Ok so I added the line "KrbConstrainedDelegationLock ipa" to ipa.conf (httpd 
configuration)


My error log is now full of network errors:
[Fri Jan 29 16:56:46.375490 2016] [:error] [pid 11772] ipa: INFO: 
[jsonserver_kerb] admin@FOO.INTERNAL: host_add(u'postgres.foo.internal', 
random=False, force=True, no_reverse=False, all=False, raw=False, 
version=u'2.156', no_members=False): SUCCESS
[Fri Jan 29 16:57:37.823928 2016] [:error] [pid 11564] ipa: INFO: 
[jsonserver_kerb] admin@FOO.INTERNAL: dnsrecord_find(<DNS name foo.internal.>, 
None, idnsname=<DNS name sensu>, structured=False, all=False, raw=False, 
version=u'2.156', pkey_only=False): SUCCESS
[Fri Jan 29 16:57:38.553971 2016] [:error] [pid 11566] ipa: INFO: 
[jsonserver_kerb] admin@FOO.INTERNAL: dnsrecord_add(<DNS name foo.internal.>, 
<DNS name sensu>, arecord=(u'10.11.131.56',), a_extra_create_reverse=False, 
aaaa_extra_create_reverse=False, force=False, structured=False, all=False, 
raw=False, version=u'2.156'): SUCCESS
[Fri Jan 29 16:57:42.211016 2016] [:error] [pid 11563] ipa: INFO: 
[jsonserver_kerb] admin@FOO.INTERNAL: dnsrecord_find(<DNS name 
11.10.in-addr.arpa.>, None, idnsname=<DNS name 56.131>, structured=False, 
all=False, raw=False, version=u'2.156', pkey_only=False): SUCCESS
[Fri Jan 29 16:57:42.963262 2016] [:error] [pid 11562] ipa: INFO: 
[jsonserver_kerb] admin@FOO.INTERNAL: dnsrecord_mod(<DNS name 
11.10.in-addr.arpa.>, <DNS name 56.131>, ptrrecord=(u'sensu.foo.internal.',), 
rights=False, structured=False, all=False, raw=False, version=u'2.156'): SUCCESS
[Fri Jan 29 16:57:43.642293 2016] [:error] [pid 11565] ipa: INFO: 
[jsonserver_kerb] admin@FOO.INTERNAL: host_find(None, 
fqdn=u'sensu.foo.internal', all=False, raw=False, version=u'2.156', 
no_members=False, pkey_only=False): SUCCESS
[Fri Jan 29 16:57:44.352675 2016] [:error] [pid 11772] ipa: INFO: 
[jsonserver_kerb] admin@FOO.INTERNAL: host_add(u'sensu.foo.internal', 
random=False, force=True, no_reverse=False, all=False, raw=False, 
version=u'2.156', no_members=False): SUCCESS
[Fri Jan 29 17:08:21.855715 2016] [:error] [pid 11563] ipa: INFO: [xmlserver] 
admin@FOO.INTERNAL: join(u'ip-10-11-131-244.foo.internal', 
nshardwareplatform=u'x86_64', nsosversion=u'3.10.0-123.8.1.el7.x86_64', 
version=u'2.51'): SUCCESS
[Fri Jan 29 17:08:28.102555 2016] [:error] [pid 11562] ipa: INFO: 
[jsonserver_kerb] host/ip-10-11-131-244.foo.internal@FOO.INTERNAL: ping(): 
SUCCESS
[Fri Jan 29 17:08:28.150511 2016] [:error] [pid 11565] ipa: INFO: 
[jsonserver_kerb] host/ip-10-11-131-244.foo.internal@FOO.INTERNAL: 
ca_is_enabled(version=u'2.107'): SUCCESS
[Fri Jan 29 17:08:31.398500 2016] [:error] [pid 11772] ipa: INFO: 
[jsonserver_kerb] host/ip-10-11-131-244.foo.internal@FOO.INTERNAL: 
host_mod(u'ip-10-11-131-244.foo.internal', ipasshpubkey=(u'ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQDdg1ReyUGJo6nDvWgTZcRf3HaHft+1K5HGnT5Gqu1Zc0sqI7QzGWAkdRNDiPLzan29Y8UqtHt/EXEVNKoQSXdQogHMPIU9trZf/1jVWelK4bTqAlbRn9EDaN/CPdCnHLU34H6Zv5vYPM2maPBL/KqkaLkd6Kdyz0Giwtheh6ZEFcj7GcsB6ISljFixnuPMz8Ljjsyz+SE2DPU9eKarBrKof4YYykVwIckmqa+CnyysGVPjdb5+EwKPjndnq231ozoCKnoX4U/JyP6ysqZgTCPmHi36XKMvMgC/nZ1hOJlYZnDjv+jEFhiiT6Z/YGUUkqnFodkCYteTTWPDo6pvqWrv',
 u'ecdsa-sha2-nistp256 
AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCNERA/2D3DtYISu5YdScCIQ6E2Uvc5A8QDDiMJGL/mJ+SXT4SBgq+ueXTyxBGushetdaBXtFwave4eetp4zYG0=',
 u'ssh-ed25519 
AAAAC3NzaC1lZDI1NTE5AAAAIPSvTYCp6Fj7JDEpjobXf5nsPiJILvkCbXGgCY1icM94'), 
updatedns=False, version=u'2.26'): SUCCESS
[Fri Jan 29 17:08:31.622190 2016] [:error] [pid 11564] ipa: INFO: [xmlserver] 
host/ip-10-11-131-244.foo.internal@FOO.INTERNAL: cert_request(u'STUFF', 
principal=u'host/ip-10-11-131-244.foo.internal@FOO.INTERNAL', add=True, 
version=u'2.51'): NetworkError
[Fri Jan 29 17:08:41.204307 2016] [:error] [pid 11566] ipa: INFO: 
[jsonserver_kerb] admin@FOO.INTERNAL: dnsrecord_find(<DNS name foo.internal.>, 
None, idnsname=<DNS name secgw>, structured=False, all=False, raw=False, 
version=u'2.156', pkey_only=False): SUCCESS
[Fri Jan 29 17:08:41.922042 2016] [:error] [pid 11563] ipa: INFO: 
[jsonserver_kerb] admin@FOO.INTERNAL: dnsrecord_add(<DNS name foo.internal.>, 
<DNS name secgw>, arecord=(u'10.11.131.244',), a_extra_create_reverse=False, 
aaaa_extra_create_reverse=False, force=False, structured=False, all=False, 
raw=False, version=u'2.156'): SUCCESS
[Fri Jan 29 17:08:44.983558 2016] [:error] [pid 11562] ipa: INFO: 
[jsonserver_kerb] admin@FOO.INTERNAL: dnsrecord_find(<DNS name 
11.10.in-addr.arpa.>, None, idnsname=<DNS name 244.131>, structured=False, 
all=False, raw=False, version=u'2.156', pkey_only=False): SUCCESS
[Fri Jan 29 17:08:45.745427 2016] [:error] [pid 11565] ipa: INFO: 
[jsonserver_kerb] admin@FOO.INTERNAL: dnsrecord_add(<DNS name 
11.10.in-addr.arpa.>, <DNS name 244.131>, a_extra_create_reverse=False, 
aaaa_extra_create_reverse=False, ptrrecord=(u'secgw.foo.internal.',), 
force=False, structured=False, all=False, raw=False, version=u'2.156'): SUCCESS
[Fri Jan 29 17:08:46.472084 2016] [:error] [pid 11772] ipa: INFO: 
[jsonserver_kerb] admin@FOO.INTERNAL: dnsrecord_find(<DNS name 
11.10.in-addr.arpa.>, None, idnsname=<DNS name 244.131>, structured=False, 
all=False, raw=False, version=u'2.156', pkey_only=False): SUCCESS
[Fri Jan 29 17:08:47.120281 2016] [:error] [pid 11564] SSL Library Error: 
-12268 Cannot connect: SSL is disabled
[Fri Jan 29 17:08:47.801773 2016] [:error] [pid 11566] ipa: INFO: 
[jsonserver_kerb] admin@FOO.INTERNAL: host_add(u'secgw.foo.internal', 
random=False, force=True, no_reverse=False, all=False, raw=False, 
version=u'2.156', no_members=False): SUCCESS
[Fri Jan 29 17:08:54.623020 2016] [:error] [pid 11563] ipa: INFO: 
[jsonserver_kerb] admin@FOO.INTERNAL: host_find(u'test.foo.com', all=False, 
raw=False, version=u'2.156', no_members=False, pkey_only=False): SUCCESS
[Fri Jan 29 17:08:55.465319 2016] [:error] [pid 11562] ipa: INFO: 
[jsonserver_kerb] admin@FOO.INTERNAL: host_add(u'test.foo.com', random=False, 
force=False, no_reverse=False, all=False, raw=False, version=u'2.156', 
no_members=False): SUCCESS
[Fri Jan 29 17:08:56.151143 2016] [:error] [pid 11565] ipa: INFO: 
[jsonserver_kerb] admin@FOO.INTERNAL: host_find(u'test.foo.com', all=False, 
raw=False, version=u'2.156', no_members=False, pkey_only=False): SUCCESS
[Fri Jan 29 17:08:56.932284 2016] [:error] [pid 11772] ipa: INFO: 
[jsonserver_kerb] admin@FOO.INTERNAL: host_add_managedby(u'test.foo.com', 
all=False, raw=False, version=u'2.156', no_members=False, 
host=(u'secgw.foo.internal',)): SUCCESS
[Fri Jan 29 17:08:57.576412 2016] [:error] [pid 11564] SSL Library Error: 
-12268 Cannot connect: SSL is disabled
[Fri Jan 29 17:08:59.249853 2016] [:error] [pid 11566] ipa: INFO: 
[jsonserver_kerb] admin@FOO.INTERNAL: 
service_add(u'SSLVPN/test.foo.com@FOO.INTERNAL', force=False, all=False, 
raw=False, version=u'2.156', no_members=False): SUCCESS
[Fri Jan 29 17:09:00.760791 2016] [:error] [pid 11563] ipa: INFO: 
[jsonserver_kerb] admin@FOO.INTERNAL: cert_request(u'-----BEGIN CERTIFICATE 
REQUEST-----\\-----END CERTIFICATE REQUEST-----', 
principal=u'SSLVPN/test.foo.com', request_type=u'pkcs10', add=False, 
version=u'2.156'): NetworkError
[Fri Jan 29 17:09:00.762689 2016] [:error] [pid 11563] [client 
10.11.131.244:45913] mod_wsgi (pid=11563): Exception occurred processing WSGI 
script '/usr/share/ipa/wsgi.py'., referer: https://ipa.foo.internal/ipa/xml
[Fri Jan 29 17:09:00.762751 2016] [:error] [pid 11563] [client 
10.11.131.244:45913] IOError: failed to write data, referer: 
https://ipa.foo.internal/ipa/xml
p11-kit: ipa.p11-kit: x-public-key-info: invalid or unsupported attribute
[Fri Jan 29 17:09:06.875890 2016] [:error] [pid 11562] ipa: INFO: 
[jsonserver_kerb] admin@FOO.INTERNAL: cert_request(u'-----BEGIN CERTIFICATE 
REQUEST-----\\-----END CERTIFICATE REQUEST-----', 
principal=u'SSLVPN/test.foo.com', request_type=u'pkcs10', add=False, 
version=u'2.156'): NetworkError
[Fri Jan 29 17:09:06.877909 2016] [:error] [pid 11562] [client 
10.11.131.244:45914] mod_wsgi (pid=11562): Exception occurred processing WSGI 
script '/usr/share/ipa/wsgi.py'., referer: https://ipa.foo.internal/ipa/xml
[Fri Jan 29 17:09:06.877956 2016] [:error] [pid 11562] [client 
10.11.131.244:45914] IOError: failed to write data, referer: 
https://ipa.foo.internal/ipa/xml
[Fri Jan 29 17:09:17.927499 2016] [:error] [pid 11565] ipa: INFO: 
[jsonserver_kerb] admin@FOO.INTERNAL: cert_show(u'1', 
out=u'/etc/openvpn/ca.crt', version=u'2.156'): NetworkError
[Fri Jan 29 17:09:17.929404 2016] [:error] [pid 11565] [client 
10.11.131.244:45915] mod_wsgi (pid=11565): Exception occurred processing WSGI 
script '/usr/share/ipa/wsgi.py'., referer: https://ipa.foo.internal/ipa/xml
[Fri Jan 29 17:09:17.929450 2016] [:error] [pid 11565] [client 
10.11.131.244:45915] IOError: failed to write data, referer: 
https://ipa.foo.internal/ipa/xml
[Fri Jan 29 17:09:23.973680 2016] [:error] [pid 11772] ipa: INFO: 
[jsonserver_kerb] admin@FOO.INTERNAL: cert_show(u'1', 
out=u'/etc/openvpn/ca.crt', version=u'2.156'): NetworkError
[Fri Jan 29 17:09:23.975618 2016] [:error] [pid 11772] [client 
10.11.131.244:45916] mod_wsgi (pid=11772): Exception occurred processing WSGI 
script '/usr/share/ipa/wsgi.py'., referer: https://ipa.foo.internal/ipa/xml
[Fri Jan 29 17:09:23.975684 2016] [:error] [pid 11772] [client 
10.11.131.244:45916] IOError: failed to write data, referer: 
https://ipa.foo.internal/ipa/xml

Thoughts?

ipa.conf for completeness:

Attachment: ipa.conf
Description: ipa.conf

Realm is replaced with my realm name on the server.

> On Jan 29, 2016, at 11:04 AM, Rob Crittenden <rcrit...@redhat.com> wrote:
> 
> David Zabner wrote:
>> Any guesses as to why I couldn’t revert to using the mod_auth_kerb library? 
>> It seems like this is the only place where the library is referenced one way 
>> or the other…
>> 
> 
> You need to set this globally:
> 
> KrbConstrainedDelegationLock ipa
> 
> And I assume you replaced $realm with your actual realm, right?
> 
> It would also be useful to know how it doesn't work.
> 
> rob
> 
>> Thanks for all your help.
>> 
>>> On Jan 29, 2016, at 6:35 AM, Petr Spacek <pspa...@redhat.com> wrote:
>>> 
>>> Interesting, we have to investigate it!
>>> 
>>> Here is a ticket:
>>> https://fedorahosted.org/freeipa/ticket/5653
>>> 
>>> You can Cc yourself to it and watch the progress.
>>> 
>>> Petr^2 Spacek
>>> 
>>> On 28.1.2016 20:17, David Zabner wrote:
>>>> I was guessing that it was a problem with mod_auth_gssapi and so I tried 
>>>> switching the auth method back to mod_auth_kerb which did not work. 
>>>> (although it is entirely possible that I did not switch it correctly)
>>>> 
>>>> I did it by changing the gssapi settings in /etc/httpd/conf.d/ipa.conf to:
>>>> <Location "/ipa">
>>>> AuthType Kerberos
>>>> AuthName "Kerberos Login"
>>>> KrbMethodNegotiate on
>>>> KrbMethodK5Passwd off
>>>> KrbServiceName HTTP
>>>> KrbAuthRealms $realm
>>>> Krb5KeyTab /etc/httpd/conf/ipa.keytab
>>>> KrbSaveCredentials on
>>>> KrbConstrainedDelegation on
>>>> Require valid-user
>>>> ErrorDocument 401 /ipa/errors/unauthorized.html
>>>> </Location>
>>>> It just seemed to cause other problems...
>>>> 
>>>> On Jan 28, 2016, at 1:44 PM, Izzo, Anthony <aizz...@harris.com> wrote:
>>>> 
>>>> I should add that some of my team members have tried serializing their 
>>>> instance launches, and this problem does not seem to occur under those 
>>>> circumstances.  (That’s not a solution, just a data point for those 
>>>> interested in this behavior).  Thanks.
>>>> 
>>>> 
>>>> From: Izzo, Anthony (U.S. Person)
>>>> Sent: Thursday, January 28, 2016 1:35 PM
>>>> To: freeipa-users@redhat.com
>>>> Cc: 'David Zabner' <da...@cazena.com>
>>>> Subject: RE: [Freeipa-users] Server error with multiple clients joining 
>>>> domain simultaneously
>>>> 
>>>> Yes, that’s it!
>>>> 
>>>> From: David Zabner [mailto:da...@cazena.com]
>>>> Sent: Thursday, January 28, 2016 1:31 PM
>>>> To: Izzo, Anthony (U.S. Person) <aizz...@harris.com>
>>>> Cc: freeipa-users@redhat.com
>>>> Subject: Re: [Freeipa-users] Server error with multiple clients joining 
>>>> domain simultaneously
>>>> 
>>>> This sounds exactly like the problem I am having. I will attach my error 
>>>> log. Is this what yours looks like?
>>>> 
>>>> 
>>>> 
>>> 
>>> 
>>> -- 
>>> Petr^2 Spacek
>>> 
>> 
>> 
> 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
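Added triage helper, not part of the thread or of FreeIPA: a Python script that parses httpd error_log records of the shape pasted above, tallies the outcome of each IPA command (SUCCESS versus NetworkError and the like) and pairs every failed call with any "SSL Library Error" the same httpd worker (pid) logged shortly afterwards, which is where the cert_request failures and the -12268 "SSL is disabled" error in the excerpt meet. The sample lines are constructed from the excerpt; the 60-second window and the same-pid pairing are assumptions of this helper, not findings from the thread.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in the shape of the error_log excerpt above, one record per
# line (the mail archive wraps the long IPA INFO lines across several lines).
SAMPLE_LOG = r"""[Fri Jan 29 17:08:28.102555 2016] [:error] [pid 11562] ipa: INFO: [jsonserver_kerb] host/ip-10-11-131-244.foo.internal@FOO.INTERNAL: ping(): SUCCESS
[Fri Jan 29 17:08:31.622190 2016] [:error] [pid 11564] ipa: INFO: [xmlserver] host/ip-10-11-131-244.foo.internal@FOO.INTERNAL: cert_request(u'STUFF', principal=u'host/ip-10-11-131-244.foo.internal@FOO.INTERNAL', add=True, version=u'2.51'): NetworkError
[Fri Jan 29 17:08:47.120281 2016] [:error] [pid 11564] SSL Library Error: -12268 Cannot connect: SSL is disabled
[Fri Jan 29 17:08:47.801773 2016] [:error] [pid 11566] ipa: INFO: [jsonserver_kerb] admin@FOO.INTERNAL: host_add(u'secgw.foo.internal', random=False, force=True, no_reverse=False, all=False, raw=False, version=u'2.156', no_members=False): SUCCESS
[Fri Jan 29 17:09:00.760791 2016] [:error] [pid 11563] ipa: INFO: [jsonserver_kerb] admin@FOO.INTERNAL: cert_request(u'-----BEGIN CERTIFICATE REQUEST-----\\-----END CERTIFICATE REQUEST-----', principal=u'SSLVPN/test.foo.com', request_type=u'pkcs10', add=False, version=u'2.156'): NetworkError
[Fri Jan 29 17:09:00.762689 2016] [:error] [pid 11563] [client 10.11.131.244:45913] mod_wsgi (pid=11563): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'., referer: https://ipa.foo.internal/ipa/xml
p11-kit: ipa.p11-kit: x-public-key-info: invalid or unsupported attribute
[Fri Jan 29 17:09:17.927499 2016] [:error] [pid 11565] ipa: INFO: [jsonserver_kerb] admin@FOO.INTERNAL: cert_show(u'1', out=u'/etc/openvpn/ca.crt', version=u'2.156'): NetworkError
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[:error\] \[pid (?P<pid>\d+)\] (?P<msg>.*)$")
# IPA audit line: "[server] principal: command(args): RESULT"; args may contain
# parentheses (tuples), so the greedy .* followed by the anchored "): RESULT" is intended.
CALL_RE = re.compile(r"^ipa: INFO: \[(?P<server>\w+)\] (?P<principal>\S+): "
                     r"(?P<cmd>\w+)\((?P<args>.*)\): (?P<result>\w+)$")
SSL_RE = re.compile(r"^SSL Library Error: (?P<code>-?\d+) (?P<text>.*)$")
TS_FMT = "%a %b %d %H:%M:%S.%f %Y"


def parse_log(text):
    """Turn error_log text into a list of dict records.

    kind is 'call' for an IPA command audit line, 'ssl' for an NSS
    'SSL Library Error' line, 'other' for any other timestamped line and
    'unparsed' for lines without an Apache timestamp (e.g. p11-kit noise).
    """
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            records.append({"kind": "unparsed", "msg": line})
            continue
        rec = {"ts": datetime.strptime(m["ts"], TS_FMT), "pid": int(m["pid"]), "msg": m["msg"]}
        call = CALL_RE.match(m["msg"])
        ssl = SSL_RE.match(m["msg"])
        if call:
            rec.update(kind="call", server=call["server"], principal=call["principal"],
                       cmd=call["cmd"], result=call["result"])
        elif ssl:
            rec.update(kind="ssl", code=int(ssl["code"]), text=ssl["text"])
        else:
            rec["kind"] = "other"
        records.append(rec)
    return records


def summarize(records):
    """Map each IPA command to a dict of result -> count."""
    out = defaultdict(Counter)
    for r in records:
        if r["kind"] == "call":
            out[r["cmd"]][r["result"]] += 1
    return {cmd: dict(c) for cmd, c in out.items()}


def failed_calls(records):
    """Every audited command whose result is not SUCCESS, in log order."""
    return [r for r in records if r["kind"] == "call" and r["result"] != "SUCCESS"]


def correlate_ssl_errors(records, window=timedelta(seconds=60)):
    """Pair each failed call with SSL Library Errors logged by the same httpd
    worker (pid) within `window` after it. Same-pid pairing is an assumed
    heuristic: the worker that returned NetworkError is the one whose NSS
    connection attempt to the CA is most likely to have produced the error."""
    ssl_errs = [r for r in records if r["kind"] == "ssl"]
    pairs = []
    for f in failed_calls(records):
        related = [s for s in ssl_errs
                   if s["pid"] == f["pid"] and f["ts"] <= s["ts"] <= f["ts"] + window]
        pairs.append((f, related))
    return pairs


def report(text):
    """Human-readable triage summary, returned as lines."""
    recs = parse_log(text)
    lines = ["command results:"]
    for cmd, results in sorted(summarize(recs).items()):
        lines.append(f"  {cmd}: {results}")
    for f, related in correlate_ssl_errors(recs):
        codes = ", ".join(f"{s['code']} {s['text']}" for s in related) or "none in window"
        lines.append(f"{f['ts'].time()} pid {f['pid']} {f['cmd']} -> {f['result']}; "
                     f"SSL errors on this worker: {codes}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run it against a real /var/log/httpd/error_log instead of SAMPLE_LOG to see which commands fail and whether a certificate-related call (cert_request, cert_show) is the only kind that returns NetworkError while DNS and host operations keep succeeding; that pattern points at the path between httpd and the CA rather than at Kerberos authentication of the client.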
