FreeIPA, OSX, DockerDesktop
by james liu
PREP
====
git clone https://github.com/freeipa/freeipa-container.git
cd freeipa-container
mkdir /tmp/ipa-data
docker run --name freeipa-server-container -ti -h ipa.example.test --read-only -v /tmp/ip-data :/data:Z freeipa-server --sysctl net.ipv6.conf.all.disable_ipv6=1
RESULT
======
tar: etc/sysconfig/selinux: Cannot utime: No such file or directory
tar: Exiting with failure status due to previous errors
QUESTION
=========
I'm running DockerDesktop 2.0.4, OSX 10.13.6.
Is there a set of commands that will work?
Thanks
3 months, 1 week
ipa-replica-install failing
by Mitchell Smith
Hi list,
I wanted to repost this issue with a more appropriate subject line, in
case anyone has come across this issue before and has a work around.
To provide some context, I have two FreeIPA instances running FreeIPA
4.3.1 on Ubuntu 16.04 LTS.
I want to migrate to FreeIPA 4.5.4 running on CentOS 7.
I have a way to migrate by dumping all the users out with ldapsearch
and adding them to the new instance with ldapadd but it is a bit messy
and will result in all users having to reset their password, as it
won't let me add in already encrypted passwords.
My initial thought was to add the new instance as a replica and then
eventually retire the old one.
I ran in to some problems with the ‘ipa-replica-install’ command though.
I was able to join as a client no problem, but when I went to run
‘ipa-replica-install’ it failed while configuring the directory server
component.
[25/42]: restarting directory server
[26/42]: creating DS keytab
[27/42]: ignore time skew for initial replication
[28/42]: setting up initial replication
[error] DatabaseError: Server is unwilling to perform: modification
of attribute nsds5replicareleasetimeout is not allowed in replica
entry
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
I thought this might have something to do with differences between
4.3.1 and 4.5.4 but I wasn’t entirely sure.
If there is a work around for this issue, it would be a significantly
easier transition to the new FreeIPA instance.
Cheers,
Mitch
4 months, 4 weeks
kinit -n asking for password on clients
by John Ratliff
When trying to do pkinit, if I do kinit -n on one of the IdM servers, it
works fine. If I try on a client machine, it asks me for the password
for WELLKNOWN/ANONYMOUS@REALM.
I have the pkinit_anchors setup for the realm. As I'm trying to do
anonymous pkinit, I think I don't need a client certificate.
On the server, I get this:
$ KRB5_TRACE="/dev/stderr" kinit -n
[13061] 1518402857.924212: Getting initial credentials for
WELLKNOWN/ANONYMOUS(a)IDM.EXAMPLE.COM
[13061] 1518402857.929673: Sending request (200 bytes) to IDM.EXAMPLE.COM
[13061] 1518402857.931830: Initiating TCP connection to stream
10.77.9.101:88
[13061] 1518402857.932241: Sending TCP request to stream 10.77.9.101:88
[13061] 1518402857.939162: Received answer (359 bytes) from stream
10.77.9.101:88
[13061] 1518402857.939180: Terminating TCP connection to stream
10.77.9.101:88
[13061] 1518402857.939284: Response was from master KDC
[13061] 1518402857.939380: Received error from KDC:
-1765328359/Additional pre-authentication required
[13061] 1518402857.939474: Processing preauth types: 16, 15, 14, 136,
19, 147, 2, 133
[13061] 1518402857.939499: Selected etype info: etype aes256-cts, salt
"IDM.EXAMPLE.COMWELLKNOWNANONYMOUS", params ""
[13061] 1518402857.939509: Received cookie: MIT
[13061] 1518402857.939563: Preauth module pkinit (147) (info) returned:
0/Success
[13061] 1518402857.940352: PKINIT client computed kdc-req-body checksum
9/D98A0144E7E4ACC66B63EBCA98379AB9F055D143
[13061] 1518402857.940369: PKINIT client making DH request
[13061] 1518402858.935: Preauth module pkinit (16) (real) returned:
0/Success
[13061] 1518402858.956: Produced preauth for next request: 133, 16
[13061] 1518402858.994: Sending request (1408 bytes) to IDM.EXAMPLE.COM
