Hi,

Just wondering if anyone had the time to take a look at this. My understanding is that everything works up to the point that kerberos authentication takes place successfully, but for some reason the ticket obtained does not get stored.

Best regards,

Dimitrios

On Mon, Jan 15, 2018 at 9:21 PM, Dimitris Zilaskos <dimitrisz@gmail.com> wrote:
Thank you for your reply. I just retried with debug enabled but I cannot say I see anything useful.


I was wondering if I somehow can debug the kerberos procedure more...or get rid of memcache for debug purposes.

Best regards,

Dimitrios


On Mon, Jan 15, 2018 at 8:49 PM, Rob Crittenden <rcritten@redhat.com> wrote:
Dimitris Zilaskos via FreeIPA-users wrote:
> Hello,
>
> I have been asked to look into an ipa server running in CentOS 6. The
> server was missbehaving for some time, with some certificates expiring
> back in October. Also / was full. I have cleaned up some space, set the
> date back before the certificates expired, restarted/rebooted but
> renewal of certs fails:
>
> [Wed Oct 25 00:00:21 2017] [info] Connection to child 0 established
> (server portal.cloud.local, client 10.142.20.10)
> [Wed Oct 25 00:00:21 2017] [debug] nss_engine_init.c(1948): SNI: Found
> nickname Server-Cert for vhost: portal.cloud.local
> [Wed Oct 25 00:00:21 2017] [debug] nss_engine_init.c(1970): SNI:
> Successfully paired vhost portal.cloud.local with nickname: Server-Cert
> [Wed Oct 25 00:00:21 2017] [debug] nss_engine_kernel.c(93): SNI request
> for portal.cloud.local
> [Wed Oct 25 00:00:21 2017] [info] Initial (No.1) HTTPS request received
> for child 0 (server portal.cloud.local:443)
> [Wed Oct 25 00:00:21 2017] [error] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
> [Wed Oct 25 00:00:21 2017] [error] ipa: DEBUG: WSGI xmlserver.__call__:
> [Wed Oct 25 00:00:21 2017] [error] ipa: ERROR: 500 Internal Server
> Error: xmlserver.__call__: KRB5CCNAME not defined in HTTP request
> environment
> [Wed Oct 25 00:00:21 2017] [error] ipa: DEBUG: response: CCacheError:
> did not receive Kerberos credentials
> [Wed Oct 25 00:00:21 2017] [info] Connection to child 0 closed (server
> portal.cloud.local:443, client 10.142.20.10)
>
> I can do kinit admin without problems. Please any hints how can I
> resoleve this?
>

This isn't much to go on.

You might create /etc/ipa/server.conf with the contents:

[global]
debug = True

and restart IPA. It should provide more information on the incmoing request.

certmonger logs to syslog so I'd check there for details from the renewal.

Knowing the state of the certs tracked by certmonger would be helpful
too (be sure to redact any PIN that might be in the getcert list output).

rob