Re: [Freeipa-users] ipa-* tools throws errors
David Fitzgerald wrote:
> Here is the output of the dig command. Cyclone does show up here, but our networking people say there are no srv records in our current db. I still think the trouble I am having has to do with the Internal Server Error I get when I run ipa commands.

There are two problems here. The first is the server error which is causing the client to try the next server which is cyclone. There are records for this somewhere.

I think the next place to look is /var/log/krb5kdc.log to see what is happening when you try to contact the web server.

You may also want to add debug = True to /etc/ipa/default.conf and restart httpd. This will provide very verbose output on the client and server and may provide additional clues.

rob

> [...]
Re: [Freeipa-users] ipa-* tools throws errors
On 03/11/2013 02:05 PM, David Fitzgerald wrote:
> Here is the output of the dig command. Cyclone does show up here, but our networking people say there are no srv records in our current db. I still think the trouble I am having has to do with the Internal Server Error I get when I run ipa commands.
> [...]
> The apache error log gives this:
>
> Fri Mar 08 11:52:48 2013] [error] ipa: ERROR: 500 Internal Server Error: xmlserver.__call__: KRB5CCNAME not defined in HTTP request environment.
>
> I have no idea what that means. Can you help?

It looks like the web server on aurora isn't configured for kerberos auth on the ipa/xml location. If it were it would have created a KRB5CCNAME before handing the request to IPA. IPA is complaining it can't find the kerberos credentials.

Your client then falls back to the server it found in your dns srv record. I can't explain that srv record or whether you've got a valid IPA server running there or not.

I would check the apache config on aurora. Do you have a /etc/httpd/conf.d/ipa.conf file? Are there any .rpmnew files under /etc/httpd? Have you restarted httpd on aurora? What are the contents of /etc/httpd/conf.d/ipa.conf?

-- 
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
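As an added triage helper (not code from this thread, from the FreeIPA project, or from any of its posters), the script below checks the two places the replies point at: whether the httpd stanza for /ipa carries the mod_auth_kerb directives that make a KRB5CCNAME available to IPA (John Dennis' question about /etc/httpd/conf.d/ipa.conf), and what /var/log/krb5kdc.log says the client actually asked for (Rob Crittenden's suggestion in the first message). The config text and log lines embedded in it are constructed samples modelled on the thread; the directive names are real mod_auth_kerb directives, while the function names and the set of required directives are this example's own.

```python
"""Added triage helper; not FreeIPA code and not from the thread.

Two checks that the replies above suggest:
  * does the <Location "/ipa"> stanza turn on Kerberos auth and
    KrbSaveCredentials, so mod_auth_kerb exports KRB5CCNAME to IPA?
  * which service principal did the client request from the KDC,
    according to UNKNOWN_SERVER lines in the KDC log?
"""
import re

# Constructed sample shaped like a FreeIPA ipa.conf stanza, with the
# credential-saving directive deliberately left out.
SAMPLE_IPA_CONF = """\
<Location "/ipa">
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate on
  KrbMethodK5Passwd off
  KrbServiceName HTTP
  KrbAuthRealms LINUX.DIRSRV.LOCAL
  Krb5KeyTab /etc/httpd/conf/ipa.keytab
  Require valid-user
</Location>
"""

# Constructed sample lines in the format of the krb5kdc.log excerpt quoted
# in the original post (hostnames and realm taken from the thread).
SAMPLE_KDC_LOG = """\
Mar 05 09:57:00 aurora.esci.millersville.edu krb5kdc[12534](info): TGS_REQ (4 etypes {18 17 16 23}) 166.66.65.39: ISSUE: authtime 1362491436, etypes {rep=18 tkt=18 ses=18}, admin@LINUX.DIRSRV.LOCAL for krbtgt/LINUX.DIRSRV.LOCAL@LINUX.DIRSRV.LOCAL
Mar 05 09:57:00 aurora.esci.millersville.edu krb5kdc[12534](info): TGS_REQ (4 etypes {18 17 16 23}) 166.66.65.39: UNKNOWN_SERVER: authtime 0, admin@LINUX.DIRSRV.LOCAL for HTTP/cyclone.esci.millersville.edu@LINUX.DIRSRV.LOCAL, Server not found in Kerberos database
"""

# Directives (and values) this example insists on; a choice of the example.
REQUIRED = {"AuthType": "Kerberos", "KrbSaveCredentials": "on"}


def location_directives(conf_text, path):
    """Return {directive: value} for the <Location path> block, or None if absent."""
    pat = re.compile(r'<Location\s+"?%s"?\s*>(.*?)</Location>' % re.escape(path), re.S)
    m = pat.search(conf_text)
    if not m:
        return None
    directives = {}
    for line in m.group(1).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        directives[key] = value.strip().strip('"')
    return directives


def check_kerberos_auth(conf_text, path="/ipa"):
    """List what is missing for mod_auth_kerb to hand a KRB5CCNAME to IPA."""
    directives = location_directives(conf_text, path)
    if directives is None:
        return ["no <Location %s> block found" % path]
    problems = []
    for key, want in REQUIRED.items():
        got = directives.get(key)
        if got is None:
            problems.append("%s missing (want %s)" % (key, want))
        elif got.lower() != want.lower():
            problems.append("%s is %s (want %s)" % (key, got, want))
    return problems


# client IP, client principal and requested service from an UNKNOWN_SERVER line
UNKNOWN_RE = re.compile(r"(\S+): UNKNOWN_SERVER: .*?, (\S+) for (\S+), Server not found")


def unknown_servers(log_text):
    """Return (client_ip, client_principal, requested_service) per UNKNOWN_SERVER line."""
    hits = []
    for line in log_text.splitlines():
        m = UNKNOWN_RE.search(line)
        if m:
            hits.append(m.groups())
    return hits


if __name__ == "__main__":
    for p in check_kerberos_auth(SAMPLE_IPA_CONF):
        print("ipa.conf:", p)
    for ip, client, service in unknown_servers(SAMPLE_KDC_LOG):
        print("kdc: %s (%s) asked for %s, unknown to the KDC" % (ip, client, service))
```

Run against the real files, the first check tells you whether the 500 is the stanza (no KrbSaveCredentials, or a stale .rpmnew never merged), and the second tells you which host the client was redirected to before it asked the KDC for a ticket the KDC could not issue.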
Re: [Freeipa-users] ipa-* tools throws errors
Here is the output of the dig command. Cyclone does show up here, but our networking people say there are no srv records in our current db. I still think the trouble I am having has to do with the Internal Server Error I get when I run ipa commands.

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6.3 <<>> -t srv _ldap._tcp.esci.millersville.edu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27213
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;_ldap._tcp.esci.millersville.edu. IN SRV

;; ANSWER SECTION:
_ldap._tcp.esci.millersville.edu. 600 IN SRV 0 100 389 cyclone.esci.millersville.edu.

;; AUTHORITY SECTION:
_tcp.esci.millersville.edu. 3600 IN NS corsair.millersville.edu.
_tcp.esci.millersville.edu. 3600 IN NS garfield.millersville.edu.

;; ADDITIONAL SECTION:
corsair.millersville.edu. 3600 IN A 192.206.29.2
garfield.millersville.edu. 3600 IN A 166.66.86.144

;; Query time: 1 msec
;; SERVER: 166.66.86.144#53(166.66.86.144)
;; WHEN: Mon Mar 11 13:55:36 2013
;; MSG SIZE rcvd: 176

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of David Fitzgerald
Sent: Friday, March 08, 2013 12:04 PM
To: Martin Kosek
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-* tools throws errors

[...]
Re: [Freeipa-users] ipa-* tools throws errors
Hello David,

I am still not convinced that this issue is not caused by DNS. This is what we do in "ipa" command:

1) We try to primarily connect to server that is defined in /etc/ipa/default.conf in "server" option
2) If it is not available, we try to fallback to other IPA servers which are resolved via DNS SRV query "_ldap._tcp.DOMAIN" where DOMAIN is also read from /etc/ipa/default.conf

I do not see any other path how this server could get to "ipa". This is why I suggested running the DNS query on the machine where you run the client:

# dig -t srv _ldap._tcp.esci.millersville.edu

It could help us see if the server is getting from this direction.

As for the KRB5CCNAME appearing on your real IPA server, AFAIU, this environment variable is set by "mod_auth_kerb" plugin for httpd (we configure it in /etc/httpd/conf.d/ipa.conf, "KrbSaveCredentials" should be "on" so that we can get the KRB5CCNAME). You can also try restarting httpd and see if that changes anything.

Martin

On 03/08/2013 06:03 PM, David Fitzgerald wrote:
> [...]
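The selection order Martin describes, as an added example that is not FreeIPA's own code: it reads the primary server from a default.conf (the "server" option or, for a file like the one quoted in this thread that has no such line, the host part of xmlrpc_uri, which is this example's own fallback), takes the SRV targets for _ldap._tcp.<domain> from dig output, and lists what the client would try and in what order. The config and dig text embedded below are constructed samples copied from the thread; ordering equal-priority records by descending weight is a simplification of the weighted random choice a real resolver makes.

```python
"""Added example of the ipa client's server order as described above;
not FreeIPA code.  Primary server from default.conf first, then SRV
targets for _ldap._tcp.<domain>, domain read from the same file."""
import configparser
import re
from urllib.parse import urlparse

# Constructed sample: the /etc/ipa/default.conf quoted in the thread.
SAMPLE_DEFAULT_CONF = """\
[global]
host=aurora.esci.millersville.edu
basedn=dc=linux,dc=dirsrv,dc=local
realm=LINUX.DIRSRV.LOCAL
domain=esci.millersville.edu
xmlrpc_uri=https://aurora.esci.millersville.edu/ipa/xml
ldap_uri=ldapi://%2fvar%2frun%2fslapd-LINUX-DIRSRV-LOCAL.socket
enable_ra=True
ra_plugin=dogtag
mode=production
"""

# Constructed sample: the answer section of the dig output in the thread.
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
_ldap._tcp.esci.millersville.edu. 600 IN SRV 0 100 389 cyclone.esci.millersville.edu.
"""

# owner, priority, weight, port, target of one SRV record line in dig output
SRV_RE = re.compile(r"^(\S+)\.\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+?)\.?$", re.M)


def configured_server(conf_text):
    """(primary server, domain): "server" option, else host of "xmlrpc_uri"."""
    # interpolation=None: ldap_uri contains '%2f', which would otherwise be
    # treated as an interpolation sequence.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    g = cp["global"]
    domain = g["domain"].strip()
    if g.get("server"):
        return g["server"].strip(), domain
    return urlparse(g["xmlrpc_uri"]).hostname, domain


def srv_targets(dig_text, domain):
    """(target, port) for _ldap._tcp.<domain>: priority ascending, then weight descending."""
    name = "_ldap._tcp." + domain
    found = []
    for owner, prio, weight, port, target in SRV_RE.findall(dig_text):
        if owner.lower() == name.lower():
            found.append((int(prio), -int(weight), target.lower(), int(port)))
    found.sort()
    return [(t, p) for _, _, t, p in found]


def candidate_servers(conf_text, dig_text):
    """Ordered (host, where it came from) list the client would work through."""
    primary, domain = configured_server(conf_text)
    order = [(primary, "default.conf")]
    for host, _port in srv_targets(dig_text, domain):
        if host != primary:
            order.append((host, "SRV _ldap._tcp.%s" % domain))
    return order


def unexpected_fallbacks(conf_text, dig_text):
    """Fallback hosts that are not the configured server: where a 'cyclone' comes from."""
    return [h for h, src in candidate_servers(conf_text, dig_text) if src != "default.conf"]


if __name__ == "__main__":
    for host, source in candidate_servers(SAMPLE_DEFAULT_CONF, SAMPLE_DIG_OUTPUT):
        print("%-40s via %s" % (host, source))
    for host in unexpected_fallbacks(SAMPLE_DEFAULT_CONF, SAMPLE_DIG_OUTPUT):
        print("fallback candidate not in default.conf: %s" % host)
```

With the thread's own data the list is aurora (from default.conf) followed by cyclone (from the SRV record), which is exactly the sequence the -vv output shows; any host this prints as a fallback candidate is one a stale or wrong SRV record can send every client to once the primary returns an error.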
Re: [Freeipa-users] ipa-* tools throws errors
Thanks for getting back to me! I don't think the problem has anything to do with DNS. I (finally) ran an ipa command with the verbose flags -vv and found that it IS trying to contact aurora.esci.millersville.edu, it fails then tries to contact cyclone.esci.millersville.edu (still don't know where that comes from). I am getting an 'Internal Server Error' in the output when connecting to aurora. Here is the output:

% ipa -vv passwd
ipa: INFO: trying https://aurora.esci.millersville.edu/ipa/xml
send: u'POST /ipa/xml HTTP/1.0\r\nHost: aurora.esci.millersville.edu\r\nAccept-Language: en-us\r\nReferer: https://aurora.esci.millersville.edu/ipa/xml\r\nAuthorization: negotiate ...
send: "\n\nping\n\n\n\n"
reply: 'HTTP/1.1 500 Internal Server Error\r\n'
header: Date: Fri, 08 Mar 2013 16:52:48 GMT
header: Server: Apache/2.2.15 (Scientific Linux)
header: WWW-Authenticate: Negotiate YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvjoEMIFJxPVNU4jtl/7S+eC6fM0rlJWpV1fJdhoVTKwiR2pa2OHQWRtCjQDfz pBNwNBpt1fMY7M4Bfrqs860toAT6jMfS8Jkqh3Aj9OeuEmpEVHys5pbErjj14OPHxbxTmLdPxFE8eV4ZIDQg40a8
header: Content-Length: 311
header: Connection: close
header: Content-Type: text/html; charset=utf-8
ipa: INFO: trying https://cyclone.esci.millersville.edu/ipa/xml
ipa: ERROR: Kerberos error: Service u'h...@cyclone.esci.millersville.edu' not found in Kerberos database/

The apache error log gives this:

Fri Mar 08 11:52:48 2013] [error] ipa: ERROR: 500 Internal Server Error: xmlserver.__call__: KRB5CCNAME not defined in HTTP request environment.

I have no idea what that means. Can you help?

-----Original Message-----
From: Martin Kosek [mailto:mko...@redhat.com]
Sent: Wednesday, March 06, 2013 3:05 AM
To: David Fitzgerald
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-* tools throws errors

[...]
Re: [Freeipa-users] ipa-* tools throws errors
Ok. Can you try if this hostname is not returned in a SRV DNS record discovery run on the host where you execute the ipa commands?

# dig -t srv _ldap._tcp.esci.millersville.edu

Does it return the right results?

Martin

On 03/05/2013 07:26 PM, David Fitzgerald wrote:
> [...]
Re: [Freeipa-users] ipa-* tools throws errors
The host command returns the correct name:

#host 166.66.65.39
39.65.66.166.in-addr.arpa domain name pointer aurora.esci.millersville.edu.

-----Original Message-----
From: Martin Kosek [mailto:mko...@redhat.com]
Sent: Tuesday, March 05, 2013 10:26 AM
To: David Fitzgerald
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-* tools throws errors

On 03/05/2013 04:21 PM, David Fitzgerald wrote:
> [...]

Hello David,

I suspect this is caused by broken DNS reverse resolution as Kerberos client software often use the result of reverse record (PTR RR) resolution as a hostname and not the actual hostname configured on your system. What does "host $IP_ADDRESS_OF_YOUR_HOST" return? Does it return the correct hostname?

Martin
Re: [Freeipa-users] ipa-* tools throws errors
On 03/05/2013 04:21 PM, David Fitzgerald wrote:
> Hello everyone,
>
> I have been running a freeIPA server on Scientific Linux 6.2 for about a
> year. Yesterday I started not being able to run any "ipa-" commands.
> Running kinit admin gives me the proper tickets, but when I run any ipa-
> command I get the following error:
>
> ipa: ERROR: Kerberos error: Service u'h...@cyclone.esci.millersville.edu' not
> found in Kerberos database/.
>
> I have no idea where the cyclone.esci.millersville.edu is coming from, as that
> used to be a Windows Domain server that was decommissioned years ago and is no
> longer in DNS, nor in /etc/hosts. I even grep -R all of the files in /etc and
> none refer to cyclone. I checked the ipa config and krb5.conf files and they
> are pointing at the proper ipa server.
>
> Checking log files I get these messages when I try to run ipa commands:
>
> /var/log/httpd/error log:
>
> Tue Mar 05 08:57:54 2013] [error] ipa: ERROR: 500 Internal Server Error:
> xmlserver.__call__: KRB5CCNAME not defined in HTTP request environment
>
> /var/log/ipa
>
> Mar 05 09:57:00 aurora.esci.millersville.edu krb5kdc[12534](info): TGS_REQ (4
> etypes {18 17 16 23}) 166.66.65.39: ISSUE: authtime 1362491436, etypes {rep=18
> tkt=18 ses=18}, admin@LINUX.DIRSRV.LOCAL for
> krbtgt/LINUX.DIRSRV.LOCAL@LINUX.DIRSRV.LOCAL
>
> Mar 05 09:57:00 aurora.esci.millersville.edu krb5kdc[12534](info): TGS_REQ (4
> etypes {18 17 16 23}) 166.66.65.39: UNKNOWN_SERVER: authtime 0,
> admin@LINUX.DIRSRV.LOCAL for
> HTTP/cyclone.esci.millersville.edu@LINUX.DIRSRV.LOCAL, Server not found in
> Kerberos database
>
> I Googled these error messages, but none of the results seemed to apply to my
> situation or didn't solve the problem. Can anyone point me in the right
> direction? Any help is greatly appreciated.
>
> For what they are worth, here are my /etc/krb5.conf and /etc/ipa/default.conf
> files:
>
> /etc/krb5.conf:
>
> includedir /var/lib/sss/pubconf/krb5.include.d/
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = LINUX.DIRSRV.LOCAL
> dns_lookup_realm = false
> dns_lookup_kdc = false
> rdns = false
> ticket_lifetime = 24h
> forwardable = yes
>
> [realms]
> LINUX.DIRSRV.LOCAL = {
> kdc = aurora.esci.millersville.edu:88
> admin_server = aurora.esci.millersville.edu:749
> default_domain = esci.millersville.edu
> pkinit_anchors = FILE:/etc/ipa/ca.crt
> }
>
> [domain_realm]
> .esci.millersville.edu = LINUX.DIRSRV.LOCAL
> esci.millersville.edu = LINUX.DIRSRV.LOCAL
>
> [dbmodules]
> # LINUX.DIRSRV.LOCAL = {
> #db_library = kldap
> #ldap_servers = ldapi://%2fvar%2frun%2fslapd-LINUX-DIRSRV-LOCAL.socket
> #ldap_kerberos_container_dn = cn=kerberos,dc=linux,dc=dirsrv,dc=local
> #ldap_kdc_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=linux,dc=dirsrv,dc=local
> #ldap_kadmind_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=linux,dc=dirsrv,dc=local
> #ldap_service_password_file = /var/kerberos/krb5kdc/ldappwd
> # }
>
> LINUX.DIRSRV.LOCAL = {
> db_library = ipadb.so
> }
>
> /etc/ipa/default.conf
>
> [global]
> host=aurora.esci.millersville.edu
> basedn=dc=linux,dc=dirsrv,dc=local
> realm=LINUX.DIRSRV.LOCAL
> domain=esci.millersville.edu
> xmlrpc_uri=https://aurora.esci.millersville.edu/ipa/xml
> ldap_uri=ldapi://%2fvar%2frun%2fslapd-LINUX-DIRSRV-LOCAL.socket
> enable_ra=True
> ra_plugin=dogtag
> mode=production
>
> +++
> David Fitzgerald
> Department of Earth Sciences
> Millersville University
> Millersville, PA 17551
>
> Phone: 717-871-2394
>

Hello David,

I suspect this is caused by broken DNS reverse resolution, as Kerberos client software often uses the result of reverse record (PTR RR) resolution as a hostname and not the actual hostname configured on your system. What does "host $IP_ADDRESS_OF_YOUR_HOST" return? Does it return the correct hostname?

Martin

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
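Martin's reverse-resolution hypothesis, as an added check that is not part of the thread: parse the output of host for the server's address, compare the PTR name with the IPA hostname the client is configured to use, and show which HTTP/ service principal a client that canonicalises through reverse DNS would end up requesting. The address 192.0.2.10 and the three host outputs are constructed samples, not values from the thread.

```shell
#!/bin/sh
# Added diagnostic, not code from the thread: compare the reverse (PTR) name
# of an IPA server address with the hostname the client is configured to use.
# With rdns enabled in krb5.conf a Kerberos client can canonicalise the server
# name through its PTR record, so a stale PTR makes it ask the KDC for
# HTTP/<ptr-name>@REALM instead of HTTP/<configured-name>@REALM.

# ptr_name OUTPUT: print the PTR target found in the output of `host <ip>`,
# lower-cased and without the trailing dot; prints nothing if there is none.
ptr_name() {
    printf '%s\n' "$1" \
      | sed -n 's/.*domain name pointer \(.*\)\.$/\1/p' \
      | tr 'A-Z' 'a-z' | head -n 1
}

# expected_principal CONFIGURED_HOST REALM OUTPUT: the HTTP/ principal a
# client that trusts reverse DNS would request given that `host` output.
expected_principal() {
    name=$(ptr_name "$3")
    [ -n "$name" ] || name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    printf 'HTTP/%s@%s\n' "$name" "$2"
}

# rdns_check CONFIGURED_HOST OUTPUT: "ok" when the PTR matches the configured
# host, "mismatch:<ptr>" when it points elsewhere, "none" when there is no PTR.
rdns_check() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    got=$(ptr_name "$2")
    if [ -z "$got" ]; then echo none
    elif [ "$got" = "$want" ]; then echo ok
    else echo "mismatch:$got"
    fi
}

# Constructed sample `host` outputs (192.0.2.10 is a placeholder address, not
# the real server's): a stale PTR still naming the decommissioned cyclone host.
SAMPLE_STALE='10.2.0.192.in-addr.arpa domain name pointer cyclone.esci.millersville.edu.'
SAMPLE_GOOD='10.2.0.192.in-addr.arpa domain name pointer aurora.esci.millersville.edu.'
SAMPLE_NONE='Host 10.2.0.192.in-addr.arpa. not found: 3(NXDOMAIN)'

# Live use: rdns_check aurora.esci.millersville.edu "$(host 192.0.2.10)"
rdns_check aurora.esci.millersville.edu "$SAMPLE_STALE"
expected_principal aurora.esci.millersville.edu LINUX.DIRSRV.LOCAL "$SAMPLE_STALE"
```

The krb5.conf posted in the original message sets rdns = false, so confirm which configuration the failing client actually loads before treating a PTR mismatch as the explanation.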
[Freeipa-users] ipa-* tools throws errors
Hello everyone,

I have been running a freeIPA server on Scientific Linux 6.2 for about a year. Yesterday I started not being able to run any "ipa-" commands. Running kinit admin gives me the proper tickets, but when I run any ipa- command I get the following error:

ipa: ERROR: Kerberos error: Service u'h...@cyclone.esci.millersville.edu' not found in Kerberos database/.

I have no idea where the cyclone.esci.millersville.edu is coming from, as that used to be a Windows Domain server that was decommissioned years ago and is no longer in DNS, nor in /etc/hosts. I even grep -R all of the files in /etc and none refer to cyclone. I checked the ipa config and krb5.conf files and they are pointing at the proper ipa server.

Checking log files I get these messages when I try to run ipa commands:

/var/log/httpd/error log:

Tue Mar 05 08:57:54 2013] [error] ipa: ERROR: 500 Internal Server Error: xmlserver.__call__: KRB5CCNAME not defined in HTTP request environment

/var/log/ipa

Mar 05 09:57:00 aurora.esci.millersville.edu krb5kdc[12534](info): TGS_REQ (4 etypes {18 17 16 23}) 166.66.65.39: ISSUE: authtime 1362491436, etypes {rep=18 tkt=18 ses=18}, admin@LINUX.DIRSRV.LOCAL for krbtgt/LINUX.DIRSRV.LOCAL@LINUX.DIRSRV.LOCAL

Mar 05 09:57:00 aurora.esci.millersville.edu krb5kdc[12534](info): TGS_REQ (4 etypes {18 17 16 23}) 166.66.65.39: UNKNOWN_SERVER: authtime 0, admin@LINUX.DIRSRV.LOCAL for HTTP/cyclone.esci.millersville.edu@LINUX.DIRSRV.LOCAL, Server not found in Kerberos database

I Googled these error messages, but none of the results seemed to apply to my situation or didn't solve the problem. Can anyone point me in the right direction? Any help is greatly appreciated.

For what they are worth, here are my /etc/krb5.conf and /etc/ipa/default.conf files:

/etc/krb5.conf:

includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = LINUX.DIRSRV.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = yes

[realms]
LINUX.DIRSRV.LOCAL = {
kdc = aurora.esci.millersville.edu:88
admin_server = aurora.esci.millersville.edu:749
default_domain = esci.millersville.edu
pkinit_anchors = FILE:/etc/ipa/ca.crt
}

[domain_realm]
.esci.millersville.edu = LINUX.DIRSRV.LOCAL
esci.millersville.edu = LINUX.DIRSRV.LOCAL

[dbmodules]
# LINUX.DIRSRV.LOCAL = {
#db_library = kldap
#ldap_servers = ldapi://%2fvar%2frun%2fslapd-LINUX-DIRSRV-LOCAL.socket
#ldap_kerberos_container_dn = cn=kerberos,dc=linux,dc=dirsrv,dc=local
#ldap_kdc_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=linux,dc=dirsrv,dc=local
#ldap_kadmind_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=linux,dc=dirsrv,dc=local
#ldap_service_password_file = /var/kerberos/krb5kdc/ldappwd
# }

LINUX.DIRSRV.LOCAL = {
db_library = ipadb.so
}

/etc/ipa/default.conf

[global]
host=aurora.esci.millersville.edu
basedn=dc=linux,dc=dirsrv,dc=local
realm=LINUX.DIRSRV.LOCAL
domain=esci.millersville.edu
xmlrpc_uri=https://aurora.esci.millersville.edu/ipa/xml
ldap_uri=ldapi://%2fvar%2frun%2fslapd-LINUX-DIRSRV-LOCAL.socket
enable_ra=True
ra_plugin=dogtag
mode=production

+++
David Fitzgerald
Department of Earth Sciences
Millersville University
Millersville, PA 17551

Phone: 717-871-2394
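As an added triage helper that is not part of the original post, the sh functions below pull the UNKNOWN_SERVER requests out of krb5kdc.log lines like the two quoted above and list which client asked for which service host, so an unexpected name such as cyclone stands out without reading the whole log. The sample log is constructed from the lines in the post; the ipa service-find command mentioned in the comment is the standard IPA CLI for listing service principals.

```shell
#!/bin/sh
# Added triage helper, not code from the thread: report every TGS request the
# KDC rejected with UNKNOWN_SERVER, with the requesting client and the service
# principal it asked for.

# unknown_servers: read krb5kdc.log lines on stdin, print "<client-ip> <principal>"
# for each TGS_REQ that ended in UNKNOWN_SERVER; ISSUE lines are ignored.
unknown_servers() {
    sed -n 's/.*TGS_REQ ([^)]*) \([0-9.]*\): UNKNOWN_SERVER: .* for \([^,]*\),.*/\1 \2/p'
}

# service_hosts: distinct host parts of those principals (HTTP/host@REALM -> host);
# these are the names to check against DNS and against `ipa service-find`.
service_hosts() {
    unknown_servers | sed -n 's|^[^ ]* [^/]*/\([^@]*\)@.*$|\1|p' | sort -u
}

# Constructed sample modelled on the two lines in the post: one normal ISSUE
# line that must be skipped and one UNKNOWN_SERVER line that must be reported.
SAMPLE_LOG='Mar 05 09:57:00 aurora.esci.millersville.edu krb5kdc[12534](info): TGS_REQ (4 etypes {18 17 16 23}) 166.66.65.39: ISSUE: authtime 1362491436, etypes {rep=18 tkt=18 ses=18}, admin@LINUX.DIRSRV.LOCAL for krbtgt/LINUX.DIRSRV.LOCAL@LINUX.DIRSRV.LOCAL
Mar 05 09:57:00 aurora.esci.millersville.edu krb5kdc[12534](info): TGS_REQ (4 etypes {18 17 16 23}) 166.66.65.39: UNKNOWN_SERVER: authtime 0, admin@LINUX.DIRSRV.LOCAL for HTTP/cyclone.esci.millersville.edu@LINUX.DIRSRV.LOCAL, Server not found in Kerberos database'

# Live use: unknown_servers < /var/log/krb5kdc.log
printf '%s\n' "$SAMPLE_LOG" | unknown_servers
printf '%s\n' "$SAMPLE_LOG" | service_hosts
```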