for what it's worth, kinit on the command line of the ipa server works just fine, and detects the realm ok.
On 27 November 2013 11:00, siology.io <[email protected]> wrote: > yeah maybe. I do see from the install log of the ipa-dns-install that it > changed the /etc/resolv.conf to point to its own ip - which seems a little > odd (and unwanted, more importantly). I've changed that back to how it > should be and restarted ipa but still nothing. > > There's no other KDC in the environment that i'm aware of. Certainly, the > dns i was using only have the one set of SRV records for ldap and kdc. > > The bit that puzzles me is how/why that would have affected the replica > server also. I asume it's copied the ldap dns data to the replica, but i > never installed bind there or bind-dyndb-ldap, or anything else - so i'd > expect that to be unaffected but it's also broken now. :-( > > > On 27 November 2013 10:47, Dmitri Pal <[email protected]> wrote: > >> On 11/26/2013 04:32 PM, siology.io wrote: >> >> >> >> >> On 27 November 2013 10:21, Dmitri Pal <[email protected]> wrote: >> >>> On 11/26/2013 03:37 PM, siology.io wrote: >>> >>> I'm seeing an issue with logging into the web UI of ipa. I've been using >>> IPA for 6 months or so in production, and all has been well so far. >>> >>> The last thing i did in terms of IPA was run ipa-dns-install, which >>> completed successfully, but i suspect this issue occured before that i >>> never noticed as it's been a few weeks since i used the UI. I typically >>> check the login page works and ldapsearch works after upgrades, but in this >>> instance the login box is presented, and after entering the credentials it >>> sits doing nothing for a while, then times out with 'internal server error' >>> >>> The only useful log i've managed to find is in /var/log/httpd/error_log >>> >>> [Wed Nov 27 08:41:47 2013] [error] [client (redacted)] Script timed >>> out before returning headers: wsgi.py, referer: >>> https://(redacted)/ipa/ui/ >>> >>> >>> What happens before that in the log? >>> Any DNS lookup or some other lookup? >>> >>> >> doesn't appear so, no. what makes you suspect that ? I never got as far >> as doing the ipa-dns-install on the replica. I did it on the master, then >> went to login and got this issue. It may well be that it (the UI) was >> broken previously. I couldn't work out how to remove the ipa-dns-install to >> find out if it magically resumes working though. >> >> >> >> >> A pure speculation: >> If the UI presents you the form and you fill it then you are definitely >> talking to the server. When you submit the form the server tries to do >> kinit on your behalf. It might not be able to determine where its KDC >> because the DNS configuration is broken in some way and it is now looking >> at the wrong KDC (may be AD KDC or there is a lack of the server records at >> all for some reason). >> >> >> >>> >>> >>> I'm seeing this behaviour on both my master and replica, but they are >>> both identical in terms of package versions and such, so it may not be >>> significant. >>> >>> My system versions: >>> Centos 6.4 x64 >>> >>> ipa-python-3.0.0-26.el6_4.4.x86_64 >>> ipa-server-selinux-3.0.0-26.el6_4.4.x86_64 >>> python-iniparse-0.3.1-2.1.el6.noarch >>> libipa_hbac-1.9.2-82.10.el6_4.x86_64 >>> libipa_hbac-python-1.9.2-82.10.el6_4.x86_64 >>> ipa-client-3.0.0-26.el6_4.4.x86_64 >>> ipa-server-3.0.0-26.el6_4.4.x86_64 >>> ipa-pki-ca-theme-9.0.3-7.el6.noarch >>> ipa-admintools-3.0.0-26.el6_4.4.x86_64 >>> ipa-pki-common-theme-9.0.3-7.el6.noarch >>> >>> bind-dyndb-ldap-2.3-2.el6_4.1.x86_64 >>> bind-9.8.2-0.17.rc1.el6_4.6.x86_64 >>> >>> which are (afaik) all latest for centos 6.4 >>> >>> Oddly, i'm not seeing this behaviour in my virtualbox / vagrant IPA >>> testbed, which has identical version numbers, and wsgi.py in /usr/share/ipa >>> has identical md5sum. >>> >>> Not really sure how to approach debugging this further. Any ideas ? >>> Has anyone else seen this happen ? >>> >>> The ldapsearch, bind dns and everything else seem operational - just >>> the GUI is out of action. >>> >>> >>> >>> >>> >>> >>> >>> >>> _______________________________________________ >>> Freeipa-users mailing >>> [email protected]https://www.redhat.com/mailman/listinfo/freeipa-users >>> >>> >>> >>> -- >>> Thank you, >>> Dmitri Pal >>> >>> Sr. Engineering Manager for IdM portfolio >>> Red Hat Inc. >>> >>> >>> ------------------------------- >>> Looking to carve out IT costs?www.redhat.com/carveoutcosts/ >>> >>> >>> _______________________________________________ >>> Freeipa-users mailing list >>> [email protected] >>> https://www.redhat.com/mailman/listinfo/freeipa-users >>> >> >> >> >> _______________________________________________ >> Freeipa-users mailing >> [email protected]https://www.redhat.com/mailman/listinfo/freeipa-users >> >> >> >> -- >> Thank you, >> Dmitri Pal >> >> Sr. Engineering Manager for IdM portfolio >> Red Hat Inc. >> >> >> ------------------------------- >> Looking to carve out IT costs?www.redhat.com/carveoutcosts/ >> >> >> _______________________________________________ >> Freeipa-users mailing list >> [email protected] >> https://www.redhat.com/mailman/listinfo/freeipa-users >> > >
_______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
