Pavel,
Thanks for the help, that solved the problem. Now I can access the web ui.
The upgrade took place yesterday and it was a release upgrade from rhel 7.3
(last update was last week) to rhel 7.4 (so we had a lot of package
updates):

ID     | Command line             | Date and time    | Action(s)      | Altered
-------------------------------------------------------------------------------
    35 | update                   | 2017-08-07 09:07 | E, I, O, U     |  470 EE


According to yum history info, these are the IPA packages that were updated:
    Obsoleted   ipa-admintools-4.4.0-14.el7_3.7.noarch          @rhel7
    Updated     ipa-client-4.4.0-14.el7_3.7.x86_64              @rhel7
    Obsoleting  ipa-client-4.5.0-21.el7.x86_64                  @rhel7
    Updated     ipa-client-common-4.4.0-14.el7_3.7.noarch       @rhel7
    Update                        4.5.0-21.el7.noarch           @rhel7
    Updated     ipa-common-4.4.0-14.el7_3.7.noarch              @rhel7
    Update                 4.5.0-21.el7.noarch                  @rhel7
    Updated     ipa-python-compat-4.4.0-14.el7_3.7.noarch       @rhel7
    Update                        4.5.0-21.el7.noarch           @rhel7
    Updated     ipa-server-4.4.0-14.el7_3.7.x86_64              @rhel7
    Update                 4.5.0-21.el7.x86_64                  @rhel7
    Updated     ipa-server-common-4.4.0-14.el7_3.7.noarch       @rhel7
    Update                        4.5.0-21.el7.noarch           @rhel7
    Updated     ipa-server-dns-4.4.0-14.el7_3.7.noarch          @rhel7
    Update                     4.5.0-21.el7.noarch              @rhel7
    Updated     libipa_hbac-1.14.0-43.el7_3.18.x86_64           @rhel7
    Update                  1.15.2-50.el7.x86_64                @rhel7
    Updated     python-libipa_hbac-1.14.0-43.el7_3.18.x86_64    @rhel7
    Update                         1.15.2-50.el7.x86_64         @rhel7
    Updated     python2-ipaclient-4.4.0-14.el7_3.7.noarch       @rhel7
    Update                        4.5.0-21.el7.noarch           @rhel7
    Updated     python2-ipalib-4.4.0-14.el7_3.7.noarch          @rhel7
    Update                     4.5.0-21.el7.noarch              @rhel7
    Updated     python2-ipaserver-4.4.0-14.el7_3.7.noarch       @rhel7
    Update                        4.5.0-21.el7.noarch           @rhel7
    Updated     sssd-ipa-1.14.0-43.el7_3.18.x86_64              @rhel7
    Update               1.15.2-50.el7.x86_64                   @rhel7


Again, thanks for the help!
Kind regards


On Tue, Aug 8, 2017 at 5:51 AM, Pavel Vomacka <pvoma...@redhat.com> wrote:

>
>
> On 08/07/2017 07:01 PM, Gustavo Berman via FreeIPA-users wrote:
>
> Hello Pavel
>
> On Mon, Aug 7, 2017 at 12:40 PM, Pavel Vomacka <pvoma...@redhat.com>
> wrote:
>
>>
>> Hello Gustavo,
>> From what I can see, the issue would be PROTOCOL ERROR in whoami command.
>> Could you please check whether all services are running? Please run
>> # ipactl status
>>
>> and post the output.
>>
>>
> # ipactl status
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> named Service: RUNNING
> httpd Service: RUNNING
> ipa-custodia Service: RUNNING
> pki-tomcatd Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa-dnskeysyncd Service: RUNNING
> ipa: INFO: The ipactl command was successful
>
>
>
>
>> And please could you send me the /etc/named.conf? Especially everything
>> after
>>  dyndb "ipa"
>> line is interesting for us.
>>
>
> This is from /etc/named.conf
>
> options {
>         // turns on IPv6 for port 53, IPv4 is on by default for all ifaces
>         listen-on-v6 {any;};
>
>         // Put files that named is allowed to write in the data/ directory:
>         directory "/var/named"; // the default
>         dump-file               "data/cache_dump.db";
>         statistics-file         "data/named_stats.txt";
>         memstatistics-file      "data/named_mem_stats.txt";
>
>         forward only;
>         forwarders {
>                 10.73.2.100;
>                 10.73.2.102;
>                 10.73.2.101;
>         };
>
>         // Any host is permitted to issue recursive queries
>         allow-recursion { any; };
>
>         tkey-gssapi-keytab "/etc/named.keytab";
>         pid-file "/run/named/named.pid";
>         dnssec-enable yes;
>         dnssec-validation no;
>         bindkeys-file "/etc/named.iscdlv.key";
>         managed-keys-directory "/var/named/dynamic";
> };
>
> /* If you want to enable debugging, eg. using the 'rndc trace' command,
>  * By default, SELinux policy does not allow named to modify the /var/named directory,
>  * so put the default debug log file in data/ :
>  */
> logging {
>         channel default_debug {
>                 file "data/named.run";
>                 severity dynamic;
>                 print-time yes;
>         };
> };
>
> zone "." IN {
>         type hint;
>         file "named.ca";
> };
>
> include "/etc/named.rfc1912.zones";
>
> dyndb "ipa" "/usr/lib64/bind/ldap.so" {
>         uri "ldapi://%2fvar%2frun%2fslapd-FISICA-CABIB.socket";
>         base "cn=dns, dc=fisica,dc=cabib";
>         fake_mname "ipaserver.fisica.cabib.";
>         auth_method "sasl";
>         sasl_mech "GSSAPI";
>         sasl_user "DNS/ipaserver.fisica.cabib";
>         server_id "ipaserver.fisica.cabib";
> };
> include "/etc/named.root.key";
>
> key "rndc-key" {
>         algorithm hmac-md5;
>         secret "#########################";
> };
>
>
> Thank you for the configuration. It looks good.
>
> Another thing that might be incorrect is that the whoami plugin is not
> loaded. Please check whether you have the following line:
> dn: cn=whoami,cn=plugins,cn=config
>
> in the /etc/dirsrv/slapd-IPASERVER-FISICA-CABIB/dse.ldif
>
> If not, please add the following lines there (between double quotes and
> without them):
>
> "
> dn: cn=whoami,cn=plugins,cn=config
> cn: whoami
> nsslapd-plugin-depends-on-type: database
> nsslapd-pluginDescription: whoami extended operation plugin
> nsslapd-pluginEnabled: on
> nsslapd-pluginId: whoami-plugin
> nsslapd-pluginInitfunc: whoami_init
> nsslapd-pluginPath: libwhoami-plugin
> nsslapd-pluginType: extendedop
> nsslapd-pluginVendor: 389 Project
> nsslapd-pluginVersion: 1.3.5.18
> objectClass: top
> objectClass: nsSlapdPlugin
> objectClass: extensibleObject
> "
>
> and change the nsslapd-pluginVersion value to the same as other plugins
> have.
>
> Then you will probably need to restart ipa service or at least dirsrv.
>
> Did that help?
>
> Could you please tell us more about the upgrade? Especially from which
> version did you upgrade to 4.5 and which OS do you use? Which version of
> IPA did you have when you started using IPA?
>
>
> --
> Gustavo Berman
> Sysadmin - Gerencia de Física - Centro Atómico Bariloche - CNEA
>
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>
>
> --
> Pavel^3 Vomacka
>
>


-- 
Gustavo Berman
Sysadmin - Gerencia de Física - Centro Atómico Bariloche - CNEA
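
The dse.ldif check described in the quoted reply, as an added example that is not part of the original thread or of FreeIPA's tooling: it reports whether the cn=whoami plugin entry is present and enabled, and which nsslapd-pluginVersion the other plugin entries carry, so the whoami entry can be set to match. The function names and the sample entries (including the sample version value) are constructed for illustration.

```python
from collections import Counter

WHOAMI_DN = "cn=whoami,cn=plugins,cn=config"

def norm_dn(dn):  # lowercase, no spaces around commas
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_ldif(text):
    """Entries as dicts of lowercase attr -> values; unfolds continuation lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]          # LDIF folding: leading space continues a line
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
        elif not line.startswith("#") and ":" in line:
            attr, _, value = line.partition(":")   # base64 '::' values are not decoded
            cur.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def check_whoami(text):
    """Presence/enabled state of the whoami plugin and the version other plugins use."""
    plugins = [e for e in parse_ldif(text)
               if norm_dn(e.get("dn", [""])[0]).endswith(",cn=plugins,cn=config")]
    whoami = next((e for e in plugins if norm_dn(e["dn"][0]) == WHOAMI_DN), None)
    others = Counter(e["nsslapd-pluginversion"][0] for e in plugins
                     if e is not whoami and "nsslapd-pluginversion" in e)
    return {
        "present": whoami is not None,
        "enabled": bool(whoami) and whoami.get("nsslapd-pluginenabled", ["off"])[0].lower() == "on",
        "version": whoami.get("nsslapd-pluginversion", [None])[0] if whoami else None,
        "others_version": others.most_common(1)[0][0] if others else None,
    }

# Constructed sample: two plugin entries, whoami missing; the version value is made up.
SAMPLE = """dn: cn=ACL Plugin,cn=plugins,cn=config
nsslapd-pluginVersion: 1.3.6.1

dn: cn=7-bit check,cn=plugins,cn=config
nsslapd-pluginVersion: 1.3.6.1
"""
if __name__ == "__main__":
    print(check_whoami(SAMPLE))
```

To check a real instance, pass the contents of a copy of its dse.ldif to check_whoami(). 389 Directory Server rewrites dse.ldif on shutdown, so make any edit to the file with dirsrv stopped.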