[13061] 1518402858.1091: Initiating TCP connection to stream 10.77.9.101:88
[13061] 1518402858.1187: Sending TCP request to stream 10.77.9.101:88
[13061] 1518402858.43063: Received answer (2880 bytes) from stream
10.77.9.101:88
[13061] 1518402858.43088: Terminating TCP connection to stream
10.77.9.101:88
[13061] 1518402858.43198: Response was from master KDC
[13061] 1518402858.43258: Processing preauth types: 17, 19, 147
[13061] 1518402858.43273: Selected etype info: etype aes256-cts, salt
"IDM.EXAMPLE.COMWELLKNOWNANONYMOUS", params ""
[13061] 1518402858.43300: Preauth module pkinit (147) (info) returned:
0/Success
[13061] 1518402858.44150: PKINIT client verified DH reply
[13061] 1518402858.44189: PKINIT client found id-pkinit-san in KDC cert:
krbtgt/IDM.EXAMPLE.COM(a)IDM.EXAMPLE.COM
[13061] 1518402858.44199: PKINIT client matched KDC principal
krbtgt/IDM.EXAMPLE.COM(a)IDM.EXAMPLE.COM against id-pkinit-san; no EKU
check required
[13061] 1518402858.62345: PKINIT client used KDF 2B06010502030602 to
compute reply key aes256-cts/00E0
[13061] 1518402858.62395: Preauth module pkinit (17) (real) returned:
0/Success
[13061] 1518402858.62402: Produced preauth for next request: (empty)
[13061] 1518402858.62414: AS key determined by preauth: aes256-cts/00E0
[13061] 1518402858.62547: Decrypted AS reply; session key is:
aes256-cts/96F0
[13061] 1518402858.62589: FAST negotiation: available
[13061] 1518402858.62692: Initializing
KEYRING:persistent:760400007:krb_ccache_f3PFEy1 with default princ
WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
[13061] 1518402858.62770: Storing
WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS ->
krbtgt/IDM.EXAMPLE.COM(a)IDM.EXAMPLE.COM in
KEYRING:persistent:760400007:krb_ccache_f3PFEy1
[13061] 1518402858.62846: Storing config in
KEYRING:persistent:760400007:krb_ccache_f3PFEy1 for
krbtgt/IDM.EXAMPLE.COM(a)IDM.EXAMPLE.COM: fast_avail: yes
[13061] 1518402858.62878: Storing
WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS ->
krb5_ccache_conf_data/fast_avail/krbtgt\/IDM.EXAMPLE.COM\@IDM.EXAMPLE.COM(a)X-CACHECONF:
in KEYRING:persistent:760400007:krb_ccache_f3PFEy1
[13061] 1518402858.62933: Storing config in
KEYRING:persistent:760400007:krb_ccache_f3PFEy1 for
krbtgt/IDM.EXAMPLE.COM(a)IDM.EXAMPLE.COM: pa_type: 16
[13061] 1518402858.62954: Storing
WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS ->
krb5_ccache_conf_data/pa_type/krbtgt\/IDM.EXAMPLE.COM\@IDM.EXAMPLE.COM(a)X-CACHECONF:
in KEYRING:persistent:760400007:krb_ccache_f3PFEy1
But on the client, I get this:
$ KRB5_TRACE="/dev/stderr" kinit -n
[2941] 1518402820.155827: Getting initial credentials for
WELLKNOWN/ANONYMOUS(a)IDM.EXAMPLE.COM
[2941] 1518402820.156298: Sending request (200 bytes) to IDM.EXAMPLE.COM
[2941] 1518402820.158723: Resolving hostname paine.example.com.
[2941] 1518402820.159975: Resolving hostname phantom.example.com.
[2941] 1518402820.160757: Resolving hostname paine.example.com.
[2941] 1518402820.161411: Initiating TCP connection to stream
204.89.253.101:88
[2941] 1518402820.162065: Sending TCP request to stream 204.89.253.101:88
[2941] 1518402820.168495: Received answer (359 bytes) from stream
204.89.253.101:88
[2941] 1518402820.168532: Terminating TCP connection to stream
204.89.253.101:88
[2941] 1518402820.169917: Response was from master KDC
[2941] 1518402820.169974: Received error from KDC:
-1765328359/Additional pre-authentication required
[2941] 1518402820.170029: Processing preauth types: 16, 15, 14, 136, 19,
147, 2, 133
[2941] 1518402820.170051: Selected etype info: etype aes256-cts, salt
"IDM.EXAMPLE.COMWELLKNOWNANONYMOUS", params ""
[2941] 1518402820.170062: Received cookie: MIT
Password for WELLKNOWN/ANONYMOUS(a)IDM.EXAMPLE.COM:
[2941] 1518402833.34612: Preauth module encrypted_timestamp (2) (real)
returned: -1765328252/Password read interrupted
kinit: Pre-authentication failed: Password read interrupted while
getting initial credentials
Suggestions on what I'm missing?
