Re: [Freeipa-users] FreeIPA doesnt start

2016-07-01 Thread Fraser Tweedale
On Fri, Jul 01, 2016 at 09:00:03AM +0200, Andreas Ladanyi wrote:
> Hi Fraser.
> >>> Hi,
> >>>
> >>> i upgraded from Fedora 22 to 23 and now iam working with IPA 4.2
> >>>
> >>> When i want to start IPA with ipactl start i run into the situation
> >>> starting pki-tomcat take a long time and ipactl aborts the starting
> >>> process and shutdown services. So IPA doesnt start.
> >> Sounds like 
> >> https://www.happyassassin.net/2016/06/21/notes-on-a-couple-of-freeipa-bugs-host-group-sudo-rules-and-failure-to-start-with-recent-pki-core-on-older-upgraded-installs/
> >>
> > I concur - it is likely to be the same issue.  A new release of pki
> > on f23 is going to happen in the next day or so.  If it is the same
> > issue, that will fix it.
> yes it was the same issue. I could fix it.
> 
> Andreas
> 
Glad to hear it, Andreas.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] FreeIPA doesnt start

2016-07-01 Thread Andreas Ladanyi
Hi Tomasz,
> On Thu, Jun 30, 2016 at 02:51:02PM +0200, Andreas Ladanyi wrote:
>> Hi,
>>
>> i upgraded from Fedora 22 to 23 and now iam working with IPA 4.2
>>
>> When i want to start IPA with ipactl start i run into the situation
>> starting pki-tomcat take a long time and ipactl aborts the starting
>> process and shutdown services. So IPA doesnt start.
> Sounds like 
> https://www.happyassassin.net/2016/06/21/notes-on-a-couple-of-freeipa-bugs-host-group-sudo-rules-and-failure-to-start-with-recent-pki-core-on-older-upgraded-installs/
Thank you. You are right. The not imported certificate profiles in ldap
during upgrade process is the problem. I solved this issue with the
information of the above link.


Andreas



smime.p7s
Description: S/MIME Cryptographic Signature
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] FreeIPA doesnt start

2016-07-01 Thread Andreas Ladanyi
Hi Fraser.
>>> Hi,
>>>
>>> i upgraded from Fedora 22 to 23 and now iam working with IPA 4.2
>>>
>>> When i want to start IPA with ipactl start i run into the situation
>>> starting pki-tomcat take a long time and ipactl aborts the starting
>>> process and shutdown services. So IPA doesnt start.
>> Sounds like 
>> https://www.happyassassin.net/2016/06/21/notes-on-a-couple-of-freeipa-bugs-host-group-sudo-rules-and-failure-to-start-with-recent-pki-core-on-older-upgraded-installs/
>>
> I concur - it is likely to be the same issue.  A new release of pki
> on f23 is going to happen in the next day or so.  If it is the same
> issue, that will fix it.
yes it was the same issue. I could fix it.

Andreas



smime.p7s
Description: S/MIME Cryptographic Signature
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] FreeIPA doesnt start

2016-06-30 Thread Fraser Tweedale
On Thu, Jun 30, 2016 at 03:36:22PM +0200, Tomasz Torcz wrote:
> On Thu, Jun 30, 2016 at 02:51:02PM +0200, Andreas Ladanyi wrote:
> > Hi,
> > 
> > i upgraded from Fedora 22 to 23 and now iam working with IPA 4.2
> > 
> > When i want to start IPA with ipactl start i run into the situation
> > starting pki-tomcat take a long time and ipactl aborts the starting
> > process and shutdown services. So IPA doesnt start.
> 
> Sounds like 
> https://www.happyassassin.net/2016/06/21/notes-on-a-couple-of-freeipa-bugs-host-group-sudo-rules-and-failure-to-start-with-recent-pki-core-on-older-upgraded-installs/
> 
I concur - it is likely to be the same issue.  A new release of pki
on f23 is going to happen in the next day or so.  If it is the same
issue, that will fix it.

