Re: [Freeipa-users] sudden ipa errors.

2012-09-24 Thread Martin Kosek
Hello Nathan,

you can file the bug on Red Hat Bugzilla (bugzilla.redhat.com), you can use
this link:

https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%206

Thanks in advance!
Martin

On 09/21/2012 05:53 PM, Nathan Lager wrote:
 Sure thing, can you point me to where i'd do so?  I usually have this
 sort of thing taken care of via a RedHat support ticket.  And the
 support rep creates the bug report.
 
 
 On 09/21/2012 11:19 AM, Dmitri Pal wrote:
 That might be worthy of a bug report.


 Can you please file one?

 

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] sudden ipa errors.

2012-09-21 Thread Rob Crittenden

Lager, Nathan T. wrote:

Well, after all of this, RedHat support just resolved my issue!

It came down to the domain_realm definitions in /etc/krb5.conf.

They had me change:

[domain_realm]
  .systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
  systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU

To:
[domain_realm]
  .systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
  systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
  .lafayette.edu = SYSTEMS.LAFAYETTE.EDU
  lafayette.edu = SYSTEMS.LAFAYETTE.EDU

After doing so, I restarted IPA, and my commands are working properly now!

Now, to get my replica back in order...


Wow. OK, I'm glad it's working. Do we have any idea how this file 
changed? Is it wrong on all your clients or only on this one master?


rob





Re: [Freeipa-users] sudden ipa errors.

2012-09-21 Thread Nathan Lager


On 09/21/2012 10:18 AM, Rob Crittenden wrote:
 Lager, Nathan T. wrote:
 Well, after all of this, RedHat support just resolved my issue!
 
 It came down to the domain_realm definitions in /etc/krb5.conf.
 
 They had me change:
 
 [domain_realm]
   .systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
   systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
 
 To:
 [domain_realm]
   .systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
   systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
   .lafayette.edu = SYSTEMS.LAFAYETTE.EDU
   lafayette.edu = SYSTEMS.LAFAYETTE.EDU
 
 After doing so, I restarted IPA, and my commands are working
 properly now!
 
 Now, to get my replica back in order...
 
 Wow. OK, I'm glad it's working. Do we have any idea how this file 
 changed? Is it wrong on all your clients or only on this one
 master?
 
It appears wrong on my replica as well, caroline1.  There are no
clients currently, other than RHEV.

I only have one lingering issue, aside from my replica being broken.

I still can't reset admin's password. It gives me the same error it was
before.

[root@caroline0 PROD ~]# kinit admin
Password for ad...@systems.lafayette.edu:
Password expired.  You must change it now.
Enter new password:
Enter it again:
kinit: Password has expired while getting initial credentials





Re: [Freeipa-users] sudden ipa errors.

2012-09-21 Thread Rob Crittenden

Nathan Lager wrote:




On 09/21/2012 10:18 AM, Rob Crittenden wrote:

Lager, Nathan T. wrote:

Well, after all of this, RedHat support just resolved my issue!

It came down to the domain_realm definitions in /etc/krb5.conf.

They had me change:

[domain_realm]
  .systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
  systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU

To:
[domain_realm]
  .systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
  systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
  .lafayette.edu = SYSTEMS.LAFAYETTE.EDU
  lafayette.edu = SYSTEMS.LAFAYETTE.EDU

After doing so, I restarted IPA, and my commands are working
properly now!

Now, to get my replica back in order...


Wow. OK, I'm glad it's working. Do we have any idea how this file
changed? Is it wrong on all your clients or only on this one
master?


It appears wrong on my replica as well, caroline1.  There are no
clients currently, other than RHEV.

I only have one lingering issue, aside from my replica being broken.

I still can't reset admin's password. It gives me the same error it was
before.

[root@caroline0 PROD ~]# kinit admin
Password for ad...@systems.lafayette.edu:
Password expired.  You must change it now.
Enter new password:
Enter it again:
kinit: Password has expired while getting initial credentials


Can you try kpasswd to reset the admin password?

rob



Re: [Freeipa-users] sudden ipa errors.

2012-09-21 Thread Dmitri Pal
On 09/21/2012 11:13 AM, Nathan Lager wrote:


 On 09/21/2012 11:07 AM, Nathan Lager wrote:


  On 09/21/2012 10:18 AM, Rob Crittenden wrote:
  Lager, Nathan T. wrote:
  Well, after all of this, RedHat support just resolved my
  issue!
 
  It came down to the domain_realm definitions in
  /etc/krb5.conf.
 
  They had me change:
 
  [domain_realm]
    .systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
    systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
 
  To:
  [domain_realm]
    .systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
    systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
    .lafayette.edu = SYSTEMS.LAFAYETTE.EDU
    lafayette.edu = SYSTEMS.LAFAYETTE.EDU
 
  After doing so, I restarted IPA, and my commands are working
  properly now!
 
  Now, to get my replica back in order...

  Wow. OK, I'm glad it's working. Do we have any idea how this file
   changed? Is it wrong on all your clients or only on this one
  master?

  It appears wrong on my replica as well, caroline1.  There are no
  clients currently, other than RHEV.

  I only have one lingering issue, aside from my replica being
  broken.

  I still can't reset admin's password. It gives me the same error it
  was before.

  [root@caroline0 PROD ~]# kinit admin
  Password for ad...@systems.lafayette.edu:
  Password expired.  You must change it now.
  Enter new password:
  Enter it again:
  kinit: Password has expired while getting initial credentials


 Fixed this, on a hunch.  When the password expired, the pwpolicy was
 set to 90 days. RedHat Support had me change it to  days to
 effectively disable it so others wouldn't expire (because no one could
 change passwords).

 I had a hunch that because the policy was now set greater than the
 time it's been since admin last changed his password, that ipa was
 getting confused when I attempted to change the expired pass.  So I
 set it back to 90.  It let me change the expired password.

  That might be worthy of a bug report.


Can you please file one?





Re: [Freeipa-users] sudden ipa errors.

2012-09-21 Thread Nathan Lager
Sure thing, can you point me to where i'd do so?  I usually have this
sort of thing taken care of via a RedHat support ticket.  And the
support rep creates the bug report.


On 09/21/2012 11:19 AM, Dmitri Pal wrote:
 That might be worthy of a bug report.
 
 
 Can you please file one?
 



Re: [Freeipa-users] sudden ipa errors.

2012-09-20 Thread Rob Crittenden

Lager, Nathan T. wrote:


- Original Message -

From: Rob Crittenden rcrit...@redhat.com
To: Nathan Lager lag...@lafayette.edu
Cc: freeipa-users@redhat.com
Sent: Wednesday, September 19, 2012 4:35:30 PM
Subject: Re: [Freeipa-users] sudden ipa errors.
Nathan Lager wrote:




On 09/19/2012 03:47 PM, Rob Crittenden wrote:

Dmitri Pal wrote:


Rob, keytab and kerberos part seems to be fine, ldap works too.
Can it be one of the certs? May be some cert expired?


No, the error is coming from GSSAPI, it is unfortunately
completely useless. I think we've pretty well narrowed down the
problem to httpd/mod_auth_kerb but I don't know yet if this is a
configuration issue or a bug.

Nathan, can you show me your /etc/httpd/conf.d/ipa.conf?

Sure, as far as I know it's completely stock, aside from the krb
password auth change.


Yup, configuration looks fine.

Ok, let's eliminate the ipa tool as the problem and try curl:

Create a file test.json with these contents:

{"method":"batch","params":[[
{"method":"user_show","params":[["admin"],{"all":false}]}
],{}],"id":1}

then run this:

curl -H "Content-Type:application/json" -H "Accept:application/json" \
     -H "Accept-Language:en" -H "Referer: https://caroline0.lafayette.edu/ipa/xml" \
     --negotiate -u : --cacert /etc/ipa/ca.crt -d @test.json -X POST \
     https://caroline0.lafayette.edu/ipa/json


Seems to be running into the same trouble.

[lagern@caroline0 PROD ~]$ curl -H "Content-Type:application/json" -H "Accept:application/json" -H "Accept-Language:en" -H "Referer: https://caroline0.lafayette.edu/ipa/xml" --negotiate -u : --cacert /etc/ipa/ca.crt -d @test.json -X POST https://caroline0.lafayette.edu/ipa/json
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
misconfiguration and was unable to complete
your request.</p>
<p>Please contact the server administrator,
 root@localhost and inform them of the time the error occurred,
and anything you might have done that may have
caused the error.</p>
<p>More information about this error may be available
in the server error log.</p>
<hr>
<address>Apache/2.2.15 (Red Hat) Server at caroline0.lafayette.edu Port 443</address>
</body></html>


Ok, need to gather some more info:

# kvno HTTP/caroline0.lafayette.edu
# klist -kt /etc/httpd/conf/ipa.keytab

rob



Re: [Freeipa-users] sudden ipa errors.

2012-09-20 Thread Rob Crittenden

Nathan Lager wrote:



On 09/20/2012 11:43 AM, Rob Crittenden wrote:

Lager, Nathan T. wrote:


- Original Message -

From: Rob Crittenden rcrit...@redhat.com To: Nathan Lager
lag...@lafayette.edu Cc: freeipa-users@redhat.com Sent:
Wednesday, September 19, 2012 4:35:30 PM Subject: Re:
[Freeipa-users] sudden ipa errors. Nathan Lager wrote:




On 09/19/2012 03:47 PM, Rob Crittenden wrote:

Dmitri Pal wrote:


Rob, keytab and kerberos part seems to be fine, ldap
works too. Can it be one of the certs? May be some cert
expired?


No, the error is coming from GSSAPI, it is unfortunately
completely useless. I think we've pretty well narrowed down
the problem to httpd/mod_auth_kerb but I don't know yet if
this is a configuration issue or a bug.

Nathan, can you show me your /etc/httpd/conf.d/ipa.conf?

Sure, as far as I know it's completely stock, aside from the
krb password auth change.


Yup, configuration looks fine.

Ok, let's eliminate the ipa tool as the problem and try curl:

Create a file test.json with these contents:

{"method":"batch","params":[[
{"method":"user_show","params":[["admin"],{"all":false}]}
],{}],"id":1}

then run this:

curl -H "Content-Type:application/json" -H "Accept:application/json" \
     -H "Accept-Language:en" -H "Referer: https://caroline0.lafayette.edu/ipa/xml" \
     --negotiate -u : --cacert /etc/ipa/ca.crt -d @test.json -X POST \
     https://caroline0.lafayette.edu/ipa/json


Seems to be running into the same trouble.

[lagern@caroline0 PROD ~]$ curl -H "Content-Type:application/json" -H "Accept:application/json" -H "Accept-Language:en" -H "Referer: https://caroline0.lafayette.edu/ipa/xml" --negotiate -u : --cacert /etc/ipa/ca.crt -d @test.json -X POST https://caroline0.lafayette.edu/ipa/json
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
misconfiguration and was unable to complete your request.</p>
<p>Please contact the server administrator, root@localhost and
inform them of the time the error occurred, and anything you
might have done that may have caused the error.</p>
<p>More information about this error may be available in the server error
log.</p>
<hr>
<address>Apache/2.2.15 (Red Hat) Server at caroline0.lafayette.edu Port 443</address>
</body></html>


Ok, need to gather some more info:

# kvno HTTP/caroline0.lafayette.edu # klist -kt
/etc/httpd/conf/ipa.keytab


[root@caroline0 PROD ~]# kvno HTTP/caroline0.lafayette.edu
HTTP/caroline0.lafayette@systems.lafayette.edu: kvno = 3
[root@caroline0 PROD ~]# klist -kt /etc/httpd/conf/ipa.keytab
Keytab name: WRFILE:/etc/httpd/conf/ipa.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
2 02/03/12 16:31:27 HTTP/caroline0.lafayette@systems.lafayette.edu
2 02/03/12 16:31:27 HTTP/caroline0.lafayette@systems.lafayette.edu
2 02/03/12 16:31:28 HTTP/caroline0.lafayette@systems.lafayette.edu
2 02/03/12 16:31:28 HTTP/caroline0.lafayette@systems.lafayette.edu
2 02/03/12 16:31:28 HTTP/caroline0.lafayette@systems.lafayette.edu
2 02/03/12 16:31:28 HTTP/caroline0.lafayette@systems.lafayette.edu
3 09/19/12 15:33:53 HTTP/caroline0.lafayette@systems.lafayette.edu
3 09/19/12 15:33:53 HTTP/caroline0.lafayette@systems.lafayette.edu
3 09/19/12 15:33:53 HTTP/caroline0.lafayette@systems.lafayette.edu
3 09/19/12 15:33:53 HTTP/caroline0.lafayette@systems.lafayette.edu



It may be nothing, but I wonder why kvno 2 has 6 keys and 3 has only 4. 
Did you change the available encryption types?


Can you re-run the klist command with -e as well? klist -ekt ...

rob



Re: [Freeipa-users] sudden ipa errors.

2012-09-20 Thread Nathan Lager


On 09/20/2012 11:43 AM, Rob Crittenden wrote:
 Lager, Nathan T. wrote:
 
 - Original Message -
 From: Rob Crittenden rcrit...@redhat.com To: Nathan Lager
 lag...@lafayette.edu Cc: freeipa-users@redhat.com Sent:
 Wednesday, September 19, 2012 4:35:30 PM Subject: Re:
 [Freeipa-users] sudden ipa errors. Nathan Lager wrote:
 
 
 
 On 09/19/2012 03:47 PM, Rob Crittenden wrote:
 Dmitri Pal wrote:
 
 Rob, keytab and kerberos part seems to be fine, ldap
 works too. Can it be one of the certs? May be some cert
 expired?
 
 No, the error is coming from GSSAPI, it is unfortunately 
 completely useless. I think we've pretty well narrowed down
 the problem to httpd/mod_auth_kerb but I don't know yet if
 this is a configuration issue or a bug.
 
 Nathan, can you show me your /etc/httpd/conf.d/ipa.conf?
 Sure, as far as I know it's completely stock, aside from the
 krb password auth change.
 
 Yup, configuration looks fine.
 
 Ok, let's eliminate the ipa tool as the problem and try curl:
 
 Create a file test.json with these contents:
 
 {"method":"batch","params":[[
 {"method":"user_show","params":[["admin"],{"all":false}]}
 ],{}],"id":1}
 
 then run this:
 
 curl -H "Content-Type:application/json" -H "Accept:application/json" \
      -H "Accept-Language:en" -H "Referer: https://caroline0.lafayette.edu/ipa/xml" \
      --negotiate -u : --cacert /etc/ipa/ca.crt -d @test.json -X POST \
      https://caroline0.lafayette.edu/ipa/json
 
 Seems to be running into the same trouble.
 
 [lagern@caroline0 PROD ~]$ curl -H "Content-Type:application/json" -H "Accept:application/json" -H "Accept-Language:en" -H "Referer: https://caroline0.lafayette.edu/ipa/xml" --negotiate -u : --cacert /etc/ipa/ca.crt -d @test.json -X POST https://caroline0.lafayette.edu/ipa/json
 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
 <html><head>
 <title>500 Internal Server Error</title>
 </head><body>
 <h1>Internal Server Error</h1>
 <p>The server encountered an internal error or
 misconfiguration and was unable to complete your request.</p>
 <p>Please contact the server administrator, root@localhost and
 inform them of the time the error occurred, and anything you
 might have done that may have caused the error.</p>
 <p>More information about this error may be available in the server error
 log.</p>
 <hr>
 <address>Apache/2.2.15 (Red Hat) Server at caroline0.lafayette.edu Port 443</address>
 </body></html>
 
 Ok, need to gather some more info:
 
 # kvno HTTP/caroline0.lafayette.edu # klist -kt
 /etc/httpd/conf/ipa.keytab
 
[root@caroline0 PROD ~]# kvno HTTP/caroline0.lafayette.edu
HTTP/caroline0.lafayette@systems.lafayette.edu: kvno = 3
[root@caroline0 PROD ~]# klist -kt /etc/httpd/conf/ipa.keytab
Keytab name: WRFILE:/etc/httpd/conf/ipa.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------

   2 02/03/12 16:31:27 HTTP/caroline0.lafayette@systems.lafayette.edu
   2 02/03/12 16:31:27 HTTP/caroline0.lafayette@systems.lafayette.edu
   2 02/03/12 16:31:28 HTTP/caroline0.lafayette@systems.lafayette.edu
   2 02/03/12 16:31:28 HTTP/caroline0.lafayette@systems.lafayette.edu
   2 02/03/12 16:31:28 HTTP/caroline0.lafayette@systems.lafayette.edu
   2 02/03/12 16:31:28 HTTP/caroline0.lafayette@systems.lafayette.edu
   3 09/19/12 15:33:53 HTTP/caroline0.lafayette@systems.lafayette.edu
   3 09/19/12 15:33:53 HTTP/caroline0.lafayette@systems.lafayette.edu
   3 09/19/12 15:33:53 HTTP/caroline0.lafayette@systems.lafayette.edu
   3 09/19/12 15:33:53 HTTP/caroline0.lafayette@systems.lafayette.edu



 rob

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE (#110-011-426)
System Administrator
11 Pardee Hall
Lafayette College, Easton, PA 18042



Re: [Freeipa-users] sudden ipa errors.

2012-09-20 Thread Nathan Lager


On 09/20/2012 02:28 PM, Rob Crittenden wrote:
 Nathan Lager wrote:
 
 
 On 09/20/2012 11:43 AM, Rob Crittenden wrote:
 Lager, Nathan T. wrote:
 
 - Original Message -
 From: Rob Crittenden rcrit...@redhat.com To: Nathan
 Lager lag...@lafayette.edu Cc: freeipa-users@redhat.com
 Sent: Wednesday, September 19, 2012 4:35:30 PM Subject:
 Re: [Freeipa-users] sudden ipa errors. Nathan Lager wrote:
 
 
 
 On 09/19/2012 03:47 PM, Rob Crittenden wrote:
 Dmitri Pal wrote:
 
 Rob, keytab and kerberos part seems to be fine, ldap 
 works too. Can it be one of the certs? May be some
 cert expired?
 
 No, the error is coming from GSSAPI, it is
 unfortunately completely useless. I think we've pretty
 well narrowed down the problem to httpd/mod_auth_kerb
 but I don't know yet if this is a configuration issue
 or a bug.
 
 Nathan, can you show me your
 /etc/httpd/conf.d/ipa.conf?
 Sure, as far as I know it's completely stock, aside from
 the krb password auth change.
 
 Yup, configuration looks fine.
 
 Ok, let's eliminate the ipa tool as the problem and try
 curl:
 
 Create a file test.json with these contents:
 
 {"method":"batch","params":[[
 {"method":"user_show","params":[["admin"],{"all":false}]}
 ],{}],"id":1}
 
 then run this:
 
 curl -H "Content-Type:application/json" -H "Accept:application/json" \
      -H "Accept-Language:en" -H "Referer: https://caroline0.lafayette.edu/ipa/xml" \
      --negotiate -u : --cacert /etc/ipa/ca.crt -d @test.json -X POST \
      https://caroline0.lafayette.edu/ipa/json
 
 Seems to be running into the same trouble.
 
 [lagern@caroline0 PROD ~]$ curl -H "Content-Type:application/json" -H "Accept:application/json" -H "Accept-Language:en" -H "Referer: https://caroline0.lafayette.edu/ipa/xml" --negotiate -u : --cacert /etc/ipa/ca.crt -d @test.json -X POST https://caroline0.lafayette.edu/ipa/json
 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
 <html><head>
 <title>500 Internal Server Error</title>
 </head><body>
 <h1>Internal Server Error</h1>
 <p>The server encountered an internal error
 or misconfiguration and was unable to complete your
 request.</p>
 <p>Please contact the server administrator,
 root@localhost and inform them of the time the error
 occurred, and anything you might have done that may have
 caused the error.</p>
 <p>More information about this error
 may be available in the server error log.</p>
 <hr>
 <address>Apache/2.2.15 (Red Hat) Server at caroline0.lafayette.edu Port 443</address>
 </body></html>
 
 Ok, need to gather some more info:
 
 # kvno HTTP/caroline0.lafayette.edu # klist -kt 
 /etc/httpd/conf/ipa.keytab
 
 [root@caroline0 PROD ~]# kvno HTTP/caroline0.lafayette.edu
 HTTP/caroline0.lafayette@systems.lafayette.edu: kvno = 3
 [root@caroline0 PROD ~]# klist -kt /etc/httpd/conf/ipa.keytab
 Keytab name: WRFILE:/etc/httpd/conf/ipa.keytab
 KVNO Timestamp         Principal
 ---- ----------------- --------------------------------------------------------
    2 02/03/12 16:31:27 HTTP/caroline0.lafayette@systems.lafayette.edu
    2 02/03/12 16:31:27 HTTP/caroline0.lafayette@systems.lafayette.edu
    2 02/03/12 16:31:28 HTTP/caroline0.lafayette@systems.lafayette.edu
    2 02/03/12 16:31:28 HTTP/caroline0.lafayette@systems.lafayette.edu
    2 02/03/12 16:31:28 HTTP/caroline0.lafayette@systems.lafayette.edu
    2 02/03/12 16:31:28 HTTP/caroline0.lafayette@systems.lafayette.edu
    3 09/19/12 15:33:53 HTTP/caroline0.lafayette@systems.lafayette.edu
    3 09/19/12 15:33:53 HTTP/caroline0.lafayette@systems.lafayette.edu
    3 09/19/12 15:33:53 HTTP/caroline0.lafayette@systems.lafayette.edu
    3 09/19/12 15:33:53 HTTP/caroline0.lafayette@systems.lafayette.edu
 
 
 It may be nothing, but I wonder why kvno 2 has 6 keys and 3 has
 only 4. Did you change the available encryption types?
 
I have not changed them, not intentionally anyway.  Could it be that
an update did so?  I installed IPA around RHEL 6.1 or so, and have been
updating it via yum periodically.

 Can you re-run the klist command with -e as well? klist -ekt ...
 
[root@caroline0 PROD ~]# klist -kte /etc/httpd/conf/ipa.keytab
Keytab name: WRFILE:/etc/httpd/conf/ipa.keytab
KVNO Timestamp Principal
 -

   2 02/03/12 16:31:27
HTTP/caroline0.lafayette@systems.lafayette.edu
(aes256-cts-hmac-sha1-96)
   2 02/03/12 16:31:27
HTTP/caroline0.lafayette@systems.lafayette.edu
(aes128-cts-hmac-sha1-96)
   2 02/03/12 16:31:28
HTTP/caroline0.lafayette@systems.lafayette.edu (des3-cbc-sha1)
   2 02/03/12 16:31:28
HTTP/caroline0.lafayette@systems.lafayette.edu (arcfour-hmac)
   2 02/03/12 16:31:28
HTTP/caroline0.lafayette@systems.lafayette.edu (des-hmac-sha1)
   2 02/03/12 16:31:28
HTTP/caroline0.lafayette@systems.lafayette.edu (des-cbc-md5)
   3 09/19/12 15:33:53
HTTP/caroline0.lafayette@systems.lafayette.edu
(aes256-cts-hmac-sha1-96)
   3 09/19/12 15:33:53
HTTP/caroline0.lafayette@systems.lafayette.edu
(aes128-cts-hmac-sha1-96
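An added checker (not code from the thread or from FreeIPA) that does mechanically what is being done by eye above: it parses `klist -kte`, `kvno` and `klist -fea` output, reports the enctype set per KVNO so a shrinking set is visible, and confirms the keytab holds the key (KVNO plus enctype) that the client's HTTP service ticket needs. The sample output is constructed; the un-obfuscated principal `HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU` and the client principal `lagern@SYSTEMS.LAFAYETTE.EDU` are assumptions.

```python
"""Cross-check an HTTP service keytab against the ticket a client holds.

Added example, not the thread's or FreeIPA's code. Parses `klist -kte`, `kvno`
and `klist -fea` output in the formats shown in the thread, groups keytab keys
by KVNO (so kvno 2 with 6 keys vs kvno 3 with 4 is visible) and checks the
keytab holds a key with the KVNO and enctype of the client's service ticket.
All sample output is constructed.
"""
import re
from collections import defaultdict

SERVICE = "HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU"  # assumed form

# Constructed `klist -kte` output: 6 keys at kvno 2, 4 keys at kvno 3.
KLIST_KTE = f"""Keytab name: WRFILE:/etc/httpd/conf/ipa.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------
   2 02/03/12 16:31:27 {SERVICE} (aes256-cts-hmac-sha1-96)
   2 02/03/12 16:31:27 {SERVICE} (aes128-cts-hmac-sha1-96)
   2 02/03/12 16:31:28 {SERVICE} (des3-cbc-sha1)
   2 02/03/12 16:31:28 {SERVICE} (arcfour-hmac)
   2 02/03/12 16:31:28 {SERVICE} (des-hmac-sha1)
   2 02/03/12 16:31:28 {SERVICE} (des-cbc-md5)
   3 09/19/12 15:33:53 {SERVICE} (aes256-cts-hmac-sha1-96)
   3 09/19/12 15:33:53 {SERVICE} (aes128-cts-hmac-sha1-96)
   3 09/19/12 15:33:53 {SERVICE} (des3-cbc-sha1)
   3 09/19/12 15:33:53 {SERVICE} (arcfour-hmac)
"""
# Constructed `kvno` output: the KDC's current key version for the service.
KVNO_OUT = f"{SERVICE}: kvno = 3\n"
# Constructed `klist -fea` output for the client's credential cache.
KLIST_FEA = f"""Ticket cache: FILE:/tmp/krb5cc_0
Default principal: lagern@SYSTEMS.LAFAYETTE.EDU

Valid starting     Expires            Service principal
09/19/12 11:23:03  09/20/12 11:22:52  krbtgt/SYSTEMS.LAFAYETTE.EDU@SYSTEMS.LAFAYETTE.EDU
\tFlags: FIA, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
\tAddresses: (none)
09/19/12 11:23:11  09/20/12 11:22:52  {SERVICE}
\tFlags: FAT, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
\tAddresses: (none)
"""

KEYTAB_RE = re.compile(r"^\s*(\d+)\s+\S+ \S+\s+(\S+)\s+\((\S+)\)$")
KVNO_RE = re.compile(r"^(\S+): kvno = (\d+)$")
TICKET_RE = re.compile(
    r"^\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+(\S+)$")
ETYPE_RE = re.compile(r"Etype \(skey, tkt\):\s*(\S+),\s*(\S+)")

def parse_keytab(text):
    """{principal: {kvno: set(enctype)}} from `klist -kte` output."""
    keys = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = KEYTAB_RE.match(line.rstrip())
        if m:
            keys[m.group(2)][int(m.group(1))].add(m.group(3))
    return keys

def parse_kvno(text):
    """{principal: kvno} from `kvno` output."""
    found = (KVNO_RE.match(l.strip()) for l in text.splitlines())
    return {m.group(1): int(m.group(2)) for m in found if m}

def parse_ticket_etypes(text):
    """{service principal: tkt enctype} from `klist -fea` output. The second
    value on the Etype line is the ticket enctype, i.e. the key type the
    service's keytab must hold; the first is the session key."""
    tickets, current = {}, None
    for line in text.splitlines():
        m = TICKET_RE.match(line.strip())
        if m:
            current = m.group(1)
            continue
        m = ETYPE_RE.search(line)
        if m and current:
            tickets[current] = m.group(2)
    return tickets

def enctype_drift(per_kvno):
    """Enctypes present at an older KVNO but missing from the newest one."""
    if len(per_kvno) < 2:
        return set()
    newest = max(per_kvno)
    older = set().union(*(v for k, v in per_kvno.items() if k != newest))
    return older - per_kvno[newest]

def diagnose(keytab_text, kvno_text, fea_text, service):
    """Summarise whether `service` can decrypt the ticket the client holds."""
    keys = parse_keytab(keytab_text).get(service, {})
    kvno = parse_kvno(kvno_text).get(service)
    etype = parse_ticket_etypes(fea_text).get(service)
    return {
        "keys_per_kvno": {k: len(v) for k, v in sorted(keys.items())},
        "drift": enctype_drift(keys),
        "ticket_kvno": kvno,
        "ticket_etype": etype,
        "can_decrypt": kvno is not None and etype in keys.get(kvno, set()),
    }

if __name__ == "__main__":
    for k, v in diagnose(KLIST_KTE, KVNO_OUT, KLIST_FEA, SERVICE).items():
        print(f"{k}: {v}")
```

In this constructed case the keytab can decrypt the ticket (kvno 3, aes256), so the dropped single-DES keys are not what breaks the acceptor; a `can_decrypt` of False would point straight at a stale keytab.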

Re: [Freeipa-users] sudden ipa errors.

2012-09-20 Thread Lager, Nathan T.
Well, after all of this, RedHat support just resolved my issue! 

It came down to the domain_realm definitions in /etc/krb5.conf. 

They had me change: 

[domain_realm]
 .systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
 systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU

To:
[domain_realm]
 .systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
 systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
 .lafayette.edu = SYSTEMS.LAFAYETTE.EDU
 lafayette.edu = SYSTEMS.LAFAYETTE.EDU

After doing so, I restarted IPA, and my commands are working properly now! 

Now, to get my replica back in order...


- Original Message -
 From: Nathan Lager lag...@lafayette.edu
 To: Rob Crittenden rcrit...@redhat.com
 Cc: freeipa-users@redhat.com
 Sent: Thursday, September 20, 2012 2:46:20 PM
 Subject: Re: [Freeipa-users] sudden ipa errors.
 On 09/20/2012 02:28 PM, Rob Crittenden wrote:
  Nathan Lager wrote:
 
 
  On 09/20/2012 11:43 AM, Rob Crittenden wrote:
  Lager, Nathan T. wrote:
 
  - Original Message -
  From: Rob Crittenden rcrit...@redhat.com To: Nathan
  Lager lag...@lafayette.edu Cc: freeipa-users@redhat.com
  Sent: Wednesday, September 19, 2012 4:35:30 PM Subject:
  Re: [Freeipa-users] sudden ipa errors. Nathan Lager wrote:
 
 
 
  On 09/19/2012 03:47 PM, Rob Crittenden wrote:
  Dmitri Pal wrote:
 
  Rob, keytab and kerberos part seems to be fine, ldap
  works too. Can it be one of the certs? May be some
  cert expired?
 
  No, the error is coming from GSSAPI, it is
  unfortunately completely useless. I think we've pretty
  well narrowed down the problem to httpd/mod_auth_kerb
  but I don't know yet if this is a configuration issue
  or a bug.
 
  Nathan, can you show me your
  /etc/httpd/conf.d/ipa.conf?
  Sure, as far as I know its completely stock, aside from
  the krb password auth change.
 
  Yup, configuration looks fine.
 
  Ok, let's eliminate the ipa tool as the problem and try
  curl:
 
  Create a file test.json with these contents:
 
  {"method":"batch","params":[[
  {"method":"user_show","params":[["admin"],{"all":false}]}
  ],{}],"id":1}
 
  then run this:
 
  curl -H Content-Type:application/json -H
  Accept:application/json -H Accept-Language:en -H
  "Referer: https://caroline0.lafayette.edu/ipa/xml"
  --negotiate -u : --cacert /etc/ipa/ca.crt -d @test.json -X
  POST https://caroline0.lafayette.edu/ipa/json
 
  Seems to be running into the same trouble.
 
  [lagern@caroline0 PROD ~]$ curl -H
  Content-Type:application/json -H Accept:application/json
  -H Accept-Language:en -H "Referer:
  https://caroline0.lafayette.edu/ipa/xml" --negotiate -u :
  --cacert /etc/ipa/ca.crt -d @test.json -X POST
  https://caroline0.lafayette.edu/ipa/json
  <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
  <html><head>
  <title>500 Internal Server Error</title>
  </head><body>
  <h1>Internal Server Error</h1>
  <p>The server encountered an internal error or misconfiguration
  and was unable to complete your request.</p>
  <p>Please contact the server administrator, root@localhost and
  inform them of the time the error occurred, and anything you
  might have done that may have caused the error.</p>
  <p>More information about this error may be available in the
  server error log.</p>
  <hr>
  <address>Apache/2.2.15 (Red Hat) Server at
  caroline0.lafayette.edu Port 443</address>
  </body></html>
 
  Ok, need to gather some more info:
 
  # kvno HTTP/caroline0.lafayette.edu
  # klist -kt /etc/httpd/conf/ipa.keytab
 
  [root@caroline0 PROD ~]# kvno HTTP/caroline0.lafayette.edu
  HTTP/caroline0.lafayette@systems.lafayette.edu: kvno = 3
  [root@caroline0 PROD ~]# klist -kt /etc/httpd/conf/ipa.keytab
  Keytab name: WRFILE:/etc/httpd/conf/ipa.keytab
  KVNO Timestamp         Principal
  ---- ----------------- ----------------------------------------------
     2 02/03/12 16:31:27 HTTP/caroline0.lafayette@systems.lafayette.edu
     2 02/03/12 16:31:27 HTTP/caroline0.lafayette@systems.lafayette.edu
     2 02/03/12 16:31:28 HTTP/caroline0.lafayette@systems.lafayette.edu
     2 02/03/12 16:31:28 HTTP/caroline0.lafayette@systems.lafayette.edu
     2 02/03/12 16:31:28 HTTP/caroline0.lafayette@systems.lafayette.edu
     2 02/03/12 16:31:28 HTTP/caroline0.lafayette@systems.lafayette.edu
     3 09/19/12 15:33:53 HTTP/caroline0.lafayette@systems.lafayette.edu
     3 09/19/12 15:33:53 HTTP/caroline0.lafayette@systems.lafayette.edu
     3 09/19/12 15:33:53 HTTP/caroline0.lafayette@systems.lafayette.edu
     3 09/19/12 15:33:53 HTTP/caroline0.lafayette@systems.lafayette.edu
 
 
  It may be nothing, but I wonder why kvno 2 has 6 keys and 3 has
  only 4. Did you change the available encryption types?
 
 I have not changed them, not intentionally anyway. Could it be that
 an update did so? I installed IPA around RHEL 6.1 or so, and have been
 updating it via yum periodically.
 
  Can you re-run the klist command with -e as well? klist -ekt ...
 
 [root@caroline0 PROD ~]# klist -kte /etc/httpd/conf/ipa.keytab
 Keytab name: WRFILE:/etc/httpd/conf
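An added model (not the thread's or MIT krb5's own code) of the [domain_realm] lookup behind the fix above: with only the systems.lafayette.edu entries, caroline0.lafayette.edu matches nothing and falls through to the upper-cased parent domain LAFAYETTE.EDU, so the client asks for HTTP/caroline0.lafayette.edu in the wrong realm; the added .lafayette.edu and lafayette.edu entries map it to SYSTEMS.LAFAYETTE.EDU. The lookup order (host, then each parent domain with and without a leading dot) and the upper-cased-parent fallback are assumptions modelled on MIT krb5's documented behaviour, and `audit_hosts` is a hypothetical helper.

```python
"""Model the [domain_realm] host-to-realm lookup that the thread's fix relies on.

Added example, not from the thread and not MIT krb5 code. Assumptions: the
lookup tries the full host name, then each parent domain with and without a
leading dot; with no match the realm is the upper-cased parent domain.
"""
import re

# Constructed from the thread: the [domain_realm] section before the fix.
OLD_KRB5_CONF = """[libdefaults]
 default_realm = SYSTEMS.LAFAYETTE.EDU

[domain_realm]
 .systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
 systems.lafayette.edu = SYSTEMS.LAFAYETTE.EDU
"""

# The two entries added by the fix described in the thread.
NEW_KRB5_CONF = OLD_KRB5_CONF + """ .lafayette.edu = SYSTEMS.LAFAYETTE.EDU
 lafayette.edu = SYSTEMS.LAFAYETTE.EDU
"""

SECTION_RE = re.compile(r"^\[([A-Za-z_]+)\]$")


def parse_domain_realm(conf_text):
    """Return {host_or_domain (lower-case): REALM} from krb5.conf text."""
    mapping, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section == "domain_realm" and "=" in line:
            key, _, value = line.partition("=")
            mapping[key.strip().lower()] = value.strip()
    return mapping


def lookup_keys(hostname):
    """Keys tried in order: the host, then each parent with and without a dot."""
    host = hostname.lower().rstrip(".")
    yield host
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        yield "." + parent
        yield parent


def host_to_realm(hostname, mapping):
    """Return (matched_key, realm); matched_key is None when falling back."""
    for key in lookup_keys(hostname):
        if key in mapping:
            return key, mapping[key]
    host = hostname.lower().rstrip(".")
    parent = host.split(".", 1)[1] if "." in host else host
    return None, parent.upper()  # assumed fallback: upper-cased parent domain


def audit_hosts(hostnames, mapping, expected_realm):
    """Hypothetical check: hosts whose lookup does not land in expected_realm."""
    bad = {}
    for h in hostnames:
        key, realm = host_to_realm(h, mapping)
        if realm != expected_realm:
            bad[h] = (key, realm)
    return bad


if __name__ == "__main__":
    for label, conf in (("before", OLD_KRB5_CONF), ("after", NEW_KRB5_CONF)):
        key, realm = host_to_realm("caroline0.lafayette.edu", parse_domain_realm(conf))
        print(f"{label}: caroline0.lafayette.edu -> {realm} (matched {key!r})")
```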

Re: [Freeipa-users] sudden ipa errors.

2012-09-19 Thread Dmitri Pal


On 09/18/2012 03:06 PM, Nathan Lager wrote:
 Sorry for falling off like that.
 I opened a RedHat ticket on the issue, and have been running in
 circles with them. I forgot to check on the list for responses.


 I'm still having problems. Someone suggested I try:

 kinit -kt /etc/httpd/conf/ipa.keytab HTTP/ipaserver.lafayette.edu

 Which I just did, and it worked, or at least it initialized my session.

 I'm still unable to execute ipa commands. In fact, I'm unable to
 execute almost any ipa commands.

 The web interface works, but only after RedHat had me enable Kerberos
 password auth in the httpd config. So I can now auth to the web GUI
 interactively, instead of requiring a kinit from my workstation.

 The only real client I have here is RHEV. And auth there still works
 except on accounts which have expired. Those accounts can't even
 change their passwords.

 RedHat had me disable the password expiration via the web GUI, however
 that hasn't helped accounts that are already expired.

 RedHat is currently blaming time skew, which I think is ridiculous.

Well, this is probably my fault. I looked in the case (it is huge) and
saw that there are issues with the time in the log, so I suggested they
ask you to check the times to rule that part out. I have not had a
chance to follow up. But time skew usually creates all sorts of strange
things, and if the time skew was the problem in the past but some
passwords were created then, there might be problems with the expiration.

I was also very concerned about the framework not being able to get a
Kerberos ticket for whatever reason, and the reason was not clear.

 I'm testing my ipa commands right on the IPA master. How could there
 possibly be time skew?

This was not clear from the case, and I also asked them to ask you just to
check the time on the server.

 I did find that the time on my replica was
 off, but my replica isn't working anyway, which is a whole other issue.
 I think it needs to be flattened and re-joined.

OK, let us treat it as a separate issue.



 On 09/10/2012 08:54 AM, Dmitri Pal wrote:
  On 08/24/2012 04:43 PM, Rob Crittenden wrote:
  Nathan Lager wrote:
  This did not seem to help...
 
 
  What else isn't working? Does the UI work? Do clients on other
  machines work? Does user lookup still work?
 
  rob


  Was this issue ever resolved?

 
 
  On 08/22/2012 06:02 PM, Rob Crittenden wrote:
  Nathan Lager wrote:
  [root@ipaserver PROD krb5kdc]# ipactl status Directory
  Service: RUNNING KDC Service: RUNNING KPASSWD Service:
  RUNNING MEMCACHE Service: RUNNING HTTP Service: RUNNING CA
  Service: RUNNING [root@ipaserver PROD krb5kdc]# rpm -qa |
  grep ipa-server ipa-server-selinux-2.2.0-16.el6.x86_64
  ipa-server-2.2.0-16.el6.x86_64
 
  I'd try removing /tmp/krb5cc_48. This is the ccache used by
  Apache for doing S4U2Proxy. No restart of httpd should be
  required.
 
  rob
 
 
 
  On 08/22/2012 04:08 PM, Rob Crittenden wrote:
  Nathan Lager wrote:
 
  I tried the same, kinit, and then ipa passwd commands
  as before, here's the output:
 
  Aug 22 14:32:13 ipaserver.lafayette.edu
  krb5kdc[1438](info): AS_REQ (4 etypes {18 17 16 23})
  ipa-servers-ip: NEEDED_PREAUTH:
  lag...@systems.lafayette.edu for
  krbtgt/systems.lafayette@systems.lafayette.edu,
  Additional pre-authentication required
 
  Aug 22 14:32:19 ipaserver.lafayette.edu
  krb5kdc[1438](info): AS_REQ (4 etypes {18 17 16 23})
  ipa-servers-ip: ISSUE: authtime 1345660339, etypes
  {rep=18 tkt=18 ses=18}, lag...@systems.lafayette.edu
  for krbtgt/systems.lafayette@systems.lafayette.edu
 
  Aug 22 14:32:35 ipaserver.lafayette.edu
  krb5kdc[1438](info): TGS_REQ (4 etypes {18 17 16 23})
  ipa-servers-ip: ISSUE: authtime 1345660339, etypes
  {rep=18 tkt=18 ses=18}, lag...@systems.lafayette.edu
  for HTTP/ipaserver.lafayette@systems.lafayette.edu
 
  What version of IPA is this?
 
  Does ipactl status show all services up?
 
  rob
 
 
 
 
 
 
 




-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



Re: [Freeipa-users] sudden ipa errors.

2012-09-19 Thread Rob Crittenden

Lager, Nathan T. wrote:


- Original Message -

From: Rob Crittenden rcrit...@redhat.com
To: Nathan Lager lag...@lafayette.edu
Cc: freeipa-users@redhat.com
Sent: Tuesday, September 18, 2012 5:17:00 PM
Subject: Re: [Freeipa-users] sudden ipa errors.

Ok, what are the permissions on the keytab,
/etc/httpd/conf/ipa.keytab?
They should be apache:apache mode 0600.


[lagern@caroline0 PROD ~]$ ls -lZ /etc/httpd/conf/ipa.keytab
-rw---. apache apache unconfined_u:object_r:httpd_config_t:s0 
/etc/httpd/conf/ipa.keytab



Are you in SELinux enforcing mode? Can you try in permissive to see if
that works?

I was enforcing at the start of all of this, but I've since switched to 
permissive for troubleshooting.  It hasn't made a difference.


Are you getting an HTTP service principal in the client?

$ kdestroy
$ kinit admin
$ ipa user-show admin
fail
$ klist -fea

Let's try to skip s4u2proxy. Does this work:

$ ipa --delegate user-show admin

Unfortunately the major and minor error codes are as generic as can be 
so they aren't any help at all.


rob



Re: [Freeipa-users] sudden ipa errors.

2012-09-19 Thread Rob Crittenden

Nathan Lager wrote:


On 09/19/2012 10:37 AM, Rob Crittenden wrote:

Lager, Nathan T. wrote:


- Original Message -

From: Rob Crittenden rcrit...@redhat.com To: Nathan Lager
lag...@lafayette.edu Cc: freeipa-users@redhat.com Sent:
Tuesday, September 18, 2012 5:17:00 PM Subject: Re:
[Freeipa-users] sudden ipa errors.

Ok, what are the permissions on the keytab,
/etc/httpd/conf/ipa.keytab? They should be apache:apache mode
0600.


[lagern@caroline0 PROD ~]$ ls -lZ /etc/httpd/conf/ipa.keytab
-rw---. apache apache
unconfined_u:object_r:httpd_config_t:s0
/etc/httpd/conf/ipa.keytab



Are you in SELinux enforcing mode? Can you try in permissive to
see if that works?

I was enforcing at the start of all of this, but I've since
switched to permissive for troubleshooting.  It hasn't made a
difference.


Are you getting an HTTP service principal in the client?

$ kdestroy
$ kinit admin
$ ipa user-show admin
fail
$ klist -fea

Let's try to skip s4u2proxy. Does this work:

$ ipa --delegate user-show admin

Unfortunately the major and minor error codes are as generic as can
be so they aren't any help at all.

rob


Here's the output. The --delegate still failed.

[root@caroline0 PROD ~]# klist -fea
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: lag...@systems.lafayette.edu

Valid starting     Expires            Service principal
09/19/12 11:23:03  09/20/12 11:22:52
krbtgt/systems.lafayette@systems.lafayette.edu
Flags: FIA, Etype (skey, tkt): aes256-cts-hmac-sha1-96,
aes256-cts-hmac-sha1-96
Addresses: (none)
09/19/12 11:23:11  09/20/12 11:22:52
HTTP/caroline0.lafayette@systems.lafayette.edu
Flags: FAT, Etype (skey, tkt): aes256-cts-hmac-sha1-96,
aes256-cts-hmac-sha1-96
Addresses: (none)
[root@caroline0 PROD ~]# ipa --delegate user-show admin
ipa: ERROR: cannot connect to
u'http://caroline0.lafayette.edu/ipa/xml': Internal Server Error
[root@caroline0 PROD ~]#


Is it the same major/minor error in gss_acquire_cred()?

Does GSSAPI over LDAP work?

$ ldapsearch -Y GSSAPI -h ipa.example.com -b 
cn=users,cn=accounts,dc=example,dc=com admin


rob




Re: [Freeipa-users] sudden ipa errors.

2012-09-19 Thread Nathan Lager


On 09/19/2012 11:34 AM, Rob Crittenden wrote:
 Nathan Lager wrote:
 
 On 09/19/2012 10:37 AM, Rob Crittenden wrote:
 Lager, Nathan T. wrote:
 
 - Original Message -
 From: Rob Crittenden rcrit...@redhat.com To: Nathan
 Lager lag...@lafayette.edu Cc: freeipa-users@redhat.com
 Sent: Tuesday, September 18, 2012 5:17:00 PM Subject: Re: 
 [Freeipa-users] sudden ipa errors.
 
 Ok, what are the permissions on the keytab, 
 /etc/httpd/conf/ipa.keytab? They should be apache:apache
 mode 0600.
 
 [lagern@caroline0 PROD ~]$ ls -lZ /etc/httpd/conf/ipa.keytab 
 -rw---. apache apache 
 unconfined_u:object_r:httpd_config_t:s0 
 /etc/httpd/conf/ipa.keytab
 
 
 Are you in SELinux enforcing mode? Can you try in
 permissive to see if that works?
 I was enforcing at the start of all of this, but I've since 
 switched to permissive for troubleshooting.  It hasn't made a 
 difference.
 
 Are you getting an HTTP service principal in the client?
 
 $ kdestroy
 $ kinit admin
 $ ipa user-show admin
 fail
 $ klist -fea
 
 Let's try to skip s4u2proxy. Does this work:
 
 $ ipa --delegate user-show admin
 
 Unfortunately the major and minor error codes are as generic as
 can be so they aren't any help at all.
 
 rob
 
 Here's the output. The --delegate still failed.
 
 [root@caroline0 PROD ~]# klist -fea
 Ticket cache: FILE:/tmp/krb5cc_0
 Default principal: lag...@systems.lafayette.edu
 
 Valid starting     Expires            Service principal
 09/19/12 11:23:03  09/20/12 11:22:52  krbtgt/systems.lafayette@systems.lafayette.edu
     Flags: FIA, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
     Addresses: (none)
 09/19/12 11:23:11  09/20/12 11:22:52  HTTP/caroline0.lafayette@systems.lafayette.edu
     Flags: FAT, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
     Addresses: (none)
 [root@caroline0 PROD ~]# ipa --delegate user-show admin
 ipa: ERROR: cannot connect to u'http://caroline0.lafayette.edu/ipa/xml': Internal Server Error
 [root@caroline0 PROD ~]#
 
 Is it the same major/minor error in gss_acquire_cred()?
 
 Does GSSAPI over LDAP work?
 
 $ ldapsearch -Y GSSAPI -h ipa.example.com -b 
 cn=users,cn=accounts,dc=example,dc=com admin
 
This appears to work.

[root@caroline0 PROD ~]# ldapsearch -Y GSSAPI -h
caroline0.lafayette.edu -b
cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu admin
SASL/GSSAPI authentication started
SASL username: lag...@systems.lafayette.edu
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu with
scope subtree
# filter: (objectclass=*)
# requesting: admin
#

# users, accounts, systems.lafayette.edu
dn: cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu

# admin, users, accounts, systems.lafayette.edu
dn: uid=admin,cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu

-- a bunch of other users here --

# search result
search: 4
result: 0 Success

# numResponses: 10
# numEntries: 9

 rob
 
 

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE (#110-011-426)
System Administrator
11 Pardee Hall
Lafayette College, Easton, PA 18042



Re: [Freeipa-users] sudden ipa errors.

2012-09-19 Thread Rob Crittenden

Nathan Lager wrote:



On 09/19/2012 11:34 AM, Rob Crittenden wrote:

Nathan Lager wrote:


On 09/19/2012 10:37 AM, Rob Crittenden wrote:

Lager, Nathan T. wrote:


- Original Message -

From: Rob Crittenden rcrit...@redhat.com To: Nathan
Lager lag...@lafayette.edu Cc: freeipa-users@redhat.com
Sent: Tuesday, September 18, 2012 5:17:00 PM Subject: Re:
[Freeipa-users] sudden ipa errors.

Ok, what are the permissions on the keytab,
/etc/httpd/conf/ipa.keytab? They should be apache:apache
mode 0600.


[lagern@caroline0 PROD ~]$ ls -lZ /etc/httpd/conf/ipa.keytab
-rw---. apache apache
unconfined_u:object_r:httpd_config_t:s0
/etc/httpd/conf/ipa.keytab



Are you in SELinux enforcing mode? Can you try in
permissive to see if that works?

I was enforcing at the start of all of this, but I've since
switched to permissive for troubleshooting.  It hasn't made a
difference.


Are you getting an HTTP service principal in the client?

$ kdestroy
$ kinit admin
$ ipa user-show admin
fail
$ klist -fea

Let's try to skip s4u2proxy. Does this work:

$ ipa --delegate user-show admin

Unfortunately the major and minor error codes are as generic as
can be so they aren't any help at all.

rob


Here's the output. The --delegate still failed.

[root@caroline0 PROD ~]# klist -fea
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: lag...@systems.lafayette.edu

Valid starting     Expires            Service principal
09/19/12 11:23:03  09/20/12 11:22:52  krbtgt/systems.lafayette@systems.lafayette.edu
    Flags: FIA, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
    Addresses: (none)
09/19/12 11:23:11  09/20/12 11:22:52  HTTP/caroline0.lafayette@systems.lafayette.edu
    Flags: FAT, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
    Addresses: (none)
[root@caroline0 PROD ~]# ipa --delegate user-show admin
ipa: ERROR: cannot connect to u'http://caroline0.lafayette.edu/ipa/xml': Internal Server Error
[root@caroline0 PROD ~]#


Is it the same major/minor error in gss_acquire_cred()?

Does GSSAPI over LDAP work?

$ ldapsearch -Y GSSAPI -h ipa.example.com -b
cn=users,cn=accounts,dc=example,dc=com admin


This appears to work.

[root@caroline0 PROD ~]# ldapsearch -Y GSSAPI -h
caroline0.lafayette.edu -b
cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu admin
SASL/GSSAPI authentication started
SASL username: lag...@systems.lafayette.edu
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu with
scope subtree
# filter: (objectclass=*)
# requesting: admin
#

# users, accounts, systems.lafayette.edu
dn: cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu

# admin, users, accounts, systems.lafayette.edu
dn: uid=admin,cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu

-- a bunch of other users here --

# search result
search: 4
result: 0 Success

# numResponses: 10
# numEntries: 9



Ok, so it's JUST Apache then.

Is the hostname on caroline0 set as a FQDN (/bin/hostname)?

If not, I'd try setting it to caroline0.lafayette.edu

If so, might be worth trying to refresh your Apache keytab. I made some 
educated guesses on your hostnames/realm, please double-check:


# ipa-getkeytab -s caroline0.lafayette.edu -p HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU -k /etc/httpd/conf/ipa.keytab


Should not be required to restart httpd but it shouldn't hurt. Run 
kdestroy/kinit before trying ipa user-show again.


rob



Re: [Freeipa-users] sudden ipa errors.

2012-09-19 Thread Nathan Lager



On 09/19/2012 02:54 PM, Rob Crittenden wrote:
 Nathan Lager wrote:
 
 
 On 09/19/2012 11:34 AM, Rob Crittenden wrote:
 Nathan Lager wrote:
 
 On 09/19/2012 10:37 AM, Rob Crittenden wrote:
 Lager, Nathan T. wrote:
 
 - Original Message -
 From: Rob Crittenden rcrit...@redhat.com To:
 Nathan Lager lag...@lafayette.edu Cc:
 freeipa-users@redhat.com Sent: Tuesday, September 18,
 2012 5:17:00 PM Subject: Re: [Freeipa-users] sudden ipa
 errors.
 
 Ok, what are the permissions on the keytab, 
 /etc/httpd/conf/ipa.keytab? They should be
 apache:apache mode 0600.
 
 [lagern@caroline0 PROD ~]$ ls -lZ
 /etc/httpd/conf/ipa.keytab -rw---. apache apache 
 unconfined_u:object_r:httpd_config_t:s0 
 /etc/httpd/conf/ipa.keytab
 
 
 Are you in SELinux enforcing mode? Can you try in 
 permissive to see if that works?
 I was enforcing at the start of all of this, but I've
 since switched to permissive for troubleshooting.  It
 hasn't made a difference.
 
 Are you getting an HTTP service principal in the client?
 
 $ kdestroy
 $ kinit admin
 $ ipa user-show admin
 fail
 $ klist -fea
 
 Let's try to skip s4u2proxy. Does this work:
 
 $ ipa --delegate user-show admin
 
 Unfortunately the major and minor error codes are as
 generic as can be so they aren't any help at all.
 
 rob
 
 Here's the output. The --delegate still failed.
 
 [root@caroline0 PROD ~]# klist -fea
 Ticket cache: FILE:/tmp/krb5cc_0
 Default principal: lag...@systems.lafayette.edu
 
 Valid starting     Expires            Service principal
 09/19/12 11:23:03  09/20/12 11:22:52  krbtgt/systems.lafayette@systems.lafayette.edu
     Flags: FIA, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
     Addresses: (none)
 09/19/12 11:23:11  09/20/12 11:22:52  HTTP/caroline0.lafayette@systems.lafayette.edu
     Flags: FAT, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
     Addresses: (none)
 [root@caroline0 PROD ~]# ipa --delegate user-show admin
 ipa: ERROR: cannot connect to u'http://caroline0.lafayette.edu/ipa/xml': Internal Server Error
 [root@caroline0 PROD ~]#
 
 Is it the same major/minor error in gss_acquire_cred()?
 
 Does GSSAPI over LDAP work?
 
 $ ldapsearch -Y GSSAPI -h ipa.example.com -b 
 cn=users,cn=accounts,dc=example,dc=com admin
 
 This appears to work.
 
 [root@caroline0 PROD ~]# ldapsearch -Y GSSAPI -h caroline0.lafayette.edu -b cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu admin
 SASL/GSSAPI authentication started
 SASL username: lag...@systems.lafayette.edu
 SASL SSF: 56
 SASL data security layer installed.
 # extended LDIF
 #
 # LDAPv3
 # base cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu with scope subtree
 # filter: (objectclass=*)
 # requesting: admin
 #
 
 # users, accounts, systems.lafayette.edu
 dn: cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu
 
 # admin, users, accounts, systems.lafayette.edu
 dn: uid=admin,cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu
 
 -- a bunch of other users here --
 
 # search result
 search: 4
 result: 0 Success
 
 # numResponses: 10
 # numEntries: 9
 
 
 Ok, so it's JUST Apache then.
 
 Is the hostname on caroline0 set as a FQDN (/bin/hostname)?
 
 If not, I'd try setting it to caroline0.lafayette.edu
 
 If so, might be worth trying to refresh your Apache keytab. I made
 some educated guesses on your hostnames/realm, please
 double-check:
 
 # ipa-getkeytab -s caroline0.lafayette.edu -p HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU -k /etc/httpd/conf/ipa.keytab
 
 Should not be required to restart httpd but it shouldn't hurt. Run 
 kdestroy/kinit before trying ipa user-show again.
 
 rob

Well, seems like we're at least narrowing things down.  But it's still
no good.

The hostname is the fqdn. /bin/hostname returns it as such.


[root@caroline0 PROD ~]# ipa-getkeytab -s caroline0.lafayette.edu -p
HTTP/caroline0.lafayette@systems.lafayette.edu -k
/etc/httpd/conf/ipa.keytab
Keytab successfully retrieved and stored in: /etc/httpd/conf/ipa.keytab
[root@caroline0 PROD ~]# service httpd restart
Stopping httpd:[  OK  ]
Starting httpd: [Wed Sep 19 15:34:24 2012] [warn] worker
ajp://localhost:9447/ already used by another worker
[Wed Sep 19 15:34:24 2012] [warn] worker ajp://localhost:9447/ already
used by another worker
   [  OK  ]
[root@caroline0 PROD ~]# kdestroy
[root@caroline0 PROD ~]# kinit lagern
Password for lag...@systems.lafayette.edu:
[root@caroline0 PROD ~]# ipa pwpolicy-show
ipa: ERROR: cannot connect to
u'http://caroline0.lafayette.edu/ipa/xml': Internal Server Error


-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE (#110-011-426)
System Administrator
11 Pardee Hall
Lafayette College, Easton, PA 18042

Re: [Freeipa-users] sudden ipa errors.

2012-09-19 Thread Dmitri Pal


On 09/19/2012 03:37 PM, Nathan Lager wrote:


 On 09/19/2012 02:54 PM, Rob Crittenden wrote:
  Nathan Lager wrote:
 
 
  On 09/19/2012 11:34 AM, Rob Crittenden wrote:
  Nathan Lager wrote:
 
  On 09/19/2012 10:37 AM, Rob Crittenden wrote:
  Lager, Nathan T. wrote:
 
  - Original Message -
  From: Rob Crittenden rcrit...@redhat.com To:
  Nathan Lager lag...@lafayette.edu Cc:
  freeipa-users@redhat.com Sent: Tuesday, September 18,
  2012 5:17:00 PM Subject: Re: [Freeipa-users] sudden ipa
  errors.
 
  Ok, what are the permissions on the keytab,
  /etc/httpd/conf/ipa.keytab? They should be
  apache:apache mode 0600.
 
  [lagern@caroline0 PROD ~]$ ls -lZ
  /etc/httpd/conf/ipa.keytab -rw---. apache apache
  unconfined_u:object_r:httpd_config_t:s0
  /etc/httpd/conf/ipa.keytab
 
 
  Are you in SELinux enforcing mode? Can you try in
  permissive to see if that works?
  I was enforcing at the start of all of this, but I've
  since switched to permissive for troubleshooting. It
  hasn't made a difference.
 
  Are you getting an HTTP service principal in the client?
 
  $ kdestroy
  $ kinit admin
  $ ipa user-show admin
  fail
  $ klist -fea
 
  Let's try to skip s4u2proxy. Does this work:
 
  $ ipa --delegate user-show admin
 
  Unfortunately the major and minor error codes are as
  generic as can be so they aren't any help at all.
 
  rob
 
  Here's the output. The --delegate still failed.
 
  [root@caroline0 PROD ~]# klist -fea
  Ticket cache: FILE:/tmp/krb5cc_0
  Default principal: lag...@systems.lafayette.edu
  
  Valid starting     Expires            Service principal
  09/19/12 11:23:03  09/20/12 11:22:52  krbtgt/systems.lafayette@systems.lafayette.edu
      Flags: FIA, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
      Addresses: (none)
  09/19/12 11:23:11  09/20/12 11:22:52  HTTP/caroline0.lafayette@systems.lafayette.edu
      Flags: FAT, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
      Addresses: (none)
  [root@caroline0 PROD ~]# ipa --delegate user-show admin
  ipa: ERROR: cannot connect to u'http://caroline0.lafayette.edu/ipa/xml': Internal Server Error
  [root@caroline0 PROD ~]#
 
  Is it the same major/minor error in gss_acquire_cred()?
 
  Does GSSAPI over LDAP work?
 
  $ ldapsearch -Y GSSAPI -h ipa.example.com -b
  cn=users,cn=accounts,dc=example,dc=com admin
 
  This appears to work.
 
  [root@caroline0 PROD ~]# ldapsearch -Y GSSAPI -h caroline0.lafayette.edu -b cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu admin
  SASL/GSSAPI authentication started
  SASL username: lag...@systems.lafayette.edu
  SASL SSF: 56
  SASL data security layer installed.
  # extended LDIF
  #
  # LDAPv3
  # base cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu with scope subtree
  # filter: (objectclass=*)
  # requesting: admin
  #
  
  # users, accounts, systems.lafayette.edu
  dn: cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu
  
  # admin, users, accounts, systems.lafayette.edu
  dn: uid=admin,cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu
  
  -- a bunch of other users here --
  
  # search result
  search: 4
  result: 0 Success
  
  # numResponses: 10
  # numEntries: 9
 

  Ok, so it's JUST Apache then.

  Is the hostname on caroline0 set as a FQDN (/bin/hostname)?

  If not, I'd try setting it to caroline0.lafayette.edu

  If so, might be worth trying to refresh your Apache keytab. I made
  some educated guesses on your hostnames/realm, please
  double-check:

  # ipa-getkeytab -s caroline0.lafayette.edu -p HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU -k /etc/httpd/conf/ipa.keytab

  Should not be required to restart httpd but it shouldn't hurt. Run
  kdestroy/kinit before trying ipa user-show again.

  rob

 Well, seems like we're at least narrowing things down. But it's still
 no good.

 The hostname is the fqdn. /bin/hostname returns it as such.


 [root@caroline0 PROD ~]# ipa-getkeytab -s caroline0.lafayette.edu -p
 HTTP/caroline0.lafayette@systems.lafayette.edu -k
 /etc/httpd/conf/ipa.keytab
 Keytab successfully retrieved and stored in: /etc/httpd/conf/ipa.keytab
 [root@caroline0 PROD ~]# service httpd restart
 Stopping httpd: [ OK ]
 Starting httpd: [Wed Sep 19 15:34:24 2012] [warn] worker
 ajp://localhost:9447/ already used by another worker
 [Wed Sep 19 15:34:24 2012] [warn] worker ajp://localhost:9447/ already
 used by another worker
 [ OK ]
 [root@caroline0 PROD ~]# kdestroy
 [root@caroline0 PROD ~]# kinit lagern
 Password for lag...@systems.lafayette.edu:
 [root@caroline0 PROD ~]# ipa pwpolicy-show
 ipa: ERROR: cannot connect to
 u'http://caroline0.lafayette.edu/ipa/xml': Internal Server Error



Rob, keytab and kerberos part seems to be fine, ldap works too.
Can it be one of the certs? May be some cert expired?



-- 
Thank you,
Dmitri Pal

Sr. Engineering

Re: [Freeipa-users] sudden ipa errors.

2012-09-19 Thread Rob Crittenden

Dmitri Pal wrote:



On 09/19/2012 03:37 PM, Nathan Lager wrote:



 
  On 09/19/2012 02:54 PM, Rob Crittenden wrote:
   Nathan Lager wrote:
  
  
   On 09/19/2012 11:34 AM, Rob Crittenden wrote:
   Nathan Lager wrote:
  
   On 09/19/2012 10:37 AM, Rob Crittenden wrote:
   Lager, Nathan T. wrote:
  
   - Original Message -
   From: Rob Crittenden rcrit...@redhat.com To:
   Nathan Lager lag...@lafayette.edu Cc:
   freeipa-users@redhat.com Sent: Tuesday, September 18,
   2012 5:17:00 PM Subject: Re: [Freeipa-users] sudden ipa
   errors.
  
   Ok, what are the permissions on the keytab,
   /etc/httpd/conf/ipa.keytab? They should be
   apache:apache mode 0600.
  
   [lagern@caroline0 PROD ~]$ ls -lZ
   /etc/httpd/conf/ipa.keytab -rw---. apache apache
   unconfined_u:object_r:httpd_config_t:s0
   /etc/httpd/conf/ipa.keytab
  
  
   Are you in SELinux enforcing mode? Can you try in
   permissive to see if that works?
   I was enforcing at the start of all of this, but I've
   since switched to permissive for troubleshooting. It
   hasn't made a difference.
  
   Are you getting an HTTP service principal in the client?
  
   $ kdestroy
   $ kinit admin
   $ ipa user-show admin
   fail
   $ klist -fea
  
   Lets try to skip s4u2proxy. Does this work:
  
   $ ipa --delegate user-show admin
  
   Unfortunately the major and minor error codes are as
   generic as can be so they aren't any help at all.
  
   rob
  
   Here's the output. The --delegate still failed.
  
   [root@caroline0 PROD ~]# klist -fea Ticket cache:
   FILE:/tmp/krb5cc_0 Default principal:
   lag...@systems.lafayette.edu
  
   Valid starting Expires Service principal
   09/19/12 11:23:03 09/20/12 11:22:52
   krbtgt/systems.lafayette@systems.lafayette.edu Flags:
   FIA, Etype (skey, tkt): aes256-cts-hmac-sha1-96,
   aes256-cts-hmac-sha1-96 Addresses: (none) 09/19/12 11:23:11
   09/20/12 11:22:52
   HTTP/caroline0.lafayette@systems.lafayette.edu Flags:
   FAT, Etype (skey, tkt): aes256-cts-hmac-sha1-96,
   aes256-cts-hmac-sha1-96 Addresses: (none) [root@caroline0
   PROD ~]# ipa --delegate user-show admin ipa: ERROR: cannot
   connect to u'http://caroline0.lafayette.edu/ipa/xml':
   Internal Server Error [root@caroline0 PROD ~]#
  
   Is it the same major/minor error in gss_acquire_cred()?
  
   Does GSSAPI over LDAP work?
  
   $ ldapsearch -Y GSSAPI -h ipa.example.com -b
   cn=users,cn=accounts,dc=example,dc=com admin
  
   This appears to work.
  
   [root@caroline0 PROD ~]# ldapsearch -Y GSSAPI -h
   caroline0.lafayette.edu -b
   cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu admin
   SASL/GSSAPI authentication started SASL username:
   lag...@systems.lafayette.edu SASL SSF: 56 SASL data security
   layer installed. # extended LDIF # # LDAPv3 # base
   cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu with scope
   subtree # filter: (objectclass=*) # requesting: admin #
  
   # users, accounts, systems.lafayette.edu dn:
   cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu
  
   # admin, users, accounts, systems.lafayette.edu dn:
   uid=admin,cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu
  
   -- a bunch of other users here --
  
   # search result search: 4 result: 0 Success
  
   # numResponses: 10 # numEntries: 9
  
 
   Ok, so it's JUST Apache then.
 
   Is the hostname on caroline0 set as a FQDN (/bin/hostname)?
 
   If not, I'd try setting it to caroline0.lafayette.edu
 
   If so, might be worth trying to refresh your Apache keytab. I made
   some educated guesses on your hostnames/realm, please
   double-check:
 
   # ipa-getkeytab -s caroline0.lafayette.edu -p
   HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU -k
   /etc/httpd/conf/ipa.keytab
 
   Should not be required to restart httpd but it shouldn't hurt. Run
   kdestroy/kinit before trying ipa user-show again.
 
   rob
 
  well, seems like we're at least narrowing things down. But its still
  no good.
 
  The hostname is the fqdn. /bin/hostname returns it as such.
 
 
  [root@caroline0 PROD ~]# ipa-getkeytab -s caroline0.lafayette.edu -p
  HTTP/caroline0.lafayette@systems.lafayette.edu -k
  /etc/httpd/conf/ipa.keytab
  Keytab successfully retrieved and stored in: /etc/httpd/conf/ipa.keytab
  [root@caroline0 PROD ~]# service httpd restart
  Stopping httpd: [ OK ]
  Starting httpd: [Wed Sep 19 15:34:24 2012] [warn] worker
  ajp://localhost:9447/ already used by another worker
  [Wed Sep 19 15:34:24 2012] [warn] worker ajp://localhost:9447/ already
  used by another worker
  [ OK ]
  [root@caroline0 PROD ~]# kdestroy
  [root@caroline0 PROD ~]# kinit lagern
  Password for lag...@systems.lafayette.edu:
  [root@caroline0 PROD ~]# ipa pwpolicy-show
  ipa: ERROR: cannot connect to
  u'http://caroline0.lafayette.edu/ipa/xml': Internal Server Error
 
 

Rob, keytab and kerberos part seems to be fine, ldap works too.
Can it be one of the certs? May be some cert expired?


No, the error is coming from GSSAPI

Re: [Freeipa-users] sudden ipa errors.

2012-09-19 Thread Nathan Lager
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1



On 09/19/2012 03:47 PM, Rob Crittenden wrote:
 Dmitri Pal wrote:
 
 Rob, keytab and kerberos part seems to be fine, ldap works too. 
 Can it be one of the certs? May be some cert expired?
 
 No, the error is coming from GSSAPI, it is unfortunately
 completely useless. I think we've pretty well narrowed down the
 problem to httpd/mod_auth_kerb but I don't know yet if this is a
 configuration issue or a bug.
 
 Nathan, can you show me your /etc/httpd/conf.d/ipa.conf?
Sure, as far as I know its completely stock, aside from the krb
password auth change.

#
# VERSION 4 - DO NOT REMOVE THIS LINE
#
# LoadModule auth_kerb_module modules/mod_auth_kerb.so

ProxyRequests Off


#We use xhtml, a file format that the browser validates
DirectoryIndex index.html



# ipa-rewrite.conf is loaded separately

# This is required so the auto-configuration works with Firefox 2+
AddType application/java-archive jar


# FIXME: WSGISocketPrefix is a server-scope directive.  The mod_wsgi package
# should really be fixed by adding this its /etc/httpd/conf.d/wsgi.conf:
WSGISocketPrefix /var/run/httpd/wsgi


# Configure mod_wsgi handler for /ipa
WSGIDaemonProcess ipa processes=2 threads=1 maximum-requests=500
WSGIProcessGroup ipa
WSGIApplicationGroup ipa
WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa
WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py
WSGIScriptReloading Off


# Turn off mod_wsgi handler for errors, config, crl:
<Location /ipa/errors>
  SetHandler None
</Location>
<Location /ipa/config>
  SetHandler None
</Location>
<Location /ipa/crl>
  SetHandler None
</Location>

KrbConstrainedDelegationLock ipa

# Protect /ipa and everything below it in webspace with Apache
# Kerberos auth
<Location /ipa>
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate on
  KrbMethodK5Passwd on
  KrbServiceName HTTP
  KrbAuthRealms SYSTEMS.LAFAYETTE.EDU
  Krb5KeyTab /etc/httpd/conf/ipa.keytab
  KrbSaveCredentials on
  KrbConstrainedDelegation on
  Require valid-user
  ErrorDocument 401 /ipa/errors/unauthorized.html
</Location>

# Turn off Apache authentication for sessions
<Location /ipa/session/json>
  Satisfy Any
  Order Deny,Allow
  Allow from all
</Location>

<Location /ipa/session/login_password>
  Satisfy Any
  Order Deny,Allow
  Allow from all
</Location>

# This is where we redirect on failed auth
Alias /ipa/errors /usr/share/ipa/html

# For the MIT Windows config files
Alias /ipa/config /usr/share/ipa/html

# Do no authentication on the directory that contains error messages
<Directory /usr/share/ipa/html>
  SetHandler None
  AllowOverride None
  Satisfy Any
  Allow from all
</Directory>


# For CRL publishing
Alias /ipa/crl /var/lib/pki-ca/publish
<Directory /var/lib/pki-ca/publish>
  SetHandler None
  AllowOverride None
  Options Indexes FollowSymLinks
  Satisfy Any
  Allow from all
</Directory>


#  webUI  is now completely static, and served out of that directory
Alias /ipa/ui /usr/share/ipa/ui
<Directory /usr/share/ipa/ui>
  SetHandler None
  AllowOverride None
  Satisfy Any
  Allow from all
</Directory>



# Protect our CGIs
<Directory /var/www/cgi-bin>
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate on
  KrbMethodK5Passwd off
  KrbServiceName HTTP
  KrbAuthRealms SYSTEMS.LAFAYETTE.EDU
  Krb5KeyTab /etc/httpd/conf/ipa.keytab
  KrbSaveCredentials on
  Require valid-user
  ErrorDocument 401 /ipa/errors/unauthorized.html
</Directory>


# migration related pages
Alias /ipa/migration /usr/share/ipa/migration
<Directory /usr/share/ipa/migration>
AllowOverride None
Satisfy Any
Allow from all
Options ExecCGI
AddHandler wsgi-script .py
</Directory>


 
 rob
 
 ___ Freeipa-users
 mailing list Freeipa-users@redhat.com 
 https://www.redhat.com/mailman/listinfo/freeipa-users

- -- 
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE (#110-011-426)
System Administrator
11 Pardee Hall
Lafayette College, Easton, PA 18042

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
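The configuration posted above protects /ipa with mod_auth_kerb and, after the troubleshooting change, accepts passwords as well as tickets (KrbMethodK5Passwd on). The script below is an added example, not FreeIPA code: it parses the <Location>/<Directory> containers of an ipa.conf-style file and reports, per Kerberos-protected container, which authentication methods, realm, keytab and delegation settings are in effect, so a change like the one Nathan made is visible at a glance. The SAMPLE_CONF excerpt and the realm EXAMPLE.TEST are constructed for the demonstration.

```python
"""Audit the mod_auth_kerb containers in an Apache config such as
/etc/httpd/conf.d/ipa.conf (added example, not FreeIPA code)."""
import re
from typing import Dict, List, Tuple

OPEN_RE = re.compile(r'^<(Location|Directory)\s+"?([^">]+?)"?\s*>$', re.I)
CLOSE_RE = re.compile(r'^</(Location|Directory)\s*>$', re.I)

Container = Tuple[str, str, Dict[str, str]]  # (kind, path, directives)


def parse_containers(text: str) -> List[Container]:
    """Return every container in file order. ipa.conf does not nest
    containers, so nesting and unmatched tags are treated as errors."""
    containers: List[Container] = []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        m = OPEN_RE.match(line)
        if m:
            if current is not None:
                raise ValueError("line %d: nested container" % lineno)
            current = (m.group(1).capitalize(), m.group(2), {})
            continue
        if CLOSE_RE.match(line):
            if current is None:
                raise ValueError("line %d: close without open" % lineno)
            containers.append(current)
            current = None
            continue
        if current is not None:
            parts = line.split(None, 1)
            # Apache directive names are case-insensitive; normalise the key.
            current[2][parts[0].lower()] = parts[1].strip('"') if len(parts) > 1 else ""
    if current is not None:
        raise ValueError("unterminated container")
    return containers


def audit(text: str) -> List[Dict[str, str]]:
    """One finding per container that uses 'AuthType Kerberos'."""
    findings = []
    for kind, path, d in parse_containers(text):
        if d.get("authtype", "").lower() != "kerberos":
            continue
        # mod_auth_kerb documents both methods as defaulting to "on".
        negotiate = d.get("krbmethodnegotiate", "on").lower()
        k5passwd = d.get("krbmethodk5passwd", "on").lower()
        findings.append({
            "container": "%s %s" % (kind, path),
            "negotiate": negotiate,
            "k5passwd": k5passwd,
            "realms": d.get("krbauthrealms", "(any)"),
            "keytab": d.get("krb5keytab", "(default)"),
            "s4u2proxy": d.get("krbconstraineddelegation", "off").lower(),
            # With K5Passwd on, httpd receives the user's cleartext password
            # (HTTP Basic) and performs the AS exchange itself.
            "mode": "ticket or password" if k5passwd == "on" else "ticket only",
        })
    return findings


# Constructed excerpt in the shape of ipa.conf; realm is a placeholder.
SAMPLE_CONF = """\
<Location /ipa>
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate on
  KrbMethodK5Passwd on
  KrbServiceName HTTP
  KrbAuthRealms EXAMPLE.TEST
  Krb5KeyTab /etc/httpd/conf/ipa.keytab
  KrbSaveCredentials on
  KrbConstrainedDelegation on
  Require valid-user
</Location>

# sessions are authenticated by the application, not by Apache
<Location /ipa/session/json>
  Satisfy Any
  Allow from all
</Location>

<Directory /var/www/cgi-bin>
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate on
  KrbMethodK5Passwd off
  KrbAuthRealms EXAMPLE.TEST
  Krb5KeyTab /etc/httpd/conf/ipa.keytab
  Require valid-user
</Directory>
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

Run it against the real file with `audit(open("/etc/httpd/conf.d/ipa.conf").read())`; the /ipa/session/* containers carry no AuthType and are skipped, which is exactly the split the posted configuration relies on.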


Re: [Freeipa-users] sudden ipa errors.

2012-09-19 Thread Rob Crittenden

Nathan Lager wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1



On 09/19/2012 03:47 PM, Rob Crittenden wrote:

Dmitri Pal wrote:


Rob, keytab and kerberos part seems to be fine, ldap works too.
Can it be one of the certs? May be some cert expired?


No, the error is coming from GSSAPI, it is unfortunately
completely useless. I think we've pretty well narrowed down the
problem to httpd/mod_auth_kerb but I don't know yet if this is a
configuration issue or a bug.

Nathan, can you show me your /etc/httpd/conf.d/ipa.conf?

Sure, as far as I know its completely stock, aside from the krb
password auth change.


Yup, configuration looks fine.

Ok, let's eliminate the ipa tool as the problem and try curl:

Create a file test.json with these contents:

{"method":"batch","params":[[
{"method":"user_show","params":[["admin"],{"all":false}]}
],{}],"id":1}

then run this:

curl -H "Content-Type:application/json" -H "Accept:application/json" -H "Accept-Language:en" -H "Referer: https://caroline0.lafayette.edu/ipa/xml" --negotiate -u : --cacert /etc/ipa/ca.crt -d @test.json -X POST https://caroline0.lafayette.edu/ipa/json


This does the equivalent of an: ipa user-show admin

rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
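The curl test above bypasses the ipa client and speaks JSON-RPC to the server directly, which separates an HTTP-layer failure (Apache answering 500 before the application runs) from an error the application itself reports. The following is an added example, not FreeIPA client code: it builds the same batch request, lists the headers curl sends, and classifies a reply into transport error, JSON-RPC error or success. It uses only the standard library and never contacts a server; the two sample replies and the hostname ipa.example.test are constructed. Assumed from the FreeIPA protocol: the /ipa/json endpoint, the "batch" command wrapping [[commands], {}] as its params, the per-item {"error": ..., "result": ...} shape, and the Referer requirement.

```python
"""Build the FreeIPA JSON-RPC batch request used in the curl test and
classify the server's reply (added example, not FreeIPA code)."""
import json
from typing import Any, Dict, List, Tuple


def build_batch(commands: List[Tuple[str, List[Any], Dict[str, Any]]],
                request_id: int = 1) -> Dict[str, Any]:
    """Wrap (method, args, options) tuples into one 'batch' JSON-RPC call."""
    items = [{"method": m, "params": [args, opts]} for m, args, opts in commands]
    return {"method": "batch", "params": [items, {}], "id": request_id}


def request_headers(server: str) -> Dict[str, str]:
    """Headers curl sends above. The Referer is mandatory: the FreeIPA server
    rejects JSON-RPC calls without one as a CSRF defence."""
    return {
        "Content-Type": "application/json",
        "Accept": "application/json",
        "Accept-Language": "en",
        "Referer": "https://%s/ipa/xml" % server,
    }


def classify_reply(status: int, body: str) -> Tuple[str, List[str]]:
    """Return (verdict, details). verdict is one of:
      'transport' - HTTP error before the RPC layer ran (e.g. a 500 from
                    mod_auth_kerb failing in gss_acquire_cred)
      'rpc_error' - well-formed JSON-RPC reply carrying an error
      'ok'        - every batched command succeeded
    """
    if status != 200:
        first = body.strip().splitlines()[0] if body.strip() else ""
        return "transport", ["HTTP %d: %s" % (status, first)]
    try:
        reply = json.loads(body)
    except ValueError:
        return "transport", ["HTTP 200 but body is not JSON"]
    if reply.get("error"):
        e = reply["error"]
        return "rpc_error", ["%s (%s): %s" % (e.get("name"), e.get("code"), e.get("message"))]
    result = reply.get("result") or {}
    details, bad = [], False
    for i, item in enumerate(result.get("results", [])):
        if item.get("error"):                    # per-command failure inside the batch
            bad = True
            details.append("item %d: %s" % (i, item["error"]))
        else:
            details.append("item %d: ok" % i)
    return ("rpc_error" if bad else "ok"), details


# Constructed replies: what the failing server on this page returns (Apache's
# HTML error page with status 500, because authentication fails before the
# WSGI application runs), and what a healthy server returns for the batch.
SAMPLE_500 = (500, "<html><head><title>500 Internal Server Error</title></head></html>")
SAMPLE_OK = (200, json.dumps({
    "result": {"count": 1, "results": [
        {"result": {"uid": ["admin"], "memberof_group": ["admins"]},
         "summary": None, "value": "admin", "error": None}]},
    "error": None, "id": 1, "principal": "admin@EXAMPLE.TEST", "version": "2.2.0"}))

if __name__ == "__main__":
    print(json.dumps(build_batch([("user_show", ["admin"], {"all": False})])))
    print(request_headers("ipa.example.test"))
    for status, text in (SAMPLE_500, SAMPLE_OK):
        print(classify_reply(status, text))
```

A 'transport' verdict with status 500 is the situation in this thread: nothing in the JSON-RPC layer ever ran, so the application log will be empty and /var/log/httpd/error_log is the place to look.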


Re: [Freeipa-users] sudden ipa errors.

2012-09-18 Thread Rob Crittenden

Nathan Lager wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Sorry for falling off like that.
I opened a RedHat ticket on the issue, and have been running in
circles with them.  I forgot to check on the list for responses.


I'm still having problems.  Someone suggested I try:

kinit -kt /etc/httpd/conf/ipa.keytab HTTP/ipaserver.lafayette.edu

Which i just did, and it worked, or, at least it initialized my session.

I'm still unable to execute ipa commands.  In fact, im unable to
execute almost any ipa commands.

The web interface works, but only after RedHat had me enable kerberos
password auth in the httpd config.  So i can now auth to the web gui
interactively, instead of requiring a kinit from my workstion.

The only real client i have here is RHEV.  And auth there still works
except on accounts which have expired.  Those accounts, cant even
change their passwords.

RedHat had me disable the password expiration via the web gui, however
that hasnt helped accounts that are already expired.

RedHat is currently blaming time skew, which i think is ridiculous.
Im testing my ipa commands right on the ipa master. How could there
possible be time skew.  I did find that the time on my replica was
off, but my replica isnt working anyway, which is a whole other issue.
  I think it needs to be flattened, and re-joined.


I think we need to start with the basics, so here is a slew of 
questions, things to try:


You said you enabled password auth? Did you do this by setting 
KrbMethodK5Passwd to on?


You say that some commands work, which ones?

It seems that kinit works? kinit admin

Can you set LogLevel debug in /etc/httpd/conf.d/nss.conf and restart the 
httpd service, then:


$ kdestroy
$ kinit admin
$ ipa user-show admin

Provide the logs covering the restart of Apache until the error from 
/var/log/httpd/error_log, /var/log/krb5kdc.log and 
/var/log/dirsrv/slapd-YOURINSTANCE/access. This last log buffers for 30 
seconds so it may be a while before it gets updated.


What are the versions of:

httpd
mod_auth_kerb
ipa-server
krb5-server

This is RHEL 6.3?

The problem seems isolated to mod_auth_kerb and/or s4u2proxy since it 
works with password authentication in the UI.


rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] sudden ipa errors.

2012-09-18 Thread Nathan Lager
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

IM going to respond inline to avoid confusion.

On 09/18/2012 03:22 PM, Rob Crittenden wrote:
 
 I think we need to start with the basics, so here is a slew of 
 questions, things to try:
 
 You said you enabled password auth? Did you do this by setting 
 KrbMethodK5Passwd to on?
 

Yes, in /etc/conf.d/ipa.conf, I changed
KrbMethodK5Passwd from off to on, and reloaded httpd.

 You say that some commands work, which ones?
 
There are very few that dont error out.  The ones i've come across are
things like, ipa-replica-manage, every ipa command command ive
attempted to run dies with:


[root@caroline0 PROD conf.d]# ipa user-show lagern
ipa: ERROR: cannot connect to
u'http://caroline0.lafayette.edu/ipa/xml': Internal Server Error


 It seems that kinit works? kinit admin
 
kinit admin works, but admin's password is expired, so the session
never fully init's.  Before his password expired, i could kinit admin.
 I can still kinit as myself, which is an admin account.

 Can you set LogLevel debug in /etc/httpd/conf.d/nss.conf and
 restart the httpd service, then:
 
 $ kdestroy $ kinit admin $ ipa user-show admin
 
 Provide the logs covering the restart of Apache until the error
 from /var/log/httpd/error_log, /var/log/krb5kdc.log and 
 /var/log/dirsrv/slapd-YOURINSTANCE/access. This last log buffers
 for 30 seconds so it may be a while before it gets updated.
 

loglevel is already debug due to my other testing.
I've restarted httpd anyway, in case you get any meaningful errors in
httpd's start procedure.

I then ran the commands you requested.  Here are the log outputs.

Im sorry that these are dumped in and hard to read..

/var/log/httpd/error_log:
[Tue Sep 18 16:26:45 2012] [error] Exception KeyError:
KeyError(140591752845280,) in module 'threading' from
'/usr/lib64/python2.6/threading.pyc' ignored
[Tue Sep 18 16:26:45 2012] [error] Exception KeyError:
KeyError(140591752845280,) in module 'threading' from
'/usr/lib64/python2.6/threading.pyc' ignored
[Tue Sep 18 16:26:45 2012] [error] Exception KeyError:
KeyError(140591752845280,) in module 'threading' from
'/usr/lib64/python2.6/threading.pyc' ignored
[Tue Sep 18 16:26:45 2012] [error] Exception KeyError:
KeyError(140591752845280,) in module 'threading' from
'/usr/lib64/python2.6/threading.pyc' ignored
[Tue Sep 18 16:26:45 2012] [error] Exception KeyError:
KeyError(140591752845280,) in module 'threading' from
'/usr/lib64/python2.6/threading.pyc' ignored
[Tue Sep 18 16:26:45 2012] [error] Exception KeyError:
KeyError(140591752845280,) in module 'threading' from
'/usr/lib64/python2.6/threading.pyc' ignored
[Tue Sep 18 16:26:45 2012] [error] Exception KeyError:
KeyError(140591752845280,) in module 'threading' from
'/usr/lib64/python2.6/threading.pyc' ignored
[Tue Sep 18 16:26:45 2012] [error] Exception KeyError:
KeyError(140591752845280,) in module 'threading' from
'/usr/lib64/python2.6/threading.pyc' ignored
[Tue Sep 18 16:26:45 2012] [error] Exception KeyError:
KeyError(140591752845280,) in module 'threading' from
'/usr/lib64/python2.6/threading.pyc' ignored
[Tue Sep 18 16:26:45 2012] [error] Exception KeyError:
KeyError(140591752845280,) in module 'threading' from
'/usr/lib64/python2.6/threading.pyc' ignored
[Tue Sep 18 16:26:46 2012] [notice] caught SIGTERM, shutting down
[Tue Sep 18 16:26:46 2012] [notice] SELinux policy enabled; httpd
running as context unconfined_u:system_r:httpd_t:s0
[Tue Sep 18 16:26:46 2012] [notice] suEXEC mechanism enabled (wrapper:
/usr/sbin/suexec)
[Tue Sep 18 16:26:47 2012] [info] Configuring server for SSL protocol
[Tue Sep 18 16:26:47 2012] [debug] nss_engine_init.c(655): Enabling SSL3
[Tue Sep 18 16:26:47 2012] [debug] nss_engine_init.c(660): Enabling TLS
[Tue Sep 18 16:26:47 2012] [debug] nss_engine_init.c(831): Configuring
permitted SSL ciphers
[+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
[Tue Sep 18 16:26:47 2012] [info] Using nickname Server-Cert.
[Tue Sep 18 16:26:47 2012] [notice] Digest: generating secret for
digest authentication ...
[Tue Sep 18 16:26:47 2012] [notice] Digest: done
[Tue Sep 18 16:26:47 2012] [warn] mod_wsgi: Compiled for Python/2.6.2.
[Tue Sep 18 16:26:47 2012] [warn] mod_wsgi: Runtime using Python/2.6.6.
[Tue Sep 18 16:26:48 2012] [debug] proxy_util.c(1803): proxy: worker
ajp://localhost:9447/ already initialized
[Tue Sep 18 16:26:48 2012] [debug] proxy_util.c(1803): proxy: worker
ajp://localhost:9447/ already initialized
[Tue Sep 18 16:26:48 2012] [debug] proxy_util.c(1803): proxy: worker
ajp://localhost:9447/ already initialized
[Tue Sep 18 16:26:48 2012] [debug] proxy_util.c(1803): proxy: worker
ajp://localhost:9447/ already initialized
[Tue Sep 18 16:26:48 2012] [debug] proxy_util.c(1803): proxy: worker
ajp://localhost:9447/ already 

Re: [Freeipa-users] sudden ipa errors.

2012-09-18 Thread Rob Crittenden

Nathan Lager wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

IM going to respond inline to avoid confusion.

On 09/18/2012 03:22 PM, Rob Crittenden wrote:


I think we need to start with the basics, so here is a slew of
questions, things to try:

You said you enabled password auth? Did you do this by setting
KrbMethodK5Passwd to on?



Yes, in /etc/conf.d/ipa.conf, I changed
KrbMethodK5Passwd from off to on, and reloaded httpd.


You say that some commands work, which ones?


There are very few that dont error out.  The ones i've come across are
things like, ipa-replica-manage, every ipa command command ive
attempted to run dies with:


[root@caroline0 PROD conf.d]# ipa user-show lagern
ipa: ERROR: cannot connect to
u'http://caroline0.lafayette.edu/ipa/xml': Internal Server Error



It seems that kinit works? kinit admin


kinit admin works, but admin's password is expired, so the session
never fully init's.  Before his password expired, i could kinit admin.
  I can still kinit as myself, which is an admin account.


Can you set LogLevel debug in /etc/httpd/conf.d/nss.conf and
restart the httpd service, then:

$ kdestroy $ kinit admin $ ipa user-show admin

Provide the logs covering the restart of Apache until the error
from /var/log/httpd/error_log, /var/log/krb5kdc.log and
/var/log/dirsrv/slapd-YOURINSTANCE/access. This last log buffers
for 30 seconds so it may be a while before it gets updated.



loglevel is already debug due to my other testing.
I've restarted httpd anyway, in case you get any meaningful errors in
httpd's start procedure.

I then ran the commands you requested.  Here are the log outputs.

Im sorry that these are dumped in and hard to read..

/var/log/httpd/error_log:
[Tue Sep 18 16:26:45 2012] [error] Exception KeyError:
KeyError(140591752845280,) in module 'threading' from
'/usr/lib64/python2.6/threading.pyc' ignored
[Tue Sep 18 16:26:45 2012] [error] Exception KeyError:
KeyError(140591752845280,) in module 'threading' from
'/usr/lib64/python2.6/threading.pyc' ignored
[Tue Sep 18 16:26:45 2012] [error] Exception KeyError:
KeyError(140591752845280,) in module 'threading' from
'/usr/lib64/python2.6/threading.pyc' ignored
[Tue Sep 18 16:26:45 2012] [error] Exception KeyError:
KeyError(140591752845280,) in module 'threading' from
'/usr/lib64/python2.6/threading.pyc' ignored
[Tue Sep 18 16:26:45 2012] [error] Exception KeyError:
KeyError(140591752845280,) in module 'threading' from
'/usr/lib64/python2.6/threading.pyc' ignored
[Tue Sep 18 16:26:45 2012] [error] Exception KeyError:
KeyError(140591752845280,) in module 'threading' from
'/usr/lib64/python2.6/threading.pyc' ignored
[Tue Sep 18 16:26:45 2012] [error] Exception KeyError:
KeyError(140591752845280,) in module 'threading' from
'/usr/lib64/python2.6/threading.pyc' ignored
[Tue Sep 18 16:26:45 2012] [error] Exception KeyError:
KeyError(140591752845280,) in module 'threading' from
'/usr/lib64/python2.6/threading.pyc' ignored
[Tue Sep 18 16:26:45 2012] [error] Exception KeyError:
KeyError(140591752845280,) in module 'threading' from
'/usr/lib64/python2.6/threading.pyc' ignored
[Tue Sep 18 16:26:45 2012] [error] Exception KeyError:
KeyError(140591752845280,) in module 'threading' from
'/usr/lib64/python2.6/threading.pyc' ignored
[Tue Sep 18 16:26:46 2012] [notice] caught SIGTERM, shutting down
[Tue Sep 18 16:26:46 2012] [notice] SELinux policy enabled; httpd
running as context unconfined_u:system_r:httpd_t:s0
[Tue Sep 18 16:26:46 2012] [notice] suEXEC mechanism enabled (wrapper:
/usr/sbin/suexec)
[Tue Sep 18 16:26:47 2012] [info] Configuring server for SSL protocol
[Tue Sep 18 16:26:47 2012] [debug] nss_engine_init.c(655): Enabling SSL3
[Tue Sep 18 16:26:47 2012] [debug] nss_engine_init.c(660): Enabling TLS
[Tue Sep 18 16:26:47 2012] [debug] nss_engine_init.c(831): Configuring
permitted SSL ciphers
[+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
[Tue Sep 18 16:26:47 2012] [info] Using nickname Server-Cert.
[Tue Sep 18 16:26:47 2012] [notice] Digest: generating secret for
digest authentication ...
[Tue Sep 18 16:26:47 2012] [notice] Digest: done
[Tue Sep 18 16:26:47 2012] [warn] mod_wsgi: Compiled for Python/2.6.2.
[Tue Sep 18 16:26:47 2012] [warn] mod_wsgi: Runtime using Python/2.6.6.
[Tue Sep 18 16:26:48 2012] [debug] proxy_util.c(1803): proxy: worker
ajp://localhost:9447/ already initialized
[Tue Sep 18 16:26:48 2012] [debug] proxy_util.c(1803): proxy: worker
ajp://localhost:9447/ already initialized
[Tue Sep 18 16:26:48 2012] [debug] proxy_util.c(1803): proxy: worker
ajp://localhost:9447/ already initialized
[Tue Sep 18 16:26:48 2012] [debug] proxy_util.c(1803): proxy: worker
ajp://localhost:9447/ already initialized
[Tue Sep 18 16:26:48 2012] [debug] proxy_util.c(1803): proxy: worker
ajp://localhost:9447/ 

Re: [Freeipa-users] sudden ipa errors.

2012-09-18 Thread Lager, Nathan T.

- Original Message -
 From: Rob Crittenden rcrit...@redhat.com
 To: Nathan Lager lag...@lafayette.edu
 Cc: freeipa-users@redhat.com
 Sent: Tuesday, September 18, 2012 5:17:00 PM
 Subject: Re: [Freeipa-users] sudden ipa errors.
 
 Ok, what are the permissions on the keytab,
 /etc/httpd/conf/ipa.keytab?
 They should be apache:apache mode 0600.

[lagern@caroline0 PROD ~]$ ls -lZ /etc/httpd/conf/ipa.keytab
-rw---. apache apache unconfined_u:object_r:httpd_config_t:s0 
/etc/httpd/conf/ipa.keytab

 
 Are you in SELinux enforcing mode? Can you try in permissive to see if
 that works?
I was enforcing at the start of all of this, but ive since switched to 
permissive for troubleshooting.  It hasnt made a difference. 

 
 rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] sudden ipa errors.

2012-09-10 Thread Dmitri Pal
On 08/24/2012 04:43 PM, Rob Crittenden wrote:
 Nathan Lager wrote:
 This did not seem to help...


 What else isn't working? Does the UI work? Do clients on other
 machines work? Does user lookup still work?

 rob


Was this issue ever resolved?



 On 08/22/2012 06:02 PM, Rob Crittenden wrote:
 Nathan Lager wrote:
 [root@ipaserver PROD krb5kdc]# ipactl status
 Directory Service: RUNNING
 KDC Service: RUNNING
 KPASSWD Service: RUNNING
 MEMCACHE Service: RUNNING
 HTTP Service: RUNNING
 CA Service: RUNNING
 [root@ipaserver PROD krb5kdc]# rpm -qa | grep ipa-server
 ipa-server-selinux-2.2.0-16.el6.x86_64
 ipa-server-2.2.0-16.el6.x86_64

 I'd try removing /tmp/krb5cc_48. This is the ccache used by Apache for
 doing S4U2Proxy. No restart of httpd should be required.

 rob



 On 08/22/2012 04:08 PM, Rob Crittenden wrote:
 Nathan Lager wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 I tried the same, kinit, and then ipa passwd commands as before,
 here's the output:

 Aug 22 14:32:13 ipaserver.lafayette.edu krb5kdc[1438](info):
 AS_REQ (4
 etypes {18 17 16 23}) ipa-servers-ip: NEEDED_PREAUTH:
 lag...@systems.lafayette.edu for
 krbtgt/systems.lafayette@systems.lafayette.edu, Additional
 pre-authentication required

 Aug 22 14:32:19 ipaserver.lafayette.edu krb5kdc[1438](info):
 AS_REQ (4
 etypes {18 17 16 23}) ipa-servers-ip: ISSUE: authtime 1345660339,
 etypes {rep=18 tkt=18 ses=18}, lag...@systems.lafayette.edu for
 krbtgt/systems.lafayette@systems.lafayette.edu

 Aug 22 14:32:35 ipaserver.lafayette.edu krb5kdc[1438](info): TGS_REQ
 (4 etypes {18 17 16 23}) ipa-servers-ip: ISSUE: authtime 1345660339,
 etypes {rep=18 tkt=18 ses=18}, lag...@systems.lafayette.edu for
 HTTP/ipaserver.lafayette@systems.lafayette.edu

 What version of IPA is this?

 Does ipactl status show all services up?

 rob







 ___
 Freeipa-users mailing list
 Freeipa-users@redhat.com
 https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] sudden ipa errors.

2012-08-24 Thread Rob Crittenden

Nathan Lager wrote:

This did not seem to help...



What else isn't working? Does the UI work? Do clients on other machines 
work? Does user lookup still work?


rob



On 08/22/2012 06:02 PM, Rob Crittenden wrote:

Nathan Lager wrote:

[root@ipaserver PROD krb5kdc]# ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING
[root@ipaserver PROD krb5kdc]# rpm -qa | grep ipa-server
ipa-server-selinux-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64


I'd try removing /tmp/krb5cc_48. This is the ccache used by Apache for
doing S4U2Proxy. No restart of httpd should be required.

rob




On 08/22/2012 04:08 PM, Rob Crittenden wrote:

Nathan Lager wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

I tried the same, kinit, and then ipa passwd commands as before,
here's the output:

Aug 22 14:32:13 ipaserver.lafayette.edu krb5kdc[1438](info): AS_REQ (4
etypes {18 17 16 23}) ipa-servers-ip: NEEDED_PREAUTH:
lag...@systems.lafayette.edu for
krbtgt/systems.lafayette@systems.lafayette.edu, Additional
pre-authentication required

Aug 22 14:32:19 ipaserver.lafayette.edu krb5kdc[1438](info): AS_REQ (4
etypes {18 17 16 23}) ipa-servers-ip: ISSUE: authtime 1345660339,
etypes {rep=18 tkt=18 ses=18}, lag...@systems.lafayette.edu for
krbtgt/systems.lafayette@systems.lafayette.edu

Aug 22 14:32:35 ipaserver.lafayette.edu krb5kdc[1438](info): TGS_REQ
(4 etypes {18 17 16 23}) ipa-servers-ip: ISSUE: authtime 1345660339,
etypes {rep=18 tkt=18 ses=18}, lag...@systems.lafayette.edu for
HTTP/ipaserver.lafayette@systems.lafayette.edu


What version of IPA is this?

Does ipactl status show all services up?

rob











___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] sudden ipa errors.

2012-08-23 Thread Nathan Lager
This did not seem to help...


On 08/22/2012 06:02 PM, Rob Crittenden wrote:
 Nathan Lager wrote:
 [root@ipaserver PROD krb5kdc]# ipactl status
 Directory Service: RUNNING
 KDC Service: RUNNING
 KPASSWD Service: RUNNING
 MEMCACHE Service: RUNNING
 HTTP Service: RUNNING
 CA Service: RUNNING
 [root@ipaserver PROD krb5kdc]# rpm -qa | grep ipa-server
 ipa-server-selinux-2.2.0-16.el6.x86_64
 ipa-server-2.2.0-16.el6.x86_64
 
 I'd try removing /tmp/krb5cc_48. This is the ccache used by Apache for
 doing S4U2Proxy. No restart of httpd should be required.
 
 rob
 


 On 08/22/2012 04:08 PM, Rob Crittenden wrote:
 Nathan Lager wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 I tried the same, kinit, and then ipa passwd commands as before,
 here's the output:

 Aug 22 14:32:13 ipaserver.lafayette.edu krb5kdc[1438](info): AS_REQ (4
 etypes {18 17 16 23}) ipa-servers-ip: NEEDED_PREAUTH:
 lag...@systems.lafayette.edu for
 krbtgt/systems.lafayette@systems.lafayette.edu, Additional
 pre-authentication required

 Aug 22 14:32:19 ipaserver.lafayette.edu krb5kdc[1438](info): AS_REQ (4
 etypes {18 17 16 23}) ipa-servers-ip: ISSUE: authtime 1345660339,
 etypes {rep=18 tkt=18 ses=18}, lag...@systems.lafayette.edu for
 krbtgt/systems.lafayette@systems.lafayette.edu

 Aug 22 14:32:35 ipaserver.lafayette.edu krb5kdc[1438](info): TGS_REQ
 (4 etypes {18 17 16 23}) ipa-servers-ip: ISSUE: authtime 1345660339,
 etypes {rep=18 tkt=18 ses=18}, lag...@systems.lafayette.edu for
 HTTP/ipaserver.lafayette@systems.lafayette.edu

 What version of IPA is this?

 Does ipactl status show all services up?

 rob


 
 

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] sudden ipa errors.

2012-08-23 Thread Simo Sorce
- Original Message -
 I have a RHEL ipa server setup and running.  Its been running for a
 while now, and suddenly, today, i'm having trouble authenticating to
 it, or changing my password.
 
 The error i'm getting at the command line is:
 
 [lagern@ipaserver PROD ~]$ ipa passwd
 Current Password:
 New Password:
 Enter New Password again to verify:
 ipa: ERROR: cannot connect to
 u'http://ipaserver.lafayette.edu/ipa/xml': Internal Server Error
 
 Looking at /var/log/httpd/error and access logs i see:
 
 [Wed Aug 22 13:18:07 2012] [error] [client client ip)]
 gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may
 provide more information (, Unknown error), referer:
 https://ipaserver.lafayette.edu/ipa/xml
 
 I'm wading through google at the moment, to see if i can find a fix,
 but i'm coming up empty.


Can you check if the http keytab is ok ?

kinit -kt /etc/httpd/conf/ipa.keytab HTTP/ipaserver.lafayette.edu

Does this command work ?

Simo.

-- 
Simo Sorce * Red Hat, Inc. * New York

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
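Two checks on the HTTP keytab come up in this thread: Rob's ownership and mode check (apache:apache, 0600) and Simo's `kinit -kt` test that the key in the file still matches the KDC. The following is an added example, not part of FreeIPA or MIT Kerberos: it decodes the MIT keytab file format (version 0x0502) directly so the principals, key versions and enctypes in /etc/httpd/conf/ipa.keytab can be listed without krb5 tools, and it reports deviations from the expected ownership and mode. The sample keytab is built in memory with constructed key material for the placeholder principal HTTP/ipa.example.test@EXAMPLE.TEST; it cannot tell you whether the kvno matches the KDC, which is what `kinit -kt` verifies.

```python
"""Parse an MIT keytab and check its file permissions
(added example, not FreeIPA or MIT code)."""
import os
import pwd
import stat
import struct
from typing import Dict, List, Tuple

Entry = Dict[str, object]


def _cstr(data: bytes, off: int) -> Tuple[bytes, int]:
    """Counted octet string: uint16 big-endian length, then the bytes."""
    (n,) = struct.unpack_from(">H", data, off)
    return data[off + 2: off + 2 + n], off + 2 + n


def parse_keytab(data: bytes) -> List[Entry]:
    """Decode every live entry of a version-2 MIT keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a v2 keytab (magic %r)" % data[:2])
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                 # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _cstr(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _cstr(data, off)
            comps.append(c.decode())
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        (enctype,) = struct.unpack_from(">H", data, off)
        off += 2
        key, off = _cstr(data, off)
        vno = vno8
        if end - off >= 4:           # optional 32-bit kvno, used when non-zero
            (vno32,) = struct.unpack_from(">I", data, off)
            vno = vno32 or vno8
        off = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "timestamp": ts, "kvno": vno,
                        "enctype": enctype, "keylen": len(key)})
    return entries


def build_keytab(entries: List[Tuple[str, int, int, bytes]]) -> bytes:
    """Encode (principal, kvno, enctype, key) tuples; used to build the sample."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm] + comps:
            b = s.encode()
            body += struct.pack(">H", len(b)) + b
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, ts 0
        body += struct.pack(">H", enctype) + struct.pack(">H", len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def has_principal(entries: List[Entry], principal: str) -> bool:
    return any(e["principal"] == principal for e in entries)


def mode_problems(st_mode: int, st_uid: int, want_uid: int) -> List[str]:
    """Deviations from 'owner uid want_uid, mode 0600' (pure, for testing)."""
    problems = []
    if st_uid != want_uid:
        problems.append("owner uid %d, expected uid %d" % (st_uid, want_uid))
    if stat.S_IMODE(st_mode) != 0o600:
        problems.append("mode %o, expected 0600" % stat.S_IMODE(st_mode))
    return problems


def permission_problems(path: str, owner: str = "apache") -> List[str]:
    st = os.stat(path)
    return mode_problems(st.st_mode, st.st_uid, pwd.getpwnam(owner).pw_uid)


# Constructed sample: two keys for one service principal, kvno 3,
# enctypes 18 (aes256-cts-hmac-sha1-96) and 17 (aes128-cts-hmac-sha1-96).
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/ipa.example.test@EXAMPLE.TEST", 3, 18, bytes(range(32))),
    ("HTTP/ipa.example.test@EXAMPLE.TEST", 3, 17, bytes(range(16))),
])

if __name__ == "__main__":
    for entry in parse_keytab(SAMPLE_KEYTAB):
        print(entry)
```

On a real server, compare the kvno printed for the HTTP principal with the one the KDC holds (`kvno HTTP/host` after a kinit); a mismatch is the case `ipa-getkeytab` repairs by fetching a fresh key.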


Re: [Freeipa-users] sudden ipa errors.

2012-08-22 Thread Rob Crittenden

Nathan Lager wrote:

I have a RHEL ipa server setup and running.  Its been running for a
while now, and suddenly, today, i'm having trouble authenticating to
it, or changing my password.

The error i'm getting at the command line is:

[lagern@ipaserver PROD ~]$ ipa passwd
Current Password:
New Password:
Enter New Password again to verify:
ipa: ERROR: cannot connect to
u'http://ipaserver.lafayette.edu/ipa/xml': Internal Server Error

Looking at /var/log/httpd/error and access logs i see:

[Wed Aug 22 13:18:07 2012] [error] [client client ip)]
gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may
provide more information (, Unknown error), referer:
https://ipaserver.lafayette.edu/ipa/xml

I'm wading through google at the moment, to see if i can find a fix,
but i'm coming up empty.



I'd look in your KDC Log to see if it has anything useful, /var/log/krb5kdc.

rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] sudden ipa errors.

2012-08-22 Thread Nathan Lager
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

I tried the same, kinit, and then ipa passwd commands as before,
here's the output:

Aug 22 14:32:13 ipaserver.lafayette.edu krb5kdc[1438](info): AS_REQ (4
etypes {18 17 16 23}) ipa-servers-ip: NEEDED_PREAUTH:
lag...@systems.lafayette.edu for
krbtgt/systems.lafayette@systems.lafayette.edu, Additional
pre-authentication required

Aug 22 14:32:19 ipaserver.lafayette.edu krb5kdc[1438](info): AS_REQ (4
etypes {18 17 16 23}) ipa-servers-ip: ISSUE: authtime 1345660339,
etypes {rep=18 tkt=18 ses=18}, lag...@systems.lafayette.edu for
krbtgt/systems.lafayette@systems.lafayette.edu

Aug 22 14:32:35 ipaserver.lafayette.edu krb5kdc[1438](info): TGS_REQ
(4 etypes {18 17 16 23}) ipa-servers-ip: ISSUE: authtime 1345660339,
etypes {rep=18 tkt=18 ses=18}, lag...@systems.lafayette.edu for
HTTP/ipaserver.lafayette@systems.lafayette.edu


On 08/22/2012 02:17 PM, Rob Crittenden wrote:
 Nathan Lager wrote:
 I have a RHEL ipa server setup and running.  It's been running for
 a while now, and suddenly, today, I'm having trouble
 authenticating to it, or changing my password.
 
 The error I'm getting at the command line is:
 
 [lagern@ipaserver PROD ~]$ ipa passwd
 Current Password:
 New Password:
 Enter New Password again to verify:
 ipa: ERROR: cannot connect to
 u'http://ipaserver.lafayette.edu/ipa/xml': Internal Server Error
 
 Looking at /var/log/httpd/error and access logs I see:
 
 [Wed Aug 22 13:18:07 2012] [error] [client client ip)] 
 gss_acquire_cred() failed: Unspecified GSS failure.  Minor code
 may provide more information (, Unknown error), referer: 
 https://ipaserver.lafayette.edu/ipa/xml
 
 I'm wading through google at the moment, to see if I can find a
 fix, but I'm coming up empty.
 
 
 I'd look in your KDC Log to see if it has anything useful, 
 /var/log/krb5kdc.
 
 rob
 

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE (#110-011-426)
System Administrator
11 Pardee Hall
Lafayette College, Easton, PA 18042

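The KDC lines above show the full client-side sequence for one login: AS_REQ answered with NEEDED_PREAUTH, a second AS_REQ that is ISSUEd a TGT, then a TGS_REQ ISSUEd for the HTTP/ service principal the IPA web server sits behind. When all three are present and the XML-RPC call still fails with an Internal Server Error, the client's tickets are not the problem and attention moves to the server side. The script below is an added example for this thread, not code from FreeIPA or from anyone on the list; it parses lines in the shape MIT krb5kdc writes to its log, groups them by client principal and states which of those three steps completed. The log sample is constructed, with placeholder hostnames, addresses and principals.

```python
"""Reconstruct the Kerberos exchange behind an IPA request from krb5kdc log lines.

Groups AS_REQ / TGS_REQ entries by client principal and reports whether the
client passed pre-authentication, was issued a TGT, and was issued a service
ticket for the HTTP/ principal the IPA web interface authenticates against.
"""
import re
from collections import defaultdict

# Constructed sample lines in the shape MIT krb5kdc writes to /var/log/krb5kdc.log.
# Hostnames, addresses and principals are placeholders, not values from any real realm.
SAMPLE_LOG = """\
Aug 22 14:32:13 ipaserver.example.test krb5kdc[1438](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: NEEDED_PREAUTH: alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Aug 22 14:32:19 ipaserver.example.test krb5kdc[1438](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1345660339, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Aug 22 14:32:35 ipaserver.example.test krb5kdc[1438](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1345660339, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.TEST for HTTP/ipaserver.example.test@EXAMPLE.TEST
Aug 22 14:40:01 ipaserver.example.test krb5kdc[1438](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.11: NEEDED_PREAUTH: bob@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Aug 22 14:40:05 ipaserver.example.test krb5kdc[1438](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.11: PREAUTH_FAILED: bob@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Preauthentication failed
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ krb5kdc\[\d+\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) \([^)]*\) (?P<addr>\S+): "
    r"(?P<status>[A-Z_]+): "
    r"(?:authtime \d+, etypes \{[^}]*\}, )?"   # present only on ISSUE lines
    r"(?P<client>\S+) for (?P<service>\S+?)(?:,.*)?$"
)


def parse_kdc_log(text):
    """Return one dict per recognised line; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


NO_ACTIVITY = "no KDC activity for this principal"
NO_TGT = "no TGT issued (pre-authentication never succeeded)"
NO_SERVICE_TICKET = "TGT issued but no HTTP/ service ticket requested"
CLIENT_OK = "client side complete: TGT and HTTP/ service ticket issued; investigate the server's credentials"


def summarize(events, service_prefix="HTTP/"):
    """Per client principal: pre-auth failure count, TGT issued?, service ticket issued?"""
    report = defaultdict(lambda: {"preauth_failed": 0, "tgt": False,
                                  "service": False, "addrs": set()})
    for e in events:
        r = report[e["client"]]
        r["addrs"].add(e["addr"])
        if e["req"] == "AS_REQ" and e["status"] == "PREAUTH_FAILED":
            r["preauth_failed"] += 1
        elif e["req"] == "AS_REQ" and e["status"] == "ISSUE":
            r["tgt"] = True
        elif (e["req"] == "TGS_REQ" and e["status"] == "ISSUE"
              and e["service"].startswith(service_prefix)):
            r["service"] = True
    return dict(report)


def diagnose(summary, client):
    """Name the first step of the sequence that is missing for this client."""
    r = summary.get(client)
    if r is None:
        return NO_ACTIVITY
    if not r["tgt"]:
        return NO_TGT
    if not r["service"]:
        return NO_SERVICE_TICKET
    return CLIENT_OK


if __name__ == "__main__":
    s = summarize(parse_kdc_log(SAMPLE_LOG))
    for client in sorted(s):
        print(client, "->", diagnose(s, client),
              "| preauth failures:", s[client]["preauth_failed"])
```

Feed it the output of `grep -E 'AS_REQ|TGS_REQ' /var/log/krb5kdc.log` for the time window of the failed command; a principal that reaches CLIENT_OK yet still gets the HTTP 500 is the case Rob's later suggestion about Apache's own credentials addresses. Repeated PREAUTH_FAILED counts per principal are also the number a password-guessing alert would be built on.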


Re: [Freeipa-users] sudden ipa errors.

2012-08-22 Thread Rob Crittenden

Nathan Lager wrote:


I tried the same, kinit, and then ipa passwd commands as before,
here's the output:

Aug 22 14:32:13 ipaserver.lafayette.edu krb5kdc[1438](info): AS_REQ (4
etypes {18 17 16 23}) ipa-servers-ip: NEEDED_PREAUTH:
lag...@systems.lafayette.edu for
krbtgt/systems.lafayette@systems.lafayette.edu, Additional
pre-authentication required

Aug 22 14:32:19 ipaserver.lafayette.edu krb5kdc[1438](info): AS_REQ (4
etypes {18 17 16 23}) ipa-servers-ip: ISSUE: authtime 1345660339,
etypes {rep=18 tkt=18 ses=18}, lag...@systems.lafayette.edu for
krbtgt/systems.lafayette@systems.lafayette.edu

Aug 22 14:32:35 ipaserver.lafayette.edu krb5kdc[1438](info): TGS_REQ
(4 etypes {18 17 16 23}) ipa-servers-ip: ISSUE: authtime 1345660339,
etypes {rep=18 tkt=18 ses=18}, lag...@systems.lafayette.edu for
HTTP/ipaserver.lafayette@systems.lafayette.edu


What version of IPA is this?

Does ipactl status show all services up?

rob



Re: [Freeipa-users] sudden ipa errors.

2012-08-22 Thread Nathan Lager
[root@ipaserver PROD krb5kdc]# ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING
[root@ipaserver PROD krb5kdc]# rpm -qa | grep ipa-server
ipa-server-selinux-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64


On 08/22/2012 04:08 PM, Rob Crittenden wrote:
 Nathan Lager wrote:

 I tried the same, kinit, and then ipa passwd commands as before,
 here's the output:

 Aug 22 14:32:13 ipaserver.lafayette.edu krb5kdc[1438](info): AS_REQ (4
 etypes {18 17 16 23}) ipa-servers-ip: NEEDED_PREAUTH:
 lag...@systems.lafayette.edu for
 krbtgt/systems.lafayette@systems.lafayette.edu, Additional
 pre-authentication required

 Aug 22 14:32:19 ipaserver.lafayette.edu krb5kdc[1438](info): AS_REQ (4
 etypes {18 17 16 23}) ipa-servers-ip: ISSUE: authtime 1345660339,
 etypes {rep=18 tkt=18 ses=18}, lag...@systems.lafayette.edu for
 krbtgt/systems.lafayette@systems.lafayette.edu

 Aug 22 14:32:35 ipaserver.lafayette.edu krb5kdc[1438](info): TGS_REQ
 (4 etypes {18 17 16 23}) ipa-servers-ip: ISSUE: authtime 1345660339,
 etypes {rep=18 tkt=18 ses=18}, lag...@systems.lafayette.edu for
 HTTP/ipaserver.lafayette@systems.lafayette.edu
 
 What version of IPA is this?
 
 Does ipactl status show all services up?
 
 rob




Re: [Freeipa-users] sudden ipa errors.

2012-08-22 Thread Rob Crittenden

Nathan Lager wrote:

[root@ipaserver PROD krb5kdc]# ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING
[root@ipaserver PROD krb5kdc]# rpm -qa | grep ipa-server
ipa-server-selinux-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64


I'd try removing /tmp/krb5cc_48. This is the ccache used by Apache for 
doing S4U2Proxy. No restart of httpd should be required.


rob




On 08/22/2012 04:08 PM, Rob Crittenden wrote:

Nathan Lager wrote:


I tried the same, kinit, and then ipa passwd commands as before,
here's the output:

Aug 22 14:32:13 ipaserver.lafayette.edu krb5kdc[1438](info): AS_REQ (4
etypes {18 17 16 23}) ipa-servers-ip: NEEDED_PREAUTH:
lag...@systems.lafayette.edu for
krbtgt/systems.lafayette@systems.lafayette.edu, Additional
pre-authentication required

Aug 22 14:32:19 ipaserver.lafayette.edu krb5kdc[1438](info): AS_REQ (4
etypes {18 17 16 23}) ipa-servers-ip: ISSUE: authtime 1345660339,
etypes {rep=18 tkt=18 ses=18}, lag...@systems.lafayette.edu for
krbtgt/systems.lafayette@systems.lafayette.edu

Aug 22 14:32:35 ipaserver.lafayette.edu krb5kdc[1438](info): TGS_REQ
(4 etypes {18 17 16 23}) ipa-servers-ip: ISSUE: authtime 1345660339,
etypes {rep=18 tkt=18 ses=18}, lag...@systems.lafayette.edu for
HTTP/ipaserver.lafayette@systems.lafayette.edu


What version of IPA is this?

Does ipactl status show all services up?

rob






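Before deleting the Apache credential cache Rob names, it is worth recording what is in it: `klist -c /tmp/krb5cc_48` (run as root, since the file belongs to uid 48, the apache user on RHEL) lists the cache's principal and the expiry of each ticket, which tells you whether the cache was stale or whether the failure lies elsewhere. The parser below is an added example, not code from FreeIPA or from the thread; it reads that klist output and gives a verdict at a chosen reference time. The klist text is constructed with placeholder principals, and the timestamp formats it accepts are the two MIT krb5 prints (two-digit years on older releases such as RHEL 6, four-digit years on newer ones).

```python
"""Inspect a Kerberos credential cache listing before deciding it is stale.

Parses the text `klist -c <cache>` prints and reports which tickets in it
have expired at a given reference time, plus whether the cache belongs to
the principal you expect (here the web server's HTTP/ principal).
"""
import re
from datetime import datetime

# Constructed klist output in the shape MIT krb5 prints. Principals and
# hostnames are placeholders, not values from any real realm.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_48
Default principal: HTTP/ipaserver.example.test@EXAMPLE.TEST

Valid starting     Expires            Service principal
08/21/12 13:02:11  08/22/12 13:02:11  krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
\trenew until 08/28/12 13:02:11
08/22/12 09:15:40  08/23/12 09:15:40  ldap/ipaserver.example.test@EXAMPLE.TEST
"""

# One ticket row: start, expiry, service principal. Indented "renew until"
# continuation lines start with whitespace and therefore do not match.
TICKET_RE = re.compile(
    r"^(?P<start>\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<expires>\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<service>\S+)\s*$"
)


def parse_time(text):
    """klist prints local time, so the result is a naive local datetime."""
    for fmt in ("%m/%d/%y %H:%M:%S", "%m/%d/%Y %H:%M:%S"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError("unrecognised klist timestamp: %r" % text)


def parse_klist(text):
    info = {"cache": None, "principal": None, "tickets": []}
    for line in text.splitlines():
        if line.startswith("Ticket cache:"):
            info["cache"] = line.split(":", 1)[1].strip()
        elif line.startswith("Default principal:"):
            info["principal"] = line.split(":", 1)[1].strip()
        else:
            m = TICKET_RE.match(line)
            if m:
                info["tickets"].append({
                    "service": m.group("service"),
                    "start": parse_time(m.group("start")),
                    "expires": parse_time(m.group("expires")),
                })
    return info


def expired_tickets(info, now):
    """Service principals whose ticket has expired at `now`."""
    return [t["service"] for t in info["tickets"] if t["expires"] <= now]


STALE = "stale: no valid TGT in this cache at the reference time"
WRONG_PRINCIPAL = "unexpected principal: this cache does not belong to the expected service"
OK = "ok: TGT still valid"


def ccache_verdict(info, now, expected_principal):
    if info["principal"] != expected_principal:
        return WRONG_PRINCIPAL
    has_valid_tgt = any(t["service"].startswith("krbtgt/") and t["expires"] > now
                        for t in info["tickets"])
    return OK if has_valid_tgt else STALE


if __name__ == "__main__":
    info = parse_klist(SAMPLE_KLIST)
    now = parse_time("08/22/12 14:32:00")
    print(info["cache"], info["principal"])
    print("expired:", expired_tickets(info, now))
    print(ccache_verdict(info, now, "HTTP/ipaserver.example.test@EXAMPLE.TEST"))
```

Capture the listing to a file before removing the cache, so the evidence survives the fix; a cache whose TGT is valid and whose principal is correct makes "stale ccache" an unlikely explanation and points back at configuration (krb5.conf, keytab) rather than cached state.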