Thanks.
6 months, 1 week
automember hostgroup by account?
by Amos
Is it possible to have an automember rule to add a host to a hostgroup
based on the account used with ipa-install-client?
Amos
7 months, 1 week
IPA and legacy systems
by Ronald Wimmer
What would be a good solution to add systems where the FQDN cannot be
changed?
Would it make sense to add a second DNS A Record in the IPA domain for
each of these systems?
Is there any experience on how to deal with such a situation?
Thanks a lot in advance!
Cheers,
Ronald
7 months, 4 weeks
ipa: ERROR: CIFS server communication error: code "3221225506", message "{Access Denied} A process has requested access to an object but has not been granted those access rights." (both may be "None")
by Bernard Lheureux
Hi all,
After a fresh install of FreeIPA 4.6.5-11.el7.centos.x86_64, fully updated from update repo on a CentOS7 x64 server, it appears that it is totally impossible to establish a trust with an AD running on local AD servers, we did it a few times ago with exactly the same distribution and had really no problem, we tried to completely reinstall the machine and the IPA wit always the same results,
ipa: ERROR: CIFS server communication error: code "3221225506", message "{Access Denied} A process has requested access to an object but has not been granted those access rights." (both may be "None")
Could someone point me to the direction to look for, because we are going nuts on this ?
We found some tips in the /var/log/httpd/errors, but nothing seems to provide sufficient infos...
[Wed Oct 02 12:54:57.868830 2019] [:error] [pid 2036] ipa: INFO: [jsonserver_session] admin(a)DOMAIN.INTRA: trust_add/1(u'domain.intra', trust_type=u'ad', realm_admin=u'admin', realm_passwd=u'********', bidirectional=True, version=u'2.231'): RemoteRetrieveError
The IPA server and the AD servers are in the same VLan with no firewall between them
samba version on the IPA server is the latest available: 4.9.1-6.el7.noarch
Thanks for your help...
9 months
freeipa with sudo and 2FA (OTP)
by John Ratliff
I'm trying to setup freeipa with OTP. I created a TOTP under my user in
freeipa and updated my user to use 2FA (password + OTP).
When I try to do sudo, it only asks for my password and it fails every
time (presumably because it isn't getting the OTP first).
I didn't see anything useful in the sss_sudo logs, even after adding
debug_level = 6 in the config.
What can I do to further troubleshoot this?
Thanks.
10 months
How to make ipa root certificate available system wide
by Kevin Vasko
Hello,
I’m wanting to make our https servers use a trusted certificate within our LAN only. So for example if I have websrv1.ny.example.com when a user uses a machine that’s enrolled into our realm and they visit https://websrv1.ny.example.com they shouldn’t be prompted to accept the self signed certificate.
I think I’m pretty close but I’m missing a small part.
The ipa server is all setup and working. Hosts are enrolled to ipa and have the /etc/ipa/ca.crt.
I have created a service for the http server in IPA. I have obtained a .key file and .crt file for my web server. Those keys for the web server are in the appropriate location and the web server is pointing at the certs correctly.
On my clients when I go to the web servers URl I am no longer getting a “self signed cert” error message in the browser.
That message has now changed to “unverified certificate authority”. Which basically indicates to me that the browser doesn’t know if this certificate authority should/can be trusted.
If i go in the browser (firefox or chrome) in the certificate authority section and import the /etc/ipa/ca.crt i get no errors in the browser about it being unverified.
So my question is, what am I missing to make the /etc/ipa/ca.crt file globally available for browsers to pick up the certificate automatically?
when we enroll a host we simply do
freeipa-install-client —domain=example.com —realm=EXAMPLE.COM —mkhomedir
Accept the defaults, put in the password to enroll and that’s it. Is there something I’m missing?
-Kevin
10 months, 3 weeks
ipa-server-install error [37/44] initializing group membership: [error] NotFound: no such entry
by Michael Schefczyk
Dear All,
Trying to install ipa-server (4.7.1-11.module_el8.0.0+79+bbd20d7b package from @AppStream) on a new virtual CentOS Linux 8.0.1905 server within my LAN (fresh test install, the previous version on CentOS 7 did work), I persistently get the following error message when freipa-install tries to configure the dirsrv:
[37/44]: initializing group membership
[error] NotFound: no such entry
I would very much welcome if anyone could point me to the right direction. I find the log content (below) not very telling.
