August 2023 - FreeIPA-users - Fedora mailing-lists

Errors in dirsrv log
by Ranbir 14 Mar '25

14 Mar '25

I'm seeing errors like the ones below on my ipa servers (excuse the wrapping): [11/Aug/2023:22:07:37.684144411 -0700] - ERR - get_value_from_string - type does not match: dsEntryDN != dsEntryDN;vucsn-64d5d558000400130000 [11/Aug/2023:22:07:37.686865097 -0700] - ERR - get_value_from_string - type does not match: dsEntryDN != dsEntryDN;vucsn-64d5d8d00004003e0000 [11/Aug/2023:22:07:37.689902756 -0700] - ERR - get_value_from_string - type does not match: dsEntryDN != dsEntryDN;vucsn-64d5dc51000700190000 [11/Aug/2023:22:07:37.693576614 -0700] - ERR - get_value_from_string - type does not match: dsEntryDN != dsEntryDN;vucsn-64d5ff800005002d0000 [11/Aug/2023:22:07:37.696088129 -0700] - ERR - get_value_from_string - type does not match: dsEntryDN != dsEntryDN;vucsn-64d60301000400380000 [11/Aug/2023:22:07:37.698351038 -0700] - ERR - get_value_from_string - type does not match: dsEntryDN != dsEntryDN;vucsn-64d606800007000d0000 I can't find anything about what they mean. What do these errors mean? How do I resolve the problem? -- Ranbir

3 5

Disabling "kinit admin" on all machines
by Dominik Vogt 18 Nov '24

18 Nov '24

What is the correct way to disable "kinit admin" on all ipa clients? In our setup, becoming admin should only possible on the ipa server. (Everything is done by scripts runn through ssh; nobody ever logs in to the server directly.) Ciao Dominik ^_^ ^_^ -- Dominik Vogt

