On 27.5.2016 14:28, Tomasz Torcz wrote:
> Hi,
>
> In my home environment I'm using two-server FreeIPA configuration on Fedora.
> Initially installed on Fedora 19 in November 2013, it has been upgraded every
> Fedora release. It generally works OK, but somewhat degrades during operation.
> Recently I've jumped to F24 in hope my problems will be resolved, but they
> weren't.
> Thus this email and plea for assistance.
>
> In the meantime there was a problem with expired certificates, but it was solved
> with the help of rcrit on IRC.
>
> I'm using freeipa-server-4.3.1-1.fc24.x86_64. One of the servers is called
> kaitain.pipebreaker.pl, the other okda.pipebreaker.pl.
>
> Currently I encounter the following main problems:
> 1) named is not servicing all the records from LDAP
> 2) can't login to WebUI on kaitain.pipebreaker.pl
> 3) can't login to WebUI on okda.pipebreaker.pl
> 4) pycparser.lextab/lextab.py/yacctab.py permission errors
>
> More details:
> -----
> ad 1) named problems
> Recently I've added a new AAAA host entry to my zone (.pipebreaker.pl). It is
> visible in CLI, but named doesn't resolve it:
>
> $ ipa dnsrecord-find pipebreaker.pl microstation
> Record name: microstation
> AAAA record: 2001:6a0:200:d1::2
> ----------------------------
> Number of entries returned 1
> ----------------------------
>
> $ host microstation ; host microstation.pipebreaker.pl
> Host microstation not found: 3(NXDOMAIN)
> Host microstation.pipebreaker.pl not found: 3(NXDOMAIN)
>
> Entries added previously resolve fine. I see no errors reported
> in named-pkcs11.service logs.
>
> -----
>
> ad 2) can't login to webui at kaitain
> When I open a WebUI while having valid ticket, I'm shown my user page,
> i.e. https://kaitain.pipebreaker.pl/ipa/ui/#/e/user/details/zdzichu is opened.
> But when I logout from WebUI and try to login as admin, I receive:
>
> The password or username you entered is incorrect.
>
> The password is certainly correct, I can use it for 'kinit admin'
> successfully.
> /var/log/httpd/error_log contains:
>
> [Fri May 27 14:17:37.104341 2016] [wsgi:error] [pid 1882] [remote
> 2001:470:71:68d:216:eaff:fec2:68b4:28] mod_wsgi (pid=1882): Exception
> occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
> [Fri May 27 14:17:37.106932 2016] [wsgi:error] [pid 1882] [remote
> 2001:470:71:68d:216:eaff:fec2:68b4:28] Traceback (most recent call last):
> [Fri May 27 14:17:37.106985 2016] [wsgi:error] [pid 1882] [remote
> 2001:470:71:68d:216:eaff:fec2:68b4:28] File "/usr/share/ipa/wsgi.py", line
> 63, in application
> [Fri May 27 14:17:37.107436 2016] [wsgi:error] [pid 1882] [remote
> 2001:470:71:68d:216:eaff:fec2:68b4:28] return
> api.Backend.wsgi_dispatch(environ, start_response)
> [Fri May 27 14:17:37.107461 2016] [wsgi:error] [pid 1882] [remote
> 2001:470:71:68d:216:eaff:fec2:68b4:28] File
> "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 261, in
> __call__
> [Fri May 27 14:17:37.107769 2016] [wsgi:error] [pid 1882] [remote
> 2001:470:71:68d:216:eaff:fec2:68b4:28] return self.route(environ,
> start_response)
> [Fri May 27 14:17:37.107786 2016] [wsgi:error] [pid 1882] [remote
> 2001:470:71:68d:216:eaff:fec2:68b4:28] File
> "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 273, in route
> [Fri May 27 14:17:37.107808 2016] [wsgi:error] [pid 1882] [remote
> 2001:470:71:68d:216:eaff:fec2:68b4:28] return app(environ, start_response)
> [Fri May 27 14:17:37.107829 2016] [wsgi:error] [pid 1882] [remote
> 2001:470:71:68d:216:eaff:fec2:68b4:28] File
> "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 943, in
> __call__
> [Fri May 27 14:17:37.107848 2016] [wsgi:error] [pid 1882] [remote
> 2001:470:71:68d:216:eaff:fec2:68b4:28] self.kinit(user,
> self.api.env.realm, password, ipa_ccache_name)
> [Fri May 27 14:17:37.107887 2016] [wsgi:error] [pid 1882] [remote
> 2001:470:71:68d:216:eaff:fec2:68b4:28] File
> "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 965, in kinit
> [Fri May 27 14:17:37.107918 2016] [wsgi:error] [pid 1882] [remote
> 2001:470:71:68d:216:eaff:fec2:68b4:28] raise
> CCacheError(message=unicode(e))
> [Fri May 27 14:17:37.136615 2016] [wsgi:error] [pid 1882] [remote
> 2001:470:71:68d:216:eaff:fec2:68b4:28] CCacheError: Major (851968):
> Unspecified GSS failure. Minor code may provide more information, Minor
> (2529639107): No credentials cache found
>
> What cache is it talking about? How can I refresh it?
