November 2017 - FreeIPA-users - Fedora Mailing-Lists

by Charles Hedrick

OK, I finally took time to figure out what is going on with kinit -n. This is an issue for us because we use one-time passwords, and kinit -n is useful for bootstrapping kinit. * concatenate /var/kerberos/krb5kdc/kdc.crt from all of the KDC’s, and put the resulting file someplace on the clients. I’m using /etc/kdc.crt. * make sure krb5_pkinit is installed. It wasn’t on our systems, as none of the instructions for installing ipa client mentioned it. * in /etc/krb5.conf change the pkinit_anchors line pkinit_anchors = FILE:/etc/kdc.crt Of course you could avoid changing pkinit_anchors by putting the file in whatever location it currently points to. Is this somehow automated in ipa-client-install? We recently upgraded the servers to 4.5 but haven’t done ipa-client-install since.

6 years, 5 months

2
1
0 / 0

回复：Re: ipa host-del fail

by michael_ly＠sina.cn

Thanks, Rob.I ran the command one another node and it worked for me. None via FreeIPA-users wrote: > Dear, > > I am trying to install replica by "ipa-replica-install > replica-info-namenode2.hadoop.gxdwdc.gpg" but it failed, > > ipa-replica-install replica-info-namenode2.hadoop.gxdwdc.gpg > ... > The host namenode2.hadoop.gxdwdc already exists on the master server. > You should remove it before procedding: > % ipa host-del namenode2.hadoop.gxdwdc > > Then I ran "ipa -host-del namenode2.hadoop.gxdwdc" but it still failed, > [root@namenode2 ~] ipa host-del namenode2.hadoop.gxdwdc > ipa: ERROR: did not receive Kerberos credentials > > I thought i need to run "kinit" first, than I ran "kinit admin", it > still failed, > [root@namenode2 ~] kinit admin > kinit: Configuration file does not sepcify default realm when parsing > name admin > > can anyone inform me how can i overcome this issue? You need to do the kinit/ipa host-del on an enrolled machine. Another master would be a good place. rob

6 years, 5 months

1
0
0 / 0

ipa host-del fail

by michael_ly＠sina.cn

Dear, I am trying to install replica by "ipa-replica-install replica-info-namenode2.hadoop.gxdwdc.gpg" but it failed, ipa-replica-install replica-info-namenode2.hadoop.gxdwdc.gpg...The host namenode2.hadoop.gxdwdc already exists on the master server.You should remove it before procedding: % ipa host-del namenode2.hadoop.gxdwdc Then I ran "ipa -host-del namenode2.hadoop.gxdwdc" but it still failed,[root@namenode2 ~] ipa host-del namenode2.hadoop.gxdwdcipa: ERROR: did not receive Kerberos credentials I thought i need to run "kinit" first, than I ran "kinit admin", it still failed,[root@namenode2 ~] kinit adminkinit: Configuration file does not sepcify default realm when parsing name admin can anyone inform me how can i overcome this issue? Thanks ahead.