3 12

Unable to install KRA Replica - 4.8.7
by David Andrzejewski 04 Nov '24

04 Nov '24

I'm attempting to reinstall a replica that I had previously removed. When I run ipa-replica-install and include the --setup-kra option, it eventually fails. I've included the output of the ipa-replica-install command, and the only "bad" thing I can find is the following in the tomcat debug log: > 2020-11-29 03:51:35 [ajp-nio-127.0.0.1-8009-exec-3] SEVERE: addConnector: Connector is already defined I've gone through and run ipa-healthcheck, all is well there. After uninstalling, I couldn't find any old references to the replica in the LDAP database.... the ipa-replica-install works fine if I do not include --setup-kra. Any help would be appreciated. I'm happy to provide whatever additional logs that may be needed. I've replaced my internal DNS suffix with 'example.com'. Thanks! - Dave Failed to configure KRA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'KRA', '-f', '/tmp/tmpf6kaucv2', '--debug'] returned non-zero exit status 1: 'INFO: Connecting to LDAP server at ldaps://ipa.example.com:636\nINFO: Connecting to LDAP server at ldaps://ipa.example.com:636\nINFO: Connecting to security domain at https://ipa.example.com:443\nINFO: Getting security domain info\nINFO: Logging into security domain IPA\nDEBUG: Installing Maven dependencies: False\nINFO: BEGIN spawning KRA subsystem in pki-tomcat instance\nINFO: Loading instance: pki-tomcat\nINFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf\nINFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf\nINFO: Loading instance Tomcat config: /etc/pki/pki-tomcat/tomcat.conf\nINFO: Loading password config: /etc/pki/pki-tomcat/password.conf\nINFO: Loading subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg\nINFO: Loading subsystem registry: /var/lib/pki/pki-tomcat/ca/conf/registry.cfg\nINFO: Loading instance registry: /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat\nINFO: - user: pkiuser\nINFO: - group: pkiuser\nINFO: Setting up pkiuser group\nINFO: Reusing existing pkiuser group with GID 17\nINFO: Setting up pkiuser user\nINFO: Reusing existing pkiuser user with UID 17\nDEBUG: Retrieving UID for \'pkiuser\'\nDEBUG: UID of \'pkiuser\' is 17\nDEBUG: Retrieving GID for \'pkiuser\'\nDEBUG: GID of \'pkiuser\' is 17\nINFO: Initialization\nINFO: Appending logs to /var/log/pki/pki-tomcat\nINFO: Setting up infrastructure\nINFO: Creating /etc/sysconfig/pki/tomcat/pki-tomcat\nINFO: Creating /etc/sysconfig/pki/tomcat/pki-tomcat/kra\nDEBUG: Command: mkdir -p /etc/sysconfig/pki/tomcat/pki-tomcat/kra\nDEBUG: Command: chmod 770 /etc/sysconfig/pki/tomcat/pki-tomcat/kra\nDEBUG: Command: chown 17:17 /etc/sysconfig/pki/tomcat/pki-tomcat/kra\nINFO: Creating /etc/sysconfig/pki/tomcat/pki-tomcat/kra/default.cfg\nDEBUG: Command: cp -p /usr/share/pki/server/etc/default.cfg /etc/sysconfig/pki/tomcat/pki-tomcat/kra/default.cfg\nDEBUG: Command: chmod 660 /etc/sysconfig/pki/tomcat/pki-tomcat/kra/default.cfg\nDEBUG: Command: chown 17:17 /etc/sysconfig/pki/tomcat/pki-tomcat/kra/default.cfg\nDEBUG: Command: touch /etc/sysconfig/pki/tomcat/pki-tomcat/kra/deployment.cfg\nDEBUG: Command: chmod 660 /etc/sysconfig/pki/tomcat/pki-tomcat/kra/deployment.cfg\nDEBUG: Command: chown 17:17 /etc/sysconfig/pki/tomcat/pki-tomcat/kra/deployment.cfg\nINFO: Creating /var/lib/pki/pki-tomcat\nINFO: Creating /var/lib/pki/pki-tomcat/kra\nDEBUG: Command: mkdir -p /var/lib/pki/pki-tomcat/kra\nDEBUG: Command: chmod 770 /var/lib/pki/pki-tomcat/kra\nDEBUG: Command: chown 17:17 /var/lib/pki/pki-tomcat/kra\nINFO: Preparing pki-tomcat instance\nINFO: Loading instance: pki-tomcat\nINFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf\nINFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf\nINFO: Loading instance Tomcat config: /etc/pki/pki-tomcat/tomcat.conf\nINFO: Loading password config: /etc/pki/pki-tomcat/password.conf\nINFO: Loading subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg\nINFO: Loading subsystem registry: /var/lib/pki/pki-tomcat/ca/conf/registry.cfg\nINFO: Loading instance registry: /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat\nINFO: - user: pkiuser\nINFO: - group: pkiuser\nINFO: Creating /etc/pki/pki-tomcat\nWARNING: Directory already exists: /etc/pki/pki-tomcat\nINFO: Creating /etc/pki/pki-tomcat/password.conf\nINFO: Reusing server NSS database password\nINFO: Using specified internal database password\nINFO: Reusing replication manager password\nINFO: Installing pki-tomcat instance\nINFO: Creating KRA subsystem\nINFO: Creating /var/log/pki/pki-tomcat/kra\nDEBUG: Command: mkdir /var/log/pki/pki-tomcat/kra\nINFO: Creating /var/log/pki/pki-tomcat/kra/archive\nDEBUG: Command: mkdir /var/log/pki/pki-tomcat/kra/archive\nINFO: Creating /var/log/pki/pki-tomcat/kra/signedAudit\nDEBUG: Command: mkdir /var/log/pki/pki-tomcat/kra/signedAudit\nINFO: Creating /etc/pki/pki-tomcat/kra\nDEBUG: Command: mkdir /etc/pki/pki-tomcat/kra\nINFO: Creating /etc/pki/pki-tomcat/kra/CS.cfg\nDEBUG: Command: cp /usr/share/pki/kra/conf/CS.cfg /etc/pki/pki-tomcat/kra/CS.cfg\nINFO: Creating /etc/pki/pki-tomcat/kra/registry.cfg\nINFO: Creating /var/lib/pki/pki-tomcat/kra/conf\nDEBUG: Command: ln -s /etc/pki/pki-tomcat/kra /var/lib/pki/pki-tomcat/kra/conf\nINFO: Creating /var/lib/pki/pki-tomcat/kra/logs\nDEBUG: Command: ln -s /var/log/pki/pki-tomcat/kra /var/lib/pki/pki-tomcat/kra/logs\nINFO: Creating /var/lib/pki/pki-tomcat/kra/registry\nDEBUG: Command: ln -s /etc/sysconfig/pki/tomcat/pki-tomcat /var/lib/pki/pki-tomcat/kra/registry\nINFO: Loading instance: pki-tomcat\nINFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf\nINFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf\nINFO: Loading instance Tomcat config: /etc/pki/pki-tomcat/tomcat.conf\nINFO: Loading password config: /etc/pki/pki-tomcat/password.conf\nINFO: Loading subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg\nINFO: Loading subsystem registry: /var/lib/pki/pki-tomcat/ca/conf/registry.cfg\nINFO: Loading subsystem config: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg\nINFO: Loading instance registry: /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat\nINFO: - user: pkiuser\nINFO: - group: pkiuser\nINFO: Getting transport cert info from CS.cfg\nINFO: Getting storage cert info from CS.cfg\nINFO: Getting sslserver cert info from CS.cfg\nINFO: Getting subsystem cert info from CS.cfg\nINFO: Getting audit_signing cert info from CS.cfg\nINFO: Storing subsystem config: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg\nINFO: Storing registry config: /var/lib/pki/pki-tomcat/kra/conf/registry.cfg\nINFO: Deploying /kra web application\nINFO: Loading instance: pki-tomcat\nINFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf\nINFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf\nINFO: Loading instance Tomcat config: /etc/pki/pki-tomcat/tomcat.conf\nINFO: Loading password config: /etc/pki/pki-tomcat/password.conf\nINFO: Loading subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg\nINFO: Loading subsystem registry: /var/lib/pki/pki-tomcat/ca/conf/registry.cfg\nINFO: Loading subsystem config: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg\nINFO: Loading subsystem registry: /var/lib/pki/pki-tomcat/kra/conf/registry.cfg\nINFO: Loading instance registry: /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat\nINFO: - user: pkiuser\nINFO: - group: pkiuser\nINFO: Creating /var/lib/pki/pki-tomcat/kra/webapps\nDEBUG: Command: mkdir -p /var/lib/pki/pki-tomcat/kra/webapps\nDEBUG: Command: chmod 770 /var/lib/pki/pki-tomcat/kra/webapps\nDEBUG: Command: chown 17:17 /var/lib/pki/pki-tomcat/kra/webapps\nINFO: Setting up ownerships, permissions, and ACLs on /var/lib/pki/pki-tomcat/kra/webapps\nINFO: Creating /etc/pki/pki-tomcat/Catalina/localhost/kra.xml\nINFO: Loading instance: pki-tomcat\nINFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf\nINFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf\nINFO: Loading instance Tomcat config: /etc/pki/pki-tomcat/tomcat.conf\nINFO: Loading password config: /etc/pki/pki-tomcat/password.conf\nINFO: Loading subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg\nINFO: Loading subsystem registry: /var/lib/pki/pki-tomcat/ca/conf/registry.cfg\nINFO: Loading subsystem config: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg\nINFO: Loading subsystem registry: /var/lib/pki/pki-tomcat/kra/conf/registry.cfg\nINFO: Loading instance registry: /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat\nINFO: - user: pkiuser\nINFO: - group: pkiuser\nINFO: Creating password file: /etc/pki/pki-tomcat/pfile\nINFO: Updating /etc/pki/pki-tomcat/password.conf\nDEBUG: Command: chmod 660 /etc/pki/pki-tomcat/password.conf\nDEBUG: Command: chown 17:17 /etc/pki/pki-tomcat/password.conf\nDEBUG: Command: ln -s /var/lib/pki/pki-tomcat/alias /var/lib/pki/pki-tomcat/kra/alias\nDEBUG: Command: pki -d /etc/pki/pki-tomcat/alias -C /etc/pki/pki-tomcat/pfile pkcs12-import --pkcs12 /tmp/tmp3plm5h3l --password-file /tmp/tmpm1sa32dg/password.txt --debug\nINFO: Certificates in PKCS #12 file:\nINFO: Java command: /usr/lib/jvm/jre-openjdk/bin/java -cp /usr/share/pki/lib/* -Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties com.netscape.cmstools.cli.MainCLI -d /etc/pki/pki-tomcat/alias -C /etc/pki/pki-tomcat/pfile --debug pkcs12-cert-find --pkcs12 /tmp/tmp3plm5h3l --password-file /tmp/tmpm1sa32dg/password.txt --debug\nINFO: Server URL: https://ipa.example.com:8443\nINFO: Loading NSS password from /etc/pki/pki-tomcat/pfile\nINFO: NSS database: /etc/pki/pki-tomcat/alias\nINFO: Message format: null\nINFO: Command: pkcs12-cert-find --pkcs12 /tmp/tmp3plm5h3l --password-file /tmp/tmpm1sa32dg/password.txt --debug\nINFO: Module: pkcs12\nINFO: Module: cert\nINFO: Module: find\nINFO: Initializing NSS\nINFO: Logging into internal token\nINFO: Using internal token\nINFO: - auditSigningCert cert-pki-kra\nINFO: - caSigningCert cert-pki-ca\nINFO: - storageCert cert-pki-kra\nINFO: - subsystemCert cert-pki-ca\nINFO: - transportCert cert-pki-kra\nINFO: Importing CA certificates:\nINFO: - caSigningCert cert-pki-ca\nDEBUG: Command: certutil -L -d /etc/pki/pki-tomcat/alias -f /etc/pki/pki-tomcat/pfile -n caSigningCert cert-pki-ca -a\nWARNING: Certificate already exists: caSigningCert cert-pki-ca\nINFO: Importing user certificates:\nINFO: - auditSigningCert cert-pki-kra\nINFO: - storageCert cert-pki-kra\nINFO: - subsystemCert cert-pki-ca\nINFO: - transportCert cert-pki-kra\nINFO: Java command: /usr/lib/jvm/jre-openjdk/bin/java -cp /usr/share/pki/lib/* -Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties com.netscape.cmstools.cli.MainCLI -d /etc/pki/pki-tomcat/alias -C /etc/pki/pki-tomcat/pfile --debug pkcs12-import --pkcs12 /tmp/tmp3plm5h3l --password-file /tmp/tmpm1sa32dg/password.txt --debug auditSigningCert cert-pki-kra storageCert cert-pki-kra subsystemCert cert-pki-ca transportCert cert-pki-kra\nINFO: Server URL: https://ipa.example.com:8443\nINFO: Loading NSS password from /etc/pki/pki-tomcat/pfile\nINFO: NSS database: /etc/pki/pki-tomcat/alias\nINFO: Message format: null\nINFO: Command: pkcs12-import --pkcs12 /tmp/tmp3plm5h3l --password-file /tmp/tmpm1sa32dg/password.txt --debug "auditSigningCert cert-pki-kra" "storageCert cert-pki-kra" "subsystemCert cert-pki-ca" "transportCert cert-pki-kra"\nINFO: Module: pkcs12\nINFO: Module: import\nINFO: Initializing NSS\nINFO: Logging into internal token\nINFO: Using internal token\nDEBUG: Command: certutil -M -d /etc/pki/pki-tomcat/alias -f /etc/pki/pki-tomcat/pfile -n auditSigningCert cert-pki-kra -t u,u,Pu\nDEBUG: Command: certutil -L -d /etc/pki/pki-tomcat/alias\nDEBUG: Result of CA certificate export: \nINFO: Removing /etc/pki/pki-tomcat/pfile\nDEBUG: Command: rm -f /etc/pki/pki-tomcat/pfile\nINFO: Getting transport cert info from CS.cfg\nINFO: Getting storage cert info from CS.cfg\nINFO: Getting sslserver cert info from CS.cfg\nINFO: Getting subsystem cert info from CS.cfg\nINFO: Getting audit_signing cert info from CS.cfg\nINFO: Storing subsystem config: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg\nINFO: Storing registry config: /var/lib/pki/pki-tomcat/kra/conf/registry.cfg\nINFO: Creating /root/.dogtag/pki-tomcat/kra\nDEBUG: Command: mkdir -p /root/.dogtag/pki-tomcat/kra\nDEBUG: Command: chmod 755 /root/.dogtag/pki-tomcat/kra\nDEBUG: Command: chown 0:0 /root/.dogtag/pki-tomcat/kra\nINFO: Creating password file: /root/.dogtag/pki-tomcat/kra/password.conf\nINFO: Updating /root/.dogtag/pki-tomcat/kra/password.conf\nDEBUG: Command: chmod 660 /root/.dogtag/pki-tomcat/kra/password.conf\nDEBUG: Command: chown 0:0 /root/.dogtag/pki-tomcat/kra/password.conf\nINFO: Storing PKCS #12 password in /root/.dogtag/pki-tomcat/kra/pkcs12_password.conf\nINFO: Updating /root/.dogtag/pki-tomcat/kra/pkcs12_password.conf\nDEBUG: Command: chmod 660 /root/.dogtag/pki-tomcat/kra/pkcs12_password.conf\nDEBUG: Command: chown 17:17 /root/.dogtag/pki-tomcat/kra/pkcs12_password.conf\nWARNING: Directory already exists: /var/lib/ipa/tmp-6ae9ficu\nDEBUG: Command: certutil -N -d /var/lib/ipa/tmp-6ae9ficu -f /root/.dogtag/pki-tomcat/kra/password.conf\nINFO: Creating SELinux contexts\nINFO: Generating system keys\nINFO: Loading instance: pki-tomcat\nINFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf\nINFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf\nINFO: Loading instance Tomcat config: /etc/pki/pki-tomcat/tomcat.conf\nINFO: Loading password config: /etc/pki/pki-tomcat/password.conf\nINFO: Loading subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg\nINFO: Loading subsystem registry: /var/lib/pki/pki-tomcat/ca/conf/registry.cfg\nINFO: Loading subsystem config: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg\nINFO: Loading subsystem registry: /var/lib/pki/pki-tomcat/kra/conf/registry.cfg\nINFO: Loading instance registry: /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat\nINFO: - user: pkiuser\nINFO: - group: pkiuser\nINFO: Configuring subsystem\nINFO: Loading instance: pki-tomcat\nINFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf\nINFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf\nINFO: Loading instance Tomcat config: /etc/pki/pki-tomcat/tomcat.conf\nINFO: Loading password config: /etc/pki/pki-tomcat/password.conf\nINFO: Loading subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg\nINFO: Loading subsystem registry: /var/lib/pki/pki-tomcat/ca/conf/registry.cfg\nINFO: Loading subsystem config: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg\nINFO: Loading subsystem registry: /var/lib/pki/pki-tomcat/kra/conf/registry.cfg\nINFO: Loading instance registry: /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat\nINFO: - user: pkiuser\nINFO: - group: pkiuser\nDEBUG: Setting ephemeral requests to true\nINFO: Storing subsystem config: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg\nINFO: