On 27.5.2016 14:28, Tomasz Torcz wrote:
> Hi,
> 
>   In my home environment I'm using two-server FreeIPA configuration on Fedora.
> Initially installed on fedora 19 in November 2013, it have been upgraded every
> Fedora release. It generally works OK, but somewhat degrades during operation.
> Recently I've jumped to F24 in hope my problems will be resolved, but they 
> weren't.
> Thus this email and plea for assistance.
> 
>   In the meantime there was a problem with expired certificates, but it solved
> with the help of rcrit on IRC.
> 
>   I'm using freeipa-server-4.3.1-1.fc24.x86_64. One of the servers is called
> kaitain.pipebreaker.pl, the other okda.pipebreaker.pl.
> 
>   Currently I encounter following main problems:
> 1) named is not servicing all the records from LDAP
> 2) can't login to WebUI on kaitain.pipebreaker.pl
> 3) can't login to WebUI on okda.pipebreaker.pl
> 4) pycparser.lextab/lextab.py/yacctab.py permission errors
> 
>   More details:
> -----
> ad 1) named problems
>   Recently I've added new AAAA host entry to my zone (.pipebreaker.pl). It is
>  visible in CLI, but named doesn't resolve it:
> 
> $ ipa dnsrecord-find pipebreaker.pl microstation 
>   Record name: microstation
>   AAAA record: 2001:6a0:200:d1::2
> ----------------------------
> Number of entries returned 1
> ----------------------------
> 
> $ host microstation ; host microstation.pipebreaker.pl
> Host microstation not found: 3(NXDOMAIN)
> Host microstation.pipebreaker.pl not found: 3(NXDOMAIN)
> 
>   Entries added previously resolve fine.  I see no errors reported
>  in named-pkcs11.service logs.
>   
> -----
> 
> ad 2) can't login to webui at kaitain
>   When I open a WebUI while having valid ticket, I'm shown my user page,
> i.e. https://kaitain.pipebreaker.pl/ipa/ui/#/e/user/details/zdzichu is opened.
>   But when I logout from WebUI and try to login as admin, I receive:
>  
>  The password or username you entered is incorrect.
>   
>   The password is certainly correct, I can use it for 'kinit admin' 
> successfully. 
>  /var/log/httpd/error log contains:
> 
> [Fri May 27 14:17:37.104341 2016] [wsgi:error] [pid 1882] [remote 
> 2001:470:71:68d:216:eaff:fec2:68b4:28] mod_wsgi (pid=1882): Exception 
> occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
> [Fri May 27 14:17:37.106932 2016] [wsgi:error] [pid 1882] [remote 
> 2001:470:71:68d:216:eaff:fec2:68b4:28] Traceback (most recent call last):
> [Fri May 27 14:17:37.106985 2016] [wsgi:error] [pid 1882] [remote 
> 2001:470:71:68d:216:eaff:fec2:68b4:28]   File "/usr/share/ipa/wsgi.py", line 
> 63, in application
> [Fri May 27 14:17:37.107436 2016] [wsgi:error] [pid 1882] [remote 
> 2001:470:71:68d:216:eaff:fec2:68b4:28]     return 
> api.Backend.wsgi_dispatch(environ, start_response)
> [Fri May 27 14:17:37.107461 2016] [wsgi:error] [pid 1882] [remote 
> 2001:470:71:68d:216:eaff:fec2:68b4:28]   File 
> "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 261, in 
> __call__
> [Fri May 27 14:17:37.107769 2016] [wsgi:error] [pid 1882] [remote 
> 2001:470:71:68d:216:eaff:fec2:68b4:28]     return self.route(environ, 
> start_response)
> [Fri May 27 14:17:37.107786 2016] [wsgi:error] [pid 1882] [remote 
> 2001:470:71:68d:216:eaff:fec2:68b4:28]   File 
> "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 273, in route
> [Fri May 27 14:17:37.107808 2016] [wsgi:error] [pid 1882] [remote 
> 2001:470:71:68d:216:eaff:fec2:68b4:28]     return app(environ, start_response)
> [Fri May 27 14:17:37.107829 2016] [wsgi:error] [pid 1882] [remote 
> 2001:470:71:68d:216:eaff:fec2:68b4:28]   File 
> "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 943, in 
> __call__
> [Fri May 27 14:17:37.107848 2016] [wsgi:error] [pid 1882] [remote 
> 2001:470:71:68d:216:eaff:fec2:68b4:28]     self.kinit(user, 
> self.api.env.realm, password, ipa_ccache_name)
> [Fri May 27 14:17:37.107887 2016] [wsgi:error] [pid 1882] [remote 
