I had to let this sit for a few days, but now that I try again I can remove and 
re-add the host (using CLI).  The web UI still presents an error, though:

IPA Error 4302: CertificateFormatError
Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key 
database is in an old unsupported format.


This is an error I ran into when working with renewing certs while referring to 
the wrong path for the certificate database (path changed with versions and I 
was unaware).  Why this is happening in the web UI though still eludes me.  The 
test host I removed via CLI and then added with the ipa-client-install command 
still does not show “Enrolled” status when I do a search for it in the UI, and 
the error above is displayed when this host shows up in results, or when I 
click on the link to the host page.  Is it possible that Apache is 
misconfigured?  I’m including my dirsrv and apache access log excerpts from 
when I try to load the host page.  I do see some errors.

Apache:

[Wed Apr 26 14:37:15.047280 2017] [:error] [pid 7300] Bad remote server 
certificate: -8179
[Wed Apr 26 14:37:15.047303 2017] [:error] [pid 7300] SSL Library Error: -8179 
Certificate is signed by an unknown issuer
[Wed Apr 26 14:37:15.047364 2017] [:error] [pid 7300] Re-negotiation handshake 
failed: Not accepted by client!?
[Wed Apr 26 14:37:15.047698 2017] [:error] [pid 7295] ipa: INFO: [xmlserver] 
host/clienthost.domain2....@domain.com: 
cert_request(u'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',
 principal=u'host/clienthost.domain2....@domain.com', add=True, 
version=u'2.51'): NetworkError
[Wed Apr 26 14:37:15.047856 2017] [:error] [pid 7300] Bad remote server 
certificate: -8179
[Wed Apr 26 14:37:15.047864 2017] [:error] [pid 7300] SSL Library Error: -8179 
Certificate is signed by an unknown issuer
[Wed Apr 26 14:37:15.047869 2017] [:error] [pid 7300] SSL Library Error: -8179 
Certificate is signed by an unknown issuer
[Wed Apr 26 14:37:15.048309 2017] [:error] [pid 7300] Bad remote server 
certificate: -8179
[Wed Apr 26 14:37:15.048317 2017] [:error] [pid 7300] SSL Library Error: -8179 
Certificate is signed by an unknown issuer
[Wed Apr 26 14:37:15.235599 2017] [:warn] [pid 9708] NSSProtocol:  Unknown 
protocol 'tlsv1.2' not supported
[Wed Apr 26 14:37:15.235637 2017] [:error] [pid 9708] Unknown cipher 
aes_128_sha_256
[Wed Apr 26 14:37:15.235641 2017] [:error] [pid 9708] Unknown cipher 
aes_256_sha_256
[Wed Apr 26 14:37:15.235644 2017] [:error] [pid 9708] Unknown cipher 
ecdhe_ecdsa_aes_128_gcm_sha_256
[Wed Apr 26 14:37:15.235648 2017] [:error] [pid 9708] Unknown cipher 
ecdhe_ecdsa_aes_256_gcm_sha_384
[Wed Apr 26 14:37:15.235652 2017] [:error] [pid 9708] Unknown cipher 
ecdhe_rsa_aes_128_gcm_sha_256
[Wed Apr 26 14:37:15.235655 2017] [:error] [pid 9708] Unknown cipher 
ecdhe_rsa_aes_256_gcm_sha_384
[Wed Apr 26 14:37:15.235658 2017] [:error] [pid 9708] Unknown cipher 
rsa_aes_128_gcm_sha_256
[Wed Apr 26 14:37:15.235662 2017] [:error] [pid 9708] Unknown cipher 
rsa_aes_256_gcm_sha_384

Dirsrv:

[26/Apr/2017:14:51:54.142433251 -0500] conn=17 op=5296 SRCH 
base="ou=sessions,ou=Security Domain,o=ipaca" scope=2 
filter="(objectClass=securityDomainSessionEntry)" attrs="cn"
[26/Apr/2017:14:51:54.142776551 -0500] conn=17 op=5296 RESULT err=32 tag=101 
nentries=0 etime=0
[26/Apr/2017:14:51:55.018498792 -0500] conn=8 op=8117 SRCH 
base="ou=certificateRepository,ou=ca,o=ipaca" scope=0 
filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="description"
[26/Apr/2017:14:51:55.018666292 -0500] conn=8 op=8117 RESULT err=0 tag=101 
nentries=1 etime=0
[26/Apr/2017:14:52:00.146796240 -0500] conn=8 op=8119 SRCH 
base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 
filter="(certStatus=INVALID)" attrs="objectClass serialno notBefore notAfter 
duration extension subjectName issuerName userCertificate version algorithmId 
signingAlgorithmId publicKeyData"
[26/Apr/2017:14:52:00.147035479 -0500] conn=8 op=8119 SORT notBefore
[26/Apr/2017:14:52:00.147051543 -0500] conn=8 op=8119 VLV 200:0:20170426145200Z 
1:0 (0)
[26/Apr/2017:14:52:00.147092417 -0500] conn=8 op=8119 RESULT err=0 tag=101 
nentries=0 etime=0
[26/Apr/2017:14:52:00.147826090 -0500] conn=8 op=8120 SRCH 
base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 
filter="(certStatus=VALID)" attrs="objectClass serialno notBefore notAfter 
duration extension subjectName issuerName userCertificate version algorithmId 
signingAlgorithmId publicKeyData"
[26/Apr/2017:14:52:00.147982635 -0500] conn=8 op=8120 SORT notAfter
[26/Apr/2017:14:52:00.147991868 -0500] conn=8 op=8120 VLV 200:0:20170426145200Z 
1:35 (0)
[26/Apr/2017:14:52:00.148105485 -0500] conn=8 op=8120 RESULT err=0 tag=101 
nentries=1 etime=0
[26/Apr/2017:14:52:00.148933905 -0500] conn=8 op=8121 SRCH 
base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 
filter="(certStatus=REVOKED)" attrs="objectClass revokedOn serialno revInfo 
notAfter notBefore duration extension subjectName issuerName userCertificate 
version algorithmId signingAlgorithmId publicKeyData"
[26/Apr/2017:14:52:00.149043409 -0500] conn=8 op=8121 SORT notAfter
[26/Apr/2017:14:52:00.149052772 -0500] conn=8 op=8121 VLV 200:0:20170426145200Z 
1:4 (0)
[26/Apr/2017:14:52:00.149160758 -0500] conn=8 op=8121 RESULT err=0 tag=101 
nentries=1 etime=0
[26/Apr/2017:14:52:29.001182676 -0500] conn=19057 op=17 UNBIND
[26/Apr/2017:14:52:29.001203771 -0500] conn=19057 op=17 fd=122 closed - U1
[26/Apr/2017:14:52:43.956006475 -0500] conn=19059 fd=122 slot=122 connection 
from 10.11.10.6 to 10.11.10.3
[26/Apr/2017:14:52:43.956364716 -0500] conn=19059 op=0 SRCH base="" scope=0 
filter="(objectClass=*)" attrs="* altServer namingContexts supportedControl 
supportedExtension supportedFeatures supportedLDAPVersion 
supportedSASLMechanisms domaincontrollerfunctionality defaultnamingcontext 
lastusn highestcommittedusn aci"
[26/Apr/2017:14:52:43.957812723 -0500] conn=19059 op=0 RESULT err=0 tag=101 
nentries=1 etime=0
[26/Apr/2017:14:52:43.961326411 -0500] conn=4 op=33437 SRCH 
base="dc=domain,dc=com" scope=2 
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=host/clienthost.domain2....@domain.com)(krbPrincipalName:caseIgnoreIA5Match:=host/clienthost.domain2....@domain.com)))"
 attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey 
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration 
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange 
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount 
krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences 
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock 
passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink 
objectClass"
[26/Apr/2017:14:52:43.961883409 -0500] conn=4 op=33437 RESULT err=0 tag=101 
nentries=1 etime=0
[26/Apr/2017:14:52:43.961970819 -0500] conn=4 op=33438 SRCH 
base="cn=ipaConfig,cn=etc,dc=domain,dc=com" scope=0 filter="(objectClass=*)" 
attrs="ipaConfigString ipaKrbAuthzData ipaUserAuthType"
[26/Apr/2017:14:52:43.962039666 -0500] conn=4 op=33438 RESULT err=0 tag=101 
nentries=1 etime=0
[26/Apr/2017:14:52:43.962141970 -0500] conn=4 op=33439 SRCH 
base="cn=DOMAIN.COM,cn=kerberos,dc=domain,dc=com" scope=0 
filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife 
krbMaxRenewableAge krbTicketFlags"
[26/Apr/2017:14:52:43.962369262 -0500] conn=4 op=33439 RESULT err=0 tag=101 
nentries=1 etime=0
[26/Apr/2017:14:52:43.962455322 -0500] conn=4 op=33440 SRCH 
base="dc=domain,dc=com" scope=2 
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/domain....@domain.com)(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/domain....@domain.com)))"
 attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey 
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration 
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange 
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount 
krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences 
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock 
passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink 
objectClass"
[26/Apr/2017:14:52:43.962718874 -0500] conn=4 op=33440 RESULT err=0 tag=101 
nentries=1 etime=0
[26/Apr/2017:14:52:43.962817682 -0500] conn=4 op=33441 SRCH base="cn=Default 
Host Password Policy,cn=computers,cn=accounts,dc=domain,dc=com" scope=0 
filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife krbPwdMinDiffChars 
krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure krbPwdFailureCountInterval 
krbPwdLockoutDuration"
[26/Apr/2017:14:52:43.962896540 -0500] conn=4 op=33441 RESULT err=0 tag=101 
nentries=1 etime=0
[26/Apr/2017:14:52:43.963503712 -0500] conn=4 op=33442 SRCH 
base="dc=domain,dc=com" scope=2 
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=host/clienthost.domain2....@domain.com)(krbPrincipalName:caseIgnoreIA5Match:=host/clienthost.domain2....@domain.com)))"
 attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey 
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration 
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange 
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount 
krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences 
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock 
passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink 
objectClass"
[26/Apr/2017:14:52:43.963752103 -0500] conn=4 op=33442 RESULT err=0 tag=101 
nentries=1 etime=0
[26/Apr/2017:14:52:43.963849295 -0500] conn=4 op=33443 SRCH 
base="cn=DOMAIN.COM,cn=kerberos,dc=domain,dc=com" scope=0 
filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife 
krbMaxRenewableAge krbTicketFlags"
[26/Apr/2017:14:52:43.963953657 -0500] conn=4 op=33443 RESULT err=0 tag=101 
nentries=1 etime=0
[26/Apr/2017:14:52:43.964039852 -0500] conn=4 op=33444 SRCH 
base="dc=domain,dc=com" scope=2 
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/domain....@domain.com)(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/domain....@domain.com)))"
 attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey 
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration 
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange 
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount 
krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences 
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock 
passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink 
objectClass"
[26/Apr/2017:14:52:43.964273302 -0500] conn=4 op=33444 RESULT err=0 tag=101 
nentries=1 etime=0
[26/Apr/2017:14:52:43.964362345 -0500] conn=4 op=33445 SRCH base="cn=Default 
Host Password Policy,cn=computers,cn=accounts,dc=domain,dc=com" scope=0 
filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife krbPwdMinDiffChars 
krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure krbPwdFailureCountInterval 
krbPwdLockoutDuration"
[26/Apr/2017:14:52:43.964435619 -0500] conn=4 op=33445 RESULT err=0 tag=101 
nentries=1 etime=0
[26/Apr/2017:14:52:43.964567590 -0500] conn=4 op=33446 SRCH 
base="fqdn=clienthost.domain2.com,cn=computers,cn=accounts,dc=domain,dc=com" 
scope=0 filter="(objectClass=*)" attrs="objectClass uid cn fqdn gidNumber 
krbPrincipalName krbCanonicalName krbTicketPolicyReference 
krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference 
krbPrincipalType krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth 
krbLastFailedAuth krbLoginFailedCount krbLastAdminUnlock krbTicketFlags 
ipaNTSecurityIdentifier ipaNTLogonScript ipaNTProfilePath ipaNTHomeDirectory 
ipaNTHomeDirectoryDrive"
[26/Apr/2017:14:52:43.964851835 -0500] conn=4 op=33446 RESULT err=0 tag=101 
nentries=1 etime=0
[26/Apr/2017:14:52:43.964901338 -0500] conn=4 op=33447 SRCH 
base="cn=clienthost.domain2.com,cn=masters,cn=ipa,cn=etc,dc=domain,dc=com" 
scope=0 filter="(objectClass=*)" attrs=ALL
[26/Apr/2017:14:52:43.964982222 -0500] conn=4 op=33447 RESULT err=32 tag=101 
nentries=0 etime=0
[26/Apr/2017:14:52:43.965190437 -0500] conn=4 op=33448 MOD 
dn="fqdn=clienthost.domain2.com,cn=computers,cn=accounts,dc=domain,dc=com"
[26/Apr/2017:14:52:43.971416149 -0500] conn=4 op=33448 RESULT err=0 tag=103 
nentries=0 etime=0 csn=5900fab3000000040000
[26/Apr/2017:14:52:43.972903894 -0500] conn=4 op=33449 SRCH 
base="dc=domain,dc=com" scope=2 
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/domain....@domain.com)(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/domain....@domain.com)))"
 attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey 
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration 
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange 
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount 
krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences 
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock 
passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink 
objectClass"
[26/Apr/2017:14:52:43.973145956 -0500] conn=4 op=33449 RESULT err=0 tag=101 
nentries=1 etime=0
[26/Apr/2017:14:52:43.973372685 -0500] conn=4 op=33450 SRCH 
base="dc=domain,dc=com" scope=2 
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=ldap/ipahost.domain....@domain.com)(krbPrincipalName:caseIgnoreIA5Match:=ldap/ipahost.domain....@domain.com)))"
 attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey 
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration 
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange 
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount 
krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences 
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock 
passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink 
objectClass"
[26/Apr/2017:14:52:43.973601674 -0500] conn=4 op=33450 RESULT err=0 tag=101 
nentries=1 etime=0
[26/Apr/2017:14:52:43.973695925 -0500] conn=4 op=33451 SRCH 
base="cn=DOMAIN.COM,cn=kerberos,dc=domain,dc=com" scope=0 
filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife 
krbMaxRenewableAge krbTicketFlags"
[26/Apr/2017:14:52:43.973792556 -0500] conn=4 op=33451 RESULT err=0 tag=101 
nentries=1 etime=0
[26/Apr/2017:14:52:43.973887813 -0500] conn=4 op=33452 SRCH 
base="dc=domain,dc=com" scope=2 
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=host/clienthost.domain2....@domain.com))"
 attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey 
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration 
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange 
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount 
krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences 
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock 
passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink 
objectClass"
[26/Apr/2017:14:52:43.974122262 -0500] conn=4 op=33452 RESULT err=0 tag=101 
nentries=1 etime=0
[26/Apr/2017:14:52:43.974232772 -0500] conn=4 op=33453 SRCH 
base="cn=DOMAIN.COM,cn=kerberos,dc=domain,dc=com" scope=0 
filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife 
krbMaxRenewableAge krbTicketFlags"
[26/Apr/2017:14:52:43.974326465 -0500] conn=4 op=33453 RESULT err=0 tag=101 
nentries=1 etime=0
[26/Apr/2017:14:52:43.974905377 -0500] conn=19059 op=1 BIND dn="" method=sasl 
version=3 mech=GSSAPI
[26/Apr/2017:14:52:43.980786355 -0500] conn=19059 op=1 RESULT err=14 tag=97 
nentries=0 etime=0, SASL bind in progress
[26/Apr/2017:14:52:43.981170143 -0500] conn=19059 op=2 BIND dn="" method=sasl 
version=3 mech=GSSAPI
[26/Apr/2017:14:52:43.982397706 -0500] conn=19059 op=2 RESULT err=14 tag=97 
nentries=0 etime=0, SASL bind in progress
[26/Apr/2017:14:52:43.982529305 -0500] conn=19059 op=3 BIND dn="" method=sasl 
version=3 mech=GSSAPI
[26/Apr/2017:14:52:43.983192932 -0500] conn=19059 op=3 RESULT err=0 tag=97 
nentries=0 etime=0 
dn="fqdn=clienthost.domain2.com,cn=computers,cn=accounts,dc=domain,dc=com"
[26/Apr/2017:14:52:43.983449296 -0500] conn=19059 op=4 SRCH 
base="cn=accounts,dc=domain,dc=com" scope=2 
filter="(&(objectClass=ipaHost)(fqdn=clienthost.domain2.com))" 
attrs="objectClass cn fqdn serverHostName memberOf ipaSshPubKey ipaUniqueID"
[26/Apr/2017:14:52:43.984109232 -0500] conn=19059 op=4 RESULT err=0 tag=101 
nentries=1 etime=0 notes=P pr_idx=0 pr_cookie=-1
[26/Apr/2017:14:52:43.984622970 -0500] conn=19059 op=5 SRCH 
base="fqdn=clienthost.domain2.com,cn=computers,cn=accounts,dc=domain,dc=com" 
scope=0 filter="(objectClass=*)" attrs="objectClass cn memberOf ipaUniqueID"
[26/Apr/2017:14:52:43.984955433 -0500] conn=19059 op=5 RESULT err=0 tag=101 
nentries=1 etime=0 notes=P pr_idx=0 pr_cookie=-1
[26/Apr/2017:14:52:43.985234170 -0500] conn=19059 op=6 SRCH 
base="cn=sudo,dc=domain,dc=com" scope=2 
filter="(&(objectClass=ipasudocmdgrp)(entryusn>=20038636))" attrs="objectClass 
ipaUniqueID cn member entryusn"
[26/Apr/2017:14:52:43.986861159 -0500] conn=19059 op=6 RESULT err=0 tag=101 
nentries=0 etime=0 notes=P pr_idx=0 pr_cookie=-1
[26/Apr/2017:14:52:43.987119181 -0500] conn=19059 op=7 SRCH 
base="cn=sudo,dc=domain,dc=com" scope=2 
filter="(&(objectClass=ipasudorule)(ipaEnabledFlag=TRUE)(|(!(memberHost=*))(hostCategory=ALL)(memberHost=fqdn=clienthost.domain2.com,cn=computers,cn=accounts,dc=domain,dc=com))(entryusn>=20038636))"
 attrs="objectClass cn ipaUniqueID ipaEnabledFlag ipaSudoOpt ipaSudoRunAs 
ipaSudoRunAsGroup memberAllowCmd memberDenyCmd memberHost memberUser 
sudoNotAfter sudoNotBefore sudoOrder cmdCategory hostCategory userCategory 
ipaSudoRunAsUserCategory ipaSudoRunAsGroupCategory ipaSudoRunAsExtUser 
ipaSudoRunAsExtGroup ipaSudoRunAsExtUserGroup entryusn"
[26/Apr/2017:14:52:43.987828298 -0500] conn=19059 op=7 RESULT err=0 tag=101 
nentries=0 etime=0 notes=P pr_idx=0 pr_cookie=-1
[26/Apr/2017:14:56:53.754308324 -0500] conn=8 op=8122 MOD 
dn="cn=MasterCRL,ou=crlIssuingPoints,ou=ca,o=ipaca"
[26/Apr/2017:14:56:53.758231493 -0500] conn=8 op=8122 RESULT err=0 tag=103 
nentries=0 etime=0
[26/Apr/2017:14:56:54.141384397 -0500] conn=17 op=5298 SRCH 
base="ou=sessions,ou=Security Domain,o=ipaca" scope=2 
filter="(objectClass=securityDomainSessionEntry)" attrs="cn"
[26/Apr/2017:14:56:54.141558862 -0500] conn=17 op=5298 RESULT err=32 tag=101 
nentries=0 etime=0

  

> On Apr 20, 2017, at 1:03 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> 
> Andrew Krause wrote:
>> Sorry for the self bump but no one has any insight on this?
>> 
>> 
>>> On Apr 17, 2017, at 11:31 AM, Andrew Krause 
>>> <andrew.kra...@breakthroughfuel.com> wrote:
>>> 
>>> Many hosts in our web ui show a null status for “enrolled”.  When you do a 
>>> search that includes any of these host objects the web UI posts errors, and 
>>> if you click on one of the problem hosts the same error stops anything from 
>>> loading on the host page.  
>>> 
>>> I’ve been trying to solve this problem on my own for quite some time and 
>>> have not been successful.  It’s impossible to remove the host through the 
>>> web UI and using CLI commands seem to remove the entry from IPA (host is 
>>> not found with ipa host-find), but it is still visible in the UI.  One 
>>> thing that may be common with all of these hosts is that they were enrolled 
>>> with our IPA system back while we were running version 3.0 and likely have 
>>> had issues for quite some time.  Multiple updates have happened since then, 
>>> and all of our hosts added within the last year are working fine.  I 
>>> suspect there’s an issue with a path somewhere for a certificate database, 
>>> but I’m unable to pinpoint what is going wrong.  
> 
> It should not be possible to have different views in the UI and the CLI
> since they make the same backend calls. What you'd want to do, hopefully
> on a semi-quiet system, is to do a host-find on the CLI and then list
> all hosts in the UI and compare the logs in /var/log/httpd/error_log and
> look at the LDAP queries in /var/log/dirsrv/slapd-REALM/access (this is
> a buffered log so be patient).
> 
> They should be doing more or less the exact same set of queries.
> 
> Very doubtful that this has anything to do with certs. Anything on the
> client would be completely separate from what is on the server.
> 
> One thing you may be seeing though is that in 3.0 clients a host
> certificate was obtained for it. This was dropped with 4.0, but it
> wouldn't affect any visibility on the server.
> 
> rob
> 


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
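
The comparison Rob suggests in the quoted reply (run host-find on the CLI, list hosts in the UI, then compare the LDAP queries in the dirsrv access log), as an added example that is not part of the original thread and is not FreeIPA code. It assumes one unwrapped record per line; the names parse_searches and compare are hypothetical, and the two sample captures are constructed in the access-log format shown above.

```python
import re

# One 389-ds access-log record per line: [timestamp] conn=N op=N <operation ...>
RECORD = re.compile(r'^\[[^\]]+\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$')
SRCH = re.compile(r'^SRCH base="(?P<base>[^"]*)" scope=(?P<scope>\d) '
                  r'filter="(?P<filter>.*?)"(?:\s+attrs=|\s*$)')
RESULT = re.compile(r'^RESULT err=(?P<err>\d+)')


def parse_searches(log_text):
    """Pair each SRCH with its RESULT by (conn, op).

    Returns a list of (base, scope, filter, err) tuples, one per completed search.
    """
    pending, done = {}, []
    for line in log_text.splitlines():
        rec = RECORD.match(line.strip())
        if not rec:
            continue  # connection open/close lines carry no op= field
        key = (rec['conn'], rec['op'])
        srch = SRCH.match(rec['rest'])
        if srch:
            # DNs are case-insensitive, so normalise the base before comparing
            pending[key] = (srch['base'].lower(), int(srch['scope']), srch['filter'])
            continue
        res = RESULT.match(rec['rest'])
        if res and key in pending:
            done.append(pending.pop(key) + (int(res['err']),))
    return done


def compare(cli_log, ui_log):
    """Diff the distinct searches seen in two access-log captures."""
    cli, ui = set(parse_searches(cli_log)), set(parse_searches(ui_log))
    return {
        'only_cli': sorted(cli - ui),
        'only_ui': sorted(ui - cli),
        # err=32 is LDAP noSuchObject; any non-zero result is worth a look
        'failed': sorted(q for q in cli | ui if q[3] != 0),
    }


# Constructed sample captures (not taken from the poster's server).
CLI_LOG = '''\
[26/Apr/2017:14:50:01.000000001 -0500] conn=30 op=1 SRCH base="cn=accounts,dc=domain,dc=com" scope=2 filter="(&(objectClass=ipaHost)(fqdn=clienthost.domain2.com))" attrs="cn fqdn"
[26/Apr/2017:14:50:01.000000002 -0500] conn=30 op=1 RESULT err=0 tag=101 nentries=1 etime=0
'''
UI_LOG = '''\
[26/Apr/2017:14:51:01.000000001 -0500] conn=31 fd=90 slot=90 connection from 10.11.10.3 to 10.11.10.3
[26/Apr/2017:14:51:01.000000002 -0500] conn=31 op=1 SRCH base="cn=accounts,dc=domain,dc=com" scope=2 filter="(&(objectClass=ipaHost)(fqdn=clienthost.domain2.com))" attrs="cn fqdn"
[26/Apr/2017:14:51:01.000000003 -0500] conn=31 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[26/Apr/2017:14:51:01.000000004 -0500] conn=31 op=2 SRCH base="cn=clienthost.domain2.com,cn=masters,cn=ipa,cn=etc,dc=domain,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[26/Apr/2017:14:51:01.000000005 -0500] conn=31 op=2 RESULT err=32 tag=101 nentries=0 etime=0
'''

if __name__ == '__main__':
    report = compare(CLI_LOG, UI_LOG)
    for section, queries in report.items():
        print(section)
        for base, scope, flt, err in queries:
            print(f'  err={err} scope={scope} base={base} filter={flt}')
```

Because the access log is buffered, take each capture only after the writes have flushed, and keep the two time windows separate so the diff reflects one CLI call and one UI page load.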
