[Freeipa-devel] Internal Server Error on Add User, Delegations and Self Service
David O'Brien
david.obrien at redhat.com
Fri Nov 30 03:35:30 UTC 2007
Rob Crittenden wrote:
> David O'Brien wrote:
>> Rob Crittenden wrote:
>>> David O'Brien wrote:
>>>> I've just updated my server and client on F7, 32-bit.
>>>>
>>>> Apart from the webUI being a bit reluctant to authorize[1] all seems to
>>>> be working so far, but I get "An unexpected error occured (sic) HTTP
>>>> Error Message: 500 - Internal Server Error" when I try to use Add User
>>>> or Self Service. I'm logged in as admin running on the server.
>>>>
>>>> When I click Manage Policy, and then click IPA Policy, I get the same
>>>> error.
>>>>
>>>> The other pages appear to work ok. I can add a user from the command
>>>> line; there were no objections to anything there.
>>>>
>>>> I'm using the 2007-11-20_09_31 build.
>>>>
>>>> [1]I'm not sure if it was the various restarts of services or the time
>>>> lag while I did it all, but the first few times I tried to connect to
>>>> the server I got Kerberos authentication errors, even though I had a
>>>> ticket, FF was set up properly, etc. I tried a couple of kdestroys and
>>>> kinits again, and it eventually connected.
>>>>
>>>> Anyone else encountered this or know what would cause it?
>>> Can you post a snippet from /var/log/ipa_error.log?
>>>
>>> rob
>>
> Something is out of sync. Can you try a newer build of IPA and a fresh
> install? This works in the tip.
>
> rob

I updated my repo to this:

baseurl=http://apoc.dsdev.sjc.redhat.com/tet/results/FC7/i386/2007-11-29_07_32-build/dist

I ran the commands on the ipa page about stopping dirsrv, removing the
directories, etc. (always do that before upgrading) and reinstalled ipa.
Then I got this during the server install:

[11/15]: adding default layout
Failed to add default ds layout Command '/usr/bin/ldapmodify -xv -D
cn=Directory Manager -w password -f /tmp/tmpgkg7cC' returned non-zero
exit status 32
root : CRITICAL Failed to add default ds layout Command
'/usr/bin/ldapmodify -xv -D cn=Directory Manager -w password -f
/tmp/tmpgkg7cC' returned non-zero exit status 32
[12/15]: configuring Posix uid/gid generation as first master

This doesn't *appear* to have stopped anything from working (so far). I
can still get a ticket, bring up the webUI, etc., but that's all I've
tried so far.

I think there are more SELinux denials occurring too, as features get
added. I'm not going to try to describe them all. Here's a snippet:

tail -50 /var/log/audit/audit.log | grep avc
type=AVC msg=audit(1196374877.700:22): avc: denied { write } for
pid=3697 comm="krb5kdc" path="/root/ipaserver-install.log" dev=dm-0
ino=163219 scontext=user_u:system_r:krb5kdc_t:s0
tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1196374877.700:22): avc: denied { read write } for
pid=3697 comm="krb5kdc" path="socket:[14728]" dev=sockfs ino=14728
scontext=user_u:system_r:krb5kdc_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=tcp_socket
type=AVC msg=audit(1196374892.221:23): avc: denied { write } for
pid=3743 comm="httpd" path="/root/ipaserver-install.log" dev=dm-0
ino=163219 scontext=user_u:system_r:httpd_t:s0
tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1196374892.221:23): avc: denied { read write } for
pid=3743 comm="httpd" path="socket:[14728]" dev=sockfs ino=14728
scontext=user_u:system_r:httpd_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=tcp_socket
type=AVC msg=audit(1196374896.627:24): avc: denied { write } for
pid=3809 comm="radiusd" path="/root/ipaserver-install.log" dev=dm-0
ino=163219 scontext=user_u:system_r:radiusd_t:s0
tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1196374896.627:24): avc: denied { read write } for
pid=3809 comm="radiusd" path="socket:[14728]" dev=sockfs ino=14728
scontext=user_u:system_r:radiusd_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=tcp_socket
type=AVC msg=audit(1196374897.129:25): avc: denied { search } for
pid=3809 comm="radiusd" name="tmp" dev=dm-0 ino=816001
scontext=user_u:system_r:radiusd_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1196374901.612:26): avc: denied { write } for
pid=3947 comm="krb5kdc" path="/root/ipaserver-install.log" dev=dm-0
ino=163219 scontext=user_u:system_r:krb5kdc_t:s0
tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1196374901.612:26): avc: denied { read write } for
pid=3947 comm="krb5kdc" path="socket:[14728]" dev=sockfs ino=14728
scontext=user_u:system_r:krb5kdc_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=tcp_socket

Using the same repo on the client, I get this:

/usr/sbin/ipa-client-install
Discovery was successful!
Realm: BRISBANE.REDHAT.COM
DNS Domain: brisbane.redhat.com
IPA Server: dhcp-127.brisbane.redhat.com
BaseDN: dc=brisbane,dc=redhat,dc=com
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 226, in <module>
    main()
  File "/usr/sbin/ipa-client-install", line 134, in main
    defopts.append({'name':'server', 'type':'option', 'value':ds.getServerName()})
NameError: global name 'defopts' is not defined

--
David O'Brien <mailto:daobrien at redhat.com>
RHCT
PGP-KeyID: 0x443CBA7B
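
One way to condense the AVC denials quoted in the message above into one entry per distinct denial, as an added example that is not part of the original post or of the FreeIPA code base. The function names are hypothetical; the sample records are copied from the message with the mail client's line wraps left in place.

```python
import re
from collections import Counter

# Records copied from the audit.log excerpt in the message above, still
# wrapped as mailed. The two krb5kdc records differ only in pid and timestamp.
SAMPLE = '''\
type=AVC msg=audit(1196374877.700:22): avc: denied { write } for
pid=3697 comm="krb5kdc" path="/root/ipaserver-install.log" dev=dm-0
ino=163219 scontext=user_u:system_r:krb5kdc_t:s0
tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1196374892.221:23): avc: denied { read write } for
pid=3743 comm="httpd" path="socket:[14728]" dev=sockfs ino=14728
scontext=user_u:system_r:httpd_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=tcp_socket
type=AVC msg=audit(1196374901.612:26): avc: denied { write } for
pid=3947 comm="krb5kdc" path="/root/ipaserver-install.log" dev=dm-0
ino=163219 scontext=user_u:system_r:krb5kdc_t:s0
tcontext=user_u:object_r:user_home_t:s0 tclass=file
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def rejoin(text):
    """Merge wrapped continuation lines back into one record per line."""
    records = []
    for line in text.splitlines():
        if line.startswith('type=') or not records:
            records.append(line.strip())
        else:
            records[-1] += ' ' + line.strip()
    return records

def selinux_type(context):
    parts = context.split(':')  # user:role:type[:level]
    return parts[2] if len(parts) > 2 else '?'

def parse_avc(record):
    m = AVC_RE.search(record)
    if not m:
        return None  # not an AVC denial (or truncated beyond use)
    f = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    return (selinux_type(f.get('scontext', '')), tuple(m.group(1).split()),
            f.get('tclass', '?'), selinux_type(f.get('tcontext', '')),
            f.get('path') or f.get('name') or '?')

def summarize(text):
    """Count denials per (source type, perms, class, target type, object)."""
    return Counter(r for r in map(parse_avc, rejoin(text)) if r)
```

Grouping on the SELinux types rather than on pid or timestamp collapses repeated denials from restarted daemons into a single entry with a count.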