Hello Petr,

Am Donnerstag, 7. Juli 2016, 09:14:35 CEST schrieb Petr Spacek:
> On 23.6.2016 15:27, Günther J. Niederwimmer wrote:
> > Hello Martin,
> > 
> > Am Donnerstag, 23. Juni 2016, 15:02:18 CEST schrieb Martin Basti:
> >> On 20.06.2016 18:48, Günther J. Niederwimmer wrote:
> >>> Hello,
> >>> 
> >>> Am Montag, 20. Juni 2016, 09:54:11 CEST schrieb Petr Spacek:
> >>>> On 18.6.2016 15:03, Günther J. Niederwimmer wrote:
> >>>>> hello,
> >>>>> 
> >>>>> Am Freitag, 17. Juni 2016, 23:05:32 CEST schrieb Martin Basti:
> >>>>>> On 17.06.2016 18:29, Günther J. Niederwimmer wrote:
> >>>>>>> Hello,
> >>>>>>> 
> >>>>>>> Am Freitag, 17. Juni 2016, 14:13:55 CEST schrieb Martin Basti:
> >>>>>>>> On 17.06.2016 12:54, Günther J. Niederwimmer wrote:
> >>>>>>>>> Hello List,
> >>>>>>>>> 
> >>>>>>>>> Am Freitag, 17. Juni 2016, 07:51:45 CEST schrieb Petr Spacek:
> >>>>>>>>>> On 16.6.2016 21:51, Lukas Slebodnik wrote:
> >>>>>>>>>>> On (16/06/16 11:54), Günther J. Niederwimmer wrote:
> >>>>>>>>>>>> Hello
> >>>>>>>>>>>> 
> >>>>>>>>>>>> on my system the ods-exporter i mean have a problem.
> >>>>>>>>>>>> 
> >>>>>>>>>>>> I have this in the logs
> >>>>>>>>>>>> CentOS 7.(2) ipa 4.3.1
> >>>>>>>>>>>> 
> >>>>>>>>>>>> Jun 16 11:38:28 ipa ipa-ods-exporter: raise
> >>>>>>>>>>>> errors.ACIError(info=info)
> >>>>>>>>>>>> Jun 16 11:38:28 ipa ipa-ods-exporter: ipalib.errors.ACIError:
> >>>>>>>>>>>> Insufficient
> >>>>>>>>>>>> access: SASL(-1): generic failure: GSSAPI Error: Unspecified
> >>>>>>>>>>>> GSS
> >>>>>>>>>>>> failure.
> >>>>>>>>>>>> Minor code may provide more information (Ticket expired)
> >>>>>>>>>>>                       
> >>>>>>>>>>>                       Here seems to be a reason why it failed.
> >>>>>>>>>>>                       But I can't help you more.
> >>>>>>>>>> 
> >>>>>>>>>> Lukas is right. Interesting, this should never happen :-)
> >>>>>>>>> 
> >>>>>>>>> this have I also found ;-)
> >>>>>>>>> 
> >>>>>>>>>> Please enable debugging using procedure
> >>>>>>>>>> http://www.freeipa.org/page/Troubleshooting#ipa_command_crashes_o
> >>>>>>>>>> r_
> >>>>>>>>>> re
> >>>>>>>>>> tu
> >>>>>>>>>> rn
> >>>>>>>>>> s_n o_data and check logs after next ipa-ods-exporter restart.
> >>>>>>>>>> Thank you!
> >>>>>>>>> 
> >>>>>>>>> OK,
> >>>>>>>>> 
> >>>>>>>>> I attache the messages log?
> >>>>>>>>> 
> >>>>>>>>> I mean this is a problem with my DNS ?
> >>>>>>>> 
> >>>>>>>> Hello,
> >>>>>>>> can you check kerberos status of ipa-ods-exporter service in webUI?
> >>>>>>>> 
> >>>>>>>> identity/services/ipa-ods-exported/<hostname>
> >>>>>>>> There should be kerberos status in right top corner in details view
> >>>>>>> 
> >>>>>>> I have a
> >>>>>>> identity/services/ipa-ods-exporter/..
> >>>>>>> 
> >>>>>>> with a "Kerberos Key Present, Service Provisioned"
> >>>>>>> 
> >>>>>>> but no Certificate ?
> >>>>>> 
> >>>>>> Can you try,
> >>>>>> 
> >>>>>> # kinit -kt /etc/ipa/dnssec/ipa-ods-exporter.keytab
> >>>>>> ipa-ods-exporter/$(hostname)
