[Freeipa-users] Re: CCacheError: did not receive Kerberos credentials

2018-01-17 Thread Rob Crittenden via FreeIPA-users
Dimitris Zilaskos wrote:
> Hi,
> 
> Just wondering if anyone had the time to take a look at this. My
> understanding is that everything works up to the point that kerberos
> authentication takes place successfully, but for some reason the ticket
> obtained does not get stored.

I guess I'd try to debug it outside of certmonger.

Try a typical IPA command with verbose output:

% ipa -vvv user-show admin

You should see the Kerberos negotiation happening on the client side. If
that request still fails then I think we'd need to see the Apache
mod_auth_kerb configuration along with the client-side output (and
anything that looks interesting on the server side). It's unlikely that
anything changed but one never knows.

rob

> 
> Best regards,
> 
> Dimitrios
> 
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: CCacheError: did not receive Kerberos credentials

2018-01-17 Thread Dimitris Zilaskos via FreeIPA-users
Hi,

Just wondering if anyone had the time to take a look at this. My
understanding is that everything works up to the point that kerberos
authentication takes place successfully, but for some reason the ticket
obtained does not get stored.

Best regards,

Dimitrios

On Mon, Jan 15, 2018 at 9:21 PM, Dimitris Zilaskos wrote:

> Thank you for your reply. I just retried with debug enabled but I cannot
> say I see anything useful.
>
>
> I was wondering if I somehow can debug the kerberos procedure more...or
> get rid of memcache for debug purposes.
>
> Best regards,
>
> Dimitrios
>
>
> On Mon, Jan 15, 2018 at 8:49 PM, Rob Crittenden wrote:
>
>> Dimitris Zilaskos via FreeIPA-users wrote:
>> > Hello,
>> >
>> > I have been asked to look into an ipa server running in CentOS 6. The
>> > server was misbehaving for some time, with some certificates expiring
>> > back in October. Also / was full. I have cleaned up some space, set the
>> > date back before the certificates expired, restarted/rebooted but
>> > renewal of certs fails:
>> >
>> > [Wed Oct 25 00:00:21 2017] [info] Connection to child 0 established
>> > (server portal.cloud.local, client 10.142.20.10)
>> > [Wed Oct 25 00:00:21 2017] [debug] nss_engine_init.c(1948): SNI: Found
>> > nickname Server-Cert for vhost: portal.cloud.local
>> > [Wed Oct 25 00:00:21 2017] [debug] nss_engine_init.c(1970): SNI:
>> > Successfully paired vhost portal.cloud.local with nickname: Server-Cert
>> > [Wed Oct 25 00:00:21 2017] [debug] nss_engine_kernel.c(93): SNI request
>> > for portal.cloud.local
>> > [Wed Oct 25 00:00:21 2017] [info] Initial (No.1) HTTPS request received
>> > for child 0 (server portal.cloud.local:443)
>> > [Wed Oct 25 00:00:21 2017] [error] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
>> > [Wed Oct 25 00:00:21 2017] [error] ipa: DEBUG: WSGI xmlserver.__call__:
>> > [Wed Oct 25 00:00:21 2017] [error] ipa: ERROR: 500 Internal Server
>> > Error: xmlserver.__call__: KRB5CCNAME not defined in HTTP request
>> > environment
>> > [Wed Oct 25 00:00:21 2017] [error] ipa: DEBUG: response: CCacheError:
>> > did not receive Kerberos credentials
>> > [Wed Oct 25 00:00:21 2017] [info] Connection to child 0 closed (server
>> > portal.cloud.local:443, client 10.142.20.10)
>> >
>> > I can do kinit admin without problems. Please any hints how can I
>> > resolve this?
>> >
>>
>> This isn't much to go on.
>>
>> You might create /etc/ipa/server.conf with the contents:
>>
>> [global]
>> debug = True
>>
>> and restart IPA. It should provide more information on the incoming
>> request.
>>
>> certmonger logs to syslog so I'd check there for details from the renewal.
>>
>> Knowing the state of the certs tracked by certmonger would be helpful
>> too (be sure to redact any PIN that might be in the getcert list output).
>>
>> rob
>>
>
>


[Freeipa-users] Re: CCacheError: did not receive Kerberos credentials

2018-01-15 Thread Dimitris Zilaskos via FreeIPA-users
Thank you for your reply. I just retried with debug enabled but I cannot
say I see anything useful.


I was wondering if I somehow can debug the kerberos procedure more...or get
rid of memcache for debug purposes.

Best regards,

Dimitrios


On Mon, Jan 15, 2018 at 8:49 PM, Rob Crittenden wrote:

> Dimitris Zilaskos via FreeIPA-users wrote:
> > Hello,
> >
> > I have been asked to look into an ipa server running in CentOS 6. The
> > server was misbehaving for some time, with some certificates expiring
> > back in October. Also / was full. I have cleaned up some space, set the
> > date back before the certificates expired, restarted/rebooted but
> > renewal of certs fails:
> >
> > [Wed Oct 25 00:00:21 2017] [info] Connection to child 0 established
> > (server portal.cloud.local, client 10.142.20.10)
> > [Wed Oct 25 00:00:21 2017] [debug] nss_engine_init.c(1948): SNI: Found
> > nickname Server-Cert for vhost: portal.cloud.local
> > [Wed Oct 25 00:00:21 2017] [debug] nss_engine_init.c(1970): SNI:
> > Successfully paired vhost portal.cloud.local with nickname: Server-Cert
> > [Wed Oct 25 00:00:21 2017] [debug] nss_engine_kernel.c(93): SNI request
> > for portal.cloud.local
> > [Wed Oct 25 00:00:21 2017] [info] Initial (No.1) HTTPS request received
> > for child 0 (server portal.cloud.local:443)
> > [Wed Oct 25 00:00:21 2017] [error] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
> > [Wed Oct 25 00:00:21 2017] [error] ipa: DEBUG: WSGI xmlserver.__call__:
> > [Wed Oct 25 00:00:21 2017] [error] ipa: ERROR: 500 Internal Server
> > Error: xmlserver.__call__: KRB5CCNAME not defined in HTTP request
> > environment
> > [Wed Oct 25 00:00:21 2017] [error] ipa: DEBUG: response: CCacheError:
> > did not receive Kerberos credentials
> > [Wed Oct 25 00:00:21 2017] [info] Connection to child 0 closed (server
> > portal.cloud.local:443, client 10.142.20.10)
> >
> > I can do kinit admin without problems. Please any hints how can I
> > resolve this?
> >
>
> This isn't much to go on.
>
> You might create /etc/ipa/server.conf with the contents:
>
> [global]
> debug = True
>
> and restart IPA. It should provide more information on the incoming
> request.
>
> certmonger logs to syslog so I'd check there for details from the renewal.
>
> Knowing the state of the certs tracked by certmonger would be helpful
> too (be sure to redact any PIN that might be in the getcert list output).
>
> rob
>


Attachments: certmonger.log, getcertlist.log, httperror.log, krb5kdc.log


[Freeipa-users] Re: CCacheError: did not receive Kerberos credentials

2018-01-15 Thread Rob Crittenden via FreeIPA-users
Dimitris Zilaskos via FreeIPA-users wrote:
> Hello,
> 
> I have been asked to look into an ipa server running in CentOS 6. The
> server was misbehaving for some time, with some certificates expiring
> back in October. Also / was full. I have cleaned up some space, set the
> date back before the certificates expired, restarted/rebooted but
> renewal of certs fails:
> 
> [Wed Oct 25 00:00:21 2017] [info] Connection to child 0 established
> (server portal.cloud.local, client 10.142.20.10)
> [Wed Oct 25 00:00:21 2017] [debug] nss_engine_init.c(1948): SNI: Found
> nickname Server-Cert for vhost: portal.cloud.local
> [Wed Oct 25 00:00:21 2017] [debug] nss_engine_init.c(1970): SNI:
> Successfully paired vhost portal.cloud.local with nickname: Server-Cert
> [Wed Oct 25 00:00:21 2017] [debug] nss_engine_kernel.c(93): SNI request
> for portal.cloud.local
> [Wed Oct 25 00:00:21 2017] [info] Initial (No.1) HTTPS request received
> for child 0 (server portal.cloud.local:443)
> [Wed Oct 25 00:00:21 2017] [error] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
> [Wed Oct 25 00:00:21 2017] [error] ipa: DEBUG: WSGI xmlserver.__call__:
> [Wed Oct 25 00:00:21 2017] [error] ipa: ERROR: 500 Internal Server
> Error: xmlserver.__call__: KRB5CCNAME not defined in HTTP request
> environment
> [Wed Oct 25 00:00:21 2017] [error] ipa: DEBUG: response: CCacheError:
> did not receive Kerberos credentials
> [Wed Oct 25 00:00:21 2017] [info] Connection to child 0 closed (server
> portal.cloud.local:443, client 10.142.20.10)
> 
> I can do kinit admin without problems. Please any hints how can I
> resolve this?
> 

This isn't much to go on.

You might create /etc/ipa/server.conf with the contents:

[global]
debug = True

and restart IPA. It should provide more information on the incoming request.

certmonger logs to syslog so I'd check there for details from the renewal.

Knowing the state of the certs tracked by certmonger would be helpful
too (be sure to redact any PIN that might be in the getcert list output).

rob
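
The PIN redaction requested above for `getcert list` output, as an added example (not part of the original thread and not certmonger's own code): a shell filter that blanks inline `pin='...'` values and prints a one-line state summary per tracked request. The sample output, request IDs, PIN and dates are constructed, and the filter assumes the PIN contains no single quote.

```shell
#!/bin/sh
# Added example: clean up `getcert list` output before sharing it.
# Real use: getcert list | redact_getcert > getcertlist.txt

# Blank inline PINs. pinfile='...' is only a path, so it is left alone.
# Assumption: the PIN itself contains no single quote.
redact_getcert() {
    sed -e "s/pin='[^']*'/pin='REDACTED'/g"
}

# Print "request-id status expiry-date" for every tracked request.
summarize_getcert() {
    awk -v q="'" '
        /^Request ID/ {
            if (id != "") print id, status, expires
            id = $3; gsub(q, "", id); sub(/:$/, "", id)
            status = "unknown"; expires = "unknown"
        }
        /^[ \t]*status:/  { status = $2 }
        /^[ \t]*expires:/ { expires = $2 }
        END { if (id != "") print id, status, expires }
    '
}

# Constructed sample (request IDs, PIN and dates are made up).
sample_getcert_output() {
    cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20171025000001':
    status: CA_UNREACHABLE
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='123456789012'
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    expires: 2017-10-28 12:00:00 UTC
Request ID '20171025000002':
    status: MONITORING
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    expires: 2019-09-04 12:00:00 UTC
EOF
}

sample_getcert_output | redact_getcert
sample_getcert_output | summarize_getcert
```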