how to enable "kinit -n"
by Charles Hedrick
OK, I finally took time to figure out what is going on with kinit -n. This is an issue for us because we use one-time passwords, and kinit -n is useful for bootstrapping kinit.
* concatenate /var/kerberos/krb5kdc/kdc.crt from all of the KDCs, and put the resulting file someplace on the clients. I'm using /etc/kdc.crt.
* make sure krb5_pkinit is installed. It wasn’t on our systems, as none of the instructions for installing ipa client mentioned it.
* in /etc/krb5.conf change the pkinit_anchors line
pkinit_anchors = FILE:/etc/kdc.crt
Of course you could avoid changing pkinit_anchors by putting the file in whatever location it currently points to.
Is this somehow automated in ipa-client-install? We recently upgraded the servers to 4.5 but haven’t done ipa-client-install since.
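As an added example (not part of the original post), the shell helper below carries out the concatenation step with a sanity check on each KDC's copy, so that a truncated or non-PEM file cannot quietly shrink the set of trusted anchors; the bundle path, the function names and the constructed sample input are assumptions, and fetching each KDC's kdc.crt (for example with scp) is left to the operator.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds the PKINIT anchor
# bundle described above from per-KDC copies of kdc.crt and prints the
# krb5.conf line that points at it. Paths other than /etc/kdc.crt and
# /var/kerberos/krb5kdc/kdc.crt are assumptions.
set -eu

# Count complete PEM certificate blocks in one file and print the count.
# A file with no block, or with a BEGIN marker lacking its END marker,
# is rejected so a truncated copy from one KDC cannot be merged silently.
count_pem_certs() {
    local file="$1" begins ends
    begins=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$file" || true)
    ends=$(grep -c -- '-----END CERTIFICATE-----' "$file" || true)
    if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
        echo "$file: expected complete PEM certificate blocks, got $begins BEGIN / $ends END" >&2
        return 1
    fi
    echo "$begins"
}

# build_anchor_bundle OUT FILE... : concatenate the per-KDC kdc.crt copies
# into OUT and print the total number of certificates written. Only the
# PEM blocks are copied, so stray text in a copy never reaches the bundle.
build_anchor_bundle() {
    local out="$1"; shift
    local total=0 n f
    : > "$out"
    for f in "$@"; do
        n=$(count_pem_certs "$f") || return 1
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$f" >> "$out"
        total=$((total + n))
    done
    chmod 0644 "$out"   # anchors are public; clients only need to read them
    echo "$total"
}

# The krb5.conf line from the post, rendered for the given bundle path.
pkinit_anchors_line() {
    printf 'pkinit_anchors = FILE:%s\n' "$1"
}

# Stand-alone demonstration on constructed input (placeholder PEM bodies,
# not real certificates).
demo() {
    local work
    work=$(mktemp -d)
    printf -- '-----BEGIN CERTIFICATE-----\nCONSTRUCTED-KDC1\n-----END CERTIFICATE-----\n' > "$work/kdc1.crt"
    printf -- '-----BEGIN CERTIFICATE-----\nCONSTRUCTED-KDC2\n-----END CERTIFICATE-----\n' > "$work/kdc2.crt"
    echo "bundled $(build_anchor_bundle "$work/kdc.crt" "$work/kdc1.crt" "$work/kdc2.crt") certificate(s) into $work/kdc.crt"
    pkinit_anchors_line "$work/kdc.crt"
    rm -rf "$work"
}
demo
```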
Reply: Re: ipa host-del fail
by michael_ly@sina.cn
Thanks, Rob. I ran the command on another node and it worked for me.
None via FreeIPA-users wrote:
> Dear,
>
> I am trying to install replica by "ipa-replica-install
> replica-info-namenode2.hadoop.gxdwdc.gpg" but it failed,
>
> ipa-replica-install replica-info-namenode2.hadoop.gxdwdc.gpg
> ...
> The host namenode2.hadoop.gxdwdc already exists on the master server.
> You should remove it before proceeding:
> % ipa host-del namenode2.hadoop.gxdwdc
>
> Then I ran "ipa -host-del namenode2.hadoop.gxdwdc" but it still failed,
> [root@namenode2 ~] ipa host-del namenode2.hadoop.gxdwdc
> ipa: ERROR: did not receive Kerberos credentials
>
> I thought I need to run "kinit" first, then I ran "kinit admin", it
> still failed,
> [root@namenode2 ~] kinit admin
> kinit: Configuration file does not specify default realm when parsing
> name admin
>
> can anyone inform me how can i overcome this issue?
You need to do the kinit/ipa host-del on an enrolled machine. Another
master would be a good place.
rob
ipa host-del fail
by michael_ly@sina.cn
Dear,
I am trying to install replica by "ipa-replica-install replica-info-namenode2.hadoop.gxdwdc.gpg" but it failed,
ipa-replica-install replica-info-namenode2.hadoop.gxdwdc.gpg
...
The host namenode2.hadoop.gxdwdc already exists on the master server.
You should remove it before proceeding:
% ipa host-del namenode2.hadoop.gxdwdc
Then I ran "ipa -host-del namenode2.hadoop.gxdwdc" but it still failed,
[root@namenode2 ~] ipa host-del namenode2.hadoop.gxdwdc
ipa: ERROR: did not receive Kerberos credentials
I thought I need to run "kinit" first, then I ran "kinit admin", it still failed,
[root@namenode2 ~] kinit admin
kinit: Configuration file does not specify default realm when parsing name admin
Can anyone inform me how I can overcome this issue?
Thanks ahead.
Encoding Error in Initial Replication
by Nevada Sanchez
I've been trying to set up a replica for a FreeIPA server (3.3.5 on Fedora
19) and am running into what appears to be an encoding issue on the server
as it tries to deliver data to the replica. It is line 9 below:
[09/Nov/2017:12:34:08 +0000] NSMMReplicationPlugin - conn=1275 op=7 repl="dc=example,dc=com": Acquired replica
[09/Nov/2017:12:34:08 +0000] NSMMReplicationPlugin - conn=1275 op=7 repl="dc=example,dc=com": StartNSDS90ReplicationRequest: response=0 rc=0
[09/Nov/2017:12:34:08 +0000] NSMMReplicationPlugin - conn=1275 op=7 Relinquishing consumer connection extension
[09/Nov/2017:12:34:08 +0000] NSMMReplicationPlugin - conn=1275 op=8 Acquired consumer connection extension
[09/Nov/2017:12:34:08 +0000] NSMMReplicationPlugin - conn=1275 op=8 repl="dc=example,dc=com": Released replica held by locking_purl=conn=1275 id=7
[09/Nov/2017:12:34:08 +0000] NSMMReplicationPlugin - conn=1275 op=8 Relinquishing consumer connection extension
[09/Nov/2017:12:34:09 +0000] NSMMReplicationPlugin - agmt="cn=meToipa-replica.example.com" (ipa-replica:389): Replica was successfully acquired.
[09/Nov/2017:12:34:09 +0000] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=meToipa-replica.example.com" (ipa-replica:389)".
*[09/Nov/2017:12:34:09 +0000] NSMMReplicationPlugin - agmt="cn=meToipa-replica.example.com" (ipa-replica:389): send_entry: Encoding Error*
[09/Nov/2017:12:34:09 +0000] - repl5_tot_waitfor_async_results: 400 403
[09/Nov/2017:12:34:10 +0000] - repl5_tot_waitfor_async_results: 403 403
[09/Nov/2017:12:34:11 +0000] NSMMReplicationPlugin - agmt="cn=meToipa-replica.example.com" (ipa-replica:389): Successfully released consumer
[09/Nov/2017:12:34:11 +0000] NSMMReplicationPlugin - agmt="cn=meToipa-replica.example.com" (ipa-replica:389): Beginning linger on the connection
*[09/Nov/2017:12:34:11 +0000] NSMMReplicationPlugin - agmt="cn=meToipa-replica.example.com" (ipa-replica:389): repl5_tot_run: failed to obtain data to send to the consumer; LDAP error - -1*
[09/Nov/2017:12:34:12 +0000] NSMMReplicationPlugin - agmt="cn=meToipa-replica.example.com" (ipa-replica:389): Cancelling linger on the connection
[09/Nov/2017:12:34:12 +0000] NSMMReplicationPlugin - agmt="cn=meToipa-replica.example.com" (ipa-replica:389): Disconnected from the consumer
[09/Nov/2017:12:34:12 +0000] NSMMReplicationPlugin - agmt="cn=meToipa-replica.example.com" (ipa-replica:389): State: start -> ready_to_acquire_replica
[09/Nov/2017:12:34:12 +0000] NSMMReplicationPlugin - agmt="cn=meToipa-replica.example.com" (ipa-replica:389): Trying non-secure slapi_ldap_init_ext
[09/Nov/2017:12:34:12 +0000] NSMMReplicationPlugin - agmt="cn=meToipa-replica.example.com" (ipa-replica:389): binddn = , passwd =
[09/Nov/2017:12:34:12 +0000] NSMMReplicationPlugin - agmt="cn=meToipa-replica.example.com" (ipa-replica:389): No linger to cancel on the connection
I've traced this to the `repl5_tot_run` in the 389 source code and the logs
indicate that it makes it through acquiring the replica, but fails on the
`slapi_search_internal_callback_pb` call which seems like it's supposed to
transmit data to the replica. Continuing through the source, it seems like
the Encoding error is the key since the `slapi_search` calls `send_entry`
to encode the LDAP transaction and the `entry2bere` function must be
unhappy with something it's receiving.
Any ideas on what could be causing this? Is there a rogue data entry in my
directory that's hitting a corner case of the encoder?
I've attached replica logs below for further context, though I'm currently
thinking the problem is master side. The "LDAP error: Can't contact LDAP
server" you see below is actually what the ipa master put into
'nsds5ReplicaLastInitStatus' attribute of the replica agreement and I've
confirmed ldapsearch (389 and 636) are both happy going either way.
Connection check OK
Adding [10.0.3.78 ipa-replica.example.com] to your /etc/hosts file
Configuring NTP daemon (ntpd)
[1/4]: stopping ntpd
[2/4]: writing configuration
[3/4]: configuring ntpd to start on boot
[4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 1 minute
[1/42]: creating directory server user
[2/42]: creating directory server instance
[3/42]: updating configuration in dse.ldif
[4/42]: restarting directory server
[5/42]: adding default schema
[6/42]: enabling memberof plugin
[7/42]: enabling winsync plugin
[8/42]: configuring replication version plugin
[9/42]: enabling IPA enrollment plugin
[10/42]: enabling ldapi
[11/42]: configuring uniqueness plugin
[12/42]: configuring uuid plugin
[13/42]: configuring modrdn plugin
[14/42]: configuring DNS plugin
[15/42]: enabling entryUSN plugin
[16/42]: configuring lockout plugin
[17/42]: configuring topology plugin
[18/42]: creating indices
[19/42]: enabling referential integrity plugin
[20/42]: configuring ssl for ds instance
[21/42]: configuring certmap.conf
[22/42]: configure autobind for root
[23/42]: configure new location for managed entries
[24/42]: configure dirsrv ccache
[25/42]: enabling SASL mapping fallback
[26/42]: restarting directory server
[27/42]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 5 seconds elapsed
[ipa.example.com] reports: Update failed! Status: [-1 Total update abortedLDAP error: Can't contact LDAP server]
[error] RuntimeError: Failed to start replication
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipa.ipapython.install.cli.install_tool(Replica): ERROR Failed to start replication
ipa.ipapython.install.cli.install_tool(Replica): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
Question about FreeIPA-pki-tomcatd fails to start
by michael_ly@sina.cn
Dear,
I encountered an issue on FreeIPA, could someone give some suggestions? Thanks ahead~
ipactl start
Starting Directory Service
Starting krb5kdc service
Starting kadmin Service
…
Starting pki-tomcatd Service
Failed to start pki-tomcatd server
..
The Linux version is CentOS 7.2 and the IPA version is 4.2.
I know I can use "ipactl -f start" to work around this issue, but I still need to fix it because the issue affects the function of "ipa-replica-prepare xxx".
Looking into the log files under /var/log/pki-tomcat, there are some error logs. I found some similar issues from others, but not exactly the same as mine. My issue is that it cannot create RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit) successfully.
Do you know what could be the root cause?
Catalina.xxx.log (happened many times):
WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@291f37e1 background process
java.lang.NullPointerException
    at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:108)
    at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1360)
    at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1530)
    at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1540)
    at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1540)
    at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1519)
    at java.lang.Thread.run(Thread.java:745)
localhost.xxx.log:
Mar 23, 2017 11:49:24 AM org.apache.catalina.core.ApplicationContext log
SEVERE: StandardWrapper.Throwable
java.lang.NullPointerException
    at com.netscape.cmscore.selftests.SelfTestSubsystem.shutdown(SelfTestSubsystem.java:1875)
    at com.netscape.cmscore.apps.CMSEngine.shutdownSubsystems(CMSEngine.java:1859)
    at com.netscape.cmscore.apps.CMSEngine.shutdown(CMSEngine.java:1797)
    at com.netscape.certsrv.apps.CMS.shutdown(CMS.java:233)
    at com.netscape.certsrv.apps.CMS.start(CMS.java:1610)
    at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
    at javax.servlet.GenericServlet.init(GenericServlet.java:158)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
    at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272)
    at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)
    at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087)
    at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
    at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
    at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
    at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632)
    at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672)
    at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Mar 23, 2017 11:49:24 AM org.apache.catalina.core.StandardContext loadOnStartup
SEVERE: Servlet /ca threw load() exception
java.lang.NullPointerException
    at com.netscape.cmscore.selftests.SelfTestSubsystem.shutdown(SelfTestSubsystem.java:1875)
    at com.netscape.cmscore.apps.CMSEngine.shutdownSubsystems(CMSEngine.java:1859)
    at com.netscape.cmscore.apps.CMSEngine.shutdown(CMSEngine.java:1797)
    at com.netscape.certsrv.apps.CMS.shutdown(CMS.java:233)
    at com.netscape.certsrv.apps.CMS.start(CMS.java:1610)
    at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
    at javax.servlet.GenericServlet.init(GenericServlet.java:158)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
    at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272)
    at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)
    at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087)
    at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
    at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
    at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
    at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632)
    at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672)
    at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
debug:
[23/Mar/2017:11:49:24][localhost-startStop-1]: CMSEngine: done init id=debug
[23/Mar/2017:11:49:24][localhost-startStop-1]: CMSEngine: initialized debug
[23/Mar/2017:11:49:24][localhost-startStop-1]: CMSEngine: initSubsystem id=log
[23/Mar/2017:11:49:24][localhost-startStop-1]: CMSEngine: ready to init id=log
[23/Mar/2017:11:49:24][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit)
SignedAudit:Failed to instantiate class com.netscape.cms.logging.RollingLogFile error: Caught unexpected exception: java.io.FileNotFoundException: /var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit (No such file or directory)
    at com.netscape.cmscore.logging.LogSubsystem.init(LogSubsystem.java:139)
    at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1107)
    at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1013)
    at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:510)
    at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
    at com.netscape.certsrv.apps.CMS.start(CMS.java:1601)
    at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
    at javax.servlet.GenericServlet.init(GenericServlet.java:158)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
    at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272)
    at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)
    at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087)
    at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
    at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
    at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
    at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632)
    at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672)
    at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
Reply: Question about FreeIPA-pki-tomcatd fails to start
by michael_ly@sina.cn
Hi,
Thanks to Rob Crittenden <rcritten(a)redhat.com> for informing me that /var/lib/pki/pki-tomcat/logs/ca/signedAudit did not exist.
After "mkdir -p /var/lib/pki/pki-tomcat/logs/ca/signedAudit", pki-tomcatd can be started normally.
----- Original Message -----
From: None via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
To: "freeipa-users" <freeipa-users(a)lists.fedorahosted.org>
Cc: michael_ly(a)sina.cn
Subject: [Freeipa-users] Question about FreeIPA-pki-tomcatd fails to start
Date: 2017-11-09 16:18
FreeIPA sudoers
by Andrew Meyer
Hello, I'm having some trouble getting sudoers to work.
I have 5 machines joined to the FreeIPA domain and I have a user group called ops and ops_sudoers. Both have permission to full sudo.
[andrew.meyer@jira02 ~]$ ipa sudorule-find ALL
-------------------
1 Sudo Rule matched
-------------------
  Rule name: All
  Enabled: TRUE
  Host category: all
  Command category: all
  Sudo Option: !authenticate
----------------------------
Number of entries returned 1
----------------------------
[andrew.meyer@jira02 ~]$ ipa sudorule-show ALL
  Rule name: All
  Enabled: TRUE
  Host category: all
  Command category: all
  Users: brian.keithly, andrew.meyer
  User Groups: ops_sudoers, ops
  RunAs Users: process
  Sudo Option: !authenticate
[andrew.meyer@jira02 ~]$ sudo su -
[sudo] password for andrew.meyer:
Sorry, user andrew.meyer is not allowed to execute '/bin/su -' as root on jira02.mgt.example.net.
[andrew.meyer@jira02 ~]$
My HBAC is set to allow_all.
[root@jira02 log]# cat /etc/sssd/sssd.conf
[domain/mgt.example.net]
cache_credentials = True
krb5_store_password_if_offline = True
krb5_realm = EXAMPLE.NET
ipa_domain = mgt.example.net
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = jira02.mgt.example.net
chpass_provider = ipa
dyndns_update = True
ipa_server = _srv_, infra-test-ipa.example.net
dyndns_iface = ens160
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, pam, ssh, sudo
domains = mgt.example.net
[nss]
homedir_substring = /home
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
[secrets]
[root@jira02 log]#
6 years, 5 months
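The `ipa sudorule-show` listing in the post above is a flat "Key: value" format, and one of its fields, RunAs Users, determines which target users a matched user may become with `sudo -u` or `sudo su -`: in sudoers semantics a Runas list restricts the target user, and only a rule with no RunAs restriction at all falls back to sudo's default target, root. The following Python is an added example written for this page (editor's code, not from the thread or from the FreeIPA project); it parses that listing and reports whether a rule lets commands run as a given user. It assumes the field labels shown in the post plus "RunAs User category" and "RunAs Groups" as the CLI's labels for the corresponding attributes, and the SAMPLE_RULE text is constructed from the post's output.

```python
"""Parse `ipa sudorule-show` output and check which target users a rule permits.

Added example (editor's code, not from the thread or the FreeIPA project).
Field labels are taken from the post; the fallback (no RunAs specification
means sudo's default target user, root) is standard sudoers behaviour.
"""

# Constructed sample, copied from the `ipa sudorule-show ALL` output in the post.
SAMPLE_RULE = """\
  Rule name: All
  Enabled: TRUE
  Host category: all
  Command category: all
  Users: brian.keithly, andrew.meyer
  User Groups: ops_sudoers, ops
  RunAs Users: process
  Sudo Option: !authenticate
"""

# Fields whose values are comma-separated lists in the CLI output.
LIST_FIELDS = {
    "Users", "User Groups", "Hosts", "Host Groups",
    "RunAs Users", "RunAs Groups", "Sudo Allow Commands",
    "Sudo Deny Commands", "Sudo Option",
}


def parse_sudorule(text: str) -> dict:
    """Turn the indented 'Key: value' listing into a dict; list fields become lists."""
    rule: dict = {}
    for line in text.splitlines():
        if ":" not in line:
            continue  # skips separators such as '-----' and 'Number of entries returned'
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key in LIST_FIELDS:
            items = [v.strip() for v in value.split(",") if v.strip()]
            rule.setdefault(key, []).extend(items)  # a list field may repeat
        else:
            rule[key] = value
    return rule


def can_run_as(rule: dict, target: str) -> bool:
    """Does this rule let a matched user run commands as `target` (sudo -u target)?"""
    if rule.get("Enabled", "TRUE").upper() != "TRUE":
        return False
    if rule.get("RunAs User category") == "all":
        return True
    users = rule.get("RunAs Users", [])
    groups = rule.get("RunAs Groups", [])
    if not users and not groups:
        # No RunAs specification at all: sudo applies its default target user, root.
        return target == "root"
    # RunAs Groups only governs `sudo -g`; for the target user the list must match.
    return target in users


def explain_root_access(rule: dict) -> str:
    """One-line finding for the usual 'full sudo' intent: may a matched user become root?"""
    name = rule.get("Rule name", "<unnamed>")
    if can_run_as(rule, "root"):
        return f"rule '{name}': commands may run as root"
    users = rule.get("RunAs Users", [])
    if users:
        return (f"rule '{name}': RunAs Users limits targets to {', '.join(users)}; "
                f"root is not permitted")
    return f"rule '{name}': does not grant root (rule disabled or group-only RunAs)"


if __name__ == "__main__":
    print(explain_root_access(parse_sudorule(SAMPLE_RULE)))
```

Run against the sample, the check reports that the rule limits targets to `process`, which is consistent with the "not allowed to execute '/bin/su -' as root" message the post shows; the same parser can be pointed at the output of `ipa sudorule-show` for any rule when auditing which rules actually grant root.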
ipa-replica-install - DatabaseError: Server is unwilling to perform
by Outback Dingo
so it's a fresh CentOS 7 box, I installed the "master" OK but getting
replicas done is pitching me fits... any ideas?
ipa-client-install --domain=optimcloud.com --realm=OPTIMCLOUD.COM --force-join
Skip ipa2.optimcloud.com: LDAP server is not responding, unable to
verify if this is an IPA server
Discovery was successful!
Client hostname: ipa2.optimcloud.com
Realm: OPTIMCLOUD.COM
DNS Domain: optimcloud.com
IPA Server: ipa3.optimcloud.com
BaseDN: dc=optimcloud,dc=com
Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Attempting to sync time using ntpd. Will timeout after 15 seconds
Attempting to sync time using ntpd. Will timeout after 15 seconds
User authorized to enroll computers: admin
Password for admin(a)OPTIMCLOUD.COM:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=OPTIMCLOUD.COM
Issuer: CN=Certificate Authority,O=OPTIMCLOUD.COM
Valid From: 2017-11-08 09:51:27
Valid Until: 2037-11-08 09:51:27
Enrolled in IPA realm OPTIMCLOUD.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm OPTIMCLOUD.COM
trying https://ipa3.optimcloud.com/ipa/json
[try 1]: Forwarding 'ping' to json server 'https://ipa3.optimcloud.com/ipa/json'
[try 1]: Forwarding 'ca_is_enabled' to json server
'https://ipa3.optimcloud.com/ipa/json'
Systemwide CA database updated.
Hostname (ipa2.optimcloud.com) does not have A/AAAA record.
Missing A/AAAA record(s) for host ipa2.optimcloud.com: 148.251.24.3.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
[try 1]: Forwarding 'host_mod' to json server
'https://ipa3.optimcloud.com/ipa/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring optimcloud.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
[root@ipa2 ~]# ipa-replica-install --skip-conncheck --setup-dns --no-forwarders
ipa : ERROR Reverse DNS resolution of address 148.251.24.3
(ipa2.optimcloud.com) failed. Clients may not function properly.
Please check your DNS setup. (Note that this check queries IPA DNS directly and
ignores /etc/hosts.)
Continue? [no]: yes
Configuring NTP daemon (ntpd)
[1/4]: stopping ntpd
[2/4]: writing configuration
[3/4]: configuring ntpd to start on boot
[4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 30 seconds
[1/40]: creating directory server instance
[2/40]: enabling ldapi
[3/40]: configure autobind for root
[4/40]: stopping directory server
[5/40]: updating configuration in dse.ldif
[6/40]: starting directory server
[7/40]: adding default schema
[8/40]: enabling memberof plugin
[9/40]: enabling winsync plugin
[10/40]: configuring replication version plugin
[11/40]: enabling IPA enrollment plugin
[12/40]: configuring uniqueness plugin
[13/40]: configuring uuid plugin
[14/40]: configuring modrdn plugin
[15/40]: configuring DNS plugin
[16/40]: enabling entryUSN plugin
[17/40]: configuring lockout plugin
[18/40]: configuring topology plugin
[19/40]: creating indices
[20/40]: enabling referential integrity plugin
[21/40]: configuring certmap.conf
[22/40]: configure new location for managed entries
[23/40]: configure dirsrv ccache
[24/40]: enabling SASL mapping fallback
[25/40]: restarting directory server
[26/40]: creating DS keytab
[27/40]: setting up initial replication
[error] DatabaseError: Server is unwilling to perform: Entry is
managed by topology plugin. Adding of entry not allowed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
ERROR Server is unwilling to perform: Entry is managed by topology plugin.
Adding of entry not allowed.
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
ERROR The ipa-replica-install command failed. See
/var/log/ipareplica-install.log for more information
6 years, 5 months
Multiboot and FreeIPA
by Pascal Ernster
Hi,
is it possible to use multiple operating systems (for example different
versions of Fedora and CentOS) at the same time on one and the same
computer, with the same IP address/hostname, with all of these OS
installations being valid FreeIPA clients at the same time?
Could this cause problems as every operating system gets its own
Kerberos TGT, its own SSH host keys, LDAP entries, etc?
In case it matters: I'm using the FreeIPA packages from the official
distro repos, which means that different OS installations may have
differing versions of the FreeIPA client and its dependency packages.
The use case would be a (hopefully) seamless distro upgrade, with an
easy fallback option for users if they experience problems with the new
distro release.
Regards
Pascal
6 years, 5 months