ERF12-5287 » History » Version 9
Stephen Benjamin, 12/04/2015 10:48 AM
| 1 | 3 | Stephen Benjamin | h1. ERF12-5287: Unable to create realm entry |
|---|---|---|---|
| 2 | |||
| 3 | 8 | Stephen Benjamin | Look at /var/log/foreman-proxy/proxy.log and /var/log/foreman/production.log for errors. |
| 4 | 1 | Stephen Benjamin | |
| 5 | Possible solutions to this issue: |
||
| 6 | |||
| 7 | 9 | Stephen Benjamin | h2. Can you kinit? |
| 8 | |||
| 9 | Is the keytab readable by the foreman-proxy user? Can you successfully kinit? Try this: |
||
| 10 | |||
| 11 | <pre> |
||
| 12 | KRB5_TRACE=/dev/stdout sudo -u foreman-proxy kinit realm-proxy@EXAMPLE.COM -k -t /etc/foreman-proxy/freeipa.keytab |
||
| 13 | </pre> |
||
| 14 | |||
| 15 | |||
| 16 | 6 | Stephen Benjamin | h2. Upgraded IPA 3.x to 4.x |
| 17 | |||
| 18 | 7 | Stephen Benjamin | If you upgraded IPA from 3 to 4, the permissions system has changed and the custom permissions foreman needs are not migrated correctly. You can verify this is the problem by looking at /var/log/httpd/*.log for permissions errors. |
| 19 | 6 | Stephen Benjamin | |
| 20 | Re-run `foreman-prepare-realm` from a server with the IPA version *4* client tools installed (such as the FreeIPA server itself). |
||
| 21 | |||
| 22 | |||
| 23 | 2 | Stephen Benjamin | h2. Expired Keytab |
| 24 | |||
| 25 | Do you see an error like this in /var/log/foreman-proxy/proxy.log? |
||
| 26 | |||
| 27 | <pre> |
||
| 28 | ERROR -- : Failed to initailize credentials cache from keytab: krb5_get_init_creds_keytab: Decrypt integrity check failed |
||
| 29 | </pre> |
||
| 30 | |||
| 31 | 4 | Tommy McNeely | Your Keytab may be expired. The keytab expiration follows your password expiration policies. |
| 32 | 2 | Stephen Benjamin | |
| 33 | You can get a new one by: |
||
| 34 | |||
| 35 | <pre> |
||
| 36 | # kinit admin@EXAMPLE.COM (or other suitable IPA admin) |
||
| 37 | # ipa-getkeytab -s ipa01.example.com -p realm-proxy@EXAMPLE.COM -k /etc/foreman-proxy/freeipa.keytab |
||
| 38 | 4 | Tommy McNeely | # chown foreman-proxy:foreman-proxy /etc/foreman-proxy/freeipa.keytab |
| 39 | 2 | Stephen Benjamin | </pre> |
| 40 | |||
| 41 | 1 | Stephen Benjamin | |
| 42 | h2. Wrong Size Error |
||
| 43 | |||
| 44 | Do you see an error like this in /var/log/foreman-proxy/proxy.log? |
||
| 45 | |||
| 46 | <pre> |
||
| 47 | E, [2014-11-03T15:23:02.715791 #21273] ERROR -- : Wrong size. Was 307, should be 191 |
||
| 48 | </pre> |
||
| 49 | |||
| 50 | This is due to a bug in Ruby: |
||
| 51 | https://bugs.ruby-lang.org/issues/8182 |
||
| 52 | |||
| 53 | 5 | Dominic Cleal | This has been fixed in RHEL 7.1 + rebuilds, please run @yum update ruby@. The relevant bugzilla |
| 54 | 1 | Stephen Benjamin | is: https://bugzilla.redhat.com/show_bug.cgi?id=1071187 |
| 55 | |||
| 56 | 5 | Dominic Cleal | On 7.0, you can temporarily work around the problem by commenting these out on lines 505-506 in |
| 57 | 1 | Stephen Benjamin | /usr/share/ruby/xmlrpc/client.rb: |
| 58 | |||
| 59 | <pre> |
||
| 60 | #elsif expected != "<unknown>" and expected.to_i != data.bytesize and resp["Transfer-Encoding"].nil? |
||
| 61 | # raise "Wrong size. Was #{data.bytesize}, should be |
||
| 62 | # #{expected}" |
||
| 63 | </pre> |