[Freeipa-users] IPA, kerberos ticket issue for web admin.

2012-04-20 Thread Nathan Lager
I've got an ipa server setup on RHEL6.  I have a Fedora 16 client,
which I joined to the IPA domain using the ipa-client-install utility.

When I attempt to authenticate to my ipa server's web admin portal, I
get a generic error:
Your kerberos ticket is no longer valid.
And it goes on to tell me to configure my browser if this is my first
time accessing.  I've done so, and the error remains.  It also tells
me to re-run kinit if I haven't done so already, which I've also done.

Kinit returns no errors.  I've tried authing as my user (which is in
the admin group) and as the admin user.  Both give me the same result.

While googling for the error, I found some helpful information about
enabling debug logging both on the ipa server, and my browser
(firefox).  Doing so, I found the following errors:

On the server:
[Thu Apr 19 16:56:02 2012] [debug] src/mod_auth_kerb.c(1578): [client
xx.xx.xx.xx] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos, referer: https://(my.ipa.server)/ipa/ui/

And from my browser:
- -1713670336[7fd299b24590]: nsHttpNegotiateAuth::ChallengeReceived URI
blocked

These have shed little to no light on the situation, other than that it
sounds like something is getting blocked.


I was able to join this same client to a different IPA domain (a
non-production version of this same domain), which worked properly.  I
used the ipa-client-install --uninstall command to clean up ipa before
re-joining this system to the production ipa domain.  I also rebooted
for good measure.

One major difference between the two domains is that the IPA server
for dev lives on a much more open network, our development network,
while the production ipa domain lives on a production auth network,
which is much more locked down.  I believe I have all of the proper
ports open.

nmap scans give me the following for tcp and udp.

PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
88/tcp  open  kerberos-sec
389/tcp open  ldap
443/tcp open  https
464/tcp open  kpasswd5
636/tcp open  ldapssl

123/udp open ntp


Any direction here would be most useful.  Thanks!


-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE (#110-011-426)

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] IPA, kerberos ticket issue for web admin.

2012-04-20 Thread Nathan Lager
No, no proxy in place. Because this gui will be used primarily by
people like me (highly privileged admin users), and flat-out blocked to
everyone else, a proxy seemed like overkill.


On 04/20/2012 11:41 AM, Rob Crittenden wrote:
> 
> Are you going through a proxy? They often times mess up Negotiate 
> headers. I've never seen a URI blocked error in the browser.
> 
> The (NULL) user is expected. The first request comes in with no 
> authentication from the browser and this is the server asking "who
> are you?" The next request should include the authentication
> header.
> 
> rob

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE (#110-011-426)




Re: [Freeipa-users] IPA, kerberos ticket issue for web admin.

2012-04-23 Thread Nathan Lager

On 04/20/2012 02:26 PM, Rob Crittenden wrote:
> Have you configured the browser for Kerberos? 
> http://docs.fedoraproject.org/en-US//Fedora/15/html/FreeIPA_Guide/using-the-ui.html
> 
> That error seems to indicate that the domain isn't defined in 
> network.negotiate-auth.trusted-uris
> 
> regards
> 
> rob

I've been through the clicky-clicky that ipa's web gui sends you
through (accepting the certs, and configuring the browser), a number
of times.  I just confirmed the trusted URIs and delegation URIs.
They are both correct; they look like: .my.ipa.domain.com

I even tried resetting delegation-uris and trusted-uris to the
default, and then allowing the ipa web gui to re-configure them; it
hasn't helped.

Thanks for the response.  Sorry for the delay in mine.
-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE (#110-011-426)




Re: [Freeipa-users] IPA, kerberos ticket issue for web admin.

2012-04-27 Thread Nathan Lager


On 04/23/2012 11:58 AM, Rob Crittenden wrote:
> Nathan Lager wrote:
>> 
>> 
>> On 04/20/2012 02:26 PM, Rob Crittenden wrote:
>>> Have you configured the browser for Kerberos? 
>>> http://docs.fedoraproject.org/en-US//Fedora/15/html/FreeIPA_Guide/using-the-ui.html
>>>
>>> That error seems to indicate that the domain isn't defined in
>>> network.negotiate-auth.trusted-uris
>>> 
>>> regards
>>> 
>>> rob
>> 
>> I've been through the clicky-clicky that ipa's web gui sends you 
>> through (accepting the certs, and configuring the browser), a
>> number of times.  I just confirmed the trusted URIs and
>> delegation URIs. They are both correct; they look like:
>> .my.ipa.domain.com
>> 
>> I even tried resetting delegation-uris and trusted-uris to the 
>> default, and then allowing the ipa web gui to re-configure them;
>> it hasn't helped.
>> 
>> Thanks for the response.  Sorry for the delay in mine.
> 
> Hmm, that is very strange. The code in question in Firefox looks
> like:
> 
> bool allowed = TestPref(uri, kNegotiateAuthTrustedURIs);
> if (!allowed) {
>     LOG(("nsHttpNegotiateAuth::ChallengeReceived URI blocked\n"));
>     return NS_ERROR_ABORT;
> }
> 
> which seems to be the error you are seeing. It's a shame there
> isn't more logging around the uris.
> 
> I see that you had enabled debug logging on the Apache side. Can
> you provide some more context on the failed request?
> 
> thanks
> 
> rob

Again, sorry for the delay.  This is just one in my long list of
current projects.


Here's the requested log data. It's a tail -f of the access and error
logs.  Server name and client IP stripped.


==> error_log <==
[Fri Apr 27 11:47:04 2012] [info] Connection to child 0 established
(server ipaserver.domain.com:443, client xxx.xxx.xxx.xxx)

==> access_log <==
xxx.xxx.xxx.xxx - - [27/Apr/2012:11:47:04 -0400] "POST /ca/ocsp
HTTP/1.1" 200 2326 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:10.0.1)
Gecko/20100101 Firefox/10.0.1"

==> error_log <==
[Fri Apr 27 11:47:05 2012] [info] Initial (No.1) HTTPS request
received for child 0 (server ipaserver.domain.com:443)
[Fri Apr 27 11:47:05 2012] [error] [client xxx.xxx.xxx.xxx] File does
not exist: /usr/share/ipa/ui/develop.js, referer:
https://ipaserver.domain.com/ipa/ui/

==> access_log <==
xxx.xxx.xxx.xxx - - [27/Apr/2012:11:47:05 -0400] "GET
/ipa/ui/develop.js HTTP/1.1" 404 306

==> error_log <==
[Fri Apr 27 11:47:05 2012] [info] Connection to child 0 closed (server
ipaserver.domain.com:443, client xxx.xxx.xxx.xxx)
[Fri Apr 27 11:47:05 2012] [info] Connection to child 6 established
(server ipaserver.domain.com:443, client xxx.xxx.xxx.xxx)
[Fri Apr 27 11:47:05 2012] [info] Initial (No.1) HTTPS request
received for child 6 (server ipaserver.domain.com:443)
[Fri Apr 27 11:47:05 2012] [debug] src/mod_auth_kerb.c(1578): [client
xxx.xxx.xxx.xxx] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos, referer: https://ipaserver.domain.com/ipa/ui/

==> access_log <==
xxx.xxx.xxx.xxx - - [27/Apr/2012:11:47:05 -0400] "POST /ipa/json
HTTP/1.1" 401 1771

==> error_log <==
[Fri Apr 27 11:47:05 2012] [info] Connection to child 6 closed (server
ipaserver.domain.com:443, client xxx.xxx.xxx.xxx)


-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE (#110-011-426)
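As an added example (not from the thread and not Mozilla's code), here is a Python reimplementation of the suffix matching that Firefox's TestPref applies to network.negotiate-auth.trusted-uris before it answers a Negotiate challenge; the rules are modelled on Mozilla's MatchesBaseURI as I understand it, and the pref values and hosts used below are constructed. It shows why an entry like `.my.ipa.domain.com` covers hosts under that domain but not the bare domain itself, and why a scheme-only entry like `https://` would offer the user's Kerberos ticket to every HTTPS site.

```python
from urllib.parse import urlsplit


def matches_base_uri(scheme, host, port, base):
    """Decide whether scheme://host:port is covered by one trusted-uris entry.

    Modelled on the rules of Firefox's MatchesBaseURI (a reimplementation,
    not Mozilla's code): an entry may carry a scheme ("https://host"), a port
    ("host:8443") or just a host; a host entry matches that host and its
    subdomains, while a leading dot (".example.com") matches subdomains only.
    """
    if "://" in base:
        base_scheme, base = base.split("://", 1)
        if base_scheme.lower() != scheme.lower():
            return False
    if ":" in base:  # IPv6 literals are not handled, as in the browser check
        base, base_port = base.split(":", 1)
        if not base_port.isdigit() or int(base_port) != port:
            return False
    if not base:
        # A scheme-only entry such as "https://" matches every host on that
        # scheme, so the user's Kerberos ticket would be offered to any HTTPS
        # site that sends a Negotiate challenge.
        return True
    host, base = host.lower(), base.lower()
    if len(host) < len(base) or not host.endswith(base):
        return False
    # Accept an exact host, a leading-dot entry, or a suffix that starts at a
    # label boundary, so that "bar.com" does not match "foobar.com".
    return (len(host) == len(base) or base.startswith(".")
            or host[-len(base) - 1] == ".")


def uri_allowed(uri, pref_value):
    """True if any entry of network.negotiate-auth.trusted-uris covers uri.

    Entries are separated by commas and/or whitespace, as in the browser pref.
    """
    parts = urlsplit(uri)
    if not parts.hostname:
        return False
    # Firefox passes -1 for a URI that uses its scheme's default port, so an
    # entry that pins a port ("host:8443") only matches an explicit port.
    port = parts.port if parts.port is not None else -1
    entries = pref_value.replace(",", " ").split()
    return any(matches_base_uri(parts.scheme, parts.hostname, port, e)
               for e in entries)


if __name__ == "__main__":
    # Constructed pref value; the first entry is the shape used in the thread.
    pref = ".my.ipa.domain.com, https://ipa.example.org:8443"
    for uri in ("https://ipaserver.my.ipa.domain.com/ipa/ui/",
                "https://my.ipa.domain.com/ipa/ui/",
                "https://evilmy.ipa.domain.com/ipa/ui/",
                "https://ipa.example.org:8443/ipa/ui/",
                "https://ipa.example.org/ipa/ui/"):
        state = "allowed" if uri_allowed(uri, pref) else "URI blocked"
        print(f"{uri:48} -> {state}")
```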



[Freeipa-users] sudden ipa errors.

2012-08-22 Thread Nathan Lager
I have a RHEL ipa server setup and running.  It's been running for a
while now, and suddenly, today, I'm having trouble authenticating to
it, or changing my password.

The error I'm getting at the command line is:

[lagern@ipaserver PROD ~]$ ipa passwd
Current Password:
New Password:
Enter New Password again to verify:
ipa: ERROR: cannot connect to
u'http://ipaserver.lafayette.edu/ipa/xml': Internal Server Error

Looking at /var/log/httpd/error and access logs I see:

[Wed Aug 22 13:18:07 2012] [error] [client <ip redacted>] gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may provide more information (, Unknown error), referer: https://ipaserver.lafayette.edu/ipa/xml

I'm wading through google at the moment, to see if I can find a fix,
but I'm coming up empty.

-- 



Re: [Freeipa-users] sudden ipa errors.

2012-08-22 Thread Nathan Lager
I tried the same, kinit, and then ipa passwd commands as before,
here's the output:

Aug 22 14:32:13 ipaserver.lafayette.edu krb5kdc[1438](info): AS_REQ (4
etypes {18 17 16 23}) ipa-servers-ip: NEEDED_PREAUTH:
lag...@systems.lafayette.edu for
krbtgt/systems.lafayette@systems.lafayette.edu, Additional
pre-authentication required

Aug 22 14:32:19 ipaserver.lafayette.edu krb5kdc[1438](info): AS_REQ (4
etypes {18 17 16 23}) ipa-servers-ip: ISSUE: authtime 1345660339,
etypes {rep=18 tkt=18 ses=18}, lag...@systems.lafayette.edu for
krbtgt/systems.lafayette@systems.lafayette.edu

Aug 22 14:32:35 ipaserver.lafayette.edu krb5kdc[1438](info): TGS_REQ
(4 etypes {18 17 16 23}) ipa-servers-ip: ISSUE: authtime 1345660339,
etypes {rep=18 tkt=18 ses=18}, lag...@systems.lafayette.edu for
HTTP/ipaserver.lafayette@systems.lafayette.edu


On 08/22/2012 02:17 PM, Rob Crittenden wrote:
> Nathan Lager wrote:
>> I have a RHEL ipa server setup and running.  It's been running for
>> a while now, and suddenly, today, I'm having trouble
>> authenticating to it, or changing my password.
>> 
>> The error I'm getting at the command line is:
>> 
>> [lagern@ipaserver PROD ~]$ ipa passwd
>> Current Password:
>> New Password:
>> Enter New Password again to verify:
>> ipa: ERROR: cannot connect to u'http://ipaserver.lafayette.edu/ipa/xml': Internal Server Error
>> 
>> Looking at /var/log/httpd/error and access logs I see:
>> 
>> [Wed Aug 22 13:18:07 2012] [error] [client <ip redacted>] gss_acquire_cred() failed: Unspecified GSS failure.  Minor code
>> may provide more information (, Unknown error), referer: 
>> https://ipaserver.lafayette.edu/ipa/xml
>> 
>> I'm wading through google at the moment, to see if I can find a
>> fix, but I'm coming up empty.
>> 
> 
> I'd look in your KDC Log to see if it has anything useful, 
> /var/log/krb5kdc.
> 
> rob
> 

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE (#110-011-426)
System Administrator
11 Pardee Hall
Lafayette College, Easton, PA 18042
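Rob's first question was whether the KDC log shows the user getting a TGT and then a service ticket for HTTP/<server>. As an added example (not part of the thread), the Python below parses krb5kdc AS_REQ/TGS_REQ lines of the format quoted above, answers that question per client principal, and flags issued tickets that use single-DES or RC4 etypes; the log lines it embeds are constructed, with placeholder principals and addresses instead of the poster's.

```python
import re

# Encryption type numbers as printed by krb5kdc (RFC 3961, 3962 and 4757).
ETYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
WEAK_ETYPES = {1, 3, 23}  # single DES and RC4: worth flagging in a KDC log

KDC_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\): "
    r"(?P<req>AS_REQ|TGS_REQ) \((?P<n>\d+) etypes \{(?P<offered>[\d ]+)\}\) "
    r"(?P<client_ip>\S+): (?P<status>[A-Z_]+): "
    r"(?:authtime (?P<authtime>\d+), "
    r"etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, )?"
    r"(?P<client>\S+) for (?P<service>[^,\s]+)"
    r"(?:, (?P<reason>.*))?$"
)

# Constructed sample in the format of the krb5kdc lines quoted in the thread
# (host, principals and client address are placeholders). The last line is an
# extra constructed entry so the weak-etype check has something to find.
SAMPLE_LOG = """\
Aug 22 14:32:13 ipa.example.com krb5kdc[1438](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: NEEDED_PREAUTH: user@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Aug 22 14:32:19 ipa.example.com krb5kdc[1438](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1345660339, etypes {rep=18 tkt=18 ses=18}, user@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Aug 22 14:32:35 ipa.example.com krb5kdc[1438](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1345660339, etypes {rep=18 tkt=18 ses=18}, user@EXAMPLE.COM for HTTP/ipa.example.com@EXAMPLE.COM
Aug 22 14:40:02 ipa.example.com krb5kdc[1438](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1345660339, etypes {rep=18 tkt=23 ses=23}, user@EXAMPLE.COM for cifs/legacy.example.com@EXAMPLE.COM
"""


def parse_kdc_line(line):
    """Parse one krb5kdc request line into a dict; None for other line formats."""
    m = KDC_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["offered"] = [int(e) for e in rec["offered"].split()]
    for key in ("pid", "n", "authtime", "rep", "tkt", "ses"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def parse_kdc_log(text):
    return [r for r in (parse_kdc_line(l) for l in text.splitlines()) if r]


def ticket_chain(records, client):
    """Return (tgt_issued, [service principals issued]) for one client.

    This is the question asked in the thread: did the KDC hand the user a
    TGT and then a service ticket for HTTP/<ipa server>?
    """
    tgt = False
    services = []
    for r in records:
        if r["client"] != client or r["status"] != "ISSUE":
            continue
        if r["req"] == "AS_REQ" and r["service"].startswith("krbtgt/"):
            tgt = True
        elif r["req"] == "TGS_REQ":
            services.append(r["service"])
    return tgt, services


def weak_tickets(records):
    """Issued tickets whose ticket etype is single DES or RC4."""
    return [(r["client"], r["service"], ETYPE_NAMES.get(r["tkt"], str(r["tkt"])))
            for r in records if r["status"] == "ISSUE" and r["tkt"] in WEAK_ETYPES]


def failed_requests(records):
    """Requests with a status other than ISSUE or NEEDED_PREAUTH (the normal
    first-round reply), e.g. PREAUTH_FAILED or CLIENT_NOT_FOUND."""
    return [r for r in records if r["status"] not in ("ISSUE", "NEEDED_PREAUTH")]


if __name__ == "__main__":
    recs = parse_kdc_log(SAMPLE_LOG)
    tgt, services = ticket_chain(recs, "user@EXAMPLE.COM")
    print("TGT issued:", tgt)
    print("service tickets:", services)
    print("weak tickets:", weak_tickets(recs))
    print("failed requests:", [r["status"] for r in failed_requests(recs)])
```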



Re: [Freeipa-users] sudden ipa errors.

2012-08-22 Thread Nathan Lager
[root@ipaserver PROD krb5kdc]# ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING
[root@ipaserver PROD krb5kdc]# rpm -qa | grep ipa-server
ipa-server-selinux-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64


On 08/22/2012 04:08 PM, Rob Crittenden wrote:
> Nathan Lager wrote:
>>
>> I tried the same, kinit, and then ipa passwd commands as before,
>> here's the output:
>>
>> Aug 22 14:32:13 ipaserver.lafayette.edu krb5kdc[1438](info): AS_REQ (4
>> etypes {18 17 16 23}) ipa-servers-ip: NEEDED_PREAUTH:
>> lag...@systems.lafayette.edu for
>> krbtgt/systems.lafayette@systems.lafayette.edu, Additional
>> pre-authentication required
>>
>> Aug 22 14:32:19 ipaserver.lafayette.edu krb5kdc[1438](info): AS_REQ (4
>> etypes {18 17 16 23}) ipa-servers-ip: ISSUE: authtime 1345660339,
>> etypes {rep=18 tkt=18 ses=18}, lag...@systems.lafayette.edu for
>> krbtgt/systems.lafayette@systems.lafayette.edu
>>
>> Aug 22 14:32:35 ipaserver.lafayette.edu krb5kdc[1438](info): TGS_REQ
>> (4 etypes {18 17 16 23}) ipa-servers-ip: ISSUE: authtime 1345660339,
>> etypes {rep=18 tkt=18 ses=18}, lag...@systems.lafayette.edu for
>> HTTP/ipaserver.lafayette@systems.lafayette.edu
> 
> What version of IPA is this?
> 
> Does ipactl status show all services up?
> 
> rob




Re: [Freeipa-users] sudden ipa errors.

2012-08-23 Thread Nathan Lager
This did not seem to help...


On 08/22/2012 06:02 PM, Rob Crittenden wrote:
> Nathan Lager wrote:
>> [root@ipaserver PROD krb5kdc]# ipactl status
>> Directory Service: RUNNING
>> KDC Service: RUNNING
>> KPASSWD Service: RUNNING
>> MEMCACHE Service: RUNNING
>> HTTP Service: RUNNING
>> CA Service: RUNNING
>> [root@ipaserver PROD krb5kdc]# rpm -qa | grep ipa-server
>> ipa-server-selinux-2.2.0-16.el6.x86_64
>> ipa-server-2.2.0-16.el6.x86_64
> 
> I'd try removing /tmp/krb5cc_48. This is the ccache used by Apache for
> doing S4U2Proxy. No restart of httpd should be required.
> 
> rob
> 
>>
>>
>> On 08/22/2012 04:08 PM, Rob Crittenden wrote:
>>> Nathan Lager wrote:
>>>>
>>>> I tried the same, kinit, and then ipa passwd commands as before,
>>>> here's the output:
>>>>
>>>> Aug 22 14:32:13 ipaserver.lafayette.edu krb5kdc[1438](info): AS_REQ (4
>>>> etypes {18 17 16 23}) ipa-servers-ip: NEEDED_PREAUTH:
>>>> lag...@systems.lafayette.edu for
>>>> krbtgt/systems.lafayette@systems.lafayette.edu, Additional
>>>> pre-authentication required
>>>>
>>>> Aug 22 14:32:19 ipaserver.lafayette.edu krb5kdc[1438](info): AS_REQ (4
>>>> etypes {18 17 16 23}) ipa-servers-ip: ISSUE: authtime 1345660339,
>>>> etypes {rep=18 tkt=18 ses=18}, lag...@systems.lafayette.edu for
>>>> krbtgt/systems.lafayette@systems.lafayette.edu
>>>>
>>>> Aug 22 14:32:35 ipaserver.lafayette.edu krb5kdc[1438](info): TGS_REQ
>>>> (4 etypes {18 17 16 23}) ipa-servers-ip: ISSUE: authtime 1345660339,
>>>> etypes {rep=18 tkt=18 ses=18}, lag...@systems.lafayette.edu for
>>>> HTTP/ipaserver.lafayette@systems.lafayette.edu
>>>
>>> What version of IPA is this?
>>>
>>> Does ipactl status show all services up?
>>>
>>> rob
>>
>>
> 
> 



Re: [Freeipa-users] sudden ipa errors.

2012-09-18 Thread Nathan Lager
Sorry for falling off like that.
I opened a Red Hat ticket on the issue, and have been running in
circles with them.  I forgot to check on the list for responses.


I'm still having problems.  Someone suggested I try:

kinit -kt /etc/httpd/conf/ipa.keytab HTTP/ipaserver.lafayette.edu

Which I just did, and it worked, or, at least it initialized my session.

I'm still unable to execute ipa commands.  In fact, I'm unable to
execute almost any ipa commands.

The web interface works, but only after Red Hat had me enable kerberos
password auth in the httpd config.  So I can now auth to the web gui
interactively, instead of requiring a kinit from my workstation.

The only real client I have here is RHEV.  And auth there still works
except on accounts which have expired.  Those accounts can't even
change their passwords.

Red Hat had me disable the password expiration via the web gui, however
that hasn't helped accounts that are already expired.

Red Hat is currently blaming time skew, which I think is ridiculous.
I'm testing my ipa commands right on the ipa master.  How could there
possibly be time skew?  I did find that the time on my replica was
off, but my replica isn't working anyway, which is a whole other issue.
I think it needs to be flattened and re-joined.



On 09/10/2012 08:54 AM, Dmitri Pal wrote:
> On 08/24/2012 04:43 PM, Rob Crittenden wrote:
>> Nathan Lager wrote:
>>> This did not seem to help...
>>> 
>> 
>> What else isn't working? Does the UI work? Do clients on other 
>> machines work? Does user lookup still work?
>> 
>> rob
> 
> 
> Was this issue ever resolved?
> 
>> 
>>> 
>>> On 08/22/2012 06:02 PM, Rob Crittenden wrote:
>>>> Nathan Lager wrote:
>>>>> [root@ipaserver PROD krb5kdc]# ipactl status
>>>>> Directory Service: RUNNING
>>>>> KDC Service: RUNNING
>>>>> KPASSWD Service: RUNNING
>>>>> MEMCACHE Service: RUNNING
>>>>> HTTP Service: RUNNING
>>>>> CA Service: RUNNING
>>>>> [root@ipaserver PROD krb5kdc]# rpm -qa | grep ipa-server
>>>>> ipa-server-selinux-2.2.0-16.el6.x86_64
>>>>> ipa-server-2.2.0-16.el6.x86_64
>>>> 
>>>> I'd try removing /tmp/krb5cc_48. This is the ccache used by
>>>> Apache for doing S4U2Proxy. No restart of httpd should be
>>>> required.
>>>> 
>>>> rob
>>>> 
>>>>> 
>>>>> 
>>>>> On 08/22/2012 04:08 PM, Rob Crittenden wrote:
>>>>>> Nathan Lager wrote:
>>>>>>> 
>>>>>>> I tried the same, kinit, and then ipa passwd commands
>>>>>>> as before, here's the output:
>>>>>>> 
>>>>>>> Aug 22 14:32:13 ipaserver.lafayette.edu
>>>>>>> krb5kdc[1438](info): AS_REQ (4 etypes {18 17 16 23})
>>>>>>> ipa-servers-ip: NEEDED_PREAUTH: 
>>>>>>> lag...@systems.lafayette.edu for 
>>>>>>> krbtgt/systems.lafayette@systems.lafayette.edu,
>>>>>>> Additional pre-authentication required
>>>>>>> 
>>>>>>> Aug 22 14:32:19 ipaserver.lafayette.edu
>>>>>>> krb5kdc[1438](info): AS_REQ (4 etypes {18 17 16 23})
>>>>>>> ipa-servers-ip: ISSUE: authtime 1345660339, etypes
>>>>>>> {rep=18 tkt=18 ses=18}, lag...@systems.lafayette.edu
>>>>>>> for krbtgt/systems.lafayette@systems.lafayette.edu
>>>>>>> 
>>>>>>> Aug 22 14:32:35 ipaserver.lafayette.edu
>>>>>>> krb5kdc[1438](info): TGS_REQ (4 etypes {18 17 16 23})
>>>>>>> ipa-servers-ip: ISSUE: authtime 1345660339, etypes
>>>>>>> {rep=18 tkt=18 ses=18}, lag...@systems.lafayette.edu
>>>>>>> for HTTP/ipaserver.lafayette@systems.lafayette.edu
>>>>>> 
>>>>>> What version of IPA is this?
>>>>>> 
>>>>>> Does ipactl status show all services up?
>>>>>> 
>>>>>> rob
>>>>> 
>>>>> 
>>>> 
>>>> 
>>> 
>> 
>> 
> 
> 



Re: [Freeipa-users] sudden ipa errors.

2012-09-18 Thread Nathan Lager
lock
krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge
nsAccountLock passwordHistory objectClass"
[18/Sep/2012:16:27:05 -0400] conn=4 op=108 RESULT err=0 tag=101
nentries=1 etime=0
[18/Sep/2012:16:27:05 -0400] conn=4 op=109 SRCH
base="cn=SYSTEMS.LAFAYETTE.EDU,cn=kerberos,dc=systems,dc=lafayette,dc=edu"
scope=0 filter="(objectClass=krbticketpolicyaux)"
attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
[18/Sep/2012:16:27:05 -0400] conn=4 op=109 RESULT err=0 tag=101
nentries=1 etime=0
[18/Sep/2012:16:27:05 -0400] conn=4 op=110 SRCH
base="dc=systems,dc=lafayette,dc=edu" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=lag...@systems.lafayette.edu))"
attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
krbLoginFailedCount krbExtraData krbLastAdminUnlock
krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge
nsAccountLock passwordHistory objectClass"
[18/Sep/2012:16:27:05 -0400] conn=4 op=110 RESULT err=0 tag=101
nentries=1 etime=0
[18/Sep/2012:16:27:05 -0400] conn=4 op=111 SRCH
base="cn=SYSTEMS.LAFAYETTE.EDU,cn=kerberos,dc=systems,dc=lafayette,dc=edu"
scope=0 filter="(objectClass=krbticketpolicyaux)"
attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
[18/Sep/2012:16:27:05 -0400] conn=4 op=111 RESULT err=0 tag=101
nentries=1 etime=0
[18/Sep/2012:16:27:22 -0400] conn=49 fd=67 slot=67 connection from
139.147.7.205 to 139.147.7.204
[18/Sep/2012:16:27:22 -0400] conn=49 op=0 UNBIND
[18/Sep/2012:16:27:22 -0400] conn=49 op=0 fd=67 closed - U1
[18/Sep/2012:16:29:27 -0400] conn=50 fd=67 slot=67 connection from
139.147.7.204 to 139.147.7.204
[18/Sep/2012:16:29:27 -0400] conn=50 op=0 UNBIND
[18/Sep/2012:16:29:27 -0400] conn=50 op=0 fd=67 closed - U1


> What are the versions of:
> 
> httpd
[root@caroline0 PROD ~]# rpm -qa | grep httpd
httpd-2.2.15-15.el6_2.1.x86_64

> mod_auth_kerb
[root@caroline0 PROD ~]# rpm -qa | grep mod_auth_kerb
mod_auth_kerb-5.4-9.el6.x86_64

> ipa-server
[root@caroline0 PROD ~]# rpm -qa | grep ipa-server
ipa-server-selinux-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64

> krb5-server
[root@caroline0 PROD ~]# rpm -qa | grep krb5-server
krb5-server-1.9-33.el6_3.2.x86_64
krb5-server-ldap-1.9-33.el6_3.2.x86_64

> 
> This is RHEL 6.3?
Yes.
[root@caroline0 PROD ~]# cat /etc/issue
Red Hat Enterprise Linux Server release 6.3 (Santiago)
Kernel \r on an \m


> 
> The problem seems isolated to mod_auth_kerb and/or s4u2proxy since
> it works with password authentication in the UI.
> 
> rob

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE (#110-011-426)
System Administrator
11 Pardee Hall
Lafayette College, Easton, PA 18042



Re: [Freeipa-users] sudden ipa errors.

2012-09-19 Thread Nathan Lager

On 09/19/2012 10:37 AM, Rob Crittenden wrote:
> Lager, Nathan T. wrote:
>> 
>> - Original Message -
>>> From: "Rob Crittenden"
>>> To: "Nathan Lager"
>>> Cc: freeipa-users@redhat.com
>>> Sent: Tuesday, September 18, 2012 5:17:00 PM
>>> Subject: Re: [Freeipa-users] sudden ipa errors.
>>> 
>>> Ok, what are the permissions on the keytab, 
>>> /etc/httpd/conf/ipa.keytab? They should be apache:apache mode
>>> 0600.
>> 
>> [lagern@caroline0 PROD ~]$ ls -lZ /etc/httpd/conf/ipa.keytab 
>> -rw---. apache apache
>> unconfined_u:object_r:httpd_config_t:s0 
>> /etc/httpd/conf/ipa.keytab
>> 
>>> 
>>> Are you in SELinux enforcing mode? Can you try in permissive to
>>> see if that works?
>> I was enforcing at the start of all of this, but I've since
>> switched to permissive for troubleshooting.  It hasn't made a
>> difference.
> 
> Are you getting an HTTP service principal in the client?
> 
> $ kdestroy
> $ kinit admin
> $ ipa user-show admin
> $ klist -fea
> 
> Lets try to skip s4u2proxy. Does this work:
> 
> $ ipa --delegate user-show admin
> 
> Unfortunately the major and minor error codes are as generic as can
> be so they aren't any help at all.
> 
> rob

Here's the output. The --delegate still failed.

[root@caroline0 PROD ~]# klist -fea
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: lag...@systems.lafayette.edu

Valid starting     Expires            Service principal
09/19/12 11:23:03  09/20/12 11:22:52  krbtgt/systems.lafayette@systems.lafayette.edu
    Flags: FIA, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
    Addresses: (none)
09/19/12 11:23:11  09/20/12 11:22:52  HTTP/caroline0.lafayette@systems.lafayette.edu
    Flags: FAT, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
    Addresses: (none)
[root@caroline0 PROD ~]# ipa --delegate user-show admin
ipa: ERROR: cannot connect to
u'http://caroline0.lafayette.edu/ipa/xml': Internal Server Error
[root@caroline0 PROD ~]#




-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE (#110-011-426)
System Administrator
11 Pardee Hall
Lafayette College, Easton, PA 18042



Re: [Freeipa-users] sudden ipa errors.

2012-09-19 Thread Nathan Lager


On 09/19/2012 11:34 AM, Rob Crittenden wrote:
> Nathan Lager wrote:
>> 
>> On 09/19/2012 10:37 AM, Rob Crittenden wrote:
>>> Lager, Nathan T. wrote:
>>>> 
>>>> - Original Message -
>>>>> From: "Rob Crittenden"
>>>>> To: "Nathan Lager"
>>>>> Cc: freeipa-users@redhat.com
>>>>> Sent: Tuesday, September 18, 2012 5:17:00 PM
>>>>> Subject: Re: [Freeipa-users] sudden ipa errors.
>>>>> 
>>>>> Ok, what are the permissions on the keytab, 
>>>>> /etc/httpd/conf/ipa.keytab? They should be apache:apache
>>>>> mode 0600.
>>>> 
>>>> [lagern@caroline0 PROD ~]$ ls -lZ /etc/httpd/conf/ipa.keytab 
>>>> -rw---. apache apache 
>>>> unconfined_u:object_r:httpd_config_t:s0 
>>>> /etc/httpd/conf/ipa.keytab
>>>> 
>>>>> 
>>>>> Are you in SELinux enforcing mode? Can you try in
>>>>> permissive to see if that works?
>>>> I was enforcing at the start of all of this, but I've since 
>>>> switched to permissive for troubleshooting.  It hasn't made a 
>>>> difference.
>>> 
>>> Are you getting an HTTP service principal in the client?
>>> 
>>> $ kdestroy
>>> $ kinit admin
>>> $ ipa user-show admin
>>> $ klist -fea
>>> 
>>> Lets try to skip s4u2proxy. Does this work:
>>> 
>>> $ ipa --delegate user-show admin
>>> 
>>> Unfortunately the major and minor error codes are as generic as
>>> can be so they aren't any help at all.
>>> 
>>> rob
>> 
>> Here's the output. The --delegate still failed.
>> 
>> [root@caroline0 PROD ~]# klist -fea
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: lag...@systems.lafayette.edu
>> 
>> Valid starting     Expires            Service principal
>> 09/19/12 11:23:03  09/20/12 11:22:52  krbtgt/systems.lafayette@systems.lafayette.edu
>>     Flags: FIA, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>>     Addresses: (none)
>> 09/19/12 11:23:11  09/20/12 11:22:52  HTTP/caroline0.lafayette@systems.lafayette.edu
>>     Flags: FAT, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>>     Addresses: (none)
>> [root@caroline0 PROD ~]# ipa --delegate user-show admin
>> ipa: ERROR: cannot connect to u'http://caroline0.lafayette.edu/ipa/xml': Internal Server Error
>> [root@caroline0 PROD ~]#
> 
> Is it the same major/minor error in gss_acquire_cred()?
> 
> Does GSSAPI over LDAP work?
> 
> $ ldapsearch -Y GSSAPI -h ipa.example.com -b 
> cn=users,cn=accounts,dc=example,dc=com admin
> 
This appears to work.

[root@caroline0 PROD ~]# ldapsearch -Y GSSAPI -h
caroline0.lafayette.edu -b
cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu admin
SASL/GSSAPI authentication started
SASL username: lag...@systems.lafayette.edu
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base  with
scope subtree
# filter: (objectclass=*)
# requesting: admin
#

# users, accounts, systems.lafayette.edu
dn: cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu

# admin, users, accounts, systems.lafayette.edu
dn: uid=admin,cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu

<-- a bunch of other users here -->

# search result
search: 4
result: 0 Success

# numResponses: 10
# numEntries: 9

> rob
> 
> 

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE (#110-011-426)
System Administrator
11 Pardee Hall
Lafayette College, Easton, PA 18042



Re: [Freeipa-users] sudden ipa errors.

2012-09-19 Thread Nathan Lager


On 09/19/2012 02:54 PM, Rob Crittenden wrote:
> Nathan Lager wrote:
>> 
>> 
>> On 09/19/2012 11:34 AM, Rob Crittenden wrote:
>>> Nathan Lager wrote:
>>>> 
>>>> On 09/19/2012 10:37 AM, Rob Crittenden wrote:
>>>>> Lager, Nathan T. wrote:
>>>>>> 
>>>>>> - Original Message -
>>>>>>> From: "Rob Crittenden"
>>>>>>> To: "Nathan Lager"
>>>>>>> Cc: freeipa-users@redhat.com
>>>>>>> Sent: Tuesday, September 18, 2012 5:17:00 PM
>>>>>>> Subject: Re: [Freeipa-users] sudden ipa errors.
>>>>>>> 
>>>>>>> Ok, what are the permissions on the keytab, 
>>>>>>> /etc/httpd/conf/ipa.keytab? They should be
>>>>>>> apache:apache mode 0600.
>>>>>> 
>>>>>> [lagern@caroline0 PROD ~]$ ls -lZ
>>>>>> /etc/httpd/conf/ipa.keytab -rw---. apache apache 
>>>>>> unconfined_u:object_r:httpd_config_t:s0 
>>>>>> /etc/httpd/conf/ipa.keytab
>>>>>> 
>>>>>>> 
>>>>>>> Are you in SELinux enforcing mode? Can you try in 
>>>>>>> permissive to see if that works?
>>>>>> I was enforcing at the start of all of this, but I've
>>>>>> since switched to permissive for troubleshooting.  It
>>>>>> hasn't made a difference.
>>>>> 
>>>>> Are you getting an HTTP service principal in the client?
>>>>> 
>>>>> $ kdestroy
>>>>> $ kinit admin
>>>>> $ ipa user-show admin
>>>>> $ klist -fea
>>>>> 
>>>>> Lets try to skip s4u2proxy. Does this work:
>>>>> 
>>>>> $ ipa --delegate user-show admin
>>>>> 
>>>>> Unfortunately the major and minor error codes are as
>>>>> generic as can be so they aren't any help at all.
>>>>> 
>>>>> rob
>>>> 
>>>> Here's the output. The --delegate still failed.
>>>> 
>>>> [root@caroline0 PROD ~]# klist -fea
>>>> Ticket cache: FILE:/tmp/krb5cc_0
>>>> Default principal: lag...@systems.lafayette.edu
>>>> 
>>>> Valid starting     Expires            Service principal
>>>> 09/19/12 11:23:03  09/20/12 11:22:52  krbtgt/systems.lafayette@systems.lafayette.edu
>>>>     Flags: FIA, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>>>>     Addresses: (none)
>>>> 09/19/12 11:23:11  09/20/12 11:22:52  HTTP/caroline0.lafayette@systems.lafayette.edu
>>>>     Flags: FAT, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>>>>     Addresses: (none)
>>>> [root@caroline0 PROD ~]# ipa --delegate user-show admin
>>>> ipa: ERROR: cannot connect to u'http://caroline0.lafayette.edu/ipa/xml': Internal Server Error
>>>> [root@caroline0 PROD ~]#
>>> 
>>> Is it the same major/minor error in gss_acquire_cred()?
>>> 
>>> Does GSSAPI over LDAP work?
>>> 
>>> $ ldapsearch -Y GSSAPI -h ipa.example.com -b 
>>> cn=users,cn=accounts,dc=example,dc=com admin
>>> 
>> This appears to work.
>> 
>> [root@caroline0 PROD ~]# ldapsearch -Y GSSAPI -h caroline0.lafayette.edu -b cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu admin
>> SASL/GSSAPI authentication started
>> SASL username: lag...@systems.lafayette.edu
>> SASL SSF: 56
>> SASL data security layer installed.
>> # extended LDIF
>> #
>> # LDAPv3
>> # base  with scope subtree
>> # filter: (objectclass=*)
>> # requesting: admin
>> #
>> 
>> # users, accounts, systems.lafayette.edu
>> dn: cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu
>> 
>> # admin, users, accounts, systems.lafayette.edu
>> dn: uid=admin,cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu
>> 
>> <-- a bunch of other users here -->
>> 
>> # search result
>> search: 4
>> result: 0 Success
>> 
>> # numResponses: 10
>> # numEntries: 9
>> 
> 
> Ok, so it's JUST Apache then.
> 
> Is the hostname on caroline0 set as a FQDN (/bin/hostname)?
> 
> If not, I'd try setting it to caroline0.lafayette.edu
> 
> If so, might be worth trying to refresh your Apache keytab. I made
> some educated guesses on your hostnames/realm, please
> double-check:
> 
> # ipa-getkeyt

Re: [Freeipa-users] sudden ipa errors.

2012-09-19 Thread Nathan Lager



On 09/19/2012 03:47 PM, Rob Crittenden wrote:
> Dmitri Pal wrote:
>> 
>> Rob, keytab and kerberos part seems to be fine, ldap works too. 
>> Can it be one of the certs? May be some cert expired?
> 
> No, the error is coming from GSSAPI, it is unfortunately
> completely useless. I think we've pretty well narrowed down the
> problem to httpd/mod_auth_kerb but I don't know yet if this is a
> configuration issue or a bug.
> 
> Nathan, can you show me your /etc/httpd/conf.d/ipa.conf?
Sure, as far as I know it's completely stock, aside from the krb
password auth change.

#
# VERSION 4 - DO NOT REMOVE THIS LINE
#
# LoadModule auth_kerb_module modules/mod_auth_kerb.so

ProxyRequests Off


#We use xhtml, a file format that the browser validates
DirectoryIndex index.html



# ipa-rewrite.conf is loaded separately

# This is required so the auto-configuration works with Firefox 2+
AddType application/java-archive jar


# FIXME: WSGISocketPrefix is a server-scope directive.  The mod_wsgi package
# should really be fixed by adding this its /etc/httpd/conf.d/wsgi.conf:
WSGISocketPrefix /var/run/httpd/wsgi


# Configure mod_wsgi handler for /ipa
WSGIDaemonProcess ipa processes=2 threads=1 maximum-requests=500
WSGIProcessGroup ipa
WSGIApplicationGroup ipa
WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa
WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py
WSGIScriptReloading Off


# Turn off mod_msgi handler for errors, config, crl:

  SetHandler None


  SetHandler None


  SetHandler None


KrbConstrainedDelegationLock ipa

# Protect /ipa and everything below it in webspace with Apache Kerberos auth

  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate on
  KrbMethodK5Passwd on
  KrbServiceName HTTP
  KrbAuthRealms SYSTEMS.LAFAYETTE.EDU
  Krb5KeyTab /etc/httpd/conf/ipa.keytab
  KrbSaveCredentials on
  KrbConstrainedDelegation on
  Require valid-user
  ErrorDocument 401 /ipa/errors/unauthorized.html


# Turn off Apache authentication for sessions

  Satisfy Any
  Order Deny,Allow
  Allow from all



  Satisfy Any
  Order Deny,Allow
  Allow from all


# This is where we redirect on failed auth
Alias /ipa/errors "/usr/share/ipa/html"

# For the MIT Windows config files
Alias /ipa/config "/usr/share/ipa/html"

# Do no authentication on the directory that contains error messages

  SetHandler None
  AllowOverride None
  Satisfy Any
  Allow from all



# For CRL publishing
Alias /ipa/crl "/var/lib/pki-ca/publish"

  SetHandler None
  AllowOverride None
  Options Indexes FollowSymLinks
  Satisfy Any
  Allow from all



#  webUI  is now completely static, and served out of that directory
Alias /ipa/ui "/usr/share/ipa/ui"

  SetHandler None
  AllowOverride None
  Satisfy Any
  Allow from all




# Protect our CGIs

  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate on
  KrbMethodK5Passwd off
  KrbServiceName HTTP
  KrbAuthRealms SYSTEMS.LAFAYETTE.EDU
  Krb5KeyTab /etc/httpd/conf/ipa.keytab
  KrbSaveCredentials on
  Require valid-user
  ErrorDocument 401 /ipa/errors/unauthorized.html



# migration related pages
Alias /ipa/migration "/usr/share/ipa/migration"

AllowOverride None
Satisfy Any
Allow from all
Options ExecCGI
AddHandler wsgi-script .py



> 
> rob
> 

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE (#110-011-426)
System Administrator
11 Pardee Hall
Lafayette College, Easton, PA 18042

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] sudden ipa errors.

2012-09-20 Thread Nathan Lager


On 09/20/2012 11:43 AM, Rob Crittenden wrote:
> Lager, Nathan T. wrote:
>> 
>> - Original Message -
>>> From: "Rob Crittenden"  To: "Nathan Lager"
>>>  Cc: freeipa-users@redhat.com Sent:
>>> Wednesday, September 19, 2012 4:35:30 PM Subject: Re:
>>> [Freeipa-users] sudden ipa errors. Nathan Lager wrote:
>>>> -BEGIN PGP SIGNED MESSAGE- Hash: SHA1
>>>> 
>>>> 
>>>> 
>>>> On 09/19/2012 03:47 PM, Rob Crittenden wrote:
>>>>> Dmitri Pal wrote:
>>>>>> 
>>>>>> Rob, keytab and kerberos part seems to be fine, ldap
>>>>>> works too. Can it be one of the certs? May be some cert
>>>>>> expired?
>>>>> 
>>>>> No, the error is coming from GSSAPI, it is unfortunately 
>>>>> completely useless. I think we've pretty well narrowed down
>>>>> the problem to httpd/mod_auth_kerb but I don't know yet if
>>>>> this is a configuration issue or a bug.
>>>>> 
>>>>> Nathan, can you show me your /etc/httpd/conf.d/ipa.conf?
>>>> Sure, as far as I know it's completely stock, aside from the
>>>> krb password auth change.
>>> 
>>> Yup, configuration looks fine.
>>> 
>>> Ok, let's eliminate the ipa tool as the problem and try curl:
>>> 
>>> Create a file test.json with these contents:
>>> 
>>> {"method":"batch","params":[[ 
>>> {"method":"user_show","params":[["admin"],{"all":false}]} 
>>> ],{}],"id":1}
>>> 
>>> then run this:
>>> 
>>> curl -H "Content-Type:application/json" -H "Accept:application/json" \
>>>      -H "Accept-Language:en" -H "Referer: https://caroline0.lafayette.edu/ipa/xml" \
>>>      --negotiate -u : --cacert /etc/ipa/ca.crt -d @test.json -X POST \
>>>      https://caroline0.lafayette.edu/ipa/json
>>> 
>> Seems to be running into the same trouble.
>> 
>> [lagern@caroline0 PROD ~]$ curl -H "Content-Type:application/json" -H "Accept:application/json" \
>>      -H "Accept-Language:en" -H "Referer: https://caroline0.lafayette.edu/ipa/xml" \
>>      --negotiate -u : --cacert /etc/ipa/ca.crt -d @test.json -X POST \
>>      https://caroline0.lafayette.edu/ipa/json
>> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
>> 500 Internal Server Error
>> Internal Server Error
>> The server encountered an internal error or misconfiguration and was unable to complete your request.
>> Please contact the server administrator, root@localhost and inform them of the time the error occurred, and anything you might have done that may have caused the error.
>> More information about this error may be available in the server error log.
>> Apache/2.2.15 (Red Hat) Server at caroline0.lafayette.edu Port 443
> 
> Ok, need to gather some more info:
> 
> # kvno HTTP/caroline0.lafayette.edu
> # klist -kt /etc/httpd/conf/ipa.keytab
> 
[root@caroline0 PROD ~]# kvno HTTP/caroline0.lafayette.edu
HTTP/caroline0.lafayette@systems.lafayette.edu: kvno = 3
[root@caroline0 PROD ~]# klist -kt /etc/httpd/conf/ipa.keytab
Keytab name: WRFILE:/etc/httpd/conf/ipa.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 02/03/12 16:31:27 HTTP/caroline0.lafayette@systems.lafayette.edu
   2 02/03/12 16:31:27 HTTP/caroline0.lafayette@systems.lafayette.edu
   2 02/03/12 16:31:28 HTTP/caroline0.lafayette@systems.lafayette.edu
   2 02/03/12 16:31:28 HTTP/caroline0.lafayette@systems.lafayette.edu
   2 02/03/12 16:31:28 HTTP/caroline0.lafayette@systems.lafayette.edu
   2 02/03/12 16:31:28 HTTP/caroline0.lafayette@systems.lafayette.edu
   3 09/19/12 15:33:53 HTTP/caroline0.lafayette@systems.lafayette.edu
   3 09/19/12 15:33:53 HTTP/caroline0.lafayette@systems.lafayette.edu
   3 09/19/12 15:33:53 HTTP/caroline0.lafayette@systems.lafayette.edu
   3 09/19/12 15:33:53 HTTP/caroline0.lafayette@systems.lafayette.edu



> rob


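The kvno/keytab comparison Rob asks for, as an added example that is not from the thread or from FreeIPA: it parses both outputs and reports whether the keytab still holds the key version the KDC is issuing tickets with. The sample output is constructed from the numbers posted above (kvno 3 at the KDC, versions 2 and 3 in the keytab); the principal and realm spelling are assumed.

```python
import re
from typing import Dict, Set

# Constructed sample output in the shape of the thread's `klist -kt` and `kvno`
# runs. The principal/realm spelling is assumed (the list archive mangled it).
KLIST_KT_OUTPUT = """\
Keytab name: WRFILE:/etc/httpd/conf/ipa.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 02/03/12 16:31:27 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU
   2 02/03/12 16:31:27 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU
   3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU
   3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU
"""
KVNO_OUTPUT = "HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU: kvno = 3\n"

# "   2 02/03/12 16:31:27 HTTP/host@REALM" -> (kvno, timestamp, principal)
KEYTAB_LINE = re.compile(r"^\s*(\d+)\s+(\S+\s+\S+)\s+(\S+)\s*$")
# "HTTP/host@REALM: kvno = 3"
KVNO_LINE = re.compile(r"^(\S+): kvno = (\d+)$")


def parse_klist_kt(text: str) -> Dict[str, Set[int]]:
    """Map each principal in `klist -kt` output to the key versions the keytab holds."""
    versions: Dict[str, Set[int]] = {}
    for line in text.splitlines():
        m = KEYTAB_LINE.match(line)
        if m:  # the 'Keytab name:', header and separator lines do not match
            versions.setdefault(m.group(3), set()).add(int(m.group(1)))
    return versions


def parse_kvno(text: str) -> Dict[str, int]:
    """Map each principal in `kvno` output to the key version the KDC currently uses."""
    current: Dict[str, int] = {}
    for line in text.splitlines():
        m = KVNO_LINE.match(line.strip())
        if m:
            current[m.group(1)] = int(m.group(2))
    return current


def check_keytab(klist_text: str, kvno_text: str) -> Dict[str, str]:
    """Verdict per principal the KDC reported:
    'ok'      the keytab holds the key version the KDC issues tickets with
    'stale'   the keytab only holds older versions, so no service ticket
              for this principal can be decrypted (the classic post-re-key symptom)
    'missing' the principal is not in the keytab at all
    """
    keytab = parse_klist_kt(klist_text)
    verdicts: Dict[str, str] = {}
    for principal, kvno in parse_kvno(kvno_text).items():
        held = keytab.get(principal, set())
        if not held:
            verdicts[principal] = "missing"
        elif kvno in held:
            verdicts[principal] = "ok"
        else:
            verdicts[principal] = "stale"
    return verdicts


if __name__ == "__main__":
    for principal, verdict in check_keytab(KLIST_KT_OUTPUT, KVNO_OUTPUT).items():
        print(f"{principal}: {verdict}")
```

For the values posted in the thread the verdict is "ok", which is why the keytab could be ruled out as the cause.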


Re: [Freeipa-users] sudden ipa errors.

2012-09-20 Thread Nathan Lager


On 09/20/2012 02:28 PM, Rob Crittenden wrote:
> Nathan Lager wrote:

Re: [Freeipa-users] sudden ipa errors.

2012-09-21 Thread Nathan Lager



On 09/21/2012 10:18 AM, Rob Crittenden wrote:
> Lager, Nathan T. wrote:
>> Well, after all of this, RedHat support just resolved my issue!
>> 
>> It came down to the domain_realm definitions in /etc/krb5.conf.
>> 
>> They had me change:
>> 
>> [domain_realm]
>>  .systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
>>  systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
>> 
>> To:
>> 
>> [domain_realm]
>>  .systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
>>  systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
>>  .lafayette.edu = SYSTEMS.LAFAYETTE.EDU
>>  lafayette.edu = SYSTEMS.LAFAYETTE.EDU
>> 
>> After doing so, I restarted IPA, and my commands are working
>> properly now!
>> 
>> Now, to get my replica back in order...
> 
> Wow. OK, I'm glad it's working. Do we have any idea how this file 
> changed? Is it wrong on all your clients or only on this one
> master?
> 
It appears wrong on my replica as well, caroline1.  There are no
clients currently, other than RHEV.

I only have one lingering issue, aside from my replica being broken.

I still can't reset admin's password. It gives me the same error it was
before.

[root@caroline0 PROD ~]# kinit admin
Password for ad...@systems.lafayette.edu:
Password expired.  You must change it now.
Enter new password:
Enter it again:
kinit: Password has expired while getting initial credentials




> rob

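To show what the [domain_realm] change above actually does, here is an added example (not from the thread or from FreeIPA) that parses both versions of the section and runs the host-to-realm lookup the way libkrb5 performs it for a service principal: exact host name first, then each parent domain with a leading dot. The IPA server's DNS name sits in lafayette.edu while its realm is SYSTEMS.LAFAYETTE.EDU, so the lookup for caroline0.lafayette.edu finds nothing before the fix and SYSTEMS.LAFAYETTE.EDU after it; the conf fragments are constructed from the lines posted.

```python
from typing import Dict, Optional

# Constructed krb5.conf fragments reproducing the before/after [domain_realm]
# sections from the thread; the rest of krb5.conf is left out.
KRB5_CONF_BEFORE = """\
[domain_realm]
 .systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
 systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
"""
KRB5_CONF_AFTER = KRB5_CONF_BEFORE + """\
 .lafayette.edu = SYSTEMS.LAFAYETTE.EDU
 lafayette.edu = SYSTEMS.LAFAYETTE.EDU
"""


def parse_domain_realm(conf: str) -> Dict[str, str]:
    """Return the [domain_realm] entries of a krb5.conf text as {name: REALM}.

    Only '#' comments and plain 'name = REALM' lines are handled, which is all
    that section normally contains. Names are lower-cased, as libkrb5 expects.
    """
    mapping: Dict[str, str] = {}
    in_section = False
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            in_section = line == "[domain_realm]"
        elif in_section and "=" in line:
            name, realm = (part.strip() for part in line.split("=", 1))
            mapping[name.lower()] = realm
    return mapping


def host_to_realm(hostname: str, mapping: Dict[str, str]) -> Optional[str]:
    """Static domain_realm lookup in the order libkrb5 tries it: the exact host
    name first, then each parent domain with a leading dot, longest first.

    None means no entry matched; libkrb5 would then fall back to DNS and, failing
    that, to the upper-cased parent domain, which is not the realm this KDC serves.
    """
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return None


if __name__ == "__main__":
    for label, conf in (("before", KRB5_CONF_BEFORE), ("after", KRB5_CONF_AFTER)):
        realm = host_to_realm("caroline0.lafayette.edu", parse_domain_realm(conf))
        print(f"{label}: caroline0.lafayette.edu -> {realm}")
```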
Re: [Freeipa-users] sudden ipa errors.

2012-09-21 Thread Nathan Lager



On 09/21/2012 11:07 AM, Nathan Lager wrote:
> 
> 
> On 09/21/2012 10:18 AM, Rob Crittenden wrote:
>> Lager, Nathan T. wrote:
>>> Well, after all of this, RedHat support just resolved my
>>> issue!
>>> 
>>> It came down to the domain_realm definitions in
>>> /etc/krb5.conf.
>>> 
>>> They had me change:
>>> 
>>> [domain_realm]
>>>  .systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
>>>  systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
>>> 
>>> To:
>>> 
>>> [domain_realm]
>>>  .systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
>>>  systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
>>>  .lafayette.edu = SYSTEMS.LAFAYETTE.EDU
>>>  lafayette.edu = SYSTEMS.LAFAYETTE.EDU
>>> 
>>> After doing so, I restarted IPA, and my commands are working 
>>> properly now!
>>> 
>>> Now, to get my replica back in order...
> 
>> Wow. OK, I'm glad it's working. Do we have any idea how this file
>>  changed? Is it wrong on all your clients or only on this one 
>> master?
> 
> It appears wrong on my replica as well, caroline1.  There are no 
> clients currently, other than RHEV.
> 
> I only have one lingering issue, aside from my replica being
> broken.
> 
> I still can't reset admin's password. It gives me the same error it
> was before.
> 
> [root@caroline0 PROD ~]# kinit admin
> Password for ad...@systems.lafayette.edu:
> Password expired.  You must change it now.
> Enter new password:
> Enter it again:
> kinit: Password has expired while getting initial credentials
> 
> 
Fixed this, on a hunch.  When the password expired, the pwpolicy was
set to 90 days. RedHat Support had me change it to  days to
effectively disable it so others wouldn't expire (because no one could
change passwords).

I had a hunch that because the policy was now set greater than the
time it's been since admin last changed his password, ipa was
getting confused when I attempted to change the expired pass.  So I
set it back to 90.  It let me change the expired password.

That might be worthy of a bug report.


> 
> 
>> rob

Re: [Freeipa-users] sudden ipa errors.

2012-09-21 Thread Nathan Lager
Sure thing, can you point me to where I'd do so?  I usually have this
sort of thing taken care of via a RedHat support ticket, and the
support rep creates the bug report.


On 09/21/2012 11:19 AM, Dmitri Pal wrote:
>> That, might be worthy of a bug report.
>> 
>> 
> Can you please file one?
> 
