[Freeipa-users] Upgrade to 3.1.2: web UI no longer works
Hi, I've just upgraded from F16 to F18 and thus freeipa v3.1.2. It basically works, on the command line. ipa user-show xxx works. The Web UI however no longer works. I get the login window with Your session has expired. Please re-login., no matter whether I use kerberos or password login. The httpd logs don't seem to be very informative. /var/cache/ipa/sessions/ is empty. Could someone point me to where I could find more information to debug this problem? Thanks, Tom ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Upgrade to 3.1.2: web UI no longer works
On 02/05/2013 09:52 AM, Thomas Sailer wrote: Hi, I've just upgraded from F16 to F18 and thus freeipa v3.1.2. It basically works, on the command line. ipa user-show xxx works. The Web UI however no longer works. I get the login window with Your session has expired. Please re-login., no matter whether I use kerberos or password login. The httpd logs don't seem to be very informative. /var/cache/ipa/sessions/ is empty. Could someone point me to where I could find more information to debug this problem? In /etc/ipa/default.conf on the server add this line: debug=True Then restart the server (actually you only need to restart httpd, e.g. systemctl restart httpd.service) Then you should see a lot of debug messages in /var/log/httpd/error_log /var/cache/ipa/sessions is historical cruft, you won't find anything there. Once you get the debug trace one of us can help diagnose it. -- John Dennis jden...@redhat.com Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Upgrade to 3.1.2: web UI no longer works
Thanks, John! See the log below. The only thing that looks strange to me is expiration_timestamp=1970-01-01T01:00:00. Where does this time come from? Tom [Tue Feb 05 16:16:53.798117 2013] [:error] [pid 6843] ipa: INFO: *** PROCESS START *** [Tue Feb 05 16:16:53.914486 2013] [:error] [pid 6844] ipa: INFO: *** PROCESS START *** [Tue Feb 05 18:09:25.829937 2013] [:error] [pid 6843] ipa: DEBUG: WSGI wsgi_dispatch.__call__: [Tue Feb 05 18:09:25.830261 2013] [:error] [pid 6843] ipa: DEBUG: WSGI jsonserver_session.__call__: [Tue Feb 05 18:09:25.830910 2013] [:error] [pid 6843] ipa: DEBUG: found session cookie_id = bcc81ee57dd1b0dc068a6b049618dfa8 [Tue Feb 05 18:09:25.831823 2013] [:error] [pid 6843] ipa: DEBUG: no session data in cache with id=bcc81ee57dd1b0dc068a6b049618dfa8, generating empty session data [Tue Feb 05 18:09:25.832551 2013] [:error] [pid 6843] ipa: DEBUG: store session: session_id=bcc81ee57dd1b0dc068a6b049618dfa8 start_timestamp=2013-02-05T18:09:25 access_timestamp=2013-02-05T18:09:25 expiration_timestamp=1970-01-01T01:00:00 [Tue Feb 05 18:09:25.833104 2013] [:error] [pid 6843] ipa: DEBUG: jsonserver_session.__call__: session_id=bcc81ee57dd1b0dc068a6b049618dfa8 start_timestamp=2013-02-05T18:09:25 access_timestamp=2013-02-05T18:09:25 expiration_timestamp=1970-01-01T01:00:00 [Tue Feb 05 18:09:25.833325 2013] [:error] [pid 6843] ipa: DEBUG: no ccache, need login [Tue Feb 05 18:09:25.833472 2013] [:error] [pid 6843] ipa: DEBUG: jsonserver_session: 401 Unauthorized need login [Tue Feb 05 18:09:26.265310 2013] [:error] [pid 6844] ipa: DEBUG: WSGI wsgi_dispatch.__call__: [Tue Feb 05 18:09:26.265601 2013] [:error] [pid 6844] ipa: DEBUG: WSGI login_kerberos.