[Freeipa-users] Re: ipa-restore breaks pki-tomcatd (?)

2018-04-10 Thread Hillar Aarelaid via FreeIPA-users
Hi

not exactly the same, but feels similar here ;(

_single_ freeipa server 
(Linux ipa.idm.domain.tld 4.15.14-300.fc27.x86_64 IPA VERSION: 4.6.3, 
API_VERSION: 2.229)

1) full backup made with ipa-backup 
2) server loss
3) new server build from scratch
4) ipa-restore 
5) ..Failed to start pki-tomcatd Service


---

ipa: DEBUG: response body b'Apache Tomcat/8.0.50 - Error report
HTTP Status 500 - Subsystem unavailable
type Exception report
message Subsystem unavailable
description The server encountered an internal error that prevented it from fulfilling this request.
exception javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
    com.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:138)
    org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
    com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:81)
    org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
    org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
    org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502)
    org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1132)
    org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)
    org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1539)
    org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1495)
    java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    java.lang.Thread.run(Thread.java:748)
note The full stack trace of the root cause is available in the Apache Tomcat/8.0.50 logs.
Apache Tomcat/8.0.50'
ipa: DEBUG: The CA status is: check interrupted due to error: Retrieving CA status failed with status 500
ipa: DEBUG: Waiting for CA to start...
Failed to start pki-tomcatd Service
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: ipa-restore breaks pki-tomcatd (?)

2018-04-10 Thread Florence Blanc-Renaud via FreeIPA-users

On 04/10/2018 11:35 AM, Hillar Aarelaid via FreeIPA-users wrote:

Hi

not exactly the same, but feels similar here ;(

_single_ freeipa server
(Linux ipa.idm.domain.tld 4.15.14-300.fc27.x86_64 IPA VERSION: 4.6.3, 
API_VERSION: 2.229)

1) full backup made with ipa-backup
2) server loss
3) new server build from scratch
4) ipa-restore
5) ..Failed to start pki-tomcatd Service


---

ipa: DEBUG: response body b'Apache Tomcat/8.0.50 - Error report
HTTP Status 500 - Subsystem unavailable
type Exception report
message Subsystem unavailable
description The server encountered an internal error that prevented it from fulfilling this request.
exception javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
    com.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:138)
    org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
    com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:81)
    org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
    org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
    org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502)
    org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1132)
    org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)
    org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1539)
    org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1495)
    java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    java.lang.Thread.run(Thread.java:748)
note The full stack trace of the root cause is available in the Apache Tomcat/8.0.50 logs.
Apache Tomcat/8.0.50'
ipa: DEBUG: The CA status is: check interrupted due to error: Retrieving CA status failed with status 500
ipa: DEBUG: Waiting for CA to start...
Failed to start pki-tomcatd Service


Hi,

you can find troubleshooting information in this blog:
https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/

I would start by checking if all the certificates are up-to-date, 
especially subsystemCert cert-pki-ca.


HTH,
Flo



[Freeipa-users] authoritative nameserver

2018-04-10 Thread Andrew Meyer via FreeIPA-users
A while ago I removed my original 2 FreeIPA servers after adding 4 new ones.  
However, in the DNS zone for my FreeIPA server, the authoritative nameserver 
entry still has the original nameserver.  Should this have been changed when 
I removed it?  Does this have to be changed manually?
Authoritative nameserver: infra-test-ipa.gatewayblend.net.


[Freeipa-users] Re: ipa-restore breaks pki-tomcatd (?)

2018-04-10 Thread Florence Blanc-Renaud via FreeIPA-users

On 04/10/2018 04:30 PM, Hillar Aarelaid wrote:



On 10. apr 2018, at 15:05, Florence Blanc-Renaud wrote:

I would start by checking if all the certificates are up-to-date, especially 
subsystemCert cert-pki-ca.


sorry, i did not touch any certificates.


Hi,

(re-adding the mailing in copy)
the certificates may have expired between the time you did the backup 
and reinstalled.


What is the output of ipactl status? If only pki-tomcatd fails to start, 
then the logs from /var/log/pki/pki-tomcat/ca may provide more information.


Flo


it was a simple ipa-backup->ipa-restore as described in 
https://www.freeipa.org/page/Backup_and_Restore#Server_Loss_Cases
I had a _single_ server and (by scenario 'Catastrophic hardware failure') I lost 
it, so I started with a new server from scratch...
I followed 
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/restore
as it says: "Important It is recommended that you uninstall a server before 
performing a full-server restore on it."
I tried
a) ipa-server-install and then uninstall and then ipa-restore
b) no ipa-server-install, straight to ipa-restore

and always ended up with tomcat not starting.
It seems that most was restored, as I can do kinit with previously existing 
users and I can find them with ldapsearch,
but the command line "ipa whatever-command" fails, so ;( ;( ;(

Hillar

#ref 
https://github.com/hillar/detektiven/blob/master/vagans/createFedoraIPA.bash#L71




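Florence's two suggestions in this thread (check that the CA's own certificates, especially subsystemCert cert-pki-ca, are still within their validity period, and look at ipactl status to see whether only pki-tomcatd is down before digging into /var/log/pki/pki-tomcat/ca) can be scripted so the check is repeatable after every restore. The following is an added example written for this thread; it is not FreeIPA code and not anything the posters ran. It assumes the Dogtag NSS database lives at /etc/pki/pki-tomcat/alias, that the nicknames listed are the ones FreeIPA uses, that certutil and ipactl are on PATH, and that certutil's printed timestamps can be treated as UTC; the certutil and ipactl output embedded in it is constructed sample text.

```python
"""Post-restore sanity check for a FreeIPA CA: are the Dogtag certificates
still valid, and which IPA services are not running?  Added example, not
FreeIPA's own code."""
import re
import subprocess
from datetime import datetime, timezone

# Assumed locations: the Dogtag NSS database and the nicknames FreeIPA uses.
NSSDB = "/etc/pki/pki-tomcat/alias"
CA_NICKNAMES = (
    "subsystemCert cert-pki-ca",
    "auditSigningCert cert-pki-ca",
    "ocspSigningCert cert-pki-ca",
    "caSigningCert cert-pki-ca",
    "Server-Cert cert-pki-ca",
)

# certutil -L prints e.g. "Not Before: Mon Apr 09 09:00:00 2018" and
# "Not After : Thu Apr 09 09:00:00 2020".  The timestamps are treated as UTC
# here (assumption); day-level accuracy is all this check needs.
_VALIDITY_RE = re.compile(
    r"Not (Before|After)\s*:\s*(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4})")
_DATE_FMT = "%a %b %d %H:%M:%S %Y"

# `ipactl status` prints one "<name> Service: RUNNING|STOPPED" line per service.
_SERVICE_RE = re.compile(r"^(\S+) Service: (\w+)", re.MULTILINE)

# Constructed sample output (not captured from a real server) for offline use.
SAMPLE_CERTUTIL = """Certificate:
    Data:
        Validity:
            Not Before: Mon Apr 09 09:00:00 2018
            Not After : Thu Apr 09 09:00:00 2020
"""
SAMPLE_IPACTL = """Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: STOPPED
ipa-otpd Service: RUNNING
"""


def utc(year, month, day, hour=0):
    """Build an aware UTC timestamp (convenience for callers and checks)."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def parse_validity(certutil_output):
    """Return (not_before, not_after) from `certutil -L -d DB -n NICK` text."""
    found = {}
    for m in _VALIDITY_RE.finditer(certutil_output):
        stamp = datetime.strptime(m.group(2), _DATE_FMT)
        found[m.group(1)] = stamp.replace(tzinfo=timezone.utc)
    if set(found) != {"Before", "After"}:
        raise ValueError("no Validity block in certutil output")
    return found["Before"], found["After"]


def cert_state(certutil_output, now):
    """Classify a certificate relative to `now`: 'valid', 'expired', or
    'not-yet-valid' (the last one shows up when the rebuilt host's clock is off)."""
    not_before, not_after = parse_validity(certutil_output)
    if now < not_before:
        return "not-yet-valid"
    if now >= not_after:
        return "expired"
    return "valid"


def services_not_running(ipactl_output):
    """Names of services whose ipactl status is anything other than RUNNING."""
    return [name for name, state in _SERVICE_RE.findall(ipactl_output)
            if state != "RUNNING"]


def run(cmd):
    """Run a command and return stdout+stderr (ipactl writes to both)."""
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for nick in CA_NICKNAMES:
        out = run(["certutil", "-L", "-d", NSSDB, "-n", nick])
        try:
            _, not_after = parse_validity(out)
            print(f"{nick}: {cert_state(out, now)} (not after {not_after:%Y-%m-%d})")
        except ValueError:
            print(f"{nick}: not found in {NSSDB}")
    down = services_not_running(run(["ipactl", "status"]))
    print("services not running:", ", ".join(down) if down else "none")
    if down == ["pki-tomcatd"]:
        print("only pki-tomcatd is down: check /var/log/pki/pki-tomcat/ca/ next")
```

Run it as root on the restored server; an "expired" or "not-yet-valid" line for subsystemCert cert-pki-ca is the case Florence describes (the certificates aged out between backup and restore), while "not found" means the NSS database itself did not come back from the backup, which is a different problem.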


[Freeipa-users] modifying ttl on dns records

2018-04-10 Thread Andrew Meyer via FreeIPA-users
I am trying to modify the TTL for records in my zone.  When I try to do this I 
am getting the following error:
[gatewayblend@freeipa01-dev ~]$ ipa dnsrecord-mod gatewayblend.local. andrew-test.stl1 --ttl=300
No option to modify specific record provided.
Current DNS record contents:

SSHFP record: 1 1 8F38BD27234E2F419E8179607096D497DABAB293, 1 2 3536330BFFF12A9E135FB1C0AD0592B85AF6DE4B806386CDAFB8A907 46C55DC0, 3 1 593EA53A72596B89549FE7C342EC6207CBE4B1A5, 3 2 CCD421DBE0FF48127B1360F463506FBD07D1751E9C0694398B14624E D925F2B0, 4 1 3B50D596C462184636194EBBD6D7142D964CAE4F, 4 2 4C7B1BA7E6108EC2225DBF1D85DA60CDFEDCCF11FC140A2C068A4804 E2813CB8
A record: 10.1.6.200

Modify SSHFP record '1 1 8F38BD27234E2F419E8179607096D497DABAB293'? Yes/No (default No): Y
ipa: ERROR: invalid 'name': must be Unicode text
[gatewayblend@freeipa01-dev ~]$


[Freeipa-users] Getting Synology NAS to play nice with FreeIPA

2018-04-10 Thread Kristian Petersen via FreeIPA-users
I have a synology NAS which hosts some SMB shares on my network.  I would
like to be able to use FreeIPA as the LDAP provider it checks against for
authenticating these shares.  I have a system user that I created in
FreeIPA for this purpose.

I configured the NAS to connect to my FreeIPA server for LDAP, but I get a
message about a failure to access some users' NT passwords and how the Samba
service may not work for these users.  It also says it could be either a
lack of NT passwords for the users or insufficient privileges to access
them.  After chatting with Synology support they wanted me to enable CIFS
plaintext password authentication.  However, if I select that option it
gives me a warning about the share not being able to be the remote mount
target of CIFS anymore due to SMB being set to v1 only and disabling the
SMB related Bonjour service.  If the system user doesn't have the needed
privileges, how can I fix that since I can't enroll the NAS?

-- 
Kristian Petersen
System Administrator
BYU Dept. of Chemistry and Biochemistry