Cheers,
Fraser

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] FreeIPA doesnt start

2016-06-30 Thread Andreas Ladanyi
>
> org.apache.catalina.startup.ClassLoaderFactory validateFile
> WARNING: Problem with JAR file
> [/var/lib/pki/pki-tomcat/lib/tomcat-servlet-3.0-api.jar], exists:
> [false], canRead: [false]
> org.apache.catalina.startup.ClassLoaderFactory validateFile
> roblem with JAR file
> [/var/lib/pki/pki-tomcat/lib/tomcat-jsp-2.2-api.jar], exists: [false],
> canRead: [false]
> org.apache.catalina.startup.ClassLoaderFactory validateFile
> WARNING: Problem with JAR file
> [/var/lib/pki/pki-tomcat/lib/tomcat7-websocket.jar], exists: [false],
> canRead: [false]
> org.apache.catalina.startup.ClassLoaderFactory validateFile
> Problem with JAR file
> [/var/lib/pki/pki-tomcat/lib/tomcat-el-2.2-api.jar], exists: [false],
> canRead: [false]
rpm -qa | grep tomcat
tomcatjss-7.1.3-1.fc23.noarch
tomcat-servlet-3.1-api-8.0.32-5.fc23.noarch
tomcat-8.0.32-5.fc23.noarch
tomcat-jsp-2.3-api-8.0.32-5.fc23.noarch
tomcat-el-3.0-api-8.0.32-5.fc23.noarch
tomcat-lib-8.0.32-5.fc23.noarch