6 years, 5 months

3
2
0 / 0

Encoding Error in Initial Replication

by Nevada Sanchez

I've been trying to set up a replica for a FreeIPA server (3.3.5 on Fedora 19) and am running into what appears to be an encoding issue on the server as it tries to deliver data to the replica. It is line 9 below: [09/Nov/2017:12:34:08 +0000] NSMMReplicationPlugin - conn=1275 op=7 repl="dc=example,dc=com": Acquired replica [09/Nov/2017:12:34:08 +0000] NSMMReplicationPlugin - conn=1275 op=7 repl="dc=example,dc=com": StartNSDS90ReplicationRequest: response=0 rc=0 [09/Nov/2017:12:34:08 +0000] NSMMReplicationPlugin - conn=1275 op=7 Relinquishing consumer connection extension [09/Nov/2017:12:34:08 +0000] NSMMReplicationPlugin - conn=1275 op=8 Acquired consumer connection extension [09/Nov/2017:12:34:08 +0000] NSMMReplicationPlugin - conn=1275 op=8 repl="dc=example,dc=com": Released replica held by locking_purl=conn=1275 id=7 [09/Nov/2017:12:34:08 +0000] NSMMReplicationPlugin - conn=1275 op=8 Relinquishing consumer connection extension [09/Nov/2017:12:34:09 +0000] NSMMReplicationPlugin - agmt="cn= meToipa-replica.example.com" (ipa-replica:389): Replica was successfully acquired. [09/Nov/2017:12:34:09 +0000] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=meToipa-replica.example.com" (ipa-replica:389)". *[09/Nov/2017:12:34:09 +0000] NSMMReplicationPlugin - agmt="cn=meToipa-replica.example.com <http://meToipa-replica.example.com>" (ipa-replica:389): send_entry: Encoding Error* [09/Nov/2017:12:34:09 +0000] - repl5_tot_waitfor_async_results: 400 403 [09/Nov/2017:12:34:10 +0000] - repl5_tot_waitfor_async_results: 403 403 [09/Nov/2017:12:34:11 +0000] NSMMReplicationPlugin - agmt="cn= meToipa-replica.example.com" (ipa-replica:389): Successfully released consumer [09/Nov/2017:12:34:11 +0000] NSMMReplicationPlugin - agmt="cn= meToipa-replica.example.com" (ipa-replica:389): Beginning linger on the connection *[09/Nov/2017:12:34:11 +0000] NSMMReplicationPlugin - agmt="cn=meToipa-replica.example.com <http://meToipa-replica.example.com>" (ipa-replica:389): repl5_tot_run: failed to obtain data to send to the consumer; LDAP error - -1* [09/Nov/2017:12:34:12 +0000] NSMMReplicationPlugin - agmt="cn= meToipa-replica.example.com" (ipa-replica:389): Cancelling linger on the connection [09/Nov/2017:12:34:12 +0000] NSMMReplicationPlugin - agmt="cn= meToipa-replica.example.com" (ipa-replica:389): Disconnected from the consumer [09/Nov/2017:12:34:12 +0000] NSMMReplicationPlugin - agmt="cn= meToipa-replica.example.com" (ipa-replica:389): State: start -> ready_to_acquire_replica [09/Nov/2017:12:34:12 +0000] NSMMReplicationPlugin - agmt="cn= meToipa-replica.example.com" (ipa-replica:389): Trying non-secure slapi_ldap_init_ext [09/Nov/2017:12:34:12 +0000] NSMMReplicationPlugin - agmt="cn= meToipa-replica.example.com" (ipa-replica:389): binddn = , passwd = [09/Nov/2017:12:34:12 +0000] NSMMReplicationPlugin - agmt="cn= meToipa-replica.example.com" (ipa-replica:389): No linger to cancel on the connection I've traced this to the `repl5_tot_run` in the 389 source code and the logs indicate that it makes it through acquiring the replica, but fails on the `slapi_search_internal_callback_pb` call which seems like it's supposed to transmit data to the replica. Continuing through the source, it seems like the Encoding error is the key since the `slapi_search` calls `send_entry` to encode the LDAP transaction and the `entry2bere` function must be unhappy with something it's receiving. Any ideas on what could be causing this? Is there a rogue data entry in my directory that's hitting a corner case of the encoder? I've attached replica logs below for further context, though I'm currently thinking the problem is master side. The "LDAP error: Can't contact LDAP server" you see below is actually what the ipa master put into 'nsds5ReplicaLastInitStatus' attribute of the replica agreement and I've confirmed ldapsearch (389 and 636) are both happy going either way. Connection check OK Adding [10.0.3.78 ipa-replica.example.com] to your /etc/hosts file Configuring NTP daemon (ntpd) [1/4]: stopping ntpd [2/4]: writing configuration [3/4]: configuring ntpd to start on boot [4/4]: starting ntpd Done configuring NTP daemon (ntpd). Configuring directory server (dirsrv). Estimated time: 1 minute [1/42]: creating directory server user [2/42]: creating directory server instance [3/42]: updating configuration in dse.ldif [4/42]: restarting directory server [5/42]: adding default schema [6/42]: enabling memberof plugin [7/42]: enabling winsync plugin [8/42]: configuring replication version plugin [9/42]: enabling IPA enrollment plugin [10/42]: enabling ldapi [11/42]: configuring uniqueness plugin [12/42]: configuring uuid plugin [13/42]: configuring modrdn plugin [14/42]: configuring DNS plugin [15/42]: enabling entryUSN plugin [16/42]: configuring lockout plugin [17/42]: configuring topology plugin [18/42]: creating indices [19/42]: enabling referential integrity plugin [20/42]: configuring ssl for ds instance [21/42]: configuring certmap.conf [22/42]: configure autobind for root [23/42]: configure new location for managed entries [24/42]: configure dirsrv ccache [25/42]: enabling SASL mapping fallback [26/42]: restarting directory server [27/42]: setting up initial replication Starting replication, please wait until this has completed. Update in progress, 5 seconds elapsed [ipa.example.com] reports: Update failed! Status: [-1 Total update abortedLDAP error: Can't contact LDAP server] [error] RuntimeError: Failed to start replication Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. ipa.ipapython.install.cli.install_tool(Replica): ERROR Failed to start replication ipa.ipapython.install.cli.install_tool(Replica): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

