[Freeipa-users] export/import users password between two differents IPA environment
Hello,

I have a broken IPA environment with very few users and groups, and I've set up a fresh new installation. I have already recreated the users and groups and now need to keep the old users' passwords. Is there a way to copy/paste users' passwords between these two different IPAs?

Thank you for your help

Alexandre

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Duplicate sudo rule
I created another rule via the web UI and it's fine now... I don't remember why the first one was duplicated.

Is it safe to delete these entries directly from LDAP?

ipaUniqueID=faac52c8-d96d-11e5-b61d-00505693334c,cn=sudorules,cn=sudo,dc=xxx,dc=xxx
and
ipaUniqueID=faa8de54-d96d-11e5-b75f-00505693334c,cn=sudorules,cn=sudo,dc=xxx,dc=xxx

2016-02-22 15:34 GMT+01:00 Alexandre Ellert <ellertalexan...@gmail.com>:
> Hello,
>
> I've just deployed a new IPA server 4.2 / CentOS 7.2 and I created my
> first sudo rule via the web UI, but it was duplicated (I don't know why...)
> Now I have two rules with the same name and I can't delete them:
>
> # ipa sudorule-find --all
>
> 2 Sudo Rules matched
>
>   dn: ipaUniqueID=faa8de54-d96d-11e5-b75f-00505693334c,cn=sudorules,cn=sudo,dc=numeezy,dc=intra
>   Rule name: allow sysadmins everywher
>   Enabled: TRUE
>   ipauniqueid: faa8de54-d96d-11e5-b75f-00505693334c
>   objectclass: ipasudorule, ipaassociation
>
>   dn: ipaUniqueID=faac52c8-d96d-11e5-b61d-00505693334c,cn=sudorules,cn=sudo,dc=numeezy,dc=intra
>   Rule name: allow sysadmins everywher
>   Enabled: TRUE
>   ipauniqueid: faac52c8-d96d-11e5-b61d-00505693334c
>   objectclass: ipasudorule, ipaassociation
>
> Number of entries returned 2
>
>
> # ipa sudorule-del "allow sysadmins everywher"
> ipa: ERROR: The search criteria was not specific enough. Expected 1 and found 2.
>
> Thanks for your help.
>
> Alexandre
[Freeipa-users] Duplicate sudo rule
Hello,

I've just deployed a new IPA server 4.2 / CentOS 7.2 and I created my first sudo rule via the web UI, but it was duplicated (I don't know why...). Now I have two rules with the same name and I can't delete them:

# ipa sudorule-find --all

2 Sudo Rules matched

  dn: ipaUniqueID=faa8de54-d96d-11e5-b75f-00505693334c,cn=sudorules,cn=sudo,dc=numeezy,dc=intra
  Rule name: allow sysadmins everywher
  Enabled: TRUE
  ipauniqueid: faa8de54-d96d-11e5-b75f-00505693334c
  objectclass: ipasudorule, ipaassociation

  dn: ipaUniqueID=faac52c8-d96d-11e5-b61d-00505693334c,cn=sudorules,cn=sudo,dc=numeezy,dc=intra
  Rule name: allow sysadmins everywher
  Enabled: TRUE
  ipauniqueid: faac52c8-d96d-11e5-b61d-00505693334c
  objectclass: ipasudorule, ipaassociation

Number of entries returned 2

# ipa sudorule-del "allow sysadmins everywher"
ipa: ERROR: The search criteria was not specific enough. Expected 1 and found 2.

Thanks for your help.

Alexandre
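An added example, not from the thread or from the FreeIPA project: a small script that parses `ipa sudorule-find --all` output (read from stdin, or the embedded sample when run interactively) and lists every rule name carried by more than one entry, with the ipauniqueid and dn that tell the duplicates apart. That is the state in which `sudorule-del` by name fails with "Expected 1 and found 2". The sample output is constructed from the listing in the post above.

```python
"""Report sudo rules that share a name in `ipa sudorule-find --all` output."""
import re
import sys
from collections import defaultdict

# Constructed sample, modelled on the listing in the mailing-list post.
SAMPLE_OUTPUT = """\
2 Sudo Rules matched
---------------------
  dn: ipaUniqueID=faa8de54-d96d-11e5-b75f-00505693334c,cn=sudorules,cn=sudo,dc=numeezy,dc=intra
  Rule name: allow sysadmins everywher
  Enabled: TRUE
  ipauniqueid: faa8de54-d96d-11e5-b75f-00505693334c
  objectclass: ipasudorule, ipaassociation

  dn: ipaUniqueID=faac52c8-d96d-11e5-b61d-00505693334c,cn=sudorules,cn=sudo,dc=numeezy,dc=intra
  Rule name: allow sysadmins everywher
  Enabled: TRUE
  ipauniqueid: faac52c8-d96d-11e5-b61d-00505693334c
  objectclass: ipasudorule, ipaassociation
----------------------------
Number of entries returned 2
----------------------------
"""

# Attribute lines of the ipa CLI are indented "  Key: value"; headers,
# separators and the "Number of entries returned" footer are not indented.
ENTRY_LINE = re.compile(r"^\s+([A-Za-z][\w ]*?):\s*(.*)$")


def parse_sudorule_find(text):
    """Split CLI output into one dict per entry (keys lower-cased)."""
    entries, current = [], {}
    for line in text.splitlines():
        m = ENTRY_LINE.match(line)
        if m:
            current[m.group(1).strip().lower()] = m.group(2).strip()
        elif current:
            # Blank line or non-indented line ends the current entry.
            entries.append(current)
            current = {}
    if current:
        entries.append(current)
    return entries


def find_duplicate_rules(entries):
    """Map each rule name used more than once to [(ipauniqueid, dn), ...]."""
    by_name = defaultdict(list)
    for e in entries:
        name = e.get("rule name")
        if name:
            by_name[name].append((e.get("ipauniqueid"), e.get("dn")))
    return {n: ids for n, ids in by_name.items() if len(ids) > 1}


def report(text):
    """Human-readable summary; returns the number of duplicated names."""
    dups = find_duplicate_rules(parse_sudorule_find(text))
    for name, ids in sorted(dups.items()):
        print(f"rule name {name!r} appears {len(ids)} times:")
        for uid, dn in ids:
            print(f"  ipauniqueid={uid}\n    dn={dn}")
    if not dups:
        print("no duplicated sudo rule names")
    return len(dups)


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    sys.exit(1 if report(data) else 0)
```

Run as `ipa sudorule-find --all | python3 dupes.py`; a non-zero exit means at least one name is ambiguous and the entries must be told apart by ipauniqueid.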
Re: [Freeipa-users] Failed to start pki-tomcatd Service
My FreeIPA PKI has been totally broken since the upgrade from 3.0 (RHEL 6.6) to 4.1 (RHEL 7.1).
This thread started in July and there is still no resolution...
Can someone please advise?
Re: [Freeipa-users] Failed to start pki-tomcatd Service
So, here is the recap:

I migrated a single IPA server (CentOS 6.6) to a dual IPA server setup (CentOS 7.1). The PKI was only installed on server two. Everything was working fine: replication OK, new enrollments OK, authentication with Kerberos and LDAP OK.
After some time, I discovered that the pki-tomcatd service didn't restart automatically after a reboot on server two.
Now I want to repair things, but I can't deploy a new PKI and I can't delete the existing broken PKI...
Maybe I should use ipa-backup, then rebuild an IPA infrastructure, and then ipa-restore?

Please advise.

2015-09-07 13:36 GMT+02:00 Alexandre Ellert <ellertalexan...@gmail.com>:
>
> > On 4 Sep 2015 at 16:37, Martin Babinsky <mbabi...@redhat.com> wrote:
> >
> > On 08/28/2015 05:46 PM, Alexandre Ellert wrote:
> >>
> >>> On 28 Aug 2015 at 17:41, Alexander Bokovoy <aboko...@redhat.com> wrote:
> >>>
> >>> On Fri, 28 Aug 2015, Alexandre Ellert wrote:
> >>>>
> >>>>> On 28 Aug 2015 at 17:09, Alexander Bokovoy <aboko...@redhat.com> wrote:
> >>>>>
> >>>>> On Wed, 26 Aug 2015, Alexandre Ellert wrote:
> >>>>>>
> >>>>>>> On 28 Jul 2015 at 05:59, Alexander Bokovoy <aboko...@redhat.com> wrote:
> >>>>>>>> If the problem is too hard to solve, maybe I should try to deploy
> >>>>>>>> another replica?
> >>>>>>> You may try that. Sorry for not responding, I have some other
> >>>>>>> tasks that occupy my time right now.
> >>>>>>>
> >>>>>>
> >>>>>> Can you please tell me the procedure to decommission and re-create
> >>>>>> a new replica?
> >>>>>> Are "ipa-server-install --uninstall" then "ipa-server-install" the
> >>>>>> only things to do?
> >>>>> No, you need also to remove the server from the replication topology.
> >>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/removing-replica.html
> >>>>>
> >>>>> --
> >>>>> / Alexander Bokovoy
> >>>>
> >>>> I can't remove the node on which I have the problem with pki-tomcatd:
> >>>>
> >>>> # ipa-replica-manage del .example.com
> >>>> Deleting a master is irreversible.
> >>>> To reconnect to the remote master you will need to prepare a new
> >>>> replica file and re-install.
> >>>> Continue to delete? [no]: yes
> >>>> Deleting this server is not allowed as it would leave your
> >>>> installation without a CA
> >>>>
> >>>> It seems that it's the only node where the CA is installed. What should I
> >>>> do now?
> >>> Add a replica with CA using ipa-ca-install on existing replica.
> >>>
> >>> Read the guide, it has detailed coverage of these situations.
> >>> --
> >>> / Alexander Bokovoy
> >>
> >> On the first node (which is working and without pki-tomcatd service)
> >> # ipa-ca-install
> >> Directory Manager (existing master) password:
> >>
> >> CA is already installed.
> >>
> >> How is it possible?
> >>
> >>
> > You must provide a replica file as an argument to ipa-ca-install if you
> > want to setup CA on another replica.
> >
> > --
> > Martin^3 Babinsky
>
> I'm still stuck with the correct command line:
>
> [root@inf-ipa ~]# ipa-ca-install /var/lib/ipa/replica-info-inf-ipa.numeezy.fr.gpg
> Directory Manager (existing master) password:
>
> Run connection check to master
> Check connection from replica to remote master 'inf-ipa-2.numeezy.fr':
>    Directory Service: Unsecure port (389): OK
>    Directory Service: Secure port (636): OK
>    Kerberos KDC: TCP (88): OK
>    Kerberos Kpasswd: TCP (464): OK
>    HTTP Server: Unsecure port (80): OK
>    HTTP Server: Secure port (443): OK
>
> The following list of ports use UDP protocol and would need to be
> checked manually:
>    Kerberos KDC: UDP (88): SKIPPED
>    Kerberos Kpasswd: UDP (464): SKIPPED
>
> Connection from replica to master is OK.
> Start listening on required ports for remote master check
> Get credentials to log in to remote master
> ad...@numeezy.fr password:
>
> Check SSH connection to remote master
> Execute check on remote master
> Check connection from master to remote replica 'inf-ipa.nume
Re: [Freeipa-users] Failed to start pki-tomcatd Service
> On 4 Sep 2015 at 16:37, Martin Babinsky <mbabi...@redhat.com> wrote:
>
> On 08/28/2015 05:46 PM, Alexandre Ellert wrote:
>>
>>> On 28 Aug 2015 at 17:41, Alexander Bokovoy <aboko...@redhat.com> wrote:
>>>
>>> On Fri, 28 Aug 2015, Alexandre Ellert wrote:
>>>>
>>>>> On 28 Aug 2015 at 17:09, Alexander Bokovoy <aboko...@redhat.com> wrote:
>>>>>
>>>>> On Wed, 26 Aug 2015, Alexandre Ellert wrote:
>>>>>>
>>>>>>> On 28 Jul 2015 at 05:59, Alexander Bokovoy <aboko...@redhat.com> wrote:
>>>>>>>> If the problem is too hard to solve, maybe I should try to deploy
>>>>>>>> another replica?
>>>>>>> You may try that. Sorry for not responding, I have some other tasks that
>>>>>>> occupy my time right now.
>>>>>>>
>>>>>>
>>>>>> Can you please tell me the procedure to decommission and re-create a new
>>>>>> replica?
>>>>>> Are "ipa-server-install --uninstall" then "ipa-server-install" the only
>>>>>> things to do?
>>>>> No, you need also to remove the server from the replication topology.
>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/removing-replica.html
>>>>>
>>>>> --
>>>>> / Alexander Bokovoy
>>>>
>>>> I can't remove the node on which I have the problem with pki-tomcatd:
>>>>
>>>> # ipa-replica-manage del .example.com
>>>> Deleting a master is irreversible.
>>>> To reconnect to the remote master you will need to prepare a new replica
>>>> file and re-install.
>>>> Continue to delete? [no]: yes
>>>> Deleting this server is not allowed as it would leave your installation
>>>> without a CA
>>>>
>>>> It seems that it's the only node where the CA is installed. What should I do now?
>>> Add a replica with CA using ipa-ca-install on existing replica.
>>>
>>> Read the guide, it has detailed coverage of these situations.
>>> --
>>> / Alexander Bokovoy
>>
>> On the first node (which is working and without pki-tomcatd service)
>> # ipa-ca-install
>> Directory Manager (existing master) password:
>>
>> CA is already installed.
>>
>> How is it possible?
>>
> You must provide a replica file as an argument to ipa-ca-install if you want
> to setup CA on another replica.
>
> --
> Martin^3 Babinsky

I'm still stuck with the correct command line:

[root@inf-ipa ~]# ipa-ca-install /var/lib/ipa/replica-info-inf-ipa.numeezy.fr.gpg
Directory Manager (existing master) password:

Run connection check to master
Check connection from replica to remote master 'inf-ipa-2.numeezy.fr':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
ad...@numeezy.fr password:

Check SSH connection to remote master
Execute check on remote master
Check connection from master to remote replica 'inf-ipa.numeezy.fr':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): WARNING
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): WARNING
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

The following UDP ports could not be verified as open: 88, 464
This can happen if they are already bound to an application
and ipa-replica-conncheck cannot attach own UDP responder.

Connection from master to replica is OK.

Connection check OK
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
  [1/21]: creating certificate server user
  [2/21]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmp_KIouo'' returned non-zero exit status 1
  [error] RuntimeError: Configuration of CA failed
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Configuration of CA failed
Re: [Freeipa-users] Failed to start pki-tomcatd Service
On 28 Aug 2015 at 17:41, Alexander Bokovoy <aboko...@redhat.com> wrote:
> On Fri, 28 Aug 2015, Alexandre Ellert wrote:
>> On 28 Aug 2015 at 17:09, Alexander Bokovoy <aboko...@redhat.com> wrote:
>>> On Wed, 26 Aug 2015, Alexandre Ellert wrote:
>>>> On 28 Jul 2015 at 05:59, Alexander Bokovoy <aboko...@redhat.com> wrote:
>>>>>> If the problem is too hard to solve, maybe I should try to deploy another replica?
>>>>> You may try that. Sorry for not responding, I have some other tasks that occupy my time right now.
>>>>
>>>> Can you please tell me the procedure to decommission and re-create a new replica?
>>>> Are ipa-server-install --uninstall then ipa-server-install the only things to do?
>>> No, you need also to remove the server from the replication topology.
>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/removing-replica.html
>>> --
>>> / Alexander Bokovoy
>>
>> I can't remove the node on which I have the problem with pki-tomcatd:
>>
>> # ipa-replica-manage del .example.com
>> Deleting a master is irreversible.
>> To reconnect to the remote master you will need to prepare a new replica file and re-install.
>> Continue to delete? [no]: yes
>> Deleting this server is not allowed as it would leave your installation without a CA
>>
>> It seems that it's the only node where the CA is installed. What should I do now?
> Add a replica with CA using ipa-ca-install on existing replica.
>
> Read the guide, it has detailed coverage of these situations.
> --
> / Alexander Bokovoy

On the first node (which is working and without the pki-tomcatd service):

# ipa-ca-install
Directory Manager (existing master) password:

CA is already installed.

How is it possible?
Re: [Freeipa-users] Failed to start pki-tomcatd Service
On 28 Aug 2015 at 17:09, Alexander Bokovoy <aboko...@redhat.com> wrote:
> On Wed, 26 Aug 2015, Alexandre Ellert wrote:
>> On 28 Jul 2015 at 05:59, Alexander Bokovoy <aboko...@redhat.com> wrote:
>>>> If the problem is too hard to solve, maybe I should try to deploy another replica?
>>> You may try that. Sorry for not responding, I have some other tasks that occupy my time right now.
>>
>> Can you please tell me the procedure to decommission and re-create a new replica?
>> Are ipa-server-install --uninstall then ipa-server-install the only things to do?
> No, you need also to remove the server from the replication topology.
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/removing-replica.html
> --
> / Alexander Bokovoy

I can't remove the node on which I have the problem with pki-tomcatd:

# ipa-replica-manage del .example.com
Deleting a master is irreversible.
To reconnect to the remote master you will need to prepare a new replica file and re-install.
Continue to delete? [no]: yes
Deleting this server is not allowed as it would leave your installation without a CA

It seems that it's the only node where the CA is installed. What should I do now?

Thank you again for your support.
Re: [Freeipa-users] Failed to start pki-tomcatd Service
On 28 Jul 2015 at 05:59, Alexander Bokovoy <aboko...@redhat.com> wrote:
>> If the problem is too hard to solve, maybe I should try to deploy another replica?
> You may try that. Sorry for not responding, I have some other tasks that occupy my time right now.

Can you please tell me the procedure to decommission and re-create a new replica?
Are ipa-server-install --uninstall then ipa-server-install the only things to do?

Thank you

Alexandre
Re: [Freeipa-users] Failed to start pki-tomcatd Service
2015-07-23 8:41 GMT+02:00 Alexander Bokovoy <aboko...@redhat.com>:
> On Thu, 23 Jul 2015, Ludwig Krispenz wrote:
>>> - Directory server starts just fine but serves only port 389
>>> - krb5kdc starts just fine and works fine with LDAP server
>>> - Dogtag tries to use LDAP server via port 636 and fails
>>>
>>> We need to see why port 636 is disabled.
>> Why do you think so? There is:
>> [22/Jul/2015:18:14:54 +0200] - slapd started. Listening on All Interfaces port 389 for LDAP requests
>> [22/Jul/2015:18:14:54 +0200] - Listening on All Interfaces port 636 for LDAPS requests
>> [22/Jul/2015:18:14:54 +0200] - Listening on /var/run/slapd-NUMEEZY-FR.socket for LDAPI requests
> Missed that part. However, dogtag was failing in accessing LDAP over port 636.
>
>> but what is failing is:
>> agmt=cn=cloneAgreement1-inf-ipa-2.numeezy.fr-pki-tomcat (inf-ipa:7389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ()
>>
>> Is dogtag on a different instance? Why do we use port 7389?
> Because it was migration from RHEL6 to RHEL7. In RHEL6 dogtag was living in a separate instance.
> --
> / Alexander Bokovoy

If the problem is too hard to solve, maybe I should try to deploy another replica?
Re: [Freeipa-users] Failed to start pki-tomcatd Service
On 22 Jul 2015 at 17:09, Alexander Bokovoy <aboko...@redhat.com> wrote:
> On Wed, 22 Jul 2015, Alexandre Ellert wrote:
>> On 20 Jul 2015 at 17:17, Alexander Bokovoy <aboko...@redhat.com> wrote:
>>> On Mon, 20 Jul 2015, Alexandre Ellert wrote:
>>>>> Can you please show output from fgrep -r 'dc' /etc/dirsrv/slapd-INSTANCE/schema
>>>> # fgrep -r 'dc' /etc/dirsrv/slapd-NUMEEZY-FR/schema
>>> This is original 'dc' definition:
>>> /etc/dirsrv/slapd-NUMEEZY-FR/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>>>
>>> This is the offending one:
>>> /etc/dirsrv/slapd-NUMEEZY-FR/schema/99user.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D
>>>
>>>> In 00core.ldif, I have:
>>>> attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'RFC 4519' X-DEPRECATED 'domaincomponent' )
>>> If you look into 99user.ldif, you'll see the wrong definition there.
>>> 99user.ldif accumulates definitions coming from replication or updates.
>>> You can check other IPA masters, do they have 'dc' attribute defined in a wrong way?
>>
>> I have a second IPA master and here is the occurrence of 'domaincomponent' in /etc/dirsrv/slapd-NUMEEZY-FR/schema:
>>
>> In 00core.ldif:
>> attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'RFC 4519' X-DEPRECATED 'domaincomponent' )
>>
>> In 99user.ldif:
>> attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D
>>  ESC 'Standard LDAP attribute type' EQUALITY caseIgnoreIA5Match SUBSTR caseIgn
>>  oreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORI
>>  GIN ( 'RFC 2247' 'user defined' ) )
>>
>> These two definitions are exactly the same on both IPA masters. I don't understand what is wrong in 99user.ldif? How can I correct it with the good definition?
> The correct definition is in the 00core.ldif. The one in 99user.ldif is wrong.
> I think you can remove it from 99user.ldif on both servers but you need to
> shut down dirsrv instances on both to do that.
> --
> / Alexander Bokovoy

I shut down IPA on both servers (ipactl stop) and removed this section in 99user.ldif:

attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D
 ESC 'Standard LDAP attribute type' EQUALITY caseIgnoreIA5Match SUBSTR caseIgn
 oreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORI
 GIN ( 'RFC 2247' 'user defined' ) )

But I still have the same behavior (pki-tomcatd doesn't start, same errors in logs).
Do you have another idea?

Thanks for your support
Re: [Freeipa-users] Failed to start pki-tomcatd Service
On 22 Jul 2015 at 17:43, Alexander Bokovoy <aboko...@redhat.com> wrote:
> On Wed, 22 Jul 2015, Alexandre Ellert wrote:
>> On 22 Jul 2015 at 17:09, Alexander Bokovoy <aboko...@redhat.com> wrote:
>>> On Wed, 22 Jul 2015, Alexandre Ellert wrote:
>>>> On 20 Jul 2015 at 17:17, Alexander Bokovoy <aboko...@redhat.com> wrote:
>>>>> On Mon, 20 Jul 2015, Alexandre Ellert wrote:
>>>>>>> Can you please show output from fgrep -r 'dc' /etc/dirsrv/slapd-INSTANCE/schema
>>>>>> # fgrep -r 'dc' /etc/dirsrv/slapd-NUMEEZY-FR/schema
>>>>> This is original 'dc' definition:
>>>>> /etc/dirsrv/slapd-NUMEEZY-FR/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>>>>>
>>>>> This is the offending one:
>>>>> /etc/dirsrv/slapd-NUMEEZY-FR/schema/99user.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D
>>>>>
>>>>>> In 00core.ldif, I have:
>>>>>> attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'RFC 4519' X-DEPRECATED 'domaincomponent' )
>>>>> If you look into 99user.ldif, you'll see the wrong definition there.
>>>>> 99user.ldif accumulates definitions coming from replication or updates.
>>>>> You can check other IPA masters, do they have 'dc' attribute defined in a wrong way?
>>>>
>>>> I have a second IPA master and here is the occurrence of 'domaincomponent' in /etc/dirsrv/slapd-NUMEEZY-FR/schema:
>>>>
>>>> In 00core.ldif:
>>>> attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'RFC 4519' X-DEPRECATED 'domaincomponent' )
>>>>
>>>> In 99user.ldif:
>>>> attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D
>>>>  ESC 'Standard LDAP attribute type' EQUALITY caseIgnoreIA5Match SUBSTR caseIgn
>>>>  oreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORI
>>>>  GIN ( 'RFC 2247' 'user defined' ) )
>>>>
>>>> These two definitions are exactly the same on both IPA masters. I don't understand what is wrong in 99user.ldif? How can I correct it with the good definition?
>>> The correct definition is in the 00core.ldif. The one in 99user.ldif is wrong.
>>> I think you can remove it from 99user.ldif on both servers but you need to
>>> shut down dirsrv instances on both to do that.
>>> --
>>> / Alexander Bokovoy
>>
>> I shut down IPA on both servers (ipactl stop) and removed this section in 99user.ldif:
>>
>> attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D
>>  ESC 'Standard LDAP attribute type' EQUALITY caseIgnoreIA5Match SUBSTR caseIgn
>>  oreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORI
>>  GIN ( 'RFC 2247' 'user defined' ) )
>>
>> But I still have the same behavior (pki-tomcatd doesn't start, same errors in logs).
>> Do you have another idea?
> We need to find out where the definition comes from. Can you give me output of
> # fgrep -r 0.9.2342.19200300.100.1.25 /etc/dirsrv
> from both servers?

Server 1:
# fgrep -r 0.9.2342.19200300.100.1.25 /etc/dirsrv
/etc/dirsrv/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
/etc/dirsrv/slapd-NUMEEZY-FR/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )

Server 2:
# fgrep -r 0.9.2342.19200300.100.1.25 /etc/dirsrv
/etc/dirsrv/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
/etc/dirsrv/slapd-NUMEEZY-FR/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )

> With correct setup IPA 4.x should show:
> /etc/dirsrv/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
> /etc/dirsrv/slapd-EXAMPLE-COM/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
> I.e. there are two lines -- in the default schema and in the IPA instance schema.

Seems to be good?
Re: [Freeipa-users] Failed to start pki-tomcatd Service
On 22 Jul 2015 at 18:40, Alexander Bokovoy <aboko...@redhat.com> wrote:
> On Wed, 22 Jul 2015, Alexandre Ellert wrote:
>> On 22 Jul 2015 at 18:08, Alexander Bokovoy <aboko...@redhat.com> wrote:
>>> On Wed, 22 Jul 2015, Alexandre Ellert wrote:
>>>>> # fgrep -r 0.9.2342.19200300.100.1.25 /etc/dirsrv
>>>>> from both servers?
>>>>
>>>> Server 1:
>>>> # fgrep -r 0.9.2342.19200300.100.1.25 /etc/dirsrv
>>>> /etc/dirsrv/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>>>> /etc/dirsrv/slapd-NUMEEZY-FR/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>>>>
>>>> Server 2:
>>>> # fgrep -r 0.9.2342.19200300.100.1.25 /etc/dirsrv
>>>> /etc/dirsrv/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>>>> /etc/dirsrv/slapd-NUMEEZY-FR/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>>> With correct setup IPA 4.x should show:
>>> /etc/dirsrv/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>>> /etc/dirsrv/slapd-EXAMPLE-COM/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>>> I.e. there are two lines -- in the default schema and in the IPA instance schema.
>>
>> Seems to be good?
>>> Yes. Can you get a new set of logs on 'ipactl start'?
>>> --
>>> / Alexander Bokovoy
>>
>> Sorry, the log is very long... I can format it differently if you need.
> Thanks, no need for more logs right now. What I see from these logs:
>
> - Directory server starts just fine but serves only port 389
> - krb5kdc starts just fine and works fine with LDAP server
> - Dogtag tries to use LDAP server via port 636 and fails
>
> We need to see why port 636 is disabled. Can you grep
> /etc/dirsrv/slapd-NUMEEZY-FR/dse.ldif for following attributes:
>
> nsslapd-security
> nsslapd-port
>
> They should be 'on' and '389' correspondingly.
> --
> / Alexander Bokovoy

Here is the result (on both servers):

# grep nsslapd-security /etc/dirsrv/slapd-NUMEEZY-FR/dse.ldif
nsslapd-security: on
# grep nsslapd-port /etc/dirsrv/slapd-NUMEEZY-FR/dse.ldif
nsslapd-port: 389

Notice that ns-slapd is listening on port 636:

# netstat -antp|grep '636\|389'|grep LISTEN
tcp6       0      0 :::389                  :::*                    LISTEN      12271/ns-slapd
tcp6       0      0 :::636                  :::*                    LISTEN      12271/ns-slapd
Re: [Freeipa-users] Failed to start pki-tomcatd Service
On 20 Jul 2015 at 17:17, Alexander Bokovoy <aboko...@redhat.com> wrote:
> On Mon, 20 Jul 2015, Alexandre Ellert wrote:
>>> Can you please show output from fgrep -r 'dc' /etc/dirsrv/slapd-INSTANCE/schema
>> # fgrep -r 'dc' /etc/dirsrv/slapd-NUMEEZY-FR/schema
> This is original 'dc' definition:
> /etc/dirsrv/slapd-NUMEEZY-FR/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>
> This is the offending one:
> /etc/dirsrv/slapd-NUMEEZY-FR/schema/99user.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D
>
>> In 00core.ldif, I have:
>> attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'RFC 4519' X-DEPRECATED 'domaincomponent' )
> If you look into 99user.ldif, you'll see the wrong definition there.
> 99user.ldif accumulates definitions coming from replication or updates.
> You can check other IPA masters, do they have 'dc' attribute defined in a wrong way?

I have a second IPA master and here is the occurrence of 'domaincomponent' in /etc/dirsrv/slapd-NUMEEZY-FR/schema:

In 00core.ldif:
attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'RFC 4519' X-DEPRECATED 'domaincomponent' )

In 99user.ldif:
attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D
 ESC 'Standard LDAP attribute type' EQUALITY caseIgnoreIA5Match SUBSTR caseIgn
 oreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORI
 GIN ( 'RFC 2247' 'user defined' ) )

These two definitions are exactly the same on both IPA masters. I don't understand what is wrong in 99user.ldif? How can I correct it with the good definition?

>> As far as I remember, the only modification I made was to disable read-only access without authentication.
>> I don't need any other special customization.
> Something brought the wrong definition into your IPA masters. May be someone
> tried to add support for some old application?

Nobody else has ever had read/write access to the IPA servers. I'm the only admin.
Re: [Freeipa-users] Failed to start pki-tomcatd Service
Can you please show output from fgrep -r 'dc' /etc/dirsrv/slapd-INSTANCE/schema

# fgrep -r 'dc' /etc/dirsrv/slapd-NUMEEZY-FR/schema
/etc/dirsrv/slapd-NUMEEZY-FR/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
/etc/dirsrv/slapd-NUMEEZY-FR/schema/00core.ldif:objectClasses: ( 1.3.6.1.4.1.1466.344 NAME 'dcObject'
/etc/dirsrv/slapd-NUMEEZY-FR/schema/00core.ldif: MUST dc
/etc/dirsrv/slapd-NUMEEZY-FR/schema/05rfc4524.ldif: MUST dc
/etc/dirsrv/slapd-NUMEEZY-FR/schema/50ns-mail.ldif:attributeTypes: ( 2.16.840.1.113730.3.1.22 NAME ( 'mgrpAllowedBroadcaster' ) DESC 'Netscape Messaging Server 4.x defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'Netscape Messaging Server 4.x' )
/etc/dirsrv/slapd-NUMEEZY-FR/schema/50ns-mail.ldif:attributeTypes: ( 2.16.840.1.113730.3.1.788 NAME ( 'mgrpBroadcasterPolicy' ) DESC 'Netscape Messaging Server 4.x defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Messaging Server 4.x' )
/etc/dirsrv/slapd-NUMEEZY-FR/schema/50ns-mail.ldif:objectclasses: ( 2.16.840.1.113730.3.2.4 NAME 'mailGroup' DESC 'Netscape Messaging Server 4.x defined objectclass' SUP top AUXILIARY MUST ( objectClass ) MAY ( cn $ mail $ mailAlternateAddress $ mailHost $ mailRoutingAddress $ mgrpAddHeader $ mgrpAllowedBroadcaster $ mgrpAllowedDomain $ mgrpApprovePassword $ mgrpBroadcasterPolicy $ mgrpDeliverTo $ mgrpErrorsTo $ mgrpModerator $ mgrpMsgMaxSize $ mgrpMsgRejectAction $ mgrpMsgRejectText $ mgrpNoDuplicateChecks $ mgrpRemoveHeader $ mgrpRFC822MailMember $ owner ) X-ORIGIN 'Netscape Messaging Server 4.x' )
/etc/dirsrv/slapd-NUMEEZY-FR/schema/60trust.ldif:# dc=com?sub?objectclass=posixAccount)(|(trustmodel=fullaccess)(accessto=server)
/etc/dirsrv/slapd-NUMEEZY-FR/schema/99user.ldif:objectClasses: ( 1.3.6.1.4.1.1466.344 NAME 'dcObject' SUP top AUXILIARY MUST d
/etc/dirsrv/slapd-NUMEEZY-FR/schema/99user.ldif: UST dc MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $ x121Ad
/etc/dirsrv/slapd-NUMEEZY-FR/schema/99user.ldif: dBroadcaster $ mgrpAllowedDomain $ mgrpApprovePassword $ mgrpBroadcasterPolic
/etc/dirsrv/slapd-NUMEEZY-FR/schema/99user.ldif: bTicketPolicyReference $ krbKdcServers $ krbPwdServers $ krbAdmServers $ krbP
/etc/dirsrv/slapd-NUMEEZY-FR/schema/99user.ldif:objectClasses: ( 2.16.840.1.113719.1.301.6.4.1 NAME 'krbKdcService' SUP krbSer
/etc/dirsrv/slapd-NUMEEZY-FR/schema/99user.ldif:attributeTypes: ( 2.16.840.1.113719.1.301.4.17.1 NAME 'krbKdcServers' EQUALIT
/etc/dirsrv/slapd-NUMEEZY-FR/schema/99user.ldif:attributeTypes: ( 2.16.840.1.113730.3.1.788 NAME 'mgrpBroadcasterPolicy' DESC
/etc/dirsrv/slapd-NUMEEZY-FR/schema/99user.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D
/etc/dirsrv/slapd-NUMEEZY-FR/schema/99user.ldif:attributeTypes: ( 2.16.840.1.113730.3.1.22 NAME 'mgrpAllowedBroadcaster' DESC
/etc/dirsrv/slapd-NUMEEZY-FR/schema/60kerberos.ldif:# (FDNs of the krbKdcService objects).
/etc/dirsrv/slapd-NUMEEZY-FR/schema/60kerberos.ldif:# Example: cn=kdc - server 1, ou=uvw, o=xyz
/etc/dirsrv/slapd-NUMEEZY-FR/schema/60kerberos.ldif:attributetypes: ( 2.16.840.1.113719.1.301.4.17.1 NAME 'krbKdcServers' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
/etc/dirsrv/slapd-NUMEEZY-FR/schema/60kerberos.ldif:objectClasses: ( 2.16.840.1.113719.1.301.6.2.1 NAME 'krbRealmContainer' SUP top MUST ( cn ) MAY ( krbMKey $ krbUPEnabled $ krbSubTrees $ krbSearchScope $ krbLdapServers $ krbSupportedEncSaltTypes $ krbDefaultEncSaltTypes $ krbTicketPolicyReference $ krbKdcServers $ krbPwdServers $ krbAdmServers $ krbPrincNamingAttr $krbPwdPolicyReference $ krbPrincContainerRef ) )
/etc/dirsrv/slapd-NUMEEZY-FR/schema/60kerberos.ldif:# krbKdcService, krbAdmService and krbPwdService derive from this class.
/etc/dirsrv/slapd-NUMEEZY-FR/schema/60kerberos.ldif:objectClasses: ( 2.16.840.1.113719.1.301.6.4.1 NAME 'krbKdcService' SUP ( krbService ) )

and definitions of 'dc' attribute from there.

'dc' attribute is defined in 00core.ldif as

attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'RFC 4519' X-DEPRECATED 'domaincomponent' )

In 00core.ldif, I have :

attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'RFC 4519' X-DEPRECATED 'domaincomponent' )

Note that syntax is 1.3.6.1.4.1.1466.115.121.1.26 (IA5String) while yours is 1.3.6.1.4.1.1466.115.121.1.15 (DirectoryString), they are not the same. What modifications did you do to the schema?

As far as I remember, the only modification I made was to disable read-only access without authentication. I don't need any other special customization.
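A check for the situation discussed in this thread (the same attributeType OID, here 'dc', defined with a different SYNTAX in 00core.ldif and in 99user.ldif). This is an added example, not code from the thread or from FreeIPA or 389-ds; the schema snippets are constructed from the definitions quoted above, and the function names are my own.

```python
"""Find attributeType OIDs defined inconsistently across 389-ds schema files.

Added example, not part of the mailing-list thread. The schema texts below
are constructed from the definitions quoted in the thread: 00core.ldif has
the RFC 4519 'dc' (IA5String, ...26), 99user.ldif a stray copy with
DirectoryString (...15). 99user.ldif is where replicated/updated schema
lands, which is why a conflicting copy there is the one to look at.
"""
import re
from collections import defaultdict

# Human-readable names for the syntax OIDs that appear in the thread.
SYNTAX_NAMES = {
    "1.3.6.1.4.1.1466.115.121.1.12": "DN",
    "1.3.6.1.4.1.1466.115.121.1.15": "DirectoryString",
    "1.3.6.1.4.1.1466.115.121.1.26": "IA5String",
}

# Constructed sample: file name -> LDIF text. A line starting with a space is
# an LDIF continuation of the previous line (the leading space is dropped).
SCHEMA_FILES = {
    "00core.ldif": (
        "dn: cn=schema\n"
        "attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )\n"
        "  EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch\n"
        "  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'RFC 4519' )\n"
    ),
    "50ns-mail.ldif": (
        "dn: cn=schema\n"
        "attributeTypes: ( 2.16.840.1.113730.3.1.22 NAME ( 'mgrpAllowedBroadcaster' ) DESC\n"
        "  'Netscape Messaging Server 4.x defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )\n"
    ),
    "99user.ldif": (
        "dn: cn=schema\n"
        "attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D\n"
        " ESC 'Standard LDAP attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )\n"
        "attributeTypes: ( 2.16.840.1.113730.3.1.22 NAME 'mgrpAllowedBroadcaster' DESC\n"
        "  'Netscape Messaging Server 4.x defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )\n"
    ),
}

ATTR_RE = re.compile(r"^attributeTypes:\s*\(\s*(?P<oid>[\d.]+)\s+(?P<body>.*)\)\s*$", re.IGNORECASE)
NAME_RE = re.compile(r"\bNAME\s+(?:\(\s*(?:'[^']*'\s*)+\)|'[^']*')")
SYNTAX_RE = re.compile(r"\bSYNTAX\s+([\d.]+)(?:\{\d+\})?")
EQUALITY_RE = re.compile(r"\bEQUALITY\s+(\S+)")


def unfold_ldif(text):
    """Join LDIF continuation lines: a leading space marks a folded line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_attribute_types(text):
    """Yield one dict (oid, names, syntax, equality) per attributeTypes value."""
    for line in unfold_ldif(text):
        m = ATTR_RE.match(line)
        if not m:
            continue
        body = m.group("body")
        nm = NAME_RE.search(body)
        sm = SYNTAX_RE.search(body)
        em = EQUALITY_RE.search(body)
        yield {
            "oid": m.group("oid"),
            "names": re.findall(r"'([^']*)'", nm.group(0)) if nm else [],
            "syntax": sm.group(1) if sm else None,
            # Matching-rule names are case-insensitive in LDAP schema.
            "equality": em.group(1).lower() if em else None,
        }


def find_conflicts(schema_files):
    """Return {oid: [(file, definition), ...]} for OIDs whose SYNTAX or
    EQUALITY differs between files (identical re-definitions are ignored)."""
    by_oid = defaultdict(list)
    for fname in sorted(schema_files):  # 389-ds loads schema files in name order
        for d in parse_attribute_types(schema_files[fname]):
            by_oid[d["oid"]].append((fname, d))
    conflicts = {}
    for oid, defs in by_oid.items():
        syntaxes = {d["syntax"] for _, d in defs}
        equalities = {d["equality"] for _, d in defs if d["equality"]}
        if len(defs) > 1 and (len(syntaxes) > 1 or len(equalities) > 1):
            conflicts[oid] = defs
    return conflicts


def describe(conflicts):
    """Render the conflict map as report lines, one per file and definition."""
    lines = []
    for oid, defs in conflicts.items():
        lines.append(f"OID {oid} ({'/'.join(defs[0][1]['names'])}) defined differently:")
        for fname, d in defs:
            syn = d["syntax"]
            lines.append(f"  {fname}: SYNTAX {syn} ({SYNTAX_NAMES.get(syn, 'unknown')}) "
                         f"EQUALITY {d['equality']}")
    return lines


if __name__ == "__main__":
    for line in describe(find_conflicts(SCHEMA_FILES)):
        print(line)
```

On a real server, read the files under /etc/dirsrv/slapd-INSTANCE/schema into the dict instead of the constructed sample; the same check can be run on each replica to answer Alexander's question about which masters carry the wrong definition.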
Re: [Freeipa-users] Failed to start pki-tomcatd Service
On 20 Jul 2015, at 17:58, Petr Vobornik pvobo...@redhat.com wrote:

On 07/20/2015 05:17 PM, Alexander Bokovoy wrote:

On Mon, 20 Jul 2015, Alexandre Ellert wrote:

Can you please show output from fgrep -r 'dc' /etc/dirsrv/slapd-INSTANCE/schema

# fgrep -r 'dc' /etc/dirsrv/slapd-NUMEEZY-FR/schema

This is original 'dc' definition:

/etc/dirsrv/slapd-NUMEEZY-FR/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )

This is the offending one:

/etc/dirsrv/slapd-NUMEEZY-FR/schema/99user.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D

In 00core.ldif, I have :

attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'RFC 4519' X-DEPRECATED 'domaincomponent' )

If you look into 99user.ldif, you'll see the wrong definition there. 99user.ldif accumulates definitions coming from replication or updates. You can check other IPA masters, do they have 'dc' attribute defined in a wrong way?

As far as I remember, the only modification I made was to disable read-only access without authentication. I don't need any other special customization.

Something brought the wrong definition into your IPA masters. Maybe someone tried to add support for some old application?

Probably caused by migration from 6.6 to 7.x. See https://bugzilla.redhat.com/show_bug.cgi?id=1220788 Usually it doesn't cause any issue but looks scary.

I confirm this was a migration from CentOS 6.6 to 7.1. Everything else worked just fine following the RedHat migration procedure (https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html)

I'd try to isolate entries from DS, CA, maybe also krb5kdc logs around the time the following CA error happened (could be new start).

[30/Jun/2015:10:02:14][localhost-startStop-1]: CMS:Caught EBaseException Internal Database Error encountered: Could not connect to LDAP server host ipa.mydomain.org

I restarted IPA :

/var/log/pki/pki-tomcat/ca/debug :
[20/Jul/2015:18:12:17][localhost-startStop-1]: CMS:Caught EBaseException

/var/log/krb5kdc.log :
otp: Loaded
Jul 20 18:11:47 inf-ipa-2.numeezy.fr krb5kdc[16635](Error): preauth pkinit failed to initialize: No realms configured correctly for pkinit support
Jul 20 18:11:47 inf-ipa-2.numeezy.fr krb5kdc[16635](info): setting up network...
Jul 20 18:11:47 inf-ipa-2.numeezy.fr krb5kdc[16635](info): listening on fd 8: udp 0.0.0.0.88 (pktinfo)
krb5kdc: setsockopt(9,IPV6_V6ONLY,1) worked
krb5kdc: Invalid argument - Cannot request packet info for udp socket address :: port 88
Jul 20 18:11:47 inf-ipa-2.numeezy.fr krb5kdc[16635](info): skipping unrecognized local address family 17
Jul 20 18:11:47 inf-ipa-2.numeezy.fr krb5kdc[16635](info): skipping unrecognized local address family 17
krb5kdc: setsockopt(9,IPV6_V6ONLY,1) worked
Jul 20 18:11:47 inf-ipa-2.numeezy.fr krb5kdc[16635](info): listening on fd 9: udp fe80::250:56ff:fe93:357e%ens160.88
krb5kdc: setsockopt(10,IPV6_V6ONLY,1) worked
Jul 20 18:11:47 inf-ipa-2.numeezy.fr krb5kdc[16635](info): listening on fd 11: tcp 0.0.0.0.88
Jul 20 18:11:47 inf-ipa-2.numeezy.fr krb5kdc[16635](info): listening on fd 10: tcp ::.88
Jul 20 18:11:47 inf-ipa-2.numeezy.fr krb5kdc[16635](info): set up 4 sockets
Jul 20 18:11:47 inf-ipa-2.numeezy.fr krb5kdc[16636](info): commencing operation
Jul 20 18:11:48 inf-ipa-2.numeezy.fr krb5kdc[16636](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 37.59.203.176: NEEDED_PREAUTH: host/inf-ipa-2.numeezy...@numeezy.fr for krbtgt/numeezy...@numeezy.fr, Additional pre-authentication required
Jul 20 18:11:48 inf-ipa-2.numeezy.fr krb5kdc[16636](info): closing down fd 12
Jul 20 18:11:48 inf-ipa-2.numeezy.fr krb5kdc[16636](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 37.59.203.176: ISSUE: authtime 1437408708, etypes {rep=18 tkt=18 ses=18}, host/inf-ipa-2.numeezy...@numeezy.fr for krbtgt/numeezy...@numeezy.fr
Jul 20 18:11:48 inf-ipa-2.numeezy.fr krb5kdc[16636](info): closing down fd 12
Jul 20 18:11:48 inf-ipa-2.numeezy.fr krb5kdc[16636](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 37.59.203.176: ISSUE: authtime 1437408708, etypes {rep=18 tkt=18 ses=18}, host/inf-ipa-2.numeezy...@numeezy.fr for ldap/inf-ipa-2.numeezy...@numeezy.fr
Jul 20 18:11:48 inf-ipa-2.numeezy.fr krb5kdc[16636](info): closing down fd 12
Jul 20 18:11:48 inf-ipa-2.numeezy.fr krb5kdc[16636](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 37.59.203.176: NEEDED_PREAUTH: DNS/inf-ipa-2.numeezy...@numeezy.fr for krbtgt/numeezy...@numeezy.fr, Additional pre-authentication required
Jul 20 18:11:48
Re: [Freeipa-users] Failed to start pki-tomcatd Service
On 16 Jul 2015, at 09:29, Lukas Slebodnik lsleb...@redhat.com wrote:

I had a similar issue on fedora 21 or fedora 22. The workarounds from freeipa ticket #4666 did not help for me either. I found out that there was some problem with upgrading dogtag configuration. You can try to run the upgrade manually. It might help you.

[root@vm-114 ~]# rpm -q --scripts pki-server
postinstall scriptlet (using /bin/sh):
## NOTE: At this time, NO attempt has been made to update ANY PKI subsystem
## from EITHER 'sysVinit' OR previous 'systemd' processes to the new
## PKI deployment process
echo Upgrading server at `/bin/date`. >> /var/log/pki/pki-server-upgrade-10.2.4.log 2>&1
/sbin/pki-server-upgrade --silent >> /var/log/pki/pki-server-upgrade-10.2.4.log 2>&1
echo >> /var/log/pki/pki-server-upgrade-10.2.4.log 2>&1
systemctl daemon-reload

In my case, it didn't help. So I updated freeipa to the latest version. Then I installed a similar new freeipa on another machine. So I had functional dogtag. Then I tried to fix broken dogtag configuration using functional configuration from 2nd freeipa. I would definitely recommend to backup data from old freeipa before any manual updates. Maybe Fraser would have a better advice.

LS

I tried the suggested solution with pki-server-upgrade script but it didn't fix it, the output was :

# cat /var/log/pki/pki-server-upgrade-10.1.2.log
Upgrading from version 10.1.2 to 10.1.2:
1. Add TLS Range Support
Upgrade complete.

I will try the second solution and install a fresh new IPA server to compare dogtag configuration. Do you know what files/directory I should check ?

Thanks for your help

-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Failed to start pki-tomcatd Service
On 30 Jun 2015, at 10:16, Alexandre Ellert aell...@numeezy.com wrote:

Could you please provide the content of logfile: `/var/log/pki/pki-tomcat/ca/debug', around the time the error occurs?

Thanks,
Fraser

When the pki-tomcatd service is trying to start, I see this message in /var/log/pki/pki-tomcat/ca/debug

[30/Jun/2015:10:02:13][localhost-startStop-1]:
[30/Jun/2015:10:02:13][localhost-startStop-1]: === DEBUG SUBSYSTEM INITIALIZED ===
[30/Jun/2015:10:02:13][localhost-startStop-1]:
[30/Jun/2015:10:02:13][localhost-startStop-1]: CMSEngine: done init id=debug
[30/Jun/2015:10:02:13][localhost-startStop-1]: CMSEngine: initialized debug
[30/Jun/2015:10:02:13][localhost-startStop-1]: CMSEngine: initSubsystem id=log
[30/Jun/2015:10:02:13][localhost-startStop-1]: CMSEngine: ready to init id=log
[30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: done init id=log
[30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: initialized log
[30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: initSubsystem id=jss
[30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: ready to init id=jss
[30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: done init id=jss
[30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: initialized jss
[30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: initSubsystem id=dbs
[30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: ready to init id=dbs
[30/Jun/2015:10:02:14][localhost-startStop-1]: DBSubsystem: init() mEnableSerialMgmt=true
[30/Jun/2015:10:02:14][localhost-startStop-1]: LdapBoundConnFactory: init
[30/Jun/2015:10:02:14][localhost-startStop-1]: LdapBoundConnFactory:doCloning true
[30/Jun/2015:10:02:14][localhost-startStop-1]: LdapAuthInfo: init()
[30/Jun/2015:10:02:14][localhost-startStop-1]: LdapAuthInfo: init begins
[30/Jun/2015:10:02:14][localhost-startStop-1]: LdapAuthInfo: init ends
[30/Jun/2015:10:02:14][localhost-startStop-1]: init: before makeConnection errorIfDown is true
[30/Jun/2015:10:02:14][localhost-startStop-1]: makeConnection: errorIfDown true
[30/Jun/2015:10:02:14][localhost-startStop-1]: LdapJssSSLSocket set client auth cert nickname subsystemCert cert-pki-ca
[30/Jun/2015:10:02:14][localhost-startStop-1]: CMS:Caught EBaseException
Internal Database Error encountered: Could not connect to LDAP server host ipa.mydomain.org port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
    at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:658)
    at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:934)
    at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:865)
    at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:362)
    at com.netscape.certsrv.apps.CMS.init(CMS.java:189)
    at com.netscape.certsrv.apps.CMS.start(CMS.java:1585)
    at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:96)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
    at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272)
    at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)
    at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087)
    at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
    at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
    at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
    at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
    at java.security.AccessController.doPrivileged(Native Method
Re: [Freeipa-users] Failed to start pki-tomcatd Service
2015-06-29 19:37 GMT+02:00 Alexandre Ellert aell...@numeezy.com:

Hello,

I have a problem on a replica server running Centos 7.1 and ipa 4.1.0-18.el7.centos.3.x86_64 (last version). Ipa server doesn't restart correctly (using systemctl restart ipa or reboot the whole server) :

# ipactl status
Directory Service: STOPPED
Directory Service must be running in order to obtain status of other services
ipa: INFO: The ipactl command was successful

and I have to force the start process :

# ipactl start -f
Existing service file detected!
Assuming stale, cleaning and proceeding
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting ipa_memcached Service
Starting httpd Service
Starting pki-tomcatd Service
Failed to start pki-tomcatd Service
Forced start, ignoring pki-tomcatd Service, continuing normal operation
Starting ipa-otpd Service
ipa: INFO: The ipactl command was successful

But, as you see the pki-tomcatd is unable to start. I started looking at /var/log/pki/pki-tomcat/localhost.2015-06-29.log and found this error :

Jun 29, 2015 7:33:12 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [caProfileSubmit] in context with path [/ca] threw exception
java.io.IOException: CS server is not ready to serve.
    at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:443)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
    at sun.reflect.GeneratedMethodAccessor32.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at sun.reflect.GeneratedMethodAccessor31.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:249)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408
Re: [Freeipa-users] named failure: REQUIRE(pthread_kill(ldap_inst-watcher...) failed
You have to adapt the example to your environment: LDAP search base should be cn=dns, dc=ivscloud, dc=local

$ ldapsearch -Y GSSAPI -b 'cn=dns,dc=example,dc=com' '(objectClass=idnsConfigObject)'
[...]
# search result
search: 4
result: 32 No such object

My mistake, here is the result :

ldapsearch -Y GSSAPI -b 'cn=dns,dc=ivscloud,dc=local' '(objectClass=idnsConfigObject)'
SASL/GSSAPI authentication started
SASL username: admin@IVSCLOUD.LOCAL
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=dns,dc=ivscloud,dc=local> with scope subtree
# filter: (objectClass=idnsConfigObject)
# requesting: ALL
#

# dns, ivscloud.local
dn: cn=dns,dc=ivscloud,dc=local
objectClass: idnsConfigObject
objectClass: nsContainer
objectClass: top
cn: dns

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1

Anyway, your configuration in /etc/named.conf seems correct. Please let us know if you are able to reproduce the crash, I don't see a way how to fix it without a reproducer.

I don't know how to reproduce. Maybe try to put a cron '/sbin/service named reload' and see if it crashes.

Have a nice day!

-- Petr^2 Spacek

___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] named failure: REQUIRE(pthread_kill(ldap_inst-watcher...) failed
We need more information about your configuration. Please add details mentioned at https://fedorahosted.org/bind-dyndb-ldap/wiki/BugReporting#Aboutyouroperatingsystemdistribution and https://fedorahosted.org/bind-dyndb-ldap/wiki/BugReporting#Abouttheplugin

What distribution/version/architecture you use?
Centos 6.5 (2.6.32-431.el6.x86_64) up to date

What plugin version you use?
bind-dyndb-ldap-2.3-5.el6.x86_64

Do you use bind-dyndb-ldap as part of FreeIPA installation?
Yes

Which version of BIND you use ?
bind-9.8.2-0.17.rc1.el6_4.6.x86_64

Please provide dynamic-db section from configuration file /etc/named.conf :

dynamic-db "ipa" {
    library "ldap.so";
    arg "uri ldapi://%2fvar%2frun%2fslapd-IVSCLOUD-LOCAL.socket";
    arg "base cn=dns, dc=ivscloud,dc=local";
    arg "fake_mname ipa-master.ivscloud.local.";
    arg "auth_method sasl";
    arg "sasl_mech GSSAPI";
    arg "sasl_user DNS/ipa-master.ivscloud.local";
    arg "zone_refresh 0";
    arg "psearch yes";
    arg "serial_autoincrement yes";
    arg "connections 4";
};

Do you have some other text based or DLZ zones configured?
no

Do you have some global forwarders configured in BIND configuration file?
no

options {
    […]
    forward first;
    forwarders { };
    […]
};

Do you have some settings in global configuration object in LDAP?
no (not sure)

$ ldapsearch -Y GSSAPI -b 'cn=dns,dc=example,dc=com' '(objectClass=idnsConfigObject)'
SASL/GSSAPI authentication started
SASL username: admin@IVSCLOUD.LOCAL
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=dns,dc=example,dc=com> with scope subtree
# filter: (objectClass=idnsConfigObject)
# requesting: ALL
#

# search result
search: 4
result: 32 No such object

# numResponses: 1

Do you see any messages complaining about broken connection or something like that? Did the server work fine before the reload?

The server worked fine before reload (caused by logrotate). I've searched in log files /var/log/dirsrv/*, /var/log/messages but didn't find anything interesting.

Thanks for your help
[Freeipa-users] named failure
Hi,

This night, named crashed on my IPA server (Centos 6.5) :

Dec 29 02:27:02 ipa-master named[1537]: received control channel command 'reload'
Dec 29 02:27:03 ipa-master named[1537]: ldap_helper.c:640: REQUIRE(pthread_kill(ldap_inst-watcher, 10) == 0) failed, back trace
Dec 29 02:27:03 ipa-master named[1537]: #0 0x7f6f443a0eff in ??
Dec 29 02:27:03 ipa-master named[1537]: #1 0x7f6f42d0c89a in ??
Dec 29 02:27:03 ipa-master named[1537]: #2 0x7f6f3e48acbf in ??
Dec 29 02:27:03 ipa-master named[1537]: #3 0x7f6f3e48efd6 in ??
Dec 29 02:27:03 ipa-master named[1537]: #4 0x7f6f3e48f591 in ??
Dec 29 02:27:03 ipa-master named[1537]: #5 0x7f6f43bfca54 in ??
Dec 29 02:27:03 ipa-master named[1537]: #6 0x7f6f443c1b87 in ??
Dec 29 02:27:03 ipa-master named[1537]: #7 0x7f6f443c4726 in ??
Dec 29 02:27:03 ipa-master named[1537]: #8 0x7f6f443c4b36 in ??
Dec 29 02:27:03 ipa-master named[1537]: #9 0x7f6f443c4cf8 in ??
Dec 29 02:27:03 ipa-master named[1537]: #10 0x7f6f44399f55 in ??
Dec 29 02:27:03 ipa-master named[1537]: #11 0x7f6f4439d616 in ??
Dec 29 02:27:03 ipa-master named[1537]: #12 0x7f6f42d2b2f8 in ??
Dec 29 02:27:03 ipa-master named[1537]: #13 0x7f6f426e09d1 in ??
Dec 29 02:27:03 ipa-master named[1537]: #14 0x7f6f41c41b6d in ??
Dec 29 02:27:03 ipa-master named[1537]: exiting (due to assertion failure)

DNS was set up during installation time and hasn't shown any problem since this server went into production (several months).

Can you please advise about how to investigate to find the root cause of this crash ? Should I worry about that or is this just an isolated case ?

Thanks for your support.

Alexandre.
[Freeipa-users] Cross-realm trust with AD and ssh keys management
Hi,

I've successfully set up a testing environment with an IPA server (RHEL 6.4) and a cross-realm trust with my Active Directory (Win2008 R2). Authentication works both with AD passwords and Kerberos GSS-API.

Now, I'm trying to find the way to manage ssh keys which belong to AD users. It seems that I can do that only with users declared in the IPA domain. Can you confirm that ? Does the winsync method provide a way to add an ssh key to an AD user ?

Your suggestions are welcome.

Thanks.

Alexandre.
[Freeipa-users] sudo rule applied to a host group
Hi,

I'm trying to get a sudo rule working for a group of users; basically I want to allow all the developers (dev-users) to become root on the developers' servers (dev-servers).
When this rule is applied to a single host, to all hosts or to several named hosts, it works fine: dev-users can sudo without being prompted for a password (I have the sudo option !authenticate).
But if I apply the rule to the dev-servers group, it doesn't work: when a member of dev-users tries to sudo, it prompts for a password, and even when the password is correct, the password is asked for again.

I use ipa-server-3.0.0-26.el6_4.4 on RHEL 6 and a custom Debian package for clients (based on freeipa 3.0.2).
I checked /etc/sudo-ldap.conf, /etc/nsswitch.conf and /etc/rc.local on the clients and everything seems correct. Did I miss something?

Thanks for your help.
Alexandre.
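As an added illustration that is not part of the post or of FreeIPA's own code: a small model of how the sudo of that era decided whether a host belongs to a hostgroup-based rule. It assumes (my reading of the IPA 3.0 sudo-ldap setup, not something the thread states) that a host group in a sudo rule is published as a netgroup, that sudo matches it with an innetgr()-style (host, user, domain) comparison, and that a Linux host with no NIS domain reports "(none)", which is why ipa-client-install of that era set nisdomainname from /etc/rc.local. The host names, the getent output and the domain below are constructed samples.

```python
"""Added example: model sudo's netgroup-based host matching for a hostgroup rule.

Assumption (labelled): sudo resolves "sudoHost: +dev-servers" as a netgroup and
asks innetgr() whether the triple (this host, <any user>, NIS domain) is in it.
A Linux host whose NIS domain is unset reports "(none)", which older sudo passed
through literally, so it can never equal the IPA domain stored in the triple.
"""
import re
from typing import List, Optional, Tuple

Triple = Tuple[str, str, str]

# Constructed sample of what `getent netgroup dev-servers` prints on an IPA
# client: the netgroup name followed by (host,user,domain) triples.
SAMPLE_GETENT = ("dev-servers (dev1.example.test,-,example.test) "
                 "(dev2.example.test,-,example.test)")

TRIPLE_RE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")


def parse_getent_netgroup(line: str) -> Tuple[str, List[Triple]]:
    """Split a `getent netgroup` line into the group name and its triples."""
    name, _, rest = line.partition(" ")
    triples = [(h.strip(), u.strip(), d.strip())
               for h, u, d in TRIPLE_RE.findall(rest)]
    return name, triples


def _field_matches(triple_value: str, wanted: Optional[str]) -> bool:
    # innetgr() semantics: an empty triple field or a None query value is a
    # wildcard; anything else must match.  Note that "-" is a literal value
    # (it only matches "-"), which is why the user field above never matches a
    # real user, but sudo passes None for the user when matching hosts.
    if triple_value == "" or wanted is None:
        return True
    return triple_value.lower() == wanted.lower()


def sudo_nis_domain(kernel_domainname: str) -> Optional[str]:
    """Domain value handed to innetgr(): only an empty string means 'none'.

    Assumption (labelled): "(none)", the kernel's value when no NIS domain is
    set, is not special-cased and is compared literally.
    """
    return None if kernel_domainname == "" else kernel_domainname


def host_in_netgroup(triples: List[Triple], host: str,
                     domain: Optional[str]) -> bool:
    """Does any triple admit (host, <any user>, domain)?"""
    return any(_field_matches(t_host, host) and _field_matches(t_domain, domain)
               for t_host, _t_user, t_domain in triples)


def diagnose(getent_line: str, host: str, kernel_domainname: str) -> str:
    """Return 'match', 'nisdomain-mismatch' or 'host-not-member'."""
    _name, triples = parse_getent_netgroup(getent_line)
    if host_in_netgroup(triples, host, sudo_nis_domain(kernel_domainname)):
        return "match"
    # Retry with the domain wildcarded to tell the two failure causes apart.
    if host_in_netgroup(triples, host, None):
        return "nisdomain-mismatch"
    return "host-not-member"


if __name__ == "__main__":
    for dom in ("example.test", "(none)"):
        print(dom, "->", diagnose(SAMPLE_GETENT, "dev1.example.test", dom))
```

Feeding diagnose() the client's real `getent netgroup dev-servers` output, its FQDN and the output of `nisdomainname` separates "this host is not in the group" from "the group is right but the NIS domain does not match", which are the two checks worth doing before digging into sudo-ldap.conf.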
Re: [Freeipa-users] freeipa-client on Debian Wheezy
On 19 Jul 2013, at 10:20, Martin Kosek <mko...@redhat.com> wrote:

> On 07/19/2013 02:59 AM, Alexandre Ellert wrote:
>> Hi,
>> I have these 3 errors/warnings messages when I join a Debian client to a RHEL 6.4 server (ipa-server-3.0.0-26.el6_4.4.x86_64):
>>
>> => certmonger failed to stop: [Errno 2] No such file or directory: '/var/run/ipa/services.list'
>> There is no such file even on RHEL 6. What is this file?
>
> This was added in IPA 3.0.1 to fix a systemd hang so it does not exist in RHEL-6.4 which contains IPA 3.0. The deb package should just make sure the /var/run/ipa/ directory is there (or update debian platform file to override PlatformService class in ipapython/platform/base/__init__.py).

I managed to fix that and will soon update my repo with a new package version. Thanks for the information.

>> => host_mod: KerbTransport instance has no attribute '_conn'
>> What does that mean?
>
> This means that there was some issue with XMLRPC call to IPA server (the error message is indeed unfortunate) - does ipaclient-install.log contain more details?

Unfortunately there are no more details in ipaclient-install.log; here is the relevant part:

2013-07-19T13:06:26Z INFO host_mod: KerbTransport instance has no attribute '_conn'
2013-07-19T13:06:26Z WARNING Failed to upload host SSH public keys.

Is there any way to get more debug logging? In my opinion, the warning about SSH keys should not trigger here, because I can see them on my IPA server.

>> => Failed to upload host SSH public keys.
>> This is strange because the SSH keys are correctly uploaded!
>> Here is the complete stack trace:
>> ...
>
> HTH,
> Martin
Re: [Freeipa-users] freeipa-client on Debian Wheezy
On 19 Jul 2013, at 16:24, Martin Kosek <mko...@redhat.com> wrote:

> On 07/19/2013 03:28 PM, Alexandre Ellert wrote:
>> Unfortunately there are no more details in ipaclient-install.log; here is the relevant part:
>>
>> 2013-07-19T13:06:26Z INFO host_mod: KerbTransport instance has no attribute '_conn'
>> 2013-07-19T13:06:26Z WARNING Failed to upload host SSH public keys.
>>
>> Is there any way to get more debug logging? In my opinion, the warning about SSH keys should not trigger here, because I can see them on my IPA server.
>
> Are you sure the SSH keys aren't there from previous installation attempt or similar? The _conn generally means there was some problem with the connection to server in the xmlrpclib python library.

I can confirm that the SSH key upload is successful. I've done tests with a fresh install of Debian. To be sure, I will create a new VM and try an ipa-client-install with the modifications you gave me.
> We need to find out what and why triggers it, a change in ipa-client-install script like below may shed more light on what is the source of the error:

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 280edd7..f82b9f6 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -1450,6 +1450,8 @@ def update_ssh_keys(server, hostname, ssh_dir, create_sshfp): pass except StandardError, e: root_logger.info(host_mod: %s, str(e)) +import traceback +traceback.print_exc() root_logger.warning(Failed to upload host SSH public keys.) return

> Martin

Thanks
Alexandre
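Review bot: traceback.print_exc() in the except clause writes to stderr rather than to root_logger, so the trace shows on the console but never lands in ipaclient-install.log, which is where the thread was looking for details in the first place; `root_logger.debug(traceback.format_exc())`, or `exc_info=True` on the existing `root_logger.info("host_mod: %s", str(e))` call, would keep it with the rest of the install log. The `import traceback` inside the except clause is acceptable for a one-off debugging patch but belongs with the module's imports if the change is kept. Note also that this clause catches StandardError broadly and returns after the warning, so any failure raised after the server has already processed host_mod is still reported as "Failed to upload host SSH public keys.", which is exactly the misleading outcome being chased here.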
Re: [Freeipa-users] freeipa-client on Debian Wheezy
Here is the traceback:

Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Forwarding 'host_mod' to server u'https://inf-ipa.numeezy.fr/ipa/xml'
host_mod: KerbTransport instance has no attribute '_conn'
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 1234, in update_ssh_keys
    updatedns=False
  File "/usr/lib/python2.7/dist-packages/ipalib/frontend.py", line 435, in __call__
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/dist-packages/ipalib/frontend.py", line 748, in run
    return self.forward(*args, **options)
  File "/usr/lib/python2.7/dist-packages/ipalib/frontend.py", line 769, in forward
    return self.Backend.xmlclient.forward(self.name, *args, **kw)
  File "/usr/lib/python2.7/dist-packages/ipalib/rpc.py", line 748, in forward
    response = command(*xml_wrap(params))
  File "/usr/lib/python2.7/xmlrpclib.py", line 1224, in __call__
    return self.__send(self.__name, args)
  File "/usr/lib/python2.7/xmlrpclib.py", line 1578, in __request
    verbose=self.__verbose
  File "/usr/lib/python2.7/dist-packages/ipalib/rpc.py", line 490, in request
    self.close()
  File "/usr/lib/python2.7/dist-packages/ipalib/rpc.py", line 457, in close
    self._conn.close()
AttributeError: KerbTransport instance has no attribute '_conn'
Failed to upload host SSH public keys.

-> Keys are correctly uploaded on the new VM.

On 19 Jul 2013, at 16:30, Alexandre Ellert <aell...@numeezy.com> wrote:

> On 19 Jul 2013, at 16:24, Martin Kosek <mko...@redhat.com> wrote:
>
>> Are you sure the SSH keys aren't there from previous installation attempt or similar? The _conn generally means there was some problem with the connection to server in the xmlrpclib python library.
>
> I can confirm that the SSH key upload is successful. I've done tests with a fresh install of Debian. To be sure, I will create a new VM and try an ipa-client-install with the modifications you gave me.
>
>> We need to find out what and why triggers it, a change in ipa-client-install script like below may shed more light on what is the source of the error:
>>
>> Martin
>
> Thanks
> Alexandre
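To show what the traceback above implies, here is an added, constructed model (not ipalib's code and not the Debian patch) of a transport whose close() runs a second time after the library has already dropped the connection: the server-side call has completed, yet the client reports a failure. FakeConnection, FragileTransport and GuardedTransport are stand-ins for the real transport classes; no network I/O happens.

```python
"""Added example: a second close() on an already-dropped connection turns a
successful RPC into a reported failure, as in the KerbTransport traceback.
The classes are constructed stand-ins, not ipalib or xmlrpclib code."""


class FakeConnection:
    """Stand-in for an HTTP connection; counts how often it was closed."""

    def __init__(self):
        self.closed = 0

    def getresponse(self):
        # Constructed response.  In reality the server has already applied
        # the host_mod by the time this returns.
        return "<methodResponse>ok</methodResponse>"

    def close(self):
        self.closed += 1


class FragileTransport:
    """Mirrors the failing pattern from the traceback: after the library has
    closed and discarded the connection, an added self.close() runs and
    dereferences an attribute that no longer exists."""

    def __init__(self):
        self.server_calls = 0
        self.last_conn = None

    def make_connection(self):
        self._conn = FakeConnection()
        self.last_conn = self._conn
        return self._conn

    def _library_close(self):
        # What the library does on its own once the response has been read.
        self._conn.close()
        del self._conn

    def close(self):
        # The extra cleanup from the thread: assumes _conn is still present.
        self._conn.close()

    def request(self):
        conn = self.make_connection()
        self.server_calls += 1          # server-side work happens here
        response = conn.getresponse()
        self._library_close()
        self.close()                    # second close: AttributeError
        return response                 # not reached for this class


class GuardedTransport(FragileTransport):
    """Same flow, but close() is idempotent: a missing or already-closed
    connection is not an error, so a successful call stays successful."""

    def close(self):
        conn = getattr(self, "_conn", None)
        if conn is not None:
            conn.close()
            self._conn = None


def upload_keys(transport):
    """Drive one request; return (server_applied, client_saw_error, message)."""
    try:
        transport.request()
        return transport.server_calls == 1, False, ""
    except AttributeError as exc:
        return transport.server_calls == 1, True, str(exc)


if __name__ == "__main__":
    print("fragile:", upload_keys(FragileTransport()))
    print("guarded:", upload_keys(GuardedTransport()))
```

The point for anyone reading install logs: a "Failed to upload host SSH public keys." warning produced this way is a client-side cleanup bug, not evidence that the server rejected or lost the keys, so the right check is to look at the host entry on the server rather than to re-run enrollment.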
Re: [Freeipa-users] freeipa-client on Debian Wheezy
Sorry, my mistake. I removed all the patches from RHEL and just kept 0053-Cookie-Expires-date-should-be-locale-insensitive.patch. Everything seems fine now. I'm going to test.

Thanks for your help

On 19 Jul 2013, at 17:53, Alexandre Ellert <aell...@numeezy.com> wrote:

> It's based on 3.0.2 with 1011-xmlrpc_response.patch (found in ipa-3.0.0-26.el6_4.4.src.rpm), and self._conn.close() is added by this patch. I included it because it corrects this problem:
>
> unable to parse cookie header 'ipa_session=83701130bf434d20cf8c5a3fe2a0ac56; Domain=inf-ipa.numeezy.fr; Path=/ipa; Expires=Fri, 19 Jul 2013 16:08:31 GMT; Secure; HttpOnly': unable to parse expires datetime 'Fri, 19 Jul 2013 16:08:31'
>
> On 19 Jul 2013, at 17:08, Martin Kosek <mko...@redhat.com> wrote:
>
>> Thanks, this should help. Maybe the IPA just tries to close the connection twice _after_ keys were uploaded to the server.
>>
>> Anyway, what version of IPA software is the Debian package based on? I cannot find line self._conn.close() in ipalib/rpc.py in any of our active branches.
>>
>> Martin
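An added example, not FreeIPA's code, of the locale problem behind the "unable to parse expires datetime" error quoted above. datetime.strptime with %a and %b uses the day and month names of the process locale, so under a French locale "Fri" and "Jul" do not parse and the session cookie is discarded; email.utils.parsedate_to_datetime implements the RFC 1123 date format with fixed English names. The Set-Cookie value below is constructed in the same shape as the one in the thread, with a placeholder session id and domain.

```python
"""Added example: locale-independent handling of a session cookie's Expires
attribute.  The cookie below is a constructed sample, not a real session."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, Optional

SAMPLE_SET_COOKIE = (
    "ipa_session=0123456789abcdef0123456789abcdef; Domain=ipa.example.test; "
    "Path=/ipa; Expires=Fri, 19 Jul 2013 16:08:31 GMT; Secure; HttpOnly"
)


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split a Set-Cookie value into name, value and lower-cased attributes.
    Flag attributes without a value (Secure, HttpOnly) get the value "true".
    Splitting on ';' is safe here: the Expires date contains a comma, never
    a semicolon."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {"name": name.strip(), "value": value.strip()}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else "true"
    return attrs


def parse_expires(value: str) -> Optional[datetime]:
    """Parse an Expires attribute regardless of the process locale.

    Returns an aware UTC datetime, or None when the value is malformed.
    A value without a zone (as in the error message in the thread, where
    'GMT' had already been stripped) is taken as UTC, which is what the
    cookie spec prescribes for Expires."""
    try:
        parsed = parsedate_to_datetime(value)
    except (TypeError, ValueError, IndexError):
        # Older Pythons raise TypeError, newer ones ValueError, on bad input.
        return None
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def session_cookie_usable(header: str, now: datetime) -> bool:
    """Accept the cookie only if it is Secure and HttpOnly and not expired.
    An Expires value that cannot be parsed is treated as 'do not trust'."""
    attrs = parse_set_cookie(header)
    if attrs.get("secure") != "true" or attrs.get("httponly") != "true":
        return False
    if "expires" not in attrs:
        return True
    expires = parse_expires(attrs["expires"])
    if expires is None:
        return False
    return now < expires


if __name__ == "__main__":
    print(parse_expires("Fri, 19 Jul 2013 16:08:31 GMT"))
    print(session_cookie_usable(SAMPLE_SET_COOKIE, datetime.now(timezone.utc)))
```

The same parsing mistake in the other direction is worth remembering when writing a client: a Set-Cookie that cannot be parsed should make the client fall back to full authentication, as the IPA client did here, rather than keep using a cookie whose lifetime it does not understand.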
Re: [Freeipa-users] freeipa-client on Debian Wheezy
I've made packages for Debian Wheezy (currently only amd64). The goal is to have a fully functional client compatible with a CentOS/RHEL 6.4 freeipa server 3.0.0.
At the moment, domain join, SSH key upload, certificate enrollment and sudo integration work in my environment.

If you want to test, just add this to /etc/apt/sources.list:

deb http://apt.numeezy.fr wheezy main
deb-src http://apt.numeezy.fr wheezy main

and import my GPG key:

# wget -qO - http://apt.numeezy.fr/numeezy.asc | sudo apt-key add -

Then, install the package named freeipa-client. You can also download the source using: apt-get source freeipa.

Feel free to contact me if you have any issue using this package.

PS: I've based my work on the package done by Timo Aaltonen for Ubuntu. Thanks to him for his excellent work!

Alexandre

On 15 Jul 2013, at 08:37, Petr Spacek <pspa...@redhat.com> wrote:

> On 12.7.2013 19:57, Alexandre Ellert wrote:
>> Thanks for pointing that bug, compilation succeeded after adding X-Python-Version: 2.7 to the debian/control file. Now, testing functionality... I can give you some feedback if you want (I'm new here. Are there only RHEL/Fedora users on this mailing list?)
>
> This list is not Fedora/RHEL specific. We are glad to hear about ports to another distributions, please continue! :-)
>
> --
> Petr^2 Spacek
Re: [Freeipa-users] freeipa-client on Debian Wheezy
Hi,

I have these 3 errors/warnings messages when I join a Debian client to a RHEL 6.4 server (ipa-server-3.0.0-26.el6_4.4.x86_64):

=> certmonger failed to stop: [Errno 2] No such file or directory: '/var/run/ipa/services.list'
There is no such file even on RHEL 6. What is this file?

=> host_mod: KerbTransport instance has no attribute '_conn'
What does that mean?

=> Failed to upload host SSH public keys.
This is strange because the SSH keys are correctly uploaded!

Here is the complete stack trace:

Server:
ipa host-add test1.numeezy.fr --platform="VMware, Inc." --os="Debian GNU/Linux 7.1 (wheezy)" --password=OTP_password

Client:
# ipa-client-install --server=inf-ipa.numeezy.fr --hostname=test1.numeezy.fr --domain=numeezy.fr --realm=NUMEEZY.FR --password=OTP_password --no-ntp --unattended
Hostname: test1.numeezy.fr
Realm: NUMEEZY.FR
DNS Domain: numeezy.fr
IPA Server: inf-ipa.numeezy.fr
BaseDN: dc=numeezy,dc=fr
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Enrolled in IPA realm NUMEEZY.FR
Created /etc/ipa/default.conf
Domain numeezy.fr is already configured in existing SSSD config, creating a new one.
The old /etc/sssd/sssd.conf is backed up and will be restored during uninstall.
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm NUMEEZY.FR
trying https://inf-ipa.numeezy.fr/ipa/xml
certmonger failed to stop: [Errno 2] No such file or directory: '/var/run/ipa/services.list'
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Forwarding 'host_mod' to server u'https://inf-ipa.numeezy.fr/ipa/xml'
host_mod: KerbTransport instance has no attribute '_conn'
Failed to upload host SSH public keys.

Please let me know if more information is needed, and thanks in advance for your help.

Regards,
Alexandre

On 18 Jul 2013, at 19:49, Arthur <art...@deus.pro> wrote:

> On Fri, 12 Jul 2013 19:57:09 +0200, Alexandre Ellert <aell...@numeezy.com> wrote:
>> Thanks for pointing that bug, compilation succeeded after adding X-Python-Version: 2.7 to the debian/control file. Now, testing functionality... I can give you some feedback if you want (I'm new here. Are there only RHEL/Fedora users on this mailing list?)
>
> That is great! I have to use some Debian servers. It would be good to add them to the IPA domain :)
[Freeipa-users] freeipa-client on Debian Wheezy
Hi,

I'm currently trying to get a functional .deb package working on Debian Wheezy. I have tried to recompile a package from Ubuntu Precise (https://launchpad.net/~freeipa/+archive/ppa) without success.

The first error was about compiling ipa-join:

ipa-join.c: In function ‘callRPC’:
ipa-join.c:174:20: error: ‘struct xmlrpc_curl_xportparms’ has no member named ‘gssapi_delegation’

=> Fix: add backport-gssapi-delegation.patch to the xmlrpc-c package and then install the resulting libxmlrpc-core-c3-dev.deb and libxmlrpc-core-c3.deb

Now, recompiling again with the newly patched libxmlrpc-core-c3... compilation goes further, but I'm stuck at the end of the .deb build process:

dh_install --list-missing
dh_install: usr/share/man/man1/ipa-client-automount.1.gz exists in debian/tmp but is not installed to anywhere
dh_install: usr/sbin/ipa-client-automount exists in debian/tmp but is not installed to anywhere
make[1]: quittant le répertoire « /root/freeipa-ppa/freeipa-3.2.0 »
dh_install
dh_installdocs
dh_installchangelogs
dh_installexamples
dh_installman
dh_installcatalogs
dh_installcron
dh_installdebconf
dh_installemacsen
dh_installifupdown
dh_installinfo
dh_python2
E: dh_python2:145: extension for python2.6 is missing. Build extensions for all supported Python versions (`pyversions -vr`) or adjust X-Python-Version field or pass --no-guessing-versions to dh_python2
make: *** [binary] Erreur 3
dpkg-buildpackage: erreur: debian/rules binary a produit une erreur de sortie de type 2

Any idea or advice about how to backport freeipa-client to wheezy?

Thanks a lot.
Alexandre
Re: [Freeipa-users] freeipa-client on Debian Wheezy
Thanks for pointing that bug, compilation succeeded after adding X-Python-Version: 2.7 to the debian/control file.
Now, testing functionality... I can give you some feedback if you want (I'm new here. Are there only RHEL/Fedora users on this mailing list?)

On 12 Jul 2013, at 19:36, Alexander Bokovoy <aboko...@redhat.com> wrote:

> On Fri, 12 Jul 2013, Alexandre Ellert wrote:
>> E: dh_python2:145: extension for python2.6 is missing. Build extensions for all supported Python versions (`pyversions -vr`) or adjust X-Python-Version field or pass --no-guessing-versions to dh_python2
>> make: *** [binary] Erreur 3
>> dpkg-buildpackage: erreur: debian/rules binary a produit une erreur de sortie de type 2
>>
>> Any idea or advice about how to backport freeipa-client to wheezy?
>
> Perhaps, you can fix it in a manner similar to http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628827
>
> --
> / Alexander Bokovoy