__call__: [Tue Feb 05 18:09:26.266719 2013] [:error] [pid 6844] ipa: DEBUG: found session cookie_id = bcc81ee57dd1b0dc068a6b049618dfa8 [Tue Feb 05 18:09:26.268036 2013] [:error] [pid 6844] ipa: DEBUG: no session data in cache with id=bcc81ee57dd1b0dc068a6b049618dfa8, generating empty session data [Tue Feb 05 18:09:26.268517 2013] [:error] [pid 6844] ipa: DEBUG: store session: session_id=bcc81ee57dd1b0dc068a6b049618dfa8 start_timestamp=2013-02-05T18:09:26 access_timestamp=2013-02-05T18:09:26 expiration_timestamp=1970-01-01T01:00:00 [Tue Feb 05 18:09:26.269176 2013] [:error] [pid 6844] ipa: DEBUG: finalize_kerberos_acquisition: login_kerberos ccache_name=FILE:/run/httpd/krbcache/krb5cc_apache_MxFRBf session_id=bcc81ee57dd1b0dc068a6b049618dfa8 [Tue Feb 05 18:09:26.269420 2013] [:error] [pid 6844] ipa: DEBUG: reading ccache data from file /run/httpd/krbcache/krb5cc_apache_MxFRBf [Tue Feb 05 18:09:26.271728 2013] [:error] [pid 6844] ipa: DEBUG: get_credential_times: principal=krbtgt/@.com, authtime=02/05/13 14:28:55, starttime=02/05/13 18:09:26, endtime=02/06/13 14:25:28, renew_till=01/01/70 01:00:00 [Tue Feb 05 18:09:26.272044 2013] [:error] [pid 6844] ipa: DEBUG: KRB5_CCache FILE:/run/httpd/krbcache/krb5cc_apache_MxFRBf endtime=1360157128 (02/06/13 14:25:28) [Tue Feb 05 18:09:26.272554 2013] [:error] [pid 6844] ipa: DEBUG: set_session_expiration_time: duration_type=inactivity_timeout duration=1200 max_age=1360156828 expiration=1360085366.27 (2013-02-05T18:29:26) [Tue Feb 05 18:09:26.272877 2013] [:error] [pid 6844] ipa: DEBUG: store session: session_id=bcc81ee57dd1b0dc068a6b049618dfa8 start_timestamp=2013-02-05T18:09:26 access_timestamp=2013-02-05T18:09:26 expiration_timestamp=2013-02-05T18:29:26 [Tue Feb 05 18:09:26.273477 2013] [:error] [pid 6844] ipa: DEBUG: release_ipa_ccache: KRB5CCNAME environment variable not set [Tue Feb 05 18:09:26.296615 2013] [:error] [pid 6843] ipa: DEBUG: WSGI wsgi_dispatch.__call__: [Tue Feb 05 18:09:26.297201 2013] [:error] [pid 6843] ipa: DEBUG: WSGI jsonserver_session.__call__: [Tue Feb 05 18:09:26.298296 2013] [:error] [pid 6843] ipa: DEBUG: found session cookie_id = bcc81ee57dd1b0dc068a6b049618dfa8 [Tue Feb 05 18:09:26.298995 2013] [:error] [pid 6843] ipa: DEBUG: no session data in cache with id=bcc81ee57dd1b0dc068a6b049618dfa8, generating empty session data [Tue Feb 05 18:09:26.299561 2013] [:error] [pid 6843] ipa: DEBUG: store session: session_id=bcc81ee57dd1b0dc068a6b049618dfa8 start_timestamp=2013-02-05T18:09:26 access_timestamp=2013-02-05T18:09:26 expiration_timestamp=1970-01-01T01:00:00 [Tue Feb 05 18:09:26.300515 2013] [:error] [pid 6843] ipa: DEBUG: jsonserver_session.__call__: session_id=bcc81ee57dd1b0dc068a6b049618dfa8 start_timestamp=2013-02-05T18:09:26 access_timestamp=2013-02-05T18:09:26 expiration_timestamp=1970-01-01T01:00:00 [Tue Feb 05 18:09:26.300903 2013] [:error] [pid 6843] ipa: DEBUG: no ccache, need login [Tue Feb 05 18:09:26.301258 2013] [:error] [pid 6843] ipa: DEBUG: jsonserver_session: 401 Unauthorized need login ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Upgrade to 3.1.2: web UI no longer works
On 02/05/2013 12:11 PM, Thomas Sailer wrote: Thanks, John! See the log below. The only thing that looks strange to me is expiration_timestamp=1970-01-01T01:00:00. Where does this time come from? That's the initial value of zero on the expiration timestamp, the beginning of the UNIX epoch, it's reset later, nothing to worry about here. Could you please check if ipa-memcached is running? The easiest way is with % ipactl status Also when you send log snippets could you either send them as a text attachment or via a pastebin, your mailer is wrapping the lines which makes it hard to read. -- John Dennis jden...@redhat.com Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Upgrade to 3.1.2: web UI no longer works