Regards,
Michael Schefczyk
2019-10-13T07:21:07Z DEBUG step duration: dirsrv __add_topology_entries 0.05 sec
2019-10-13T07:21:07Z DEBUG [37/44]: initializing group membership
2019-10-13T07:21:07Z DEBUG Starting external process
2019-10-13T07:21:07Z DEBUG args=['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmpm2nl4f4x', '-H', 'ldapi://%2fvar%2frun%2fslapd-B72-COM.socket', '-Y', 'EXTERNAL']
2019-10-13T07:21:07Z DEBUG Process finished, return code=0
2019-10-13T07:21:07Z DEBUG stdout=add objectClass:
top
extensibleObject
add cn:
IPA install
add basedn:
dc=b72,dc=com
add filter:
(objectclass=*)
add ttl:
10
adding new entry "cn=IPA install 1570951250, cn=memberof task, cn=tasks, cn=config"
modify complete
2019-10-13T07:21:07Z DEBUG stderr=ldap_initialize( ldapi://%2Fvar%2Frun%2Fslapd-B72-COM.socket/??base )
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
2019-10-13T07:21:07Z DEBUG Waiting for memberof task to complete.
2019-10-13T07:21:07Z DEBUG Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1022, in error_handler
yield
File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1514, in find_entries
raise e
File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1474, in find_entries
result = self.conn.result3(id, 0)
File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 749, in result3
resp_ctrl_classes=resp_ctrl_classes
File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 756, in result4
ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 329, in _ldap_call
reraise(exc_type, exc_value, exc_traceback)
File "/usr/lib64/python3.6/site-packages/ldap/compat.py", line 44, in reraise
raise exc_value
File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 313, in _ldap_call
result = func(*args,**kwargs)
ldap.NO_SUCH_OBJECT: {'desc': 'No such object'}
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 605, in start_creation
run_step(full_msg, method)
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 591, in run_step
method()
File "/usr/lib/python3.6/site-packages/ipaserver/install/dsinstance.py", line 712, in init_memberof
replication.wait_for_task(conn, dn)
File "/usr/lib/python3.6/site-packages/ipaserver/install/replication.py", line 171, in wait_for_task
entry = conn.get_entry(dn, attrlist)
File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1571, in get_entry
size_limit=size_limit, get_effective_rights=get_effective_rights,
File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1383, in get_entries
**kwargs)
File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1521, in find_entries
break
File "/usr/lib64/python3.6/contextlib.py", line 99, in __exit__
self.gen.throw(type, value, traceback)
File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1032, in error_handler
raise errors.NotFound(reason=arg_desc or 'no such entry')
ipalib.errors.NotFound: no such entry
2019-10-13T07:21:07Z DEBUG [error] NotFound: no such entry
2019-10-13T07:21:07Z DEBUG File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 179, in execute
return_value = self.run()
File "/usr/lib/python3.6/site-packages/ipapython/install/cli.py", line 347, in run
return cfgr.run()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 360, in run
return self.execute()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 386, in execute
for rval in self._executor():
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
exc_handler(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
step()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 655, in _configure
next(executor)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
exc_handler(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 518, in _handle_exception
self.__parent._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 515, in _handle_exception
super(ComponentBase, self)._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
step()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python3.6/site-packages/ipapython/install/common.py", line 65, in _install
for unused in self._installer(self.parent):
File "/usr/lib/python3.6/site-packages/ipaserver/install/server/__init__.py", line 550, in main
master_install(self)
File "/usr/lib/python3.6/site-packages/ipaserver/install/server/install.py", line 253, in decorated
func(installer)
File "/usr/lib/python3.6/site-packages/ipaserver/install/server/install.py", line 800, in install
setup_pkinit=not options.no_pkinit)
File "/usr/lib/python3.6/site-packages/ipaserver/install/dsinstance.py", line 345, in create_instance
self.start_creation(runtime=30)
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 605, in start_creation
run_step(full_msg, method)
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 591, in run_step
method()
File "/usr/lib/python3.6/site-packages/ipaserver/install/dsinstance.py", line 712, in init_memberof
replication.wait_for_task(conn, dn)
File "/usr/lib/python3.6/site-packages/ipaserver/install/replication.py", line 171, in wait_for_task
entry = conn.get_entry(dn, attrlist)
File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1571, in get_entry
size_limit=size_limit, get_effective_rights=get_effective_rights,
File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1383, in get_entries
**kwargs)
File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1521, in find_entries
break
File "/usr/lib64/python3.6/contextlib.py", line 99, in __exit__
self.gen.throw(type, value, traceback)
File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1032, in error_handler
raise errors.NotFound(reason=arg_desc or 'no such entry')
2019-10-13T07:21:07Z DEBUG The ipa-server-install command failed, exception: NotFound: no such entry
2019-10-13T07:21:07Z ERROR no such entry
2019-10-13T07:21:07Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
1 year, 1 month
FreeIPA having problem after upgrading from Fedora 30 to 31
by Patrick Dung
Hello,
I got problem upgrading from FC30 to FC31.
