We restored data (just the data) from an ipa-backup on a newly-installed and
configured host and with an LDAP browser we can see the data; however, the DNS
data doesn't appear to be available over port 53 (selinux & firewall
deactivated) and we can't login as any of the preserved users. In the httpd
error logs we see output like this:
[Sun Jun 12 13:02:56.669035 2016] [:error] [pid 15624] ipa: DEBUG: WSGI
wsgi_dispatch.__call__:
[Sun Jun 12 13:02:56.669118 2016] [:error] [pid 15624] ipa: DEBUG: WSGI
jsonserver_session.__call__:
[Sun Jun 12 13:02:56.669915 2016] [:error] [pid 15624] ipa: DEBUG: no session
id in request, generating empty session data with
id=70632094201d72deec8d6aed0a0c4ace
[Sun Jun 12 13:02:56.670014 2016] [:error] [pid 15624] ipa: DEBUG: store
session: session_id=70632094201d72deec8d6aed0a0c4ace
start_timestamp=2016-06-12T13:02:56 access_timestamp=2016-06-12T13:02:56
expiration_timestamp=1969-12-31T19:00:00
[Sun Jun 12 13:02:56.670231 2016] [:error] [pid 15624] ipa: DEBUG:
jsonserver_session.__call__: session_id=70632094201d72deec8d6aed0a0c4ace
start_timestamp=2016-06-12T13:02:56 access_timestamp=2016-06-12T13:02:56
expiration_timestamp=1969-12-31T19:00:00
[Sun Jun 12 13:02:56.670271 2016] [:error] [pid 15624] ipa: DEBUG: no ccache,
need login
[Sun Jun 12 13:02:56.670304 2016] [:error] [pid 15624] ipa: DEBUG:
jsonserver_session: 401 Unauthorized need login
[Sun Jun 12 13:03:06.961830 2016] [:error] [pid 15623] ipa: DEBUG: WSGI
wsgi_dispatch.__call__:
[Sun Jun 12 13:03:06.961921 2016] [:error] [pid 15623] ipa: DEBUG: WSGI
login_password.__call__:
[Sun Jun 12 13:03:07.070179 2016] [:error] [pid 15623] ipa: DEBUG: Obtaining
armor ccache: principal=HTTP/ipa.example....@example.com
keytab=/etc/httpd/conf/ipa.keytab ccache=/var/run/ipa_memcached/krbcc_A_username
[Sun Jun 12 13:03:07.070264 2016] [:error] [pid 15623] ipa: DEBUG: Initializing
principal HTTP/ipa.example....@example.com using keytab
/etc/httpd/conf/ipa.keytab
[Sun Jun 12 13:03:07.070298 2016] [:error] [pid 15623] ipa: DEBUG: using ccache
/var/run/ipa_memcached/krbcc_A_username
[Sun Jun 12 13:03:07.088452 2016] [:error] [pid 15623] [remote 10.55.200.1:148]
mod_wsgi (pid=15623): Exception occurred processing WSGI script
'/usr/share/ipa/wsgi.py'.