ls -la /var/lib/pki/pki-tomcat/lib/
insgesamt 20
drwxrwx---. 2 pkiuser pkiuser 4096 28. Jun 15:59 .
drwxrwx---. 8 pkiuser pkiuser 4096 22. Mai 2015  ..
lrwxrwxrwx. 1 pkiuser pkiuser   41 28. Jun 15:59 annotations-api.jar ->
/usr/share/tomcat/lib/annotations-api.jar
lrwxrwxrwx. 1 pkiuser pkiuser   38 28. Jun 15:59 catalina-ant.jar ->
/usr/share/tomcat/lib/catalina-ant.jar
lrwxrwxrwx. 1 pkiuser pkiuser   37 28. Jun 15:59 catalina-ha.jar ->
/usr/share/tomcat/lib/catalina-ha.jar
lrwxrwxrwx. 1 pkiuser pkiuser   34 28. Jun 15:59 catalina.jar ->
/usr/share/tomcat/lib/catalina.jar
lrwxrwxrwx. 1 pkiuser pkiuser   46 28. Jun 15:59
catalina-storeconfig.jar -> /usr/share/tomcat/lib/catalina-storeconfig.jar
lrwxrwxrwx. 1 pkiuser pkiuser   41 28. Jun 15:59 catalina-tribes.jar ->
/usr/share/tomcat/lib/catalina-tribes.jar
lrwxrwxrwx. 1 pkiuser pkiuser   45 28. Jun 15:59 commons-collections.jar
-> /usr/share/tomcat/lib/commons-collections.jar
lrwxrwxrwx. 1 pkiuser pkiuser   38 28. Jun 15:59 commons-dbcp.jar ->
/usr/share/tomcat/lib/commons-dbcp.jar
lrwxrwxrwx. 1 pkiuser pkiuser   38 28. Jun 15:59 commons-pool.jar ->
/usr/share/tomcat/lib/commons-pool.jar
lrwxrwxrwx. 1 pkiuser pkiuser   35 28. Jun 15:59 jasper-el.jar ->
/usr/share/tomcat/lib/jasper-el.jar
lrwxrwxrwx. 1 pkiuser pkiuser   32 28. Jun 15:59 jasper.jar ->
/usr/share/tomcat/lib/jasper.jar
lrwxrwxrwx. 1 pkiuser pkiuser   36 28. Jun 15:59 jasper-jdt.jar ->
/usr/share/tomcat/lib/jasper-jdt.jar
lrwxrwxrwx. 1 pkiuser pkiuser   36 22. Mai 2015  log4j.properties ->
/etc/pki/pki-tomcat/log4j.properties
lrwxrwxrwx. 1 pkiuser pkiuser   43 28. Jun 15:59 tomcat7-websocket.jar
-> /usr/share/tomcat/lib/tomcat7-websocket.jar
lrwxrwxrwx. 1 pkiuser pkiuser   36 28. Jun 15:59 tomcat-api.jar ->
/usr/share/tomcat/lib/tomcat-api.jar
lrwxrwxrwx. 1 pkiuser pkiuser   39 28. Jun 15:59 tomcat-coyote.jar ->
/usr/share/tomcat/lib/tomcat-coyote.jar
lrwxrwxrwx. 1 pkiuser pkiuser   37 28. Jun 15:59 tomcat-dbcp.jar ->
/usr/share/tomcat/lib/tomcat-dbcp.jar
lrwxrwxrwx. 1 pkiuser pkiuser   43 28. Jun 15:59 tomcat-el-2.2-api.jar
-> /usr/share/tomcat/lib/tomcat-el-2.2-api.jar
lrwxrwxrwx. 1 pkiuser pkiuser   43 28. Jun 15:59 tomcat-el-3.0-api.jar
-> /usr/share/tomcat/lib/tomcat-el-3.0-api.jar
lrwxrwxrwx. 1 pkiuser pkiuser   40 28. Jun 15:59 tomcat-i18n-es.jar ->
/usr/share/tomcat/lib/tomcat-i18n-es.jar
lrwxrwxrwx. 1 pkiuser pkiuser   40 28. Jun 15:59 tomcat-i18n-fr.jar ->
/usr/share/tomcat/lib/tomcat-i18n-fr.jar
lrwxrwxrwx. 1 pkiuser pkiuser   40 28. Jun 15:59 tomcat-i18n-ja.jar ->
/usr/share/tomcat/lib/tomcat-i18n-ja.jar
lrwxrwxrwx. 1 pkiuser pkiuser   37 28. Jun 15:59 tomcat-jdbc.jar ->
/usr/share/tomcat/lib/tomcat-jdbc.jar
lrwxrwxrwx. 1 pkiuser pkiuser   36 28. Jun 15:59 tomcat-jni.jar ->
/usr/share/tomcat/lib/tomcat-jni.jar
lrwxrwxrwx. 1 pkiuser pkiuser   44 28. Jun 15:59 tomcat-jsp-2.2-api.jar
-> /usr/share/tomcat/lib/tomcat-jsp-2.2-api.jar
lrwxrwxrwx. 1 pkiuser pkiuser   44 28. Jun 15:59 tomcat-jsp-2.3-api.jar
-> /usr/share/tomcat/lib/tomcat-jsp-2.3-api.jar
lrwxrwxrwx. 1 pkiuser pkiuser   37 28. Jun 15:59 tomcat-juli.jar ->
/usr/share/tomcat/lib/tomcat-juli.jar
lrwxrwxrwx. 1 pkiuser pkiuser   48 28. Jun 15:59
tomcat-servlet-3.0-api.jar ->
/usr/share/tomcat/lib/tomcat-servlet-3.0-api.jar
lrwxrwxrwx. 1 pkiuser pkiuser   48 28. Jun 15:59
tomcat-servlet-3.1-api.jar ->
/usr/share/tomcat/lib/tomcat-servlet-3.1-api.jar
lrwxrwxrwx. 1 pkiuser pkiuser   37 28. Jun 15:59 tomcat-util.jar ->
/usr/share/tomcat/lib/tomcat-util.jar
lrwxrwxrwx. 1 pkiuser pkiuser   42 28. Jun 15:59 tomcat-util-scan.jar ->
/usr/share/tomcat/lib/tomcat-util-scan.jar
lrwxrwxrwx. 1 pkiuser pkiuser   42 28. Jun 15:59 tomcat-websocket.jar ->
/usr/share/tomcat/lib/tomcat-websocket.jar
lrwxrwxrwx. 1 pkiuser pkiuser   39 28. Jun 15:59 websocket-api.jar ->
/usr/share/tomcat/lib/websocket-api.jar

For example:
ls -la /usr/share/tomcat/lib/tomcat-jsp-2.2-api.jar -> File is not available
ls -la /usr/share/tomcat/lib/tomcat-jsp-2.3-api.jar -> File is ok.



> 

Re: [Freeipa-users] FreeIPA doesnt start

2016-06-30 Thread Tomasz Torcz
On Thu, Jun 30, 2016 at 02:51:02PM +0200, Andreas Ladanyi wrote:
> Hi,
> 
> i upgraded from Fedora 22 to 23 and now iam working with IPA 4.2
> 
> When i want to start IPA with ipactl start i run into the situation
> starting pki-tomcat take a long time and ipactl aborts the starting
> process and shutdown services. So IPA doesnt start.

