Re: [Freeipa-users] ipa-* tools throws errors

2013-03-11 Thread Rob Crittenden

David Fitzgerald wrote:


Here is the output of the dig command.  Cyclone does show up here, but our 
networking people say there are no srv records in our current db.  I still 
think the trouble I am having has to do with the Internal Server Error I get 
when I run ipa commands.


There are two problems here. The first is the server error which is 
causing the client to try the next server which is cyclone.  There are 
records for this somewhere.


I think the next place to look is /var/log/krb5kdc.log to see what is 
happening when you try to contact the web server. You may also want to 
add debug = True to /etc/ipa/default.conf and restart httpd. This will 
provide very verbose output on the client and server and may provide 
additional clues.


rob




Re: [Freeipa-users] ipa-* tools throws errors

2013-03-11 Thread John Dennis

On 03/11/2013 02:05 PM, David Fitzgerald wrote:


Here is the output of the dig command.  Cyclone does show up here, but our 
networking people say there are no srv records in our current db.  I still 
think the trouble I am having has to do with the Internal Server Error I get 
when I run ipa commands.



It looks like the web server on aurora isn't configured for kerberos 
auth on the ipa/xml location. If it were it would have created a 
KRB5CCNAME before handing the request to IPA. IPA is complaining it can't 
find the kerberos credentials. Your client then falls back to the server it 
found in your dns srv record. I can't explain that srv record or whether 
you've got a valid IPA server running there or not.


I would check the apache config on aurora.

Do you have a:

/etc/httpd/conf.d/ipa.conf

file?

Are there any .rpmnew files under /etc/httpd?

Have you restarted httpd on aurora?

What are the contents of /etc/httpd/conf.d/ipa.conf?


--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] ipa-* tools throws errors

2013-03-11 Thread David Fitzgerald

Here is the output of the dig command.  Cyclone does show up here, but our 
networking people say there are no srv records in our current db.  I still 
think the trouble I am having has to do with the Internal Server Error I get 
when I run ipa commands.


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6.3 <<>> -t srv 
_ldap._tcp.esci.millersville.edu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27213
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;_ldap._tcp.esci.millersville.edu. IN   SRV

;; ANSWER SECTION:
_ldap._tcp.esci.millersville.edu. 600 IN SRV0 100 389 
cyclone.esci.millersville.edu.

;; AUTHORITY SECTION:
_tcp.esci.millersville.edu. 3600 IN NS  corsair.millersville.edu.
_tcp.esci.millersville.edu. 3600 IN NS  garfield.millersville.edu.

;; ADDITIONAL SECTION:
corsair.millersville.edu. 3600  IN  A   192.206.29.2
garfield.millersville.edu. 3600 IN  A   166.66.86.144

;; Query time: 1 msec
;; SERVER: 166.66.86.144#53(166.66.86.144)
;; WHEN: Mon Mar 11 13:55:36 2013
;; MSG SIZE  rcvd: 176

Re: [Freeipa-users] ipa-* tools throws errors

2013-03-11 Thread Martin Kosek

Hello David,

I am still not convinced that this issue is not caused by DNS. This is what 
we do in the "ipa" command:


1) We primarily try to connect to the server that is defined in 
/etc/ipa/default.conf in the "server" option
2) If it is not available, we try to fall back to other IPA servers which are 
resolved via the DNS SRV query "_ldap._tcp.DOMAIN", where DOMAIN is also read from 
/etc/ipa/default.conf


I do not see any other path by which this server could get into "ipa". This is why I 
suggested running the DNS query on the machine where you run the client:


# dig -t srv _ldap._tcp.esci.millersville.edu

It could help us see if the server is coming from this direction.



As for the KRB5CCNAME appearing on your real IPA server, AFAIU this 
environment variable is set by the "mod_auth_kerb" plugin for httpd (we configure 
it in /etc/httpd/conf.d/ipa.conf; "KrbSaveCredentials" should be "on" so that 
we can get the KRB5CCNAME). You can also try restarting httpd and see if that 
changes anything.


Martin
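The ipa.conf check John and Martin ask for, as an added Python example (not FreeIPA's own code and not from the thread): it parses a constructed mod_auth_kerb fragment and reports whether the Location covering /ipa/xml has AuthType Kerberos and KrbSaveCredentials on, the directive whose absence leaves KRB5CCNAME undefined in the request environment. The realm, keytab path and the two fragments are constructed for the example.

```python
"""
Check the mod_auth_kerb setup for the IPA location: httpd only exports
KRB5CCNAME to the IPA application when KrbSaveCredentials is on, so a
missing directive shows up as "500 ... KRB5CCNAME not defined".
Constructed fragments below; they are not FreeIPA's shipped ipa.conf.
"""
import re

# Constructed: the weak fragment, KrbSaveCredentials missing.
BROKEN_CONF = """
<Location "/ipa">
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate on
  KrbMethodK5Passwd off
  KrbServiceName HTTP
  KrbAuthRealms EXAMPLE.TEST
  Krb5KeyTab /etc/httpd/conf/ipa.keytab
  Require valid-user
</Location>
"""

# Constructed: the same fragment with the directive present (corrected).
FIXED_CONF = BROKEN_CONF.replace(
    "  Require valid-user", "  KrbSaveCredentials on\n  Require valid-user")

# <Location "/path"> ... </Location>, quotes optional, case-insensitive.
_LOC_RE = re.compile(r'<Location\s+"?([^">\s]+)"?\s*>(.*?)</Location>', re.S | re.I)


def location_blocks(text):
    """Map each <Location> path to a dict of directive -> lowercased value."""
    blocks = {}
    for path, body in _LOC_RE.findall(text):
        directives = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(" ")
            directives[name.lower()] = value.strip().strip('"').lower()
        blocks[path] = directives
    return blocks


def covering_block(blocks, url_path):
    """Longest <Location> prefix that applies to url_path (httpd picks the
    most specific match)."""
    matches = [p for p in blocks
               if url_path == p or url_path.startswith(p.rstrip("/") + "/")]
    return max(matches, key=len) if matches else None


def check_ipa_auth(text, url_path="/ipa/xml"):
    """Return a list of findings; an empty list means the location looks right."""
    blocks = location_blocks(text)
    path = covering_block(blocks, url_path)
    if path is None:
        return [f"no <Location> block covers {url_path}"]
    d = blocks[path]
    findings = []
    if d.get("authtype") != "kerberos":
        findings.append(f"{path}: AuthType is not Kerberos")
    if d.get("krbsavecredentials") != "on":
        findings.append(f"{path}: KrbSaveCredentials is not on (KRB5CCNAME will be absent)")
    if d.get("require") != "valid-user":
        findings.append(f"{path}: Require valid-user missing")
    return findings


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(label, check_ipa_auth(conf) or "OK")
```

Run it against the real /etc/httpd/conf.d/ipa.conf by reading the file into check_ipa_auth; an .rpmnew file beside it is worth the same check, since a package update may have left the live copy stale.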

Re: [Freeipa-users] ipa-* tools throws errors

2013-03-08 Thread David Fitzgerald
Thanks for getting back to me!

I don't think the problem has anything to do with DNS.  I (finally) ran an ipa 
command with the verbose flags -vv and found that it IS trying to contact 
aurora.esci.millersville.edu; it fails, then tries to contact 
cyclone.esci.millersville.edu (still don't know where that comes from).   I am 
getting an 'Internal Server Error' in the output when connecting to aurora.  
Here is the output:

% ipa -vv passwd
ipa: INFO: trying https://aurora.esci.millersville.edu/ipa/xml
send: u'POST /ipa/xml HTTP/1.0\r\nHost: 
aurora.esci.millersville.edu\r\nAccept-Language: en-us\r\nReferer:  
https://aurora.esci.millersville.edu/ipa/xml\r\nAuthorization: negotiate
  ...
send: "\n\nping\n\n\n\n"
reply: 'HTTP/1.1 500 Internal Server Error\r\n'
header: Date: Fri, 08 Mar 2013 16:52:48 GMT
header: Server: Apache/2.2.15 (Scientific Linux)
header: WWW-Authenticate: Negotiate 
YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvjoEMIFJxPVNU4jtl/7S+eC6fM0rlJWpV1fJdhoVTKwiR2pa2OHQWRtCjQDfz

pBNwNBpt1fMY7M4Bfrqs860toAT6jMfS8Jkqh3Aj9OeuEmpEVHys5pbErjj14OPHxbxTmLdPxFE8eV4ZIDQg40a8
header: Content-Length: 311
header: Connection: close
header: Content-Type: text/html; charset=utf-8
ipa: INFO: trying https://cyclone.esci.millersville.edu/ipa/xml
ipa: ERROR: Kerberos error: Service 
u'h...@cyclone.esci.millersville.edu' not found in Kerberos database/

The apache error log gives this:  
 Fri Mar 08 11:52:48 2013] [error] ipa: ERROR: 500 Internal Server 
Error: xmlserver.__call__: KRB5CCNAME not defined in HTTP request environment.

I have no idea what that means.  Can you help?

Re: [Freeipa-users] ipa-* tools throws errors

2013-03-06 Thread Martin Kosek
Ok. Can you check whether this hostname is returned by an SRV DNS record discovery
run on the host where you execute the ipa commands?

# dig -t srv _ldap._tcp.esci.millersville.edu

Does it return the right results?

Martin
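The server-selection order Martin describes in the thread (the server from /etc/ipa/default.conf first, then the targets of the _ldap._tcp.DOMAIN SRV query when that server fails), as an added Python example that is not code from the thread or from FreeIPA. The default.conf text and the SRV answer are constructed from what the thread shows, the result of probing the primary server is passed in rather than fetched, and the weighted-random SRV choice is replaced by a deterministic ordering.

```python
"""
Model of the "ipa" client's server selection: configured server first,
SRV fallback second. Runs offline on constructed data shaped like the
thread's default.conf and dig output.
"""
import configparser
from urllib.parse import urlparse

# Constructed copy of the relevant default.conf lines from the thread.
# Assumption: the primary server is taken from xmlrpc_uri, else from host.
DEFAULT_CONF = """
[global]
host=aurora.esci.millersville.edu
realm=LINUX.DIRSRV.LOCAL
domain=esci.millersville.edu
xmlrpc_uri=https://aurora.esci.millersville.edu/ipa/xml
"""

# Constructed SRV answer shaped like the dig output in the thread:
# (priority, weight, port, target).
SRV_ANSWER = [(0, 100, 389, "cyclone.esci.millersville.edu.")]


def parse_default_conf(text):
    """Return (primary_server, domain) from a default.conf body."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    g = cp["global"]
    if "xmlrpc_uri" in g:
        primary = urlparse(g["xmlrpc_uri"]).hostname
    else:
        primary = g["host"]
    return primary, g["domain"]


def srv_name(domain):
    """The query name the client resolves for fallback servers."""
    return "_ldap._tcp." + domain


def order_srv(records):
    """RFC 2782 order: lowest priority first, then higher weight first
    (a deterministic stand-in for the weighted random pick)."""
    ordered = sorted(records, key=lambda r: (r[0], -r[1]))
    return [target.rstrip(".") for _, _, _, target in ordered]


def server_order(conf_text, srv_records, primary_ok):
    """Servers the client would try, in order. primary_ok is the outcome of
    probing the configured server; False models the 500 seen in the thread."""
    primary, _domain = parse_default_conf(conf_text)
    order = [primary]
    if not primary_ok:
        order += [s for s in order_srv(srv_records) if s != primary]
    return order


def stale_srv_targets(srv_records, known_servers):
    """Defender's check: SRV targets that are not known IPA servers. A
    decommissioned host still advertised here is what pulls an unknown
    name into the fallback list once the primary server errors out."""
    return [s for s in order_srv(srv_records) if s not in known_servers]


if __name__ == "__main__":
    _, domain = parse_default_conf(DEFAULT_CONF)
    print("query:", srv_name(domain))
    print("primary healthy:", server_order(DEFAULT_CONF, SRV_ANSWER, True))
    print("primary failing:", server_order(DEFAULT_CONF, SRV_ANSWER, False))
    print("stale targets:", stale_srv_targets(SRV_ANSWER, {"aurora.esci.millersville.edu"}))
```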

Re: [Freeipa-users] ipa-* tools throws errors

2013-03-05 Thread David Fitzgerald
The host command returns the correct name:
#host 166.66.65.39
39.65.66.166.in-addr.arpa domain name pointer aurora.esci.millersville.edu.

-Original Message-
From: Martin Kosek [mailto:mko...@redhat.com] 
Sent: Tuesday, March 05, 2013 10:26 AM
To: David Fitzgerald
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-* tools throws errors

On 03/05/2013 04:21 PM, David Fitzgerald wrote:
> Hello everyone,
> 
> I have been running a freeIPA server on Scientific Linux 6.2 for about a 
> year. Yesterday I started not being able to run any "ipa-" commands.  
> Running kinit admin gives me the proper tickets, but when I run any 
> ipa- command I get the following error:
> 
> ipa: ERROR: Kerberos error: Service 
> u'h...@cyclone.esci.millersville.edu' not found in Kerberos database/.
> 
> I have no idea where the cyclone.esci.millersville.edu is coming from, 
> as that used to be a Windows Domain server that was decommissioned 
> years ago and is no longer in DNS, nor in /etc/hosts.  I even grep -R 
> all of the files in /etc and none refer to cyclone.  I checked the ipa 
> config and krb5.conf files and they are pointing at the proper ipa server.
> 
> Checking log files I get these messages when I try to run ipa commands:
> 
> /var/log/httpd/error log:
> 
> Tue Mar 05 08:57:54 2013] [error] ipa: ERROR: 500 Internal Server Error:
> xmlserver.__call__: KRB5CCNAME not defined in HTTP request environment
> 
> /var/log/ipa
> 
> Mar 05 09:57:00 aurora.esci.millersville.edu krb5kdc[12534](info): 
> TGS_REQ (4 etypes {18 17 16 23}) 166.66.65.39: ISSUE: authtime 
> 1362491436, etypes {rep=18 tkt=18 ses=18}, admin@LINUX.DIRSRV.LOCAL for 
> krbtgt/LINUX.DIRSRV.LOCAL@LINUX.DIRSRV.LOCAL
> 
> Mar 05 09:57:00 aurora.esci.millersville.edu krb5kdc[12534](info): 
> TGS_REQ (4 etypes {18 17 16 23}) 166.66.65.39: UNKNOWN_SERVER: 
> authtime 0, admin@LINUX.DIRSRV.LOCAL for 
> HTTP/cyclone.esci.millersville.edu@LINUX.DIRSRV.LOCAL, Server not 
> found in Kerberos database
> 
> I Googled these error messages, but none of the results seemed to 
> apply to my situation or didn't solve the problem.  Can anyone point me 
> in the right direction? Any help is greatly appreciated.
> 
> For what they are worth, here are my /etc/krb5.conf and 
> /etc/ipa/default.conf files:
> 
> /etc/krb5.conf:
> 
> includedir /var/lib/sss/pubconf/krb5.include.d/
> 
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
> 
> [libdefaults]
> default_realm = LINUX.DIRSRV.LOCAL
> dns_lookup_realm = false
> dns_lookup_kdc = false
> rdns = false
> ticket_lifetime = 24h
> forwardable = yes
> 
> [realms]
> LINUX.DIRSRV.LOCAL = {
>   kdc = aurora.esci.millersville.edu:88
>   admin_server = aurora.esci.millersville.edu:749
>   default_domain = esci.millersville.edu
>   pkinit_anchors = FILE:/etc/ipa/ca.crt
> }
> 
> [domain_realm]
> .esci.millersville.edu = LINUX.DIRSRV.LOCAL
> esci.millersville.edu = LINUX.DIRSRV.LOCAL
> 
> [dbmodules]
> #  LINUX.DIRSRV.LOCAL = {
> #db_library = kldap
> #ldap_servers = ldapi://%2fvar%2frun%2fslapd-LINUX-DIRSRV-LOCAL.socket
> #ldap_kerberos_container_dn = cn=kerberos,dc=linux,dc=dirsrv,dc=local
> #ldap_kdc_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=linux,dc=dirsrv,dc=local
> #ldap_kadmind_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=linux,dc=dirsrv,dc=local
> #ldap_service_password_file = /var/kerberos/krb5kdc/ldappwd
> #  }
> 
>   LINUX.DIRSRV.LOCAL = {
> db_library = ipadb.so
>   }
> 
> /etc/ipa/default.conf
> 
> [global]
> host=aurora.esci.millersville.edu
> basedn=dc=linux,dc=dirsrv,dc=local
> realm=LINUX.DIRSRV.LOCAL
> domain=esci.millersville.edu
> xmlrpc_uri=https://aurora.esci.millersville.edu/ipa/xml
> ldap_uri=ldapi://%2fvar%2frun%2fslapd-LINUX-DIRSRV-LOCAL.socket
> enable_ra=True
> ra_plugin=dogtag
> mode=production
> 
> +++
> David Fitzgerald
> Department of Earth Sciences
> Millersville University
> Millersville, PA 17551
> Phone: 717-871-2394

Hello David,

I suspect this is caused by broken DNS reverse resolution, as Kerberos client 
software often uses the result of reverse record (PTR RR) resolution as a 
hostname and not the actual hostname configured on your system.

What does "host $IP_ADDRESS_OF_YOUR_HOST" return? Does it return the correct 
hostname?

Martin



Re: [Freeipa-users] ipa-* tools throws errors

2013-03-05 Thread Martin Kosek
On 03/05/2013 04:21 PM, David Fitzgerald wrote:
> Hello everyone,
> 
> I have been running a freeIPA server on Scientific Linux 6.2 for about a
> year. Yesterday I started not being able to run any "ipa-" commands. Running
> kinit admin gives me the proper tickets, but when I run any ipa- command I
> get the following error:
> 
> ipa: ERROR: Kerberos error: Service u'h...@cyclone.esci.millersville.edu' not
> found in Kerberos database/.
> 
> I have no idea where the cyclone.esci.millersville.edu is coming from, as that
> used to be a Windows Domain server that was decommissioned years ago and is no
> longer in DNS, nor in /etc/hosts.  I even grep -R all of the files in /etc and
> none refer to cyclone.  I checked the ipa config and krb5.conf files and they
> are pointing at the proper ipa server.
> 
> Checking log files I get these messages when I try to run ipa commands:
> 
> /var/log/httpd/error log:
> Tue Mar 05 08:57:54 2013] [error] ipa: ERROR: 500 Internal Server Error:
> xmlserver.__call__: KRB5CCNAME not defined in HTTP request environment
> 
> /var/log/ipa
> Mar 05 09:57:00 aurora.esci.millersville.edu krb5kdc[12534](info): TGS_REQ (4
> etypes {18 17 16 23}) 166.66.65.39: ISSUE: authtime 1362491436, etypes {rep=18
> tkt=18 ses=18}, admin@LINUX.DIRSRV.LOCAL for
> krbtgt/LINUX.DIRSRV.LOCAL@LINUX.DIRSRV.LOCAL
> Mar 05 09:57:00 aurora.esci.millersville.edu krb5kdc[12534](info): TGS_REQ (4
> etypes {18 17 16 23}) 166.66.65.39: UNKNOWN_SERVER: authtime 0,
> admin@LINUX.DIRSRV.LOCAL for
> HTTP/cyclone.esci.millersville.edu@LINUX.DIRSRV.LOCAL, Server not found in
> Kerberos database
> 
> I Googled these error messages, but none of the results seemed to apply to my
> situation or didn't solve the problem. Can anyone point me in the right
> direction? Any help is greatly appreciated.
> 
> For what they are worth, here are my /etc/krb5.conf and /etc/ipa/default.conf
> files:
> 
> /etc/krb5.conf:
> 
> includedir /var/lib/sss/pubconf/krb5.include.d/
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
> 
> [libdefaults]
> default_realm = LINUX.DIRSRV.LOCAL
> dns_lookup_realm = false
> dns_lookup_kdc = false
> rdns = false
> ticket_lifetime = 24h
> forwardable = yes
> 
> [realms]
> LINUX.DIRSRV.LOCAL = {
>   kdc = aurora.esci.millersville.edu:88
>   admin_server = aurora.esci.millersville.edu:749
>   default_domain = esci.millersville.edu
>   pkinit_anchors = FILE:/etc/ipa/ca.crt
> }
> 
> [domain_realm]
> .esci.millersville.edu = LINUX.DIRSRV.LOCAL
> esci.millersville.edu = LINUX.DIRSRV.LOCAL
> 
> [dbmodules]
> #  LINUX.DIRSRV.LOCAL = {
> #db_library = kldap
> #ldap_servers = ldapi://%2fvar%2frun%2fslapd-LINUX-DIRSRV-LOCAL.socket
> #ldap_kerberos_container_dn = cn=kerberos,dc=linux,dc=dirsrv,dc=local
> #ldap_kdc_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=linux,dc=dirsrv,dc=local
> #ldap_kadmind_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=linux,dc=dirsrv,dc=local
> #ldap_service_password_file = /var/kerberos/krb5kdc/ldappwd
> #  }
> 
>   LINUX.DIRSRV.LOCAL = {
> db_library = ipadb.so
>   }
> 
> /etc/ipa/default.conf
> 
> [global]
> host=aurora.esci.millersville.edu
> basedn=dc=linux,dc=dirsrv,dc=local
> realm=LINUX.DIRSRV.LOCAL
> domain=esci.millersville.edu
> xmlrpc_uri=https://aurora.esci.millersville.edu/ipa/xml
> ldap_uri=ldapi://%2fvar%2frun%2fslapd-LINUX-DIRSRV-LOCAL.socket
> enable_ra=True
> ra_plugin=dogtag
> mode=production
> 
> +++
> David Fitzgerald
> Department of Earth Sciences
> Millersville University
> Millersville, PA 17551
> 
> Phone: 717-871-2394

Hello David,

I suspect this is caused by broken DNS reverse resolution as Kerberos client
software often uses the result of reverse record (PTR RR) resolution as a
hostname and not the actual hostname configured on your system.

What does "host $IP_ADDRESS_OF_YOUR_HOST" return? Does it return the correct
hostname?

Martin

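The mechanism Martin describes above, as an added example (it is not code from FreeIPA, MIT Kerberos, or anyone in this thread): a Kerberos client canonicalises the service hostname before building the principal it asks the KDC for, and with `rdns = true` in `[libdefaults]` (the knob visible in the quoted krb5.conf) the PTR name of the resolved address replaces the configured name. The DNS tables, the TEST-NET address, the stale PTR record and the list of known principals are all constructed for the demonstration; `SystemDns` is an assumed helper that runs the same check against the local resolver.

```python
"""Which HTTP/ service principal will a Kerberos client actually request?

Added example for this thread; not code from FreeIPA or MIT Kerberos.
The client resolves the service hostname forward and, with rdns = true,
maps the resulting address back to a name via its PTR record.  A stale
PTR record therefore makes the client request a principal the KDC does
not have, which krb5kdc logs as UNKNOWN_SERVER.
"""
import socket


class FakeDns:
    """Constructed resolver: forward (A) and reverse (PTR) tables as dicts."""

    def __init__(self, a_records, ptr_records):
        self._a = {k.lower(): v for k, v in a_records.items()}
        self._ptr = dict(ptr_records)

    def forward(self, name):
        return self._a.get(name.lower())

    def reverse(self, addr):
        return self._ptr.get(addr)


class SystemDns:
    """Same interface, using this host's resolver (assumed helper, not run here)."""

    def forward(self, name):
        try:
            return socket.gethostbyname(name)
        except socket.gaierror:
            return None

    def reverse(self, addr):
        try:
            return socket.gethostbyaddr(addr)[0]
        except (socket.herror, socket.gaierror):
            return None


def canonical_host(dns, hostname, rdns):
    """Hostname the client will place in the service principal."""
    name = hostname.rstrip(".").lower()
    addr = dns.forward(name)
    if addr is None:
        raise LookupError(f"no address record for {name}")
    if not rdns:
        return name
    # rdns = true: the PTR name wins when the address has one
    ptr_name = dns.reverse(addr)
    return (ptr_name or name).rstrip(".").lower()


def diagnose(dns, hostname, realm, known_principals, rdns):
    """Return (requested principal, verdict) for an HTTP/ service ticket."""
    host = canonical_host(dns, hostname, rdns)
    principal = f"HTTP/{host}@{realm}"
    if principal in known_principals:
        return principal, "ok"
    if host != hostname.rstrip(".").lower():
        return principal, "stale-ptr"        # reverse lookup changed the name
    return principal, "missing-principal"    # name is right, KDC lacks it


# Constructed scenario: the server's (placeholder, TEST-NET) address still has
# a PTR record pointing at the decommissioned name cyclone.
DEMO_DNS = FakeDns(
    a_records={"aurora.esci.millersville.edu": "192.0.2.10"},
    ptr_records={"192.0.2.10": "cyclone.esci.millersville.edu"},
)
DEMO_REALM = "LINUX.DIRSRV.LOCAL"
DEMO_KNOWN = {"HTTP/aurora.esci.millersville.edu@LINUX.DIRSRV.LOCAL"}


def demo(rdns):
    """Run the diagnosis against the constructed scenario."""
    return diagnose(DEMO_DNS, "aurora.esci.millersville.edu", DEMO_REALM,
                    DEMO_KNOWN, rdns)


if __name__ == "__main__":
    for flag in (False, True):
        print(f"rdns = {str(flag).lower()}: {demo(flag)}")
```

With `rdns = false` the constructed scenario yields the expected `HTTP/aurora...` principal; with `rdns = true` the stale PTR turns it into `HTTP/cyclone...`, which is the kind of mismatch a `host $IP` check exposes. Replace `DEMO_DNS` with `SystemDns()` and `DEMO_KNOWN` with the output of `ipa service-find` to run the same comparison on a real host.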


[Freeipa-users] ipa-* tools throws errors

2013-03-05 Thread David Fitzgerald
Hello everyone,

I have been running a freeIPA server on Scientific Linux 6.2 for about a year.  
Yesterday I started not being able to run any "ipa-" commands.  Running kinit 
admin gives me the proper tickets, but when I run any ipa- command I get the 
following error:

ipa: ERROR: Kerberos error: Service u'h...@cyclone.esci.millersville.edu' not 
found in Kerberos database/.

I have no idea where the cyclone.esci.millersville.edu is coming from, as that 
used to be a Windows Domain server that was decommissioned years ago and is no 
longer in DNS, nor in /etc/hosts.  I even grep -R  all of the files in /etc and 
none refer to cyclone.  I checked the ipa config and krb5.conf files and they 
are pointing at the proper ipa server.

Checking log files I get these messages when I try to run ipa commands:

/var/log/httpd/error log:
Tue Mar 05 08:57:54 2013] [error] ipa: ERROR: 500 Internal Server Error: 
xmlserver.__call__: KRB5CCNAME not defined in HTTP request environment

/var/log/ipa
Mar 05 09:57:00 aurora.esci.millersville.edu krb5kdc[12534](info): TGS_REQ (4 
etypes {18 17 16 23}) 166.66.65.39: ISSUE: authtime 1362491436, etypes {rep=18 
tkt=18 ses=18}, admin@LINUX.DIRSRV.LOCAL for 
krbtgt/LINUX.DIRSRV.LOCAL@LINUX.DIRSRV.LOCAL
Mar 05 09:57:00 aurora.esci.millersville.edu krb5kdc[12534](info): TGS_REQ (4 
etypes {18 17 16 23}) 166.66.65.39: UNKNOWN_SERVER: authtime 0,  
admin@LINUX.DIRSRV.LOCAL for 
HTTP/cyclone.esci.millersville.edu@LINUX.DIRSRV.LOCAL, Server not found in 
Kerberos database

I Googled these error messages, but none of the results seemed to apply to my 
situation or didn't solve the problem.  Can anyone point me in the right 
direction? Any help is greatly appreciated.

For what they are worth, here are my /etc/krb5.conf and /etc/ipa/default.conf 
files:

/etc/krb5.conf:

includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = LINUX.DIRSRV.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = yes

[realms]
LINUX.DIRSRV.LOCAL = {
  kdc = aurora.esci.millersville.edu:88
  admin_server = aurora.esci.millersville.edu:749
  default_domain = esci.millersville.edu
  pkinit_anchors = FILE:/etc/ipa/ca.crt
}

[domain_realm]
.esci.millersville.edu = LINUX.DIRSRV.LOCAL
esci.millersville.edu = LINUX.DIRSRV.LOCAL

[dbmodules]
#  LINUX.DIRSRV.LOCAL = {
#db_library = kldap
#ldap_servers = ldapi://%2fvar%2frun%2fslapd-LINUX-DIRSRV-LOCAL.socket
#ldap_kerberos_container_dn = cn=kerberos,dc=linux,dc=dirsrv,dc=local
#ldap_kdc_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=linux,dc=dirsrv,dc=local
#ldap_kadmind_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=linux,dc=dirsrv,dc=local
#ldap_service_password_file = /var/kerberos/krb5kdc/ldappwd
#  }

  LINUX.DIRSRV.LOCAL = {
db_library = ipadb.so
  }

/etc/ipa/default.conf

[global]
host=aurora.esci.millersville.edu
basedn=dc=linux,dc=dirsrv,dc=local
realm=LINUX.DIRSRV.LOCAL
domain=esci.millersville.edu
xmlrpc_uri=https://aurora.esci.millersville.edu/ipa/xml
ldap_uri=ldapi://%2fvar%2frun%2fslapd-LINUX-DIRSRV-LOCAL.socket
enable_ra=True
ra_plugin=dogtag
mode=production


+++
David Fitzgerald
Department of Earth Sciences
Millersville University
Millersville, PA 17551

Phone: 717-871-2394

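The krb5kdc log lines quoted in this message are exactly what an operator should be watching for: an ISSUE entry for the TGT followed by an UNKNOWN_SERVER entry naming a service principal for a host that should not exist. As an added example (not FreeIPA code or anything posted in this thread), the parser below reads MIT krb5kdc request lines of that shape and reports which unknown service hosts were requested and by which client address. The sample log is the two entries from the message, re-joined onto single lines; the list of expected hosts is a constructed input.

```python
"""Flag UNKNOWN_SERVER requests in a krb5kdc log.

Added example for this thread, not FreeIPA code.  Parses the AS_REQ/TGS_REQ
lines MIT krb5kdc writes and reports requested service principals whose host
part is not one of the hosts expected to exist in the realm.
"""
import re

# Field layout of a krb5kdc request line:
#   <ts> <kdc host> krb5kdc[<pid>](info): <REQ> (<etypes>) <client>: <STATUS>:
#   authtime <n>,[ etypes {...},] <client principal> for <service>[, <reason>]
KDC_LINE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) (?P<kdc>\S+) krb5kdc\[\d+\]\(info\): "
    r"(?P<req>AS_REQ|TGS_REQ) \((?P<etypes>[^)]*)\) (?P<client>[0-9a-fA-F.:]+): "
    r"(?P<status>[A-Z_]+): authtime (?P<authtime>\d+),"
    r"(?: etypes \{[^}]*\},)?\s+(?P<principal>\S+) for (?P<service>[^,\s]+)"
    r"(?:, (?P<reason>.*))?$"
)

# The two entries quoted in the message, re-joined onto single lines.
SAMPLE_LOG = "\n".join([
    "Mar 05 09:57:00 aurora.esci.millersville.edu krb5kdc[12534](info): TGS_REQ "
    "(4 etypes {18 17 16 23}) 166.66.65.39: ISSUE: authtime 1362491436, etypes "
    "{rep=18 tkt=18 ses=18}, admin@LINUX.DIRSRV.LOCAL for "
    "krbtgt/LINUX.DIRSRV.LOCAL@LINUX.DIRSRV.LOCAL",
    "Mar 05 09:57:00 aurora.esci.millersville.edu krb5kdc[12534](info): TGS_REQ "
    "(4 etypes {18 17 16 23}) 166.66.65.39: UNKNOWN_SERVER: authtime 0,  "
    "admin@LINUX.DIRSRV.LOCAL for "
    "HTTP/cyclone.esci.millersville.edu@LINUX.DIRSRV.LOCAL, Server not found "
    "in Kerberos database",
])


def parse_kdc_line(line):
    """Return the named fields of one request line, or None if it is not one."""
    m = KDC_LINE.match(line.strip())
    return m.groupdict() if m else None


def service_host(service):
    """'HTTP/host@REALM' -> 'host'; None for principals without an instance."""
    name = service.split("@", 1)[0]
    if "/" not in name:
        return None
    return name.split("/", 1)[1].lower()


def unknown_server_requests(text):
    """All UNKNOWN_SERVER entries: who asked, for which service, from where."""
    hits = []
    for line in text.splitlines():
        rec = parse_kdc_line(line)
        if rec and rec["status"] == "UNKNOWN_SERVER":
            hits.append({
                "ts": rec["ts"],
                "client": rec["client"],
                "principal": rec["principal"],
                "service": rec["service"],
                "host": service_host(rec["service"]),
                "reason": rec["reason"],
            })
    return hits


def unexpected_hosts(text, expected_hosts):
    """Service hosts requested but absent from the expected host list."""
    expected = {h.lower() for h in expected_hosts}
    return sorted({
        h["host"] for h in unknown_server_requests(text)
        if h["host"] and h["host"] not in expected
    })


if __name__ == "__main__":
    # Constructed input: the only host that should carry services here.
    for hit in unknown_server_requests(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["client"]} asked for {hit["service"]}')
    print(unexpected_hosts(SAMPLE_LOG, ["aurora.esci.millersville.edu"]))
```

Run against a real /var/log/krb5kdc.log, the `client` field tells you which machine is building the wrong principal name, which narrows the search to that machine's resolver and krb5.conf rather than the KDC.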