[Freeipa-users] export/import users password between two differents IPA environment

2016-05-09 Thread Alexandre Ellert
Hello,

I have a broken IPA environment with very few users and groups, and
I've set up a fresh new installation.
I have already recreated the users and groups and now need to keep the old
users' passwords. Is there a way to copy/paste user passwords between these
two different IPA environments?

Thank you for your help

Alexandre

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Duplicate sudo rule

2016-02-22 Thread Alexandre Ellert
I created another rule via the web UI and it's fine now... I don't remember
why the first one was duplicated.
Is it safe to delete these entries directly from LDAP?:
ipaUniqueID=faac52c8-d96d-11e5-b61d-00505693334c,cn=sudorules,cn=sudo,dc=xxx,dc=xxx
and
ipaUniqueID=faa8de54-d96d-11e5-b75f-00505693334c,cn=sudorules,cn=sudo,dc=xxx,dc=xxx


2016-02-22 15:34 GMT+01:00 Alexandre Ellert <ellertalexan...@gmail.com>:
> Hello,
>
> I've just deployed a new IPA server 4.2 / CentOS 7.2 and created my
> first sudo rule via the web UI, but it was duplicated (I don't know why...).
> Now I have two rules with the same name and I can't delete them:
>
> # ipa sudorule-find --all
> 
> 2 Sudo Rules matched
> 
>   dn: ipaUniqueID=faa8de54-d96d-11e5-b75f-00505693334c,cn=sudorules,cn=sudo,dc=numeezy,dc=intra
>   Rule name: allow sysadmins everywher
>   Enabled: TRUE
>   ipauniqueid: faa8de54-d96d-11e5-b75f-00505693334c
>   objectclass: ipasudorule, ipaassociation
>
>   dn: ipaUniqueID=faac52c8-d96d-11e5-b61d-00505693334c,cn=sudorules,cn=sudo,dc=numeezy,dc=intra
>   Rule name: allow sysadmins everywher
>   Enabled: TRUE
>   ipauniqueid: faac52c8-d96d-11e5-b61d-00505693334c
>   objectclass: ipasudorule, ipaassociation
> 
> Number of entries returned 2
> 
>
> # ipa sudorule-del "allow sysadmins everywher"
> ipa: ERROR: The search criteria was not specific enough. Expected 1 and found 2.
>
> Thanks for your help.
>
> Alexandre

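The situation in this message, two sudo rules with the same name that `ipa sudorule-del <name>` refuses to touch, as an added example that is not part of the original thread or of FreeIPA: a small parser for the `ipa sudorule-find --all` output quoted above, a duplicate detector keyed on "Rule name", and a generator for the per-DN ldapdelete commands the CLI cannot issue. The rule name and ipaUniqueIDs are the ones posted in the thread; the LDAP URI and bind DN in the generated commands are placeholders, and keeping the first listed entry is an assumption, not an IPA rule.

```python
"""Spot duplicate-named IPA sudo rules in `ipa sudorule-find --all` output and
build the per-DN ldapdelete commands that `ipa sudorule-del <name>` cannot
issue once the name is ambiguous."""
from collections import defaultdict

# Constructed sample: the find output quoted in the thread (rule name and
# ipaUniqueIDs as posted), with the long dn: value wrapped onto the next line
# the way the mail client wrapped it.
SAMPLE_FIND_OUTPUT = """\
--------------------
2 Sudo Rules matched
--------------------
  dn:
ipaUniqueID=faa8de54-d96d-11e5-b75f-00505693334c,cn=sudorules,cn=sudo,dc=numeezy,dc=intra
  Rule name: allow sysadmins everywher
  Enabled: TRUE
  ipauniqueid: faa8de54-d96d-11e5-b75f-00505693334c
  objectclass: ipasudorule, ipaassociation

  dn:
ipaUniqueID=faac52c8-d96d-11e5-b61d-00505693334c,cn=sudorules,cn=sudo,dc=numeezy,dc=intra
  Rule name: allow sysadmins everywher
  Enabled: TRUE
  ipauniqueid: faac52c8-d96d-11e5-b61d-00505693334c
  objectclass: ipasudorule, ipaassociation
----------------------------
Number of entries returned 2
----------------------------
"""

# Assumed connection parameters for the generated commands (placeholders).
LDAP_URI = "ldaps://ipa.example.test"   # hypothetical host
BIND_DN = "cn=Directory Manager"


def parse_find_output(text):
    """Turn `ipa *-find` output into a list of {attribute: value} dicts.

    Entry lines are indented by two spaces; summary and separator lines are
    not and are skipped. An attribute whose value is empty takes the next
    line as its value, which recovers a dn: that a mail client wrapped."""
    entries, current = [], {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line.strip():            # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if not line.startswith("  "):   # "2 Sudo Rules matched", dashes, ...
            continue
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue
        value = value.strip()
        if not value and i < len(lines):
            value = lines[i].strip()    # wrapped value continues on next line
            i += 1
        current[key.strip().lower()] = value
    if current:
        entries.append(current)
    return entries


def find_duplicates(entries, key="rule name"):
    """{name: [dn, ...]} for every name carried by more than one entry."""
    by_name = defaultdict(list)
    for entry in entries:
        if key in entry and "dn" in entry:
            by_name[entry[key]].append(entry["dn"])
    return {name: dns for name, dns in by_name.items() if len(dns) > 1}


def ldapdelete_commands(duplicates, keep_index=0):
    """One ldapdelete per surplus DN. Which copy survives is a policy choice;
    keeping the first listed (keep_index=0) is an assumption made here."""
    cmds = []
    for name in sorted(duplicates):
        for pos, dn in enumerate(duplicates[name]):
            if pos == keep_index:
                continue
            cmds.append(f'ldapdelete -H {LDAP_URI} -D "{BIND_DN}" -W "{dn}"')
    return cmds


if __name__ == "__main__":
    dups = find_duplicates(parse_find_output(SAMPLE_FIND_OUTPUT))
    for name, dns in dups.items():
        print(f"{name!r}: {len(dns)} entries share this name")
    for cmd in ldapdelete_commands(dups):
        print(cmd)
```

Before running a generated command, look at the full `--all` output of the entry you are about to remove: if it carries members (users, hosts, commands) that the surviving copy lacks, the survivor needs them first.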


[Freeipa-users] Duplicate sudo rule

2016-02-22 Thread Alexandre Ellert
Hello,

I've just deployed a new IPA server 4.2 / CentOS 7.2 and created my
first sudo rule via the web UI, but it was duplicated (I don't know why...).
Now I have two rules with the same name and I can't delete them:

# ipa sudorule-find --all

2 Sudo Rules matched

  dn: ipaUniqueID=faa8de54-d96d-11e5-b75f-00505693334c,cn=sudorules,cn=sudo,dc=numeezy,dc=intra
  Rule name: allow sysadmins everywher
  Enabled: TRUE
  ipauniqueid: faa8de54-d96d-11e5-b75f-00505693334c
  objectclass: ipasudorule, ipaassociation

  dn: ipaUniqueID=faac52c8-d96d-11e5-b61d-00505693334c,cn=sudorules,cn=sudo,dc=numeezy,dc=intra
  Rule name: allow sysadmins everywher
  Enabled: TRUE
  ipauniqueid: faac52c8-d96d-11e5-b61d-00505693334c
  objectclass: ipasudorule, ipaassociation

Number of entries returned 2


# ipa sudorule-del "allow sysadmins everywher"
ipa: ERROR: The search criteria was not specific enough. Expected 1 and found 2.

Thanks for your help.

Alexandre



Re: [Freeipa-users] Failed to start pki-tomcatd Service

2015-09-17 Thread Alexandre Ellert
My FreeIPA PKI has been totally broken since the upgrade from 3.0 (RHEL 6.6) to 4.1
(RHEL 7.1).
This thread started in July and there is still no resolution... Can someone please
advise?

Re: [Freeipa-users] Failed to start pki-tomcatd Service

2015-09-15 Thread Alexandre Ellert
So, here is the recap:
I migrated a single IPA server on CentOS 6.6 to two IPA servers on CentOS 7.1. The
PKI was only installed on server two.
Everything was working fine: replication OK, new enrollments OK,
authentication with Kerberos and LDAP OK.
After some time, I discovered that the pki-tomcatd service didn't restart
automatically after a reboot on server two.

Now I want to repair things, but I can't deploy a new PKI and I can't
delete the existing broken PKI...

Maybe I should use ipa-backup, then rebuild an IPA infrastructure, and
then ipa-restore?

Please advise.


2015-09-07 13:36 GMT+02:00 Alexandre Ellert <ellertalexan...@gmail.com>:

>
> > On 4 Sept 2015 at 16:37, Martin Babinsky <mbabi...@redhat.com> wrote:
> >
> > On 08/28/2015 05:46 PM, Alexandre Ellert wrote:
> >>
> >>> On 28 Aug 2015 at 17:41, Alexander Bokovoy <aboko...@redhat.com> wrote:
> >>>
> >>> On Fri, 28 Aug 2015, Alexandre Ellert wrote:
> >>>>
> >>>>> On 28 Aug 2015 at 17:09, Alexander Bokovoy <aboko...@redhat.com> wrote:
> >>>>>
> >>>>> On Wed, 26 Aug 2015, Alexandre Ellert wrote:
> >>>>>>
> >>>>>>> On 28 Jul 2015 at 05:59, Alexander Bokovoy <aboko...@redhat.com> wrote:
> >>>>>>>> If the problem is too hard to solve, maybe I should try to deploy another
> >>>>>>>> replica?
> >>>>>>> You may try that. Sorry for not responding, I have some other tasks that
> >>>>>>> occupy my time right now.
> >>>>>>>
> >>>>>>
> >>>>>>
> >>>>>> Can you please tell me the procedure to decommission and re-create a new replica?
> >>>>>> Are "ipa-server-install --uninstall" then "ipa-server-install" the only things to do?
> >>>>> No, you need also to remove the server from the replication topology.
> >>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/removing-replica.html
> >>>>>
> >>>>> --
> >>>>> / Alexander Bokovoy
> >>>>
> >>>> I can't remove the node on which I have a problem with pki-tomcatd:
> >>>>
> >>>> # ipa-replica-manage del .example.com
> >>>> Deleting a master is irreversible.
> >>>> To reconnect to the remote master you will need to prepare a new replica file
> >>>> and re-install.
> >>>> Continue to delete? [no]: yes
> >>>> Deleting this server is not allowed as it would leave your installation without a CA
> >>>>
> >>>> It seems that it's the only node where the CA is installed. What should I do now?
> >>> Add a replica with CA using ipa-ca-install on existing replica.
> >>>
> >>> Read the guide, it has detailed coverage of these situations.
> >>> --
> >>> / Alexander Bokovoy
> >>
> >> On the first node (which is working and without pki-tomcatd service)
> >> # ipa-ca-install
> >> Directory Manager (existing master) password:
> >>
> >> CA is already installed.
> >>
> >> How is it possible?
> >>
> >>
> > You must provide a replica file as an argument to ipa-ca-install if you
> > want to setup CA on another replica.
> >
> > --
> > Martin^3 Babinsky
>
> I'm still stuck with the correct command line:
> [root@inf-ipa ~]# ipa-ca-install /var/lib/ipa/replica-info-inf-ipa.numeezy.fr.gpg
> Directory Manager (existing master) password:
>
> Run connection check to master
> Check connection from replica to remote master 'inf-ipa-2.numeezy.fr':
>Directory Service: Unsecure port (389): OK
>Directory Service: Secure port (636): OK
>Kerberos KDC: TCP (88): OK
>Kerberos Kpasswd: TCP (464): OK
>HTTP Server: Unsecure port (80): OK
>HTTP Server: Secure port (443): OK
>
> The following list of ports use UDP protocol and would need to be
> checked manually:
>Kerberos KDC: UDP (88): SKIPPED
>Kerberos Kpasswd: UDP (464): SKIPPED
>
> Connection from replica to master is OK.
> Start listening on required ports for remote master check
> Get credentials to log in to remote master
> ad...@numeezy.fr password:
>
> Check SSH connection to remote master
> Execute check on remote master
> Check connection from master to remote replica 'inf-ipa.nume

Re: [Freeipa-users] Failed to start pki-tomcatd Service

2015-09-07 Thread Alexandre Ellert

> On 4 Sept 2015 at 16:37, Martin Babinsky <mbabi...@redhat.com> wrote:
> 
> On 08/28/2015 05:46 PM, Alexandre Ellert wrote:
>> 
>>> On 28 Aug 2015 at 17:41, Alexander Bokovoy <aboko...@redhat.com> wrote:
>>> 
>>> On Fri, 28 Aug 2015, Alexandre Ellert wrote:
>>>> 
>>>>> On 28 Aug 2015 at 17:09, Alexander Bokovoy <aboko...@redhat.com> wrote:
>>>>> 
>>>>> On Wed, 26 Aug 2015, Alexandre Ellert wrote:
>>>>>> 
>>>>>>> On 28 Jul 2015 at 05:59, Alexander Bokovoy <aboko...@redhat.com> wrote:
>>>>>>>> If the problem is too hard to solve, maybe I should try to deploy another
>>>>>>>> replica?
>>>>>>> You may try that. Sorry for not responding, I have some other tasks that
>>>>>>> occupy my time right now.
>>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> Can you please tell me the procedure to decommission and re-create a new replica?
>>>>>> Are "ipa-server-install --uninstall" then "ipa-server-install" the only things to do?
>>>>> No, you need also to remove the server from the replication topology.
>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/removing-replica.html
>>>>> 
>>>>> --
>>>>> / Alexander Bokovoy
>>>> 
>>>> I can't remove the node on which I have a problem with pki-tomcatd:
>>>> 
>>>> # ipa-replica-manage del .example.com
>>>> Deleting a master is irreversible.
>>>> To reconnect to the remote master you will need to prepare a new replica file
>>>> and re-install.
>>>> Continue to delete? [no]: yes
>>>> Deleting this server is not allowed as it would leave your installation without a CA
>>>> 
>>>> It seems that it's the only node where the CA is installed. What should I do now?
>>> Add a replica with CA using ipa-ca-install on existing replica.
>>> 
>>> Read the guide, it has detailed coverage of these situations.
>>> --
>>> / Alexander Bokovoy
>> 
>> On the first node (which is working and without pki-tomcatd service)
>> # ipa-ca-install
>> Directory Manager (existing master) password: 
>> 
>> CA is already installed.
>> 
>> How is it possible?
>> 
>> 
> You must provide a replica file as an argument to ipa-ca-install if you want 
> to setup CA on another replica.
> 
> -- 
> Martin^3 Babinsky

I'm still stuck with the correct command line:
[root@inf-ipa ~]# ipa-ca-install /var/lib/ipa/replica-info-inf-ipa.numeezy.fr.gpg
Directory Manager (existing master) password: 

Run connection check to master
Check connection from replica to remote master 'inf-ipa-2.numeezy.fr':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
ad...@numeezy.fr password: 

Check SSH connection to remote master
Execute check on remote master
Check connection from master to remote replica 'inf-ipa.numeezy.fr':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): WARNING
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): WARNING
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
The following UDP ports could not be verified as open: 88, 464
This can happen if they are already bound to an application
and ipa-replica-conncheck cannot attach own UDP responder.

Connection from master to replica is OK.

Connection check OK
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
  [1/21]: creating certificate server user
  [2/21]: configuring certificate server instance
ipa : CRITICAL failed to configure ca instance Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmp_KIouo'' returned non-zero exit status 1
  [error] RuntimeError: Configuration of CA failed

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Configuration of CA failed



Re: [Freeipa-users] Failed to start pki-tomcatd Service

2015-08-28 Thread Alexandre Ellert

 On 28 Aug 2015 at 17:41, Alexander Bokovoy aboko...@redhat.com wrote:
 
 On Fri, 28 Aug 2015, Alexandre Ellert wrote:
 
 On 28 Aug 2015 at 17:09, Alexander Bokovoy aboko...@redhat.com wrote:
 
 On Wed, 26 Aug 2015, Alexandre Ellert wrote:
 
 On 28 Jul 2015 at 05:59, Alexander Bokovoy aboko...@redhat.com wrote:
 If the problem is too hard to solve, maybe I should try to deploy another
 replica?
 You may try that. Sorry for not responding, I have some other tasks that
 occupy my time right now.
 
 
 
 Can you please tell me the procedure to decommission and re-create a new replica?
 Are ipa-server-install --uninstall then ipa-server-install the only things to do?
 No, you need also to remove the server from the replication topology.
 https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/removing-replica.html
 
 --
 / Alexander Bokovoy
 
 I can't remove the node on which I have a problem with pki-tomcatd:
 
 # ipa-replica-manage del .example.com
 Deleting a master is irreversible.
 To reconnect to the remote master you will need to prepare a new replica file
 and re-install.
 Continue to delete? [no]: yes
 Deleting this server is not allowed as it would leave your installation without a CA
 
 It seems that it's the only node where the CA is installed. What should I do now?
 Add a replica with CA using ipa-ca-install on existing replica.
 
 Read the guide, it has detailed coverage of these situations.
 -- 
 / Alexander Bokovoy

On the first node (which is working and without pki-tomcatd service)
# ipa-ca-install
Directory Manager (existing master) password: 

CA is already installed.

How is it possible?



Re: [Freeipa-users] Failed to start pki-tomcatd Service

2015-08-28 Thread Alexandre Ellert

 On 28 Aug 2015 at 17:09, Alexander Bokovoy aboko...@redhat.com wrote:
 
 On Wed, 26 Aug 2015, Alexandre Ellert wrote:
 
 On 28 Jul 2015 at 05:59, Alexander Bokovoy aboko...@redhat.com wrote:
 If the problem is too hard to solve, maybe I should try to deploy another
 replica?
 You may try that. Sorry for not responding, I have some other tasks that
 occupy my time right now.
 
 
 
 Can you please tell me the procedure to decommission and re-create a new replica?
 Are ipa-server-install --uninstall then ipa-server-install the only things to do?
 No, you need also to remove the server from the replication topology.
 https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/removing-replica.html
 
 -- 
 / Alexander Bokovoy

I can't remove the node on which I have a problem with pki-tomcatd:

# ipa-replica-manage del .example.com
Deleting a master is irreversible.
To reconnect to the remote master you will need to prepare a new replica file
and re-install.
Continue to delete? [no]: yes
Deleting this server is not allowed as it would leave your installation without a CA

It seems that it's the only node where the CA is installed. What should I do now?

Thank you again for your support.


Re: [Freeipa-users] Failed to start pki-tomcatd Service

2015-08-26 Thread Alexandre Ellert

 On 28 Jul 2015 at 05:59, Alexander Bokovoy aboko...@redhat.com wrote:
 If the problem is too hard to solve, maybe I should try to deploy another
 replica?
 You may try that. Sorry for not responding, I have some other tasks that
 occupy my time right now.
 


Can you please tell me the procedure to decommission and re-create a new
replica?
Are "ipa-server-install --uninstall" then "ipa-server-install" the only things
to do?

Thank you

Alexandre

Re: [Freeipa-users] Failed to start pki-tomcatd Service

2015-07-26 Thread Alexandre Ellert
2015-07-23 8:41 GMT+02:00 Alexander Bokovoy aboko...@redhat.com:

 On Thu, 23 Jul 2015, Ludwig Krispenz wrote:

 - Directory server starts just fine but serves only port 389
 - krb5kdc starts just fine and works fine with LDAP server
 - Dogtag tries to use LDAP server via port 636 and fails

 We need to see why port 636 is disabled.

 why do you think so ? There is:

 [22/Jul/2015:18:14:54 +0200] - slapd started.  Listening on All
 Interfaces port 389 for LDAP requests
 [22/Jul/2015:18:14:54 +0200] - Listening on All Interfaces port 636 for
 LDAPS requests
 [22/Jul/2015:18:14:54 +0200] - Listening on
 /var/run/slapd-NUMEEZY-FR.socket for LDAPI requests

 Missed that part. However, dogtag was failing in accessing LDAP over
 port 636.

  but what is failing is:
 agmt=cn=cloneAgreement1-inf-ipa-2.numeezy.fr-pki-tomcat (inf-ipa:7389):
 Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP
 server) ()

 Is dogtag on a different instance ? why do we use port 7389 ?

 Because it was migration from RHEL6 to RHEL7. In RHEL6 dogtag was living
 in a separate instance.

 --
 / Alexander Bokovoy


If the problem is too hard to solve, maybe I should try to deploy another
replica?

Re: [Freeipa-users] Failed to start pki-tomcatd Service

2015-07-22 Thread Alexandre Ellert

 On 22 Jul 2015 at 17:09, Alexander Bokovoy aboko...@redhat.com wrote:
 
 On Wed, 22 Jul 2015, Alexandre Ellert wrote:
 
 On 20 Jul 2015 at 17:17, Alexander Bokovoy aboko...@redhat.com wrote:
 
 On Mon, 20 Jul 2015, Alexandre Ellert wrote:
 
 Can you please show output from
 fgrep -r 'dc' /etc/dirsrv/slapd-INSTANCE/schema
 
 # fgrep -r 'dc' /etc/dirsrv/slapd-NUMEEZY-FR/schema
 
 This is original 'dc' definition:
 /etc/dirsrv/slapd-NUMEEZY-FR/schema/00core.ldif:attributeTypes: (
 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
 
 This is the offending one:
 /etc/dirsrv/slapd-NUMEEZY-FR/schema/99user.ldif:attributeTypes: (
 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D
 
 In 00core.ldif, I have:
 attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
 EQUALITY caseIgnoreIA5Match
 SUBSTR caseIgnoreIA5SubstringsMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
 SINGLE-VALUE
 X-ORIGIN 'RFC 4519'
 X-DEPRECATED 'domaincomponent' )
 If you look into 99user.ldif, you'll see the wrong definition there.
 
 99user.ldif accumulates definitions coming from replication or updates.
 You can check other IPA masters, do they have 'dc' attribute defined in
 a wrong way?
 
 I have a second IPA master and here is the occurrence of 'domaincomponent'
 in /etc/dirsrv/slapd-NUMEEZY-FR/schema:
 In 00core.ldif:
 attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
 EQUALITY caseIgnoreIA5Match
 SUBSTR caseIgnoreIA5SubstringsMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
 SINGLE-VALUE
 X-ORIGIN 'RFC 4519'
 X-DEPRECATED 'domaincomponent' )
 In 99user.ldif:
 attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D
  ESC 'Standard LDAP attribute type' EQUALITY caseIgnoreIA5Match SUBSTR caseIgn
  oreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORI
  GIN ( 'RFC 2247' 'user defined' ) )
 
 These two definitions are exactly the same on both IPA masters.
 
 I don't understand what is wrong in 99user.ldif? How can I correct it with the
 good definition?
 The correct definition is in the 00core.ldif. The one in 99user.ldif is
 wrong.
 
 I think you can remove it from 99user.ldif on both servers but you need
 to shut down dirsrv instances on both to do that.
 -- 
 / Alexander Bokovoy

I shut down IPA on both servers (ipactl stop) and removed this section in
99user.ldif:
 attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D
  ESC 'Standard LDAP attribute type' EQUALITY caseIgnoreIA5Match SUBSTR caseIgn
  oreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORI
  GIN ( 'RFC 2247' 'user defined' ) )

But I still have the same behavior (pki-tomcatd doesn't start, same errors in the
logs). Do you have another idea?

Thanks for your support


Re: [Freeipa-users] Failed to start pki-tomcatd Service

2015-07-22 Thread Alexandre Ellert

 On 22 Jul 2015 at 17:43, Alexander Bokovoy aboko...@redhat.com wrote:
 
 On Wed, 22 Jul 2015, Alexandre Ellert wrote:
 
 On 22 Jul 2015 at 17:09, Alexander Bokovoy aboko...@redhat.com wrote:
 
 On Wed, 22 Jul 2015, Alexandre Ellert wrote:
 
 On 20 Jul 2015 at 17:17, Alexander Bokovoy aboko...@redhat.com wrote:
 
 On Mon, 20 Jul 2015, Alexandre Ellert wrote:
 
 Can you please show output from
 fgrep -r 'dc' /etc/dirsrv/slapd-INSTANCE/schema
 
 # fgrep -r 'dc' /etc/dirsrv/slapd-NUMEEZY-FR/schema
 
 This is original 'dc' definition:
 /etc/dirsrv/slapd-NUMEEZY-FR/schema/00core.ldif:attributeTypes: (
 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
 
 This is the offending one:
 /etc/dirsrv/slapd-NUMEEZY-FR/schema/99user.ldif:attributeTypes: (
 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D
 
 In 00core.ldif, I have:
 attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
 EQUALITY caseIgnoreIA5Match
 SUBSTR caseIgnoreIA5SubstringsMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
 SINGLE-VALUE
 X-ORIGIN 'RFC 4519'
 X-DEPRECATED 'domaincomponent' )
 If you look into 99user.ldif, you'll see the wrong definition there.
 
 99user.ldif accumulates definitions coming from replication or updates.
 You can check other IPA masters, do they have 'dc' attribute defined in
 a wrong way?
 
 I have a second IPA master and here is the occurrence of 'domaincomponent'
 in /etc/dirsrv/slapd-NUMEEZY-FR/schema:
 In 00core.ldif:
 attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
 EQUALITY caseIgnoreIA5Match
 SUBSTR caseIgnoreIA5SubstringsMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
 SINGLE-VALUE
 X-ORIGIN 'RFC 4519'
 X-DEPRECATED 'domaincomponent' )
 In 99user.ldif:
 attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D
 ESC 'Standard LDAP attribute type' EQUALITY caseIgnoreIA5Match SUBSTR caseIgn
 oreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORI
 GIN ( 'RFC 2247' 'user defined' ) )
 
 These two definitions are exactly the same on both IPA masters.
 
 I don't understand what is wrong in 99user.ldif? How can I correct it with
 the good definition?
 The correct definition is in the 00core.ldif. The one in 99user.ldif is
 wrong.
 
 I think you can remove it from 99user.ldif on both servers but you need
 to shut down dirsrv instances on both to do that.
 --
 / Alexander Bokovoy
 
 I shut down IPA on both servers (ipactl stop) and removed this section in
 99user.ldif:
 attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D
 ESC 'Standard LDAP attribute type' EQUALITY caseIgnoreIA5Match SUBSTR caseIgn
 oreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORI
 GIN ( 'RFC 2247' 'user defined' ) )
 
 But I still have the same behavior (pki-tomcatd doesn't start, same errors
 in the logs). Do you have another idea?
 We need to find out where the definition comes from.
 
 Can you give me output of
 # fgrep -r 0.9.2342.19200300.100.1.25 /etc/dirsrv
 from both servers?

Server 1:
# fgrep -r 0.9.2342.19200300.100.1.25 /etc/dirsrv
/etc/dirsrv/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
/etc/dirsrv/slapd-NUMEEZY-FR/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )

Server 2:
# fgrep -r 0.9.2342.19200300.100.1.25 /etc/dirsrv
/etc/dirsrv/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
/etc/dirsrv/slapd-NUMEEZY-FR/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )

 
 With correct setup IPA 4.x should show:
 /etc/dirsrv/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
 /etc/dirsrv/slapd-EXAMPLE-COM/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
 
 I.e. there are two lines -- in the default schema and in the IPA
 instance schema.

Seems to be good?



Re: [Freeipa-users] Failed to start pki-tomcatd Service

2015-07-22 Thread Alexandre Ellert

 On 22 Jul 2015 at 18:40, Alexander Bokovoy aboko...@redhat.com wrote:
 
 On Wed, 22 Jul 2015, Alexandre Ellert wrote:
 
 On 22 Jul 2015 at 18:08, Alexander Bokovoy aboko...@redhat.com wrote:
 
 On Wed, 22 Jul 2015, Alexandre Ellert wrote:
 # fgrep -r 0.9.2342.19200300.100.1.25 /etc/dirsrv
 from both servers?
 
 Server 1:
 # fgrep -r 0.9.2342.19200300.100.1.25 /etc/dirsrv
 /etc/dirsrv/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
 /etc/dirsrv/slapd-NUMEEZY-FR/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
 
 Server 2:
 # fgrep -r 0.9.2342.19200300.100.1.25 /etc/dirsrv
 /etc/dirsrv/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
 /etc/dirsrv/slapd-NUMEEZY-FR/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
 
 
 With correct setup IPA 4.x should show:
 /etc/dirsrv/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
 /etc/dirsrv/slapd-EXAMPLE-COM/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
 
 I.e. there are two lines -- in the default schema and in the IPA
 instance schema.
 
 Seems to be good?
 Yes. Can you get a new set of logs on 'ipactl start'?
 
 --
 / Alexander Bokovoy
 
 Sorry, the log is very long... I can format differently if you need.
 Thanks, no need for more logs right now.
 
 What I see from these logs:
 - Directory server starts just fine but serves only port 389
 - krb5kdc starts just fine and works fine with LDAP server
 - Dogtag tries to use LDAP server via port 636 and fails
 
 We need to see why port 636 is disabled.
 
 Can you grep /etc/dirsrv/slapd-NUMEEZY-FR/dse.ldif for following
 attributes:
 nsslapd-security
 nsslapd-port
 
 They should be 'on' and '389' correspondingly.
 
 -- 
 / Alexander Bokovoy

Here is the result (on both servers):
# grep nsslapd-security /etc/dirsrv/slapd-NUMEEZY-FR/dse.ldif
nsslapd-security: on
# grep nsslapd-port /etc/dirsrv/slapd-NUMEEZY-FR/dse.ldif
nsslapd-port: 389

Notice that ns-slapd is listening on port 636:
# netstat -antp|grep '636\|389'|grep LISTEN
tcp6       0      0 :::389                  :::*                    LISTEN      12271/ns-slapd
tcp6       0      0 :::636                  :::*                    LISTEN      12271/ns-slapd



Re: [Freeipa-users] Failed to start pki-tomcatd Service

2015-07-22 Thread Alexandre Ellert

 On 20 Jul 2015 at 17:17, Alexander Bokovoy aboko...@redhat.com wrote:
 
 On Mon, 20 Jul 2015, Alexandre Ellert wrote:
 
 Can you please show output from
 fgrep -r 'dc' /etc/dirsrv/slapd-INSTANCE/schema
 
 # fgrep -r 'dc' /etc/dirsrv/slapd-NUMEEZY-FR/schema
 
 This is original 'dc' definition:
 /etc/dirsrv/slapd-NUMEEZY-FR/schema/00core.ldif:attributeTypes: (
 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
 
 This is the offending one:
 /etc/dirsrv/slapd-NUMEEZY-FR/schema/99user.ldif:attributeTypes: (
 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D
 
 In 00core.ldif, I have:
 attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
 EQUALITY caseIgnoreIA5Match
 SUBSTR caseIgnoreIA5SubstringsMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
 SINGLE-VALUE
 X-ORIGIN 'RFC 4519'
 X-DEPRECATED 'domaincomponent' )
 If you look into 99user.ldif, you'll see the wrong definition there.
 
 99user.ldif accumulates definitions coming from replication or updates.
 You can check other IPA masters, do they have 'dc' attribute defined in
 a wrong way?

I have a second IPA master and here is the occurrence of 'domaincomponent' in
/etc/dirsrv/slapd-NUMEEZY-FR/schema:
In 00core.ldif:
attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
  EQUALITY caseIgnoreIA5Match
  SUBSTR caseIgnoreIA5SubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
  SINGLE-VALUE
  X-ORIGIN 'RFC 4519'
  X-DEPRECATED 'domaincomponent' )
In 99user.ldif:
attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D
 ESC 'Standard LDAP attribute type' EQUALITY caseIgnoreIA5Match SUBSTR caseIgn
 oreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORI
 GIN ( 'RFC 2247' 'user defined' ) )

These two definitions are exactly the same on both IPA masters.

I don't understand what is wrong in 99user.ldif? How can I correct it with the
good definition?

 
 As far as I remember, the only modification I made was to disable
 read-only access without authentication.  I don’t need any other
 special customization.
 Something brought the wrong definition into your IPA masters.
 Maybe someone tried to add support for some old application?

Nobody else has ever had read/write access to the IPA servers. I'm the only admin.


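The clash shown in this message, the same OID 0.9.2342.19200300.100.1.25 defined once in 00core.ldif with SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 (IA5String) and again in 99user.ldif with 1.3.6.1.4.1.1466.115.121.1.15 (DirectoryString), is exactly what a schema diff should catch before dirsrv is restarted. The following is an added example, not code from the thread, from FreeIPA or from 389-ds: an LDIF unfolder and attributeTypes parser that compares a core schema file against 99user.ldif by OID and reports every redefinition whose NAME, SYNTAX or EQUALITY differs. The two sample definitions are taken from the thread and embedded as constructed LDIF; the `check_instance_schema` path argument is a hypothetical use on a real instance directory and is not exercised here.

```python
"""Find attributeTypes that a 389-ds instance's 99user.ldif redefines with a
different NAME, SYNTAX or EQUALITY than the shipped core schema, such as the
'dc' definition quoted in this thread."""
import os
import re

# Constructed sample input: the two 'dc' definitions quoted in the thread, in
# LDIF form. A continuation line starts with a single space, which is dropped
# on unfolding, so "D" + " ESC" becomes "DESC" and "X-ORI" + " GIN" "X-ORIGIN".
CORE_LDIF = """\
dn: cn=schema
attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
  EQUALITY caseIgnoreIA5Match
  SUBSTR caseIgnoreIA5SubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
  SINGLE-VALUE
  X-ORIGIN 'RFC 4519'
  X-DEPRECATED 'domaincomponent' )
"""

USER_LDIF = """\
dn: cn=schema
attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D
 ESC 'Standard LDAP attribute type' EQUALITY caseIgnoreIA5Match SUBSTR caseIgn
 oreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORI
 GIN ( 'RFC 2247' 'user defined' ) )
"""

_OID_RE = re.compile(r"^\(\s*([0-9.]+)")
_NAME_RE = re.compile(r"\bNAME\s+(?:'([^']+)'|\(\s*((?:'[^']+'\s*)+)\))")
_SYNTAX_RE = re.compile(r"\bSYNTAX\s+([0-9.]+)")
_EQUALITY_RE = re.compile(r"\bEQUALITY\s+(\S+)")


def unfold_ldif(text):
    """Join LDIF continuation lines (leading single space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_attribute_types(text):
    """Map OID -> {names, syntax, equality, definition} for every attributeTypes value."""
    result = {}
    for line in unfold_ldif(text):
        key, sep, value = line.partition(":")
        if not sep or key.strip().lower() != "attributetypes":
            continue
        value = value.strip()
        oid = _OID_RE.match(value)
        if not oid:
            continue
        names = []
        name_m = _NAME_RE.search(value)
        if name_m:
            # NAME 'x' gives group 1; NAME ( 'x' 'y' ) gives group 2
            names = [name_m.group(1)] if name_m.group(1) else re.findall(r"'([^']+)'", name_m.group(2))
        syntax_m = _SYNTAX_RE.search(value)
        eq_m = _EQUALITY_RE.search(value)
        result[oid.group(1)] = {
            "names": names,
            "syntax": syntax_m.group(1) if syntax_m else None,
            "equality": eq_m.group(1) if eq_m else None,
            "definition": value,
        }
    return result


def find_conflicts(core, user):
    """OIDs present in both schemas whose names, syntax or equality rule differ.
    Returns {oid: [(field, core_value, user_value), ...]}; a genuinely new
    attribute (OID only in user) is not a conflict."""
    conflicts = {}
    for oid, u in user.items():
        c = core.get(oid)
        if c is None:
            continue
        diffs = [(f, c[f], u[f]) for f in ("names", "syntax", "equality") if c[f] != u[f]]
        if diffs:
            conflicts[oid] = diffs
    return conflicts


def check_instance_schema(schema_dir):
    """Hypothetical use on a real instance, e.g. /etc/dirsrv/slapd-NUMEEZY-FR/schema."""
    with open(os.path.join(schema_dir, "00core.ldif")) as f:
        core = parse_attribute_types(f.read())
    with open(os.path.join(schema_dir, "99user.ldif")) as f:
        user = parse_attribute_types(f.read())
    return find_conflicts(core, user)


if __name__ == "__main__":
    for oid, diffs in find_conflicts(parse_attribute_types(CORE_LDIF),
                                     parse_attribute_types(USER_LDIF)).items():
        print(oid)
        for field, core_v, user_v in diffs:
            print(f"  {field}: core={core_v!r} 99user={user_v!r}")
```

Because 389-ds loads schema files in name order, a later definition of the same OID in 99user.ldif is the one that wins, which is why the comparison is keyed on OID rather than on the attribute name; running this against the instance directory on every master before the restart shows whether the offending definition has really gone from all of them.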

Re: [Freeipa-users] Failed to start pki-tomcatd Service

2015-07-20 Thread Alexandre Ellert

 Can you please show output from
 fgrep -r 'dc' /etc/dirsrv/slapd-INSTANCE/schema

# fgrep -r 'dc' /etc/dirsrv/slapd-NUMEEZY-FR/schema
/etc/dirsrv/slapd-NUMEEZY-FR/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
/etc/dirsrv/slapd-NUMEEZY-FR/schema/00core.ldif:objectClasses: ( 1.3.6.1.4.1.1466.344 NAME 'dcObject'
/etc/dirsrv/slapd-NUMEEZY-FR/schema/00core.ldif:  MUST dc
/etc/dirsrv/slapd-NUMEEZY-FR/schema/05rfc4524.ldif:  MUST dc
/etc/dirsrv/slapd-NUMEEZY-FR/schema/50ns-mail.ldif:attributeTypes: ( 2.16.840.1.113730.3.1.22 NAME ( 'mgrpAllowedBroadcaster' ) DESC 'Netscape Messaging Server 4.x defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26  X-ORIGIN 'Netscape Messaging Server 4.x' )
/etc/dirsrv/slapd-NUMEEZY-FR/schema/50ns-mail.ldif:attributeTypes: ( 2.16.840.1.113730.3.1.788 NAME ( 'mgrpBroadcasterPolicy' ) DESC 'Netscape Messaging Server 4.x defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15  X-ORIGIN 'Netscape Messaging Server 4.x' )
/etc/dirsrv/slapd-NUMEEZY-FR/schema/50ns-mail.ldif:objectclasses: ( 2.16.840.1.113730.3.2.4 NAME 'mailGroup' DESC 'Netscape Messaging Server 4.x defined objectclass' SUP top AUXILIARY MUST ( objectClass ) MAY ( cn $ mail $ mailAlternateAddress $ mailHost $ mailRoutingAddress $ mgrpAddHeader $ mgrpAllowedBroadcaster $ mgrpAllowedDomain $ mgrpApprovePassword $ mgrpBroadcasterPolicy $ mgrpDeliverTo $ mgrpErrorsTo $ mgrpModerator $ mgrpMsgMaxSize $ mgrpMsgRejectAction $ mgrpMsgRejectText $ mgrpNoDuplicateChecks $ mgrpRemoveHeader $ mgrpRFC822MailMember $ owner ) X-ORIGIN 'Netscape Messaging Server 4.x' )
/etc/dirsrv/slapd-NUMEEZY-FR/schema/60trust.ldif:# dc=com?sub?objectclass=posixAccount)(|(trustmodel=fullaccess)(accessto=server)
/etc/dirsrv/slapd-NUMEEZY-FR/schema/99user.ldif:objectClasses: ( 1.3.6.1.4.1.1466.344 NAME 'dcObject' SUP top AUXILIARY MUST d
/etc/dirsrv/slapd-NUMEEZY-FR/schema/99user.ldif: UST dc MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $ x121Ad
/etc/dirsrv/slapd-NUMEEZY-FR/schema/99user.ldif: dBroadcaster $ mgrpAllowedDomain $ mgrpApprovePassword $ mgrpBroadcasterPolic
/etc/dirsrv/slapd-NUMEEZY-FR/schema/99user.ldif: bTicketPolicyReference $ krbKdcServers $ krbPwdServers $ krbAdmServers $ krbP
/etc/dirsrv/slapd-NUMEEZY-FR/schema/99user.ldif:objectClasses: ( 2.16.840.1.113719.1.301.6.4.1 NAME 'krbKdcService' SUP krbSer
/etc/dirsrv/slapd-NUMEEZY-FR/schema/99user.ldif:attributeTypes: ( 2.16.840.1.113719.1.301.4.17.1 NAME 'krbKdcServers'  EQUALIT
/etc/dirsrv/slapd-NUMEEZY-FR/schema/99user.ldif:attributeTypes: ( 2.16.840.1.113730.3.1.788 NAME 'mgrpBroadcasterPolicy' DESC 
/etc/dirsrv/slapd-NUMEEZY-FR/schema/99user.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D
/etc/dirsrv/slapd-NUMEEZY-FR/schema/99user.ldif:attributeTypes: ( 2.16.840.1.113730.3.1.22 NAME 'mgrpAllowedBroadcaster' DESC 
/etc/dirsrv/slapd-NUMEEZY-FR/schema/60kerberos.ldif:# (FDNs of the krbKdcService objects).
/etc/dirsrv/slapd-NUMEEZY-FR/schema/60kerberos.ldif:# Example:   cn=kdc - server 1, ou=uvw, o=xyz
/etc/dirsrv/slapd-NUMEEZY-FR/schema/60kerberos.ldif:attributetypes: ( 
2.16.840.1.113719.1.301.4.17.1 NAME 'krbKdcServers' EQUALITY 
distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
/etc/dirsrv/slapd-NUMEEZY-FR/schema/60kerberos.ldif:objectClasses: ( 
2.16.840.1.113719.1.301.6.2.1 NAME 'krbRealmContainer' SUP top MUST ( cn ) MAY 
( krbMKey $ krbUPEnabled $ krbSubTrees $ krbSearchScope $ krbLdapServers $ 
krbSupportedEncSaltTypes $ krbDefaultEncSaltTypes $ krbTicketPolicyReference $ 
krbKdcServers $ krbPwdServers $ krbAdmServers $ krbPrincNamingAttr 
$krbPwdPolicyReference $ krbPrincContainerRef ) )
/etc/dirsrv/slapd-NUMEEZY-FR/schema/60kerberos.ldif:# krbKdcService, 
krbAdmService and krbPwdService derive from this class.
/etc/dirsrv/slapd-NUMEEZY-FR/schema/60kerberos.ldif:objectClasses: ( 
2.16.840.1.113719.1.301.6.4.1 NAME 'krbKdcService' SUP ( krbService ) )

 
 and definitions of 'dc' attribute from there.
 
 'dc' attribute is defined in 00core.ldif as
 attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
 EQUALITY caseIgnoreIA5Match
 SUBSTR caseIgnoreIA5SubstringsMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
 SINGLE-VALUE
 X-ORIGIN 'RFC 4519'
 X-DEPRECATED 'domaincomponent' )

In 00core.ldif, I have :
attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
  EQUALITY caseIgnoreIA5Match
  SUBSTR caseIgnoreIA5SubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
  SINGLE-VALUE
  X-ORIGIN 'RFC 4519'
  X-DEPRECATED 'domaincomponent' )

 
 Note that syntax is 1.3.6.1.4.1.1466.115.121.1.26 (IA5String) while yours is
 1.3.6.1.4.1.1466.115.121.1.15 (DirectoryString), they are not the same.
 
 What modifications did you do to the schema?

As far as I remember, the only modification I made was to disable read-only 
access without authentication.
I don’t need any other special customization.
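Alexander's diagnosis above (the same OID defined with IA5String syntax in 00core.ldif and DirectoryString syntax in 99user.ldif) is the kind of check that can be automated across every file in a dirsrv schema directory. The script below is an added example written for this thread, not code from FreeIPA or 389-ds: it unfolds LDIF continuation lines, extracts each attributeTypes definition's OID, NAME and SYNTAX, and reports OIDs whose SYNTAX differs between files. The two sample schema fragments are constructed to mirror the definitions quoted in the thread; load_schema_dir is an assumed convenience for pointing it at a real /etc/dirsrv/slapd-INSTANCE/schema directory.

```python
"""Report attribute types whose SYNTAX differs between 389-ds schema files.

Added example for this thread; not code from FreeIPA or 389-ds.  The two
sample schema fragments below are constructed to mirror the thread: 00core.ldif
defines 'dc' with IA5String syntax (...1.26), 99user.ldif re-defines the same
OID with DirectoryString syntax (...1.15).
"""
import glob
import os
import re
from collections import defaultdict

# X-ORIGIN lists and NAME lists keep parentheses inside the body, so the body is
# captured greedily up to the last ')' of the (unfolded) definition line.
ATTR_RE = re.compile(r"^attributeTypes:\s*\(\s*(?P<oid>\S+)\s+(?P<body>.*)\)\s*$", re.IGNORECASE)
NAME_RE = re.compile(r"NAME\s+(?:\(\s*((?:'[^']*'\s*)+)\)|'([^']*)')")
SYNTAX_RE = re.compile(r"SYNTAX\s+([\d.]+)(?:\{\d+\})?")


def unfold_ldif(text):
    """RFC 2849 folding: a line beginning with one space continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_attribute_types(text):
    """Return {oid: {"names": [...], "syntax": str | None}} for one schema file."""
    out = {}
    for line in unfold_ldif(text):
        m = ATTR_RE.match(line)
        if not m:
            continue
        body = m.group("body")
        names = []
        nm = NAME_RE.search(body)
        if nm:
            names = re.findall(r"'([^']*)'", nm.group(1)) if nm.group(1) else [nm.group(2)]
        sm = SYNTAX_RE.search(body)
        # Attributes defined with SUP inherit their syntax and carry no SYNTAX keyword.
        out[m.group("oid")] = {"names": names, "syntax": sm.group(1) if sm else None}
    return out


def find_syntax_conflicts(files):
    """files: {filename: ldif_text}.  Returns [(oid, names, {filename: syntax})]
    for every OID that is defined with more than one distinct SYNTAX."""
    by_oid = defaultdict(dict)
    names_by_oid = {}
    for fname, text in files.items():
        for oid, info in parse_attribute_types(text).items():
            by_oid[oid][fname] = info["syntax"]
            names_by_oid.setdefault(oid, info["names"])
    return [(oid, names_by_oid[oid], dict(per_file))
            for oid, per_file in sorted(by_oid.items())
            if len(set(per_file.values())) > 1]


def load_schema_dir(path):
    """Read every *.ldif under a dirsrv schema directory (assumed layout:
    /etc/dirsrv/slapd-INSTANCE/schema)."""
    files = {}
    for p in sorted(glob.glob(os.path.join(path, "*.ldif"))):
        with open(p, encoding="utf-8", errors="replace") as fh:
            files[os.path.basename(p)] = fh.read()
    return files


def report(files):
    lines = []
    for oid, names, per_file in find_syntax_conflicts(files):
        lines.append(f"{oid} ({', '.join(names)}) has conflicting SYNTAX:")
        lines.extend(f"  {fname}: {syntax}" for fname, syntax in sorted(per_file.items()))
    return "\n".join(lines) if lines else "no conflicting attribute-type syntaxes"


# Constructed sample input mirroring the thread's 00core.ldif and 99user.ldif excerpts.
CORE_LDIF = """\
dn: cn=schema
attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
  EQUALITY caseIgnoreIA5Match
  SUBSTR caseIgnoreIA5SubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
  SINGLE-VALUE
  X-ORIGIN 'RFC 4519'
  X-DEPRECATED 'domaincomponent' )
attributeTypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name X-ORIGIN 'RFC 4519' )
"""
USER_LDIF = """\
dn: cn=schema
attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D
 ESC 'Standard LDAP attribute type' EQUALITY caseIgnoreIA5Match SUBSTR caseIgn
 oreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORI
 GIN ( 'RFC 2247' 'user defined' ) )
attributeTypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name X-ORIGIN 'RFC 4519' )
"""

if __name__ == "__main__":
    import sys
    files = load_schema_dir(sys.argv[1]) if len(sys.argv) > 1 else {
        "00core.ldif": CORE_LDIF, "99user.ldif": USER_LDIF}
    print(report(files))
```

Run it with no argument to see the thread's conflict reproduced from the samples, or pass a schema directory to scan a real instance. Because 99user.ldif is where replicated and user-supplied schema lands, a mismatch reported there against a numbered core file is exactly the "something brought the wrong definition in" case; comparing the report from each master shows whether the stray definition has already replicated.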

 
 

Re: [Freeipa-users] Failed to start pki-tomcatd Service

2015-07-20 Thread Alexandre Ellert

 On 20 Jul 2015 at 17:58, Petr Vobornik pvobo...@redhat.com wrote:
 
 On 07/20/2015 05:17 PM, Alexander Bokovoy wrote:
 On Mon, 20 Jul 2015, Alexandre Ellert wrote:
 
 Can you please show output from
 fgrep -r 'dc' /etc/dirsrv/slapd-INSTANCE/schema
 
 # fgrep -r 'dc' /etc/dirsrv/slapd-NUMEEZY-FR/schema
 
 This is original 'dc' definition:
 /etc/dirsrv/slapd-NUMEEZY-FR/schema/00core.ldif:attributeTypes: (
 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
 
 This is the offending one:
 /etc/dirsrv/slapd-NUMEEZY-FR/schema/99user.ldif:attributeTypes: (
 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D
 
 In 00core.ldif, I have :
 attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc'
 'domaincomponent' )
 EQUALITY caseIgnoreIA5Match
 SUBSTR caseIgnoreIA5SubstringsMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
 SINGLE-VALUE
 X-ORIGIN 'RFC 4519'
 X-DEPRECATED 'domaincomponent' )
 If you look into 99user.ldif, you'll see the wrong definition there.
 
 99user.ldif accumulates definitions coming from replication or updates.
 You can check other IPA masters, do they have 'dc' attribute defined in
 a wrong way?
 
 As far as I remember, the only modification I made was to disable
 read-only access without authentication.  I don’t need any other
 special customization.
 Something brought the wrong definition into your IPA masters.
 May be someone tried to add support for some old application?
 
 
 Probably caused by migration from 6.6 to 7.x. See 
 https://bugzilla.redhat.com/show_bug.cgi?id=1220788 Usually it doesn't cause 
 any issue but looks scary.

I confirm this was a migration from CentOS 6.6 to 7.1. Everything else worked 
just fine following the Red Hat migration procedure 
(https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html)

 
 I'd try to isolate entries from DS, CA, maybe also krb5kdc logs around the 
 time the following CA error happened (could be new start).
 
 [30/Jun/2015:10:02:14][localhost-startStop-1]: CMS:Caught EBaseException
 Internal Database Error encountered: Could not connect to LDAP server host 
 ipa.mydomain.org

I restarted IPA:

/var/log/pki/pki-tomcat/ca/debug:
[20/Jul/2015:18:12:17][localhost-startStop-1]: CMS:Caught EBaseException

/var/log/krb5kdc.log:
otp: Loaded
Jul 20 18:11:47 inf-ipa-2.numeezy.fr krb5kdc[16635](Error): preauth pkinit 
failed to initialize: No realms configured correctly for pkinit support
Jul 20 18:11:47 inf-ipa-2.numeezy.fr krb5kdc[16635](info): setting up network...
Jul 20 18:11:47 inf-ipa-2.numeezy.fr krb5kdc[16635](info): listening on fd 8: 
udp 0.0.0.0.88 (pktinfo)
krb5kdc: setsockopt(9,IPV6_V6ONLY,1) worked
krb5kdc: Invalid argument - Cannot request packet info for udp socket address 
:: port 88
Jul 20 18:11:47 inf-ipa-2.numeezy.fr krb5kdc[16635](info): skipping 
unrecognized local address family 17
Jul 20 18:11:47 inf-ipa-2.numeezy.fr krb5kdc[16635](info): skipping 
unrecognized local address family 17
krb5kdc: setsockopt(9,IPV6_V6ONLY,1) worked
Jul 20 18:11:47 inf-ipa-2.numeezy.fr krb5kdc[16635](info): listening on fd 9: 
udp fe80::250:56ff:fe93:357e%ens160.88
krb5kdc: setsockopt(10,IPV6_V6ONLY,1) worked
Jul 20 18:11:47 inf-ipa-2.numeezy.fr krb5kdc[16635](info): listening on fd 11: 
tcp 0.0.0.0.88
Jul 20 18:11:47 inf-ipa-2.numeezy.fr krb5kdc[16635](info): listening on fd 10: 
tcp ::.88
Jul 20 18:11:47 inf-ipa-2.numeezy.fr krb5kdc[16635](info): set up 4 sockets
Jul 20 18:11:47 inf-ipa-2.numeezy.fr krb5kdc[16636](info): commencing operation
Jul 20 18:11:48 inf-ipa-2.numeezy.fr krb5kdc[16636](info): AS_REQ (6 etypes {18 
17 16 23 25 26}) 37.59.203.176: NEEDED_PREAUTH: 
host/inf-ipa-2.numeezy...@numeezy.fr for krbtgt/numeezy...@numeezy.fr, 
Additional pre-authentication required
Jul 20 18:11:48 inf-ipa-2.numeezy.fr krb5kdc[16636](info): closing down fd 12
Jul 20 18:11:48 inf-ipa-2.numeezy.fr krb5kdc[16636](info): AS_REQ (6 etypes {18 
17 16 23 25 26}) 37.59.203.176: ISSUE: authtime 1437408708, etypes {rep=18 
tkt=18 ses=18}, host/inf-ipa-2.numeezy...@numeezy.fr for 
krbtgt/numeezy...@numeezy.fr
Jul 20 18:11:48 inf-ipa-2.numeezy.fr krb5kdc[16636](info): closing down fd 12
Jul 20 18:11:48 inf-ipa-2.numeezy.fr krb5kdc[16636](info): TGS_REQ (6 etypes 
{18 17 16 23 25 26}) 37.59.203.176: ISSUE: authtime 1437408708, etypes {rep=18 
tkt=18 ses=18}, host/inf-ipa-2.numeezy...@numeezy.fr for 
ldap/inf-ipa-2.numeezy...@numeezy.fr
Jul 20 18:11:48 inf-ipa-2.numeezy.fr krb5kdc[16636](info): closing down fd 12
Jul 20 18:11:48 inf-ipa-2.numeezy.fr krb5kdc[16636](info): AS_REQ (6 etypes {18 
17 16 23 25 26}) 37.59.203.176: NEEDED_PREAUTH: 
DNS/inf-ipa-2.numeezy...@numeezy.fr for krbtgt/numeezy...@numeezy.fr, 
Additional pre-authentication required
Jul 20 18:11:48
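Petr's suggestion above (isolate DS, CA and krb5kdc entries around the time of the CA error) and the CA debug log quoted in the 2015-06-30 message can be worked through with a small triage script. The following is an added example written for this thread, not code from FreeIPA or Dogtag: it walks the pki-tomcat debug log to find which subsystem was still initialising when the EBaseException was thrown and which LDAP host and port the CA could not reach, then pulls krb5kdc.log entries from a window around that timestamp. The sample log text is constructed to mirror the excerpts in the thread; hostnames, addresses and principals are placeholders.

```python
"""Triage a pki-tomcat CA debug log and pull krb5kdc.log entries from the same window.

Added example for this thread; not code from FreeIPA or Dogtag.  Sample log text
is constructed to mirror the excerpts quoted in the thread (hostnames and
principals are placeholders).
"""
import re
from datetime import datetime

# "[30/Jun/2015:10:02:14][localhost-startStop-1]: message"
CA_LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[[^\]]+\]:\s?(?P<msg>.*)$")
CA_INIT_RE = re.compile(r"CMSEngine: (initSubsystem|done init) id=(\w+)")
LDAP_ERR_RE = re.compile(r"Could not connect to LDAP server host (\S+) port (\d+) Error (.*)")
# "Jul 20 18:11:47 host krb5kdc[16635](Error): message"
KDC_LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ krb5kdc\[\d+\]\((?P<level>\w+)\): (?P<msg>.*)$")


def triage_ca_debug(text):
    """Walk the CA debug log in order and return:
    initialized  - subsystems that logged 'done init', in order
    in_progress  - subsystem whose initSubsystem never reached 'done init'
    exception_at - datetime of the first 'CMS:Caught EBaseException'
    ldap_target  - (host, port) from the 'Could not connect to LDAP server' text
    ldap_error   - trailing error string from that text
    The exception detail is logged on the following, un-stamped line, so lines
    without a timestamp prefix are treated as continuations."""
    r = {"initialized": [], "in_progress": None, "exception_at": None,
         "ldap_target": None, "ldap_error": None}
    ts = None
    for raw in text.splitlines():
        m = CA_LINE_RE.match(raw)
        if m:
            ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S")
        msg = m.group("msg") if m else raw.strip()
        im = CA_INIT_RE.search(msg)
        if im:
            phase, sid = im.groups()
            if phase == "initSubsystem":
                r["in_progress"] = sid
            else:
                r["initialized"].append(sid)
                if r["in_progress"] == sid:
                    r["in_progress"] = None
        elif "CMS:Caught EBaseException" in msg and r["exception_at"] is None:
            r["exception_at"] = ts
        else:
            lm = LDAP_ERR_RE.search(msg)
            if lm and r["ldap_target"] is None:
                r["ldap_target"] = (lm.group(1), int(lm.group(2)))
                r["ldap_error"] = lm.group(3).strip()
    return r


def kdc_entries_near(text, when, window_s=60):
    """krb5kdc.log entries within +/- window_s seconds of `when`, plus every
    (Error)-level entry regardless of time.  syslog-style stamps carry no year,
    so the year of `when` is assumed (wrong across a New Year boundary)."""
    near, errors = [], []
    for raw in text.splitlines():
        m = KDC_LINE_RE.match(raw)
        if not m:  # e.g. bare 'krb5kdc: setsockopt(...) worked' lines
            continue
        ts = datetime.strptime(f"{when.year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        if m.group("level") == "Error":
            errors.append(m.group("msg"))
        if abs((ts - when).total_seconds()) <= window_s:
            near.append((ts, m.group("level"), m.group("msg")))
    return near, errors


# Constructed samples mirroring the thread's excerpts.
SAMPLE_CA_DEBUG = """\
[20/Jul/2015:18:12:16][localhost-startStop-1]: CMSEngine: done init id=debug
[20/Jul/2015:18:12:16][localhost-startStop-1]: CMSEngine: initSubsystem id=log
[20/Jul/2015:18:12:16][localhost-startStop-1]: CMSEngine: done init id=log
[20/Jul/2015:18:12:17][localhost-startStop-1]: CMSEngine: initSubsystem id=jss
[20/Jul/2015:18:12:17][localhost-startStop-1]: CMSEngine: done init id=jss
[20/Jul/2015:18:12:17][localhost-startStop-1]: CMSEngine: initSubsystem id=dbs
[20/Jul/2015:18:12:17][localhost-startStop-1]: CMSEngine: ready to init id=dbs
[20/Jul/2015:18:12:17][localhost-startStop-1]: LdapBoundConnFactory: init
[20/Jul/2015:18:12:17][localhost-startStop-1]: CMS:Caught EBaseException
Internal Database Error encountered: Could not connect to LDAP server host ipa.example.test port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
        at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:658)
"""
SAMPLE_KDC_LOG = """\
Jul 20 17:00:00 ipa.example.test krb5kdc[16600](info): commencing operation
Jul 20 18:11:47 ipa.example.test krb5kdc[16635](Error): preauth pkinit failed to initialize: No realms configured correctly for pkinit support
Jul 20 18:11:47 ipa.example.test krb5kdc[16635](info): listening on fd 8: udp 0.0.0.0.88 (pktinfo)
krb5kdc: setsockopt(9,IPV6_V6ONLY,1) worked
Jul 20 18:11:48 ipa.example.test krb5kdc[16636](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.10: NEEDED_PREAUTH: host/ipa.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
"""

if __name__ == "__main__":
    r = triage_ca_debug(SAMPLE_CA_DEBUG)
    print(f"CA init completed: {r['initialized']}; stuck in: {r['in_progress']}")
    print(f"exception at {r['exception_at']}; LDAP target {r['ldap_target']}: {r['ldap_error']}")
    near, errors = kdc_entries_near(SAMPLE_KDC_LOG, r["exception_at"])
    print(f"{len(near)} krb5kdc entries within 60s; KDC errors: {errors}")
```

The value of the pass is the ordering it recovers: every subsystem before dbs logged "done init", so Tomcat and the CA engine did start and the failure is the CA's own LDAPS client connection to the directory server on port 636, which narrows the next check to that TLS listener and the trust of the CA's client certificate. The KDC window is there because the thread's krb5kdc.log shows a pkinit initialisation error at the same restart; the helper makes such coincidences visible without implying they share a cause.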

Re: [Freeipa-users] Failed to start pki-tomcatd Service

2015-07-16 Thread Alexandre Ellert

 On 16 Jul 2015 at 09:29, Lukas Slebodnik lsleb...@redhat.com wrote:
 
 I had a similar issue on fedora 21 or fedora 22.
 The workarounds from freeipa ticket #4666 did not help for me either.
 I found out that there was some problem with upgrading dogtag configuration.
 
 You can try up ru upgrade manually. It might help you.
 [root@vm-114 ~]# rpm -q --scripts pki-server
 postinstall scriptlet (using /bin/sh):
 ## NOTE:  At this time, NO attempt has been made to update ANY PKI subsystem
 ##        from EITHER 'sysVinit' OR previous 'systemd' processes to the new
 ##        PKI deployment process
 
 echo "Upgrading server at `/bin/date`." >> /var/log/pki/pki-server-upgrade-10.2.4.log 2>&1
 /sbin/pki-server-upgrade --silent >> /var/log/pki/pki-server-upgrade-10.2.4.log 2>&1
 echo >> /var/log/pki/pki-server-upgrade-10.2.4.log 2>&1
 
systemctl daemon-reload
 
 
 In my case, it didn't help. So I updated freeipa to the latest version.
 then I install similar new freeipa on another machine. So I had functional
 dogtag. Then I tried to fix broken dogtag configuration using functional
 configuration from 2nd freeipa. I would definitely recommend to backup data
 from old freeipa before any manual updates.
 
 Maybe Fraser would have a better advice.
 
 LS

I tried the suggested solution with the pki-server-upgrade script, but it didn't 
fix it; the output was:
# cat /var/log/pki/pki-server-upgrade-10.1.2.log
Upgrading from version 10.1.2 to 10.1.2:
1. Add TLS Range Support

Upgrade complete.

I will try the second solution and install a fresh new IPA server to compare 
dogtag configuration.
Do you know which files/directories I should check?

Thanks for your help

Re: [Freeipa-users] Failed to start pki-tomcatd Service

2015-07-10 Thread Alexandre Ellert

 On 30 Jun 2015 at 10:16, Alexandre Ellert aell...@numeezy.com wrote:
 
 
 Could you please provide the content of logfile:
 `/var/log/pki/pki-tomcat/ca/debug', around the time the error
 occurs?
 
 Thanks,
 Fraser
 
 When the pki-tomcatd service is trying to start, I see this message in 
 /var/log/pki/pki-tomcat/ca/debug
 
 [30/Jun/2015:10:02:13][localhost-startStop-1]: 
 
 [30/Jun/2015:10:02:13][localhost-startStop-1]: =  DEBUG SUBSYSTEM 
 INITIALIZED   ===
 [30/Jun/2015:10:02:13][localhost-startStop-1]: 
 
 [30/Jun/2015:10:02:13][localhost-startStop-1]: CMSEngine: done init id=debug
 [30/Jun/2015:10:02:13][localhost-startStop-1]: CMSEngine: initialized debug
 [30/Jun/2015:10:02:13][localhost-startStop-1]: CMSEngine: initSubsystem id=log
 [30/Jun/2015:10:02:13][localhost-startStop-1]: CMSEngine: ready to init id=log
 [30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: done init id=log
 [30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: initialized log
 [30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: initSubsystem id=jss
 [30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: ready to init id=jss
 [30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: done init id=jss
 [30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: initialized jss
 [30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: initSubsystem id=dbs
 [30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: ready to init id=dbs
 [30/Jun/2015:10:02:14][localhost-startStop-1]: DBSubsystem: init()  
 mEnableSerialMgmt=true
 [30/Jun/2015:10:02:14][localhost-startStop-1]: LdapBoundConnFactory: init 
 [30/Jun/2015:10:02:14][localhost-startStop-1]: LdapBoundConnFactory:doCloning 
 true
 [30/Jun/2015:10:02:14][localhost-startStop-1]: LdapAuthInfo: init()
 [30/Jun/2015:10:02:14][localhost-startStop-1]: LdapAuthInfo: init begins
 [30/Jun/2015:10:02:14][localhost-startStop-1]: LdapAuthInfo: init ends
 [30/Jun/2015:10:02:14][localhost-startStop-1]: init: before makeConnection 
 errorIfDown is true
 [30/Jun/2015:10:02:14][localhost-startStop-1]: makeConnection: errorIfDown 
 true
 [30/Jun/2015:10:02:14][localhost-startStop-1]: LdapJssSSLSocket set client 
 auth cert nicknamesubsystemCert cert-pki-ca
 [30/Jun/2015:10:02:14][localhost-startStop-1]: CMS:Caught EBaseException
 Internal Database Error encountered: Could not connect to LDAP server host 
 ipa.mydomain.org port 636 Error 
 netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
   at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:658)
   at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:934)
   at 
 com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:865)
   at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:362)
   at com.netscape.certsrv.apps.CMS.init(CMS.java:189)
   at com.netscape.certsrv.apps.CMS.start(CMS.java:1585)
   at 
 com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:96)
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at 
 sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
   at 
 sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
   at java.lang.reflect.Method.invoke(Method.java:606)
   at 
 org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
   at 
 org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
   at java.security.AccessController.doPrivileged(Native Method)
   at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
   at 
 org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
   at 
 org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
   at 
 org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
   at 
 org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272)
   at 
 org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)
   at 
 org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087)
   at 
 org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210)
   at 
 org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493)
   at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
   at 
 org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
   at 
 org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
   at 
 org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
   at 
 org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
   at java.security.AccessController.doPrivileged(Native Method

Re: [Freeipa-users] Failed to start pki-tomcatd Service

2015-07-09 Thread Alexandre Ellert
2015-06-29 19:37 GMT+02:00 Alexandre Ellert aell...@numeezy.com:
 Hello,

 I have a problem on a replica server running CentOS 7.1 and ipa 
 4.1.0-18.el7.centos.3.x86_64 (latest version).
 The IPA server doesn't restart correctly (using systemctl restart ipa or rebooting 
 the whole server):
 # ipactl status
 Directory Service: STOPPED
 Directory Service must be running in order to obtain status of other services
 ipa: INFO: The ipactl command was successful

 and I have to force the start process :
 # ipactl start -f
 Existing service file detected!
 Assuming stale, cleaning and proceeding
 Starting Directory Service
 Starting krb5kdc Service
 Starting kadmin Service
 Starting named Service
 Starting ipa_memcached Service
 Starting httpd Service
 Starting pki-tomcatd Service


 Failed to start pki-tomcatd Service
 Forced start, ignoring pki-tomcatd Service, continuing normal operation
 Starting ipa-otpd Service
 ipa: INFO: The ipactl command was successful

 But, as you can see, pki-tomcatd is unable to start.
 I started looking at /var/log/pki/pki-tomcat/localhost.2015-06-29.log and 
 found this error :
 Jun 29, 2015 7:33:12 PM org.apache.catalina.core.StandardWrapperValve invoke
 SEVERE: Servlet.service() for servlet [caProfileSubmit] in context with path 
 [/ca] threw exception
 java.io.IOException: CS server is not ready to serve.
 at 
 com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:443)
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
 at sun.reflect.GeneratedMethodAccessor32.invoke(Unknown Source)
 at 
 sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
 at java.lang.reflect.Method.invoke(Method.java:606)
 at 
 org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
 at 
 org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
 at java.security.AccessController.doPrivileged(Native Method)
 at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
 at 
 org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
 at 
 org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
 at 
 org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
 at 
 org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
 at 
 org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
 at 
 org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
 at java.security.AccessController.doPrivileged(Native Method)
 at 
 org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
 at 
 org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
 at sun.reflect.GeneratedMethodAccessor31.invoke(Unknown Source)
 at 
 sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
 at java.lang.reflect.Method.invoke(Method.java:606)
 at 
 org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
 at 
 org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
 at java.security.AccessController.doPrivileged(Native Method)
 at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
 at 
 org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
 at 
 org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:249)
 at 
 org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
 at 
 org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
 at 
 org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
 at 
 org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
 at java.security.AccessController.doPrivileged(Native Method)
 at 
 org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
 at 
 org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
 at 
 org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
 at 
 org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
 at 
 org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
 at 
 org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
 at 
 org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
 at 
 org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
 at 
 org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408

Re: [Freeipa-users] Failed to start pki-tomcatd Service

2015-06-30 Thread Alexandre Ellert

 Could you please provide the content of logfile:
 `/var/log/pki/pki-tomcat/ca/debug', around the time the error
 occurs?
 
 Thanks,
 Fraser

When the pki-tomcatd service is trying to start, I see this message in 
/var/log/pki/pki-tomcat/ca/debug

[30/Jun/2015:10:02:13][localhost-startStop-1]: 

[30/Jun/2015:10:02:13][localhost-startStop-1]: =  DEBUG SUBSYSTEM 
INITIALIZED   ===
[30/Jun/2015:10:02:13][localhost-startStop-1]: 

[30/Jun/2015:10:02:13][localhost-startStop-1]: CMSEngine: done init id=debug
[30/Jun/2015:10:02:13][localhost-startStop-1]: CMSEngine: initialized debug
[30/Jun/2015:10:02:13][localhost-startStop-1]: CMSEngine: initSubsystem id=log
[30/Jun/2015:10:02:13][localhost-startStop-1]: CMSEngine: ready to init id=log
[30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: done init id=log
[30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: initialized log
[30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: initSubsystem id=jss
[30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: ready to init id=jss
[30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: done init id=jss
[30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: initialized jss
[30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: initSubsystem id=dbs
[30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: ready to init id=dbs
[30/Jun/2015:10:02:14][localhost-startStop-1]: DBSubsystem: init()  
mEnableSerialMgmt=true
[30/Jun/2015:10:02:14][localhost-startStop-1]: LdapBoundConnFactory: init 
[30/Jun/2015:10:02:14][localhost-startStop-1]: LdapBoundConnFactory:doCloning 
true
[30/Jun/2015:10:02:14][localhost-startStop-1]: LdapAuthInfo: init()
[30/Jun/2015:10:02:14][localhost-startStop-1]: LdapAuthInfo: init begins
[30/Jun/2015:10:02:14][localhost-startStop-1]: LdapAuthInfo: init ends
[30/Jun/2015:10:02:14][localhost-startStop-1]: init: before makeConnection 
errorIfDown is true
[30/Jun/2015:10:02:14][localhost-startStop-1]: makeConnection: errorIfDown true
[30/Jun/2015:10:02:14][localhost-startStop-1]: LdapJssSSLSocket set client auth 
cert nicknamesubsystemCert cert-pki-ca
[30/Jun/2015:10:02:14][localhost-startStop-1]: CMS:Caught EBaseException
Internal Database Error encountered: Could not connect to LDAP server host 
ipa.mydomain.org port 636 Error netscape.ldap.LDAPException: IO Error creating 
JSS SSL Socket (-1)
at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:658)
at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:934)
at 
com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:865)
at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:362)
at com.netscape.certsrv.apps.CMS.init(CMS.java:189)
at com.netscape.certsrv.apps.CMS.start(CMS.java:1585)
at 
com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:96)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at 
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
at 
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
at 
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
at 
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
at 
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
at 
org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272)
at 
org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)
at 
org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087)
at 
org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210)
at 
org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
at 
org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
at 
org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
at 
org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
at 
org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
at java.security.AccessController.doPrivileged(Native Method)
at 
org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
at 

[Freeipa-users] Failed to start pki-tomcatd Service

2015-06-29 Thread Alexandre Ellert
Hello,

I have a problem on a replica server running CentOS 7.1 and ipa 
4.1.0-18.el7.centos.3.x86_64 (latest version).
The IPA server doesn't restart correctly (using systemctl restart ipa or rebooting 
the whole server):
# ipactl status
Directory Service: STOPPED
Directory Service must be running in order to obtain status of other services
ipa: INFO: The ipactl command was successful

and I have to force the start process :
# ipactl start -f
Existing service file detected!
Assuming stale, cleaning and proceeding
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting ipa_memcached Service
Starting httpd Service
Starting pki-tomcatd Service


Failed to start pki-tomcatd Service
Forced start, ignoring pki-tomcatd Service, continuing normal operation
Starting ipa-otpd Service
ipa: INFO: The ipactl command was successful

But, as you can see, pki-tomcatd is unable to start.
I started looking at /var/log/pki/pki-tomcat/localhost.2015-06-29.log and found 
this error :
Jun 29, 2015 7:33:12 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [caProfileSubmit] in context with path 
[/ca] threw exception
java.io.IOException: CS server is not ready to serve.
at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:443)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
at sun.reflect.GeneratedMethodAccessor32.invoke(Unknown Source)
at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at 
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
at 
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
at 
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
at 
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
at 
org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
at 
org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
at 
org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
at java.security.AccessController.doPrivileged(Native Method)
at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
at 
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at sun.reflect.GeneratedMethodAccessor31.invoke(Unknown Source)
at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at 
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
at 
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
at 
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
at 
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:249)
at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
at 
org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
at 
org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
at 
org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
at java.security.AccessController.doPrivileged(Native Method)
at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
at 
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
at 
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at 
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
at 
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
at 
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at 
org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
at 
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at 
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
at 
org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
at 

Re: [Freeipa-users] named failure: REQUIRE(pthread_kill(ldap_inst->watcher...) failed

2014-01-07 Thread Alexandre Ellert
 You have to adapt the example to your environment:
 LDAP search base should be cn=dns, dc=ivscloud, dc=local
 
  $ ldapsearch -Y GSSAPI -b 'cn=dns,dc=example,dc=com' 
 '(objectClass=idnsConfigObject)'
 [...]
  # search result
  search: 4
  result: 32 No such object

My mistake, here is the result :

ldapsearch -Y GSSAPI -b 'cn=dns,dc=ivscloud,dc=local' 
'(objectClass=idnsConfigObject)'
SASL/GSSAPI authentication started
SASL username: admin@IVSCLOUD.LOCAL
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base cn=dns,dc=ivscloud,dc=local with scope subtree
# filter: (objectClass=idnsConfigObject)
# requesting: ALL
#

# dns, ivscloud.local
dn: cn=dns,dc=ivscloud,dc=local
objectClass: idnsConfigObject
objectClass: nsContainer
objectClass: top
cn: dns

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1

 
 Anyway, your configuration in /etc/named.conf seems correct.
 
 Please let us know if you are able to reproduce the crash, I don't see a way 
 how to fix it without a reproducer.

I don't know how to reproduce it. Maybe I could put '/sbin/service named 
reload' in a cron job and see if it crashes.

 
 Have a nice day!
 
 -- 
 Petr^2 Spacek


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] named failure: REQUIRE(pthread_kill(ldap_inst->watcher...) failed

2014-01-06 Thread Alexandre Ellert
 We need more information about your configuration. Please add details 
 mentioned at
 
 https://fedorahosted.org/bind-dyndb-ldap/wiki/BugReporting#Aboutyouroperatingsystemdistribution

 
 and
 
 https://fedorahosted.org/bind-dyndb-ldap/wiki/BugReporting#Abouttheplugin

What distribution/version/architecture you use?
 Centos 6.5 (2.6.32-431.el6.x86_64) up to date
What plugin version you use?
 bind-dyndb-ldap-2.3-5.el6.x86_64
Do you use bind-dyndb-ldap as part of FreeIPA installation?
 Yes
Which version of BIND you use ?
 bind-9.8.2-0.17.rc1.el6_4.6.x86_64
Please provide the dynamic-db section from the configuration file /etc/named.conf:
 dynamic-db "ipa" {
        library "ldap.so";
        arg "uri ldapi://%2fvar%2frun%2fslapd-IVSCLOUD-LOCAL.socket";
        arg "base cn=dns, dc=ivscloud,dc=local";
        arg "fake_mname ipa-master.ivscloud.local.";
        arg "auth_method sasl";
        arg "sasl_mech GSSAPI";
        arg "sasl_user DNS/ipa-master.ivscloud.local";
        arg "zone_refresh 0";
        arg "psearch yes";
        arg "serial_autoincrement yes";
        arg "connections 4";
 };
Do you have some other text based or DLZ zones configured?
 no
Do you have some global forwarders configured in BIND configuration file?
 no
 options {
[…]

forward first;
forwarders { };

  […]
 };
Do you have some settings in global configuration object in LDAP?
 no (not sure)
 $ ldapsearch -Y GSSAPI -b 'cn=dns,dc=example,dc=com' 
'(objectClass=idnsConfigObject)'
 SASL/GSSAPI authentication started
 SASL username: admin@IVSCLOUD.LOCAL
 SASL SSF: 56
 SASL data security layer installed.
 # extended LDIF
 #
 # LDAPv3
 # base cn=dns,dc=example,dc=com with scope subtree
 # filter: (objectClass=idnsConfigObject)
 # requesting: ALL
 #

 # search result
 search: 4
 result: 32 No such object

 # numResponses: 1

 Do you see any messages complaining about broken connection or something like 
 that? Did the server work fine before the reload?
The server worked fine before the reload (caused by logrotate).
I've searched the log files /var/log/dirsrv/* and /var/log/messages but didn't find 
anything interesting.

Thanks for your help




[Freeipa-users] named failure

2013-12-30 Thread Alexandre Ellert
Hi,

Last night, named crashed on my IPA server (Centos 6.5):

Dec 29 02:27:02 ipa-master named[1537]: received control channel command 
'reload'
Dec 29 02:27:03 ipa-master named[1537]: ldap_helper.c:640: 
REQUIRE(pthread_kill(ldap_inst->watcher, 10) == 0) failed, back trace
Dec 29 02:27:03 ipa-master named[1537]: #0 0x7f6f443a0eff in ??
Dec 29 02:27:03 ipa-master named[1537]: #1 0x7f6f42d0c89a in ??
Dec 29 02:27:03 ipa-master named[1537]: #2 0x7f6f3e48acbf in ??
Dec 29 02:27:03 ipa-master named[1537]: #3 0x7f6f3e48efd6 in ??
Dec 29 02:27:03 ipa-master named[1537]: #4 0x7f6f3e48f591 in ??
Dec 29 02:27:03 ipa-master named[1537]: #5 0x7f6f43bfca54 in ??
Dec 29 02:27:03 ipa-master named[1537]: #6 0x7f6f443c1b87 in ??
Dec 29 02:27:03 ipa-master named[1537]: #7 0x7f6f443c4726 in ??
Dec 29 02:27:03 ipa-master named[1537]: #8 0x7f6f443c4b36 in ??
Dec 29 02:27:03 ipa-master named[1537]: #9 0x7f6f443c4cf8 in ??
Dec 29 02:27:03 ipa-master named[1537]: #10 0x7f6f44399f55 in ??
Dec 29 02:27:03 ipa-master named[1537]: #11 0x7f6f4439d616 in ??
Dec 29 02:27:03 ipa-master named[1537]: #12 0x7f6f42d2b2f8 in ??
Dec 29 02:27:03 ipa-master named[1537]: #13 0x7f6f426e09d1 in ??
Dec 29 02:27:03 ipa-master named[1537]: #14 0x7f6f41c41b6d in ??
Dec 29 02:27:03 ipa-master named[1537]: exiting (due to assertion failure)

DNS was set up at installation time and I haven't noticed any problem since this 
server went into production (several months ago).

Can you please advise on how to investigate the root cause of this 
crash?
Should I worry about that or is this just an isolated case?

Thanks for your support.

Alexandre.

[Freeipa-users] Cross-realm trust with AD and ssh keys management

2013-09-24 Thread Alexandre Ellert
Hi,

I've successfully set up a testing environment with an IPA server (RHEL 6.4) and 
a cross-realm trust with my Active Directory (Win2008 R2).
Authentication works both with AD passwords and Kerberos GSS-API.

Now, I'm trying to find a way to manage ssh keys which belong to AD users. It 
seems that I can do that only with users declared in the IPA domain.
Can you confirm that?
Does the winsync method provide a way to add an ssh key to an AD user?

Your suggestions are welcome.

Thanks.

Alexandre.



[Freeipa-users] sudo rule applied to a host group

2013-08-13 Thread Alexandre Ellert
Hi,

I'm trying to get a sudo rule working for a group of users; basically I want to 
allow all the developers (dev-users) to become root on the developers' servers 
(dev-servers).
When this rule is applied to a single host, all hosts or several named hosts, 
it works fine: dev-users can sudo without being prompted for a password (I have 
the sudo option !authenticate).
But if I apply the rule to the dev-servers group, it doesn't work: when a 
member of dev-users tries to sudo, it prompts for a password, and even if the password 
is correct, the password is asked again.

I use ipa-server-3.0.0-26.el6_4.4 on RHEL 6 and a custom Debian package for 
clients (based on freeipa 3.0.2).
I checked /etc/sudo-ldap.conf, /etc/nsswitch.conf and /etc/rc.local on the clients 
and everything seems correct.

Did I miss something?

Thanks for your help.

Alexandre.

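Since the rule works for named hosts but not for the host group, the check I would make is how the host group reaches the client. With sudo-ldap (as opposed to SSSD's sudo responder) the FreeIPA compat tree publishes a host group as a netgroup reference (`sudoHost: +dev-servers`), and the netgroup triples carry the IPA domain in their NIS domain field, so the client's NIS domain name (on RHEL 6 typically set with `nisdomainname` from /etc/rc.local, which is why that file is on the checklist) has to match for innetgr(3) to return a hit. The following added example, not FreeIPA code, models that matching with constructed hosts, rules and a netgroup, and shows the host-group rule silently disappearing when the NIS domain is wrong; that this is the cause in the thread above is my assumption.

```python
"""Evaluate sudo rules from the FreeIPA compat tree against a client host.

Added example, not FreeIPA code. It models how sudo-ldap matches sudoHost,
including the "+netgroup" form the compat plugin uses for IPA host groups,
with innetgr(3)-style triple matching. All entries and names are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Triple:
    """One NIS netgroup triple: (host, user, domain)."""
    host: str
    user: str
    domain: str


# Constructed: the compat plugin exposes IPA host group "dev-servers" as a
# netgroup whose triples carry the IPA domain in the NIS domain field.
NETGROUPS = {
    "dev-servers": (
        Triple("dev1.numeezy.fr", "-", "numeezy.fr"),
        Triple("dev2.numeezy.fr", "-", "numeezy.fr"),
    ),
}

# Constructed: three rules in the shape of compat-tree sudoRole entries.
RULES = [
    {"cn": "dev-root-one-host", "sudoHost": ["dev1.numeezy.fr"],
     "sudoUser": ["%dev-users"], "sudoCommand": ["ALL"],
     "sudoOption": ["!authenticate"]},
    {"cn": "dev-root-hostgroup", "sudoHost": ["+dev-servers"],
     "sudoUser": ["%dev-users"], "sudoCommand": ["ALL"],
     "sudoOption": ["!authenticate"]},
    {"cn": "admins-everywhere", "sudoHost": ["ALL"],
     "sudoUser": ["%admins"], "sudoCommand": ["ALL"], "sudoOption": []},
]


def _field_matches(entry_field, query):
    """innetgr(3) field rules: an empty entry field is a wildcard, '-' never
    matches, and a None query skips the comparison for that field."""
    if query is None or entry_field == "":
        return True
    if entry_field == "-":
        return False
    return entry_field.lower() == query.lower()


def innetgr(netgroup, host, user, domain, netgroups=NETGROUPS):
    """True if some triple of `netgroup` matches the (host, user, domain) query."""
    return any(
        _field_matches(t.host, host)
        and _field_matches(t.user, user)
        and _field_matches(t.domain, domain)
        for t in netgroups.get(netgroup, ())
    )


def host_matches(sudo_host, host, nis_domain):
    """Match one sudoHost value the way sudo-ldap does: ALL, a netgroup
    reference (+name, host and domain compared, user ignored), or a host name."""
    if sudo_host == "ALL":
        return True
    if sudo_host.startswith("+"):
        return innetgr(sudo_host[1:], host, None, nis_domain)
    return sudo_host.lower() == host.lower()


def rules_for_host(rules, host, nis_domain):
    """Names of the rules whose sudoHost matches this client."""
    return [r["cn"] for r in rules
            if any(host_matches(h, host, nis_domain) for h in r["sudoHost"])]


if __name__ == "__main__":
    # Correct NIS domain: the host-group rule is delivered.
    print(rules_for_host(RULES, "dev1.numeezy.fr", "numeezy.fr"))
    # NIS domain left at some default: the host-group rule disappears while
    # the single-host and ALL rules still apply, which is the symptom above.
    print(rules_for_host(RULES, "dev1.numeezy.fr", "localdomain"))
```

On a client that shows this symptom, compare the output of `nisdomainname` with the domain field of the triples returned by `getent netgroup dev-servers` before looking anywhere else.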


Re: [Freeipa-users] freeipa-client on Debian Wheezy

2013-07-19 Thread Alexandre Ellert

On 19 Jul 2013 at 10:20, Martin Kosek mko...@redhat.com wrote:

 On 07/19/2013 02:59 AM, Alexandre Ellert wrote:
 Hi,
 
 I have these 3 errors/warnings messages when I join a Debian client to a RHEL 
 6.4 server (ipa-server-3.0.0-26.el6_4.4.x86_64):
 
 => certmonger failed to stop: [Errno 2] No such file or directory: 
 '/var/run/ipa/services.list'
 There is no such file even on RHEL 6. What is this file?
 
 This was added in IPA 3.0.1 to fix a systemd hang so it does not exist in
 RHEL-6.4 which contains IPA 3.0. The deb package should just make sure the
 /var/run/ipa/ directory is there (or update debian platform file to override
 PlatformService class in ipapython/platform/base/__init__.py).

I managed to fix that and will soon update my repo with a new package version. 
Thanks for the information.

 
 => host_mod: KerbTransport instance has no attribute '_conn'
 What does that mean?
 
 This means that there was some issue with XMLRPC call to IPA server (the error
 message is indeed unfortunate) - does ipaclient-install.log contain more 
 details?

Unfortunately there are no more details in ipaclient-install.log; here is the 
relevant part:
2013-07-19T13:06:26Z INFO host_mod: KerbTransport instance has no attribute 
'_conn'
2013-07-19T13:06:26Z WARNING Failed to upload host SSH public keys.
Is there any way to get more debug logging?
In my opinion, the warning about ssh keys should not trigger here, because I can 
see them on my IPA server.

 
 => Failed to upload host SSH public keys.
 This is strange because the SSH keys are correctly uploaded!
 
 Here is the complete stack trace :
 ...
 
 HTH,
 Martin
 




Re: [Freeipa-users] freeipa-client on Debian Wheezy

2013-07-19 Thread Alexandre Ellert

On 19 Jul 2013 at 16:24, Martin Kosek mko...@redhat.com wrote:

 On 07/19/2013 03:28 PM, Alexandre Ellert wrote:
 
 On 19 Jul 2013 at 10:20, Martin Kosek mko...@redhat.com wrote:
 
 On 07/19/2013 02:59 AM, Alexandre Ellert wrote:
 Hi,
 
 I have these 3 errors/warnings messages when I join a Debian client to a 
 RHEL 6.4 server (ipa-server-3.0.0-26.el6_4.4.x86_64):
 
 => certmonger failed to stop: [Errno 2] No such file or directory: 
 '/var/run/ipa/services.list'
 There is no such file even on RHEL 6. What is this file?
 
 This was added in IPA 3.0.1 to fix a systemd hang so it does not exist in
 RHEL-6.4 which contains IPA 3.0. The deb package should just make sure the
 /var/run/ipa/ directory is there (or update debian platform file to override
 PlatformService class in ipapython/platform/base/__init__.py).
 
 I managed to fix that and will soon update my repo with a new package 
 version. Thanks for the information.
 
 
 => host_mod: KerbTransport instance has no attribute '_conn'
 What does that mean?
 
 This means that there was some issue with XMLRPC call to IPA server (the 
 error
 message is indeed unfortunate) - does ipaclient-install.log contain more 
 details?
 
 Unfortunately there are no more details in ipaclient-install.log; here is the 
 relevant part:
 2013-07-19T13:06:26Z INFO host_mod: KerbTransport instance has no attribute 
 '_conn'
 2013-07-19T13:06:26Z WARNING Failed to upload host SSH public keys.
 Is there any way to get more debug logging?
 In my opinion, the warning about ssh keys should not trigger here, because I can 
 see them on my IPA server.
 
 
 Are you sure the SSH keys aren't there from previous installation attempt or
 similar? The _conn generally means there was some problem with the connection
 to server in the xmlrpclib python library.

I can confirm that the SSH key upload is successful. I've done tests with a 
fresh install of Debian.
To be sure, I will create a new VM and try an ipa-client-install with the 
modifications you gave me.

 
 We need to find out what and why triggers it, a change in ipa-client-install
 script like below may shed more light on what is the source of the error:
 
 
 diff --git a/ipa-client/ipa-install/ipa-client-install
 b/ipa-client/ipa-install/ipa-client-install
 index 280edd7..f82b9f6 100755
 --- a/ipa-client/ipa-install/ipa-client-install
 +++ b/ipa-client/ipa-install/ipa-client-install
 @@ -1450,6 +1450,8 @@ def update_ssh_keys(server, hostname, ssh_dir, 
 create_sshfp):
 pass
 except StandardError, e:
 root_logger.info(host_mod: %s, str(e))
 +import traceback
 +traceback.print_exc()
 root_logger.warning(Failed to upload host SSH public keys.)
 return
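Review bot: `traceback.print_exc()` in the `except StandardError` handler writes to stderr rather than to `root_logger`, so the trace reaches the console but never ipaclient-install.log, which is where this thread went looking first; `root_logger.debug(traceback.format_exc())`, or `exc_info=True` on the existing `root_logger.info(...)` call, would keep it in the log alongside the "host_mod:" line. The `import traceback` placed inside the handler is fine for a one-off diagnostic but should move to the module imports if the change is kept.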
 
 
 Martin

Thanks
Alexandre




Re: [Freeipa-users] freeipa-client on Debian Wheezy

2013-07-19 Thread Alexandre Ellert
Here is the traceback:
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Forwarding 'host_mod' to server u'https://inf-ipa.numeezy.fr/ipa/xml'
host_mod: KerbTransport instance has no attribute '_conn'
Traceback (most recent call last):
  File /usr/sbin/ipa-client-install, line 1234, in update_ssh_keys
updatedns=False
  File /usr/lib/python2.7/dist-packages/ipalib/frontend.py, line 435, in 
__call__
ret = self.run(*args, **options)
  File /usr/lib/python2.7/dist-packages/ipalib/frontend.py, line 748, in run
return self.forward(*args, **options)
  File /usr/lib/python2.7/dist-packages/ipalib/frontend.py, line 769, in 
forward
return self.Backend.xmlclient.forward(self.name, *args, **kw)
  File /usr/lib/python2.7/dist-packages/ipalib/rpc.py, line 748, in forward
response = command(*xml_wrap(params))
  File /usr/lib/python2.7/xmlrpclib.py, line 1224, in __call__
return self.__send(self.__name, args)
  File /usr/lib/python2.7/xmlrpclib.py, line 1578, in __request
verbose=self.__verbose
  File /usr/lib/python2.7/dist-packages/ipalib/rpc.py, line 490, in request
self.close()
  File /usr/lib/python2.7/dist-packages/ipalib/rpc.py, line 457, in close
self._conn.close()
AttributeError: KerbTransport instance has no attribute '_conn'
Failed to upload host SSH public keys.

- Keys are correctly uploaded on the new VM.

On 19 Jul 2013 at 16:30, Alexandre Ellert aell...@numeezy.com wrote:

 
 On 19 Jul 2013 at 16:24, Martin Kosek mko...@redhat.com wrote:
 
 On 07/19/2013 03:28 PM, Alexandre Ellert wrote:
 
 On 19 Jul 2013 at 10:20, Martin Kosek mko...@redhat.com wrote:
 
 On 07/19/2013 02:59 AM, Alexandre Ellert wrote:
 Hi,
 
 I have these 3 errors/warnings message when I join a Debian client to a 
 RHEL 6.4 server (ipa-server-3.0.0-26.el6_4.4.x86_64):
 
 => certmonger failed to stop: [Errno 2] No such file or directory: 
 '/var/run/ipa/services.list'
 There is no such file even on RHEL 6. What is this file ?
 
 This was added in IPA 3.0.1 to fix a systemd hang so it does not exist in
 RHEL-6.4 which contains IPA 3.0. The deb package should just make sure the
 /var/run/ipa/ directory is there (or update debian platform file to 
 override
 PlatformService class in ipapython/platform/base/__init__.py).
 
 I managed to fix that and will update soon my repo with a new package 
 version. Thanks for the information.
 
 
 => host_mod: KerbTransport instance has no attribute '_conn'
 What does that mean ?
 
 This means that there was some issue with XMLRPC call to IPA server (the 
 error
 message is indeed unfortunate) - does ipaclient-install.log contain more 
 details?
 
 Unfortunately there is no more details in ipaclient-install.log, here is 
 the relevant part :
 2013-07-19T13:06:26Z INFO host_mod: KerbTransport instance has no attribute 
 '_conn'
 2013-07-19T13:06:26Z WARNING Failed to upload host SSH public keys.
 Is there any way to get more debug log ?
 In my opinion, warning about ssh keys should not trigger here, because I 
 can see them on my IPA server.
 
 
 Are you sure the SSH keys aren't there from previous installation attempt or
 similar? The _conn generally means there was some problem with the connection
 to server in the xmlrpclib python library.
 
 I can confirm you that SSH key upload is successful. I've done tests with a 
 fresh install of Debian.
 To be sure, I will create a new VM and try an ipa-client-install with 
 modifications you give me.
 
 
 We need to find out what and why triggers it, a change in ipa-client-install
 script like below may shed more light on what is the source of the error:
 
 
 diff --git a/ipa-client/ipa-install/ipa-client-install
 b/ipa-client/ipa-install/ipa-client-install
 index 280edd7..f82b9f6 100755
 --- a/ipa-client/ipa-install/ipa-client-install
 +++ b/ipa-client/ipa-install/ipa-client-install
 @@ -1450,6 +1450,8 @@ def update_ssh_keys(server, hostname, ssh_dir, 
 create_sshfp):
pass
except StandardError, e:
root_logger.info(host_mod: %s, str(e))
 +import traceback
 +traceback.print_exc()
root_logger.warning(Failed to upload host SSH public keys.)
return
 
 
 Martin
 
 Thanks
 Alexandre
 
 


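The traceback above shows `close()` doing `self._conn.close()` on a transport instance that never had `_conn` assigned, and it is raised from the clean-up inside `request()`. That is consistent with the RPC itself having completed before the client-side clean-up failed, which is how the keys can be on the server while the install reports a failed upload. As an added example, not ipalib code, here is that failure shape next to the defensive version: initialise the attribute in `__init__`, and detach it before closing so that a second close is a no-op. The connection object is a stand-in.

```python
"""Why a clean-up step can report failure after the RPC itself succeeded.

Added example, not ipalib code. The two transports are stand-ins modelled on
the traceback in the thread: request() does its work and then calls close(),
and close() dereferences self._conn.
"""


class FakeConnection:
    """Stand-in for an HTTP connection; counts how often it was closed."""

    def __init__(self):
        self.close_calls = 0

    def close(self):
        self.close_calls += 1


class FragileTransport:
    """_conn is only assigned on the code path that opens a connection, but
    close() assumes it always exists (the shape of the AttributeError above)."""

    def __init__(self):
        self.calls_completed = 0

    def request(self):
        # Constructed: the RPC call completes (the server has already applied
        # the change) ...
        self.calls_completed += 1
        # ... and only the clean-up afterwards fails, because nothing on this
        # path ever set self._conn.
        self.close()

    def close(self):
        self._conn.close()


class SafeTransport:
    """Initialise the attribute up front and make close() idempotent."""

    def __init__(self):
        self._conn = None
        self.last_conn = None
        self.calls_completed = 0

    def request(self):
        self._conn = self.last_conn = FakeConnection()
        self.calls_completed += 1
        self.close()

    def close(self):
        conn, self._conn = self._conn, None   # detach first: a repeat close is a no-op
        if conn is not None:
            conn.close()


def attempt(transport):
    """Run one request; return (calls completed, exception name or None)."""
    try:
        transport.request()
    except AttributeError as exc:
        return transport.calls_completed, type(exc).__name__
    return transport.calls_completed, None


def close_error(transport):
    """Call close() on a transport as it is; return the exception name or None."""
    try:
        transport.close()
    except AttributeError as exc:
        return type(exc).__name__
    return None


def safe_lifecycle():
    """One request on a SafeTransport followed by two extra close() calls:
    returns (attempt result, the two close outcomes, closes seen by the connection)."""
    transport = SafeTransport()
    result = attempt(transport)
    extra = (close_error(transport), close_error(transport))
    return result, extra, transport.last_conn.close_calls


if __name__ == "__main__":
    print("fragile:", attempt(FragileTransport()))   # work done, then AttributeError
    print("safe:   ", safe_lifecycle())               # work done, repeat closes harmless
```

The point for anyone reading install logs: a failure raised from clean-up after the call is not evidence that the call failed, so check the server-side state (here, `ipa host-show` for the SSH keys) before treating the warning as the real error.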


Re: [Freeipa-users] freeipa-client on Debian Wheezy

2013-07-19 Thread Alexandre Ellert
Sorry, my mistake.
I removed all the patches from RHEL and just kept 
0053-Cookie-Expires-date-should-be-locale-insensitive.patch.
Everything seems fine now.
I'm going to test.

Thanks for your help


On 19 Jul 2013 at 17:53, Alexandre Ellert aell...@numeezy.com wrote:

 It's based on 3.0.2 with 1011-xmlrpc_response.patch (found in 
 ipa-3.0.0-26.el6_4.4.src.rpm) and self._conn.close() is added by this patch. 
 I included it because it corrects this problem:
 unable to parse cookie header 'ipa_session=83701130bf434d20cf8c5a3fe2a0ac56; 
 Domain=inf-ipa.numeezy.fr; Path=/ipa; Expires=Fri, 19 Jul 2013 16:08:31 GMT; 
 Secure; HttpOnly': unable to parse expires datetime 'Fri, 19 Jul 2013 
 16:08:31'
 
 
 On 19 Jul 2013 at 17:08, Martin Kosek mko...@redhat.com wrote:
 
 Thanks, this should help. Maybe the IPA just tries to close the connection
 twice _after_ keys were uploaded to the server.
 
 Anyway, what version of IPA software is the Debian package based on? I cannot
 find line self._conn.close() in ipalib/rpc.py in any of our active 
 branches.
 
 Martin
 
 On 07/19/2013 05:03 PM, Alexandre Ellert wrote:
 Here is the traceback :
 Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
 Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
 Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
 Forwarding 'host_mod' to server u'https://inf-ipa.numeezy.fr/ipa/xml'
 host_mod: KerbTransport instance has no attribute '_conn'
 Traceback (most recent call last):
 File /usr/sbin/ipa-client-install, line 1234, in update_ssh_keys
   updatedns=False
 File /usr/lib/python2.7/dist-packages/ipalib/frontend.py, line 435, in 
 __call__
   ret = self.run(*args, **options)
 File /usr/lib/python2.7/dist-packages/ipalib/frontend.py, line 748, in run
   return self.forward(*args, **options)
 File /usr/lib/python2.7/dist-packages/ipalib/frontend.py, line 769, in 
 forward
   return self.Backend.xmlclient.forward(self.name, *args, **kw)
 File /usr/lib/python2.7/dist-packages/ipalib/rpc.py, line 748, in forward
   response = command(*xml_wrap(params))
 File /usr/lib/python2.7/xmlrpclib.py, line 1224, in __call__
   return self.__send(self.__name, args)
 File /usr/lib/python2.7/xmlrpclib.py, line 1578, in __request
   verbose=self.__verbose
 File /usr/lib/python2.7/dist-packages/ipalib/rpc.py, line 490, in request
   self.close()
 File /usr/lib/python2.7/dist-packages/ipalib/rpc.py, line 457, in close
   self._conn.close()
 AttributeError: KerbTransport instance has no attribute '_conn'
 Failed to upload host SSH public keys.
 
 - Key are correctly uploaded on the new VM.
 
 On 19 Jul 2013 at 16:30, Alexandre Ellert aell...@numeezy.com wrote:
 
 
 On 19 Jul 2013 at 16:24, Martin Kosek mko...@redhat.com wrote:
 
 On 07/19/2013 03:28 PM, Alexandre Ellert wrote:
 
 On 19 Jul 2013 at 10:20, Martin Kosek mko...@redhat.com wrote:
 
 On 07/19/2013 02:59 AM, Alexandre Ellert wrote:
 Hi,
 
 I have these 3 errors/warnings message when I join a Debian client to 
 a RHEL 6.4 server (ipa-server-3.0.0-26.el6_4.4.x86_64):
 
 => certmonger failed to stop: [Errno 2] No such file or directory: 
 '/var/run/ipa/services.list'
 There is no such file even on RHEL 6. What is this file ?
 
 This was added in IPA 3.0.1 to fix a systemd hang so it does not exist 
 in
 RHEL-6.4 which contains IPA 3.0. The deb package should just make sure 
 the
 /var/run/ipa/ directory is there (or update debian platform file to 
 override
 PlatformService class in ipapython/platform/base/__init__.py).
 
 I managed to fix that and will update soon my repo with a new package 
 version. Thanks for the information.
 
 
 => host_mod: KerbTransport instance has no attribute '_conn'
 What does that mean ?
 
 This means that there was some issue with XMLRPC call to IPA server 
 (the error
 message is indeed unfortunate) - does ipaclient-install.log contain 
 more details?
 
 Unfortunately there is no more details in ipaclient-install.log, here is 
 the relevant part :
 2013-07-19T13:06:26Z INFO host_mod: KerbTransport instance has no 
 attribute '_conn'
 2013-07-19T13:06:26Z WARNING Failed to upload host SSH public keys.
 Is there any way to get more debug log ?
 In my opinion, warning about ssh keys should not trigger here, because I 
 can see them on my IPA server.
 
 
 Are you sure the SSH keys aren't there from previous installation attempt 
 or
 similar? The _conn generally means there was some problem with the 
 connection
 to server in the xmlrpclib python library.
 
 I can confirm you that SSH key upload is successful. I've done tests with 
 a fresh install of Debian.
 To be sure, I will create a new VM and try an ipa-client-install with 
 modifications you give me.
 
 
 We need to find out what and why triggers it, a change in 
 ipa-client-install
 script like below may shed more light on what is the source of the error:
 
 
 diff --git a/ipa-client/ipa-install/ipa-client-install
 b/ipa-client/ipa-install/ipa-client-install
 index 280edd7..f82b9f6

Re: [Freeipa-users] freeipa-client on Debian Wheezy

2013-07-18 Thread Alexandre Ellert
I've made packages for Debian Wheezy (currently only amd64). The goal is to 
have a fully functional client compatible with a Centos/RHEL 6.4 freeipa 
server 3.0.0.
Currently, domain join, ssh key upload, certificate enrollment and sudo 
integration work in my environment.

If you want to test, just add this to /etc/apt/sources.list:
deb http://apt.numeezy.fr wheezy main
deb-src http://apt.numeezy.fr wheezy main
and import my GPG key:
# wget -qO - http://apt.numeezy.fr/numeezy.asc | sudo apt-key add -
Then, install the package named freeipa-client.
You can also download the source using: apt-get source freeipa.

Feel free to contact me if you have any issue using this package.

PS: I've based my work on the package done by Timo Aaltonen for Ubuntu. Thanks to 
him for his excellent work!

Alexandre

On 15 Jul 2013 at 08:37, Petr Spacek pspa...@redhat.com wrote:

 On 12.7.2013 19:57, Alexandre Ellert wrote:
 Thanks for pointing out that bug; compilation succeeded after adding 
 X-Python-Version: 2.7 to the debian/control file.
 Now, testing functionality...
 I can give you some feedback if you want (I'm new here. Are there only 
 RHEL/Fedora users on this mailing list?)
 
 This list is not Fedora/RHEL specific. We are glad to hear about ports to 
 other distributions, please continue! :-)
 
 -- 
 Petr^2 Spacek
 




Re: [Freeipa-users] freeipa-client on Debian Wheezy

2013-07-18 Thread Alexandre Ellert
Hi,

I have these 3 errors/warnings messages when I join a Debian client to a RHEL 
6.4 server (ipa-server-3.0.0-26.el6_4.4.x86_64):

=> certmonger failed to stop: [Errno 2] No such file or directory: 
'/var/run/ipa/services.list'
There is no such file even on RHEL 6. What is this file?
=> host_mod: KerbTransport instance has no attribute '_conn'
What does that mean?
=> Failed to upload host SSH public keys.
This is strange because the SSH keys are correctly uploaded!

Here is the complete stack trace:
Server:
ipa host-add test1.numeezy.fr --platform="VMware, Inc." --os="Debian GNU/Linux 
7.1 (wheezy)" --password=OTP_password

Client:
# ipa-client-install --server=inf-ipa.numeezy.fr --hostname=test1.numeezy.fr 
--domain=numeezy.fr --realm=NUMEEZY.FR --password=OTP_password --no-ntp 
--unattended 
Hostname: test1.numeezy.fr
Realm: NUMEEZY.FR
DNS Domain: numeezy.fr
IPA Server: inf-ipa.numeezy.fr
BaseDN: dc=numeezy,dc=fr
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please 
check that 123 UDP port is opened.
Enrolled in IPA realm NUMEEZY.FR
Created /etc/ipa/default.conf
Domain numeezy.fr is already configured in existing SSSD config, creating a new 
one.
The old /etc/sssd/sssd.conf is backed up and will be restored during uninstall.
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm NUMEEZY.FR
trying https://inf-ipa.numeezy.fr/ipa/xml
certmonger failed to stop: [Errno 2] No such file or directory: 
'/var/run/ipa/services.list'
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Forwarding 'host_mod' to server u'https://inf-ipa.numeezy.fr/ipa/xml'
host_mod: KerbTransport instance has no attribute '_conn'
Failed to upload host SSH public keys.

Please let me know if more information is needed and thanks in advance for your 
help.

Regards,

Alexandre
 
On 18 Jul 2013 at 19:49, Arthur art...@deus.pro wrote:

 On Fri, 12 Jul 2013 19:57:09 +0200
 Alexandre Ellert aell...@numeezy.com wrote:
 
 Thanks for pointing out that bug; compilation succeeded after adding
 X-Python-Version: 2.7 to the debian/control file. Now, testing
 functionality... I can give you some feedback if you want (I'm new
 here. Are there only RHEL/Fedora users on this mailing list?)
 
 On 12 Jul 2013 at 19:36, Alexander Bokovoy aboko...@redhat.com wrote:
 
 On Fri, 12 Jul 2013, Alexandre Ellert wrote:
 Hi,
 
 I'm currently trying to get a functional .deb package working on
 Debian Wheezy. I have tried to recompile a package from Ubuntu
 Precise (https://launchpad.net/~freeipa/+archive/ppa) without
 success.
 
 First error was about compiling ipa-join :
 ipa-join.c: In function ‘callRPC’:
 ipa-join.c:174:20: error: ‘struct xmlrpc_curl_xportparms’ has no
 member named ‘gssapi_delegation’ => Fix: Add
 backport-gssapi-delegation.patch to package xmlrpc-c and then
 install resulting libxmlrpc-core-c3-dev.deb and
 libxmlrpc-core-c3.deb
 
 Now, recompile again with new patched libxmlrpc-core-c3...
 compilation go further, but I'm stuck at the end of process of
 building .deb : dh_install --list-missing dh_install:
 usr/share/man/man1/ipa-client-automount.1.gz exists in debian/tmp
 but is not installed to anywhere dh_install:
 usr/sbin/ipa-client-automount exists in debian/tmp but is not
 installed to anywhere make[1]: quittant le répertoire
 « /root/freeipa-ppa/freeipa-3.2.0 » dh_install dh_installdocs
 dh_installchangelogs dh_installexamples
 dh_installman
 dh_installcatalogs
 dh_installcron
 dh_installdebconf
 dh_installemacsen
 dh_installifupdown
 dh_installinfo
 dh_python2
 E: dh_python2:145: extension for python2.6 is missing. Build
 extensions for all supported Python versions (`pyversions -vr`) or
 adjust X-Python-Version field or pass --no-guessing-versions to
 dh_python2 make: *** [binary] Erreur 3 dpkg-buildpackage: erreur:
 debian/rules binary a produit une erreur de sortie de type 2
 
 Any idea or me advice about how to backport freeipa-client to
 wheezy ?
 Perhaps, you can fix it in a manner similar to
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628827
 
 -- 
 / Alexander Bokovoy
 
 
 
 That is great! I have to use some debian servers. It would be good to
 add them to IPA-domain :)
 



[Freeipa-users] freeipa-client on Debian Wheezy

2013-07-12 Thread Alexandre Ellert
Hi,

I'm currently trying to get a functional .deb package working on Debian Wheezy.
I have tried to recompile a package from Ubuntu Precise 
(https://launchpad.net/~freeipa/+archive/ppa) without success.

The first error was about compiling ipa-join:
ipa-join.c: In function ‘callRPC’:
ipa-join.c:174:20: error: ‘struct xmlrpc_curl_xportparms’ has no member named 
‘gssapi_delegation’
=> Fix: Add backport-gssapi-delegation.patch to package xmlrpc-c and then 
install the resulting libxmlrpc-core-c3-dev.deb and libxmlrpc-core-c3.deb

Now, recompiling again with the newly patched libxmlrpc-core-c3... compilation goes 
further, but I'm stuck at the end of the process of building the .deb:
dh_install --list-missing
dh_install: usr/share/man/man1/ipa-client-automount.1.gz exists in debian/tmp 
but is not installed to anywhere
dh_install: usr/sbin/ipa-client-automount exists in debian/tmp but is not 
installed to anywhere
make[1]: quittant le répertoire « /root/freeipa-ppa/freeipa-3.2.0 »
   dh_install
   dh_installdocs
   dh_installchangelogs
   dh_installexamples
   dh_installman
   dh_installcatalogs
   dh_installcron
   dh_installdebconf
   dh_installemacsen
   dh_installifupdown
   dh_installinfo
   dh_python2
E: dh_python2:145: extension for python2.6 is missing. Build extensions for all 
supported Python versions (`pyversions -vr`) or adjust X-Python-Version field 
or pass --no-guessing-versions to dh_python2
make: *** [binary] Erreur 3
dpkg-buildpackage: erreur: debian/rules binary a produit une erreur de sortie 
de type 2

Any idea or advice about how to backport freeipa-client to wheezy?
Thanks a lot.

Alexandre

Re: [Freeipa-users] freeipa-client on Debian Wheezy

2013-07-12 Thread Alexandre Ellert
Thanks for pointing out that bug; compilation succeeded after adding 
X-Python-Version: 2.7 to the debian/control file.
Now, testing functionality...
I can give you some feedback if you want (I'm new here. Are there only 
RHEL/Fedora users on this mailing list?)

On 12 Jul 2013 at 19:36, Alexander Bokovoy aboko...@redhat.com wrote:

 On Fri, 12 Jul 2013, Alexandre Ellert wrote:
 Hi,
 
 I'm currently trying to get a functional .deb package working on Debian 
 Wheezy.
 I have tried to recompile a package from Ubuntu Precise 
 (https://launchpad.net/~freeipa/+archive/ppa) without success.
 
 The first error was about compiling ipa-join:
 ipa-join.c: In function ‘callRPC’:
 ipa-join.c:174:20: error: ‘struct xmlrpc_curl_xportparms’ has no member 
 named ‘gssapi_delegation’
 => Fix: Add backport-gssapi-delegation.patch to package xmlrpc-c and then 
 install the resulting libxmlrpc-core-c3-dev.deb and libxmlrpc-core-c3.deb
 
 Now, recompile again with new patched libxmlrpc-core-c3... compilation go 
 further, but I'm stuck at the end of process of building .deb :
 dh_install --list-missing
 dh_install: usr/share/man/man1/ipa-client-automount.1.gz exists in 
 debian/tmp but is not installed to anywhere
 dh_install: usr/sbin/ipa-client-automount exists in debian/tmp but is not 
 installed to anywhere
 make[1]: quittant le répertoire « /root/freeipa-ppa/freeipa-3.2.0 »
  dh_install
  dh_installdocs
  dh_installchangelogs
  dh_installexamples
  dh_installman
  dh_installcatalogs
  dh_installcron
  dh_installdebconf
  dh_installemacsen
  dh_installifupdown
  dh_installinfo
  dh_python2
 E: dh_python2:145: extension for python2.6 is missing. Build extensions for 
 all supported Python versions (`pyversions -vr`) or adjust X-Python-Version 
 field or pass --no-guessing-versions to dh_python2
 make: *** [binary] Erreur 3
 dpkg-buildpackage: erreur: debian/rules binary a produit une erreur de 
 sortie de type 2
 
 Any idea or advice about how to backport freeipa-client to wheezy?
 Perhaps, you can fix it in a manner similar to
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628827
 
 -- 
 / Alexander Bokovoy