Storing registry config: /var/lib/pki/pki-tomcat/kra/conf/registry.cfg\nINFO: Importing sslserver cert data from CA\nINFO: Importing subsystem cert data from CA\nINFO: Importing sslserver request data from CA\nINFO: Importing subsystem request data from CA\nINFO: Joining existing domain\nINFO: Getting install token\nINFO: Using CA at https://ipa.example.com:443\nINFO: Storing subsystem config: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg\nINFO: Storing registry config: /var/lib/pki/pki-tomcat/kra/conf/registry.cfg\nINFO: Reusing replicated database\nINFO: Initializing database\nDEBUG: Command: sudo -u pkiuser /usr/lib/jvm/jre-openjdk/bin/java -classpath /usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/tomcat-servlet-api.jar:/usr/share/pki/kra/webapps/kra/WEB-INF/lib/*:/var/lib/pki/pki-tomcat/common/lib/*:/usr/share/pki/lib/* -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/etc/pki/pki-tomcat/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Dcom.redhat.fips=false org.dogtagpki.server.cli.PKIServerCLI kra-db-init --setup-schema --setup-db-manager --setup-vlv-indexes --debug\nINFO: Loading /var/lib/pki/pki-tomcat/kra/conf/CS.cfg\nINFO: Initializing database ipaca for o=kra,o=ipaca\nINFO: Creating com.netscape.cmsutil.password.PlainPasswordFile\nFINE: PlainPasswordFile: Initializing PlainPasswordFile\nFINE: LdapAuthInfo: init()\nFINE: LdapAuthInfo: init begins\nFINE: LdapAuthInfo: init ends\nFINE: TCP Keep-Alive: true\nFINE: LdapAuthInfo: init: prompt is internaldb\nFINE: LdapAuthInfo: init: try getting from memory cache\nFINE: LdapAuthInfo: init: password not in memory\nFINE: LdapAuthInfo: getPasswordFromStore: try to get it from password store\nFINE: LdapAuthInfo: getPasswordFromStore: about to get from passwored store: internaldb\nFINE: LdapAuthInfo: getPasswordFromStore: password store available\nFINE: LdapAuthInfo: getPasswordFromStore: password found for prompt in password store\nFINE: LdapAuthInfo: password ok: store in memory cache\nFINE: LdapBoundConnection: Connecting to ipa.example.com:636 with basic auth as cn=Directory Manager\nFINE: ldapconn/PKISocketFactory.makeSSLSocket: begins\nFINE: PKIClientSocketListener.handshakeCompleted: begins\nFINE: Handshake completed:\nFINE: - client: 10.1.1.7\nFINE: - server: 10.1.1.7\nFINE: - subject: SYSTEM\nFINE: SignedAuditLogger: event CLIENT_ACCESS_SESSION_ESTABLISH\nFINE: PKIClientSocketListener.handshakeCompleted: CS_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS\nFINE: PKIClientSocketListener.handshakeCompleted: clientIP=10.1.1.7 serverIP=10.1.1.7 serverPort=636\nFINE: SSL handshake happened\nINFO: Configuring directory\nINFO: Importing /usr/share/pki/server/conf/database.ldif\nINFO: Creating /var/lib/pki/pki-tomcat/temp/pki-import-549427834453303422.ldif\nINFO: Modifying cn=config\nINFO: - replacing nsslapd-maxbersize: 209715200\nINFO: Enabling USN\nINFO: Importing /usr/share/pki/server/conf/usn.ldif\nINFO: Creating /var/lib/pki/pki-tomcat/temp/pki-import-784255222034676900.ldif\nINFO: Modifying cn=USN,cn=plugins,cn=config\nINFO: - replacing nsslapd-pluginenabled: on\nINFO: Setting up PKI schema\nINFO: Importing /usr/share/pki/server/conf/schema.ldif\nINFO: Adding attributetypes: ( usertype-oid NAME \'usertype\' DESC \'Distinguish whether the user is administrator, agent or subsystem.\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( userstate-oid NAME \'userstate\' DESC \'Distinguish whether the user is administrator, agent or subsystem.\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( cmsuser-oid NAME \'cmsuser\' DESC \'CMS User\' SUP top STRUCTURAL MUST usertype MAY userstate X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( archivedBy-oid NAME \'archivedBy\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( adminMessages-oid NAME \'adminMessages\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( algorithm-oid NAME \'algorithm\' DESC \'CMS defined attribute\'SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( algorithmId-oid NAME \'algorithmId\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( signingAlgorithmId-oid NAME \'signingAlgorithmId\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( autoRenew-oid NAME \'autoRenew\' DESC \'CMS defined attribute\'SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( certStatus-oid NAME \'certStatus\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( crlName-oid NAME \'crlName\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( crlSize-oid NAME \'crlSize\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( deltaSize-oid NAME \'deltaSize\' DESC \'CMS defined attribute\'SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( crlNumber-oid NAME \'crlNumber\' DESC \'CMS defined attribute\'SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( deltaNumber-oid NAME \'deltaNumber\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( firstUnsaved-oid NAME \'firstUnsaved\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( crlCache-oid NAME \'crlCache\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( revokedCerts-oid NAME \'revokedCerts\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( unrevokedCerts-oid NAME \'unrevokedCerts\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( expiredCerts-oid NAME \'expiredCerts\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( crlExtensions-oid NAME \'crlExtensions\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( dateOfArchival-oid NAME \'dateOfArchival\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( dateOfRecovery-oid NAME \'dateOfRecovery\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( dateOfRevocation-oid NAME \'dateOfRevocation\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( dateOfCreate-oid NAME \'dateOfCreate\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( dateOfModify-oid NAME \'dateOfModify\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( duration-oid NAME \'duration\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( extension-oid NAME \'extension\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( issuedBy-oid NAME \'issuedBy\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( issueInfo-oid NAME \'issueInfo\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( issuerName-oid NAME \'issuerName\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( keySize-oid NAME \'keySize\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( clientId-oid NAME \'clientId\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( dataType-oid NAME \'dataType\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( status-oid NAME \'status\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( keyState-oid NAME \'keyState\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( metaInfo-oid NAME \'metaInfo\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( nextUpdate-oid NAME \'nextUpdate\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( notAfter-oid NAME \'notAfter\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( notBefore-oid NAME \'notBefore\' DESC \'CMS defined attribute\'SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( ownerName-oid NAME \'ownerName\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( password-oid NAME \'password\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( p12Expiration-oid NAME \'p12Expiration\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( proofOfArchival-oid NAME \'proofOfArchival\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( publicKeyData-oid NAME \'publicKeyData\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( publicKeyFormat-oid NAME \'publicKeyFormat\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( privateKeyData-oid NAME \'privateKeyData\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( requestId-oid NAME \'requestId\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( requestInfo-oid NAME \'requestInfo\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( requestState-oid NAME \'requestState\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( requestResult-oid NAME \'requestResult\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( requestOwner-oid NAME \'requestOwner\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( requestAgentGroup-oid NAME \'requestAgentGroup\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( requestSourceId-oid NAME \'requestSourceId\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( requestType-oid NAME \'requestType\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( requestFlag-oid NAME \'requestFlag\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( requestError-oid NAME \'requestError\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( resourceACLS-oid NAME \'resourceACLS\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( revInfo-oid NAME \'revInfo\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( revokedBy-oid NAME \'revokedBy\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( revokedOn-oid NAME \'revokedOn\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( serialno-oid NAME \'serialno\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( nextRange-oid NAME \'nextRange\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( publishingStatus-oid NAME \'publishingStatus\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( beginRange-oid NAME \'beginRange\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( endRange-oid NAME \'endRange\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( subjectName-oid NAME \'subjectName\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( sessionContext-oid NAME \'sessionContext\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( thisUpdate-oid NAME \'thisUpdate\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( transId-oid NAME \'transId\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( transStatus-oid NAME \'transStatus\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( transName-oid NAME \'transName\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( transOps-oid NAME \'transOps\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( userDN-oid NAME \'userDN\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( userMessages-oid NAME \'userMessages\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( version-oid NAME \'version\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( Clone-oid NAME \'Clone\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( DomainManager-oid NAME \'DomainManager\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( SecurePort-oid NAME \'SecurePort\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( SecureAgentPort-oid NAME \'SecureAgentPort\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( SecureAdminPort-oid NAME \'SecureAdminPort\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( SecureEEClientAuthPort-oid NAME \'SecureEEClientAuthPort\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( UnSecurePort-oid NAME \'UnSecurePort\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( SubsystemName-oid NAME \'SubsystemName\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( cmsUserGroup-oid NAME \'cmsUserGroup\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( realm-oid NAME \'realm\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( CertACLS-oid NAME \'CertACLS\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST cn MAY resourceACLS X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( repository-oid NAME \'repository\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST ou MAY ( serialno $ description $ nextRange $ publishingStatus ) X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( request-oid NAME \'request\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST cn MAY ( requestId $ dateOfCreate $ dateOfModify $ requestState $ requestResult $ requestOwner $ requestAgentGroup $ requestSourceId $ requestType $ requestFlag $ requestError $ userMessages $ adminMessages $ realm ) X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( transaction-oid NAME \'transaction\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST cn MAY ( transId $ description $ transName $ transStatus $ transOps ) X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( crlIssuingPointRecord-oid NAME \'crlIssuingPointRecord\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST cn MAY ( dateOfCreate $ dateOfModify $ crlNumber $ crlSize $ thisUpdate $ nextUpdate $ deltaNumber $ deltaSize $ firstUnsaved $ certificateRevocationList $ deltaRevocationList $ crlCache $ revokedCerts $ unrevokedCerts $ expiredCerts $ cACertificate ) X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( certificateRecord-oid NAME \'certificateRecord\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST cn MAY ( serialno $ dateOfCreate $ dateOfModify $ certStatus $ autoRenew $ issueInfo $ metaInfo $ revInfo $ version $ duration $ notAfter $ notBefore $ algorithmId $ subjectName $ signingAlgorithmId $ userCertificate $ issuedBy $ revokedBy $ revokedOn $ extension $ publicKeyData $ issuerName ) X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( userDetails-oid NAME \'userDetails\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST userDN MAY ( dateOfCreate $ dateOfModify $ password $ p12Expiration ) X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( keyRecord-oid NAME \'keyRecord\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST cn MAY ( serialno $ dateOfCreate $ dateOfModify $ keyState $ privateKeyData $ ownerName $ keySize $ metaInfo $ dateOfArchival $ dateOfRecovery $ algorithm $ publicKeyFormat $ publicKeyData $ archivedBy $ clientId $ dataType $ status $ realm ) X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( pkiSecurityDomain-oid NAME \'pkiSecurityDomain\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST ( ou $ name ) X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( pkiSecurityGroup-oid NAME \'pkiSecurityGroup\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST cn X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( pkiSubsystem-oid NAME \'pkiSubsystem\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST ( cn $ Host $ SecurePort $ SubsystemName $ Clone ) MAY ( DomainManager $ SecureAgentPort $ SecureAdminPort $SecureEEClientAuthPort $ UnSecurePort ) X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( pkiRange-oid NAME \'pkiRange\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST ( cn $ beginRange $ endRange $ Host $ SecurePort ) X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( securityDomainSessionEntry-oid NAME \'securityDomainSessionEntry\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST ( cn $ host $ uid $ cmsUserGroup $ dateOfCreate ) X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( dateOfCreate-oid NAME \'dateOfCreate\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( dateOfModify-oid NAME \'dateOfModify\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( modified-oid NAME \'modified\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenUserID-oid NAME \'tokenUserID\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenStatus-oid NAME \'tokenStatus\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenAppletID-oid NAME \'tokenAppletID\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( keyInfo-oid NAME \'keyInfo\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( numberOfResets-oid NAME \'numberOfResets\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( numberOfEnrollments-oid NAME \'numberOfEnrollments\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( numberOfRenewals-oid NAME \'numberOfRenewals\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( numberOfRecoveries-oid NAME \'numberOfRecoveries\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( allowPinReset-oid NAME \'allowPinReset\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( extensions-oid NAME \'extensions\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenOp-oid NAME \'tokenOp\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenID-oid NAME \'tokenID\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenMsg-oid NAME \'tokenMsg\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenResult-oid NAME \'tokenResult\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenIP-oid NAME \'tokenIP\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenPolicy-oid NAME \'tokenPolicy\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenIssuer-oid NAME \'tokenIssuer\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenSubject-oid NAME \'tokenSubject\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenSerial-oid NAME \'tokenSerial\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenOrigin-oid NAME \'tokenOrigin\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenType-oid NAME \'tokenType\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenKeyType-oid NAME \'tokenKeyType\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenReason-oid NAME \'tokenReason\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenNotBefore-oid NAME \'tokenNotBefore\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenNotAfter-oid NAME \'tokenNotAfter\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( profileID-oid NAME \'profileID\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( tokenRecord-oid NAME \'tokenRecord\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST cn MAY ( dateOfCreate $ dateOfModify $ modified $ tokenReason $ tokenUserID $ tokenStatus $ tokenAppletID $ keyInfo $ tokenPolicy $ extensions $ numberOfResets $ numberOfEnrollments $ numberOfRenewals $ numberOfRecoveries $ userCertificate $ tokenType ) X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( tokenActivity-oid NAME \'tokenActivity\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST cn MAY ( dateOfCreate $ dateOfModify $ tokenOp $ tokenIP $ tokenResult $ tokenID $ tokenUserID $ tokenMsg $ extensions $ tokenType ) X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( tokenCert-oid NAME \'tokenCert\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST cn MAY ( dateOfCreate $ dateOfModify $ userCertificate $ tokenUserID $ tokenID $ tokenIssuer $ tokenOrigin $ tokenSubject $ tokenSerial $ tokenStatus $ tokenType $ tokenKeyType $ tokenNotBefore $ tokenNotAfter $ extensions ) X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( tpsProfileID-oid NAME \'tpsProfileID\' DESC \'CMS defined class\' SUP top AUXILIARY MAY ( profileID ) X-ORIGIN \'user-defined\' )\nINFO: Adding attributetypes: ( classId-oid NAME \'classId\' DESC \'Certificate profile class ID\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( certProfileConfig-oid NAME \'certProfileConfig\' DESC \'Certificate profile configuration\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( certProfile-oid NAME \'certProfile\' DESC \'Certificate profile\' SUP top STRUCTURAL MUST cn MAY ( classId $ certProfileConfig ) X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( authorityID-oid NAME \'authorityID\' DESC \'Authority ID\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( authorityKeyNickname-oid NAME \'authorityKeyNickname\' DESC \'Authority key nickname\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN \'user-defined\' )\nINFO: Adding attributetypes: ( authorityParentID-oid NAME \'authorityParentID\' DESC \'Authority Parent ID\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( authorityEnabled-oid NAME \'authorityEnabled\' DESC \'Authority Enabled\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( authorityDN-oid NAME \'authorityDN\' DESC \'Authority DN\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( authoritySerial-oid NAME \'authoritySerial\' DESC \'Authority certificate serial number\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( authorityParentDN-oid NAME \'authorityParentDN\' DESC \'Authority Parent DN\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( authorityKeyHost-oid NAME \'authorityKeyHost\' DESC \'Authority Key Hosts\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( authority-oid NAME \'authority\' DESC \'Certificate Authority\' SUP top STRUCTURAL MUST ( cn $ authorityID $ authorityKeyNickname $ authorityEnabled $ authorityDN ) MAY ( authoritySerial $ authorityParentID $ authorityParentDN $ authorityKeyHost $ description ) X-ORIGIN \'user defined\' )\nINFO: Setting up ACME schema\nINFO: Importing /usr/share/pki/acme/database/ldap/schema.ldif\nINFO: Adding attributetypes: ( acmeExpires-oid NAME \'acmeExpires\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SINGLE-VALUE )\nINFO: Adding attributetypes: ( acmeValidatedAt-oid NAME \'acmeValidatedAt\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SINGLE-VALUE )\nINFO: Adding attributetypes: ( acmeStatus-oid NAME \'acmeStatus\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 EQUALITY caseIgnoreMatch SINGLE-VALUE )\nINFO: Adding attributetypes: ( acmeError-oid NAME \'acmeError\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )\nINFO: Adding attributetypes: ( acmeNonceId-oid NAME \'acmeNonceId\' SUP name SINGLE-VALUE )\nINFO: Adding attributetypes: ( acmeAccountId-oid NAME \'acmeAccountId\' SUP name SINGLE-VALUE )\nINFO: Adding attributetypes: ( acmeAccountContact-oid NAME \'acmeAccountContact\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch )\nINFO: Adding attributetypes: ( acmeAccountKey-oid NAME \'acmeAccountKey\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )\nINFO: Adding attributetypes: ( acmeOrderId-oid NAME \'acmeOrderId\' SUP name SINGLE-VALUE )\nINFO: Adding attributetypes: ( acmeIdentifier-oid NAME \'acmeIdentifier\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 EQUALITY caseIgnoreMatch )\nINFO: Adding attributetypes: ( acmeAuthorizationId-oid NAME \'acmeAuthorizationId\' SUP name )\nINFO: Adding attributetypes: ( acmeAuthorizationWildcard-oid NAME \'acmeAuthorizationWildcard\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 EQUALITY booleanMatch SINGLE-VALUE )\nINFO: Adding attributetypes: ( acmeChallengeId-oid NAME \'acmeChallengeId\' SUP name SINGLE-VALUE )\nINFO: Adding attributetypes: ( acmeToken-oid NAME \'acmeToken\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )\nINFO: Adding attributetypes: ( acmeCertificateId-oid NAME \'acmeCertificateId\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 EQUALITY caseExactMatch SINGLE-VALUE )\nINFO: Adding objectclasses: ( acmeNonce-oid NAME \'acmeNonce\' STRUCTURAL MUST ( acmeNonceId $ acmeExpires ) )\nINFO: Adding objectclasses: ( acmeAccount-oid NAME \'acmeAccount\' STRUCTURAL MUST ( acmeAccountId $ acmeAccountKey $ acmeStatus ) MAY acmeAccountContact )\nINFO: Adding objectclasses: ( acmeOrder-oid NAME \'acmeOrder\' STRUCTURAL MUST ( acmeOrderId $ acmeAccountId $ acmeStatus $ acmeIdentifier $ acmeAuthorizationId ) MAY ( acmeError $ acmeCertificateId $ acmeExpires ) )\nINFO: Adding objectclasses: ( acmeAuthorization-oid NAME \'acmeAuthorization\' STRUCTURAL MUST ( acmeAuthorizationId $ acmeAccountId $ acmeIdentifier $ acmeAuthorizationWildcard $ acmeStatus ) MAY acmeExpires )\nINFO: Adding objectclasses: ( acmeChallenge-oid NAME \'acmeChallenge\' ABSTRACT MUST ( acmeChallengeId $ acmeAccountId $ acmeAuthorizationId $ acmeStatus ) MAY ( acmeValidatedAt $ acmeError ) )\nINFO: Adding objectclasses: ( acmeChallengeDns01-oid NAME \'acmeChallengeDns01\' SUP acmeChallenge STRUCTURAL MUST acmeToken )\nINFO: Adding objectclasses: ( acmeChallengeHttp01-oid NAME \'acmeChallengeHttp01\' SUP acmeChallenge STRUCTURAL MUST acmeToken )\nINFO: Adding objectclasses: ( acmeCertificate-oid NAME \'acmeCertificate\' STRUCTURAL MUST ( acmeCertificateId $ userCertificate ) MAY acmeExpires )\nINFO: Creating indexes\nINFO: Importing /usr/share/pki/kra/conf/index.ldif\nINFO: Creating /var/lib/pki/pki-tomcat/temp/pki-import-25296192129415365.ldif\nINFO: Adding cn=revokedby,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=revokedby,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=issuedby,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=issuedby,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=publicKeyData,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=publicKeyData,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=clientId,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=clientId,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=dataType,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=dataType,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=status,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=status,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=description,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=description,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=serialno,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=serialno,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=metaInfo,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=metaInfo,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=certstatus,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=certstatus,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=requestid,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=requestid,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=requesttype,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=requesttype,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=requeststate,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=requeststate,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=requestowner,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=requestowner,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=notbefore,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=notbefore,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=notafter,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=notafter,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=duration,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=duration,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=dateOfCreate,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=dateOfCreate,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=revokedOn,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=revokedOn,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=archivedBy,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=archivedBy,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=ownername,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=ownername,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=subjectname,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=subjectname,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=requestsourceid,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=requestsourceid,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=revInfo,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=revInfo,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=extension,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=extension,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=realm,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nINFO: Setting up database manager\nINFO: Importing /usr/share/pki/server/conf/manager.ldif\nINFO: Creating /var/lib/pki/pki-tomcat/temp/pki-import-3984013368624234966.ldif\nINFO: Adding ou=csusers,cn=config\nWARNING: Unable to add ou=csusers,cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Modifying o=kra,o=ipaca\nINFO: - adding aci: (targetattr = "*")(version 3.0; acl "cert manager access v2"; allow (all) userdn = "ldap:///uid=pkidbuser,ou=people,o=kra,o=ipaca";)\nWARNING: Unable to modify o=kra,o=ipaca: netscape.ldap.LDAPException: error result (20); Type or value exists\nINFO: Modifying cn=ldbm database,cn=plugins,cn=config\nINFO: - adding aci: (targetattr = "*")(version 3.0; acl "Cert Manager access for VLV searches"; allow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=kra,o=ipaca";)\nINFO: Modifying cn=config\nINFO: - adding aci: (targetattr != "aci")(version 3.0; aci "cert manager read access"; allow (read, search, compare) userdn = "ldap:///uid=pkidbuser,ou=people,o=kra,o=ipaca";)\nINFO: Modifying ou=csusers,cn=config\nINFO: - adding aci: (targetattr != "aci")(version 3.0; aci "cert manager manage replication users"; allow (all) userdn = "ldap:///uid=pkidbuser,ou=people,o=kra,o=ipaca";)\nINFO: Modifying cn="o=kra,o=ipaca",cn=mapping tree,cn=config\nINFO: - adding aci: (targetattr = "*")(version 3.0;acl "cert manager: Add Replication Agreements";allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=kra,o=ipaca";)\nWARNING: Unable to modify cn="o=kra,o=ipaca",cn=mapping tree,cn=config: netscape.ldap.LDAPException: error result (32); No such object\nINFO: Modifying cn="o=kra,o=ipaca",cn=mapping tree,cn=config\nINFO: - adding aci: (targetattr = "*")(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agreements"; allow (read, write, search) userdn = "ldap:///uid=pkidbuser,ou=people,o=kra,o=ipaca";)\nWARNING: Unable to modify cn="o=kra,o=ipaca",cn=mapping tree,cn=config: netscape.ldap.LDAPException: error result (32); No such object\nINFO: Modifying cn="o=kra,o=ipaca",cn=mapping tree,cn=config\nINFO: - adding aci: (targetattr = "*")(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager: Remove Replication Agreements";allow (delete) userdn = "ldap:///uid=pkidbuser,ou=people,o=kra,o=ipaca";)\nWARNING: Unable to modify cn="o=kra,o=ipaca",cn=mapping tree,cn=config: netscape.ldap.LDAPException: error result (32); No such object\nINFO: Modifying cn=tasks,cn=config\nINFO: - adding aci: (targetattr = "*")(version 3.0; acl "cert manager: Run