Sounds like 
https://www.happyassassin.net/2016/06/21/notes-on-a-couple-of-freeipa-bugs-host-group-sudo-rules-and-failure-to-start-with-recent-pki-core-on-older-upgraded-installs/


-- 
Tomasz Torcz"Funeral in the morning, IDE hacking
xmpp: zdzich...@chrome.plin the afternoon and evening." - Alan Cox

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] FreeIPA doesnt start

2016-06-30 Thread Andreas Ladanyi
Here are some more infos.

journal -xe tells me some error:

INFO: Initializing ProtocolHandler ["http-bio-8443"]
Error: SSL cipher "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by
tomcatjss
Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" not recognized by
tomcatjss
Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" not recognized by
tomcatjss
Error: SSL cipher "TLS_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by
tomcatjss
Error: SSL cipher "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" not recognized by
tomcatjss
Error: SSL cipher "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by
tomcatjss
Error: SSL cipher "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" unsupported
by NSS
Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" unsupported by NSS

..

org.apache.jasper.servlet.TldScanner scanJars
INFO: At least one JAR was scanned for TLDs yet contained no TLDs.
Enable debug logging for this logger for a complete list o

...

org.apache.catalina.startup.ClassLoaderFactory validateFile
WARNING: Problem with JAR file
[/var/lib/pki/pki-tomcat/lib/tomcat-servlet-3.0-api.jar], exists:
[false], canRead: [false]
org.apache.catalina.startup.ClassLoaderFactory validateFile
roblem with JAR file
[/var/lib/pki/pki-tomcat/lib/tomcat-jsp-2.2-api.jar], exists: [false],
canRead: [false]
org.apache.catalina.startup.ClassLoaderFactory validateFile
WARNING: Problem with JAR file
[/var/lib/pki/pki-tomcat/lib/tomcat7-websocket.jar], exists: [false],
canRead: [false]
org.apache.catalina.startup.ClassLoaderFactory validateFile
Problem with JAR file
[/var/lib/pki/pki-tomcat/lib/tomcat-el-2.2-api.jar], exists: [false],
canRead: [false]
org.apache.catalina.startup.Catalina stopServer
SEVERE: Could not contact localhost:8005. Tomcat may not be running.
org.apache.catalina.startup.Catalina stopServer
SEVERE: Catalina.stop:
java.net.ConnectException: Connection refused

.

pki-tomcatd@pki-tomcat.service: Control process exited, code=exited status=1

> Hi,
>
> i upgraded from Fedora 22 to 23 and now iam working with IPA 4.2
>
> When i want to start IPA with ipactl start i run into the situation
> starting pki-tomcat take a long time and ipactl aborts the starting
> process and shutdown services. So IPA doesnt start.
>
> ipactl start:
>
> Starting Directory Service
> Starting krb5kdc Service
> Starting kadmin Service
> Starting ipa_memcached Service
> Starting httpd Service
> Starting pki-tomcatd Service
>
> ...hangs...
>
> Failed to start pki-tomcatd Service
> Shutting down
> Aborting ipactl
>
>
> systemctl status shows the errors:
>
> ipa.service   
>
> loaded failed failedIdentity, Policy, Audit
> kadmin.service
>
> loaded failed failedKerberos 5 Password-changing and Administration
> pki-tomcatd@pki-tomcat.service
>
> loaded failed failedPKI Tomcat Server pki-tomcat
>
>
> Which logfiles are important to analyse this issue of IPA ?
>
>
> Andreas
>
>
>
>


-- 

Karlsruher Institut für Technologie (KIT)
Fakultät für Informatik
ATIS – Abteilung Technische Infrastruktur

Dipl.-Ing. Andreas Ladanyi
- Systemadministrator -

Am Fasanengarten 5, Gebäude 50.34, Raum 013
76131 Karlsruhe

Telefon: +49 721 608 - 4 3663
Fax: +49 721 608 - 4 6699
E-Mail: andreas.lada...@kit.edu
www.atis.informatik.kit.edu

www.kit.edu

KIT - Universität des Landes Baden-Württemberg und nationales Forschungszentrum 
in der Helmholtz-Gemeinschaft

Das KIT ist seit 2010 als familiengerechte Hochschule zertifiziert.



smime.p7s
Description: S/MIME Cryptographic Signature
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project