Before upgrade the FreeIPA in FC30 is running fine.
After OS upgrade, IPA cannot start and checked that it stuck at the CA part.
I run ipa-server-upgrade manually but there is problem.
2019-10-29T21:03:58Z DEBUG request GET
https://home.local.nonet:8443/ca/rest/account/login
2019-10-29T21:03:58Z DEBUG request body ''
2019-10-29T21:03:58Z DEBUG response status 500
2019-10-29T21:03:58Z DEBUG response headers Content-Type:
text/html;charset=utf-8
Content-Language: en
Content-Length: 2481
Date: Tue, 29 Oct 2019 21:03:58 GMT
Connection: close
2019-10-29T21:03:58Z DEBUG response body (decoded): b'<!doctype html><html
lang="en"><head><title>HTTP Status 500 \xe2\x80\x93 Internal Server
Error</title><style type="text/css">h1
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}
h2
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;}
h3
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;}
body
{font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;}
p
{font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}
a {color:black;} a.name {color:black;} .line
{height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP
Status 500 \xe2\x80\x93 Internal Server Error</h1><hr class="line"
/><p><b>Type</b> Exception Report</p><p><b>Message</b> Subsystem
unavailable</p><p><b>Description</b> The server encountered an unexpected
condition that prevented it from fulfilling the
request.</p><p><b>Exception</b></p><pre>javax.ws.rs.ServiceUnavailableException:
Subsystem
unavailable\n\tcom.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:150)\n\torg.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:515)\n\tcom.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:82)\n\torg.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)\n\torg.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678)\n\torg.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)\n\torg.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408)\n\torg.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)\n\torg.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860)\n\torg.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1589)\n\torg.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)\n\tjava.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)\n\tjava.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)\n\torg.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\n\tjava.lang.Thread.run(Thread.java:748)\n</pre><p><b>Note</b>
The full stack trace of the root cause is available in the server
logs.</p><hr class="line" /><h3>Apache Tomcat/9.0.26</h3></body></html>'
2019-10-29T21:03:58Z ERROR IPA server upgrade failed: Inspect
/var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2019-10-29T21:03:58Z DEBUG File
"/usr/lib/python3.7/site-packages/ipapython/admintool.py", line 179, in
execute
return_value = self.run()
File
"/usr/lib/python3.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
line 54, in run
server.upgrade()
File
"/usr/lib/python3.7/site-packages/ipaserver/install/server/upgrade.py",
line 2223, in upgrade
upgrade_configuration()
File
"/usr/lib/python3.7/site-packages/ipaserver/install/server/upgrade.py",
line 2093, in upgrade_configuration
ca_enable_ldap_profile_subsystem(ca)
File
"/usr/lib/python3.7/site-packages/ipaserver/install/server/upgrade.py",
line 414, in ca_enable_ldap_profile_subsystem
cainstance.migrate_profiles_to_ldap()
File "/usr/lib/python3.7/site-packages/ipaserver/install/cainstance.py",
line 1937, in migrate_profiles_to_ldap
_create_dogtag_profile(profile_id, profile_data, overwrite=False)
File "/usr/lib/python3.7/site-packages/ipaserver/install/cainstance.py",
line 1943, in _create_dogtag_profile
with api.Backend.ra_certprofile as profile_api:
File "/usr/lib/python3.7/site-packages/ipaserver/plugins/dogtag.py", line
1315, in __enter__
raise errors.RemoteRetrieveError(reason=_('Failed to authenticate to CA
REST API'))
2019-10-29T21:03:58Z DEBUG The ipa-server-upgrade command failed,
exception: RemoteRetrieveError: Failed to authenticate to CA REST API
2019-10-29T21:03:58Z ERROR Unexpected error - see /var/log/ipaupgrade.log
for details:
RemoteRetrieveError: Failed to authenticate to CA REST API