tasks after replica re-initialization"; allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=kra,o=ipaca";)\nINFO: Creating VLV indexes\nINFO: Importing /usr/share/pki/kra/conf/vlv.ldif\nINFO: Creating /var/lib/pki/pki-tomcat/temp/pki-import-1261970238527115258.ldif\nINFO: Adding cn=allKeys-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraAll-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraArchival-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraRecovery-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraCanceled-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraCanceledEnrollment-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraCanceledRecovery-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraRejected-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraRejectedEnrollment-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraRejectedRecovery-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraComplete-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraCompleteEnrollment-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraCompleteRecovery-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=allKeys-pki-tomcatIndex, cn=allKeys-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraAll-pki-tomcatIndex, cn=kraAll-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraArchival-pki-tomcatIndex, cn=kraArchival-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraRecovery-pki-tomcatIndex, cn=kraRecovery-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraCanceled-pki-tomcatIndex, cn=kraCanceled-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraCanceledEnrollment-pki-tomcatIndex, cn=kraCanceledEnrollment-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraCanceledRecovery-pki-tomcatIndex, cn=kraCanceledRecovery-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraRejected-pki-tomcatIndex, cn=kraRejected-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraRejectedEnrollment-pki-tomcatIndex, cn=kraRejectedEnrollment-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraRejectedRecovery-pki-tomcatIndex, cn=kraRejectedRecovery-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraComplete-pki-tomcatIndex, cn=kraComplete-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraCompleteEnrollment-pki-tomcatIndex, cn=kraCompleteEnrollment-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraCompleteRecovery-pki-tomcatIndex, cn=kraCompleteRecovery-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Rebuilding VLV indexes\nINFO: Creating /var/lib/pki/pki-tomcat/temp/pki-kra-reindex-8248341685647863582.ldif\nINFO: Adding cn=index1160527115, cn=index, cn=tasks, cn=config\nINFO: Waiting for task cn=index1160527115, cn=index, cn=tasks, cn=config (1s)\nINFO: Getting cn=index1160527115, cn=index, cn=tasks, cn=config\nINFO: Task cn=index1160527115, cn=index, cn=tasks, cn=config complete\nFINE: PKIClientSocketListener.alertReceived: begins\nFINE: SSL alert received:\nFINE: - reason: CLOSE_NOTIFY\nFINE: - client: 10.1.1.7\nFINE: - server: 10.1.1.7\nFINE: - subject: SYSTEM\nFINE: SignedAuditLogger: event CLIENT_ACCESS_SESSION_TERMINATED\nFINE: PKIClientSocketListener.alertReceived: CS_CLIENT_ACCESS_SESSION_TERMINATED\nFINE: PKIClientSocketListener.alertReceived: clientIP=10.1.1.7 serverIP=10.1.1.7 serverPort=636 reason=CLOSE_NOTIFY\nFINE: PKIClientSocketListener.alertSent: begins\nFINE: PKIClientSocketListener.alertSent: got description:0\nFINE: PKIClientSocketListener.alertSent: got reason:CLOSE_NOTIFY\nFINE: PKIClientSocketListener.alertSent: CS_CLIENT_ACCESS_SESSION_TERMINATED\nFINE: PKIClientSocketListener.alertSent: clientIP=10.1.1.7 serverIP=10.1.1.7 serverPort=636 reason=CLOSE_NOTIFY\nFINE: SSL alert sent:\nFINE: - reason: CLOSE_NOTIFY\nFINE: - client: 10.1.1.7\nFINE: - server: 10.1.1.7\nFINE: - subject: SYSTEM\nFINE: SignedAuditLogger: event CLIENT_ACCESS_SESSION_TERMINATED\nFINE: PKIClientSocketListener.alertSent: CS_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE\nFINE: PKIClientSocketListener.alertSent: clientIP=10.1.1.7 serverIP=10.1.1.7 serverPort=636 reason=CLOSE_NOTIFY\nINFO: Updating ranges for KRA clone\nINFO: Updating request ID range\nDEBUG: Command: pki -d /etc/pki/pki-tomcat/alias -f /etc/pki/pki-tomcat/password.conf -U https://ipa2.example.com:443 kra-range-request request --session 7645071616159216931 --output-format json --debug\nINFO: Connecting to https://ipa2.example.com:443\nINFO: HTTP request: GET /pki/rest/info HTTP/1.1\nINFO: Accept: application/xml\nINFO: Host: ipa2.example.com:443\nINFO: Connection: Keep-Alive\nINFO: User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_272)\nINFO: Server certificate: CN=ipa2.example.com,O=example.com\nINFO: HTTP response: HTTP/1.1 404 Not Found\nINFO: Date: Sun, 29 Nov 2020 07:38:24 GMT\nINFO: Server: Apache/2.4.43 (Fedora) OpenSSL/1.1.1g mod_wsgi/4.6.6 Python/3.7 mod_auth_gssapi/1.6.1\nINFO: Content-Length: 196\nINFO: Keep-Alive: timeout=30, max=100\nINFO: Connection: Keep-Alive\nINFO: Content-Type: text/html; charset=iso-8859-1\nWARNING: Unable to get server info: Not Found\nINFO: Requesting request range\nINFO: HTTP request: POST /kra/admin/kra/updateNumberRange HTTP/1.1\nINFO: Content-Type: application/x-www-form-urlencoded\nINFO: Content-Length: 57\nINFO: Host: ipa2.example.com:443\nINFO: Connection: Keep-Alive\nINFO: User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_272)\nINFO: HTTP response: HTTP/1.1 200 200\nINFO: Date: Sun, 29 Nov 2020 07:38:25 GMT\nINFO: Server: Apache/2.4.43 (Fedora) OpenSSL/1.1.1g mod_wsgi/4.6.6 Python/3.7 mod_auth_gssapi/1.6.1\nINFO: Content-Type: application/xml\nINFO: Content-Length: 165\nINFO: Keep-Alive: timeout=30, max=99\nINFO: Connection: Keep-Alive\nFINE: Response: <?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><Status>0</Status><beginNumber>99980001</beginNumber><endNumber>99990000</endNumber></XMLResponse>\nFINE: Status: 0\nINFO: Begin: 99980001\nINFO: End: 99990000\nINFO: Updating serial number range\nDEBUG: Command: pki -d /etc/pki/pki-tomcat/alias -f /etc/pki/pki-tomcat/password.conf -U https://ipa2.example.com:443 kra-range-request serialNo --session 7645071616159216931 --output-format json --debug\nINFO: Connecting to https://ipa2.example.com:443\nINFO: HTTP request: GET /pki/rest/info HTTP/1.1\nINFO: Accept: application/xml\nINFO: Host: ipa2.example.com:443\nINFO: Connection: Keep-Alive\nINFO: User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_272)\nINFO: Server certificate: CN=ipa2.example.com,O=example.com\nINFO: HTTP response: HTTP/1.1 404 Not Found\nINFO: Date: Sun, 29 Nov 2020 07:38:28 GMT\nINFO: Server: Apache/2.4.43 (Fedora) OpenSSL/1.1.1g mod_wsgi/4.6.6 Python/3.7 mod_auth_gssapi/1.6.1\nINFO: Content-Length: 196\nINFO: Keep-Alive: timeout=30, max=100\nINFO: Connection: Keep-Alive\nINFO: Content-Type: text/html; charset=iso-8859-1\nWARNING: Unable to get server info: Not Found\nINFO: Requesting serialNo range\nINFO: HTTP request: POST /kra/admin/kra/updateNumberRange HTTP/1.1\nINFO: Content-Type: application/x-www-form-urlencoded\nINFO: Content-Length: 58\nINFO: Host: ipa2.example.com:443\nINFO: Connection: Keep-Alive\nINFO: User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_272)\nINFO: HTTP response: HTTP/1.1 200 200\nINFO: Date: Sun, 29 Nov 2020 07:38:29 GMT\nINFO: Server: Apache/2.4.43 (Fedora) OpenSSL/1.1.1g mod_wsgi/4.6.6 Python/3.7 mod_auth_gssapi/1.6.1\nINFO: Content-Type: application/xml\nINFO: Content-Length: 167\nINFO: Keep-Alive: timeout=30, max=99\nINFO: Connection: Keep-Alive\nFINE: Response: <?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><Status>0</Status><beginNumber>11ffe0001</beginNumber><endNumber>11fff0000</endNumber></XMLResponse>\nFINE: Status: 0\nINFO: Begin: 11ffe0001\nINFO: End: 11fff0000\nINFO: Updating replica ID range\nDEBUG: Command: pki -d /etc/pki/pki-tomcat/alias -f /etc/pki/pki-tomcat/password.conf -U https://ipa2.example.com:443 kra-range-request replicaId --session 7645071616159216931 --output-format json --debug\nINFO: Connecting to https://ipa2.example.com:443\nINFO: HTTP request: GET /pki/rest/info HTTP/1.1\nINFO: Accept: application/xml\nINFO: Host: ipa2.example.com:443\nINFO: Connection: Keep-Alive\nINFO: User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_272)\nINFO: Server certificate: CN=ipa2.example.com,O=example.com\nINFO: HTTP response: HTTP/1.1 404 Not Found\nINFO: Date: Sun, 29 Nov 2020 07:38:32 GMT\nINFO: Server: Apache/2.4.43 (Fedora) OpenSSL/1.1.1g mod_wsgi/4.6.6 Python/3.7 mod_auth_gssapi/1.6.1\nINFO: Content-Length: 196\nINFO: Keep-Alive: timeout=30, max=100\nINFO: Connection: Keep-Alive\nINFO: Content-Type: text/html; charset=iso-8859-1\nWARNING: Unable to get server info: Not Found\nINFO: Requesting replicaId range\nINFO: HTTP request: POST /kra/admin/kra/updateNumberRange HTTP/1.1\nINFO: Content-Type: application/x-www-form-urlencoded\nINFO: Content-Length: 59\nINFO: Host: ipa2.example.com:443\nINFO: Connection: Keep-Alive\nINFO: User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_272)\nINFO: HTTP response: HTTP/1.1 200 200\nINFO: Date: Sun, 29 Nov 2020 07:38:32 GMT\nINFO: Server: Apache/2.4.43 (Fedora) OpenSSL/1.1.1g mod_wsgi/4.6.6 Python/3.7 mod_auth_gssapi/1.6.1\nINFO: Content-Type: application/xml\nINFO: Content-Length: 157\nINFO: Keep-Alive: timeout=30, max=99\nINFO: Connection: Keep-Alive\nFINE: Response: <?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><Status>0</Status><beginNumber>1285</beginNumber><endNumber>1289</endNumber></XMLResponse>\nFINE: Status: 0\nINFO: Begin: 1285\nINFO: End: 1289\nINFO: Storing subsystem config: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg\nINFO: Storing registry config: /var/lib/pki/pki-tomcat/kra/conf/registry.cfg\nINFO: Updating configuration for KRA clone\nINFO: Updating configuration\nDEBUG: Command: pki -d /etc/pki/pki-tomcat/alias -f /etc/pki/pki-tomcat/password.conf -U https://ipa2.example.com:443 kra-config-export --names internaldb.ldapauth.password,internaldb.replication.password,cloning.ca.type --substores internaldb,internaldb.ldapauth,internaldb.ldapconn,kra.transport,kra.storage,kra.subsystem,kra.audit_signing --session 7645071616159216931 --output-format json --debug\nINFO: Connecting to https://ipa2.example.com:443\nINFO: HTTP request: GET /pki/rest/info HTTP/1.1\nINFO: Accept: application/xml\nINFO: Host: ipa2.example.com:443\nINFO: Connection: Keep-Alive\nINFO: User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_272)\nINFO: Server certificate: CN=ipa2.example.com,O=example.com\nINFO: HTTP response: HTTP/1.1 404 Not Found\nINFO: Date: Sun, 29 Nov 2020 07:38:36 GMT\nINFO: Server: Apache/2.4.43 (Fedora) OpenSSL/1.1.1g mod_wsgi/4.6.6 Python/3.7 mod_auth_gssapi/1.6.1\nINFO: Content-Length: 196\nINFO: Keep-Alive: timeout=30, max=100\nINFO: Connection: Keep-Alive\nINFO: Content-Type: text/html; charset=iso-8859-1\nWARNING: Unable to get server info: Not Found\nINFO: Getting configuration properties\nINFO: HTTP request: POST /kra/admin/kra/getConfigEntries HTTP/1.1\nINFO: Content-Type: application/x-www-form-urlencoded\nINFO: Content-Length: 269\nINFO: Host: ipa2.example.com:443\nINFO: Connection: Keep-Alive\nINFO: User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_272)\nINFO: HTTP response: HTTP/1.1 200 200\nINFO: Date: Sun, 29 Nov 2020 07:38:36 GMT\nINFO: Server: Apache/2.4.43 (Fedora) OpenSSL/1.1.1g mod_wsgi/4.6.6 Python/3.7 mod_auth_gssapi/1.6.1\nINFO: Content-Type: application/xml\nINFO: Content-Length: 10909\nINFO: Keep-Alive: timeout=30, max=99\nINFO: Connection: Keep-Alive\nFINE: Status: 0\nINFO: Properties:\nINFO: - internaldb._000\nINFO: - internaldb._001\nINFO: - internaldb._002\nINFO: - internaldb.basedn\nINFO: - internaldb.database\nINFO: - internaldb.maxConns\nINFO: - internaldb.minConns\nINFO: - internaldb.ldapauth.authtype\nINFO: - internaldb.ldapauth.bindDN\nINFO: - internaldb.ldapauth.bindPWPrompt\nINFO: - internaldb.ldapauth.clientCertNickname\nINFO: - internaldb.ldapconn.host\nINFO: - internaldb.ldapconn.port\nINFO: - internaldb.ldapconn.secureConn\nINFO: - kra.transport.cert\nINFO: - kra.transport.certreq\nINFO: - kra.transport.nickname\nINFO: - kra.transport.tokenname\nINFO: - kra.storage.cert\nINFO: - kra.storage.certreq\nINFO: - kra.storage.nickname\nINFO: - kra.storage.tokenname\nINFO: - kra.subsystem.cert\nINFO: - kra.subsystem.certreq\nINFO: - kra.subsystem.dn\nINFO: - kra.subsystem.nickname\nINFO: - kra.subsystem.tokenname\nINFO: - kra.audit_signing.cert\nINFO: - kra.audit_signing.certreq\nINFO: - kra.audit_signing.nickname\nINFO: - kra.audit_signing.tokenname\nINFO: - internaldb.replication.password\nINFO: - cloning.ca.type\nINFO: Storing subsystem config: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg\nINFO: Storing registry config: /var/lib/pki/pki-tomcat/kra/conf/registry.cfg\nINFO: Restarting server\nDEBUG: Command: systemctl restart pki-tomcatd(a)pki-tomcat.service\nINFO: FIPS mode is not enabled\nINFO: Subsystem status: running\nINFO: Configuring KRA subsystem\nINFO: Setting up clone\nINFO: Creating clone setup request\n/usr/lib/python3.6/site-packages/urllib3/connection.py:362: SubjectAltNameWarning: Certificate for ipa.example.com has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)\n SubjectAltNameWarning\nINFO: Setting up database\nINFO: Creating database setup request\nINFO: Getting sslserver cert info from CS.cfg\nINFO: Getting sslserver cert info from NSS database\nDEBUG: Command: certutil -L -d /etc/pki/pki-tomcat/alias -f /tmp/tmpl_0lpu4u/password.txt -n Server-Cert cert-pki-ca -a\nDEBUG: Command: certutil -L -d /etc/pki/pki-tomcat/alias -f /tmp/tmpef27un35/password.txt\nINFO: Setting up transport certificate\nINFO: transport certificate is already set up\nINFO: Setting up storage certificate\nINFO: storage certificate is already set up\nINFO: Setting up sslserver certificate\nINFO: sslserver certificate is already set up\nINFO: Setting up subsystem certificate\nINFO: subsystem certificate is already set up\nINFO: Setting up audit_signing certificate\nINFO: audit_signing certificate is already set up\nINFO: Backing up keys into /etc/pki/pki-tomcat/alias/kra_backup_keys.p12\nDEBUG: Command: pki-server subsystem-cert-export kra -i pki-tomcat --pkcs12-file /etc/pki/pki-tomcat/alias/kra_backup_keys.p12 --pkcs12-password-file /tmp/tmpdeq3qnpk/password.txt\nINFO: Setting up security domain\nINFO: Creating security domain setup request\nINFO: Finalizing KRA configuration\nINFO: Creating finalize config request\n') See the installation logs and the following files/directories for more information: /var/log/pki/pki-tomcat [error] RuntimeError: KRA configuration failed. Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. KRA configuration failed. The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information [root@ipa]~#