6 years, 5 months

2
2
0 / 0

Trouble with AD Trust

by Justin Smith

I have FreeIPA and Active Directory on our network and am attempting to follow the [ https://www.freeipa.org/page/Active_Directory_trust_setup | official instructions ] for getting a trust set up. I'm down to the section where I run ipa trust-add to set up the trust. I've set up and verified DNS forwarding on both ends. Here is the output I'm stuck on: [root@ipa2 conf.d]# ipa -v trust-add --type ad ad.mimsoftware.com --admin Administrator --password ipa: INFO: trying https://ipa2.mimsoftware.com/ipa/json ipa: INFO: [try 1]: Forwarding 'schema' to json server 'https://ipa2.mimsoftware.com/ipa/json' ipa: INFO: trying https://ipa2.mimsoftware.com/ipa/session/json Active Directory domain administrator's password: ipa: INFO: [try 1]: Forwarding 'trust_add/1' to json server 'https://ipa2.mimsoftware.com/ipa/session/json' ipa: ERROR: an internal error has occurred Any ideas where to begin troubleshooting? If I try this same process in the browser interface, it throws an error: "AD DC was unable to reach any IPA domain controller. Most likely it is a DNS or firewall issue" However, I've verified that it can't be DNS. What about firewall configuration on the Windows end? The official instructions just say "to be added." --- Justin Smith IT Analyst MIM Software, Inc. [ https://www.mimsoftware.com/ | https://www.mimsoftware.com ]

6 years, 5 months

3
5
0 / 0

Question about FreeIPA-pki-tomcatd fails to start

by michael_ly＠sina.cn

Dear, I encountered an issue on FreeIPA, could someone give some suggestion? thanks ahead~ ipactl start Starting Directory Service Staring krb5kdc service Staring kadmin Service … Starting pki-tomcatd Service Failed to start pki-tomcatd server .. The Linux version is CentOS7.2 and IPA version is 4.2. I know I can use “ipactl -f start” to work around this issue, but I still need to fix it because the issue influence function of “ipa-replica-prepare xxx”. Looking into log files under /var/log/pki-tomcat, there are some error logs. I found some similar issue from others, but not exactly the same with mine. Mine issue is about cannot create RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit) successfully. Do you know what could be the root cause? Catalina.xxx.log(happened many times): WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@291f37e1 background process java.lang.NullPointerException at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:108) at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1360) at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1530) at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1540) at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1540) at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1519) at java.lang.Thread.run(Thread.java:745) localhost.xxx.log: Mar 23, 2017 11:49:24 AM org.apache.catalina.core.ApplicationContext log SEVERE: StandardWrapper.Throwable java.lang.NullPointerException at com.netscape.cmscore.selftests.SelfTestSubsystem.shutdown(SelfTestSubsystem.java:1875) at com.netscape.cmscore.apps.CMSEngine.shutdownSubsystems(CMSEngine.java:1859) at com.netscape.cmscore.apps.CMSEngine.shutdown(CMSEngine.java:1797) at com.netscape.certsrv.apps.CMS.shutdown(CMS.java:233) at com.netscape.certsrv.apps.CMS.start(CMS.java:1610) at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114) at javax.servlet.GenericServlet.init(GenericServlet.java:158) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:497) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123) at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272) at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197) at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087) at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210) at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493) at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901) at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133) at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156) at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875) at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632) at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672) at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) Mar 23, 2017 11:49:24 AM org.apache.catalina.core.StandardContext loadOnStartup SEVERE: Servlet /ca threw load() exception java.lang.NullPointerException at com.netscape.cmscore.selftests.SelfTestSubsystem.shutdown(SelfTestSubsystem.java:1875) at com.netscape.cmscore.apps.CMSEngine.shutdownSubsystems(CMSEngine.java:1859) at com.netscape.cmscore.apps.CMSEngine.shutdown(CMSEngine.java:1797) at com.netscape.certsrv.apps.CMS.shutdown(CMS.java:233) at com.netscape.certsrv.apps.CMS.start(CMS.java:1610) at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114) at javax.servlet.GenericServlet.init(GenericServlet.java:158) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:497) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123) at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272) at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197) at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087) at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210) at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493) at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901) at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133) at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156) at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875) at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632) at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672) at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) debug: [23/Mar/2017:11:49:24][localhost-startStop-1]: CMSEngine: done init id=debug [23/Mar/2017:11:49:24][localhost-startStop-1]: CMSEngine: initialized debug [23/Mar/2017:11:49:24][localhost-startStop-1]: CMSEngine: initSubsystem id=log [23/Mar/2017:11:49:24][localhost-startStop-1]: CMSEngine: ready to init id=log [23/Mar/2017:11:49:24][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit) SignedAudit:Failed to instantiate class com.netscape.cms.logging.RollingLogFile error: Caught unexpected exception: java.io.FileNotFoundException: /var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit (No such file or directory) at com.netscape.cmscore.logging.LogSubsystem.init(LogSubsystem.java:139) at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1107) at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1013) at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:510) at com.netscape.certsrv.apps.CMS.init(CMS.java:187) at com.netscape.certsrv.apps.CMS.start(CMS.java:1601) at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114) at javax.servlet.GenericServlet.init(GenericServlet.java:158) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:497) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123) at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272) at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197) at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087) at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210) at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493) at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901) at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133) at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156) at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875) at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632) at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672) at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)