>
> -----
>
>
> ad 3) cannot login to webui on okda
>
> When I go to https://okda.pipebreaker.pl/ipa/ui/ (the other server), I see
> "Loading…" screen
> for a couple of seconds, and afterwards "Gateway timeout" message. Everything
> seems to be running on this server:
>
> root@okda ~$ ipactl status
> WARNING: yacc table file version is out of date
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> named Service: RUNNING
> ipa_memcached Service: RUNNING
> httpd Service: RUNNING
> ipa-custodia Service: RUNNING
> pki-tomcatd Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa-dnskeysyncd Service: RUNNING
> ipa: INFO: The ipactl command was successful
>
> There are no logs generated in httpd's error_log during login.
> There are some problems in system log:
> May 27 14:25:48 okda.pipebreaker.pl server[2364]: May 27, 2016 2:25:48 PM
> org.apache.catalina.core.ContainerBase backgroundProcess
> May 27 14:25:48 okda.pipebreaker.pl server[2364]: WARNING: Exception
> processing realm com.netscape.cms.tomcat.ProxyRealm@5ad7c518 background
> process
> May 27 14:25:48 okda.pipebreaker.pl server[2364]:
> java.lang.NullPointerException
> May 27 14:25:48 okda.pipebreaker.pl server[2364]: at
> com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:109)
> May 27 14:25:48 okda.pipebreaker.pl server[2364]: at
> org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1127)
> May 27 14:25:48 okda.pipebreaker.pl server[2364]: at
> org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5642)
> May 27 14:25:48 okda.pipebreaker.pl server[2364]: at
> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1377)
> May 27 14:25:48 okda.pipebreaker.pl server[2364]: at
> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1381)
> May 27 14:25:48 okda.pipebreaker.pl server[2364]: at
> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1381)
> May 27 14:25:48 okda.pipebreaker.pl server[2364]: at
> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1349)
> May 27 14:25:48 okda.pipebreaker.pl server[2364]: at
> java.lang.Thread.run(Thread.java:745)
>
> as you can see, those logs do not contain any clue what is wrong.
>
>
> -----
>
> ad 4) pycparser.lextab/lextab.py/yacctab.py permission errors
> I observe the following errors in dnskeysyncd logs:
>
> May 27 14:08:29 kaitain.pipebreaker.pl ipa-dnskeysyncd[22469]: WARNING:
> Couldn't write lextab module 'pycparser.lextab'. [Errno 13] Permission
> denied: 'lextab.py'
> May 27 14:08:29 kaitain.pipebreaker.pl ipa-dnskeysyncd[22469]: WARNING: yacc
> table file version is out of date
> May 27 14:08:29 kaitain.pipebreaker.pl ipa-dnskeysyncd[22469]: WARNING:
> Couldn't create 'pycparser.yacctab'. [Errno 13] Permission denied:
> 'yacctab.py'
>
> Also (related?) error during 'ipactl' invocations:
> $ ipactl status
> WARNING: yacc table file version is out of date
> …
>
> Warnings appear even after switching SELinux to permissive.
>
>
> Please help me with resolving those problems. What logs should I provide?
> I see no similar issues described at
> http://www.freeipa.org/page/Troubleshooting

Fedora 24 is broken at the moment so there is nothing you can do before it is fixed & released. Sorry.

-- 
Petr^2 Spacek
