On 7.7.2016 11:32, Günther J. Niederwimmer wrote:
> Hello Petr,
> 
> Am Donnerstag, 7. Juli 2016, 09:14:35 CEST schrieb Petr Spacek:
>> On 23.6.2016 15:27, Günther J. Niederwimmer wrote:
>>> Hello Martin,
>>>
>>> Am Donnerstag, 23. Juni 2016, 15:02:18 CEST schrieb Martin Basti:
>>>> On 20.06.2016 18:48, Günther J. Niederwimmer wrote:
>>>>> Hello,
>>>>>
>>>>> Am Montag, 20. Juni 2016, 09:54:11 CEST schrieb Petr Spacek:
>>>>>> On 18.6.2016 15:03, Günther J. Niederwimmer wrote:
>>>>>>> hello,
>>>>>>>
>>>>>>> Am Freitag, 17. Juni 2016, 23:05:32 CEST schrieb Martin Basti:
>>>>>>>> On 17.06.2016 18:29, Günther J. Niederwimmer wrote:
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> Am Freitag, 17. Juni 2016, 14:13:55 CEST schrieb Martin Basti:
>>>>>>>>>> On 17.06.2016 12:54, Günther J. Niederwimmer wrote:
>>>>>>>>>>> Hello List,
>>>>>>>>>>>
>>>>>>>>>>> Am Freitag, 17. Juni 2016, 07:51:45 CEST schrieb Petr Spacek:
>>>>>>>>>>>> On 16.6.2016 21:51, Lukas Slebodnik wrote:
>>>>>>>>>>>>> On (16/06/16 11:54), Günther J. Niederwimmer wrote:
>>>>>>>>>>>>>> Hello
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> on my system the ods-exporter, I mean, has a problem.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I have this in the logs
>>>>>>>>>>>>>> CentOS 7.(2) ipa 4.3.1
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Jun 16 11:38:28 ipa ipa-ods-exporter: raise
>>>>>>>>>>>>>> errors.ACIError(info=info)
>>>>>>>>>>>>>> Jun 16 11:38:28 ipa ipa-ods-exporter: ipalib.errors.ACIError:
>>>>>>>>>>>>>> Insufficient
>>>>>>>>>>>>>> access: SASL(-1): generic failure: GSSAPI Error: Unspecified
>>>>>>>>>>>>>> GSS
>>>>>>>>>>>>>> failure.
>>>>>>>>>>>>>> Minor code may provide more information (Ticket expired)
>>>>>>>>>>>>>                       
>>>>>>>>>>>>>                       Here seems to be a reason why it failed.
>>>>>>>>>>>>>                       But I can't help you more.
>>>>>>>>>>>>
>>>>>>>>>>>> Lukas is right. Interesting, this should never happen :-)
>>>>>>>>>>>
>>>>>>>>>>> this I have also found ;-)
>>>>>>>>>>>
>>>>>>>>>>>> Please enable debugging using procedure
>>>>>>>>>>>> http://www.freeipa.org/page/Troubleshooting#ipa_command_crashes_or_returns_no_data
>>>>>>>>>>>> and check logs after next ipa-ods-exporter restart.
>>>>>>>>>>>> Thank you!
>>>>>>>>>>>
>>>>>>>>>>> OK,
>>>>>>>>>>>
>>>>>>>>>>> I attach the messages log?
>>>>>>>>>>>
>>>>>>>>>>> I mean this is a problem with my DNS ?
>>>>>>>>>>
>>>>>>>>>> Hello,
>>>>>>>>>> can you check kerberos status of ipa-ods-exporter service in webUI?
>>>>>>>>>>
>>>>>>>>>> identity/services/ipa-ods-exported/<hostname>
>>>>>>>>>> There should be kerberos status in right top corner in details view
>>>>>>>>>
>>>>>>>>> I have a
>>>>>>>>> identity/services/ipa-ods-exporter/..
>>>>>>>>>
>>>>>>>>> with a "Kerberos Key Present, Service Provisioned"
>>>>>>>>>
>>>>>>>>> but no Certificate ?
>>>>>>>>
>>>>>>>> Can you try,
>>>>>>>>
>>>>>>>> # kinit -kt /etc/ipa/dnssec/ipa-ods-exporter.keytab
>>>>>>>> ipa-ods-exporter/$(hostname)
>>>>>>>
>>>>>>> OK
>>>>>>> I can do a "kinit -kt /etc/ipa/dnssec/ipa-ods-exporter.keytab ipa-ods-exporter/$(hostname)"
>>>>>>>
>>>>>>> written on one line!! is this OK.
>>>>>>>
>>>>>>>> and do ldapsearch
>>>>>>>> # ldapsearch -Y GSSAPI
>>>>>>>
>>>>>>> and also ldapsearch is OK
>>>>>>>
>>>>>>>> It should show us if keytab is okay
>>>>>>>
>>>>>>> But the Error is present :-(.
>>>>>>
>>>>>> We need to see precise error. Please copy&paste it into the e-mail.
>>>>>
>>>>> that is it.
>>>>>
>>>>> Jun 20 18:44:36 ipa systemd: ipa-ods-exporter.service failed.
>>>>>
>>>>>> It would be awesome if you could follow general rules for bug
>>>>>> reporting:
>>>>>> http://www.chiark.greenend.org.uk/~sgtatham/bugs-de.html
>>>>>>
>>>>>> Besides other things it would allow us to help you in shorter time.
>>>>>>
>>>>>> Have a nice day!
>>>>
>>>> This is weird, it looks like your kerberos keytab is valid, but I have
>>>> no idea why you are getting ticket expired messages. It should just
>>>> kinit again.
>>>>
>>>> Can you please remove this ccache file?
>>>> /var/opendnssec/tmp/ipa-ods-exporter.ccache
>>>
>>> OK, now I do an ipactl stop, remove the ccache file and start ipa again.
>>>
>>> To start the ods-exporter I have to wait a long time, 1-2 min. ;-)
>>>
>>> I send you the log without debug; if you would like it with debug, tell me.
>>> Jun 23 14:57:56 ipa ipa-ods-exporter: Traceback (most recent call last):
>>> Jun 23 14:57:56 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods-
>>> exporter", line 656, in <module>
>>> Jun 23 14:57:56 ipa ipa-ods-exporter: ldap.gssapi_bind()
>>> Jun 23 14:57:56 ipa ipa-ods-exporter: File
>>> "/usr/lib/python2.7/site-packages/ ipapython/ipaldap.py", line 1085, in
>>> gssapi_bind
>>> Jun 23 14:57:56 ipa ipa-ods-exporter: '', auth_tokens, server_controls,
>>> client_controls)
>>> Jun 23 14:57:56 ipa ipa-ods-exporter: File "/usr/lib64/python2.7/
>>> contextlib.py", line 35, in __exit__
>>> Jun 23 14:57:56 ipa ipa-ods-exporter: self.gen.throw(type, value,
>>> traceback) Jun 23 14:57:56 ipa ipa-ods-exporter: File
>>> "/usr/lib/python2.7/site-packages/ ipapython/ipaldap.py", line 992, in
>>> error_handler
>>> Jun 23 14:57:56 ipa ipa-ods-exporter: raise errors.ACIError(info=info)
>>> Jun 23 14:57:56 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient
>>> access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
>>> Minor code may provide more information (Ticket expired)
>>> Jun 23 14:57:56 ipa systemd: ipa-ods-exporter.service: main process
>>> exited,
>>> code=exited, status=1/FAILURE
>>> Jun 23 14:57:56 ipa systemd: Unit ipa-ods-exporter.service entered failed
>>> state.
>>> Jun 23 14:57:56 ipa systemd: ipa-ods-exporter.service failed.
>>
>> This is really weird, I have no idea what happened. We can try a big hammer:
>> Rename file /etc/ipa/dnssec/ipa-ods-exporter.keytab to e.g.
>> /etc/ipa/dnssec/ipa-ods-exporter.keytab.SUSPECT
> 
> Before I start a big hammer I tell you some things.
> 
> I now did ipactl status again and found
> ipa-ods-exporter is not running (?).
> 
> after a restart I found a lot of WARNINGS and Errors like this
> 
> Jul  7 10:40:07 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/
> Connector} Setting property 'enableOCSP' to 'false' did not find a matching 
> property.
> Jul  7 10:40:07 ipa server: Jul 07, 2016 10:40:07 AM 
> org.apache.catalina.startup.SetAllPropertiesRule begin
> Jul  7 10:40:07 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/
> Connector} Setting property 'ocspResponderURL' to 'http://ipa.4gjn.com:9080/
> ca/ocsp' did not find a matching property.
> Jul  7 10:40:07 ipa server: Jul 07, 2016 10:40:07 AM 
> org.apache.catalina.startup.SetAllPropertiesRule begin
> Jul  7 10:40:07 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/
> Connector} Setting property 'ocspResponderCertNickname' to 'ocspSigningCert 
> cert-pki-ca' did not find a matching property.
> Jul  7 10:40:07 ipa server: Jul 07, 2016 10:40:07 AM 
> org.apache.catalina.startup.SetAllPropertiesRule begin
> Jul  7 10:40:07 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/
> Connector} Setting property 'ocspCacheSize' to '1000' did not find a matching 
> property.
> Jul  7 10:40:07 ipa server: Jul 07, 2016 10:40:07 AM 
> org.apache.catalina.startup.SetAllPropertiesRule begin
> Jul  7 10:40:07 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/
> Connector} Setting property 'ocspMinCacheEntryDuration' to '60' did not find 
> a 
> matching property.
> Jul  7 10:40:07 ipa server: Jul 07, 2016 10:40:07 AM 
> org.apache.catalina.startup.SetAllPropertiesRule begin
> Jul  7 10:40:07 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/
> Connector} Setting property 'ocspMaxCacheEntryDuration' to '120' did not find 
> a 
> matching property.
> Jul  7 10:40:07 ipa server: Jul 07, 2016 10:40:07 AM 
> org.apache.catalina.startup.SetAllPropertiesRule begin
> Jul  7 10:40:07 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/
> Connector} Setting property 'ocspTimeout' to '10' did not find a matching 
> property.
> Jul  7 10:40:07 ipa server: Jul 07, 2016 10:40:07 AM 
> org.apache.catalina.startup.SetAllPropertiesRule begin
> Jul  7 10:40:07 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/
> Connector} Setting property 'strictCiphers' to 'true' did not find a matching 
> property.
> Jul  7 10:40:07 ipa server: Jul 07, 2016 10:40:07 AM 
> org.apache.catalina.startup.SetAllPropertiesRule begin
> Jul  7 10:40:07 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/
> Connector} Setting property 'sslOptions' to 'ssl2=false,ssl3=false,tls=true' 
> did not find a matching property.
> Jul  7 10:40:07 ipa server: Jul 07, 2016 10:40:07 AM 
> org.apache.catalina.startup.SetAllPropertiesRule begin
> Jul  7 10:40:07 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/
> Connector} Setting property 'ssl2Ciphers' to '-SSL2_RC4_128_WITH_MD5,-
> SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-
> SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-
> SSL2_DES_192_EDE3_CBC_WITH_MD5' did not find a matching property.
> Jul  7 10:40:07 ipa server: Jul 07, 2016 10:40:07 AM 
> org.apache.catalina.startup.SetAllPropertiesRule begin
> Jul  7 10:40:07 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/
> Connector} Setting property 'ssl3Ciphers' to '-
> SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,
> +SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,
> +SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-
> SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-
> SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-
> SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-
> TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA' 
> did 
> not find a matching property.
> Jul  7 10:40:07 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/
> Connector} Setting property 'tlsCiphers' to '-
> TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
> +TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
> +TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
> +TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,
> +TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,
> +TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-
> TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
> +TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
> +TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
> +TLS_DHE_RSA_WITH_AES_256_CBC_SHA' did not find a matching property.
> 
>  Jul  7 10:40:08 ipa server: INFO: Initializing ProtocolHandler ["http-
> bio-8443"]
> Jul  7 10:40:08 ipa server: Error: SSL cipher 
> "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss
> Jul  7 10:40:08 ipa server: Error: SSL cipher 
> "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" not recognized by tomcatjss
> Jul  7 10:40:08 ipa server: Error: SSL cipher 
> "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" not recognized by tomcatjss
> Jul  7 10:40:08 ipa server: Error: SSL cipher "TLS_RSA_WITH_3DES_EDE_CBC_SHA" 
> not recognized by tomcatjss
> Jul  7 10:40:08 ipa server: Error: SSL cipher 
> "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss
> Jul  7 10:40:08 ipa server: Error: SSL cipher 
> "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss
> Jul  7 10:40:08 ipa server: Error: SSL cipher 
> "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" unsupported by NSS
> Jul  7 10:40:08 ipa server: Error: SSL cipher 
> "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" unsupported by NSS

Hmm, this might be interesting. Please open a ticket
https://fedorahosted.org/freeipa/newticket
and describe the exact versions of the packages (output from $ rpm -q) and how
you got to these messages.


> and what is with the memcached servers? Is this normal?
> 
> Jul  7 10:40:19 ipa ipa-dnskeysyncd: ipa: WARNING: session memcached servers 
> not running
> Jul  7 10:40:19 ipa ipa-ods-exporter: ipa: WARNING: session memcached servers 
> not running

You can ignore this, it is harmless and will be fixed later on.

-- 
Petr^2 Spacek
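
Added example, not part of the original message and not FreeIPA code: the keytab and ccache checks done by hand earlier in the thread, as one shell function that tells a bad keytab apart from a stale cached ticket. The default paths and principal are the ones quoted in the thread; the function name and the verdict words are made up for this example.

```shell
#!/bin/sh
# Separates "keytab is bad" from "cached ticket is stale" for ipa-ods-exporter.
# KEYTAB, CCACHE and PRINCIPAL can be overridden from the environment.

diagnose_exporter_krb() {
    local keytab="${KEYTAB:-/etc/ipa/dnssec/ipa-ods-exporter.keytab}"
    local ccache="${CCACHE:-/var/opendnssec/tmp/ipa-ods-exporter.ccache}"
    local principal="${PRINCIPAL:-ipa-ods-exporter/$(hostname)}"
    local scratch

    [ -r "$keytab" ] || { echo keytab-missing; return 0; }

    # Try the keytab against the KDC using a throwaway cache, so the
    # service's own ccache and the caller's default cache stay untouched
    # and no service ticket is left behind in root's cache.
    scratch=$(mktemp -d) || return 2
    if ! kinit -c "FILE:$scratch/cc" -kt "$keytab" "$principal" >/dev/null 2>&1; then
        rm -rf "$scratch"
        echo keytab-bad
        return 0
    fi
    rm -rf "$scratch"

    # klist -s prints nothing and exits non-zero when the cache cannot be
    # read or the ticket in it has expired.
    if [ -e "$ccache" ] && ! klist -s -c "FILE:$ccache"; then
        echo ccache-stale
        return 0
    fi
    echo ok
}
```

Run it as root or as the account that can read the keytab. A `ccache-stale` verdict together with a working keytab is the combination the thread was checking for by hand.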
