-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 08/04/2014 06:36 AM, Ade Lee wrote:
>> 
>> Well here is probably the pertinent part of the debug log,
>> though there is a lot more when the clone is setting up: 
>> [31/Jul/2014:13:23:53][TP-Processor3]: AuthMgrName:
>> certUserDBAuthMgr [31/Jul/2014:13:23:53][TP-Processor3]:
>> CMSServlet: retrieving SSL certificate 
>> [31/Jul/2014:13:23:53][TP-Processor3]: CMSServlet: certUID=CN=CA 
>> Subsystem,O=example.COM [31/Jul/2014:13:23:53][TP-Processor3]:
>> CertUserDBAuth: started [31/Jul/2014:13:23:53][TP-Processor3]:
>> CertUserDBAuth: Retrieving client certificate 
>> [31/Jul/2014:13:23:53][TP-Processor3]: CertUserDBAuth: Got
>> client certificate [31/Jul/2014:13:23:53][TP-Processor3]: In
>> LdapBoundConnFactory::getConn() 
>> [31/Jul/2014:13:23:53][TP-Processor3]: masterConn is connected:
>> true [31/Jul/2014:13:23:53][TP-Processor3]: getConn: conn is
>> connected true [31/Jul/2014:13:23:53][TP-Processor3]: getConn:
>> mNumConns now 2 [31/Jul/2014:13:23:53][TP-Processor3]:
>> returnConn: mNumConns now 3 
>> [31/Jul/2014:13:23:53][TP-Processor3]: Authentication: client 
>> certificate found [31/Jul/2014:13:23:53][TP-Processor3]: In
>> LdapBoundConnFactory::getConn() 
>> [31/Jul/2014:13:23:53][TP-Processor3]: masterConn is connected:
>> true [31/Jul/2014:13:23:53][TP-Processor3]: getConn: conn is
>> connected true [31/Jul/2014:13:23:53][TP-Processor3]: getConn:
>> mNumConns now 2 [31/Jul/2014:13:23:53][TP-Processor3]:
>> returnConn: mNumConns now 3 
>> [31/Jul/2014:13:23:53][TP-Processor3]: SignedAuditEventFactory: 
>> create() 
>> message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=CA
>>
>> 
Subsystem,O=example.COM] authentication failure
>> 
>> [31/Jul/2014:13:23:53][TP-Processor3]: CMSServlet: curDate=Thu
>> Jul 31 13:23:53 GMT 2014 id=caUpdateDomainXML time=11
>> 
> Lets focus on the above error.  This says that the master was
> unable to map the certificate that was presented to a user under
> ou=users, o=ipaca.
> 
> I would look at the database (for the master) and see what users
> are defined.  Check which users have the subsystem certificate
> defined as their certificate, and check the description attribute.
> That attribute should contain a string that includes the
> certificate serial number, subject DN and issuer, delimited by
> semicolons.  Check that string and confirm that the certificate for
> that user matches the description delimiter, and that the subsystem
> certificate is the same as the subsystem certificate in the replica
> certdb.
> 
> It would also be useful to see what the DS access logs say at the
> time this authentication failure occurs.
> 
> Ade
>> 
>> -Erinn
>> 
> 
> 

Well unfortunately, after restarting the IPA services on the RHEL 6.5
system I no longer receive this error at all. Using ipa-ca-install
fails in the steps before this error was received.

ipa         : DEBUG    Starting external process
ipa         : DEBUG    args=/usr/sbin/pkispawn -s CA -f /tmp/tmpvByIvk
ipa         : DEBUG    Process finished, return code=1
ipa         : DEBUG    stdout=Loading deployment configuration from
/tmp/tmpvByIvk.
ERROR:  Unable to access directory server: Server is unwilling to perform

ipa         : DEBUG    stderr=
ipa         : CRITICAL failed to configure ca instance Command
'/usr/sbin/pkispawn -s CA -f /tmp/tmpvByIvk' returned non-zero exit
status 1
ipa         : DEBUG      File
"/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
line 638, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-ca-install", line 179, in main
    CA = cainstance.install_replica_ca(config, postinstall=True)

  File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
line 1678, in install_replica_ca
    subject_base=config.subject_base)

  File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
line 478, in configure_instance
    self.start_creation(runtime=210)

  File
"/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
364, in start_creation
    method()

  File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
line 604, in __spawn_instance
    raise RuntimeError('Configuration of CA failed')

ipa         : DEBUG    The ipa-ca-install command failed, exception:
RuntimeError: Configuration of CA failed

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Configuration of CA failed

And the access log from /var/log/dirsrv/slapd-PKI-CA/access on the
RHEL 6.5 master only shows this:

[04/Aug/2014:14:16:25 +0000] conn=211 fd=74 slot=74 connection from
2001:4870:800e:301:862b:2bff:fe67:704d to
2001:4870:800e:301:f24d:a2ff:fe09:ae0
[04/Aug/2014:14:16:25 +0000] conn=211 op=0 EXT
oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[04/Aug/2014:14:16:25 +0000] conn=211 op=0 RESULT err=0 tag=120
nentries=0 etime=0
[04/Aug/2014:14:16:25 +0000] conn=211 SSL 128-bit AES
[04/Aug/2014:14:16:25 +0000] conn=211 op=1 BIND dn="cn=Directory
Manager" method=128 version=3
[04/Aug/2014:14:16:25 +0000] conn=211 op=1 RESULT err=0 tag=97
nentries=0 etime=0 dn="cn=directory manager"
[04/Aug/2014:14:16:25 +0000] conn=211 op=2 SRCH base="cn=schema"
scope=0 filter="(objectClass=*)" attrs="attributeTypes objectClasses"
[04/Aug/2014:14:16:25 +0000] conn=211 op=2 RESULT err=0 tag=101
nentries=1 etime=0
[04/Aug/2014:14:16:26 +0000] conn=211 op=3 UNBIND
[04/Aug/2014:14:16:26 +0000] conn=211 op=3 fd=74 closed - U1


However, did you mean ou=People instead of ou=Users? Because I have a
People OU with admin and ipara objects, but no Users OU.

Thanks,
- -Erinn


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJT35tgAAoJEFg7BmJL2iPOyNoIAIdkgTl8VILwQgfXgFNPN2jz
T1jwdicLc/p08ZwacKufJ0IJVf4pko0UZrYE+ZaFEVGSuIPTzQc8oeGZoB3hKBTn
WG5MchmU3ahlzoawh5gnU6VEFPVjcs5ev7nScU/yFl2WFXDrMACD3D21CSfUCBvF
dCB7iz99xXGWqdQOf8lQPsd2/rHma0Vt6NYEN8pUyhaY7+KTapMLYMqkE/rFsV6A
L815c+j0YdadB7DUpjXP855we9Fq6NWNUnTSabvq5D02uwdIeUNtWqq8Zbhps3Gv
CY9HZhgKqAG4EOwhYJ9cmVFV40tbRS3gxgOs5gej0HHn6xUd2ySSJqczIFl8myA=
=OjGC
-----END PGP SIGNATURE-----

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to