[Freeipa-users] Discussion: What would be the best way to create service principals via provisioning
Hi all,

I'm open to hearing some opinions and thoughts on what the best way would be to auto-provision service principals in an environment with a 100% autonomous build process. Let's say, for example, I wanted to provision a mail server and configure dovecot SSO in the same process.

Obviously something like this would be terrible in a production environment, as having this in the %post of a kickstart gives away the admin password:

    %post
    echo redhat123 | kinit admin
    ipa service-add imap/$(hostname)
    ipa-getkeytab -s ds01.example.com -p imap/$(hostname) -k /etc/dovecot/krb5.keytab

Is there a more secure way to perform such a task via kickstart or another provisioning method?

Thanks all

Dale

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Upgraded, login + password webui auth and ssh token manipulation gone
On Mon, Mar 11, 2013 at 01:21:26AM -0400, Tim Hildred wrote:
> It definitely wasn't a policy problem. I couldn't even use ipa passwd as admin from the command line; there was a connection error. The upgrade meant my IPA server was straight borked. The solution? Revert to a previous snapshot, and continue using the old, working IPA (2.0.0-23.el6_1.2).

Maybe instead of trying to upgrade directly from 2.0 to 3.0, a step in between like 2.0-2.1-3.0 would be better? To be on the safe side you might want to include 2.2 as well in the upgrade path.

HTH

bye,
Sumit

> And I learned a valuable lesson: if it ain't broke, don't upgrade.
>
> Tim Hildred, RHCE
> Content Author II - Engineering Content Services, Red Hat, Inc.
> Brisbane, Australia
> Email: thild...@redhat.com
> Internal: 8588287
> Mobile: +61 4 666 25242
> IRC: thildred
>
> ----- Original Message -----
> From: Dmitri Pal d...@redhat.com
> To: freeipa-users@redhat.com
> Sent: Saturday, March 9, 2013 5:19:51 AM
> Subject: Re: [Freeipa-users] Upgraded, login + password webui auth and ssh token manipulation gone
>
> On 03/07/2013 11:47 PM, Tim Hildred wrote:
>> Hello,
>>
>> I have been using IPA for authentication with a RHEV environment. Quite a while ago, I got help from this list in making it so that my users could access the WebUI with their login and passwords, no Kerberos ticket required. I also had it working that when their passwords expired, they would ssh to the IPA server as themselves, get challenged for their current password, and then get the opportunity to provide a new one.
>>
>> The update to ipa-server 3.0.0-25.el6 means that I can no longer log into the WebUI with just a login and password (see attached screenshot) and that users who try to update expired passwords get:
>>
>>     You must change your password now and login again!
>>     Changing password for user juwu.
>>     Current Password:
>>     New password:
>>     Retype new password:
>>     Password change failed. Server message: Password not changed. It seems that password might have not matched the server policy.
>
> Have you tried different users and different passwords? What does the kerberos log on the server show? It will give you some hint about the reason why the password was rejected. It might be that the password you are trying to use is already in the history of passwords. AFAIR there was a bug that we did not handle the history of passwords properly in some cases. Now that it is fixed you might see proper policy enforcement.
>
>>     Insufficient access to perform requested operation while trying to change password.
>>     passwd: Authentication token manipulation error
>>     Connection to dns1.ecs-cloud.lab.eng.bne.redhat.com closed.
>>
>> Can anyone help me restore that functionality? Please?
>>
>> Tim Hildred, RHCE
>
> --
> Thank you,
> Dmitri Pal
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
> ---
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
Re: [Freeipa-users] ipa-* tools throws errors
Hello David,

I am still not convinced that this issue is not caused by DNS. This is what we do in the ipa command:

1) We primarily try to connect to the server that is defined in /etc/ipa/default.conf in the server option
2) If it is not available, we try to fall back to other IPA servers, which are resolved via a DNS SRV query for _ldap._tcp.DOMAIN, where DOMAIN is also read from /etc/ipa/default.conf

I do not see any other path by which this server could get to ipa. This is why I suggested running the DNS query on the machine where you run the client:

    # dig -t srv _ldap._tcp.esci.millersville.edu

It could help us see if the server is coming from this direction.

As for the KRB5CCNAME appearing on your real IPA server, AFAIU this environment variable is set by the mod_auth_kerb plugin for httpd (we configure it in /etc/httpd/conf.d/ipa.conf; KrbSaveCredentials should be on so that we can get the KRB5CCNAME). You can also try restarting httpd and see if that changes anything.

Martin

On 03/08/2013 06:03 PM, David Fitzgerald wrote:
> Thanks for getting back to me!
>
> I don't think the problem has anything to do with DNS. I (finally) ran an ipa command with the verbose flags -vv and found that it IS trying to contact aurora.esci.millersville.edu; it fails, then tries to contact cyclone.esci.millersville.edu (still don't know where that comes from). I am getting an 'Internal Server Error' in the output when connecting to aurora. Here is the output:
>
>     % ipa -vv passwd
>     ipa: INFO: trying https://aurora.esci.millersville.edu/ipa/xml
>     send: u'POST /ipa/xml HTTP/1.0\r\nHost: aurora.esci.millersville.edu\r\nAccept-Language: en-us\r\nReferer: https://aurora.esci.millersville.edu/ipa/xml\r\nAuthorization: negotiate SNIPPED OUT THE KEY STRING ...
>     send: <?xml version='1.0' encoding='UTF-8'?>\n<methodCall>\n<methodName>ping</methodName>\n<params>\n</params>\n</methodCall>\n
>     reply: 'HTTP/1.1 500 Internal Server Error\r\n'
>     header: Date: Fri, 08 Mar 2013 16:52:48 GMT
>     header: Server: Apache/2.2.15 (Scientific Linux)
>     header: WWW-Authenticate: Negotiate YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvjoEMIFJxPVNU4jtl/7S+eC6fM0rlJWpV1fJdhoVTKwiR2pa2OHQWRtCjQDfz pBNwNBpt1fMY7M4Bfrqs860toAT6jMfS8Jkqh3Aj9OeuEmpEVHys5pbErjj14OPHxbxTmLdPxFE8eV4ZIDQg40a8
>     header: Content-Length: 311
>     header: Connection: close
>     header: Content-Type: text/html; charset=utf-8
>     ipa: INFO: trying https://cyclone.esci.millersville.edu/ipa/xml
>     ipa: ERROR: Kerberos error: Service u'h...@cyclone.esci.millersville.edu' not found in Kerberos database/
>
> The apache error log gives this:
>
>     Fri Mar 08 11:52:48 2013] [error] ipa: ERROR: 500 Internal Server Error: xmlserver.__call__: KRB5CCNAME not defined in HTTP request environment.
>
> I have no idea what that means. Can you help?
>
> -----Original Message-----
> From: Martin Kosek [mailto:mko...@redhat.com]
> Sent: Wednesday, March 06, 2013 3:05 AM
> To: David Fitzgerald
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] ipa-* tools throws errors
>
> Ok. Can you try if this hostname is not returned in a SRV DNS record discovery run on the host where you execute the ipa commands?
>
>     # dig -t srv _ldap._tcp.esci.millersville.edu
>
> Does it return the right results?
>
> Martin
>
> On 03/05/2013 07:26 PM, David Fitzgerald wrote:
>> The host command returns the correct name:
>>
>>     # host 166.66.65.39
>>     39.65.66.166.in-addr.arpa domain name pointer aurora.esci.millersville.edu.
>>
>> -----Original Message-----
>> From: Martin Kosek [mailto:mko...@redhat.com]
>> Sent: Tuesday, March 05, 2013 10:26 AM
>> To: David Fitzgerald
>> Cc: freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] ipa-* tools throws errors
>>
>> On 03/05/2013 04:21 PM, David Fitzgerald wrote:
>>> Hello everyone,
>>>
>>> I have been running a freeIPA server on Scientific Linux 6.2 for about a year. Yesterday I started not being able to run any ipa- commands. Running kinit admin gives me the proper tickets, but when I run any ipa- command I get the following error:
>>>
>>>     ipa: ERROR: Kerberos error: Service u'h...@cyclone.esci.millersville.edu' not found in Kerberos database/.
>>>
>>> I have no idea where the cyclone.esci.millersville.edu is coming from, as that used to be a Windows Domain server that was decommissioned years ago and is no longer in DNS, nor in /etc/hosts. I even ran grep -R on all of the files in /etc and none refer to cyclone. I checked the ipa config and krb5.conf files and they are pointing at the proper ipa server. Checking log files I get these messages when I try to run ipa commands:
>>>
>>> /var/log/httpd/error_log:
>>>
>>>     Tue Mar 05 08:57:54 2013] [error] ipa: ERROR: 500 Internal Server Error: xmlserver.__call__: KRB5CCNAME not defined in HTTP request environment
>>>
>>> /var/log/ipa:
>>>
>>>     Mar 05 09:57:00 aurora.esci.millersville.edu krb5kdc[12534](info): TGS_REQ (4 etypes {18 17 16 23}) 166.66.65.39: ISSUE: authtime 1362491436, etypes {rep=18 tkt=18 ses=18},
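To make the two-step server selection Martin describes visible on a client, here is an added diagnostic (not code from the thread or from FreeIPA): it reads the server and domain from /etc/ipa/default.conf, runs the same _ldap._tcp SRV query, and reports every fallback target that is not the configured server, flagging a target that no longer resolves (a decommissioned host left in the zone) as a stale record. It assumes dig and host are installed and the stock default.conf layout with "server = " and "domain = " keys.

```shell
#!/bin/sh
# Added diagnostic, not code from the thread or from FreeIPA. Reproduces the
# client's server selection: the server from /etc/ipa/default.conf first, then
# whatever the _ldap._tcp.DOMAIN SRV records point at. Any SRV target that is
# not the configured server is printed; one that does not resolve is stale.
# Assumes the stock default.conf layout ("server = ..." and "domain = ...").
set -eu

# Read key $2 from ini-style file $1 (first match wins).
ipa_conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# $1: configured server FQDN; $2: "dig +short -t srv" output, one
# "priority weight port target." record per line. Prints each target that is
# not the configured server, trailing dot stripped, one per line.
stale_srv_targets() {
    printf '%s\n' "$2" | while read -r prio weight port target; do
        [ -n "$target" ] || continue
        target=${target%.}
        [ "$target" = "$1" ] || printf '%s\n' "$target"
    done
}

# Run the check on a live client ($1: config file, default /etc/ipa/default.conf).
# Returns 1 if any fallback target is not the configured server.
check_discovery() {
    conf=${1:-/etc/ipa/default.conf}
    server=$(ipa_conf_get "$conf" server)
    domain=$(ipa_conf_get "$conf" domain)
    echo "configured server: $server"
    echo "SRV lookup: _ldap._tcp.$domain"
    srv=$(dig +short -t srv "_ldap._tcp.$domain")
    stale=$(stale_srv_targets "$server" "$srv")
    [ -n "$stale" ] || { echo "no fallback targets other than $server"; return 0; }
    echo "fallback targets that are not the configured server:"
    for t in $stale; do
        if host "$t" >/dev/null 2>&1; then
            echo "  $t (resolves; verify it really is an IPA replica)"
        else
            echo "  $t (does not resolve: stale SRV record)"
        fi
    done
    return 1
}

case "${1:-}" in
    --check) check_discovery "${2:-}" ;;
esac
```

Run it as `sh discovery-check.sh --check` on the client where the ipa commands fail; on the thread's zone it would list cyclone.esci.millersville.edu as a non-resolving fallback.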
Re: [Freeipa-users] Discussion: What would be the best way to create service principals via provisioning
Hi,

Dale Macartney wrote:
> I'm open to hearing some opinions and thoughts on what the best way would be to auto-provision service principals in an environment with a 100% autonomous build process. Let's say, for example, I wanted to provision a mail server and configure dovecot SSO in the same process.
>
> Obviously something like this would be terrible in a production environment, as having this in the %post of a kickstart gives away the admin password:
>
>     %post
>     echo redhat123 | kinit admin
>     ipa service-add imap/$(hostname)
>     ipa-getkeytab -s ds01.example.com -p imap/$(hostname) -k /etc/dovecot/krb5.keytab
>
> Is there a more secure way to perform such a task via kickstart or another provisioning method?

How about having service-add/ipa-getkeytab done on the server, and having the keytab deployed onto the client system using scp from the server, or via config management?

Christian
Re: [Freeipa-users] Discussion: What would be the best way to create service principals via provisioning
On 03/11/2013 11:04 AM, Christian Horn wrote:
> How about having service-add/ipa-getkeytab done on the server, and having the keytab deployed onto the client system using scp from the server, or via config management?

That definitely gets around the security concerns, however it still requires some manual intervention... the keytab could be pushed using config management, but generating it in the first place still requires work as a trusted user.
Re: [Freeipa-users] Discussion: What would be the best way to create service principals via provisioning
Dale Macartney wrote:
> On 03/11/2013 11:04 AM, Christian Horn wrote:
>> How about having service-add/ipa-getkeytab done on the server, and having the keytab deployed onto the client system using scp from the server, or via config management?
>
> That definitely gets around the security concerns, however it still requires some manual intervention... the keytab could be pushed using config management, but generating it in the first place still requires work as a trusted user.

Yes, but this could be automated. If you deploy e.g. with cobbler, there were IIRC hooks so one can do server-side tasks as soon as a system gets added. So the secret could be embedded in a script there.

Christian
Re: [Freeipa-users] Discussion: What would be the best way to create service principals via provisioning
On 03/11/2013 11:39 AM, Christian Horn wrote:
> Dale Macartney wrote:
>> That definitely gets around the security concerns, however it still requires some manual intervention... the keytab could be pushed using config management, but generating it in the first place still requires work as a trusted user.
>
> Yes, but this could be automated. If you deploy e.g. with cobbler, there were IIRC hooks so one can do server-side tasks as soon as a system gets added. So the secret could be embedded in a script there.

In my current lab, I just use my own script which pushes API calls to RHEV to deploy machines. I know there is a way to use a user keytab to auth to IPA. I could do that and have my provisioning script push the necessary admin commands and leave the client to pull to the client during %post... I guess it depends on the provisioning model within the organisation.
Re: [Freeipa-users] Discussion: What would be the best way to create service principals via provisioning
On 03/11/2013 07:43 AM, Dale Macartney wrote:
> On 03/11/2013 11:39 AM, Christian Horn wrote:
>> Yes, but this could be automated. If you deploy e.g. with cobbler, there were IIRC hooks so one can do server-side tasks as soon as a system gets added. So the secret could be embedded in a script there.
>
> In my current lab, I just use my own script which pushes API calls to RHEV to deploy machines. I know there is a way to use a user keytab to auth to IPA. I could do that and have my provisioning script push the necessary admin commands and leave the client to pull to the client during %post... I guess it depends on the provisioning model within the organisation.

For things to work right, the provisioning service MUST have some behind-the-scenes interaction with IPA. This is what we always had in mind. Let us say that the provisioning system is called P.

Setup:
1) Create a principal for P
2) Provision a keytab for P
3) Make P use the IPA interfaces, authenticating as the P principal using the keytab
4) Make sure P has the right permissions to manage other hosts
5) Make P store the IPA public cert

Provisioning sequence:
1) User/script requests provisioning of a system
2) P connects to IPA and creates a host entry in IPA; an OTP is returned
3) P provides the IPA public cert for the new machine
4) P inserts the OTP into the kickstart for the system to join IPA
5) If provisioning of the identity fails, P should disable the host in IPA to make sure that the OTP has not been stolen and used to provision some other fake system.

This is how things should work in a perfect world.

--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
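A worked version of this setup and provisioning sequence, added here as an example and not code from the thread or from FreeIPA: a POSIX shell script for the server side of the provisioning system P. It assumes a dedicated provisioner principal and keytab and an output directory (all placeholder names), that P has been granted the host and service management permissions from the setup steps, and that, as FreeIPA allows, the enrolled host can fetch the keytab of a service it manages using its own host credentials, so the client only ever sees a one-time password; the CA-cert step of the sketch is left out.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA. Server side of the
# sketch above: the provisioning system P authenticates with its own keytab,
# creates the host and its IMAP service, and hands the client nothing but a
# one-time password (OTP) inside the kickstart %post. No admin password ever
# reaches the client. Principal, keytab path and output directory are
# placeholder assumptions; the CA-cert step of the sketch is omitted.
set -eu

P_PRINCIPAL=provisioner@EXAMPLE.COM   # assumed: a role-limited principal, not admin
P_KEYTAB=/etc/provisioner.keytab      # assumed: path of P's keytab
POST_DIR=/var/lib/provisioner         # assumed: where rendered %post snippets go
IPA_SERVER=ds01.example.com           # the server name used in the thread's example

# Extract the OTP from "ipa host-add --random" output ("  Random password: ...").
# Pure text processing, so it can be checked against captured output offline.
otp_from_host_add() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Random password:[[:space:]]*//p' | head -n 1
}

# Render the %post for host $1 with OTP $2. The OTP enrolls exactly this host;
# after that the host keytab is enough to fetch keytabs for services the host
# manages (IPA records the host as manager of imap/<host> at service-add).
render_post() {
    cat <<EOF
%post
ipa-client-install --unattended --hostname=$1 --password='$2'
# Use the fresh host credentials, never an admin password, for the service keytab.
kinit -kt /etc/krb5.keytab host/$1
ipa-getkeytab -s $IPA_SERVER -p imap/$1 -k /etc/dovecot/krb5.keytab
kdestroy
%end
EOF
}

# Steps 2 and 4 of the sequence: create the host (which yields the OTP), create
# the service entry, and write the %post the kickstart generator will include.
provision_host() {
    fqdn=$1
    kinit -kt "$P_KEYTAB" "$P_PRINCIPAL"
    out=$(ipa host-add "$fqdn" --random)
    otp=$(otp_from_host_add "$out")
    if [ -z "$otp" ]; then
        echo "no OTP returned for $fqdn; not writing %post" >&2
        kdestroy
        return 1
    fi
    ipa service-add "imap/$fqdn"
    umask 077                          # the OTP is a secret until it is consumed
    render_post "$fqdn" "$otp" > "$POST_DIR/$fqdn.post"
    kdestroy
}

# Step 5: enrollment did not complete, so disable the host. That invalidates the
# OTP and any key it could have produced before anything else can use it.
on_enroll_failed() {
    kinit -kt "$P_KEYTAB" "$P_PRINCIPAL"
    ipa host-disable "$1"
    kdestroy
}

case "${1:-}" in
    provision) provision_host "$2" ;;
    failed)    on_enroll_failed "$2" ;;
esac
```

The build pipeline calls `provision.sh provision mail01.example.com` before generating the kickstart and `provision.sh failed mail01.example.com` if the enrollment never reports back.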
Re: [Freeipa-users] ipa-* tools throws errors
Here is the output of the dig command. Cyclone does show up here, but our networking people say there are no srv records in our current db. I still think the trouble I am having has to do with the Internal Server Error I get when I run ipa commands.

    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6.3 <<>> -t srv _ldap._tcp.esci.millersville.edu
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27213
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

    ;; QUESTION SECTION:
    ;_ldap._tcp.esci.millersville.edu. IN SRV

    ;; ANSWER SECTION:
    _ldap._tcp.esci.millersville.edu. 600 IN SRV 0 100 389 cyclone.esci.millersville.edu.

    ;; AUTHORITY SECTION:
    _tcp.esci.millersville.edu. 3600 IN NS corsair.millersville.edu.
    _tcp.esci.millersville.edu. 3600 IN NS garfield.millersville.edu.

    ;; ADDITIONAL SECTION:
    corsair.millersville.edu. 3600 IN A 192.206.29.2
    garfield.millersville.edu. 3600 IN A 166.66.86.144

    ;; Query time: 1 msec
    ;; SERVER: 166.66.86.144#53(166.66.86.144)
    ;; WHEN: Mon Mar 11 13:55:36 2013
    ;; MSG SIZE rcvd: 176
Re: [Freeipa-users] ipa-* tools throws errors
On 03/11/2013 02:05 PM, David Fitzgerald wrote:
> Here is the output of the dig command. Cyclone does show up here, but our networking people say there are no srv records in our current db. I still think the trouble I am having has to do with the Internal Server Error I get when I run ipa commands.
>
>     ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6.3 <<>> -t srv _ldap._tcp.esci.millersville.edu
>     ;; global options: +cmd
>     ;; Got answer:
>     ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27213
>     ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
>
>     ;; QUESTION SECTION:
>     ;_ldap._tcp.esci.millersville.edu. IN SRV
>
>     ;; ANSWER SECTION:
>     _ldap._tcp.esci.millersville.edu. 600 IN SRV 0 100 389 cyclone.esci.millersville.edu.
>
>     ;; AUTHORITY SECTION:
>     _tcp.esci.millersville.edu. 3600 IN NS corsair.millersville.edu.
>     _tcp.esci.millersville.edu. 3600 IN NS garfield.millersville.edu.
>
>     ;; ADDITIONAL SECTION:
>     corsair.millersville.edu. 3600 IN A 192.206.29.2
>     garfield.millersville.edu. 3600 IN A 166.66.86.144
>
>     ;; Query time: 1 msec
>     ;; SERVER: 166.66.86.144#53(166.66.86.144)
>     ;; WHEN: Mon Mar 11 13:55:36 2013
>     ;; MSG SIZE rcvd: 176

It looks like the web server on aurora isn't configured for kerberos auth on the ipa/xml location. If it were, it would have created a KRB5CCNAME before handing the request to IPA. IPA is complaining it can't find the kerberos credentials. Your client then falls back to the server it found in your dns srv record. I can't explain that srv record or whether you've got a valid IPA server running there or not.

I would check the apache config on aurora. Do you have a /etc/httpd/conf.d/ipa.conf file? Are there any .rpmnew files under /etc/httpd? Have you restarted httpd on aurora? What are the contents of /etc/httpd/conf.d/ipa.conf?
--
John Dennis jden...@redhat.com