6 years, 5 months

2
1
0 / 0

Reply：Question about FreeIPA-pki-tomcatd fails to start

by michael_ly＠sina.cn

Hi, Thanks ('Rob Crittenden' <rcritten(a)redhat.com>) to inform me that /var/lib/pki/pki-tomcat/logs/ca/signedAudit not exsited. By "mkdir -p /var/lib/pki/pki-tomcat/logs/ca/signedAudit" automatically, pki-tomcatd can be started normally. ----- 原始邮件 ----- 发件人：None via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> 收件人："freeipa-users" <freeipa-users(a)lists.fedorahosted.org> 抄送人：michael_ly(a)sina.cn 主题：[Freeipa-users] Question about FreeIPA-pki-tomcatd fails to start 日期：2017年11月09日 16点18分 Dear, I encountered an issue on FreeIPA, could someone give some suggestion? thanks ahead~ ipactl start Starting Directory Service Staring krb5kdc service Staring kadmin Service … Starting pki-tomcatd Service Failed to start pki-tomcatd server .. The Linux version is CentOS7.2 and IPA version is 4.2. I know I can use “ipactl -f start” to work around this issue, but I still need to fix it because the issue influence function of “ipa-replica-prepare xxx”. Looking into log files under /var/log/pki-tomcat, there are some error logs. I found some similar issue from others, but not exactly the same with mine. Mine issue is about cannot create RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit) successfully. Do you know what could be the root cause? Catalina.xxx.log(happened many times): WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@291f37e1 background process java.lang.NullPointerException at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:108) at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1360) at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1530) at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1540) at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1540) at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1519) at java.lang.Thread.run(Thread.java:745) localhost.xxx.log: Mar 23, 2017 11:49:24 AM org.apache.catalina.core.ApplicationContext log SEVERE: StandardWrapper.Throwable java.lang.NullPointerException at com.netscape.cmscore.selftests.SelfTestSubsystem.shutdown(SelfTestSubsystem.java:1875) at com.netscape.cmscore.apps.CMSEngine.shutdownSubsystems(CMSEngine.java:1859) at com.netscape.cmscore.apps.CMSEngine.shutdown(CMSEngine.java:1797) at com.netscape.certsrv.apps.CMS.shutdown(CMS.java:233) at com.netscape.certsrv.apps.CMS.start(CMS.java:1610) at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114) at javax.servlet.GenericServlet.init(GenericServlet.java:158) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:497) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123) at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272) at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197) at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087) at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210) at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493) at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901) at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133) at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156) at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875) at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632) at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672) at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) Mar 23, 2017 11:49:24 AM org.apache.catalina.core.StandardContext loadOnStartup SEVERE: Servlet /ca threw load() exception java.lang.NullPointerException at com.netscape.cmscore.selftests.SelfTestSubsystem.shutdown(SelfTestSubsystem.java:1875) at com.netscape.cmscore.apps.CMSEngine.shutdownSubsystems(CMSEngine.java:1859) at com.netscape.cmscore.apps.CMSEngine.shutdown(CMSEngine.java:1797) at com.netscape.certsrv.apps.CMS.shutdown(CMS.java:233) at com.netscape.certsrv.apps.CMS.start(CMS.java:1610) at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114) at javax.servlet.GenericServlet.init(GenericServlet.java:158) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:497) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123) at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272) at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197) at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087) at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210) at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493) at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901) at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133) at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156) at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875) at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632) at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672) at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) debug: [23/Mar/2017:11:49:24][localhost-startStop-1]: CMSEngine: done init id=debug [23/Mar/2017:11:49:24][localhost-startStop-1]: CMSEngine: initialized debug [23/Mar/2017:11:49:24][localhost-startStop-1]: CMSEngine: initSubsystem id=log [23/Mar/2017:11:49:24][localhost-startStop-1]: CMSEngine: ready to init id=log [23/Mar/2017:11:49:24][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit) SignedAudit:Failed to instantiate class com.netscape.cms.logging.RollingLogFile error: Caught unexpected exception: java.io.FileNotFoundException: /var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit (No such file or directory) at com.netscape.cmscore.logging.LogSubsystem.init(LogSubsystem.java:139) at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1107) at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1013) at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:510) at com.netscape.certsrv.apps.CMS.init(CMS.java:187) at com.netscape.certsrv.apps.CMS.start(CMS.java:1601) at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114) at javax.servlet.GenericServlet.init(GenericServlet.java:158) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:497) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123) at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272) at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197) at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087) at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210) at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493) at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901) at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133) at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156) at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875) at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632) at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672) at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) _______________________________________________ FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org