> >>>>> 
> >>>>> OK
> >>>>> I can do a "kinit -kt /etc/ipa/dnssec/ipa-ods-exporter.keytab ipa-ods-
> >>>>> exporter/$(hostname)"
> >>>>> 
> >>>>> written on one line!! is this OK.
> >>>>> 
> >>>>>> and do ldapsearch
> >>>>>> # ldapsearch -Y GSSAPI
> >>>>> 
> >>>>> and also ldapsearch is OK
> >>>>> 
> >>>>>> It should show us if keytab is okay
> >>>>> 
> >>>>> But the Error is present :-(.
> >>>> 
> >>>> We need to see precise error. Please copy&paste it into the e-mail.
> >>> 
> >>> that is it.
> >>> 
> >>> Jun 20 18:44:36 ipa systemd: ipa-ods-exporter.service failed.
> >>> 
> >>>> It would be awesome if you could follow general rules for bug
> >>>> reporting:
> >>>> http://www.chiark.greenend.org.uk/~sgtatham/bugs-de.html
> >>>> 
> >>>> Besides other things it would allow us to help you in shorter time.
> >>>> 
> >>>> Have a nice day!
> >> 
> >> This is weird, It looks like your kerberos keytab is valid, but I have
> >> no idea why you are getting ticket expired messages. It should just
> >> kinit again.
> >> 
> >> Can you please remove this ccache file?
> >> /var/opendnssec/tmp/ipa-ods-exporter.ccache
> > 
> > OK now i make a ipactl stop remove the ccache file and start ipa again.
> > 
> > to start the ods-exporte I have to wait a long time 1-2 min. ;-)
> > 
> > I send you the log without debug when you like this with debug tell me.
> > Jun 23 14:57:56 ipa ipa-ods-exporter: Traceback (most recent call last):
> > Jun 23 14:57:56 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods-
> > exporter", line 656, in <module>
> > Jun 23 14:57:56 ipa ipa-ods-exporter: ldap.gssapi_bind()
> > Jun 23 14:57:56 ipa ipa-ods-exporter: File
> > "/usr/lib/python2.7/site-packages/ ipapython/ipaldap.py", line 1085, in
> > gssapi_bind
> > Jun 23 14:57:56 ipa ipa-ods-exporter: '', auth_tokens, server_controls,
> > client_controls)
> > Jun 23 14:57:56 ipa ipa-ods-exporter: File "/usr/lib64/python2.7/
> > contextlib.py", line 35, in __exit__
> > Jun 23 14:57:56 ipa ipa-ods-exporter: self.gen.throw(type, value,
> > traceback) Jun 23 14:57:56 ipa ipa-ods-exporter: File
> > "/usr/lib/python2.7/site-packages/ ipapython/ipaldap.py", line 992, in
> > error_handler
> > Jun 23 14:57:56 ipa ipa-ods-exporter: raise errors.ACIError(info=info)
> > Jun 23 14:57:56 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient
> > access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
> > Minor code may provide more information (Ticket expired)
> > Jun 23 14:57:56 ipa systemd: ipa-ods-exporter.service: main process
> > exited,
> > code=exited, status=1/FAILURE
> > Jun 23 14:57:56 ipa systemd: Unit ipa-ods-exporter.service entered failed
> > state.
> > Jun 23 14:57:56 ipa systemd: ipa-ods-exporter.service failed.
> 
> This is really weird, I have no idea what happened. We can try a big hammer:
> Rename file /etc/ipa/dnssec/ipa-ods-exporter.keytab to e.g.
> /etc/ipa/dnssec/ipa-ods-exporter.keytab.SUSPECT