On 02/05/2013 03:52 PM, Thomas Sailer wrote: Hi, I've just upgraded from F16 to F18 and thus freeipa v3.1.2. It basically works, on the command line. ipa user-show xxx works. The Web UI however no longer works. I get the login window with Your session has expired. Please re-login., no matter whether I use kerberos or password login. The httpd logs don't seem to be very informative. /var/cache/ipa/sessions/ is empty. Could someone point me to where I could find more information to debug this problem? Thanks, Tom You can also look for unusual stuff on Web UI side. Open Web Console in browser (in FF: 'Tools/Web Developer/Web Console', in Chrome hit F12). First check if there are some JavaScript errors. Then check communication of authentication process - requests to 'ipa/session/login_password' and 'ipa/session/login_kerberos'). When password login fails, there should be filled http header named X-IPA-Rejection-Reason. If you manage to get session, check expiration of ipa_session cookie. -- Petr Vobornik ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Upgrade to 3.1.2: web UI no longer works
On 02/05/2013 06:32 PM, John Dennis wrote: % ipactl status # ipactl status Directory Service: RUNNING krb5kdc Service: RUNNING kadmin Service: RUNNING named Service: RUNNING httpd Service: RUNNING pki-cad Service: RUNNING ipa: INFO: The ipactl command was successful Apparently, it isn't... I've started it using: # systemctl restart ipa_memcached.service # systemctl enable ipa_memcached.service But still, it's not listed with ipactl status (systemctl says it started successfully) Now I'm getting IPA Error 903. Thanks, Tom [Tue Feb 05 19:38:27.394919 2013] [:error] [pid 7520] ipa: INFO: *** PROCESS START *** [Tue Feb 05 19:38:27.410930 2013] [:error] [pid 7519] ipa: INFO: *** PROCESS START *** [Tue Feb 05 19:38:55.828540 2013] [:error] [pid 7520] ipa: DEBUG: WSGI wsgi_dispatch.__call__: [Tue Feb 05 19:38:55.829826 2013] [:error] [pid 7520] ipa: DEBUG: WSGI jsonserver_session.__call__: [Tue Feb 05 19:38:55.831338 2013] [:error] [pid 7520] ipa: DEBUG: found session cookie_id = bcc81ee57dd1b0dc068a6b049618dfa8 [Tue Feb 05 19:38:55.832468 2013] [:error] [pid 7520] ipa: DEBUG: found session data in cache with id=bcc81ee57dd1b0dc068a6b049618dfa8 [Tue Feb 05 19:38:55.852098 2013] [:error] [pid 7520] ipa: DEBUG: jsonserver_session.__call__: session_id=bcc81ee57dd1b0dc068a6b049618dfa8 start_timestamp=2013-02-05T19:34:48 access_timestamp=2013-02-05T19:38:55 expiration_timestamp=2013-02-05T19:57:31 [Tue Feb 05 19:38:55.853918 2013] [:error] [pid 7520] ipa: DEBUG: storing ccache data into file /var/run/ipa_memcached/krbcc_7520 [Tue Feb 05 19:38:55.857797 2013] [:error] [pid 7520] ipa: DEBUG: get_credential_times: principal=krbtgt/@.com, authtime=02/05/13 14:28:55, starttime=02/05/13 19:34:48, endtime=02/06/13 14:25:28, renew_till=01/01/70 01:00:00 [Tue Feb 05 19:38:55.858643 2013] [:error] [pid 7520] ipa: DEBUG: get_credential_times: principal=krbtgt/@.com, authtime=02/05/13 14:28:55, starttime=02/05/13 19:34:48, endtime=02/06/13 14:25:28, renew_till=01/01/70 01:00:00 [Tue Feb 05 19:38:55.863192 2013] [:error] [pid 7520] ipa: DEBUG: KRB5_CCache FILE:/var/run/ipa_memcached/krbcc_7520 endtime=1360157128 (02/06/13 14:25:28) [Tue Feb 05 19:38:55.864570 2013] [:error] [pid 7520] ipa: DEBUG: set_session_expiration_time: duration_type=inactivity_timeout duration=1200 max_age=1360156828 expiration=1360090735.86 (2013-02-05T19:58:55) [Tue Feb 05 19:38:56.67 2013] [:error] [pid 7520] ipa: DEBUG: Created connection context.ldap2 [Tue Feb 05 19:38:56.000523 2013] [:error] [pid 7520] ipa: DEBUG: WSGI jsonserver.