[Freeipa-users] Re: Cannot access Web UI after IPA upgrade to 4.5

2017-09-16 Thread Sigbjorn Lie via FreeIPA-users
Hi,

I just had the same issue as Gustavo with the webui after upgrading from 7.3 to 
7.4, and came across this thread. Adding the whoami plugin to dse.ldif solved 
the issue.

Thanks.


Regards,
Siggi


> On 9 Aug 2017, at 17:15, Pavel Vomacka via FreeIPA-users wrote:
> 
> 
> 
> On 08/08/2017 02:03 PM, Gustavo Berman via FreeIPA-users wrote:
>> Pavel,
>> Thanks for the help, that solved the problem. Now I can access the web ui.
> I'm glad that it works again.
>> The upgrade took place yesterday and it was a release upgrade from rhel 7.3 
>> (last update was last week) to rhel 7.4 (so we had a lot of package updates):
>> 
> Thank you for info. I have one additional question: What was the first 
> y-version of RHEL 7 you used? 
> 
>> ID | Command line | Date and time    | Action(s)  | Altered
>> ----------------------------------------------------------------
>> 35 | update       | 2017-08-07 09:07 | E, I, O, U | 470 EE
>> 
>> 
>> According to yum history info, these are the ipa packages that were updated:
>> Obsoleted   ipa-admintools-4.4.0-14.el7_3.7.noarch        @rhel7
>> Updated     ipa-client-4.4.0-14.el7_3.7.x86_64            @rhel7
>> Obsoleting  ipa-client-4.5.0-21.el7.x86_64                @rhel7
>> Updated     ipa-client-common-4.4.0-14.el7_3.7.noarch     @rhel7
>> Update      4.5.0-21.el7.noarch                           @rhel7
>> Updated     ipa-common-4.4.0-14.el7_3.7.noarch            @rhel7
>> Update      4.5.0-21.el7.noarch                           @rhel7
>> Updated     ipa-python-compat-4.4.0-14.el7_3.7.noarch     @rhel7
>> Update      4.5.0-21.el7.noarch                           @rhel7
>> Updated     ipa-server-4.4.0-14.el7_3.7.x86_64            @rhel7
>> Update      4.5.0-21.el7.x86_64                           @rhel7
>> Updated     ipa-server-common-4.4.0-14.el7_3.7.noarch     @rhel7
>> Update      4.5.0-21.el7.noarch                           @rhel7
>> Updated     ipa-server-dns-4.4.0-14.el7_3.7.noarch        @rhel7
>> Update      4.5.0-21.el7.noarch                           @rhel7
>> Updated     libipa_hbac-1.14.0-43.el7_3.18.x86_64         @rhel7
>> Update      1.15.2-50.el7.x86_64                          @rhel7
>> Updated     python-libipa_hbac-1.14.0-43.el7_3.18.x86_64  @rhel7
>> Update      1.15.2-50.el7.x86_64                          @rhel7
>> Updated     python2-ipaclient-4.4.0-14.el7_3.7.noarch     @rhel7
>> Update      4.5.0-21.el7.noarch                           @rhel7
>> Updated     python2-ipalib-4.4.0-14.el7_3.7.noarch        @rhel7
>> Update      4.5.0-21.el7.noarch                           @rhel7
>> Updated     python2-ipaserver-4.4.0-14.el7_3.7.noarch     @rhel7
>> Update      4.5.0-21.el7.noarch                           @rhel7
>> Updated     sssd-ipa-1.14.0-43.el7_3.18.x86_64            @rhel7
>> Update      1.15.2-50.el7.x86_64                          @rhel7
>> 
>> 
>> Again, thanks for the help!
>> Kind regards
>> 
>> 
>> On Tue, Aug 8, 2017 at 5:51 AM, Pavel Vomacka wrote:
>> 
>> 
>> 
>> On 08/07/2017 07:01 PM, Gustavo Berman via FreeIPA-users wrote:
>>> Hello Pavel
>>> 
>>> On Mon, Aug 7, 2017 at 12:40 PM, Pavel Vomacka wrote:
>>> 
>>> Hello Gustavo,
>>> 
>>> From what I can see, the issue would be PROTOCOL ERROR in whoami command. 
>>> Could you please check whether all services are running? Please run 
>>> # ipactl status
>>> 
>>> and post the output. 
>>> 
>>> 
>>> # ipactl status
>>> Directory Service: RUNNING
>>> krb5kdc Service: RUNNING
>>> kadmin Service: RUNNING
>>> named Service: RUNNING
>>> httpd Service: RUNNING
>>> ipa-custodia Service: RUNNING
>>> pki-tomcatd Service: RUNNING
>>> ipa-otpd Service: RUNNING
>>> ipa-dnskeysyncd Service: RUNNING
>>> ipa: INFO: The ipactl command was successful
>>> 
>>> 
>>>  
>>> And please could you send me the /etc/named.conf? Especially everything 
>>> after 
>>>  dyndb "ipa"  
>>> line is interesting for us. 
>>> 
>>> This is from /etc/named.conf 
>>> 
>>> options {
>>> // turns on IPv6 for port 53, IPv4 is on by default for all ifaces
>>> listen-on-v6 {any;};
>>> 
>>> // Put files that named is allowed to write in the data/ directory:
>>>

[Freeipa-users] Re: Cannot access Web UI after IPA upgrade to 4.5

2017-08-09 Thread Gustavo Berman via FreeIPA-users
Hi Pavel,
On this machine it says that the first install of rhel-release-server was
7.2-9.
But the ipa information came from a centos 6.4 install some years ago with
ipa 3.0.
Later it was converted to rhel 7.0 and then upgraded through the years.
Hope that helps.


On Wed, Aug 9, 2017 at 12:15 PM, Pavel Vomacka  wrote:

>
>
> On 08/08/2017 02:03 PM, Gustavo Berman via FreeIPA-users wrote:
>
> Pavel,
> Thanks for the help, that solved the problem. Now I can access the web ui.
>
> I'm glad that it works again.
>
> The upgrade took place yesterday and it was a release upgrade from rhel
> 7.3 (last update was last week) to rhel 7.4 (so we had a lot of package
> updates):
>
> Thank you for info. I have one additional question: What was the first
> y-version of RHEL 7 you used?
>
> ID | Command line | Date and time    | Action(s)  | Altered
> ----------------------------------------------------------------
> 35 | update       | 2017-08-07 09:07 | E, I, O, U | 470 EE
>
>
> According to yum history info, these are the ipa packages that were updated:
> Obsoleted   ipa-admintools-4.4.0-14.el7_3.7.noarch        @rhel7
> Updated     ipa-client-4.4.0-14.el7_3.7.x86_64            @rhel7
> Obsoleting  ipa-client-4.5.0-21.el7.x86_64                @rhel7
> Updated     ipa-client-common-4.4.0-14.el7_3.7.noarch     @rhel7
> Update      4.5.0-21.el7.noarch                           @rhel7
> Updated     ipa-common-4.4.0-14.el7_3.7.noarch            @rhel7
> Update      4.5.0-21.el7.noarch                           @rhel7
> Updated     ipa-python-compat-4.4.0-14.el7_3.7.noarch     @rhel7
> Update      4.5.0-21.el7.noarch                           @rhel7
> Updated     ipa-server-4.4.0-14.el7_3.7.x86_64            @rhel7
> Update      4.5.0-21.el7.x86_64                           @rhel7
> Updated     ipa-server-common-4.4.0-14.el7_3.7.noarch     @rhel7
> Update      4.5.0-21.el7.noarch                           @rhel7
> Updated     ipa-server-dns-4.4.0-14.el7_3.7.noarch        @rhel7
> Update      4.5.0-21.el7.noarch                           @rhel7
> Updated     libipa_hbac-1.14.0-43.el7_3.18.x86_64         @rhel7
> Update      1.15.2-50.el7.x86_64                          @rhel7
> Updated     python-libipa_hbac-1.14.0-43.el7_3.18.x86_64  @rhel7
> Update      1.15.2-50.el7.x86_64                          @rhel7
> Updated     python2-ipaclient-4.4.0-14.el7_3.7.noarch     @rhel7
> Update      4.5.0-21.el7.noarch                           @rhel7
> Updated     python2-ipalib-4.4.0-14.el7_3.7.noarch        @rhel7
> Update      4.5.0-21.el7.noarch                           @rhel7
> Updated     python2-ipaserver-4.4.0-14.el7_3.7.noarch     @rhel7
> Update      4.5.0-21.el7.noarch                           @rhel7
> Updated     sssd-ipa-1.14.0-43.el7_3.18.x86_64            @rhel7
> Update      1.15.2-50.el7.x86_64                          @rhel7
>
>
> Again, thanks for the help!
> Kind regards
>
>
> On Tue, Aug 8, 2017 at 5:51 AM, Pavel Vomacka  wrote:
>
>>
>>
>> On 08/07/2017 07:01 PM, Gustavo Berman via FreeIPA-users wrote:
>>
>> Hello Pavel
>>
>> On Mon, Aug 7, 2017 at 12:40 PM, Pavel Vomacka wrote:
>>
>>>
>>> Hello Gustavo,
>>> From what I can see, the issue would be PROTOCOL ERROR in whoami
>>> command. Could you please check whether all services are running? Please run
>>> # ipactl status
>>>
>>> and post the output.
>>>
>>>
>> # ipactl status
>> Directory Service: RUNNING
>> krb5kdc Service: RUNNING
>> kadmin Service: RUNNING
>> named Service: RUNNING
>> httpd Service: RUNNING
>> ipa-custodia Service: RUNNING
>> pki-tomcatd Service: RUNNING
>> ipa-otpd Service: RUNNING
>> ipa-dnskeysyncd Service: RUNNING
>> ipa: INFO: The ipactl command was successful
>>
>>
>>
>>
>>> And please could you send me the /etc/named.conf? Especially everything
>>> after
>>>  dyndb "ipa"
>>> line is interesting for us.
>>>
>>
>> This is from /etc/named.conf
>>
>> options {
>> // turns on IPv6 for port 53, IPv4 is on by default for all ifaces
>> listen-on-v6 {any;};
>>
>> // Put files that named is allowed to write in the data/ directory:
>> directory "/var/named"; // the default
>> dump-file   "data/cache_dump.db";
>> statistics-file "data/named_stats.txt";
>> memstatistics-file  "data/named_mem_stats.txt";
>>
>> forward only;
>> forwarders {
>> 10.73.2.100;
>> 10.73.2.102;
>> 10.73.2.101;
>> };
>>
>> // Any host is permitted to issue recursive queries
>> allow-recursion { any; };
>>
>> tkey-gssapi-keytab "/etc/named.keytab";
>> pid-file "/run/named/named.pid";
>> dnssec-enable yes;
>> dnssec-validation no;
>> bindkeys-file "/etc/named.iscdlv.key";
>> managed-keys-directory "/var/named/dynamic";
>> };

[Freeipa-users] Re: Cannot access Web UI after IPA upgrade to 4.5

2017-08-09 Thread Pavel Vomacka via FreeIPA-users



On 08/08/2017 02:03 PM, Gustavo Berman via FreeIPA-users wrote:

Pavel,
Thanks for the help, that solved the problem. Now I can access the web ui.

I'm glad that it works again.
The upgrade took place yesterday and it was a release upgrade from 
rhel 7.3 (last update was last week) to rhel 7.4 (so we had a lot of 
package updates):


Thank you for info. I have one additional question: What was the first 
y-version of RHEL 7 you used?


ID | Command line | Date and time    | Action(s)  | Altered
----------------------------------------------------------------
35 | update       | 2017-08-07 09:07 | E, I, O, U | 470 EE


According to yum history info, these are the ipa packages that were 
updated:

Obsoleted   ipa-admintools-4.4.0-14.el7_3.7.noarch        @rhel7
Updated     ipa-client-4.4.0-14.el7_3.7.x86_64            @rhel7
Obsoleting  ipa-client-4.5.0-21.el7.x86_64                @rhel7
Updated     ipa-client-common-4.4.0-14.el7_3.7.noarch     @rhel7
Update      4.5.0-21.el7.noarch                           @rhel7
Updated     ipa-common-4.4.0-14.el7_3.7.noarch            @rhel7
Update      4.5.0-21.el7.noarch                           @rhel7
Updated     ipa-python-compat-4.4.0-14.el7_3.7.noarch     @rhel7
Update      4.5.0-21.el7.noarch                           @rhel7
Updated     ipa-server-4.4.0-14.el7_3.7.x86_64            @rhel7
Update      4.5.0-21.el7.x86_64                           @rhel7
Updated     ipa-server-common-4.4.0-14.el7_3.7.noarch     @rhel7
Update      4.5.0-21.el7.noarch                           @rhel7
Updated     ipa-server-dns-4.4.0-14.el7_3.7.noarch        @rhel7
Update      4.5.0-21.el7.noarch                           @rhel7
Updated     libipa_hbac-1.14.0-43.el7_3.18.x86_64         @rhel7
Update      1.15.2-50.el7.x86_64                          @rhel7
Updated     python-libipa_hbac-1.14.0-43.el7_3.18.x86_64  @rhel7
Update      1.15.2-50.el7.x86_64                          @rhel7
Updated     python2-ipaclient-4.4.0-14.el7_3.7.noarch     @rhel7
Update      4.5.0-21.el7.noarch                           @rhel7
Updated     python2-ipalib-4.4.0-14.el7_3.7.noarch        @rhel7
Update      4.5.0-21.el7.noarch                           @rhel7
Updated     python2-ipaserver-4.4.0-14.el7_3.7.noarch     @rhel7
Update      4.5.0-21.el7.noarch                           @rhel7
Updated     sssd-ipa-1.14.0-43.el7_3.18.x86_64            @rhel7
Update      1.15.2-50.el7.x86_64                          @rhel7


Again, thanks for the help!
Kind regards


On Tue, Aug 8, 2017 at 5:51 AM, Pavel Vomacka wrote:




On 08/07/2017 07:01 PM, Gustavo Berman via FreeIPA-users wrote:

Hello Pavel

On Mon, Aug 7, 2017 at 12:40 PM, Pavel Vomacka wrote:


Hello Gustavo,

From what I can see, the issue would be PROTOCOL ERROR in
whoami command. Could you please check whether all services
are running? Please run
# ipactl status

and post the output.


# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful


And please could you send me the /etc/named.conf? Especially
everything after
 dyndb "ipa"
line is interesting for us.


This is from /etc/named.conf

options {
// turns on IPv6 for port 53, IPv4 is on by default for all ifaces
listen-on-v6 {any;};

// Put files that named is allowed to write in the data/ directory:
directory "/var/named"; // the default
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";

forward only;
forwarders {
10.73.2.100;
10.73.2.102;
10.73.2.101;
};

// Any host is permitted to issue recursive queries
allow-recursion { any; };

tkey-gssapi-keytab "/etc/named.keytab";
pid-file "/run/named/named.pid";
dnssec-enable yes;
dnssec-validation no;
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
};

/* If you want to enable debugging, eg. using the 'rndc trace' command,
 * By default, SELinux policy does not allow named to modify the /var/named directory,
 * so put the default debug log file in data/ :
 */
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
print-time yes;
};
};

zone "." IN {
type hint;
file 

[Freeipa-users] Re: Cannot access Web UI after IPA upgrade to 4.5

2017-08-08 Thread Pavel Vomacka via FreeIPA-users

Hello Gustavo,


On 08/07/2017 04:20 PM, Gustavo Berman via FreeIPA-users wrote:


Hi there,
Today we upgraded to the latest IPA 4.5, log says it upgraded just 
fine, ipa seems to authenticate all right, but web ui fails with:

Operations Error
Some operations failed.
an internal error has occurred

And the details it shows when I press the OK button are:

Runtime error
Web UI got in unrecoverable state during "profile" phase.

Technical details:
t.metadata is undefined

[Freeipa-users] Re: Cannot access Web UI after IPA upgrade to 4.5

2017-08-08 Thread Gustavo Berman via FreeIPA-users
Pavel,
Thanks for the help, that solved the problem. Now I can access the web ui.
The upgrade took place yesterday and it was a release upgrade from rhel 7.3
(last update was last week) to rhel 7.4 (so we had a lot of package
updates):

ID | Command line | Date and time    | Action(s)  | Altered
----------------------------------------------------------------
35 | update       | 2017-08-07 09:07 | E, I, O, U | 470 EE


According to yum history info, these are the ipa packages that were updated:
Obsoleted   ipa-admintools-4.4.0-14.el7_3.7.noarch        @rhel7
Updated     ipa-client-4.4.0-14.el7_3.7.x86_64            @rhel7
Obsoleting  ipa-client-4.5.0-21.el7.x86_64                @rhel7
Updated     ipa-client-common-4.4.0-14.el7_3.7.noarch     @rhel7
Update      4.5.0-21.el7.noarch                           @rhel7
Updated     ipa-common-4.4.0-14.el7_3.7.noarch            @rhel7
Update      4.5.0-21.el7.noarch                           @rhel7
Updated     ipa-python-compat-4.4.0-14.el7_3.7.noarch     @rhel7
Update      4.5.0-21.el7.noarch                           @rhel7
Updated     ipa-server-4.4.0-14.el7_3.7.x86_64            @rhel7
Update      4.5.0-21.el7.x86_64                           @rhel7
Updated     ipa-server-common-4.4.0-14.el7_3.7.noarch     @rhel7
Update      4.5.0-21.el7.noarch                           @rhel7
Updated     ipa-server-dns-4.4.0-14.el7_3.7.noarch        @rhel7
Update      4.5.0-21.el7.noarch                           @rhel7
Updated     libipa_hbac-1.14.0-43.el7_3.18.x86_64         @rhel7
Update      1.15.2-50.el7.x86_64                          @rhel7
Updated     python-libipa_hbac-1.14.0-43.el7_3.18.x86_64  @rhel7
Update      1.15.2-50.el7.x86_64                          @rhel7
Updated     python2-ipaclient-4.4.0-14.el7_3.7.noarch     @rhel7
Update      4.5.0-21.el7.noarch                           @rhel7
Updated     python2-ipalib-4.4.0-14.el7_3.7.noarch        @rhel7
Update      4.5.0-21.el7.noarch                           @rhel7
Updated     python2-ipaserver-4.4.0-14.el7_3.7.noarch     @rhel7
Update      4.5.0-21.el7.noarch                           @rhel7
Updated     sssd-ipa-1.14.0-43.el7_3.18.x86_64            @rhel7
Update      1.15.2-50.el7.x86_64                          @rhel7


Again, thanks for the help!
Kind regards


On Tue, Aug 8, 2017 at 5:51 AM, Pavel Vomacka  wrote:

>
>
> On 08/07/2017 07:01 PM, Gustavo Berman via FreeIPA-users wrote:
>
> Hello Pavel
>
> On Mon, Aug 7, 2017 at 12:40 PM, Pavel Vomacka wrote:
>
>>
>> Hello Gustavo,
>> From what I can see, the issue would be PROTOCOL ERROR in whoami command.
>> Could you please check whether all services are running? Please run
>> # ipactl status
>>
>> and post the output.
>>
>>
> # ipactl status
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> named Service: RUNNING
> httpd Service: RUNNING
> ipa-custodia Service: RUNNING
> pki-tomcatd Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa-dnskeysyncd Service: RUNNING
> ipa: INFO: The ipactl command was successful
>
>
>
>
>> And please could you send me the /etc/named.conf? Especially everything
>> after
>>  dyndb "ipa"
>> line is interesting for us.
>>
>
> This is from /etc/named.conf
>
> options {
> // turns on IPv6 for port 53, IPv4 is on by default for all ifaces
> listen-on-v6 {any;};
>
> // Put files that named is allowed to write in the data/ directory:
> directory "/var/named"; // the default
> dump-file   "data/cache_dump.db";
> statistics-file "data/named_stats.txt";
> memstatistics-file  "data/named_mem_stats.txt";
>
> forward only;
> forwarders {
> 10.73.2.100;
> 10.73.2.102;
> 10.73.2.101;
> };
>
> // Any host is permitted to issue recursive queries
> allow-recursion { any; };
>
> tkey-gssapi-keytab "/etc/named.keytab";
> pid-file "/run/named/named.pid";
> dnssec-enable yes;
> dnssec-validation no;
> bindkeys-file "/etc/named.iscdlv.key";
> managed-keys-directory "/var/named/dynamic";
> };
>
> /* If you want to enable debugging, eg. using the 'rndc trace' command,
>  * By default, SELinux policy does not allow named to modify the /var/named directory,
>  * so put the default debug log file in data/ :
>  */
> logging {
> channel default_debug {
> file "data/named.run";
> severity dynamic;
> print-time yes;
> };
> };
>
> zone "." IN {
> type hint;
> file "named.ca";
> };
>
> include 

[Freeipa-users] Re: Cannot access Web UI after IPA upgrade to 4.5

2017-08-08 Thread Pavel Vomacka via FreeIPA-users



On 08/07/2017 07:01 PM, Gustavo Berman via FreeIPA-users wrote:

Hello Pavel

On Mon, Aug 7, 2017 at 12:40 PM, Pavel Vomacka wrote:



Hello Gustavo,

From what I can see, the issue would be PROTOCOL ERROR in whoami
command. Could you please check whether all services are running?
Please run
# ipactl status

and post the output.


# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful


And please could you send me the /etc/named.conf? Especially
everything after
 dyndb "ipa"
line is interesting for us.


This is from /etc/named.conf

options {
    // turns on IPv6 for port 53, IPv4 is on by default for all ifaces
    listen-on-v6 {any;};

    // Put files that named is allowed to write in the data/ directory:
    directory "/var/named"; // the default
    dump-file "data/cache_dump.db";
    statistics-file "data/named_stats.txt";
    memstatistics-file "data/named_mem_stats.txt";

    forward only;
    forwarders {
        10.73.2.100;
        10.73.2.102;
        10.73.2.101;
    };

    // Any host is permitted to issue recursive queries
    allow-recursion { any; };

    tkey-gssapi-keytab "/etc/named.keytab";
    pid-file "/run/named/named.pid";
    dnssec-enable yes;
    dnssec-validation no;
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
};

/* If you want to enable debugging, eg. using the 'rndc trace' command,
 * By default, SELinux policy does not allow named to modify the /var/named directory,
 * so put the default debug log file in data/ :
 */
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
        print-time yes;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";

dyndb "ipa" "/usr/lib64/bind/ldap.so" {
    uri "ldapi://%2fvar%2frun%2fslapd-FISICA-CABIB.socket";
    base "cn=dns, dc=fisica,dc=cabib";
    fake_mname "ipaserver.fisica.cabib.";
    auth_method "sasl";
    sasl_mech "GSSAPI";
    sasl_user "DNS/ipaserver.fisica.cabib";
    server_id "ipaserver.fisica.cabib";
};
include "/etc/named.root.key";

key "rndc-key" {
    algorithm hmac-md5;
    secret "#";
};



Thank you for the configuration. It looks good.

Another thing that might be incorrect is that the whoami plugin is not 
loaded. Please check whether you have the following line:

dn: cn=whoami,cn=plugins,cn=config

in the /etc/dirsrv/slapd-IPASERVER-FISICA-CABIB/dse.ldif

If not, please add the following lines there (between the double quotes, 
but without them):


"
dn: cn=whoami,cn=plugins,cn=config
cn: whoami
nsslapd-plugin-depends-on-type: database
nsslapd-pluginDescription: whoami extended operation plugin
nsslapd-pluginEnabled: on
nsslapd-pluginId: whoami-plugin
nsslapd-pluginInitfunc: whoami_init
nsslapd-pluginPath: libwhoami-plugin
nsslapd-pluginType: extendedop
nsslapd-pluginVendor: 389 Project
nsslapd-pluginVersion: 1.3.5.18
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
"

and change the nsslapd-pluginVersion value to the same as the other 
plugins have.


Then you will probably need to restart the ipa service or at least dirsrv.

Did that help?

Could you please tell us more about the upgrade? Especially from which 
version did you upgrade to 4.5 and which OS do you use? Which version of 
IPA did you have when you started using IPA?


--
Gustavo Berman
Sysadmin - Gerencia de Física - Centro Atómico Bariloche - CNEA


___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


--
Pavel^3 Vomacka
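
The check described in this message, as an added example that is not part of the original thread and is not FreeIPA or 389 Directory Server code: it reads a dse.ldif, reports whether the cn=whoami,cn=plugins,cn=config entry is present and enabled, and, when it is missing, renders the entry from the message with nsslapd-pluginVersion copied from the other plugin entries. The sample dse.ldif text and its version 1.3.6.1 are constructed, and the function names are this example's own.

```python
import re
from collections import Counter

WHOAMI_DN = "cn=whoami,cn=plugins,cn=config"
# Entry from the thread; the version is filled in from the other plugins.
WHOAMI_STANZA = """dn: cn=whoami,cn=plugins,cn=config
cn: whoami
nsslapd-plugin-depends-on-type: database
nsslapd-pluginDescription: whoami extended operation plugin
nsslapd-pluginEnabled: on
nsslapd-pluginId: whoami-plugin
nsslapd-pluginInitfunc: whoami_init
nsslapd-pluginPath: libwhoami-plugin
nsslapd-pluginType: extendedop
nsslapd-pluginVendor: 389 Project
nsslapd-pluginVersion: {version}
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
"""
# Constructed sample of a dse.ldif without the whoami entry (not from the thread).
SAMPLE_DSE = """dn: cn=config
cn: config

dn: cn=Account Usability Plugin,cn=plugins,cn=config
nsslapd-pluginDescription: Account Usability Control plugin, with a descrip
 tion long enough to be folded
nsslapd-pluginEnabled: on
nsslapd-pluginVersion: 1.3.6.1

dn: cn=MemberOf Plugin, cn=plugins, cn=config
nsslapd-pluginEnabled: on
nsslapd-pluginVersion: 1.3.6.1
"""

def parse_ldif(text):
    """Return entries as lists of (lowercased attribute, value) pairs."""
    # LDIF folds long lines: a leading space continues the previous line.
    unfolded = re.sub(r"\r?\n ", "", text)
    entries = []
    for block in re.split(r"\n\s*\n", unfolded):
        pairs = [(a.strip().lower(), v.strip())
                 for a, sep, v in (line.partition(":") for line in block.splitlines())
                 if sep and not a.startswith("#")]
        if pairs and pairs[0][0] == "dn":
            entries.append(pairs)
    return entries

def norm_dn(dn):
    # Enough for plugin DNs; does not handle escaped commas.
    return ",".join(p.strip().lower() for p in dn.split(","))

def check_whoami(dse_text):
    """Report whether the whoami plugin entry is present and enabled."""
    plugins = [e for e in parse_ldif(dse_text)
               if norm_dn(e[0][1]).endswith(",cn=plugins,cn=config")]
    entry = next((dict(e) for e in plugins if norm_dn(e[0][1]) == WHOAMI_DN), None)
    if entry is not None:
        enabled = entry.get("nsslapd-pluginenabled", "").lower() == "on"
        return {"status": "ok" if enabled else "disabled", "stanza": None}
    # "the same as other plugins have": take the most common sibling version.
    versions = Counter(v for e in plugins for a, v in e
                       if a == "nsslapd-pluginversion")
    version = versions.most_common(1)[0][0] if versions else "VERSION-NOT-FOUND"
    return {"status": "missing", "stanza": WHOAMI_STANZA.format(version=version)}

if __name__ == "__main__":
    result = check_whoami(SAMPLE_DSE)
    print(result["status"])
    print(result["stanza"] or "")
```

To check a real server, pass the contents of the instance's dse.ldif to check_whoami(). 389 Directory Server rewrites dse.ldif while it runs, so add the stanza with the instance stopped and start it again afterwards.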



[Freeipa-users] Re: Cannot access Web UI after IPA upgrade to 4.5

2017-08-07 Thread Gustavo Berman via FreeIPA-users
Hello Pavel

On Mon, Aug 7, 2017 at 12:40 PM, Pavel Vomacka  wrote:

>
> Hello Gustavo,
> From what I can see, the issue would be PROTOCOL ERROR in whoami command.
> Could you please check whether all services are running? Please run
> # ipactl status
>
> and post the output.
>
>
# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful




> And please could you send me the /etc/named.conf? Especially everything
> after
>  dyndb "ipa"
> line is interesting for us.
>

This is from /etc/named.conf

options {
    // turns on IPv6 for port 53, IPv4 is on by default for all ifaces
    listen-on-v6 {any;};

    // Put files that named is allowed to write in the data/ directory:
    directory "/var/named"; // the default
    dump-file "data/cache_dump.db";
    statistics-file "data/named_stats.txt";
    memstatistics-file "data/named_mem_stats.txt";

    forward only;
    forwarders {
        10.73.2.100;
        10.73.2.102;
        10.73.2.101;
    };

    // Any host is permitted to issue recursive queries
    allow-recursion { any; };

    tkey-gssapi-keytab "/etc/named.keytab";
    pid-file "/run/named/named.pid";
    dnssec-enable yes;
    dnssec-validation no;
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
};

/* If you want to enable debugging, eg. using the 'rndc trace' command,
 * By default, SELinux policy does not allow named to modify the /var/named directory,
 * so put the default debug log file in data/ :
 */
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
        print-time yes;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";

dyndb "ipa" "/usr/lib64/bind/ldap.so" {
    uri "ldapi://%2fvar%2frun%2fslapd-FISICA-CABIB.socket";
    base "cn=dns, dc=fisica,dc=cabib";
    fake_mname "ipaserver.fisica.cabib.";
    auth_method "sasl";
    sasl_mech "GSSAPI";
    sasl_user "DNS/ipaserver.fisica.cabib";
    server_id "ipaserver.fisica.cabib";
};
include "/etc/named.root.key";

key "rndc-key" {
    algorithm hmac-md5;
    secret "#";
};



-- 
Gustavo Berman
Sysadmin - Gerencia de Física - Centro Atómico Bariloche - CNEA