David Fitzgerald wrote:

Here is the output of the dig command.  Cyclone does show up here, but our 
networking people say there are no SRV records in our current db.  I still 
think the trouble I am having has to do with the Internal Server Error I get 
when I run ipa commands.

There are two problems here. The first is the server error which is causing the client to try the next server which is cyclone. There are records for this somewhere.

I think the next place to look is /var/log/krb5kdc.log to see what is happening when you try to contact the web server. You may also want to add debug = True to /etc/ipa/default.conf and restart httpd. This will provide very verbose output on the client and server and may provide additional clues.

rob
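Added example, not part of Rob's reply and not FreeIPA code: a small Python triage script for the two log formats quoted further down in this thread, the MIT KDC TGS_REQ lines in krb5kdc.log and the IPA 500 line in the Apache error_log. It reports which client asked the KDC for which unknown service principal and collects the 500s, which is the correlation Rob is asking for. The sample lines are constructed from the ones in the thread; the second client IP and the user jdoe are made up to show grouping.

```python
"""Triage krb5kdc.log and httpd error_log lines for a failing `ipa` command.

Added example for this thread, not FreeIPA code. The regexes follow the two
log formats quoted in the thread (MIT KDC TGS_REQ lines and the IPA 500 line
in the Apache error_log); the sample lines below are constructed from them.
"""
import re
from collections import defaultdict

# Constructed sample lines, modelled on the ones quoted in this thread.
# The 166.66.65.40 / jdoe line is invented to show grouping by client.
KDC_LOG = """\
Mar 05 09:57:00 aurora.esci.millersville.edu krb5kdc[12534](info): TGS_REQ (4 etypes {18 17 16 23}) 166.66.65.39: ISSUE: authtime 1362491436, etypes {rep=18 tkt=18 ses=18}, admin@LINUX.DIRSRV.LOCAL for krbtgt/LINUX.DIRSRV.LOCAL@LINUX.DIRSRV.LOCAL
Mar 05 09:57:00 aurora.esci.millersville.edu krb5kdc[12534](info): TGS_REQ (4 etypes {18 17 16 23}) 166.66.65.39: UNKNOWN_SERVER: authtime 0, admin@LINUX.DIRSRV.LOCAL for HTTP/cyclone.esci.millersville.edu@LINUX.DIRSRV.LOCAL, Server not found in Kerberos database
Mar 05 09:58:12 aurora.esci.millersville.edu krb5kdc[12534](info): TGS_REQ (4 etypes {18 17 16 23}) 166.66.65.40: UNKNOWN_SERVER: authtime 0, jdoe@LINUX.DIRSRV.LOCAL for HTTP/cyclone.esci.millersville.edu@LINUX.DIRSRV.LOCAL, Server not found in Kerberos database
"""

HTTPD_LOG = """\
[Tue Mar 05 08:57:54 2013] [error] ipa: ERROR: 500 Internal Server Error: xmlserver.__call__: KRB5CCNAME not defined in HTTP request environment
"""

# TGS_REQ (<etypes>) <client ip>: <STATUS>: ... <user@REALM> for <service@REALM>[, reason]
TGS_RE = re.compile(
    r"TGS_REQ .*?\) (?P<client>[\d.]+): (?P<status>[A-Z_]+): .*?"  # IPv4 clients only
    r"(?P<user>\S+@\S+) for (?P<service>\S+?)(?:,|$)"
)

# [timestamp] [error] ipa: ERROR: 500 Internal Server Error: <detail>
HTTPD_500_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] ipa: ERROR: 500 Internal Server Error: (?P<detail>.*)$"
)


def parse_tgs_requests(log_text):
    """Yield (client_ip, status, user, service) for each TGS_REQ line."""
    for line in log_text.splitlines():
        m = TGS_RE.search(line)
        if m:
            yield m["client"], m["status"], m["user"], m["service"]


def unknown_services(log_text):
    """Map each service principal the KDC did not know to the clients that asked for it."""
    asked_by = defaultdict(set)
    for client, status, _user, service in parse_tgs_requests(log_text):
        if status == "UNKNOWN_SERVER":
            asked_by[service].add(client)
    return {svc: sorted(ips) for svc, ips in asked_by.items()}


def http_hosts_requested(log_text):
    """Hostnames taken from HTTP/<host>@REALM principals in UNKNOWN_SERVER requests."""
    hosts = set()
    for service in unknown_services(log_text):
        if service.startswith("HTTP/"):
            hosts.add(service[len("HTTP/"):].split("@", 1)[0])
    return sorted(hosts)


def ipa_500s(log_text):
    """(timestamp, detail) for each IPA 500 found in the Apache error_log."""
    out = []
    for line in log_text.splitlines():
        m = HTTPD_500_RE.match(line)
        if m:
            out.append((m["ts"], m["detail"]))
    return out


if __name__ == "__main__":
    print("unknown service principals:", unknown_services(KDC_LOG))
    print("HTTP hosts clients asked tickets for:", http_hosts_requested(KDC_LOG))
    print("IPA 500s:", ipa_500s(HTTPD_LOG))
```

Run it against the real files with the samples swapped for open("/var/log/krb5kdc.log").read() and open("/var/log/httpd/error_log").read(); a host that appears in http_hosts_requested but is not one of your IPA servers is the one to hunt down in SRV records or client configuration.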



; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6.3 <<>> -t srv _ldap._tcp.esci.millersville.edu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27213
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;_ldap._tcp.esci.millersville.edu. IN   SRV

;; ANSWER SECTION:
_ldap._tcp.esci.millersville.edu. 600 IN SRV    0 100 389 cyclone.esci.millersville.edu.

;; AUTHORITY SECTION:
_tcp.esci.millersville.edu. 3600 IN     NS      corsair.millersville.edu.
_tcp.esci.millersville.edu. 3600 IN     NS      garfield.millersville.edu.

;; ADDITIONAL SECTION:
corsair.millersville.edu. 3600  IN      A       192.206.29.2
garfield.millersville.edu. 3600 IN      A       166.66.86.144

;; Query time: 1 msec
;; SERVER: 166.66.86.144#53(166.66.86.144)
;; WHEN: Mon Mar 11 13:55:36 2013
;; MSG SIZE  rcvd: 176
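Added example, not part of this thread and not FreeIPA code: a Python parser for the dig output above that orders the SRV targets the way RFC 2782 says a client should (lowest priority first, weighted random within a priority) and prepends the configured xmlrpc_uri host. That is the order in which the -vv run quoted below shows servers being tried (aurora, then cyclone); the assumption that the client appends SRV targets after the configured host is taken from that output. The sample text is the dig answer above with the wrapped lines rejoined.

```python
"""Parse `dig -t srv` output and list the servers an IPA client would try.

Added example for this thread, not FreeIPA code. It models the behaviour the
thread's -vv output shows: the host in xmlrpc_uri is tried first, then the
targets of the _ldap._tcp.<domain> SRV records.
"""
import random
import re
from urllib.parse import urlparse

# Constructed sample: the dig sections quoted in the thread, unwrapped.
DIG_OUTPUT = """\
;; QUESTION SECTION:
;_ldap._tcp.esci.millersville.edu. IN   SRV

;; ANSWER SECTION:
_ldap._tcp.esci.millersville.edu. 600 IN SRV    0 100 389 cyclone.esci.millersville.edu.

;; AUTHORITY SECTION:
_tcp.esci.millersville.edu. 3600 IN     NS      corsair.millersville.edu.
_tcp.esci.millersville.edu. 3600 IN     NS      garfield.millersville.edu.

;; ADDITIONAL SECTION:
corsair.millersville.edu. 3600  IN      A       192.206.29.2
garfield.millersville.edu. 3600 IN      A       166.66.86.144
"""

# owner ttl IN SRV priority weight port target
SRV_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)\s*$"
)


def parse_srv(dig_text):
    """Return the SRV records in the ANSWER section as dicts."""
    records, in_answer = [], False
    for line in dig_text.splitlines():
        if line.startswith(";;"):  # section header: only ANSWER is of interest
            in_answer = line.startswith(";; ANSWER SECTION:")
            continue
        m = SRV_RE.match(line) if in_answer else None
        if m:
            records.append({
                "priority": int(m["prio"]),
                "weight": int(m["weight"]),
                "port": int(m["port"]),
                "target": m["target"].rstrip("."),  # drop the trailing root dot
            })
    return records


def order_srv(records, rng=None):
    """RFC 2782 order: lowest priority first; within a priority, weighted random."""
    rng = rng or random.Random(0)  # fixed seed so the demo is reproducible
    ordered = []
    for prio in sorted({r["priority"] for r in records}):
        bucket = [r for r in records if r["priority"] == prio]
        while bucket:
            total = sum(r["weight"] for r in bucket)
            pick = rng.randint(0, total)  # total may be 0: then the first entry wins
            running = 0
            for r in bucket:
                running += r["weight"]
                if running >= pick:
                    bucket.remove(r)
                    ordered.append(r)
                    break
    return ordered


def server_candidates(xmlrpc_uri, dig_text, rng=None):
    """Hosts in the order the client would try them: configured host, then SRV targets."""
    hosts = [urlparse(xmlrpc_uri).hostname]
    for r in order_srv(parse_srv(dig_text), rng):
        if r["target"] not in hosts:
            hosts.append(r["target"])
    return hosts


if __name__ == "__main__":
    # ['aurora.esci.millersville.edu', 'cyclone.esci.millersville.edu']
    print(server_candidates("https://aurora.esci.millersville.edu/ipa/xml", DIG_OUTPUT))
```

Feed it the output of dig run on the client host itself (not on a name server) so the resolver path is the same one the ipa command uses; any host in the result that you did not expect is a stale SRV record to remove from the zone.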

-----Original Message-----
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of David Fitzgerald
Sent: Friday, March 08, 2013 12:04 PM
To: Martin Kosek
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-* tools throws errors

Thanks for getting back to me!

I don't think the problem has anything to do with DNS.  I (finally) ran an ipa 
command with the verbose flags -vv and found that it IS trying to contact 
aurora.esci.millersville.edu; it fails, then tries to contact 
cyclone.esci.millersville.edu (still don't know where that comes from).  I am 
getting an 'Internal Server Error' in the output when connecting to aurora.  
Here is the output:

        % ipa -vv passwd
        ipa: INFO: trying https://aurora.esci.millersville.edu/ipa/xml
        send: u'POST /ipa/xml HTTP/1.0\r\nHost: aurora.esci.millersville.edu\r\nAccept-Language: en-us\r\nReferer: https://aurora.esci.millersville.edu/ipa/xml\r\nAuthorization: negotiate <SNIPPED OUT THE KEY STRING> ...
        send: "<?xml version='1.0' encoding='UTF-8'?>\n<methodCall>\n<methodName>ping</methodName>\n<params>\n</params>\n</methodCall>\n"
        reply: 'HTTP/1.1 500 Internal Server Error\r\n'
        header: Date: Fri, 08 Mar 2013 16:52:48 GMT
        header: Server: Apache/2.2.15 (Scientific Linux)
        header: WWW-Authenticate: Negotiate YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvjoEMIFJxPVNU4jtl/7S+eC6fM0rlJWpV1fJdhoVTKwiR2pa2OHQWRtCjQDfzpBNwNBpt1fMY7M4Bfrqs860toAT6jMfS8Jkqh3Aj9OeuEmpEVHys5pbErjj14OPHxbxTmLdPxFE8eV4ZIDQg40a8
        header: Content-Length: 311
        header: Connection: close
        header: Content-Type: text/html; charset=utf-8
        ipa: INFO: trying https://cyclone.esci.millersville.edu/ipa/xml
        ipa: ERROR: Kerberos error: Service u'h...@cyclone.esci.millersville.edu' not found in Kerberos database/

The apache error log gives this:
         [Fri Mar 08 11:52:48 2013] [error] ipa: ERROR: 500 Internal Server Error: xmlserver.__call__: KRB5CCNAME not defined in HTTP request environment.

I have no idea what that means.  Can you help?

-----Original Message-----
From: Martin Kosek [mailto:mko...@redhat.com]
Sent: Wednesday, March 06, 2013 3:05 AM
To: David Fitzgerald
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-* tools throws errors

Ok. Can you check whether this hostname is returned by SRV DNS record discovery 
run on the host where you execute the ipa commands?

# dig -t srv _ldap._tcp.esci.millersville.edu

Does it return the right results?

Martin

On 03/05/2013 07:26 PM, David Fitzgerald wrote:
The host command returns the correct name:
# host 166.66.65.39
39.65.66.166.in-addr.arpa domain name pointer aurora.esci.millersville.edu.

-----Original Message-----
From: Martin Kosek [mailto:mko...@redhat.com]
Sent: Tuesday, March 05, 2013 10:26 AM
To: David Fitzgerald
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-* tools throws errors

On 03/05/2013 04:21 PM, David Fitzgerald wrote:
Hello everyone,

I have been running a freeIPA server on Scientific Linux 6.2 for about a year.
Yesterday I started not being able to run any "ipa-" commands.
Running kinit admin gives me the proper tickets, but when I run any
ipa- command I get the following error:

ipa: ERROR: Kerberos error: Service u'h...@cyclone.esci.millersville.edu' not found in Kerberos database/.

I have no idea where the cyclone.esci.millersville.edu is coming
from, as that used to be a Windows Domain server that was
decommissioned years ago and is no longer in DNS, nor in /etc/hosts.
I even grep -R all of the files in /etc and none refer to cyclone.  I
checked the ipa config and krb5.conf files and they are pointing at the proper 
ipa server.



Checking log files I get these messages when I try to run ipa commands:

/var/log/httpd/error_log:

[Tue Mar 05 08:57:54 2013] [error] ipa: ERROR: 500 Internal Server Error: xmlserver.__call__: KRB5CCNAME not defined in HTTP request environment

/var/log/ipa

Mar 05 09:57:00 aurora.esci.millersville.edu krb5kdc[12534](info): TGS_REQ (4 etypes {18 17 16 23}) 166.66.65.39: ISSUE: authtime 1362491436, etypes {rep=18 tkt=18 ses=18}, admin@LINUX.DIRSRV.LOCAL for krbtgt/LINUX.DIRSRV.LOCAL@LINUX.DIRSRV.LOCAL

Mar 05 09:57:00 aurora.esci.millersville.edu krb5kdc[12534](info): TGS_REQ (4 etypes {18 17 16 23}) 166.66.65.39: UNKNOWN_SERVER: authtime 0, admin@LINUX.DIRSRV.LOCAL for HTTP/cyclone.esci.millersville.edu@LINUX.DIRSRV.LOCAL, Server not found in Kerberos database



I Googled these error messages, but none of the results seemed to
apply to my situation or didn't solve the problem.  Can anyone point
me in the right direction? Any help is greatly appreciated.

For what they are worth, here are my /etc/krb5.conf and
/etc/ipa/default.conf files:



/etc/krb5.conf:

includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = LINUX.DIRSRV.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = yes

[realms]
LINUX.DIRSRV.LOCAL = {
   kdc = aurora.esci.millersville.edu:88
   admin_server = aurora.esci.millersville.edu:749
   default_domain = esci.millersville.edu
   pkinit_anchors = FILE:/etc/ipa/ca.crt
}

[domain_realm]
.esci.millersville.edu = LINUX.DIRSRV.LOCAL
esci.millersville.edu = LINUX.DIRSRV.LOCAL

[dbmodules]
#  LINUX.DIRSRV.LOCAL = {
#    db_library = kldap
#    ldap_servers = ldapi://%2fvar%2frun%2fslapd-LINUX-DIRSRV-LOCAL.socket
#    ldap_kerberos_container_dn = cn=kerberos,dc=linux,dc=dirsrv,dc=local
#    ldap_kdc_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=linux,dc=dirsrv,dc=local
#    ldap_kadmind_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=linux,dc=dirsrv,dc=local
#    ldap_service_password_file = /var/kerberos/krb5kdc/ldappwd
#  }

   LINUX.DIRSRV.LOCAL = {
     db_library = ipadb.so
   }



/etc/ipa/default.conf

[global]
host=aurora.esci.millersville.edu
basedn=dc=linux,dc=dirsrv,dc=local
realm=LINUX.DIRSRV.LOCAL
domain=esci.millersville.edu
xmlrpc_uri=https://aurora.esci.millersville.edu/ipa/xml
ldap_uri=ldapi://%2fvar%2frun%2fslapd-LINUX-DIRSRV-LOCAL.socket
enable_ra=True
ra_plugin=dogtag
mode=production





+++++++++++++++++++++++
David Fitzgerald
Department of Earth Sciences
Millersville University
Millersville, PA 17551
Phone: 717-871-2394



Hello David,

I suspect this is caused by broken DNS reverse resolution, as Kerberos client 
software often uses the result of reverse record (PTR RR) resolution as a 
hostname and not the actual hostname configured on your system.

What does "host $IP_ADDRESS_OF_YOUR_HOST" return? Does it return the correct 
hostname?

Martin
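Added example, not from the thread and not FreeIPA code: a Python cross-check of the /etc/krb5.conf and /etc/ipa/default.conf posted in the original question above. It parses both files (the samples are trimmed copies of the posted ones), verifies that xmlrpc_uri, host= and realm= agree, and applies the [domain_realm] lookup libkrb5 uses to pick a realm for a hostname; that lookup is why a service principal for any host under .esci.millersville.edu, cyclone included, lands in LINUX.DIRSRV.LOCAL, as the KDC log in the question shows. The krb5.conf parser is a minimal one written for this example and ignores includedir.

```python
"""Cross-check /etc/krb5.conf against /etc/ipa/default.conf.

Added example for this thread, not FreeIPA code. The two samples are trimmed
copies of the files posted in the original question; the checks are the
"are they pointing at the proper ipa server" checks done by hand there, plus
the [domain_realm] lookup libkrb5 performs when it builds HTTP/<host>@REALM.
"""
import configparser
from urllib.parse import urlparse

KRB5_CONF = """\
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
 default_realm = LINUX.DIRSRV.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false
[realms]
 LINUX.DIRSRV.LOCAL = {
  kdc = aurora.esci.millersville.edu:88
  admin_server = aurora.esci.millersville.edu:749
 }
[domain_realm]
 .esci.millersville.edu = LINUX.DIRSRV.LOCAL
 esci.millersville.edu = LINUX.DIRSRV.LOCAL
[dbmodules]
# the kldap block from the posted file is commented out
 LINUX.DIRSRV.LOCAL = {
  db_library = ipadb.so
 }
"""

DEFAULT_CONF = """\
[global]
host=aurora.esci.millersville.edu
realm=LINUX.DIRSRV.LOCAL
domain=esci.millersville.edu
xmlrpc_uri=https://aurora.esci.millersville.edu/ipa/xml
ldap_uri=ldapi://%2fvar%2frun%2fslapd-LINUX-DIRSRV-LOCAL.socket
"""


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: {section: {key: value | {subkey: value}}}."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or line.startswith("includedir"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]
        elif line == "}":
            stack.pop()  # end of a "name = { ... }" block
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return conf


def realm_for_host(krb5, host):
    """[domain_realm] lookup as libkrb5 does it: the exact host first, then each
    parent domain with a leading dot; falls back to default_realm (no DNS here)."""
    mapping = krb5.get("domain_realm", {})
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return krb5.get("libdefaults", {}).get("default_realm")


def check_ipa_client_config(krb5_text, default_text):
    """Return findings; an empty list means both files agree on server and realm."""
    krb5 = parse_krb5_conf(krb5_text)
    cp = configparser.ConfigParser(interpolation=None)  # ldap_uri contains '%2f'
    cp.read_string(default_text)
    ipa = cp["global"]
    findings = []
    xmlrpc_host = urlparse(ipa["xmlrpc_uri"]).hostname
    if xmlrpc_host != ipa["host"]:
        findings.append(f"xmlrpc_uri points at {xmlrpc_host} but host= is {ipa['host']}")
    if ipa["realm"] not in krb5.get("realms", {}):
        findings.append(f"realm {ipa['realm']} has no [realms] entry in krb5.conf")
    for name in (xmlrpc_host, ipa["domain"]):
        mapped = realm_for_host(krb5, name)
        if mapped != ipa["realm"]:
            findings.append(f"{name} maps to realm {mapped}, default.conf says {ipa['realm']}")
    return findings


if __name__ == "__main__":
    print(check_ipa_client_config(KRB5_CONF, DEFAULT_CONF))  # [] for the posted files
```

An empty finding list, as for the posted files, only says the two files agree with each other; it says nothing about which servers SRV discovery will add, which is why the dig check still has to be done on the client.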



_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