__call__: [Tue Feb 05 19:38:56.000831 2013] [:error] [pid 7520] ipa: DEBUG: WSGI WSGIExecutioner.__call__: [Tue Feb 05 19:38:56.001809 2013] [:error] [pid 7520] ipa: DEBUG: raw: batch(({u'params': [[], {}], u'method': u'i18n_messages'}, {u'params': [[], {}], u'method': u'config_show'}, {u'params': [[], {u'all': True, u'whoami': True}], u'method': u'user_find'}, {u'params': [[], {}], u'method': u'env'}, {u'params': [[], {}], u'method': u'dns_is_enabled'})) [Tue Feb 05 19:38:56.002558 2013] [:error] [pid 7520] ipa: DEBUG: batch(({u'params': [[], {}], u'method': u'i18n_messages'}, {u'params': [[], {}], u'method': u'config_show'}, {u'params': [[], {u'all': True, u'whoami': True}], u'method': u'user_find'}, {u'params': [[], {}], u'method': u'env'}, {u'params': [[], {}], u'method': u'dns_is_enabled'})) [Tue Feb 05 19:38:56.003219 2013] [:error] [pid 7520] ipa: DEBUG: raw: i18n_messages() [Tue Feb 05 19:38:56.003633 2013] [:error] [pid 7520] ipa: DEBUG: i18n_messages() [Tue Feb 05 19:38:56.011433 2013] [:error] [pid 7520] ipa: INFO: u...@.com: batch: i18n_messages(): SUCCESS [Tue Feb 05 19:38:56.011971 2013] [:error] [pid 7520] ipa: DEBUG: raw: config_show() [Tue Feb 05 19:38:56.012526 2013] [:error] [pid 7520] ipa: DEBUG: config_show(rights=False, all=False, raw=False) [Tue Feb 05 19:38:56.016416 2013] [:error] [pid 7520] ipa: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd--COM.socket conn=ldap.ldapobject.SimpleLDAPObject instance at 0x7f1d487dad40 [Tue Feb 05 19:38:56.322078 2013] [:error] [pid 7520] ipa: INFO: u...@.com: batch: config_show(): SUCCESS [Tue Feb 05 19:38:56.322640 2013] [:error] [pid 7520] ipa: DEBUG: raw: user_find(None, whoami=True, all=True) [Tue Feb 05 19:38:56.323390 2013] [:error] [pid 7520] ipa: DEBUG: user_find(None, whoami=True, all=True, raw=False, pkey_only=False) [Tue Feb 05 19:38:56.335920 2013] [:error] [pid 7520] ipa: DEBUG: get_memberof: entry_dn=uid=user,cn=users,cn=accounts,dc=,dc=com memberof=[ipapython.dn.DN('cn=admins,cn=groups,cn=accounts,dc=,dc=com'), ipapython.dn.DN('cn=Replication Administrators,cn=privileges,cn=pbac,dc=,dc=com'), ipapython.dn.DN('cn=Add Replication Agreements,cn=permissions,cn=pbac,dc=,dc=com'), ipapython.dn.DN('cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=,dc=com'), ipapython.dn.DN('cn=Remove Replication
Re: [Freeipa-users] Upgrade to 3.1.2: web UI no longer works
On 02/05/2013 06:47 PM, Petr Vobornik wrote: Open Web Console in browser (in FF: 'Tools/Web Developer/Web Console', in Chrome hit F12). I'm using firefox. I'm getting a javascript warning about getAttributeNode being deprecated, and some css complaints. The first post just gets one's own principal (which is correct), and i18 messages, the second post returns the Error 903... Tom ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Upgrade to 3.1.2: web UI no longer works
Thomas Sailer wrote: On 02/05/2013 06:32 PM, John Dennis wrote: % ipactl status # ipactl status Directory Service: RUNNING krb5kdc Service: RUNNING kadmin Service: RUNNING named Service: RUNNING httpd Service: RUNNING pki-cad Service: RUNNING ipa: INFO: The ipactl command was successful Apparently, it isn't... I've started it using: # systemctl restart ipa_memcached.service # systemctl enable ipa_memcached.service But still, it's not listed with ipactl status (systemctl says it started successfully) Now I'm getting IPA Error 903. Thanks, Tom 903 is a non-public error caused by the backtrace. Apparently something went awry with the upgrade which is why memcached isn't a configured service too. Can you see if you have 60basev3.ldif in /etc/dirsrv/slapd-YOUR-REALM/schema ? If not, stop dirsrv and copy it there from /usr/share/ipa/60basev3.ldif Restart dirsrv, try ipa user-show admin or something simple. You'll want to look at /var/log/ipaupgrade.log as well (it may be huge). rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Upgrade to 3.1.2: web UI no longer works