before I start a big hammer I tell you same things.

I make now again ipactl status and found
ipa-ods-exporter is not running (?).

after a restart I found a lot of WARNINGS and Errors like this

Jul  7 10:40:07 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/
Connector} Setting property 'enableOCSP' to 'false' did not find a matching 
property.
Jul  7 10:40:07 ipa server: Jul 07, 2016 10:40:07 AM 
org.apache.catalina.startup.SetAllPropertiesRule begin
Jul  7 10:40:07 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/
Connector} Setting property 'ocspResponderURL' to 'http://ipa.4gjn.com:9080/
ca/ocsp' did not find a matching property.
Jul  7 10:40:07 ipa server: Jul 07, 2016 10:40:07 AM 
org.apache.catalina.startup.SetAllPropertiesRule begin
Jul  7 10:40:07 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/
Connector} Setting property 'ocspResponderCertNickname' to 'ocspSigningCert 
cert-pki-ca' did not find a matching property.
Jul  7 10:40:07 ipa server: Jul 07, 2016 10:40:07 AM 
org.apache.catalina.startup.SetAllPropertiesRule begin
Jul  7 10:40:07 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/
Connector} Setting property 'ocspCacheSize' to '1000' did not find a matching 
property.
Jul  7 10:40:07 ipa server: Jul 07, 2016 10:40:07 AM 
org.apache.catalina.startup.SetAllPropertiesRule begin
Jul  7 10:40:07 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/
Connector} Setting property 'ocspMinCacheEntryDuration' to '60' did not find a 
matching property.
Jul  7 10:40:07 ipa server: Jul 07, 2016 10:40:07 AM 
org.apache.catalina.startup.SetAllPropertiesRule begin
Jul  7 10:40:07 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/
Connector} Setting property 'ocspMaxCacheEntryDuration' to '120' did not find a 
matching property.
Jul  7 10:40:07 ipa server: Jul 07, 2016 10:40:07 AM 
org.apache.catalina.startup.SetAllPropertiesRule begin
Jul  7 10:40:07 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/
Connector} Setting property 'ocspTimeout' to '10' did not find a matching 
property.
Jul  7 10:40:07 ipa server: Jul 07, 2016 10:40:07 AM 
org.apache.catalina.startup.SetAllPropertiesRule begin
Jul  7 10:40:07 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/
Connector} Setting property 'strictCiphers' to 'true' did not find a matching 
property.
Jul  7 10:40:07 ipa server: Jul 07, 2016 10:40:07 AM 
org.apache.catalina.startup.SetAllPropertiesRule begin
Jul  7 10:40:07 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/
Connector} Setting property 'sslOptions' to 'ssl2=false,ssl3=false,tls=true' 
did not find a matching property.
Jul  7 10:40:07 ipa server: Jul 07, 2016 10:40:07 AM 
org.apache.catalina.startup.SetAllPropertiesRule begin
Jul  7 10:40:07 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/
Connector} Setting property 'ssl2Ciphers' to '-SSL2_RC4_128_WITH_MD5,-
SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-
SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-
SSL2_DES_192_EDE3_CBC_WITH_MD5' did not find a matching property.
Jul  7 10:40:07 ipa server: Jul 07, 2016 10:40:07 AM 
org.apache.catalina.startup.SetAllPropertiesRule begin
Jul  7 10:40:07 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/
Connector} Setting property 'ssl3Ciphers' to '-
SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,
+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,
+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-
SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-
SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-
SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA' did 
not find a matching property.
Jul  7 10:40:07 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/
Connector} Setting property 'tlsCiphers' to '-
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,
+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
+TLS_DHE_RSA_WITH_AES_256_CBC_SHA' did not find a matching property.

 Jul  7 10:40:08 ipa server: INFO: Initializing ProtocolHandler ["http-
bio-8443"]
Jul  7 10:40:08 ipa server: Error: SSL cipher 
"TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss
Jul  7 10:40:08 ipa server: Error: SSL cipher 
"TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" not recognized by tomcatjss
Jul  7 10:40:08 ipa server: Error: SSL cipher 
"TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" not recognized by tomcatjss
Jul  7 10:40:08 ipa server: Error: SSL cipher "TLS_RSA_WITH_3DES_EDE_CBC_SHA" 
not recognized by tomcatjss
Jul  7 10:40:08 ipa server: Error: SSL cipher 
"TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss
Jul  7 10:40:08 ipa server: Error: SSL cipher 
"TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss
Jul  7 10:40:08 ipa server: Error: SSL cipher 
"TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" unsupported by NSS
Jul  7 10:40:08 ipa server: Error: SSL cipher 
"TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" unsupported by NSS

and what is with the memcached servers ? is this normal

Jul  7 10:40:19 ipa ipa-dnskeysyncd: ipa: WARNING: session memcached servers 
not running
Jul  7 10:40:19 ipa ipa-ods-exporter: ipa: WARNING: session memcached servers 
not running


> and re-run ipa-dns-install with the same options as you used for the first
> time. It should re-create the keytab and all other things.
I hope I remember ;-)

OK, this is the next step.

In the moment the DNS from ipa with DNSSEC is very unstable  :-(.

> I hope it will help.

;-)
-- 
mit freundlichen Grüßen / best regards,

  Günther J. Niederwimmer

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to