4 4

Removal & clean up certificates from o=ipaca
by David Goudet 30 Sep '24

30 Sep '24

Hello all, I have to clean up lot of useless certificate in dirsrv database. Because of resubmit loop on Certmonger client, i have 99,9% of certificate in dirsrv database that are useless and not obsolete (expiration in 2020) (it represent ~85 000 certificates). These useless certificates produce some issues on FreeIPA: - decrease FreeIPA performances on CLI and GUI - increase the LDAP size - increase size and time of FreeIPA backup ... Is it possible to purge these certificates in dirsrv database and how? I found two branches in LDAP directory about these certificates: dn: cn=xxx,ou=ca,ou=requests,o=ipaca dn: cn=yyy,ou=certificateRepository,ou=ca,o=ipaca I can remove all requests and certificates entry from dirsrv database but how it is supported by PKI manager Dogtag (CRL, certificate generation, OCSP)? (This topic has already been discuss on https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahost…) Thank you for you help -- David GOUDET LYRA NETWORK IT Operations service Tel : +33 (0)5 32 09 09 74 | Poste : 574

4 7

Help with Ghost Replica removal please.
by Nicholas Cross 01 Aug '24

01 Aug '24

I am on a long journey upgrading from a mixture of different versions of freeipa to the lastest and i am almost there, currently on 4.10. After removing some older replicas yesterday, a new replica had a fault and we had to restart dirsrv. When it came back up we saw we have ghost replicas across the whole estate 6x replicas in two locations. Issues are reported via `cipa` Digging into the tombstone records, i find there are not the usual tombstone replica records but more like the below. My question is, how do i remove these redundant records? As I believe this is what `cipa` is counting to report the errors. (marked with <<<<<<<<<<<<<<) The usual things do not work: # ipa-replica-manage -p $pass clean-ruv 15 Replica ID 15 not found $ cat remove_ruv.ldif dn: cn=clean 15,cn=cleanallruv,cn=tasks,cn=config changetype: add objectclass: top objectclass: extensibleObject replica-base-dn: dc=ad,dc=companyx,dc=fm replica-id: 15 cn: clean 15 ldapmodify -Y GSSAPI -f remove_ruv.ldif Thanks in advance. Nick $ ldapsearch -D "cn=Directory Manager" -w $pass -Q -o ldif-wrap=no -LLL -b "dc=ad,dc=companyx,dc=fm" '(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))' dn: cn=replica,cn=dc\3Dad\2Cdc\3Dcompanyx\2Cdc\3Dfm,cn=mapping tree,cn=config cn: replica nsDS5Flags: 1 nsDS5ReplicaBindDN: cn=replication manager,cn=config nsDS5ReplicaBindDNGroup: cn=replication managers,cn=sysaccounts,cn=etc,dc=ad,dc=companyx,dc=fm nsDS5ReplicaBindDnGroupCheckInterval: 60 nsDS5ReplicaId: 56 nsDS5ReplicaName: a6b5640c-ad3911ed-a50980fb-6203228c nsDS5ReplicaRoot: dc=ad,dc=companyx,dc=fm nsDS5ReplicaType: 3 nsState:: OAAAAAAAAABSPEJkAAAAAAAAAAAAAAAA7AAAAAAAAAAGAAAAAAAAAA== nsds5ReplicaBackoffMax: 300 nsds5ReplicaLegacyConsumer: off nsds5ReplicaReleaseTimeout: 60 objectClass: top objectClass: nsds5replica objectClass: extensibleobject nsds50ruv: {replicageneration} 5d9e2076000000040000 nsds50ruv: {replica 56 ldap://ipa006.ad.companyx.fm:389} 63ece66f000000380000 64423d4e000000380000 nsds50ruv: {replica 46 ldap://ipa005.ad.companyx.fm:389} 63dbcc200001002e0000 64423cf6000f002e0000 nsds50ruv: {replica 21 ldap://etcd0dc.ad.companyx.fm:389} 5f2d4bc1000000150000 64319ec3276200150000 nsds50ruv: {replica 48 ldap://ipa007.ad.companyx.fm:389} 63ea4e54000100300000 6442397e000a00300000 nsds50ruv: {replica 58 ldap://ipa001dc.ad.companyx.fm:389} 643d03280001003a0000 644232c00001003a0000 nsds50ruv: {replica 60 ldap://ipa002dc.ad.companyx.fm:389} 643d19680001003c0000 644232660004003c0000 nsds50ruv: {replica 62 ldap://ipa003dc.ad.companyx.fm:389} 643d491e0001003e0000 644233340000003e0000 nsds5agmtmaxcsn: dc=ad,dc=companyx,dc=fm; ipa006.ad.companyx.fm-to-ipa003dc.ad.companyx.fm;ipa003dc.ad.companyx.fm ;389;62;644238c9000000380000 nsds5agmtmaxcsn: dc=ad,dc=companyx,dc=fm; ipa006.ad.companyx.fm-to-ipa007.ad.companyx.fm;ipa007.ad.companyx.fm ;389;48;644238c9000000380000 nsds5agmtmaxcsn: dc=ad,dc=companyx,dc=fm; ipa006.ad.companyx.fm-to-etcd2dc.ad.companyx.fm;etcd2dc.ad.companyx.fm;389;unavailable;64423cf6000f002e0000 <<<<<<<<<<<<<< nsds5agmtmaxcsn: dc=ad,dc=companyx,dc=fm; ipa006.ad.companyx.fm-to-ipa005.ad.companyx.fm;ipa005.ad.companyx.fm ;389;46;644238c9000000380000 nsruvReplicaLastModified: {replica 56 ldap://ipa006.ad.companyx.fm:389} 64423c62 nsruvReplicaLastModified: {replica 46 ldap://ipa005.ad.companyx.fm:389} 64423c0c nsruvReplicaLastModified: {replica 21 ldap://etcd0dc.ad.companyx.fm:389} 00000000 nsruvReplicaLastModified: {replica 48 ldap://ipa007.ad.companyx.fm:389} 64423894 nsruvReplicaLastModified: {replica 58 ldap://ipa001dc.ad.companyx.fm:389} 644231da nsruvReplicaLastModified: {replica 60 ldap://ipa002dc.ad.companyx.fm:389} 6442317a nsruvReplicaLastModified: {replica 62 ldap://ipa003dc.ad.companyx.fm:389} 64423249 nsruvReplicaLastModified: {replica 12} 644180f7 <<<<<<<<<<<<<< nsruvReplicaLastModified: {replica 15} 644180f7 <<<<<<<<<<<<<< nsruvReplicaLastModified: {replica 25} 644180f7 <<<<<<<<<<<<<< nsruvReplicaLastModified: {replica 23} 644180f7 <<<<<<<<<<<<<< nsruvReplicaLastModified: {replica 40} 644180f7 <<<<<<<<<<<<<< nsds5ReplicaChangeCount: 734077 nsds5replicareapactive: 0

3 14

How to use ipa-dsu
by Duarte Petiz 28 May '24

28 May '24

Hello freeipa users! I'm trying to follow the guide that is available here: https://freeipa.readthedocs.io/en/latest/designs/disable-stale-users.html about ipa-dsu. I was trying to do a dry-run in order to check what it really does on my env but the package seems to not be present. I'm using the freeipa-server:rocky-9 docker image. root@prod-us-freeipa:~# docker exec -ti ipa_freeipa_1 bash [root@prod-us-freeipa /]# ipa-dsu --dry-run bash: ipa-dsu: command not found What could I do? Regards