On 02/05/2013 01:40 PM, Thomas Sailer wrote: On 02/05/2013 06:32 PM, John Dennis wrote: % ipactl status # ipactl status Directory Service: RUNNING krb5kdc Service: RUNNING kadmin Service: RUNNING named Service: RUNNING httpd Service: RUNNING pki-cad Service: RUNNING ipa: INFO: The ipactl command was successful Apparently, it isn't... I've started it using: # systemctl restart ipa_memcached.service # systemctl enable ipa_memcached.service But still, it's not listed with ipactl status (systemctl says it started successfully) Now I'm getting IPA Error 903. Thanks, Tom The fact ipactl does not know about ipa-memcache indicates something went wrong with your upgrade, most likely related to ldap. We probably want to look in /var/log/ipaupgrade.log to see if there were problems. After manually starting ipa-memcached your log shows sessions are working correctly, that's good. That also means the ipa code was installed correctly, once again this points to an LDAP upgrade error, not an RPM install error. (FWIW ipactl reads LDAP to learn what services it has to run). Also, thank you very much for attaching the log, it's *much* easier to read :-) -- John Dennis jden...@redhat.com Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Upgrade to 3.1.2: web UI no longer works
On 02/05/2013 08:02 PM, Rob Crittenden wrote: Can you see if you have 60basev3.ldif in /etc/dirsrv/slapd-YOUR-REALM/schema ? That was indeed not there (only 60basev2.ldif). I've copied it, restarted dirsrv. ipa user-show admin works (it did work before though). You'll want to look at /var/log/ipaupgrade.log as well (it may be huge). I reran ipa-upgradeconfig, there are a few errors; see the attachment. Seems to be mostly ldap errors; I don't know why named and pki-cad didn't restart, when I do that manually, they start fine. Thanks, Tom 2012-02-24 14:48:01,062 ERROR Update failed: Type or value exists: 2012-02-24 14:48:01,240 ERROR Add failure Object class violation: missing required attribute objectclass 2012-02-24 14:48:01,382 ERROR Add failure cn=anonymous-limits,cn=etc,dc=,dc=com 2012-02-24 14:48:01,392 ERROR Add failure cn=Managed Entries,cn=etc,dc=,dc=com 2012-02-24 14:48:01,447 ERROR Add failure Object class violation: missing required attribute objectclass 2012-02-24 14:48:01,510 ERROR Add failure cn=replication,cn=etc,dc=,dc=com 2012-02-24 14:48:01,515 ERROR Add failure cn=automember,cn=etc,dc=,dc=com 2012-02-24 14:48:01,544 ERROR Add failure cn=Templates,cn=Managed Entries,cn=etc,dc=,dc=com 2012-02-24 14:48:01,550 ERROR Add failure cn=Definitions,cn=Managed Entries,cn=etc,dc=,dc=com 2012-02-24 14:48:01,555 ERROR Add failure cn=replicas,cn=ipa,cn=etc,dc=,dc=com 2012-02-24 14:48:01,561 ERROR Add failure cn=Hostgroup,cn=automember,cn=etc,dc=,dc=com 2012-02-24 14:48:01,566 ERROR Add failure cn=Group,cn=automember,cn=etc,dc=,dc=com 2012-02-24 14:48:01,571 ERROR Add failure cn=Write IPA Configuration,cn=privileges,cn=pbac,dc=,dc=com 2012-02-24 14:48:01,577 ERROR Add failure cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=,dc=com 2012-02-24 14:48:01,582 ERROR Add failure cn=Add HBAC rule,cn=permissions,cn=pbac,dc=,dc=com 2012-02-24 14:48:01,586 ERROR Add failure cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=,dc=com 2012-02-24 