[Freeipa-devel] Internal Server Error on Add User, Delegations and Self Service

Karl MacMillan kmacmill at redhat.com
Fri Nov 30 16:54:07 UTC 2007


On Fri, 2007-11-30 at 13:35 +1000, David O'Brien wrote:
> Rob Crittenden wrote:
> > David O'Brien wrote:
> >> Rob Crittenden wrote:
> >>> David O'Brien wrote:
> >>>> I've just updated my server and client on F7, 32-bit.
> >>>>
> >>>> Apart from the webUI being a bit reluctant to authorize[1] all seems to
> >>>> be working so far, but I get "An unexpected error occured (sic) HTTP
> >>>> Error Message: 500 - Internal Server Error" when I try to use Add User
> >>>> or Self Service. I'm logged in as admin running on the server.
> >>>>
> >>>> When I click Manage Policy, and then click IPA Policy, I get the same
> >>>> error.
> >>>>
> >>>> The other pages appear to work ok. I can add a user from the command
> >>>> line; there were no objections to anything there.
> >>>>
> >>>> I'm using the 2007-11-20_09_31 build.
> >>>>
> >>>> [1]I'm not sure if it was the various restarts of services or the time
> >>>> lag while I did it all, but the first few times I tried to connect to
> >>>> the server I got Kerberos authentication errors, even though I had a
> >>>> ticket, FF was set up properly, etc. I tried a couple of kdestroys and
> >>>> kinits again, and it eventually connected.
> >>>>
> >>>> Anyone else encountered this or know what would cause it?
> >>> Can you post a snippet from /var/log/ipa_error.log?
> >>>
> >>> rob
> >>
> > Something is out of sync. Can you try a newer build of IPA and a fresh
> > install? This works in the tip.
> > 
> > rob
> 
> I updated my repo to this:
> 
> baseurl=http://apoc.dsdev.sjc.redhat.com/tet/results/FC7/i386/2007-11-29_07_32-build/dist
> 
> I ran the commands on the ipa page about stopping dirsrv, removing the
> directories, etc (always do that before upgrading) and reinstalled ipa.
> 
> Then I got this during the server install:
> 
> [11/15]: adding default layout
> Failed to add default ds layout Command '/usr/bin/ldapmodify -xv -D
> cn=Directory Manager -w password -f /tmp/tmpgkg7cC' returned non-zero
> exit status 32
> root        : CRITICAL Failed to add default ds layout Command
> '/usr/bin/ldapmodify -xv -D cn=Directory Manager -w password -f
> /tmp/tmpgkg7cC' returned non-zero exit status 32
>   [12/15]: configuring Posix uid/gid generation as first master
> 

A fix for this will be merged today.

> This doesn't *appear* to have stopped anything from working (so far). I
> can still get a ticket, bring up the webUI, etc., but that's all I've
> tried so far.
> 
> I think there are more SELinux denials occurring too, as features get
> added. I'm not going to try to describe them all. Here's a snippet:
> 
> tail -50 /var/log/audit/audit.log | grep avc
> type=AVC msg=audit(1196374877.700:22): avc:  denied  { write } for
> pid=3697 comm="krb5kdc" path="/root/ipaserver-install.log" dev=dm-0
> ino=163219 scontext=user_u:system_r:krb5kdc_t:s0
> tcontext=user_u:object_r:user_home_t:s0 tclass=file

Not much we can do about this - harmless.

> type=AVC msg=audit(1196374877.700:22): avc:  denied  { read write } for
>  pid=3697 comm="krb5kdc" path="socket:[14728]" dev=sockfs ino=14728
> scontext=user_u:system_r:krb5kdc_t:s0
> tcontext=user_u:system_r:unconfined_t:s0 tclass=tcp_socket

Can you file a bug for this one?

> type=AVC msg=audit(1196374892.221:23): avc:  denied  { write } for
> pid=3743 comm="httpd" path="/root/ipaserver-install.log" dev=dm-0
> ino=163219 scontext=user_u:system_r:httpd_t:s0
> tcontext=user_u:object_r:user_home_t:s0 tclass=file

Harmless.

> type=AVC msg=audit(1196374892.221:23): avc:  denied  { read write } for
>  pid=3743 comm="httpd" path="socket:[14728]" dev=sockfs ino=14728
> scontext=user_u:system_r:httpd_t:s0
> tcontext=user_u:system_r:unconfined_t:s0 tclass=tcp_socket

Put in above bug.

> type=AVC msg=audit(1196374896.627:24): avc:  denied  { write } for
> pid=3809 comm="radiusd" path="/root/ipaserver-install.log" dev=dm-0
> ino=163219 scontext=user_u:system_r:radiusd_t:s0
> tcontext=user_u:object_r:user_home_t:s0 tclass=file

Harmless.

> type=AVC msg=audit(1196374896.627:24): avc:  denied  { read write } for
>  pid=3809 comm="radiusd" path="socket:[14728]" dev=sockfs ino=14728
> scontext=user_u:system_r:radiusd_t:s0
> tcontext=user_u:system_r:unconfined_t:s0 tclass=tcp_socket

Put in above bug.

> type=AVC msg=audit(1196374897.129:25): avc:  denied  { search } for
> pid=3809 comm="radiusd" name="tmp" dev=dm-0 ino=816001
> scontext=user_u:system_r:radiusd_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=dir

Put in above bug.

> type=AVC msg=audit(1196374901.612:26): avc:  denied  { write } for
> pid=3947 comm="krb5kdc" path="/root/ipaserver-install.log" dev=dm-0
> ino=163219 scontext=user_u:system_r:krb5kdc_t:s0
> tcontext=user_u:object_r:user_home_t:s0 tclass=file

Harmless.

> type=AVC msg=audit(1196374901.612:26): avc:  denied  { read write } for
>  pid=3947 comm="krb5kdc" path="socket:[14728]" dev=sockfs ino=14728
> scontext=user_u:system_r:krb5kdc_t:s0
> tcontext=user_u:system_r:unconfined_t:s0 tclass=tcp_socket
> 

Put in above bug.

> 
> Using the same repo on the client, I get this:
> 
> /usr/sbin/ipa-client-install
> Discovery was successful!
> Realm: BRISBANE.REDHAT.COM
> DNS Domain: brisbane.redhat.com
> IPA Server: dhcp-127.brisbane.redhat.com
> BaseDN: dc=brisbane,dc=redhat,dc=com
> Traceback (most recent call last):
>   File "/usr/sbin/ipa-client-install", line 226, in <module>
>     main()
>   File "/usr/sbin/ipa-client-install", line 134, in main
>     defopts.append({'name':'server', 'type':'option',
> 'value':ds.getServerName()})
> NameError: global name 'defopts' is not defined
> 

If there isn't a bug for this, please file one.

Thanks - Karl
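
Added example, not part of the original message or of FreeIPA: a Python parser for the AVC records quoted above that groups them by permission, object class, target type and object, so it is visible which confined domains hit the same denial. The function names are hypothetical and the sample lines are the records from this thread with the e-mail wrapping undone.

```python
import re
from collections import defaultdict

# AVC records from the message above, e-mail line wrapping undone.
SAMPLE = """\
type=AVC msg=audit(1196374877.700:22): avc:  denied  { write } for pid=3697 comm="krb5kdc" path="/root/ipaserver-install.log" dev=dm-0 ino=163219 scontext=user_u:system_r:krb5kdc_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1196374877.700:22): avc:  denied  { read write } for pid=3697 comm="krb5kdc" path="socket:[14728]" dev=sockfs ino=14728 scontext=user_u:system_r:krb5kdc_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=tcp_socket
type=AVC msg=audit(1196374892.221:23): avc:  denied  { write } for pid=3743 comm="httpd" path="/root/ipaserver-install.log" dev=dm-0 ino=163219 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1196374892.221:23): avc:  denied  { read write } for pid=3743 comm="httpd" path="socket:[14728]" dev=sockfs ino=14728 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=tcp_socket
type=AVC msg=audit(1196374896.627:24): avc:  denied  { write } for pid=3809 comm="radiusd" path="/root/ipaserver-install.log" dev=dm-0 ino=163219 scontext=user_u:system_r:radiusd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1196374896.627:24): avc:  denied  { read write } for pid=3809 comm="radiusd" path="socket:[14728]" dev=sockfs ino=14728 scontext=user_u:system_r:radiusd_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=tcp_socket
type=AVC msg=audit(1196374897.129:25): avc:  denied  { search } for pid=3809 comm="radiusd" name="tmp" dev=dm-0 ino=816001 scontext=user_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the key=value fields of one AVC denial, or None if not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['perms'] = tuple(m.group('perms').split())
    return fields

def se_type(context):
    # An SELinux context is user:role:type:level; the type is what policy rules name.
    return context.split(':')[2]

def group_denials(text):
    """Map (perms, tclass, target type, object) -> set of source domains denied."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        obj = rec.get('path') or rec.get('name', '?')
        key = (rec['perms'], rec['tclass'], se_type(rec['tcontext']), obj)
        groups[key].add(se_type(rec['scontext']))
    return dict(groups)

if __name__ == "__main__":
    for key, domains in sorted(group_denials(SAMPLE).items()):
        print(key, "<-", sorted(domains))
```

On the records from this thread the seven denials collapse into three groups, matching the three kinds of answer given inline above.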