> 2001:470:71:68d:216:eaff:fec2:68b4:28]   File 
> "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 965, in kinit
> [Fri May 27 14:17:37.107918 2016] [wsgi:error] [pid 1882] [remote 
> 2001:470:71:68d:216:eaff:fec2:68b4:28]     raise 
> CCacheError(message=unicode(e))
> [Fri May 27 14:17:37.136615 2016] [wsgi:error] [pid 1882] [remote 
> 2001:470:71:68d:216:eaff:fec2:68b4:28] CCacheError: Major (851968): 
> Unspecified GSS failure.  Minor code may provide more information, Minor 
> (2529639107): No credentials cache found
> 
>   What cache is it talking about?  How can I refresh it?
> 
> -----
> 
> 
> ad 3) cannot login to webui on okda
>    
>   When I go to https://okda.pipebreaker.pl/ipa/ui/ (the other server), I see 
> "Loading…" screen
>  for couple of seconds, and afterwards "Gateway timeout" message. Everything
>  seems to be running on this server:
> 
> root@okda ~$ ipactl status
> WARNING: yacc table file version is out of date
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> named Service: RUNNING
> ipa_memcached Service: RUNNING
> httpd Service: RUNNING
> ipa-custodia Service: RUNNING
> pki-tomcatd Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa-dnskeysyncd Service: RUNNING
> ipa: INFO: The ipactl command was successful
> 
>  There are no logs generated in httpd's error_log during login.
>  There are some problems in system log:
> May 27 14:25:48 okda.pipebreaker.pl server[2364]: May 27, 2016 2:25:48 PM 
> org.apache.catalina.core.ContainerBase backgroundProcess
> May 27 14:25:48 okda.pipebreaker.pl server[2364]: WARNING: Exception 
> processing realm com.netscape.cms.tomcat.ProxyRealm@5ad7c518 background 
> process
> May 27 14:25:48 okda.pipebreaker.pl server[2364]: 
> java.lang.NullPointerException
> May 27 14:25:48 okda.pipebreaker.pl server[2364]:     at 
> com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:109)
> May 27 14:25:48 okda.pipebreaker.pl server[2364]:     at 
> org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1127)
> May 27 14:25:48 okda.pipebreaker.pl server[2364]:     at 
> org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5642)
> May 27 14:25:48 okda.pipebreaker.pl server[2364]:     at 
> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1377)
> May 27 14:25:48 okda.pipebreaker.pl server[2364]:     at 
> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1381)
> May 27 14:25:48 okda.pipebreaker.pl server[2364]:     at 
> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1381)
> May 27 14:25:48 okda.pipebreaker.pl server[2364]:     at 
> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1349)
> May 27 14:25:48 okda.pipebreaker.pl server[2364]:     at 
> java.lang.Thread.run(Thread.java:745)
> 
>   as you can see, those logs do not contain any clue what's is wrong.
> 
> 
> -----
> 
> ad 4) pycparser.lextab/lextab.py/yacctab.py permission errors
>   I observe following errors in dnskeysyncd logs:
> 
> May 27 14:08:29 kaitain.pipebreaker.pl ipa-dnskeysyncd[22469]: WARNING: 
> Couldn't write lextab module 'pycparser.lextab'. [Errno 13] Permission 
> denied: 'lextab.py'
> May 27 14:08:29 kaitain.pipebreaker.pl ipa-dnskeysyncd[22469]: WARNING: yacc 
> table file version is out of date
> May 27 14:08:29 kaitain.pipebreaker.pl ipa-dnskeysyncd[22469]: WARNING: 
> Couldn't create 'pycparser.yacctab'. [Errno 13] Permission denied: 
> 'yacctab.py'
> 
>   Also (related?) error during 'ipactl' invocations:
> $ ipactl status
> WARNING: yacc table file version is out of date
> …
> 
>   Warnings appear even after switching SELinux to permissive.
> 
> 
>   Please help me with resolving those problems.  What logs should I provide?
> I see no similiar issues described at 
> http://www.freeipa.org/page/Troubleshooting

Fedora 24 is broken at the moment so there is nothing you can do before it is
fixed & released.

Sorry.

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to