14:48:01,592 ERROR Add failure cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=,dc=com 2012-02-24 14:48:01,597 ERROR Add failure cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=,dc=com 2012-02-24 14:48:01,602 ERROR Add failure cn=Add HBAC services,cn=permissions,cn=pbac,dc=,dc=com 2012-02-24 14:48:01,607 ERROR Add failure cn=Delete HBAC services,cn=permissions,cn=pbac,dc=,dc=com 2012-02-24 14:48:01,613 ERROR Add failure cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=,dc=com 2012-02-24 14:48:01,618 ERROR Add failure cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=,dc=com 2012-02-24 14:48:01,623 ERROR Add failure cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=,dc=com 2012-02-24 14:48:01,628 ERROR Add failure cn=HBAC Administrator,cn=privileges,cn=pbac,dc=,dc=com 2012-02-24 14:48:01,634 ERROR Add failure cn=Add Sudo rule,cn=permissions,cn=pbac,dc=,dc=com 2012-02-24 14:48:01,638 ERROR Add failure cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=,dc=com 2012-02-24 14:48:01,643 ERROR Add failure cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=,dc=com 2012-02-24 14:48:01,648 ERROR Add failure cn=Add Sudo command,cn=permissions,cn=pbac,dc=,dc=com 2012-02-24 14:48:01,654 ERROR Add failure cn=Delete Sudo command,cn=permissions,cn=pbac,dc=,dc=com 2012-02-24 14:48:01,659 ERROR Add failure cn=Modify Sudo command,cn=permissions,cn=pbac,dc=,dc=com 2012-02-24 14:48:01,664 ERROR Add failure cn=Add Sudo command group,cn=permissions,cn=pbac,dc=,dc=com 2012-02-24 14:48:01,669 ERROR Add failure cn=Delete Sudo command group,cn=permissions,cn=pbac,dc=,dc=com 2012-02-24 14:48:01,674 ERROR Add failure cn=Manage Sudo command group membership,cn=permissions,cn=pbac,dc=,dc=com 2012-02-24 14:48:01,679 ERROR Add failure cn=Sudo Administrator,cn=privileges,cn=pbac,dc=,dc=com 2012-02-24 14:48:01,684 ERROR Add failure cn=Add Group Password Policy costemplate,cn=permissions,cn=pbac,dc=,dc=com 2012-02-24 14:48:01,689 ERROR Add failure cn=Delete Group Password Policy costemplate,cn=permissions,cn=pbac,dc=,dc=com 2012-02-24 14:48:01,694 ERROR Add failure cn=Modify Group Password Policy costemplate,cn=permissions,cn=pbac,dc=,dc=com 2012-02-24 14:48:01,699 ERROR Add failure cn=Add Group Password Policy,cn=permissions,cn=pbac,dc=,dc=com 2012-02-24 14:48:01,704 ERROR Add failure cn=Delete Group Password Policy,cn=permissions,cn=pbac,dc=,dc=com 2012-02-24 14:48:01,710 ERROR Add failure cn=Modify Group Password Policy,cn=permissions,cn=pbac,dc=,dc=com 2012-02-24 14:48:01,715 ERROR Add failure cn=Password Policy Administrator,cn=privileges,cn=pbac,dc=,dc=com 2012-02-24 14:48:01,721 ERROR Add failure cn=Add krbPrincipalName to a host,cn=permissions,cn=pbac,dc=,dc=com 2012-02-24 14:48:01,813 ERROR Add failure Object class violation: missing required attribute objectclass
Re: [Freeipa-users] Upgrade to 3.1.2: web UI no longer works
Thomas Sailer wrote: On 02/05/2013 08:02 PM, Rob Crittenden wrote: Can you see if you have 60basev3.ldif in /etc/dirsrv/slapd-YOUR-REALM/schema ? That was indeed not there (only 60basev2.ldif). I've copied it, restarted dirsrv. ipa user-show admin works (it did work before though). You'll want to look at /var/log/ipaupgrade.log as well (it may be huge). I reran ipa-upgradeconfig, there are a few errors; see the attachment. Seems to be mostly ldap errors; I don't know why named and pki-cad didn't restart, when I do that manually, they start fine. Thanks, Tom What version did you upgrade from in F-16? Can you send me the full ipupgrade.log privately? rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users