[Freeipa-users] Re: How to wreck your IPA environment
DNS and kerberos seem to be working fine (and have been for a long while). All `ipa` commands fail:

```
# kinit admin
Password for admin@$REALM:
# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
# ipa help topics
ipa: ERROR: cannot connect to 'any of the configured servers': https://$MASTER/ipa/json, https://$REPLICA/ipa/json
```

(yes, the firewall is open)

Attempting to log in via the WebUI with user/pass, it says `Authenticating...`, then prints red text: "An unknown error occurred." (or something to that effect). The apache error log shows:

```
[Tue Nov 06 07:46:46.388297 2018] [:error] [pid 23816] ipa: INFO: *** PROCESS START ***
[Tue Nov 06 07:46:46.862410 2018] [:error] [pid 23815] ipa: INFO: *** PROCESS START ***
[Tue Nov 06 07:48:55.510961 2018] [:error] [pid 23816] ipa: ERROR: 500 Internal Server Error: KerberosWSGIExecutioner.__call__: KRB5CCNAME not defined in HTTP request environment
[Tue Nov 06 07:48:55.512943 2018] [:error] [pid 23816] [remote $MASTER_IP:52342] mod_wsgi (pid=23816): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Tue Nov 06 07:48:55.513207 2018] [:error] [pid 23816] [remote $MASTER_IP:52342] RuntimeError: response has not been started
[Tue Nov 06 17:09:21.20 2018] [:error] [pid 23815] ipa: ERROR: 500 Internal Server Error: KerberosWSGIExecutioner.__call__: KRB5CCNAME not defined in HTTP request environment
[Tue Nov 06 17:09:21.113133 2018] [:error] [pid 23815] [remote $MASTER_IP:52342] mod_wsgi (pid=23815): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Tue Nov 06 17:09:21.113410 2018] [:error] [pid 23815] [remote $MASTER_IP:52342] RuntimeError: response has not been started
[Tue Nov 06 17:17:28.498098 2018] [auth_gssapi:error] [pid 23819] [client $CLIENT:36060] NO AUTH DATA Client did not send any authentication headers, referer: https://$MASTER/ipa/ui/
[Tue Nov 06 17:17:28.522306 2018] [auth_gssapi:error] [pid 23819] [client $CLIENT:36060] NO AUTH DATA Client did not send any authentication headers, referer: https://$MASTER/ipa/ui/
[Tue Nov 06 17:17:35.408453 2018] [:error] [pid 23815] [remote $CLIENT:24687] mod_wsgi (pid=23815): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Tue Nov 06 17:17:35.408776 2018] [:error] [pid 23815] [remote $CLIENT:24687] Traceback (most recent call last):
[Tue Nov 06 17:17:35.408944 2018] [:error] [pid 23815] [remote $CLIENT:24687]   File "/usr/share/ipa/wsgi.py", line 51, in application
[Tue Nov 06 17:17:35.409572 2018] [:error] [pid 23815] [remote $CLIENT:24687]     return api.Backend.wsgi_dispatch(environ, start_response)
[Tue Nov 06 17:17:35.409666 2018] [:error] [pid 23815] [remote $CLIENT:24687]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 262, in __call__
[Tue Nov 06 17:17:35.471519 2018] [:error] [pid 23815] [remote $CLIENT:24687]     return self.route(environ, start_response)
[Tue Nov 06 17:17:35.471701 2018] [:error] [pid 23815] [remote $CLIENT:24687]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 274, in route
[Tue Nov 06 17:17:35.471923 2018] [:error] [pid 23815] [remote $CLIENT:24687]     return app(environ, start_response)
[Tue Nov 06 17:17:35.472027 2018] [:error] [pid 23815] [remote $CLIENT:24687]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 929, in __call__
[Tue Nov 06 17:17:35.472163 2018] [:error] [pid 23815] [remote $CLIENT:24687]     self.kinit(user_principal, password, ipa_ccache_name)
[Tue Nov 06 17:17:35.472244 2018] [:error] [pid 23815] [remote $CLIENT:24687]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 965, in kinit
[Tue Nov 06 17:17:35.472378 2018] [:error] [pid 23815] [remote $CLIENT:24687]     pkinit_anchors=[paths.KDC_CERT, paths.KDC_CA_BUNDLE_PEM],
[Tue Nov 06 17:17:35.472461 2018] [:error] [pid 23815] [remote $CLIENT:24687]   File "/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 125, in kinit_armor
[Tue Nov 06 17:17:35.474208 2018] [:error] [pid 23815] [remote $CLIENT:24687]     run(args, env=env, raiseonerr=True, capture_error=True)
[Tue Nov 06 17:17:35.474308 2018] [:error] [pid 23815] [remote $CLIENT:24687]   File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 512, in run
[Tue Nov 06 17:17:35.480086 2018] [:error] [pid 23815] [remote $CLIENT:24687]     raise CalledProcessError(p.returncode, arg_string, str(output))
[Tue Nov 06 17:17:35.480364 2018] [:error] [pid 23815] [remote $CLIENT:24687] CalledProcessError: Command '/usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_23815 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned
```
[Freeipa-users] Getting access denied when using kerberos when mounting nfs share
I followed these instructions to enable kerberos within my realm/domain. My FreeIPA, NFS server and my NFS client are CentOS 7.4:

https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/kerb-nfs.html

I'm completely stuck in that when I mount the NFS share I get:

```
sudo mount -o sec=krb5p share.example.com:/data/shared /mnt/shared
mount.nfs: access denied by server while mounting share.example.com:/data/shared
```

My /etc/exports file:

```
/data/shared 172.16.0.0/24(sec=krb5p, rw, ...)
```

On my NFS server, all I see in /var/log/messages is:

```
rpc.mountd[1674]: authenticated mount request from 172.16.0.23:819 for /data/shared (/data/shared)
```

If I remove the "sec=krb5p" from the mount and the exports file it mounts just fine.

-Kevin

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
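Before looking at the Kerberos side of an "access denied" on a `sec=krb5p` mount, it is worth ruling out the exports file itself. The Python below is an added example (not from the thread and not part of nfs-utils) that parses `/etc/exports` along the lines exports(5) describes, flags whitespace in the option list (exports(5) permits none between a client and its options, and the spaces after the commas in the line quoted above are the kind of thing to rule out first), and checks whether a given client address and `sec=` flavour are matched by an entry. The sample exports file is constructed; the client address 172.16.0.23 is taken from the rpc.mountd line quoted above; hostname and netgroup client specs are left unresolved so the example runs offline, and taking the first matching spec in file order is a simplification of exportfs's precedence rules.

```python
import ipaddress
import re

# Constructed sample /etc/exports for this example. The first entry mirrors the shape
# quoted in the thread (note the spaces after the commas); the others are for contrast.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed sample)
/data/shared 172.16.0.0/24(sec=krb5p, rw, sync)
/data/public *(ro,sync,sec=sys)
/data/mixed 172.16.0.0/24(rw,sec=krb5:krb5i:krb5p) nfsclient.example.com(ro,sec=sys)
"""

CLIENT_RE = re.compile(r"^([^(]+)(?:\((.*)\))?$")


def parse_clients(rest):
    """Split the client part of an exports line into [(client, [options])] plus lint warnings."""
    entries, warnings = [], []
    tokens = rest.split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        # "host (ro)": exports(5) allows no whitespace between a client and its option list.
        if i + 1 < len(tokens) and tokens[i + 1].startswith("("):
            warnings.append("whitespace between client %r and its option list" % tok)
            i += 1
            tok += tokens[i]
        # "(sec=krb5p, rw)": whitespace inside the list. Rejoin until the parentheses
        # balance so the intent can still be checked, but report it.
        if tok.count("(") > tok.count(")"):
            warnings.append("whitespace inside option list starting at %r" % tok)
            while tok.count("(") > tok.count(")") and i + 1 < len(tokens):
                i += 1
                tok += tokens[i]
        m = CLIENT_RE.match(tok)
        if m is None:
            warnings.append("unparseable client spec %r" % tok)
        else:
            opts = [o for o in (m.group(2) or "").split(",") if o]
            entries.append((m.group(1), opts))
        i += 1
    return entries, warnings


def parse_exports(text):
    """Return {export_path: (entries, warnings)}; comments and blank lines are skipped."""
    exports = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        exports[parts[0]] = parse_clients(parts[1] if len(parts) > 1 else "")
    return exports


def sec_flavors(opts):
    """Security flavours an option list accepts; exports(5) defaults to sys when sec= is absent."""
    for o in opts:
        if o.startswith("sec="):
            return o[4:].split(":")
    return ["sys"]


def client_matches(spec, client_ip):
    """True if an IP client matches a '*' or address/CIDR spec. Hostnames and netgroups
    would need DNS/NIS lookups, which this offline example does not perform."""
    if spec == "*":
        return True
    try:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return False


def check_mount(exports, path, client_ip, sec):
    """Findings for a client at client_ip mounting `path` with -o sec=<sec>.
    Takes the first matching client spec in file order (a simplification)."""
    if path not in exports:
        return ["%s is not exported" % path]
    entries, warnings = exports[path]
    findings = list(warnings)
    matched = [(c, o) for c, o in entries if client_matches(c, client_ip)]
    if not matched:
        findings.append("no client spec for %s matches %s" % (path, client_ip))
        return findings
    client, opts = matched[0]
    flavors = sec_flavors(opts)
    if sec in flavors:
        findings.append("export permits sec=%s for %s; the exports file is not the cause" % (sec, client))
    else:
        findings.append("client spec %s allows sec=%s, not %s" % (client, ":".join(flavors), sec))
    return findings


if __name__ == "__main__":
    exports = parse_exports(SAMPLE_EXPORTS)
    # 172.16.0.23 is the client address from the rpc.mountd line quoted in the post.
    for finding in check_mount(exports, "/data/shared", "172.16.0.23", "krb5p"):
        print(finding)
```

If the check reports that the export permits the requested flavour, the exports file is not the cause and the next things to verify are the Kerberos pieces the linked guide sets up: the `nfs/<fqdn>` service principals in the keytabs on both server and client, and the rpc.gssd log on the client alongside the server-side GSS daemon log.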
[Freeipa-users] Re: How to wreck your IPA environment
...oh, it says "Your reply has been sent, and is being processed"...maybe that means it will eventually show up. I guess I'll wait :S
[Freeipa-users] Re: How to wreck your IPA environment
...uggg, crap, tried replying twice and hyperkitty seems to just eat all my text...
[Freeipa-users] Vault: Cannot authenticate agent with certificate
I have a CentOS 7 server running ipa-server-4.5.4, recently installed. I find that operations related to the vault feature fail. For example:

```
> ipa -v vault-add test --type=standard
ipa: INFO: trying https://ipa-01.example.com/ipa/session/json
ipa: INFO: [try 1]: Forwarding 'vault_add_internal/1' to json server 'https://ipa-01.example.com/ipa/session/json'
ipa: INFO: [try 1]: Forwarding 'vault_show/1' to json server 'https://ipa-01.example.com/ipa/session/json'
ipa: INFO: [try 1]: Forwarding 'vaultconfig_show/1' to json server 'https://ipa-01.example.com/ipa/session/json'
ipa: INFO: [try 1]: Forwarding 'vault_archive_internal/1' to json server 'https://ipa-01.example.com/ipa/session/json'
ipa: ERROR: an internal error has occurred
```

In /var/log/pki/pki-tomcat/kra/system I see the following message:

```
0.ajp-bio-127.0.0.1-8009-exec-15 - [02/Nov/2018:14:54:37 GMT] [6] [3] Cannot authenticate agent with certificate Serial 0x7 Subject DN CN=IPA RA,O=IPA.EXAMPLE.COM. Error: User not found
```

In /var/log/pki/pki-tomcat/kra/debug I see the following messages:

```
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: SessionContextInterceptor: SystemCertResource.getTransportCert()
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: SessionContextInterceptor: Not authenticated.
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: AuthMethodInterceptor: SystemCertResource.getTransportCert()
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: AuthMethodInterceptor: mapping: default
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: AuthMethodInterceptor: required auth methods: [*]
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: AuthMethodInterceptor: anonymous access allowed
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: ACLInterceptor: SystemCertResource.getTransportCert()
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: ACLInterceptor.filter: no authorization required
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: ACLInterceptor: No ACL mapping; authz not required.
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: SignedAuditLogger: event AUTHZ
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: MessageFormatInterceptor: SystemCertResource.getTransportCert()
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: MessageFormatInterceptor: content-type: application/json
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: MessageFormatInterceptor: accept: [application/json]
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: MessageFormatInterceptor: request format: application/json
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: MessageFormatInterceptor: response format: application/json
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: PKIRealm: Authenticating certificate chain:
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: PKIRealm.getAuditUserfromCert: certUID=CN=IPA RA, O=IPA.EXAMPLE.COM
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: PKIRealm: CN=IPA RA, O=IPA.EXAMPLE.COM
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: CertUserDBAuth: started
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: CertUserDBAuth: Retrieving client certificate
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: CertUserDBAuth: Got client certificate
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: Authentication: client certificate found
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: In LdapBoundConnFactory::getConn()
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: masterConn is connected: true
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: getConn: conn is connected true
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: getConn: mNumConns now 2
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: returnConn: mNumConns now 3
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: CertUserDBAuthentication: cannot map certificate to any userUser not found
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: SignedAuditLogger: event AUTH
```

Any suggestions? Has something gone wrong with the setup?

--
Peter Oliver
[Freeipa-users] Re: How to wreck your IPA environment
Chris Evich via FreeIPA-users wrote:
> Hey all,
>
> About a year ago I did a really, really stupid thing. I updated IPA on one
> CentOS 7 host, then before being really sure things were working, I did the
> replica. Turned out the first upgrade only 'mostly' worked[*], meaning both
> hosts are now partially wrecked :S
>
> The good news is, DNS and PKI seem mostly intact and functional (why I
> haven't done anything for a year). The bad news is, the web interface and
> API-access (ipa cmdline) is non-functional. Meaning I have no way to
> maintain the setup, add new replicas/hosts, etc. :(
>
> Both kerberos and ldapsearch are working, so I'm wondering if there's a way I
> can "save" my DNS and user/group/kerberos records, to make a
> re-build/re-install less painful? I don't have anything worth saving
> PKI-wise.
>
> Thoughts?
>
> [*] The damage was caused by running out of disk-space after the package
> install, while the upgrade or schema-update script was running. I'm not
> above trying to repair the API, but so far my attempts have all been
> fruitless. I tried 'yum reinstall' and manually running the upgrade scripts.
> The damage seems to be inside the databases, since restoring from backup
> also restores API-breakage.

We need more information on what your definition of wrecked is. What isn't working? What logs can you provide?

rob
[Freeipa-users] Re: Issues installing replica
Alex Corcoles via FreeIPA-users wrote:
> So I solved my LXC problems (thanks Rob, again), but now:
>
> ipa-replica-install -U --setup-ca -N
>
> fails when rebuilding my replica from scratch, see:
>
> https://gist.github.com/alexpdp7/4431da5e11afe6029e2baa01bc1f2251
>
> , where I think I've copied the relevant logs. I think I saw someone
> recommending revoking the replica certs, which makes sense as I'm using
> the same hostname that I used on the previous replica, but that doesn't
> seem to fix things.
>
> (I'm removing the previous replica via the admin interface, IPA Server
> -> Topology -> IPA Servers, select my replica and "Delete Server". This
> removes it too from the host list).

I don't know what it is but it isn't related to existing entries in IPA (nor un-revoked certs). The dogtag installer is asking for a serial # range and getting a NotFound. Maybe Fraser knows.

rob
[Freeipa-users] How to wreck your IPA environment
Hey all,

About a year ago I did a really, really stupid thing. I updated IPA on one CentOS 7 host, then before being really sure things were working, I did the replica. Turned out the first upgrade only 'mostly' worked[*], meaning both hosts are now partially wrecked :S

The good news is, DNS and PKI seem mostly intact and functional (why I haven't done anything for a year). The bad news is, the web interface and API-access (ipa cmdline) is non-functional. Meaning I have no way to maintain the setup, add new replicas/hosts, etc. :(

Both kerberos and ldapsearch are working, so I'm wondering if there's a way I can "save" my DNS and user/group/kerberos records, to make a re-build/re-install less painful? I don't have anything worth saving PKI-wise.

Thoughts?

[*] The damage was caused by running out of disk-space after the package install, while the upgrade or schema-update script was running. I'm not above trying to repair the API, but so far my attempts have all been fruitless. I tried 'yum reinstall' and manually running the upgrade scripts. The damage seems to be inside the databases, since restoring from backup also restores API-breakage.
[Freeipa-users] Re: Issues installing replica
OK, will do that this afternoon.

Is creating a new replica reusing an old replica's name a supported thing? My replica is automatically provisioned, so it's appealing to me to rebuild it if there's any problem with it, but having to change its name is a chore (replica names should not be important, but some software does not seem to behave correctly). I'm not sure of what's the good practice here.

In any case, I will try to also create a second replica with a different name to see if the problem is caused by reusing the name.

On Tue, Nov 6, 2018 at 1:25 AM Fraser Tweedale wrote:
> On Mon, Nov 05, 2018 at 09:48:40PM +0100, Alex Corcoles via FreeIPA-users wrote:
> > Might this be related to:
> >
> > https://pagure.io/freeipa/issue/7654
> >
> > Maybe?
> >
> Possibly. Need the HTTP access log, the Dogtag access log
> (/var/log/pki/pki-tomcat/localhost_access_log.txt) and the Dogtag
> debug log (/var/log/pki/pki-tomcat/ca/debug) from the master being
> contacted (ovh1.pdp7.net) to analyse further.
>
> Cheers,
> Fraser
>

--
    ___
   {~._.~}
    ( Y )
   ()~*~()   mail: alex at corcoles dot net
   (_)-(_)   http://alex.corcoles.net/