3 4

KDC Self Signed Certificate Creation
by Mark Selby 22 May '24

22 May '24

My company has 6 FreeIPA servers across 3 different locations. Five of the six servers are ok, but one we could not login to. The error messages pointed to the expired certificate located at `/var/kerberos/krb5kdc/kdc.crt` My question is how do I "properly" renew or recreate this certificate. I have been able to renew it with the command listed below - but the renewed cert does not have the same characteristics as the other certs. The existing ones all see to be self signed with the specified profile while my new one does not have these features. It seems to be working Ok but it would great to understand how to generate this cert correctly. All is any help is greatly appreciated. The servers that work all display the following with using getcert list -f /var/kerberos/krb5kdc/kdc.crt Request ID '20191003181545': status: MONITORING stuck: no key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key' certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt' CA: SelfSign issuer: CN=ipa01.sub1.acme.org,O=ACME.ORG subject: CN=ipa01.sub1.acme.org,O=ACME.ORG expires: 2022-08-09 22:06:33 UTC principal name: krbtgt/ACME.ORG(a)ACME.ORG certificate template/profile: KDCs_PKINIT_Certs pre-save command: post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert track: yes auto-renew: yes Using the local-getcert start-tracking command below gets me an updated cert but it is not self signed and does not have the specified profile. local-getcert start-tracking \ -k /var/kerberos/krb5kdc/kdc.key \ -f /var/kerberos/krb5kdc/kdc.crt \ -T KDCs_PKINIT_Certs \ -C /usr/libexec/ipa/certmonger/renew_kdc_cert Request ID '20220117193849': status: MONITORING stuck: no key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key' certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt' CA: local issuer: CN=Certificate Authority,O=ACME.ORG subject: CN=vipa06.sub3.acme.org,O=ACME.ORG expires: 2024-01-18 17:32:20 UTC principal name: krbtgt/ACME.ORG(a)ACME.ORG key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-pkinit-KPKdc pre-save command: post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert track: yes auto-renew: yes

2 2

How to prevent non-admin users of FreeIPA from reading the list of users in the web interface?
by cdknight 16 Apr '24

16 Apr '24

When a user signs in to FreeIPA, I do not want them to be able to view the list of users in my LDAP server under the "Active users" link. I still want them to be able to administer self-service, so they can reset their password, add OTP tokens, etc. How would I go about doing this? The users will only be able to access the web interface, so it doesn't matter whether they can access it from other sources.

5 10

"Credential cache is empty" error preventing certmonger from renewing a host's certificate
by Sam Morris 11 Apr '24

