Ok, so I added the line "KrbConstrainedDelegationLock ipa" to ipa.conf (httpd configuration).
My error log is now full of network errors:
[Fri Jan 29 16:56:46.375490 2016] [:error] [pid 11772] ipa: INFO: [jsonserver_kerb] admin@FOO.INTERNAL: host_add(u'postgres.foo.internal', random=False, force=True, no_reverse=False, all=False, raw=False, version=u'2.156', no_members=False): SUCCESS
[Fri Jan 29 16:57:37.823928 2016] [:error] [pid 11564] ipa: INFO: [jsonserver_kerb] admin@FOO.INTERNAL: dnsrecord_find(<DNS name foo.internal.>, None, idnsname=<DNS name sensu>, structured=False, all=False, raw=False, version=u'2.156', pkey_only=False): SUCCESS
[Fri Jan 29 16:57:38.553971 2016] [:error] [pid 11566] ipa: INFO: [jsonserver_kerb] admin@FOO.INTERNAL: dnsrecord_add(<DNS name foo.internal.>, <DNS name sensu>, arecord=(u'10.11.131.56',), a_extra_create_reverse=False, aaaa_extra_create_reverse=False, force=False, structured=False, all=False, raw=False, version=u'2.156'): SUCCESS
[Fri Jan 29 16:57:42.211016 2016] [:error] [pid 11563] ipa: INFO: [jsonserver_kerb] admin@FOO.INTERNAL: dnsrecord_find(<DNS name 11.10.in-addr.arpa.>, None, idnsname=<DNS name 56.131>, structured=False, all=False, raw=False, version=u'2.156', pkey_only=False): SUCCESS
[Fri Jan 29 16:57:42.963262 2016] [:error] [pid 11562] ipa: INFO: [jsonserver_kerb] admin@FOO.INTERNAL: dnsrecord_mod(<DNS name 11.10.in-addr.arpa.>, <DNS name 56.131>, ptrrecord=(u'sensu.foo.internal.',), rights=False, structured=False, all=False, raw=False, version=u'2.156'): SUCCESS
[Fri Jan 29 16:57:43.642293 2016] [:error] [pid 11565] ipa: INFO: [jsonserver_kerb] admin@FOO.INTERNAL: host_find(None, fqdn=u'sensu.foo.internal', all=False, raw=False, version=u'2.156', no_members=False, pkey_only=False): SUCCESS
[Fri Jan 29 16:57:44.352675 2016] [:error] [pid 11772] ipa: INFO: [jsonserver_kerb] admin@FOO.INTERNAL: host_add(u'sensu.foo.internal', random=False, force=True, no_reverse=False, all=False, raw=False, version=u'2.156', no_members=False): SUCCESS
[Fri Jan 29 17:08:21.855715 2016] [:error] [pid 11563] ipa: INFO: [xmlserver] admin@FOO.INTERNAL: join(u'ip-10-11-131-244.foo.internal', nshardwareplatform=u'x86_64', nsosversion=u'3.10.0-123.8.1.el7.x86_64', version=u'2.51'): SUCCESS
[Fri Jan 29 17:08:28.102555 2016] [:error] [pid 11562] ipa: INFO: [jsonserver_kerb] host/ip-10-11-131-244.foo.internal@FOO.INTERNAL: ping(): SUCCESS
[Fri Jan 29 17:08:28.150511 2016] [:error] [pid 11565] ipa: INFO: [jsonserver_kerb] host/ip-10-11-131-244.foo.internal@FOO.INTERNAL: ca_is_enabled(version=u'2.107'): SUCCESS
[Fri Jan 29 17:08:31.398500 2016] [:error] [pid 11772] ipa: INFO: [jsonserver_kerb] host/ip-10-11-131-244.foo.internal@FOO.INTERNAL: host_mod(u'ip-10-11-131-244.foo.internal', ipasshpubkey=(u'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDdg1ReyUGJo6nDvWgTZcRf3HaHft+1K5HGnT5Gqu1Zc0sqI7QzGWAkdRNDiPLzan29Y8UqtHt/EXEVNKoQSXdQogHMPIU9trZf/1jVWelK4bTqAlbRn9EDaN/CPdCnHLU34H6Zv5vYPM2maPBL/KqkaLkd6Kdyz0Giwtheh6ZEFcj7GcsB6ISljFixnuPMz8Ljjsyz+SE2DPU9eKarBrKof4YYykVwIckmqa+CnyysGVPjdb5+EwKPjndnq231ozoCKnoX4U/JyP6ysqZgTCPmHi36XKMvMgC/nZ1hOJlYZnDjv+jEFhiiT6Z/YGUUkqnFodkCYteTTWPDo6pvqWrv', u'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCNERA/2D3DtYISu5YdScCIQ6E2Uvc5A8QDDiMJGL/mJ+SXT4SBgq+ueXTyxBGushetdaBXtFwave4eetp4zYG0=', u'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPSvTYCp6Fj7JDEpjobXf5nsPiJILvkCbXGgCY1icM94'), updatedns=False, version=u'2.26'): SUCCESS
[Fri Jan 29 17:08:31.622190 2016] [:error] [pid 11564] ipa: INFO: [xmlserver] host/ip-10-11-131-244.foo.internal@FOO.INTERNAL: cert_request(u'STUFF', principal=u'host/ip-10-11-131-244.foo.internal@FOO.INTERNAL', add=True, version=u'2.51'): NetworkError
[Fri Jan 29 17:08:41.204307 2016] [:error] [pid 11566] ipa: INFO: [jsonserver_kerb] admin@FOO.INTERNAL: dnsrecord_find(<DNS name foo.internal.>, None, idnsname=<DNS name secgw>, structured=False, all=False, raw=False, version=u'2.156', pkey_only=False): SUCCESS
[Fri Jan 29 17:08:41.922042 2016] [:error] [pid 11563] ipa: INFO: [jsonserver_kerb] admin@FOO.INTERNAL: dnsrecord_add(<DNS name foo.internal.>, <DNS name secgw>, arecord=(u'10.11.131.244',), a_extra_create_reverse=False, aaaa_extra_create_reverse=False, force=False, structured=False, all=False, raw=False, version=u'2.156'): SUCCESS
[Fri Jan 29 17:08:44.983558 2016] [:error] [pid 11562] ipa: INFO: [jsonserver_kerb] admin@FOO.INTERNAL: dnsrecord_find(<DNS name 11.10.in-addr.arpa.>, None, idnsname=<DNS name 244.131>, structured=False, all=False, raw=False, version=u'2.156', pkey_only=False): SUCCESS
[Fri Jan 29 17:08:45.745427 2016] [:error] [pid 11565] ipa: INFO: [jsonserver_kerb] admin@FOO.INTERNAL: dnsrecord_add(<DNS name 11.10.in-addr.arpa.>, <DNS name 244.131>, a_extra_create_reverse=False, aaaa_extra_create_reverse=False, ptrrecord=(u'secgw.foo.internal.',), force=False, structured=False, all=False, raw=False, version=u'2.156'): SUCCESS
[Fri Jan 29 17:08:46.472084 2016] [:error] [pid 11772] ipa: INFO: [jsonserver_kerb] admin@FOO.INTERNAL: dnsrecord_find(<DNS name 11.10.in-addr.arpa.>, None, idnsname=<DNS name 244.131>, structured=False, all=False, raw=False, version=u'2.156', pkey_only=False): SUCCESS
[Fri Jan 29 17:08:47.120281 2016] [:error] [pid 11564] SSL Library Error: -12268 Cannot connect: SSL is disabled
[Fri Jan 29 17:08:47.801773 2016] [:error] [pid 11566] ipa: INFO: [jsonserver_kerb] admin@FOO.INTERNAL: host_add(u'secgw.foo.internal', random=False, force=True, no_reverse=False, all=False, raw=False, version=u'2.156', no_members=False): SUCCESS
[Fri Jan 29 17:08:54.623020 2016] [:error] [pid 11563] ipa: INFO: [jsonserver_kerb] admin@FOO.INTERNAL: host_find(u'test.foo.com', all=False, raw=False, version=u'2.156', no_members=False, pkey_only=False): SUCCESS
[Fri Jan 29 17:08:55.465319 2016] [:error] [pid 11562] ipa: INFO: [jsonserver_kerb] admin@FOO.INTERNAL: host_add(u'test.foo.com', random=False, force=False, no_reverse=False, all=False, raw=False, version=u'2.156', no_members=False): SUCCESS
[Fri Jan 29 17:08:56.151143 2016] [:error] [pid 11565] ipa: INFO: [jsonserver_kerb] admin@FOO.INTERNAL: host_find(u'test.foo.com', all=False, raw=False, version=u'2.156', no_members=False, pkey_only=False): SUCCESS
[Fri Jan 29 17:08:56.932284 2016] [:error] [pid 11772] ipa: INFO: [jsonserver_kerb] admin@FOO.INTERNAL: host_add_managedby(u'test.foo.com', all=False, raw=False, version=u'2.156', no_members=False, host=(u'secgw.foo.internal',)): SUCCESS
[Fri Jan 29 17:08:57.576412 2016] [:error] [pid 11564] SSL Library Error: -12268 Cannot connect: SSL is disabled
[Fri Jan 29 17:08:59.249853 2016] [:error] [pid 11566] ipa: INFO: [jsonserver_kerb] admin@FOO.INTERNAL: service_add(u'SSLVPN/test.foo.com@FOO.INTERNAL', force=False, all=False, raw=False, version=u'2.156', no_members=False): SUCCESS
[Fri Jan 29 17:09:00.760791 2016] [:error] [pid 11563] ipa: INFO: [jsonserver_kerb] admin@FOO.INTERNAL: cert_request(u'-----BEGIN CERTIFICATE REQUEST-----\\-----END CERTIFICATE REQUEST-----', principal=u'SSLVPN/test.foo.com', request_type=u'pkcs10', add=False, version=u'2.156'): NetworkError
[Fri Jan 29 17:09:00.762689 2016] [:error] [pid 11563] [client 10.11.131.244:45913] mod_wsgi (pid=11563): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'., referer: https://ipa.foo.internal/ipa/xml
[Fri Jan 29 17:09:00.762751 2016] [:error] [pid 11563] [client 10.11.131.244:45913] IOError: failed to write data, referer: https://ipa.foo.internal/ipa/xml
p11-kit: ipa.p11-kit: x-public-key-info: invalid or unsupported attribute
[Fri Jan 29 17:09:06.875890 2016] [:error] [pid 11562] ipa: INFO: [jsonserver_kerb] admin@FOO.INTERNAL: cert_request(u'-----BEGIN CERTIFICATE REQUEST-----\\-----END CERTIFICATE REQUEST-----', principal=u'SSLVPN/test.foo.com', request_type=u'pkcs10', add=False, version=u'2.156'): NetworkError
[Fri Jan 29 17:09:06.877909 2016] [:error] [pid 11562] [client 10.11.131.244:45914] mod_wsgi (pid=11562): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'., referer: https://ipa.foo.internal/ipa/xml
[Fri Jan 29 17:09:06.877956 2016] [:error] [pid 11562] [client 10.11.131.244:45914] IOError: failed to write data, referer: https://ipa.foo.internal/ipa/xml
[Fri Jan 29 17:09:17.927499 2016] [:error] [pid 11565] ipa: INFO: [jsonserver_kerb] admin@FOO.INTERNAL: cert_show(u'1', out=u'/etc/openvpn/ca.crt', version=u'2.156'): NetworkError
[Fri Jan 29 17:09:17.929404 2016] [:error] [pid 11565] [client 10.11.131.244:45915] mod_wsgi (pid=11565): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'., referer: https://ipa.foo.internal/ipa/xml
[Fri Jan 29 17:09:17.929450 2016] [:error] [pid 11565] [client 10.11.131.244:45915] IOError: failed to write data, referer: https://ipa.foo.internal/ipa/xml
[Fri Jan 29 17:09:23.973680 2016] [:error] [pid 11772] ipa: INFO: [jsonserver_kerb] admin@FOO.INTERNAL: cert_show(u'1', out=u'/etc/openvpn/ca.crt', version=u'2.156'): NetworkError
[Fri Jan 29 17:09:23.975618 2016] [:error] [pid 11772] [client 10.11.131.244:45916] mod_wsgi (pid=11772): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'., referer: https://ipa.foo.internal/ipa/xml
[Fri Jan 29 17:09:23.975684 2016] [:error] [pid 11772] [client 10.11.131.244:45916] IOError: failed to write data, referer: https://ipa.foo.internal/ipa/xml
Thoughts? ipa.conf for completeness:
ipa.conf
Realm is replaced with my realm name on the server.

> On Jan 29, 2016, at 11:04 AM, Rob Crittenden <rcrit...@redhat.com> wrote:
>
> David Zabner wrote:
>> Any guesses as to why I couldn't revert to using the mod_auth_kerb library?
>> It seems like this is the only place where the library is referenced one way
>> or the other
>>
>
> You need to set this globally:
>
> KrbConstrainedDelegationLock ipa
>
> And I assume you replaced $realm with your actual realm, right?
>
> It would also be useful to know how it doesn't work.
>
> rob
>
>> Thanks for all your help.
>>
>>> On Jan 29, 2016, at 6:35 AM, Petr Spacek <pspa...@redhat.com> wrote:
>>>
>>> Interesting, we have to investigate it!
>>>
>>> Here is a ticket:
>>> https://fedorahosted.org/freeipa/ticket/5653
>>>
>>> You can Cc yourself to it and watch the progress.
>>>
>>> Petr^2 Spacek
>>>
>>> On 28.1.2016 20:17, David Zabner wrote:
>>>> I was guessing that it was a problem with mod_auth_gssapi and so I tried
>>>> switching the auth method back to mod_auth_kerb which did not work.
>>>> (although it is entirely possible that I did not switch it correctly)
>>>>
>>>> I did it by changing the gssapi settings in /etc/httpd/conf.d/ipa.conf to:
>>>> <Location "/ipa">
>>>> AuthType Kerberos
>>>> AuthName "Kerberos Login"
>>>> KrbMethodNegotiate on
>>>> KrbMethodK5Passwd off
>>>> KrbServiceName HTTP
>>>> KrbAuthRealms $realm
>>>> Krb5KeyTab /etc/httpd/conf/ipa.keytab
>>>> KrbSaveCredentials on
>>>> KrbConstrainedDelegation on
>>>> Require valid-user
>>>> ErrorDocument 401 /ipa/errors/unauthorized.html
>>>> </Location>
>>>> It just seemed to cause other problems...
>>>>
>>>> On Jan 28, 2016, at 1:44 PM, Izzo, Anthony <aizz...@harris.com> wrote:
>>>>
>>>> I should add that some of my team members have tried serializing their
>>>> instance launches, and this problem does not seem to occur under those
>>>> circumstances. (That's not a solution, just a data point for those
>>>> interested in this behavior). Thanks.
>>>>
>>>>
>>>> From: Izzo, Anthony (U.S. Person)
>>>> Sent: Thursday, January 28, 2016 1:35 PM
>>>> To: freeipa-users@redhat.com
>>>> Cc: 'David Zabner' <da...@cazena.com>
>>>> Subject: RE: [Freeipa-users] Server error with multiple clients joining domain simultaneously
>>>>
>>>> Yes, that's it!
>>>>
>>>> From: David Zabner <da...@cazena.com>
>>>> Sent: Thursday, January 28, 2016 1:31 PM
>>>> To: Izzo, Anthony (U.S. Person) <aizz...@harris.com>
>>>> Cc: freeipa-users@redhat.com
>>>> Subject: Re: [Freeipa-users] Server error with multiple clients joining domain simultaneously
>>>>
>>>> This sounds exactly like the problem I am having. I will attach my error
>>>> log. Is this what yours looks like?
>>>> --
>>>> Manage your subscription for the Freeipa-users mailing list:
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> Go to http://freeipa.org for more info on the project
>>>>
>>>
>>> --
>>> Petr^2 Spacek
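The error log above is the evidence in this thread, and reading the IPA API audit lines out of httpd's error_log by eye is slow once several clients join at once. The helper below is an added example, not code from the thread or from FreeIPA: it parses error_log lines in the format shown above, extracts the principal, command and result of each API call, and pairs every non-SUCCESS call (such as the cert_request NetworkError) with the most recent library-level error logged shortly before it. The sample lines are constructed to mirror the thread's format with placeholder hosts and a placeholder realm.

```python
import re
from datetime import datetime

# httpd error_log timestamp, e.g. "Fri Jan 29 17:08:47.120281 2016"
TS_FMT = "%a %b %d %H:%M:%S.%f %Y"

# Generic error_log entry: [timestamp] [:error] [pid N] message
ENTRY_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[:error\] \[pid (?P<pid>\d+)\] (?P<msg>.*)$")
# FreeIPA API audit message: ipa: INFO: [server] principal: cmd(args): RESULT
IPA_RE = re.compile(
    r"^ipa: INFO: \[(?P<server>[^\]]+)\] (?P<principal>\S+): "
    r"(?P<cmd>\w+)\((?P<args>.*)\): (?P<result>\w+)$"
)

# Constructed sample, same shape as the thread's log but with placeholder names.
SAMPLE = """\
[Fri Jan 29 17:08:28.102555 2016] [:error] [pid 201] ipa: INFO: [jsonserver_kerb] host/client1.example.test@EXAMPLE.TEST: ping(): SUCCESS
[Fri Jan 29 17:08:31.398500 2016] [:error] [pid 202] ipa: INFO: [jsonserver_kerb] host/client1.example.test@EXAMPLE.TEST: host_mod(u'client1.example.test', updatedns=False, version=u'2.26'): SUCCESS
[Fri Jan 29 17:08:47.120281 2016] [:error] [pid 203] SSL Library Error: -12268 Cannot connect: SSL is disabled
[Fri Jan 29 17:08:48.622190 2016] [:error] [pid 203] ipa: INFO: [xmlserver] host/client1.example.test@EXAMPLE.TEST: cert_request(u'STUFF', principal=u'host/client1.example.test@EXAMPLE.TEST', add=True, version=u'2.51'): NetworkError
[Fri Jan 29 17:08:48.640000 2016] [:error] [pid 203] [client 10.0.0.5:45913] mod_wsgi (pid=203): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'., referer: https://ipa.example.test/ipa/xml
[Fri Jan 29 17:09:17.927499 2016] [:error] [pid 204] ipa: INFO: [jsonserver_kerb] admin@EXAMPLE.TEST: cert_show(u'1', out=u'/etc/openvpn/ca.crt', version=u'2.156'): NetworkError
p11-kit: ipa.p11-kit: x-public-key-info: invalid or unsupported attribute
"""


def parse_entry(line):
    """Parse one error_log line into a dict, or None if it is not an httpd entry.
    API audit lines additionally carry server/principal/cmd/args/result."""
    m = ENTRY_RE.match(line.rstrip("\n"))
    if not m:
        return None
    entry = {"ts": datetime.strptime(m.group("ts"), TS_FMT),
             "pid": int(m.group("pid")), "msg": m.group("msg")}
    api = IPA_RE.match(entry["msg"])
    if api:
        entry.update(api.groupdict())
    return entry


def failed_calls(lines, window_s=10.0):
    """Return (principal, cmd, result, context) for every API call that did not
    end in SUCCESS; context is the latest non-API error_log message logged at
    most window_s seconds before the failure, or None if there was none."""
    failures, context = [], []           # context: (ts, msg) of non-API entries
    for line in lines:
        e = parse_entry(line)
        if e is None:
            continue
        if "cmd" not in e:
            context.append((e["ts"], e["msg"]))
            continue
        if e["result"] == "SUCCESS":
            continue
        recent = [m for ts, m in context if 0 <= (e["ts"] - ts).total_seconds() <= window_s]
        failures.append((e["principal"], e["cmd"], e["result"], recent[-1] if recent else None))
    return failures


if __name__ == "__main__":
    for principal, cmd, result, ctx in failed_calls(SAMPLE.splitlines()):
        print(f"{principal} {cmd} -> {result}; preceding error: {ctx}")
```

Point it at a real error_log with `failed_calls(open(path))` to list which principals' calls failed and which library error (here the NSS -12268 "SSL is disabled") was logged just before each one.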