[Freeipa-devel] Internal Server Error on Add User, Delegations and Self Service

David O'Brien david.obrien at redhat.com
Fri Nov 30 03:35:30 UTC 2007


Rob Crittenden wrote:
> David O'Brien wrote:
>> Rob Crittenden wrote:
>>> David O'Brien wrote:
>>>> I've just updated my server and client on F7, 32-bit.
>>>>
>>>> Apart from the webUI being a bit reluctant to authorize[1] all seems to
>>>> be working so far, but I get "An unexpected error occured (sic) HTTP
>>>> Error Message: 500 - Internal Server Error" when I try to use Add User
>>>> or Self Service. I'm logged in as admin running on the server.
>>>>
>>>> When I click Manage Policy, and then click IPA Policy, I get the same
>>>> error.
>>>>
>>>> The other pages appear to work ok. I can add a user from the command
>>>> line; there were no objections to anything there.
>>>>
>>>> I'm using the 2007-11-20_09_31 build.
>>>>
>>>> [1]I'm not sure if it was the various restarts of services or the time
>>>> lag while I did it all, but the first few times I tried to connect to
>>>> the server I got Kerberos authentication errors, even though I had a
>>>> ticket, FF was set up properly, etc. I tried a couple of kdestroys and
>>>> kinits again, and it eventually connected.
>>>>
>>>> Anyone else encountered this or know what would cause it?
>>> Can you post a snippet from /var/log/ipa_error.log?
>>>
>>> rob
>>
> Something is out of sync. Can you try a newer build of IPA and a fresh
> install? This works in the tip.
> 
> rob

I updated my repo to this:

baseurl=http://apoc.dsdev.sjc.redhat.com/tet/results/FC7/i386/2007-11-29_07_32-build/dist

I ran the commands on the ipa page about stopping dirsrv, removing the
directories, etc (always do that before upgrading) and reinstalled ipa.

Then I got this during the server install:

[11/15]: adding default layout
Failed to add default ds layout Command '/usr/bin/ldapmodify -xv -D
cn=Directory Manager -w password -f /tmp/tmpgkg7cC' returned non-zero
exit status 32
root        : CRITICAL Failed to add default ds layout Command
'/usr/bin/ldapmodify -xv -D cn=Directory Manager -w password -f
/tmp/tmpgkg7cC' returned non-zero exit status 32
  [12/15]: configuring Posix uid/gid generation as first master

This doesn't *appear* to have stopped anything from working (so far). I
can still get a ticket, bring up the webUI, etc., but that's all I've
tried so far.

I think there are more SELinux denials occurring too, as features get
added. I'm not going to try to describe them all. Here's a snippet:

tail -50 /var/log/audit/audit.log | grep avc
type=AVC msg=audit(1196374877.700:22): avc:  denied  { write } for
pid=3697 comm="krb5kdc" path="/root/ipaserver-install.log" dev=dm-0
ino=163219 scontext=user_u:system_r:krb5kdc_t:s0
tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1196374877.700:22): avc:  denied  { read write } for
 pid=3697 comm="krb5kdc" path="socket:[14728]" dev=sockfs ino=14728
scontext=user_u:system_r:krb5kdc_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=tcp_socket
type=AVC msg=audit(1196374892.221:23): avc:  denied  { write } for
pid=3743 comm="httpd" path="/root/ipaserver-install.log" dev=dm-0
ino=163219 scontext=user_u:system_r:httpd_t:s0
tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1196374892.221:23): avc:  denied  { read write } for
 pid=3743 comm="httpd" path="socket:[14728]" dev=sockfs ino=14728
scontext=user_u:system_r:httpd_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=tcp_socket
type=AVC msg=audit(1196374896.627:24): avc:  denied  { write } for
pid=3809 comm="radiusd" path="/root/ipaserver-install.log" dev=dm-0
ino=163219 scontext=user_u:system_r:radiusd_t:s0
tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1196374896.627:24): avc:  denied  { read write } for
 pid=3809 comm="radiusd" path="socket:[14728]" dev=sockfs ino=14728
scontext=user_u:system_r:radiusd_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=tcp_socket
type=AVC msg=audit(1196374897.129:25): avc:  denied  { search } for
pid=3809 comm="radiusd" name="tmp" dev=dm-0 ino=816001
scontext=user_u:system_r:radiusd_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1196374901.612:26): avc:  denied  { write } for
pid=3947 comm="krb5kdc" path="/root/ipaserver-install.log" dev=dm-0
ino=163219 scontext=user_u:system_r:krb5kdc_t:s0
tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1196374901.612:26): avc:  denied  { read write } for
 pid=3947 comm="krb5kdc" path="socket:[14728]" dev=sockfs ino=14728
scontext=user_u:system_r:krb5kdc_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=tcp_socket


Using the same repo on the client, I get this:

/usr/sbin/ipa-client-install
Discovery was successful!
Realm: BRISBANE.REDHAT.COM
DNS Domain: brisbane.redhat.com
IPA Server: dhcp-127.brisbane.redhat.com
BaseDN: dc=brisbane,dc=redhat,dc=com
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 226, in <module>
    main()
  File "/usr/sbin/ipa-client-install", line 134, in main
    defopts.append({'name':'server', 'type':'option',
'value':ds.getServerName()})
NameError: global name 'defopts' is not defined


-- 

David O'Brien <mailto:daobrien at redhat.com>
RHCT
PGP-KeyID: 0x443CBA7B
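
Added example, not part of the original message or of the FreeIPA code: a small parser for AVC denial records like the ones quoted above. It rejoins the mail-wrapped lines and groups denials by target object, which shows at a glance when several confined domains are denied on the same inode. The function names are illustrative; the sample holds three records copied from the excerpt in the message.

```python
import re
from collections import defaultdict

# Three records copied from the audit.log excerpt above, still mail-wrapped.
SAMPLE = """\
type=AVC msg=audit(1196374877.700:22): avc:  denied  { write } for
pid=3697 comm="krb5kdc" path="/root/ipaserver-install.log" dev=dm-0
ino=163219 scontext=user_u:system_r:krb5kdc_t:s0
tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1196374892.221:23): avc:  denied  { write } for
pid=3743 comm="httpd" path="/root/ipaserver-install.log" dev=dm-0
ino=163219 scontext=user_u:system_r:httpd_t:s0
tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1196374897.129:25): avc:  denied  { search } for
pid=3809 comm="radiusd" name="tmp" dev=dm-0 ino=816001
scontext=user_u:system_r:radiusd_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=dir
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'denied\s+\{([^}]*)\}')

def unwrap(text):
    # A record starts at "type="; any other non-empty line continues it.
    records = []
    for line in text.splitlines():
        if line.startswith("type="):
            records.append(line.strip())
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records

def parse_avc(record):
    # Return one denial as a dict, or None if the record is not an AVC denial.
    m = PERMS.search(record)
    if not record.startswith("type=AVC") or not m:
        return None
    d = {k: v.strip('"') for k, v in FIELD.findall(record)}
    d["perms"] = m.group(1).split()
    d["domain"] = d["scontext"].split(":")[2]
    d["object"] = d.get("path") or d.get("name")
    return d

def group_by_object(text):
    # Map (object, inode, class) -> sorted source domains denied on it.
    groups = defaultdict(set)
    for d in filter(None, map(parse_avc, unwrap(text))):
        groups[(d["object"], d["ino"], d["tclass"])].add(d["domain"])
    return {k: sorted(v) for k, v in groups.items()}
```

On the sample, group_by_object(SAMPLE) puts krb5kdc_t and httpd_t under the same /root/ipaserver-install.log inode and radiusd_t alone under the tmp directory.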

