When the s4u2 proxy delegation fails, we return an Internal Error, which does not really help in investigating the root cause. The error message should be improved.
Error message:
# ipa user-find
ipa: ERROR: cannot connect to u'http://vm-068.idm.lab.bos.redhat.com/ipa/xml': Internal Server Error
/var/log/httpd/error_log:
[Mon Feb 20 04:40:44 2012] [error] [client 10.16.78.68] mod_wsgi (pid=29694): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Mon Feb 20 04:40:44 2012] [error] [client 10.16.78.68] Traceback (most recent call last):
[Mon Feb 20 04:40:44 2012] [error] [client 10.16.78.68]   File "/usr/share/ipa/wsgi.py", line 48, in application
[Mon Feb 20 04:40:44 2012] [error] [client 10.16.78.68]     return api.Backend.session(environ, start_response)
[Mon Feb 20 04:40:44 2012] [error] [client 10.16.78.68]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 148, in __call__
[Mon Feb 20 04:40:44 2012] [error] [client 10.16.78.68]     return self.route(environ, start_response)
[Mon Feb 20 04:40:44 2012] [error] [client 10.16.78.68]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 160, in route
[Mon Feb 20 04:40:44 2012] [error] [client 10.16.78.68]     return app(environ, start_response)
[Mon Feb 20 04:40:44 2012] [error] [client 10.16.78.68]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 320, in __call__
[Mon Feb 20 04:40:44 2012] [error] [client 10.16.78.68]     self.create_context(ccache=environ.get('KRB5CCNAME'))
[Mon Feb 20 04:40:44 2012] [error] [client 10.16.78.68]   File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 110, in create_context
[Mon Feb 20 04:40:44 2012] [error] [client 10.16.78.68]     self.Backend.ldap2.connect(ccache=ccache)
[Mon Feb 20 04:40:44 2012] [error] [client 10.16.78.68]   File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 62, in connect
[Mon Feb 20 04:40:44 2012] [error] [client 10.16.78.68]     conn = self.create_connection(*args, **kw)
[Mon Feb 20 04:40:44 2012] [error] [client 10.16.78.68]   File "/usr/lib/python2.7/site-packages/ipalib/encoder.py", line 190, in new_f
[Mon Feb 20 04:40:44 2012] [error] [client 10.16.78.68]     return f(*new_args, **kwargs)
[Mon Feb 20 04:40:44 2012] [error] [client 10.16.78.68]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 478, in create_connection
[Mon Feb 20 04:40:44 2012] [error] [client 10.16.78.68]     _handle_errors(e)
[Mon Feb 20 04:40:44 2012] [error] [client 10.16.78.68]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 243, in _handle_errors
[Mon Feb 20 04:40:44 2012] [error] [client 10.16.78.68]     raise errors.DatabaseError(desc=desc, info=info)
[Mon Feb 20 04:40:44 2012] [error] [client 10.16.78.68] DatabaseError: Local error: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (KDC returned error string: NOT_ALLOWED_TO_DELEGATE)
How to test:
An easy way of reproducing the issue is, for example, to modify ipaAllowedTarget in cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX to point to a non-existent ACL container, or to remove a memberPrincipal for the tested machine.
The call to create_connection in the backend was outside a try/except so we would miss public ACI errors. This will catch them.
To test this you can delete the S4U2Proxy delegation:
$ ldapmodify -x -D 'cn=directory manager' -W
LDAP Password:
dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
changetype: modify
delete: memberPrincipal

$ kinit admin
$ user-show admin
ipa: ERROR: Insufficient access: KDC returned NOT_ALLOWED_TO_DELEGATE
To fix your instance run:
# ipa-ldap-updater --ldapi /usr/share/ipa/updates/30-s4u2proxy.update
attachment freeipa-rcrit-964-exception.patch
master: b241e82
ipa-2-2: a9b33ff
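The fix described in the comment above moves the create_connection call inside a try/except so that a delegation failure surfaces as a public "Insufficient access" error rather than an Internal Server Error. The following is an added example of that pattern, not FreeIPA's own code: DatabaseError, InsufficientAccess, connect_ldap, classify_bind_error and the failing create_connection stand-in are all assumed names constructed for this illustration, and the sample SASL info string is taken from the traceback in the ticket. The remediation hint for NOT_ALLOWED_TO_DELEGATE repeats the ipa-ldap-updater command given in the comment.

```python
"""Translate an opaque SASL/GSSAPI bind failure into an actionable public error.

Added example, not FreeIPA code. All class and function names here are
assumptions; the failure string is the one recorded in the ticket's traceback.
"""

import re


class DatabaseError(Exception):
    """Stand-in for ipalib.errors.DatabaseError (constructed for this example)."""

    def __init__(self, desc, info):
        super().__init__(f"{desc}: {info}")
        self.desc = desc
        self.info = info


class InsufficientAccess(Exception):
    """Stand-in for the public 'Insufficient access' error the fix raises."""


# Remediation hints keyed by the KDC error string that SASL/GSSAPI passes
# through. Only the entry this ticket documents is filled in; unknown codes
# still get a clear message naming the code.
KDC_HINTS = {
    "NOT_ALLOWED_TO_DELEGATE": (
        "S4U2Proxy delegation for the HTTP service principal is not permitted; "
        "check the ipaAllowedTarget and memberPrincipal entries under "
        "cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX, or run "
        "ipa-ldap-updater --ldapi /usr/share/ipa/updates/30-s4u2proxy.update"
    ),
}

# The KDC error string is embedded in the GSSAPI minor-code text.
_KDC_RE = re.compile(r"KDC returned error string: ([A-Z_]+)")


def classify_bind_error(info):
    """Return (kdc_code, hint) when the SASL info text carries a KDC error,
    otherwise (None, None) so the caller re-raises the original exception."""
    m = _KDC_RE.search(info or "")
    if not m:
        return None, None
    code = m.group(1)
    return code, KDC_HINTS.get(code, "no remediation hint recorded for this KDC error")


def connect_ldap(create_connection, **kw):
    """Call create_connection() inside a try/except (the change this ticket's
    patch makes) so a delegation failure becomes a public, actionable error."""
    try:
        return create_connection(**kw)
    except DatabaseError as e:
        code, hint = classify_bind_error(e.info)
        if code is not None:
            raise InsufficientAccess(f"KDC returned {code}: {hint}") from e
        raise  # anything else stays an internal database error


# Constructed sample: the SASL failure text from the httpd error_log above.
SAMPLE_INFO = (
    "SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. "
    "Minor code may provide more information "
    "(KDC returned error string: NOT_ALLOWED_TO_DELEGATE)"
)


def failing_create_connection(**kw):
    """Constructed stand-in for ldap2.create_connection raising the ticket's error."""
    raise DatabaseError(desc="Local error", info=SAMPLE_INFO)


def demo():
    """Return the public message a client would now see for the sample failure."""
    try:
        connect_ldap(failing_create_connection, ccache="FILE:/tmp/krb5cc_example")
    except InsufficientAccess as e:
        return str(e)
    return None


if __name__ == "__main__":
    print(demo())
```

The wrapper only reclassifies failures whose SASL text carries a KDC error string; any other DatabaseError is re-raised unchanged, so a genuine directory problem is not disguised as an access-control one.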
Metadata Update from @mkosek:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 2.2 Core Effort - 2012/03