-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Morning all

I have setup the domain trust set up and have errors when trying to map
groups from AD to IPA

Environment is IPA 3.0 on RHEL 6.4 and Windows 2012

When adding groups, I get the following.

[root@ds01 ~]# ipa group-add --desc='Active Directory Domain Admins
external map' domain_admins_map --external
[root@ds01 ~]# ipa group-add-member domain_admins_map --external
'NT\Domain Admins'
[member user]:
[member group]:
ipa: ERROR: cannot connect to
u'https://ds01.example.com/ipa/session/xml': Internal Server Error
[root@ds01 ~]#

When the above error occurs I see the following in /var/log/httpd/error_log

==> /var/log/httpd/error_log <==
[Fri Mar 15 09:35:15 2013] [error] ipa: ERROR: release_ipa_ccache:
ccache_name (FILE:/var/run/ipa_memcached/krbcc_5374) != KRB5CCNAME
environment variable (/var/run/ipa_memcached/krbcc_TDN)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] mod_wsgi
(pid=5374): Exception occurred processing WSGI script
'/usr/share/ipa/wsgi.py'.
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] Traceback (most
recent call last):
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File
"/usr/share/ipa/wsgi.py", line 49, in application
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]     return
api.Backend.wsgi_dispatch(environ, start_response)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File
"/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 248, in
__call__
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]     return
self.route(environ, start_response)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File
"/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 260, in
route
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]     return
app(environ, start_response)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File
"/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 1193, in
__call__
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]     response =
super(xmlserver_session, self).__call__(environ, start_response)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File
"/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 709, in
__call__
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]     response =
super(xmlserver, self).__call__(environ, start_response)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File
"/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 375, in
__call__
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]     response =
self.wsgi_execute(environ)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File
"/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 334, in
wsgi_execute
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]     result =
self.Command[name](*args, **options)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File
"/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 435, in __call__
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]     ret =
self.run(*args, **options)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File
"/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 747, in run
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]     return
self.execute(*args, **options)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File
"/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py", line
1590, in execute
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]     **options)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File
"/usr/lib/python2.6/site-packages/ipalib/plugins/group.py", line 387, in
post_callback
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]     actual_sid =
domain_validator.get_sid_trusted_domain_object(sid)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File
"/usr/lib/python2.6/site-packages/ipaserver/dcerpc.py", line 212, in
get_sid_trusted_domain_object
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]     entry =
self.resolve_against_gc(domain, components['name'])
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File
"/usr/lib/python2.6/site-packages/ipaserver/dcerpc.py", line 285, in
resolve_against_gc
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]     entry =
self.__resolve_against_gc(info, host, port, name)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File
"/usr/lib/python2.6/site-packages/ipaserver/dcerpc.py", line 315, in
__resolve_against_gc
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]    
conn.sasl_interactive_bind_s(None, sasl_auth)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File
"/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 566,
in sasl_interactive_bind_s
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]     return
self.conn.sasl_interactive_bind_s(who, auth, serverctrls, clientctrls,
sasl_flags)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File
"/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 227, in
sasl_interactive_bind_s
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]     return
self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,EncodeControlTuples(serverctrls),EncodeControlTuples(clientctrls),sasl_flags)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File
"/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 96, in
_ldap_call
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]     result =
func(*args,**kwargs)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] LOCAL_ERROR:
{'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
failure.  Minor code may provide more information (Server
ldap/dc01.nt.example....@example.com not found in Kerberos database)',
'desc': 'Local error'}


Just to clarify, iptables has been flushed and selinux is currently
permissive. Running latest patches from RHN as of 2013/03/14

Any thoughts?

Dale

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBAgAGBQJRQuv6AAoJEAJsWS61tB+qlhQP/RK9S18bpd8TnfMtxQVk1IqY
JIj5Zfj5h3XFHiMFX2YWQW/Sl4lJogQ1q53ZF39DkCGBmm3B3c1Bj1SMM57ZjDqJ
mW4quxr84m4hpPPd3CMPWeepJw9iLIWjrNd6Ux1CK32Otv+mHuH0MYtWSAUz+F/+
55h7weYKp9AdN+2kLxTlxCWlV9jSYef1yzyjw2Lr/aMihkr9z0zsyGFolDxf9H6v
Srl9xgsZCk449UDSoJWRWb2j05dW6+ON/OURbfWgYb3qvSCrIe2feO9PRJS3sZTZ
QFB563P1b5EOnHIQ6sNCNpLZ8i2nhelFxtu/Q4UL/xpSvzG5oJElTmsmDKlAIEht
aYiKYfarncyHnqRhzBIGilkPKPZ8KhMNW1UElbc3rNtN4OmkAVCRM6XtSufvENH1
+niQJJTlcyYwXOi8kuFjutFYdQQ+c2+/NpeT7eFgs1wKra6U9PK9rCBJUpFa4Ki/
aQbSHcpJqtF22eI3qOnkvRvEdUlCiYhDSRWxVzoBJUf/PC4Oc7wpj2nj9sYbIn6M
fAu5PcETw2khMkzKOZyiUAVxz+OJPJWZrm6Z9YZ7yHGeLeYTyhhMZjcyp6tX8U1R
Y7LNCW4Waxich3v0F5Vu2s6UgWdKv/RPVfK+CQo5CBA7JEeHYJsIFBQQ+INEssun
SbTm28MR28tcjyuK/gIj
=qy05
-----END PGP SIGNATURE-----

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to