Re: [Freeipa-users] ipa host-del not authorised

2014-09-25 Thread Martin Kosek
On 09/25/2014 04:11 AM, Alex Harvey wrote:
 Hi all
 
 I'm new to IPA and struggling a bit to automate some tasks.
 
 I am unable to delete hosts from the command line although have no problem
 doing this using the GUI, e.g.
 
 [root@myipaserver ~]# ipa host-del myhost.example.com
 
 ipa: ERROR: Insufficient access: not allowed to perform this command
 
 I guess I need to somehow pass the admin user's username and password?
 However the man page doesn't seem to provide any option for doing this.
 
 Thanks
 Alex

Hello Alex,

I assume you created a non-admin user with some permissions allowing it to delete a 
host.

This error message is thrown when a virtual operation check fails. This is
raised for example when a user is trying to do an unauthorized operation with
certificates, like if a user having host deletion permission does not also have
permission to revoke certificates for deleted users.

Does the privileged user have the Revoke Certificate permission assigned through
some privilege/role?

The mismatch of behavior between CLI and UI is strange. They call the same
code, maybe you run it with different users.

Also, what is your FreeIPA version?

Martin

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project


Re: [Freeipa-users] ipa host-del not authorised

2014-09-24 Thread Net Vent
Did you try executing this first:

kinit admin

Re: [Freeipa-users] ipa host-del

2012-09-07 Thread Dmitri Pal
On 09/05/2012 07:47 PM, Alexander Bokovoy wrote:
 I did fix this for Fedora with the F16 release in the past -- in 
 /usr/libexec/freeipa-systemd-update in the Fedora packages there is elaborate 
 code to handle these updates of the symlinks.
 Perhaps we need to extract that part and add it to RHEL6? (RHEL6 does not use 
 systemd but the code for the jss upgrade is the same).
https://bugzilla.redhat.com/show_bug.cgi?id=855413

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] ipa host-del

2012-09-05 Thread george he
here are the new errors:
# rm /var/log/pki-ca/*
# service dirsrv restart
# service pki-cad restart
# grep -i error /var/log/pki-ca/*
/var/log/pki-ca/catalina.2012-09-05.log:WARNING: Error while removing context [/ca]
/var/log/pki-ca/catalina.2012-09-05.log:SEVERE: Error initializing socket factory
/var/log/pki-ca/catalina.2012-09-05.log:java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
/var/log/pki-ca/catalina.2012-09-05.log:LifecycleException:  Protocol handler initialization failed: java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
/var/log/pki-ca/catalina.2012-09-05.log:SEVERE: Error deploying web application directory ca
/var/log/pki-ca/catalina.out:SEVERE: Error initializing socket factory
/var/log/pki-ca/catalina.out:java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
/var/log/pki-ca/catalina.out:LifecycleException:  Protocol handler initialization failed: java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
/var/log/pki-ca/catalina.out:SEVERE: Error deploying web application directory ca
/var/log/pki-ca/catalina.out:SEVERE: Error initializing socket factory
/var/log/pki-ca/catalina.out:java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
/var/log/pki-ca/catalina.out:LifecycleException:  Protocol handler initialization failed: java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket





 From: Rob Crittenden rcrit...@redhat.com
To: george he george_...@yahoo.com 
Cc: John Dennis jden...@redhat.com; freeipa-users@redhat.com 
freeipa-users@redhat.com 
Sent: Tuesday, September 4, 2012 9:49 PM
Subject: Re: [Freeipa-users] ipa host-del
 
george he wrote:
 both of the commands service dirsrv restart and service pki-cad
 restart reported:
 stopping ... OK
 starting ... OK
 but host-del still has the same error.
 More suggestions?

Check the logs again. The service starting does not mean it kept running.

rob

 Thanks,
 George

     
     *From:* Rob Crittenden rcrit...@redhat.com
     *To:* george he george_...@yahoo.com
     *Cc:* John Dennis jden...@redhat.com; freeipa-users@redhat.com
     freeipa-users@redhat.com
     *Sent:* Tuesday, September 4, 2012 4:20 PM
     *Subject:* Re: [Freeipa-users] ipa host-del

     george he wrote:
       I'm running centos 6.3
       # uname -r
       2.6.32-279.5.2.el6.x86_64

       pki-ca: unrecognized service

       There are tons of errors in /var/log/pki-ca/*, some of them are:
       /var/log/pki-ca/system:11605.main - [30/Aug/2012:16:34:56 EDT] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
       /var/log/pki-ca/system:11605.main - [30/Aug/2012:16:34:56 EDT] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value
       /var/log/pki-ca/system:11605.http-9445-1 - [30/Aug/2012:16:35:01 EDT] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
       /var/log/pki-ca/system:11605.http-9445-1 - [30/Aug/2012:16:35:10 EDT] [3] [3] CASigningUnit: Object certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException
       /var/log/pki-ca/system:3281.main - [31/Aug/2012:17:54:28 EDT] [8] [3] In Ldap (bound) connection pool to host cushing.psych.yale.edu port 7389, Cannot connect to LDAP server. Error: netscape.ldap.LDAPException: failed to connect to server ldap://cushing.psych.yale.edu:7389 (91)

       /var/log/pki-ca/catalina.2012-09-03.log:SEVERE: Error initializing socket factory

       /var/log/pki-ca/catalina.2012-09-03.log:java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
       /var/log/pki-ca/catalina.2012-09-03.log:LifecycleException:  Protocol handler initialization failed: java.lang.ClassNotFoundException: Error loading SSL Implementation

Re: [Freeipa-users] ipa host-del

2012-09-05 Thread Rob Crittenden


Hmm. Is there any additional information in the debug log? Any AVCs in 
/var/log/audit/audit.log?


Have you updated any packages recently? I'm not sure why dogtag would be 
throwing this exception.


rob





Re: [Freeipa-users] ipa host-del

2012-09-05 Thread george he
there are something like these:

type=AVC msg=audit(1346710042.243:56): avc:  denied  { execute } for  pid=4243 comm=gdm name=arch dev=dm-0 ino=786829 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1346710042.243:57): avc:  denied  { execute } for  pid=4243 comm=gdm name=arch dev=dm-0 ino=786829 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file


and some others like these:
type=AVC msg=audit(1346838993.154:2567): avc:  denied  { search } for  pid=17155 comm=java name=gridengine dev=dm-0 ino=391879 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1346838993.154:2568): avc:  denied  { search } for  pid=17155 comm=java name=gridengine dev=dm-0 ino=391879 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir


And yes, I did yum update recently.
Where else should I look?
Thanks,
George




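
The AVC records George pasted are the raw material for Rob's question ("Any AVCs in /var/log/audit/audit.log?"). As an added example, not code from the thread or from the FreeIPA/Dogtag projects, the Python below parses records of that shape and groups denials by source domain and target type, so the pki_ca_t denials stand out from unrelated noise such as the gdm ones. The four AVC lines are copied from the message above; the SYSCALL record is constructed only to show that non-AVC records are skipped. The regex follows the field layout visible in those lines and assumes nothing beyond it; the script and function names are mine.

```python
"""Summarize SELinux AVC denials from audit.log-style records (added example)."""
import re
import sys
from collections import Counter

# Four AVC records copied from the thread, plus one constructed SYSCALL record
# (not from the thread) to show that non-AVC lines are ignored.
SAMPLE_AUDIT_LINES = """\
type=AVC msg=audit(1346710042.243:56): avc:  denied  { execute } for  pid=4243 comm=gdm name=arch dev=dm-0 ino=786829 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1346710042.243:57): avc:  denied  { execute } for  pid=4243 comm=gdm name=arch dev=dm-0 ino=786829 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1346838993.154:2567): avc:  denied  { search } for  pid=17155 comm=java name=gridengine dev=dm-0 ino=391879 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1346838993.154:2568): avc:  denied  { search } for  pid=17155 comm=java name=gridengine dev=dm-0 ino=391879 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1346838993.154:2568): arch=c000003e syscall=4 success=no exit=-13
"""

# Header of an AVC record: timestamp:serial, result, the { perms } set, then
# the free-form key=value tail.
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def _type_of(context):
    """SELinux type component of a user:role:type[:range] context string."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def parse_avc(line):
    """Parse one AVC record into a dict; return None for any other record."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    if "scontext" not in fields or "tcontext" not in fields:
        return None
    return {
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "source_type": _type_of(fields["scontext"]),
        "target_type": _type_of(fields["tcontext"]),
        "tclass": fields.get("tclass"),
    }


def summarize_denials(lines):
    """Count denials keyed by (source_type, target_type, tclass, perms)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is not None and rec["result"] == "denied":
            key = (rec["source_type"], rec["target_type"], rec["tclass"],
                   " ".join(rec["perms"]))
            counts[key] += 1
    return counts


def denials_for_domain(lines, domain):
    """Only the denial rows whose source domain is `domain` (e.g. pki_ca_t)."""
    return {k: v for k, v in summarize_denials(lines).items() if k[0] == domain}


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_AUDIT_LINES.splitlines()
    for (src, tgt, cls, perms), n in sorted(summarize_denials(lines).items()):
        print(f"{n:4d}  {src:<14} -> {tgt:<14} {cls:<6} {{ {perms} }}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no argument to see the summary of the sample records, or with a path (for instance the audit.log Rob named) to summarise a real file. The row that matters for this thread is the CA's Java process (pki_ca_t) being denied `search` on a directory labelled user_home_t, which says the CA is being pointed at a path under a home directory that it was never meant to read; switching SELinux to permissive, as suggested later in the thread, makes that denial disappear from the symptoms without explaining why the path is being looked up.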

Re: [Freeipa-users] ipa host-del

2012-09-05 Thread Ade Lee
The logs seem to show that the CA cannot find JSS.

What versions of the following are on your system?
pki-ca, pki-common, jss, nss, tomcat6, tomcat, java

Is this a system that was working and now fails to work?  Or is this a
new instance?

Ade

Re: [Freeipa-users] ipa host-del

2012-09-05 Thread george he
This is a newly installed system. It does most of the things, but I just cannot 
del the host from which I have uninstalled ipa-client, which prevents me from 
re-installing ipa-client.
Here are the versions:

pki-ca.noarch              9.0.3-24.el6
pki-common.noarch          9.0.3-24.el6
jss.x86_64                 4.2.6-22.el6
nss.x86_64                 3.13.5-1.el6_3
tomcat6.noarch             6.0.24-45.el6
java-1.5.0-gcj.x86_64      1.5.0.0-29.1.el6
java-1.6.0-openjdk.x86_64  1:1.6.0.0-1.48.1.11.3.el6_2
java_cup.x86_64            1:0.10k-5.el6
Thanks for your help.
George





Re: [Freeipa-users] ipa host-del

2012-09-05 Thread Ade Lee
Weird.  Can you try putting selinux in permissive mode, and then
restarting ipa?


Re: [Freeipa-users] ipa host-del

2012-09-05 Thread John Dennis


Let's verify the link to the jss4.jar is in place. Note this is an 
x86_64 system, Mathew did make some adjustments to where native (i.e. 
arch specific) jars are located. I think it moved from /usr/lib/java to 
/usr/lib64/java. pki-create would have been modified to set up links to 
them on a new install but it's possible the links weren't updated on an 
existing install. Not sure, guessing at the moment but I think it's 
worth pursuing.


Please do this, it will list all the jars which should be visible to the 
CA tomcat instance, the jss4.jar should have a link under 
/var/lib/pki-ca/common/lib.


sudo ls -l /var/lib/pki-ca/common/lib /var/lib/pki-ca/webapps/ca/WEB-INF/lib

We want to verify none of the symbolic links listed above are dangling 
(point to a non-existent file). Pay particular attention to 
/var/lib/pki-ca/common/lib/jss4.jar, does it point to an existing file 
that's a valid jar? If not can you locate jss4.jar? Is it now under 
/var/lib64/java? If so adjust the symbolic link under 
/var/lib/pki-ca/common/lib to point to it. Do things work now after 
restarting?


John


--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


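John's procedure (list the two lib directories, spot links whose target no longer exists, find where the real jar lives, repoint the link, restart) is mechanical enough to script. The Python below is an added example, not the project's code and not something posted in the thread. It builds a throwaway directory tree that mirrors the situation George describes later (a link under common/lib pointing into a /usr/lib64/java that does not exist while the jar actually sits under /usr/lib/java), reports the dangling link, finds the real file among candidate directories, and repoints it. The two directory paths in DEFAULT_LIB_DIRS and the two candidate jar locations are taken from the messages above; the function names and the demo layout are mine.

```python
"""Audit the jar symlinks a pki-ca tomcat instance loads (added example)."""
import os
import sys
import tempfile

# The two directories John asked to list; jss4.jar should be linked under the first.
DEFAULT_LIB_DIRS = (
    "/var/lib/pki-ca/common/lib",
    "/var/lib/pki-ca/webapps/ca/WEB-INF/lib",
)
# Where the arch-specific jars may actually live (both locations named in the thread).
DEFAULT_JAR_DIRS = ("/usr/lib/java", "/usr/lib64/java")


def audit_symlinks(directory):
    """Map each symlink directly under `directory` to (target, target_exists)."""
    report = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.islink(path):
            # os.path.exists follows the link, so it is False for a dangling one.
            report[name] = (os.readlink(path), os.path.exists(path))
    return report


def dangling_links(directory):
    """Names of symlinks under `directory` whose target does not exist."""
    return [n for n, (_, ok) in audit_symlinks(directory).items() if not ok]


def locate_jar(name, search_dirs=DEFAULT_JAR_DIRS):
    """Candidate real files for a jar name, in search order."""
    return [os.path.join(d, name) for d in search_dirs
            if os.path.isfile(os.path.join(d, name))]


def repoint_link(link_path, new_target):
    """Replace the symlink at link_path so it points at new_target."""
    if not os.path.islink(link_path):
        raise ValueError(f"{link_path} is not a symlink; refusing to touch it")
    os.remove(link_path)
    os.symlink(new_target, link_path)


def run_demo():
    """Constructed scenario: links under common/lib, one of them aimed at a
    lib64 directory that was never created while the jar lives under lib."""
    root = tempfile.mkdtemp(prefix="pki-ca-demo-")
    lib_java = os.path.join(root, "usr", "lib", "java")
    lib64_java = os.path.join(root, "usr", "lib64", "java")  # deliberately absent
    lib_dir = os.path.join(root, "var", "lib", "pki-ca", "common", "lib")
    os.makedirs(lib_java)
    os.makedirs(lib_dir)
    for jar in ("jss4.jar", "symkey.jar"):
        with open(os.path.join(lib_java, jar), "wb") as fh:
            fh.write(b"PK\x03\x04")  # zip magic only; stands in for a real jar
    os.symlink(os.path.join(lib_java, "jss4.jar"), os.path.join(lib_dir, "jss4.jar"))
    os.symlink(os.path.join(lib64_java, "symkey.jar"), os.path.join(lib_dir, "symkey.jar"))

    before = dangling_links(lib_dir)
    candidates = {n: locate_jar(n, (lib_java, lib64_java)) for n in before}
    for name, found in candidates.items():
        if found:
            repoint_link(os.path.join(lib_dir, name), found[0])
    return {
        "dangling_before": before,
        "candidates": {n: [os.path.relpath(p, root) for p in ps]
                       for n, ps in candidates.items()},
        "dangling_after": dangling_links(lib_dir),
    }


def main(argv):
    dirs = argv[1:] or [d for d in DEFAULT_LIB_DIRS if os.path.isdir(d)]
    if not dirs:
        print("no pki-ca lib directories here; running the constructed demo")
        print(run_demo())
        return 0
    bad = 0
    for d in dirs:
        for name, (target, ok) in audit_symlinks(d).items():
            print(f"{'ok      ' if ok else 'DANGLING'} {os.path.join(d, name)} -> {target}")
            bad += not ok
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On a real box, run it without arguments: it walks the two directories from John's message and exits non-zero if any link is dangling; pass directories explicitly to check others. The repoint step is only performed inside the constructed demo, never on real directories, because, as George's follow-up shows, the correct target is not always the obvious one (his links ended up needing /usr/lib/... after all); read the `locate_jar` candidates before changing anything.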

Re: [Freeipa-users] ipa host-del

2012-09-05 Thread george he
Thanks a lot. It's deleted now!
The .jar thing (i.e. jss4.jar, osutil.jar, and symkey.jar) was pointing to 
/usr/lib/..., but when I was struggling, I read on the web there was a post 
saying they should point to /usr/lib64/..., so I changed them. The weird thing 
is I THINK they were pointing to existing files, but now they are not. 

So I changed the links one more time to make them point to /usr/lib/..., 
restarted ipa, and host-del worked.
Thanks again, guys.
George





 From: John Dennis jden...@redhat.com
To: a...@redhat.com 
Cc: george he george_...@yahoo.com; freeipa-users@redhat.com 
freeipa-users@redhat.com 
Sent: Wednesday, September 5, 2012 2:04 PM
Subject: Re: [Freeipa-users] ipa host-del
 
On 09/05/2012 10:46 AM, Ade Lee wrote:
 The logs seem to show that the CA cannot find JSS.
 
 What versions of the following are on your system?
 pki-ca, pki-common, jss, nss, tomcat6, tomcat, java
 
 Is this a system that was working and now fails to work?  Or is this a
 new instance?

Let's verify the link to the jss4.jar is in place. Note this is an x86_64 
system, Mathew did make some adjustments to where native (i.e. arch specific) 
jars are located. I think it moved from /usr/lib/java to /usr/lib64/java. 
pki-create would have been modified to set up links to them on a new install 
but it's possible the links weren't updated on an existing install. Not sure, 
guessing at the moment but I think it's worth pursuing.

Please do this, it will list all the jars which should be visible to the CA 
tomcat instance, the jss4.jar should have a link under 
/var/lib/pki-ca/common/lib.

sudo ls -l /var/lib/pki-ca/common/lib /var/lib/pki-ca/webapps/ca/WEB-INF/lib

We want to verify none of the symbolic links listed above are dangling (point 
to a non-existent file). Pay particular attention to 
/var/lib/pki-ca/common/lib/jss4.jar, does it point to an existing file that's 
a valid jar? If not can you locate jss4.jar? Is it now under /var/lib64/java? 
If so adjust the symbolic link under /var/lib/pki-ca/common/lib to point to 
it. Do things work now after restarting?

John


-- John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



Re: [Freeipa-users] ipa host-del

2012-09-05 Thread Rob Crittenden

george he wrote:

Thanks a lot. It's deleted now!
The .jar thing (i.e. jss4.jar, osutil.jar, and symkey.jar) was pointing
to /usr/lib/..., but when I was struggling, I read on the web there was
a post saying they should point to /usr/lib64/..., so I changed them.
The weird thing is I THINK they were pointing to existing files, but now
they are not.
So I changed the links one more time to make them point to
/usr/lib/..., restarted ipa, and host-del worked.


Glad it's working.

I just wanted to follow up on this though. The host-del failure was just 
one symptom of the problem. Eventually you'd have hit a harder wall, 
such as not being able to prepare a new replica.


regards

rob



Re: [Freeipa-users] ipa host-del

2012-09-05 Thread John Dennis

On 09/05/2012 02:40 PM, george he wrote:

Thanks a lot. It's deleted now!
The .jar thing (i.e. jss4.jar, osutil.jar, and symkey.jar) was pointing
to /usr/lib/..., but when I was struggling, I read on the web there was
a post saying they should point to /usr/lib64/..., so I changed them.
The weird thing is I THINK they were pointing to existing files, but now
they are not.
So I changed the links one more time to make them point to
/usr/lib/..., restarted ipa, and host-del worked.
Thanks again, guys.
George


Glad it's working. Obviously we would like to know how you got into this 
situation and perhaps open a bug. But unfortunately since you've 
manually changed links it's hard to know if the logic used to update an 
existing system is robust or not. I recall when the issue of where to 
locate native jars on 64bit came up there was a fair amount of back and 
forth over where things would be installed and which links to introduce. 
Unfortunately I do not recall the final resolution, it might be that the 
tomcat instances were supposed to continue to point to /usr/lib/java and 
links would be set up there to point to the 64bit version. In any event 
I don't think we can file a bug at this point, but perhaps we need to 
pay attention and see if anyone else gets bitten by this.


John




*From:* John Dennis jden...@redhat.com
*To:* a...@redhat.com
*Cc:* george he george_...@yahoo.com; freeipa-users@redhat.com
freeipa-users@redhat.com
*Sent:* Wednesday, September 5, 2012 2:04 PM
*Subject:* Re: [Freeipa-users] ipa host-del

On 09/05/2012 10:46 AM, Ade Lee wrote:
  The logs seem to show that the CA cannot find JSS.
 
  What versions of the following are on your system?
  pki-ca, pki-common, jss, nss, tomcat6, tomcat, java
 
  Is this a system that was working and now fails to work?  Or is
this a
  new instance?

Let's verify the link to the jss4.jar is in place. Note this is an
x86_64 system, Mathew did make some adjustments to where native
(i.e. arch specific) jars are located. I think it moved from
/usr/lib/java to /usr/lib64/java. pki-create would have been
modified to set up links to them on a new install but it's possible
the links weren't updated on an existing install. Not sure, guessing
at the moment but I think it's worth pursuing.

Please do this, it will list all the jars which should be visible to
the CA tomcat instance, the jss4.jar should have a link under
/var/lib/pki-ca/common/lib.

sudo ls -l /var/lib/pki-ca/common/lib
/var/lib/pki-ca/webapps/ca/WEB-INF/lib

We want to verify none of the symbolic links listed above are
dangling (point to a non-existent file). Pay particular attention to
/var/lib/pki-ca/common/lib/jss4.jar, does it point to an existing
file that's a valid jar? If not can you locate jss4.jar? Is it now
under /var/lib64/java? If so adjust the symbolic link under
/var/lib/pki-ca/common/lib to point to it. Do things work now after
restarting?

John


-- John Dennis jden...@redhat.com mailto:jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



Re: [Freeipa-users] ipa host-del

2012-09-05 Thread Simo Sorce
On Wed, 2012-09-05 at 15:41 -0400, John Dennis wrote:
 On 09/05/2012 02:40 PM, george he wrote:
  Thanks a lot. It's deleted now!
  The .jar thing (i.e. jss4.jar, osutil.jar, and symkey.jar) was pointing
  to /usr/lib/..., but when I was struggling, I read on the web there was
  a post saying they should point to /usr/lib64/..., so I changed them.
  The weird thing is I THINK they were pointing to existing files, but now
  they are not.
 So I changed the links one more time to make them point to
  /usr/lib/..., restarted ipa, and host-del worked.
  Thanks again, guys.
  George
 
 Glad it's working. Obviously we would like to know how you got into this 
 situation and perhaps open a bug. But unfortunately since you've 
 manually changed links it's hard to know if the logic used to update an 
 existing system is robust or not. I recall when the issue of where to 
 locate native jars on 64bit came up there was a fair amount of back and 
 forth over where things would be installed and which links to introduce. 
 Unfortunately I do not recall the final resolution, it might be that the 
 tomcat instances were supposed to continue to point to /usr/lib/java and 
 links would be set up there to point to the 64bit version. In any event 
 I don't think we can file a bug at this point, but perhaps we need to 
 pay attention and see if anyone else gets bitten by this.

I just recently had to fix this for my 'stable' install too, seems like
we need to do better on upgrades going forward.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] ipa host-del

2012-09-05 Thread Alexander Bokovoy
I did fix this for Fedora with the F16 release in the past -- in 
/usr/libexec/freeipa-systemd-update in the Fedora packages there is elaborate 
code to handle these updates of the symlinks.
Perhaps we need to extract that part and add it to RHEL6? (RHEL6 does not use 
systemd, but the code for the jss upgrade is the same.)
-- 
/ Alexander Bokovoy

- Original Message -
 From: george he george_...@yahoo.com
 To: John Dennis jden...@redhat.com, a...@redhat.com
 Cc: freeipa-users@redhat.com
 Sent: Wednesday, September 5, 2012 9:40:10 PM
 Subject: Re: [Freeipa-users] ipa host-del
 
 Thanks a lot. It's deleted now!
 The .jar thing (i.e. jss4.jar, osutil.jar, and symkey.jar) was
 pointing to /usr/lib/..., but when I was struggling, I read on the
 web there was a post saying they should point to /usr/lib64/..., so
 I changed them. The weird thing is I THINK they were pointing to
 existing files, but now they are not.
 
 So I changed the links one more time to make them point to
 /usr/lib/..., restarted ipa, and host-del worked.
 Thanks again, guys.
 George
 
 
 
 
 
 
 
 
 From: John Dennis jden...@redhat.com
 To: a...@redhat.com
 Cc: george he george_...@yahoo.com; freeipa-users@redhat.com
 freeipa-users@redhat.com
 Sent: Wednesday, September 5, 2012 2:04 PM
 Subject: Re: [Freeipa-users] ipa host-del
 
 On 09/05/2012 10:46 AM, Ade Lee wrote:
 
 Let's verify the link to the jss4.jar is in place. Note this is an
 x86_64 system, Mathew did make some adjustments to where native
 (i.e. arch specific) jars are located. I think it moved from
 /usr/lib/java to /usr/lib64/java. pki-create would have been
 modified to set up links to them on a new install but it's possible
 the links weren't updated on an existing install. Not sure, guessing
 at the moment but I think it's worth pursuing.
 
 Please do this, it will list all the jars which should be visible to
 the CA tomcat instance, the jss4.jar should have a link under
 /var/lib/pki-ca/common/lib.
 
 sudo ls -l /var/lib/pki-ca/common/lib
 /var/lib/pki-ca/webapps/ca/WEB-INF/lib
 
 We want to verify none of the symbolic links listed above are
 dangling (point to a non-existent file). Pay particular attention to
 /var/lib/pki-ca/common/lib/jss4.jar, does it point to an existing
 file that's a valid jar? If not can you locate jss4.jar? Is it now
 under /var/lib64/java? If so adjust the symbolic link under
 /var/lib/pki-ca/common/lib to point to it. Do things work now after
 restarting?
 
 John
 



Re: [Freeipa-users] ipa host-del

2012-09-04 Thread John Dennis

On 09/03/2012 06:00 PM, george he wrote:

Hello all,

I'm trying to reinstall myipaclient so I did ipa-client-install
--uninstall on my client, but when I try to do
ipa host-del on the server, I got the following error:

ipa: ERROR: Certificate operation cannot be completed: Unable to
communicate with CMS (Not Found)

What does it mean, and how do I fix this?
ps, both the server and the client are centos 6.3


I'm guessing the configuration option that specifies where to locate 
your CA was lost. Check and see if ca_host is defined in any of the 
.conf files under /etc/ipa; if so, is it the correct host? If not, then 
the server will assume it's co-located on the same machine. Is your CA 
on the same machine as your IPA server?


One other thing to check, is the CA running? Do an ipactl status to 
verify or an ipactl restart.



--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



Re: [Freeipa-users] ipa host-del

2012-09-04 Thread george he


There's only one conf file in /etc/ipa/, which is default.conf. ca_host is not 
defined there. But I think my CA is the IPA server.

Everything is reported running:
# ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING

but when I try # ipactl restart, it reports:
Starting httpd: [Tue Sep 04 08:19:10 2012] [warn] worker ajp://localhost:9447/ 
already used by another worker
[Tue Sep 04 08:19:10 2012] [warn] worker ajp://localhost:9447/ already used by 
another worker

Thanks for your help,
George





 From: John Dennis jden...@redhat.com
To: george he george_...@yahoo.com 
Cc: freeipa-users@redhat.com freeipa-users@redhat.com 
Sent: Tuesday, September 4, 2012 8:10 AM
Subject: Re: [Freeipa-users] ipa host-del
 
On 09/03/2012 06:00 PM, george he wrote:
 Hello all,
 
 I'm trying to reinstall myipaclient so I did ipa-client-install
 --uninstall on my client, but when I try to do
 ipa host-del on the server, I got the following error:
 
 ipa: ERROR: Certificate operation cannot be completed: Unable to
 communicate with CMS (Not Found)
 
 What does it mean, and how do I fix this?
 ps, both the server and the client are centos 6.3

I'm guessing the configuration option that specifies where to locate your CA 
was lost. Check and see if ca_host is defined in any of the .conf files under 
/etc/ipa; if so, is it the correct host? If not, then the server will assume 
it's co-located on the same machine. Is your CA on the same machine as your 
IPA server?

One other thing to check, is the CA running? Do an ipactl status to verify or 
an ipactl restart.


-- John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



Re: [Freeipa-users] ipa host-del

2012-09-04 Thread John Dennis

On 09/04/2012 08:28 AM, george he wrote:


There's only one conf file in /etc/ipa/, which is default.conf. ca_host
is not defined there. But I think my CA is the IPA server.

Everything is reported running:
# ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING

but when I try # ipactl restart, it reports:
Starting httpd: [Tue Sep 04 08:19:10 2012] [warn] worker
ajp://localhost:9447/ already used by another worker
[Tue Sep 04 08:19:10 2012] [warn] worker ajp://localhost:9447/ already
used by another worker


ajp worker threads are used by tomcat instances of which the CA is one 
example. It sounds like your CA has gotten into a funny state. I would 
do an ipactl stop to shut down all your services and then do a ps to look 
for any Java processes that are still running (I'm assuming the only 
Java you're running on this box would be for the CA). If you can 
identify a running Java process that you believe belongs to the CA then 
kill it and try starting IPA again (or you could use a big hammer and 
reboot).


BTW, the ajp threads are the listeners on the CA communication ports, if 
those threads are not in the right state you could see the CA 
communication problems you reported.


If that still does not work then my next suggestion would be to add this 
line to /etc/ipa/default.conf


debug=True

and restart IPA, that will cause verbose logging to be written to 
/var/log/httpd/error_log which may have more detailed messages 
indicating where things might be going wrong.



--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



Re: [Freeipa-users] ipa host-del

2012-09-04 Thread george he
First of all, I don't see any Java process after ipactl stop.

Then I turned on debug and this is what I get on terminal:
# ipa host-del hnl09.psych.yale.edu

..

ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
ipa: DEBUG: cert valid True for CN=cushing.psych.yale.edu,O=PSYCH.YALE.EDU
ipa: DEBUG: handshake complete, peer = 130.132.167.68:443
ipa: DEBUG: Caught fault 4301 from server 
http://cushing.psych.yale.edu/ipa/xml: Certificate operation cannot be 
completed: Unable to communicate with CMS (Service Temporarily Unavailable)
ipa: DEBUG: Destroyed connection context.xmlclient
ipa: ERROR: Certificate operation cannot be completed: Unable to communicate 
with CMS (Service Temporarily Unavailable)


So there's a fault 4301 being caught.
And this is at the end of /var/log/httpd/error_log:

[Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: approved_usage = SSLServer 
intended_usage = SSLServer
[Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: cert valid True for 
CN=cushing.psych.yale.edu,O=PSYCH.YALE.EDU
[Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: handshake complete, peer = 
130.132.167.68:443
[Tue Sep 04 10:17:05 2012] [error] (111)Connection refused: proxy: AJP: attempt 
to connect to 127.0.0.1:9447 (localhost) failed
[Tue Sep 04 10:17:05 2012] [error] ap_proxy_connect_backend disabling worker 
for (localhost)
[Tue Sep 04 10:17:05 2012] [error] proxy: AJP: failed to make connection to 
backend: localhost
[Tue Sep 04 10:17:05 2012] [error] ipa: INFO: ad...@psych.yale.edu: 
host_del((u'hnl09.psych.yale.edu',), updatedns=False): CertificateOperationError
[Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: response: 
CertificateOperationError: Certificate operation cannot be completed: Unable to 
communicate with CMS (Service Temporarily Unavailable)
[Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: Destroyed connection 
context.ldap2


Thanks,
George





 From: John Dennis jden...@redhat.com
To: george he george_...@yahoo.com 
Cc: freeipa-users@redhat.com freeipa-users@redhat.com 
Sent: Tuesday, September 4, 2012 8:53 AM
Subject: Re: [Freeipa-users] ipa host-del
 
On 09/04/2012 08:28 AM, george he wrote:
 
 There's only one conf file in /etc/ipa/, which is default.conf. ca_host
 is not defined there. But I think my CA is the IPA server.
 
 Everything is reported running:
 # ipactl status
 Directory Service: RUNNING
 KDC Service: RUNNING
 KPASSWD Service: RUNNING
 MEMCACHE Service: RUNNING
 HTTP Service: RUNNING
 CA Service: RUNNING
 
 but when I try # ipactl restart, it reports:
 Starting httpd: [Tue Sep 04 08:19:10 2012] [warn] worker
 ajp://localhost:9447/ already used by another worker
 [Tue Sep 04 08:19:10 2012] [warn] worker ajp://localhost:9447/ already
 used by another worker

ajp worker threads are used by tomcat instances of which the CA is one 
example. It sounds like your CA has gotten into a funny state. I would do an 
ipactl stop to shut down all your services and then do a ps to look for any 
Java processes that are still running (I'm assuming the only Java you're 
running on this box would be for the CA). If you can identify a running Java 
process that you believe belongs to the CA then kill it and try starting IPA 
again (or you could use a big hammer and reboot).

BTW, the ajp threads are the listeners on the CA communication ports, if those 
threads are not in the right state you could see the CA communication problems 
you reported.

If that still does not work then my next suggestion would be to add this line 
to /etc/ipa/default.conf

debug=True

and restart IPA, that will cause verbose logging to be written to 
/var/log/httpd/error_log which may have more detailed messages indicating 
where things might be going wrong.


-- John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



Re: [Freeipa-users] ipa host-del

2012-09-04 Thread Rob Crittenden

george he wrote:

First of all, I don't see any Java process after ipactl stop.

Then I turned on debug and this is what I get on terminal:
# ipa host-del hnl09.psych.yale.edu
..
ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
ipa: DEBUG: cert valid True for CN=cushing.psych.yale.edu,O=PSYCH.YALE.EDU
ipa: DEBUG: handshake complete, peer = 130.132.167.68:443
ipa: DEBUG: Caught fault 4301 from server
http://cushing.psych.yale.edu/ipa/xml: Certificate operation cannot be
completed: Unable to communicate with CMS (Service Temporarily Unavailable)
ipa: DEBUG: Destroyed connection context.xmlclient
ipa: ERROR: Certificate operation cannot be completed: Unable to
communicate with CMS (Service Temporarily Unavailable)

So there's a fault 4301 being caught.
And this is at the end of /var/log/httpd/error_log:
[Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: approved_usage =
SSLServer intended_usage = SSLServer
[Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: cert valid True for
CN=cushing.psych.yale.edu,O=PSYCH.YALE.EDU
[Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: handshake complete, peer
= 130.132.167.68:443
[Tue Sep 04 10:17:05 2012] [error] (111)Connection refused: proxy: AJP:
attempt to connect to 127.0.0.1:9447 (localhost) failed
[Tue Sep 04 10:17:05 2012] [error] ap_proxy_connect_backend disabling
worker for (localhost)
[Tue Sep 04 10:17:05 2012] [error] proxy: AJP: failed to make connection
to backend: localhost
[Tue Sep 04 10:17:05 2012] [error] ipa: INFO: ad...@psych.yale.edu:
host_del((u'hnl09.psych.yale.edu',), updatedns=False):
CertificateOperationError
[Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: response:
CertificateOperationError: Certificate operation cannot be completed:
Unable to communicate with CMS (Service Temporarily Unavailable)
[Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: Destroyed connection
context.ldap2


dogtag does not appear to be running. I'd suggest looking at 
/var/log/pki-ca/catalina.out or debug to see if it has any hints as what 
the problem is.


What distribution is this?

rob



Re: [Freeipa-users] ipa host-del

2012-09-04 Thread John Dennis

On 09/04/2012 10:23 AM, george he wrote:

First of all, I don't see any Java process after ipactl stop.

Then I turned on debug and this is what I get on terminal:
# ipa host-del hnl09.psych.yale.edu
..
ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
ipa: DEBUG: cert valid True for CN=cushing.psych.yale.edu,O=PSYCH.YALE.EDU
ipa: DEBUG: handshake complete, peer = 130.132.167.68:443
ipa: DEBUG: Caught fault 4301 from server
http://cushing.psych.yale.edu/ipa/xml: Certificate operation cannot be
completed: Unable to communicate with CMS (Service Temporarily Unavailable)
ipa: DEBUG: Destroyed connection context.xmlclient
ipa: ERROR: Certificate operation cannot be completed: Unable to
communicate with CMS (Service Temporarily Unavailable)

So there's a fault 4301 being caught.
And this is at the end of /var/log/httpd/error_log:
[Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: approved_usage =
SSLServer intended_usage = SSLServer
[Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: cert valid True for
CN=cushing.psych.yale.edu,O=PSYCH.YALE.EDU
[Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: handshake complete, peer
= 130.132.167.68:443
[Tue Sep 04 10:17:05 2012] [error] (111)Connection refused: proxy: AJP:
attempt to connect to 127.0.0.1:9447 (localhost) failed
[Tue Sep 04 10:17:05 2012] [error] ap_proxy_connect_backend disabling
worker for (localhost)
[Tue Sep 04 10:17:05 2012] [error] proxy: AJP: failed to make connection
to backend: localhost
[Tue Sep 04 10:17:05 2012] [error] ipa: INFO: ad...@psych.yale.edu:
host_del((u'hnl09.psych.yale.edu',), updatedns=False):
CertificateOperationError
[Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: response:
CertificateOperationError: Certificate operation cannot be completed:
Unable to communicate with CMS (Service Temporarily Unavailable)
[Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: Destroyed connection
context.ldap2

Thanks,
George


It appears as if your CA instance is not running (pki-ca). Depending on 
which OS you're running, could you verify pki-ca is running via either 
the service or systemctl command? Do you see any errors in the log files 
found under /var/log/pki-ca?


--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



Re: [Freeipa-users] ipa host-del

2012-09-04 Thread Rob Crittenden

george he wrote:

I'm running centos 6.3
# uname -r
2.6.32-279.5.2.el6.x86_64

pki-ca: unrecognized service

There are tons of errors in /var/log/pki-ca/*, some of them are:
/var/log/pki-ca/system:11605.main - [30/Aug/2012:16:34:56 EDT] [3] [3]
Cannot build CA chain. Error java.security.cert.CertificateException:
Certificate is not a PKCS #11 certificate
/var/log/pki-ca/system:11605.main - [30/Aug/2012:16:34:56 EDT] [13] [3]
authz instance DirAclAuthz initialization failed and skipped,
error=Property internaldb.ldapconn.port missing value
/var/log/pki-ca/system:11605.http-9445-1 - [30/Aug/2012:16:35:01 EDT]
[3] [3] Cannot build CA chain. Error
java.security.cert.CertificateException: Certificate is not a PKCS #11
certificate
/var/log/pki-ca/system:11605.http-9445-1 - [30/Aug/2012:16:35:10 EDT]
[3] [3] CASigningUnit: Object certificate not found. Error
org.mozilla.jss.crypto.ObjectNotFoundException
/var/log/pki-ca/system:3281.main - [31/Aug/2012:17:54:28 EDT] [8] [3] In
Ldap (bound) connection pool to host cushing.psych.yale.edu port 7389,
Cannot connect to LDAP server. Error: netscape.ldap.LDAPException:
failed to connect to server ldap://cushing.psych.yale.edu:7389 (91)

/var/log/pki-ca/catalina.2012-09-03.log:SEVERE: Error initializing
socket factory
/var/log/pki-ca/catalina.2012-09-03.log:java.lang.ClassNotFoundException: Error
loading SSL Implementation
org.apache.tomcat.util.net.jss.JSSImplementation
:java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
/var/log/pki-ca/catalina.2012-09-03.log:LifecycleException:  Protocol
handler initialization failed: java.lang.ClassNotFoundException: Error
loading SSL Implementation
org.apache.tomcat.util.net.jss.JSSImplementation
:java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
/var/log/pki-ca/catalina.2012-09-03.log:SEVERE: Error deploying web
application directory ca


The problem looks to be that the dogtag 389-ds instance is not started. 
I'd try: service dirsrv restart PKI-IPA


Then service pki-cad restart

rob




Re: [Freeipa-users] ipa host-del

2012-09-04 Thread george he
Both of the commands, service dirsrv restart and service pki-cad restart, 
reported:
stopping ... OK
starting ... OK
but host-del still has the same error.
More suggestions?
Thanks,
George





 From: Rob Crittenden rcrit...@redhat.com
To: george he george_...@yahoo.com 
Cc: John Dennis jden...@redhat.com; freeipa-users@redhat.com 
freeipa-users@redhat.com 
Sent: Tuesday, September 4, 2012 4:20 PM
Subject: Re: [Freeipa-users] ipa host-del
 
george he wrote:
 I'm running centos 6.3
 # uname -r
 2.6.32-279.5.2.el6.x86_64

 pki-ca: unrecognized service

 There are tons of errors in /var/log/pki-ca/*, some of them are:
 /var/log/pki-ca/system:11605.main - [30/Aug/2012:16:34:56 EDT] [3] [3]
 Cannot build CA chain. Error java.security.cert.CertificateException:
 Certificate is not a PKCS #11 certificate
 /var/log/pki-ca/system:11605.main - [30/Aug/2012:16:34:56 EDT] [13] [3]
 authz instance DirAclAuthz initialization failed and skipped,
 error=Property internaldb.ldapconn.port missing value
 /var/log/pki-ca/system:11605.http-9445-1 - [30/Aug/2012:16:35:01 EDT]
 [3] [3] Cannot build CA chain. Error
 java.security.cert.CertificateException: Certificate is not a PKCS #11
 certificate
 /var/log/pki-ca/system:11605.http-9445-1 - [30/Aug/2012:16:35:10 EDT]
 [3] [3] CASigningUnit: Object certificate not found. Error
 org.mozilla.jss.crypto.ObjectNotFoundException
 /var/log/pki-ca/system:3281.main - [31/Aug/2012:17:54:28 EDT] [8] [3] In
 Ldap (bound) connection pool to host cushing.psych.yale.edu port 7389,
 Cannot connect to LDAP server. Error: netscape.ldap.LDAPException:
 failed to connect to server ldap://cushing.psych.yale.edu:7389 (91)

 /var/log/pki-ca/catalina.2012-09-03.log:SEVERE: Error initializing
 socket factory
 /var/log/pki-ca/catalina.2012-09-03.log:java.lang.ClassNotFoundException: 
 Error
 loading SSL Implementation
 org.apache.tomcat.util.net.jss.JSSImplementation
 :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
 /var/log/pki-ca/catalina.2012-09-03.log:LifecycleException:  Protocol
 handler initialization failed: java.lang.ClassNotFoundException: Error
 loading SSL Implementation
 org.apache.tomcat.util.net.jss.JSSImplementation
 :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
 /var/log/pki-ca/catalina.2012-09-03.log:SEVERE: Error deploying web
 application directory ca

The problem looks to be that the dogtag 389-ds instance is not started. 
I'd try: service dirsrv restart PKI-IPA

Then service pki-cad restart

rob





Re: [Freeipa-users] ipa host-del

2012-09-04 Thread Rob Crittenden

george he wrote:

Both of the commands, service dirsrv restart and service pki-cad
restart, reported:
stopping ... OK
starting ... OK
but host-del still has the same error.
More suggestions?


Check the logs again. The service starting does not mean it kept running.

rob


Thanks,
George


*From:* Rob Crittenden rcrit...@redhat.com
*To:* george he george_...@yahoo.com
*Cc:* John Dennis jden...@redhat.com; freeipa-users@redhat.com
freeipa-users@redhat.com
*Sent:* Tuesday, September 4, 2012 4:20 PM
*Subject:* Re: [Freeipa-users] ipa host-del

george he wrote:
  I'm running centos 6.3
  # uname -r
  2.6.32-279.5.2.el6.x86_64
 
  pki-ca: unrecognized service
 
  There are tons of errors in /var/log/pki-ca/*, some of them are:
  /var/log/pki-ca/system:11605.main - [30/Aug/2012:16:34:56 EDT]
[3] [3]
  Cannot build CA chain. Error java.security.cert.CertificateException:
  Certificate is not a PKCS #11 certificate
  /var/log/pki-ca/system:11605.main - [30/Aug/2012:16:34:56 EDT]
[13] [3]
  authz instance DirAclAuthz initialization failed and skipped,
  error=Property internaldb.ldapconn.port missing value
  /var/log/pki-ca/system:11605.http-9445-1 - [30/Aug/2012:16:35:01 EDT]
  [3] [3] Cannot build CA chain. Error
  java.security.cert.CertificateException: Certificate is not a
PKCS #11
  certificate
  /var/log/pki-ca/system:11605.http-9445-1 - [30/Aug/2012:16:35:10 EDT]
  [3] [3] CASigningUnit: Object certificate not found. Error
  org.mozilla.jss.crypto.ObjectNotFoundException
  /var/log/pki-ca/system:3281.main - [31/Aug/2012:17:54:28 EDT] [8]
[3] In
  Ldap (bound) connection pool to host cushing.psych.yale.edu port
7389,
  Cannot connect to LDAP server. Error: netscape.ldap.LDAPException:
  failed to connect to server ldap://cushing.psych.yale.edu:7389 (91)
 
  /var/log/pki-ca/catalina.2012-09-03.log:SEVERE: Error initializing
  socket factory
 
/var/log/pki-ca/catalina.2012-09-03.log:java.lang.ClassNotFoundException:
Error
  loading SSL Implementation
  org.apache.tomcat.util.net.jss.JSSImplementation
  :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
  /var/log/pki-ca/catalina.2012-09-03.log:LifecycleException:  Protocol
  handler initialization failed: java.lang.ClassNotFoundException:
Error
  loading SSL Implementation
  org.apache.tomcat.util.net.jss.JSSImplementation
  :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
  /var/log/pki-ca/catalina.2012-09-03.log:SEVERE: Error deploying web
  application directory ca

The problem looks to be that the dogtag 389-ds instance is not started.
I'd try: service dirsrv restart PKI-IPA

Then service pki-cad restart

rob





