Morning all

I have set up the domain trust and have errors when trying to map groups from AD to IPA.

Environment is IPA 3.0 on RHEL 6.4 and Windows 2012.

When adding groups, I get the following.

[root@ds01 ~]# ipa group-add --desc='Active Directory Domain Admins external map' domain_admins_map --external
[root@ds01 ~]# ipa group-add-member domain_admins_map --external 'NT\Domain Admins'
[member user]:
[member group]:
ipa: ERROR: cannot connect to u'https://ds01.example.com/ipa/session/xml': Internal Server Error
[root@ds01 ~]#

When the above error occurs I see the following in /var/log/httpd/error_log:

==> /var/log/httpd/error_log <==
[Fri Mar 15 09:35:15 2013] [error] ipa: ERROR: release_ipa_ccache: ccache_name (FILE:/var/run/ipa_memcached/krbcc_5374) != KRB5CCNAME environment variable (/var/run/ipa_memcached/krbcc_TDN)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] mod_wsgi (pid=5374): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] Traceback (most recent call last):
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File "/usr/share/ipa/wsgi.py", line 49, in application
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] return api.Backend.wsgi_dispatch(environ, start_response)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 248, in __call__
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] return self.route(environ, start_response)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 260, in route
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] return app(environ, start_response)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 1193, in __call__
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] response = super(xmlserver_session, self).__call__(environ, start_response)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 709, in __call__
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] response = super(xmlserver, self).__call__(environ, start_response)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 375, in __call__
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] response = self.wsgi_execute(environ)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 334, in wsgi_execute
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] result = self.Command[name](*args, **options)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 435, in __call__
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] ret = self.run(*args, **options)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 747, in run
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] return self.execute(*args, **options)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File "/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py", line 1590, in execute
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] **options)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File "/usr/lib/python2.6/site-packages/ipalib/plugins/group.py", line 387, in post_callback
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] actual_sid = domain_validator.get_sid_trusted_domain_object(sid)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File "/usr/lib/python2.6/site-packages/ipaserver/dcerpc.py", line 212, in get_sid_trusted_domain_object
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] entry = self.resolve_against_gc(domain, components['name'])
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File "/usr/lib/python2.6/site-packages/ipaserver/dcerpc.py", line 285, in resolve_against_gc
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] entry = self.__resolve_against_gc(info, host, port, name)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File "/usr/lib/python2.6/site-packages/ipaserver/dcerpc.py", line 315, in __resolve_against_gc
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] conn.sasl_interactive_bind_s(None, sasl_auth)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 566, in sasl_interactive_bind_s
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] return self.conn.sasl_interactive_bind_s(who, auth, serverctrls, clientctrls, sasl_flags)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 227, in sasl_interactive_bind_s
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,EncodeControlTuples(serverctrls),EncodeControlTuples(clientctrls),sasl_flags)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 96, in _ldap_call
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] result = func(*args,**kwargs)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] LOCAL_ERROR: {'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server ldap/[email protected] not found in Kerberos database)', 'desc': 'Local error'}

Just to clarify, iptables has been flushed and selinux is currently permissive. Running latest patches from RHN as of 2013/03/14.

Any thoughts?

Dale
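
An added triage example, not part of the original message and not FreeIPA code: it collapses an Apache/mod_wsgi traceback like the one above into the client, the innermost frame, the exception type, and the service principal the KDC could not find. The log excerpt is constructed in the post's format; the host `dc01.ad.example.test` and realm `AD.EXAMPLE.TEST` are placeholders, and the function name `summarize` is hypothetical.

```python
import re

# Apache 2.2 error_log prefix: [timestamp] [level] and an optional [client ip].
PREFIX = re.compile(r'^\[[^\]]+\] \[\w+\] (?:\[client (?P<client>[^\]]+)\] )?')
FRAME = re.compile(r'File "(?P<path>[^"]+)", line (?P<line>\d+), in (?P<func>\S+)')
EXC = re.compile(r'^(?P<type>[A-Za-z_][\w.]*): (?P<detail>.*)$')
# Wording the GSSAPI error in the post uses for a service the KDC cannot find.
MISSING = re.compile(r'Server (?P<spn>\S+) not found in Kerberos database')

# Constructed sample; the principal below is a placeholder, not from the post.
SAMPLE = '''\
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] mod_wsgi (pid=5374): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] Traceback (most recent call last):
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]   File "/usr/lib/python2.6/site-packages/ipaserver/dcerpc.py", line 315, in __resolve_against_gc
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]     conn.sasl_interactive_bind_s(None, sasl_auth)
[Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] LOCAL_ERROR: {'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server ldap/dc01.ad.example.test@AD.EXAMPLE.TEST not found in Kerberos database)', 'desc': 'Local error'}
'''


def summarize(log_text):
    """Return one dict per mod_wsgi exception found in an error_log excerpt."""
    incidents, cur = [], None
    for raw in log_text.splitlines():
        m = PREFIX.match(raw)
        if not m:
            continue
        body = raw[m.end():].strip()  # indentation may be lost in pasted logs
        if body.startswith('mod_wsgi') and 'Exception occurred' in body:
            cur = {'client': m.group('client'), 'frame': None,
                   'error': None, 'missing_spn': None}
            incidents.append(cur)
            continue
        if cur is None:
            continue  # line is outside any traceback
        frame, exc = FRAME.search(body), EXC.match(body)
        if body.startswith('File ') and frame:
            # Keep overwriting: the last frame is where the exception was raised.
            cur['frame'] = '%s:%s in %s' % frame.group('path', 'line', 'func')
        elif exc:
            cur['error'] = exc.group('type')
            spn = MISSING.search(exc.group('detail'))
            cur['missing_spn'] = spn.group('spn') if spn else None
            cur = None  # the exception line ends the traceback
    return incidents


if __name__ == '__main__':
    for item in summarize(SAMPLE):
        print(item)
```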
