[Freeipa-users] Re: ipa-restore breaks pki-tomcatd (?)
Hi,

not exactly same, but feels similar here ;(

_single_ freeipa server (Linux ipa.idm.domain.tld 4.15.14-300.fc27.x86_64, IPA VERSION: 4.6.3, API_VERSION: 2.229)

1) full backup made with ipa-backup
2) server loss
3) new server build from scratch
4) ipa-restore
5) ..Failed to start pki-tomcatd Service

---

ipa: DEBUG: response body b'Apache Tomcat/8.0.50 - Error report
HTTP Status 500 - Subsystem unavailable
type Exception report
message Subsystem unavailable
description The server encountered an internal error that prevented it from fulfilling this request.
exception javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
    com.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:138)
    org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
    com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:81)
    org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
    org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
    org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502)
    org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1132)
    org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)
    org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1539)
    org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1495)
    java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    java.lang.Thread.run(Thread.java:748)
note The full stack trace of the root cause is available in the Apache Tomcat/8.0.50 logs.
Apache Tomcat/8.0.50'
ipa: DEBUG: The CA status is: check interrupted due to error: Retrieving CA status failed with status 500
ipa: DEBUG: Waiting for CA to start...
Failed to start pki-tomcatd Service

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
[Freeipa-users] Re: ipa-restore breaks pki-tomcatd (?)
On 04/10/2018 11:35 AM, Hillar Aarelaid via FreeIPA-users wrote:
> Hi,
> not exactly same, but feels similar here ;(
> _single_ freeipa server (Linux ipa.idm.domain.tld 4.15.14-300.fc27.x86_64, IPA VERSION: 4.6.3, API_VERSION: 2.229)
> 1) full backup made with ipa-backup
> 2) server loss
> 3) new server build from scratch
> 4) ipa-restore
> 5) ..Failed to start pki-tomcatd Service
> [...]
> ipa: DEBUG: The CA status is: check interrupted due to error: Retrieving CA status failed with status 500
> ipa: DEBUG: Waiting for CA to start...
> Failed to start pki-tomcatd Service

Hi,

you can find troubleshooting information in this blog:
https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/

I would start by checking if all the certificates are up-to-date, especially subsystemCert cert-pki-ca.

HTH,
Flo
[Freeipa-users] authoritative nameserver
A while ago I removed my original 2 FreeIPA servers after adding 4 new ones. However, in the DNS zone for my FreeIPA server, the authoritative nameserver entry still has the original nameserver. Should this have been changed when I removed it? Does this have to be changed manually?

Authoritative nameserver: infra-test-ipa.gatewayblend.net.
[Freeipa-users] Re: ipa-restore breaks pki-tomcatd (?)
> On 04/10/2018 04:30 PM, Hillar Aarelaid wrote:
>> On 10. apr 2018, at 15:05, Florence Blanc-Renaud wrote:
>>> I would start by checking if all the certificates are up-to-date, especially subsystemCert cert-pki-ca.
>> sorry, I did not touch any certificates.
>
> Hi,
>
> (re-adding the mailing in copy)
>
> the certificates may have expired between the time you did the backup and reinstalled. What is the output of ipactl status? If only pki-tomcatd fails to start, then the logs from /var/log/pki/pki-tomcat/ca may provide more information.
>
> Flo

it was simple ipa-backup->ipa-restore as described in https://www.freeipa.org/page/Backup_and_Restore#Server_Loss_Cases

I had a _single_ server and (by scenario 'Catastrophic hardware failure') I lost it, so I start with a new server from scratch...

I followed https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/restore as it says: "Important: It is recommended that you uninstall a server before performing a full-server restore on it."

I tried
a) ipa-server-install and then uninstall and then ipa-restore
b) no ipa-server-install, straight to ipa-restore
and always ended up with tomcat not starting.

It seems that most was restored, as I can do kinit with previously existing users and I can find them with ldapsearch, but the command line "ipa whatever-command" fails, so ;( ;( ;(

Hillar

#ref https://github.com/hillar/detektiven/blob/master/vagans/createFedoraIPA.bash#L71
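As an added example, not from the thread or from FreeIPA itself: a small shell helper that scans `getcert list` output for tracked certificates whose expiry date lies before the restore date, which is the check Flo suggests above for subsystemCert cert-pki-ca (a certificate can lapse between ipa-backup and ipa-restore, and pki-tomcatd then fails to start). The getcert sample, the realm IDM.DOMAIN.TLD and the dates are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): flag certmonger-tracked certificates that
# expired before a reference date, e.g. the day ipa-restore was run.
# Real use: getcert list | find_expired_certs "$(date -u +%Y-%m-%d)"

find_expired_certs() {
    # $1 = reference date as YYYY-MM-DD; reads `getcert list` output on stdin.
    # Prints one nickname per expired certificate. ISO dates sort correctly
    # under plain string comparison, so no date arithmetic is needed.
    awk -v ref="$1" -v q="'" '
        /^Request ID/ { nick = "" }
        /nickname=/ && nick == "" {
            sub(".*nickname=" q, ""); sub(q ".*", ""); nick = $0
        }
        /^[ \t]*expires:/ && $2 < ref { print nick }
    '
}

# Constructed sample of `getcert list` output: the CA subsystem certificate
# lapsed before the (hypothetical) restore date, the audit signing cert did not.
SAMPLE_GETCERT=$(cat <<'EOF'
Request ID '20180101120000':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    issuer: CN=Certificate Authority,O=IDM.DOMAIN.TLD
    subject: CN=CA Subsystem,O=IDM.DOMAIN.TLD
    expires: 2018-03-30 12:00:00 UTC
    track: yes
Request ID '20180101120001':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    issuer: CN=Certificate Authority,O=IDM.DOMAIN.TLD
    subject: CN=CA Audit,O=IDM.DOMAIN.TLD
    expires: 2019-12-01 12:00:00 UTC
    track: yes
EOF
)

# Returns 0 when no certificate in the sample had lapsed as of $1, 1 otherwise.
restore_certs_ok() {
    expired=$(printf '%s\n' "$SAMPLE_GETCERT" | find_expired_certs "$1")
    [ -z "$expired" ]
}
```

An expired subsystemCert is only one of the causes the linked blog covers; if nothing is flagged, the pki-tomcat CA logs are the next place to look.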
[Freeipa-users] modifying ttl on dns records
I am trying to modify the TTL for records in my zone. When I try to do this I am getting the following error:

[gatewayblend@freeipa01-dev ~]$ ipa dnsrecord-mod gatewayblend.local. andrew-test.stl1 --ttl=300
No option to modify specific record provided.
Current DNS record contents:

SSHFP record: 1 1 8F38BD27234E2F419E8179607096D497DABAB293, 1 2 3536330BFFF12A9E135FB1C0AD0592B85AF6DE4B806386CDAFB8A90746C55DC0, 3 1 593EA53A72596B89549FE7C342EC6207CBE4B1A5, 3 2 CCD421DBE0FF48127B1360F463506FBD07D1751E9C0694398B14624ED925F2B0, 4 1 3B50D596C462184636194EBBD6D7142D964CAE4F, 4 2 4C7B1BA7E6108EC2225DBF1D85DA60CDFEDCCF11FC140A2C068A4804E2813CB8
A record: 10.1.6.200

Modify SSHFP record '1 1 8F38BD27234E2F419E8179607096D497DABAB293'? Yes/No (default No): Y
ipa: ERROR: invalid 'name': must be Unicode text
[gatewayblend@freeipa01-dev ~]$
[Freeipa-users] Getting Synology NAS to play nice with FreeIPA
I have a Synology NAS which hosts some SMB shares on my network. I would like to be able to use FreeIPA as the LDAP provider it checks against for authenticating these shares. I have a system user that I created in FreeIPA for this purpose.

I configured the NAS to connect to my FreeIPA server for LDAP, but I get a message about a failure to access some users' NT passwords and how the Samba service may not work for these users. It also says it could be either a lack of NT passwords for the users or insufficient privileges to access them.

After chatting with Synology support they wanted me to enable CIFS plaintext password authentication. However, if I select that option it gives me a warning about the share not being able to be the remote mount target of CIFS anymore due to SMB being set to v1 only and disabling the SMB related Bonjour service.

If the system user doesn't have the needed privileges, how can I fix that since I can't enroll the NAS?

--
Kristian Petersen
System Administrator
BYU Dept. of Chemistry and Biochemistry