[Sun Jun 12 13:03:07.088498 2016] [:error] [pid 15623] [remote 10.55.200.1:148]
Traceback (most recent call last):
[Sun Jun 12 13:03:07.088514 2016] [:error] [pid 15623] [remote 10.55.200.1:148]
File "/usr/share/ipa/wsgi.py", line 49, in application
[Sun Jun 12 13:03:07.088587 2016] [:error] [pid 15623] [remote 10.55.200.1:148]
return api.Backend.wsgi_dispatch(environ, start_response)
[Sun Jun 12 13:03:07.088596 2016] [:error] [pid 15623] [remote 10.55.200.1:148]
File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 258, in
__call__
[Sun Jun 12 13:03:07.088859 2016] [:error] [pid 15623] [remote 10.55.200.1:148]
return self.route(environ, start_response)
[Sun Jun 12 13:03:07.088869 2016] [:error] [pid 15623] [remote 10.55.200.1:148]
File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 270, in
route
[Sun Jun 12 13:03:07.088883 2016] [:error] [pid 15623] [remote 10.55.200.1:148]
return app(environ, start_response)
[Sun Jun 12 13:03:07.088888 2016] [:error] [pid 15623] [remote 10.55.200.1:148]
File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 944, in
__call__
[Sun Jun 12 13:03:07.088895 2016] [:error] [pid 15623] [remote 10.55.200.1:148]
self.kinit(user, self.api.env.realm, password, ipa_ccache_name)
[Sun Jun 12 13:03:07.088899 2016] [:error] [pid 15623] [remote 10.55.200.1:148]
File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 966, in
kinit
[Sun Jun 12 13:03:07.088906 2016] [:error] [pid 15623] [remote 10.55.200.1:148]
raise CCacheError(str(e))
[Sun Jun 12 13:03:07.088912 2016] [:error] [pid 15623] [remote 10.55.200.1:148]
File "/usr/lib/python2.7/site-packages/ipalib/errors.py", line 248, in
__init__
[Sun Jun 12 13:03:07.089157 2016] [:error] [pid 15623] [remote 10.55.200.1:148]
messages.process_message_arguments(self, format, message, **kw)
[Sun Jun 12 13:03:07.089174 2016] [:error] [pid 15623] [remote 10.55.200.1:148]
File "/usr/lib/python2.7/site-packages/ipalib/messages.py", line 52, in
process_message_arguments
[Sun Jun 12 13:03:07.089252 2016] [:error] [pid 15623] [remote 10.55.200.1:148]
name, format)
[Sun Jun 12 13:03:07.089271 2016] [:error] [pid 15623] [remote 10.55.200.1:148]
ValueError: non-generic 'CCacheError' needs format=None; got
format="(-1765328353, 'Decrypt integrity check failed')"
However, 'kinit username' works.
An 'ipa user-find username' fails with output like this:
[root@ipa httpd]# ipa user-find username
ipa: ERROR: cert validation failed for
"CN=ipa-replica-1.EXAMPLE.COM,O=EXAMPLE.COM" ((SEC_ERROR_UNTRUSTED_ISSUER)
Peer's certificate issuer has been marked as not trusted by the user.)
(snip)
ipa: ERROR: Kerberos error: Service 'h...@ipa-replica-1.example.com' not found
in Kerberos database/
And those replicas also show up in 'ipa-replica-manage list' and
'ipa-csreplica-manage list' but not if I then try to remove them via
'ipa-replica-manage del <replica-name>'.
The crucial issues before me are
1) How do we restore WebUI login ability to the restored users, and
2) How do we restore DNS service for the restored DNS records in LDAP?
Best regards,
Dan
[cid:image001.jpg@01D1C4AC.42E52EB0]<http://www.high5games.com/>
Daniel Alex Finkelstein| Lead Dev Ops Engineer
dan.finkelst...@h5g.com<mailto:dan.finkelst...@h5g.com> | 212.604.3447
One World Trade Center, New York, NY 10007
www.high5games.com<http://www.high5games.com/>
Play High 5 Casino<https://apps.facebook.com/highfivecasino/> and Shake the
Sky<https://apps.facebook.com/shakethesky/>
Follow us on: Facebook<http://www.facebook.com/high5games>,
Twitter<https://twitter.com/High5Games>,
YouTube<http://www.youtube.com/High5Games>,
Linkedin<http://www.linkedin.com/company/1072533?trk=tyah>
This message and any attachments may contain confidential or privileged
information and are only for the use of the intended recipient of this message.
If you are not the intended recipient, please notify the sender by return
email, and delete or destroy this and all copies of this message and all
attachments. Any unauthorized disclosure, use, distribution, or reproduction of
this message or any attachments is prohibited and may be unlawful.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
