Hi,
I recently deployed a new FreeIPA domain running on CentOS 7.4 and FreeIPA 4.5.
The installation went without hiccups, but the WebUI isn't working as
expected. Logging in with admin failed with this error:
Login failed due to an unknown reason.
I've seen this issue with every FreeIPA 4.5 replica I've built. As you may
know, this is a pretty common error with 4.5. I usually just chmod 444
/var/lib/ipa-client/pki/* as pointed out in
https://access.redhat.com/solutions/3178971 and the login starts working
again, but not this time with a brand new domain installation.
Permissions are correct for the PEM files:
ll /var/lib/pki/*
-r--r--r-- 1 root root 4406 Jan 9 14:49 ca-bundle.pem
-r--r--r-- 1 root root 4406 Jan 9 14:49 kdc-ca-bundle.pem
Here's the output of /var/log/httpd/error_log
[Thu Jan 18 01:14:40.543272 2018] [suexec:notice] [pid 12537] AH01232:
suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Jan 18 01:14:40.543348 2018] [:warn] [pid 12537]
NSSSessionCacheTimeout is deprecated. Ignoring.
[Thu Jan 18 01:14:40.766070 2018] [auth_digest:notice] [pid 12537] AH01757:
generating secret for digest authentication ...
[Thu Jan 18 01:14:40.766623 2018] [lbmethod_heartbeat:notice] [pid 12537]
AH02282: No slotmem from mod_heartmonitor
[Thu Jan 18 01:14:40.766640 2018] [:warn] [pid 12537]
NSSSessionCacheTimeout is deprecated. Ignoring.
[Thu Jan 18 01:14:40.843105 2018] [mpm_prefork:notice] [pid 12537] AH00163:
Apache/2.4.6 (CentOS) mod_auth_gssapi/1.5.1 mod_nss/1.0.14 NSS/3.28.4
mod_wsgi/3.4 Python/2.7.5 configured -- resuming normal operations
[Thu Jan 18 01:14:40.843134 2018] [core:notice] [pid 12537] AH00094:
Command line: '/usr/sbin/httpd -D FOREGROUND'
[Thu Jan 18 01:14:48.465191 2018] [:error] [pid 12545] ipa: INFO: ***
PROCESS START ***
[Thu Jan 18 01:14:48.470206 2018] [:error] [pid 12546] ipa: INFO: ***
PROCESS START ***
[Thu Jan 18 01:15:14.020600 2018] [:error] [pid 12545] ipa: INFO: 401
Unauthorized: [Errno 13] Permission denied
Output of /var/log/messages shows weird errors:
Jan 18 01:14:36 bo2-tnt-ipa-001 ipa-dnskeysyncd: ipa : ERROR
syncrepl_poll: LDAP error ({'desc': "Can't contact LDAP server"})
Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.102629780
+0000] - ERR - schema-compat-plugin - scheduled schema-compat-plugin tree
scan in about 5 seconds after the server startup!
Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.115268733
+0000] - ERR - NSACLPlugin - acl_parse - The ACL target
cn=groups,cn=compat,dc=ipa,dc=domain,dc=com does not exist
Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.116680963
+0000] - ERR - NSACLPlugin - acl_parse - The ACL target
cn=computers,cn=compat,dc=ipa,dc=domain,dc=com does not exist
Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.117878580
+0000] - ERR - NSACLPlugin - acl_parse - The ACL target
cn=ng,cn=compat,dc=ipa,dc=domain,dc=com does not exist
Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.119338367
+0000] - ERR - NSACLPlugin - acl_parse - The ACL target
ou=sudoers,dc=ipa,dc=domain,dc=com does not exist
Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.120503775
+0000] - ERR - NSACLPlugin - acl_parse - The ACL target
cn=users,cn=compat,dc=ipa,dc=domain,dc=com does not exist
Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.122000132
+0000] - ERR - NSACLPlugin - acl_parse - The ACL target
cn=vaults,cn=kra,dc=ipa,dc=domain,dc=com does not exist
Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.123149308
+0000] - ERR - NSACLPlugin - acl_parse - The ACL target
cn=vaults,cn=kra,dc=ipa,dc=domain,dc=com does not exist
Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.124282277
+0000] - ERR - NSACLPlugin - acl_parse - The ACL target
cn=vaults,cn=kra,dc=ipa,dc=domain,dc=com does not exist
Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.125837472
+0000] - ERR - NSACLPlugin - acl_parse - The ACL target
cn=vaults,cn=kra,dc=ipa,dc=domain,dc=com does not exist
Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.126966928
+0000] - ERR - NSACLPlugin - acl_parse - The ACL target
cn=vaults,cn=kra,dc=ipa,dc=domain,dc=com does not exist
Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.128085824
+0000] - ERR - NSACLPlugin - acl_parse - The ACL target
cn=vaults,cn=kra,dc=ipa,dc=domain,dc=com does not exist
Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.129501796
+0000] - ERR - NSACLPlugin - acl_parse - The ACL target
cn=vaults,cn=kra,dc=ipa,dc=domain,dc=com does not exist
Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.130686657
+0000] - ERR - NSACLPlugin - acl_parse - The ACL target
cn=vaults,cn=kra,dc=ipa,dc=domain,dc=com does not exist
Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.132301267
+0000] - ERR - NSACLPlugin - acl_parse - The ACL target
cn=vaults,cn=kra,dc=ipa,dc=domain,dc=com does not exist
Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.134575956
+0000] - ERR - NSACLPlugin - acl_parse - The ACL target
cn=vaults,cn=kra,dc=ipa,dc=domain,dc=com does not exist
Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.135778559
+0000] - ERR - NSACLPlugin - acl_parse - The ACL target
cn=vaults,cn=kra,dc=ipa,dc=domain,dc=com does not exist
Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.142405173
+0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=casigningcert
cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=domain,dc=com does not
exist
Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.143655721
+0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=casigningcert
cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=domain,dc=com does not
exist
Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.233078350
+0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=automember
rebuild membership,cn=tasks,cn=config does not exist
Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.238586332
+0000] - ERR - cos-plugin - cos_dn_defs_cb - Skipping CoS Definitcomn
cn=Password Policy,cn=accounts,dc=ipa,dc=domain,dc=com--no CoS Templates
found, which should be added before the CoS Definitcomn.
Jan 18 01:14:38 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:38.261575767
+0000] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will
start in about 5 seconds!
Jan 18 01:14:43 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:43.268319379
+0000] - ERR - schema-compat-plugin - warning: no entries set up under
ou=sudoers,dc=ipa,dc=domain,dc=com
Jan 18 01:14:43 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:43.272302862
+0000] - ERR - schema-compat-plugin - warning: no entries set up under
cn=ng, cn=compat,dc=ipa,dc=domain,dc=com
Jan 18 01:14:43 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:43.279547839
+0000] - ERR - schema-compat-plugin - warning: no entries set up under
cn=computers, cn=compat,dc=ipa,dc=domain,dc=com
Jan 18 01:14:43 bo2-tnt-ipa-001 ns-slapd: [18/Jan/2018:01:14:43.285336505
+0000] - ERR - schema-compat-plugin - Finished plugin initializatcomn.
Any ideas why?
Thanks
Alexandre Pitre
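The post above ties the WebUI "Login failed" message to two observable facts: the `401 Unauthorized: [Errno 13] Permission denied` line in httpd's error_log, and the mode of the PEM files under /var/lib/ipa-client/pki that the chmod 444 workaround from the Red Hat solution restores. The following script is an added diagnostic, not part of the original post and not FreeIPA project code. It counts the permission-denied login failures in an error_log and reports which PEM files in that directory the httpd worker (running as a non-root user) cannot read. The directory path comes from the post; the function names, the `IPA_PKI_DIR` override and the use of GNU `stat -c` (as on CentOS 7) are this script's own assumptions, and the sample log lines are copied from the post for the stand-alone run.

```shell
#!/bin/sh
# Added diagnostic script (not from the original post or the FreeIPA project).
# 1) counts the error_log lines that signal the permission problem described
#    in the post, and 2) checks whether the PEM files under the ipa-client PKI
#    directory are world-readable, i.e. whether the chmod 444 workaround from
#    Red Hat solution 3178971 is in effect.
# Assumptions: GNU stat (-c) as shipped on CentOS 7; the directory path is the
# one named in the post; function names are this script's own.

IPA_PKI_DIR="${IPA_PKI_DIR:-/var/lib/ipa-client/pki}"

# Sample error_log lines copied from the post, used by the stand-alone demo.
SAMPLE_ERROR_LOG='[Thu Jan 18 01:14:48.465191 2018] [:error] [pid 12545] ipa: INFO: *** PROCESS START ***
[Thu Jan 18 01:15:14.020600 2018] [:error] [pid 12545] ipa: INFO: 401 Unauthorized: [Errno 13] Permission denied'

# Reads an httpd error_log on stdin and prints how many IPA login attempts
# failed with EACCES (the "Permission denied" 401 quoted in the post).
# grep -c prints 0 but exits 1 when nothing matches, hence the "|| true".
count_ipa_permission_denied() {
    grep -c 'ipa: INFO: 401 Unauthorized: \[Errno 13\] Permission denied' || true
}

# Returns 0 if FILE exists and its mode grants read to "other", the class a
# non-root httpd worker falls into for root-owned files; 1 if it does not;
# 2 if the file is missing or cannot be stat'ed.
world_readable() {
    f="$1"
    [ -f "$f" ] || return 2
    mode=$(stat -c '%a' "$f") || return 2   # e.g. 444 or 600, no leading zero
    other=$(( mode % 10 ))                  # last octal digit = "other" bits
    [ $(( other & 4 )) -ne 0 ]              # 4 = read bit
}

# Prints one status line per PEM file in DIR and returns the number of files
# httpd could not read (0 means the workaround from the post is in place).
check_pki_dir() {
    dir="$1"
    bad=0
    for f in "$dir"/*.pem; do
        [ -e "$f" ] || { echo "no PEM files found under $dir"; return 1; }
        if world_readable "$f"; then
            echo "ok   $(stat -c '%a %U:%G' "$f") $f"
        else
            echo "FIX  $(stat -c '%a %U:%G' "$f") $f (expected 444)"
            bad=$(( bad + 1 ))
        fi
    done
    return "$bad"
}

# Stand-alone demo: count failures in the sample log, then inspect the real
# directory if this host has one.
n=$(printf '%s\n' "$SAMPLE_ERROR_LOG" | count_ipa_permission_denied)
echo "permission-denied logins in sample error_log: $n"
if [ -d "$IPA_PKI_DIR" ]; then
    check_pki_dir "$IPA_PKI_DIR" || echo "some PEM files are not readable by httpd"
fi
```

On a real server, `count_ipa_permission_denied < /var/log/httpd/error_log` gives the count for the live log, and a non-zero return from `check_pki_dir` names the files whose mode differs from the 444 the post applies; a file that is readable by root but not by "other" is exactly the case the workaround addresses.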