Pavel,

Thanks for the help, that solved the problem. Now I can access the web ui.

The upgrade took place yesterday and it was a release upgrade from rhel 7.3 (last update was last week) to rhel 7.4 (so we had a lot of package updates):

ID     | Command line | Date and time    | Action(s)  | Altered
-------------------------------------------------------------------------------
    35 | update       | 2017-08-07 09:07 | E, I, O, U | 470 EE

According to yum history info, these are the ipa packages that were updated:

    Obsoleted   ipa-admintools-4.4.0-14.el7_3.7.noarch @rhel7
    Updated     ipa-client-4.4.0-14.el7_3.7.x86_64 @rhel7
    Obsoleting  ipa-client-4.5.0-21.el7.x86_64 @rhel7
    Updated     ipa-client-common-4.4.0-14.el7_3.7.noarch @rhel7
    Update                        4.5.0-21.el7.noarch @rhel7
    Updated     ipa-common-4.4.0-14.el7_3.7.noarch @rhel7
    Update                 4.5.0-21.el7.noarch @rhel7
    Updated     ipa-python-compat-4.4.0-14.el7_3.7.noarch @rhel7
    Update                        4.5.0-21.el7.noarch @rhel7
    Updated     ipa-server-4.4.0-14.el7_3.7.x86_64 @rhel7
    Update                 4.5.0-21.el7.x86_64 @rhel7
    Updated     ipa-server-common-4.4.0-14.el7_3.7.noarch @rhel7
    Update                        4.5.0-21.el7.noarch @rhel7
    Updated     ipa-server-dns-4.4.0-14.el7_3.7.noarch @rhel7
    Update                     4.5.0-21.el7.noarch @rhel7
    Updated     libipa_hbac-1.14.0-43.el7_3.18.x86_64 @rhel7
    Update                  1.15.2-50.el7.x86_64 @rhel7
    Updated     python-libipa_hbac-1.14.0-43.el7_3.18.x86_64 @rhel7
    Update                         1.15.2-50.el7.x86_64 @rhel7
    Updated     python2-ipaclient-4.4.0-14.el7_3.7.noarch @rhel7
    Update                        4.5.0-21.el7.noarch @rhel7
    Updated     python2-ipalib-4.4.0-14.el7_3.7.noarch @rhel7
    Update                     4.5.0-21.el7.noarch @rhel7
    Updated     python2-ipaserver-4.4.0-14.el7_3.7.noarch @rhel7
    Update                        4.5.0-21.el7.noarch @rhel7
    Updated     sssd-ipa-1.14.0-43.el7_3.18.x86_64 @rhel7
    Update               1.15.2-50.el7.x86_64 @rhel7

Again, thanks for the help!

Kind regards

On Tue, Aug 8, 2017 at 5:51 AM, Pavel Vomacka <pvoma...@redhat.com> wrote:

>
>
> On 08/07/2017 07:01 PM, Gustavo Berman via FreeIPA-users wrote:
>
> Hello Pavel
>
> On Mon, Aug 7, 2017 at 12:40 PM, Pavel Vomacka <pvoma...@redhat.com> wrote:
>
>>
>> Hello Gustavo,
>> From what I can see, the issue would be PROTOCOL ERROR in whoami command.
>> Could you please check whether all services are running? Please run
>> # ipactl status
>>
>> and post the output.
>>
>>
> # ipactl status
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> named Service: RUNNING
> httpd Service: RUNNING
> ipa-custodia Service: RUNNING
> pki-tomcatd Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa-dnskeysyncd Service: RUNNING
> ipa: INFO: The ipactl command was successful
>
>
>> And please could you send me the /etc/named.conf? Especially everything
>> after
>> dyndb "ipa"
>> line is interesting for us.
>>
>
> This is from /etc/named.conf
>
> options {
>     // turns on IPv6 for port 53, IPv4 is on by default for all ifaces
>     listen-on-v6 {any;};
>
>     // Put files that named is allowed to write in the data/ directory:
>     directory "/var/named"; // the default
>     dump-file "data/cache_dump.db";
>     statistics-file "data/named_stats.txt";
>     memstatistics-file "data/named_mem_stats.txt";
>
>     forward only;
>     forwarders {
>         10.73.2.100;
>         10.73.2.102;
>         10.73.2.101;
>     };
>
>     // Any host is permitted to issue recursive queries
>     allow-recursion { any; };
>
>     tkey-gssapi-keytab "/etc/named.keytab";
>     pid-file "/run/named/named.pid";
>     dnssec-enable yes;
>     dnssec-validation no;
>     bindkeys-file "/etc/named.iscdlv.key";
>     managed-keys-directory "/var/named/dynamic";
> };
>
> /* If you want to enable debugging, eg. using the 'rndc trace' command,
>  * By default, SELinux policy does not allow named to modify the /var/named directory,
>  * so put the default debug log file in data/ :
>  */
> logging {
>     channel default_debug {
>         file "data/named.run";
>         severity dynamic;
>         print-time yes;
>     };
> };
>
> zone "." IN {
>     type hint;
>     file "named.ca";
> };
>
> include "/etc/named.rfc1912.zones";
>
> dyndb "ipa" "/usr/lib64/bind/ldap.so" {
>     uri "ldapi://%2fvar%2frun%2fslapd-FISICA-CABIB.socket";
>     base "cn=dns, dc=fisica,dc=cabib";
>     fake_mname "ipaserver.fisica.cabib.";
>     auth_method "sasl";
>     sasl_mech "GSSAPI";
>     sasl_user "DNS/ipaserver.fisica.cabib";
>     server_id "ipaserver.fisica.cabib";
> };
> include "/etc/named.root.key";
>
> key "rndc-key" {
>     algorithm hmac-md5;
>     secret "#########################";
> };
>
>
> Thank you for the configuration. It looks good.
>
> Another thing that might be incorrect is that the whoami plugin is not
> loaded. Please check whether you have the following line:
> dn: cn=whoami,cn=plugins,cn=config
>
> in the /etc/dirsrv/slapd-IPASERVER-FISICA-CABIB/dse.ldif
>
> If not, please add the following lines there (between double quotes and without
> them):
>
> "
> dn: cn=whoami,cn=plugins,cn=config
> cn: whoami
> nsslapd-plugin-depends-on-type: database
> nsslapd-pluginDescription: whoami extended operation plugin
> nsslapd-pluginEnabled: on
> nsslapd-pluginId: whoami-plugin
> nsslapd-pluginInitfunc: whoami_init
> nsslapd-pluginPath: libwhoami-plugin
> nsslapd-pluginType: extendedop
> nsslapd-pluginVendor: 389 Project
> nsslapd-pluginVersion: 1.3.5.18
> objectClass: top
> objectClass: nsSlapdPlugin
> objectClass: extensibleObject
> "
>
> and change the nsslapd-pluginVersion value to the same as other plugins
> have.
>
> Then you will probably need to restart ipa service or at least dirsrv.
>
> Did that help?
>
> Could you please tell us more about the upgrade? Especially from which version
> did you upgrade to 4.5 and which OS do you use? Which version of IPA did
> you have when you started using IPA?
>
>
> --
> Gustavo Berman
> Sysadmin - Gerencia de Física - Centro Atómico Bariloche - CNEA
>
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>
>
> --
> Pavel^3 Vomacka
>
>

--
Gustavo Berman
Sysadmin - Gerencia de Física - Centro Atómico Bariloche - CNEA
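
The check described in the quoted reply (is the cn=whoami,cn=plugins,cn=config entry present and enabled in dse.ldif, and which nsslapd-pluginVersion do the other plugins carry), as an added Python example that is not part of the original thread or of FreeIPA/389-ds code. The sample LDIF and its version 9.9.9 are constructed, the function names are hypothetical, and base64-encoded (`attr::`) values are assumed absent.

```python
from collections import Counter

WHOAMI_DN = "cn=whoami,cn=plugins,cn=config"
PLUGIN_SUFFIX = ",cn=plugins,cn=config"

def norm_dn(dn):
    # DNs are case-insensitive and may carry spaces after the commas.
    return ",".join(p.strip().lower() for p in dn.split(","))

def parse_ldif(text):
    """Return entries as dicts: lower-cased attribute -> list of values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:
        if not line.strip():                # a blank line ends an entry
            if cur:
                entries.append(cur)
            cur = {}
        elif not line.startswith("#"):      # skip LDIF comments
            attr, _, value = line.partition(":")
            cur.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def check_whoami(ldif_text):
    """Return (status, version); status is 'missing', 'disabled' or 'ok'."""
    plugins = [e for e in parse_ldif(ldif_text)
               if norm_dn(e.get("dn", [""])[0]).endswith(PLUGIN_SUFFIX)]
    others = [e for e in plugins if norm_dn(e["dn"][0]) != WHOAMI_DN]
    versions = Counter(v for e in others for v in e.get("nsslapd-pluginversion", []))
    version = versions.most_common(1)[0][0] if versions else None
    whoami = [e for e in plugins if norm_dn(e["dn"][0]) == WHOAMI_DN]
    if not whoami:
        return "missing", version
    enabled = whoami[0].get("nsslapd-pluginenabled", ["off"])[0].lower() == "on"
    return ("ok" if enabled else "disabled"), version

# Constructed sample input (not the poster's dse.ldif); version 9.9.9 is made up.
SAMPLE = ("dn: cn=config\ncn: config\n\n"
          "dn: cn=7-bit check,cn=plugins,cn=config\n"
          "nsslapd-pluginEnabled: on\nnsslapd-pluginVersion: 9.9.9\n")
WHOAMI = "dn: cn=whoami,cn=plugins,\n cn=config\nnsslapd-pluginEnabled: on\n"

if __name__ == "__main__":
    print(check_whoami(SAMPLE), check_whoami(SAMPLE + "\n" + WHOAMI))
```

The returned version is the most common nsslapd-pluginVersion among the other plugin entries, which is the value the reply says to copy into the whoami entry.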