Hi,

Just a wild guess, but was ipa installed with a umask more restrictive than 022?
You may also want to start ipa in debug mode in order to have more traces:
$ cat /etc/ipa/server.conf
[global]
debug=True

$ ipactl restart

HTH,
Flo

On 01/18/2018 08:42 AM, Alexandre Pitre via FreeIPA-users wrote:
SELinux is disabled in our CentOS template. Good hypothesis though.

On Jan 18, 2018 01:36, "Tony Brian Albers via FreeIPA-users" <freeipa-users@lists.fedorahosted.org> wrote:

    On 01/18/2018 02:24 AM, Alexandre Pitre via FreeIPA-users wrote:
     > Hi,
     >
     > I recently deployed a new FreeIPA domain running on CentOS 7.4 and
     > FreeIPA 4.5
     >
     > The installation went without hiccups but the WebUI isn't working as
     > expected. Logging in with admin failed with this error:
     >
     > Login failed due to an unknown reason.
     >
     > I've seen this issue with every FreeIPA 4.5 replica I've built. As you
     > may know this is a pretty common error with 4.5. I usually just chmod 444
     > /var/lib/ipa-client/pki/* as pointed out in
     > https://access.redhat.com/solutions/3178971 and the login starts
     > working again, but not this time with a brand new domain installation.
     >
     > Permissions are correct for the PEM
     > ll /var/lib/pki/*
     > -r--r--r-- 1 root root 4406 Jan  9 14:49 ca-bundle.pem
     > -r--r--r-- 1 root root 4406 Jan  9 14:49 kdc-ca-bundle.pem
     >
     > Here's the output of /var/log/httpd/error_log
     >
     > [Thu Jan 18 01:14:40.543272 2018] [suexec:notice] [pid 12537] AH01232:
     > suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
     > [Thu Jan 18 01:14:40.543348 2018] [:warn] [pid 12537]
     > NSSSessionCacheTimeout is deprecated. Ignoring.
     > [Thu Jan 18 01:14:40.766070 2018] [auth_digest:notice] [pid 12537]
     > AH01757: generating secret for digest authentication ...
     > [Thu Jan 18 01:14:40.766623 2018] [lbmethod_heartbeat:notice] [pid
     > 12537] AH02282: No slotmem from mod_heartmonitor
     > [Thu Jan 18 01:14:40.766640 2018] [:warn] [pid 12537]
     > NSSSessionCacheTimeout is deprecated. Ignoring.
     > [Thu Jan 18 01:14:40.843105 2018] [mpm_prefork:notice] [pid 12537]
     > AH00163: Apache/2.4.6 (CentOS) mod_auth_gssapi/1.5.1 mod_nss/1.0.14
     > NSS/3.28.4 mod_wsgi/3.4 Python/2.7.5 configured -- resuming normal
     > operations
     > [Thu Jan 18 01:14:40.843134 2018] [core:notice] [pid 12537] AH00094:
     > Command line: '/usr/sbin/httpd -D FOREGROUND'
     > [Thu Jan 18 01:14:48.465191 2018] [:error] [pid 12545] ipa: INFO: ***
     > PROCESS START ***
     > [Thu Jan 18 01:14:48.470206 2018] [:error] [pid 12546] ipa: INFO: ***
     > PROCESS START ***
     > [Thu Jan 18 01:15:14.020600 2018] [:error] [pid 12545] ipa: INFO: 401
     > Unauthorized: [Errno 13] Permission denied
     >
     > Output of /var/log/messages show weird errors:
     >
     > Jan 18 01:14:36 bo2-tnt-ipa-001 ipa-dnskeysyncd: ipa         : ERROR syncrepl_poll: LDAP error ({'desc': "Can't contact LDAP server"})
     > Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.102629780 +0000] - ERR - schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!
     > Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.115268733 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=groups,cn=compat,dc=ipa,dc=domain,dc=com does not exist
     > Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.116680963 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=computers,cn=compat,dc=ipa,dc=domain,dc=com does not exist
     > Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.117878580 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=ng,cn=compat,dc=ipa,dc=domain,dc=com does not exist
     > Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.119338367 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target ou=sudoers,dc=ipa,dc=domain,dc=com does not exist
     > Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.120503775 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=users,cn=compat,dc=ipa,dc=domain,dc=com does not exist
     > Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.122000132 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=com does not exist
     > Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.123149308 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=com does not exist
     > Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.124282277 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=com does not exist
     > Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.125837472 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=com does not exist
     > Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.126966928 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=com does not exist
     > Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.128085824 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=com does not exist
     > Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.129501796 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=com does not exist
     > Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.130686657 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=com does not exist
     > Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.132301267 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=com does not exist
     > Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.134575956 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=com does not exist
     > Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.135778559 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=com does not exist
     > Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.142405173 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=domain,dc=com does not exist
     > Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.143655721 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=domain,dc=com does not exist
     > Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.233078350 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
     > Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.238586332 +0000] - ERR - cos-plugin - cos_dn_defs_cb - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=ipa,dc=domain,dc=com--no CoS Templates found, which should be added before the CoS Definition.
     > Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.261575767 +0000] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
     > Jan 18 01:14:43 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:43.268319379 +0000] - ERR - schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=ipa,dc=domain,dc=com
     > Jan 18 01:14:43 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:43.272302862 +0000] - ERR - schema-compat-plugin - warning: no entries set up under cn=ng,cn=compat,dc=ipa,dc=domain,dc=com
     > Jan 18 01:14:43 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:43.279547839 +0000] - ERR - schema-compat-plugin - warning: no entries set up under cn=computers,cn=compat,dc=ipa,dc=domain,dc=com
     > Jan 18 01:14:43 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:43.285336505 +0000] - ERR - schema-compat-plugin - Finished plugin initialization.
     >
     > Any ideas why ?
     >
     > Thanks
     > Alexandre Pitre
     >
     >
     > _______________________________________________
     > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
     > To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
     >


    My first thought: Is SELinux giving you a hard time? Check
    /var/log/audit/audit.log

    Or try setting SELinux to permissive mode and restart the server. If
    everything then works, you can start figuring out what SELinux is doing
    and why.

    /tony

    --
    Tony Albers
    Systems administrator, IT-development
    Royal Danish Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
    Tel: +45 2566 2383 / +45 8946 2316



_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
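Flo's umask question, worked through as an added example (illustration code written for this page, not anything from the thread or from FreeIPA). It computes the mode a new file receives under a given umask, creates two files named like the bundles in the thread (ca-bundle.pem, kdc-ca-bundle.pem) in a throw-away directory under umask 077, shows a checker flag them, and then applies the chmod 0444 workaround from the Red Hat solution Alexandre cited. The temporary directory, the helper names and the demo output are assumptions of this example; the real directory on the thread's hosts is /var/lib/ipa-client/pki and the script never touches it.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA. Files written by an
# installer inherit the installer's umask, so a 077 umask leaves the CA bundles
# 0600 and the apache worker gets EACCES ("[Errno 13] Permission denied") when
# it opens them. Everything below runs in a temporary directory.

# Mode a newly created regular file receives under umask $1
# (the kernel applies 0666 & ~umask). Prints four octal digits, e.g. 0644.
mode_under_umask() {
    m=0$1
    printf '%04o\n' $(( 0666 & ~m ))
}

# Write the two bundle files the way an installer running under umask $1 would,
# into directory $2 (done in a subshell so the caller's umask is untouched).
simulate_install() {
    ( umask "$1" && : > "$2/ca-bundle.pem" && : > "$2/kdc-ca-bundle.pem" )
}

# List PEM files under $1 that lack the world-read bit, one per line. This is
# the check to run against the real directory before reaching for chmod.
find_unreadable_pems() {
    find "$1" -type f -name '*.pem' ! -perm -o=r | sort
}

count_unreadable_pems() {
    find_unreadable_pems "$1" | wc -l | tr -d ' '
}

# The workaround quoted in the thread: make the bundles world-readable. That is
# an appropriate mode here because these files hold CA certificates, not keys.
fix_pem_perms() {
    chmod 0444 "$1"/*.pem
}

demo() {
    d=$(mktemp -d)
    echo "umask 022 -> new files get $(mode_under_umask 022); umask 077 -> $(mode_under_umask 077)"
    simulate_install 077 "$d"
    echo "after install under umask 077: $(count_unreadable_pems "$d") unreadable PEM(s)"
    find_unreadable_pems "$d"
    fix_pem_perms "$d"
    echo "after chmod 0444: $(count_unreadable_pems "$d") unreadable PEM(s)"
    rm -rf "$d"
}

demo
```

Run the find_unreadable_pems check against the real directory first; if it lists the bundles right after installation, the restrictive-umask theory holds and the fix is the installer's environment, not just a one-off chmod on each replica.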

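Tony's suggestion to read /var/log/audit/audit.log before switching SELinux to permissive, as an added example (not from the thread): an awk filter that pulls AVC denials for a given SELinux source domain out of audit records and prints the denied permission, object class, target and target context. The AUDIT_SAMPLE records are constructed for the demo and the function names are this example's own; only the audit record layout is the real one.

```shell
#!/bin/sh
# Added example, not from the thread. Filters AVC denials for one source domain
# (default httpd_t) out of audit records so you can see whether SELinux is in
# the way before disabling it. AUDIT_SAMPLE is made up for the demo.

AUDIT_SAMPLE='type=AVC msg=audit(1516237480.123:401): avc:  denied  { read } for  pid=12545 comm="httpd" name="ca-bundle.pem" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1516237480.123:401): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1516237481.456:402): avc:  denied  { name_connect } for  pid=12546 comm="httpd" dest=389 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1516237482.789:403): avc:  denied  { read } for  pid=777 comm="sshd" name="shadow" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0'

# Read audit records on stdin; print one line per AVC denial whose source
# domain is $1: "<permission> <class> <target> <target context>".
avc_denials_for_domain() {
    dom=${1:-httpd_t}
    awk -v dom="$dom" '
        $1 == "type=AVC" && index($0, "denied") && $0 ~ ("scontext=[^ ]*:" dom ":") {
            # permission sits between "{ " and " }"
            p = index($0, "{ "); q = index($0, " }")
            perm = substr($0, p + 2, q - p - 2)
            tclass = "?"; tctx = "?"; target = "-"
            for (i = 1; i <= NF; i++) {
                if (index($i, "tclass=") == 1)        tclass = substr($i, 8)
                else if (index($i, "tcontext=") == 1) tctx = substr($i, 10)
                else if (index($i, "name=") == 1 || index($i, "dest=") == 1 || index($i, "path=") == 1) {
                    target = substr($i, index($i, "=") + 1); gsub(/"/, "", target)
                }
            }
            print perm, tclass, target, tctx
        }'
}

# Wrappers over the embedded sample (on a real host: avc_denials_for_domain < /var/log/audit/audit.log).
sample_denials() { printf '%s\n' "$AUDIT_SAMPLE" | avc_denials_for_domain "$1"; }
count_sample_denials() { sample_denials "$1" | wc -l | tr -d ' '; }

echo "httpd_t denials:"; sample_denials httpd_t
echo "sshd_t denials:";  sample_denials sshd_t
```

If the filter shows nothing for httpd_t while the login still fails, SELinux is not the cause and flipping it to permissive will not help; if it does show denials, the usual fix is a relabel or a boolean for the specific object, not disabling enforcement.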