is the output:

        % ipa -vv passwd
        ipa: INFO: trying https://aurora.esci.millersville.edu/ipa/xml
        send: u'POST /ipa/xml HTTP/1.0\r\nHost: 
aurora.esci.millersville.edu\r\nAccept-Language: en-us\r\nReferer:      
https://aurora.esci.millersville.edu/ipa/xml\r\nAuthorization: negotiate
                 <SNIPPED OUT THE KEY STRING> ...
        send: "<?xml version='1.0' encoding='UTF-8'?    
>\n<methodCall>\n<methodName>ping</methodName>\n<params>\n</params>\n</methodCall>\n"
        reply: 'HTTP/1.1 500 Internal Server Error\r\n'
        header: Date: Fri, 08 Mar 2013 16:52:48 GMT
        header: Server: Apache/2.2.15 (Scientific Linux)
        header: WWW-Authenticate: Negotiate     
YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvjoEMIFJxPVNU4jtl/7S+eC6fM0rlJWpV1fJdhoVTKwiR2pa2OHQWRtCjQDfz
        
pBNwNBpt1fMY7M4Bfrqs860toAT6jMfS8Jkqh3Aj9OeuEmpEVHys5pbErjj14OPHxbxTmLdPxFE8eV4ZIDQg40a8
        header: Content-Length: 311
        header: Connection: close
        header: Content-Type: text/html; charset=utf-8
        ipa: INFO: trying https://cyclone.esci.millersville.edu/ipa/xml
        ipa: ERROR: Kerberos error: Service 
u'h...@cyclone.esci.millersville.edu' not found in Kerberos database/

The apache error log gives this:
         [Fri Mar 08 11:52:48 2013] [error] ipa: ERROR: 500 Internal Server 
Error: xmlserver.__call__: KRB5CCNAME not defined in HTTP request environment.

I have no idea what that means.  Can you help?

It looks like the web server on aurora isn't configured for Kerberos auth on the ipa/xml location. If it were, it would have created a KRB5CCNAME before handing the request to IPA. IPA is complaining it can't find the Kerberos credentials. Your client then falls back to the server it found in your DNS SRV record. I can't explain that SRV record or whether you've got a valid IPA server running there or not.

I would check the apache config on aurora.

Do you have a:

/etc/httpd/conf.d/ipa.conf

file?

Are there any .rpmnew files under /etc/httpd?

Have you restarted httpd on aurora?

What are the contents of /etc/httpd/conf.d/ipa.conf?


--
John Dennis <jden...@redhat.com>
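
The checks listed in the reply above, collected into one script as an added example (not part of the original thread and not FreeIPA code). It assumes Kerberos auth is provided by mod_auth_kerb, whose `KrbSaveCredentials on` directive is what exports KRB5CCNAME to the application; the function name `check_ipa_httpd` and its output labels are hypothetical.

```shell
#!/bin/sh
# Added example, not FreeIPA code. Assumes mod_auth_kerb provides Kerberos auth;
# its "KrbSaveCredentials on" stores the client's ticket and exports KRB5CCNAME.

# check_ipa_httpd [DIR]: print one finding per line; return 0 only if clean.
check_ipa_httpd() {
    root=${1:-/etc/httpd}
    conf="$root/conf.d/ipa.conf"
    rc=0

    if [ ! -f "$conf" ]; then
        echo "MISSING: $conf"
        return 1
    fi

    # Files left by a package update: the packaged config was not merged
    # (.rpmnew) or the local one was moved aside (.rpmsave).
    leftovers=$(find "$root" -type f \( -name '*.rpmnew' -o -name '*.rpmsave' \))
    if [ -n "$leftovers" ]; then
        printf '%s\n' "$leftovers" | sed 's/^/LEFTOVER: /'
        rc=1
    fi

    # Drop indentation and comment lines, keep only the <Location "/ipa"> body.
    block=$(sed -e 's/^[[:space:]]*//' -e '/^#/d' "$conf" |
        awk 'tolower($0) ~ /^<location[ \t]+"?\/ipa"?>/ { inside = 1; next }
             tolower($0) ~ /^<\/location>/             { inside = 0 }
             inside')
    if [ -z "$block" ]; then
        echo 'NO BLOCK: <Location "/ipa">'
        return 1
    fi

    # Directive names and on/off values are case-insensitive in Apache.
    for want in 'AuthType Kerberos' 'KrbSaveCredentials on'; do
        pat=$(printf '%s' "$want" | sed 's/ /[[:space:]]+/')
        if ! printf '%s\n' "$block" | grep -Eiq "^${pat}[[:space:]]*\$"; then
            echo "NOT SET: $want"
            rc=1
        fi
    done
    return $rc
}
```

Run `check_ipa_httpd` with no argument on the server to inspect /etc/httpd, then restart httpd after correcting anything it reports.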
