Alexandre Pitre wrote:
> chmod 644 /etc/ipa/ca.crt
> chmod 660 /var/run/ipa/ccaches/admin\@IPA.DOMAIN.COM <http://IPA.DOMAIN.COM>
> 
> Fixed the issue.
> 
> The installation was done with a 027 umask. Should I be worried that
> something else may have incorrect permissions ?

Not entirely sure. We are tracking the issue in
https://pagure.io/freeipa/issue/7193

rob

> 
> Thanks for your help everyone
> Alex
> 
> On Thu, Jan 18, 2018 at 11:22 AM, Rob Crittenden <rcrit...@redhat.com
> <mailto:rcrit...@redhat.com>> wrote:
> 
>     Alexandre Pitre via FreeIPA-users wrote:
>     > Hi,
>     >
>     > I recently deployed a new FreeIPA domain running on CentOS 7.4 and
>     > FreeIPA 4.5
>     >
>     > The installation went without hiccups but the WebUI isn't working as
>     > expected. Logging in with admin failed with this error:
>     >
>     > Login failed due to an unknow reason.
>     >
>     > I've seen this issue with every FreeIPA 4.5 replica I've built. As you
>     > may know this is pretty common error with 4.5. I usually just
>     chmod 444
>     > /var/lib/ipa-client/pki/* as pointed out
>     > in https://access.redhat.com/solutions/3178971
>     <https://access.redhat.com/solutions/3178971> and the logging start
>     > working again but not this time with a brand new domain installation.
>     >
>     > Permissions are correct for the PEM
>     > ll /var/lib/pki/*
>     > -r--r--r-- 1 root root 4406 Jan  9 14:49 ca-bundle.pem
>     > -r--r--r-- 1 root root 4406 Jan  9 14:49 kdc-ca-bundle.pem
>     >
>     > Here's the output of /var/log/httpd/error_log
>     >
>     > [Thu Jan 18 01:14:40.543272 2018] [suexec:notice] [pid 12537] AH01232:
>     > suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
>     > [Thu Jan 18 01:14:40.543348 2018] [:warn] [pid 12537]
>     > NSSSessionCacheTimeout is deprecated. Ignoring.
>     > [Thu Jan 18 01:14:40.766070 2018] [auth_digest:notice] [pid 12537]
>     > AH01757: generating secret for digest authentication ...
>     > [Thu Jan 18 01:14:40.766623 2018] [lbmethod_heartbeat:notice] [pid
>     > 12537] AH02282: No slotmem from mod_heartmonitor
>     > [Thu Jan 18 01:14:40.766640 2018] [:warn] [pid 12537]
>     > NSSSessionCacheTimeout is deprecated. Ignoring.
>     > [Thu Jan 18 01:14:40.843105 2018] [mpm_prefork:notice] [pid 12537]
>     > AH00163: Apache/2.4.6 (CentOS) mod_auth_gssapi/1.5.1 mod_nss/1.0.14
>     > NSS/3.28.4 mod_wsgi/3.4 Python/2.7.5 configured -- resuming normal
>     > operations
>     > [Thu Jan 18 01:14:40.843134 2018] [core:notice] [pid 12537] AH00094:
>     > Command line: '/usr/sbin/httpd -D FOREGROUND'
>     > [Thu Jan 18 01:14:48.465191 2018] [:error] [pid 12545] ipa: INFO: ***
>     > PROCESS START ***
>     > [Thu Jan 18 01:14:48.470206 2018] [:error] [pid 12546] ipa: INFO: ***
>     > PROCESS START ***
>     > [Thu Jan 18 01:15:14.020600 2018] [:error] [pid 12545] ipa: INFO: 401
>     > Unauthorized: [Errno 13] Permission denied
> 
>     Check the perms on /etc/ipa/ca.crt as well.
> 
>     Did you have custom umask set when installing the server?
>     > Output of /var/log/messages show weird errors
> 
>     These are all generally "normal".
> 
>     rob
> 
> 
> 
> 
> -- 
> Alexandre Pitre
> alexandre.pi...@gmail.com <mailto:alexandre.pi...@gmail.com>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to