Hi,

In my home environment I'm using a two-server FreeIPA configuration on Fedora. Initially installed on Fedora 19 in November 2013, it has been upgraded with every Fedora release. It generally works OK, but somewhat degrades during operation. Recently I've jumped to F24 in the hope that my problems would be resolved, but they weren't. Thus this email and plea for assistance.

In the meantime there was a problem with expired certificates, but it was solved with the help of rcrit on IRC.

I'm using freeipa-server-4.3.1-1.fc24.x86_64. One of the servers is called kaitain.pipebreaker.pl, the other okda.pipebreaker.pl.

Currently I encounter the following main problems:

1) named is not servicing all the records from LDAP
2) can't login to WebUI on kaitain.pipebreaker.pl
3) can't login to WebUI on okda.pipebreaker.pl
4) pycparser.lextab/lextab.py/yacctab.py permission errors

More details:

-----
ad 1) named problems

Recently I've added a new AAAA host entry to my zone (.pipebreaker.pl). It is visible in the CLI, but named doesn't resolve it:

$ ipa dnsrecord-find pipebreaker.pl microstation
Record name: microstation
AAAA record: 2001:6a0:200:d1::2
----------------------------
Number of entries returned 1
----------------------------

$ host microstation ; host microstation.pipebreaker.pl
Host microstation not found: 3(NXDOMAIN)
Host microstation.pipebreaker.pl not found: 3(NXDOMAIN)

Entries added previously resolve fine. I see no errors reported in named-pkcs11.service logs.

-----
ad 2) can't login to webui at kaitain

When I open the WebUI while having a valid ticket, I'm shown my user page, i.e. https://kaitain.pipebreaker.pl/ipa/ui/#/e/user/details/zdzichu is opened. But when I log out from the WebUI and try to log in as admin, I receive:

The password or username you entered is incorrect.

The password is certainly correct, I can use it for 'kinit admin' successfully.

/var/log/httpd/error_log contains:

[Fri May 27 14:17:37.104341 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28] mod_wsgi (pid=1882): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Fri May 27 14:17:37.106932 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28] Traceback (most recent call last):
[Fri May 27 14:17:37.106985 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28] File "/usr/share/ipa/wsgi.py", line 63, in application
[Fri May 27 14:17:37.107436 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28] return api.Backend.wsgi_dispatch(environ, start_response)
[Fri May 27 14:17:37.107461 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 261, in __call__
[Fri May 27 14:17:37.107769 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28] return self.route(environ, start_response)
[Fri May 27 14:17:37.107786 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 273, in route
[Fri May 27 14:17:37.107808 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28] return app(environ, start_response)
[Fri May 27 14:17:37.107829 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 943, in __call__
[Fri May 27 14:17:37.107848 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28] self.kinit(user, self.api.env.realm, password, ipa_ccache_name)
[Fri May 27 14:17:37.107887 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 965, in kinit
[Fri May 27 14:17:37.107918 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28] raise CCacheError(message=unicode(e))
[Fri May 27 14:17:37.136615 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28] CCacheError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639107): No credentials cache found

What cache is it talking about? How can I refresh it?

-----
ad 3) cannot login to webui on okda

When I go to https://okda.pipebreaker.pl/ipa/ui/ (the other server), I see a "Loading…" screen for a couple of seconds, and afterwards a "Gateway timeout" message. Everything seems to be running on this server:

root@okda ~$ ipactl status
WARNING: yacc table file version is out of date
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

There are no logs generated in httpd's error_log during login. There are some problems in the system log:

May 27 14:25:48 okda.pipebreaker.pl server[2364]: May 27, 2016 2:25:48 PM org.apache.catalina.core.ContainerBase backgroundProcess
May 27 14:25:48 okda.pipebreaker.pl server[2364]: WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@5ad7c518 background process
May 27 14:25:48 okda.pipebreaker.pl server[2364]: java.lang.NullPointerException
May 27 14:25:48 okda.pipebreaker.pl server[2364]: at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:109)
May 27 14:25:48 okda.pipebreaker.pl server[2364]: at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1127)
May 27 14:25:48 okda.pipebreaker.pl server[2364]: at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5642)
May 27 14:25:48 okda.pipebreaker.pl server[2364]: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1377)
May 27 14:25:48 okda.pipebreaker.pl server[2364]: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1381)
May 27 14:25:48 okda.pipebreaker.pl server[2364]: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1381)
May 27 14:25:48 okda.pipebreaker.pl server[2364]: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1349)
May 27 14:25:48 okda.pipebreaker.pl server[2364]: at java.lang.Thread.run(Thread.java:745)

As you can see, those logs do not contain any clue as to what is wrong.

-----
ad 4) pycparser.lextab/lextab.py/yacctab.py permission errors

I observe the following errors in dnskeysyncd logs:

May 27 14:08:29 kaitain.pipebreaker.pl ipa-dnskeysyncd[22469]: WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13] Permission denied: 'lextab.py'
May 27 14:08:29 kaitain.pipebreaker.pl ipa-dnskeysyncd[22469]: WARNING: yacc table file version is out of date
May 27 14:08:29 kaitain.pipebreaker.pl ipa-dnskeysyncd[22469]: WARNING: Couldn't create 'pycparser.yacctab'. [Errno 13] Permission denied: 'yacctab.py'

Also a (related?) error during 'ipactl' invocations:

$ ipactl status
WARNING: yacc table file version is out of date
…

Warnings appear even after switching SELinux to permissive.

Please help me with resolving those problems. What logs should I provide? I see no similar issues described at http://www.freeipa.org/page/Troubleshooting

-- 
Tomasz Torcz                 ,,If you try to upissue this patchset I shall be seeking
xmpp: zdzich...@chrome.pl     an IP-routable hand grenade.'' -- Andrew Morton (LKML)
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project