6 years, 5 months

1
0
0 / 0

FreeIPA sudoers

by Andrew Meyer

Hello, i'm having some trouble getting sudoers to work. I have 5 machines joined to the FreeIPA domain and I have a user group called ops and ops_sudoers. Both have permission to full sudo. [andrew.meyer@jira02 ~]$ ipa sudorule-find ALL-------------------1 Sudo Rule matched------------------- Rule name: All Enabled: TRUE Host category: all Command category: all Sudo Option: !authenticate----------------------------Number of entries returned 1---------------------------- [andrew.meyer@jira02 ~]$ ipa sudorule-show ALL Rule name: All Enabled: TRUE Host category: all Command category: all Users: brian.keithly, andrew.meyer User Groups: ops_sudoers, ops RunAs Users: process Sudo Option: !authenticate [andrew.meyer@jira02 ~]$ sudo su -[sudo] password for andrew.meyer:Sorry, user andrew.meyer is not allowed to execute '/bin/su -' as root on jira02.mgt.example.net.[andrew.meyer@jira02 ~]$ My HBAC is set to allow_all. [root@jira02 log]# cat /etc/sssd/sssd.conf[domain/mgt.example.net] cache_credentials = Truekrb5_store_password_if_offline = Truekrb5_realm = EXAMPLE.NETipa_domain = mgt.example.netid_provider = ipaauth_provider = ipaaccess_provider = ipaipa_hostname = jira02.mgt.example.netchpass_provider = ipadyndns_update = Trueipa_server = _srv_, infra-test-ipa.example.netdyndns_iface = ens160ldap_tls_cacert = /etc/ipa/ca.crt[sssd]services = nss, pam, ssh, sudo domains = mgt.example.net[nss]homedir_substring = /home [pam] [sudo] [autofs] [ssh] [pac] [ifp] [secrets] [root@jira02 log]#

