[Freeipa-users] Thank You!

2017-05-08 Thread Orion Poplawski
IPA/SSSD developers -

   I'm writing to give everyone involved in the IPA and sssd projects a big
"Thank You".  I've been poking at IPA for a little over 4 years now, looking
to migrate away from our 389ds LDAP configuration.  There have been lots of
hurdles to jump, bugs to fix, as well as a complete change of direction (from
migrating users to moving to an AD trust).  Along the way I have received a
huge amount of assistance from a large group of incredibly helpful people,
including (but not limited to) Jakub Hrozek, Lukas Slebodnik, Simo Sorce,
Pavel Březina, Nalin Dahyabhai, Rob Crittenden.  My apologies if I left anyone
out.

   I have two machines left to convert to IPA and can hardly believe sometimes
that I've finally arrived at this point.  So, thanks again for everyone for
their work on this incredibly complex and critical set of software.

- Orion

-- 
Orion Poplawski
Technical Manager  720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane   or...@nwra.com
Boulder, CO 80301   http://www.nwra.com

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] qradar UBA to IPA

2017-05-08 Thread Michael Plemmons
Your listing of the filter seems incorrect unless that is a copy paste
problem.  You probably want cn=users,cn=accounts, $Suffix.  The filter
listed above shows user,cn=accounts,$Suffix.  I am not familiar with Qradar
but does it need just the uid of the user or does it need the full DN of
the user?

Mike Plemmons | Senior DevOps Engineer | CROSSCHX
614.427.2411
mike.plemm...@crosschx.com
www.crosschx.com

On Mon, May 8, 2017 at 4:47 PM, Sean Hogan wrote:

> Thanks Michael,
>
> Yes sir, the qradar box is able to hit the ipa server on 389 and 636 with
> success via telnet.
>
>
>
> Sean Hogan
>
> From: Michael Plemmons 
> To: freeipa-users 
> Date: 05/08/2017 01:21 PM
> Subject: Re: [Freeipa-users] qradar UBA to IPA
> Sent by: freeipa-users-boun...@redhat.com
> --
>
>
>
> From the server running Qradar can you ping the IPA server?  Are you able
> to telnet to port 389 or 636 of the IPA server?  The error says it can't
> contact the LDAP server which usually means you have not gotten to the
> point of authentication yet.
>
> Mike Plemmons | Senior DevOps Engineer | CROSSCHX
> 614.427.2411
> mike.plemm...@crosschx.com
> www.crosschx.com
>
> On Mon, May 8, 2017 at 3:31 PM, Sean Hogan wrote:
>
>Hello IPA,
>
>I am trying to set up User Behavioral analytics from Qradar to IPA.
>Having some issues with it after we got 389 and 636 open between the nets.
>
>Qradar Console is not in IPA and on a different net, although we do have
>comms on 389 and 636 now
>ipa-server-3.0.0-50.el6.1.x86_64
>
>I set up an account in IPA with no HBACs or anything and just gave it
>an IPA role to read data which we use in the below config.
>Getting
>[screenshot of the error, not included]
>
>URL I have them using ldaps://IPofIPAserver.example.com
>BaseDN dc=example,dc=local
>filter users,cn=accounts,$Suffix
>attributes are left default
>username is the user I made in ipa
>pw is the pw I made in ipa
>
>[screenshot, not included]
>
>Has anyone attempted this or have any sample configs to play with or
>see anything I am doing incorrect?
>
>Sean Hogan
>
>
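As an added example, not code from the thread and not QRadar's or FreeIPA's own tooling, the following POSIX shell script reproduces the bind QRadar would make, so the LDAP side can be verified independently of the QRadar UI. It derives the suffix from the domain, checks that the search base starts with cn=users,cn=accounts (the container Michael points to; the value "users,cn=accounts,$Suffix" quoted above has no attribute name on its first component and is not a valid DN), and runs ldapsearch over LDAPS as the dedicated read-only account with the IPA CA pinned through LDAPTLS_CACERT, so a wrong or intercepted endpoint fails instead of being silently accepted. The host ipa.example.local, the domain example.local, the account name qradar-svc and the CA path /etc/ipa/ca.crt (where an enrolled IPA client keeps the CA certificate; copy it from the server on a box that is not enrolled) are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: derive the IPA user container from the
# domain, sanity-check a QRadar-style search base, and probe LDAPS with the
# same bind account QRadar will use. Host, domain and account name are
# placeholders.

# example.local -> dc=example,dc=local (the suffix IPA builds from a domain)
ipa_suffix_from_domain() {
    printf '%s' "$1" | sed 's/\./,dc=/g; s/^/dc=/'
}

# IPA keeps user entries directly under cn=users,cn=accounts,<suffix>
ipa_users_base() {
    printf 'cn=users,cn=accounts,%s' "$(ipa_suffix_from_domain "$1")"
}

# Returns 0 when a search base starts with the IPA user container. A value
# such as "users,cn=accounts,..." has no attribute name in its first RDN and
# is not a DN the directory will accept.
ipa_base_looks_right() {
    case "$1" in
        cn=users,cn=accounts,dc=*) return 0 ;;
        *) return 1 ;;
    esac
}

# Bind as the dedicated read-only account over LDAPS and list uids one level
# below the user container. LDAPTLS_CACERT pins the IPA CA; -W prompts for
# the bind password so it never lands in the shell history.
ipa_ldaps_probe() {
    host=$1; domain=$2; binduser=$3
    base=$(ipa_users_base "$domain")
    LDAPTLS_CACERT=/etc/ipa/ca.crt \
    ldapsearch -LLL -H "ldaps://$host" \
        -D "uid=$binduser,$base" -W \
        -b "$base" -s one '(objectClass=posixAccount)' uid
}

# Usage: sh ldapcheck.sh ipa.example.local example.local qradar-svc
# With no arguments the script only defines the functions.
if [ "$#" -eq 3 ]; then
    ipa_ldaps_probe "$1" "$2" "$3"
fi
```

Whether QRadar's "filter" field expects a search base or an LDAP filter is not settled in the thread; the script treats the user container as the base and (objectClass=posixAccount) as the filter, which is the split IPA's tree needs. If the probe binds and returns uids, the remaining problem is on the QRadar side; if it fails, the error text from ldapsearch is far more specific than the generic "can't contact LDAP server".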

Re: [Freeipa-users] qradar UBA to IPA

2017-05-08 Thread Sean Hogan

Thanks Michael,

Yes sir, the qradar box is able to hit the ipa server on 389 and 636 with
success via telnet.

Sean Hogan

From:   Michael Plemmons 
To: freeipa-users 
Date:   05/08/2017 01:21 PM
Subject:Re: [Freeipa-users] qradar UBA to IPA
Sent by:freeipa-users-boun...@redhat.com



From the server running Qradar can you ping the IPA server?  Are you able
to telnet to port 389 or 636 of the IPA server?  The error says it can't
contact the LDAP server which usually means you have not gotten to the
point of authentication yet.

Mike Plemmons | Senior DevOps Engineer | CROSSCHX
614.427.2411
mike.plemm...@crosschx.com
www.crosschx.com

On Mon, May 8, 2017 at 3:31 PM, Sean Hogan wrote:
  Hello IPA,

  I am trying to set up User Behavioral analytics from Qradar to IPA.
  Having some issues with it after we got 389 and 636 open between the
  nets.

  Qradar Console is not in IPA and on a different net, although we do have
  comms on 389 and 636 now
  ipa-server-3.0.0-50.el6.1.x86_64

  I set up an account in IPA with no HBACs or anything and just gave it an
  IPA role to read data which we use in the below config.
  Getting
  [screenshot of the error, not included]

  URL I have them using ldaps://IPofIPAserver.example.com
  BaseDN dc=example,dc=local
  filter users,cn=accounts,$Suffix
  attributes are left default
  username is the user I made in ipa
  pw is the pw I made in ipa

  [screenshot, not included]

  Has anyone attempted this or have any sample configs to play with or see
  anything I am doing incorrect?

  Sean Hogan


Re: [Freeipa-users] qradar UBA to IPA

2017-05-08 Thread Michael Plemmons
From the server running Qradar can you ping the IPA server?  Are you able
to telnet to port 389 or 636 of the IPA server?  The error says it can't
contact the LDAP server which usually means you have not gotten to the
point of authentication yet.

Mike Plemmons | Senior DevOps Engineer | CROSSCHX
614.427.2411
mike.plemm...@crosschx.com
www.crosschx.com

On Mon, May 8, 2017 at 3:31 PM, Sean Hogan wrote:

> Hello IPA,
>
> I am trying to set up User Behavioral analytics from Qradar to IPA. Having
> some issues with it after we got 389 and 636 open between the nets.
>
> Qradar Console is not in IPA and on a different net, although we do have
> comms on 389 and 636 now
> ipa-server-3.0.0-50.el6.1.x86_64
>
> I set up an account in IPA with no HBACs or anything and just gave it an
> IPA role to read data which we use in the below config.
> Getting
> [screenshot of the error, not included]
>
> URL I have them using ldaps://IPofIPAserver.example.com
> BaseDN dc=example,dc=local
> filter users,cn=accounts,$Suffix
> attributes are left default
> username is the user I made in ipa
> pw is the pw I made in ipa
>
> [screenshot, not included]
>
> Has anyone attempted this or have any sample configs to play with or see
> anything I am doing incorrect?
>
> Sean Hogan

[Freeipa-users] qradar UBA to IPA

2017-05-08 Thread Sean Hogan

Hello IPA,

I am trying to set up User Behavioral analytics from Qradar to IPA.
Having some issues with it after we got 389 and 636 open between the nets.

Qradar Console is not in IPA and on a different net, although we do have
comms on 389 and 636 now
ipa-server-3.0.0-50.el6.1.x86_64

I set up an account in IPA with no HBACs or anything and just gave it an IPA
role to read data which we use in the below config.
Getting
[screenshot of the error, not included]

URL I have them using ldaps://IPofIPAserver.example.com
BaseDN  dc=example,dc=local
filter users,cn=accounts,$Suffix
attributes are left default
username is the user I made in ipa
pw is the pw I made in ipa

[screenshot, not included]

Has anyone attempted this or have any sample configs to play with or see
anything I am doing incorrect?

Sean Hogan

Re: [Freeipa-users] Web UI unavailable after 4.4 upgrade - 400 error

2017-05-08 Thread Pete Fuller
From the cli it looks like the answers I'm getting are actually coming from
one of my non-upgraded servers. The window for those servers is later tonight.
The request gets denied on the localhost it seems.

(lb3 is the local server. ipa11 is an offsite server that has not been upgraded.)

[pfuller@lb3 ~]$ ipa -vvv user-show admin
ipa: INFO: trying https://lb3.sac.3si/ipa/json
ipa: INFO: Request: {
"id": 0,
"method": "ping",
"params": [
[],
{}
]
}
send: u'POST /ipa/json HTTP/1.1\r\nHost: lb3.sac.3si\r\nAccept-Encoding: 
gzip\r\nAccept-Language: en-us\r\nReferer: 
https://lb3.sac.3si/ipa/xml\r\nAuthorization: negotiate 
[negotiate token elided]\r\nUser-Agent:
 xmlrpclib.py/1.0.1 (by www.pythonware.com)\r\nContent-Type: 
application/json\r\nContent-Length: 47\r\n\r\n{"params": [[], {}], "method": 
"ping", "id": 0}'
reply: 'HTTP/1.1 400 Bad Request\r\n'
header: Date: Mon, 08 May 2017 18:04:19 GMT
header: Server: Apache/2.4.6 (CentOS) mod_auth_gssapi/1.4.0 mod_auth_kerb/5.4 
mod_nss/1.0.14 NSS/3.21 Basic ECC mod_wsgi/3.4 Python/2.7.5
header: Content-Length: 347
header: Connection: close
header: Content-Type: text/html; charset=iso-8859-1
ipa: INFO: trying https://ipa11.be.3si/ipa/json
ipa: INFO: Request: {
"id": 0,
"method": "ping",
"params": [
[],
{}
]
}

Not seeing much in the http logs:

[Mon May 08 10:59:12.855952 2017] [mpm_prefork:notice] [pid 25471] AH00170: 
caught SIGWINCH, shutting down gracefully
[Mon May 08 10:59:14.776824 2017] [suexec:notice] [pid 26007] AH01232: suEXEC 
mechanism enabled (wrapper: /usr/sbin/suexec)
[Mon May 08 10:59:14.777094 2017] [:warn] [pid 26007] NSSSessionCacheTimeout is 
deprecated. Ignoring.
[Mon May 08 10:59:15.044478 2017] [auth_digest:notice] [pid 26007] AH01757: 
generating secret for digest authentication ...
[Mon May 08 10:59:15.045068 2017] [lbmethod_heartbeat:notice] [pid 26007] 
AH02282: No slotmem from mod_heartmonitor
[Mon May 08 10:59:15.045085 2017] [:warn] [pid 26007] NSSSessionCacheTimeout is 
deprecated. Ignoring.
[Mon May 08 10:59:15.053163 2017] [mpm_prefork:notice] [pid 26007] AH00163: 
Apache/2.4.6 (CentOS) mod_auth_gssapi/1.4.0 mod_auth_kerb/5.4 mod_nss/1.0.14 
NSS/3.21 Basic ECC mod_wsgi/3.4 Python/2.7.5 configured -- resuming normal 
operations
[Mon May 08 10:59:15.053200 2017] [core:notice] [pid 26007] AH00094: Command 
line: '/usr/sbin/httpd -D FOREGROUND'
[Mon May 08 10:59:15.321418 2017] [:error] [pid 26014] ipa: DEBUG: importing 
all plugin modules in ipaserver.plugins...
[Mon May 08 10:59:15.322362 2017] [:error] [pid 26014] ipa: DEBUG: importing 
plugin module ipaserver.plugins.aci
[Mon May 08 10:59:15.345957 2017] [:error] [pid 26014] ipa: DEBUG: importing 
plugin module ipaserver.plugins.automember
[Mon May 08 10:59:15.364950 2017] [:error] [pid 26014] ipa: DEBUG: importing 
plugin module ipaserver.plugins.automount
[Mon May 08 10:59:15.370011 2017] [:error] [pid 26014] ipa: DEBUG: importing 
plugin module ipaserver.plugins.baseldap
[Mon May 08 10:59:15.370124 2017] [:error] [pid 26014] ipa: DEBUG: 
ipaserver.plugins.baseldap is not a valid plugin module
[Mon May 08 10:59:15.370198 2017] [:error] [pid 26014] ipa: DEBUG: importing 
plugin module ipaserver.plugins.baseuser
[Mon May 08 10:59:15.404084 2017] [:error] [pid 26014] ipa: DEBUG: importing 
plugin module ipaserver.plugins.batch
[Mon May 08 10:59:15.404901 2017] [:error] [pid 26014] ipa: DEBUG: importing 
plugin module ipaserver.plugins.ca
[Mon May 08 10:59:15.451277 2017] [:error] [pid 26014] ipa: DEBUG: importing 
plugin module ipaserver.plugins.caacl
[Mon May 08 10:59:15.451621 2017] [:error] [pid 26014] ipa: DEBUG: importing 
plugin module ipaserver.plugins.cert
[Mon May 08 10:59:15.451817 2017] [:error] [pid 26014] ipa: DEBUG: importing 
plugin module ipaserver.plugins.certprofile
[Mon May 08 10:59:15.451978 2017] [:error] [pid 26014] ipa: DEBUG: importing 
plugin module ipaserver.plugins.config
[Mon May 08 10:59:15.462890 2017] [:error] [pid 26013] ipa: DEBUG: importing 
all plugin modules in ipaserver.plugins...
[Mon May 08 10:59:15.463836 2017] [:error] [pid 26013] ipa: DEBUG: importing 
plugin module ipaserver.plugins.aci
[Mon May 08 10:59:15.471193 2017] [:error

Re: [Freeipa-users] Web UI unavailable after 4.4 upgrade - 400 error

2017-05-08 Thread Rob Crittenden
Pete Fuller wrote:
> http error log has nothing.  This is with http restart and a failed
> request for web ui.  The request has no error.  Is there a different log
> that I am overlooking that might have more information?

No.

Create /etc/ipa/server.conf with these contents:

[global]
debug = True

Restart Apache.

Try with a browser and see what gets logged, if anything.

I'd also try with the cli to compare. With the client you can add -vvv
to get a lot more client-side logging: ipa -vvv user-show admin

rob

> 
> 
> [Mon May 08 10:46:14.842162 2017] [:warn] [pid 25471]
> NSSSessionCacheTimeout is deprecated. Ignoring.
> [Mon May 08 10:46:15.136803 2017] [auth_digest:notice] [pid 25471]
> AH01757: generating secret for digest authentication ...
> [Mon May 08 10:46:15.137403 2017] [lbmethod_heartbeat:notice] [pid
> 25471] AH02282: No slotmem from mod_heartmonitor
> [Mon May 08 10:46:15.137422 2017] [:warn] [pid 25471]
> NSSSessionCacheTimeout is deprecated. Ignoring.
> [Mon May 08 10:46:15.145343 2017] [mpm_prefork:notice] [pid 25471]
> AH00163: Apache/2.4.6 (CentOS) mod_auth_gssapi/1.4.0 mod_auth_kerb/5.4
> mod_nss/1.0.14 NSS/3.21 Basic ECC mod_wsgi/3.4 Python/2.7.5 configured
> -- resuming normal operations
> [Mon May 08 10:46:15.145378 2017] [core:notice] [pid 25471] AH00094:
> Command line: '/usr/sbin/httpd -D FOREGROUND'
> [Mon May 08 10:46:18.234880 2017] [:error] [pid 25476] ipa: INFO: ***
> PROCESS START ***
> [Mon May 08 10:46:18.431700 2017] [:error] [pid 25475] ipa: INFO: ***
> PROCESS START **
> 
> 
> 
>> On May 8, 2017, at 1:43 PM, Rob Crittenden wrote:
>>
>> Pete Fuller wrote:
>>> IPA command line seems to work.   Have been able to use ipa user-find
>>> and ipa cert-find.  Can also sudo and kinit from other machines as
>>> IPA user.
>>>
>>> Another clue here, looks like even when querying with the ipa cli tools,
>>> I’m getting 400 errors in the access logs.  The top one is obviously a
>>> browser request.  The next 4 were following a cli call to ipa user-find.
>>> That request does respond back with users, so not sure what is failing
>>> there.  The 192.168.0.95 IP is the local ip of the IPA server itself. 
>>>
>>> 192.168.51.20 - - [08/May/2017:10:31:46 -0700] "GET / HTTP/1.1" 400 347
>>> "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:53.0)
>>> Gecko/20100101 Firefox/53.0"
>>> 192.168.0.95 - - [08/May/2017:10:32:40 -0700] "POST /ipa/json HTTP/1.1"
>>> 400 347
>>> 192.168.0.95 - - [08/May/2017:10:32:43 -0700] "POST /ipa/json HTTP/1.1"
>>> 400 347
>>> 192.168.0.95 - - [08/May/2017:10:33:01 -0700] "POST /ipa/json HTTP/1.1"
>>> 400 347
>>> 192.168.0.95 - - [08/May/2017:10:33:10 -0700] "POST /ipa/json HTTP/1.1"
>>> 400 347
>>
>> Note that client activity (login, sudo, etc) does not go through Apache.
>> Only the IPA API does (so web UI and cli).
>>
>> Still need to see the error log.
>>
>> rob
>>
>>>
>>>
 On May 8, 2017, at 1:20 PM, Rob Crittenden wrote:

 Pete Fuller wrote:
> I ran the 4.4 upgrade yesterday on a group of Centos7 servers that are
> IPA replicas for my North American datacenters.  All seem to have the
> same issue that I am now unable to connect to the web UI, with the
> following error in the browser…
>
>
> Bad Request
>
> Your browser sent a request that this server could not understand.
>
> Additionally, a 400 Bad Request error was encountered while trying to
> use an ErrorDocument to handle the request.
>
>
>
> The maddening thing is I can’t find any reference in the apache logs to
> what is generating the error and why a direct request to the UI would
> error. 
>
> As far as I can tell IPA is otherwise working.  Logins seem to work,
> sudo rules are working, DNS is working.  
>
> [root@lb3 httpd]# ipactl status
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> named Service: RUNNING
> ipa_memcached Service: RUNNING
> httpd Service: RUNNING
> ipa-custodia Service: RUNNING
> ntpd Service: RUNNING
> pki-tomcatd Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa-dnskeysyncd Service: RUNNING
>
> I can see one file in the httpd/conf.d directory that was changed -
> nss.conf.  I attempted reverting and that did not work.
>
> Has anyone run upon this error?  

 Does the ipa command-line tool work?

 What are you seeing in the Apache error log?

 rob
> 

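As an added example, not code from the thread or from the FreeIPA project, the following POSIX shell script sends the same JSON-RPC ping that the ipa -vvv output above shows (POST /ipa/json with a Referer header and Negotiate authentication), but with curl to one named server at a time, so each replica's own answer is seen rather than the client's fall-through to the next server on its list. It then classifies the reply. The reasoning behind the labels is mine, not the thread's: Apache's built-in error page is text/html and the "ErrorDocument" wording in the browser error is Apache's own, so a 400 of that shape (Content-Type text/html, 347 bytes in the -vvv output) was rejected by httpd before the IPA application ran; a 401 means httpd accepted the request and mod_auth_gssapi, which the Server header lists, is asking for a ticket; a 200 with JSON came from the IPA application itself. The host names lb3.sac.3si and ipa11.be.3si are the ones in the thread; the label names and the CA path /etc/ipa/ca.crt are assumptions, and a valid Kerberos ticket (kinit) is needed for --negotiate.

```shell
#!/bin/sh
# Added example, not from the thread: post the ipa CLI's "ping" JSON-RPC call
# to one server at a time with curl and classify the answer, so a 400 served
# by httpd itself can be told apart from a 401 issued by the GSSAPI auth layer
# or a reply produced by the IPA application. Host names are placeholders.

# Same body the CLI sends (seen in the ipa -vvv output)
PING_BODY='{"method": "ping", "params": [[], {}], "id": 0}'

# Classify by HTTP status and Content-Type:
#   200 + application/json : request reached the IPA WSGI application
#   401                     : httpd accepted the request; auth (GSSAPI) is next
#   400 + text/html         : Apache's own error page, rejected before IPA ran
classify_ipa_response() {
    status=$1; ctype=$2
    case "$status" in
        200) case "$ctype" in
                 application/json*) echo "reached-ipa-app" ;;
                 *) echo "unexpected-200" ;;
             esac ;;
        401) echo "httpd-ok-auth-required" ;;
        400) case "$ctype" in
                 text/html*) echo "rejected-by-httpd" ;;
                 *) echo "bad-request-other" ;;
             esac ;;
        *) echo "other-$status" ;;
    esac
}

# Post the ping to a single server. --negotiate uses the caller's Kerberos
# ticket; the IPA CA is pinned so a replica serving a bad certificate fails
# loudly instead of being skipped over.
ipa_ping_probe() {
    host=$1
    out=$(curl -sS --cacert /etc/ipa/ca.crt \
        --negotiate -u : \
        -H "Referer: https://$host/ipa/xml" \
        -H 'Content-Type: application/json' \
        -X POST --data "$PING_BODY" \
        -o /dev/null -w '%{http_code} %{content_type}' \
        "https://$host/ipa/json")
    status=${out%% *}
    ctype=${out#* }
    printf '%s %s %s\n' "$host" "$status" \
        "$(classify_ipa_response "$status" "$ctype")"
}

# Usage: sh ipaping.sh lb3.sac.3si ipa11.be.3si
# With no arguments the script only defines the functions.
for h in "$@"; do
    ipa_ping_probe "$h"
done
```

Run it against every replica after an upgrade: an upgraded server answering "rejected-by-httpd" while an un-upgraded one answers "reached-ipa-app" narrows the fault to the Apache configuration on the upgraded hosts, which is the part the ipa CLI hides when it silently retries the next server.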

Re: [Freeipa-users] Web UI unavailable after 4.4 upgrade - 400 error

2017-05-08 Thread Pete Fuller
http error log has nothing.  This is with http restart and a failed request for 
web ui.  The request has no error.  Is there a different log that I am 
overlooking that might have more information?


[Mon May 08 10:46:14.842162 2017] [:warn] [pid 25471] NSSSessionCacheTimeout is 
deprecated. Ignoring.
[Mon May 08 10:46:15.136803 2017] [auth_digest:notice] [pid 25471] AH01757: 
generating secret for digest authentication ...
[Mon May 08 10:46:15.137403 2017] [lbmethod_heartbeat:notice] [pid 25471] 
AH02282: No slotmem from mod_heartmonitor
[Mon May 08 10:46:15.137422 2017] [:warn] [pid 25471] NSSSessionCacheTimeout is 
deprecated. Ignoring.
[Mon May 08 10:46:15.145343 2017] [mpm_prefork:notice] [pid 25471] AH00163: 
Apache/2.4.6 (CentOS) mod_auth_gssapi/1.4.0 mod_auth_kerb/5.4 mod_nss/1.0.14 
NSS/3.21 Basic ECC mod_wsgi/3.4 Python/2.7.5 configured -- resuming normal 
operations
[Mon May 08 10:46:15.145378 2017] [core:notice] [pid 25471] AH00094: Command 
line: '/usr/sbin/httpd -D FOREGROUND'
[Mon May 08 10:46:18.234880 2017] [:error] [pid 25476] ipa: INFO: *** PROCESS 
START ***
[Mon May 08 10:46:18.431700 2017] [:error] [pid 25475] ipa: INFO: *** PROCESS 
START **



> On May 8, 2017, at 1:43 PM, Rob Crittenden wrote:
> 
> Pete Fuller wrote:
>> IPA command line seems to work.   Have been able to use ipa user-find
>> and ipa cert-find.  Can also sudo and kinit from other machines as IPA user.
>> 
>> Another clue here, looks like even when querying with the ipa cli tools,
>> I’m getting 400 errors in the access logs.  The top one is obviously a
>> browser request.  The next 4 were following a cli call to ipa user-find.
>> That request does respond back with users, so not sure what is failing
>> there.  The 192.168.0.95 IP is the local ip of the IPA server itself. 
>> 
>> 192.168.51.20 - - [08/May/2017:10:31:46 -0700] "GET / HTTP/1.1" 400 347
>> "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:53.0)
>> Gecko/20100101 Firefox/53.0"
>> 192.168.0.95 - - [08/May/2017:10:32:40 -0700] "POST /ipa/json HTTP/1.1"
>> 400 347
>> 192.168.0.95 - - [08/May/2017:10:32:43 -0700] "POST /ipa/json HTTP/1.1"
>> 400 347
>> 192.168.0.95 - - [08/May/2017:10:33:01 -0700] "POST /ipa/json HTTP/1.1"
>> 400 347
>> 192.168.0.95 - - [08/May/2017:10:33:10 -0700] "POST /ipa/json HTTP/1.1"
>> 400 347
> 
> Note that client activity (login, sudo, etc) does not go through Apache.
> Only the IPA API does (so web UI and cli).
> 
> Still need to see the error log.
> 
> rob
> 
>> 
>> 
>>> On May 8, 2017, at 1:20 PM, Rob Crittenden wrote:
>>> 
>>> Pete Fuller wrote:
 I ran the 4.4 upgrade yesterday on a group of Centos7 servers that are
 IPA replicas for my North American datacenters.  All seem to have the
 same issue that I am now unable to connect to the web UI, with the
 following error in the browser…
 
 
 Bad Request
 
 Your browser sent a request that this server could not understand.
 
 Additionally, a 400 Bad Request error was encountered while trying to
 use an ErrorDocument to handle the request.
 
 
 
 The maddening thing is I can’t find any reference in the apache logs to
 what is generating the error and why a direct request to the UI would
 error. 
 
 As far as I can tell IPA is otherwise working.  Logins seem to work,
 sudo rules are working, DNS is working.  
 
 [root@lb3 httpd]# ipactl status
 Directory Service: RUNNING
 krb5kdc Service: RUNNING
 kadmin Service: RUNNING
 named Service: RUNNING
 ipa_memcached Service: RUNNING
 httpd Service: RUNNING
 ipa-custodia Service: RUNNING
 ntpd Service: RUNNING
 pki-tomcatd Service: RUNNING
 ipa-otpd Service: RUNNING
 ipa-dnskeysyncd Service: RUNNING
 
 I can see one file in the httpd/conf.d directory that was changed -
 nss.conf.  I attempted reverting and that did not work.
 
 Has anyone run upon this error?  
>>> 
>>> Does the ipa command-line tool work?
>>> 
>>> What are you seeing in the Apache error log?
>>> 
>>> rob


Re: [Freeipa-users] Web UI unavailable after 4.4 upgrade - 400 error

2017-05-08 Thread Rob Crittenden
Pete Fuller wrote:
> IPA command line seems to work.   Have been able to use ipa user-find
> and ipa cert-find.  Can also sudo and kinit from other machines as IPA user.
> 
> Another clue here, looks like even when querying with the ipa cli tools,
> I’m getting 400 errors in the access logs.  The top one is obviously a
> browser request.  The next 4 were following a cli call to ipa user-find.
>  That request does respond back with users, so not sure what is failing
> there.  The 192.168.0.95 IP is the local ip of the IPA server itself. 
> 
> 192.168.51.20 - - [08/May/2017:10:31:46 -0700] "GET / HTTP/1.1" 400 347
> "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:53.0)
> Gecko/20100101 Firefox/53.0"
> 192.168.0.95 - - [08/May/2017:10:32:40 -0700] "POST /ipa/json HTTP/1.1"
> 400 347
> 192.168.0.95 - - [08/May/2017:10:32:43 -0700] "POST /ipa/json HTTP/1.1"
> 400 347
> 192.168.0.95 - - [08/May/2017:10:33:01 -0700] "POST /ipa/json HTTP/1.1"
> 400 347
> 192.168.0.95 - - [08/May/2017:10:33:10 -0700] "POST /ipa/json HTTP/1.1"
> 400 347

Note that client activity (login, sudo, etc) does not go through Apache.
Only the IPA API does (so web UI and cli).

Still need to see the error log.

rob

> 
> 
>> On May 8, 2017, at 1:20 PM, Rob Crittenden wrote:
>>
>> Pete Fuller wrote:
>>> I ran the 4.4 upgrade yesterday on a group of Centos7 servers that are
>>> IPA replicas for my North American datacenters.  All seem to have the
>>> same issue that I am now unable to connect to the web UI, with the
>>> following error in the browser…
>>>
>>>
>>>  Bad Request
>>>
>>> Your browser sent a request that this server could not understand.
>>>
>>> Additionally, a 400 Bad Request error was encountered while trying to
>>> use an ErrorDocument to handle the request.
>>>
>>>
>>>
>>> The maddening thing is I can’t find any reference in the apache logs to
>>> what is generating the error and why a direct request to the UI would
>>> error. 
>>>
>>> As far as I can tell IPA is otherwise working.  Logins seem to work,
>>> sudo rules are working, DNS is working.  
>>>
>>> [root@lb3 httpd]# ipactl status
>>> Directory Service: RUNNING
>>> krb5kdc Service: RUNNING
>>> kadmin Service: RUNNING
>>> named Service: RUNNING
>>> ipa_memcached Service: RUNNING
>>> httpd Service: RUNNING
>>> ipa-custodia Service: RUNNING
>>> ntpd Service: RUNNING
>>> pki-tomcatd Service: RUNNING
>>> ipa-otpd Service: RUNNING
>>> ipa-dnskeysyncd Service: RUNNING
>>>
>>> I can see one file in the httpd/conf.d directory that was changed -
>>> nss.conf.  I attempted reverting and that did not work.
>>>
>>> Has anyone run upon this error?  
>>
>> Does the ipa command-line tool work?
>>
>> What are you seeing in the Apache error log?
>>
>> rob
> 


Re: [Freeipa-users] Web UI unavailable after 4.4 upgrade - 400 error

2017-05-08 Thread Pete Fuller
That was my first thought too.  Tried with different browsers, in incognito, 
etc.  


> On May 8, 2017, at 1:24 PM, Per Qvindesland wrote:
> 
> Tried with another browser? 400 normally means an issue with cookies or cache.
> 
> Sent from my Commodore 64
> 
>> On 8 May 2017, at 17:59, Pete Fuller wrote:
>> 
>> an




Re: [Freeipa-users] Web UI unavailable after 4.4 upgrade - 400 error

2017-05-08 Thread Per Qvindesland
Tried with another browser? 400 normally means an issue with cookies or cache.

Sent from my Commodore 64

> On 8 May 2017, at 17:59, Pete Fuller wrote:
> 
> an



Re: [Freeipa-users] Web UI unavailable after 4.4 upgrade - 400 error

2017-05-08 Thread Rob Crittenden
Pete Fuller wrote:
> I ran the 4.4 upgrade yesterday on a group of Centos7 servers that are
> IPA replicas for my North American datacenters.  All seem to have the
> same issue that I am now unable to connect to the web UI, with the
> following error in the browser…
> 
> 
>   Bad Request
> 
> Your browser sent a request that this server could not understand.
> 
> Additionally, a 400 Bad Request error was encountered while trying to
> use an ErrorDocument to handle the request.
> 
> 
> 
> The maddening thing is I can’t find any reference in the apache logs to
> what is generating the error and why a direct request to the UI would
> error. 
> 
> As far as I can tell IPA is otherwise working.  Logins seem to work,
> sudo rules are working, DNS is working.  
> 
> [root@lb3 httpd]# ipactl status
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> named Service: RUNNING
> ipa_memcached Service: RUNNING
> httpd Service: RUNNING
> ipa-custodia Service: RUNNING
> ntpd Service: RUNNING
> pki-tomcatd Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa-dnskeysyncd Service: RUNNING
> 
> I can see one file in the httpd/conf.d directory that was changed -
> nss.conf.  I attempted reverting and that did not work.
> 
> Has anyone run upon this error?  

Does the ipa command-line tool work?

What are you seeing in the Apache error log?

rob


[Freeipa-users] Web UI unavailable after 4.4 upgrade - 400 error

2017-05-08 Thread Pete Fuller
I ran the 4.4 upgrade yesterday on a group of Centos7 servers that are IPA 
replicas for my North American datacenters.  All seem to have the same issue 
that I am now unable to connect to the web UI, with the following error in the 
browser…

Bad Request

Your browser sent a request that this server could not understand.
Additionally, a 400 Bad Request error was encountered while trying to use an 
ErrorDocument to handle the request.



The maddening thing is I can’t find any reference in the apache logs to what is 
generating the error and why a direct request to the UI would error. 

As far as I can tell IPA is otherwise working.  Logins seem to work, sudo rules 
are working, DNS is working.  

[root@lb3 httpd]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING

I can see one file in the httpd/conf.d directory that was changed - nss.conf.  
I attempted reverting and that did not work.

Has anyone run upon this error?  

Thanks