11 Apr '24

I've got an IPA client on which certmonger is unable to renew a certificate. Here are the log messages from certmonger... 2023-06-20 08:24:49 [622035] Certificate submission attempt complete. 2023-06-20 08:24:49 [622035] Child status = 2. 2023-06-20 08:24:49 [622035] Child output: "Server at https://ipa5.ipa.example.com/ipa/json denied our request, giving up: 2100 (Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is > " 2023-06-20 08:24:49 [622035] Server at https://ipa5.ipa.example.com/ipa/json denied our request, giving up: 2100 (Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more infor> Here's the tracking request, nothing looks out of the ordinary to me... # getcert list -i 20220519165212 Number of certificates and requests being tracked: 2. Request ID '20220519165212': status: MONITORING ca-error: Server at https://ipa5.ipa.example.com/ipa/json denied our request, giving up: 2100 (Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cre. stuck: no key pair storage: type=FILE,location='/etc/cockpit/ws-certs.d/51-myhost.key' certificate: type=FILE,location='/etc/cockpit/ws-certs.d/51-myhost.crt' CA: IPA issuer: CN=Certificate Authority,O=IPA.EXAMPLE.COM subject: CN=myhost.ipa.example.com,O=IPA.EXAMPLE.COM issued: 2023-03-25 16:52:45 UTC expires: 2023-06-23 16:52:45 UTC dns: myhost.ipa.example.com principal name: host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: track: yes auto-renew: yes In order to rule out a problem with ipa5, I used 'ipactl' to stop everything on it, then re-ran 'getcert resubmit -i 20220519165212'. In the subsequent output of 'getcert list -i 20220519165212' I saw the same error message displayed but with the name of a different IPA server. So I don't think this is a problem with a particular IPA server. Next I extracted the CSR data from '/var/lib/certmonger/requests/20220519165212' to a file, authenticated as host/myhost.ipa.example.com (with 'kinit -k') and then ran 'ipa cert-request host.req --principal=host/myhost.ipa.example.com', which worked! So perhaps the problem is with certmonger, or with the way in which it interacts with the IPA server that differs from simply running 'ipa cert-request' as I did manually. I also tried to look for logs on the server side, but I didn't find anything very useful. /var/log/httpd/access_log has: 192.168.0.4 - - [20/Jun/2023:13:21:53 +0000] "POST /ipa/json HTTP/1.1" 401 2719 192.168.0.4 - host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM [20/Jun/2023:13:21:53 +0000] "POST /ipa/json HTTP/1.1" 200 526 So it looks like certmonger is having no problem authenticating to ipaapi. httpd is logging: $ journalctl -u httpd -e Jun 20 13:21:56 [121899]: GSSAPI client step 1 Jun 20 13:21:56 [121899]: GSSAPI client step 1 Jun 20 13:21:57 [121899]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty) So is looks like ipaapi might be having trouble using Kerberos as a client? I added KRB5_TRACE=/var/lib/httpd/krb5.trace to httpd.service's Environment= and restarted it, then re-ran 'getcert resubmit' on the tracking request. I got these messages: [124285] 1687270136.437160: Initializing FILE:/tmp/krb5cc-httpd with default princ HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM [124285] 1687270136.437161: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> Encrypted/Credentials/v1@X-GSSPROXY: in FILE:/tmp/krb5cc-httpd [124285] 1687270136.437163: Retrieving HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> Encrypted/Credentials/v1@X-GSSPROXY: from FILE:/tmp/krb5cc-httpd with result: 0/Success [124285] 1687270136.437165: Initializing FILE:/run/ipa/ccaches/host~myhost.ipa.example.com@IPA.EXAMPLE.COM-h3azdl with default princ host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM [124285] 1687270136.437166: Storing host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> Encrypted/Credentials/v1@X-GSSPROXY: in FILE:/run/ipa/ccaches/host~myhost.ipa.example.com@IPA.EXAMPLE.COM-h3azdl No errors there either. I set KRB5_TRACE=/var/lib/gssproxy/krb5.trace in gssproxy.service's Environment= and got: [124798] 1687270460.854044: Resolving unique ccache of type MEMORY [124798] 1687270460.854045: Initializing MEMORY:GJanRRF with default princ HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM [124798] 1687270460.854046: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/refresh_time@X-CACHECONF: in MEMORY:GJanRRF [124798] 1687270460.854047: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/pa_type/krbtgt\/IPA.EXAMPLE.COM\@IPA.EXAMPLE.COM@X-CACHECONF: in MEMORY:GJanRRF [124798] 1687270460.854048: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/fast_avail/krbtgt\/IPA.EXAMPLE.COM\@IPA.EXAMPLE.COM@X-CACHECONF: in MEMORY:GJanRRF [124798] 1687270460.854049: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krbtgt/IPA.EXAMPLE.COM(a)IPA.EXAMPLE.COM in MEMORY:GJanRRF [124798] 1687270460.854052: Destroying ccache MEMORY:GJanRRF [124798] 1687270460.854054: Resolving unique ccache of type MEMORY [124798] 1687270460.854055: Initializing MEMORY:Cn5E8Va with default princ HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM [124798] 1687270460.854056: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/refresh_time@X-CACHECONF: in MEMORY:Cn5E8Va [124798] 1687270460.854057: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/pa_type/krbtgt\/IPA.EXAMPLE.COM\@IPA.EXAMPLE.COM@X-CACHECONF: in MEMORY:Cn5E8Va [124798] 1687270460.854058: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/fast_avail/krbtgt\/IPA.EXAMPLE.COM\@IPA.EXAMPLE.COM@X-CACHECONF: in MEMORY:Cn5E8Va [124798] 1687270460.854059: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krbtgt/IPA.EXAMPLE.COM(a)IPA.EXAMPLE.COM in MEMORY:Cn5E8Va [124798] 1687270460.854062: Destroying ccache MEMORY:Cn5E8Va [124798] 1687270460.854064: Resolving unique ccache of type MEMORY [124798] 1687270460.854065: Initializing MEMORY:8e5DNHy with default princ HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM [124798] 1687270460.854066: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/refresh_time@X-CACHECONF: in MEMORY:8e5DNHy [124798] 1687270460.854067: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/pa_type/krbtgt\/IPA.EXAMPLE.COM\@IPA.EXAMPLE.COM@X-CACHECONF: in MEMORY:8e5DNHy [124798] 1687270460.854068: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/fast_avail/krbtgt\/IPA.EXAMPLE.COM\@IPA.EXAMPLE.COM@X-CACHECONF: in MEMORY:8e5DNHy [124798] 1687270460.854069: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krbtgt/IPA.EXAMPLE.COM(a)IPA.EXAMPLE.COM in MEMORY:8e5DNHy [124798] 1687270460.854071: Decrypted AP-REQ with server principal HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM: aes256-cts/E0A2 [124798] 1687270460.854072: AP-REQ ticket: host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM, session key aes256-cts/1952 [124798] 1687270460.854073: Negotiated enctype based on authenticator: aes256-cts [124798] 1687270460.854074: Authenticator contains subkey: aes256-cts/2098 [124798] 1687270460.854075: Resolving unique ccache of type MEMORY [124798] 1687270460.854076: Initializing MEMORY:FX6Yqgq with default princ host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM [124798] 1687270460.854077: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krbtgt/IPA.EXAMPLE.COM(a)IPA.EXAMPLE.COM in MEMORY:FX6Yqgq [124798] 1687270460.854078: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/fast_avail/krbtgt\/IPA.EXAMPLE.COM\@IPA.EXAMPLE.COM@X-CACHECONF: in MEMORY:FX6Yqgq [124798] 1687270460.854079: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/pa_type/krbtgt\/IPA.EXAMPLE.COM\@IPA.EXAMPLE.COM@X-CACHECONF: in MEMORY:FX6Yqgq [124798] 1687270460.854080: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/refresh_time@X-CACHECONF: in MEMORY:FX6Yqgq [124798] 1687270460.854081: Storing config in MEMORY:FX6Yqgq for : proxy_impersonator: HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM [124798] 1687270460.854082: Storing host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: in MEMORY:FX6Yqgq [124798] 1687270460.854083: Storing host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM in MEMORY:FX6Yqgq [124798] 1687270460.854085: Creating AP-REP, time 1687270460.725581, subkey aes256-cts/BB66, seqnum 668121546 [124798] 1687270461.005570: Destroying ccache MEMORY:FX6Yqgq [124798] 1687270461.005573: Destroying ccache MEMORY:8e5DNHy [124798] 1687270461.005575: Resolving unique ccache of type MEMORY [124798] 1687270461.005576: Initializing MEMORY:NmnNwyD with default princ host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM [124798] 1687270461.005577: Storing host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM in MEMORY:NmnNwyD [124798] 1687270461.005578: Storing host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: in MEMORY:NmnNwyD [124798] 1687270461.005579: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/refresh_time@X-CACHECONF: in MEMORY:NmnNwyD [124798] 1687270461.005580: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/pa_type/krbtgt\/IPA.EXAMPLE.COM\@IPA.EXAMPLE.COM@X-CACHECONF: in MEMORY:NmnNwyD [124798] 1687270461.005581: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/fast_avail/krbtgt\/IPA.EXAMPLE.COM\@IPA.EXAMPLE.COM@X-CACHECONF: in MEMORY:NmnNwyD [124798] 1687270461.005582: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krbtgt/IPA.EXAMPLE.COM(a)IPA.EXAMPLE.COM in MEMORY:NmnNwyD [124798] 1687270461.005585: Destroying ccache MEMORY:NmnNwyD [124798] 1687270461.005587: Resolving unique ccache of type MEMORY [124798] 1687270461.005588: Initializing MEMORY:gUnl8Xt with default princ host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM [124798] 1687270461.005589: Storing host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM in MEMORY:gUnl8Xt [124798] 1687270461.005590: Storing host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: in MEMORY:gUnl8Xt [124798] 1687270461.005591: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/refresh_time@X-CACHECONF: in MEMORY:gUnl8Xt [124798] 1687270461.005592: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/pa_type/krbtgt\/IPA.EXAMPLE.COM\@IPA.EXAMPLE.COM@X-CACHECONF: in MEMORY:gUnl8Xt [124798] 1687270461.005593: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/fast_avail/krbtgt\/IPA.EXAMPLE.COM\@IPA.EXAMPLE.COM@X-CACHECONF: in MEMORY:gUnl8Xt [124798] 1687270461.005594: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krbtgt/IPA.EXAMPLE.COM(a)IPA.EXAMPLE.COM in MEMORY:gUnl8Xt [124798] 1687270461.005597: Destroying ccache MEMORY:gUnl8Xt [124798] 1687270461.005599: Resolving unique ccache of type MEMORY [124798] 1687270461.005600: Initializing MEMORY:wBGblf3 with default princ host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM [124798] 1687270461.005601: Storing host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM in MEMORY:wBGblf3 [124798] 1687270461.005602: Storing host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: in MEMORY:wBGblf3 [124798] 1687270461.005603: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/refresh_time@X-CACHECONF: in MEMORY:wBGblf3 [124798] 1687270461.005604: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/pa_type/krbtgt\/IPA.EXAMPLE.COM\@IPA.EXAMPLE.COM@X-CACHECONF: in MEMORY:wBGblf3 [124798] 1687270461.005605: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/fast_avail/krbtgt\/IPA.EXAMPLE.COM\@IPA.EXAMPLE.COM@X-CACHECONF: in MEMORY:wBGblf3 [124798] 1687270461.005606: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krbtgt/IPA.EXAMPLE.COM(a)IPA.EXAMPLE.COM in MEMORY:wBGblf3 [124798] 1687270461.005609: Destroying ccache MEMORY:wBGblf3 [124798] 1687270461.005611: Resolving unique ccache of type MEMORY [124798] 1687270461.005612: Initializing MEMORY:4uHf47g with default princ host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM [124798] 1687270461.005613: Storing host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM in MEMORY:4uHf47g [124798] 1687270461.005614: Storing host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: in MEMORY:4uHf47g [124798] 1687270461.005615: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/refresh_time@X-CACHECONF: in MEMORY:4uHf47g [124798] 1687270461.005616: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/pa_type/krbtgt\/IPA.EXAMPLE.COM\@IPA.EXAMPLE.COM@X-CACHECONF: in MEMORY:4uHf47g [124798] 1687270461.005617: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/fast_avail/krbtgt\/IPA.EXAMPLE.COM\@IPA.EXAMPLE.COM@X-CACHECONF: in MEMORY:4uHf47g [124798] 1687270461.005618: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krbtgt/IPA.EXAMPLE.COM(a)IPA.EXAMPLE.COM in MEMORY:4uHf47g [124798] 1687270461.005621: Destroying ccache MEMORY:4uHf47g [124798] 1687270461.005623: Resolving unique ccache of type MEMORY [124798] 1687270461.005624: Initializing MEMORY:9LUdBez with default princ host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM [124798] 1687270461.005625: Storing host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM in MEMORY:9LUdBez [124798] 1687270461.005626: Storing host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: in MEMORY:9LUdBez [124798] 1687270461.005627: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/refresh_time@X-CACHECONF: in MEMORY:9LUdBez [124798] 1687270461.005628: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/pa_type/krbtgt\/IPA.EXAMPLE.COM\@IPA.EXAMPLE.COM@X-CACHECONF: in MEMORY:9LUdBez [124798] 1687270461.005629: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/fast_avail/krbtgt\/IPA.EXAMPLE.COM\@IPA.EXAMPLE.COM@X-CACHECONF: in MEMORY:9LUdBez [124798] 1687270461.005630: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krbtgt/IPA.EXAMPLE.COM(a)IPA.EXAMPLE.COM in MEMORY:9LUdBez [124798] 1687270461.005634: Initializing MEMORY:cred_allowed_0x7f85d9152380 with default princ host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM [124798] 1687270461.005635: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krbtgt/IPA.EXAMPLE.COM(a)IPA.EXAMPLE.COM in MEMORY:cred_allowed_0x7f85d9152380 [124798] 1687270461.005636: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/fast_avail/krbtgt\/IPA.EXAMPLE.COM\@IPA.EXAMPLE.COM@X-CACHECONF: in MEMORY:cred_allowed_0x7f85d9152380 [124798] 1687270461.005637: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/pa_type/krbtgt\/IPA.EXAMPLE.COM\@IPA.EXAMPLE.COM@X-CACHECONF: in MEMORY:cred_allowed_0x7f85d9152380 [124798] 1687270461.005638: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/refresh_time@X-CACHECONF: in MEMORY:cred_allowed_0x7f85d9152380 [124798] 1687270461.005639: Storing host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: in MEMORY:cred_allowed_0x7f85d9152380 [124798] 1687270461.005640: Storing host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM in MEMORY:cred_allowed_0x7f85d9152380 [124798] 1687270461.005641: Destroying ccache MEMORY:cred_allowed_0x7f85d9152380 [124798] 1687270461.005644: Getting credentials host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> ldap/ipa5.ipa.example.com@ using ccache MEMORY:9LUdBez [124798] 1687270461.005645: Retrieving host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/start_realm@X-CACHECONF: from MEMORY:9LUdBez with result: -1765328243/Matching credential not found [124798] 1687270461.005646: Retrieving host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> ldap/ipa5.ipa.example.com@ from MEMORY:9LUdBez with result: -1765328243/Matching credential not found [124798] 1687270461.005647: Retrying host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> ldap/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM with result: -1765328243/Matching credential not found [124798] 1687270461.005648: Retrieving host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM from MEMORY:9LUdBez with result: 0/Success [124798] 1687270461.005649: Getting credentials HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krbtgt/IPA.EXAMPLE.COM(a)IPA.EXAMPLE.COM using ccache MEMORY:9LUdBez [124798] 1687270461.005650: Retrieving host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/start_realm@X-CACHECONF: from MEMORY:9LUdBez with result: -1765328243/Matching credential not found [124798] 1687270461.005651: Retrieving HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krbtgt/IPA.EXAMPLE.COM(a)IPA.EXAMPLE.COM from MEMORY:9LUdBez with result: 0/Success [124798] 1687270461.005652: Get cred via TGT krbtgt/IPA.EXAMPLE.COM(a)IPA.EXAMPLE.COM after requesting ldap/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM (canonicalize on) [124798] 1687270461.005653: Generated subkey for TGS request: aes256-cts/FBB4 [124798] 1687270461.005654: etypes requested in TGS request: aes256-cts, aes256-sha2, camellia256-cts, aes128-cts, aes128-sha2, camellia128-cts [124798] 1687270461.005656: Encoding request body and padata into FAST request [124798] 1687270461.005657: Sending request (5335 bytes) to IPA.EXAMPLE.COM [124798] 1687270461.005658: Initiating TCP connection to stream 192.168.0.5:88 [124798] 1687270461.005659: Sending TCP request to stream 192.168.0.5:88 [124798] 1687270461.005660: Received answer (508 bytes) from stream 192.168.0.5:88 [124798] 1687270461.005661: Terminating TCP connection to stream 192.168.0.5:88 [124798] 1687270461.005662: Response was from master KDC [124798] 1687270461.005663: Decoding FAST response [124798] 1687270461.005664: Decoding FAST response [124798] 1687270461.005665: Got cred; -1765328371/KDC can't fulfill requested option [124798] 1687270461.005669: Destroying ccache MEMORY:9LUdBez The only thing that looks like an error in that output is "KDC can't fulfill requested option". The last place I can think of looking is in /var/log/krb5kdc.log: Jun 20 14:17:34 ipa5.ipa.example.com krb5kdc[119948](info): TGS_REQ : handle_authdata (-1765328371) Jun 20 14:17:34 ipa5.ipa.example.com krb5kdc[119948](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 192.168.0.5: HANDLE_AUTHDATA: authtime 1687270653, etypes {rep=UNSUPPORTED:(0)} HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM for ldap/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM, KDC can't fulfill requested option Jun 20 14:17:34 ipa5.ipa.example.com krb5kdc[119948](info): ... CONSTRAINED-DELEGATION s4u-client=host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM Jun 20 14:17:34 ipa5.ipa.example.com krb5kdc[119948](info): closing down fd 12 There's another instance of "KDC can't fulfill requested option". My best guess is that there's something wrong with the constrained delegation setup that lets ipaapi access the directory on behalf of the client host? But this looks fine: $ ipa servicedelegationrule-show ipa-http-delegation Delegation name: ipa-http-delegation Allowed Target: ipa-ldap-delegation-targets, ipa-cifs-delegation-targets Member principals: HTTP/ipa3.ipa.example.com(a)IPA.EXAMPLE.COM, HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM, HTTP/ipa6.ipa.example.com(a)IPA.EXAMPLE.COM $ ipa servicedelegationtarget-show ipa-ldap-delegation-targets Delegation name: ipa-ldap-delegation-targets Member principals: ldap/ipa3.ipa.example.com(a)IPA.EXAMPLE.COM, ldap/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM, ldap/ipa6.ipa.example.com(a)IPA.EXAMPLE.COM ... and in any case a simple 'ipa cert-request' as the host worked fine, it's only certmonger's attempts to request a certificate that are failing. The IPA client has: ipa-client-4.9.11-5.module+el8.8.0+18147+84fe6ec1.x86_64 certmonger-0.79.17-2.el8.x86_64 ... and the server has: ipa-server-4.9.11-5.module+el8.8.0+18146+a1d8660b.x86_64 Any troubleshooting help is really appreciated! -- Sam Morris <https://robots.org.uk/> PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9

2 5

missing attribute "sambaGroupType" when attempting to create a new group - creating groups worked previously
by Tom Spettigue 19 Mar '24

19 Mar '24

Hey all - I seem to be getting the following error message whenever I try to create a group via the web interface: ``` IPA Error 4205: ObjectclassViolation missing attribute "sambaGroupType" required by object class "sambaGroupMapping" ``` I'm not sure exactly what's happening, except that I know I've created groups numerous times before, and never gotten this error message. Does anyone have any ideas?

1 2

2025

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users August 2023