2019-10-29T21:03:58Z ERROR The ipa-server-upgrade command failed. See
/var/log/ipaupgrade.log for more information
From /var/log/pki/pki-tomcat/ca/debug log file:
2019-10-30 05:03:50 [main] FINE: LdapAuthInfo: init()
2019-10-30 05:03:50 [main] FINE: LdapAuthInfo: init begins
2019-10-30 05:03:50 [main] FINEST: Getting
internaldb.ldapauth.authtype=SslClientAuth
2019-10-30 05:03:50 [main] FINE: LdapAuthInfo: init ends
2019-10-30 05:03:50 [main] FINEST: Property internaldb.errorIfDown not found
2019-10-30 05:03:50 [main] FINEST: Getting internaldb.errorIfDown=true
2019-10-30 05:03:50 [main] FINEST: Property internaldb.doCloning not found
2019-10-30 05:03:50 [main] FINEST: Getting internaldb.doCloning=true
2019-10-30 05:03:50 [main] FINE: LdapBoundConnFactory: doCloning: true
2019-10-30 05:03:50 [main] FINE: LdapBoundConnFactory: mininum: 3
2019-10-30 05:03:50 [main] FINE: LdapBoundConnFactory: maximum: 15
2019-10-30 05:03:50 [main] FINE: LdapBoundConnFactory: host:
home.local.nonet
2019-10-30 05:03:50 [main] FINE: LdapBoundConnFactory: port: 636
2019-10-30 05:03:50 [main] FINE: LdapBoundConnFactory: secure: true
2019-10-30 05:03:50 [main] FINE: LdapBoundConnFactory: authentication: 2
2019-10-30 05:03:50 [main] FINE: LdapBoundConnFactory: makeConnection(true)
2019-10-30 05:03:50 [main] FINEST: Getting
internaldb.ldapauth.clientCertNickname=subsystemCert cert-pki-ca
2019-10-30 05:03:50 [main] FINEST: Property tcp.keepAlive not found
2019-10-30 05:03:50 [main] FINEST: Getting tcp.keepAlive=true
2019-10-30 05:03:50 [main] FINE: TCP Keep-Alive: true
2019-10-30 05:03:50 [main] FINE: LdapBoundConnection: Connecting to
home.local.nonet:636 with client cert auth
2019-10-30 05:03:50 [main] FINE: ldapconn/PKISocketFactory.makeSSLSocket:
begins
2019-10-30 05:03:50 [main] SEVERE: Unable to create socket:
java.net.ConnectException: Connection refused (Connection refused)
java.net.ConnectException: Connection refused (Connection refused)
at java.net.PlainSocketImpl.socketConnect(Native Method)
at
java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
at
java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
at
java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
at java.net.Socket.connect(Socket.java:607)
at java.net.Socket.connect(Socket.java:556)
at java.net.Socket.<init>(Socket.java:452)
at java.net.Socket.<init>(Socket.java:262)
Some error is logged to /var/log/messages:
Oct 30 05:26:50 home server[65722]: WARNING: Exception processing realm
[com.netscape.cms.tomcat.ProxyRealm@5647a92b] background process
Oct 30 05:26:50 home server[65722]:
javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
Oct 30 05:26:50 home server[65722]: #011at
com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:142)
Oct 30 05:26:50 home server[65722]: #011at
org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1137)
Oct 30 05:26:50 home server[65722]: #011at
org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5566)
Oct 30 05:26:50 home server[65722]: #011at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1353)
Oct 30 05:26:50 home server[65722]: #011at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1357)
Oct 30 05:26:50 home server[65722]: #011at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1335)
Oct 30 05:26:50 home server[65722]: #011at
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
Oct 30 05:26:50 home server[65722]: #011at
java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308)
Oct 30 05:26:50 home server[65722]: #011at
java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180)
Oct 30 05:26:50 home server[65722]: #011at
java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294)
Oct 30 05:26:50 home server[65722]: #011at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
Oct 30 05:26:50 home server[65722]: #011at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
Oct 30 05:26:50 home server[65722]: #011at
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
Oct 30 05:26:50 home server[65722]: #011at
java.lang.Thread.run(Thread.java:748)
I am able to connect to my ldap server port 636 with TLS without problem.
Thanks,
Patrick
1 year, 2 months