6 years, 5 months

3
6
0 / 0

ipa-replica-install - DatabaseError: Server is unwilling to perform

by Outback Dingo

so its a fresh CentOS 7 box, i installed the "master" ok but getting replicas done is pitching me fits... any ideas? ipa-client-install --domain=optimcloud.com --realm=OPTIMCLOUD.COM --force-join Skip ipa2.optimcloud.com: LDAP server is not responding, unable to verify if this is an IPA server Discovery was successful! Client hostname: ipa2.optimcloud.com Realm: OPTIMCLOUD.COM DNS Domain: optimcloud.com IPA Server: ipa3.optimcloud.com BaseDN: dc=optimcloud,dc=com Continue to configure the system with these values? [no]: yes Synchronizing time with KDC... Attempting to sync time using ntpd. Will timeout after 15 seconds Attempting to sync time using ntpd. Will timeout after 15 seconds User authorized to enroll computers: admin Password for admin(a)OPTIMCLOUD.COM: Successfully retrieved CA cert Subject: CN=Certificate Authority,O=OPTIMCLOUD.COM Issuer: CN=Certificate Authority,O=OPTIMCLOUD.COM Valid From: 2017-11-08 09:51:27 Valid Until: 2037-11-08 09:51:27 Enrolled in IPA realm OPTIMCLOUD.COM Created /etc/ipa/default.conf New SSSD config will be created Configured sudoers in /etc/nsswitch.conf Configured /etc/sssd/sssd.conf Configured /etc/krb5.conf for IPA realm OPTIMCLOUD.COM trying https://ipa3.optimcloud.com/ipa/json [try 1]: Forwarding 'ping' to json server 'https://ipa3.optimcloud.com/ipa/json' [try 1]: Forwarding 'ca_is_enabled' to json server 'https://ipa3.optimcloud.com/ipa/json' Systemwide CA database updated. Hostname (ipa2.optimcloud.com) does not have A/AAAA record. Missing A/AAAA record(s) for host ipa2.optimcloud.com: 148.251.24.3. Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub [try 1]: Forwarding 'host_mod' to json server 'https://ipa3.optimcloud.com/ipa/json' SSSD enabled Configured /etc/openldap/ldap.conf NTP enabled Configured /etc/ssh/ssh_config Configured /etc/ssh/sshd_config Configuring optimcloud.com as NIS domain. Client configuration complete. The ipa-client-install command was successful [root@ipa2 ~]# ipa-replica-install --skip-conncheck --setup-dns --no-forwarders ipa : ERROR Reverse DNS resolution of address 148.251.24.3 (ipa2.optimcloud.com) failed. Clients may not function properly. Please che ck your DNS setup. (Note that this check queries IPA DNS directly and ignores /etc/hosts.) Continue? [no]: yes Configuring NTP daemon (ntpd) [1/4]: stopping ntpd [2/4]: writing configuration [3/4]: configuring ntpd to start on boot [4/4]: starting ntpd Done configuring NTP daemon (ntpd). Configuring directory server (dirsrv). Estimated time: 30 seconds [1/40]: creating directory server instance [2/40]: enabling ldapi [3/40]: configure autobind for root [4/40]: stopping directory server [5/40]: updating configuration in dse.ldif [6/40]: starting directory server [7/40]: adding default schema [8/40]: enabling memberof plugin [9/40]: enabling winsync plugin [10/40]: configuring replication version plugin [11/40]: enabling IPA enrollment plugin [12/40]: configuring uniqueness plugin [13/40]: configuring uuid plugin [14/40]: configuring modrdn plugin [15/40]: configuring DNS plugin [16/40]: enabling entryUSN plugin [17/40]: configuring lockout plugin [18/40]: configuring topology plugin [19/40]: creating indices [20/40]: enabling referential integrity plugin [21/40]: configuring certmap.conf [22/40]: configure new location for managed entries [23/40]: configure dirsrv ccache [24/40]: enabling SASL mapping fallback [25/40]: restarting directory server [26/40]: creating DS keytab [27/40]: setting up initial replication [error] DatabaseError: Server is unwilling to perform: Entry is managed by topology plugin. Adding of entry not allowed. Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR Server is unwilling to perform: Entry is managed by topology plugin. Adding of entry not allowed. ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-inst all.log for more information

6 years, 5 months

1
0
0 / 0

Multiboot and FreeIPA

by Pascal Ernster

Hi, is it possible to use multiple operating systems (for example different versions of Fedora and CentOS) at the same time on one and the same computer, with the same IP address/hostname, with all of these OS installations being valid FreeIPA clients at the same time? Could this cause problems as every operating system gets its own Kerberos TGT, its own SSH host keys, LDAP entries, etc? In case it matters: I'm using the FreeIPA packages from the official distro repos, which means that different OS installations may have differing versions of the FreeIPA client and its dependency packages. The use case would be a (hopefully) seamless distro upgrade, with an easy fallback option for users if they experience problems with the new distro release. Regards Pascal

6 years, 5 months

4
7
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users November 2017