From ftweedal at redhat.com Tue Mar 1 05:34:01 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Tue, 1 Mar 2016 15:34:01 +1000
Subject: [Freeipa-users] Traceback starting pki-cad - ca.subsystem.certreq missing?
In-Reply-To:
References:
Message-ID: <20160301053401.GC12127@dhcp-40-8.bne.redhat.com>

On Mon, Feb 22, 2016 at 06:42:04PM +0100, Natxo Asenjo wrote:
> On Sat, Feb 20, 2016 at 5:58 PM, Ian Pilcher wrote:
>
> > I am running IPA 3.0.0 on CentOS 6 (32-bit x86), and I am getting a
> > traceback every time pki-cad starts:
> >
> > Traceback (most recent call last):
> >   File "/usr/sbin/pki-server", line 89, in
> >     cli.execute(sys.argv)
> >   File "/usr/sbin/pki-server", line 84, in execute
> >     super(PKIServerCLI, self).execute(args)
> >   File "/usr/lib/python2.6/site-packages/pki/cli.py", line 195, in execute
> >     module.execute(module_args)
> >   File "/usr/lib/python2.6/site-packages/pki/server/cli/upgrade.py", line 103, in execute
> >     scriptlet.execute()
> >   File "/usr/lib/python2.6/site-packages/pki/server/upgrade/__init__.py", line 50, in execute
> >     cert = self.subsystem.get_system_cert('subsystem')
> >   File "/usr/lib/python2.6/site-packages/pki/server/__init__.py", line 93, in get_system_cert
> >     cert['request'] = base64.b64decode(self.config['%s.%s.certreq' % (self.prefix, tag)])
> > KeyError: 'ca.subsystem.certreq'
> > Starting pki-ca: [ OK ]
> >
> > As you can see, the daemon does still start successfully, and the
> > traceback doesn't appear in any of the pki-cad logs.
> >
> >
> yes, I see this too after the last round of updates. Curiously enough, just
> on one of the kdcs, the other does not have this traceback.
>
> Both are centos 6.7 fully patched, 32 bits.
>

You can resolve the issue by stopping pki-cad, adding 'ca.subsystem.certreq=' (empty value) to CS.cfg, then restarting pki-cad. AFAICT the absence of the certreq field will not cause any problems.
I'm still investigating what caused the 'ca.subsystem.certreq' config to disappear from CS.cfg in the first place.

From mkosek at redhat.com Tue Mar 1 08:10:13 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 1 Mar 2016 09:10:13 +0100
Subject: [Freeipa-users] version compatibility between server and client
In-Reply-To:
References: <56D4313B.9030105@redhat.com>
Message-ID: <56D54E65.1090401@redhat.com>

On 02/29/2016 07:03 PM, Rakesh Rajasekharan wrote:
> the only reason for me to avoid ipa-client-install was few of our machines
> are Amazon Linux and I was having a tough time setting up ipa over there as
> the yum does not get the repo even with epel enabled.

Ah, right. This was already discussed to some extent there:
https://www.redhat.com/archives/freeipa-users/2016-February/msg00311.html

Amazon Linux does not really fly with FreeIPA and SSSD. So if you want to avoid these painful processes, I would recommend either increasing the pressure on Amazon Linux to support it or switching to other AMIs, like CentOS (or even RHEL).

> Otherwise, I was able to get this working on all of the other systems ,
> which are centos 6.3

Good! (note that 6.3 is pretty old, IPA server on this version is known to have some bugs and gaps. Current version is 6.7 or even better, 7.2)

> Are there any documentations on setting IPA on an Amazon Linux, if not, the
> only option would to try compiling this.

CCing Alexander in case he has any resources. But as I said above, current situation of FreeIPA&SSSD on Amazon Linux is not great.

>
> Thanks,
> Rakesh
>
> On Mon, Feb 29, 2016 at 5:23 PM, Martin Kosek wrote:
>
>> On 02/26/2016 05:23 PM, Rakesh Rajasekharan wrote:
>>> Hi!,
>>>
>>> I had successfully set up ipa in our qa environment, but since we are
>>> running centos 6, i just got 3.0.25 version of IPA.
>>>
>>> I wanted to try out the latest 4.x version, for server by using a centos 7
>>> OS.
>>> But have few questions regarding that
>>>
>>> Will there be compatibility issues, if I use a server at 4.x and clients at
>>> 3.0.25
>>
>> Please see
>> http://www.freeipa.org/page/Client#Compatibility
>> There are plans for FreeIPA 4.4 to improve the "ipa" tool/API
>> compatibility too.
>>
>>> Another question is,
>>> From the documentation, I see that there's an option to manually configure a
>>> client where in we do not have to install freeipa-client using
>>> ipa-client-install
>>>
>>> https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/linux-manual.html
>>
>> Please note that this is a quite old documentation, see here for other
>> options:
>> http://www.freeipa.org/page/Upstream_User_Guide
>>
>>> So that way , I can install the latest version of freeipa server and make
>>> my clients also be able to use the latest version without actually
>>> installing it.
>>>
>>> But, are there any issues with this approach, and how does it differ from
>>> doing a ipa-client-install on the client machine.
>>
>> I can hardly imagine when manually configuring a FreeIPA client would be a good
>> idea. In vast majority of cases, ipa-client-install is what you want, to
>> configure a client against newer or older FreeIPA server version.
>>
>> Martin
>>
>

From gparente at redhat.com Tue Mar 1 08:18:34 2016
From: gparente at redhat.com (German Parente)
Date: Tue, 1 Mar 2016 03:18:34 -0500 (EST)
Subject: [Freeipa-users] Traceback starting pki-cad - ca.subsystem.certreq missing?
In-Reply-To: <20160301053401.GC12127@dhcp-40-8.bne.redhat.com>
References: <20160301053401.GC12127@dhcp-40-8.bne.redhat.com>
Message-ID: <716289032.23527823.1456820314761.JavaMail.zimbra@redhat.com>

Hi Fraser,

thanks for the workaround. As I have a customer who hit this bug, I have created BZ 1313207 to trace this issue in the case.

Regards,

German.
----- Original Message -----
> From: "Fraser Tweedale"
> To: "Ian Pilcher" , "Natxo Asenjo"
> Cc: freeipa-users at redhat.com
> Sent: Tuesday, March 1, 2016 6:34:01 AM
> Subject: Re: [Freeipa-users] Traceback starting pki-cad - ca.subsystem.certreq missing?
>
> On Mon, Feb 22, 2016 at 06:42:04PM +0100, Natxo Asenjo wrote:
> > On Sat, Feb 20, 2016 at 5:58 PM, Ian Pilcher wrote:
> >
> > > I am running IPA 3.0.0 on CentOS 6 (32-bit x86), and I am getting a
> > > traceback every time pki-cad starts:
> > >
> > > Traceback (most recent call last):
> > >   File "/usr/sbin/pki-server", line 89, in
> > >     cli.execute(sys.argv)
> > >   File "/usr/sbin/pki-server", line 84, in execute
> > >     super(PKIServerCLI, self).execute(args)
> > >   File "/usr/lib/python2.6/site-packages/pki/cli.py", line 195, in execute
> > >     module.execute(module_args)
> > >   File "/usr/lib/python2.6/site-packages/pki/server/cli/upgrade.py", line 103, in execute
> > >     scriptlet.execute()
> > >   File "/usr/lib/python2.6/site-packages/pki/server/upgrade/__init__.py", line 50, in execute
> > >     cert = self.subsystem.get_system_cert('subsystem')
> > >   File "/usr/lib/python2.6/site-packages/pki/server/__init__.py", line 93, in get_system_cert
> > >     cert['request'] = base64.b64decode(self.config['%s.%s.certreq' % (self.prefix, tag)])
> > > KeyError: 'ca.subsystem.certreq'
> > > Starting pki-ca: [ OK ]
> > >
> > > As you can see, the daemon does still start successfully, and the
> > > traceback doesn't appear in any of the pki-cad logs.
> > >
> > >
> > yes, I see this too after the last round of updates. Curiously enough, just
> > on one of the kdcs, the other does not have this traceback.
> >
> > Both are centos 6.7 fully patched, 32 bits.
> >
> You can resolve the issue by stopping pki-cad, adding
> 'ca.subsystem.certreq=' (empty value) to CS.cfg, then restarting
> pki-cad. AFAICT the absence of the certreq field will not cause any
> problems.
>
> I'm still investigating what caused the 'ca.subsystem.certreq'
> config to disappear from CS.cfg in the first place.
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>

From pspacek at redhat.com Tue Mar 1 09:29:14 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 1 Mar 2016 10:29:14 +0100
Subject: [Freeipa-users] DNSSEC KSK rollover
In-Reply-To: <56D42363.4080806@0xc0dedbad.com>
References: <56D2FB73.3000003@0xc0dedbad.com> <56D41BFD.9010709@redhat.com> <56D42363.4080806@0xc0dedbad.com>
Message-ID: <56D560EA.4050708@redhat.com>

On 29.2.2016 11:54, Peter Fern wrote:
> On 02/29/2016 21:22, Petr Spacek wrote:
>> On 28.2.2016 14:51, Peter Fern wrote:
>>> Hi all,
>>> A new KSK has been auto-generated, and it's transitioned through
>>> 'published' and is now sitting in the 'ready' state, but does not appear
>>> as a DNSKEY record on the zone. I can see that ods-enforcerd has picked
>>> up the state change correctly and logged a DSChanged event with the
>>> correct output for the new DNSKEY record, and it appears as expected in
>>> localhsm, but is not published on the zone.
>>>
>>> Running FreeIPA 4.3.0-1.fc23, anyone got pointers on how to proceed with
>>> the rollover?
>> Hi,
>>
>> I would recommend you to wait until fix
>> https://fedorahosted.org/freeipa/ticket/5334
>> is released in 4.3.1 or so.
>>
>> After that you can use procedure described on page
>> http://www.freeipa.org/page/Howto/DNSSEC
>> to run ds-seen command.
>>
>> I hope this helps.
>
> That ticket was reported by me ;-)
>
> The issue here is that the new KSK did not appear as a DNSKEY record, so
> running ds-seen would have been a bad idea, since the zone would be
> entirely invalid if the old key was rotated out before the new key was
> published, and the new DS record would be invalid without the
> corresponding KSK anyway.

This should be fixed in 4.3.1 too.
> I did also have some more rotated keys get stuck per #5334, and had
> cleared them prior to this issue, but I was having trouble getting the
> zone resigned correctly, and I was hoping to roll all the keys to deal
> with that. In the end, I had to un-sign the domain and re-sign it to
> recover.
>
> I was wondering if there were possibly some known issues/tricks with KSK
> rollover, but wasn't certain if my #5334 issues may have thrown a
> spanner in the works at some key point in the lifecycle. I've got some
> more KSKs due to roll in a couple of months, so hopefully I can get
> 4.3.1 deployed before then, and I'll be able to see if the process goes
> smoothly without the extraneous issues.
>
> I've also discovered the replication ACI issues in 4.3.0 (#5575 and
> friends), which are causing me some grief. Is there a feel for how
> close we are to a 4.3.1 release?

We intend to release it in a week or two (if everything goes as planned). Stay tuned.

--
Petr^2 Spacek

From kprprl at gmail.com Tue Mar 1 14:26:57 2016
From: kprprl at gmail.com (PARTH MONGA)
Date: Wed, 2 Mar 2016 01:26:57 +1100
Subject: [Freeipa-users] Cross Forest Transitive AD Trust
Message-ID:

Hi List Members,

I have a situation I am having a hard time getting a clean answer on.

I have a IDM/IPA domain setup and I have a trust setup with my Windows domain. That part is working perfectly.

I have a one way forest transitive trust (outgoing) with a second windows domain. I want users in this second domain to be able to authenticate to my IDM/IPA domain. I was hoping that this would be possible through my transitive trust with my primary windows domain.

When I issue the command ipa trust-fetch-domains for my primary domain I get the response no new domains found. The second domain is never found.

Here is my question. Is this even possible without creating a trust with the second domain directly? The documentation states that IPA will traverse all trusts and add them.
However I am starting to believe that reference is for domains in only one forest. Can anyone clear up that point for me?

Regards,
Parth

From abokovoy at redhat.com Tue Mar 1 14:41:24 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 1 Mar 2016 16:41:24 +0200
Subject: [Freeipa-users] Cross Forest Transitive AD Trust
In-Reply-To:
References:
Message-ID: <20160301144124.GA4492@redhat.com>

On Wed, 02 Mar 2016, PARTH MONGA wrote:
>Hi List Members,
>
>I have a situation I am having a hard time getting a clean answer on.
>
>I have a IDM/IPA domain setup and I have a trust setup with my Windows
>domain. That part is working perfectly.
>
>I have a one way forest transitive trust (outgoing) with a second windows
>domain. I want users in this second domain to be able to authenticate to my
>IDM/IPA domain. I was hoping that this would be possible through my
>transitive trust with my primary windows domain.

No, that's not possible by AD architecture.

>
>When I issue the command ipa trust-fetch-domains for my primary domain I
>get the response no new domains found. The second domain is never found.

That's correct.

>Here is my question. Is this even possible without creating a trust with
>the second domain directly? The documentation states that IPA will traverse
>all trusts and add them. However I am starting to believe that reference is
>for domains in only one forest. Can anyone clear up that point for me?

The documentation is correct, you can have multiple trusts to separate forests and domains from all of them will be usable via trust to IPA. However, we cannot access any domains from forests that AD forest trusts itself because while forest trust is transitive, the transition only extends to domains within the forests that trust each other, there is no transitivity across forest trusts.
If forest A's root domain A trusts forest B's root domain B, and forest B's root domain B trusts forest C's root domain C, then A only can transit to domains in forest B, not forest C.

See https://msdn.microsoft.com/en-us/library/cc773178%28v=ws.10%29.aspx, search for the section named "Forest trusts":
---------
Forest trusts can be created between two forests only and cannot be implicitly extended to a third forest.
---------

--
/ Alexander Bokovoy

From kprprl at gmail.com Tue Mar 1 14:50:18 2016
From: kprprl at gmail.com (PARTH MONGA)
Date: Wed, 2 Mar 2016 01:50:18 +1100
Subject: [Freeipa-users] Cross Forest Transitive AD Trust
In-Reply-To: <20160301144124.GA4492@redhat.com>
References: <20160301144124.GA4492@redhat.com>
Message-ID:

Thanks Alexander for the prompt reply.
Appreciated.

Now i am wondering how likewise is able to do this stuff under the hood for me.

I have similar setup with likewise and same one way incoming trust relationships towards my primary domain (dom1) from another external domain (dom2).
And i am able to login to my client machines using user accounts created in dom1 and dom2.
Magic
Any thoughts
>

On Wednesday, 2 March 2016, Alexander Bokovoy wrote:

> On Wed, 02 Mar 2016, PARTH MONGA wrote:
>
>> Hi List Members,
>>
>> I have a situation I am having a hard time getting a clean answer on.
>>
>> I have a IDM/IPA domain setup and I have a trust setup with my Windows
>> domain. That part is working perfectly.
>>
>> I have a one way forest transitive trust (outgoing) with a second windows
>> domain. I want users in this second domain to be able to authenticate to my
>> IDM/IPA domain. I was hoping that this would be possible through my
>> transitive trust with my primary windows domain.
>>
> No, that's not possible by AD architecture.
>
>
>> When I issue the command ipa trust-fetch-domains for my primary domain I
>> get the response no new domains found. The second domain is never found.
>>
> That's correct.
>
> Here is my question.
> Is this even possible without creating a trust with
>> the second domain directly? The documentation states that IPA will traverse
>> all trusts and add them. However I am starting to believe that reference is
>> for domains in only one forest. Can anyone clear up that point for me?
>>
> The documentation is correct, you can have multiple trusts to separate
> forests and domains from all of them will be usable via trust to IPA.
> However, we cannot access any domains from forests that AD forest trusts
> itself because while forest trust is transitive, the transition only
> extends to domains within the forests that trust each other, there is no
> transitivity across forest trusts.
>
> If forest A's root domain A trusts forest B's root domain B, and forest
> B's root domain B trusts forest C's root domain C, then A only can
> transit to domains in forest B, not forest C.
>
> See https://msdn.microsoft.com/en-us/library/cc773178%28v=ws.10%29.aspx,
> search for the section named "Forest trusts":
> ---------
> Forest trusts can be created between two forests only and cannot be
> implicitly extended to a third forest.
> ---------
>
> --
> / Alexander Bokovoy
>

From prashant at apigee.com Tue Mar 1 14:56:00 2016
From: prashant at apigee.com (Prashant Bapat)
Date: Tue, 1 Mar 2016 20:26:00 +0530
Subject: [Freeipa-users] Kerberos authentication from a third party app - Shibboleth
Message-ID:

Hi,

I'm trying to use Shibboleth IdP with FreeIPA and Kerberos Authentication. I'm aware of Ipsilon, just that Shibboleth is more suited for my use case.

I've installed ipa-client on a server and connected it to ipa. Shibboleth is installed on this server and I'm able to get the Kerberos authentication working. Documented here .

However if I bring OTP into picture, authentication fails. Error message is like "Pre-authentication information was invalid (24) - PREAUTH_FAILED".
Any pointers on how to make OTP work?

Regards.
--Prashant

From abokovoy at redhat.com Tue Mar 1 15:19:56 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 1 Mar 2016 17:19:56 +0200
Subject: [Freeipa-users] Cross Forest Transitive AD Trust
In-Reply-To:
References: <20160301144124.GA4492@redhat.com>
Message-ID: <20160301151956.GB4492@redhat.com>

On Wed, 02 Mar 2016, PARTH MONGA wrote:
>Thanks Alexander for the prompt reply.
>Appreciated.
>
>Now i am wondering how likewise is able to do this stuff under the hood for
>me.
>
>I have similar setup with likewise and same one way incoming trust
>relationships towards my primary domain (dom1) from another external domain
>(dom2).

You need to get your terminology right. Can you explain which of the cases from https://kb.vmware.com/kb/2064250 would apply to your situation? There are quite a number of differences between different types of trust.

>And i am able to login to my client machines using user accounts created in
>dom1 and dom2.
>Magic
>Any thoughts
>

There is no magic here, your likewise setup is using different trust mode than what IPA does. Most likely your likewise setup is a domain in dom1 forest already.

--
/ Alexander Bokovoy

From abokovoy at redhat.com Tue Mar 1 15:31:29 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 1 Mar 2016 17:31:29 +0200
Subject: [Freeipa-users] Kerberos authentication from a third party app - Shibboleth
In-Reply-To:
References:
Message-ID: <20160301153129.GC4492@redhat.com>

On Tue, 01 Mar 2016, Prashant Bapat wrote:
>Hi,
>
>I'm trying to use Shibboleth IdP with FreeIPA and Kerberos Authentication.
>I'm aware of Ipsilon, just that Shibboleth is more suited for my use case.
>
>I've installed ipa-client on a server and connected it to ipa. Shibboleth
>is installed on this server and I'm able to get the Kerberos authentication
>working. Documented here
>
>.
>
>However if I bring OTP into picture, authentication fails. Error message is
>like "Pre-authentication information was invalid (24) - PREAUTH_FAILED".
>
>Any pointers on how to make OTP work?

http://www.freeipa.org/page/V4/OTP
http://www.freeipa.org/page/V4/OTP/Detail

--
/ Alexander Bokovoy

From prashant at apigee.com Wed Mar 2 10:55:00 2016
From: prashant at apigee.com (Prashant Bapat)
Date: Wed, 2 Mar 2016 16:25:00 +0530
Subject: [Freeipa-users] Kerberos authentication from a third party app - Shibboleth
In-Reply-To: <20160301153129.GC4492@redhat.com>
References: <20160301153129.GC4492@redhat.com>
Message-ID:

Thanks. But my problem is not OTP per se but Kerberos thru Java. Specifically i'm getting below error.

javax.security.auth.login.LoginException: Pre-authentication information was invalid (24) - PREAUTH_FAILED
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:804)
Caused by: sun.security.krb5.KrbException: Pre-authentication information was invalid (24) - PREAUTH_FAILED
    at sun.security.krb5.KrbAsRep.(KrbAsRep.java:82)
Caused by: sun.security.krb5.Asn1Exception: Identifier doesn't match expected value (906)
    at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)

Any pointers ?

On 1 March 2016 at 21:01, Alexander Bokovoy wrote:

> On Tue, 01 Mar 2016, Prashant Bapat wrote:
>
>> Hi,
>>
>> I'm trying to use Shibboleth IdP with FreeIPA and Kerberos Authentication.
>> I'm aware of Ipsilon, just that Shibboleth is more suited for my use case.
>>
>> I've installed ipa-client on a server and connected it to ipa. Shibboleth
>> is installed on this server and I'm able to get the Kerberos authentication
>> working. Documented here
>> <https://wiki.shibboleth.net/confluence/display/IDP30/KerberosAuthnConfiguration>.
>>
>> However if I bring OTP into picture, authentication fails. Error message is
>> like "Pre-authentication information was invalid (24) - PREAUTH_FAILED".
>>
>> Any pointers on how to make OTP work?
>>
> http://www.freeipa.org/page/V4/OTP
> http://www.freeipa.org/page/V4/OTP/Detail
>
> --
> / Alexander Bokovoy
>

From abokovoy at redhat.com Wed Mar 2 11:00:42 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 2 Mar 2016 13:00:42 +0200
Subject: [Freeipa-users] Kerberos authentication from a third party app - Shibboleth
In-Reply-To:
References: <20160301153129.GC4492@redhat.com>
Message-ID: <20160302110042.GM4492@redhat.com>

On Wed, 02 Mar 2016, Prashant Bapat wrote:
>Thanks. But my problem is not OTP per se but Kerberos thru Java.
>Specifically i'm getting below error.
>
>javax.security.auth.login.LoginException: Pre-authentication information was invalid (24) - PREAUTH_FAILED
>    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:804)
>Caused by: sun.security.krb5.KrbException: Pre-authentication information was invalid (24) - PREAUTH_FAILED
>    at sun.security.krb5.KrbAsRep.(KrbAsRep.java:82)
>Caused by: sun.security.krb5.Asn1Exception: Identifier doesn't match expected value (906)
>    at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
>
>Any pointers ?

Read the page, please. It has all the details what you need to implement -- most importantly, you need to implement FAST channel support.

>
>On 1 March 2016 at 21:01, Alexander Bokovoy wrote:
>
>> On Tue, 01 Mar 2016, Prashant Bapat wrote:
>>
>>> Hi,
>>>
>>> I'm trying to use Shibboleth IdP with FreeIPA and Kerberos Authentication.
>>> I'm aware of Ipsilon, just that Shibboleth is more suited for my use case.
>>>
>>> I've installed ipa-client on a server and connected it to ipa. Shibboleth
>>> is installed on this server and I'm able to get the Kerberos authentication
>>> working. Documented here
>>> <https://wiki.shibboleth.net/confluence/display/IDP30/KerberosAuthnConfiguration>.
>>>
>>> However if I bring OTP into picture, authentication fails. Error message is
>>> like "Pre-authentication information was invalid (24) - PREAUTH_FAILED".
>>>
>>> Any pointers on how to make OTP work?
>>>
>> http://www.freeipa.org/page/V4/OTP
>> http://www.freeipa.org/page/V4/OTP/Detail
>>
>> --
>> / Alexander Bokovoy
>>

--
/ Alexander Bokovoy

From simo at redhat.com Wed Mar 2 18:50:54 2016
From: simo at redhat.com (Simo Sorce)
Date: Wed, 02 Mar 2016 13:50:54 -0500
Subject: [Freeipa-users] Kerberos authentication from a third party app - Shibboleth
In-Reply-To:
References: <20160301153129.GC4492@redhat.com>
Message-ID: <1456944654.8257.72.camel@redhat.com>

On Wed, 2016-03-02 at 16:25 +0530, Prashant Bapat wrote:
> Thanks. But my problem is not OTP per se but Kerberos thru Java.
> Specifically i'm getting below error.
>
> javax.security.auth.login.LoginException: Pre-authentication information was invalid (24) - PREAUTH_FAILED
>     at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:804)
> Caused by: sun.security.krb5.KrbException: Pre-authentication information was invalid (24) - PREAUTH_FAILED
>     at sun.security.krb5.KrbAsRep.(KrbAsRep.java:82)
> Caused by: sun.security.krb5.Asn1Exception: Identifier doesn't match expected value (906)
>     at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
>
> Any pointers ?

Unfortunately Java tends to lag way behind with Krb5 and GSSAPI features and APIs (years behind). In this case what happens is that your Java module probably does not support FAST preauth.

> On 1 March 2016 at 21:01, Alexander Bokovoy wrote:
>
> > On Tue, 01 Mar 2016, Prashant Bapat wrote:
> >
> >> Hi,
> >>
> >> I'm trying to use Shibboleth IdP with FreeIPA and Kerberos Authentication.
> >> I'm aware of Ipsilon, just that Shibboleth is more suited for my use case.
> >>
> >> I've installed ipa-client on a server and connected it to ipa. Shibboleth
> >> is installed on this server and I'm able to get the Kerberos authentication
> >> working. Documented here
> >> <https://wiki.shibboleth.net/confluence/display/IDP30/KerberosAuthnConfiguration>.
> >>
> >> However if I bring OTP into picture, authentication fails. Error message is
> >> like "Pre-authentication information was invalid (24) - PREAUTH_FAILED".
> >>
> >> Any pointers on how to make OTP work?
> >>
> > http://www.freeipa.org/page/V4/OTP
> > http://www.freeipa.org/page/V4/OTP/Detail
> >
> > --
> > / Alexander Bokovoy
> >

--
Simo Sorce * Red Hat, Inc * New York

From prashant at apigee.com Thu Mar 3 09:10:48 2016
From: prashant at apigee.com (Prashant Bapat)
Date: Thu, 3 Mar 2016 14:40:48 +0530
Subject: [Freeipa-users] Kerberos authentication from a third party app - Shibboleth
In-Reply-To: <1456944654.8257.72.camel@redhat.com>
References: <20160301153129.GC4492@redhat.com> <1456944654.8257.72.camel@redhat.com>
Message-ID:

Thanks.

Let me figure out possible alternatives.

On 3 March 2016 at 00:20, Simo Sorce wrote:

>
>
> On Wed, 2016-03-02 at 16:25 +0530, Prashant Bapat wrote:
> > Thanks. But my problem is not OTP per se but Kerberos thru Java.
> > Specifically i'm getting below error.
> >
> > javax.security.auth.login.LoginException: Pre-authentication information was invalid (24) - PREAUTH_FAILED
> >     at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:804)
> > Caused by: sun.security.krb5.KrbException: Pre-authentication information was invalid (24) - PREAUTH_FAILED
> >     at sun.security.krb5.KrbAsRep.(KrbAsRep.java:82)
> > Caused by: sun.security.krb5.Asn1Exception: Identifier doesn't match expected value (906)
> >     at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
> >
> > Any pointers ?
>
> Unfortunately Java tends to lag way behind with Krb5 and GSSAPI features
> and APIs (years behind). In this case what happens is that your Java
> module probably does not support FAST preauth.
>
> > On 1 March 2016 at 21:01, Alexander Bokovoy wrote:
> >
> > > On Tue, 01 Mar 2016, Prashant Bapat wrote:
> > >
> > >> Hi,
> > >>
> > >> I'm trying to use Shibboleth IdP with FreeIPA and Kerberos Authentication.
> > >> I'm aware of Ipsilon, just that Shibboleth is more suited for my use case.
> > >>
> > >> I've installed ipa-client on a server and connected it to ipa. Shibboleth
> > >> is installed on this server and I'm able to get the Kerberos authentication
> > >> working. Documented here
> > >> <https://wiki.shibboleth.net/confluence/display/IDP30/KerberosAuthnConfiguration>.
> > >>
> > >> However if I bring OTP into picture, authentication fails. Error message is
> > >> like "Pre-authentication information was invalid (24) - PREAUTH_FAILED".
> > >>
> > >> Any pointers on how to make OTP work?
> > >>
> > > http://www.freeipa.org/page/V4/OTP
> > > http://www.freeipa.org/page/V4/OTP/Detail
> > >
> > > --
> > > / Alexander Bokovoy
> > >
> >
> --
> Simo Sorce * Red Hat, Inc * New York
>
>

From prashant at apigee.com Thu Mar 3 09:42:20 2016
From: prashant at apigee.com (Prashant Bapat)
Date: Thu, 3 Mar 2016 15:12:20 +0530
Subject: [Freeipa-users] Kerberos authentication from a third party app - Shibboleth
In-Reply-To:
References: <20160301153129.GC4492@redhat.com> <1456944654.8257.72.camel@redhat.com>
Message-ID:

I guess I was looking at this wrongly!

Simo, you're right! Java and Kerberos won't work !

However password+OTP against LDAP server directly works! I can use that!

Thanks for your help!

On 3 March 2016 at 14:40, Prashant Bapat wrote:

> Thanks.
>
> Let me figure out possible alternatives.
>
> On 3 March 2016 at 00:20, Simo Sorce wrote:
>
>>
>>
>> On Wed, 2016-03-02 at 16:25 +0530, Prashant Bapat wrote:
>> > Thanks. But my problem is not OTP per se but Kerberos thru Java.
>> > Specifically i'm getting below error.
>> >
>> > javax.security.auth.login.LoginException: Pre-authentication information was invalid (24) - PREAUTH_FAILED
>> >     at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:804)
>> > Caused by: sun.security.krb5.KrbException: Pre-authentication information was invalid (24) - PREAUTH_FAILED
>> >     at sun.security.krb5.KrbAsRep.(KrbAsRep.java:82)
>> > Caused by: sun.security.krb5.Asn1Exception: Identifier doesn't match expected value (906)
>> >     at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
>> >
>> > Any pointers ?
>>
>> Unfortunately Java tends to lag way behind with Krb5 and GSSAPI features
>> and APIs (years behind). In this case what happens is that your Java
>> module probably does not support FAST preauth.
>>
>> > On 1 March 2016 at 21:01, Alexander Bokovoy wrote:
>> >
>> > > On Tue, 01 Mar 2016, Prashant Bapat wrote:
>> > >
>> > >> Hi,
>> > >>
>> > >> I'm trying to use Shibboleth IdP with FreeIPA and Kerberos Authentication.
>> > >> I'm aware of Ipsilon, just that Shibboleth is more suited for my use case.
>> > >>
>> > >> I've installed ipa-client on a server and connected it to ipa. Shibboleth
>> > >> is installed on this server and I'm able to get the Kerberos authentication
>> > >> working. Documented here
>> > >> <https://wiki.shibboleth.net/confluence/display/IDP30/KerberosAuthnConfiguration>.
>> > >>
>> > >> However if I bring OTP into picture, authentication fails. Error message is
>> > >> like "Pre-authentication information was invalid (24) - PREAUTH_FAILED".
>> > >>
>> > >> Any pointers on how to make OTP work?
>> > >>
>> > > http://www.freeipa.org/page/V4/OTP
>> > > http://www.freeipa.org/page/V4/OTP/Detail
>> > >
>> > > --
>> > > / Alexander Bokovoy
>> > >
>>
>>
>> --
>> Simo Sorce * Red Hat, Inc * New York
>>
>>
>

From stijn.geselle at ypto.be Thu Mar 3 12:11:42 2016
From: stijn.geselle at ypto.be (Geselle Stijn)
Date: Thu, 3 Mar 2016 12:11:42 +0000
Subject: [Freeipa-users] Some high level questions (DNS & CA)
Message-ID: <986ED6C5BA6EFD49B00A4CEABE2E8FDA276AFA49@HICTATRIUEM023.msnet.railb.be>

Hello,

We have a large Windows environment and around 50 RHEL servers (which will grow to a few hundred in the future).
Our goal is to be able to login with our AD credentials and have sudo centrally managed. To be able to manage users and their access/permissions we are looking into IdM combined with a unidirectional non-transitive AD-trust so our existing AD users can authenticate on the RHEL servers.

I have a few (high level) questions regarding the setup of IdM:

1) There is an integrated DNS component (BIND). Is this component required? Because we would like to keep DNS managed by Windows (A and CNAME records). I have seen that there's a forward only policy, but what's the point of that? Can't we just directly use the Windows DNS then instead of forwarding, i.e. point the client's nameservers to the Windows nameservers? I'm obviously missing something crucial, sorry :)

2) A Certificate Authority will be installed as well. What's the function of this CA? Is it required? Can we do a CA-less setup? What are the limitations of a CA-less setup?

3) Is IPv6 a requirement or can it be disabled?

4) How could disaster recovery be implemented? Is it easy to backup and restore?

5) Is it correct that we can achieve high availability by setting up a replica IdM server and configure the clients to use both servers?

Thank you if you can answer any (or maybe all, who knows!) of the questions above!

Regards,

Stijn

From mbasti at redhat.com Thu Mar 3 12:26:56 2016
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 3 Mar 2016 13:26:56 +0100
Subject: [Freeipa-users] Some high level questions (DNS & CA)
In-Reply-To: <986ED6C5BA6EFD49B00A4CEABE2E8FDA276AFA49@HICTATRIUEM023.msnet.railb.be>
References: <986ED6C5BA6EFD49B00A4CEABE2E8FDA276AFA49@HICTATRIUEM023.msnet.railb.be>
Message-ID: <56D82D90.3000109@redhat.com>

Hello,

comments inline

On 03.03.2016 13:11, Geselle Stijn wrote:
>
> Hello,
>
> We have a large Windows environment and around 50 RHEL servers (which
> will grow to a few hundred in the future).
> Our goal is to be able to
> login with our AD credentials and have sudo centrally managed. To be
> able to manage users and their access/permissions we are looking into
> IdM combined with a unidirectional non-transitive AD-trust so our
> existing AD users can authenticate on the RHEL servers.
>
> I have a few (high level) questions regarding the setup of IdM:
>
> 1)There is an integrated DNS component (BIND). Is this component
> required? Because we would like to keep DNS managed by Windows (A and
> CNAME records). I have seen that there's a forward only policy, but
> what's the point of that? Can't we just directly use the Windows DNS
> then instead of forwarding, i.e. point the client's nameservers to the
> Windows nameservers? I'm obviously missing something crucial, sorry :)
>
DNS subsystem is optional, you can use Windows DNS for IPA (manual configuration needed for each replica)

> 2)A Certificate Authority will be installed as well. What's the
> function of this CA? Is it required? Can we do a CA-less setup? What
> are the limitations of a CA-less setup?
>
You can do CA-less install.

> 3)Is IPv6 a requirement or can it be disabled?
>
IPv6 is not required, but you cannot disable whole IPv6 stack due to some bugs in IPA components (I don't remember which)

>
> 4)How could disaster recovery be implemented? Is it easy to backup and
> restore?
>
The best backup is to have multiple replicas, then snapshots and also we have ipa-backup feature, but as I said replicas are the best

>
> 5)Is it correct that we can achieve high availability by setting up a
> replica IdM server and configure the clients to use both servers?
>
Clients should be able to detect replicas using SRV records, so yes.

>
> Thank you if you can answer any (or maybe all, who knows!) of the
> questions above!
>
> Regards,
>
> Stijn
>
>
>
Martin

From bahanw042014 at gmail.com Thu Mar 3 14:17:55 2016
From: bahanw042014 at gmail.com (bahan w)
Date: Thu, 3 Mar 2016 15:17:55 +0100
Subject: [Freeipa-users] ipa python client - group_remove_member
Message-ID:

Hello everyone !

I send you this mail because I'm using the python libraries and I'm encountering a blocking problem when trying to use the api.Command['group_remove_member'] command.

I don't really know what is the syntax of this command.
I know how to make the api.Command['user_show'](username) work but I don't really know for the group_remove_member.

What is the right syntax for this function ? What may I put in the xxx below ?
api.command['group_remove_member'](u'group1')xxx

Thank you in advance for your help.

BR.

Bahan

From rcritten at redhat.com Thu Mar 3 14:35:01 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 3 Mar 2016 09:35:01 -0500
Subject: [Freeipa-users] ipa python client - group_remove_member
In-Reply-To:
References:
Message-ID: <56D84B95.4000003@redhat.com>

bahan w wrote:
> Hello everyone !
>
> I send you this mail because I'm using the python libraries and I'm
> encountering a blocking problem when trying to use the
> api.Command['group_remove_member'] command.
>
> I don't really know what is the syntax of this command.
> I know how to make the api.Command['user_show'](username) work but
> I don't really know for the group_remove_member.
>
> What is the right syntax for this function ? What may I put in the xxx
> below ?
> api.command['group_remove_member'](u'group1')xxx

res = api.Command.group_remove_member(u'somegroup', user=u'someuser')

Removing non-members will not raise an exception. You need to look at the failed entry in the result returned.

rob

From Steven.Auerbach at flbog.edu Thu Mar 3 17:52:37 2016
From: Steven.Auerbach at flbog.edu (Auerbach, Steven)
Date: Thu, 3 Mar 2016 17:52:37 +0000
Subject: [Freeipa-users] I think I have an issue, but maybe not.....Is IPA Replica Clean-up Needed?
Message-ID:

We have IPA set up in active-active mode. The first node (ipa01) logs errors regularly (every few minutes) that seem to be based upon an attempt to communicate with a replica that no longer exists.

Feb 25 14:38:04 ipa01 named[2161]: LDAP query timed out. Try to adjust "timeout" parameter
Feb 25 14:38:04 ipa01 named[2161]: LDAP query timed out. Try to adjust "timeout" parameter
Feb 25 14:38:14 ipa01 named[2161]: LDAP query timed out. Try to adjust "timeout" parameter
Feb 25 14:38:14 ipa01 named[2161]: LDAP query timed out. Try to adjust "timeout" parameter
Feb 25 14:38:22 ipa01 ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cannot contact any KDC for <> '<>.LOCAL')
Feb 25 14:38:35 ipa01 named[2161]: LDAP query timed out. Try to adjust "timeout" parameter
Feb 25 14:38:35 ipa01 named[2161]: LDAP query timed out. Try to adjust "timeout" parameter
Feb 25 14:38:45 ipa01 named[2161]: LDAP query timed out. Try to adjust "timeout" parameter
Feb 25 14:38:45 ipa01 named[2161]: LDAP query timed out. Try to adjust "timeout" parameter
Feb 25 14:38:45 ipa01 ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server ldap/ipa02.<>.local@<>.LOCAL not found in Kerberos database)

The only place I found any references to the server ipa02 is in dse.ldif files in the /etc/dirsrv/slapd-<>-LOCAL/ folders

Quoted from dse.ldif:
dn: cn=replica,cn=dc\3D<>\2Cdc\3Dlocal,cn=mapping tree,cn=config
cn: replica
nsDS5Flags: 1
objectClass: top
objectClass: nsds5replica
objectClass: extensibleobject
nsDS5ReplicaType: 3
nsDS5ReplicaRoot: dc=<>,dc=local
nsds5ReplicaLegacyConsumer: off
nsDS5ReplicaId: 4
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaBindDN: krbprincipalname=ldap/ipa02.<>.local@<>.LOCAL,cn=services,cn=accounts,dc=<>,dc=local
nsDS5ReplicaBindDN: krbprincipalname=ldap/ipa-r02.<>.local@<>.LOCAL,cn=services,cn=accounts,dc=<>,dc=local
creatorsName: cn=directory manager
modifiersName: cn=Multimaster Replication Plugin,cn=plugins,cn=config
createTimestamp: 20130924144354Z
modifyTimestamp: 20160225194116Z
nsState:: BAAAAAAAAADcWM9WAAAAAAEAAAAAAAAAZQAAAAAAAAADAAAAAAAAAA==
nsDS5ReplicaName: a5641a0e-252711e3-96afcc83-6ff9b802
numSubordinates: 1

When I execute "ipa-replica-manage list" from either the master or replica server I get the same response:
ipa01.<>.local: master
ipa-r02.<>.local: master

and when I execute "ipa-csreplica-manage list" from either the master or the replica server I get the same response:
ipa01.<>.local: master
ipa-r02.<>.local: CA not configured

I would have expected one of these commands to include the "ipa02" server as well since it is in the dse.ldif file.

I know we are configured in "active-active" mode and that the CA is only on ipa01.

From an operating perspective, identity management operations (including signing on to the browser-based interface and updates made one server showing up on the other) from the replica (ipa-r02) are much faster than from the master (ipa01).
I am guessing that this is because any task executing on the replica has only a replica pointer to the master, whereas any operation on the master that tries to replicate has to timeout on the invalid pointer to "ipa02" before it can actually communicate with the replica (ipa-r02). Of course my intuition could be completely wrong and my actual understanding of how this process works is nil.

I would like to clean up this environment before I hand the reins over to the next person on my team.

So my questions are:
1) Is there a way to remove the invalid pointer without having to disrupt services on the ipa01?
2) Do I need to clean this up in this location at all?

Thanks for your interest.

Steven Auerbach, Systems Administrator

From devin at pabstatencio.com Thu Mar 3 20:12:23 2016
From: devin at pabstatencio.com (devin at pabstatencio.com)
Date: Thu, 03 Mar 2016 20:12:23 +0000
Subject: [Freeipa-users] FreeIPA 4.2.0 / Replica / Join Issue
Message-ID:

I am running the latest patched CentOS 7.2, with FreeIPA 4.2.0, and I the Master node in the Data Center, then i created 3 replica's, one in the DC for High Availability, and then 2 Replica's in the AWS Cloud. I'm having major issues with the Replica's in the AWS Cloud. I am trying to have it so it auto-discovers the servers automatically so the failover is dynamic. I created the replica's as well to have a Certificate Authority. When I attempt to join a virtual machine in AWS to the domain it fails half way thru the process. I have attached a full debug of my ipa-client-install, hoping someone can assist me. I know prior to joining the 2 replicas in AWS I had absolutely no issues with joining servers in the DC to IDM. I built all my replica's from the Master server (rspsna-ipa01), so rspsna-ipa02, ipa01-ore, ipa02-ore were built from rspsna-ipa01.

The main part that seems to fail during the (client) join is:

Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
Starting external process
args='/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L' '-n' 'Local IPA host' '-r'
Process finished, return code=255
stdout=
stderr=certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.
Starting external process
args='/usr/bin/certutil' '-d' '/etc/pki/nssdb' '-L' '-n' 'IPA Machine Certificate - beanstalk01-ore.prod.cloud.myinc.local' '-r'
Process finished, return code=255
stdout=
stderr=certutil: Could not find cert: IPA Machine Certificate - beanstalk01-ore.prod.cloud.myinc.local : PR_FILE_NOT_FOUND_ERROR: File not found
Starting external process
args='/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'
Process finished, return code=255
stdout=
stderr=certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.
Failed to list certificates in /etc/ipa/nssdb: Command ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit status 255
Starting external process
args='/bin/systemctl' 'start' 'certmonger.service'
Process finished, return code=0
stdout=
stderr=
Starting external process
args='/bin/systemctl' 'is-active' 'certmonger.service'
Process finished, return code=0
stdout=active
stderr=
Starting external process
args='/bin/systemctl' 'stop' 'certmonger.service'
Process finished, return code=0
stdout=
stderr=
Starting external process
args='/bin/systemctl' 'disable' 'certmonger.service'
Process finished, return code=0
stdout=
stderr=
Unenrolling client from IPA server
Starting external process
args='/usr/sbin/ipa-join' '--unenroll' '-h' 'beanstalk01-ore.prod.cloud.myinc.local' '-d'
Process finished, return code=19
stdout=
stderr=Error obtaining initial credentials: Cannot find KDC for requested realm.
Unenrolling host failed: Error obtaining initial credentials: Cannot find KDC for requested realm.
Removing Kerberos service principals from /etc/krb5.keytab
Starting external process
args='/usr/sbin/ipa-rmkeytab' '-k' '/etc/krb5.keytab' '-r' 'MYINC.LOCAL'
Process finished, return code=0
stdout=
stderr=Removing principal host/beanstalk01-ore.prod.cloud.myinc.local at MYINC.LOCAL

When I look at the slapd error log on one of the replica's i see this:

[02/Mar/2016:23:40:09 +0000] - Listening on All Interfaces port 636 for LDAPS requests
[02/Mar/2016:23:40:09 +0000] - Listening on /var/run/slapd-MYINC-LOCAL.socket for LDAPI requests
[02/Mar/2016:23:40:09 +0000] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[02/Mar/2016:23:40:09 +0000] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[02/Mar/2016:23:40:09 +0000] NSMMReplicationPlugin - agmt="cn=meTorspsna-ipa01.prod.i2x.myinc.local" (rspsna-ipa01:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[02/Mar/2016:23:40:12 +0000] NSMMReplicationPlugin - agmt="cn=meToipa02-ore.prod.cloud.myinc.local" (ipa02-ore:389): Replication bind with GSSAPI auth resumed
[02/Mar/2016:23:40:12 +0000] NSMMReplicationPlugin - agmt="cn=meTorspsna-ipa01.prod.i2x.myinc.local" (rspsna-ipa01:389): Replication bind with GSSAPI auth resumed
[03/Mar/2016:00:07:00 +0000] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
[03/Mar/2016:00:07:00 +0000] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[03/Mar/2016:00:07:00 +0000] NSMMReplicationPlugin - agmt="cn=meToipa02-ore.prod.cloud.myinc.local" (ipa02-ore:389): Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[03/Mar/2016:00:07:03 +0000] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
[03/Mar/2016:00:07:03 +0000] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[03/Mar/2016:00:07:09 +0000] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
[03/Mar/2016:00:07:09 +0000] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[03/Mar/2016:00:07:21 +0000] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
[03/Mar/2016:00:07:21 +0000] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[03/Mar/2016:00:07:45 +0000] NSMMReplicationPlugin - agmt="cn=meToipa02-ore.prod.cloud.myinc.local" (ipa02-ore:389): Replication bind with GSSAPI auth resumed
[03/Mar/2016:01:26:53 +0000] NSMMReplicationPlugin - replication keep alive entry already exists
[03/Mar/2016:03:24:06 +0000] NSMMReplicationPlugin - replication keep alive entry already exists
[03/Mar/2016:05:17:30 +0000] NSMMReplicationPlugin - replication keep alive entry already exists
[03/Mar/2016:07:08:29 +0000] NSMMReplicationPlugin - replication keep alive entry already exists
[03/Mar/2016:08:59:51 +0000] NSMMReplicationPlugin - replication keep alive entry already exists
[03/Mar/2016:10:42:48 +0000] NSMMReplicationPlugin - replication keep alive entry already exists
[03/Mar/2016:12:35:51 +0000] NSMMReplicationPlugin - replication keep alive entry already exists
[03/Mar/2016:14:28:20 +0000] NSMMReplicationPlugin - replication keep alive entry already exists
[03/Mar/2016:16:24:12 +0000] NSMMReplicationPlugin - replication keep alive entry already exists
[03/Mar/2016:18:09:51 +0000] NSMMReplicationPlugin - replication keep alive entry already exists
[03/Mar/2016:19:47:07 +0000] NSMMReplicationPlugin - replication keep alive entry already exists

Thanks much.

Devin

From rcritten at redhat.com Thu Mar 3 20:30:15 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 3 Mar 2016 15:30:15 -0500
Subject: [Freeipa-users] I think I have an issue, but maybe not.....Is IPA Replica Clean-up Needed?
In-Reply-To:
References:
Message-ID: <56D89ED7.4070805@redhat.com>

Auerbach, Steven wrote:
> We have IPA set up in active-active mode.
> The first node (ipa01) logs
> errors regularly (every few minutes) that seem to be based upon an
> attempt to communicate with a replica that no longer exists.
>
>
>
> Feb 25 14:38:04 ipa01 named[2161]: LDAP query timed out. Try to adjust
> "timeout" parameter
>
> Feb 25 14:38:04 ipa01 named[2161]: LDAP query timed out. Try to adjust
> "timeout" parameter
>
> Feb 25 14:38:14 ipa01 named[2161]: LDAP query timed out. Try to adjust
> "timeout" parameter
>
> Feb 25 14:38:14 ipa01 named[2161]: LDAP query timed out. Try to adjust
> "timeout" parameter
>
> Feb 25 14:38:22 ipa01 ns-slapd: GSSAPI Error: Unspecified GSS failure.
> Minor code may provide more information (Cannot contact any KDC for
> <> '<>.LOCAL')
>
> Feb 25 14:38:35 ipa01 named[2161]: LDAP query timed out. Try to adjust
> "timeout" parameter
>
> Feb 25 14:38:35 ipa01 named[2161]: LDAP query timed out. Try to adjust
> "timeout" parameter
>
> Feb 25 14:38:45 ipa01 named[2161]: LDAP query timed out. Try to adjust
> "timeout" parameter
>
> Feb 25 14:38:45 ipa01 named[2161]: LDAP query timed out. Try to adjust
> "timeout" parameter
>
> Feb 25 14:38:45 ipa01 ns-slapd: GSSAPI Error: Unspecified GSS failure.
> Minor code may provide more information (Server
> ldap/ipa02.<>.local@<>.LOCAL not found in Kerberos database)
>
>
>
> The only place I found any references to the server ipa02 is in dse.ldif
> files in the /etc/dirsrv/slapd-<>-LOCAL/ folders
>
>
>
> Quoted from dse.ldif:
>
> dn: cn=replica,cn=dc\3D<>\2Cdc\3Dlocal,cn=mapping tree,cn=config
>
> cn: replica
>
> nsDS5Flags: 1
>
> objectClass: top
>
> objectClass: nsds5replica
>
> objectClass: extensibleobject
>
> nsDS5ReplicaType: 3
>
> nsDS5ReplicaRoot: dc=<>,dc=local
>
> nsds5ReplicaLegacyConsumer: off
>
> nsDS5ReplicaId: 4
>
> nsDS5ReplicaBindDN: cn=replication manager,cn=config
>
> _nsDS5ReplicaBindDN:
> krbprincipalname=ldap/ipa02._<>.local@<>.LOCAL,cn=services,cn=accounts,dc=<>,dc=local
>
> _nsDS5ReplicaBindDN:
> krbprincipalname=ldap/ipa-r02._<>.local@<>.LOCAL,cn=services,cn=accounts,dc=<>,dc=local
>
> creatorsName: cn=directory manager
>
> modifiersName: cn=Multimaster Replication Plugin,cn=plugins,cn=config
>
> createTimestamp: 20130924144354Z
>
> modifyTimestamp: 20160225194116Z
>
> nsState:: BAAAAAAAAADcWM9WAAAAAAEAAAAAAAAAZQAAAAAAAAADAAAAAAAAAA==
>
> nsDS5ReplicaName: a5641a0e-252711e3-96afcc83-6ff9b802
>
> numSubordinates: 1
>
>
>
>
>
> When I execute "ipa-replica-manage list" from either the master or
> replica server I get the same response:
>
> ipa01.<>.local: master
>
> ipa-r02.<>.local: master

You should run it as this on each host:

$ ipa-replica-manage list -v `hostname`

This will show the current agreements it has and the status.

>
>
> and when I execute "ipa-csreplica-manage list" from either the master or
> the replica server I get the same response:
>
> ipa01.<>.local: master
>
> ipa-r02.<>.local: CA not configured

You should strongly consider adding a second CA. Right now you have a single point of failure.

>
> I would have expected one of these commands to include the "ipa02"
> server as well since it is in the dse.ldif file.
>
>
>
> I know we are configured in "active-active"
> mode and that the CA is only
> on ipa01.

389-ds uses multi-master replication. active-active is typically a term used with load balancers and clusters and this isn't really that.

>
>
> From an operating perspective, identity management operations (including
> signing on to the browser-based interface and updates made one server
> showing up on the other) from the replica (ipa-r02) are much faster than
> from the master (ipa01). I am guessing that this is because any task
> executing on the replica has only a replica pointer to the master,
> whereas any operation on the master that tries to replicate has to
> timeout on the invalid pointer to "ipa02" before it can actually
> communicate with the replica (ipa-r02). Of course my intuition could be
> completely wrong and my actual understanding of how this process works
> is nil.

I'm not intimately familiar with low-level 389-ds replication but I don't believe it is done serially.

>
> I would like to clean up this environment before I hand the reins over
> to the next person on my team.
>
>
>
> So my questions are:
>
> 1) Is there a way to remove the invalid pointer without having to
> disrupt services on the ipa01?

The ipa-replica-manage command will show the current agreements. Removing a stale one won't affect operations.

> 2) Do I need to clean this up in this location at all?

If there is a bogus agreement then yes. It is a resource drag as the server needs to calculate and store any changes for something that will never get sent.

rob

>
>
>
> Thanks for your interest.
>
>
>
>
>
> *Steven Auerbach, Systems Administrator*
>
>
>

From rcritten at redhat.com Thu Mar 3 20:33:51 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 3 Mar 2016 15:33:51 -0500
Subject: [Freeipa-users] FreeIPA 4.2.0 / Replica / Join Issue
In-Reply-To:
References:
Message-ID: <56D89FAF.70506@redhat.com>

devin at pabstatencio.com wrote:
>
> I am running the latest patched CentOS 7.2, with FreeIPA 4.2.0, and I
> the Master node in the Data Center, then i created 3 replica's, one in
> the DC for High Availability, and then 2 Replica's in the AWS Cloud. I'm
> having major issues with the Replica's in the AWS Cloud. I am trying to
> have it so it auto-discovers the servers automatically so the failover
> is dynamic. I created the replica's as well to have a Certificate
> Authority. When I attempt to join a virtual machine in AWS to the domain
> it fails half way thru the process. I have attached a full debug of my
> ipa-client-install, hoping someone can assist me. I know prior to
> joining the 2 replicas in AWS I had absolutely no issues with joining
> servers in the DC to IDM. I built all my replica's from the Master
> server (rspsna-ipa01), so rspsna-ipa02, ipa01-ore, ipa02-ore were built
> from rspsna-ipa01.
>
> The main part that seems to fail during the (client) join is:

The important bits are needed. This part of the log is just trying to clean things up (so failures are expected and ok). We'd really need to see a full ipaclient-install.log.

>
> When I look at the slapd error log on one of the replica's i see this:
>
> [02/Mar/2016:23:40:09 +0000] - Listening on All Interfaces port 636 for
> LDAPS requests
> [02/Mar/2016:23:40:09 +0000] - Listening on
> /var/run/slapd-MYINC-LOCAL.socket for LDAPI requests
> [02/Mar/2016:23:40:09 +0000] slapd_ldap_sasl_interactive_bind - Error:
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
> GSS failure.
> Minor code may provide more information (No Kerberos
> credentials available)) errno 0 (Success)
> [02/Mar/2016:23:40:09 +0000] slapi_ldap_bind - Error: could not perform
> interactive bind for id [] authentication mechanism [GSSAPI]: error -2
> (Local error)
> [02/Mar/2016:23:40:09 +0000] NSMMReplicationPlugin -
> agmt="cn=meTorspsna-ipa01.prod.i2x.myinc.local" (rspsna-ipa01:389):
> Replication bind with GSSAPI auth failed: LDAP error -2 (Local error)
> (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
> Minor code may provide more information (No Kerberos credentials available))
> [02/Mar/2016:23:40:12 +0000] NSMMReplicationPlugin -
> agmt="cn=meToipa02-ore.prod.cloud.myinc.local" (ipa02-ore:389):
> Replication bind with GSSAPI auth resumed
> [02/Mar/2016:23:40:12 +0000] NSMMReplicationPlugin -
> agmt="cn=meTorspsna-ipa01.prod.i2x.myinc.local" (rspsna-ipa01:389):
> Replication bind with GSSAPI auth resumed

Up to here is ok and expected, this is just 389-ds realizing it doesn't have Kerberos credentials yet and obtaining them.

> [03/Mar/2016:00:07:00 +0000] slapd_ldap_sasl_interactive_bind - Error:
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
> -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is
> not connected)

For these I'd run:

$ ipa-replica-manage list -v `hostname` to see the status of the
agreements. It seems that one is unable to connect.

rob

From devin at pabstatencio.com Thu Mar 3 21:05:50 2016
From: devin at pabstatencio.com (devin at pabstatencio.com)
Date: Thu, 03 Mar 2016 21:05:50 +0000
Subject: [Freeipa-users] FreeIPA 4.2.0 / Replica / Join Issue
In-Reply-To: <56D89FAF.70506@redhat.com>
References: <56D89FAF.70506@redhat.com>
Message-ID: <619d1438a663543ddc0e1cd4507e7169@webmail.pabstatencio.com>

Rob,

Yeah i forgot to attach the file when I initially sent. I also attached the output from all the nodes.
I guess what i realized is that my agreements are a little different than i originally thought. What is also strange is on a few hosts that initially did enroll from AWS, when I look at the host via the GUI the host shows:

Kerberos Key Present, Host Provisioned
One-Time-Password Not Present
Host Certificate, No Valid Certificate

So the few that enrolled, they don't show having any Host certificates but they show Kerberos Key present and Host provisioned.

Is there a problem with the way I provisioned the Replicas? I'm just using subdomains for human clarification but they all use the same Kerberos domain, etc.

[root at ipa02-ore ~]# ipa-replica-manage list -v `hostname`
Directory Manager password:

ipa01-ore.prod.cloud.myinc.local: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: 0 Replica acquired successfully: Incremental update succeeded
  last update ended: 2016-03-03 20:39:30+00:00

[root at ipa01-ore ~]# ipa-replica-manage list -v `hostname`
ipa02-ore.prod.cloud.myinc.local: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: 0 Replica acquired successfully: Incremental update succeeded
  last update ended: 2016-03-03 20:41:20+00:00
rspsna-ipa01.prod.i2x.myinc.local: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: 0 Replica acquired successfully: Incremental update succeeded
  last update ended: 2016-03-03 20:41:29+00:00

[root at rspsna-ipa01 ~]# ipa-replica-manage list -v `hostname`
ipa01-ore.prod.cloud.myinc.local: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: 0 Replica acquired successfully: Incremental update succeeded
  last update ended: 2016-03-03 20:43:35+00:00
rspsna-ipa02.prod.i2x.myinc.local: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: 0 Replica acquired successfully: Incremental update succeeded
  last update ended: 2016-03-03 20:43:35+00:00

[root at rspsna-ipa02 ~]# ipa-replica-manage list -v `hostname`
rspsna-ipa01.prod.i2x.myinc.local: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: 0 Replica acquired successfully: Incremental update succeeded
  last update ended: 2016-03-03 20:44:14+00:00

See attached file for the initial fail.

Thanks very much for your help.

Devin Acosta

March 3 2016 1:34 PM, "Rob Crittenden" wrote:
> devin at pabstatencio.com wrote:
>
>> I am running the latest patched CentOS 7.2, with FreeIPA 4.2.0, and I
>> the Master node in the Data Center, then i created 3 replica's, one in
>> the DC for High Availability, and then 2 Replica's in the AWS Cloud. I'm
>> having major issues with the Replica's in the AWS Cloud. I am trying to
>> have it so it auto-discovers the servers automatically so the failover
>> is dynamic. I created the replica's as well to have a Certificate
>> Authority. When I attempt to join a virtual machine in AWS to the domain
>> it fails half way thru the process. I have attached a full debug of my
>> ipa-client-install, hoping someone can assist me. I know prior to
>> joining the 2 replicas in AWS I had absolutely no issues with joining
>> servers in the DC to IDM. I built all my replica's from the Master
>> server (rspsna-ipa01), so rspsna-ipa02, ipa01-ore, ipa02-ore were built
>> from rspsna-ipa01.
>>
>> The main part that seems to fail during the (client) join is:
>
> The important bits are needed. This part of the log is just trying to
> clean things up (so failures are expected and ok). We'd really need to
> see a full ipaclient-install.log.
>
>> When I look at the slapd error log on one of the replica's i see this:
>>
>> [02/Mar/2016:23:40:09 +0000] - Listening on All Interfaces port 636 for
>> LDAPS requests
>> [02/Mar/2016:23:40:09 +0000] - Listening on
>> /var/run/slapd-MYINC-LOCAL.socket for LDAPI requests
>> [02/Mar/2016:23:40:09 +0000] slapd_ldap_sasl_interactive_bind - Error:
>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
>> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
>> GSS failure. Minor code may provide more information (No Kerberos
>> credentials available)) errno 0 (Success)
>> [02/Mar/2016:23:40:09 +0000] slapi_ldap_bind - Error: could not perform
>> interactive bind for id [] authentication mechanism [GSSAPI]: error -2
>> (Local error)
>> [02/Mar/2016:23:40:09 +0000] NSMMReplicationPlugin -
>> agmt="cn=meTorspsna-ipa01.prod.i2x.myinc.local" (rspsna-ipa01:389):
>> Replication bind with GSSAPI auth failed: LDAP error -2 (Local error)
>> (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
>> Minor code may provide more information (No Kerberos credentials available))
>> [02/Mar/2016:23:40:12 +0000] NSMMReplicationPlugin -
>> agmt="cn=meToipa02-ore.prod.cloud.myinc.local" (ipa02-ore:389):
>> Replication bind with GSSAPI auth resumed
>> [02/Mar/2016:23:40:12 +0000] NSMMReplicationPlugin -
>> agmt="cn=meTorspsna-ipa01.prod.i2x.myinc.local" (rspsna-ipa01:389):
>> Replication bind with GSSAPI auth resumed
>
> Up to here is ok and expected, this is just 389-ds realizing it doesn't
> have Kerberos credentials yet and obtaining them.
>
>> [03/Mar/2016:00:07:00 +0000] slapd_ldap_sasl_interactive_bind - Error:
>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
>> -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is
>> not connected)
>
> For these I'd run:
>
> $ ipa-replica-manage list -v `hostname` to see the status of the
> agreements. It seems that one is unable to connect.
>
> rob
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ipa-issue.txt
URL:

From natxo.asenjo at gmail.com Thu Mar 3 21:20:06 2016
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Thu, 3 Mar 2016 22:20:06 +0100
Subject: [Freeipa-users] user certificate ldap EXTERNAL authentication
Message-ID:

hi,

I am testing certificate authentication to ipa ldap ( centos 7.2 ).

I have generated a user certificate following the instructions on
https://blog-ftweedal.rhcloud.com/2015/08/user-certificates-and-custom-profiles-with-freeipa-4-2/

After that I modified my $HOME/.ldaprc with these settings:

TLS_CERT /path/to/user10.pem
TLS_KEY /path/to/user10.key

The certificate has this subject:
$ openssl x509 -in user10.pem -subject -noout
subject= /O=SUB.DOMAIN.TLD/CN=user10

Then I try ldapsearch:

using GSSAPI, ldapsearch works fine:
ldapsearch -h kdc1.sub.domain.tld -ZZ -Y GSSAPI objectclass=person -s sub -b dc=sub,dc=domain,dc=tld cn

....
# search result
search: 5
result: 0 Success

# numResponses: 1002
# numEntries: 1001

Using EXTERNAL, no cookie:
$ ldapsearch -h kdc.sub.domain.tld -ZZ -Y EXTERNAL -LLL objectclass=person -s sub -b dc=sub,dc=domain,dc=tld cn
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: client certificate mapping failed

I came across this page in the 389 wiki:

http://directory.fedoraproject.org/docs/389ds/howto/howto-certmapping.html

But I am not really sure how to accomplish this.

Is this possible in freeipa?

Thanks in advance.

Regards,
Natxo

From rcritten at redhat.com Thu Mar 3 21:57:33 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 3 Mar 2016 16:57:33 -0500
Subject: [Freeipa-users] user certificate ldap EXTERNAL authentication
In-Reply-To:
References:
Message-ID: <56D8B34D.7050304@redhat.com>

Natxo Asenjo wrote:
> hi,
>
> I am testing certificate authentication to ipa ldap ( centos 7.2 ).
>
> I have generated a user certificate following the instructions on
> https://blog-ftweedal.rhcloud.com/2015/08/user-certificates-and-custom-profiles-with-freeipa-4-2/
>
> After that I modified my $HOME/.ldaprc with these settings:
>
> TLS_CERT /path/to/user10.pem
> TLS_KEY /path/to/user10.key
>
> The certificate has this subject:
> $ openssl x509 -in user10.pem -subject -noout
> subject= /O=SUB.DOMAIN.TLD/CN=user10
>
> Then I try ldapsearch:
>
> using GSSAPI, ldapsearch works fine:
> ldapsearch -h kdc1.sub.domain.tld -ZZ -Y GSSAPI objectclass=person -s
> sub -b dc=sub,dc=domain,dc=tld cn
>
> ....
> # search result
> search: 5
> result: 0 Success
>
> # numResponses: 1002
> # numEntries: 1001
>
> Using EXTERNAL, no cookie:
> $ ldapsearch -h kdc.sub.domain.tld -ZZ -Y EXTERNAL -LLL
> objectclass=person -s sub -b dc=sub,dc=domain,dc=tld cn
> SASL/EXTERNAL authentication started
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
> additional info: client certificate mapping failed
>
> I came across this page in the 389 wiki:
>
> http://directory.fedoraproject.org/docs/389ds/howto/howto-certmapping.html
>
> But I am not really sure how to accomplish this.
>
> Is this possible in freeipa?

I don't see why not. You just need to be able to map the subject of the
cert to a single entry. That's what certmap.conf attempts to do.

Given that the certificate is stored with the user you can probably even
set verifycert to on (this compares the cert in LDAP to the one
presented, it is a poor-man's CRL).

I haven't used certmap.conf in longer than I'd like to admit and it was
usually a pain to setup.
It looks like the 389-ds docs are far better than anything I used in
the past so I think it may be fairly easy. Let the 389-ds access log be
your guide to getting the filter and dn comps right.

rob

From Lachlan.Simpson at petermac.org Fri Mar 4 00:13:38 2016
From: Lachlan.Simpson at petermac.org (Simpson Lachlan)
Date: Fri, 4 Mar 2016 00:13:38 +0000
Subject: [Freeipa-users] Version name changed?
Message-ID: <0137003026EBE54FBEC540C5600C03C434BBB5@PMC-EXMBX02.petermac.org.au>

Hi,

I have just installed Spacewalk to manage my servers and I noticed that the FreeIPA wanted to update some packages.

My FreeIPA server is Centos 7.

I noticed in Spacewalk that the ipa-server package (and various bits) wanted to update, and the relevant versions were:

Installed packages:

ipa-server-4.2.0-15.el7.centos.3.x86_64

Update candidates:

ipa-server-4.2.0-15.el7_2.6.x86_64

Why has the naming structure changed from

*el7.centos.3.*

to

*el7_2.6*

?

Cheers
L.

From mbasti at redhat.com Fri Mar 4 08:04:24 2016
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 4 Mar 2016 09:04:24 +0100
Subject: [Freeipa-users] Version name changed?
In-Reply-To: <0137003026EBE54FBEC540C5600C03C434BBB5@PMC-EXMBX02.petermac.org.au>
References: <0137003026EBE54FBEC540C5600C03C434BBB5@PMC-EXMBX02.petermac.org.au>
Message-ID: <56D94188.10606@redhat.com>

On 04.03.2016 01:13, Simpson Lachlan wrote:
> Hi,
>
> I have just installed Spacewalk to manage my servers and I noticed that the FreeIPA wanted to update some packages.
>
> My FreeIPA server is Centos 7.
>
> I noticed in Spacewalk that the ipa-server package (and various bits) wanted to update, and the relevant versions were:
>
> Installed packages:
>
> ipa-server-4.2.0-15.el7.centos.3.x86_64
>
> Update candidates:
>
> ipa-server-4.2.0-15.el7_2.6.x86_64
>
>
> Why has the naming structure changed from
>
> *el7.centos.3.*
>
> to
>
> *el7_2.6*
>
> ?
>
> Cheers
> L.

Hello,

I do not know why this change was done in centos, please ask directly on
centos related lists.

However, version ipa-server-4.2.0-15.el7_2.6.x86_64 is the latest version
in RHEL and it should be valid.

Martin

From pspacek at redhat.com Fri Mar 4 08:43:32 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Fri, 4 Mar 2016 09:43:32 +0100
Subject: [Freeipa-users] FreeIPA 4.2.0 / Replica / Join Issue
In-Reply-To: <619d1438a663543ddc0e1cd4507e7169@webmail.pabstatencio.com>
References: <56D89FAF.70506@redhat.com> <619d1438a663543ddc0e1cd4507e7169@webmail.pabstatencio.com>
Message-ID: <56D94AB4.9090803@redhat.com>

On 3.3.2016 22:05, devin at pabstatencio.com wrote:
> Rob,
>
> Yeah i forgot to attach the file when I initially sent. I also attached the output from all the nodes. I guess what i realized is that my agreements are a little different than i originally thought.
What is also strange is on a few hosts that initially did enroll from AWS, when I look at the host via the GUI the host shows:
>
> Kerberos Key Present, Host Provisioned
> One-Time-Password Not Present
> Host Certificate, No Valid Certificate
>
> So the few that enrolled, they don't show having any Host certificates but they show Kerberos Key present and Host provisioned. Is there a problem with the way I provisioned the Replicas? I'm just using subdomains for human clarification but they all use the same Kerberos domain, etc.
>
>
> [root at ipa02-ore ~]# ipa-replica-manage list -v `hostname`
> Directory Manager password:
>
> ipa01-ore.prod.cloud.myinc.local: replica
>   last init status: None
>   last init ended: 1970-01-01 00:00:00+00:00
>   last update status: 0 Replica acquired successfully: Incremental update succeeded
>   last update ended: 2016-03-03 20:39:30+00:00
>
>
> [root at ipa01-ore ~]# ipa-replica-manage list -v `hostname`
> ipa02-ore.prod.cloud.myinc.local: replica
>   last init status: None
>   last init ended: 1970-01-01 00:00:00+00:00
>   last update status: 0 Replica acquired successfully: Incremental update succeeded
>   last update ended: 2016-03-03 20:41:20+00:00
> rspsna-ipa01.prod.i2x.myinc.local: replica
>   last init status: None
>   last init ended: 1970-01-01 00:00:00+00:00
>   last update status: 0 Replica acquired successfully: Incremental update succeeded
>   last update ended: 2016-03-03 20:41:29+00:00
>
> [root at rspsna-ipa01 ~]# ipa-replica-manage list -v `hostname`
>
> ipa01-ore.prod.cloud.myinc.local: replica
>   last init status: None
>   last init ended: 1970-01-01 00:00:00+00:00
>   last update status: 0 Replica acquired successfully: Incremental update succeeded
>   last update ended: 2016-03-03 20:43:35+00:00
> rspsna-ipa02.prod.i2x.myinc.local: replica
>   last init status: None
>   last init ended: 1970-01-01 00:00:00+00:00
>   last update status: 0 Replica acquired successfully: Incremental update succeeded
>   last update ended: 2016-03-03 20:43:35+00:00
>
> [root at rspsna-ipa02 ~]# ipa-replica-manage list -v `hostname`
>
> rspsna-ipa01.prod.i2x.myinc.local: replica
>   last init status: None
>   last init ended: 1970-01-01 00:00:00+00:00
>   last update status: 0 Replica acquired successfully: Incremental update succeeded
>   last update ended: 2016-03-03 20:44:14+00:00
>
> See attached file for the initial fail. Thanks very much for your help.
>
> Devin Acosta
>
> March 3 2016 1:34 PM, "Rob Crittenden" wrote:
>> devin at pabstatencio.com wrote:
>>
>>> I am running the latest patched CentOS 7.2, with FreeIPA 4.2.0, and I
>>> the Master node in the Data Center, then i created 3 replica's, one in
>>> the DC for High Availability, and then 2 Replica's in the AWS Cloud. I'm
>>> having major issues with the Replica's in the AWS Cloud. I am trying to
>>> have it so it auto-discovers the servers automatically so the failover
>>> is dynamic. I created the replica's as well to have a Certificate
>>> Authority. When I attempt to join a virtual machine in AWS to the domain
>>> it fails half way thru the process. I have attached a full debug of my
>>> ipa-client-install, hoping someone can assist me. I know prior to
>>> joining the 2 replicas in AWS I had absolutely no issues with joining
>>> servers in the DC to IDM. I built all my replica's from the Master
>>> server (rspsna-ipa01), so rspsna-ipa02, ipa01-ore, ipa02-ore were built
>>> from rspsna-ipa01.
>>>
>>> The main part that seems to fail during the (client) join is:
>>
>> The important bits are needed. This part of the log is just trying to
>> clean things up (so failures are expected and ok). We'd really need to
>> see a full ipaclient-install.log.

Hmm, I'm not sure if realm name "myinc.LOCAL" is an obfuscation artifact or
real configuration. As usual, attempts to obfuscate things make debugging
harder :-)

Generally it is not a good idea to have realm != uppercase primary IPA DNS
domain.

It seems that for some reason client is failing to find KDC's addresses.
Try to run kinit in debug mode. Before you try that you might need to
replace krb5.conf on the client with following values (taken from client
install log):

[libdefaults]
  default_realm = myinc.LOCAL
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  myinc.LOCAL = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .prod.cloud.myinc.local = myinc.LOCAL
  prod.cloud.myinc.local = myinc.LOCAL

Then you might try following command on the not-yet-enrolled host:

KRB5_TRACE=/dev/stdout kinit 'host/beanstalk01-ore.prod.cloud.myinc.local at myinc.LOCAL'

and see what it prints into the stdout.

Very important is to follow recommendations about DNS in the official docs:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/prerequisites.html#dns-reqs
and
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Securing_DNS_Traffic_with_DNSSEC.html#sec-Recommended_Naming_Practices

(In short: do *not* invent your own names like myinc.LOCAL, ever. Just a
DNS domain you actually own, always.)

Also, section "Verifying the DNS Configuration" might get handy:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-requirements.html#dns-realm-settings
(just skip the Active Directory parts and test only IPA)

I hope this will help.

Petr^2 Spacek

>>> When I look at the slapd error log on one of the replica's i see this:
>>>
>>> [02/Mar/2016:23:40:09 +0000] - Listening on All Interfaces port 636 for
>>> LDAPS requests
>>> [02/Mar/2016:23:40:09 +0000] - Listening on
>>> /var/run/slapd-MYINC-LOCAL.socket for LDAPI requests
>>> [02/Mar/2016:23:40:09 +0000] slapd_ldap_sasl_interactive_bind - Error:
>>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
>>> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
>>> GSS failure. Minor code may provide more information (No Kerberos
>>> credentials available)) errno 0 (Success)
>>> [02/Mar/2016:23:40:09 +0000] slapi_ldap_bind - Error: could not perform
>>> interactive bind for id [] authentication mechanism [GSSAPI]: error -2
>>> (Local error)
>>> [02/Mar/2016:23:40:09 +0000] NSMMReplicationPlugin -
>>> agmt="cn=meTorspsna-ipa01.prod.i2x.myinc.local" (rspsna-ipa01:389):
>>> Replication bind with GSSAPI auth failed: LDAP error -2 (Local error)
>>> (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
>>> Minor code may provide more information (No Kerberos credentials available))
>>> [02/Mar/2016:23:40:12 +0000] NSMMReplicationPlugin -
>>> agmt="cn=meToipa02-ore.prod.cloud.myinc.local" (ipa02-ore:389):
>>> Replication bind with GSSAPI auth resumed
>>> [02/Mar/2016:23:40:12 +0000] NSMMReplicationPlugin -
>>> agmt="cn=meTorspsna-ipa01.prod.i2x.myinc.local" (rspsna-ipa01:389):
>>> Replication bind with GSSAPI auth resumed
>>
>> Up to here is ok and expected, this is just 389-ds realizing it doesn't
>> have Kerberos credentials yet and obtaining them.
>>
>>> [03/Mar/2016:00:07:00 +0000] slapd_ldap_sasl_interactive_bind - Error:
>>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
>>> -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is
>>> not connected)
>>
>> For these I'd run:
>>
>> $ ipa-replica-manage list -v `hostname` to see the status of the
>> agreements.
It seems that one is unable to connect.
>>
>> rob

From natxo.asenjo at gmail.com Fri Mar 4 13:11:49 2016
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Fri, 4 Mar 2016 14:11:49 +0100
Subject: [Freeipa-users] user certificate ldap EXTERNAL authentication
In-Reply-To: <56D8B34D.7050304@redhat.com>
References: <56D8B34D.7050304@redhat.com>
Message-ID:

hi,

On Thu, Mar 3, 2016 at 10:57 PM, Rob Crittenden wrote:

> Natxo Asenjo wrote:
>
> > Using EXTERNAL, no cookie:
> > $ ldapsearch -h kdc.sub.domain.tld -ZZ -Y EXTERNAL -LLL
> > objectclass=person -s sub -b dc=sub,dc=domain,dc=tld cn
> > SASL/EXTERNAL authentication started
> > ldap_sasl_interactive_bind_s: Invalid credentials (49)
> > additional info: client certificate mapping failed
> >
> > I came across this page in the 389 wiki:
> >
> >
> http://directory.fedoraproject.org/docs/389ds/howto/howto-certmapping.html
> >
> > But I am not really sure how to accomplish this.
> >
> > Is this possible in freeipa?
>
> I don't see why not. You just need to be able to map the subject of the
> cert to a single entry. That's what certmap.conf attempts to do.
>
>
ok, I got it working but it took some effort.

Let's see, in certmap.conf the config is like this out of the box:

certmap default default
#default:DNComps
#default:FilterComps e, uid
#default:verifycert on
#default:CmapLdapAttr certSubjectDN
#default:library
#default:InitFn
default:DNComps
default:FilterComps uid
certmap ipaca CN=Certificate Authority,O=SUB.DOMAIN.TLD
ipaca:CmapLdapAttr seeAlso
ipaca:verifycert on

So, there is an additional mapping for ipaca, which is handy.
But the CmapLdapAttr points to 'seeAlso', and if you change that to
usercertificate;binary (where the usercertificates are), the tomcat pki
service will no longer start because

DN: uid=pkidbuser,ou=people,o=ipaca

has this seealso attribute: CN=CA Subsystem,O=SUB.DOMAIN.TLD

so we cannot change the cmapldapattr to something else, but we can add a
seealso attribute to the user account, like cn=username,o=SUB.DOMAIN.TLD .
And then it works.

This could be very handy for web applications. Nice.

Thanks for the pointer.

Regards,
Natxo

From rcritten at redhat.com Fri Mar 4 14:43:57 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 4 Mar 2016 09:43:57 -0500
Subject: [Freeipa-users] user certificate ldap EXTERNAL authentication
In-Reply-To:
References: <56D8B34D.7050304@redhat.com>
Message-ID: <56D99F2D.2000909@redhat.com>

Natxo Asenjo wrote:
> hi,
>
>
> On Thu, Mar 3, 2016 at 10:57 PM, Rob Crittenden
> wrote:
>
> Natxo Asenjo wrote:
>
> >
> > Using EXTERNAL, no cookie:
> > $ ldapsearch -h kdc.sub.domain.tld -ZZ -Y EXTERNAL -LLL
> > objectclass=person -s sub -b dc=sub,dc=domain,dc=tld cn
> > SASL/EXTERNAL authentication started
> > ldap_sasl_interactive_bind_s: Invalid credentials (49)
> > additional info: client certificate mapping failed
> >
> > I came across this page in the 389 wiki:
> >
> >
> http://directory.fedoraproject.org/docs/389ds/howto/howto-certmapping.html
> >
> > But I am not really sure how to accomplish this.
> >
> > Is this possible in freeipa?
>
> I don't see why not. You just need to be able to map the subject of the
> cert to a single entry. That's what certmap.conf attempts to do.
>
>
>
> ok, I got it working but it took some effort.
>
> Let's see, in certmap.conf the config is like this out of the box:
>
> certmap default default
> #default:DNComps
> #default:FilterComps e, uid
> #default:verifycert on
> #default:CmapLdapAttr certSubjectDN
> #default:library
> #default:InitFn
> default:DNComps
> default:FilterComps uid
> certmap ipaca CN=Certificate Authority,O=SUB.DOMAIN.TLD
> ipaca:CmapLdapAttr seeAlso
> ipaca:verifycert on
>
> So, there is an additional mapping for ipaca, which is handy. But the
> CmapLdapAttr points to 'seeAlso', and if you change that to
> usercertificate;binary (where the usercertificates are), the tomcat pki
> service will no longer start because
>
> DN: uid=pkidbuser,ou=people,o=ipaca
>
> has this seealso attribute: CN=CA Subsystem,O=SUB.DOMAIN.TLD
>
> so we cannot change the cmapldapattr to something else, but we can add a
> seealso attribute to the user account, like cn=username,o=SUB.DOMAIN.TLD
> . And then it works.

Ah right. Because all the subjects are the same base the same map will
be used for both DS and the CA.

Any chance you could write up a HOWTO on this?

rob

From pspacek at redhat.com Fri Mar 4 15:24:44 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Fri, 4 Mar 2016 16:24:44 +0100
Subject: [Freeipa-users] Some high level questions (DNS & CA)
In-Reply-To: <56D82D90.3000109@redhat.com>
References: <986ED6C5BA6EFD49B00A4CEABE2E8FDA276AFA49@HICTATRIUEM023.msnet.railb.be> <56D82D90.3000109@redhat.com>
Message-ID: <56D9A8BC.1040502@redhat.com>

On 3.3.2016 13:26, Martin Basti wrote:
> Hello,
>
> comments inline
>
> On 03.03.2016 13:11, Geselle Stijn wrote:
>>
>> Hello,
>>
>> We have a large Windows environment and around 50 RHEL servers (which will
>> grow to a few hundred in the future). Our goal is to be able to login with
>> our AD credentials and have sudo centrally managed. To be able to manage
To be able to manage >> users and their access/permissions we are looking into IdM combined with a >> unidirectional non-transitive AD-trust so our existing AD users can >> authenticate on the RHEL servers. >> >> I have a few (high level) questions regarding the setup of IdM: >> >> 1)There is an integrated DNS component (BIND). Is this component required? >> Because we would like to keep DNS managed by Windows (A and CNAME records). >> I have seen that there?s a forward only policy, but what?s the point of >> that? Can?t we just directly use the Windows DNS then instead of forwarding, >> i.e. point the client?s nameservers to the Windows nameservers? I?m >> obviously missing something crucial, sorry J >> > DNS subsytem is optional, you can use windows DNS for IPA (manual > configuration needed for each replica) Today we released new version of docs, please see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/ipa-linux-services.html#dns for further details regarding DNS. -- Petr^2 Spacek From natxo.asenjo at gmail.com Fri Mar 4 15:58:25 2016 From: natxo.asenjo at gmail.com (Natxo Asenjo) Date: Fri, 4 Mar 2016 16:58:25 +0100 Subject: [Freeipa-users] user certificate ldap EXTERNAL authentication In-Reply-To: <56D99F2D.2000909@redhat.com> References: <56D8B34D.7050304@redhat.com> <56D99F2D.2000909@redhat.com> Message-ID: On Fri, Mar 4, 2016 at 3:43 PM, Rob Crittenden wrote: > Ah right. Because all the subjects are the same base the same map will > be used for both DS and the CA. > > Any chance you could write up a HOWTO on this? Gladly, but I seem unable to login using my recently created fedora account. I will try later in the evening again. -- Groeten, natxo -------------- next part -------------- An HTML attachment was scrubbed... 

From natxo.asenjo at gmail.com Fri Mar 4 19:29:17 2016
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Fri, 4 Mar 2016 20:29:17 +0100
Subject: [Freeipa-users] user certificate ldap EXTERNAL authentication
In-Reply-To:
References: <56D8B34D.7050304@redhat.com> <56D99F2D.2000909@redhat.com>
Message-ID:

On Fri, Mar 4, 2016 at 4:58 PM, Natxo Asenjo wrote:

>
>
> On Fri, Mar 4, 2016 at 3:43 PM, Rob Crittenden
> wrote:
>
>> Ah right. Because all the subjects are the same base the same map will
>> be used for both DS and the CA.
>>
>> Any chance you could write up a HOWTO on this?
>
>
> Gladly, but I seem unable to login using my recently created fedora
> account. I will try later in the evening again.
>
>
when I go to http://www.freeipa.org/page/Special:OpenIDLogin to login with
the fedora account I get

OpenID error

An error occurred: an invalid token was found.

Return to Main Page .

So, sorry, I cannot edit the contribute to the wiki. I will write something
down in my own wiki and post the link here, search engines will index this
mailing list posts as well, so this knowledge will not go lost.

--
regards,
natxo

--
--
Groeten,
natxo

From rcritten at redhat.com Fri Mar 4 19:34:25 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 4 Mar 2016 14:34:25 -0500
Subject: [Freeipa-users] user certificate ldap EXTERNAL authentication
In-Reply-To:
References: <56D8B34D.7050304@redhat.com> <56D99F2D.2000909@redhat.com>
Message-ID: <56D9E341.8010900@redhat.com>

Natxo Asenjo wrote:
>
>
> On Fri, Mar 4, 2016 at 4:58 PM, Natxo Asenjo
> wrote:
>
>
>
> On Fri, Mar 4, 2016 at 3:43 PM, Rob Crittenden
> wrote:
>
> Ah right. Because all the subjects are the same base the same
> map will
> be used for both DS and the CA.
>
> Any chance you could write up a HOWTO on this?
>
>
> Gladly, but I seem unable to login using my recently created fedora
> account. I will try later in the evening again.
>
>
> when I go to http://www.freeipa.org/page/Special:OpenIDLogin to login
> with the fedora account I get
>
>
> OpenID error
>
> An error occurred: an invalid token was found.
>
> Return to Main Page .
>
>
> So, sorry, I cannot edit the contribute to the wiki. I will write
> something down in my own wiki and post the link here, search engines
> will index this mailing list posts as well, so this knowledge will not
> go lost.

It's not just you. I can't login either. I think Martin will need to
poke at this on Monday.

rob

From simo at redhat.com Fri Mar 4 22:00:26 2016
From: simo at redhat.com (Simo Sorce)
Date: Fri, 04 Mar 2016 17:00:26 -0500
Subject: [Freeipa-users] user certificate ldap EXTERNAL authentication
In-Reply-To: <56D9E341.8010900@redhat.com>
References: <56D8B34D.7050304@redhat.com> <56D99F2D.2000909@redhat.com> <56D9E341.8010900@redhat.com>
Message-ID: <1457128826.8257.160.camel@redhat.com>

On Fri, 2016-03-04 at 14:34 -0500, Rob Crittenden wrote:
> Natxo Asenjo wrote:
> >
> >
> > On Fri, Mar 4, 2016 at 4:58 PM, Natxo Asenjo
> > wrote:
> >
> >
> >
> > On Fri, Mar 4, 2016 at 3:43 PM, Rob Crittenden
> > wrote:
> >
> > Ah right. Because all the subjects are the same base the same
> > map will
> > be used for both DS and the CA.
> >
> > Any chance you could write up a HOWTO on this?
> >
> >
> > Gladly, but I seem unable to login using my recently created fedora
> > account. I will try later in the evening again.
> >
> >
> > when I go to http://www.freeipa.org/page/Special:OpenIDLogin to login
> > with the fedora account I get
> >
> >
> > OpenID error
> >
> > An error occurred: an invalid token was found.
> >
> > Return to Main Page .
> >
> >
> > So, sorry, I cannot edit the contribute to the wiki. I will write
> > something down in my own wiki and post the link here, search engines
> > will index this mailing list posts as well, so this knowledge will not
> > go lost.
>
> It's not just you. I can't login either.
I think Martin will need to
> poke at this on Monday.

I tried this just now and it worked, maybe there was an issue that has
since resolved itself ?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From natxo.asenjo at gmail.com Fri Mar 4 23:08:06 2016
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Sat, 5 Mar 2016 00:08:06 +0100
Subject: [Freeipa-users] user certificate ldap EXTERNAL authentication
In-Reply-To: <1457128826.8257.160.camel@redhat.com>
References: <56D8B34D.7050304@redhat.com> <56D99F2D.2000909@redhat.com> <56D9E341.8010900@redhat.com> <1457128826.8257.160.camel@redhat.com>
Message-ID:

On Fri, Mar 4, 2016 at 11:00 PM, Simo Sorce wrote:

> On Fri, 2016-03-04 at 14:34 -0500, Rob Crittenden wrote:
> > Natxo Asenjo wrote:
>
> > > when I go to http://www.freeipa.org/page/Special:OpenIDLogin to login
> > > with the fedora account I get
> > >
> > >
> > > OpenID error
> > >
> > > An error occurred: an invalid token was found.
> > >
> > > Return to Main Page .
> > >
> > >
> > > So, sorry, I cannot edit the contribute to the wiki. I will write
> > > something down in my own wiki and post the link here, search engines
> > > will index this mailing list posts as well, so this knowledge will not
> > > go lost.
> >
> > It's not just you. I can't login either. I think Martin will need to
> > poke at this on Monday.
>
> I tried this just now and it worked, maybe there was an issue that has
> since resolved itself ?
>
no, same error.

O well, I have this howto, just copy paste it from my mediawiki (public
domain):

https://asenjo.nl/wiki/index.php/Client_certificate_authentication_ipa

--
Groeten,
natxo
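
Added example, not written by anyone in this thread and not 389-ds code: a simplified Python model of the certmap.conf lookup discussed above, showing why the EXTERNAL bind fails until the user entry carries a seeAlso value equal to the certificate subject, and why the same mapping also serves uid=pkidbuser. The user entry DN, the certificate bytes and the DN normalisation are constructed assumptions, and only the CmapLdapAttr path is modelled (no DNComps/FilterComps fallback).

```python
"""Simplified model of a certmap.conf lookup via CmapLdapAttr (added example)."""

# certmap.conf exactly as quoted in the thread.
CERTMAP_CONF = """\
certmap default default
#default:DNComps
#default:FilterComps e, uid
#default:verifycert on
#default:CmapLdapAttr certSubjectDN
#default:library
#default:InitFn
default:DNComps
default:FilterComps uid
certmap ipaca CN=Certificate Authority,O=SUB.DOMAIN.TLD
ipaca:CmapLdapAttr seeAlso
ipaca:verifycert on
"""

ISSUER = "CN=Certificate Authority,O=SUB.DOMAIN.TLD"
SUBJECT = "CN=user10,O=SUB.DOMAIN.TLD"   # openssl printed /O=SUB.DOMAIN.TLD/CN=user10
USER_DN = "uid=user10,cn=users,cn=accounts,dc=sub,dc=domain,dc=tld"  # constructed
PKI_DN = "uid=pkidbuser,ou=people,o=ipaca"
USER_CERT = b"constructed-bytes-standing-in-for-user10-DER"
PKI_CERT = b"constructed-bytes-standing-in-for-subsystem-DER"


def norm_dn(dn):
    """Crude DN normalisation: lower-case, no spaces around ',' and '='."""
    parts = []
    for rdn in dn.split(","):
        key, _, value = rdn.partition("=")
        parts.append(key.strip().lower() + "=" + value.strip().lower())
    return ",".join(parts)


def parse_certmap(text):
    """Return {mapping name: {"issuer": dn, property (lower-cased): value}}."""
    maps = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out properties are not in effect
        if line.startswith("certmap "):
            _, name, issuer = line.split(None, 2)
            maps[name] = {"issuer": issuer}
        else:
            head, _, value = line.partition(" ")
            name, _, prop = head.partition(":")
            maps.setdefault(name, {})[prop.lower()] = value.strip()
    return maps


def select_mapping(maps, issuer_dn):
    """Pick the mapping whose issuer DN matches the certificate, else 'default'."""
    for name, props in maps.items():
        if name != "default" and norm_dn(props.get("issuer", "")) == norm_dn(issuer_dn):
            return name
    return "default"


def map_cert(maps, directory, issuer_dn, subject_dn, cert_der):
    """Return (entry DN or None, reason). None means the bind is refused."""
    name = select_mapping(maps, issuer_dn)
    props = maps[name]
    attr = props.get("cmapldapattr")
    if not attr:
        return None, name + ": no CmapLdapAttr (other lookup paths not modelled)"
    hits = [dn for dn, entry in directory.items()
            if any(norm_dn(v) == norm_dn(subject_dn) for v in entry.get(attr.lower(), []))]
    if len(hits) != 1:  # the subject must map to exactly one entry
        return None, f"{name}: {len(hits)} entries with {attr}={subject_dn}"
    stored = directory[hits[0]].get("usercertificate", [])
    if props.get("verifycert", "off").lower() == "on" and cert_der not in stored:
        return None, f"{name}: presented certificate is not stored on {hits[0]}"
    return hits[0], f"{name}: mapped via {attr}"


def demo():
    """Walk through the states described in the thread; returns the mapped DNs."""
    maps = parse_certmap(CERTMAP_CONF)
    directory = {  # constructed sample entries, attribute names lower-cased
        PKI_DN: {"seealso": ["CN=CA Subsystem,O=SUB.DOMAIN.TLD"],
                 "usercertificate": [PKI_CERT]},
        USER_DN: {"usercertificate": [USER_CERT]},
    }
    out = []
    # 1. No seeAlso on the user yet: "client certificate mapping failed".
    out.append(map_cert(maps, directory, ISSUER, SUBJECT, USER_CERT)[0])
    # 2. seeAlso added to the user account: the bind maps to that entry.
    directory[USER_DN]["seealso"] = ["cn=user10,o=SUB.DOMAIN.TLD"]
    out.append(map_cert(maps, directory, ISSUER, SUBJECT, USER_CERT)[0])
    # 3. Same subject, different certificate: refused because verifycert is on.
    out.append(map_cert(maps, directory, ISSUER, SUBJECT, b"another-cert")[0])
    # 4. The CA's own service account depends on the same seeAlso mapping.
    out.append(map_cert(maps, directory, ISSUER,
                        "CN=CA Subsystem,O=SUB.DOMAIN.TLD", PKI_CERT)[0])
    # 5. Removing the seeAlso value is what stops the mapping again.
    del directory[USER_DN]["seealso"]
    out.append(map_cert(maps, directory, ISSUER, SUBJECT, USER_CERT)[0])
    return out


if __name__ == "__main__":
    for step, dn in enumerate(demo(), 1):
        print(step, dn)
```

Nothing in this lookup consults the CA's revocation status; the outcome depends only on the seeAlso value and the certificate stored on the entry.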

From natxo.asenjo at gmail.com Fri Mar 4 23:57:55 2016
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Sat, 5 Mar 2016 00:57:55 +0100
Subject: [Freeipa-users] user certificate ldap EXTERNAL authentication
In-Reply-To:
References: <56D8B34D.7050304@redhat.com> <56D99F2D.2000909@redhat.com> <56D9E341.8010900@redhat.com> <1457128826.8257.160.camel@redhat.com>
Message-ID:

By the way, revoking the certificate does not block applications using it
from ldap.

I can still access the ldap server using this cert/key pair *after*
revoking the certificate using ipa cert-revoke . In order to block it I
need to remove the seeAlso value of the user account, or the certificate
attribute.

I do not know if this is a security issue, but maybe worthwhile
documenting just in case.

From rcritten at redhat.com Sat Mar 5 05:00:04 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Sat, 5 Mar 2016 00:00:04 -0500
Subject: [Freeipa-users] user certificate ldap EXTERNAL authentication
In-Reply-To:
References: <56D8B34D.7050304@redhat.com> <56D99F2D.2000909@redhat.com> <56D9E341.8010900@redhat.com> <1457128826.8257.160.camel@redhat.com>
Message-ID: <56DA67D4.30803@redhat.com>

Natxo Asenjo wrote:
>
> By the way, revoking the certificate does not block applications using
> it from ldap.
>
> I can still access the ldap server using this cert/key pair *after*
> revoking the certificate using ipa cert-revoke . In order to
> block it I need to remove the seeAlso value of the user account, or the
> certificate attribute.
>
> I do not know if this is a security issue, but maybe worthwhile
> documenting just in case.

SSL/TLS servers don't automatically check for cert revocation. You need
to add the CRL to the 389-ds NSS database periodically. I don't know for
sure but I don't think 389-ds can use OCSP to validate incoming client
certs.

There is an IPA ticket in the backlog to investigate this for the web
and ldap servers: https://fedorahosted.org/freeipa/ticket/3542

And yeah, as you discovered, managing the value of CmapLdapAttr is a
poor man's revocation.

rob

From csaba at jighi.com Fri Mar 4 17:16:38 2016
From: csaba at jighi.com (Csaba Patyi)
Date: Fri, 4 Mar 2016 18:16:38 +0100
Subject: [Freeipa-users] Need help with AD 2012 and FreeIPA 4.2 sync
Message-ID:

Hi Everybody,

We are trying to create sync between Windows 2012 r2 AD and FreeIPA 4.2.0
(CentOS 7) and we run into an issue.

We are following this documentation:
https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/active-directory.html

I know it is a little bit old and now the preferred method is trust and not
sync. But if my understanding is correct in trust you have to use 2
different domain like company.net <--> company.com and can not be used as
company.com <--> company.com

So anyway we are struggling with the full sync. Currently username sync is
working, but their password are not.

Replication was specified:

ipa-replica-manage connect --winsync --binddn cn=Syncadmin,cn=users,dc=company,dc=com --bindpw ad_password --passsync syncpassword --cacert /etc/openldap/certs/company.cer companypdc.company.com

On the Windows we installed and configured 389-PassSync-1.1.5-x86_64 and it
was configured as a following:

Hostname: name_of_centos_server
Password: syncpassword
Password field: userpassword
Port Number: 636
Search base cn=users,cn=compat,dc=company,dc=com
User Name uid/passync,cn=sysaccounts,cn=etc,dc=company,dc=com
User Name Field: ntuserdomainid

Log from passwordsync on windows:

03/04/16 16:45:07: Attempting to sync password for test.user
03/04/16 16:45:07: Searching for (ntuserdomainid=test.user)
03/04/16 16:45:07: There are no entries that match: test.user
03/04/16 16:45:07: Deferring password change for test.user
03/04/16 16:45:07: Backing off for 1024000ms

Trying user on CentOS:

kinit test.user -V
Using new cache: persistent:0:krb_ccache_wyIa8Nj
Using principal: test.user at COMPANY.COM
kinit: Generic preauthentication failure while getting initial credentials

log from /var/log/dirsrv/slapd-COMPANY-COM/access

[04/Mar/2016:17:10:08 +0000] conn=4 op=677 SRCH base="dc=jighi,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName= test.user at JIGHI.COM))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[04/Mar/2016:17:10:08 +0000] conn=4 op=677 RESULT err=0 tag=101 nentries=1 etime=0
[04/Mar/2016:17:10:08 +0000] conn=4 op=678 SRCH
base="cn=JIGHI.COM,cn=kerberos,dc=jighi,dc=com" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
[04/Mar/2016:17:10:08 +0000] conn=4 op=678 RESULT err=0 tag=101 nentries=1 etime=0

Can somebody help in what we are missing?

Regards,
Csaba Patyi

From abokovoy at redhat.com Sun Mar 6 17:27:55 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Sun, 6 Mar 2016 19:27:55 +0200
Subject: [Freeipa-users] Need help with AD 2012 and FreeIPA 4.2 sync
In-Reply-To:
References:
Message-ID: <20160306172755.GD4492@redhat.com>

On Fri, 04 Mar 2016, Csaba Patyi wrote:
>Hi Everybody,
>
>We are trying to create sync between Windows 2012 r2 AD and FreeIPA 4.2.0
>(CentOS 7) and we run into an issue.
>
>We are following this documentation:
>https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/active-directory.html
>
>I know it is a little bit old and now the preferred method is trust and not
>sync. But if my understanding is correct in trust you have to use 2
>different domains like company.net <--> company.com and cannot be used as
>company.com <--> company.com

Your understanding is not fully correct. You cannot have IPA machines in the same DNS zone as Active Directory. You can have IPA machines in a subdomain or a completely separate zone. If you need to present IPA machines as part of Active Directory DNS zone, you can use CNAME trick where machines are actually in .ipa.company.com (A/AAAA in that DNS zone) and have a CNAME in .company.com that points to the true name in .ipa.company.com.

Again, the reason for this is due to the fact that FreeIPA presents itself as a separate Active Directory forest and it is impossible to have two Active Directory forests to be in the same DNS zone. This is an Active Directory limitation, not FreeIPA.
--
/ Alexander Bokovoy

From f.zoske at euroimmun.de Mon Mar 7 07:34:34 2016
From: f.zoske at euroimmun.de (Zoske, Fabian)
Date: Mon, 7 Mar 2016 07:34:34 +0000
Subject: [Freeipa-users] SSSD does not fetch Sudo Rules anymore
Message-ID:

Hi,

in our environment server (ipa-server-4.2.0-15.el7_2.6.x86_64 and sssd-1.13.0-40.el7_2.1.x86_64 on CentOS 7.2) and client (ipa-client-4.2.0-15.el7_2.6.x86_64 and sssd-1.13.0-40.el7_2.1.x86_64 on CentOS 7.2) SUDO rules don't get fetched anymore.

I debugged SSSD and SUDO and found out, that the first LDAP filter is (objectClass=sudoRule) and in our IPA-LDAP every rule has the class "sudoRole" not "sudoRule".

Is there a way to fix this behavior?

Best regards,
Fabian

From mkosek at redhat.com Mon Mar 7 07:55:13 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 7 Mar 2016 08:55:13 +0100
Subject: [Freeipa-users] user certificate ldap EXTERNAL authentication
In-Reply-To:
References: <56D8B34D.7050304@redhat.com> <56D99F2D.2000909@redhat.com> <56D9E341.8010900@redhat.com> <1457128826.8257.160.camel@redhat.com>
Message-ID: <56DD33E1.8000707@redhat.com>

On 03/05/2016 12:08 AM, Natxo Asenjo wrote:
> On Fri, Mar 4, 2016 at 11:00 PM, Simo Sorce wrote:
>
>> On Fri, 2016-03-04 at 14:34 -0500, Rob Crittenden wrote:
>>> Natxo Asenjo wrote:
>>
>>>> when I go to http://www.freeipa.org/page/Special:OpenIDLogin to login
>>>> with the fedora account I get
>>>>
>>>>
>>>> OpenID error
>>>>
>>>> An error occurred: an invalid token was found.
>>>>
>>>> Return to Main Page .
>>>>
>>>>
>>>> So, sorry, I cannot edit the contribute to the wiki. I will write
>>>> something down in my own wiki and post the link here, search engines
>>>> will index this mailing list posts as well, so this knowledge will not
>>>> go lost.
>>>
>>> It's not just you. I can't login either. I think Martin will need to
>>> poke at this on Monday.
>>
>> I tried this just now and it worked, maybe there was an issue that has
>> since resolved itself ?
>>
>
> no, same error.
>
> O well, I have this howto, just copy paste it from my mediawiki (public
> domain):
>
> https://asenjo.nl/wiki/index.php/Client_certificate_authentication_ipa

I checked and I was also able to log in. I suspect it is a problem with your browser then, maybe testing it with a clear session would help.

From abokovoy at redhat.com Mon Mar 7 08:07:16 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 7 Mar 2016 10:07:16 +0200
Subject: [Freeipa-users] SSSD does not fetch Sudo Rules anymore
In-Reply-To:
References:
Message-ID: <20160307080716.GE4492@redhat.com>

On Mon, 07 Mar 2016, Zoske, Fabian wrote:
>Hi,
>
>in our environment server (ipa-server-4.2.0-15.el7_2.6.x86_64 and
>sssd-1.13.0-40.el7_2.1.x86_64 on CentOS 7.2) and client
>(ipa-client-4.2.0-15.el7_2.6.x86_64 and sssd-1.13.0-40.el7_2.1.x86_64
>on CentOS 7.2) SUDO rules don't get fetched anymore.
>
>I debugged SSSD and SUDO and found out, that the first LDAP filter is
>(objectClass=sudoRule) and in our IPA-LDAP every rule has the class
>"sudoRole" not "sudoRule".

This has nothing to do with your problem. sudoRole is a known artefact from SUDO LDAP support -- the schema SUDO uses to store data in LDAP has this object class. SSSD searches in its own cache first and in that cache it uses an object class named sudoRule. These are searches against different databases and they are perfectly fine.

>Is there a way to fix this behavior?

You need to find out what exactly is failing in your case, the 'difference' above is not a problem.
See https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO

--
/ Alexander Bokovoy

From mkosek at redhat.com Mon Mar 7 08:14:25 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 7 Mar 2016 09:14:25 +0100
Subject: [Freeipa-users] user certificate ldap EXTERNAL authentication
In-Reply-To: <56DA67D4.30803@redhat.com>
References: <56D8B34D.7050304@redhat.com> <56D99F2D.2000909@redhat.com> <56D9E341.8010900@redhat.com> <1457128826.8257.160.camel@redhat.com> <56DA67D4.30803@redhat.com>
Message-ID: <56DD3861.202@redhat.com>

On 03/05/2016 06:00 AM, Rob Crittenden wrote:
> Natxo Asenjo wrote:
>>
>> By the way, revoking the certificate does not block applications using
>> it from ldap.
>>
>> I can still access the ldap server using this cert/key pair *after*
>> revoking the certificate using ipa cert-revoke . In order to
>> block it I need to remove the seeAlso value of the user account, or the
>> certificate attribute.
>>
>> I do not know if this is a security issue, but maybe worthwhile
>> documenting just in case.
>
> SSL/TLS servers don't automatically check for cert revocation. You need
> to add the CRL to the 389-ds NSS database periodically. I don't know for
> sure but I don't think 389-ds can use OCSP to validate incoming client
> certs. There is an IPA ticket in the backlog to investigate this for the
> web and ldap servers: https://fedorahosted.org/freeipa/ticket/3542
>
> And yeah, as you discovered, managing the value of CmapLdapAttr is a
> poor man's revocation.

I saved Natxo's contributed article here:

http://www.freeipa.org/page/Howto/Client_Certificate_Authentication_with_LDAP
for now.

My take on this is that it probably works, but I am curious actually what problem you are solving. Are you interested only in allowing Certificate authentication with FreeIPA LDAP or rather in allowing certificate authentication in your application, whatever are the means?

If this is the case, would leveraging SSSD Smart Card/certificate authentication help?
At minimum, it can lookup users by certificate:

https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate

With leveraging SSSD, you should be able to avoid manual user mapping in FreeIPA LDAP. I am not sure though how the revocation would work. CCing Sumit on this one.

Martin

From f.zoske at euroimmun.de Mon Mar 7 08:37:30 2016
From: f.zoske at euroimmun.de (Zoske, Fabian)
Date: Mon, 7 Mar 2016 08:37:30 +0000
Subject: [Freeipa-users] SSSD does not fetch Sudo Rules anymore
In-Reply-To: <20160307080716.GE4492@redhat.com>
References: <20160307080716.GE4492@redhat.com>
Message-ID:

Thank you for your explanation.

I looked in the sssd_.log and found the actual LDAP-Filter.
The problem seems to be the first part again: (&(objectclass=sudoRole)(entryUSN>=485025)(!(entryUSN=485025))).
In the LDAP-Tree I can't see any attribute named entryUSN.

Is this related to the problem?

Best regards,
Fabian

-----Original Message-----
From: Alexander Bokovoy [mailto:abokovoy at redhat.com]
Sent: Monday, 7 March 2016 09:07
To: Zoske, Fabian
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] SSSD does not fetch Sudo Rules anymore

On Mon, 07 Mar 2016, Zoske, Fabian wrote:
>Hi,
>
>in our environment server (ipa-server-4.2.0-15.el7_2.6.x86_64 and
>sssd-1.13.0-40.el7_2.1.x86_64 on CentOS 7.2) and client
>(ipa-client-4.2.0-15.el7_2.6.x86_64 and sssd-1.13.0-40.el7_2.1.x86_64
>on CentOS 7.2) SUDO rules don't get fetched anymore.
>
>I debugged SSSD and SUDO and found out, that the first LDAP filter is
>(objectClass=sudoRule) and in our IPA-LDAP every rule has the class
>"sudoRole" not "sudoRule".

This has nothing to do with your problem. sudoRole is a known artefact from SUDO LDAP support -- the schema SUDO uses to store data in LDAP has this object class. SSSD searches in its own cache first and in that cache it uses an object class named sudoRule. These are searches against different databases and they are perfectly fine.

>Is there a way to fix this behavior?
You need to find out what exactly is failing in your case, the 'difference' above is not a problem. See https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO

--
/ Alexander Bokovoy

From abokovoy at redhat.com Mon Mar 7 08:54:43 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 7 Mar 2016 10:54:43 +0200
Subject: [Freeipa-users] SSSD does not fetch Sudo Rules anymore
In-Reply-To:
References: <20160307080716.GE4492@redhat.com>
Message-ID: <20160307085443.GF4492@redhat.com>

On Mon, 07 Mar 2016, Zoske, Fabian wrote:
>Thank you for your explanation.
>
>I looked in the sssd_.log and found the actual LDAP-Filter.
>The problem seems to be the first part again: (&(objectclass=sudoRole)(entryUSN>=485025)(!(entryUSN=485025))).
>In the LDAP-Tree I can't see any attribute named entryUSN.
>
>Is this related to the problem?

No, it is not. entryUSN is an attribute that is not stored in the entry, it is a feature that adds a monotonically increased value to any update of an entry. It is used to check whether entries were changed since last search.

--
/ Alexander Bokovoy

From natxo.asenjo at gmail.com Mon Mar 7 08:58:20 2016
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Mon, 7 Mar 2016 09:58:20 +0100
Subject: [Freeipa-users] user certificate ldap EXTERNAL authentication
In-Reply-To: <56DD3861.202@redhat.com>
References: <56D8B34D.7050304@redhat.com> <56D99F2D.2000909@redhat.com> <56D9E341.8010900@redhat.com> <1457128826.8257.160.camel@redhat.com> <56DA67D4.30803@redhat.com> <56DD3861.202@redhat.com>
Message-ID:

On Mon, Mar 7, 2016 at 9:14 AM, Martin Kosek wrote:

> On 03/05/2016 06:00 AM, Rob Crittenden wrote:
> > Natxo Asenjo wrote:
> >>
> >> By the way, revoking the certificate does not block applications using
> >> it from ldap.
> >>
> >> I can still access the ldap server using this cert/key pair *after*
> >> revoking the certificate using ipa cert-revoke .
In order to
> >> block it I need to remove the seeAlso value of the user account, or the
> >> certificate attribute.
> >>
> >> I do not know if this is a security issue, but maybe worthwhile
> >> documenting just in case.
> >
> > SSL/TLS servers don't automatically check for cert revocation. You need
> > to add the CRL to the 389-ds NSS database periodically. I don't know for
> > sure but I don't think 389-ds can use OCSP to validate incoming client
> > certs. There is an IPA ticket in the backlog to investigate this for the
> > web and ldap servers: https://fedorahosted.org/freeipa/ticket/3542
> >
> > And yeah, as you discovered, managing the value of CmapLdapAttr is a
> > poor man's revocation.
>
> I saved Natxo's contributed article here:
>
> http://www.freeipa.org/page/Howto/Client_Certificate_Authentication_with_LDAP
> for now.
>

Thanks!

> My take on this is that it probably works, but I am curious actually what
> problem you are solving. Are you interested only in allowing Certificate
> authentication with FreeIPA LDAP or rather in allowing certificate
> authentication in your application, whatever are the means?
>

both :-). Having name/password combinations in application settings is less desirable than having certificate/key paths. I know both accomplish the same thing (authenticate to the directory), but having certificates is less controversial (no need for third parties to know *that* password that is probably being used somewhere else as well, for instance. Having a simple way to 'revoke' the access is nice as well.

> If this is the case, would leveraging SSSD Smart Card/certificate
> authentication help? At minimum, it can lookup users by certificate:
>
> https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate
>
> With leveraging SSSD, you should be able to avoid manual user mapping in
> FreeIPA LDAP. I am not sure though how the revocation would work.
CCing
> Sumit
> on this one

Interesting, I did not know about this possibility of sssd. I need to read it through, it might address our needs. Thanks for pointing me to it.

What in my opinion would be really interesting would be to have something similar to the submission port on smtp servers. A different instance of the directory where only some kind of authentication are possible.

Right now when using port 389 I can choose between a combination of SASL mechanisms, and if in dse.ldif anonymous auth and minssf are modified, then I can force the usage of secure protocols. What I would like is to have a way to disable password authentication mechanisms on a ldap port, while keeping it enabled on the other. So we could close one port to the outside world, and keep it open on the LAN, for instance.

Is this even possible?

--
Regards,
natxo

From f.zoske at euroimmun.de Mon Mar 7 10:12:00 2016
From: f.zoske at euroimmun.de (Zoske, Fabian)
Date: Mon, 7 Mar 2016 10:12:00 +0000
Subject: [Freeipa-users] SSSD does not fetch Sudo Rules anymore
In-Reply-To: <20160307085443.GF4492@redhat.com>
References: <20160307080716.GE4492@redhat.com> <20160307085443.GF4492@redhat.com>
Message-ID:

Hi,

I looked in the sudo_debug log and found the following line:
Mar 7 11:00:08 sudo[31293] <- new_logline @ ./logging.c:867 := user NOT authorized on host ; TTY=pts/1 ; PWD=/home//f.zoske ; USER=root ; COMMAND=/bin/bash

On our IPA-Server I have following rules:

HBAC:
Name: allow_all_admins
Who: Group: admins
Accessing: Any Host
Via Service: Any Service

SUDO:
Name: allow_all_all
Who: Group: admins
Access this host: Any Host
Run Commands: Any Command
As Whom: Anyone

In our setup I have AD-Trust established to a multi domain forest and in our sssd.conf I had to adjust the UPN via the following lines (suggested by Jakub):
subdomain_inherit = ldap_user_principal
ldap_user_principal = nosuchattr

Is anything of this related to
the problem?
Shall I send you the log files of sssd and sudo?

Best regards,
Fabian

-----Original Message-----
From: Alexander Bokovoy [mailto:abokovoy at redhat.com]
Sent: Monday, 7 March 2016 09:55
To: Zoske, Fabian
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] SSSD does not fetch Sudo Rules anymore

On Mon, 07 Mar 2016, Zoske, Fabian wrote:
>Thank you for your explanation.
>
>I looked in the sssd_.log and found the actual LDAP-Filter.
>The problem seems to be the first part again: (&(objectclass=sudoRole)(entryUSN>=485025)(!(entryUSN=485025))).
>In the LDAP-Tree I can't see any attribute named entryUSN.
>
>Is this related to the problem?

No, it is not. entryUSN is an attribute that is not stored in the entry, it is a feature that adds a monotonically increased value to any update of an entry. It is used to check whether entries were changed since last search.

--
/ Alexander Bokovoy

From sbose at redhat.com Mon Mar 7 10:20:01 2016
From: sbose at redhat.com (Sumit Bose)
Date: Mon, 7 Mar 2016 11:20:01 +0100
Subject: [Freeipa-users] user certificate ldap EXTERNAL authentication
In-Reply-To:
References: <56D99F2D.2000909@redhat.com> <56D9E341.8010900@redhat.com> <1457128826.8257.160.camel@redhat.com> <56DA67D4.30803@redhat.com> <56DD3861.202@redhat.com>
Message-ID: <20160307102001.GQ3079@p.redhat.com>

On Mon, Mar 07, 2016 at 09:58:20AM +0100, Natxo Asenjo wrote:
> On Mon, Mar 7, 2016 at 9:14 AM, Martin Kosek wrote:
>
> > On 03/05/2016 06:00 AM, Rob Crittenden wrote:
> > > Natxo Asenjo wrote:
> > >>
> > >> By the way, revoking the certificate does not block applications using
> > >> it from ldap.
> > >>
> > >> I can still access the ldap server using this cert/key pair *after*
> > >> revoking the certificate using ipa cert-revoke . In order to
> > >> block it I need to remove the seeAlso value of the user account, or the
> > >> certificate attribute.
> > >>
> > >> I do not know if this is a security issue, but maybe worthwhile
> > >> documenting just in case.
> > >
> > > SSL/TLS servers don't automatically check for cert revocation. You need
> > > to add the CRL to the 389-ds NSS database periodically. I don't know for
> > > sure but I don't think 389-ds can use OCSP to validate incoming client
> > > certs. There is an IPA ticket in the backlog to investigate this for the
> > > web and ldap servers: https://fedorahosted.org/freeipa/ticket/3542
> > >
> > > And yeah, as you discovered, managing the value of CmapLdapAttr is a
> > > poor man's revocation.
> >
> > I saved Natxo's contributed article here:
> >
> > http://www.freeipa.org/page/Howto/Client_Certificate_Authentication_with_LDAP
> > for now.
> >
>
>
> Thanks!
>
>
> > My take on this is that it probably works, but I am curious actually what
> > problem you are solving. Are you interested only in allowing Certificate
> > authentication with FreeIPA LDAP or rather in allowing certificate
> > authentication in your application, whatever are the means?
> >
>
> both :-). Having name/password combinations in application settings is less
> desirable than having certificate/key paths. I know both accomplish the
> same thing (authenticate to the directory), but having certificates is less
> controversial (no need for third parties to know *that* password that is
> probably being used somewhere else as well, for instance. Having a simple
> way to 'revoke' the access is nice as well.
>
>
> > If this is the case, would leveraging SSSD Smart Card/certificate
> > authentication help? At minimum, it can lookup users by certificate:
> >
> > https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate
> >
> > With leveraging SSSD, you should be able to avoid manual user mapping in

Yes, but as you can see on the page SSSD currently requires that the whole certificate is stored in the IPA user entry.
But if your applications are web-based mod_lookup_identity might be what you are looking for http://www.adelton.com/apache/mod_lookup_identity/ .

> > FreeIPA LDAP. I am not sure though how the revocation would work. CCing
> > Sumit
> > on this one

SSSD itself can use OCSP or CRLs added to the system's NSS database /etc/pki/nss when the authentication is run through SSSD which means that SSSD must have access to the Smartcard. For other applications like e.g. apache revocation must be configured in the application because currently SSSD only checks if a certificate is valid during authentication but not when the user is looked up by a certificate because this check might delay the user lookup considerably. Additionally e.g. in the apache use case the user lookup only happens after the whole TLS/SSL handshake is finished and authentication is successful but authentication should only be successful if the certificate is valid.

bye,
Sumit

>
>
> Interesting, I did not know about this possibility of sssd. I need to read
> it through, it might address our needs. Thanks for pointing me to it.
>
> What in my opinion would be really interesting would be to have something
> similar to the submission port on smtp servers. A different instance of the
> directory where only some kind of authentication are possible.
>
> Right now when using port 389 I can choose between a combination of SASL
> mechanisms, and if in dse.ldif anonymous auth and minssf are modified, then
> I can force the usage of secure protocols. What I would like is to have a
> way to disable password authentication mechanisms on a ldap port, while
> keeping it enabled on the other. So we could close one port to the outside
> world, and keep it open on the LAN, for instance.
>
> Is this even possible?
>
> --
> Regards,
> natxo
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From abokovoy at redhat.com Mon Mar 7 10:31:18 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 7 Mar 2016 12:31:18 +0200
Subject: [Freeipa-users] SSSD does not fetch Sudo Rules anymore
In-Reply-To:
References: <20160307080716.GE4492@redhat.com> <20160307085443.GF4492@redhat.com>
Message-ID: <20160307103117.GG4492@redhat.com>

On Mon, 07 Mar 2016, Zoske, Fabian wrote:
>Hi,
>
>I looked in the sudo_debug log and found the following line:
>Mar 7 11:00:08 sudo[31293] <- new_logline @ ./logging.c:867 := user NOT authorized on host ; TTY=pts/1 ; PWD=/home//f.zoske ; USER=root ; COMMAND=/bin/bash
>
>On our IPA-Server I have following rules:
>
>HBAC:
>Name: allow_all_admins
>Who: Group: admins
>Accessing: Any Host
>Via Service: Any Service
>
>SUDO:
>Name: allow_all_all
>Who: Group: admins
>Access this host: Any Host
>Run Commands: Any Command
>As Whom: Anyone
>
>In our setup I have AD-Trust established to a multi domain forest and in our sssd.conf I had to adjust the UPN via the following lines (suggested by Jakub):
>subdomain_inherit = ldap_user_principal
>ldap_user_principal = nosuchattr
>
>Is anything of this related to the problem?
>Shall I send you the log files of sssd and sudo?

Off-list, please.

--
/ Alexander Bokovoy

From thomas.raehalme at aitiofinland.com Mon Mar 7 21:03:44 2016
From: thomas.raehalme at aitiofinland.com (Thomas Raehalme)
Date: Mon, 7 Mar 2016 23:03:44 +0200
Subject: [Freeipa-users] ipa-getcert and SELinux
Message-ID:

Hi!
I have setup certificates for Puppet as described here:
http://www.freeipa.org/page/Using_IPA's_CA_for_Puppet

Unfortunately SELinux is giving me a hard time when invoking "ipa-getcert request" to generate the private/public key for the Puppet agent (permission denied when trying to write the key pair to /var/lib/puppet/ssl).

Disabling SELinux temporarily solves the issue, but the same problem reappears when renewing the certificate (ipa-getcert reports status NEED_CERTSAVE_PERMS for the request).

What would be the proper way to enable the necessary permissions on SELinux?

Best regards,
Thomas

From rcritten at redhat.com Mon Mar 7 21:20:01 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 7 Mar 2016 16:20:01 -0500
Subject: [Freeipa-users] ipa-getcert and SELinux
In-Reply-To:
References:
Message-ID: <56DDF081.7030807@redhat.com>

Thomas Raehalme wrote:
> Hi!
>
> I have setup certificates for Puppet as described here:
> http://www.freeipa.org/page/Using_IPA's_CA_for_Puppet
>
> Unfortunately SELinux is giving me a hard time when invoking "ipa-getcert
> request" to generate the private/public key for the Puppet agent
> (permission denied when trying to write the key pair to
> /var/lib/puppet/ssl).
>
> Disabling SELinux temporarily solves the issue, but the same problem
> reappears when renewing the certificate (ipa-getcert reports status
> NEED_CERTSAVE_PERMS for the request).
>
> What would be the proper way to enable the necessary permissions on SELinux?

There is probably no rule that allows certmonger to read/write/etc in /var/lib/puppet/ssl.

The short-term fix would be to use audit2allow to generate the rule:

# setenforce permissive
# getcert request ...
# ausearch -m AVC -ts recent | audit2allow -M puppet
# semodule -i puppet.pp
# setenforce enforcing
# getcert resubmit ...

It may be preferable to label the /var/lib/puppet/ssl/* directories as certmonger_var_lib_t but I don't know what that would do to puppet. You could trade one problem for another. A BZ against selinux might be warranted to see what they think.

Note that the first route would give certmonger access to anything labeled as var_lib_t which might not be so nice. And you'd probably want to resubmit with SELinux in permissive to see if any additional perms are needed, like unlink perhaps.

rob

From matt.wells at mosaic451.com Mon Mar 7 21:33:44 2016
From: matt.wells at mosaic451.com (Matt Wells)
Date: Mon, 7 Mar 2016 13:33:44 -0800
Subject: [Freeipa-users] Users directory Browsing -
Message-ID:

Hi all, I had a quick question. I swear I had this before but that could be the voices telling me it's true....
A normal user is logging into IPA (4.2.0) and filling in their phone number and info no problem. However when that user clicks on accounts above they are then able to peruse the entire directory and all the other user accounts.
I'm trying to remove that but for the life of me can't recall the ACI or where that may be.

I really appreciate it, I'll continue to search through the previous questions and if I find it before a reply will mark this closed with the link.
Thank you all -
Wells

From prashant at apigee.com Tue Mar 8 07:05:28 2016
From: prashant at apigee.com (Prashant Bapat)
Date: Tue, 8 Mar 2016 12:35:28 +0530
Subject: [Freeipa-users] Users directory Browsing -
In-Reply-To:
References:
Message-ID:

A user will be able to list all other users and be able to read their attributes. But will not be able to change anything.

Is that an issue ? I mean on a Linux box you can read /etc/passwd file which has info about all users on that box. This doesn't cause issues.

On 8 March 2016 at 03:03, Matt Wells wrote:

> Hi all, I had a quick question.
I swear I had this before but that could
> be the voices telling me it's true....
> A normal user is logging into IPA (4.2.0) and filling in their phone
> number and info no problem. However when that user clicks on accounts
> above they are then able to peruse the entire directory and all the other
> user accounts.
> I'm trying to remove that but for the life of me can't recall the ACI or
> where that may be.
>
> I really appreciate it, I'll continue to search through the previous
> questions and if I find it before a reply will mark this closed with the
> link.
> Thank you all -
> Wells
>

From karl.forner at gmail.com Tue Mar 8 14:22:03 2016
From: karl.forner at gmail.com (Karl Forner)
Date: Tue, 8 Mar 2016 15:22:03 +0100
Subject: [Freeipa-users] cups problem that may be related to freeIPA
Message-ID:

Hello,

On an ubuntu 14.04 box, freeIPA enrolled, I am no longer authorized to administer cups via the web UI.
It used to work before the freeIPA enrollment and it works with a local account, so I strongly suspect that it is related to freeIPA.

Steps to reproduce:
open http://localhost:631/admin
click on "Add Printer"
a popup opens asking for CUPS credentials.
If I type my credentials (freeIPA user), it fails.

From the /var/log/auth.log:
Mar 8 15:14:58 pyro cupsd: pam_unix(cups:auth): authentication failure; logname= uid=0 euid=0 tty=cups ruser= rhost=localhost user=karl
Mar 8 15:14:58 pyro cupsd: pam_sss(cups:auth): Request to sssd failed. Permission denied
M

I added many local groups to my freeIPA user:
(sys),4(adm),7(lp),27(sudo),109(lpadmin),
If I enter the credentials of a local account (non managed by freeIPA), it works.

What's wrong ?

Thanks,
Karl Forner

From matt.wells at mosaic451.com Tue Mar 8 14:29:04 2016
From: matt.wells at mosaic451.com (Matt Wells)
Date: Tue, 8 Mar 2016 06:29:04 -0800
Subject: [Freeipa-users] Users directory Browsing -
In-Reply-To:
References:
Message-ID:

For my use case it is. Essentially the system will be application auth for separate groups that have no need to know of one another, almost a multi-tenant mode. I wanted to expose a 'self service' url. I've found a community ipa portal for password resets and perhaps that with slight changes can resolve this. I understand why it's that way but had hoped to be able to apply a bit more of an ACI; I've been able to ratchet the accounts down to just this one item thus far by restricting access to attributes.
I appreciate the response and if / when I find a solution I'll post it for anyone else that would require it.

On Mon, Mar 7, 2016 at 11:05 PM, Prashant Bapat wrote:

> A user will be able to list all other users and be able to read their
> attributes. But will not be able to change anything.
>
> Is that an issue ? I mean on a Linux box you can read /etc/passwd file
> which has info about all users on that box. This doesn't cause issues.
>
> On 8 March 2016 at 03:03, Matt Wells wrote:
>
>> Hi all, I had a quick question. I swear I had this before but that could
>> be the voices telling me it's true....
>> A normal user is logging into IPA (4.2.0) and filling in their phone
>> number and info no problem. However when that user clicks on accounts
>> above they are then able to peruse the entire directory and all the other
>> user accounts.
>> I'm trying to remove that but for the life of me can't recall the ACI or
>> where that may be.
>>
>> I really appreciate it, I'll continue to search through the previous
>> questions and if I find it before a reply will mark this closed with the
>> link.
>> Thank you all -
>> Wells
>>
>
>

--
Matt Wells
Chief Systems Architect
RHCA, RHCVA - #110-000-353
(702) 808-0424
matt.wells at mosaic451.com
Las Vegas | Phoenix | Portland
Mosaic451.com

From abokovoy at redhat.com Tue Mar 8 14:40:53 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 8 Mar 2016 16:40:53 +0200
Subject: [Freeipa-users] cups problem that may be related to freeIPA
In-Reply-To:
References:
Message-ID: <20160308144053.GV4492@redhat.com>

On Tue, 08 Mar 2016, Karl Forner wrote:
>Hello,
>
>On an ubuntu 14.04 box, freeIPA enrolled, I am no longer authorized to
>administer cups via the web UI.
>It used to work before the freeIPA enrollment and it works with a local
>account, so I strongly suspect that it is related to freeIPA.
>
>Steps to reproduce:
>open http://localhost:631/admin
>click on "Add Printer"
>a popup opens asking for CUPS credentials.
>If I type my credentials (freeIPA user), it fails.
>
>From the /var/log/auth.log:
>Mar 8 15:14:58 pyro cupsd: pam_unix(cups:auth): authentication failure;
>logname= uid=0 euid=0 tty=cups ruser= rhost=localhost user=karl
>Mar 8 15:14:58 pyro cupsd: pam_sss(cups:auth): Request to sssd failed.
>Permission denied
>M
>
>I added many local groups to my freeIPA user:
>(sys),4(adm),7(lp),27(sudo),109(lpadmin),
>If I enter the credentials of a local account (non managed by freeIPA), it
>works.
>
>What's wrong ?

Just an idea:
You probably have AppArmor running and its default policy might prevent cupsd to talk to sssd socket.

--
/ Alexander Bokovoy

From bob at jackland.demon.co.uk Tue Mar 8 14:48:17 2016
From: bob at jackland.demon.co.uk (Bob Hinton)
Date: Tue, 8 Mar 2016 14:48:17 +0000
Subject: [Freeipa-users] Cannot add password policy
Message-ID: <56DEE631.2090904@jackland.demon.co.uk>

Hi,

I've been trying to add a password policy for an existing user group called "services" in IPA version 4.2.0.

ipa pwpolicy-add services
ipa: ERROR: entry with name "services" already exists

ipa pwpolicy-show services
ipa: ERROR: services: password policy not found

ipa pwpolicy-del services
ipa: ERROR: services: password policy not found

ipa pwpolicy-mod services
ipa: ERROR: services: password policy not found

ipa pwpolicy-find doesn't list it.

As an experiment I've tried to add additional pwpolicy entries. If these fail due to insufficient privileges then I get the same symptoms, so it's possible that this is what happened with the services pwpolicy.

How do I correct this situation?

Many thanks

Bob Hinton

From karl.forner at gmail.com Tue Mar 8 15:21:01 2016
From: karl.forner at gmail.com (Karl Forner)
Date: Tue, 8 Mar 2016 16:21:01 +0100
Subject: [Freeipa-users] cups problem that may be related to freeIPA
In-Reply-To: <20160308144053.GV4492@redhat.com>
References: <20160308144053.GV4492@redhat.com>
Message-ID:

Very good idea indeed. Disabling the apparmor profile for cups solved the problem.
Thanks a lot !

Just an idea:
> You probably have AppArmor running and its default policy might prevent
> cupsd to talk to sssd socket.
>
> --
> / Alexander Bokovoy
>
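Added example, not part of the thread: the fix reported above was to disable the cupsd AppArmor profile, and a narrower alternative is to allow only the SSSD socket the denial names. The Python below reads AppArmor DENIED audit records for one profile, proposes local-override rules only for paths under the SSSD pipes directory, and lists every other denied path for manual review. The log lines are constructed, and the profile name /usr/sbin/cupsd, the directory /var/lib/sss/pipes/ and the override file /etc/apparmor.d/local/usr.sbin.cupsd are assumptions about a default Ubuntu install.

```python
import re

# Constructed sample: kernel audit records in the key="value" layout AppArmor logs.
SAMPLE_LOG = """\
Mar  8 15:14:58 pyro kernel: [ 8123.401] type=1400 audit(1457446498.101:91): apparmor="DENIED" operation="connect" profile="/usr/sbin/cupsd" name="/var/lib/sss/pipes/private/pam" pid=2211 comm="cupsd" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Mar  8 15:15:02 pyro kernel: [ 8127.733] type=1400 audit(1457446502.433:92): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/opt/printers/custom.ppd" pid=2211 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Mar  8 15:15:03 pyro kernel: [ 8128.020] type=1400 audit(1457446503.720:93): apparmor="ALLOWED" operation="open" profile="/usr/sbin/ntpd" name="/etc/ntp.conf" pid=901 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Mar  8 15:15:09 pyro kernel: [ 8134.512] type=1400 audit(1457446509.212:94): apparmor="DENIED" operation="connect" profile="/usr/sbin/cupsd" name="/var/lib/sss/pipes/private/pam" pid=2290 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
PERM_ORDER = "rwaklmx"               # order used when writing a file rule
SSSD_PIPES = "/var/lib/sss/pipes/"   # assumption: default SSSD socket directory
OVERRIDE = "/etc/apparmor.d/local/usr.sbin.cupsd"  # assumption: Ubuntu local override


def parse_denials(log_text, profile):
    """Return {path: set(permission letters)} for DENIED events of one profile."""
    denials = {}
    for line in log_text.splitlines():
        fields = {}
        for m in KV.finditer(line):
            fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
        if fields.get("apparmor") != "DENIED" or fields.get("profile") != profile:
            continue
        if "name" not in fields or "denied_mask" not in fields:
            continue  # not a file/socket path event
        # Log masks use c (create) and d (delete); both are covered by w in a rule.
        perms = {("w" if c in "cd" else c)
                 for c in fields["denied_mask"] if c in "rwacdklmx"}
        denials.setdefault(fields["name"], set()).update(perms)
    return denials


def suggest_rules(denials):
    """Split denials into rules safe to propose and paths needing human review."""
    rules, review = [], []
    for path in sorted(denials):
        perms = "".join(p for p in PERM_ORDER if p in denials[path])
        entry = "%s %s," % (path, perms)
        (rules if path.startswith(SSSD_PIPES) else review).append(entry)
    return rules, review


def render_override(rules):
    """Text to place in the local override file included by the cupsd profile."""
    header = "# Allow cupsd (PAM via pam_sss) to reach the SSSD responder socket\n"
    return header + "".join("%s\n" % r for r in rules)


if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG, "/usr/sbin/cupsd")
    rules, review = suggest_rules(found)
    print("# proposed content for %s" % OVERRIDE)
    print(render_override(rules), end="")
    for entry in review:
        print("# review before allowing: %s" % entry)
```

After writing the override, reloading the profile with `apparmor_parser -r /etc/apparmor.d/usr.sbin.cupsd` keeps cupsd confined instead of running it with the profile disabled.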
From darren.poulson at genesys.com Wed Mar 9 01:29:14 2016
From: darren.poulson at genesys.com (Darren Poulson)
Date: Wed, 9 Mar 2016 01:29:14 +0000
Subject: [Freeipa-users] Adding RID base to existing range
Message-ID:

Hi,

We're currently trying to set up an AD domain (great fun for a bunch of linux admins? not) so that we can get authentication working with various bits of hardware that only support AD. We want this domain to trust our existing FreeIPA setup.

When trying to ipa-adtrust-install I'm getting:

[10/22]: adding RID bases
ipa : CRITICAL Found more than one local domain ID range with no RID base set.

From reading up, I need to have the id ranges configured with primary and secondary RIDs. Is there any way to do this, or do I have to delete and recreate the ranges? And if I do that, what are the implications?

IPA 4.2.0 (CentOS 7)
AD 2012R2

Cheers,

Darren.

From pspacek at redhat.com Wed Mar 9 08:31:27 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 9 Mar 2016 09:31:27 +0100
Subject: [Freeipa-users] Users directory Browsing -
In-Reply-To:
References:
Message-ID: <56DFDF5F.8030704@redhat.com>

On 8.3.2016 15:29, Matt Wells wrote:
> For my use case it is. Essentially the system will be application auth for
> separate groups that have no need to know of one another, almost a
> multi-tenant mode. I wanted to expose a 'self service' url. I've found a
> community ipa portal for password resets and perhaps that with slight
> changes can resolve this. I understand why it's that way but had hoped to
> be able to apply a bit more of an ACI; I've been able to ratchet the
> accounts down to just this one item thus far by restricting access to
> attributes.
I appreciate the response and if / when I find a solution I'll
> post it for anyone else that would require it.

Be sure you fully think through your use cases and understand the implications.

E.g. if the LDAP is used by unix clients, locking it down to one user or group may prevent clients from translating UIDs to names and vice-versa, prevent resolving group membership etc. That would certainly break things.

In this case you might want to craft ACI which exposes POSIX attributes only and nothing else or so.

Again, think about it :-)

Petr^2 Spacek

> On Mon, Mar 7, 2016 at 11:05 PM, Prashant Bapat wrote:
>
>> A user will be able to list all other users and be able to read their
>> attributes. But will not be able to change anything.
>>
>> Is that an issue ? I mean on a Linux box you can read /etc/passwd file
>> which has info about all users on that box. This doesn't cause issues.
>>
>> On 8 March 2016 at 03:03, Matt Wells wrote:
>>
>>> Hi all, I had a quick question. I swear I had this before but that could
>>> be the voices telling me it's true....
>>> A normal user is logging into IPA (4.2.0) and filling in their phone
>>> number and info no problem. However when that user clicks on accounts
>>> above they are then able to peruse the entire directory and all the other
>>> user accounts.
>>> I'm trying to remove that but for the life of me can't recall the ACI or
>>> where that may be.
>>>
>>> I really appreciate it, I'll continue to search through the previous
>>> questions and if I find it before a reply will mark this closed with the
>>> link.
>>> Thank you all -
>>> Wells

From sbose at redhat.com Wed Mar 9 09:45:45 2016
From: sbose at redhat.com (Sumit Bose)
Date: Wed, 9 Mar 2016 10:45:45 +0100
Subject: [Freeipa-users] Adding RID base to existing range
In-Reply-To:
References:
Message-ID: <20160309094545.GV3079@p.redhat.com>

On Wed, Mar 09, 2016 at 01:29:14AM +0000, Darren Poulson wrote:
> Hi,
>
> We're currently trying to set up an AD domain (great fun for a bunch of
> linux admins? not) so that we can get authentication working with various
> bits of hardware that only support AD. We want this domain to trust our
> existing FreeIPA setup.
>
> When trying to ipa-adtrust-install I'm getting:
>
> [10/22]: adding RID bases
> ipa : CRITICAL Found more than one local domain ID range with no RID
> base set.
>
> From reading up, I need to have the id ranges configured with primary and
> secondary RIDs. Is there any way to do this, or do I have to delete and

You can use 'ipa idrange-mod ...' to add the RID bases to existing ranges.

HTH

bye,
Sumit

> recreate the ranges? And if I do that, what are the implications?
>
> IPA 4.2.0 (CentOS 7)
> AD 2012R2
>
> Cheers,
>
> Darren.
>

From prashant at apigee.com Wed Mar 9 12:36:20 2016
From: prashant at apigee.com (Prashant Bapat)
Date: Wed, 9 Mar 2016 18:06:20 +0530
Subject: [Freeipa-users] Kerberos process coredump | authentication fails
In-Reply-To:
References: <20160128082401.GX19151@p.redhat.com> <20160128112357.GC19151@p.redhat.com> <20160128175423.GF19151@p.redhat.com>
Message-ID:

To follow up on this. I think the issue is resolved.

We have 8 IPA servers. And the primary server on which this error was occurring had 7 replication agreements!
Ended up changing the replication agreements so that 2 servers had 4 agreements (3 + 1 amongst themselves) and all others with 2 agreements each. This seems to have resolved the core-dump of kerberos.

No upgrade was done.

Hope this helps someone.

On 29 January 2016 at 15:13, Prashant Bapat wrote:

> We will have to run with F21 for now. There are plans for moving to CentOS
> 7.x in the near future. Until then, I'm afraid I will have to live with
> this.
>
> Thanks much Sumit for all your help in identifying this.
>
> Regards.
> --Prashant
>
> On 28 January 2016 at 23:24, Sumit Bose wrote:
>
>> On Thu, Jan 28, 2016 at 09:36:55PM +0530, Prashant Bapat wrote:
>> > Sure. Attached the stack trace with debuginfo installed.
>> >
>> > Thanks much!
>>
>> This looks very much like the issue Simo fixed recently, but
>> unfortunately I think it is so recent that it is not available in any
>> release package. Additionally it would be quite some effort for me to
>> generate a F21 test build because as Lukas said F21 is already
>> End-of-life and there is no infrastructure anymore to easily build F21
>> package. If it would be possible to upgrade to a newer version of Fedora
>> I'd be happy to provide a test build with the patch.
>>
>> bye,
>> Sumit
>>
>> >
>> > On 28 January 2016 at 16:53, Sumit Bose wrote:
>> >
>> > > On Thu, Jan 28, 2016 at 04:42:20PM +0530, Prashant Bapat wrote:
>> > > > gdb stacktrace attached.
>> > >
>> > > Can you install the debuginfo with
>> > >
>> > > debuginfo-install krb5-server-1.12.2-19.fc21.x86_64
>> > >
>> > > as suggested by gdb and then call 'bt full' again to get more details.
>> > > Additionally the debuginfo of the freeipa package might be missing as
>> > > well.
>> > >
>> > > bye,
>> > > Sumit
>> > > >
>> > > > On 28 January 2016 at 16:27, Prashant Bapat wrote:
>> > > >
>> > > > > Thanks Sumit.
>> > > > >
>> > > > > From the logs there is nothing unusual around the time of core dump. I
>> > > > > found this one line odd though.
>> > > > >
>> > > > > *Jan 26 03:15:58 ipa.example.net krb5kdc[4471](Error): worker 4473 exited with status 134*
>> > > > >
>> > > > >
>> > > > > Let me try to get the full BT.
>> > > > >
>> > > > > On 28 January 2016 at 13:54, Sumit Bose wrote:
>> > > > >
>> > > > >> On Thu, Jan 28, 2016 at 10:25:53AM +0530, Prashant Bapat wrote:
>> > > > >> > Hi,
>> > > > >> >
>> > > > >> > We have a FreeIPA 4.1.4 setup on F21 servers. There is 1 master and 7
>> > > > >> > replicas in different regions. Earlier there was only 1 replica. Since I
>> > > > >> > added new replicas, on the master node, once in a while the kerberos
>> > > > >> > process dumps core and everything stops working - authentication,
>> > > > >> > replication etc. If we restart everything using "ipactl restart" things are
>> > > > >> > back to normal.
>> > > > >> >
>> > > > >> > Attached is the output from journalctl for kerberos.
>> > > > >> >
>> > > > >> > Has anyone come across this ? Are there any pointers to troubleshooting
>> > > > >> > this ?
>> > > > >>
>> > > > >> This might be fixed recently by a patch from Simo
>> > > > >> (2144b1eeb789639b8a3df287b580aeb6196188a8). But to help to better
>> > > > >> identify the issue the content of the kdc logs around the time of the
>> > > > >> crash might be useful. Additionally a full backtrace which you can get
>> > > > >> by calling
>> > > > >>
>> > > > >> coredumpctl gdb 4475
>> > > > >>
>> > > > >> and then
>> > > > >>
>> > > > >> bt full
>> > > > >>
>> > > > >> bye,
>> > > > >> Sumit
>> > > > >>
>> > > > >> >
>> > > > >> > Any help is appreciated.
>> > > > >> >
>> > > > >> > Thanks.
>> > > > >> > --Prashant
>> > > > >>
>> > > > >> > Jan 26 03:15:59 ipa.example.net systemd-coredump[5000]: Process 4475 (krb5kdc) of user 0 dumped core.
>> > > > >> >
>> > > > >> > Stack trace of thread 4475:
>> > > > >> > #0 0x00007f99de8c18d7 raise (libc.so.6)
>> > > > >> > #1 0x00007f99de8c353a abort (libc.so.6)
>> > > > >> > #2 0x00007f99de8ba47d __assert_fail_base (libc.so.6)
>> > > > >> > #3 0x00007f99de8ba532 __assert_fail (libc.so.6)
>> > > > >> > #4 0x00007f99d783a78f ldap_get_values_len (libldap_r-2.4.so.2)
>> > > > >> > #5 0x00007f99d7c8173e ipadb_ldap_attr_to_int (ipadb.so)
>> > > > >> > #6 0x00007f99d7c83f9c ipadb_parse_ldap_entry (ipadb.so)
>> > > > >> > #7 0x00007f99d7c849ab ipadb_get_principal (ipadb.so)
>> > > > >> > #8 0x00007f99e0433b14 krb5_db_get_principal (libkdb5.so.7)
>> > > > >> > #9 0x000055768457c230 process_tgs_req (krb5kdc)
>> > > > >> > #10 0x0000557684579fe3 dispatch (krb5kdc)
>> > > > >> > #11 0x000055768458d8a0 process_packet (krb5kdc)
>> > > > >> > #12 0x00007f99dec4cc78 verto_fire (libverto.so.1)
>> > > > >> > #13 0x00007f99d6fb72a3 epoll_event_loop_once (libtevent.so.0)
>> > > > >> > #14 0x00007f99d6fb5787 std_event_loop_once (libtevent.so.0)
>> > > > >> > #15 0x00007f99d6fb1fed _tevent_loop_once (libtevent.so.0)
>> > > > >> > #16 0x00007f99dec4c3f7 verto_run (libverto.so.1)
>> > > > >> > #17 0x00005576845795ab main (krb5kdc)
>> > > > >> > #18 0x00007f99de8acfe0 __libc_start_main (libc.so.6)
>> > > > >> > #19 0x00005576845798f0 _start (krb5kdc)
>> > > > >> >
>> > > > >> > Jan 26 03:15:59 ipa.example.net systemd-coredump[4999]: Process 4473 (krb5kdc) of user 0 dumped core.
>> > > > >> >
>> > > > >> > Stack trace of thread 4473:
>> > > > >> > #0 0x00007f99de8c18d7 raise (libc.so.6)
>> > > > >> > #1 0x00007f99de8c353a abort (libc.so.6)
>> > > > >> > #2 0x00007f99de8ba47d __assert_fail_base (libc.so.6)
>> > > > >> > #3 0x00007f99de8ba532 __assert_fail (libc.so.6)
>> > > > >> > #4 0x00007f99d783a78f ldap_get_values_len (libldap_r-2.4.so.2)
>> > > > >> > #5 0x00007f99d7c8173e ipadb_ldap_attr_to_int (ipadb.so)
>> > > > >> > #6 0x00007f99d7c83f9c ipadb_parse_ldap_entry (ipadb.so)
>> > > > >> > #7 0x00007f99d7c849ab ipadb_get_principal (ipadb.so)
>> > > > >> > #8 0x00007f99e0433b14 krb5_db_get_principal (libkdb5.so.7)
>> > > > >> > #9 0x000055768457c230 process_tgs_req (krb5kdc)
>> > > > >> > #10 0x0000557684579fe3 dispatch (krb5kdc)
>> > > > >> > #11 0x000055768458d8a0 process_packet (krb5kdc)
>> > > > >> > #12 0x00007f99dec4cc78 verto_fire (libverto.so.1)
>> > > > >> > #13 0x00007f99d6fb72a3 epoll_event_loop_once (libtevent.so.0)
>> > > > >> > #14 0x00007f99d6fb5787 std_event_loop_once (libtevent.so.0)
>> > > > >> > #15 0x00007f99d6fb1fed _tevent_loop_once (libtevent.so.0)
>> > > > >> > #16 0x00007f99dec4c3f7 verto_run (libverto.so.1)
>> > > > >> > #17 0x00005576845795ab main (krb5kdc)
>> > > > >> > #18 0x00007f99de8acfe0 __libc_start_main (libc.so.6)
>> > > > >> > #19 0x00005576845798f0 _start (krb5kdc)
>> > > > >>
>> > > > >> --
>> > > > >> Manage your subscription for the Freeipa-users mailing list:
>> > > > >>
https://www.redhat.com/mailman/listinfo/freeipa-users >> > > > >> Go to http://freeipa.org for more info on the project >> > > > >> >> > > > > >> > > > > >> > > >> > > >> > > >> > > >> >> >> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: From darren.poulson at genesys.com Wed Mar 9 13:31:00 2016 From: darren.poulson at genesys.com (Darren Poulson) Date: Wed, 9 Mar 2016 13:31:00 +0000 Subject: [Freeipa-users] Adding RID base to existing range In-Reply-To: <20160309094545.GV3079@p.redhat.com> References: <20160309094545.GV3079@p.redhat.com> Message-ID: Hi, I?d tried that, but get this: [root at freeipa1-01 ~]# ipa idrange-mod _id_range --rid-base=1000 ipa: ERROR: This command can not be used to change ID allocation for local IPA domain. Run `ipa help idrange` for more information Thanks, Darren. On 3/9/16, 9:45 AM, "freeipa-users-bounces at redhat.com on behalf of Sumit Bose" wrote: >On Wed, Mar 09, 2016 at 01:29:14AM +0000, Darren Poulson wrote: >> Hi, >> >> We?re currently trying to set up an AD domain (great fun for a bunch of >> linux admins? not) so that we can get authentication working with >>various >> bits of hardware that only support AD. We want this domain to trust our >> existing FreeIPA setup. >> >> When trying to ipa-adtrust-install I?m getting: >> >> [10/22]: adding RID bases >> ipa : CRITICAL Found more than one local domain ID range with >>no RID >> base set. >> >> >From reading up, I need to have the id ranges configured with primary >>and >> secondary RIDs. Is there any way to do this, or do I have to delete and > >You can use 'ipa idrange-mod ...' to add the RID bases to existing >ranges. > >HTH > >bye, >Sumit > >> recreate the ranges? And if I do that, what are the implications? >> >> IPA 4.2.0 (CentOS 7) >> AD 2012R2 >> >> Cheers, >> >> Darren. 
>>
>

From sbose at redhat.com Wed Mar 9 14:15:42 2016
From: sbose at redhat.com (Sumit Bose)
Date: Wed, 9 Mar 2016 15:15:42 +0100
Subject: [Freeipa-users] Adding RID base to existing range
In-Reply-To:
References: <20160309094545.GV3079@p.redhat.com>
Message-ID: <20160309141542.GB3059@p.redhat.com>

On Wed, Mar 09, 2016 at 01:31:00PM +0000, Darren Poulson wrote:
> Hi,
>
> I'd tried that, but get this:
>
> [root at freeipa1-01 ~]# ipa idrange-mod _id_range --rid-base=1000
> ipa: ERROR: This command can not be used to change ID allocation for local
> IPA domain. Run `ipa help idrange` for more information

'ipa idrange-find' should show a second idrange with 'Range type: local domain range'. Can you try if you can add the RID bases there?

bye,
Sumit

>
>
> Thanks,
>
> Darren.
>
>
> On 3/9/16, 9:45 AM, "freeipa-users-bounces at redhat.com on behalf of Sumit
> Bose"
> wrote:
>
> >On Wed, Mar 09, 2016 at 01:29:14AM +0000, Darren Poulson wrote:
> >> Hi,
> >>
> >> We're currently trying to set up an AD domain (great fun for a bunch of
> >> linux admins? not) so that we can get authentication working with various
> >> bits of hardware that only support AD. We want this domain to trust our
> >> existing FreeIPA setup.
> >>
> >> When trying to ipa-adtrust-install I'm getting:
> >>
> >> [10/22]: adding RID bases
> >> ipa : CRITICAL Found more than one local domain ID range with no RID
> >> base set.
> >>
> >> From reading up, I need to have the id ranges configured with primary and
> >> secondary RIDs. Is there any way to do this, or do I have to delete and
> >
> >You can use 'ipa idrange-mod ...' to add the RID bases to existing
> >ranges.
> >
> >HTH
> >
> >bye,
> >Sumit
> >
> >> recreate the ranges? And if I do that, what are the implications?
> >>
> >> IPA 4.2.0 (CentOS 7)
> >> AD 2012R2
> >>
> >> Cheers,
> >>
> >> Darren.
> >>
> >

From darren.poulson at genesys.com Wed Mar 9 14:21:31 2016
From: darren.poulson at genesys.com (Darren Poulson)
Date: Wed, 9 Mar 2016 14:21:31 +0000
Subject: [Freeipa-users] Adding RID base to existing range
In-Reply-To:
References: <20160309094545.GV3079@p.redhat.com>
Message-ID:

Hi,

Here's what I get. The initial default range as created by freeipa and contains all our users, and a second one that I created for system accounts.

[root at freeipa1-01 ~]# ipa idrange-find
----------------
2 ranges matched
----------------
  Range name: BUR.US.GENOPS_id_range
  First Posix ID of the range: 50000
  Number of IDs in the range: 10000
  Range type: local domain range

  Range name: System Users
  First Posix ID of the range: 500
  Number of IDs in the range: 1000
  Range type: local domain range
----------------------------
Number of entries returned 2
----------------------------

If it makes any difference, this install was initially (I believe) freeipa 3.3.

Darren.
On 3/9/16, 1:31 PM, "freeipa-users-bounces at redhat.com on behalf of Darren Poulson" wrote:

>Hi,
>
>I'd tried that, but get this:
>
>[root at freeipa1-01 ~]# ipa idrange-mod _id_range --rid-base=1000
>ipa: ERROR: This command can not be used to change ID allocation for local
>IPA domain. Run `ipa help idrange` for more information
>
>
>Thanks,
>
>Darren.
>
>
>On 3/9/16, 9:45 AM, "freeipa-users-bounces at redhat.com on behalf of Sumit
>Bose"
>wrote:
>
>>On Wed, Mar 09, 2016 at 01:29:14AM +0000, Darren Poulson wrote:
>>> Hi,
>>>
>>> We're currently trying to set up an AD domain (great fun for a bunch of
>>> linux admins? not) so that we can get authentication working with various
>>> bits of hardware that only support AD. We want this domain to trust our
>>> existing FreeIPA setup.
>>>
>>> When trying to ipa-adtrust-install I'm getting:
>>>
>>> [10/22]: adding RID bases
>>> ipa : CRITICAL Found more than one local domain ID range with no RID
>>> base set.
>>>
>>> From reading up, I need to have the id ranges configured with primary and
>>> secondary RIDs. Is there any way to do this, or do I have to delete and
>>
>>You can use 'ipa idrange-mod ...' to add the RID bases to existing
>>ranges.
>>
>>HTH
>>
>>bye,
>>Sumit
>>
>>> recreate the ranges? And if I do that, what are the implications?
>>>
>>> IPA 4.2.0 (CentOS 7)
>>> AD 2012R2
>>>
>>> Cheers,
>>>
>>> Darren.
>>>
>>
From aebruno2 at buffalo.edu Wed Mar 9 14:46:57 2016
From: aebruno2 at buffalo.edu (Andrew E. Bruno)
Date: Wed, 9 Mar 2016 09:46:57 -0500
Subject: [Freeipa-users] ipa replica failed PR_DeleteSemaphore
Message-ID: <20160309144657.GA24736@dead.ccr.buffalo.edu>

Hello,

We had a replica fail today with:

[09/Mar/2016:09:39:59 -0500] NSMMReplicationPlugin - changelog program - _cl5NewDBFile: PR_DeleteSemaphore: /var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/e909b405-2cb811e5-ac0b8f7e-e0b1a377.sema; NSPR error - -5943

dirsrv just hangs here. Doesn't seem to want to start up.. any pointers on where how to debug?

This is our first master so want to try and save it if possible.

Thanks,

--Andrew

From mkosek at redhat.com Wed Mar 9 15:03:55 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 9 Mar 2016 16:03:55 +0100
Subject: [Freeipa-users] ipa-getcert and SELinux
In-Reply-To:
References:
Message-ID: <56E03B5B.3060003@redhat.com>

On 03/07/2016 10:03 PM, Thomas Raehalme wrote:
> Hi!
>
> I have setup certificates for Puppet as described here:
> http://www.freeipa.org/page/Using_IPA's_CA_for_Puppet
>
> Unfortunately SELinux is giving me hard time when invoking "ipa-getcert
> request" to generate the private/public key for the Puppet agent
> (permission denied when trying to write the key pair to
> /var/lib/puppet/ssl).
>
> Disabling SELinux temporarily solves the issue, but the same problem
> reappears when renewing the certificate (ipa-getcert reports status
> NEED_CERTSAVE_PERMS for the request).
>
> What would be the proper way to enable the necessary permissions on SELinux?
>
> Best regards,
> Thomas

Hi Thomas,

Just for the record, I moved the page to
http://www.freeipa.org/page/Howto/Using_IPA%27s_CA_for_Puppet
and linked it from
http://www.freeipa.org/page/HowTos#Certificates

I see there was a similar page in the past, now claimed as rather outdated:
http://jcape.name/2012/01/16/using-the-freeipa-pki-with-puppet/

From lkrispen at redhat.com Wed Mar 9 15:13:28 2016
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Wed, 09 Mar 2016 16:13:28 +0100
Subject: [Freeipa-users] ipa replica failed PR_DeleteSemaphore
In-Reply-To: <20160309144657.GA24736@dead.ccr.buffalo.edu>
References: <20160309144657.GA24736@dead.ccr.buffalo.edu>
Message-ID: <56E03D98.9030705@redhat.com>

On 03/09/2016 03:46 PM, Andrew E. Bruno wrote:
> Hello,
>
> We had a replica fail today with:
>
> [09/Mar/2016:09:39:59 -0500] NSMMReplicationPlugin - changelog program - _cl5NewDBFile: PR_DeleteSemaphore: /var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/e909b405-2cb811e5-ac0b8f7e-e0b1a377.sema; NSPR error - -5943

the nspr error means:

/* Cannot create or rename a filename that already exists */
#define PR_FILE_EXISTS_ERROR (-5943L)

could you check if the file exists and if there is a permission problem for the dirsrv user to recreate it ?

if the process hangs, could you get a pstack from the process ?

>
>
> dirsrv just hangs here. Doesn't seem to want to start up.. any pointers on where how to debug?
>
> This is our first master so want to try and save it if possible.
>
> Thanks,
>
> --Andrew
>

--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill

From sbose at redhat.com Wed Mar 9 15:17:10 2016
From: sbose at redhat.com (Sumit Bose)
Date: Wed, 9 Mar 2016 16:17:10 +0100
Subject: [Freeipa-users] Adding RID base to existing range
In-Reply-To:
References: <20160309094545.GV3079@p.redhat.com>
Message-ID: <20160309151710.GC3059@p.redhat.com>

On Wed, Mar 09, 2016 at 02:21:31PM +0000, Darren Poulson wrote:
> Hi,
>
> Here's what I get. The initial default range as created by freeipa and
> contains all our users, and a second one that I created for system
> accounts.

The 'ipa idrange' utility does various checks to prevent that idranges which are in use are modified or deleted. Did you create the 'System Users' idrange just to block the IDs because they are used by accounts in /etc/passwd or do you have users with a UID between 500 and 1500 in IPA?

In the former case you can just delete the idrange and recreate it with the RID bases set. Please note the IPA won't create idranges with POSIX IDs below 200000 automatically. So it might be even possible to just delete the idrange in this case.

In the latter case you cannot remove the idrange, because there are users in it, and unfortunately you cannot modify it with 'ipa idrange-mod' either. Nevertheless you have to add the RID bases so that ipa-adtrust-install can run successfully. This can be done manually with ldapmodify as root:

ldapmodify -H ldapi://%2fvar%2frun%2fslapd-BUR-US-GENOPS.socket << EOF
dn: cn=System Users,cn=ranges,cn=etc,dc=bur,dc=us,dc=genops
changetype: modify
add: ipabaserid
ipabaserid: 200000000
-
add: ipasecondarybaserid
ipasecondarybaserid: 210000000
-
EOF

As an alternative you can remove the check from the 'ipa idrange' utility but I would recommend ldapmodify.
After this ipa-adtrust-install should run successfully because it is able to add the missing RID bases to one idrange already. I guess we should enhance it to handle multiple idranges as in your case as well.

HTH

bye,
Sumit

>
> [root at freeipa1-01 ~]# ipa idrange-find
> ----------------
> 2 ranges matched
> ----------------
> Range name: BUR.US.GENOPS_id_range
> First Posix ID of the range: 50000
> Number of IDs in the range: 10000
> Range type: local domain range
>
> Range name: System Users
> First Posix ID of the range: 500
> Number of IDs in the range: 1000
> Range type: local domain range
> ----------------------------
> Number of entries returned 2
> ----------------------------
>
> If it makes any difference, this install was initially (I believe) freeipa
> 3.3.
>
> Darren.
>
>
>
> On 3/9/16, 1:31 PM, "freeipa-users-bounces at redhat.com on behalf of Darren
> Poulson" darren.poulson at genesys.com> wrote:
>
> >Hi,
> >
> >I'd tried that, but get this:
> >
> >[root at freeipa1-01 ~]# ipa idrange-mod _id_range --rid-base=1000
> >ipa: ERROR: This command can not be used to change ID allocation for local
> >IPA domain. Run `ipa help idrange` for more information
> >
> >
> >Thanks,
> >
> >Darren.
> >
> >
> >On 3/9/16, 9:45 AM, "freeipa-users-bounces at redhat.com on behalf of Sumit
> >Bose"
> >wrote:
> >
> >>On Wed, Mar 09, 2016 at 01:29:14AM +0000, Darren Poulson wrote:
> >>> Hi,
> >>>
> >>> We're currently trying to set up an AD domain (great fun for a bunch of
> >>> linux admins? not) so that we can get authentication working with various
> >>> bits of hardware that only support AD. We want this domain to trust our
> >>> existing FreeIPA setup.
> >>>
> >>> When trying to ipa-adtrust-install I'm getting:
> >>>
> >>> [10/22]: adding RID bases
> >>> ipa : CRITICAL Found more than one local domain ID range with no RID
> >>> base set.
> >>>
> >>> From reading up, I need to have the id ranges configured with primary and
> >>> secondary RIDs.
Is there any way to do this, or do I have to delete and
> >>
> >>You can use 'ipa idrange-mod ...' to add the RID bases to existing
> >>ranges.
> >>
> >>HTH
> >>
> >>bye,
> >>Sumit
> >>
> >>> recreate the ranges? And if I do that, what are the implications?
> >>>
> >>> IPA 4.2.0 (CentOS 7)
> >>> AD 2012R2
> >>>
> >>> Cheers,
> >>>
> >>> Darren.
> >>>
> >>

From matt.wells at mosaic451.com Wed Mar 9 15:32:38 2016
From: matt.wells at mosaic451.com (Matt Wells)
Date: Wed, 09 Mar 2016 15:32:38 +0000
Subject: [Freeipa-users] Users directory Browsing -
In-Reply-To: <56DFDF5F.8030704@redhat.com>
References: <56DFDF5F.8030704@redhat.com>
Message-ID:

A really good point however I'm fortunate enough that the only items authentication are applications. I agree with you also that it's a bit of a Pandora's box; I've decided that it's best to leave the systems in default state and use a tool like PWM for this self service component.

On Wed, Mar 9, 2016 at 12:37 AM Petr Spacek wrote:

> On 8.3.2016 15:29, Matt Wells wrote:
> > For my use case it is. Essentially the system will be application auth for
> > separate groups that have no need to know of one another, almost a
> > multi-tenant mode. I wanted to expose a 'self service' url. I've found a
> > community ipa portal for password resets and perhaps that with slight
> > changes can resolve this. I understand why it's that way but had hoped to
> > be able to apply a bit more of an ACI; I've been able to ratchet the
> > accounts down to just this one item thus far by restricting access to
> > attributes.
I appreciate the response and if / when I find a solution I'll
> > post it for anyone else that would require it.
>
> Be sure you fully think through your use cases and understand the
> implications.
>
> E.g. if the LDAP is used by unix clients, locking it down to one user or group
> may prevent clients from translating UIDs to names and vice-versa, prevent
> resolving group membership etc. That would certainly break things.
>
> In this case you might want to craft ACI which exposes POSIX attributes only
> and nothing else or so.
>
> Again, think about it :-)
>
> Petr^2 Spacek
>
> > On Mon, Mar 7, 2016 at 11:05 PM, Prashant Bapat wrote:
> >
> >> A user will be able to list all other users and be able to read their
> >> attributes. But will not be able to change anything.
> >>
> >> Is that an issue ? I mean on a Linux box you can read /etc/passwd file
> >> which has info about all users on that box. This doesn't cause issues.
> >>
> >> On 8 March 2016 at 03:03, Matt Wells wrote:
> >>
> >>> Hi all, I had a quick question. I swear I had this before but that could
> >>> be the voices telling me it's true....
> >>> A normal user is logging into IPA (4.2.0) and filling in their phone
> >>> number and info no problem. However when that user clicks on accounts
> >>> above they are then able to peruse the entire directory and all the other
> >>> user accounts.
> >>> I'm trying to remove that but for the life of me can't recall the ACI or
> >>> where that may be.
> >>>
> >>> I really appreciate it, I'll continue to search through the previous
> >>> questions and if I find it before a reply will mark this closed with the
> >>> link.
> >>> Thank you all - > >>> Wells > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > -- Matt Wells Chief Systems Architect RHCA, RHCVA - #110-000-353 (702) 808-0424 matt.wells at mosaic451.com Las Vegas | Phoenix | Portland Mosaic451.com CONFIDENTIALITY NOTICE: This transmittal is a confidential communication or may otherwise be privileged. If you are not intended recipient, you are hereby notified that you have received this transmittal in error and that any review, dissemination, distribution or copying of this transmittal is strictly prohibited. If you have received this communication in error, please notify this office, and immediately delete this message and all its attachments, if any. -------------- next part -------------- An HTML attachment was scrubbed... URL: From aebruno2 at buffalo.edu Wed Mar 9 15:37:05 2016 From: aebruno2 at buffalo.edu (Andrew E. Bruno) Date: Wed, 9 Mar 2016 10:37:05 -0500 Subject: [Freeipa-users] ipa replica failed PR_DeleteSemaphore In-Reply-To: <56E03D98.9030705@redhat.com> References: <20160309144657.GA24736@dead.ccr.buffalo.edu> <56E03D98.9030705@redhat.com> Message-ID: <20160309153705.GB24736@dead.ccr.buffalo.edu> On Wed, Mar 09, 2016 at 04:13:28PM +0100, Ludwig Krispenz wrote: > > On 03/09/2016 03:46 PM, Andrew E. Bruno wrote: > >Hello, > > > >We had a replica fail today with: > > > >[09/Mar/2016:09:39:59 -0500] NSMMReplicationPlugin - changelog program - _cl5NewDBFile: PR_DeleteSemaphore: /var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/e909b405-2cb811e5-ac0b8f7e-e0b1a377.sema; NSPR error - -5943 > the nspr error means: > /* Cannot create or rename a filename that already exists */ > #define PR_FILE_EXISTS_ERROR (-5943L) > > could you check if the file exists and if there is a permission problem for > the dirsrv user to recreate it ? 
Looks like the file exists:

# ls -alh /var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/e909b405-2cb811e5-ac0b8f7e-e0b1a377.sema
-rw-r--r-- 1 dirsrv dirsrv 0 Mar 9 09:39 /var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/e909b405-2cb811e5-ac0b8f7e-e0b1a377.sema

> if the process hangs, could you get a pstack from the process ?

We did a systemctl restart ipa.. which failed.. but looks like the dirsrv is
still running. The logs are now filling up with:

[09/Mar/2016:10:23:10 -0500] DSRetroclPlugin - delete_changerecord: could not delete change record 11272988 (rc: 32)
[09/Mar/2016:10:23:10 -0500] DSRetroclPlugin - delete_changerecord: could not delete change record 11272989 (rc: 32)
[09/Mar/2016:10:23:10 -0500] DSRetroclPlugin - delete_changerecord: could not delete change record 11272990 (rc: 32)

However, if I do a kinit:

kinit: Cannot contact any KDC for realm 'CBLS.CCR.BUFFALO.EDU' while getting initial credentials

Should I be concerned that this will end up corrupting the other replicas?
Should we just let this finish?

We have 3 replicas in our system. Looks like we just lost a second one. This
feels very similar to the error we hit a while back:

https://www.redhat.com/archives/freeipa-users/2015-September/msg00006.html

We're seeing the exact same behavior.. access logs are filling up with:

[09/Mar/2016:10:26:03 -0500] conn=6877203 fd=4003 slot=4003 connection from 10.113.14.131 to 10.113.14.131
[09/Mar/2016:10:26:03 -0500] conn=6877204 fd=4004 slot=4004 connection from 10.116.28.10 to 10.113.14.131
[09/Mar/2016:10:26:09 -0500] conn=6877205 fd=4005 slot=4005 connection from 10.113.14.131 to 10.113.14.131
[09/Mar/2016:10:26:15 -0500] conn=6877206 fd=4006 slot=4006 connection from 10.113.14.131 to 10.113.14.131
[09/Mar/2016:10:26:21 -0500] conn=6877207 fd=4007 slot=4007 connection from 10.113.14.131 to 10.113.14.131
[09/Mar/2016:10:26:27 -0500] conn=6877208 fd=4008 slot=4008 connection from 10.113.14.131 to 10.113.14.131
[09/Mar/2016:10:26:28 -0500] conn=6877209 fd=4009 slot=4009 connection from 10.116.28.33 to 10.113.14.131
[09/Mar/2016:10:26:30 -0500] conn=6877210 fd=4010 slot=4010 connection from 10.116.28.23 to 10.113.14.131
[09/Mar/2016:10:26:33 -0500] conn=6877211 fd=4011 slot=4011 connection from 10.113.14.131 to 10.113.14.131

The ns-slapd process is showing this from top:

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
24951 dirsrv 20 0 15.477g 0.013t 6.067g S 0.0 27.3 101566:54 ns-slapd

I'd be happy to provide a pstack but can't seem to get the correct debuginfo
packages installed.. we're running centos7 and 389-ds-base 1.3.3.1. We haven't
upgraded to 1.3.4.0. How can I get the debuginfo packages installed for that
specific version.

Thanks!

--Andrew

From aebruno2 at buffalo.edu Wed Mar 9 15:46:31 2016
From: aebruno2 at buffalo.edu (Andrew E. Bruno)
Date: Wed, 9 Mar 2016 10:46:31 -0500
Subject: [Freeipa-users] ipa replica failed PR_DeleteSemaphore
In-Reply-To: <20160309153705.GB24736@dead.ccr.buffalo.edu>
References: <20160309144657.GA24736@dead.ccr.buffalo.edu> <56E03D98.9030705@redhat.com> <20160309153705.GB24736@dead.ccr.buffalo.edu>
Message-ID: <20160309154631.GC24736@dead.ccr.buffalo.edu>

On Wed, Mar 09, 2016 at 10:37:05AM -0500, Andrew E. Bruno wrote:
> On Wed, Mar 09, 2016 at 04:13:28PM +0100, Ludwig Krispenz wrote:
> >
> > if the process hangs, could you get a pstack from the process ?
> >
> I'd be happy to provide a pstack but can't seem to get the correct debuginfo
> packages installed.. we're running centos7 and 389-ds-base 1.3.3.1. We haven't
> upgraded to 1.3.4.0. How can I get the debuginfo packages installed for that
> specific version.

Never mind.. I got the debuginfo packages. Attached is the stacktrace of our
second failed replica that's currently hung.

Should we systemctl restart ipa? What's the best way to recover here. reboot?

Thanks again.

--Andrew
-------------- next part --------------
#2 0x00007f98330cffce in PR_WaitCondVar () from /lib64/libnspr4.so No symbol table info available. #3 0x00007f9828f6d374 in protocol_sleep (prp=0x7f983bba5620, duration=300000) at ldap/servers/plugins/replication/repl5_inc_protocol.c:1236 No locals. #4 0x00007f9828f70576 in repl5_inc_run (prp=) at ldap/servers/plugins/replication/repl5_inc_protocol.c:797 rc = prp_priv = replica = 0x0 cons_schema_csn = 0x7f9674049790 ruv = 0x0 num_changes_sent = 0 use_busy_backoff_timer = next_fire_time = now = 1444747420 busywaittime = 0 pausetime = 0 loops = wait_change_timer_set = 1 current_state = 2 next_state = 2 optype = 5 ldaprc = 0 done = 0 e1 = #5 0x00007f9828f7440c in prot_thread_main (arg=0x7f983bbaa350) at ldap/servers/plugins/replication/repl5_protocol.c:296 rp = 0x7f983bbaa350 done = 0 agmt = 0x7f983bba4cf0 #6 0x00007f98330d57bb in _pt_root () from /lib64/libnspr4.so No symbol table info available. #7 0x00007f9832a76df5 in start_thread () from /lib64/libpthread.so.0 No symbol table info available. #8 0x00007f98327a41ad in clone () from /lib64/libc.so.6 No symbol table info available. Thread 40 (Thread 0x7f967b5e0700 (LWP 24962)): #0 0x00007f9832a7a705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 No symbol table info available. #1 0x00007f98330d0050 in PR_WaitCondVar () from /lib64/libnspr4.so No symbol table info available. #2 0x00007f9834d06438 in slapi_wait_condvar (cvar=0x7f983bbc51b0, timeout=timeout at entry=0x0) at ldap/servers/slapd/slapi2nspr.c:179 prit = #3 0x00007f982789bedd in roles_cache_wait_on_change (arg=0x7f983bb9e8b0) at ldap/servers/plugins/roles/roles_cache.c:433 roles_def = 0x7f983bb9e8b0 #4 0x00007f98330d57bb in _pt_root () from /lib64/libnspr4.so No symbol table info available. #5 0x00007f9832a76df5 in start_thread () from /lib64/libpthread.so.0 No symbol table info available. #6 0x00007f98327a41ad in clone () from /lib64/libc.so.6 No symbol table info available. 
Thread 39 (Thread 0x7f967addf700 (LWP 24963)): #0 0x00007f9832a7a705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 No symbol table info available. #1 0x00007f98330d0050 in PR_WaitCondVar () from /lib64/libnspr4.so No symbol table info available. #2 0x00007f9834d06438 in slapi_wait_condvar (cvar=0x7f983bbc5140, timeout=timeout at entry=0x0) at ldap/servers/slapd/slapi2nspr.c:179 prit = #3 0x00007f982789bedd in roles_cache_wait_on_change (arg=0x7f983bb9e7a0) at ldap/servers/plugins/roles/roles_cache.c:433 roles_def = 0x7f983bb9e7a0 #4 0x00007f98330d57bb in _pt_root () from /lib64/libnspr4.so No symbol table info available. #5 0x00007f9832a76df5 in start_thread () from /lib64/libpthread.so.0 No symbol table info available. #6 0x00007f98327a41ad in clone () from /lib64/libc.so.6 No symbol table info available. Thread 38 (Thread 0x7f967a5de700 (LWP 24964)): #0 0x00007f9832a7a705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 No symbol table info available. #1 0x00007f98330d0050 in PR_WaitCondVar () from /lib64/libnspr4.so No symbol table info available. #2 0x00007f9834d06438 in slapi_wait_condvar (cvar=0x7f983bbd1c20, timeout=timeout at entry=0x0) at ldap/servers/slapd/slapi2nspr.c:179 prit = #3 0x00007f982789bedd in roles_cache_wait_on_change (arg=0x7f983bb9e690) at ldap/servers/plugins/roles/roles_cache.c:433 roles_def = 0x7f983bb9e690 #4 0x00007f98330d57bb in _pt_root () from /lib64/libnspr4.so No symbol table info available. #5 0x00007f9832a76df5 in start_thread () from /lib64/libpthread.so.0 No symbol table info available. #6 0x00007f98327a41ad in clone () from /lib64/libc.so.6 No symbol table info available. Thread 37 (Thread 0x7f9679bd9700 (LWP 24965)): #0 0x00007f9832a7aab2 in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 No symbol table info available. #1 0x00007f98330cfb07 in pt_TimedWait () from /lib64/libnspr4.so No symbol table info available. 
#2 0x00007f98330cffce in PR_WaitCondVar () from /lib64/libnspr4.so No symbol table info available. #3 0x00007f98351baa93 in housecleaning (cur_time=) at ldap/servers/slapd/house.c:77 interval = 30000 #4 0x00007f98330d57bb in _pt_root () from /lib64/libnspr4.so No symbol table info available. #5 0x00007f9832a76df5 in start_thread () from /lib64/libpthread.so.0 No symbol table info available. #6 0x00007f98327a41ad in clone () from /lib64/libc.so.6 No symbol table info available. Thread 36 (Thread 0x7f96793d8700 (LWP 24966)): #0 0x00007f9832a7a705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 No symbol table info available. #1 0x00007f98330d02c3 in PR_EnterMonitor () from /lib64/libnspr4.so No symbol table info available. #2 0x00007f98291f7132 in dblayer_lock_backend (be=) at ldap/servers/slapd/back-ldbm/dblayer.c:3946 inst = #3 0x00007f98291fbf36 in dblayer_txn_begin (be=0x7f98366e74c0, parent_txn=0x0, txn=txn at entry=0x7f96793d58a0) at ldap/servers/slapd/back-ldbm/dblayer.c:3668 li = 0x7f98364e9ce0 rc = 0 #4 0x00007f9829237827 in ldbm_back_modify (pb=) at ldap/servers/slapd/back-ldbm/ldbm_modify.c:560 cache_rc = 0 new_mod_count = 0 be = 0x7f98366e74c0 inst = 0x7f98366efc40 li = 0x7f98364e9ce0 e = 0x0 ec = 0x0 original_entry = 0x0 tmpentry = 0x0 postentry = 0x0 mods = 0x7f966c00b750 mods_original = 0x0 smods = {mods = 0x0, num_elements = 0, num_mods = 0, iterator = 0, free_mods = 0} txn = {back_txn_txn = 0x0} parent_txn = 0x0 ruv_c = {old_entry = 0x0, new_entry = 0x0, smods = 0x0, attr_encrypt = 0} ruv_c_init = 0 retval = -1 msg = errbuf = 0x0 retry_count = 0 disk_full = 0 ldap_result_code = 0 ldap_result_message = 0x0 rc = 0 operation = 0x7f966c00fe10 addr = 0x7f966c00fee8 is_fixup_operation = 16 is_ruv = 131072 opcsn = repl_op = 8 opreturn = 0 mod_count = 0 not_an_error = 0 fixup_tombstone = 0 #5 0x00007f9834cd20e1 in op_shared_modify (pb=pb at entry=0x7f966c00f8c0, pw_change=pw_change at entry=0, old_pw=0x0) at ldap/servers/slapd/modify.c:1086 
rc = 0 be = 0x7f98366e74c0 pse = 0x7f966c006270 referral = 0x0 e = 0x0 dn = 0x7f983bbdb4b0 "dc=cbls,dc=ccr,dc=buffalo,dc=edu" normdn = sdn = 0x7f983bbdb460 passin_sdn = 1 mods = 0x7f966c00b750 pw_mod = tmpmods = 0x7f966c00b750 smods = {mods = 0x0, num_elements = 0, num_mods = 0, iterator = 0, free_mods = 0} repl_op = 8 internal_op = 32 lastmod = 1 skip_modified_attrs = 0 unhashed_pw_attr = 0x0 operation = 0x7f966c00fe10 errorbuf = '\000' , "\001\000\000\000\000\000\000\000\200\020J6\230\177\000\000\000\000\000\000\000\000\000\000 \037\000l\226\177\000\000\000\000\000\000\000\000\000\000\020\312\000l\226\177\000\000\000\320\002l\226\177", '\000' , "\213\000l\226\177", '\000' , "\016\000\000\000\r\000\000\000\t\000\000\000s\000\000\000\002\000\000\000\035\001\000\000\020\343\002l\226\177\000\000?\002l\226\177\000\000?2\230\177\000\000\020\\=y\226\177", '\000' , "\300tn"... err = lc_mod = p = i = proxydn = 0x0 proxy_err = errtext = 0x0 #6 0x00007f9834cd2ba4 in modify_internal_pb (pb=pb at entry=0x7f966c00f8c0) at ldap/servers/slapd/modify.c:631 controls = 0x0 pwpolicy_ctrl = 0 op = 0x7f966c00fe10 opresult = 0 normalized_mods = 0x7f966c00b750 mods = 0x7f96793d7c70 mod = 0x7f966c00b768 smods = {mods = 0x7f9600000000, num_elements = 1520261632, num_mods = -1034264626, iterator = 1812003008, free_mods = 32662} pw_change = old_pw = 0x0 #7 0x00007f9834cd36a3 in slapi_modify_internal_pb (pb=pb at entry=0x7f966c00f8c0) at ldap/servers/slapd/modify.c:486 No locals. 
#8 0x00007f9828f7a7d4 in replica_write_ruv (r=r at entry=0x7f983bbb1100) at ldap/servers/plugins/replication/repl5_replica.c:2767 rc = 0 smod = {mod = 0x7f966c02d000, num_elements = 5, num_values = 4, iterator = 0, free_mod = 1} rmod = {mod = 0x7f966c0034b0, num_elements = 3, num_values = 1, iterator = 0, free_mod = 1} smod_last_modified = {mod = 0x7f966c0076f0, num_elements = 4, num_values = 3, iterator = 0, free_mod = 1} mods = {0x7f966c02d000, 0x7f966c0076f0, 0x7f966c0034b0, 0x0} pb = 0x7f966c00f8c0 #9 0x00007f9828f7aa5d in replica_update_state (when=, arg=) at ldap/servers/plugins/replication/repl5_replica.c:2700 rc = 0 replica_name = replica_object = 0x7f983bbde420 r = 0x7f983bbb1100 smod = {mod = 0x7f966c010420, num_elements = 2, num_values = 1, iterator = 0, free_mod = 1} mods = {0x7f966c010420, 0x0, 0x56e02dbc} pb = 0x7f966c006270 dn = 0x7f966c001f20 "cn=replica,cn=\"dc=cbls,dc=ccr,dc=buffalo,dc=edu\",cn=mapping tree,cn=config" vals = {0x7f9836677a20, 0x0} val = {bv_len = 140291661601923, bv_val = 0x1
} mod = {mod_op = 1457532345, mod_type = 0xc25a5fce5a9d5a00
, mod_vals = {modv_strvals = 0x7f9836694e80, modv_bvals = 0x7f9836694e80}} #10 0x00007f9834cad26a in eq_call_all () at ldap/servers/slapd/eventq.c:312 p = 0x7f983bb9bc10 #11 eq_loop (arg=) at ldap/servers/slapd/eventq.c:359 timeout = until = #12 0x00007f98330d57bb in _pt_root () from /lib64/libnspr4.so No symbol table info available. #13 0x00007f9832a76df5 in start_thread () from /lib64/libpthread.so.0 No symbol table info available. #14 0x00007f98327a41ad in clone () from /lib64/libc.so.6 No symbol table info available. Thread 35 (Thread 0x7f966bfff700 (LWP 24968)): #0 0x00007f9832a7a705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 No symbol table info available. #1 0x00007f982c9f72f3 in __db_hybrid_mutex_suspend () from /lib64/libdb-5.3.so No symbol table info available. #2 0x00007f982c9f6640 in __db_tas_mutex_lock () from /lib64/libdb-5.3.so No symbol table info available. #3 0x00007f982caa0cea in __lock_get_internal () from /lib64/libdb-5.3.so No symbol table info available. #4 0x00007f982caa17d0 in __lock_get () from /lib64/libdb-5.3.so No symbol table info available. #5 0x00007f982cacd112 in __db_lget () from /lib64/libdb-5.3.so No symbol table info available. #6 0x00007f982ca145f5 in __bam_search () from /lib64/libdb-5.3.so No symbol table info available. #7 0x00007f982c9ff256 in __bamc_search () from /lib64/libdb-5.3.so No symbol table info available. #8 0x00007f982ca01233 in __bamc_get () from /lib64/libdb-5.3.so No symbol table info available. #9 0x00007f982cab9c56 in __dbc_iget () from /lib64/libdb-5.3.so No symbol table info available. #10 0x00007f982cac8ad2 in __dbc_get_pp () from /lib64/libdb-5.3.so No symbol table info available. 
#11 0x00007f982922b764 in _entryrdn_get_elem (cursor=cursor at entry=0x7f9646548920, key=key at entry=0x7f966bff5b70, data=data at entry=0x7f966bff5ba0, comp_key=0x7f9523a48e90 "cn=etc", elem=elem at entry=0x7f966bff5b60, db_txn=db_txn at entry=0x0) at ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c:1807 rc = ptr = 0x7f949d61d330 #12 0x00007f982922edea in _entryrdn_index_read (be=be at entry=0x7f98366e74c0, cursor=0x7f9646548920, srdn=srdn at entry=0x7f966bff7c90, elem=elem at entry=0x7f966bff7c88, parentelem=parentelem at entry=0x0, childelems=childelems at entry=0x0, flags=flags at entry=0, db_txn=db_txn at entry=0x0) at ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c:3340 rc = 0 len = 23 id = 1 nrdn = 0x7f949f731a50 "dc=cbls,dc=ccr,dc=buffalo,dc=edu" childnrdn = 0x7f9523a48e90 "cn=etc" rdnidx = 3 keybuf = 0x7f949e80e770 "C1" key = {data = 0x7f949e80e770, size = 3, ulen = 3, dlen = 8, doff = 0, app_data = 0x7f949ff0e030, flags = 2056} data = {data = 0x7f949d61d330, size = 23, ulen = 23, dlen = 0, doff = 0, app_data = 0x0, flags = 2048} childnum = 32 curr_childnum = 0 tmpsrdn = 0x7f949f0dc300 tmpelem = 0x7f949d61d330 #13 0x00007f982923014a in entryrdn_index_read_ext (be=be at entry=0x7f98366e74c0, sdn=sdn at entry=0x7f949f4aa6f0, id=id at entry=0x7f966bff7d24, flags=flags at entry=0, txn=txn at entry=0x7f966bff7f00) at ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c:448 rc = 0 ai = 0x7f98367159b0 srdn = {flag = 0 '\000', rdn = 0x7f9523a505d0 "cn=cpn-d09-17-02.cbls.ccr.buffalo.edu", rdns = 0x0, butcheredupto = -1, nrdn = 0x0, all_rdns = 0x7f949f4be420, all_nrdns = 0x7f949c4310e0} db = 0x7f98367d0680 db_txn = 0x0 cursor = 0x7f9646548920 elem = 0x7f952104e690 db_retry = #14 0x00007f9829200849 in dn2entry_ext (be=be at entry=0x7f98366e74c0, sdn=sdn at entry=0x7f949f4aa6f0, txn=txn at entry=0x7f966bff7f00, flags=flags at entry=0, err=err at entry=0x7f966bff7ddc) at ldap/servers/slapd/back-ldbm/dn2entry.c:92 id = 0 inst = 0x7f98366efc40 ndnv = {bv_len = 95, bv_val = 
0x7f95210d0cd0 "cn=cpn-d09-17-02.cbls.ccr.buffalo.edu,cn=masters,cn=ipa,cn=etc,dc=cbls,dc=ccr,dc=buffalo,dc=edu"} e = 0x0 indexname = #15 0x00007f9829203651 in find_entry_internal_dn (flags=0, txn=0x7f966bff7f00, lock=0, sdn=0x7f949f4aa6f0, be=0x7f98366e74c0, pb=0x7f966bffeae0) at ldap/servers/slapd/back-ldbm/findentry.c:130 e = 0x7f983bc1b080 err = 0 inst = 0x7f98366efc40 tries = 0 managedsait = 0 #16 find_entry_internal (pb=pb at entry=0x7f966bffeae0, be=0x7f98366e74c0, lock=lock at entry=0, txn=txn at entry=0x7f966bff7f00, flags=flags at entry=0, addr=, addr=) at ldap/servers/slapd/back-ldbm/findentry.c:293 entry = 0x0 flags = 0 pb = 0x7f966bffeae0 txn = 0x7f966bff7f00 lock = 0 be = 0x7f98366e74c0 #17 0x00007f982920393e in find_entry (pb=pb at entry=0x7f966bffeae0, be=, addr=, txn=txn at entry=0x7f966bff7f00) at ldap/servers/slapd/back-ldbm/findentry.c:313 No locals. #18 0x00007f982923d9bb in ldbm_back_search (pb=0x7f966bffeae0) at ldap/servers/slapd/back-ldbm/ldbm_search.c:616 be = 0x7f98366e74c0 inst = 0x7f98366efc40 li = 0x7f98364e9ce0 e = 0x6 candidates = 0x0 base = 0x7f9523a43ae0 "cn=cpn-d09-17-02.cbls.ccr.buffalo.edu,cn=masters,cn=ipa,cn=etc,dc=cbls,dc=ccr,dc=buffalo,dc=edu" basesdn = 0x7f949f4aa6f0 scope = 0 controls = 0x0 operation = 0x7f9838ddae00 addr = 0x7f9838ddaed8 estimate = 0 sort = 0 vlv = sort_spec = 0x0 is_sorting_critical = is_sorting_critical_orig = 0 sort_control = 0x0 virtual_list_view = 0 vlv_spec = 0x0 is_vlv_critical = 0 vlv_request_control = {beforeCount = 0, afterCount = 0, tag = 0, index = 0, contentCount = 0, value = {bv_len = 0, bv_val = 0x0}} sr = tmp_err = -1 tmp_desc = 0x0 lookup_returned_allids = 0 backend_count = 0 print_once = 1 txn = {back_txn_txn = 0x0} rc = #19 0x00007f9834cd8d49 in op_shared_search (pb=pb at entry=0x7f966bffeae0, send_result=send_result at entry=1) at ldap/servers/slapd/opshared.c:831 be_suffix = 0x7f98366ed430 err = 0 next_be = 0x0 base = 0x7f949c43f0a0 
"cn=cpn-d09-17-02.cbls.ccr.buffalo.edu,cn=masters,cn=ipa,cn=etc,dc=cbls,dc=ccr,dc=buffalo,dc=edu" normbase = fstr = 0x7f949f4b64f0 "(objectClass=*)" scope = 0 be = 0x7f98366e74c0 be_single = 0x0 be_list = {...} referral_list = {...} attrlistbuf = "\"krbMaxPwdLife krbMinPwdLife krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure krbPwdFailureCountInterval krbPwdLockoutDuration\"\000yTimestamp entryusn shadowLastChange shadowMin sh"...
attrliststr = attrs = 0x0 rc = -1 internal_op = basesdn = 0x7f9521160d50 sdn = 0x7f949f4aa6f0 operation = 0x7f9838ddae00 referral = 0x0 proxydn = 0x0 proxystr = 0x0 proxy_err = errtext = 0x0 errorbuf = "\000e\205\236\224\177\000\000\320\304\377k\226\177\000\000\005\000\000\000\000\000\000\000\066Y\311\064\230\177\000\000\000\000\000\000\000\000\000\000\370\246J\237\224\177\000\000\030`B\234\224\177\000\000(\305\377k\226\177\000\000\240\331(6\230\177\000\000\060\000\000\000\000\000\000\000p\255?\224\177\000\000\000\000\000\000\000\000\000\000(\256?\224\177\000\000\330P?\177\000\000\001", '\000' , "\320K\003!\225\177", '\000' , "Z\235Z\316_Z\302\370yh\237\224\177\000\000\370yh\237\224\177\000\000\000zh\237\224\177\000\000\000\000\000\000\000\000\000\000\264M\366\064\230\177\000\000\016\000\000\000\000\000\000\000"... nentries = 0 pnentries = 0 flag_search_base_found = 0 flag_no_such_object = 0 flag_referral = 0 flag_psearch = err_code = 0 ctrlp = 0x0 ctl_value = 0x0 iscritical = 0 be_name = index = -1 sent_result = 0 pr_stat = 0 pagesize = -1 estimate = 0 curr_search_count = pr_be = pr_search_result = pr_idx = -1 orig_sdn = 0x0 free_sdn = 1 #20 0x00007f98351c407e in do_search (pb=pb at entry=0x7f966bffeae0) at ldap/servers/slapd/search.c:378 operation = 0x7f9838ddae00 ber = i = err = attrsonly = 0 scope = 0 deref = 0 sizelimit = 0 timelimit = 300 rawbase = 0x7f949c43f0a0 "cn=cpn-d09-17-02.cbls.ccr.buffalo.edu,cn=masters,cn=ipa,cn=etc,dc=cbls,dc=ccr,dc=buffalo,dc=edu" rawbase_set_in_pb = 1 fstr = 0x7f949f4b64f0 "(objectClass=*)" filter = 0x7f949f0e8510 attrs = 0x0 gerattrs = 0x0 psearch = 0 psbvp = 0x0 changetypes = 32664 send_entchg_controls = -1896424048 changesonly = 0 rc = -1 strict = minssf_exclude_rootdse = filter_normalized = 0 #21 0x00007f98351b3405 in connection_dispatch_operation (pb=0x7f966bffeae0, op=0x7f9838ddae00, conn=0x7f983bc1b080) at ldap/servers/slapd/connection.c:684 minssf = 0 minssf_exclude_rootdse = enable_nagle = 1 pop_cork = 0 #22 
connection_threadmain () at ldap/servers/slapd/connection.c:2534 is_timedout = 0 curtime = local_pb = {pb_backend = 0x7f98366e74c0, pb_conn = 0x7f983bc1b080, pb_op = 0x7f9838ddae00, pb_plugin = 0x7f98364e9f80, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 1, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, 
pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x0, op_stack_elem = 0x7f9837f49630, pb_aci_target_check = 0} pb = 0x7f966bffeae0 conn = 0x7f983bc1b080 op = 0x7f9838ddae00 tag = 99 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = 0 doshutdown = 0 maxthreads = 5 bypasspollcnt = #23 0x00007f98330d57bb in _pt_root () from /lib64/libnspr4.so No symbol table info available. #24 0x00007f9832a76df5 in start_thread () from /lib64/libpthread.so.0 No symbol table info available. #25 0x00007f98327a41ad in clone () from /lib64/libc.so.6 No symbol table info available. Thread 34 (Thread 0x7f966b7fe700 (LWP 24969)): #0 0x00007f9832a7a705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 No symbol table info available. #1 0x00007f98330d02c3 in PR_EnterMonitor () from /lib64/libnspr4.so No symbol table info available. 
#2 0x00007f98291f7132 in dblayer_lock_backend (be=) at ldap/servers/slapd/back-ldbm/dblayer.c:3946 inst = #3 0x00007f98291fbf36 in dblayer_txn_begin (be=0x7f98366e74c0, parent_txn=0x0, txn=txn at entry=0x7f966b7f92b0) at ldap/servers/slapd/back-ldbm/dblayer.c:3668 li = 0x7f98364e9ce0 rc = 0 #4 0x00007f9829237827 in ldbm_back_modify (pb=) at ldap/servers/slapd/back-ldbm/ldbm_modify.c:560 cache_rc = 0 new_mod_count = 0 be = 0x7f98366e74c0 inst = 0x7f98366efc40 li = 0x7f98364e9ce0 e = 0x0 ec = 0x0 original_entry = 0x0 tmpentry = 0x0 postentry = 0x0 mods = 0x7f94d4150c80 mods_original = 0x0 smods = {mods = 0x0, num_elements = 0, num_mods = 0, iterator = 0, free_mods = 0} txn = {back_txn_txn = 0x0} parent_txn = 0x0 ruv_c = {old_entry = 0x0, new_entry = 0x0, smods = 0x0, attr_encrypt = 0} ruv_c_init = 0 retval = -1 msg = errbuf = 0x0 retry_count = 0 disk_full = 0 ldap_result_code = 0 ldap_result_message = 0x0 rc = 0 operation = 0x7f94d4168220 addr = 0x7f94d41682f8 is_fixup_operation = 0 is_ruv = 0 opcsn = repl_op = 0 opreturn = 0 mod_count = 0 not_an_error = 0 fixup_tombstone = 0 #5 0x00007f9834cd20e1 in op_shared_modify (pb=pb at entry=0x7f94d40b0580, pw_change=pw_change at entry=0, old_pw=0x0) at ldap/servers/slapd/modify.c:1086 rc = 0 be = 0x7f98366e74c0 pse = 0x7f94d41653a0 referral = 0x0 e = 0x0 dn = 0x7f94d7477ed0 "fqdn=cpn-d09-11-01.cbls.ccr.buffalo.edu,cn=computers,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu" normdn = sdn = 0x7f93a10df630 passin_sdn = 0 mods = 0x7f94d4150c80 pw_mod = tmpmods = 0x7f95949c1f90 smods = {mods = 0x0, num_elements = 0, num_mods = 0, iterator = 0, free_mods = 0} repl_op = 0 internal_op = 32 lastmod = 1 skip_modified_attrs = 0 unhashed_pw_attr = 0x0 operation = 0x7f94d4168220 errorbuf = 
"\000S\026?\177\000\000\066Y\311\064\230\177\000\000\020\000\000\000\000\000\000\000\216\217\321\064\230\177\000\000\260\226\177k\226\177\000\000\360??\177\000\000\200\225\177k\226\177\000\000\260\225\177k\226\177\000\000?\177k\226\177\000\000\340\340\067?\177\000\000\260\226\177k\226\177\000\000\250\226\177k\226\177\000\000\240S\026?\177\000\000\350\225\177k\226\177\000\000\264M\366\064\230\177\000\000\340\340\067?\177\000\000\260\226\177k\226\177\000\000\b\226\177k\226\177\000\000\264M\366\064\230\177\000\000\340\340\067?\177\000\000\260\226\177k\226\177\000\000\250\226\177k\226\177\000\000\240S\026?\177\000\000\066Y\311\064\230\177\000\000\340\340\067?\177\000\000\024I\312\064\230\177\000\000\340\332"... err = lc_mod = p = i = proxydn = 0x0 proxy_err = errtext = 0x0 #6 0x00007f9834cd2ba4 in modify_internal_pb (pb=0x7f94d40b0580) at ldap/servers/slapd/modify.c:631 controls = 0x0 pwpolicy_ctrl = 0 op = 0x7f94d4168220 opresult = 0 normalized_mods = 0x7f95949c1f90 mods = 0x7f94d411d330 mod = 0x7f95949c1f98 smods = {mods = 0x7f9400000000, num_elements = 1520261632, num_mods = -1034264626, iterator = -737475200, free_mods = 32660} pw_change = old_pw = 0x0 #7 0x00007f982a8d8bd3 in ipalockout_postop () from /usr/lib64/dirsrv/plugins/libipa_lockout.so No symbol table info available. #8 0x00007f9834ce5280 in plugin_call_func (list=0x7f9836464b60, operation=operation at entry=501, pb=pb at entry=0x7f966b7fdae0, call_one=call_one at entry=0) at ldap/servers/slapd/plugin.c:1952 n = func = 0x7f982a8d8580 rc = return_value = 0 count = 3 locked = 0x0 #9 0x00007f9834ce54d8 in plugin_call_list (pb=0x7f966b7fdae0, operation=501, list=) at ldap/servers/slapd/plugin.c:1886 No locals. 
#10 plugin_call_plugins (pb=pb at entry=0x7f966b7fdae0, whichfunction=whichfunction at entry=501) at ldap/servers/slapd/plugin.c:459 p = 0x7f98364a1310 plugin_list_number = 2 rc = 0 do_op = #11 0x00007f98351ac9ff in do_bind (pb=pb at entry=0x7f966b7fdae0) at ldap/servers/slapd/bind.c:424 ber = err = isroot = 0 method = 163 version = 3 auth_response_requested = 0 pw_response_requested = 0 rawdn = 0x7f94d7e115b0 "\320??\177" dn = saslmech = 0x7f94d41ad520 "GSSAPI" cred = {bv_len = 32, bv_val = 0x7f94d40ab2c0 "\004\377\377\377\005\004\004\377"} be = 0x0 ber_rc = rc = 0 sdn = 0x7f93a10a27e0 bind_sdn_in_pb = 1 referral = 0x0 errorbuf = '\000' , "\336'\027\a6\375\224\t\307\000\331\032\025<\275\016)B\235\003\235\"\341\004\314;q\fj\202X\a\314\375\344\b\256\346\061\024\227D\"\n\365\247\321\n\207>?\vlF\027\033@\352\316\003\250O\267\002\033\"\n\v\032\267l\n\002", '\000' , "\370\377\017\377\377\377\037\377\377\377\017\377\377\277\037\377\377\377\001\000\000\000\000\376\230T\b\033\256$\004\325me\025v\372N\025X\bw+I\327\256\020M\222c5T\000L\025Ky+\005/Gc\004:G\356\004=\333 \017?"... 
supported = pmech = authtypebuf = "\000\000\000\000\000\000\000\000H\272F?\177\000\000@\272F?\177\000\000 \272F?\177\000\000\001\000\000\000\000\000\000\000?\177k\226\177\000\000\340\332\177k\226\177\000\000\300\211\070?\177\000\000\022\006\322\064\230\177\000\000\340\271\177k\226\177\000\000\000\000\000\000\000\000\000\000\066Y\311\064\230\177\000\000\000\000\000\000\000\000\000\000\334/\315\064\230\177\000\000\340\271\177k\226\177\000\000\000\000\000\000\000\000\000\000\270\271\177k\226\177\000\000?\177k\226\177\000\000=B\366\fE\265\257\005\b\262\001\032\002\000\000\000\300\346\301]\224\177\000\000\377\377\377\377\377\377\377\377 \272F?\177\000\000\000\000\000\000\000\000\000\000\236\022\024?\177", '\000' bind_target_entry = 0x0 auto_bind = minssf = minssf_exclude_rootdse = #12 0x00007f98351b343f in connection_dispatch_operation (pb=0x7f966b7fdae0, op=0x7f98384ef700, conn=0x7f983bc2cea0) at ldap/servers/slapd/connection.c:635 minssf = 0 minssf_exclude_rootdse = enable_nagle = 1 pop_cork = 0 #13 connection_threadmain () at ldap/servers/slapd/connection.c:2534 is_timedout = 0 curtime = local_pb = {pb_backend = 0x7f98364a1080, pb_conn = 0x7f983bc2cea0, pb_op = 0x7f98384ef700, pb_plugin = 0x7f9836464b60, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, 
pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x7f94d7463e20, op_stack_elem = 0x7f983acef160, pb_aci_target_check = 0} pb = 0x7f966b7fdae0 conn = 0x7f983bc2cea0 op = 0x7f98384ef700 tag = 96 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = 0 doshutdown = 0 maxthreads = 5 bypasspollcnt = #14 0x00007f98330d57bb in _pt_root () from /lib64/libnspr4.so No symbol table info available. #15 0x00007f9832a76df5 in start_thread () from /lib64/libpthread.so.0 No symbol table info available. #16 0x00007f98327a41ad in clone () from /lib64/libc.so.6 No symbol table info available. 
Thread 33 (Thread 0x7f966affd700 (LWP 24970)): #0 0x00007f9832a7a705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 No symbol table info available. #1 0x00007f982c9f72f3 in __db_hybrid_mutex_suspend () from /lib64/libdb-5.3.so No symbol table info available. #2 0x00007f982c9f6640 in __db_tas_mutex_lock () from /lib64/libdb-5.3.so No symbol table info available. #3 0x00007f982caa0cea in __lock_get_internal () from /lib64/libdb-5.3.so No symbol table info available. #4 0x00007f982caa17d0 in __lock_get () from /lib64/libdb-5.3.so No symbol table info available. #5 0x00007f982cacd112 in __db_lget () from /lib64/libdb-5.3.so No symbol table info available. #6 0x00007f982ca145f5 in __bam_search () from /lib64/libdb-5.3.so No symbol table info available. #7 0x00007f982c9ff256 in __bamc_search () from /lib64/libdb-5.3.so No symbol table info available. #8 0x00007f982ca01233 in __bamc_get () from /lib64/libdb-5.3.so No symbol table info available. #9 0x00007f982cab9c56 in __dbc_iget () from /lib64/libdb-5.3.so No symbol table info available. #10 0x00007f982cac8ad2 in __dbc_get_pp () from /lib64/libdb-5.3.so No symbol table info available. 
#11 0x00007f982922b764 in _entryrdn_get_elem (cursor=cursor at entry=0x7f961adfe0c0, key=key at entry=0x7f966aff3b70, data=data at entry=0x7f966aff3ba0, comp_key=0x7f94830a98b0 "cn=etc", elem=elem at entry=0x7f966aff3b60, db_txn=db_txn at entry=0x0) at ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c:1807 rc = ptr = 0x7f953b6d7a40 #12 0x00007f982922edea in _entryrdn_index_read (be=be at entry=0x7f98366e74c0, cursor=0x7f961adfe0c0, srdn=srdn at entry=0x7f966aff5c90, elem=elem at entry=0x7f966aff5c88, parentelem=parentelem at entry=0x0, childelems=childelems at entry=0x0, flags=flags at entry=0, db_txn=db_txn at entry=0x0) at ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c:3340 rc = 0 len = 23 id = 1 nrdn = 0x7f948316afe0 "dc=cbls,dc=ccr,dc=buffalo,dc=edu" childnrdn = 0x7f94830a98b0 "cn=etc" rdnidx = 3 keybuf = 0x7f94812ac7a0 "C1" key = {data = 0x7f94812ac7a0, size = 3, ulen = 3, dlen = 739961895, doff = 32664, app_data = 0x7f982c192bf8 , flags = 2056} data = {data = 0x7f953b6d7a40, size = 23, ulen = 23, dlen = 0, doff = 0, app_data = 0x0, flags = 2048} childnum = 32 curr_childnum = 0 tmpsrdn = 0x7f94830b71d0 tmpelem = 0x7f953b6d7a40 #13 0x00007f982923014a in entryrdn_index_read_ext (be=be at entry=0x7f98366e74c0, sdn=sdn at entry=0x7f9480eee080, id=id at entry=0x7f966aff5d24, flags=flags at entry=0, txn=txn at entry=0x7f966aff5f00) at ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c:448 rc = 0 ai = 0x7f98367159b0 srdn = {flag = 0 '\000', rdn = 0x7f953b6a5330 "cn=cpn-k16-06-02.cbls.ccr.buffalo.edu", rdns = 0x0, butcheredupto = -1, nrdn = 0x0, all_rdns = 0x7f953b6c7650, all_nrdns = 0x7f9483e73ad0} db = 0x7f98367d0680 db_txn = 0x0 cursor = 0x7f961adfe0c0 elem = 0x7f953b6a65c0 db_retry = #14 0x00007f9829200849 in dn2entry_ext (be=be at entry=0x7f98366e74c0, sdn=sdn at entry=0x7f9480eee080, txn=txn at entry=0x7f966aff5f00, flags=flags at entry=0, err=err at entry=0x7f966aff5ddc) at ldap/servers/slapd/back-ldbm/dn2entry.c:92 id = 0 inst = 0x7f98366efc40 ndnv = {bv_len = 95, bv_val = 
0x7f9481fbbe70 "cn=cpn-k16-06-02.cbls.ccr.buffalo.edu,cn=masters,cn=ipa,cn=etc,dc=cbls,dc=ccr,dc=buffalo,dc=edu"} e = 0x0 indexname = #15 0x00007f9829203651 in find_entry_internal_dn (flags=0, txn=0x7f966aff5f00, lock=0, sdn=0x7f9480eee080, be=0x7f98366e74c0, pb=0x7f966affcae0) at ldap/servers/slapd/back-ldbm/findentry.c:130 e = 0x7f983bc43100 err = 0 inst = 0x7f98366efc40 tries = 0 managedsait = 0 #16 find_entry_internal (pb=pb at entry=0x7f966affcae0, be=0x7f98366e74c0, lock=lock at entry=0, txn=txn at entry=0x7f966aff5f00, flags=flags at entry=0, addr=, addr=) at ldap/servers/slapd/back-ldbm/findentry.c:293 entry = 0x0 flags = 0 pb = 0x7f966affcae0 txn = 0x7f966aff5f00 lock = 0 be = 0x7f98366e74c0 #17 0x00007f982920393e in find_entry (pb=pb at entry=0x7f966affcae0, be=, addr=, txn=txn at entry=0x7f966aff5f00) at ldap/servers/slapd/back-ldbm/findentry.c:313 No locals. #18 0x00007f982923d9bb in ldbm_back_search (pb=0x7f966affcae0) at ldap/servers/slapd/back-ldbm/ldbm_search.c:616 be = 0x7f98366e74c0 inst = 0x7f98366efc40 li = 0x7f98364e9ce0 e = 0x6 candidates = 0x0 base = 0x7f953b1655c0 "cn=cpn-k16-06-02.cbls.ccr.buffalo.edu,cn=masters,cn=ipa,cn=etc,dc=cbls,dc=ccr,dc=buffalo,dc=edu" basesdn = 0x7f9480eee080 scope = 0 controls = 0x0 operation = 0x7f983825bec0 addr = 0x7f983825bf98 estimate = 0 sort = 0 vlv = sort_spec = 0x0 is_sorting_critical = is_sorting_critical_orig = 0 sort_control = 0x0 virtual_list_view = 0 vlv_spec = 0x0 is_vlv_critical = 0 vlv_request_control = {beforeCount = 0, afterCount = 0, tag = 0, index = 0, contentCount = 0, value = {bv_len = 0, bv_val = 0x0}} sr = tmp_err = -1 tmp_desc = 0x0 lookup_returned_allids = 0 backend_count = 0 print_once = 1 txn = {back_txn_txn = 0x0} rc = #19 0x00007f9834cd8d49 in op_shared_search (pb=pb at entry=0x7f966affcae0, send_result=send_result at entry=1) at ldap/servers/slapd/opshared.c:831 be_suffix = 0x7f98366ed430 err = 0 next_be = 0x0 base = 0x7f953b6e1c00
"cn=cpn-k16-06-02.cbls.ccr.buffalo.edu,cn=masters,cn=ipa,cn=etc,dc=cbls,dc=ccr,dc=buffalo,dc=edu" normbase = fstr = 0x7f953b16d1b0 "(objectClass=*)" scope = 0 be = 0x7f98366e74c0 be_single = 0x0 be_list = {...} referral_list = {...} attrlistbuf = "\"objectClass posixgroup cn
userPassword gidNumber member ipaUniqueID ipaNTSecurityIdentifier modifyTimestamp entryusn uid\"\000xpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwd"... attrliststr = attrs = 0x0 rc = -1 internal_op = basesdn = 0x7f94830b7940 sdn = 0x7f9480eee080 operation = 0x7f983825bec0 referral = 0x0 proxydn = 0x0 proxystr = 0x0 proxy_err = errtext = 0x0 errorbuf = "\000eTimeout\"\000j\226\177\000\000\005\000\000\000\000\000\000\000\066Y\311\064\230\177\000\000\000\000\000\000\000\000\000\000\370+\v;\225\177\000\000\350\252?\177\000\000(\245\377j\226\177\000\000\240\331(6\230\177\000\000\060\000\000\000\000\000\000\000\020\214\020;\225\177\000\000\000\000\000\000\000\000\000\000?\020;\225\177\000\000\310\034\n\203\224\177\000\000\001", '\000' , "\240\357m;\225\177", '\000' , "Z\235Z\316_Z\302\330\071\361\200\224\177\000\000\330\071\361\200\224\177\000\000\340\071\361\200\224\177\000\000\000\000\000\000\000\000\000\000\264M\366\064\230\177\000\000\016\000\000\000\000\000\000\000"... 
nentries = 0 pnentries = 0 flag_search_base_found = 0 flag_no_such_object = 0 flag_referral = 0 flag_psearch = err_code = 0 ctrlp = 0x0 ctl_value = 0x0 iscritical = 0 be_name = index = -1 sent_result = 0 pr_stat = 0 pagesize = -1 estimate = 0 curr_search_count = pr_be = pr_search_result = pr_idx = -1 orig_sdn = 0x0 free_sdn = 1 #20 0x00007f98351c407e in do_search (pb=pb at entry=0x7f966affcae0) at ldap/servers/slapd/search.c:378 operation = 0x7f983825bec0 ber = i = err = attrsonly = 0 scope = 0 deref = 0 sizelimit = 0 timelimit = 300 rawbase = 0x7f953b6e1c00 "cn=cpn-k16-06-02.cbls.ccr.buffalo.edu,cn=masters,cn=ipa,cn=etc,dc=cbls,dc=ccr,dc=buffalo,dc=edu" rawbase_set_in_pb = 1 fstr = 0x7f953b16d1b0 "(objectClass=*)" filter = 0x7f953b6b6d90 attrs = 0x0 gerattrs = 0x0 psearch = 0 psbvp = 0x0 changetypes = 32664 send_entchg_controls = -1386609152 changesonly = 0 rc = -1 strict = minssf_exclude_rootdse = filter_normalized = 0 #21 0x00007f98351b3405 in connection_dispatch_operation (pb=0x7f966affcae0, op=0x7f983825bec0, conn=0x7f983bc43100) at ldap/servers/slapd/connection.c:684 minssf = 0 minssf_exclude_rootdse = enable_nagle = 1 pop_cork = 0 #22 connection_threadmain () at ldap/servers/slapd/connection.c:2534 is_timedout = 0 curtime = local_pb = {pb_backend = 0x7f98366e74c0, pb_conn = 0x7f983bc43100, pb_op = 0x7f983825bec0, pb_plugin = 0x7f98364e9f80, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 1, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 
0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x0, op_stack_elem = 0x7f9838253770, pb_aci_target_check = 0} pb = 0x7f966affcae0 conn = 0x7f983bc43100 op = 0x7f983825bec0 tag = 99 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = 0 doshutdown = 0 maxthreads = 5 bypasspollcnt = #23 0x00007f98330d57bb in _pt_root () from /lib64/libnspr4.so No symbol table info available. 
#24 0x00007f9832a76df5 in start_thread () from /lib64/libpthread.so.0 No symbol table info available. #25 0x00007f98327a41ad in clone () from /lib64/libc.so.6 No symbol table info available. Thread 32 (Thread 0x7f966a7fc700 (LWP 24971)): #0 0x00007f9832a7a705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 No symbol table info available. #1 0x00007f98330d02c3 in PR_EnterMonitor () from /lib64/libnspr4.so No symbol table info available. #2 0x00007f98291f7132 in dblayer_lock_backend (be=) at ldap/servers/slapd/back-ldbm/dblayer.c:3946 inst = #3 0x00007f98291fbf36 in dblayer_txn_begin (be=0x7f98366e74c0, parent_txn=0x0, txn=txn at entry=0x7f966a7f72b0) at ldap/servers/slapd/back-ldbm/dblayer.c:3668 li = 0x7f98364e9ce0 rc = 0 #4 0x00007f9829237827 in ldbm_back_modify (pb=) at ldap/servers/slapd/back-ldbm/ldbm_modify.c:560 cache_rc = 0 new_mod_count = 0 be = 0x7f98366e74c0 inst = 0x7f98366efc40 li = 0x7f98364e9ce0 e = 0x0 ec = 0x0 original_entry = 0x0 tmpentry = 0x0 postentry = 0x0 mods = 0x7f944e0f7a30 mods_original = 0x0 smods = {mods = 0x0, num_elements = 0, num_mods = 0, iterator = 0, free_mods = 0} txn = {back_txn_txn = 0x0} parent_txn = 0x0 ruv_c = {old_entry = 0x0, new_entry = 0x0, smods = 0x0, attr_encrypt = 0} ruv_c_init = 0 retval = -1 msg = errbuf = 0x0 retry_count = 0 disk_full = 0 ldap_result_code = 0 ldap_result_message = 0x0 rc = 0 operation = 0x7f944e26a6d0 addr = 0x7f944e26a7a8 is_fixup_operation = 0 is_ruv = 0 opcsn = repl_op = 0 opreturn = 0 mod_count = 0 not_an_error = 0 fixup_tombstone = 0 #5 0x00007f9834cd20e1 in op_shared_modify (pb=pb at entry=0x7f944f2ea160, pw_change=pw_change at entry=0, old_pw=0x0) at ldap/servers/slapd/modify.c:1086 rc = 0 be = 0x7f98366e74c0 pse = 0x7f944d9af660 referral = 0x0 e = 0x0 dn = 0x7f944ee284b0 "fqdn=cpn-d07-25-02.cbls.ccr.buffalo.edu,cn=computers,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu" normdn = sdn = 0x7f944f5b5ff0 passin_sdn = 0 mods = 0x7f944e0f7a30 pw_mod = tmpmods = 0x7f944e0f46d0 smods 
= {mods = 0x0, num_elements = 0, num_mods = 0, iterator = 0, free_mods = 0} repl_op = 0 internal_op = 32 lastmod = 1 skip_modified_attrs = 0 unhashed_pw_attr = 0x0 operation = 0x7f944e26a6d0 errorbuf = "\000\366\232M\224\177\000\000\066Y\311\064\230\177\000\000\020\000\000\000\000\000\000\000\216\217\321\064\230\177\000\000\260v\177j\226\177\000\000\220\201\233M\224\177\000\000\200u\177j\226\177\000\000\260u\177j\226\177\000\000\320u\177j\226\177\000\000\260\020AO\224\177\000\000\260v\177j\226\177\000\000\250v\177j\226\177\000\000`\366\232M\224\177\000\000\350u\177j\226\177\000\000\264M\366\064\230\177\000\000\260\020AO\224\177\000\000\260v\177j\226\177\000\000\bv\177j\226\177\000\000\264M\366\064\230\177\000\000\260\020AO\224\177\000\000\260v\177j\226\177\000\000\250v\177j\226\177\000\000`\366\232M\224\177\000\000\066Y\311\064\230\177\000\000\260\020AO\224\177\000\000"... err = lc_mod = p = i = proxydn = 0x0 proxy_err = errtext = 0x0 #6 0x00007f9834cd2ba4 in modify_internal_pb (pb=0x7f944f2ea160) at ldap/servers/slapd/modify.c:631 controls = 0x0 pwpolicy_ctrl = 0 op = 0x7f944e26a6d0 opresult = 0 normalized_mods = 0x7f944e0f46d0 mods = 0x7f95bf1746b0 mod = 0x7f944e0f46d8 smods = {mods = 0x7f9400000000, num_elements = 1520261632, num_mods = -1034264626, iterator = 1328456032, free_mods = 32660} pw_change = old_pw = 0x0 #7 0x00007f982a8d8bd3 in ipalockout_postop () from /usr/lib64/dirsrv/plugins/libipa_lockout.so No symbol table info available. #8 0x00007f9834ce5280 in plugin_call_func (list=0x7f9836464b60, operation=operation at entry=501, pb=pb at entry=0x7f966a7fbae0, call_one=call_one at entry=0) at ldap/servers/slapd/plugin.c:1952 n = func = 0x7f982a8d8580 rc = return_value = 0 count = 3 locked = 0x0 #9 0x00007f9834ce54d8 in plugin_call_list (pb=0x7f966a7fbae0, operation=501, list=) at ldap/servers/slapd/plugin.c:1886 No locals. 
#10 plugin_call_plugins (pb=pb at entry=0x7f966a7fbae0, whichfunction=whichfunction at entry=501) at ldap/servers/slapd/plugin.c:459 p = 0x7f98364a1310 plugin_list_number = 2 rc = 0 do_op = #11 0x00007f98351ac9ff in do_bind (pb=pb at entry=0x7f966a7fbae0) at ldap/servers/slapd/bind.c:424 ber = err = isroot = 0 method = 163 version = 3 auth_response_requested = 0 pw_response_requested = 0 rawdn = 0x7f944e0c6300 "modifytimestamp" dn = saslmech = 0x7f944e140870 "GSSAPI" cred = {bv_len = 32, bv_val = 0x7f944ff1fba0 "\004\377\377\377\005\004\004\377"} be = 0x0 ber_rc = rc = 0 sdn = 0x7f944e0c5920 bind_sdn_in_pb = 1 referral = 0x0 errorbuf = '\000' , "\036\331\\\016%`\377\016\376\346M\031U\aD\n\370(\004\b\000\306\337\f\253?\033\375\202\025\r\272\214{\002\021\324\305\005\322\377\214\v\255$\235\036h*\255\b\353p\337\a\343*S\002\275\265y\004\000\342\230\016\305!\221\003\002", '\000' , "\370\377\017\377\377\377\037\377\377\377\017\377\377\277\037\377\377\377\001\000\000\000\000\251\370w\027\355m\021\t\035\067\252\a\177.p\024\241_\004:\300\254\305\037DT\304#y\203m\025g\253R\037!\332\367\n?^\017\320\006i\t\205?"... 
supported = pmech = authtypebuf = "\000\000\000\000\000\000\000\000\230\323\003N\224\177\000\000\220\323\003N\224\177\000\000p\323\003N\224\177\000\000\001\000\000\000\000\000\000\000?\177j\226\177\000\000\340\272\177j\226\177\000\000\300\021\325N\224\177\000\000\022\006\322\064\230\177\000\000\340\231\177j\226\177\000\000\000\000\000\000\000\000\000\000\066Y\311\064\230\177\000\000\000\000\000\000\000\000\000\000\334/\315\064\230\177\000\000\340\231\177j\226\177\000\000\000\000\000\000\000\000\000\000\270\231\177j\226\177\000\000?\177j\226\177\000\000\215\217\350\a\303_\214\ap\360i\035\002\000\000\000P\231\210\067\230\177\000\000\377\377\377\377\377\377\377\377p\323\003N\224\177\000\000\000\000\000\000\000\000\000\000\016\220.O\224\177", '\000' bind_target_entry = 0x0 auto_bind = minssf = minssf_exclude_rootdse = #12 0x00007f98351b343f in connection_dispatch_operation (pb=0x7f966a7fbae0, op=0x7f94fe2e5c00, conn=0x7f983bc28280) at ldap/servers/slapd/connection.c:635 minssf = 0 minssf_exclude_rootdse = enable_nagle = 1 pop_cork = 0 #13 connection_threadmain () at ldap/servers/slapd/connection.c:2534 is_timedout = 0 curtime = local_pb = {pb_backend = 0x7f98364a1080, pb_conn = 0x7f983bc28280, pb_op = 0x7f94fe2e5c00, pb_plugin = 0x7f9836464b60, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, 
pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x7f944f2ff200, op_stack_elem = 0x7f94ff1d89f0, pb_aci_target_check = 0} pb = 0x7f966a7fbae0 conn = 0x7f983bc28280 op = 0x7f94fe2e5c00 tag = 96 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = 0 doshutdown = 0 maxthreads = 5 bypasspollcnt = #14 0x00007f98330d57bb in _pt_root () from /lib64/libnspr4.so No symbol table info available. #15 0x00007f9832a76df5 in start_thread () from /lib64/libpthread.so.0 No symbol table info available. 
#16 0x00007f98327a41ad in clone () from /lib64/libc.so.6 No symbol table info available. Thread 31 (Thread 0x7f9669ffb700 (LWP 24972)): #0 0x00007f9832a7a705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 No symbol table info available. #1 0x00007f982c9f72f3 in __db_hybrid_mutex_suspend () from /lib64/libdb-5.3.so No symbol table info available. #2 0x00007f982c9f6640 in __db_tas_mutex_lock () from /lib64/libdb-5.3.so No symbol table info available. #3 0x00007f982caa0cea in __lock_get_internal () from /lib64/libdb-5.3.so No symbol table info available. #4 0x00007f982caa17d0 in __lock_get () from /lib64/libdb-5.3.so No symbol table info available. #5 0x00007f982cacd112 in __db_lget () from /lib64/libdb-5.3.so No symbol table info available. #6 0x00007f982ca145f5 in __bam_search () from /lib64/libdb-5.3.so No symbol table info available. #7 0x00007f982c9ff256 in __bamc_search () from /lib64/libdb-5.3.so No symbol table info available. #8 0x00007f982ca01233 in __bamc_get () from /lib64/libdb-5.3.so No symbol table info available. #9 0x00007f982cab9c56 in __dbc_iget () from /lib64/libdb-5.3.so No symbol table info available. #10 0x00007f982cac8ad2 in __dbc_get_pp () from /lib64/libdb-5.3.so No symbol table info available. 
#11 0x00007f982922b764 in _entryrdn_get_elem (cursor=cursor at entry=0x7f96516e2ad0, key=key at entry=0x7f9669ff1b70, data=data at entry=0x7f9669ff1ba0, comp_key=0x7f94790dd480 "cn=accounts", elem=elem at entry=0x7f9669ff1b60, db_txn=db_txn at entry=0x0) at ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c:1807 rc = ptr = 0x7f947aca8790 #12 0x00007f982922edea in _entryrdn_index_read (be=be at entry=0x7f98366e74c0, cursor=0x7f96516e2ad0, srdn=srdn at entry=0x7f9669ff3c90, elem=elem at entry=0x7f9669ff3c88, parentelem=parentelem at entry=0x0, childelems=childelems at entry=0x0, flags=flags at entry=0, db_txn=db_txn at entry=0x0) at ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c:3340 rc = 0 len = 33 id = 1 nrdn = 0x7f9541902a00 "dc=cbls,dc=ccr,dc=buffalo,dc=edu" childnrdn = 0x7f94790dd480 "cn=accounts" rdnidx = 2 keybuf = 0x7f947be7afa0 "C1" key = {data = 0x7f947be7afa0, size = 3, ulen = 3, dlen = 8, doff = 0, app_data = 0x7f9479509430, flags = 2056} data = {data = 0x7f947aca8790, size = 33, ulen = 33, dlen = 0, doff = 0, app_data = 0x0, flags = 2048} childnum = 32 curr_childnum = 0 tmpsrdn = 0x7f947bd7c840 tmpelem = 0x7f947aca8790 #13 0x00007f982923014a in entryrdn_index_read_ext (be=be at entry=0x7f98366e74c0, sdn=sdn at entry=0x7f9479afec20, id=id at entry=0x7f9669ff3d24, flags=flags at entry=0, txn=txn at entry=0x7f9669ff3f00) at ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c:448 rc = 0 ai = 0x7f98367159b0 srdn = {flag = 0 '\000', rdn = 0x7f947b6966f0 "cn=Default Trust View", rdns = 0x0, butcheredupto = -1, nrdn = 0x0, all_rdns = 0x7f947b6966c0, all_nrdns = 0x7f9479acc760} db = 0x7f98367d0680 db_txn = 0x0 cursor = 0x7f96516e2ad0 elem = 0x7f947888e0f0 db_retry = #14 0x00007f9829200849 in dn2entry_ext (be=be at entry=0x7f98366e74c0, sdn=sdn at entry=0x7f9479afec20, txn=txn at entry=0x7f9669ff3f00, flags=flags at entry=0, err=err at entry=0x7f9669ff3ddc) at ldap/servers/slapd/back-ldbm/dn2entry.c:92 id = 0 inst = 0x7f98366efc40 ndnv = {bv_len = 75, bv_val = 0x7f947bd703b0 
"cn=default trust view,cn=views,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu"} e = 0x0 indexname = #15 0x00007f9829203651 in find_entry_internal_dn (flags=0, txn=0x7f9669ff3f00, lock=0, sdn=0x7f9479afec20, be=0x7f98366e74c0, pb=0x7f9669ffaae0) at ldap/servers/slapd/back-ldbm/findentry.c:130 e = 0x7f983bc35720 err = 0 inst = 0x7f98366efc40 tries = 0 managedsait = 0 #16 find_entry_internal (pb=pb at entry=0x7f9669ffaae0, be=0x7f98366e74c0, lock=lock at entry=0, txn=txn at entry=0x7f9669ff3f00, flags=flags at entry=0, addr=, addr=) at ldap/servers/slapd/back-ldbm/findentry.c:293 entry = 0x0 flags = 0 pb = 0x7f9669ffaae0 txn = 0x7f9669ff3f00 lock = 0 be = 0x7f98366e74c0 #17 0x00007f982920393e in find_entry (pb=pb at entry=0x7f9669ffaae0, be=, addr=, txn=txn at entry=0x7f9669ff3f00) at ldap/servers/slapd/back-ldbm/findentry.c:313 No locals. #18 0x00007f982923d9bb in ldbm_back_search (pb=0x7f9669ffaae0) at ldap/servers/slapd/back-ldbm/ldbm_search.c:616 be = 0x7f98366e74c0 inst = 0x7f98366efc40 li = 0x7f98364e9ce0 e = 0x6 candidates = 0x0 base = 0x7f94796d7750 "cn=Default Trust View,cn=views,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu" basesdn = 0x7f9479afec20 scope = 2 controls = 0x0 operation = 0x7f983862b430 addr = 0x7f983862b508 estimate = 0 sort = 0 vlv = sort_spec = 0x0 is_sorting_critical = is_sorting_critical_orig = 0 sort_control = 0x0 virtual_list_view = 0 vlv_spec = 0x0 is_vlv_critical = 0 vlv_request_control = {beforeCount = 0, afterCount = 0, tag = 0, index = 0, contentCount = 0, value = {bv_len = 0, bv_val = 0x0}} sr = tmp_err = -1 tmp_desc = 0x0 lookup_returned_allids = 0 backend_count = 0 print_once = 1 txn = {back_txn_txn = 0x0} rc = #19 0x00007f9834cd8d49 in op_shared_search (pb=pb at entry=0x7f9669ffaae0, send_result=send_result at entry=1) at ldap/servers/slapd/opshared.c:831 be_suffix = 0x7f98366ed430 err = 0 next_be = 0x0 base = 0x7f947917b9a0 "cn=Default Trust View,cn=views,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu" normbase = fstr = 
0x7f9479a24f40 "(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:IPA:cbls.ccr.buffalo.edu:a2cc4cb8-2cdc-11e5-848b-a0369f577818))" scope = 2 be = 0x7f98366e74c0 be_single = 0x0 attrlistbuf = "\"objectClass cn sudoCommand sudoHost sudoUser sudoOption sudoRunAs sudoRunAsUser sudoRunAsGroup sudoNotBefore sudoNotAfter sudoOrder entryusn\"\000er modifyTimestamp entryusn shadowLastChange shadowMin sh"... 
attrliststr = attrs = 0x0 rc = -1 internal_op = basesdn = 0x7f94791d6ed0 sdn = 0x7f9479afec20 operation = 0x7f983862b430 referral = 0x0 proxydn = 0x0 proxystr = 0x0 proxy_err = errtext = 0x0 errorbuf = "\000eTimeout\"\000i\226\177\000\000\005\000\000\000\000\000\000\000\066Y\311\064\230\177\000\000\000\000\000\000\000\000\000\000\250!\342y\224\177\000\000H\a\037y\224\177\000\000(\205\377i\226\177\000\000\240\331(6\230\177\000\000\060\000\000\000\000\000\000\000\340?x\224\177\000\000\000\000\000\000\000\000\000\000\230?x\224\177\000\000\070?x\224\177\000\000\001", '\000' , "+\211x\224\177", '\000' , "Z\235Z\316_Z\302\350\355\207x\224\177\000\000\350\355\207x\224\177\000\000\360\355\207x\224\177\000\000\000\000\000\000\000\000\000\000\264M\366\064\230\177\000\000\016\000\000\000\000\000\000\000"... nentries = 0 pnentries = 0 flag_search_base_found = 0 flag_no_such_object = 0 flag_referral = 0 flag_psearch = err_code = 0 ctrlp = 0x0 ctl_value = 0x0 iscritical = 0 be_name = index = -1 sent_result = 0 pr_stat = 0 pagesize = -1 estimate = 0 curr_search_count = pr_be = pr_search_result = pr_idx = -1 orig_sdn = 0x0 free_sdn = 1 #20 0x00007f98351c407e in do_search (pb=pb at entry=0x7f9669ffaae0) at ldap/servers/slapd/search.c:378 operation = 0x7f983862b430 ber = i = err = attrsonly = 0 scope = 2 deref = 0 sizelimit = 0 timelimit = 0 rawbase = 0x7f947917b9a0 "cn=Default Trust View,cn=views,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu" rawbase_set_in_pb = 1 fstr = 0x7f9479a24f40 "(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:IPA:cbls.ccr.buffalo.edu:a2cc4cb8-2cdc-11e5-848b-a0369f577818))" filter = 0x7f947b68b6d0 attrs = 0x0 gerattrs = 0x0 psearch = 0 psbvp = 0x0 changetypes = 32664 send_entchg_controls = -1486418016 changesonly = 0 rc = -1 strict = minssf_exclude_rootdse = filter_normalized = 0 #21 0x00007f98351b3589 in connection_dispatch_operation (pb=0x7f9669ffaae0, op=0x7f983862b430, conn=0x7f983bc35720) at ldap/servers/slapd/connection.c:684 minssf = 0 
minssf_exclude_rootdse = enable_nagle = 1 pop_cork = 1 #22 connection_threadmain () at ldap/servers/slapd/connection.c:2534 is_timedout = 0 curtime = local_pb = {pb_backend = 0x7f98366e74c0, pb_conn = 0x7f983bc35720, pb_op = 0x7f983862b430, pb_plugin = 0x7f98364e9f80, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, 
pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x0, op_stack_elem = 0x7f983b608010, pb_aci_target_check = 0} pb = 0x7f9669ffaae0 conn = 0x7f983bc35720 op = 0x7f983862b430 tag = 99 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = 0 doshutdown = 0 maxthreads = 5 bypasspollcnt = #23 0x00007f98330d57bb in _pt_root () from /lib64/libnspr4.so No symbol table info available. #24 0x00007f9832a76df5 in start_thread () from /lib64/libpthread.so.0 No symbol table info available. #25 0x00007f98327a41ad in clone () from /lib64/libc.so.6 No symbol table info available. Thread 30 (Thread 0x7f96697fa700 (LWP 24973)): #0 0x00007f9832a7a705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 No symbol table info available. #1 0x00007f982c9f72f3 in __db_hybrid_mutex_suspend () from /lib64/libdb-5.3.so No symbol table info available. #2 0x00007f982c9f6640 in __db_tas_mutex_lock () from /lib64/libdb-5.3.so No symbol table info available. #3 0x00007f982caa0cea in __lock_get_internal () from /lib64/libdb-5.3.so No symbol table info available. #4 0x00007f982caa17d0 in __lock_get () from /lib64/libdb-5.3.so No symbol table info available. #5 0x00007f982cacd112 in __db_lget () from /lib64/libdb-5.3.so No symbol table info available. #6 0x00007f982ca145f5 in __bam_search () from /lib64/libdb-5.3.so No symbol table info available. #7 0x00007f982c9ff256 in __bamc_search () from /lib64/libdb-5.3.so No symbol table info available. #8 0x00007f982ca01233 in __bamc_get () from /lib64/libdb-5.3.so No symbol table info available. 
#9 0x00007f982cab9c56 in __dbc_iget () from /lib64/libdb-5.3.so No symbol table info available. #10 0x00007f982cac8ad2 in __dbc_get_pp () from /lib64/libdb-5.3.so No symbol table info available. #11 0x00007f982922b764 in _entryrdn_get_elem (cursor=cursor at entry=0x7f96495131f0, key=key at entry=0x7f96697f0b70, data=data at entry=0x7f96697f0ba0, comp_key=0x7f9565785890 "cn=etc", elem=elem at entry=0x7f96697f0b60, db_txn=db_txn at entry=0x0) at ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c:1807 rc = ptr = 0x7f9437e7e100 #12 0x00007f982922edea in _entryrdn_index_read (be=be at entry=0x7f98366e74c0, cursor=0x7f96495131f0, srdn=srdn at entry=0x7f96697f2c90, elem=elem at entry=0x7f96697f2c88, parentelem=parentelem at entry=0x0, childelems=childelems at entry=0x0, flags=flags at entry=0, db_txn=db_txn at entry=0x0) at ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c:3340 rc = 0 len = 23 id = 1 nrdn = 0x7f9434862f30 "dc=cbls,dc=ccr,dc=buffalo,dc=edu" childnrdn = 0x7f9565785890 "cn=etc" rdnidx = 3 keybuf = 0x7f9435499450 "C1" key = {data = 0x7f9435499450, size = 3, ulen = 3, dlen = 8, doff = 0, app_data = 0x7f983273452a , flags = 2056} data = {data = 0x7f9437e7e100, size = 23, ulen = 23, dlen = 0, doff = 0, app_data = 0x0, flags = 2048} childnum = 32 curr_childnum = 0 tmpsrdn = 0x7f95658b1ca0 tmpelem = 0x7f9437e7e100 #13 0x00007f982923014a in entryrdn_index_read_ext (be=be at entry=0x7f98366e74c0, sdn=sdn at entry=0x7f94365868b0, id=id at entry=0x7f96697f2d24, flags=flags at entry=0, txn=txn at entry=0x7f96697f2f00) at ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c:448 rc = 0 ai = 0x7f98367159b0 srdn = {flag = 0 '\000', rdn = 0x7f95658abc60 "cn=cpn-p28-40.cbls.ccr.buffalo.edu", rdns = 0x0, butcheredupto = -1, nrdn = 0x0, all_rdns = 0x7f94348d87f0, all_nrdns = 0x7f9437e6b6f0} db = 0x7f98367d0680 db_txn = 0x0 cursor = 0x7f96495131f0 elem = 0x7f94355374d0 db_retry = #14 0x00007f9829200849 in dn2entry_ext (be=be at entry=0x7f98366e74c0, sdn=sdn at entry=0x7f94365868b0, txn=txn at 
entry=0x7f96697f2f00, flags=flags at entry=0, err=err at entry=0x7f96697f2ddc) at ldap/servers/slapd/back-ldbm/dn2entry.c:92 id = 0 inst = 0x7f98366efc40 ndnv = {bv_len = 92, bv_val = 0x7f9436572460 "cn=cpn-p28-40.cbls.ccr.buffalo.edu,cn=masters,cn=ipa,cn=etc,dc=cbls,dc=ccr,dc=buffalo,dc=edu"} e = 0x0 indexname = #15 0x00007f9829203651 in find_entry_internal_dn (flags=0, txn=0x7f96697f2f00, lock=0, sdn=0x7f94365868b0, be=0x7f98366e74c0, pb=0x7f96697f9ae0) at ldap/servers/slapd/back-ldbm/findentry.c:130 e = 0x7f983bc39380 err = 0 inst = 0x7f98366efc40 tries = 0 managedsait = 0 #16 find_entry_internal (pb=pb at entry=0x7f96697f9ae0, be=0x7f98366e74c0, lock=lock at entry=0, txn=txn at entry=0x7f96697f2f00, flags=flags at entry=0, addr=, addr=) at ldap/servers/slapd/back-ldbm/findentry.c:293 entry = 0x0 flags = 0 pb = 0x7f96697f9ae0 txn = 0x7f96697f2f00 lock = 0 be = 0x7f98366e74c0 #17 0x00007f982920393e in find_entry (pb=pb at entry=0x7f96697f9ae0, be=, addr=, txn=txn at entry=0x7f96697f2f00) at ldap/servers/slapd/back-ldbm/findentry.c:313 No locals. 
#18 0x00007f982923d9bb in ldbm_back_search (pb=0x7f96697f9ae0) at ldap/servers/slapd/back-ldbm/ldbm_search.c:616 be = 0x7f98366e74c0 inst = 0x7f98366efc40 li = 0x7f98364e9ce0 e = 0x6 candidates = 0x0 base = 0x7f9437e83820 "cn=cpn-p28-40.cbls.ccr.buffalo.edu,cn=masters,cn=ipa,cn=etc,dc=cbls,dc=ccr,dc=buffalo,dc=edu" basesdn = 0x7f94365868b0 scope = 0 controls = 0x0 operation = 0x7f9838563750 addr = 0x7f9838563828 estimate = 0 sort = 0 vlv = sort_spec = 0x0 is_sorting_critical = is_sorting_critical_orig = 0 sort_control = 0x0 virtual_list_view = 0 vlv_spec = 0x0 is_vlv_critical = 0 vlv_request_control = {beforeCount = 0, afterCount = 0, tag = 0, index = 0, contentCount = 0, value = {bv_len = 0, bv_val = 0x0}} sr = tmp_err = -1 tmp_desc = 0x0 lookup_returned_allids = 0 backend_count = 0 print_once = 1 txn = {back_txn_txn = 0x0} rc = #19 0x00007f9834cd8d49 in op_shared_search (pb=pb at entry=0x7f96697f9ae0, send_result=send_result at entry=1) at ldap/servers/slapd/opshared.c:831 be_suffix = 0x7f98366ed430 err = 0 next_be = 0x0 base = 0x7f95657859e0 "cn=cpn-p28-40.cbls.ccr.buffalo.edu,cn=masters,cn=ipa,cn=etc,dc=cbls,dc=ccr,dc=buffalo,dc=edu" normbase = fstr = 0x7f94349d6970 "(objectClass=*)" scope = 0 be = 0x7f98366e74c0 be_single = 0x0 
attrliststr = attrs = 0x0 rc = -1 internal_op = basesdn = 0x7f94342f5ba0 sdn = 0x7f94365868b0 operation = 0x7f9838563750 referral = 0x0 proxydn = 0x0 proxystr = 0x0 proxy_err = errtext = 0x0 errorbuf = "\000\343\254\066\224\177\000\000\320t\177i\226\177\000\000\005\000\000\000\000\000\000\000\066Y\311\064\230\177\000\000\000\000\000\000\000\000\000\000X\342p5\224\177\000\000\310\177ye\225\177\000\000(u\177i\226\177\000\000\240\331(6\230\177\000\000\060\000\000\000\000\000\000\000\320U\214\064\224\177\000\000\000\000\000\000\000\000\000\000\210V\214\064\224\177\000\000\210\307\351\067\224\177\000\000\001", '\000' , "\340\320{6\224\177", '\000' , "Z\235Z\316_Z\302\350\027\211e\225\177\000\000\350\027\211e\225\177\000\000\360\027\211e\225\177\000\000\000\000\000\000\000\000\000\000\264M\366\064\230\177\000\000"... nentries = 0 pnentries = 0 flag_search_base_found = 0 flag_no_such_object = 0 flag_referral = 0 flag_psearch = err_code = 0 ctrlp = 0x0 ctl_value = 0x0 iscritical = 0 be_name = index = -1 sent_result = 0 pr_stat = 0 pagesize = -1 estimate = 0 curr_search_count = pr_be = pr_search_result = pr_idx = -1 orig_sdn = 0x0 free_sdn = 1 #20 0x00007f98351c407e in do_search (pb=pb at entry=0x7f96697f9ae0) at ldap/servers/slapd/search.c:378 operation = 0x7f9838563750 ber = i = err = attrsonly = 0 scope = 0 deref = 0 sizelimit = 0 timelimit = 300 rawbase = 0x7f95657859e0 "cn=cpn-p28-40.cbls.ccr.buffalo.edu,cn=masters,cn=ipa,cn=etc,dc=cbls,dc=ccr,dc=buffalo,dc=edu" rawbase_set_in_pb = 1 fstr = 0x7f94349d6970 "(objectClass=*)" filter = 0x7f9435fa6650 attrs = 0x0 gerattrs = 0x0 psearch = 0 psbvp = 0x0 changetypes = 32664 send_entchg_controls = -1306841136 changesonly = 0 rc = -1 strict = minssf_exclude_rootdse = filter_normalized = 0 #21 0x00007f98351b3405 in connection_dispatch_operation (pb=0x7f96697f9ae0, op=0x7f9838563750, conn=0x7f983bc39380) at ldap/servers/slapd/connection.c:684 minssf = 0 minssf_exclude_rootdse = enable_nagle = 1 pop_cork = 0 #22 
connection_threadmain () at ldap/servers/slapd/connection.c:2534 is_timedout = 0 curtime = local_pb = {pb_backend = 0x7f98366e74c0, pb_conn = 0x7f983bc39380, pb_op = 0x7f9838563750, pb_plugin = 0x7f98364e9f80, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 1, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, 
pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x0, op_stack_elem = 0x7f9837cca680, pb_aci_target_check = 0} pb = 0x7f96697f9ae0 conn = 0x7f983bc39380 op = 0x7f9838563750 tag = 99 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = 0 doshutdown = 0 maxthreads = 5 bypasspollcnt = #23 0x00007f98330d57bb in _pt_root () from /lib64/libnspr4.so No symbol table info available. #24 0x00007f9832a76df5 in start_thread () from /lib64/libpthread.so.0 No symbol table info available. #25 0x00007f98327a41ad in clone () from /lib64/libc.so.6 No symbol table info available. Thread 29 (Thread 0x7f9668ff9700 (LWP 24974)): #0 0x00007f9832a7a705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 No symbol table info available. #1 0x00007f98330d02c3 in PR_EnterMonitor () from /lib64/libnspr4.so No symbol table info available. 
#2 0x00007f98291f7132 in dblayer_lock_backend (be=) at ldap/servers/slapd/back-ldbm/dblayer.c:3946 inst = #3 0x00007f98291fbf36 in dblayer_txn_begin (be=0x7f98366e74c0, parent_txn=0x0, txn=txn at entry=0x7f9668ff42b0) at ldap/servers/slapd/back-ldbm/dblayer.c:3668 li = 0x7f98364e9ce0 rc = 0 #4 0x00007f9829237827 in ldbm_back_modify (pb=) at ldap/servers/slapd/back-ldbm/ldbm_modify.c:560 cache_rc = 0 new_mod_count = 0 be = 0x7f98366e74c0 inst = 0x7f98366efc40 li = 0x7f98364e9ce0 e = 0x0 ec = 0x0 original_entry = 0x0 tmpentry = 0x0 postentry = 0x0 mods = 0x7f9411aa2290 mods_original = 0x0 smods = {mods = 0x0, num_elements = 0, num_mods = 0, iterator = 0, free_mods = 0} txn = {back_txn_txn = 0x0} parent_txn = 0x0 ruv_c = {old_entry = 0x0, new_entry = 0x0, smods = 0x0, attr_encrypt = 0} ruv_c_init = 0 retval = -1 msg = errbuf = 0x0 retry_count = 0 disk_full = 0 ldap_result_code = 0 ldap_result_message = 0x0 rc = 0 operation = 0x7f9410fbe1f0 addr = 0x7f9410fbe2c8 is_fixup_operation = 0 is_ruv = 0 opcsn = repl_op = 0 opreturn = 0 mod_count = 0 not_an_error = 0 fixup_tombstone = 0 #5 0x00007f9834cd20e1 in op_shared_modify (pb=pb at entry=0x7f94116d7fc0, pw_change=pw_change at entry=0, old_pw=0x0) at ldap/servers/slapd/modify.c:1086 rc = 0 be = 0x7f98366e74c0 pse = 0x7f94dd24a9f0 referral = 0x0 e = 0x0 dn = 0x7f94dcb7ea40 "fqdn=cpn-d07-31-01.cbls.ccr.buffalo.edu,cn=computers,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu" normdn = sdn = 0x7f94dd289b90 passin_sdn = 0 mods = 0x7f9411aa2290 pw_mod = tmpmods = 0x7f941100fc50 smods = {mods = 0x0, num_elements = 0, num_mods = 0, iterator = 0, free_mods = 0} repl_op = 0 internal_op = 32 lastmod = 1 skip_modified_attrs = 0 unhashed_pw_attr = 0x0 operation = 0x7f9410fbe1f0 errorbuf = 
"\000\251$?\177\000\000\066Y\311\064\230\177\000\000\020\000\000\000\000\000\000\000\216\217\321\064\230\177\000\000\260F\377h\226\177\000\000\260\327\272?\177\000\000\200E\377h\226\177\000\000\260E\377h\226\177\000\000\320E\377h\226\177\000\000`\020\215?\177\000\000\260F\377h\226\177\000\000\250F\377h\226\177\000\000\360\251$?\177\000\000\350E\377h\226\177\000\000\264M\366\064\230\177\000\000`\020\215?\177\000\000\260F\377h\226\177\000\000\bF\377h\226\177\000\000\264M\366\064\230\177\000\000`\020\215?\177\000\000\260F\377h\226\177\000\000\250F\377h\226\177\000\000\360\251$?\177\000\000\066Y\311\064\230\177\000\000`\020\215?\177\000\000\024I\312\064\230\177\000\000\340"... err = lc_mod = p = i = proxydn = 0x0 proxy_err = errtext = 0x0 #6 0x00007f9834cd2ba4 in modify_internal_pb (pb=0x7f94116d7fc0) at ldap/servers/slapd/modify.c:631 controls = 0x0 pwpolicy_ctrl = 0 op = 0x7f9410fbe1f0 opresult = 0 normalized_mods = 0x7f941100fc50 mods = 0x7f94dc4a45f0 mod = 0x7f941100fc58 smods = {mods = 0x7f9400000000, num_elements = 1520261632, num_mods = -1034264626, iterator = 292388800, free_mods = 32660} pw_change = old_pw = 0x0 #7 0x00007f982a8d8bd3 in ipalockout_postop () from /usr/lib64/dirsrv/plugins/libipa_lockout.so No symbol table info available. #8 0x00007f9834ce5280 in plugin_call_func (list=0x7f9836464b60, operation=operation at entry=501, pb=pb at entry=0x7f9668ff8ae0, call_one=call_one at entry=0) at ldap/servers/slapd/plugin.c:1952 n = func = 0x7f982a8d8580 rc = return_value = 0 count = 3 locked = 0x0 #9 0x00007f9834ce54d8 in plugin_call_list (pb=0x7f9668ff8ae0, operation=501, list=) at ldap/servers/slapd/plugin.c:1886 No locals. 
#10 plugin_call_plugins (pb=pb at entry=0x7f9668ff8ae0, whichfunction=whichfunction at entry=501) at ldap/servers/slapd/plugin.c:459 p = 0x7f98364a1310 plugin_list_number = 2 rc = 0 do_op = #11 0x00007f98351ac9ff in do_bind (pb=pb at entry=0x7f9668ff8ae0) at ldap/servers/slapd/bind.c:424 ber = err = isroot = 0 method = 163 version = 3 auth_response_requested = 0 pw_response_requested = 0 rawdn = 0x7f94dd2176c0 "`\305\343?\177" dn = saslmech = 0x7f94dcb99e70 "GSSAPI" cred = {bv_len = 32, bv_val = 0x7f94dd121820 "\004\377\377\377\005\004\004\377"} be = 0x0 ber_rc = rc = 0 sdn = 0x7f94dd287b90 bind_sdn_in_pb = 1 referral = 0x0 errorbuf = '\000' , "\272hC\t\"\003Z\v\ti)\001B\225\\\n\212\071\217\026\016?\t\222\221\200\b\367\202\364\006\274\022\232\017\300\357\b\r\037G\201\016\023\033\203\r\331B\001\t\231\223\020\037\243\333D\a\261?\005\037\t\345n\005\036>w\v\002", '\000' , "\370\377\017\377\377\377\037\377\377\377\017\377\377\277\037\377\377\377\001\000\000\000\000\361\237t\032\312\363e\n\201\260\350\033\355q\370\036\342\342\021%D\\\330\032\352xO0j\rY\022W\023c\a\026\216V\aY\303T\004.% \016\033"... 
supported = pmech = authtypebuf = "\000\000\000\000\000\000\000\000h\212\345?\177\000\000`\212\345?\177\000\000@\212\345?\177\000\000\001\000\000\000\000\000\000\000\330i\377h\226\177\000\000\340\212\377h\226\177\000\000P}\212\036\225\177\000\000\022\006\322\064\230\177\000\000\340i\377h\226\177\000\000\000\000\000\000\000\000\000\000\066Y\311\064\230\177\000\000\000\000\000\000\000\000\000\000\334/\315\064\230\177\000\000\340i\377h\226\177\000\000\000\000\000\000\000\000\000\000\270i\377h\226\177\000\000\330i\377h\226\177\000\000\267y\312\032\315\344\236\005\241?\036\002\000\000\000\300\276%8\230\177\000\000\377\377\377\377\377\377\377\377@\212\345?\177\000\000\000\000\000\000\000\000\000\000\236\367\371\020\224\177", '\000' bind_target_entry = 0x0 auto_bind = minssf = minssf_exclude_rootdse = #12 0x00007f98351b343f in connection_dispatch_operation (pb=0x7f9668ff8ae0, op=0x7f958f926310, conn=0x7f983bc29630) at ldap/servers/slapd/connection.c:635 minssf = 0 minssf_exclude_rootdse = enable_nagle = 1 pop_cork = 0 #13 connection_threadmain () at ldap/servers/slapd/connection.c:2534 is_timedout = 0 curtime = local_pb = {pb_backend = 0x7f98364a1080, pb_conn = 0x7f983bc29630, pb_op = 0x7f958f926310, pb_plugin = 0x7f9836464b60, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, 
pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x7f941132fa00, op_stack_elem = 0x7f958d5c7490, pb_aci_target_check = 0} pb = 0x7f9668ff8ae0 conn = 0x7f983bc29630 op = 0x7f958f926310 tag = 96 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = 0 doshutdown = 0 maxthreads = 5 bypasspollcnt = #14 0x00007f98330d57bb in _pt_root () from /lib64/libnspr4.so No symbol table info available. #15 0x00007f9832a76df5 in start_thread () from /lib64/libpthread.so.0 No symbol table info available. 
#16 0x00007f98327a41ad in clone () from /lib64/libc.so.6 No symbol table info available. Thread 28 (Thread 0x7f96687f8700 (LWP 24975)): #0 0x00007f9832a7a705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 No symbol table info available. #1 0x00007f982c9f72f3 in __db_hybrid_mutex_suspend () from /lib64/libdb-5.3.so No symbol table info available. #2 0x00007f982c9f6640 in __db_tas_mutex_lock () from /lib64/libdb-5.3.so No symbol table info available. #3 0x00007f982caa0cea in __lock_get_internal () from /lib64/libdb-5.3.so No symbol table info available. #4 0x00007f982caa17d0 in __lock_get () from /lib64/libdb-5.3.so No symbol table info available. #5 0x00007f982cacd112 in __db_lget () from /lib64/libdb-5.3.so No symbol table info available. #6 0x00007f982ca145f5 in __bam_search () from /lib64/libdb-5.3.so No symbol table info available. #7 0x00007f982c9ff256 in __bamc_search () from /lib64/libdb-5.3.so No symbol table info available. #8 0x00007f982ca01233 in __bamc_get () from /lib64/libdb-5.3.so No symbol table info available. #9 0x00007f982cab9c56 in __dbc_iget () from /lib64/libdb-5.3.so No symbol table info available. #10 0x00007f982cac8ad2 in __dbc_get_pp () from /lib64/libdb-5.3.so No symbol table info available. 
#11 0x00007f982922b764 in _entryrdn_get_elem (cursor=cursor at entry=0x7f965427d940, key=key at entry=0x7f96687eeb70, data=data at entry=0x7f96687eeba0, comp_key=0x7f945f60e940 "cn=accounts", elem=elem at entry=0x7f96687eeb60, db_txn=db_txn at entry=0x0) at ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c:1807 rc = ptr = 0x7f945ffc6410 #12 0x00007f982922edea in _entryrdn_index_read (be=be at entry=0x7f98366e74c0, cursor=0x7f965427d940, srdn=srdn at entry=0x7f96687f0c90, elem=elem at entry=0x7f96687f0c88, parentelem=parentelem at entry=0x0, childelems=childelems at entry=0x0, flags=flags at entry=0, db_txn=db_txn at entry=0x0) at ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c:3340 rc = 0 len = 33 id = 1 nrdn = 0x7f945ebf3dc0 "dc=cbls,dc=ccr,dc=buffalo,dc=edu" childnrdn = 0x7f945f60e940 "cn=accounts" rdnidx = 2 keybuf = 0x7f945f60cd10 "C1" key = {data = 0x7f945f60cd10, size = 3, ulen = 3, dlen = 8, doff = 0, app_data = 0x7f982c192bf8 , flags = 2056} data = {data = 0x7f945ffc6410, size = 33, ulen = 33, dlen = 0, doff = 0, app_data = 0x0, flags = 2048} childnum = 32 curr_childnum = 0 tmpsrdn = 0x7f945f4231e0 tmpelem = 0x7f945ffc6410 #13 0x00007f982923014a in entryrdn_index_read_ext (be=be at entry=0x7f98366e74c0, sdn=sdn at entry=0x7f945f98c780, id=id at entry=0x7f96687f0d24, flags=flags at entry=0, txn=txn at entry=0x7f96687f0f00) at ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c:448 rc = 0 ai = 0x7f98367159b0 srdn = {flag = 0 '\000', rdn = 0x7f945c786e10 "cn=Default Trust View", rdns = 0x0, butcheredupto = -1, nrdn = 0x0, all_rdns = 0x7f945c786de0, all_nrdns = 0x7f957fb34970} db = 0x7f98367d0680 db_txn = 0x0 cursor = 0x7f965427d940 elem = 0x7f945f434ad0 db_retry = #14 0x00007f9829200849 in dn2entry_ext (be=be at entry=0x7f98366e74c0, sdn=sdn at entry=0x7f945f98c780, txn=txn at entry=0x7f96687f0f00, flags=flags at entry=0, err=err at entry=0x7f96687f0ddc) at ldap/servers/slapd/back-ldbm/dn2entry.c:92 id = 0 inst = 0x7f98366efc40 ndnv = {bv_len = 75, bv_val = 0x7f945f97b8c0 
"cn=default trust view,cn=views,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu"} e = 0x0 indexname = #15 0x00007f9829203651 in find_entry_internal_dn (flags=0, txn=0x7f96687f0f00, lock=0, sdn=0x7f945f98c780, be=0x7f98366e74c0, pb=0x7f96687f7ae0) at ldap/servers/slapd/back-ldbm/findentry.c:130 e = 0x7f983bc58a30 err = 0 inst = 0x7f98366efc40 tries = 0 managedsait = 0 #16 find_entry_internal (pb=pb at entry=0x7f96687f7ae0, be=0x7f98366e74c0, lock=lock at entry=0, txn=txn at entry=0x7f96687f0f00, flags=flags at entry=0, addr=, addr=) at ldap/servers/slapd/back-ldbm/findentry.c:293 entry = 0x0 flags = 0 pb = 0x7f96687f7ae0 txn = 0x7f96687f0f00 lock = 0 be = 0x7f98366e74c0 #17 0x00007f982920393e in find_entry (pb=pb at entry=0x7f96687f7ae0, be=, addr=, txn=txn at entry=0x7f96687f0f00) at ldap/servers/slapd/back-ldbm/findentry.c:313 No locals. #18 0x00007f982923d9bb in ldbm_back_search (pb=0x7f96687f7ae0) at ldap/servers/slapd/back-ldbm/ldbm_search.c:616 be = 0x7f98366e74c0 inst = 0x7f98366efc40 li = 0x7f98364e9ce0 e = 0x6 candidates = 0x0 base = 0x7f945f426470 "cn=Default Trust View,cn=views,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu" basesdn = 0x7f945f98c780 scope = 2 controls = 0x0 operation = 0x7f983763a7d0 addr = 0x7f983763a8a8 estimate = 0 sort = 0 vlv = sort_spec = 0x0 is_sorting_critical = is_sorting_critical_orig = 0 sort_control = 0x0 virtual_list_view = 0 vlv_spec = 0x0 is_vlv_critical = 0 vlv_request_control = {beforeCount = 0, afterCount = 0, tag = 0, index = 0, contentCount = 0, value = {bv_len = 0, bv_val = 0x0}} sr = tmp_err = -1 tmp_desc = 0x0 lookup_returned_allids = 0 backend_count = 0 print_once = 1 txn = {back_txn_txn = 0x0} rc = #19 0x00007f9834cd8d49 in op_shared_search (pb=pb at entry=0x7f96687f7ae0, send_result=send_result at entry=1) at ldap/servers/slapd/opshared.c:831 be_suffix = 0x7f98366ed430 err = 0 next_be = 0x0 base = 0x7f957fb440c0 "cn=Default Trust View,cn=views,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu" normbase = fstr = 
0x7f957f1fe460 "(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:IPA:cbls.ccr.buffalo.edu:58a35a16-2ce4-11e5-b42b-a0369f577818))" scope = 2 be = 0x7f98366e74c0 be_single = 0x0 be_list = {...} referral_list = {...} attrlistbuf = "\"* altServer namingContexts supportedControl supportedExtension supportedFeatures supportedLDAPVersion supportedSASLMechanisms domaincontrollerfunctionality defaultnamingcontext lastusn highestcommitt"... 
attrliststr = attrs = 0x0 rc = -1 internal_op = basesdn = 0x7f945f647820 sdn = 0x7f945f98c780 operation = 0x7f983763a7d0 referral = 0x0 proxydn = 0x0 proxystr = 0x0 proxy_err = errtext = 0x0 errorbuf = "\000eTimeout\"\000h\226\177\000\000\005\000\000\000\000\000\000\000\066Y\311\064\230\177\000\000\000\000\000\000\000\000\000\000\350\334N9\226\177\000\000\270|P9\226\177\000\000(U\177h\226\177\000\000\240\331(6\230\177\000\000\060\000\000\000\000\000\000\000\060.\037\177\225\177\000\000\000\000\000\000\000\000\000\000\350.\037\177\225\177\000\000\270\362\214_\224\177\000\000\001", '\000' , "PZ\276^\224\177", '\000' , "Z\235Z\316_Z\302\350\177P9\226\177\000\000\350\177P9\226\177\000\000\360\177P9\226\177\000\000\000\000\000\000\000\000\000\000\264M\366\064\230\177\000\000"... nentries = 0 pnentries = 0 flag_search_base_found = 0 flag_no_such_object = 0 flag_referral = 0 flag_psearch = err_code = 0 ctrlp = 0x0 ctl_value = 0x0 iscritical = 0 be_name = index = -1 sent_result = 0 pr_stat = 0 pagesize = -1 estimate = 0 curr_search_count = pr_be = pr_search_result = pr_idx = -1 orig_sdn = 0x0 free_sdn = 1 #20 0x00007f98351c407e in do_search (pb=pb at entry=0x7f96687f7ae0) at ldap/servers/slapd/search.c:378 operation = 0x7f983763a7d0 ber = i = err = attrsonly = 0 scope = 2 deref = 0 sizelimit = 0 timelimit = 0 rawbase = 0x7f957fb440c0 "cn=Default Trust View,cn=views,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu" rawbase_set_in_pb = 1 fstr = 0x7f957f1fe460 "(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:IPA:cbls.ccr.buffalo.edu:58a35a16-2ce4-11e5-b42b-a0369f577818))" filter = 0x7f945f4268c0 attrs = 0x0 gerattrs = 0x0 psearch = 0 psbvp = 0x0 changetypes = 32664 send_entchg_controls = -1137235264 changesonly = 0 rc = -1 strict = minssf_exclude_rootdse = filter_normalized = 0 #21 0x00007f98351b3589 in connection_dispatch_operation (pb=0x7f96687f7ae0, op=0x7f983763a7d0, conn=0x7f983bc58a30) at ldap/servers/slapd/connection.c:684 minssf = 0 minssf_exclude_rootdse = enable_nagle 
= 1 pop_cork = 1 #22 connection_threadmain () at ldap/servers/slapd/connection.c:2534 is_timedout = 0 curtime = local_pb = {pb_backend = 0x7f98366e74c0, pb_conn = 0x7f983bc58a30, pb_op = 0x7f983763a7d0, pb_plugin = 0x7f98364e9f80, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, 
pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x0, op_stack_elem = 0x7f9838078440, pb_aci_target_check = 0} pb = 0x7f96687f7ae0 conn = 0x7f983bc58a30 op = 0x7f983763a7d0 tag = 99 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = 0 doshutdown = 0 maxthreads = 5 bypasspollcnt = #23 0x00007f98330d57bb in _pt_root () from /lib64/libnspr4.so No symbol table info available. #24 0x00007f9832a76df5 in start_thread () from /lib64/libpthread.so.0 No symbol table info available. #25 0x00007f98327a41ad in clone () from /lib64/libc.so.6 No symbol table info available. Thread 27 (Thread 0x7f9667ff7700 (LWP 24976)): #0 0x00007f9832a7a705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 No symbol table info available. #1 0x00007f982c9f72f3 in __db_hybrid_mutex_suspend () from /lib64/libdb-5.3.so No symbol table info available. #2 0x00007f982c9f6640 in __db_tas_mutex_lock () from /lib64/libdb-5.3.so No symbol table info available. #3 0x00007f982caa0cea in __lock_get_internal () from /lib64/libdb-5.3.so No symbol table info available. #4 0x00007f982caa17d0 in __lock_get () from /lib64/libdb-5.3.so No symbol table info available. #5 0x00007f982cacd112 in __db_lget () from /lib64/libdb-5.3.so No symbol table info available. #6 0x00007f982ca145f5 in __bam_search () from /lib64/libdb-5.3.so No symbol table info available. #7 0x00007f982c9ff256 in __bamc_search () from /lib64/libdb-5.3.so No symbol table info available. #8 0x00007f982ca01233 in __bamc_get () from /lib64/libdb-5.3.so No symbol table info available. 
#9 0x00007f982cab9c56 in __dbc_iget () from /lib64/libdb-5.3.so No symbol table info available. #10 0x00007f982cac8ad2 in __dbc_get_pp () from /lib64/libdb-5.3.so No symbol table info available. #11 0x00007f982922b764 in _entryrdn_get_elem (cursor=cursor at entry=0x7f960088b8f0, key=key at entry=0x7f9667fedb70, data=data at entry=0x7f9667fedba0, comp_key=0x7f94aee4d200 "cn=accounts", elem=elem at entry=0x7f9667fedb60, db_txn=db_txn at entry=0x0) at ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c:1807 rc = ptr = 0x7f94ad490720 #12 0x00007f982922edea in _entryrdn_index_read (be=be at entry=0x7f98366e74c0, cursor=0x7f960088b8f0, srdn=srdn at entry=0x7f9667fefc90, elem=elem at entry=0x7f9667fefc88, parentelem=parentelem at entry=0x0, childelems=childelems at entry=0x0, flags=flags at entry=0, db_txn=db_txn at entry=0x0) at ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c:3340 rc = 0 len = 33 id = 1 nrdn = 0x7f94ad505950 "dc=cbls,dc=ccr,dc=buffalo,dc=edu" childnrdn = 0x7f94aee4d200 "cn=accounts" rdnidx = 2 keybuf = 0x7f94ad602ae0 "C1" key = {data = 0x7f94ad602ae0, size = 3, ulen = 3, dlen = 739961895, doff = 32664, app_data = 0x7f982c192bf8 , flags = 2056} data = {data = 0x7f94ad490720, size = 33, ulen = 33, dlen = 0, doff = 0, app_data = 0x0, flags = 2048} childnum = 32 curr_childnum = 0 tmpsrdn = 0x7f94ae6ec720 tmpelem = 0x7f94ad490720 #13 0x00007f982923014a in entryrdn_index_read_ext (be=be at entry=0x7f98366e74c0, sdn=sdn at entry=0x7f94afd7fa20, id=id at entry=0x7f9667fefd24, flags=flags at entry=0, txn=txn at entry=0x7f9667feff00) at ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c:448 rc = 0 ai = 0x7f98367159b0 srdn = {flag = 0 '\000', rdn = 0x7f94ad5d1fa0 "cn=Default Trust View", rdns = 0x0, butcheredupto = -1, nrdn = 0x0, all_rdns = 0x7f94ad5d1f70, all_nrdns = 0x7f95a9e50260} db = 0x7f98367d0680 db_txn = 0x0 cursor = 0x7f960088b8f0 elem = 0x7f94aee31440 db_retry = #14 0x00007f9829200849 in dn2entry_ext (be=be at entry=0x7f98366e74c0, sdn=sdn at entry=0x7f94afd7fa20, 
txn=txn at entry=0x7f9667feff00, flags=flags at entry=0, err=err at entry=0x7f9667fefddc) at ldap/servers/slapd/back-ldbm/dn2entry.c:92 id = 0 inst = 0x7f98366efc40 ndnv = {bv_len = 75, bv_val = 0x7f95a9e74b00 "cn=default trust view,cn=views,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu"} e = 0x0 indexname = #15 0x00007f9829203651 in find_entry_internal_dn (flags=0, txn=0x7f9667feff00, lock=0, sdn=0x7f94afd7fa20, be=0x7f98366e74c0, pb=0x7f9667ff6ae0) at ldap/servers/slapd/back-ldbm/findentry.c:130 e = 0x7f983bc55700 err = 0 inst = 0x7f98366efc40 tries = 0 managedsait = 0 #16 find_entry_internal (pb=pb at entry=0x7f9667ff6ae0, be=0x7f98366e74c0, lock=lock at entry=0, txn=txn at entry=0x7f9667feff00, flags=flags at entry=0, addr=, addr=) at ldap/servers/slapd/back-ldbm/findentry.c:293 entry = 0x0 flags = 0 pb = 0x7f9667ff6ae0 txn = 0x7f9667feff00 lock = 0 be = 0x7f98366e74c0 #17 0x00007f982920393e in find_entry (pb=pb at entry=0x7f9667ff6ae0, be=, addr=, txn=txn at entry=0x7f9667feff00) at ldap/servers/slapd/back-ldbm/findentry.c:313 No locals. 
#18 0x00007f982923d9bb in ldbm_back_search (pb=0x7f9667ff6ae0) at ldap/servers/slapd/back-ldbm/ldbm_search.c:616 be = 0x7f98366e74c0 inst = 0x7f98366efc40 li = 0x7f98364e9ce0 e = 0x6 candidates = 0x0 base = 0x7f95aa3dcb80 "cn=Default Trust View,cn=views,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu" basesdn = 0x7f94afd7fa20 scope = 2 controls = 0x0 operation = 0x7f945d3bba20 addr = 0x7f945d3bbaf8 estimate = 0 sort = 0 vlv = sort_spec = 0x0 is_sorting_critical = is_sorting_critical_orig = 0 sort_control = 0x0 virtual_list_view = 0 vlv_spec = 0x0 is_vlv_critical = 0 vlv_request_control = {beforeCount = 0, afterCount = 0, tag = 0, index = 0, contentCount = 0, value = {bv_len = 0, bv_val = 0x0}} sr = tmp_err = -1 tmp_desc = 0x0 lookup_returned_allids = 0 backend_count = 0 print_once = 1 txn = {back_txn_txn = 0x0} rc = #19 0x00007f9834cd8d49 in op_shared_search (pb=pb at entry=0x7f9667ff6ae0, send_result=send_result at entry=1) at ldap/servers/slapd/opshared.c:831 be_suffix = 0x7f98366ed430 err = 0 next_be = 0x0 base = 0x7f95ab806c90 "cn=Default Trust View,cn=views,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu" normbase = fstr = 0x7f94ad564040 "(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:IPA:cbls.ccr.buffalo.edu:32c1434a-2ce3-11e5-8334-a0369f577818))" scope = 2 be = 0x7f98366e74c0 be_single = 0x0 be_list = {...} referral_list = {...} attrlistbuf = "\"objectClass posixgroup cn userPassword gidNumber member ipaUniqueID ipaNTSecurityIdentifier modifyTimestamp entryusn\"\000id\"\000rval krbPwdLockoutDuration\"\000ion krbPwdPolicyReference krbPrincipalType krbPwd"... 
attrliststr = attrs = 0x0 rc = -1 internal_op = basesdn = 0x7f95a9f05d50 sdn = 0x7f94afd7fa20 operation = 0x7f945d3bba20 referral = 0x0 proxydn = 0x0 proxystr = 0x0 proxy_err = errtext = 0x0 errorbuf = "\000\320_\255\224\177\000\000\320D\377g\226\177\000\000\005\000\000\000\000\000\000\000\066Y\311\064\230\177\000\000\000\000\000\000\000\000\000\000\b\326?\177\000\000\070\262W\255\224\177\000\000(E\377g\226\177\000\000\240\331(6\230\177\000\000\060\000\000\000\000\000\000\000\220S|\253\225\177\000\000\000\000\000\000\000\000\000\000HT|\253\225\177\000\000\350KH\255\224\177\000\000\001", '\000' , "\360\367S\255\224\177", '\000' , "Z\235Z\316_Z?@{\253\225\177\000\000\270@{\253\225\177\000\000\300@{\253\225\177\000\000\000\000\000\000\000\000\000\000\264M\366\064\230\177\000\000\016\000\000\000\000\000\000\000"... nentries = 0 pnentries = 0 flag_search_base_found = 0 flag_no_such_object = 0 flag_referral = 0 flag_psearch = err_code = 0 ctrlp = 0x0 ctl_value = 0x0 iscritical = 0 be_name = index = -1 sent_result = 0 pr_stat = 0 pagesize = -1 estimate = 0 curr_search_count = pr_be = pr_search_result = pr_idx = -1 orig_sdn = 0x0 free_sdn = 1 #20 0x00007f98351c407e in do_search (pb=pb at entry=0x7f9667ff6ae0) at ldap/servers/slapd/search.c:378 operation = 0x7f945d3bba20 ber = i = err = attrsonly = 0 scope = 2 deref = 0 sizelimit = 0 timelimit = 0 rawbase = 0x7f95ab806c90 "cn=Default Trust View,cn=views,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu" rawbase_set_in_pb = 1 fstr = 0x7f94ad564040 "(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:IPA:cbls.ccr.buffalo.edu:32c1434a-2ce3-11e5-8334-a0369f577818))" filter = 0x7f94ad5dd600 attrs = 0x0 gerattrs = 0x0 psearch = 0 psbvp = 0x0 changetypes = 32664 send_entchg_controls = -684531760 changesonly = 0 rc = -1 strict = minssf_exclude_rootdse = filter_normalized = 0 #21 0x00007f98351b3589 in connection_dispatch_operation (pb=0x7f9667ff6ae0, op=0x7f945d3bba20, conn=0x7f983bc55700) at ldap/servers/slapd/connection.c:684 minssf = 0 
minssf_exclude_rootdse = enable_nagle = 1 pop_cork = 1 #22 connection_threadmain () at ldap/servers/slapd/connection.c:2534 is_timedout = 0 curtime = local_pb = {pb_backend = 0x7f98366e74c0, pb_conn = 0x7f983bc55700, pb_op = 0x7f945d3bba20, pb_plugin = 0x7f98364e9f80, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, 
pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x0, op_stack_elem = 0x7f957fe16d10, pb_aci_target_check = 0} pb = 0x7f9667ff6ae0 conn = 0x7f983bc55700 op = 0x7f945d3bba20 tag = 99 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = 0 doshutdown = 0 maxthreads = 5 bypasspollcnt = #23 0x00007f98330d57bb in _pt_root () from /lib64/libnspr4.so No symbol table info available. #24 0x00007f9832a76df5 in start_thread () from /lib64/libpthread.so.0 No symbol table info available. #25 0x00007f98327a41ad in clone () from /lib64/libc.so.6 No symbol table info available. Thread 26 (Thread 0x7f96677f6700 (LWP 24977)): #0 0x00007f9832a7a705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 No symbol table info available. #1 0x00007f98330d02c3 in PR_EnterMonitor () from /lib64/libnspr4.so No symbol table info available. 
#2 0x00007f98291f7132 in dblayer_lock_backend (be=) at ldap/servers/slapd/back-ldbm/dblayer.c:3946 inst = #3 0x00007f98291fbf36 in dblayer_txn_begin (be=0x7f98366e74c0, parent_txn=0x0, txn=txn at entry=0x7f96677f12b0) at ldap/servers/slapd/back-ldbm/dblayer.c:3668 li = 0x7f98364e9ce0 rc = 0 #4 0x00007f9829237827 in ldbm_back_modify (pb=) at ldap/servers/slapd/back-ldbm/ldbm_modify.c:560 cache_rc = 0 new_mod_count = 0 be = 0x7f98366e74c0 inst = 0x7f98366efc40 li = 0x7f98364e9ce0 e = 0x0 ec = 0x0 original_entry = 0x0 tmpentry = 0x0 postentry = 0x0 mods = 0x7f94c43db350 mods_original = 0x0 smods = {mods = 0x0, num_elements = 0, num_mods = 0, iterator = 0, free_mods = 0} txn = {back_txn_txn = 0x0} parent_txn = 0x0 ruv_c = {old_entry = 0x0, new_entry = 0x0, smods = 0x0, attr_encrypt = 0} ruv_c_init = 0 retval = -1 msg = errbuf = 0x0 retry_count = 0 disk_full = 0 ldap_result_code = 0 ldap_result_message = 0x0 rc = 0 operation = 0x7f94c7ef4460 addr = 0x7f94c7ef4538 is_fixup_operation = 0 is_ruv = 0 opcsn = repl_op = 0 opreturn = 0 mod_count = 0 not_an_error = 0 fixup_tombstone = 0 #5 0x00007f9834cd20e1 in op_shared_modify (pb=pb at entry=0x7f94c75f5980, pw_change=pw_change at entry=0, old_pw=0x0) at ldap/servers/slapd/modify.c:1086 rc = 0 be = 0x7f98366e74c0 pse = 0x7f94c75f8af0 referral = 0x0 e = 0x0 dn = 0x7f94c73761b0 "fqdn=cpn-k16-07-01.cbls.ccr.buffalo.edu,cn=computers,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu" normdn = sdn = 0x7f956f714000 passin_sdn = 0 mods = 0x7f94c43db350 pw_mod = tmpmods = 0x7f94c7ee1b70 smods = {mods = 0x0, num_elements = 0, num_mods = 0, iterator = 0, free_mods = 0} repl_op = 0 internal_op = 32 lastmod = 1 skip_modified_attrs = 0 unhashed_pw_attr = 0x0 operation = 0x7f94c7ef4460 errorbuf = 
"\000\212_?\177\000\000\066Y\311\064\230\177\000\000\020\000\000\000\000\000\000\000\216\217\321\064\230\177\000\000\260\026\177g\226\177\000\000\060??\177\000\000\200\025\177g\226\177\000\000\260\025\177g\226\177\000\000\320\025\177g\226\177\000\000\020S\205l\225\177\000\000\260\026\177g\226\177\000\000\250\026\177g\226\177\000\000\360\212_?\177\000\000\350\025\177g\226\177\000\000\264M\366\064\230\177\000\000\020S\205l\225\177\000\000\260\026\177g\226\177\000\000\b\026\177g\226\177\000\000\264M\366\064\230\177\000\000\020S\205l\225\177\000\000\260\026\177g\226\177\000\000\250\026\177g\226\177\000\000\360\212_?\177\000\000\066Y\311\064\230\177\000\000\020S\205l\225\177\000\000\024I\312\064\230"... err = lc_mod = p = i = proxydn = 0x0 proxy_err = errtext = 0x0 #6 0x00007f9834cd2ba4 in modify_internal_pb (pb=0x7f94c75f5980) at ldap/servers/slapd/modify.c:631 controls = 0x0 pwpolicy_ctrl = 0 op = 0x7f94c7ef4460 opresult = 0 normalized_mods = 0x7f94c7ee1b70 mods = 0x7f956d4e68a0 mod = 0x7f94c7ee1b78 smods = {mods = 0x7f9400000000, num_elements = 1520261632, num_mods = -1034264626, iterator = -950052480, free_mods = 32660} pw_change = old_pw = 0x0 #7 0x00007f982a8d8bd3 in ipalockout_postop () from /usr/lib64/dirsrv/plugins/libipa_lockout.so No symbol table info available. #8 0x00007f9834ce5280 in plugin_call_func (list=0x7f9836464b60, operation=operation at entry=501, pb=pb at entry=0x7f96677f5ae0, call_one=call_one at entry=0) at ldap/servers/slapd/plugin.c:1952 n = func = 0x7f982a8d8580 rc = return_value = 0 count = 3 locked = 0x0 #9 0x00007f9834ce54d8 in plugin_call_list (pb=0x7f96677f5ae0, operation=501, list=) at ldap/servers/slapd/plugin.c:1886 No locals. 
#10 plugin_call_plugins (pb=pb at entry=0x7f96677f5ae0, whichfunction=whichfunction at entry=501) at ldap/servers/slapd/plugin.c:459 p = 0x7f98364a1310 plugin_list_number = 2 rc = 0 do_op = #11 0x00007f98351ac9ff in do_bind (pb=pb at entry=0x7f96677f5ae0) at ldap/servers/slapd/bind.c:424 ber = err = isroot = 0 method = 163 version = 3 auth_response_requested = 0 pw_response_requested = 0 rawdn = 0x7f94c7f77930 "\020\211\065?\177" dn = saslmech = 0x7f94c72b9750 "GSSAPI" cred = {bv_len = 32, bv_val = 0x7f956f7282b0 "\004\377\377\377\005\004\004\377"} be = 0x0 ber_rc = rc = 0 sdn = 0x7f94c75f6580 bind_sdn_in_pb = 1 referral = 0x0 errorbuf = '\000' , "\201\370Z\025\263/\030\001\264v%\024\251fX\tzL\033\f3\b\234\f\205\357\313\033\221\020\366\b\024\215\023\001\343\343\357\016\366&b\001(c\016\f\217\062\354\006\373\026)\r\236\024\344\017\331C\312\f\342e\301\boS\322\006\002", '\000' , "\370\377\017\377\377\377\037\377\377\377\017\377\377\277\037\377\377\377\001\000\000\000\000\255\364:\021\373m\n\002\340\207\220\032\004M\026\033\b3\375\070\001i\245\025$?>\325\026N\ad\222;\036\253x\212\r\346\346\037\017\334X+\030\253"... 
supported = pmech = authtypebuf = "\000\000\000\000\000\000\000\000\250\020yo\225\177\000\000\240\020yo\225\177\000\000\200\020yo\225\177\000\000\001\000\000\000\000\000\000\000\330\071\177g\226\177\000\000\340Z\177g\226\177\000\000\060\265ro\225\177\000\000\022\006\322\064\230\177\000\000\340\071\177g\226\177\000\000\000\000\000\000\000\000\000\000\066Y\311\064\230\177\000\000\000\000\000\000\000\000\000\000\334/\315\064\230\177\000\000\340\071\177g\226\177\000\000\000\000\000\000\000\000\000\000\270\071\177g\226\177\000\000\330\071\177g\226\177\000\000MQ\203\036\305\374\330\v\000(\311\t\002\000\000\000\360u bind_target_entry = 0x0 auto_bind = minssf = minssf_exclude_rootdse = #12 0x00007f98351b343f in connection_dispatch_operation (pb=0x7f96677f5ae0, op=0x7f98384deff0, conn=0x7f983bc27bf0) at ldap/servers/slapd/connection.c:635 minssf = 0 minssf_exclude_rootdse = enable_nagle = 1 pop_cork = 0 #13 connection_threadmain () at ldap/servers/slapd/connection.c:2534 is_timedout = 0 curtime = local_pb = {pb_backend = 0x7f98364a1080, pb_conn = 0x7f983bc27bf0, pb_op = 0x7f98384deff0, pb_plugin = 0x7f9836464b60, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, 
pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x7f956c78ad50, op_stack_elem = 0x7f983b38ba90, pb_aci_target_check = 0} pb = 0x7f96677f5ae0 conn = 0x7f983bc27bf0 op = 0x7f98384deff0 tag = 96 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = 0 doshutdown = 0 maxthreads = 5 bypasspollcnt = #14 0x00007f98330d57bb in _pt_root () from /lib64/libnspr4.so No symbol table info available. #15 0x00007f9832a76df5 in start_thread () from /lib64/libpthread.so.0 No symbol table info available. #16 0x00007f98327a41ad in clone () from /lib64/libc.so.6 No symbol table info available. 
Thread 25 (Thread 0x7f9666ff5700 (LWP 24978)): #0 0x00007f9832a7a705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 No symbol table info available. #1 0x00007f982c9f72f3 in __db_hybrid_mutex_suspend () from /lib64/libdb-5.3.so No symbol table info available. #2 0x00007f982c9f6640 in __db_tas_mutex_lock () from /lib64/libdb-5.3.so No symbol table info available. #3 0x00007f982caa0cea in __lock_get_internal () from /lib64/libdb-5.3.so No symbol table info available. #4 0x00007f982caa17d0 in __lock_get () from /lib64/libdb-5.3.so No symbol table info available. #5 0x00007f982cacd112 in __db_lget () from /lib64/libdb-5.3.so No symbol table info available. #6 0x00007f982ca145f5 in __bam_search () from /lib64/libdb-5.3.so No symbol table info available. #7 0x00007f982c9ff256 in __bamc_search () from /lib64/libdb-5.3.so No symbol table info available. #8 0x00007f982ca01233 in __bamc_get () from /lib64/libdb-5.3.so No symbol table info available. #9 0x00007f982cab9c56 in __dbc_iget () from /lib64/libdb-5.3.so No symbol table info available. #10 0x00007f982cac8ad2 in __dbc_get_pp () from /lib64/libdb-5.3.so No symbol table info available. 
#11 0x00007f982922b764 in _entryrdn_get_elem (cursor=cursor at entry=0x7f96143be0b0, key=key at entry=0x7f9666febb70, data=data at entry=0x7f9666febba0, comp_key=0x7f946fe2f370 "cn=etc", elem=elem at entry=0x7f9666febb60, db_txn=db_txn at entry=0x0) at ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c:1807 rc = ptr = 0x7f946f1c13d0 #12 0x00007f982922edea in _entryrdn_index_read (be=be at entry=0x7f98366e74c0, cursor=0x7f96143be0b0, srdn=srdn at entry=0x7f9666fedc90, elem=elem at entry=0x7f9666fedc88, parentelem=parentelem at entry=0x0, childelems=childelems at entry=0x0, flags=flags at entry=0, db_txn=db_txn at entry=0x0) at ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c:3340 rc = 0 len = 23 id = 1 nrdn = 0x7f946f2ce450 "dc=cbls,dc=ccr,dc=buffalo,dc=edu" childnrdn = 0x7f946fe2f370 "cn=etc" rdnidx = 3 keybuf = 0x7f946fd46400 "C1" key = {data = 0x7f946fd46400, size = 3, ulen = 3, dlen = 8, doff = 0, app_data = 0x7f946d828660, flags = 2056} data = {data = 0x7f946f1c13d0, size = 23, ulen = 23, dlen = 0, doff = 0, app_data = 0x0, flags = 2048} childnum = 32 curr_childnum = 0 tmpsrdn = 0x7f946e2d4670 tmpelem = 0x7f946f1c13d0 #13 0x00007f982923014a in entryrdn_index_read_ext (be=be at entry=0x7f98366e74c0, sdn=sdn at entry=0x7f946de59140, id=id at entry=0x7f9666fedd24, flags=flags at entry=0, txn=txn at entry=0x7f9666fedf00) at ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c:448 rc = 0 ai = 0x7f98367159b0 srdn = {flag = 0 '\000', rdn = 0x7f946cde8440 "cn=cpn-k16-12-01.cbls.ccr.buffalo.edu", rdns = 0x0, butcheredupto = -1, nrdn = 0x0, all_rdns = 0x7f9531945360, all_nrdns = 0x7f946e2b6130} db = 0x7f98367d0680 db_txn = 0x0 cursor = 0x7f96143be0b0 elem = 0x7f95324409c0 db_retry = #14 0x00007f9829200849 in dn2entry_ext (be=be at entry=0x7f98366e74c0, sdn=sdn at entry=0x7f946de59140, txn=txn at entry=0x7f9666fedf00, flags=flags at entry=0, err=err at entry=0x7f9666fedddc) at ldap/servers/slapd/back-ldbm/dn2entry.c:92 id = 0 inst = 0x7f98366efc40 ndnv = {bv_len = 95, bv_val = 
0x7f946d84b380 "cn=cpn-k16-12-01.cbls.ccr.buffalo.edu,cn=masters,cn=ipa,cn=etc,dc=cbls,dc=ccr,dc=buffalo,dc=edu"} e = 0x0 indexname = #15 0x00007f9829203651 in find_entry_internal_dn (flags=0, txn=0x7f9666fedf00, lock=0, sdn=0x7f946de59140, be=0x7f98366e74c0, pb=0x7f9666ff4ae0) at ldap/servers/slapd/back-ldbm/findentry.c:130 e = 0x7f983bc2f4b0 err = 0 inst = 0x7f98366efc40 tries = 0 managedsait = 0 #16 find_entry_internal (pb=pb at entry=0x7f9666ff4ae0, be=0x7f98366e74c0, lock=lock at entry=0, txn=txn at entry=0x7f9666fedf00, flags=flags at entry=0, addr=, addr=) at ldap/servers/slapd/back-ldbm/findentry.c:293 entry = 0x0 flags = 0 pb = 0x7f9666ff4ae0 txn = 0x7f9666fedf00 lock = 0 be = 0x7f98366e74c0 #17 0x00007f982920393e in find_entry (pb=pb at entry=0x7f9666ff4ae0, be=, addr=, txn=txn at entry=0x7f9666fedf00) at ldap/servers/slapd/back-ldbm/findentry.c:313 No locals. #18 0x00007f982923d9bb in ldbm_back_search (pb=0x7f9666ff4ae0) at ldap/servers/slapd/back-ldbm/ldbm_search.c:616 be = 0x7f98366e74c0 inst = 0x7f98366efc40 li = 0x7f98364e9ce0 e = 0x6 candidates = 0x0 base = 0x7f946e68ef40 "cn=cpn-k16-12-01.cbls.ccr.buffalo.edu,cn=masters,cn=ipa,cn=etc,dc=cbls,dc=ccr,dc=buffalo,dc=edu" basesdn = 0x7f946de59140 scope = 0 controls = 0x0 operation = 0x7f9836ba6620 addr = 0x7f9836ba66f8 estimate = 0 sort = 0 vlv = sort_spec = 0x0 is_sorting_critical = is_sorting_critical_orig = 0 sort_control = 0x0 virtual_list_view = 0 vlv_spec = 0x0 is_vlv_critical = 0 vlv_request_control = {beforeCount = 0, afterCount = 0, tag = 0, index = 0, contentCount = 0, value = {bv_len = 0, bv_val = 0x0}} sr = tmp_err = -1 tmp_desc = 0x0 lookup_returned_allids = 0 backend_count = 0 print_once = 1 txn = {back_txn_txn = 0x0} rc = #19 0x00007f9834cd8d49 in op_shared_search (pb=pb at entry=0x7f9666ff4ae0, send_result=send_result at entry=1) at ldap/servers/slapd/opshared.c:831 be_suffix = 0x7f98366ed430 err = 0 next_be = 0x0 base = 0x7f946d83dac0 
"cn=cpn-k16-12-01.cbls.ccr.buffalo.edu,cn=masters,cn=ipa,cn=etc,dc=cbls,dc=ccr,dc=buffalo,dc=edu" normbase = fstr = 0x7f946f127bb0 "(objectClass=*)" scope = 0 be = 0x7f98366e74c0 be_single = 0x0 be_list = {0x7f98366e74c0, 0x0, 0x7f9666fee278, 0x7f9666fee23c, 0x0, 0x66fee280, 0x100000000, 0xffffffffffffffff, 0x1, 0xffffffff00000000, 0x0, 0x7f98366e74c0, 0x7f98364e9ce0, 0x0, 0x7f946ff7f100, 0x0, 0x1, 0x56e02da9, 0x0, 0x7f946e709350, 0x0, 0x0, 0x7f946de3a670, 0xc25a5fce5a9d5a00, 0x7f9666fee4c4, 0x7f9834ce171c , 0x0, 0xffffffff, 0x7f9666fee4c4, 0xc25a5fce5a9d5a00, 0x7f946f125190, 0x0, 0x7f946f125190, 0x0, 0x0, 0x0, 0x7f9666fee508, 0xc25a5fce5a9d5a00, 0x0, 0x7f9834cfa31d , 0x7f946f125190, 0x7f98366e7790, 0x0, 0x30, 0x0, 0x30, 0x100000031, 0x7f9600010000, 0x200000000, 0x0, 0x7f946de3a670, 0x7f9531959870, 0x1, 0x0, 0x7f9666fee558, 0x7f9666fee510, 0x7f9666fee508, 0x7f9666fee508, 0x0, 0x0, 0x7f9666fee558, 0xc25a5fce5a9d5a00, 0x7f946f125190, 0x0, 0x7f946f125190, 0x7f9834cd8470 , 0x7f9834d34290, 0x7f9666ff2400, 0x7f9834d2bcea, 0x7f9834d2bcea, 0x0, 0x7f9666fee520, 0x1, 0x7f9666fee510, 0x100000001, 0x7f9666fee550, 0x0, 0x0, 0x7f9666fee548, 0x7f9666fee4c4, 0x0, 0x0, 0x7f9666fee508, 0x1, 0x7f9666fee4cc, 0x7f9666fee4e0, 0x6de50bd0, 0x0, 0x200000001, 0xffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x1ffffffff, 0x7f946fe42cf0, 0x7f9834d34290, 0x7f946f1bbe70, 0x0, 0x0, 0x7f946de3a670, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f9800000001, 0x7f9800000000, 0x0, 0x7f98366e74c0, 0x0, 0x1, 0x7f9834ceb5e8 , 0x61653739, 0x7f98362b1b70, 0x61, 0x7f9531988ce0, 0x5a010004, 0x326465663d010025, 0x3263322d39653739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x59010004, 0x326465663d010025, 0x3263322d38653739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x58010004, 0x326465663d010025, 0x3263322d37653739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x57010004, 0x326465663d010025, 0x3263322d36653739, 0x63612d3565313165, 0x652d653766386230, 
0x37373361316230, 0x56010004, 0x326465663d010025, 0x3263322d35653739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x55010004, 0x326465663d010025, 0x3263322d34653739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x54010004, 0x326465663d010025, 0x3263322d33653739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x53010004, 0x326465663d010025, 0x3263322d32653739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x52010004, 0x326465663d010025, 0x3263322d31653739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x51010004, 0x326465663d010025, 0x3263322d30653739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x50010004, 0x326465663d010025, 0x3263322d66643739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x4f010004, 0x326465663d010025, 0x3263322d65643739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x4e010004, 0x326465663d010025, 0x3263322d64643739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x4d010004, 0x326465663d010025, 0x3263322d63643739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230...} referral_list = {0x0, 0x7f98330d1967 <_pr_poll_with_poll+679>, 0x0, 0x7f9666ff0410, 0x7f9666ff0420, 0x7f9666ff01ae, 0x7f9630ff01ac, 0xc25a5fce5a9d5a00, 0x1b774000000000, 0x7f945dc1e6c0, 0x7f9666ff4ae0, 0xe, 0x7f9666ff03a0, 0x1, 0x61, 0x7f98330bf1b2 , 0x7f98330bdde0 , 0xc25a5fce5a9d5a00, 0x7f9666ff03a2, 0x7f945dc1e6c0, 0x7f9666ff4ae0, 0xe, 0x7f9666ff03a0, 0x7f9834d2bcea, 0x7f9666ff03d0, 0x7f9834cc9f3f , 0x3000000030, 0x7f9666ff0320, 0x7f9666ff0240, 0xc25a5fce5a9d5a00, 0x0, 0x0, 0x68e38a, 0x2, 0xe, 0x61, 0x0, 0x0, 0x0, 0x7f9634000070, 0xffff80699900fd31, 0x7f9666ff02d0, 0x7f9666ff02cf, 0x0, 0x0, 0x0, 0x0, 0x7f9834cdc17f , 0x0, 0x7f9666ff0370, 0x0, 0x7f9834cc261b , 0x7f9666ff4ae0, 0x7f9834cf6e23 , 0x0, 0x7f9666ff03a0, 0x7f9834d2bcea, 0x7f9666ff03d0, 0x30, 0x0, 0x30, 0x61, 0xff, 0xffffffff0000003f, 0x7f930000006f, 0x7, 0x7f9666ff03b0, 0x0, 0x6effffffff, 0x0, 0x0, 
0x7c00000077, 0x7f9666ff03af, 0x7f9834ce171c , 0x7f9666ff0030, 0x7f9834cdd18c , 0x7f9666ff05a0, 0xc25a5fce5a9d5a00, 0x7f983641d300, 0x0, 0x7f983af94e00, 0x7f98330d5cbf , 0x7f9666ff0410, 0xc25a5fce5a9d5a00, 0x7f9666ff4ae0, 0x0, 0x0, 0x7f9834cfa31d , 0x7f9666ff4ae0, 0x7f9666ff4ae0, 0x8, 0x7f9834ce5397 , 0x20, 0x11800000030, 0xffffffd60000003a, 0x7f9500000000, 0x7f95319c4510, 0x0, 0x0, 0xc25a5fce5a9d5a00, 0x7f95319c4510, 0x200, 0x7f9666ff4ae0, 0xc25a5fce5a9d5a00, 0x0, 0x7f9666ff4ae0, 0x2, 0x7f9834ce54eb , 0x0, 0xc25a5fce5a9d5a00, 0x0, 0x7f9666ff4ae0, 0x30, 0x7f9834cf6566 , 0x20, 0x0, 0x30, 0xc25a5fce5a9d5a00, 0x7f95319c4510, 0xe, 0x7f9666ff4ae0, 0x7f95319c4510, 0x2b, 0x1, 0x61, 0x7f9834cf8658 , 0x7f9834d2bcea, 0x7f9834cfa31d , 0x7f9666ff4ae0, 0x7f9666ff4ae0, 0x7f983bc46430, 0x0, 0x0, 0x61, 0xffffffcb, 0x1000000, 0x7, 0xa300000000, 0x7f945dc1e6c0, 0x0, 0x0, 0xc25a5fce5a9d5a00, 0x7f9666ff4ae0, 0x7f9666ff4ae0, 0x7f9834f64db4 , 0x0, 0x7f9666ff06b0, 0x7f9666ff06a8, 0x1, 0xc25a5fce5a9d5a00, 0x7f9666ff4ae0, 0x7f9834f64db4 , 0x0, 0x7f98351c312e , 0x0, 0x0, 0x7f98364a35c0, 0x7f9666ff0680, 0x0, 0x20, 0x7f946f21a050, 0x7f98414939b0, 0x7f9666ff4ae0, 0x7f982dbdc64f, 0x7f946e2df6a0, 0x7f946f21a048, 0x0, 0x7f940ff26970, 0x7f9666ff28a0, 0x0, 0x0, 0x0, 0x20, 0x7f940ff26970, 0x7f9666ff4ae0, 0x7f9834c95936 , 0x10, 0x7f9834d18f8e , 0x7f9834f70f00 , 0x7f93d036df20, 0x7f9666ff0710, 0x7f9666ff0740, 0x7f9666ff0760, 0x0, 0x7f9834f70f00 , 0x7f9532519240, 0x7f9666ff4ae0, 0x7f9666ff0778, 0x0, 0x7f9532486998, 0x1, 0x0, 0x7f9834f70f00 , 0x7f9532519240, 0x7f9666ff4ae0, 0x7f9666ff0870, 0x0, 0x0, 0x7f9834f70f00 , 0x7f9532519240...} attrlistbuf = "\"krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwd"... 
attrliststr = attrs = 0x0 rc = -1 internal_op = basesdn = 0x7f946f1fac00 sdn = 0x7f946de59140 operation = 0x7f9836ba6620 referral = 0x0 proxydn = 0x0 proxystr = 0x0 proxy_err = errtext = 0x0 errorbuf = "\000eTimeout\"\000f\226\177\000\000\005\000\000\000\000\000\000\000\066Y\311\064\230\177\000\000\000\000\000\000\000\000\000\000\250\245L2\225\177\000\000\250\030(n\224\177\000\000(%\377f\226\177\000\000\240\331(6\230\177\000\000\060\000\000\000\000\000\000\000\300?1\225\177\000\000\000\000\000\000\000\000\000\000x?1\225\177\000\000x\374\341o\224\177\000\000\001", '\000' , "\220\312\066?\177", '\000' , "Z\235Z\316_Z\302\210d\033o\224\177\000\000\210d\033o\224\177\000\000\220d\033o\224\177\000\000\000\000\000\000\000\000\000\000\264M\366\064\230\177\000\000\016\000\000\000\000\000\000\000"... nentries = 0 pnentries = 0 flag_search_base_found = 0 flag_no_such_object = 0 flag_referral = 0 flag_psearch = err_code = 0 ctrlp = 0x0 ctl_value = 0x0 iscritical = 0 be_name = index = -1 sent_result = 0 pr_stat = 0 pagesize = -1 estimate = 0 curr_search_count = pr_be = pr_search_result = pr_idx = -1 orig_sdn = 0x0 free_sdn = 1 #20 0x00007f98351c407e in do_search (pb=pb at entry=0x7f9666ff4ae0) at ldap/servers/slapd/search.c:378 operation = 0x7f9836ba6620 ber = i = err = attrsonly = 0 scope = 0 deref = 0 sizelimit = 0 timelimit = 300 rawbase = 0x7f946d83dac0 "cn=cpn-k16-12-01.cbls.ccr.buffalo.edu,cn=masters,cn=ipa,cn=etc,dc=cbls,dc=ccr,dc=buffalo,dc=edu" rawbase_set_in_pb = 1 fstr = 0x7f946f127bb0 "(objectClass=*)" filter = 0x7f946f25a0e0 attrs = 0x0 gerattrs = 0x0 psearch = 0 psbvp = 0x0 changetypes = 32664 send_entchg_controls = 353718000 changesonly = 0 rc = -1 strict = minssf_exclude_rootdse = filter_normalized = 0 #21 0x00007f98351b3405 in connection_dispatch_operation (pb=0x7f9666ff4ae0, op=0x7f9836ba6620, conn=0x7f983bc2f4b0) at ldap/servers/slapd/connection.c:684 minssf = 0 minssf_exclude_rootdse = enable_nagle = 1 pop_cork = 0 #22 connection_threadmain () at 
ldap/servers/slapd/connection.c:2534 is_timedout = 0 curtime = local_pb = {pb_backend = 0x7f98366e74c0, pb_conn = 0x7f983bc2f4b0, pb_op = 0x7f9836ba6620, pb_plugin = 0x7f98364e9f80, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 1, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content 
= 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x0, op_stack_elem = 0x7f9836ba65a0, pb_aci_target_check = 0} pb = 0x7f9666ff4ae0 conn = 0x7f983bc2f4b0 op = 0x7f9836ba6620 tag = 99 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = 0 doshutdown = 0 maxthreads = 5 bypasspollcnt = #23 0x00007f98330d57bb in _pt_root () from /lib64/libnspr4.so No symbol table info available. #24 0x00007f9832a76df5 in start_thread () from /lib64/libpthread.so.0 No symbol table info available. #25 0x00007f98327a41ad in clone () from /lib64/libc.so.6 No symbol table info available. Thread 24 (Thread 0x7f96667f4700 (LWP 24979)): #0 0x00007f9832a7a705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 No symbol table info available. #1 0x00007f982c9f72f3 in __db_hybrid_mutex_suspend () from /lib64/libdb-5.3.so No symbol table info available. #2 0x00007f982c9f6640 in __db_tas_mutex_lock () from /lib64/libdb-5.3.so No symbol table info available. #3 0x00007f982caa0cea in __lock_get_internal () from /lib64/libdb-5.3.so No symbol table info available. #4 0x00007f982caa17d0 in __lock_get () from /lib64/libdb-5.3.so No symbol table info available. #5 0x00007f982cacd112 in __db_lget () from /lib64/libdb-5.3.so No symbol table info available. #6 0x00007f982ca145f5 in __bam_search () from /lib64/libdb-5.3.so No symbol table info available. #7 0x00007f982c9ff256 in __bamc_search () from /lib64/libdb-5.3.so No symbol table info available. #8 0x00007f982ca01233 in __bamc_get () from /lib64/libdb-5.3.so No symbol table info available. #9 0x00007f982cab9c56 in __dbc_iget () from /lib64/libdb-5.3.so No symbol table info available. 
#10 0x00007f982cac8ad2 in __dbc_get_pp () from /lib64/libdb-5.3.so No symbol table info available. #11 0x00007f982922b764 in _entryrdn_get_elem (cursor=cursor at entry=0x7f9630159270, key=key at entry=0x7f96667eab70, data=data at entry=0x7f96667eaba0, comp_key=0x7f94bf128810 "cn=accounts", elem=elem at entry=0x7f96667eab60, db_txn=db_txn at entry=0x0) at ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c:1807 rc = ptr = 0x7f94be5b1830 #12 0x00007f982922edea in _entryrdn_index_read (be=be at entry=0x7f98366e74c0, cursor=0x7f9630159270, srdn=srdn at entry=0x7f96667ecc90, elem=elem at entry=0x7f96667ecc88, parentelem=parentelem at entry=0x0, childelems=childelems at entry=0x0, flags=flags at entry=0, db_txn=db_txn at entry=0x0) at ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c:3340 rc = 0 len = 33 id = 1 nrdn = 0x7f94bf14af50 "dc=cbls,dc=ccr,dc=buffalo,dc=edu" childnrdn = 0x7f94bf128810 "cn=accounts" rdnidx = 2 keybuf = 0x7f94be8f2890 "C1" key = {data = 0x7f94be8f2890, size = 3, ulen = 3, dlen = 8, doff = 0, app_data = 0x7f983273452a , flags = 2056} data = {data = 0x7f94be5b1830, size = 33, ulen = 33, dlen = 0, doff = 0, app_data = 0x0, flags = 2048} childnum = 32 curr_childnum = 0 tmpsrdn = 0x7f954edffef0 tmpelem = 0x7f94be5b1830 #13 0x00007f982923014a in entryrdn_index_read_ext (be=be at entry=0x7f98366e74c0, sdn=sdn at entry=0x7f94bff65670, id=id at entry=0x7f96667ecd24, flags=flags at entry=0, txn=txn at entry=0x7f96667ecf00) at ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c:448 rc = 0 ai = 0x7f98367159b0 srdn = {flag = 0 '\000', rdn = 0x7f94bc5264a0 "cn=Default Trust View", rdns = 0x0, butcheredupto = -1, nrdn = 0x0, all_rdns = 0x7f94bc526470, all_nrdns = 0x7f954ec9c250} db = 0x7f98367d0680 db_txn = 0x0 cursor = 0x7f9630159270 elem = 0x7f94be68b6c0 db_retry = #14 0x00007f9829200849 in dn2entry_ext (be=be at entry=0x7f98366e74c0, sdn=sdn at entry=0x7f94bff65670, txn=txn at entry=0x7f96667ecf00, flags=flags at entry=0, err=err at entry=0x7f96667ecddc) at 
ldap/servers/slapd/back-ldbm/dn2entry.c:92 id = 0 inst = 0x7f98366efc40 ndnv = {bv_len = 75, bv_val = 0x7f94bf3cab60 "cn=default trust view,cn=views,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu"} e = 0x0 indexname = #15 0x00007f9829203651 in find_entry_internal_dn (flags=0, txn=0x7f96667ecf00, lock=0, sdn=0x7f94bff65670, be=0x7f98366e74c0, pb=0x7f96667f3ae0) at ldap/servers/slapd/back-ldbm/findentry.c:130 e = 0x7f983bc440c0 err = 0 inst = 0x7f98366efc40 tries = 0 managedsait = 0 #16 find_entry_internal (pb=pb at entry=0x7f96667f3ae0, be=0x7f98366e74c0, lock=lock at entry=0, txn=txn at entry=0x7f96667ecf00, flags=flags at entry=0, addr=, addr=) at ldap/servers/slapd/back-ldbm/findentry.c:293 entry = 0x0 flags = 0 pb = 0x7f96667f3ae0 txn = 0x7f96667ecf00 lock = 0 be = 0x7f98366e74c0 #17 0x00007f982920393e in find_entry (pb=pb at entry=0x7f96667f3ae0, be=, addr=, txn=txn at entry=0x7f96667ecf00) at ldap/servers/slapd/back-ldbm/findentry.c:313 No locals. #18 0x00007f982923d9bb in ldbm_back_search (pb=0x7f96667f3ae0) at ldap/servers/slapd/back-ldbm/ldbm_search.c:616 be = 0x7f98366e74c0 inst = 0x7f98366efc40 li = 0x7f98364e9ce0 e = 0x6 candidates = 0x0 base = 0x7f94bf114ea0 "cn=Default Trust View,cn=views,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu" basesdn = 0x7f94bff65670 scope = 2 controls = 0x0 operation = 0x7f945dc1e6c0 addr = 0x7f945dc1e798 estimate = 0 sort = 0 vlv = sort_spec = 0x0 is_sorting_critical = is_sorting_critical_orig = 0 sort_control = 0x0 virtual_list_view = 0 vlv_spec = 0x0 is_vlv_critical = 0 vlv_request_control = {beforeCount = 0, afterCount = 0, tag = 0, index = 0, contentCount = 0, value = {bv_len = 0, bv_val = 0x0}} sr = tmp_err = -1 tmp_desc = 0x0 lookup_returned_allids = 0 backend_count = 0 print_once = 1 txn = {back_txn_txn = 0x0} rc = #19 0x00007f9834cd8d49 in op_shared_search (pb=pb at entry=0x7f96667f3ae0, send_result=send_result at entry=1) at ldap/servers/slapd/opshared.c:831 be_suffix = 0x7f98366ed430 err = 0 next_be = 0x0 base = 
0x7f94bc3c74c0 "cn=Default Trust View,cn=views,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu" normbase = fstr = 0x7f94bf1d8b30 "(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:IPA:cbls.ccr.buffalo.edu:2e0d393c-2cdc-11e5-8ba2-a0369f577818))" scope = 2 be = 0x7f98366e74c0 be_single = 0x0 be_list = {0x7f98366e74c0, 0x0, 0x7f96667ed250, 0x0, 0x0, 0x0, 0x0, 0x7f954ece29e0, 0x0, 0x0, 0x7f954eceedb0, 0x0, 0x56e02d51, 0x7f94bc43d1f0, 0x0, 0x0, 0x7f94bf13e000, 0x7f96667ed2e0, 0x7f96667ed280, 0x0, 0x7f94bc5233e0, 0x90000000e, 0x7400000002, 0x4400000003, 0x7f9600000000, 0x0, 0x7f983282a2e3, 0x7f9834c8f514 , 0x3930333036313032, 0x5a313034303431, 0x7f94bf42b510, 0xffffffff34d0620f, 0x7f94bf462000, 0x7f96667ed350, 0x1, 0x7f9834c90aff , 0x7f98362b9980, 0x7f96667ed4d8, 0x0, 0x7f9834c916bf , 0x7f94bf462090, 0x0, 0x6e73757972746e00, 0x706d6174736500, 0x687475416c, 0x30, 0x100000031, 0x7f9600010000, 0x200000000, 0x0, 0x7f94bf3cd8e0, 0x7f94bc61f4a0, 0x1, 0x0, 0x7f96667ed558, 0x7f96667ed510, 0x7f96667ed500, 0x7f9834d061dc , 0x7f9836292ec0, 0x7f96667ed450, 0x7f96667ed450, 0x7f9830b70d5b , 0x7f94be680110, 0x7f94be670ac3, 0x7f94be670ab2, 0x7f9830b71229 , 0x7f94be670ac4, 0xc25a5fce5a9d5a00, 0x7f94be670ac3, 0x7f96667ed450, 0x0, 0x0, 0x7f94be686860, 0x7f9830b6c4d5 , 0x7f94be670ac3, 0x0, 0x7f96667ed4e0, 0x0, 0x0, 0x7f9834cebadb , 0x0, 0x1, 0x7f96667f3ae0, 0x2000, 0x7f96667ed4e0, 0x7f96667ed4e0, 0x7f94be5280a0, 0x7f96667ed4d8, 0x200000001, 0xffffffff, 0x7f94bf401060, 0x7f98362b9980, 0xffffffffffffffff, 0x7f9830b70d5b , 0x7f94bf140400, 0x7f94be680170, 0x7f94be68016d, 0x7f9830b71229 , 0x7f94be680171, 0xc25a5fce5a9d5a00, 0x7f94be680170, 0x7f96667ed550, 0x1, 0x0, 0x7f94be680110, 0x7f9830b7143c , 0x7f94be680170, 0xc25a5fce5a9d5a00, 0x7f98366e74c0, 0x7f96667f3ae0, 0x1, 0x7f9834ceb5e8 , 0x61653739, 0x7f98362b1b70, 0x61, 0x7f94be680110, 0x5a010004, 0x326465663d010025, 0x3263322d39653739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x59010004, 0x326465663d010025, 0x3263322d38653739, 
0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x58010004, 0x326465663d010025, 0x3263322d37653739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x57010004, 0x326465663d010025, 0x3263322d36653739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x56010004, 0x326465663d010025, 0x3263322d35653739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x55010004, 0x326465663d010025, 0x3263322d34653739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x54010004, 0x326465663d010025, 0x3263322d33653739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x53010004, 0x326465663d010025, 0x3263322d32653739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x52010004, 0x326465663d010025, 0x3263322d31653739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x51010004, 0x326465663d010025, 0x3263322d30653739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x50010004, 0x326465663d010025, 0x3263322d66643739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x4f010004, 0x326465663d010025, 0x3263322d65643739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x4e010004, 0x326465663d010025, 0x3263322d64643739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x4d010004, 0x326465663d010025, 0x3263322d63643739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230...} referral_list = {0x0, 0x0, 0x0, 0xc25a5fce5a9d5a00, 0x7f983bbd1480, 0xc25a5fce5a9d5a00, 0x7f983bbc73e0, 0x7f9834c9e6f9 , 0x7f983bb9a470, 0x7f9834c9e770 , 0x7f98364ff530, 0x7f983bba4cf0, 0x7f94bf142d80, 0x7f98330cff60 , 0x7f983bba4cf0, 0x7f9828f660e0 , 0x8667ef2e0, 0x7f9834cd5fbe , 0x7f94bc523580, 0x7f983bba9ea0, 0x7f983bba9ea0, 0x7f96667ef268, 0x0, 0x7f96667ef268, 0x7f96667ef280, 0x0, 0x7f98364ff530, 0x7f9834c95936 , 0x7f94bf142d80, 0x7f9828f726fc , 0x7f98364a35c0, 0x7f96667ef290, 0x0, 0x0, 0x7f94be8df150, 0x7f96667ef290, 0x7f94bf142d80, 0x7f9834c95936 , 0x0, 0x7f94be8df148, 0x7f94bc4235a0, 0x7f94be94f030, 
0x7f94bc4235a0, 0x7f94bc4235a0, 0x7f94bc4235a0, 0x0, 0x7f9834f70f00 , 0x7f954edb35f0, 0x7f94bf142d80, 0x7f9834c95936 , 0x10, 0x7f9834d18f8e , 0x7f9834f70f00 , 0x7f94bc423590, 0x7f96667ef320, 0x7f96667ef350, 0x7f96667ef370, 0x0, 0x7f9834f70f00 , 0x7f954edb35f0, 0x7f94bf142d80, 0x7f96667ef388, 0x0, 0x7f954f942d88, 0x1, 0x0, 0x7f9834f70f00 , 0x7f954edb35f0, 0x7f94bf142d80, 0x7f96667ef480, 0x0, 0x0, 0x7f9834f70f00 , 0x7f954edb35f0, 0x7f94bf142d80, 0x7f9834c95936 , 0x7f94bf470460, 0x7f9834cd1823 , 0x7f96667ef4d8, 0x7f96667ef510, 0x0, 0x20330d5cbf, 0x7f94bf142d80, 0xc25a5fce5a9d5a00, 0x7f96667ef480, 0x7f96667ef4a8, 0x0, 0x7f9834cfa31d , 0x7f96667f3ae0, 0x7f96667f3ae0, 0x0, 0x7f96667ef488, 0x7f9834d1fcca, 0x1180000000e, 0xffffffd60000003a, 0x7f9400000000, 0x7f94bc42a980, 0x0, 0x1, 0x7f98366e74c0, 0x0, 0x7f94bf46da20, 0x0, 0x7f954edb35d0, 0x7f94bf470460, 0x0, 0x7f94bf114290, 0x0, 0x0, 0x0, 0x7f94bd65fc50, 0x7f96667ef4f0, 0x7f94be5b26c0, 0x7f94bd627f30, 0x0, 0x7f94bd65fc48, 0x0, 0x0, 0x0, 0x7f94bc3c70e0, 0x7f94be5b26c0, 0x7f94be527640, 0x7f96667ef6b0, 0x7f96667ef6a8, 0x7f94be79f000, 0x7f9834c95936 , 0x10, 0x7f9834d18f8e , 0x7f96667ef6b0, 0x7f94bc3c70d0, 0x7f96667ef580, 0x7f96667ef5b0, 0x7f96667ef5d0, 0x7f94be527640, 0x7f96667ef6b0, 0x7f96667ef6a8, 0x7f94be79f050, 0x7f96667ef5e8, 0x7f9834f64db4 , 0x7f94be527640, 0x7f96667ef6b0, 0x7f96667ef608, 0x7f9834f64db4 , 0x7f94be527640, 0x7f96667ef6b0, 0x7f96667ef6a8, 0x7f94be79f050, 0x7f9834c95936 , 0x7f94be527640, 0x7f9834ca4914 , 0x7f96667f3ae0, 0x0, 0x7f96667f3ae0, 0x7f98351c2e48 , 0x0, 0x0, 0x7f98364a35c0, 0x667ef680, 0x0, 0x0, 0x7f94be934860, 0x7f9837403ff0, 0x7f9837404884, 0x7f982dbdc64f, 0x7f94bc51fd50, 0x7f9837404990, 0x7f94be79ee30, 0x0, 0x7f96667f18a0, 0x0, 0x7f98364a1080, 0x0, 0x7f94b2f96310, 0x7f957f215150, 0x7f98351cb141, 0x7f9838afe7f8, 0x6100000001, 0x7f9834d18f8e , 0x7f9834f70f00 , 0x7f94bf10ca80, 0x535347204c534153, 0x7f9600495041, 0x7f96667ef760, 0x0, 0x7f9834f70f00 , 0x7f954f9c6be0, 0x7f96667f3ae0, 0x7f96667ef778, 
0x0, 0x7f94bf401068, 0x1, 0x0, 0x7f9834f70f00 , 0x7f954f9c6be0, 0x7f96667f3ae0, 0x7f96667ef870, 0x0, 0x0, 0x7f9834f70f00 , 0x7f954f9c6be0...} attrlistbuf = "\"ipaConfigString ipaKrbAuthzData ipaUserAuthType\"\000\000\000\000\000\000\000P\000\000\000\000\000\000\000@\000\000\000\000\000\000\000\002\347r2\230\177\000\000\001\000\000\000\000\000\000\000\060\000\000\000\000\000\000\000 \000\000\000\000\000\000\000\001", '\000' , "\252\060\323\064\230\177\000\000\000\024\177f\226\177\000\000\001\000\000\000\000\000\000\000\037\000\000\000\000\000\000\000@\000\000\000\000\000\000\000P\024\177f\226\177\000\000y\336\v3\230\177\000\000\231\060\323\064\230\177\000\000\000\024\177f\226\177\000\000\000\000\000\000\000\000\000\000"... attrliststr = attrs = 0x0 rc = -1 internal_op = basesdn = 0x7f94bc51f360 sdn = 0x7f94bff65670 operation = 0x7f945dc1e6c0 referral = 0x0 proxydn = 0x0 proxystr = 0x0 proxy_err = errtext = 0x0 errorbuf = "\000\222\312N\225\177\000\000\320\024\177f\226\177\000\000\005\000\000\000\000\000\000\000\066Y\311\064\230\177\000\000\000\000\000\000\000\000\000\000\330^@\277\224\177\000\000ho\022\277\224\177\000\000(\025\177f\226\177\000\000\240\331(6\230\177\000\000\060\000\000\000\000\000\000\000\220B\021\277\224\177\000\000\000\000\000\000\000\000\000\000HC\021\277\224\177\000\000\250\237m\275\224\177\000\000\001", '\000' , "\200\230h\276\224\177", '\000' , "Z\235Z\316_Z\302HPa\275\224\177\000\000HPa\275\224\177\000\000PPa\275\224\177\000\000\000\000\000\000\000\000\000\000\264M\366\064\230\177\000\000"... 
nentries = 0 pnentries = 0 flag_search_base_found = 0 flag_no_such_object = 0 flag_referral = 0 flag_psearch = err_code = 0 ctrlp = 0x0 ctl_value = 0x0 iscritical = 0 be_name = index = -1 sent_result = 0 pr_stat = 0 pagesize = -1 estimate = 0 curr_search_count = pr_be = pr_search_result = pr_idx = -1 orig_sdn = 0x0 free_sdn = 1 #20 0x00007f98351c407e in do_search (pb=pb at entry=0x7f96667f3ae0) at ldap/servers/slapd/search.c:378 operation = 0x7f945dc1e6c0 ber = i = err = attrsonly = 0 scope = 2 deref = 0 sizelimit = 0 timelimit = 0 rawbase = 0x7f94bc3c74c0 "cn=Default Trust View,cn=views,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu" rawbase_set_in_pb = 1 fstr = 0x7f94bf1d8b30 "(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:IPA:cbls.ccr.buffalo.edu:2e0d393c-2cdc-11e5-8ba2-a0369f577818))" filter = 0x7f94be675230 attrs = 0x0 gerattrs = 0x0 psearch = 0 psbvp = 0x0 changetypes = 32664 send_entchg_controls = -1375079168 changesonly = 0 rc = -1 strict = minssf_exclude_rootdse = filter_normalized = 0 #21 0x00007f98351b3589 in connection_dispatch_operation (pb=0x7f96667f3ae0, op=0x7f945dc1e6c0, conn=0x7f983bc440c0) at ldap/servers/slapd/connection.c:684 minssf = 0 minssf_exclude_rootdse = enable_nagle = 1 pop_cork = 1 #22 connection_threadmain () at ldap/servers/slapd/connection.c:2534 is_timedout = 0 curtime = local_pb = {pb_backend = 0x7f98366e74c0, pb_conn = 0x7f983bc440c0, pb_op = 0x7f945dc1e6c0, pb_plugin = 0x7f98364e9f80, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, 
pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x0, op_stack_elem = 0x7f957d0751e0, pb_aci_target_check = 0} pb = 0x7f96667f3ae0 conn = 0x7f983bc440c0 op = 0x7f945dc1e6c0 tag = 99 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = 0 doshutdown = 0 maxthreads = 5 bypasspollcnt = #23 0x00007f98330d57bb in _pt_root () from /lib64/libnspr4.so No symbol table info 
available. #24 0x00007f9832a76df5 in start_thread () from /lib64/libpthread.so.0 No symbol table info available. #25 0x00007f98327a41ad in clone () from /lib64/libc.so.6 No symbol table info available. Thread 23 (Thread 0x7f9665ff3700 (LWP 24980)): #0 0x00007f9832a7a705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 No symbol table info available. #1 0x00007f982c9f72f3 in __db_hybrid_mutex_suspend () from /lib64/libdb-5.3.so No symbol table info available. #2 0x00007f982c9f6640 in __db_tas_mutex_lock () from /lib64/libdb-5.3.so No symbol table info available. #3 0x00007f982caa0cea in __lock_get_internal () from /lib64/libdb-5.3.so No symbol table info available. #4 0x00007f982caa17d0 in __lock_get () from /lib64/libdb-5.3.so No symbol table info available. #5 0x00007f982cacd112 in __db_lget () from /lib64/libdb-5.3.so No symbol table info available. #6 0x00007f982ca145f5 in __bam_search () from /lib64/libdb-5.3.so No symbol table info available. #7 0x00007f982c9ff256 in __bamc_search () from /lib64/libdb-5.3.so No symbol table info available. #8 0x00007f982ca01233 in __bamc_get () from /lib64/libdb-5.3.so No symbol table info available. #9 0x00007f982cab9c56 in __dbc_iget () from /lib64/libdb-5.3.so No symbol table info available. #10 0x00007f982cac8ad2 in __dbc_get_pp () from /lib64/libdb-5.3.so No symbol table info available. 
#11 0x00007f982922b764 in _entryrdn_get_elem (cursor=cursor at entry=0x7f95f3e8ea20, key=key at entry=0x7f9665fe9b70, data=data at entry=0x7f9665fe9ba0, comp_key=0x7f94b28d8dd0 "cn=accounts", elem=elem at entry=0x7f9665fe9b60, db_txn=db_txn at entry=0x0) at ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c:1807 rc = ptr = 0x7f94b02dac50 #12 0x00007f982922edea in _entryrdn_index_read (be=be at entry=0x7f98366e74c0, cursor=0x7f95f3e8ea20, srdn=srdn at entry=0x7f9665febc90, elem=elem at entry=0x7f9665febc88, parentelem=parentelem at entry=0x0, childelems=childelems at entry=0x0, flags=flags at entry=0, db_txn=db_txn at entry=0x0) at ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c:3340 rc = 0 len = 33 id = 1 nrdn = 0x7f94b27b43b0 "dc=cbls,dc=ccr,dc=buffalo,dc=edu" childnrdn = 0x7f94b28d8dd0 "cn=accounts" rdnidx = 2 keybuf = 0x7f94b07343e0 "C1" key = {data = 0x7f94b07343e0, size = 3, ulen = 3, dlen = 8, doff = 0, app_data = 0x7f982c192bf8 , flags = 2056} data = {data = 0x7f94b02dac50, size = 33, ulen = 33, dlen = 0, doff = 0, app_data = 0x0, flags = 2048} childnum = 32 curr_childnum = 0 tmpsrdn = 0x7f9404c042e0 tmpelem = 0x7f94b02dac50 #13 0x00007f982923014a in entryrdn_index_read_ext (be=be at entry=0x7f98366e74c0, sdn=sdn at entry=0x7f94040c9910, id=id at entry=0x7f9665febd24, flags=flags at entry=0, txn=txn at entry=0x7f9665febf00) at ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c:448 rc = 0 ai = 0x7f98367159b0 srdn = {flag = 0 '\000', rdn = 0x7f94b285ade0 "cn=Default Trust View", rdns = 0x0, butcheredupto = -1, nrdn = 0x0, all_rdns = 0x7f94b285adb0, all_nrdns = 0x7f94b2d0aa20} db = 0x7f98367d0680 db_txn = 0x0 cursor = 0x7f95f3e8ea20 elem = 0x7f94b1531e70 db_retry = #14 0x00007f9829200849 in dn2entry_ext (be=be at entry=0x7f98366e74c0, sdn=sdn at entry=0x7f94040c9910, txn=txn at entry=0x7f9665febf00, flags=flags at entry=0, err=err at entry=0x7f9665febddc) at ldap/servers/slapd/back-ldbm/dn2entry.c:92 id = 0 inst = 0x7f98366efc40 ndnv = {bv_len = 75, bv_val = 0x7f9404c495b0 
"cn=default trust view,cn=views,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu"} e = 0x0 indexname = #15 0x00007f9829203651 in find_entry_internal_dn (flags=0, txn=0x7f9665febf00, lock=0, sdn=0x7f94040c9910, be=0x7f98366e74c0, pb=0x7f9665ff2ae0) at ldap/servers/slapd/back-ldbm/findentry.c:130 e = 0x7f983bc487a0 err = 0 inst = 0x7f98366efc40 tries = 0 managedsait = 0 #16 find_entry_internal (pb=pb at entry=0x7f9665ff2ae0, be=0x7f98366e74c0, lock=lock at entry=0, txn=txn at entry=0x7f9665febf00, flags=flags at entry=0, addr=, addr=) at ldap/servers/slapd/back-ldbm/findentry.c:293 entry = 0x0 flags = 0 pb = 0x7f9665ff2ae0 txn = 0x7f9665febf00 lock = 0 be = 0x7f98366e74c0 #17 0x00007f982920393e in find_entry (pb=pb at entry=0x7f9665ff2ae0, be=, addr=, txn=txn at entry=0x7f9665febf00) at ldap/servers/slapd/back-ldbm/findentry.c:313 No locals. #18 0x00007f982923d9bb in ldbm_back_search (pb=0x7f9665ff2ae0) at ldap/servers/slapd/back-ldbm/ldbm_search.c:616 be = 0x7f98366e74c0 inst = 0x7f98366efc40 li = 0x7f98364e9ce0 e = 0x6 candidates = 0x0 base = 0x7f959f4d6640 "cn=Default Trust View,cn=views,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu" basesdn = 0x7f94040c9910 scope = 2 controls = 0x0 operation = 0x7f9838bce990 addr = 0x7f9838bcea68 estimate = 0 sort = 0 vlv = sort_spec = 0x0 is_sorting_critical = is_sorting_critical_orig = 0 sort_control = 0x0 virtual_list_view = 0 vlv_spec = 0x0 is_vlv_critical = 0 vlv_request_control = {beforeCount = 0, afterCount = 0, tag = 0, index = 0, contentCount = 0, value = {bv_len = 0, bv_val = 0x0}} sr = tmp_err = -1 tmp_desc = 0x0 lookup_returned_allids = 0 backend_count = 0 print_once = 1 txn = {back_txn_txn = 0x0} rc = #19 0x00007f9834cd8d49 in op_shared_search (pb=pb at entry=0x7f9665ff2ae0, send_result=send_result at entry=1) at ldap/servers/slapd/opshared.c:831 be_suffix = 0x7f98366ed430 err = 0 next_be = 0x0 base = 0x7f94b15272a0 "cn=Default Trust View,cn=views,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu" normbase = fstr = 
0x7f94b30fa1e0 "(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:IPA:cbls.ccr.buffalo.edu:b481e1d0-2d12-11e5-848b-a0369f577818))" scope = 2 be = 0x7f98366e74c0 be_single = 0x0 be_list = {0x7f98366e74c0, 0x0, 0x7f9665fec250, 0x0, 0x0, 0x65fec280, 0x100000000, 0x7f94b30fd230, 0x0, 0xffffffff00000000, 0x7f9404c052a0, 0x7f98366e74c0, 0x7f98364e9ce0, 0x0, 0x7f94b1993ba0, 0x0, 0x0, 0x56e02dca, 0x0, 0x7f9404ba80c0, 0x0, 0x0, 0x7f94b2d3e040, 0xc25a5fce5a9d5a00, 0x7f9665fec4c4, 0x7f9834ce171c , 0x0, 0xffffffff, 0x7f9665fec4c4, 0xc25a5fce5a9d5a00, 0x7f9404c078b0, 0x0, 0x7f9404c078b0, 0x0, 0x0, 0x0, 0x7f9665fec508, 0xc25a5fce5a9d5a00, 0x0, 0x7f9834cfa31d , 0x7f9404c078b0, 0x7f98366e7790, 0x0, 0x30, 0x0, 0x30, 0x100000031, 0x7f9600010000, 0x200000000, 0x0, 0x7f94b2d3e040, 0x7f94b1521660, 0x1, 0x0, 0x7f9665fec558, 0x7f9665fec510, 0x7f9665fec508, 0x7f9665fec508, 0x0, 0x0, 0x7f9665fec558, 0xc25a5fce5a9d5a00, 0x7f9404c078b0, 0x0, 0x7f9404c078b0, 0x7f9834cd8470 , 0x7f9834d34290, 0x7f9665ff0400, 0x7f9834d2bcea, 0x7f9834d2bcea, 0x0, 0x7f9665fec520, 0x1, 0x7f9665fec510, 0x100000001, 0x7f9665fec550, 0x0, 0x0, 0x7f9665fec548, 0x7f9665fec4c4, 0x0, 0x0, 0x7f9665fec508, 0x1, 0x7f9665fec4cc, 0x7f9665fec4e0, 0xb0327210, 0x0, 0x200000001, 0xffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x1ffffffff, 0x7f94b19a8f00, 0x7f9834d34290, 0x7f94b2f94180, 0x0, 0x0, 0x7f94b2d3e040, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f9800000001, 0x7f9800000000, 0x0, 0x7f98366e74c0, 0x0, 0x1, 0x7f9834ceb5e8 , 0x61653739, 0x7f98362b1b70, 0x61, 0x7f94b2fcc350, 0x5a010004, 0x326465663d010025, 0x3263322d39653739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x59010004, 0x326465663d010025, 0x3263322d38653739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x58010004, 0x326465663d010025, 0x3263322d37653739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x57010004, 0x326465663d010025, 0x3263322d36653739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x56010004, 
0x326465663d010025, 0x3263322d35653739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x55010004, 0x326465663d010025, 0x3263322d34653739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x54010004, 0x326465663d010025, 0x3263322d33653739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x53010004, 0x326465663d010025, 0x3263322d32653739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x52010004, 0x326465663d010025, 0x3263322d31653739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x51010004, 0x326465663d010025, 0x3263322d30653739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x50010004, 0x326465663d010025, 0x3263322d66643739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x4f010004, 0x326465663d010025, 0x3263322d65643739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x4e010004, 0x326465663d010025, 0x3263322d64643739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x4d010004, 0x326465663d010025, 0x3263322d63643739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230...} referral_list = {0x0, 0x7f98330d1967 <_pr_poll_with_poll+679>, 0x0, 0x7f9665fee410, 0x7f9665fee420, 0x7f9665fee1ae, 0x7f9630fee1ac, 0xc25a5fce5a9d5a00, 0x1b774000000000, 0x7f98384ef700, 0x7f9665ff2ae0, 0xe, 0x7f9665fee3a0, 0x1, 0x61, 0x7f98330bf1b2 , 0x7f98330bdde0 , 0xc25a5fce5a9d5a00, 0x7f9665fee3a2, 0x7f98384ef700, 0x7f9665ff2ae0, 0xe, 0x7f9665fee3a0, 0x7f9834d2bcea, 0x7f9665fee3d0, 0x7f9834cc9f3f , 0x3000000030, 0x7f9665fee320, 0x7f9665fee240, 0xc25a5fce5a9d5a00, 0x0, 0x0, 0x68e3b0, 0x2, 0xe, 0x61, 0x0, 0x0, 0x0, 0x7f962c000070, 0xffff80699a011d31, 0x7f9665fee2d0, 0x7f9665fee2cf, 0x0, 0x0, 0x0, 0x0, 0x7f9834cdc17f , 0x0, 0x7f9665fee370, 0x0, 0x7f9834cc261b , 0x7f9665ff2ae0, 0x7f9834cf6e23 , 0x0, 0x7f9665fee3a0, 0x7f9834d2bcea, 0x7f9665fee3d0, 0x30, 0x0, 0x30, 0x61, 0xff, 0xffffffff0000003f, 0x7f940000006f, 0x7, 0x7f9665fee3b0, 0x0, 0x6effffffff, 0x0, 0x0, 0x7c00000077, 0x7f9665fee3af, 
0x7f9834ce171c , 0x7f9665ff0030, 0x7f9834cdd18c , 0x7f9665fee5a0, 0xc25a5fce5a9d5a00, 0x7f983641d300, 0x0, 0x7f983b05f500, 0x7f98330d5cbf , 0x7f9665fee410, 0xc25a5fce5a9d5a00, 0x7f9665ff2ae0, 0x0, 0x0, 0x7f9834cfa31d , 0x7f9665ff2ae0, 0x7f9665ff2ae0, 0x8, 0x7f9834ce5397 , 0x20, 0x11800000030, 0xffffffd60000003a, 0x7f9400000000, 0x7f94b31078c0, 0x0, 0x0, 0xc25a5fce5a9d5a00, 0x7f94b31078c0, 0x200, 0x7f9665ff2ae0, 0xc25a5fce5a9d5a00, 0x0, 0x7f9665ff2ae0, 0x2, 0x7f9834ce54eb , 0x0, 0xc25a5fce5a9d5a00, 0x0, 0x7f9665ff2ae0, 0x30, 0x7f9834cf6566 , 0x20, 0x0, 0x30, 0xc25a5fce5a9d5a00, 0x7f94b31078c0, 0xe, 0x7f9665ff2ae0, 0x7f94b31078c0, 0x2b, 0x1, 0x61, 0x7f9834cf8658 , 0x7f9834d2bcea, 0x7f9834cfa31d , 0x7f9665ff2ae0, 0x7f9665ff2ae0, 0x7f983bc2cea0, 0x0, 0x0, 0x61, 0xffffffcb, 0x1000000, 0x7, 0xa300000000, 0x7f98384ef700, 0x0, 0x0, 0xc25a5fce5a9d5a00, 0x7f9665ff2ae0, 0x7f9665ff2ae0, 0x7f9834f64db4 , 0x0, 0x7f9665fee6b0, 0x7f9665fee6a8, 0x1, 0xc25a5fce5a9d5a00, 0x7f9665ff2ae0, 0x7f9834f64db4 , 0x0, 0x7f98351c312e , 0x0, 0x0, 0x7f98364a35c0, 0x65fee680, 0x0, 0x20, 0x7f94b2443d80, 0x7f9838522fd0, 0x7f9836817294, 0x7f982dbdc64f, 0x7f94b1327130, 0x7f98368173a0, 0x0, 0x7f94d7491150, 0x7f9665ff08a0, 0x0, 0x0, 0x0, 0x20, 0x7f94d7491150, 0x7f98351cb141, 0x7f98368d8888, 0x6100000001, 0x7f9834d18f8e , 0x7f9834f70f00 , 0x7f94b336be90, 0x535347204c534153, 0x7f9600495041, 0x7f9665fee760, 0x0, 0x7f9834f70f00 , 0x7f94b19a3760, 0x7f9665ff2ae0, 0x7f9665fee778, 0x0, 0x7f94b3892e58, 0x1, 0x0, 0x7f9834f70f00 , 0x7f94b19a3760, 0x7f9665ff2ae0, 0x7f9665fee870, 0x0, 0x0, 0x7f9834f70f00 , 0x7f94b19a3760...} attrlistbuf = "\"objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn memberOf ipaUniqueID ipaNTSecurityIdentifier modifyTimestamp entryusn shadowLastChange shadowMin sh"... 
attrliststr = attrs = 0x0 rc = -1 internal_op = basesdn = 0x7f94b28000d0 sdn = 0x7f94040c9910 operation = 0x7f9838bce990 referral = 0x0 proxydn = 0x0 proxystr = 0x0 proxy_err = errtext = 0x0 errorbuf = "\000eTimeout\"\000e\226\177\000\000\005\000\000\000\000\000\000\000\066Y\311\064\230\177\000\000\000\000\000\000\000\000\000\000\370\330O\237\225\177\000\000\270L\373\262\224\177\000\000(\005\377e\226\177\000\000\240\331(6\230\177\000\000\060\000\000\000\000\000\000\000`\252\232\261\224\177\000\000\000\000\000\000\000\000\000\000\030\253\232\261\224\177\000\000\250%\267\263\224\177\000\000\001", '\000' , "\220\277\230\004\224\177", '\000' , "Z\235Z\316_Z\302\030\371.\261\224\177\000\000\030\371.\261\224\177\000\000 \371.\261\224\177\000\000\000\000\000\000\000\000\000\000\264M\366\064\230\177\000\000"... nentries = 0 pnentries = 0 flag_search_base_found = 0 flag_no_such_object = 0 flag_referral = 0 flag_psearch = err_code = 0 ctrlp = 0x0 ctl_value = 0x0 iscritical = 0 be_name = index = -1 sent_result = 0 pr_stat = 0 pagesize = -1 estimate = 0 curr_search_count = pr_be = pr_search_result = pr_idx = -1 orig_sdn = 0x0 free_sdn = 1 #20 0x00007f98351c407e in do_search (pb=pb at entry=0x7f9665ff2ae0) at ldap/servers/slapd/search.c:378 operation = 0x7f9838bce990 ber = i = err = attrsonly = 0 scope = 2 deref = 0 sizelimit = 0 timelimit = 0 rawbase = 0x7f94b15272a0 "cn=Default Trust View,cn=views,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu" rawbase_set_in_pb = 1 fstr = 0x7f94b30fa1e0 "(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:IPA:cbls.ccr.buffalo.edu:b481e1d0-2d12-11e5-848b-a0369f577818))" filter = 0x7f94b23b6300 attrs = 0x0 gerattrs = 0x0 psearch = 0 psbvp = 0x0 changetypes = 0 send_entchg_controls = 831678096 changesonly = 0 rc = -1 strict = minssf_exclude_rootdse = filter_normalized = 0 #21 0x00007f98351b3589 in connection_dispatch_operation (pb=0x7f9665ff2ae0, op=0x7f9838bce990, conn=0x7f983bc487a0) at ldap/servers/slapd/connection.c:684 minssf = 0 
minssf_exclude_rootdse = enable_nagle = 1 pop_cork = 1 #22 connection_threadmain () at ldap/servers/slapd/connection.c:2534 is_timedout = 0 curtime = local_pb = {pb_backend = 0x7f98366e74c0, pb_conn = 0x7f983bc487a0, pb_op = 0x7f9838bce990, pb_plugin = 0x7f98364e9f80, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, 
pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x0, op_stack_elem = 0x7f9838bce970, pb_aci_target_check = 0} pb = 0x7f9665ff2ae0 conn = 0x7f983bc487a0 op = 0x7f9838bce990 tag = 99 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = 0 doshutdown = 0 maxthreads = 5 bypasspollcnt = #23 0x00007f98330d57bb in _pt_root () from /lib64/libnspr4.so No symbol table info available. #24 0x00007f9832a76df5 in start_thread () from /lib64/libpthread.so.0 No symbol table info available. #25 0x00007f98327a41ad in clone () from /lib64/libc.so.6 No symbol table info available. Thread 22 (Thread 0x7f96657f2700 (LWP 24981)): #0 0x00007f9832a7a705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 No symbol table info available. #1 0x00007f98330d02c3 in PR_EnterMonitor () from /lib64/libnspr4.so No symbol table info available. 
#2 0x00007f98291f7132 in dblayer_lock_backend (be=) at ldap/servers/slapd/back-ldbm/dblayer.c:3946 inst = #3 0x00007f98291fbf36 in dblayer_txn_begin (be=0x7f98366e74c0, parent_txn=0x0, txn=txn at entry=0x7f96657ed2b0) at ldap/servers/slapd/back-ldbm/dblayer.c:3668 li = 0x7f98364e9ce0 rc = 0 #4 0x00007f9829237827 in ldbm_back_modify (pb=) at ldap/servers/slapd/back-ldbm/ldbm_modify.c:560 cache_rc = 0 new_mod_count = 0 be = 0x7f98366e74c0 inst = 0x7f98366efc40 li = 0x7f98364e9ce0 e = 0x0 ec = 0x0 original_entry = 0x0 tmpentry = 0x0 postentry = 0x0 mods = 0x7f942d5dc100 mods_original = 0x0 smods = {mods = 0x0, num_elements = 0, num_mods = 0, iterator = 0, free_mods = 0} txn = {back_txn_txn = 0x0} parent_txn = 0x0 ruv_c = {old_entry = 0x0, new_entry = 0x0, smods = 0x0, attr_encrypt = 0} ruv_c_init = 0 retval = -1 msg = errbuf = 0x0 retry_count = 0 disk_full = 0 ldap_result_code = 0 ldap_result_message = 0x0 rc = 0 operation = 0x7f942de729a0 addr = 0x7f942de72a78 is_fixup_operation = 0 is_ruv = 0 opcsn = repl_op = 0 opreturn = 0 mod_count = 0 not_an_error = 0 fixup_tombstone = 0 #5 0x00007f9834cd20e1 in op_shared_modify (pb=pb at entry=0x7f942f16ef70, pw_change=pw_change at entry=0, old_pw=0x0) at ldap/servers/slapd/modify.c:1086 rc = 0 be = 0x7f98366e74c0 pse = 0x7f942f46cf30 referral = 0x0 e = 0x0 dn = 0x7f942f17e4c0 "fqdn=cpn-d07-24-01.cbls.ccr.buffalo.edu,cn=computers,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu" normdn = sdn = 0x7f942d6987a0 passin_sdn = 0 mods = 0x7f942d5dc100 pw_mod = tmpmods = 0x7f942ddcf140 smods = {mods = 0x0, num_elements = 0, num_mods = 0, iterator = 0, free_mods = 0} repl_op = 0 internal_op = 32 lastmod = 1 skip_modified_attrs = 0 unhashed_pw_attr = 0x0 operation = 0x7f942de729a0 errorbuf = 
"\000\317F/\224\177\000\000\066Y\311\064\230\177\000\000\020\000\000\000\000\000\000\000\216\217\321\064\230\177\000\000\260\326~e\226\177\000\000\300?-\224\177\000\000\200\325~e\226\177\000\000\260\325~e\226\177\000\000\320\325~e\226\177\000\000?\260\"\226\177\000\000\260\326~e\226\177\000\000\250\326~e\226\177\000\000\060\317F/\224\177\000\000\350\325~e\226\177\000\000\264M\366\064\230\177\000\000?\260\"\226\177\000\000\260\326~e\226\177\000\000\b\326~e\226\177\000\000\264M\366\064\230\177\000\000?\260\"\226\177\000\000\260\326~e\226\177\000\000\250\326~e\226\177\000\000\060\317F/\224\177\000\000\066Y\311\064\230\177\000\000?\260\"\226\177\000\000\024I\312\064\230"... err = lc_mod = p = i = proxydn = 0x0 proxy_err = errtext = 0x0 #6 0x00007f9834cd2ba4 in modify_internal_pb (pb=0x7f942f16ef70) at ldap/servers/slapd/modify.c:631 controls = 0x0 pwpolicy_ctrl = 0 op = 0x7f942de729a0 opresult = 0 normalized_mods = 0x7f942ddcf140 mods = 0x7f942fef6b80 mod = 0x7f942ddcf148 smods = {mods = 0x7f9400000000, num_elements = 1520261632, num_mods = -1034264626, iterator = 790032240, free_mods = 32660} pw_change = old_pw = 0x0 #7 0x00007f982a8d8bd3 in ipalockout_postop () from /usr/lib64/dirsrv/plugins/libipa_lockout.so No symbol table info available. #8 0x00007f9834ce5280 in plugin_call_func (list=0x7f9836464b60, operation=operation at entry=501, pb=pb at entry=0x7f96657f1ae0, call_one=call_one at entry=0) at ldap/servers/slapd/plugin.c:1952 n = func = 0x7f982a8d8580 rc = return_value = 0 count = 3 locked = 0x0 #9 0x00007f9834ce54d8 in plugin_call_list (pb=0x7f96657f1ae0, operation=501, list=) at ldap/servers/slapd/plugin.c:1886 No locals. 
#10 plugin_call_plugins (pb=pb@entry=0x7f96657f1ae0, whichfunction=whichfunction@entry=501) at ldap/servers/slapd/plugin.c:459
        p = 0x7f98364a1310
        plugin_list_number = 2
        rc = 0
        do_op =
#11 0x00007f98351ac9ff in do_bind (pb=pb@entry=0x7f96657f1ae0) at ldap/servers/slapd/bind.c:424
        ber =
        err =
        isroot = 0
        method = 163
        version = 3
        auth_response_requested = 0
        pw_response_requested = 0
        rawdn = 0x7f942f247d30 "0\276$/\224\177"
        dn =
        saslmech = 0x7f942f24d4a0 "GSSAPI"
        cred = {bv_len = 32, bv_val = 0x7f942f1adaf0 "\004\377\377\377\005\004\004\377"}
        be = 0x0
        ber_rc =
        rc = 0
        sdn = 0x7f942d5cf6e0
        bind_sdn_in_pb = 1
        referral = 0x0
        errorbuf =
        supported =
        pmech =
        authtypebuf =
        bind_target_entry = 0x0
        auto_bind =
        minssf =
        minssf_exclude_rootdse =
#12 0x00007f98351b343f in connection_dispatch_operation (pb=0x7f96657f1ae0, op=0x7f98371e6380, conn=0x7f983bc28910) at ldap/servers/slapd/connection.c:635
        minssf = 0
        minssf_exclude_rootdse =
        enable_nagle = 1
        pop_cork = 0
#13 connection_threadmain () at ldap/servers/slapd/connection.c:2534
        is_timedout = 0
        curtime =
        local_pb = {pb_backend = 0x7f98364a1080, pb_conn = 0x7f983bc28910, pb_op = 0x7f98371e6380, pb_plugin = 0x7f9836464b60, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x7f942efcd210, op_stack_elem = 0x7f98371e6360, pb_aci_target_check = 0}
        pb = 0x7f96657f1ae0
        conn = 0x7f983bc28910
        op = 0x7f98371e6380
        tag = 96
        need_wakeup = 1
        thread_turbo_flag =
        ret =
        more_data = 0
        replication_connection = 0
        doshutdown = 0
        maxthreads = 5
        bypasspollcnt =
#14 0x00007f98330d57bb in _pt_root () from /lib64/libnspr4.so
No symbol table info available.
#15 0x00007f9832a76df5 in start_thread () from /lib64/libpthread.so.0
No symbol table info available.
#16 0x00007f98327a41ad in clone () from /lib64/libc.so.6
No symbol table info available.

Thread 21 (Thread 0x7f9664ff1700 (LWP 24982)):
#0 0x00007f9832a7a705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
No symbol table info available.
#1 0x00007f98330d02c3 in PR_EnterMonitor () from /lib64/libnspr4.so
No symbol table info available.
#2 0x00007f98291f7132 in dblayer_lock_backend (be=) at ldap/servers/slapd/back-ldbm/dblayer.c:3946
        inst =
#3 0x00007f98291fbf36 in dblayer_txn_begin (be=0x7f98366e74c0, parent_txn=0x0, txn=txn@entry=0x7f9664fec2b0) at ldap/servers/slapd/back-ldbm/dblayer.c:3668
        li = 0x7f98364e9ce0
        rc = 0
#4 0x00007f9829237827 in ldbm_back_modify (pb=) at ldap/servers/slapd/back-ldbm/ldbm_modify.c:560
        cache_rc = 0
        new_mod_count = 0
        be = 0x7f98366e74c0
        inst = 0x7f98366efc40
        li = 0x7f98364e9ce0
        e = 0x0
        ec = 0x0
        original_entry = 0x0
        tmpentry = 0x0
        postentry = 0x0
        mods = 0x7f940e674fd0
        mods_original = 0x0
        smods = {mods = 0x0, num_elements = 0, num_mods = 0, iterator = 0, free_mods = 0}
        txn = {back_txn_txn = 0x0}
        parent_txn = 0x0
        ruv_c = {old_entry = 0x0, new_entry = 0x0, smods = 0x0, attr_encrypt = 0}
        ruv_c_init = 0
        retval = -1
        msg =
        errbuf = 0x0
        retry_count = 0
        disk_full = 0
        ldap_result_code = 0
        ldap_result_message = 0x0
        rc = 0
        operation = 0x7f940e7ef1d0
        addr = 0x7f940e7ef2a8
        is_fixup_operation = 0
        is_ruv = 0
        opcsn =
        repl_op = 0
        opreturn = 0
        mod_count = 0
        not_an_error = 0
        fixup_tombstone = 0
#5 0x00007f9834cd20e1 in op_shared_modify (pb=pb@entry=0x7f9388046060, pw_change=pw_change@entry=0, old_pw=0x0) at ldap/servers/slapd/modify.c:1086
        rc = 0
        be = 0x7f98366e74c0
        pse = 0x7f940f089710
        referral = 0x0
        e = 0x0
        dn = 0x7f95473251a0 "fqdn=cpn-k16-06-02.cbls.ccr.buffalo.edu,cn=computers,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu"
        normdn =
        sdn = 0x7f940c311290
        passin_sdn = 0
        mods = 0x7f940e674fd0
        pw_mod =
        tmpmods = 0x7f938846eaf0
        smods = {mods = 0x0, num_elements = 0, num_mods = 0, iterator = 0, free_mods = 0}
        repl_op = 0
        internal_op = 32
        lastmod = 1
        skip_modified_attrs = 0
        unhashed_pw_attr = 0x0
        operation = 0x7f940e7ef1d0
        errorbuf =
        err =
        lc_mod =
        p =
        i =
        proxydn = 0x0
        proxy_err =
        errtext = 0x0
#6 0x00007f9834cd2ba4 in modify_internal_pb (pb=0x7f9388046060) at ldap/servers/slapd/modify.c:631
        controls = 0x0
        pwpolicy_ctrl = 0
        op = 0x7f940e7ef1d0
        opresult = 0
        normalized_mods = 0x7f938846eaf0
        mods = 0x7f940e7f3f90
        mod = 0x7f938846eaf8
        smods = {mods = 0x7f9500000000, num_elements = 1520261632, num_mods = -1034264626, iterator = -2012979104, free_mods = 32659}
        pw_change =
        old_pw = 0x0
#7 0x00007f982a8d8bd3 in ipalockout_postop () from /usr/lib64/dirsrv/plugins/libipa_lockout.so
No symbol table info available.
#8 0x00007f9834ce5280 in plugin_call_func (list=0x7f9836464b60, operation=operation@entry=501, pb=pb@entry=0x7f9664ff0ae0, call_one=call_one@entry=0) at ldap/servers/slapd/plugin.c:1952
        n =
        func = 0x7f982a8d8580
        rc =
        return_value = 0
        count = 3
        locked = 0x0
#9 0x00007f9834ce54d8 in plugin_call_list (pb=0x7f9664ff0ae0, operation=501, list=) at ldap/servers/slapd/plugin.c:1886
No locals.
#10 plugin_call_plugins (pb=pb@entry=0x7f9664ff0ae0, whichfunction=whichfunction@entry=501) at ldap/servers/slapd/plugin.c:459
        p = 0x7f98364a1310
        plugin_list_number = 2
        rc = 0
        do_op =
#11 0x00007f98351ac9ff in do_bind (pb=pb@entry=0x7f9664ff0ae0) at ldap/servers/slapd/bind.c:424
        ber =
        err =
        isroot = 0
        method = 163
        version = 3
        auth_response_requested = 0
        pw_response_requested = 0
        rawdn = 0x7f9547317020 "\300)|\016\224\177"
        dn =
        saslmech = 0x7f93884559f0 "GSSAPI"
        cred = {bv_len = 32, bv_val = 0x7f9388044900 "\004\377\377\377\005\004\004\377"}
        be = 0x0
        ber_rc =
        rc = 0
        sdn = 0x7f940e630d40
        bind_sdn_in_pb = 1
        referral = 0x0
        errorbuf =
        supported =
        pmech =
        authtypebuf =
        bind_target_entry = 0x0
        auto_bind =
        minssf =
        minssf_exclude_rootdse =
#12 0x00007f98351b343f in connection_dispatch_operation (pb=0x7f9664ff0ae0, op=0x7f983859e9b0, conn=0x7f983bc27020) at ldap/servers/slapd/connection.c:635
        minssf = 0
        minssf_exclude_rootdse =
        enable_nagle = 1
        pop_cork = 0
#13 connection_threadmain () at ldap/servers/slapd/connection.c:2534
        is_timedout = 0
        curtime =
        local_pb = {pb_backend = 0x7f98364a1080, pb_conn = 0x7f983bc27020, pb_op = 0x7f983859e9b0, pb_plugin = 0x7f9836464b60, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x7f940e7cb510, op_stack_elem = 0x7f983859e930, pb_aci_target_check = 0}
        pb = 0x7f9664ff0ae0
        conn = 0x7f983bc27020
        op = 0x7f983859e9b0
        tag = 96
        need_wakeup = 1
        thread_turbo_flag =
        ret =
        more_data = 0
        replication_connection = 0
        doshutdown = 0
        maxthreads = 5
        bypasspollcnt =
#14 0x00007f98330d57bb in _pt_root () from /lib64/libnspr4.so
No symbol table info available.
#15 0x00007f9832a76df5 in start_thread () from /lib64/libpthread.so.0
No symbol table info available.
#16 0x00007f98327a41ad in clone () from /lib64/libc.so.6
No symbol table info available.

Thread 20 (Thread 0x7f96647f0700 (LWP 24983)):
#0 0x00007f9832a7a705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
No symbol table info available.
#1 0x00007f98330d02c3 in PR_EnterMonitor () from /lib64/libnspr4.so
No symbol table info available.
#2 0x00007f98291f7132 in dblayer_lock_backend (be=) at ldap/servers/slapd/back-ldbm/dblayer.c:3946
        inst =
#3 0x00007f98291fbf36 in dblayer_txn_begin (be=0x7f98366e74c0, parent_txn=0x0, txn=txn@entry=0x7f96647eb2b0) at ldap/servers/slapd/back-ldbm/dblayer.c:3668
        li = 0x7f98364e9ce0
        rc = 0
#4 0x00007f9829237827 in ldbm_back_modify (pb=) at ldap/servers/slapd/back-ldbm/ldbm_modify.c:560
        cache_rc = 0
        new_mod_count = 0
        be = 0x7f98366e74c0
        inst = 0x7f98366efc40
        li = 0x7f98364e9ce0
        e = 0x0
        ec = 0x0
        original_entry = 0x0
        tmpentry = 0x0
        postentry = 0x0
        mods = 0x7f94729961e0
        mods_original = 0x0
        smods = {mods = 0x0, num_elements = 0, num_mods = 0, iterator = 0, free_mods = 0}
        txn = {back_txn_txn = 0x0}
        parent_txn = 0x0
        ruv_c = {old_entry = 0x0, new_entry = 0x0, smods = 0x0, attr_encrypt = 0}
        ruv_c_init = 0
        retval = -1
        msg =
        errbuf = 0x0
        retry_count = 0
        disk_full = 0
        ldap_result_code = 0
        ldap_result_message = 0x0
        rc = 0
        operation = 0x7f9473be5820
        addr = 0x7f9473be58f8
        is_fixup_operation = 0
        is_ruv = 0
        opcsn =
        repl_op = 0
        opreturn = 0
        mod_count = 0
        not_an_error = 0
        fixup_tombstone = 0
#5 0x00007f9834cd20e1 in op_shared_modify (pb=pb@entry=0x7f95b22fceb0, pw_change=pw_change@entry=0, old_pw=0x0) at ldap/servers/slapd/modify.c:1086
        rc = 0
        be = 0x7f98366e74c0
        pse = 0x7f94733e1620
        referral = 0x0
        e = 0x0
        dn = 0x7f95b21cf960 "fqdn=cpn-d14-10.cbls.ccr.buffalo.edu,cn=computers,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu"
        normdn =
        sdn = 0x7f9472dc5060
        passin_sdn = 0
        mods = 0x7f94729961e0
        pw_mod =
        tmpmods = 0x7f94729b3820
        smods = {mods = 0x0, num_elements = 0, num_mods = 0, iterator = 0, free_mods = 0}
        repl_op = 0
        internal_op = 32
        lastmod = 1
        skip_modified_attrs = 0
        unhashed_pw_attr = 0x0
        operation = 0x7f9473be5820
        errorbuf =
        err =
        lc_mod =
        p =
        i =
        proxydn = 0x0
        proxy_err =
        errtext = 0x0
#6 0x00007f9834cd2ba4 in modify_internal_pb (pb=0x7f95b22fceb0) at ldap/servers/slapd/modify.c:631
        controls = 0x0
        pwpolicy_ctrl = 0
        op = 0x7f9473be5820
        opresult = 0
        normalized_mods = 0x7f94729b3820
        mods = 0x7f947298c1d0
        mod = 0x7f94729b3828
        smods = {mods = 0x7f9500000000, num_elements = 1520261632, num_mods = -1034264626, iterator = -1305489744, free_mods = 32661}
        pw_change =
        old_pw = 0x0
#7 0x00007f982a8d8bd3 in ipalockout_postop () from /usr/lib64/dirsrv/plugins/libipa_lockout.so
No symbol table info available.
#8 0x00007f9834ce5280 in plugin_call_func (list=0x7f9836464b60, operation=operation@entry=501, pb=pb@entry=0x7f96647efae0, call_one=call_one@entry=0) at ldap/servers/slapd/plugin.c:1952
        n =
        func = 0x7f982a8d8580
        rc =
        return_value = 0
        count = 3
        locked = 0x0
#9 0x00007f9834ce54d8 in plugin_call_list (pb=0x7f96647efae0, operation=501, list=) at ldap/servers/slapd/plugin.c:1886
No locals.
#10 plugin_call_plugins (pb=pb@entry=0x7f96647efae0, whichfunction=whichfunction@entry=501) at ldap/servers/slapd/plugin.c:459
        p = 0x7f98364a1310
        plugin_list_number = 2
        rc = 0
        do_op =
#11 0x00007f98351ac9ff in do_bind (pb=pb@entry=0x7f96647efae0) at ldap/servers/slapd/bind.c:424
        ber =
        err =
        isroot = 0
        method = 163
        version = 3
        auth_response_requested = 0
        pw_response_requested = 0
        rawdn = 0x7f9472dbab20 "\200\226.\262\225\177"
        dn =
        saslmech = 0x7f94731ad1f0 "GSSAPI"
        cred = {bv_len = 32, bv_val = 0x7f95b2309b60 "\004\377\377\377\005\004\004\377"}
        be = 0x0
        ber_rc =
        rc = 0
        sdn = 0x7f9472e16c20
        bind_sdn_in_pb = 1
        referral = 0x0
        errorbuf =
        supported =
        pmech =
        authtypebuf =
        bind_target_entry = 0x0
        auto_bind =
        minssf =
        minssf_exclude_rootdse =
#12 0x00007f98351b343f in connection_dispatch_operation (pb=0x7f96647efae0, op=0x7f98374d4530, conn=0x7f983bc2bd90) at ldap/servers/slapd/connection.c:635
        minssf = 0
        minssf_exclude_rootdse =
        enable_nagle = 1
        pop_cork = 0
#13 connection_threadmain () at ldap/servers/slapd/connection.c:2534
        is_timedout = 0
        curtime =
        local_pb = {pb_backend = 0x7f98364a1080, pb_conn = 0x7f983bc2bd90, pb_op = 0x7f98374d4530, pb_plugin = 0x7f9836464b60, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x7f9472cb94f0, op_stack_elem = 0x7f9839e9aae0, pb_aci_target_check = 0}
        pb = 0x7f96647efae0
        conn = 0x7f983bc2bd90
        op = 0x7f98374d4530
        tag = 96
        need_wakeup = 1
        thread_turbo_flag =
        ret =
        more_data = 0
        replication_connection = 0
        doshutdown = 0
        maxthreads = 5
        bypasspollcnt =
#14 0x00007f98330d57bb in _pt_root () from /lib64/libnspr4.so
No symbol table info available.
#15 0x00007f9832a76df5 in start_thread () from /lib64/libpthread.so.0
No symbol table info available.
#16 0x00007f98327a41ad in clone () from /lib64/libc.so.6
No symbol table info available.

Thread 19 (Thread 0x7f9663fef700 (LWP 24984)):
#0 0x00007f9832a7a705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
No symbol table info available.
#1 0x00007f982c9f72f3 in __db_hybrid_mutex_suspend () from /lib64/libdb-5.3.so
No symbol table info available.
#2 0x00007f982c9f6640 in __db_tas_mutex_lock () from /lib64/libdb-5.3.so
No symbol table info available.
#3 0x00007f982caa0cea in __lock_get_internal () from /lib64/libdb-5.3.so
No symbol table info available.
#4 0x00007f982caa17d0 in __lock_get () from /lib64/libdb-5.3.so
No symbol table info available.
#5 0x00007f982cacd112 in __db_lget () from /lib64/libdb-5.3.so
No symbol table info available.
#6 0x00007f982ca145f5 in __bam_search () from /lib64/libdb-5.3.so
No symbol table info available.
#7 0x00007f982c9ff256 in __bamc_search () from /lib64/libdb-5.3.so
No symbol table info available.
#8 0x00007f982ca01233 in __bamc_get () from /lib64/libdb-5.3.so
No symbol table info available.
#9 0x00007f982cab9c56 in __dbc_iget () from /lib64/libdb-5.3.so
No symbol table info available.
#10 0x00007f982cac8ad2 in __dbc_get_pp () from /lib64/libdb-5.3.so
No symbol table info available.
#11 0x00007f982922b764 in _entryrdn_get_elem (cursor=cursor@entry=0x7f95f24a3c50, key=key@entry=0x7f9663fe5b70, data=data@entry=0x7f9663fe5ba0, comp_key=0x7f94cbc2dc00 "cn=accounts", elem=elem@entry=0x7f9663fe5b60, db_txn=db_txn@entry=0x0) at ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c:1807
        rc =
        ptr = 0x7f94c9372d90
#12 0x00007f982922edea in _entryrdn_index_read (be=be@entry=0x7f98366e74c0, cursor=0x7f95f24a3c50, srdn=srdn@entry=0x7f9663fe7c90, elem=elem@entry=0x7f9663fe7c88, parentelem=parentelem@entry=0x0, childelems=childelems@entry=0x0, flags=flags@entry=0, db_txn=db_txn@entry=0x0) at ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c:3340
        rc = 0
        len = 33
        id = 1
        nrdn = 0x7f9555d42370 "dc=cbls,dc=ccr,dc=buffalo,dc=edu"
        childnrdn = 0x7f94cbc2dc00 "cn=accounts"
        rdnidx = 2
        keybuf = 0x7f9555c892c0 "C1"
        key = {data = 0x7f9555c892c0, size = 3, ulen = 3, dlen = 8, doff = 0, app_data = 0x7f9555cc51a0, flags = 2056}
        data = {data = 0x7f94c9372d90, size = 33, ulen = 33, dlen = 0, doff = 0, app_data = 0x0, flags = 2048}
        childnum = 32
        curr_childnum = 0
        tmpsrdn = 0x7f94cbbc8ba0
        tmpelem = 0x7f94c9372d90
#13 0x00007f982923014a in entryrdn_index_read_ext (be=be@entry=0x7f98366e74c0, sdn=sdn@entry=0x7f94cbe131f0, id=id@entry=0x7f9663fe7d24, flags=flags@entry=0, txn=txn@entry=0x7f9663fe7f00) at ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c:448
        rc = 0
        ai = 0x7f98367159b0
        srdn = {flag = 0 '\000', rdn = 0x7f955625e080 "cn=Default Trust View", rdns = 0x0, butcheredupto = -1, nrdn = 0x0, all_rdns = 0x7f955625e050, all_nrdns = 0x7f9555d303a0}
        db = 0x7f98367d0680
        db_txn = 0x0
        cursor = 0x7f95f24a3c50
        elem = 0x7f94c9c99f20
        db_retry =
#14 0x00007f9829200849 in dn2entry_ext (be=be@entry=0x7f98366e74c0, sdn=sdn@entry=0x7f94cbe131f0, txn=txn@entry=0x7f9663fe7f00, flags=flags@entry=0, err=err@entry=0x7f9663fe7ddc) at ldap/servers/slapd/back-ldbm/dn2entry.c:92
        id = 0
        inst = 0x7f98366efc40
        ndnv = {bv_len = 75, bv_val = 0x7f94cbc2a7b0 "cn=default trust view,cn=views,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu"}
        e = 0x0
        indexname =
#15 0x00007f9829203651 in find_entry_internal_dn (flags=0, txn=0x7f9663fe7f00, lock=0, sdn=0x7f94cbe131f0, be=0x7f98366e74c0, pb=0x7f9663feeae0) at ldap/servers/slapd/back-ldbm/findentry.c:130
        e = 0x7f983bc58640
        err = 0
        inst = 0x7f98366efc40
        tries = 0
        managedsait = 0
#16 find_entry_internal (pb=pb@entry=0x7f9663feeae0, be=0x7f98366e74c0, lock=lock@entry=0, txn=txn@entry=0x7f9663fe7f00, flags=flags@entry=0, addr=, addr=) at ldap/servers/slapd/back-ldbm/findentry.c:293
        entry = 0x0
        flags = 0
        pb = 0x7f9663feeae0
        txn = 0x7f9663fe7f00
        lock = 0
        be = 0x7f98366e74c0
#17 0x00007f982920393e in find_entry (pb=pb@entry=0x7f9663feeae0, be=, addr=, txn=txn@entry=0x7f9663fe7f00) at ldap/servers/slapd/back-ldbm/findentry.c:313
No locals.
#18 0x00007f982923d9bb in ldbm_back_search (pb=0x7f9663feeae0) at ldap/servers/slapd/back-ldbm/ldbm_search.c:616
        be = 0x7f98366e74c0
        inst = 0x7f98366efc40
        li = 0x7f98364e9ce0
        e = 0x6
        candidates = 0x0
        base = 0x7f94c9287540 "cn=Default Trust View,cn=views,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu"
        basesdn = 0x7f94cbe131f0
        scope = 2
        controls = 0x0
        operation = 0x7f98380b12c0
        addr = 0x7f98380b1398
        estimate = 0
        sort = 0
        vlv =
        sort_spec = 0x0
        is_sorting_critical =
        is_sorting_critical_orig = 0
        sort_control = 0x0
        virtual_list_view = 0
        vlv_spec = 0x0
        is_vlv_critical = 0
        vlv_request_control = {beforeCount = 0, afterCount = 0, tag = 0, index = 0, contentCount = 0, value = {bv_len = 0, bv_val = 0x0}}
        sr =
        tmp_err = -1
        tmp_desc = 0x0
        lookup_returned_allids = 0
        backend_count = 0
        print_once = 1
        txn = {back_txn_txn = 0x0}
        rc =
#19 0x00007f9834cd8d49 in op_shared_search (pb=pb@entry=0x7f9663feeae0, send_result=send_result@entry=1) at ldap/servers/slapd/opshared.c:831
        be_suffix = 0x7f98366ed430
        err = 0
        next_be = 0x0
        base = 0x7f94c9c94b70 "cn=Default Trust View,cn=views,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu"
        normbase =
        fstr = 0x7f94cbc54880 "(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:IPA:cbls.ccr.buffalo.edu:e6b5e64e-2ce8-11e5-b068-a0369f577818))"
        scope = 2
        be = 0x7f98366e74c0
        be_single = 0x0
        be_list =
        referral_list =
        attrlistbuf = "\"krbMaxTicketLife krbMaxRenewableAge krbTicketFlags\"\000dMinLength krbPwdHistoryLength krbPwdMaxFailure krbPwdFailureCountInterval krbPwdLockoutDuration\"\000yTimestamp entryusn shadowLastChange shadowMin sh"...
        attrliststr =
        attrs = 0x0
        rc = -1
        internal_op =
        basesdn = 0x7f94c9430960
        sdn = 0x7f94cbe131f0
        operation = 0x7f98380b12c0
        referral = 0x0
        proxydn = 0x0
        proxystr = 0x0
        proxy_err =
        errtext = 0x0
        errorbuf =
        nentries = 0
        pnentries = 0
        flag_search_base_found = 0
        flag_no_such_object = 0
        flag_referral = 0
        flag_psearch =
        err_code = 0
        ctrlp = 0x0
        ctl_value = 0x0
        iscritical = 0
        be_name =
        index = -1
        sent_result = 0
        pr_stat = 0
        pagesize = -1
        estimate = 0
        curr_search_count =
        pr_be =
        pr_search_result =
        pr_idx = -1
        orig_sdn = 0x0
        free_sdn = 1
#20 0x00007f98351c407e in do_search (pb=pb@entry=0x7f9663feeae0) at ldap/servers/slapd/search.c:378
        operation = 0x7f98380b12c0
        ber =
        i =
        err =
        attrsonly = 0
        scope = 2
        deref = 0
        sizelimit = 0
        timelimit = 0
        rawbase = 0x7f94c9c94b70 "cn=Default Trust View,cn=views,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu"
        rawbase_set_in_pb = 1
        fstr = 0x7f94cbc54880 "(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:IPA:cbls.ccr.buffalo.edu:e6b5e64e-2ce8-11e5-b068-a0369f577818))"
        filter = 0x7f94c9f21f50
        attrs = 0x0
        gerattrs = 0x0
        psearch = 0
        psbvp = 0x0
        changetypes = 32664
        send_entchg_controls = 385283168
        changesonly = 0
        rc = -1
        strict =
        minssf_exclude_rootdse =
        filter_normalized = 0
#21 0x00007f98351b3589 in connection_dispatch_operation (pb=0x7f9663feeae0, op=0x7f98380b12c0, conn=0x7f983bc58640) at ldap/servers/slapd/connection.c:684
        minssf = 0
        minssf_exclude_rootdse =
        enable_nagle = 1
        pop_cork = 1
#22 connection_threadmain () at ldap/servers/slapd/connection.c:2534
        is_timedout = 0
        curtime =
        local_pb = {pb_backend = 0x7f98366e74c0, pb_conn = 0x7f983bc58640, pb_op = 0x7f98380b12c0, pb_plugin = 0x7f98364e9f80, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0,
pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x0, op_stack_elem = 0x7f983699cb00, pb_aci_target_check = 0} pb = 0x7f9663feeae0 conn = 0x7f983bc58640 op = 0x7f98380b12c0 tag = 99 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = 0 doshutdown = 0 maxthreads = 5 bypasspollcnt = #23 0x00007f98330d57bb in _pt_root () from /lib64/libnspr4.so No symbol table info available. #24 0x00007f9832a76df5 in start_thread () from /lib64/libpthread.so.0 No symbol table info available. #25 0x00007f98327a41ad in clone () from /lib64/libc.so.6 No symbol table info available. Thread 18 (Thread 0x7f96637ee700 (LWP 24985)): #0 0x00007f9832a7a705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 No symbol table info available. #1 0x00007f982c9f72f3 in __db_hybrid_mutex_suspend () from /lib64/libdb-5.3.so No symbol table info available. #2 0x00007f982c9f6640 in __db_tas_mutex_lock () from /lib64/libdb-5.3.so No symbol table info available. #3 0x00007f982caa0cea in __lock_get_internal () from /lib64/libdb-5.3.so No symbol table info available. #4 0x00007f982caa17d0 in __lock_get () from /lib64/libdb-5.3.so No symbol table info available. #5 0x00007f982cacd112 in __db_lget () from /lib64/libdb-5.3.so No symbol table info available. #6 0x00007f982ca145f5 in __bam_search () from /lib64/libdb-5.3.so No symbol table info available. #7 0x00007f982c9ff256 in __bamc_search () from /lib64/libdb-5.3.so No symbol table info available. #8 0x00007f982ca01233 in __bamc_get () from /lib64/libdb-5.3.so No symbol table info available. 
#9 0x00007f982cab9c56 in __dbc_iget () from /lib64/libdb-5.3.so No symbol table info available. #10 0x00007f982cac8ad2 in __dbc_get_pp () from /lib64/libdb-5.3.so No symbol table info available. #11 0x00007f982922b764 in _entryrdn_get_elem (cursor=cursor at entry=0x7f962e4fd3a0, key=key at entry=0x7f96637e4b70, data=data at entry=0x7f96637e4ba0, comp_key=0x7f950ea56c50 "cn=etc", elem=elem at entry=0x7f96637e4b60, db_txn=db_txn at entry=0x0) at ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c:1807 rc = ptr = 0x7f94b9fe0350 #12 0x00007f982922edea in _entryrdn_index_read (be=be at entry=0x7f98366e74c0, cursor=0x7f962e4fd3a0, srdn=srdn at entry=0x7f96637e6c90, elem=elem at entry=0x7f96637e6c88, parentelem=parentelem at entry=0x0, childelems=childelems at entry=0x0, flags=flags at entry=0, db_txn=db_txn at entry=0x0) at ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c:3340 rc = 0 len = 23 id = 1 nrdn = 0x7f950ea5d500 "dc=cbls,dc=ccr,dc=buffalo,dc=edu" childnrdn = 0x7f950ea56c50 "cn=etc" rdnidx = 3 keybuf = 0x7f950d808710 "C1" key = {data = 0x7f950d808710, size = 3, ulen = 3, dlen = 8, doff = 0, app_data = 0x7f982c192bf8 , flags = 2056} data = {data = 0x7f94b9fe0350, size = 23, ulen = 23, dlen = 0, doff = 0, app_data = 0x0, flags = 2048} childnum = 32 curr_childnum = 0 tmpsrdn = 0x7f950eb7ccd0 tmpelem = 0x7f94b9fe0350 #13 0x00007f982923014a in entryrdn_index_read_ext (be=be at entry=0x7f98366e74c0, sdn=sdn at entry=0x7f94b9a8cfb0, id=id at entry=0x7f96637e6d24, flags=flags at entry=0, txn=txn at entry=0x7f96637e6f00) at ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c:448 rc = 0 ai = 0x7f98367159b0 srdn = {flag = 0 '\000', rdn = 0x7f94bbf71150 "cn=cpn-d07-11-02.cbls.ccr.buffalo.edu", rdns = 0x0, butcheredupto = -1, nrdn = 0x0, all_rdns = 0x7f94bbdcab80, all_nrdns = 0x7f94b8d621b0} db = 0x7f98367d0680 db_txn = 0x0 cursor = 0x7f962e4fd3a0 elem = 0x7f94bbfabee0 db_retry = #14 0x00007f9829200849 in dn2entry_ext (be=be at entry=0x7f98366e74c0, sdn=sdn at entry=0x7f94b9a8cfb0, txn=txn at 
entry=0x7f96637e6f00, flags=flags at entry=0, err=err at entry=0x7f96637e6ddc) at ldap/servers/slapd/back-ldbm/dn2entry.c:92 id = 0 inst = 0x7f98366efc40 ndnv = {bv_len = 95, bv_val = 0x7f94bbf37440 "cn=cpn-d07-11-02.cbls.ccr.buffalo.edu,cn=masters,cn=ipa,cn=etc,dc=cbls,dc=ccr,dc=buffalo,dc=edu"} e = 0x0 indexname = #15 0x00007f9829203651 in find_entry_internal_dn (flags=0, txn=0x7f96637e6f00, lock=0, sdn=0x7f94b9a8cfb0, be=0x7f98366e74c0, pb=0x7f96637edae0) at ldap/servers/slapd/back-ldbm/findentry.c:130 e = 0x7f983bc32930 err = 0 inst = 0x7f98366efc40 tries = 0 managedsait = 0 #16 find_entry_internal (pb=pb at entry=0x7f96637edae0, be=0x7f98366e74c0, lock=lock at entry=0, txn=txn at entry=0x7f96637e6f00, flags=flags at entry=0, addr=, addr=) at ldap/servers/slapd/back-ldbm/findentry.c:293 entry = 0x0 flags = 0 pb = 0x7f96637edae0 txn = 0x7f96637e6f00 lock = 0 be = 0x7f98366e74c0 #17 0x00007f982920393e in find_entry (pb=pb at entry=0x7f96637edae0, be=, addr=, txn=txn at entry=0x7f96637e6f00) at ldap/servers/slapd/back-ldbm/findentry.c:313 No locals. 
#18 0x00007f982923d9bb in ldbm_back_search (pb=0x7f96637edae0) at ldap/servers/slapd/back-ldbm/ldbm_search.c:616 be = 0x7f98366e74c0 inst = 0x7f98366efc40 li = 0x7f98364e9ce0 e = 0x6 candidates = 0x0 base = 0x7f94bbf3edf0 "cn=cpn-d07-11-02.cbls.ccr.buffalo.edu,cn=masters,cn=ipa,cn=etc,dc=cbls,dc=ccr,dc=buffalo,dc=edu" basesdn = 0x7f94b9a8cfb0 scope = 0 controls = 0x0 operation = 0x7f954feaf590 addr = 0x7f954feaf668 estimate = 0 sort = 0 vlv = sort_spec = 0x0 is_sorting_critical = is_sorting_critical_orig = 0 sort_control = 0x0 virtual_list_view = 0 vlv_spec = 0x0 is_vlv_critical = 0 vlv_request_control = {beforeCount = 0, afterCount = 0, tag = 0, index = 0, contentCount = 0, value = {bv_len = 0, bv_val = 0x0}} sr = tmp_err = -1 tmp_desc = 0x0 lookup_returned_allids = 0 backend_count = 0 print_once = 1 txn = {back_txn_txn = 0x0} rc = 
#19 0x00007f9834cd8d49 in op_shared_search (pb=pb at entry=0x7f96637edae0, send_result=send_result at entry=1) at ldap/servers/slapd/opshared.c:831 be_suffix = 0x7f98366ed430 err = 0 next_be = 0x0 base = 0x7f94bbf4dbf0 "cn=cpn-d07-11-02.cbls.ccr.buffalo.edu,cn=masters,cn=ipa,cn=etc,dc=cbls,dc=ccr,dc=buffalo,dc=edu" normbase = fstr = 0x7f94bbf2a790 "(objectClass=*)" scope = 0 be = 0x7f98366e74c0 be_single = 0x0 be_list = {...} referral_list = {...} attrlistbuf = "\"krbMaxPwdLife krbMinPwdLife krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure krbPwdFailureCountInterval krbPwdLockoutDuration\"\000ality defaultnamingcontext lastusn highestcommitt"... attrliststr = attrs = 0x0 rc = -1 internal_op = basesdn = 0x7f950f472b70 sdn = 0x7f94b9a8cfb0 operation = 0x7f954feaf590 referral = 0x0 proxydn = 0x0 proxystr = 0x0 proxy_err = errtext = 0x0 errorbuf = "\000eTimeout\"\000v\204\314\b\002$a\377P@\302\300\003\262\255\335A\225(,\000\260,\234\021=h\024\001\000Z\235Z\316_Z?\304\365\273\224\177\000\000\060\266~c\226\177\000\000\000\266~c\226\177\000\000P\301~c\226\177\000\000 \301~c\226\177\000\000\060\266~c\226\177\000\000\000\266~c\226\177\000\000=\334\022&\230\177\000\000\340\301~c\226\177\000\000\020\302~c\226\177\000\000\220\271~c\226\177\000\000`\266~c\226\177\000\000\220\266~c\226\177\000\000\000Z\235Z\316_Z\302\000\271~c\226\177\000\000p\270~c\226\177\000\000`\236w\273@", '\000' , "\264M\366\064\230\177\000\000\016"... 
nentries = 0 pnentries = 0 flag_search_base_found = 0 flag_no_such_object = 0 flag_referral = 0 flag_psearch = err_code = 0 ctrlp = 0x0 ctl_value = 0x0 iscritical = 0 be_name = index = -1 sent_result = 0 pr_stat = 0 pagesize = -1 estimate = 0 curr_search_count = pr_be = pr_search_result = pr_idx = -1 orig_sdn = 0x0 free_sdn = 1 #20 0x00007f98351c407e in do_search (pb=pb at entry=0x7f96637edae0) at ldap/servers/slapd/search.c:378 operation = 0x7f954feaf590 ber = i = err = attrsonly = 0 scope = 0 deref = 0 sizelimit = 0 timelimit = 300 rawbase = 0x7f94bbf4dbf0 "cn=cpn-d07-11-02.cbls.ccr.buffalo.edu,cn=masters,cn=ipa,cn=etc,dc=cbls,dc=ccr,dc=buffalo,dc=edu" rawbase_set_in_pb = 1 fstr = 0x7f94bbf2a790 "(objectClass=*)" filter = 0x7f950ea7e550 attrs = 0x0 gerattrs = 0x0 psearch = 0 psbvp = 0x0 changetypes = 32664 send_entchg_controls = -1514615008 changesonly = 0 rc = -1 strict = minssf_exclude_rootdse = filter_normalized = 0 #21 0x00007f98351b3405 in connection_dispatch_operation (pb=0x7f96637edae0, op=0x7f954feaf590, conn=0x7f983bc32930) at ldap/servers/slapd/connection.c:684 minssf = 0 minssf_exclude_rootdse = enable_nagle = 1 pop_cork = 0 #22 connection_threadmain () at ldap/servers/slapd/connection.c:2534 is_timedout = 0 curtime = local_pb = {pb_backend = 0x7f98366e74c0, pb_conn = 0x7f983bc32930, pb_op = 0x7f954feaf590, pb_plugin = 0x7f98364e9f80, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 1, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 
0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x0, op_stack_elem = 0x7f96292bddc0, pb_aci_target_check = 0} pb = 0x7f96637edae0 conn = 0x7f983bc32930 op = 0x7f954feaf590 tag = 99 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = 0 doshutdown = 0 maxthreads = 5 bypasspollcnt = #23 0x00007f98330d57bb in _pt_root () from /lib64/libnspr4.so No symbol table info available. 
#24 0x00007f9832a76df5 in start_thread () from /lib64/libpthread.so.0 No symbol table info available. #25 0x00007f98327a41ad in clone () from /lib64/libc.so.6 No symbol table info available. Thread 17 (Thread 0x7f9662fed700 (LWP 24986)): #0 0x00007f9832a7a705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 No symbol table info available. #1 0x00007f982c9f72f3 in __db_hybrid_mutex_suspend () from /lib64/libdb-5.3.so No symbol table info available. #2 0x00007f982c9f6640 in __db_tas_mutex_lock () from /lib64/libdb-5.3.so No symbol table info available. #3 0x00007f982caa0cea in __lock_get_internal () from /lib64/libdb-5.3.so No symbol table info available. #4 0x00007f982caa17d0 in __lock_get () from /lib64/libdb-5.3.so No symbol table info available. #5 0x00007f982cacd112 in __db_lget () from /lib64/libdb-5.3.so No symbol table info available. #6 0x00007f982ca145f5 in __bam_search () from /lib64/libdb-5.3.so No symbol table info available. #7 0x00007f982c9ff256 in __bamc_search () from /lib64/libdb-5.3.so No symbol table info available. #8 0x00007f982ca01233 in __bamc_get () from /lib64/libdb-5.3.so No symbol table info available. #9 0x00007f982cab9c56 in __dbc_iget () from /lib64/libdb-5.3.so No symbol table info available. #10 0x00007f982cac8ad2 in __dbc_get_pp () from /lib64/libdb-5.3.so No symbol table info available. 
#11 0x00007f982922b764 in _entryrdn_get_elem (cursor=cursor at entry=0x7f9605da0c60, key=key at entry=0x7f9662fe3b70, data=data at entry=0x7f9662fe3ba0, comp_key=0x7f94a4068270 "cn=accounts", elem=elem at entry=0x7f9662fe3b60, db_txn=db_txn at entry=0x0) at ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c:1807 rc = ptr = 0x7f94a41d2fd0 #12 0x00007f982922edea in _entryrdn_index_read (be=be at entry=0x7f98366e74c0, cursor=0x7f9605da0c60, srdn=srdn at entry=0x7f9662fe5c90, elem=elem at entry=0x7f9662fe5c88, parentelem=parentelem at entry=0x0, childelems=childelems at entry=0x0, flags=flags at entry=0, db_txn=db_txn at entry=0x0) at ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c:3340 rc = 0 len = 33 id = 1 nrdn = 0x7f94a4b90bf0 "dc=cbls,dc=ccr,dc=buffalo,dc=edu" childnrdn = 0x7f94a4068270 "cn=accounts" rdnidx = 2 keybuf = 0x7f94a6308390 "C1" key = {data = 0x7f94a6308390, size = 3, ulen = 3, dlen = 8, doff = 0, app_data = 0x7f94a6313300, flags = 2056} data = {data = 0x7f94a41d2fd0, size = 33, ulen = 33, dlen = 0, doff = 0, app_data = 0x0, flags = 2048} childnum = 32 curr_childnum = 0 tmpsrdn = 0x7f94a4069740 tmpelem = 0x7f94a41d2fd0 #13 0x00007f982923014a in entryrdn_index_read_ext (be=be at entry=0x7f98366e74c0, sdn=sdn at entry=0x7f94a7f376d0, id=id at entry=0x7f9662fe5d24, flags=flags at entry=0, txn=txn at entry=0x7f9662fe5f00) at ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c:448 rc = 0 ai = 0x7f98367159b0 srdn = {flag = 0 '\000', rdn = 0x7f94a450bf10 "cn=Default Trust View", rdns = 0x0, butcheredupto = -1, nrdn = 0x0, all_rdns = 0x7f94a450bee0, all_nrdns = 0x7f94a7f16ff0} db = 0x7f98367d0680 db_txn = 0x0 cursor = 0x7f9605da0c60 elem = 0x7f94a7e03010 db_retry = #14 0x00007f9829200849 in dn2entry_ext (be=be at entry=0x7f98366e74c0, sdn=sdn at entry=0x7f94a7f376d0, txn=txn at entry=0x7f9662fe5f00, flags=flags at entry=0, err=err at entry=0x7f9662fe5ddc) at ldap/servers/slapd/back-ldbm/dn2entry.c:92 id = 0 inst = 0x7f98366efc40 ndnv = {bv_len = 75, bv_val = 0x7f94a72e9250 
"cn=default trust view,cn=views,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu"} e = 0x0 indexname = #15 0x00007f9829203651 in find_entry_internal_dn (flags=0, txn=0x7f9662fe5f00, lock=0, sdn=0x7f94a7f376d0, be=0x7f98366e74c0, pb=0x7f9662fecae0) at ldap/servers/slapd/back-ldbm/findentry.c:130 e = 0x7f983bc3a0a0 err = 0 inst = 0x7f98366efc40 tries = 0 managedsait = 0 #16 find_entry_internal (pb=pb at entry=0x7f9662fecae0, be=0x7f98366e74c0, lock=lock at entry=0, txn=txn at entry=0x7f9662fe5f00, flags=flags at entry=0, addr=, addr=) at ldap/servers/slapd/back-ldbm/findentry.c:293 entry = 0x0 flags = 0 pb = 0x7f9662fecae0 txn = 0x7f9662fe5f00 lock = 0 be = 0x7f98366e74c0 #17 0x00007f982920393e in find_entry (pb=pb at entry=0x7f9662fecae0, be=, addr=, txn=txn at entry=0x7f9662fe5f00) at ldap/servers/slapd/back-ldbm/findentry.c:313 No locals. #18 0x00007f982923d9bb in ldbm_back_search (pb=0x7f9662fecae0) at ldap/servers/slapd/back-ldbm/ldbm_search.c:616 be = 0x7f98366e74c0 inst = 0x7f98366efc40 li = 0x7f98364e9ce0 e = 0x6 candidates = 0x0 base = 0x7f94a4134980 "cn=Default Trust View,cn=views,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu" basesdn = 0x7f94a7f376d0 scope = 2 controls = 0x0 operation = 0x7f9838401660 addr = 0x7f9838401738 estimate = 0 sort = 0 vlv = sort_spec = 0x0 is_sorting_critical = is_sorting_critical_orig = 0 sort_control = 0x0 virtual_list_view = 0 vlv_spec = 0x0 is_vlv_critical = 0 vlv_request_control = {beforeCount = 0, afterCount = 0, tag = 0, index = 0, contentCount = 0, value = {bv_len = 0, bv_val = 0x0}} sr = tmp_err = -1 tmp_desc = 0x0 lookup_returned_allids = 0 backend_count = 0 print_once = 1 txn = {back_txn_txn = 0x0} rc = #19 0x00007f9834cd8d49 in op_shared_search (pb=pb at entry=0x7f9662fecae0, send_result=send_result at entry=1) at ldap/servers/slapd/opshared.c:831 be_suffix = 0x7f98366ed430 err = 0 next_be = 0x0 base = 0x7f94a6207fc0 "cn=Default Trust View,cn=views,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu" normbase = fstr = 
0x7f94a5f4cb60 "(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:IPA:cbls.ccr.buffalo.edu:6c3e2dce-2cd7-11e5-aacd-a0369f577818))" scope = 2 be = 0x7f98366e74c0 be_single = 0x0 be_list = {...} referral_list = {...} attrlistbuf = "\"krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwd"... 
#11 0x00007f982922b764 in _entryrdn_get_elem (cursor=cursor@entry=0x7f96423859e0, key=key@entry=0x7f96617e0b70, data=data@entry=0x7f96617e0ba0, comp_key=0x7f948fbf1c70 "cn=etc", elem=elem@entry=0x7f96617e0b60, db_txn=db_txn@entry=0x0) at ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c:1807 rc = ptr = 0x7f948cdc9020 #12 0x00007f982922edea in _entryrdn_index_read (be=be@entry=0x7f98366e74c0, cursor=0x7f96423859e0, srdn=srdn@entry=0x7f96617e2c90, elem=elem@entry=0x7f96617e2c88, parentelem=parentelem@entry=0x0, childelems=childelems@entry=0x0, flags=flags@entry=0, db_txn=db_txn@entry=0x0) at ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c:3340 rc = 0 len = 23 id = 1 nrdn = 0x7f948fe654b0 "dc=cbls,dc=ccr,dc=buffalo,dc=edu" childnrdn = 0x7f948fbf1c70 "cn=etc" rdnidx = 3 keybuf = 0x7f948ff0dec0 "C1" key = {data = 0x7f948ff0dec0, size = 3, ulen = 3, dlen = 8, doff = 0, app_data = 0x7f948d048d20, flags = 2056} data = {data = 0x7f948cdc9020, size = 23, ulen = 23, dlen = 0, doff = 0, app_data = 0x0, flags = 2048} childnum = 32 curr_childnum = 0 tmpsrdn = 0x7f948c3c7530 tmpelem = 0x7f948cdc9020 #13 0x00007f982923014a in entryrdn_index_read_ext (be=be@entry=0x7f98366e74c0, sdn=sdn@entry=0x7f948cd1c510, id=id@entry=0x7f96617e2d24, flags=flags@entry=0, txn=txn@entry=0x7f96617e2f00) at ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c:448 rc = 0 ai = 0x7f98367159b0 srdn = {flag = 0 '\000', rdn = 0x7f948cdbd7c0 "cn=cpn-m27-01-02.cbls.ccr.buffalo.edu", rdns = 0x0, butcheredupto = -1, nrdn = 0x0, all_rdns = 0x7f948fcd8220, all_nrdns = 0x7f948efb9a50} db = 0x7f98367d0680 db_txn = 0x0 cursor = 0x7f96423859e0 elem = 0x7f948cd000a0 db_retry = #14 0x00007f9829200849 in dn2entry_ext (be=be@entry=0x7f98366e74c0, sdn=sdn@entry=0x7f948cd1c510, txn=txn@entry=0x7f96617e2f00, flags=flags@entry=0, err=err@entry=0x7f96617e2ddc) at ldap/servers/slapd/back-ldbm/dn2entry.c:92 id = 0 inst = 0x7f98366efc40 ndnv = {bv_len = 95, bv_val = 
0x7f948cd1e9b0 "cn=cpn-m27-01-02.cbls.ccr.buffalo.edu,cn=masters,cn=ipa,cn=etc,dc=cbls,dc=ccr,dc=buffalo,dc=edu"} e = 0x0 indexname = #15 0x00007f9829203651 in find_entry_internal_dn (flags=0, txn=0x7f96617e2f00, lock=0, sdn=0x7f948cd1c510, be=0x7f98366e74c0, pb=0x7f96617e9ae0) at ldap/servers/slapd/back-ldbm/findentry.c:130 e = 0x7f983bc44360 err = 0 inst = 0x7f98366efc40 tries = 0 managedsait = 0 #16 find_entry_internal (pb=pb@entry=0x7f96617e9ae0, be=0x7f98366e74c0, lock=lock@entry=0, txn=txn@entry=0x7f96617e2f00, flags=flags@entry=0, addr=, addr=) at ldap/servers/slapd/back-ldbm/findentry.c:293 entry = 0x0 flags = 0 pb = 0x7f96617e9ae0 txn = 0x7f96617e2f00 lock = 0 be = 0x7f98366e74c0 #17 0x00007f982920393e in find_entry (pb=pb@entry=0x7f96617e9ae0, be=, addr=, txn=txn@entry=0x7f96617e2f00) at ldap/servers/slapd/back-ldbm/findentry.c:313 No locals. #18 0x00007f982923d9bb in ldbm_back_search (pb=0x7f96617e9ae0) at ldap/servers/slapd/back-ldbm/ldbm_search.c:616 be = 0x7f98366e74c0 inst = 0x7f98366efc40 li = 0x7f98364e9ce0 e = 0x6 candidates = 0x0 base = 0x7f948fd8c7c0 "cn=cpn-m27-01-02.cbls.ccr.buffalo.edu,cn=masters,cn=ipa,cn=etc,dc=cbls,dc=ccr,dc=buffalo,dc=edu" basesdn = 0x7f948cd1c510 scope = 0 controls = 0x0 operation = 0x7f9838bd0fe0 addr = 0x7f9838bd10b8 estimate = 0 sort = 0 vlv = sort_spec = 0x0 is_sorting_critical = is_sorting_critical_orig = 0 sort_control = 0x0 virtual_list_view = 0 vlv_spec = 0x0 is_vlv_critical = 0 vlv_request_control = {beforeCount = 0, afterCount = 0, tag = 0, index = 0, contentCount = 0, value = {bv_len = 0, bv_val = 0x0}} sr = tmp_err = -1 tmp_desc = 0x0 lookup_returned_allids = 0 backend_count = 0 print_once = 1 txn = {back_txn_txn = 0x0} rc = #19 0x00007f9834cd8d49 in op_shared_search (pb=pb@entry=0x7f96617e9ae0, send_result=send_result@entry=1) at ldap/servers/slapd/opshared.c:831 be_suffix = 0x7f98366ed430 err = 0 next_be = 0x0 base = 0x7f948fbefbb0 
"cn=cpn-m27-01-02.cbls.ccr.buffalo.edu,cn=masters,cn=ipa,cn=etc,dc=cbls,dc=ccr,dc=buffalo,dc=edu" normbase = fstr = 0x7f948c338890 "(objectClass=*)" scope = 0 be = 0x7f98366e74c0 be_single = 0x0 be_list = {...} referral_list = {
0x0, 0x7f9834f70f00 , 0x7f948cf2f330...} attrlistbuf = "\"krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwd"... attrliststr = attrs = 0x0 rc = -1 internal_op = basesdn = 0x7f948d074870 sdn = 0x7f948cd1c510 operation = 0x7f9838bd0fe0 referral = 0x0 proxydn = 0x0 proxystr = 0x0 proxy_err = errtext = 0x0 errorbuf = "\000\252\373\216\224\177\000\000\320t~a\226\177\000\000\005\000\000\000\000\000\000\000\066Y\311\064\230\177\000\000\000\000\000\000\000\000\000\000xH\a\215\224\177\000\000\210\245?\224\177\000\000(u~a\226\177\000\000\240\331(6\230\177\000\000\060\000\000\000\000\000\000\000 \200?\224\177\000\000\000\000\000\000\000\000\000\000??\224\177\000\000\030V\a\215\224\177\000\000\001", '\000' , "`\277=\216\224\177", '\000' , "Z\235Z\316_Z\302\b\305\024\206\225\177\000\000\b\305\024\206\225\177\000\000\020\305\024\206\225\177\000\000\000\000\000\000\000\000\000\000\264M\366\064\230\177\000\000\016\000\000\000\000\000\000\000"... 
nentries = 0 pnentries = 0 flag_search_base_found = 0 flag_no_such_object = 0 flag_referral = 0 flag_psearch = err_code = 0 ctrlp = 0x0 ctl_value = 0x0 iscritical = 0 be_name = index = -1 sent_result = 0 pr_stat = 0 pagesize = -1 estimate = 0 curr_search_count = pr_be = pr_search_result = pr_idx = -1 orig_sdn = 0x0 free_sdn = 1 #20 0x00007f98351c407e in do_search (pb=pb@entry=0x7f96617e9ae0) at ldap/servers/slapd/search.c:378 operation = 0x7f9838bd0fe0 ber = i = err = attrsonly = 0 scope = 0 deref = 0 sizelimit = 0 timelimit = 300 rawbase = 0x7f948fbefbb0 "cn=cpn-m27-01-02.cbls.ccr.buffalo.edu,cn=masters,cn=ipa,cn=etc,dc=cbls,dc=ccr,dc=buffalo,dc=edu" rawbase_set_in_pb = 1 fstr = 0x7f948c338890 "(objectClass=*)" filter = 0x7f948fe574a0 attrs = 0x0 gerattrs = 0x0 psearch = 0 psbvp = 0x0 changetypes = 32664 send_entchg_controls = 252191776 changesonly = 0 rc = -1 strict = minssf_exclude_rootdse = filter_normalized = 0 #21 0x00007f98351b3405 in connection_dispatch_operation (pb=0x7f96617e9ae0, op=0x7f9838bd0fe0, conn=0x7f983bc44360) at ldap/servers/slapd/connection.c:684 minssf = 0 minssf_exclude_rootdse = enable_nagle = 1 pop_cork = 0 #22 connection_threadmain () at ldap/servers/slapd/connection.c:2534 is_timedout = 0 curtime = local_pb = {pb_backend = 0x7f98366e74c0, pb_conn = 0x7f983bc44360, pb_op = 0x7f9838bd0fe0, pb_plugin = 0x7f98364e9f80, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 1, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 
0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x0, op_stack_elem = 0x7f98382489c0, pb_aci_target_check = 0} pb = 0x7f96617e9ae0 conn = 0x7f983bc44360 op = 0x7f9838bd0fe0 tag = 99 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = 0 doshutdown = 0 maxthreads = 5 bypasspollcnt = #23 0x00007f98330d57bb in _pt_root () from /lib64/libnspr4.so No symbol table info available. 
#24 0x00007f9832a76df5 in start_thread () from /lib64/libpthread.so.0 No symbol table info available. #25 0x00007f98327a41ad in clone () from /lib64/libc.so.6 No symbol table info available. Thread 13 (Thread 0x7f9660fe9700 (LWP 24990)): #0 0x00007f9832a7a705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 No symbol table info available. #1 0x00007f98330d02c3 in PR_EnterMonitor () from /lib64/libnspr4.so No symbol table info available. #2 0x00007f98291f7132 in dblayer_lock_backend (be=) at ldap/servers/slapd/back-ldbm/dblayer.c:3946 inst = #3 0x00007f98291fbf36 in dblayer_txn_begin (be=0x7f98366e74c0, parent_txn=0x0, txn=txn@entry=0x7f9660fe42b0) at ldap/servers/slapd/back-ldbm/dblayer.c:3668 li = 0x7f98364e9ce0 rc = 0 #4 0x00007f9829237827 in ldbm_back_modify (pb=) at ldap/servers/slapd/back-ldbm/ldbm_modify.c:560 cache_rc = 0 new_mod_count = 0 be = 0x7f98366e74c0 inst = 0x7f98366efc40 li = 0x7f98364e9ce0 e = 0x0 ec = 0x0 original_entry = 0x0 tmpentry = 0x0 postentry = 0x0 mods = 0x7f94895d5b30 mods_original = 0x0 smods = {mods = 0x0, num_elements = 0, num_mods = 0, iterator = 0, free_mods = 0} txn = {back_txn_txn = 0x0} parent_txn = 0x0 ruv_c = {old_entry = 0x0, new_entry = 0x0, smods = 0x0, attr_encrypt = 0} ruv_c_init = 0 retval = -1 msg = errbuf = 0x0 retry_count = 0 disk_full = 0 ldap_result_code = 0 ldap_result_message = 0x0 rc = 0 operation = 0x7f93d47b63d0 addr = 0x7f93d47b64a8 is_fixup_operation = 0 is_ruv = 0 opcsn = repl_op = 0 opreturn = 0 mod_count = 0 not_an_error = 0 fixup_tombstone = 0 #5 0x00007f9834cd20e1 in op_shared_modify (pb=pb@entry=0x7f948bf234e0, pw_change=pw_change@entry=0, old_pw=0x0) at ldap/servers/slapd/modify.c:1086 rc = 0 be = 0x7f98366e74c0 pse = 0x7f94883d4400 referral = 0x0 e = 0x0 dn = 0x7f93d47b41b0 "fqdn=cpn-d09-06-01.cbls.ccr.buffalo.edu,cn=computers,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu" normdn = sdn = 0x7f948be82a10 passin_sdn = 0 mods = 0x7f94895d5b30 pw_mod = tmpmods = 0x7f94897a3710 smods 
= {mods = 0x0, num_elements = 0, num_mods = 0, iterator = 0, free_mods = 0} repl_op = 0 internal_op = 32 lastmod = 1 skip_modified_attrs = 0 unhashed_pw_attr = 0x0 operation = 0x7f93d47b63d0 errorbuf = "\000D=\210\224\177\000\000\066Y\311\064\230\177\000\000\020\000\000\000\000\000\000\000\216\217\321\064\230\177\000\000\260F\376`\226\177\000\000\260\070?\177\000\000\200E\376`\226\177\000\000\260E\376`\226\177\000\000\320E\376`\226\177\000\000\020\351<\210\224\177\000\000\260F\376`\226\177\000\000\250F\376`\226\177\000\000\000D=\210\224\177\000\000\350E\376`\226\177\000\000\264M\366\064\230\177\000\000\020\351<\210\224\177\000\000\260F\376`\226\177\000\000\bF\376`\226\177\000\000\264M\366\064\230\177\000\000\020\351<\210\224\177\000\000\260F\376`\226\177\000\000\250F\376`\226\177\000\000\000D=\210\224\177\000\000\066Y\311\064\230\177\000\000\020\351<\210\224\177\000\000\024I"... err = lc_mod = p = i = proxydn = 0x0 proxy_err = errtext = 0x0 #6 0x00007f9834cd2ba4 in modify_internal_pb (pb=0x7f948bf234e0) at ldap/servers/slapd/modify.c:631 controls = 0x0 pwpolicy_ctrl = 0 op = 0x7f93d47b63d0 opresult = 0 normalized_mods = 0x7f94897a3710 mods = 0x7f94883e9930 mod = 0x7f94897a3718 smods = {mods = 0x7f9300000000, num_elements = 1520261632, num_mods = -1034264626, iterator = -1947061024, free_mods = 32660} pw_change = old_pw = 0x0 #7 0x00007f982a8d8bd3 in ipalockout_postop () from /usr/lib64/dirsrv/plugins/libipa_lockout.so No symbol table info available. #8 0x00007f9834ce5280 in plugin_call_func (list=0x7f9836464b60, operation=operation@entry=501, pb=pb@entry=0x7f9660fe8ae0, call_one=call_one@entry=0) at ldap/servers/slapd/plugin.c:1952 n = func = 0x7f982a8d8580 rc = return_value = 0 count = 3 locked = 0x0 #9 0x00007f9834ce54d8 in plugin_call_list (pb=0x7f9660fe8ae0, operation=501, list=) at ldap/servers/slapd/plugin.c:1886 No locals. 
#10 plugin_call_plugins (pb=pb@entry=0x7f9660fe8ae0, whichfunction=whichfunction@entry=501) at ldap/servers/slapd/plugin.c:459 p = 0x7f98364a1310 plugin_list_number = 2 rc = 0 do_op = #11 0x00007f98351ac9ff in do_bind (pb=pb@entry=0x7f9660fe8ae0) at ldap/servers/slapd/bind.c:424 ber = err = isroot = 0 method = 163 version = 3 auth_response_requested = 0 pw_response_requested = 0 rawdn = 0x7f95b78a45a0 "P\255\212\267\225\177" dn = saslmech = 0x7f948bee0430 "GSSAPI" cred = {bv_len = 32, bv_val = 0x7f93d478d320 "\004\377\377\377\005\004\004\377"} be = 0x0 ber_rc = rc = 0 sdn = 0x7f948bed61d0 bind_sdn_in_pb = 1 referral = 0x2f657d370dda962e errorbuf = '\000' , "?(\r^\227{\004H\a\343\032\006\372\361\005\355d\241\002q\303,\b\251g\004\017\303\031\306\f?\a\006\310'\251\003y\v%\000\205\270>\033l\326+\aA\350~\027\320Y\240\a\377Hl\024\v+\356\017)H{\005\002", '\000' , "\370\377\017\377\377\377\037\377\377\377\017\377\377\277\037\377\377\377\001\000\000\000\000\022~I\035\005\342\365\005Z\326\357\vXAg\027\350\357\355:\217~&\035\371\331+8\354\252t\vU?\027K\362,\036\262\237=\beh\240\024\360\031_"... 
supported = pmech = authtypebuf = "\200D\314\f\365=\242\002\341\207\307\017\370\301\326\005?\336\001a\347\212\017\016\324\250\033\t\242\071\003\063\034V\002\354\317<\024\000Z\235Z\316_Z?\371\067\033\027 bind_target_entry = 0x0 auto_bind = minssf = minssf_exclude_rootdse = #12 0x00007f98351b343f in connection_dispatch_operation (pb=0x7f9660fe8ae0, op=0x7f9836eac110, conn=0x7f983bc2cc00) at ldap/servers/slapd/connection.c:635 minssf = 0 minssf_exclude_rootdse = enable_nagle = 1 pop_cork = 0 #13 connection_threadmain () at ldap/servers/slapd/connection.c:2534 is_timedout = 0 curtime = local_pb = {pb_backend = 0x7f98364a1080, pb_conn = 0x7f983bc2cc00, pb_op = 0x7f9836eac110, pb_plugin = 0x7f9836464b60, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, 
pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x7f948969dd90, op_stack_elem = 0x7f9838619120, pb_aci_target_check = 0} pb = 0x7f9660fe8ae0 conn = 0x7f983bc2cc00 op = 0x7f9836eac110 tag = 96 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = 0 doshutdown = 0 maxthreads = 5 bypasspollcnt = #14 0x00007f98330d57bb in _pt_root () from /lib64/libnspr4.so No symbol table info available. #15 0x00007f9832a76df5 in start_thread () from /lib64/libpthread.so.0 No symbol table info available. #16 0x00007f98327a41ad in clone () from /lib64/libc.so.6 No symbol table info available. Thread 12 (Thread 0x7f96607e8700 (LWP 24991)): #0 0x00007f9832a7a705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 No symbol table info available. #1 0x00007f982c9f72f3 in __db_hybrid_mutex_suspend () from /lib64/libdb-5.3.so No symbol table info available. #2 0x00007f982c9f6640 in __db_tas_mutex_lock () from /lib64/libdb-5.3.so No symbol table info available. #3 0x00007f982caa0cea in __lock_get_internal () from /lib64/libdb-5.3.so No symbol table info available. 
#4 0x00007f982caa17d0 in __lock_get () from /lib64/libdb-5.3.so No symbol table info available. #5 0x00007f982cacd112 in __db_lget () from /lib64/libdb-5.3.so No symbol table info available. #6 0x00007f982ca145f5 in __bam_search () from /lib64/libdb-5.3.so No symbol table info available. #7 0x00007f982c9ff256 in __bamc_search () from /lib64/libdb-5.3.so No symbol table info available. #8 0x00007f982ca01233 in __bamc_get () from /lib64/libdb-5.3.so No symbol table info available. #9 0x00007f982cab9c56 in __dbc_iget () from /lib64/libdb-5.3.so No symbol table info available. #10 0x00007f982cac8ad2 in __dbc_get_pp () from /lib64/libdb-5.3.so No symbol table info available. #11 0x00007f982922b764 in _entryrdn_get_elem (cursor=cursor@entry=0x7f964982cac0, key=key@entry=0x7f96607deb70, data=data@entry=0x7f96607deba0, comp_key=0x7f95146c1080 "cn=etc", elem=elem@entry=0x7f96607deb60, db_txn=db_txn@entry=0x0) at ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c:1807 rc = ptr = 0x7f9497c188e0 #12 0x00007f982922edea in _entryrdn_index_read (be=be@entry=0x7f98366e74c0, cursor=0x7f964982cac0, srdn=srdn@entry=0x7f96607e0c90, elem=elem@entry=0x7f96607e0c88, parentelem=parentelem@entry=0x0, childelems=childelems@entry=0x0, flags=flags@entry=0, db_txn=db_txn@entry=0x0) at ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c:3340 rc = 0 len = 23 id = 1 nrdn = 0x7f9497e285a0 "dc=cbls,dc=ccr,dc=buffalo,dc=edu" childnrdn = 0x7f95146c1080 "cn=etc" rdnidx = 3 keybuf = 0x7f9514775720 "C1" key = {data = 0x7f9514775720, size = 3, ulen = 3, dlen = 8, doff = 0, app_data = 0x7f94945ead10, flags = 2056} data = {data = 0x7f9497c188e0, size = 23, ulen = 23, dlen = 0, doff = 0, app_data = 0x0, flags = 2048} childnum = 32 curr_childnum = 0 tmpsrdn = 0x7f9494d20bc0 tmpelem = 0x7f9497c188e0 #13 0x00007f982923014a in entryrdn_index_read_ext (be=be@entry=0x7f98366e74c0, sdn=sdn@entry=0x7f9497fb2d60, id=id@entry=0x7f96607e0d24, flags=flags@entry=0, txn=txn at 
entry=0x7f96607e0f00) at ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c:448 rc = 0 ai = 0x7f98367159b0 srdn = {flag = 0 '\000', rdn = 0x7f9497ef67d0 "cn=cpn-d07-25-02.cbls.ccr.buffalo.edu", rdns = 0x0, butcheredupto = -1, nrdn = 0x0, all_rdns = 0x7f9497f9aad0, all_nrdns = 0x7f9494d193e0} db = 0x7f98367d0680 db_txn = 0x0 cursor = 0x7f964982cac0 elem = 0x7f9514738b20 db_retry = #14 0x00007f9829200849 in dn2entry_ext (be=be@entry=0x7f98366e74c0, sdn=sdn@entry=0x7f9497fb2d60, txn=txn@entry=0x7f96607e0f00, flags=flags@entry=0, err=err@entry=0x7f96607e0ddc) at ldap/servers/slapd/back-ldbm/dn2entry.c:92 id = 0 inst = 0x7f98366efc40 ndnv = {bv_len = 95, bv_val = 0x7f94957b6f70 "cn=cpn-d07-25-02.cbls.ccr.buffalo.edu,cn=masters,cn=ipa,cn=etc,dc=cbls,dc=ccr,dc=buffalo,dc=edu"} e = 0x0 indexname = #15 0x00007f9829203651 in find_entry_internal_dn (flags=0, txn=0x7f96607e0f00, lock=0, sdn=0x7f9497fb2d60, be=0x7f98366e74c0, pb=0x7f96607e7ae0) at ldap/servers/slapd/back-ldbm/findentry.c:130 e = 0x7f983bc43b80 err = 0 inst = 0x7f98366efc40 tries = 0 managedsait = 0 #16 find_entry_internal (pb=pb@entry=0x7f96607e7ae0, be=0x7f98366e74c0, lock=lock@entry=0, txn=txn@entry=0x7f96607e0f00, flags=flags@entry=0, addr=, addr=) at ldap/servers/slapd/back-ldbm/findentry.c:293 entry = 0x0 flags = 0 pb = 0x7f96607e7ae0 txn = 0x7f96607e0f00 lock = 0 be = 0x7f98366e74c0 #17 0x00007f982920393e in find_entry (pb=pb@entry=0x7f96607e7ae0, be=, addr=, txn=txn@entry=0x7f96607e0f00) at ldap/servers/slapd/back-ldbm/findentry.c:313 No locals. 
#18 0x00007f982923d9bb in ldbm_back_search (pb=0x7f96607e7ae0) at ldap/servers/slapd/back-ldbm/ldbm_search.c:616 be = 0x7f98366e74c0 inst = 0x7f98366efc40 li = 0x7f98364e9ce0 e = 0x6 candidates = 0x0 base = 0x7f9496c6baa0 "cn=cpn-d07-25-02.cbls.ccr.buffalo.edu,cn=masters,cn=ipa,cn=etc,dc=cbls,dc=ccr,dc=buffalo,dc=edu" basesdn = 0x7f9497fb2d60 scope = 0 controls = 0x0 operation = 0x7f98379480f0 addr = 0x7f98379481c8 estimate = 0 sort = 0 vlv = sort_spec = 0x0 is_sorting_critical = is_sorting_critical_orig = 0 sort_control = 0x0 virtual_list_view = 0 vlv_spec = 0x0 is_vlv_critical = 0 vlv_request_control = {beforeCount = 0, afterCount = 0, tag = 0, index = 0, contentCount = 0, value = {bv_len = 0, bv_val = 0x0}} sr = tmp_err = -1 tmp_desc = 0x0 lookup_returned_allids = 0 backend_count = 0 print_once = 1 txn = {back_txn_txn = 0x0} rc = #19 0x00007f9834cd8d49 in op_shared_search (pb=pb@entry=0x7f96607e7ae0, send_result=send_result@entry=1) at ldap/servers/slapd/opshared.c:831 be_suffix = 0x7f98366ed430 err = 0 next_be = 0x0 base = 0x7f94959f5d20 "cn=cpn-d07-25-02.cbls.ccr.buffalo.edu,cn=masters,cn=ipa,cn=etc,dc=cbls,dc=ccr,dc=buffalo,dc=edu" normbase = fstr = 0x7f9494d910e0 "(objectClass=*)" scope = 0 be = 0x7f98366e74c0 be_single = 0x0 be_list = {...} referral_list = {
0x7f9834f64db4 , 0x0, 0x7f96607e36b0, 0x7f96607e36a8, 0x1, 0xc25a5fce5a9d5a00, 0x7f96607e7ae0, 0x7f9834f64db4 , 0x0, 0x7f98351c312e , 0x0, 0x0, 0x7f98364a35c0, 0x7f96607e3680, 0x0, 0x9c, 0x7f949550fb50, 0x7f984153a420, 0x7f96607e7ae0, 0x0, 0x7f9497c0cfd0, 0x7f949550fb48, 0x0, 0x7f94962282b0, 0x7f96607e58a0, 0x0, 0x0, 0x0, 0x9c, 0x7f94962282b0, 0x7f96607e7ae0, 0x7f9834c95936 , 0x10, 0x7f9834d18f8e , 0x7f9834f70f00 , 0x7f94958822c0, 0x7f96607e3710, 0x7f96607e3740, 0x7f96607e3760, 0x0, 0x7f9834f70f00 , 0x7f9496c8e960, 0x7f96607e7ae0, 0x7f96607e3778, 0x0, 0x7f9496c6d768, 0x1, 0x0, 0x7f9834f70f00 , 0x7f9496c8e960, 0x7f96607e7ae0, 0x7f96607e3870, 0x0, 0x0, 0x7f9834f70f00 , 0x7f9496c8e960...} attrlistbuf = "\"krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwd"... attrliststr = attrs = 0x0 rc = -1 internal_op = basesdn = 0x7f951702e9a0 sdn = 0x7f9497fb2d60 operation = 0x7f98379480f0 referral = 0x0 proxydn = 0x0 proxystr = 0x0 proxy_err = errtext = 0x0 errorbuf = "\000eTimeout\"\000`\226\177\000\000\005\000\000\000\000\000\000\000\066Y\311\064\230\177\000\000\000\000\000\000\000\000\000\000??\177\000\000\350\037\005\027\225\177\000\000(U~`\226\177\000\000\240\331(6\230\177\000\000\060\000\000\000\000\000\000\000\220\034?\224\177\000\000\000\000\000\000\000\000\000\000H\035?\224\177\000\000hM?\177\000\000\001", '\000' , "\060T?\224\177", '\000' , "Z\235Z\316_Z\302(\352?\224\177\000\000(\352?\224\177\000\000\060\352?\224\177\000\000\000\000\000\000\000\000\000\000\264M\366\064\230\177\000\000\016\000\000\000\000\000\000\000\005\000\000\000\000\000\000\000"... 
nentries = 0 pnentries = 0 flag_search_base_found = 0 flag_no_such_object = 0 flag_referral = 0 flag_psearch = err_code = 0 ctrlp = 0x0 ctl_value = 0x0 iscritical = 0 be_name = index = -1 sent_result = 0 pr_stat = 0 pagesize = -1 estimate = 0 curr_search_count = pr_be = pr_search_result = pr_idx = -1 orig_sdn = 0x0 free_sdn = 1 #20 0x00007f98351c407e in do_search (pb=pb at entry=0x7f96607e7ae0) at ldap/servers/slapd/search.c:378 operation = 0x7f98379480f0 ber = i = err = attrsonly = 0 scope = 0 deref = 0 sizelimit = 0 timelimit = 300 rawbase = 0x7f94959f5d20 "cn=cpn-d07-25-02.cbls.ccr.buffalo.edu,cn=masters,cn=ipa,cn=etc,dc=cbls,dc=ccr,dc=buffalo,dc=edu" rawbase_set_in_pb = 1 fstr = 0x7f9494d910e0 "(objectClass=*)" filter = 0x7f9497f73770 attrs = 0x0 gerattrs = 0x0 psearch = 0 psbvp = 0x0 changetypes = 32664 send_entchg_controls = -1387018128 changesonly = 0 rc = -1 strict = minssf_exclude_rootdse = filter_normalized = 0 #21 0x00007f98351b3405 in connection_dispatch_operation (pb=0x7f96607e7ae0, op=0x7f98379480f0, conn=0x7f983bc43b80) at ldap/servers/slapd/connection.c:684 minssf = 0 minssf_exclude_rootdse = enable_nagle = 1 pop_cork = 0 #22 connection_threadmain () at ldap/servers/slapd/connection.c:2534 is_timedout = 0 curtime = local_pb = {pb_backend = 0x7f98366e74c0, pb_conn = 0x7f983bc43b80, pb_op = 0x7f98379480f0, pb_plugin = 0x7f98364e9f80, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 1, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 
0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x0, op_stack_elem = 0x7f98379480d0, pb_aci_target_check = 0} pb = 0x7f96607e7ae0 conn = 0x7f983bc43b80 op = 0x7f98379480f0 tag = 99 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = 0 doshutdown = 0 maxthreads = 5 bypasspollcnt = #23 0x00007f98330d57bb in _pt_root () from /lib64/libnspr4.so No symbol table info available. 
#24 0x00007f9832a76df5 in start_thread () from /lib64/libpthread.so.0 No symbol table info available. #25 0x00007f98327a41ad in clone () from /lib64/libc.so.6 No symbol table info available. Thread 11 (Thread 0x7f965ffe7700 (LWP 24992)): #0 0x00007f9832a7a705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 No symbol table info available. #1 0x00007f982c9f72f3 in __db_hybrid_mutex_suspend () from /lib64/libdb-5.3.so No symbol table info available. #2 0x00007f982c9f6640 in __db_tas_mutex_lock () from /lib64/libdb-5.3.so No symbol table info available. #3 0x00007f982caa0cea in __lock_get_internal () from /lib64/libdb-5.3.so No symbol table info available. #4 0x00007f982caa17d0 in __lock_get () from /lib64/libdb-5.3.so No symbol table info available. #5 0x00007f982cacd112 in __db_lget () from /lib64/libdb-5.3.so No symbol table info available. #6 0x00007f982ca145f5 in __bam_search () from /lib64/libdb-5.3.so No symbol table info available. #7 0x00007f982c9ff256 in __bamc_search () from /lib64/libdb-5.3.so No symbol table info available. #8 0x00007f982ca01233 in __bamc_get () from /lib64/libdb-5.3.so No symbol table info available. #9 0x00007f982cab9c56 in __dbc_iget () from /lib64/libdb-5.3.so No symbol table info available. #10 0x00007f982cac8ad2 in __dbc_get_pp () from /lib64/libdb-5.3.so No symbol table info available. 
#11 0x00007f982922b764 in _entryrdn_get_elem (cursor=cursor at entry=0x7f95ecce2130, key=key at entry=0x7f965ffddb70, data=data at entry=0x7f965ffddba0, comp_key=0x7f94456e7e70 "cn=etc", elem=elem at entry=0x7f965ffddb60, db_txn=db_txn at entry=0x0) at ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c:1807 rc = ptr = 0x7f9447264ab0 #12 0x00007f982922edea in _entryrdn_index_read (be=be at entry=0x7f98366e74c0, cursor=0x7f95ecce2130, srdn=srdn at entry=0x7f965ffdfc90, elem=elem at entry=0x7f965ffdfc88, parentelem=parentelem at entry=0x0, childelems=childelems at entry=0x0, flags=flags at entry=0, db_txn=db_txn at entry=0x0) at ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c:3340 rc = 0 len = 23 id = 1 nrdn = 0x7f9447e2d810 "dc=cbls,dc=ccr,dc=buffalo,dc=edu" childnrdn = 0x7f94456e7e70 "cn=etc" rdnidx = 3 keybuf = 0x7f9444d2f0b0 "C1" key = {data = 0x7f9444d2f0b0, size = 3, ulen = 3, dlen = 2048, doff = 0, app_data = 0x7f9444daa4e0, flags = 2056} data = {data = 0x7f9447264ab0, size = 23, ulen = 23, dlen = 0, doff = 0, app_data = 0x0, flags = 2048} childnum = 32 curr_childnum = 0 tmpsrdn = 0x7f93954c0da0 tmpelem = 0x7f9447264ab0 #13 0x00007f982923014a in entryrdn_index_read_ext (be=be at entry=0x7f98366e74c0, sdn=sdn at entry=0x7f944667b8d0, id=id at entry=0x7f965ffdfd24, flags=flags at entry=0, txn=txn at entry=0x7f965ffdff00) at ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c:448 rc = 0 ai = 0x7f98367159b0 srdn = {flag = 0 '\000', rdn = 0x7f9447ef2540 "cn=cpn-m28-26-01.cbls.ccr.buffalo.edu", rdns = 0x0, butcheredupto = -1, nrdn = 0x0, all_rdns = 0x7f9445a55850, all_nrdns = 0x7f9447ed52f0} db = 0x7f98367d0680 db_txn = 0x0 cursor = 0x7f95ecce2130 elem = 0x7f94471f50c0 db_retry = #14 0x00007f9829200849 in dn2entry_ext (be=be at entry=0x7f98366e74c0, sdn=sdn at entry=0x7f944667b8d0, txn=txn at entry=0x7f965ffdff00, flags=flags at entry=0, err=err at entry=0x7f965ffdfddc) at ldap/servers/slapd/back-ldbm/dn2entry.c:92 id = 0 inst = 0x7f98366efc40 ndnv = {bv_len = 95, bv_val = 
0x7f944579ea70 "cn=cpn-m28-26-01.cbls.ccr.buffalo.edu,cn=masters,cn=ipa,cn=etc,dc=cbls,dc=ccr,dc=buffalo,dc=edu"} e = 0x0 indexname = #15 0x00007f9829203651 in find_entry_internal_dn (flags=0, txn=0x7f965ffdff00, lock=0, sdn=0x7f944667b8d0, be=0x7f98366e74c0, pb=0x7f965ffe6ae0) at ldap/servers/slapd/back-ldbm/findentry.c:130 e = 0x7f983bc1fca0 err = 0 inst = 0x7f98366efc40 tries = 0 managedsait = 0 #16 find_entry_internal (pb=pb at entry=0x7f965ffe6ae0, be=0x7f98366e74c0, lock=lock at entry=0, txn=txn at entry=0x7f965ffdff00, flags=flags at entry=0, addr=, addr=) at ldap/servers/slapd/back-ldbm/findentry.c:293 entry = 0x0 flags = 0 pb = 0x7f965ffe6ae0 txn = 0x7f965ffdff00 lock = 0 be = 0x7f98366e74c0 #17 0x00007f982920393e in find_entry (pb=pb at entry=0x7f965ffe6ae0, be=, addr=, txn=txn at entry=0x7f965ffdff00) at ldap/servers/slapd/back-ldbm/findentry.c:313 No locals. #18 0x00007f982923d9bb in ldbm_back_search (pb=0x7f965ffe6ae0) at ldap/servers/slapd/back-ldbm/ldbm_search.c:616 be = 0x7f98366e74c0 inst = 0x7f98366efc40 li = 0x7f98364e9ce0 e = 0x6 candidates = 0x0 base = 0x7f94474b95a0 "cn=cpn-m28-26-01.cbls.ccr.buffalo.edu,cn=masters,cn=ipa,cn=etc,dc=cbls,dc=ccr,dc=buffalo,dc=edu" basesdn = 0x7f944667b8d0 scope = 0 controls = 0x0 operation = 0x7f95557ebc30 addr = 0x7f95557ebd08 estimate = 0 sort = 0 vlv = sort_spec = 0x0 is_sorting_critical = is_sorting_critical_orig = 0 sort_control = 0x0 virtual_list_view = 0 vlv_spec = 0x0 is_vlv_critical = 0 vlv_request_control = {beforeCount = 0, afterCount = 0, tag = 0, index = 0, contentCount = 0, value = {bv_len = 0, bv_val = 0x0}} sr = tmp_err = -1 tmp_desc = 0x0 lookup_returned_allids = 0 backend_count = 0 print_once = 1 txn = {back_txn_txn = 0x0} rc = #19 0x00007f9834cd8d49 in op_shared_search (pb=pb at entry=0x7f965ffe6ae0, send_result=send_result at entry=1) at ldap/servers/slapd/opshared.c:831 be_suffix = 0x7f98366ed430 err = 0 next_be = 0x0 base = 0x7f9444d2c900 
"cn=cpn-m28-26-01.cbls.ccr.buffalo.edu,cn=masters,cn=ipa,cn=etc,dc=cbls,dc=ccr,dc=buffalo,dc=edu" normbase = fstr = 0x7f9445222dd0 "(objectClass=*)" scope = 0 be = 0x7f98366e74c0 be_single = 0x0 be_list = {0x7f98366e74c0, 0x0, 0x7f98367397e0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x56e02db5, 0x7f94471bced0, 0x0, 0x0, 0x7f9447e1c4b0, 0x7f965ffe02e0, 0x7f965ffe0280, 0x0, 0x7f944725bbf0, 0x90000000e, 0x7400000002, 0x4400000003, 0x7f9600000000, 0x0, 0x7f983282a2e3, 0x7f9834c8f514 , 0x3930333036313032, 0x5a313435303431, 0x7f94474cfe70, 0xffffffff34d0620f, 0x7f955ef34900, 0x7f965ffe0350, 0x1, 0x7f9834c90aff , 0x7f98362b9980, 0x7f965ffe04d8, 0x0, 0x7f9834c916bf , 0x7f955ef34920, 0x0, 0x6e73757972746e65, 0x706d6174736500, 0x687475416c, 0x30, 0x100000031, 0x7f9600010000, 0x200000000, 0x0, 0x7f9447142d50, 0x7f94476cbbe0, 0x1, 0x0, 0x7f965ffe0558, 0x7f965ffe0510, 0x7f965ffe0508, 0x7f9834d061dc , 0x7f9836292ec0, 0x7f965ffe0450, 0x7f965ffe0450, 0x7f9830b70d5b , 0x7f94471fd7f0, 0x7f9444d2eee3, 0x7f9444d2eed2, 0x7f9830b71229 , 0x7f9444d2eee4, 0xc25a5fce5a9d5a00, 0x7f9444d2eee3, 0x7f965ffe0450, 0x0, 0x0, 0x7f94471c3d40, 0x7f9830b6c4d5 , 0x7f9444d2eee3, 0x0, 0x7f965ffe04e0, 0x0, 0x0, 0x7f9834cebadb , 0x0, 0x1, 0x7f965ffe6ae0, 0x2000, 0x7f965ffe04e0, 0x7f965ffe04e0, 0x7f9444db2070, 0x7f965ffe04d8, 0x200000001, 0xffffffff, 0x7f93954cfac0, 0x7f98362b9980, 0xffffffffffffffff, 0x7f9830b70d5b , 0x7f9446f0f090, 0x7f94471fd850, 0x7f94471fd84d, 0x7f9830b71229 , 0x7f94471fd851, 0xc25a5fce5a9d5a00, 0x7f94471fd850, 0x7f965ffe0550, 0x1, 0x0, 0x7f94471fd7f0, 0x7f9830b7143c , 0x7f94471fd850, 0xc25a5fce5a9d5a00, 0x7f98366e74c0, 0x7f965ffe6ae0, 0x1, 0x7f9834ceb5e8 , 0x61653739, 0x7f98362b1b70, 0x61, 0x7f94471fd7f0, 0x5a010004, 0x326465663d010025, 0x3263322d39653739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x59010004, 0x326465663d010025, 0x3263322d38653739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x58010004, 0x326465663d010025, 0x3263322d37653739, 
0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x57010004, 0x326465663d010025, 0x3263322d36653739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x56010004, 0x326465663d010025, 0x3263322d35653739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x55010004, 0x326465663d010025, 0x3263322d34653739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x54010004, 0x326465663d010025, 0x3263322d33653739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x53010004, 0x326465663d010025, 0x3263322d32653739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x52010004, 0x326465663d010025, 0x3263322d31653739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x51010004, 0x326465663d010025, 0x3263322d30653739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x50010004, 0x326465663d010025, 0x3263322d66643739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x4f010004, 0x326465663d010025, 0x3263322d65643739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x4e010004, 0x326465663d010025, 0x3263322d64643739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x4d010004, 0x326465663d010025, 0x3263322d63643739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230...} referral_list = {0x0, 0x7f9838401660, 0x7f965ffe6ae0, 0x0, 0x7f965ffe2310, 0x7f9834d2bcea, 0x7f965ffe2340, 0x7f9834cc9f3f , 0x3000000030, 0x7f965ffe2290, 0x7f965ffe21b0, 0x7f98330bdcc0 , 0xffffffff00000000, 0x7f965ffe243e, 0x67303b, 0xc25a5fce5a9d5a00, 0x0, 0x7f9828fb0094, 0x7f965ffe2490, 0x0, 0xa, 0x7f9828fb0093, 0x7f965ffe24e0, 0x7f98330be19e , 0x7f9600000000, 0x0, 0x7f98366f8d00, 0x7f965ffe226f, 0x7f965ffe2270, 0x7f9834cdc17f , 0x7f965ffe23c0, 0x7f965ffe23c1, 0x7f980b25a2cc, 0x7f9838401660, 0x7f965ffe6ae0, 0x7f9834cf6d68 , 0x266bd, 0x7f965ffe2310, 0x7f9834d2bcea, 0x7f965ffe2340, 0x10, 0x0, 0x10, 0x67, 0xff, 0xffffffff0000003f, 0x6f, 0x7, 0x7f965ffe2320, 0x0, 0x6effffffff, 0x0, 0x0, 0x7c00000077, 0x7f965ffe231f, 
0x7f9834ce171c , 0x7f965ffe0030, 0x7f965ffe2328, 0x3132653230653635, 0x3330303032303030, 0x7f0030303030, 0x0, 0x6536353d6e736320, 0x3030303132653230, 0x3030303330303032, 0xc25a5fce5a9d0030, 0x7f965ffe6ae0, 0x0, 0x0, 0x7f9834cfa31d , 0x7f965ffe6ae0, 0x7f965ffe6ae0, 0x8, 0x7f9834ce5397 , 0x7f9834d1fcca, 0x11800000010, 0xffffffd60000003a, 0x7f9400000000, 0x7f94474e9ec0, 0x0, 0x0, 0xc25a5fce5a9d5a00, 0x7f94474e9ec0, 0x200, 0x7f965ffe6ae0, 0xc25a5fce5a9d5a00, 0x0, 0x7f965ffe6ae0, 0x2, 0x7f9834ce54eb , 0x7f98364e9f80, 0xc25a5fce5a9d5a00, 0x0, 0x353136965ffe6ae0, 0x33373337, 0xc25a5fce5a9d5a00, 0x0, 0x7f965ffe2670, 0x0, 0x7f965ffe6ae0, 0x7f965ffe2658, 0x0, 0x7f98364feb10, 0x7f98330bf1b2 , 0x7f98330bdde0 , 0x7f965ffe2670, 0x7f965ffe2687, 0x7f9400000040, 0x7f955ef4ab28, 0x7f955ef4ab28, 0x7f955ef4ab28, 0xc25a5fce5a9d5a00, 0x7f98366efcc8, 0x7f98330cfe78 , 0x1, 0x7f983bb9a400, 0xffffffff, 0x0 , 0xc25a5fce5a9d5a00, 0x7f983bbd1480, 0xc25a5fce5a9d5a00, 0x7f983bbc73e0, 0x7f9834c9e6f9 , 0x7f983bb9a470, 0x7f9834c9e770 , 0x7f98364feb10, 0x7f983bba4cf0, 0x7f965ffe6ae0, 0x7f98330cff60 , 0x7f983bba4cf0, 0x7f9828f660e0 , 0x85ffe26d0, 0x7f9834cd5fbe , 0x7f9444db2050, 0x7f983bba9ea0, 0x7f983bba9ea0, 0x7f965ffe2658, 0x0, 0x7f965ffe2658, 0x7f965ffe2670, 0x0, 0x7f98364feb10, 0x7f9834c95936 , 0x7f965ffe6ae0, 0x7f9828f726fc , 0x7f98364a35c0, 0x7f965ffe2680, 0x0, 0x0, 0x7f9447f65fa0, 0x7f965ffe2680, 0x7f965ffe6ae0, 0x7f9834c95936 , 0x0, 0x7f9447f65f98, 0x7f94474eb8d0, 0x7f94451093e0, 0x7f94474eb8d0, 0x7f94474eb8d0, 0x7f94474eb8d0, 0x0, 0x7f9834f70f00 , 0x7f94472969e0, 0x7f965ffe6ae0, 0x7f9834c95936 , 0x10, 0x7f9834d18f8e , 0x7f9834f70f00 , 0x7f94474eb8c0, 0x7f965ffe2710, 0x7f965ffe2740, 0x7f965ffe2760, 0x0, 0x7f9834f70f00 , 0x7f94472969e0, 0x7f965ffe6ae0, 0x7f965ffe2778, 0x0, 0x7f93954cfac8, 0x1, 0x0, 0x7f9834f70f00 , 0x7f94472969e0, 0x7f965ffe6ae0, 0x7f965ffe2870, 0x0, 0x0, 0x7f9834f70f00 , 0x7f94472969e0, 0x7f965ffe6ae0, 0x7f9834c95936 ...} attrlistbuf = "\"krbMaxTicketLife krbMaxRenewableAge 
krbTicketFlags\"\000as krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwd"... attrliststr = attrs = 0x0 rc = -1 internal_op = basesdn = 0x7f955f0ce6d0 sdn = 0x7f944667b8d0 operation = 0x7f95557ebc30 referral = 0x0 proxydn = 0x0 proxystr = 0x0 proxy_err = errtext = 0x0 errorbuf = "\000eTimeout\"\000_\226\177\000\000\005\000\000\000\000\000\000\000\066Y\311\064\230\177\000\000\000\000\000\000\000\000\000\000\b\267\356F\224\177\000\000\310\017`G\224\177\000\000(E\376_\226\177\000\000\240\331(6\230\177\000\000\060\000\000\000\000\000\000\000P\212MG\224\177\000\000\000\000\000\000\000\000\000\000\b\213MG\224\177\000\000\bG\202D\224\177\000\000\001", '\000' , "\260J`G\224\177", '\000' , "Z\235Z\316_Z?&\343G\224\177\000\000\250&\343G\224\177\000\000\260&\343G\224\177\000\000\000\000\000\000\000\000\000\000\264M\366\064\230\177\000\000\016"... nentries = 0 pnentries = 0 flag_search_base_found = 0 flag_no_such_object = 0 flag_referral = 0 flag_psearch = err_code = 0 ctrlp = 0x0 ctl_value = 0x0 iscritical = 0 be_name = index = -1 sent_result = 0 pr_stat = 0 pagesize = -1 estimate = 0 curr_search_count = pr_be = pr_search_result = pr_idx = -1 orig_sdn = 0x0 free_sdn = 1 #20 0x00007f98351c407e in do_search (pb=pb at entry=0x7f965ffe6ae0) at ldap/servers/slapd/search.c:378 operation = 0x7f95557ebc30 ber = i = err = attrsonly = 0 scope = 0 deref = 0 sizelimit = 0 timelimit = 300 rawbase = 0x7f9444d2c900 "cn=cpn-m28-26-01.cbls.ccr.buffalo.edu,cn=masters,cn=ipa,cn=etc,dc=cbls,dc=ccr,dc=buffalo,dc=edu" rawbase_set_in_pb = 1 fstr = 0x7f9445222dd0 "(objectClass=*)" filter = 0x7f94476565b0 attrs = 0x0 gerattrs = 0x0 psearch = 0 psbvp = 0x0 changetypes = 32664 send_entchg_controls = 1015546800 changesonly = 0 rc = -1 strict = minssf_exclude_rootdse = filter_normalized = 0 #21 0x00007f98351b3405 in connection_dispatch_operation (pb=0x7f965ffe6ae0, op=0x7f95557ebc30, conn=0x7f983bc1fca0) at 
ldap/servers/slapd/connection.c:684 minssf = 0 minssf_exclude_rootdse = enable_nagle = 1 pop_cork = 0 #22 connection_threadmain () at ldap/servers/slapd/connection.c:2534 is_timedout = 0 curtime = local_pb = {pb_backend = 0x7f98366e74c0, pb_conn = 0x7f983bc1fca0, pb_op = 0x7f95557ebc30, pb_plugin = 0x7f98364e9f80, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 1, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, 
pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x0, op_stack_elem = 0x7f95557ebde0, pb_aci_target_check = 0} pb = 0x7f965ffe6ae0 conn = 0x7f983bc1fca0 op = 0x7f95557ebc30 tag = 99 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = 0 doshutdown = 0 maxthreads = 5 bypasspollcnt = #23 0x00007f98330d57bb in _pt_root () from /lib64/libnspr4.so No symbol table info available. #24 0x00007f9832a76df5 in start_thread () from /lib64/libpthread.so.0 No symbol table info available. #25 0x00007f98327a41ad in clone () from /lib64/libc.so.6 No symbol table info available. Thread 10 (Thread 0x7f965f7e6700 (LWP 24993)): #0 0x00007f9832a7a705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 No symbol table info available. #1 0x00007f982c9f72f3 in __db_hybrid_mutex_suspend () from /lib64/libdb-5.3.so No symbol table info available. #2 0x00007f982c9f6640 in __db_tas_mutex_lock () from /lib64/libdb-5.3.so No symbol table info available. #3 0x00007f982caa0cea in __lock_get_internal () from /lib64/libdb-5.3.so No symbol table info available. #4 0x00007f982caa17d0 in __lock_get () from /lib64/libdb-5.3.so No symbol table info available. #5 0x00007f982cacd112 in __db_lget () from /lib64/libdb-5.3.so No symbol table info available. #6 0x00007f982ca145f5 in __bam_search () from /lib64/libdb-5.3.so No symbol table info available. #7 0x00007f982c9ff256 in __bamc_search () from /lib64/libdb-5.3.so No symbol table info available. 
#8 0x00007f982ca01233 in __bamc_get () from /lib64/libdb-5.3.so No symbol table info available. #9 0x00007f982cab9c56 in __dbc_iget () from /lib64/libdb-5.3.so No symbol table info available. #10 0x00007f982cac8ad2 in __dbc_get_pp () from /lib64/libdb-5.3.so No symbol table info available. #11 0x00007f982922b764 in _entryrdn_get_elem (cursor=cursor at entry=0x7f9649cdee70, key=key at entry=0x7f965f7dcb70, data=data at entry=0x7f965f7dcba0, comp_key=0x7f9464260ef0 "cn=accounts", elem=elem at entry=0x7f965f7dcb60, db_txn=db_txn at entry=0x0) at ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c:1807 rc = ptr = 0x7f94644ec0c0 #12 0x00007f982922edea in _entryrdn_index_read (be=be at entry=0x7f98366e74c0, cursor=0x7f9649cdee70, srdn=srdn at entry=0x7f965f7dec90, elem=elem at entry=0x7f965f7dec88, parentelem=parentelem at entry=0x0, childelems=childelems at entry=0x0, flags=flags at entry=0, db_txn=db_txn at entry=0x0) at ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c:3340 rc = 0 len = 33 id = 1 nrdn = 0x7f94644acc30 "dc=cbls,dc=ccr,dc=buffalo,dc=edu" childnrdn = 0x7f9464260ef0 "cn=accounts" rdnidx = 2 keybuf = 0x7f9529d7ca30 "C1" key = {data = 0x7f9529d7ca30, size = 3, ulen = 3, dlen = 8, doff = 0, app_data = 0x7f9467426a30, flags = 2056} data = {data = 0x7f94644ec0c0, size = 33, ulen = 33, dlen = 0, doff = 0, app_data = 0x0, flags = 2048} childnum = 32 curr_childnum = 0 tmpsrdn = 0x7f9529da4e80 tmpelem = 0x7f94644ec0c0 #13 0x00007f982923014a in entryrdn_index_read_ext (be=be at entry=0x7f98366e74c0, sdn=sdn at entry=0x7f9467420d60, id=id at entry=0x7f965f7ded24, flags=flags at entry=0, txn=txn at entry=0x7f965f7def00) at ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c:448 rc = 0 ai = 0x7f98367159b0 srdn = {flag = 0 '\000', rdn = 0x7f9466b1b4d0 "cn=Default Trust View", rdns = 0x0, butcheredupto = -1, nrdn = 0x0, all_rdns = 0x7f9466b1b4a0, all_nrdns = 0x7f9529ef4730} db = 0x7f98367d0680 db_txn = 0x0 cursor = 0x7f9649cdee70 elem = 0x7f9467a70a60 db_retry = #14 0x00007f9829200849 in 
dn2entry_ext (be=be at entry=0x7f98366e74c0, sdn=sdn at entry=0x7f9467420d60, txn=txn at entry=0x7f965f7def00, flags=flags at entry=0, err=err at entry=0x7f965f7deddc) at ldap/servers/slapd/back-ldbm/dn2entry.c:92 id = 0 inst = 0x7f98366efc40 ndnv = {bv_len = 75, bv_val = 0x7f9466aefa00 "cn=default trust view,cn=views,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu"} e = 0x0 indexname = #15 0x00007f9829203651 in find_entry_internal_dn (flags=0, txn=0x7f965f7def00, lock=0, sdn=0x7f9467420d60, be=0x7f98366e74c0, pb=0x7f965f7e5ae0) at ldap/servers/slapd/back-ldbm/findentry.c:130 e = 0x7f983bc29240 err = 0 inst = 0x7f98366efc40 tries = 0 managedsait = 0 #16 find_entry_internal (pb=pb at entry=0x7f965f7e5ae0, be=0x7f98366e74c0, lock=lock at entry=0, txn=txn at entry=0x7f965f7def00, flags=flags at entry=0, addr=, addr=) at ldap/servers/slapd/back-ldbm/findentry.c:293 entry = 0x0 flags = 0 pb = 0x7f965f7e5ae0 txn = 0x7f965f7def00 lock = 0 be = 0x7f98366e74c0 #17 0x00007f982920393e in find_entry (pb=pb at entry=0x7f965f7e5ae0, be=, addr=, txn=txn at entry=0x7f965f7def00) at ldap/servers/slapd/back-ldbm/findentry.c:313 No locals. 
#18 0x00007f982923d9bb in ldbm_back_search (pb=0x7f965f7e5ae0) at ldap/servers/slapd/back-ldbm/ldbm_search.c:616 be = 0x7f98366e74c0 inst = 0x7f98366efc40 li = 0x7f98364e9ce0 e = 0x6 candidates = 0x0 base = 0x7f9467a8c830 "cn=Default Trust View,cn=views,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu" basesdn = 0x7f9467420d60 scope = 2 controls = 0x0 operation = 0x7f983752eae0 addr = 0x7f983752ebb8 estimate = 0 sort = 0 vlv = sort_spec = 0x0 is_sorting_critical = is_sorting_critical_orig = 0 sort_control = 0x0 virtual_list_view = 0 vlv_spec = 0x0 is_vlv_critical = 0 vlv_request_control = {beforeCount = 0, afterCount = 0, tag = 0, index = 0, contentCount = 0, value = {bv_len = 0, bv_val = 0x0}} sr = tmp_err = -1 tmp_desc = 0x0 lookup_returned_allids = 0 backend_count = 0 print_once = 1 txn = {back_txn_txn = 0x0} rc = #19 0x00007f9834cd8d49 in op_shared_search (pb=pb at entry=0x7f965f7e5ae0, send_result=send_result at entry=1) at ldap/servers/slapd/opshared.c:831 be_suffix = 0x7f98366ed430 err = 0 next_be = 0x0 base = 0x7f9529ef4690 "cn=Default Trust View,cn=views,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu" normbase = fstr = 0x7f9467a86920 "(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:IPA:cbls.ccr.buffalo.edu:e83cbf78-2d2a-11e5-9db4-a0369f577818))" scope = 2 be = 0x7f98366e74c0 be_single = 0x0 be_list = {0x7f98366e74c0, 0x0, 0x7f965f7df250, 0x0, 0x0, 0x0, 0x0, 0x7f952ab8b810, 0x0, 0x0, 0x7f952ab8bae0, 0x0, 0x56e02d99, 0x7f9467c63380, 0x0, 0x0, 0x7f9466a2e800, 0x7f965f7df2e0, 0x7f965f7df280, 0x0, 0x7f9464557490, 0x90000000e, 0x7400000002, 0x4400000003, 0x7f9600000000, 0x0, 0x7f983282a2e3, 0x7f9834c8f514 , 0x3930333036313032, 0x5a333135303431, 0x7f9467e40880, 0xffffffff34d0620f, 0x7f952b6dfd00, 0x7f965f7df350, 0x1, 0x7f9834c90aff , 0x7f98362b9980, 0x7f965f7df4d8, 0x0, 0x7f9834c916bf , 0x7f952b6dfd80, 0x0, 0x6e73757972746e65, 0x706d6174736500, 0x687475416c, 0x30, 0x100000031, 0x7f9600010000, 0x200000000, 0x0, 0x7f9467aa46f0, 0x7f94655bb680, 0x1, 0x0, 0x7f965f7df558, 
0x7f965f7df510, 0x7f965f7df508, 0x7f9834d061dc , 0x7f9836292ec0, 0x7f965f7df450, 0x7f965f7df450, 0x7f9830b70d5b , 0x7f94669d24d0, 0x7f9529d69c83, 0x7f9529d69c72, 0x7f9830b71229 , 0x7f9529d69c84, 0xc25a5fce5a9d5a00, 0x7f9529d69c83, 0x7f965f7df450, 0x0, 0x0, 0x7f94655b65e0, 0x7f9830b6c4d5 , 0x7f9529d69c83, 0x0, 0x7f965f7df4e0, 0x0, 0x0, 0x7f9834cebadb , 0x0, 0x1, 0x7f965f7e5ae0, 0x2000, 0x7f965f7df4e0, 0x7f965f7df4e0, 0x7f952b602890, 0x7f965f7df4d8, 0x200000001, 0xffffffff, 0x7f9467de4330, 0x7f98362b9980, 0xffffffffffffffff, 0x7f9830b70d5b , 0x7f9529f40870, 0x7f94669d2530, 0x7f94669d252d, 0x7f9830b71229 , 0x7f94669d2531, 0xc25a5fce5a9d5a00, 0x7f94669d2530, 0x7f965f7df550, 0x1, 0x0, 0x7f94669d24d0, 0x7f9830b7143c , 0x7f94669d2530, 0xc25a5fce5a9d5a00, 0x7f98366e74c0, 0x7f965f7e5ae0, 0x1, 0x7f9834ceb5e8 , 0x61653739, 0x7f98362b1b70, 0x61, 0x7f94669d24d0, 0x5a010004, 0x326465663d010025, 0x3263322d39653739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x59010004, 0x326465663d010025, 0x3263322d38653739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x58010004, 0x326465663d010025, 0x3263322d37653739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x57010004, 0x326465663d010025, 0x3263322d36653739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x56010004, 0x326465663d010025, 0x3263322d35653739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x55010004, 0x326465663d010025, 0x3263322d34653739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x54010004, 0x326465663d010025, 0x3263322d33653739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x53010004, 0x326465663d010025, 0x3263322d32653739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x52010004, 0x326465663d010025, 0x3263322d31653739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x51010004, 0x326465663d010025, 0x3263322d30653739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x50010004, 0x326465663d010025, 
0x3263322d66643739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x4f010004, 0x326465663d010025, 0x3263322d65643739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x4e010004, 0x326465663d010025, 0x3263322d64643739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x4d010004, 0x326465663d010025, 0x3263322d63643739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230...} referral_list = {0x0, 0x7f98330d1967 <_pr_poll_with_poll+679>, 0x0, 0x7f965f7e1410, 0x7f965f7e1420, 0x7f965f7e11ae, 0x7f96307e11ac, 0xc25a5fce5a9d5a00, 0x1b774000000000, 0x7f9837889950, 0x7f965f7e5ae0, 0xe, 0x7f965f7e13a0, 0x1, 0x61, 0x7f98330bf1b2 , 0x7f98330bdde0 , 0xc25a5fce5a9d5a00, 0x7f965f7e13a2, 0x7f9837889950, 0x7f965f7e5ae0, 0xe, 0x7f965f7e13a0, 0x7f9834d2bcea, 0x7f965f7e13d0, 0x7f9834cc9f3f , 0x3000000030, 0x7f965f7e1320, 0x7f965f7e1240, 0xc25a5fce5a9d5a00, 0x0, 0x0, 0x68e380, 0x1, 0xe, 0x61, 0x0, 0x0, 0x0, 0x7f95f0000070, 0xffff8069a081ed31, 0x7f965f7e12d0, 0x7f965f7e12cf, 0x0, 0x0, 0x0, 0x0, 0x7f9834cdc17f , 0x0, 0x7f965f7e1370, 0x0, 0x7f9834cc261b , 0x7f965f7e5ae0, 0x7f9834cf6e23 , 0x0, 0x7f965f7e13a0, 0x7f9834d2bcea, 0x7f965f7e13d0, 0xaf, 0x0, 0xaf, 0x61, 0xff, 0xffffffff0000003f, 0x7f940000006f, 0x7, 0x7f965f7e13b0, 0x0, 0x6effffffff, 0x0, 0x0, 0x7c00000077, 0x7f965f7e13af, 0x7f9834ce171c , 0x7f965f7e0030, 0x7f9834cdd18c , 0x7f965f7e15a0, 0xc25a5fce5a9d5a00, 0x7f983641d300, 0x0, 0x7f98396e1200, 0x7f98330d5cbf , 0x7f965f7e1410, 0xc25a5fce5a9d5a00, 0x7f965f7e5ae0, 0x0, 0x0, 0x7f9834cfa31d , 0x7f965f7e5ae0, 0x7f965f7e5ae0, 0x8, 0x7f9834ce5397 , 0x9c, 0x118000000af, 0xffffffd60000003a, 0x7f9400000000, 0x7f9467a78100, 0x0, 0x0, 0xc25a5fce5a9d5a00, 0x7f9467a78100, 0x200, 0x7f965f7e5ae0, 0xc25a5fce5a9d5a00, 0x0, 0x7f965f7e5ae0, 0x2, 0x7f9834ce54eb , 0x0, 0xc25a5fce5a9d5a00, 0x0, 0x7f965f7e5ae0, 0xaf, 0x7f9834cf6566 , 0x9c, 0x0, 0xaf, 0xc25a5fce5a9d5a00, 0x7f9467a97709, 0xe, 0x7f965f7e5ae0, 0x7f9467a78100, 0xa9, 0x1, 0x61, 0x7f9834cf8658 , 0x7f9834d2bcea, 
0x7f9834cfa31d , 0x7f965f7e5ae0, 0x7f965f7e5ae0, 0x7f983bc244d0, 0x0, 0x0, 0x61, 0xffffffcb, 0x7f9401000000, 0x5, 0xa300000000, 0x7f9837889950, 0x0, 0x0, 0xc25a5fce5a9d5a00, 0x7f965f7e5ae0, 0x7f965f7e5ae0, 0x7f9834f64db4 , 0x0, 0x7f965f7e16b0, 0x7f965f7e16a8, 0x1, 0xc25a5fce5a9d5a00, 0x7f965f7e5ae0, 0x7f9834f64db4 , 0x0, 0x7f98351c312e , 0x0, 0x0, 0x7f98364a35c0, 0x7f965f7e1680, 0x0, 0x9c, 0x7f9467d670c0, 0x7f98372856e0, 0x7f965f7e5ae0, 0x0, 0x7f9529ee7720, 0x7f9467d670b8, 0x0, 0x7f9529eea5e0, 0x7f965f7e38a0, 0x0, 0x0, 0x0, 0x9c, 0x7f9529eea5e0, 0x7f965f7e5ae0, 0x7f9834c95936 , 0x10, 0x7f9834d18f8e , 0x7f9834f70f00 , 0x7f94655beb70, 0x7f965f7e1710, 0x7f965f7e1740, 0x7f965f7e1760, 0x0, 0x7f9834f70f00 , 0x7f94644ae470, 0x7f965f7e5ae0, 0x7f965f7e1778, 0x0, 0x7f9467de4338, 0x1, 0x0, 0x7f9834f70f00 , 0x7f94644ae470, 0x7f965f7e5ae0, 0x7f965f7e1870, 0x0, 0x0, 0x7f9834f70f00 , 0x7f94644ae470...} attrlistbuf = "\"krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwd"... attrliststr = attrs = 0x0 rc = -1 internal_op = basesdn = 0x7f9467e55da0 sdn = 0x7f9467420d60 operation = 0x7f983752eae0 referral = 0x0 proxydn = 0x0 proxystr = 0x0 proxy_err = errtext = 0x0 errorbuf = "\000eTimeout\"\000_\226\177\000\000\005\000\000\000\000\000\000\000\066Y\311\064\230\177\000\000\000\000\000\000\000\000\000\000\250y\350g\224\177\000\000\070G at d\224\177\000\000(5~_\226\177\000\000\240\331(6\230\177\000\000\060\000\000\000\000\000\000\000\320+\250g\224\177\000\000\000\000\000\000\000\000\000\000\210,\250g\224\177\000\000\250\255\331)\225\177\000\000\001", '\000' , "\200<\365)\225\177", '\000' , "Z\235Z\316_Z\302xgKg\224\177\000\000xgKg\224\177\000\000\200gKg\224\177\000\000\000\000\000\000\000\000\000\000\264M\366\064\230\177\000\000"... 
nentries = 0 pnentries = 0 flag_search_base_found = 0 flag_no_such_object = 0 flag_referral = 0 flag_psearch = err_code = 0 ctrlp = 0x0 ctl_value = 0x0 iscritical = 0 be_name = index = -1 sent_result = 0 pr_stat = 0 pagesize = -1 estimate = 0 curr_search_count = pr_be = pr_search_result = pr_idx = -1 orig_sdn = 0x0 free_sdn = 1 #20 0x00007f98351c407e in do_search (pb=pb at entry=0x7f965f7e5ae0) at ldap/servers/slapd/search.c:378 operation = 0x7f983752eae0 ber = i = err = attrsonly = 0 scope = 2 deref = 0 sizelimit = 0 timelimit = 0 rawbase = 0x7f9529ef4690 "cn=Default Trust View,cn=views,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu" rawbase_set_in_pb = 1 fstr = 0x7f9467a86920 "(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:IPA:cbls.ccr.buffalo.edu:e83cbf78-2d2a-11e5-9db4-a0369f577818))" filter = 0x7f9466a2ea80 attrs = 0x0 gerattrs = 0x0 psearch = 0 psbvp = 0x0 changetypes = 32664 send_entchg_controls = 252191776 changesonly = 0 rc = -1 strict = minssf_exclude_rootdse = filter_normalized = 0 #21 0x00007f98351b3589 in connection_dispatch_operation (pb=0x7f965f7e5ae0, op=0x7f983752eae0, conn=0x7f983bc29240) at ldap/servers/slapd/connection.c:684 minssf = 0 minssf_exclude_rootdse = enable_nagle = 1 pop_cork = 1 #22 connection_threadmain () at ldap/servers/slapd/connection.c:2534 is_timedout = 0 curtime = local_pb = {pb_backend = 0x7f98366e74c0, pb_conn = 0x7f983bc29240, pb_op = 0x7f983752eae0, pb_plugin = 0x7f98364e9f80, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, 
pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x0, op_stack_elem = 0x7f983752ea60, pb_aci_target_check = 0} pb = 0x7f965f7e5ae0 conn = 0x7f983bc29240 op = 0x7f983752eae0 tag = 99 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = 0 doshutdown = 0 maxthreads = 5 bypasspollcnt = #23 0x00007f98330d57bb in _pt_root () from /lib64/libnspr4.so No symbol table info 
available. #24 0x00007f9832a76df5 in start_thread () from /lib64/libpthread.so.0 No symbol table info available. #25 0x00007f98327a41ad in clone () from /lib64/libc.so.6 No symbol table info available. Thread 9 (Thread 0x7f965efe5700 (LWP 24994)): #0 0x00007f9832a7a705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 No symbol table info available. #1 0x00007f98330d02c3 in PR_EnterMonitor () from /lib64/libnspr4.so No symbol table info available. #2 0x00007f98291f7132 in dblayer_lock_backend (be=) at ldap/servers/slapd/back-ldbm/dblayer.c:3946 inst = #3 0x00007f98291fbf36 in dblayer_txn_begin (be=0x7f98366e74c0, parent_txn=0x0, txn=txn at entry=0x7f965efe02b0) at ldap/servers/slapd/back-ldbm/dblayer.c:3668 li = 0x7f98364e9ce0 rc = 0 #4 0x00007f9829237827 in ldbm_back_modify (pb=) at ldap/servers/slapd/back-ldbm/ldbm_modify.c:560 cache_rc = 0 new_mod_count = 0 be = 0x7f98366e74c0 inst = 0x7f98366efc40 li = 0x7f98364e9ce0 e = 0x0 ec = 0x0 original_entry = 0x0 tmpentry = 0x0 postentry = 0x0 mods = 0x7f943dc28eb0 mods_original = 0x0 smods = {mods = 0x0, num_elements = 0, num_mods = 0, iterator = 0, free_mods = 0} txn = {back_txn_txn = 0x0} parent_txn = 0x0 ruv_c = {old_entry = 0x0, new_entry = 0x0, smods = 0x0, attr_encrypt = 0} ruv_c_init = 0 retval = -1 msg = errbuf = 0x0 retry_count = 0 disk_full = 0 ldap_result_code = 0 ldap_result_message = 0x0 rc = 0 operation = 0x7f94ed49ab30 addr = 0x7f94ed49ac08 is_fixup_operation = 0 is_ruv = 0 opcsn = repl_op = 0 opreturn = 0 mod_count = 0 not_an_error = 0 fixup_tombstone = 0 #5 0x00007f9834cd20e1 in op_shared_modify (pb=pb at entry=0x7f943e852a70, pw_change=pw_change at entry=0, old_pw=0x0) at ldap/servers/slapd/modify.c:1086 rc = 0 be = 0x7f98366e74c0 pse = 0x7f943c879110 referral = 0x0 e = 0x0 dn = 0x7f943f85ded0 "fqdn=cpn-d07-27-02.cbls.ccr.buffalo.edu,cn=computers,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu" normdn = sdn = 0x7f94eec4ce70 passin_sdn = 0 mods = 0x7f943dc28eb0 pw_mod = tmpmods = 
0x7f943f845ac0 smods = {mods = 0x0, num_elements = 0, num_mods = 0, iterator = 0, free_mods = 0} repl_op = 0 internal_op = 32 lastmod = 1 skip_modified_attrs = 0 unhashed_pw_attr = 0x0 operation = 0x7f94ed49ab30 errorbuf = "\000\221\207<\224\177\000\000\066Y\311\064\230\177\000\000\020\000\000\000\000\000\000\000\216\217\321\064\230\177\000\000\260\006\376^\226\177\000\000\360\257)=\224\177\000\000\200\005\376^\226\177\000\000\260\005\376^\226\177\000\000\320\005\376^\226\177\000\000p\215\215?\224\177\000\000\260\006\376^\226\177\000\000\250\006\376^\226\177\000\000\020\221\207<\224\177\000\000\350\005\376^\226\177\000\000\264M\366\064\230\177\000\000p\215\215?\224\177\000\000\260\006\376^\226\177\000\000\b\006\376^\226\177\000\000\264M\366\064\230\177\000\000p\215\215?\224\177\000\000\260\006\376^\226\177\000\000\250\006\376^\226\177\000\000\020\221\207<\224\177\000\000\066Y\311\064\230\177\000\000p\215\215?\224\177\000\000"... err = lc_mod = p = i = proxydn = 0x0 proxy_err = errtext = 0x0 #6 0x00007f9834cd2ba4 in modify_internal_pb (pb=0x7f943e852a70) at ldap/servers/slapd/modify.c:631 controls = 0x0 pwpolicy_ctrl = 0 op = 0x7f94ed49ab30 opresult = 0 normalized_mods = 0x7f943f845ac0 mods = 0x7f943db419f0 mod = 0x7f943f845ac8 smods = {mods = 0x7f9400000000, num_elements = 1520261632, num_mods = -1034264626, iterator = 1048914544, free_mods = 32660} pw_change = old_pw = 0x0 #7 0x00007f982a8d8bd3 in ipalockout_postop () from /usr/lib64/dirsrv/plugins/libipa_lockout.so No symbol table info available. #8 0x00007f9834ce5280 in plugin_call_func (list=0x7f9836464b60, operation=operation at entry=501, pb=pb at entry=0x7f965efe4ae0, call_one=call_one at entry=0) at ldap/servers/slapd/plugin.c:1952 n = func = 0x7f982a8d8580 rc = return_value = 0 count = 3 locked = 0x0 #9 0x00007f9834ce54d8 in plugin_call_list (pb=0x7f965efe4ae0, operation=501, list=) at ldap/servers/slapd/plugin.c:1886 No locals. 
#10 plugin_call_plugins (pb=pb at entry=0x7f965efe4ae0, whichfunction=whichfunction at entry=501) at ldap/servers/slapd/plugin.c:459 p = 0x7f98364a1310 plugin_list_number = 2 rc = 0 do_op = #11 0x00007f98351ac9ff in do_bind (pb=pb at entry=0x7f965efe4ae0) at ldap/servers/slapd/bind.c:424 ber = err = isroot = 0 method = 163 version = 3 auth_response_requested = 0 pw_response_requested = 0 rawdn = 0x7f943fdd4bb0 "\241\257\266U" dn = saslmech = 0x7f94ed4a6c70 "GSSAPI" cred = {bv_len = 32, bv_val = 0x7f943fdb1640 "\004\377\377\377\005\004\004\377"} be = 0x0 ber_rc = rc = 0 sdn = 0x7f943fe8e230 bind_sdn_in_pb = 1 referral = 0x0 errorbuf = '\000' , "\067\214x\020Y\v=\fD\373Y\001\214;z\004\342[\274\025\264$\363\v?\245\214\036\203\b\233\f\265\272$\r\262\063\003\016b\331\020\v|C\001\aEl\207\v\316V0\003I#\275\f\222\253(\004v\343\215\016\265:Z\004\002", '\000' , "\370\377\017\377\377\377\037\377\377\377\017\377\377\277\037\377\377\377\001\000\000\000\000\263\033\303\033q\204\265\000o/\326\026\336K\337\037\365\316\340\066\221x\233\026)O\274\064\024J\265\016\355\370\263\027\205\350m\017A\342\360\tHfm\a"... 
supported = pmech = authtypebuf = "\000\000\000\000\000\000\000\000\030\216\204?\224\177\000\000\020\216\204?\224\177\000\000\360\215\204?\224\177\000\000\001\000\000\000\000\000\000\000\330)\376^\226\177\000\000\340J\376^\226\177\000\000\200\201\313=\224\177\000\000\022\006\322\064\230\177\000\000\340)\376^\226\177\000\000\000\000\000\000\000\000\000\000\066Y\311\064\230\177\000\000\000\000\000\000\000\000\000\000\334/\315\064\230\177\000\000\340)\376^\226\177\000\000\000\000\000\000\000\000\000\000\270)\376^\226\177\000\000\330)\376^\226\177\000\000\367\255\244\021H\334j\f)N\r\030\002\000\000\000\300\276%8\230\177\000\000\377\377\377\377\377\377\377\377\360\215\204?\224\177\000\000\000\000\000\000\000\000\000\000\v\357\214?\224\177", '\000' bind_target_entry = 0x0 auto_bind = minssf = minssf_exclude_rootdse = #12 0x00007f98351b343f in connection_dispatch_operation (pb=0x7f965efe4ae0, op=0x7f960c03b460, conn=0x7f983bc28d00) at ldap/servers/slapd/connection.c:635 minssf = 0 minssf_exclude_rootdse = enable_nagle = 1 pop_cork = 0 #13 connection_threadmain () at ldap/servers/slapd/connection.c:2534 is_timedout = 0 curtime = local_pb = {pb_backend = 0x7f98364a1080, pb_conn = 0x7f983bc28d00, pb_op = 0x7f960c03b460, pb_plugin = 0x7f9836464b60, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type 
= 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x7f943ec4f7f0, op_stack_elem = 0x7f960c03b3c0, pb_aci_target_check = 0} pb = 0x7f965efe4ae0 conn = 0x7f983bc28d00 op = 0x7f960c03b460 tag = 96 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = 0 doshutdown = 0 maxthreads = 5 bypasspollcnt = #14 0x00007f98330d57bb in _pt_root () from /lib64/libnspr4.so No symbol table info available. #15 0x00007f9832a76df5 in start_thread () from /lib64/libpthread.so.0 No symbol table info available. 
#16 0x00007f98327a41ad in clone () from /lib64/libc.so.6 No symbol table info available. Thread 8 (Thread 0x7f965e7e4700 (LWP 24995)): #0 0x00007f9832a7a705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 No symbol table info available. #1 0x00007f982c9f72f3 in __db_hybrid_mutex_suspend () from /lib64/libdb-5.3.so No symbol table info available. #2 0x00007f982c9f6640 in __db_tas_mutex_lock () from /lib64/libdb-5.3.so No symbol table info available. #3 0x00007f982caa0cea in __lock_get_internal () from /lib64/libdb-5.3.so No symbol table info available. #4 0x00007f982caa17d0 in __lock_get () from /lib64/libdb-5.3.so No symbol table info available. #5 0x00007f982cacd112 in __db_lget () from /lib64/libdb-5.3.so No symbol table info available. #6 0x00007f982ca145f5 in __bam_search () from /lib64/libdb-5.3.so No symbol table info available. #7 0x00007f982c9ff256 in __bamc_search () from /lib64/libdb-5.3.so No symbol table info available. #8 0x00007f982ca01233 in __bamc_get () from /lib64/libdb-5.3.so No symbol table info available. #9 0x00007f982cab9c56 in __dbc_iget () from /lib64/libdb-5.3.so No symbol table info available. #10 0x00007f982cac8ad2 in __dbc_get_pp () from /lib64/libdb-5.3.so No symbol table info available. 
#11 0x00007f982922b764 in _entryrdn_get_elem (cursor=cursor at entry=0x7f95e0fe3530, key=key at entry=0x7f965e7dab70, data=data at entry=0x7f965e7daba0, comp_key=0x7f94164904c0 "cn=accounts", elem=elem at entry=0x7f965e7dab60, db_txn=db_txn at entry=0x0) at ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c:1807 rc = ptr = 0x7f94146bb050 #12 0x00007f982922edea in _entryrdn_index_read (be=be at entry=0x7f98366e74c0, cursor=0x7f95e0fe3530, srdn=srdn at entry=0x7f965e7dcc90, elem=elem at entry=0x7f965e7dcc88, parentelem=parentelem at entry=0x0, childelems=childelems at entry=0x0, flags=flags at entry=0, db_txn=db_txn at entry=0x0) at ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c:3340 rc = 0 len = 33 id = 1 nrdn = 0x7f941497c210 "dc=cbls,dc=ccr,dc=buffalo,dc=edu" childnrdn = 0x7f94164904c0 "cn=accounts" rdnidx = 2 keybuf = 0x7f941586b1e0 "C1" key = {data = 0x7f941586b1e0, size = 3, ulen = 3, dlen = 8, doff = 0, app_data = 0x7f982c192bf8 , flags = 2056} data = {data = 0x7f94146bb050, size = 33, ulen = 33, dlen = 0, doff = 0, app_data = 0x0, flags = 2048} childnum = 32 curr_childnum = 0 tmpsrdn = 0x7f941523f650 tmpelem = 0x7f94146bb050 #13 0x00007f982923014a in entryrdn_index_read_ext (be=be at entry=0x7f98366e74c0, sdn=sdn at entry=0x7f939c1e6720, id=id at entry=0x7f965e7dcd24, flags=flags at entry=0, txn=txn at entry=0x7f965e7dcf00) at ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c:448 rc = 0 ai = 0x7f98367159b0 srdn = {flag = 0 '\000', rdn = 0x7f94157c3950 "cn=Default Trust View", rdns = 0x0, butcheredupto = -1, nrdn = 0x0, all_rdns = 0x7f94157c3920, all_nrdns = 0x7f941496bf20} db = 0x7f98367d0680 db_txn = 0x0 cursor = 0x7f95e0fe3530 elem = 0x7f941649e510 db_retry = #14 0x00007f9829200849 in dn2entry_ext (be=be at entry=0x7f98366e74c0, sdn=sdn at entry=0x7f939c1e6720, txn=txn at entry=0x7f965e7dcf00, flags=flags at entry=0, err=err at entry=0x7f965e7dcddc) at ldap/servers/slapd/back-ldbm/dn2entry.c:92 id = 0 inst = 0x7f98366efc40 ndnv = {bv_len = 75, bv_val = 0x7f94164b47e0 
"cn=default trust view,cn=views,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu"} e = 0x0 indexname = #15 0x00007f9829203651 in find_entry_internal_dn (flags=0, txn=0x7f965e7dcf00, lock=0, sdn=0x7f939c1e6720, be=0x7f98366e74c0, pb=0x7f965e7e3ae0) at ldap/servers/slapd/back-ldbm/findentry.c:130 e = 0x7f983bc2e4f0 err = 0 inst = 0x7f98366efc40 tries = 0 managedsait = 0 #16 find_entry_internal (pb=pb at entry=0x7f965e7e3ae0, be=0x7f98366e74c0, lock=lock at entry=0, txn=txn at entry=0x7f965e7dcf00, flags=flags at entry=0, addr=, addr=) at ldap/servers/slapd/back-ldbm/findentry.c:293 entry = 0x0 flags = 0 pb = 0x7f965e7e3ae0 txn = 0x7f965e7dcf00 lock = 0 be = 0x7f98366e74c0 #17 0x00007f982920393e in find_entry (pb=pb at entry=0x7f965e7e3ae0, be=, addr=, txn=txn at entry=0x7f965e7dcf00) at ldap/servers/slapd/back-ldbm/findentry.c:313 No locals. #18 0x00007f982923d9bb in ldbm_back_search (pb=0x7f965e7e3ae0) at ldap/servers/slapd/back-ldbm/ldbm_search.c:616 be = 0x7f98366e74c0 inst = 0x7f98366efc40 li = 0x7f98364e9ce0 e = 0x6 candidates = 0x0 base = 0x7f941765a0d0 "cn=Default Trust View,cn=views,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu" basesdn = 0x7f939c1e6720 scope = 2 controls = 0x0 operation = 0x7f9837dc1f30 addr = 0x7f9837dc2008 estimate = 0 sort = 0 vlv = sort_spec = 0x0 is_sorting_critical = is_sorting_critical_orig = 0 sort_control = 0x0 virtual_list_view = 0 vlv_spec = 0x0 is_vlv_critical = 0 vlv_request_control = {beforeCount = 0, afterCount = 0, tag = 0, index = 0, contentCount = 0, value = {bv_len = 0, bv_val = 0x0}} sr = tmp_err = -1 tmp_desc = 0x0 lookup_returned_allids = 0 backend_count = 0 print_once = 1 txn = {back_txn_txn = 0x0} rc = #19 0x00007f9834cd8d49 in op_shared_search (pb=pb at entry=0x7f965e7e3ae0, send_result=send_result at entry=1) at ldap/servers/slapd/opshared.c:831 be_suffix = 0x7f98366ed430 err = 0 next_be = 0x0 base = 0x7f941649d260 "cn=Default Trust View,cn=views,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu" normbase = fstr = 
0x7f941438d8d0 "(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:IPA:cbls.ccr.buffalo.edu:2e0d393c-2cdc-11e5-8ba2-a0369f577818))" scope = 2 be = 0x7f98366e74c0 be_single = 0x0 be_list = {0x7f98366e74c0, 0x0, 0x7f965e7dd278, 0x7f965e7dd23c, 0x0, 0x5e7dd280, 0x100000000, 0xffffffffffffffff, 0x1, 0xffffffff00000000, 0x0, 0x7f98366e74c0, 0x7f98364e9ce0, 0x0, 0x7f9416383ae0, 0x0, 0x1, 0x56e02dc4, 0x0, 0x7f94163d1c20, 0x0, 0x0, 0x7f9415242570, 0xc25a5fce5a9d5a00, 0x7f965e7dd4c4, 0x7f9834ce171c , 0x0, 0xffffffff, 0x7f965e7dd4c4, 0xc25a5fce5a9d5a00, 0x7f941640cee0, 0x0, 0x7f941640cee0, 0x0, 0x0, 0x0, 0x7f965e7dd508, 0xc25a5fce5a9d5a00, 0x0, 0x7f9834cfa31d , 0x7f941640cee0, 0x7f98366e7790, 0x0, 0x30, 0x0, 0x30, 0x100000031, 0x7f9600010000, 0x200000000, 0x0, 0x7f9415242570, 0x7f9416380cf0, 0x1, 0x0, 0x7f965e7dd558, 0x7f965e7dd510, 0x7f965e7dd508, 0x7f965e7dd508, 0x0, 0x0, 0x7f965e7dd558, 0xc25a5fce5a9d5a00, 0x7f941640cee0, 0x0, 0x7f941640cee0, 0x7f9834cd8470 , 0x7f9834d34290, 0x7f965e7e1400, 0x7f9834d2bcea, 0x7f9834d2bcea, 0x0, 0x7f965e7dd520, 0x1, 0x7f965e7dd510, 0x100000001, 0x7f965e7dd550, 0x0, 0x0, 0x7f965e7dd548, 0x7f965e7dd4c4, 0x0, 0x0, 0x7f965e7dd508, 0x1, 0x7f965e7dd4cc, 0x7f965e7dd4e0, 0x1649d8f0, 0x0, 0x200000001, 0xffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x1ffffffff, 0x7f941649d8d0, 0x7f9834d34290, 0x7f941649d260, 0x0, 0x0, 0x7f9415242570, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f9800000001, 0x7f9800000000, 0x0, 0x7f98366e74c0, 0x0, 0x1, 0x7f9834ceb5e8 , 0x61653739, 0x7f98362b1b70, 0x5e, 0x7f939c1d36d0, 0x5a010004, 0x326465663d010025, 0x3263322d39653739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x59010004, 0x326465663d010025, 0x3263322d38653739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x58010004, 0x326465663d010025, 0x3263322d37653739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x57010004, 0x326465663d010025, 0x3263322d36653739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 
0x56010004, 0x326465663d010025, 0x3263322d35653739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x55010004, 0x326465663d010025, 0x3263322d34653739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x54010004, 0x326465663d010025, 0x3263322d33653739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x53010004, 0x326465663d010025, 0x3263322d32653739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x52010004, 0x326465663d010025, 0x3263322d31653739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x51010004, 0x326465663d010025, 0x3263322d30653739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x50010004, 0x326465663d010025, 0x3263322d66643739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x4f010004, 0x326465663d010025, 0x3263322d65643739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x4e010004, 0x326465663d010025, 0x3263322d64643739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230, 0x4d010004, 0x326465663d010025, 0x3263322d63643739, 0x63612d3565313165, 0x652d653766386230, 0x37373361316230...} referral_list = {0x0, 0x7f98330d1967 <_pr_poll_with_poll+679>, 0x0, 0x7f965e7df410, 0x7f965e7df420, 0x7f965e7df1ae, 0x7f96307df1ac, 0xc25a5fce5a9d5a00, 0x1b774000000000, 0x7f98386659a0, 0x7f965e7e3ae0, 0xe, 0x7f965e7df3a0, 0x1, 0x61, 0x7f98330bf1b2 , 0x7f98330bdde0 , 0xc25a5fce5a9d5a00, 0x7f965e7df3a2, 0x7f98386659a0, 0x7f965e7e3ae0, 0xe, 0x7f965e7df3a0, 0x7f9834d2bcea, 0x7f965e7df3d0, 0x7f9834cc9f3f , 0x3000000030, 0x7f965e7df320, 0x7f965e7df240, 0xc25a5fce5a9d5a00, 0x0, 0x0, 0x68e39a, 0x2, 0xe, 0x61, 0x0, 0x0, 0x0, 0x7f95e8000070, 0xffff8069a1820d31, 0x7f965e7df2d0, 0x7f965e7df2cf, 0x0, 0x0, 0x0, 0x0, 0x7f9834cdc17f , 0x0, 0x7f965e7df370, 0x0, 0x7f9834cc261b , 0x7f965e7e3ae0, 0x7f9834cf6e23 , 0x0, 0x7f965e7df3a0, 0x7f9834d2bcea, 0x7f965e7df3d0, 0x30, 0x0, 0x30, 0x61, 0xff, 0xffffffff0000003f, 0x7f940000006f, 0x7, 0x7f965e7df3b0, 0x0, 0x6effffffff, 0x0, 0x0, 0x7c00000077, 
0x7f965e7df3af, 0x7f9834ce171c , 0x7f965e7e0030, 0x7f9834cdd18c , 0x7f965e7df5a0, 0xc25a5fce5a9d5a00, 0x7f983641d300, 0x0, 0x7f9839b5ff00, 0x7f98330d5cbf , 0x7f965e7df410, 0xc25a5fce5a9d5a00, 0x7f965e7e3ae0, 0x0, 0x0, 0x7f9834cfa31d , 0x7f965e7e3ae0, 0x7f965e7e3ae0, 0x8, 0x7f9834ce5397 , 0x20, 0x11800000030, 0xffffffd60000003a, 0x7f9400000000, 0x7f9417e6dab0, 0x0, 0x0, 0xc25a5fce5a9d5a00, 0x7f9417e6dab0, 0x200, 0x7f965e7e3ae0, 0xc25a5fce5a9d5a00, 0x0, 0x7f965e7e3ae0, 0x2, 0x7f9834ce54eb , 0x0, 0xc25a5fce5a9d5a00, 0x0, 0x7f965e7e3ae0, 0x30, 0x7f9834cf6566 , 0x20, 0x0, 0x30, 0xc25a5fce5a9d5a00, 0x7f9417e6dab0, 0xe, 0x7f965e7e3ae0, 0x7f9417e6dab0, 0x2b, 0x1, 0x61, 0x7f9834cf8658 , 0x7f9834d2bcea, 0x7f9834cfa31d , 0x7f965e7e3ae0, 0x7f965e7e3ae0, 0x7f983bc27d40, 0x0, 0x0, 0x61, 0xffffffcb, 0x1000000, 0x7, 0xa300000000, 0x7f98386659a0, 0x0, 0x0, 0xc25a5fce5a9d5a00, 0x7f965e7e3ae0, 0x7f965e7e3ae0, 0x7f9834f64db4 , 0x0, 0x7f965e7df6b0, 0x7f965e7df6a8, 0x1, 0xc25a5fce5a9d5a00, 0x7f965e7e3ae0, 0x7f9834f64db4 , 0x0, 0x7f98351c312e , 0x0, 0x0, 0x7f98364a35c0, 0x7f965e7df680, 0x0, 0x20, 0x7f94159d16d0, 0x7f983d494070, 0x7f965e7e3ae0, 0x7f982dbdc64f, 0x7f9417e8d2f0, 0x7f94159d16c8, 0x0, 0x7f94790cdf00, 0x7f965e7e18a0, 0x0, 0x0, 0x0, 0x20, 0x7f94790cdf00, 0x7f965e7e3ae0, 0x7f9834c95936 , 0x10, 0x7f9834d18f8e , 0x7f9834f70f00 , 0x7f9417653ab0, 0x7f965e7df710, 0x7f965e7df740, 0x7f965e7df760, 0x0, 0x7f9834f70f00 , 0x7f941439de90, 0x7f965e7e3ae0, 0x7f965e7df778, 0x0, 0x7f9415246b48, 0x1, 0x0, 0x7f9834f70f00 , 0x7f941439de90, 0x7f965e7e3ae0, 0x7f965e7df870, 0x0, 0x0, 0x7f9834f70f00 , 0x7f941439de90...} attrlistbuf = "\"* altServer namingContexts supportedControl supportedExtension supportedFeatures supportedLDAPVersion supportedSASLMechanisms domaincontrollerfunctionality defaultnamingcontext lastusn highestcommitt"... 
attrliststr = attrs = 0x0 rc = -1 internal_op = basesdn = 0x7f9414996e80 sdn = 0x7f939c1e6720 operation = 0x7f9837dc1f30 referral = 0x0 proxydn = 0x0 proxystr = 0x0 proxy_err = errtext = 0x0 errorbuf = "\000eTimeout\"\000^\226\177\000\000\005\000\000\000\000\000\000\000\066Y\311\064\230\177\000\000\000\000\000\000\000\000\000\000xge\027\224\177\000\000\b\035d\024\224\177\000\000(\025~^\226\177\000\000\240\331(6\230\177\000\000\060\000\000\000\000\000\000\000\020\301%\234\223\177\000\000\000\000\000\000\000\000\000\000\310\301%\234\223\177\000\000\270\306W\026\224\177\000\000\001", '\000' , "\300MB\026\224\177", '\000' , "Z\235Z\316_Z\302\310\356`\024\224\177\000\000\310\356`\024\224\177\000\000\320\356`\024\224\177\000\000\000\000\000\000\000\000\000\000\264M\366\064\230\177\000\000"... nentries = 0 pnentries = 0 flag_search_base_found = 0 flag_no_such_object = 0 flag_referral = 0 flag_psearch = err_code = 0 ctrlp = 0x0 ctl_value = 0x0 iscritical = 0 be_name = index = -1 sent_result = 0 pr_stat = 0 pagesize = -1 estimate = 0 curr_search_count = pr_be = pr_search_result = pr_idx = -1 orig_sdn = 0x0 free_sdn = 1 #20 0x00007f98351c407e in do_search (pb=pb at entry=0x7f965e7e3ae0) at ldap/servers/slapd/search.c:378 operation = 0x7f9837dc1f30 ber = i = err = attrsonly = 0 scope = 2 deref = 0 sizelimit = 0 timelimit = 0 rawbase = 0x7f941649d260 "cn=Default Trust View,cn=views,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu" rawbase_set_in_pb = 1 fstr = 0x7f941438d8d0 "(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:IPA:cbls.ccr.buffalo.edu:2e0d393c-2cdc-11e5-8ba2-a0369f577818))" filter = 0x7f94164a6d00 attrs = 0x0 gerattrs = 0x0 psearch = 0 psbvp = 0x0 changetypes = 0 send_entchg_controls = 1066215120 changesonly = 0 rc = -1 strict = minssf_exclude_rootdse = filter_normalized = 0 #21 0x00007f98351b3589 in connection_dispatch_operation (pb=0x7f965e7e3ae0, op=0x7f9837dc1f30, conn=0x7f983bc2e4f0) at ldap/servers/slapd/connection.c:684 minssf = 0 minssf_exclude_rootdse = 
enable_nagle = 1 pop_cork = 1 #22 connection_threadmain () at ldap/servers/slapd/connection.c:2534 is_timedout = 0 curtime = local_pb = {pb_backend = 0x7f98366e74c0, pb_conn = 0x7f983bc2e4f0, pb_op = 0x7f9837dc1f30, pb_plugin = 0x7f98364e9f80, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, pb_operation_notes = 0, pb_slapd_argc = 0, pb_slapd_argv = 0x0, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0, pb_result_matched = 0x0, pb_nentries = 0, urls = 0x0, 
pb_import_entry = 0x0, pb_import_state = 0, pb_destroy_content = 0, pb_dse_reapply_mods = 0, pb_urp_naming_collision_dn = 0x0, pb_urp_tombstone_uniqueid = 0x0, pb_server_running = 0, pb_backend_count = 0, pb_pwpolicy_ctrl = 0, pb_vattr_context = 0x0, pb_substrlens = 0x0, pb_plugin_enabled = 0, pb_search_ctrls = 0x0, pb_mr_index_sv_fn = 0x0, pb_syntax_filter_normalized = 0, pb_syntax_filter_data = 0x0, pb_paged_results_index = 0, pwdpolicy = 0x0, op_stack_elem = 0x7f983ab2d7d0, pb_aci_target_check = 0} pb = 0x7f965e7e3ae0 conn = 0x7f983bc2e4f0 op = 0x7f9837dc1f30 tag = 99 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = 0 doshutdown = 0 maxthreads = 5 bypasspollcnt = #23 0x00007f98330d57bb in _pt_root () from /lib64/libnspr4.so No symbol table info available. #24 0x00007f9832a76df5 in start_thread () from /lib64/libpthread.so.0 No symbol table info available. #25 0x00007f98327a41ad in clone () from /lib64/libc.so.6 No symbol table info available. Thread 7 (Thread 0x7f965dfe3700 (LWP 24996)): #0 0x00007f9832a7a705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 No symbol table info available. #1 0x00007f982c9f72f3 in __db_hybrid_mutex_suspend () from /lib64/libdb-5.3.so No symbol table info available. #2 0x00007f982c9f6640 in __db_tas_mutex_lock () from /lib64/libdb-5.3.so No symbol table info available. #3 0x00007f982caa0cea in __lock_get_internal () from /lib64/libdb-5.3.so No symbol table info available. #4 0x00007f982caa17d0 in __lock_get () from /lib64/libdb-5.3.so No symbol table info available. #5 0x00007f982cacd112 in __db_lget () from /lib64/libdb-5.3.so No symbol table info available. #6 0x00007f982ca145f5 in __bam_search () from /lib64/libdb-5.3.so No symbol table info available. #7 0x00007f982c9ff256 in __bamc_search () from /lib64/libdb-5.3.so No symbol table info available. #8 0x00007f982ca01233 in __bamc_get () from /lib64/libdb-5.3.so No symbol table info available. 
#9 0x00007f982cab9c56 in __dbc_iget () from /lib64/libdb-5.3.so
        No symbol table info available.
#10 0x00007f982cac8ad2 in __dbc_get_pp () from /lib64/libdb-5.3.so
        No symbol table info available.
#11 0x00007f982922b764 in _entryrdn_get_elem (cursor=cursor@entry=0x7f95e8910b20, key=key@entry=0x7f965dfd9b70, data=data@entry=0x7f965dfd9ba0, comp_key=0x7f941f1d15f0 "cn=etc", elem=elem@entry=0x7f965dfd9b60, db_txn=db_txn@entry=0x0) at ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c:1807
        rc = ptr = 0x7f941c065e50
#12 0x00007f982922edea in _entryrdn_index_read (be=be@entry=0x7f98366e74c0, cursor=0x7f95e8910b20, srdn=srdn@entry=0x7f965dfdbc90, elem=elem@entry=0x7f965dfdbc88, parentelem=parentelem@entry=0x0, childelems=childelems@entry=0x0, flags=flags@entry=0, db_txn=db_txn@entry=0x0) at ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c:3340
        rc = 0 len = 23 id = 1 nrdn = 0x7f941fecb4b0 "dc=cbls,dc=ccr,dc=buffalo,dc=edu" childnrdn = 0x7f941f1d15f0 "cn=etc" rdnidx = 3 keybuf = 0x7f941e884390 "C1" key = {data = 0x7f941e884390, size = 3, ulen = 3, dlen = 8, doff = 0, app_data = 0x7f957a9f67b0, flags = 2056} data = {data = 0x7f941c065e50, size = 23, ulen = 23, dlen = 0, doff = 0, app_data = 0x0, flags = 2048} childnum = 32 curr_childnum = 0 tmpsrdn = 0x7f941f2c14b0 tmpelem = 0x7f941c065e50
#13 0x00007f982923014a in entryrdn_index_read_ext (be=be@entry=0x7f98366e74c0, sdn=sdn@entry=0x7f941c068de0, id=id@entry=0x7f965dfdbd24, flags=flags@entry=0, txn=txn@entry=0x7f965dfdbf00) at ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c:448
        rc = 0 ai = 0x7f98367159b0 srdn = {flag = 0 '\000', rdn = 0x7f941d30c830 "cn=cpn-d07-18-02.cbls.ccr.buffalo.edu", rdns = 0x0, butcheredupto = -1, nrdn = 0x0, all_rdns = 0x7f941f3cf460, all_nrdns = 0x7f941f41cbd0} db = 0x7f98367d0680 db_txn = 0x0 cursor = 0x7f95e8910b20 elem = 0x7f941f3ed380 db_retry =
#14 0x00007f9829200849 in dn2entry_ext (be=be@entry=0x7f98366e74c0, sdn=sdn@entry=0x7f941c068de0, txn=txn@entry=0x7f965dfdbf00, flags=flags@entry=0, err=err@entry=0x7f965dfdbddc) at ldap/servers/slapd/back-ldbm/dn2entry.c:92
        id = 0 inst = 0x7f98366efc40 ndnv = {bv_len = 95, bv_val = 0x7f9579b57610 "cn=cpn-d07-18-02.cbls.ccr.buffalo.edu,cn=masters,cn=ipa,cn=etc,dc=cbls,dc=ccr,dc=buffalo,dc=edu"} e = 0x0 indexname =
#15 0x00007f9829203651 in find_entry_internal_dn (flags=0, txn=0x7f965dfdbf00, lock=0, sdn=0x7f941c068de0, be=0x7f98366e74c0, pb=0x7f965dfe2ae0) at ldap/servers/slapd/back-ldbm/findentry.c:130
        e = 0x7f983bc338f0 err = 0 inst = 0x7f98366efc40 tries = 0 managedsait = 0
#16 find_entry_internal (pb=pb@entry=0x7f965dfe2ae0, be=0x7f98366e74c0, lock=lock@entry=0, txn=txn@entry=0x7f965dfdbf00, flags=flags@entry=0, addr=, addr=) at ldap/servers/slapd/back-ldbm/findentry.c:293
        entry = 0x0 flags = 0 pb = 0x7f965dfe2ae0 txn = 0x7f965dfdbf00 lock = 0 be = 0x7f98366e74c0
#17 0x00007f982920393e in find_entry (pb=pb@entry=0x7f965dfe2ae0, be=, addr=, txn=txn@entry=0x7f965dfdbf00) at ldap/servers/slapd/back-ldbm/findentry.c:313
        No locals.
#18 0x00007f982923d9bb in ldbm_back_search (pb=0x7f965dfe2ae0) at ldap/servers/slapd/back-ldbm/ldbm_search.c:616
        be = 0x7f98366e74c0 inst = 0x7f98366efc40 li = 0x7f98364e9ce0 e = 0x6 candidates = 0x0 base = 0x7f941fd0a8c0 "cn=cpn-d07-18-02.cbls.ccr.buffalo.edu,cn=masters,cn=ipa,cn=etc,dc=cbls,dc=ccr,dc=buffalo,dc=edu" basesdn = 0x7f941c068de0 scope = 0 controls = 0x0 operation = 0x7f95643c75f0 addr = 0x7f95643c76c8 estimate = 0 sort = 0 vlv = sort_spec = 0x0 is_sorting_critical = is_sorting_critical_orig = 0 sort_control = 0x0 virtual_list_view = 0 vlv_spec = 0x0 is_vlv_critical = 0 vlv_request_control = {beforeCount = 0, afterCount = 0, tag = 0, index = 0, contentCount = 0, value = {bv_len = 0, bv_val = 0x0}} sr = tmp_err = -1 tmp_desc = 0x0 lookup_returned_allids = 0 backend_count = 0 print_once = 1 txn = {back_txn_txn = 0x0} rc =
#19 0x00007f9834cd8d49 in op_shared_search (pb=pb@entry=0x7f965dfe2ae0, send_result=send_result@entry=1) at ldap/servers/slapd/opshared.c:831
        be_suffix = 0x7f98366ed430 err = 0 next_be = 0x0 base = 0x7f941fcdf420 "cn=cpn-d07-18-02.cbls.ccr.buffalo.edu,cn=masters,cn=ipa,cn=etc,dc=cbls,dc=ccr,dc=buffalo,dc=edu" normbase = fstr = 0x7f957aa157f0 "(objectClass=*)" scope = 0 be = 0x7f98366e74c0 be_single = 0x0 attrlistbuf = "\"krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwd"... attrliststr = attrs = 0x0 rc = -1 internal_op = basesdn = 0x7f9579bb5430 sdn = 0x7f941c068de0 operation = 0x7f95643c75f0 referral = 0x0 proxydn = 0x0 proxystr = 0x0 proxy_err = errtext = 0x0 nentries = 0 pnentries = 0 flag_search_base_found = 0 flag_no_such_object = 0 flag_referral = 0 flag_psearch = err_code = 0 ctrlp = 0x0 ctl_value = 0x0 iscritical = 0 be_name = index = -1 sent_result = 0 pr_stat = 0 pagesize = -1 estimate = 0 curr_search_count = pr_be = pr_search_result = pr_idx = -1 orig_sdn = 0x0 free_sdn = 1
#20 0x00007f98351c407e in do_search (pb=pb@entry=0x7f965dfe2ae0) at ldap/servers/slapd/search.c:378
        operation = 0x7f95643c75f0 ber = i = err = attrsonly = 0 scope = 0 deref = 0 sizelimit = 0 timelimit = 300 rawbase = 0x7f941fcdf420 "cn=cpn-d07-18-02.cbls.ccr.buffalo.edu,cn=masters,cn=ipa,cn=etc,dc=cbls,dc=ccr,dc=buffalo,dc=edu" rawbase_set_in_pb = 1 fstr = 0x7f957aa157f0 "(objectClass=*)" filter = 0x7f941fd8dd90 attrs = 0x0 gerattrs = 0x0 psearch = 0 psbvp = 0x0 changetypes = 32664 send_entchg_controls = -831731408 changesonly = 0 rc = -1 strict = minssf_exclude_rootdse = filter_normalized = 0
#21 0x00007f98351b3405 in connection_dispatch_operation (pb=0x7f965dfe2ae0, op=0x7f95643c75f0, conn=0x7f983bc338f0) at ldap/servers/slapd/connection.c:684
        minssf = 0 minssf_exclude_rootdse = enable_nagle = 1 pop_cork = 0
#22 connection_threadmain () at ldap/servers/slapd/connection.c:2534
        is_timedout = 0 curtime = pb = 0x7f965dfe2ae0 conn = 0x7f983bc338f0 op = 0x7f95643c75f0 tag = 99 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = 0 doshutdown = 0 maxthreads = 5 bypasspollcnt =
#23 0x00007f98330d57bb in _pt_root () from /lib64/libnspr4.so
        No symbol table info available.
#24 0x00007f9832a76df5 in start_thread () from /lib64/libpthread.so.0
        No symbol table info available.
#25 0x00007f98327a41ad in clone () from /lib64/libc.so.6
        No symbol table info available.

Thread 6 (Thread 0x7f965d7e2700 (LWP 24997)):
#0 0x00007f9832a7a705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
        No symbol table info available.
#1 0x00007f98330d02c3 in PR_EnterMonitor () from /lib64/libnspr4.so
        No symbol table info available.
#2 0x00007f98291f7132 in dblayer_lock_backend (be=) at ldap/servers/slapd/back-ldbm/dblayer.c:3946
        inst =
#3 0x00007f98291fbf36 in dblayer_txn_begin (be=0x7f98366e74c0, parent_txn=0x0, txn=txn@entry=0x7f965d7dd2b0) at ldap/servers/slapd/back-ldbm/dblayer.c:3668
        li = 0x7f98364e9ce0 rc = 0
#4 0x00007f9829237827 in ldbm_back_modify (pb=) at ldap/servers/slapd/back-ldbm/ldbm_modify.c:560
        cache_rc = 0 new_mod_count = 0 be = 0x7f98366e74c0 inst = 0x7f98366efc40 li = 0x7f98364e9ce0 e = 0x0 ec = 0x0 original_entry = 0x0 tmpentry = 0x0 postentry = 0x0 mods = 0x7f9427c4bcc0 mods_original = 0x0 smods = {mods = 0x0, num_elements = 0, num_mods = 0, iterator = 0, free_mods = 0} txn = {back_txn_txn = 0x0} parent_txn = 0x0 ruv_c = {old_entry = 0x0, new_entry = 0x0, smods = 0x0, attr_encrypt = 0} ruv_c_init = 0 retval = -1 msg = errbuf = 0x0 retry_count = 0 disk_full = 0 ldap_result_code = 0 ldap_result_message = 0x0 rc = 0 operation = 0x7f94241a5a50 addr = 0x7f94241a5b28 is_fixup_operation = 0 is_ruv = 0 opcsn = repl_op = 0 opreturn = 0 mod_count = 0 not_an_error = 0 fixup_tombstone = 0
#5 0x00007f9834cd20e1 in op_shared_modify (pb=pb@entry=0x7f942637f8b0, pw_change=pw_change@entry=0, old_pw=0x0) at ldap/servers/slapd/modify.c:1086
        rc = 0 be = 0x7f98366e74c0 pse = 0x7f9424041080 referral = 0x0 e = 0x0 dn = 0x7f942636af50 "fqdn=cpn-d09-17-02.cbls.ccr.buffalo.edu,cn=computers,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu" normdn = sdn = 0x7f9424029060 passin_sdn = 0 mods = 0x7f9427c4bcc0 pw_mod = tmpmods = 0x7f94263a0140 smods = {mods = 0x0, num_elements = 0, num_mods = 0, iterator = 0, free_mods = 0} repl_op = 0 internal_op = 32 lastmod = 1 skip_modified_attrs = 0 unhashed_pw_attr = 0x0 operation = 0x7f94241a5a50 err = lc_mod = p = i = proxydn = 0x0 proxy_err = errtext = 0x0
#6 0x00007f9834cd2ba4 in modify_internal_pb (pb=0x7f942637f8b0) at ldap/servers/slapd/modify.c:631
        controls = 0x0 pwpolicy_ctrl = 0 op = 0x7f94241a5a50 opresult = 0 normalized_mods = 0x7f94263a0140 mods = 0x7f93a83a0c60 mod = 0x7f94263a0148 smods = {mods = 0x7f9400000000, num_elements = 1520261632, num_mods = -1034264626, iterator = 641202352, free_mods = 32660} pw_change = old_pw = 0x0
#7 0x00007f982a8d8bd3 in ipalockout_postop () from /usr/lib64/dirsrv/plugins/libipa_lockout.so
        No symbol table info available.
#8 0x00007f9834ce5280 in plugin_call_func (list=0x7f9836464b60, operation=operation@entry=501, pb=pb@entry=0x7f965d7e1ae0, call_one=call_one@entry=0) at ldap/servers/slapd/plugin.c:1952
        n = func = 0x7f982a8d8580 rc = return_value = 0 count = 3 locked = 0x0
#9 0x00007f9834ce54d8 in plugin_call_list (pb=0x7f965d7e1ae0, operation=501, list=) at ldap/servers/slapd/plugin.c:1886
        No locals.
#10 plugin_call_plugins (pb=pb@entry=0x7f965d7e1ae0, whichfunction=whichfunction@entry=501) at ldap/servers/slapd/plugin.c:459
        p = 0x7f98364a1310 plugin_list_number = 2 rc = 0 do_op =
#11 0x00007f98351ac9ff in do_bind (pb=pb@entry=0x7f965d7e1ae0) at ldap/servers/slapd/bind.c:424
        ber = err = isroot = 0 method = 163 version = 3 auth_response_requested = 0 pw_response_requested = 0 rawdn = 0x7f94263df700 "`\026\326'\224\177" dn = saslmech = 0x7f9426429dc0 "GSSAPI" cred = {bv_len = 32, bv_val = 0x7f94264a26f0 "\004\377\377\377\005\004\004\377"} be = 0x0 ber_rc = rc = 0 sdn = 0x7f94254db510 bind_sdn_in_pb = 1 referral = 0x0 supported = pmech = bind_target_entry = 0x0 auto_bind = minssf = minssf_exclude_rootdse =
#12 0x00007f98351b343f in connection_dispatch_operation (pb=0x7f965d7e1ae0, op=0x7f98386659a0, conn=0x7f983bc27d40) at ldap/servers/slapd/connection.c:635
        minssf = 0 minssf_exclude_rootdse = enable_nagle = 1 pop_cork = 0
#13 connection_threadmain () at ldap/servers/slapd/connection.c:2534
        is_timedout = 0 curtime = pb = 0x7f965d7e1ae0 conn = 0x7f983bc27d40 op = 0x7f98386659a0 tag = 96 need_wakeup = 1 thread_turbo_flag = ret = more_data = 0 replication_connection = 0 doshutdown = 0 maxthreads = 5 bypasspollcnt =
#14 0x00007f98330d57bb in _pt_root () from /lib64/libnspr4.so
        No symbol table info available.
#15 0x00007f9832a76df5 in start_thread () from /lib64/libpthread.so.0
        No symbol table info available.
#16 0x00007f98327a41ad in clone () from /lib64/libc.so.6
        No symbol table info available.

Thread 5 (Thread 0x7f965cfe1700 (LWP 24998)):
#0 0x00007f983279b8f3 in select () from /lib64/libc.so.6
        No symbol table info available.
#1 0x00007f9834d16459 in DS_Sleep (ticks=ticks@entry=1000) at ldap/servers/slapd/util.c:1118
        mSecs = tm = {tv_sec = 0, tv_usec = 99031}
#2 0x00007f98351b42c5 in time_thread (nothing=) at ldap/servers/slapd/daemon.c:474
        interval = 1000
#3 0x00007f98330d57bb in _pt_root () from /lib64/libnspr4.so
        No symbol table info available.
#4 0x00007f9832a76df5 in start_thread () from /lib64/libpthread.so.0
        No symbol table info available.
#5 0x00007f98327a41ad in clone () from /lib64/libc.so.6
        No symbol table info available.

Thread 4 (Thread 0x7f95df7fe700 (LWP 25001)):
#0 0x00007f9832a7aab2 in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
        No symbol table info available.
#1 0x00007f98330cfb07 in pt_TimedWait () from /lib64/libnspr4.so
        No symbol table info available.
#2 0x00007f98330cffce in PR_WaitCondVar () from /lib64/libnspr4.so
        No symbol table info available.
#3 0x00007f982b70f374 in sync_send_results (arg=) at ldap/servers/plugins/sync/sync_persist.c:602
        req = 0x7f962c00dbe0 qnode = 0x0 qnodenext = conn_acq_flag = 0 conn = 0x7f983bc1e500 op = 0x7f983b0ccef0 rc = connid = 52 opid = 0
#4 0x00007f98330d57bb in _pt_root () from /lib64/libnspr4.so
        No symbol table info available.
#5 0x00007f9832a76df5 in start_thread () from /lib64/libpthread.so.0
        No symbol table info available.
#6 0x00007f98327a41ad in clone () from /lib64/libc.so.6
        No symbol table info available.

Thread 3 (Thread 0x7f95dffff700 (LWP 12057)):
#0 0x00007f9832a7a705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
        No symbol table info available.
#1 0x00007f98330d02c3 in PR_EnterMonitor () from /lib64/libnspr4.so
        No symbol table info available.
#2 0x00007f98291f7132 in dblayer_lock_backend (be=) at ldap/servers/slapd/back-ldbm/dblayer.c:3946
        inst =
#3 0x00007f98291fbf36 in dblayer_txn_begin (be=0x7f98367397e0, parent_txn=0x7f95cd065af0, txn=txn@entry=0x7f95dfff1370) at ldap/servers/slapd/back-ldbm/dblayer.c:3668
        li = 0x7f98364e9ce0 rc = 0
#4 0x00007f982921bb67 in ldbm_back_add (pb=0x7f95ccb1d430) at ldap/servers/slapd/back-ldbm/ldbm_add.c:272
        be = 0x7f98367397e0 li = 0x7f98364e9ce0 inst = 0x7f9836744220 dn = e = 0x7f95ccb1bcb0 tombstoneentry = 0x0 addingentry = 0x0 parententry = 0x0 originalentry = 0x0 tmpentry = 0x0 pid = isroot = 1 errbuf = 0x0 txn = {back_txn_txn = 0x0} parent_txn = 0x7f95cd065af0 retval = -1 msg = managedsait = 0 ldap_result_code = 0 ldap_result_message = 0x0 ldap_result_matcheddn = 0x0 retry_count = disk_full = 0 parent_modify_c = {old_entry = 0x0, new_entry = 0x0, smods = 0x0, attr_encrypt = 0} ruv_c = {old_entry = 0x0, new_entry = 0x0, smods = 0x0, attr_encrypt = 0} parent_found = ruv_c_init = 0 rc = 0 addingentry_id_assigned = sdn = 0x0 parentsdn = {flag = 0 '\000', udn = 0x0, dn = 0x0, ndn = 0x0, ndn_len = 0} operation = 0x7f95ccb1c980 is_replicated_operation = 0 is_resurect_operation = 0 is_tombstone_operation = 0 is_fixup_operation = 0 is_remove_from_cache = 2097152 is_ruv = 0 opcsn = addr = {udn = 0x0, uniqueid = 0x0, sdn = 0x0} not_an_error = 0 parent_switched = 0 noabort = myrc = 0 conn_id = 0 op_id = 0
#5 0x00007f9834c8bf1a in op_shared_add (pb=pb@entry=0x7f95ccb1d430) at ldap/servers/slapd/add.c:735
        rc = 0 ec = 0x7f95cc7606a0 add_target_sdn = 0x7f95cc7619f0 save_e = 0x0 operation = 0x7f95ccb1c980 e = 0x7f95ccb1bcb0 pse = 0xf be = 0x7f98367397e0 err = internal_op = 32 repl_op = 0 legacy_op = 0 lastmod = 1 pwdtype = 0x0 attr = 0x0 referral = 0x0 p = proxydn = 0x0 proxystr = 0x0 proxy_err = errtext = 0x0 sdn = 0x0
#6 0x00007f9834c8c773 in add_internal_pb (pb=pb@entry=0x7f95ccb1d430) at ldap/servers/slapd/add.c:434
        controls = 0x0 op = 0x7f95ccb1c980 opresult = 0 e = 0x7f95ccb1bcb0
#7 0x00007f9834c8d453 in slapi_add_internal_pb (pb=pb@entry=0x7f95ccb1d430) at ldap/servers/slapd/add.c:356
        No locals.
#8 0x00007f9827aa632d in write_replog_db (newsuperior=0x0, modrdn_mods=0x0, newrdn=0x0, log_e=0x0, curtime=1457532345, flag=0, log_m=0x7f95cd50deb0, dn=0x7f95cc7760a0 "uid=ccrgst74,cn=users,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu", optype=, pb=0x7f95cd45d8d0) at ldap/servers/plugins/retrocl/retrocl_po.c:377
        newPb = 0x7f95ccb1d430 changenum = 18281505 edn = 0x7f95ccb1bc60 "changenumber=18281505,cn=changelog" err = 0 vals = {0x7f95dfff3810, 0x0} e = 0x7f95ccb1bcb0 ret = 0 val = {bv_len = 15, bv_val = 0x0} chnobuf = "18281505\000\061\316\064\230\177\000\000\000\000\000" extensibleObject = i =
#9 retrocl_postob (pb=0x7f95cd45d8d0, optype=) at ldap/servers/plugins/retrocl/retrocl_po.c:682
        dn = 0x7f95cc7760a0 "uid=ccrgst74,cn=users,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu" log_m = 0x7f95cd50deb0 flag = 0 te = 0x0 op = 0x7f95cc5f0dd0 modrdn_mods = 0x0 newrdn = 0x0 newsuperior = 0x0 be = 0x7f98366e74c0 curtime = 1457532345 rc =
#10 0x00007f9834ce5280 in plugin_call_func (list=0x7f9836516b80, operation=operation@entry=561, pb=pb@entry=0x7f95cd45d8d0, call_one=call_one@entry=0) at ldap/servers/slapd/plugin.c:1952
        n = func = 0x7f9827aa38e0 rc = return_value = 0 count = 0 locked = 0x0
#11 0x00007f9834ce54d8 in plugin_call_list (pb=0x7f95cd45d8d0, operation=561, list=) at ldap/servers/slapd/plugin.c:1886
        No locals.
#12 plugin_call_plugins (pb=pb@entry=0x7f95cd45d8d0, whichfunction=whichfunction@entry=561) at ldap/servers/slapd/plugin.c:459
        p = 0x7f98364e9f80 plugin_list_number = 20 rc = 0 do_op =
#13 0x00007f9829236be9 in ldbm_back_modify (pb=) at ldap/servers/slapd/back-ldbm/ldbm_modify.c:847
        be = 0x7f98366e74c0 inst = 0x7f98366efc40 li = 0x7f98364e9ce0 e = 0x0 ec = 0x7f95cd283570 original_entry = 0x7f95cd283270 tmpentry = 0x0 postentry = 0x7f95ccb1a3a0 mods = 0x7f95cd50deb0 mods_original = 0x7f95cd50e630 smods = {mods = 0x7f95cd50deb0, num_elements = 5, num_mods = 4, iterator = 0, free_mods = 0} txn = {back_txn_txn = 0x7f95cd065af0} parent_txn = 0x7f95cd258660 ruv_c = {old_entry = 0x0, new_entry = 0x0, smods = 0x0, attr_encrypt = 0} ruv_c_init = 0 retval = 0 msg = errbuf = 0x0 retry_count = disk_full = 0 ldap_result_code = 0 ldap_result_message = 0x0 rc = 0 operation = 0x7f95cc5f0dd0 addr = 0x7f95cc5f0ea8 is_fixup_operation = 0 is_ruv = 0 opcsn = repl_op = 0 opreturn = 0 mod_count = 4 not_an_error = 0 fixup_tombstone = 0
#14 0x00007f9834cd20e1 in op_shared_modify (pb=pb@entry=0x7f95cd45d8d0, pw_change=pw_change@entry=0, old_pw=0x0) at ldap/servers/slapd/modify.c:1086
        rc = 0 be = 0x7f98366e74c0 pse = 0xff530002 referral = 0x0 e = 0x0 dn = 0x7f95cc7760a0 "uid=ccrgst74,cn=users,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu" normdn = sdn = 0x7f95cc5ff4f0 passin_sdn = 1 mods = 0x7f95cc862b60 pw_mod = tmpmods = 0x7f95cc863670 smods = {mods = 0x0, num_elements = 0, num_mods = 0, iterator = 0, free_mods = 0} repl_op = 0 internal_op = 32 lastmod = 1 skip_modified_attrs = 0 unhashed_pw_attr = 0x0 operation = 0x7f95cc5f0dd0 lc_mod = p = i = proxydn = 0x0 proxy_err = errtext = 0x0
#15 0x00007f9834cd2ba4 in modify_internal_pb (pb=pb@entry=0x7f95cd45d8d0) at ldap/servers/slapd/modify.c:631
        controls = 0x0 pwpolicy_ctrl = 0 op = 0x7f95cc5f0dd0 opresult = 0 normalized_mods = 0x7f95cc863670 mods = 0x7f95cc5ff300 mod = 0x7f95cc863678 smods = {mods = 0x7f9500000000, num_elements = 1520261632, num_mods = -1034264626, iterator = -851060528, free_mods = 32661} pw_change = old_pw = 0x0
#16 0x00007f9834cd36a3 in slapi_modify_internal_pb (pb=pb@entry=0x7f95cd45d8d0) at ldap/servers/slapd/modify.c:486
        No locals.
#17 0x00007f98289116f1 in memberof_fix_memberof_callback (e=, callback_data=callback_data@entry=0x7f95dfff6030) at ldap/servers/plugins/memberof/memberof.c:2902
        val = 0x0 mod_pb = 0x7f95cd45d8d0 smod = 0x7f95cd529040 mods = 0x7f95cc5ff300 hint = rc = 0 sdn = 0x7f95cc5ff4f0 config = 0x7f95dfff6030 del_data = {dn = 0x0, type = 0x7f95cd45dbb0 "memberOf"} groups =
#18 0x00007f98289121d5 in memberof_modop_one_replace_r (pb=pb@entry=0x7f95cd5ee4b0, config=config@entry=0x7f95dfff6030, mod_op=mod_op@entry=1, group_sdn=group_sdn@entry=0x7f95cd35fad0, op_this_sdn=op_this_sdn@entry=0x7f95cd35fad0, replace_with_sdn=replace_with_sdn@entry=0x0, op_to_sdn=0x7f95cc862bc0, stack=stack@entry=0x0) at ldap/servers/plugins/memberof/memberof.c:1674
        rc = 0 mod = {mod_op = -864594192, mod_type = 0x0, mod_vals = {modv_strvals = 0x0, modv_bvals = 0x0}} replace_mod = {mod_op = 133, mod_type = 0x10 , mod_vals = {modv_strvals = 0x7f95cd28ec80, modv_bvals = 0x7f95cd28ec80}} mods = {0x7f95ccb0a310, 0x7f983272e18c , 0x0} val = {0x7f95cc7756f0 "member", 0x88 } replace_val = {0x7f95cc775b40 "nsuniqueid=d48e5121-cf5311e5-9a208f7e-e0b1a377,ipauniqueid=ec5e3106-cf53-11e5-b8e8-a0369f577818,cn=hbac,dc=cbls,dc=ccr,dc=buffalo,dc=edu", 0x7f95dfff5e68 "`\214\261?\177"} mod_pb = 0x0 e = 0x7f95cc5ff4f0 ll = 0x0 op_str = op_to = 0x7f95ccb18ee0 "uid=ccrgst74,cn=users,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu" op_this = to_dn_val = 0x7f95ccb18c60 this_dn_val = 0x7f95cc775b10
#19 0x00007f98289123c5 in memberof_modop_one_r (stack=0x0, op_to_sdn=, op_this_sdn=0x7f95cd35fad0, group_sdn=0x7f95cd35fad0, mod_op=1, config=0x7f95dfff6030, pb=0x7f95cd5ee4b0) at ldap/servers/plugins/memberof/memberof.c:1417
        No locals.
#20 memberof_mod_attr_list_r (pb=pb@entry=0x7f95cd5ee4b0, config=config@entry=0x7f95dfff6030, mod=mod@entry=1, group_sdn=group_sdn@entry=0x7f95cd35fad0, op_this_sdn=op_this_sdn@entry=0x7f95cd35fad0, attr=0x7f95cd28ec80, stack=stack@entry=0x0) at ldap/servers/plugins/memberof/memberof.c:1919
        dn_str = 0x7f95cc862a90 "uid=ccrgst74,cn=users,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu" bv = 0x7f95ccb0a310 rc = 0 val = 0x7f95ccb0a310 op_this_val = 0x7f95cc775a10 last_size = 133 last_str = 0x7f95cc862a90 "uid=ccrgst74,cn=users,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu" hint = 0 sdn = 0x7f95cc862bc0
#21 0x00007f98289143e6 in memberof_mod_attr_list (attr=, group_sdn=0x7f95cd35fad0, mod=1, config=0x7f95dfff6030, pb=0x7f95cd5ee4b0) at ldap/servers/plugins/memberof/memberof.c:1858
        No locals.
#22 memberof_del_attr_list (attr=, group_sdn=0x7f95cd35fad0, config=0x7f95dfff6030, pb=0x7f95cd5ee4b0) at ldap/servers/plugins/memberof/memberof.c:1957
        No locals.
#23 memberof_postop_del (pb=0x7f95cd5ee4b0) at ldap/servers/plugins/memberof/memberof.c:579 i = attr = 0x7f95cd28ec80 e = 0x7f95cd29e2c0 ret = 0 configCopy = {groupattrs = 0x7f95cd45d580, memberof_attr = 0x7f95cd45dbb0 "memberOf", allBackends = 0, entryScope = 0x0, entryScopeExcludeSubtree = 0x0, group_filter = 0x7f95cc775c60, group_slapiattrs = 0x7f95cc775c00} sdn = 0x7f95cd35fad0 caller_id = 0x7f98364fcdb0 #24 0x00007f9834ce5280 in plugin_call_func (list=0x7f98364f8f20, operation=operation at entry=563, pb=pb at entry=0x7f95cd5ee4b0, call_one=call_one at entry=0) at ldap/servers/slapd/plugin.c:1952 n = func = 0x7f98289141d0 rc = return_value = 0 count = 8 locked = 0x0 #25 0x00007f9834ce54d8 in plugin_call_list (pb=0x7f95cd5ee4b0, operation=563, list=) at ldap/servers/slapd/plugin.c:1886 No locals. #26 plugin_call_plugins (pb=pb at entry=0x7f95cd5ee4b0, whichfunction=whichfunction at entry=563) at ldap/servers/slapd/plugin.c:459 p = 0x7f98364e9f80 plugin_list_number = 20 rc = 0 do_op = #27 0x00007f982922942e in ldbm_back_delete (pb=0x7f95cd5ee4b0) at ldap/servers/slapd/back-ldbm/ldbm_delete.c:1226 be = 0x7f98366e74c0 inst = 0x7f98366efc40 li = 0x7f98364e9ce0 e = 0x7f944fd376d0 tombstone = 0x0 original_tombstone = 0x0 tmptombstone = 0x0 dn = 0x7f95cc647130 "nsuniqueid=d48e5121-cf5311e5-9a208f7e-e0b1a377,ipaUniqueID=ec5e3106-cf53-11e5-b8e8-a0369f577818,cn=hbac,dc=cbls,dc=ccr,dc=buffalo,dc=edu" txn = {back_txn_txn = 0x7f95cd258660} parent_txn = 0x0 retval = 0 msg = errbuf = 0x0 retry_count = disk_full = 0 parent_found = ruv_c_init = 0 parent_modify_c = {old_entry = 0x7f95bf1a5920, new_entry = 0x7f95cd2fc030, smods = 0x7f95cc6343a0, attr_encrypt = 1} ruv_c = {old_entry = 0x0, new_entry = 0x0, smods = 0x0, attr_encrypt = 0} rc = 0 ldap_result_code = 0 ldap_result_message = 0x0 sdnp = 0x7f95cd35fad0 e_uniqueid = 0x0 nscpEntrySDN = {flag = 0 '\000', udn = 0x0, dn = 0x0, ndn = 0x0, ndn_len = 0} operation = 0x7f95cd3506a0 opcsn = 0x0 is_fixup_operation = 0 is_ruv = 0 
is_replicated_operation = 0 is_tombstone_entry = delete_tombstone_entry = 4096 create_tombstone_entry = 0 addr = 0x7f95cd350778 addordel_flags = 46 entryusn_str = 0x0 orig_entry = 0x0 parentsdn = {flag = 2 '\002', udn = 0x0, dn = 0x7f95cd29bc50 "cn=hbac,dc=cbls,dc=ccr,dc=buffalo,dc=edu", ndn = 0x0, ndn_len = 40} opreturn = 0 free_delete_existing_entry = 0 not_an_error = 0 myrc = 0 conn_id = 0 tombstone_csn = deletion_csn_str = "56d5c822000b00040000" op_id = 0 ep_id = tomb_ep_id = 0 #28 0x00007f9834c99190 in op_shared_delete (pb=pb at entry=0x7f95cd5ee4b0) at ldap/servers/slapd/delete.c:364 rc = 0 rawdn = 0x7f944fde94b0 "nsuniqueid=d48e5121-cf5311e5-9a208f7e-e0b1a377,ipaUniqueID=ec5e3106-cf53-11e5-b8e8-a0369f577818,cn=hbac,dc=cbls,dc=ccr,dc=buffalo,dc=edu" dn = be = 0x7f98366e74c0 internal_op = 32 sdn = 0x7f95cd35fad0 operation = 0x7f95cd3506a0 referral = 0x0 ecopy = 0x0 errorbuf = '\000' ... err = proxydn = 0x0 proxystr = 0x0 proxy_err = errtext = 0x0 #29 0x00007f9834c99342 in delete_internal_pb (pb=pb at entry=0x7f95cd5ee4b0) at ldap/servers/slapd/delete.c:242 controls = 0x0 op = 0x7f95cd3506a0 opresult = 0 #30 0x00007f9834c995f3 in slapi_delete_internal_pb (pb=pb at entry=0x7f95cd5ee4b0) at ldap/servers/slapd/delete.c:185 No locals. 
#31 0x00007f9828f76af8 in _delete_tombstone (tombstone_dn=0x7f944fde94b0 "nsuniqueid=d48e5121-cf5311e5-9a208f7e-e0b1a377,ipaUniqueID=ec5e3106-cf53-11e5-b8e8-a0369f577818,cn=hbac,dc=cbls,dc=ccr,dc=buffalo,dc=edu", uniqueid=0x7f95bee65750 "d48e5121-cf5311e5-9a208f7e-e0b1a377", ext_op_flags=0) at ldap/servers/plugins/replication/repl5_replica.c:2932 ldaprc = 32661 pb = 0x7f95cd5ee4b0 ext_op_flags = 0 uniqueid = 0x7f95bee65750 "d48e5121-cf5311e5-9a208f7e-e0b1a377" tombstone_dn = 0x7f944fde94b0 "nsuniqueid=d48e5121-cf5311e5-9a208f7e-e0b1a377,ipaUniqueID=ec5e3106-cf53-11e5-b8e8-a0369f577818,cn=hbac,dc=cbls,dc=ccr,dc=buffalo,dc=edu" #32 0x00007f9828f79362 in process_reap_entry (entry=0x7f944f540430, cb_data=0x7f95dfffecc0) at ldap/servers/plugins/replication/repl5_replica.c:2993 deletion_csn_str = "?\377\337\001\000\000\000\232\001\000\000\000\000\000\000@\345.?" purge_csn_str = "\000\000\000\000\000\000\000\000@\345.?\177\000\000\001\000\000\000" num_entriesp = 0x7f95dfffecc8 num_purged_entriesp = 0x7f95dfffecd0 purge_csn = tombstone_reap_stop = deletion_csn = #33 0x00007f9834cf9a7d in send_ldap_search_entry_ext (pb=pb at entry=0x7f95cd2ee540, e=, ectrls=ectrls at entry=0x0, attrs=0x7f95cc647490, attrsonly=0, send_result=send_result at entry=0, nentries=nentries at entry=0, urls=urls at entry=0x0) at ldap/servers/slapd/result.c:1544 conn = 0x0 op = 0x7f95cc776110 ber = 0x0 i = rc = 0 logit = 0 alluserattrs = noattrs = some_named_attrs = operation = 0x7f95cc776110 real_attrs_only = 0 ctrlp = 0x0 ecopy = 0x0 searchctrlp = 0x0 #34 0x00007f9834cfa2bc in send_ldap_search_entry (pb=pb at entry=0x7f95cd2ee540, e=, ectrls=ectrls at entry=0x0, attrs=, attrsonly=) at ldap/servers/slapd/result.c:1084 No locals. 
#35 0x00007f9834cd76d3 in iterate (pb=pb at entry=0x7f95cd2ee540, pnentries=pnentries at entry=0x7f95dfff88c8, pagesize=pagesize at entry=-1, pr_statp=pr_statp at entry=0x7f95dfff8844, be=0x7f95cd2ee540, send_result=1) at ldap/servers/slapd/opshared.c:1485 gerentry = 0x0 operation = 0x7f95cc776110 rc = 0 rval = 1 attrsonly = 0 done = 0 e = 0x7f944f540430 attrs = 0x7f95cc647490 pr_stat = 0 pr_idx = -1 #36 0x00007f9834cd787a in send_results_ext (pb=pb at entry=0x7f95cd2ee540, nentries=nentries at entry=0x7f95dfff88c8, pagesize=-1, pr_stat=pr_stat at entry=0x7f95dfff8844, send_result=1) at ldap/servers/slapd/opshared.c:1724 be = 0x7f98366e74c0 rc = #37 0x00007f9834cd91c1 in op_shared_search (pb=pb at entry=0x7f95cd2ee540, send_result=send_result at entry=1) at ldap/servers/slapd/opshared.c:881 be_suffix = 0x7f98366ed430 err = 0 next_be = 0x0 base = 0x7f983bbdb4b0 "dc=cbls,dc=ccr,dc=buffalo,dc=edu" normbase = fstr = 0x7f95dfffed10 "(objectclass=nsTombstone)" scope = 2 be = 0x7f98366e74c0 be_single = 0x7f98366e74c0 be_list = {0x0 } referral_list = {0x0 } attrlistbuf = '\000' attrliststr = attrs = 0x7f95cc647490 rc = 0 internal_op = basesdn = 0x7f95cc6471f0 sdn = 0x7f95cd320120 operation = 0x7f95cc776110 referral = 0x0 proxydn = 0x0 proxystr = 0x0 proxy_err = errtext = 0x0 errorbuf = '\000' ... 
nentries = 0 pnentries = 0 flag_search_base_found = 1 flag_no_such_object = 0 flag_referral = 0 flag_psearch = err_code = 0 ctrlp = 0x7f95ccb15690 ctl_value = 0x0 iscritical = 1 be_name = index = 0 sent_result = 0 pr_stat = 0 pagesize = -1 estimate = 0 curr_search_count = pr_be = pr_search_result = pr_idx = -1 orig_sdn = 0x0 free_sdn = 1 #38 0x00007f9834ce91de in search_internal_callback_pb (pb=pb at entry=0x7f95cd2ee540, callback_data=callback_data at entry=0x7f95dfffecc0, prc=prc at entry=0x7f9828f75be0 , psec=psec at entry=0x7f9828f79260 , prec=prec at entry=0x0) at ldap/servers/slapd/plugin_internal_op.c:812 controls = 0x7f95ccb15690 op = 0x7f95cc776110 filter = 0x7f95cc642c70 fstr = 0x7f95ccb1d980 "(objectclass=nsTombstone)" callback_handler_data = {p_res_callback = 0x7f9828f75be0 , p_srch_entry_callback = 0x7f9828f79260 , p_ref_entry_callback = 0x0, callback_data = 0x7f95dfffecc0} scope = 2 ifstr = 0x7f95dfffed10 "(objectclass=nsTombstone)" opresult = 687299552 rc = 0 tmp_attrs = 0x0 #39 0x00007f9834ce9759 in slapi_search_internal_callback_pb (pb=pb at entry=0x7f95cd2ee540, callback_data=callback_data at entry=0x7f95dfffecc0, prc=prc at entry=0x7f9828f75be0 , psec=psec at entry=0x7f9828f79260 , prec=prec at entry=0x0) at ldap/servers/slapd/plugin_internal_op.c:593 No locals. 
#40 0x00007f9828f7b7b1 in _replica_reap_tombstones (arg=0x7f983bbdd820) at ldap/servers/plugins/replication/repl5_replica.c:3123 tombstone_filter = "(objectclass=nsTombstone)", '\000' , "Z\235Z\316_", oprc = ctrls = 0x7f95ccb15690 cb_data = {rc = 0, num_entries = 0, num_purged_entries = 0, purge_csn = 0x7f95cc63fe00, tombstone_reap_stop = 0x7f983bbb11a8} deletion_csn_str = "\000\000\000\000\000\000\000\000Yd\321\064\230\177\000\000\000\000\000\000" attrs = 0x7f95cd310930 replica_name = 0x7f983bbdd820 "ed35d212-2cb811e5-af63d574-de3f6355" pb = 0x7f95cd2ee540 replica_object = 0x7f983bbde420 replica = 0x7f983bbb1100 purge_csn = 0x7f95cc63fe00 #41 0x00007f98330d57bb in _pt_root () from /lib64/libnspr4.so No symbol table info available. #42 0x00007f9832a76df5 in start_thread () from /lib64/libpthread.so.0 No symbol table info available. #43 0x00007f98327a41ad in clone () from /lib64/libc.so.6 No symbol table info available. Thread 2 (Thread 0x7f98350d9700 (LWP 12059)): #0 0x00007f9832a7a705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 No symbol table info available. #1 0x00007f98330d02c3 in PR_EnterMonitor () from /lib64/libnspr4.so No symbol table info available. 
#2 0x00007f982891431a in memberof_postop_del (pb=0x7f9505362290) at ldap/servers/plugins/memberof/memberof.c:554 e = 0x7f9505366140 ret = 0 configCopy = {groupattrs = 0x7f9505359a30, memberof_attr = 0x7f9505366120 "memberOf", allBackends = 0, entryScope = 0x0, entryScopeExcludeSubtree = 0x0, group_filter = 0x7f9505363090, group_slapiattrs = 0x7f950535a3d0} sdn = 0x7f950535a8f0 caller_id = 0x7f9836517da0 #3 0x00007f9834ce5280 in plugin_call_func (list=0x7f98364f8f20, operation=operation at entry=563, pb=pb at entry=0x7f9505362290, call_one=call_one at entry=0) at ldap/servers/slapd/plugin.c:1952 n = func = 0x7f98289141d0 rc = return_value = 0 count = 8 locked = 0x0 #4 0x00007f9834ce54d8 in plugin_call_list (pb=0x7f9505362290, operation=563, list=) at ldap/servers/slapd/plugin.c:1886 No locals. #5 plugin_call_plugins (pb=pb at entry=0x7f9505362290, whichfunction=whichfunction at entry=563) at ldap/servers/slapd/plugin.c:459 p = 0x7f98364e9f80 plugin_list_number = 20 rc = 0 do_op = #6 0x00007f982922942e in ldbm_back_delete (pb=0x7f9505362290) at ldap/servers/slapd/back-ldbm/ldbm_delete.c:1226 be = 0x7f98367397e0 inst = 0x7f9836744220 li = 0x7f98364e9ce0 e = 0x7f9505367470 tombstone = 0x0 original_tombstone = 0x0 tmptombstone = 0x0 dn = 0x7f9505366ca0 "changenumber=17901598,cn=changelog" txn = {back_txn_txn = 0x7f9505367100} parent_txn = 0x0 retval = 0 msg = errbuf = 0x0 retry_count = disk_full = 0 parent_found = ruv_c_init = 0 parent_modify_c = {old_entry = 0x7f9505366290, new_entry = 0x7f9505366650, smods = 0x7f9505364900, attr_encrypt = 1} ruv_c = {old_entry = 0x0, new_entry = 0x0, smods = 0x0, attr_encrypt = 0} rc = 0 ldap_result_code = 0 ldap_result_message = 0x0 sdnp = 0x7f950535a8f0 e_uniqueid = 0x0 nscpEntrySDN = {flag = 0 '\000', udn = 0x0, dn = 0x0, ndn = 0x0, ndn_len = 0} operation = 0x7f9505365f00 opcsn = 0x0 is_fixup_operation = 0 is_ruv = 0 is_replicated_operation = 0 is_tombstone_entry = delete_tombstone_entry = 0 create_tombstone_entry = 0 addr = 
0x7f9505365fd8 addordel_flags = 38 entryusn_str = 0x0 orig_entry = 0x0 parentsdn = {flag = 2 '\002', udn = 0x0, dn = 0x7f950535a240 "cn=changelog", ndn = 0x0, ndn_len = 12} opreturn = 0 free_delete_existing_entry = 1 not_an_error = 0 myrc = 0 conn_id = 0 tombstone_csn = deletion_csn_str = "\220\"6\005\225\177\000\000\000Z\235Z\316_Z\302\000\000\000\000" op_id = 0 ep_id = tomb_ep_id = 0 #7 0x00007f9834c99190 in op_shared_delete (pb=pb at entry=0x7f9505362290) at ldap/servers/slapd/delete.c:364 rc = 0 rawdn = 0x7f95053593a0 "changenumber=17901598, cn=changelog" dn = be = 0x7f98367397e0 internal_op = 32 sdn = 0x7f950535a8f0 operation = 0x7f9505365f00 referral = 0x0 ecopy = 0x0 errorbuf = '\000' ... err = proxydn = 0x0 proxystr = 0x0 proxy_err = errtext = 0x0 #8 0x00007f9834c99342 in delete_internal_pb (pb=pb at entry=0x7f9505362290) at ldap/servers/slapd/delete.c:242 controls = 0x0 op = 0x7f9505365f00 opresult = 0 #9 0x00007f9834c995f3 in slapi_delete_internal_pb (pb=pb at entry=0x7f9505362290) at ldap/servers/slapd/delete.c:185 No locals. #10 0x00007f9827aa6afe in delete_changerecord (cnum=cnum at entry=17901598) at ldap/servers/plugins/retrocl/retrocl_trim.c:117 pb = 0x7f9505362290 dnbuf = 0x7f95053593a0 "changenumber=17901598, cn=changelog" delrc = 32664 #11 0x00007f9827aa6dd1 in trim_changelog () at ldap/servers/plugins/retrocl/retrocl_trim.c:316 did_delete = 0 done = 0 last_in_log = me = 172800 lt = ldrc = now = 1457532345 first_in_log = 17901598 num_deleted = 9 #12 changelog_trim_thread_fn (arg=) at ldap/servers/plugins/retrocl/retrocl_trim.c:359 No locals. #13 0x00007f98330d57bb in _pt_root () from /lib64/libnspr4.so No symbol table info available. #14 0x00007f9832a76df5 in start_thread () from /lib64/libpthread.so.0 No symbol table info available. #15 0x00007f98327a41ad in clone () from /lib64/libc.so.6 No symbol table info available. 
From cal-s at blue-bolt.com Wed Mar 9 15:59:07 2016
From: cal-s at blue-bolt.com (Cal Sawyer)
Date: Wed, 9 Mar 2016 15:59:07 +0000
Subject: [Freeipa-users] Replica without CA: implications?
Message-ID: <56E0484B.4080006@blue-bolt.com>

Hi

Somehow i picked the wrong cookbook when i provisioned my first (and only) replica and it lacks CA aso, as pointed out in a recent thread, creates a single point of failure. Not ready to set up more 2 replicas yet and am still in testing. Is it possible to replicate the master's CA to the replica without destroying and reprovisioning with --setup-ca this time?

thanks

- cal sawyer

From simo at redhat.com Wed Mar 9 16:13:44 2016
From: simo at redhat.com (Simo Sorce)
Date: Wed, 09 Mar 2016 11:13:44 -0500
Subject: [Freeipa-users] Replica without CA: implications?
In-Reply-To: <56E0484B.4080006@blue-bolt.com>
References: <56E0484B.4080006@blue-bolt.com>
Message-ID: <1457540024.8257.279.camel@redhat.com>

On Wed, 2016-03-09 at 15:59 +0000, Cal Sawyer wrote:
> Hi
>
> Somehow i picked the wrong cookbook when i provisioned my first (and
> only) replica and it lacks CA aso, as pointed out in a recent thread,
> creates a single point of failure. Not ready to set up more 2 replicas
> yet and am still in testing. Is it possible to replicate the master's
> CA to the replica without destroying and reprovisioning with --setup-ca
> this time?

Use ipa-ca-install on the replica.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From lkrispen at redhat.com Wed Mar 9 16:21:50 2016
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Wed, 09 Mar 2016 17:21:50 +0100
Subject: [Freeipa-users] ipa replica failed PR_DeleteSemaphore
In-Reply-To: <20160309154631.GC24736@dead.ccr.buffalo.edu>
References: <20160309144657.GA24736@dead.ccr.buffalo.edu> <56E03D98.9030705@redhat.com> <20160309153705.GB24736@dead.ccr.buffalo.edu> <20160309154631.GC24736@dead.ccr.buffalo.edu>
Message-ID: <56E04D9E.2040005@redhat.com>

On 03/09/2016 04:46 PM, Andrew E. Bruno wrote:
> On Wed, Mar 09, 2016 at 10:37:05AM -0500, Andrew E. Bruno wrote:
>> On Wed, Mar 09, 2016 at 04:13:28PM +0100, Ludwig Krispenz wrote:
>>> if the process hangs, could you get a pstack from the process ?
>>
>> I'd be happy to provide a pstack but can't seem to get the correct debuginfo
>> packages installed.. we're running centos7 and 389-ds-base 1.3.3.1. We haven't
>> upgraded to 1.3.4.0. How can I get the debuginfo packages installed for that
>> specific version.
> Nevermind.. i got the debuginfo packages. Attached is the stacktrace of
> our second failed replicate that's currently hung.

not sure, but the process could be in a deadlock, there are threads in the retro cl and memberof plugin and we have seen deadlocks there. In that case restart or stop would not be able to stop the ds process.
You can try ipactl stop and if the ds process is still running, you have to kill it
>
> Should we systemctl restart ipa? What's the best way to recover here.
> reboot?
>
> Thanks again.
>
> --Andrew

--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill

From pspacek at redhat.com Wed Mar 9 16:19:24 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 9 Mar 2016 17:19:24 +0100
Subject: [Freeipa-users] [requirements gathering] Notification system / hooks
Message-ID: <56E04D0C.1080601@redhat.com>

Dear users,

FreeIPA team is thinking about adding notification system (or 'hooks') to various parts of FreeIPA. If you happen to know about a use-case for hook or an event you want to react to please let us know.

Example:
- As admin, I want to call my custom script when a host is deleted. (E.g. to do cleanup in our other internal systems.)
- As user, I want to get a notification when ...

Be creative and let us know as soon as you find the use-case.

Thank you very much!

BTW design page is on: http://www.freeipa.org/page/V4/Notification_system (but it is mostly empty at the moment).

--
Petr^2 Spacek

From aebruno2 at buffalo.edu Wed Mar 9 16:51:39 2016
From: aebruno2 at buffalo.edu (Andrew E. Bruno)
Date: Wed, 9 Mar 2016 11:51:39 -0500
Subject: [Freeipa-users] ipa replica failed PR_DeleteSemaphore
In-Reply-To: <56E04D9E.2040005@redhat.com>
References: <20160309144657.GA24736@dead.ccr.buffalo.edu> <56E03D98.9030705@redhat.com> <20160309153705.GB24736@dead.ccr.buffalo.edu> <20160309154631.GC24736@dead.ccr.buffalo.edu> <56E04D9E.2040005@redhat.com>
Message-ID: <20160309165139.GD24736@dead.ccr.buffalo.edu>

On Wed, Mar 09, 2016 at 05:21:50PM +0100, Ludwig Krispenz wrote:
>
> On 03/09/2016 04:46 PM, Andrew E. Bruno wrote:
> >On Wed, Mar 09, 2016 at 10:37:05AM -0500, Andrew E.
Bruno wrote:
> >>On Wed, Mar 09, 2016 at 04:13:28PM +0100, Ludwig Krispenz wrote:
> >>>if the process hangs, could you get a pstack from the process ?
> >>
> >>I'd be happy to provide a pstack but can't seem to get the correct debuginfo
> >>packages installed.. we're running centos7 and 389-ds-base 1.3.3.1. We haven't
> >>upgraded to 1.3.4.0. How can I get the debuginfo packages installed for that
> >>specific version.
> >Nevermind.. i got the debuginfo packages. Attached is the stacktrace of
> >our second failed replicate that's currently hung.
> not sure, but the process could be in a deadlock, there are threads in the
> retro cl and memberof plugin and we have seen deadlocks there. In that case
> restart or stop would not be able to stop the ds process. You can try ipactl
> stop and if the ds process is still running, you have to kill it

Our first master came back up after the restart and appears to be working again. The second replica that was hung, we did a ipactl stop and it killed the ds process. Running a ipactl start now. We got the same error:

[09/Mar/2016:11:33:03 -0500] NSMMReplicationPlugin - changelog program - _cl5NewDBFile: PR_DeleteSemaphore: /var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/ed35d212-2cb811e5-af63d574-de3f6355.sema; NSPR error - -5943

We're going to let this run and hopefully will come back up.

Just want to confirm again that these can be safely ignored:

[09/Mar/2016:10:23:10 -0500] DSRetroclPlugin - delete_changerecord: could not delete change record 11272989 (rc: 32)
[09/Mar/2016:10:23:10 -0500] DSRetroclPlugin - delete_changerecord: could not delete change record 11272990 (rc: 32)

They fill up the logs when bringing the ds back up.

We seem to keep getting bit by this deadlock [1,2]. Replicas become unresponsive, file descriptor counts increase. Other than a pstack, if there's any other info we can provide/check let us know.

We'll be upgrading to centos 7.2 and 389-ds-base 1.3.4 next week.
As always, thanks again for the help and quick responses.

Best,

--Andrew

[1] https://www.redhat.com/archives/freeipa-users/2015-September/msg00006.html
[2] https://www.redhat.com/archives/freeipa-users/2015-June/msg00389.html

From lkrispen at redhat.com Wed Mar 9 17:08:04 2016
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Wed, 09 Mar 2016 18:08:04 +0100
Subject: [Freeipa-users] ipa replica failed PR_DeleteSemaphore
In-Reply-To: <20160309165139.GD24736@dead.ccr.buffalo.edu>
References: <20160309144657.GA24736@dead.ccr.buffalo.edu> <56E03D98.9030705@redhat.com> <20160309153705.GB24736@dead.ccr.buffalo.edu> <20160309154631.GC24736@dead.ccr.buffalo.edu> <56E04D9E.2040005@redhat.com> <20160309165139.GD24736@dead.ccr.buffalo.edu>
Message-ID: <56E05874.5020907@redhat.com>

On 03/09/2016 05:51 PM, Andrew E. Bruno wrote:
> On Wed, Mar 09, 2016 at 05:21:50PM +0100, Ludwig Krispenz wrote:
>> On 03/09/2016 04:46 PM, Andrew E. Bruno wrote:
>>> On Wed, Mar 09, 2016 at 10:37:05AM -0500, Andrew E. Bruno wrote:
>>>> On Wed, Mar 09, 2016 at 04:13:28PM +0100, Ludwig Krispenz wrote:
>>>>> if the process hangs, could you get a pstack from the process ?
>>>> I'd be happy to provide a pstack but can't seem to get the correct debuginfo
>>>> packages installed.. we're running centos7 and 389-ds-base 1.3.3.1. We haven't
>>>> upgraded to 1.3.4.0. How can I get the debuginfo packages installed for that
>>>> specific version.
>>> Nevermind.. i got the debuginfo packages. Attached is the stacktrace of
>>> our second failed replicate that's currently hung.
>> not sure, but the process could be in a deadlock, there are threads in the
>> retro cl and memberof plugin and we have seen deadlocks there. In that case
>> restart or stop would not be able to stop the ds process. You can try ipactl
>> stop and if the ds process is still running, you have to kill it
> Our first master came back up after the restart and appears to be
> working again.
The second replica that was hung, we did a ipactl stop
> and it killed the ds process. Running a ipactl start now. We got the
> same error:
>
>
> [09/Mar/2016:11:33:03 -0500] NSMMReplicationPlugin - changelog program - _cl5NewDBFile: PR_DeleteSemaphore: /var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/ed35d212-2cb811e5-af63d574-de3f6355.sema; NSPR error - -5943

if ds is cleanly shutdown this file should be removed, if ds is killed it remains and should be recreated at restart, which fails. could you try another stop, remove the file manually and start again ?

>
>
> We're going to let this run and hopefully will come back up.
>
> Just want to confirm again that these can be safely ignored:
>
> [09/Mar/2016:10:23:10 -0500] DSRetroclPlugin - delete_changerecord: could not delete change record 11272989 (rc: 32)
> [09/Mar/2016:10:23:10 -0500] DSRetroclPlugin - delete_changerecord: could not delete change record 11272990 (rc: 32)

there is something wrong with defining the starting point for changelog trimming, so it will skip many entries, this is annoying and we will have to fix it. Apart from spamming the logs and keeping the retro cl busy for a while it should not do any harm.

>
> They fill up the logs when bringing the ds back up.
>
> We seem to keep getting bit by this deadlock [1,2]. Replicas become
> unresponsive, file descriptor counts increase. Other than a pstack, if there's
> any other info we can provide/check let us know.
>
> We'll be upgrading to centos 7.2 and 389-ds-base 1.3.4 next week.
>
> As always, thanks again for the help and quick responses.
>
> Best,
>
> --Andrew
>
> [1] https://www.redhat.com/archives/freeipa-users/2015-September/msg00006.html
> [2] https://www.redhat.com/archives/freeipa-users/2015-June/msg00389.html

--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill

From rcritten at redhat.com Wed Mar 9 22:14:44 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 9 Mar 2016 17:14:44 -0500
Subject: [Freeipa-users] Cannot add password policy
In-Reply-To: <56DEE631.2090904@jackland.demon.co.uk>
References: <56DEE631.2090904@jackland.demon.co.uk>
Message-ID: <56E0A054.5080806@redhat.com>

Bob Hinton wrote:
> Hi,
>
> I've been trying to add a password policy for an existing user group
> called "services" in IPA version 4.2.0.
>
> ipa pwpolicy-add services
> ipa: ERROR: entry with name "services" already exists
>
> ipa pwpolicy-show services
> ipa: ERROR: services: password policy not found
>
> ipa pwpolicy-del services
> ipa: ERROR: services: password policy not found
>
> ipa pwpolicy-mod services
> ipa: ERROR: services: password policy not found
>
> ipa pwpolicy-find
> doesn't list it.
>
> As an experiment I've tried to add additional pwpolicy entries. If these
> fail due to insufficient privileges then I get the same symptoms, so
> it's possible that this is what happened with the services pwpolicy.
>
> How do I correct this situation?
>
> Many thanks

I'd use ldapsearch to narrow things down. A group-based password policy consists of two entries so I'd look in both:

$ kinit admin
$ ldapsearch -Y GSSAPI -b cn=costemplates,cn=accounts,dc=example,dc=com
$ ldapsearch -Y GSSAPI -b cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com '(objectclass=krbPwdPolicy)'

There could, for example, be a replication conflict entry.
rob

From aalam at paperlesspost.com Wed Mar 9 23:27:52 2016
From: aalam at paperlesspost.com (Ash Alam)
Date: Wed, 9 Mar 2016 18:27:52 -0500
Subject: [Freeipa-users] Existing clients join new cluster
Message-ID:

Hello

I am looking for some advice on how to make my existing clients join a new ipa cluster. We have an existing cluster (3.0) and after several attempts at upgrading we decided to just build fresh cluster (4.2) We now want the clients join the new cluster. It seems there are few things that tie the clients.

- /var/lib/ipa-client/sysrestore
- /etc/ipa/ca.crt
- certutil -L -d /etc/pki/nssdb/
- certutil delete the IPA CA cert (which is fully trusted CT, C, C)
- certutil delete the machine specific certificate

Even with all of this it's not clean and i am running into other issues. I am hoping there is a better way.

Thank You

From rcritten at redhat.com Thu Mar 10 01:07:28 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 9 Mar 2016 20:07:28 -0500
Subject: [Freeipa-users] Existing clients join new cluster
In-Reply-To:
References:
Message-ID: <56E0C8D0.8050807@redhat.com>

Ash Alam wrote:
> Hello
>
> I am looking for some advice on how to make my existing clients join a
> new ipa cluster. We have an existing cluster (3.0) and after several
> attempts at upgrading we decided to just build fresh cluster (4.2) We
> now want the clients join the new cluster. It seems there are few things
> that tie the clients.
>
> - /var/lib/ipa-client/sysrestore
> - /etc/ipa/ca.crt
> - certutil -L -d /etc/pki/nssdb/
> - certutil delete the IPA CA cert (which is fully trusted CT, C, C)
> - certutil delete the machine specific certificate
>
> Even with all of this it's not clean and i am running into other issues.
> I am hoping there is a better way.
Your best bet is ipa-client-install --uninstall

If /etc/ipa/ca.crt still exists (it was left in < EL 6.7 IIRC) then remove that, then re-run ipa-client-install to point to new install.

rob

From darren.poulson at genesys.com Thu Mar 10 02:47:14 2016
From: darren.poulson at genesys.com (Darren Poulson)
Date: Thu, 10 Mar 2016 02:47:14 +0000
Subject: [Freeipa-users] Adding RID base to existing range
In-Reply-To: <20160309151710.GC3059@p.redhat.com>
References: <20160309094545.GV3079@p.redhat.com> <20160309151710.GC3059@p.redhat.com>
Message-ID:

Thanks,

Adding with ldapmodify seems to have done the trick. Can run ipa-adtrust-install at least. Now having other issues, but that's for a different thread. :)

Cheers,

Darren.

On 3/9/16, 3:17 PM, "Sumit Bose" wrote:

>On Wed, Mar 09, 2016 at 02:21:31PM +0000, Darren Poulson wrote:
>> Hi,
>>
>> Here's what I get. The initial default range as created by freeipa and
>> contains all our users, and a second one that I created for system
>> accounts.
>
>The 'ipa idrange' utility does various checks to prevent that idranges
>which are in use are modified or deleted.
>
>Did you create the 'System Users' idrange just to block the IDs because
>they are used by accounts in /etc/passwd or do you have users with a UID
>between 500 and 1500 in IPA? In the former case you can just delete the
>idrange and recreate it with the RID bases set. Please note the IPA
>won't create idranges with POSIX IDs below 200000 automatically. So it
>might be even possible to just delete the idrange in this case.
>
>In the latter case you cannot remove the idrange, because there are
>users in it, and unfortunately you cannot modify it with 'ipa
>idrange-mod' either. Nevertheless you have to add the RID bases so that
>ipa-adtrust-install can run successfully.
This can be done manually with
>ldapmodify as root:
>
>ldapmodify -H ldapi://%2fvar%2frun%2fslapd-BUR-US-GENOPS.socket << EOF
>dn: cn=System Users,cn=ranges,cn=etc,dc=bur,dc=us,dc=genops
>changetype: modify
>add: ipabaserid
>ipabaserid: 200000000
>-
>add: ipasecondarybaserid
>ipasecondarybaserid: 210000000
>-
>EOF
>
>
>As an alternative you can remove the check from the 'ipa idrange'
>utility but I would recommend ldapmodify.
>
>After this ipa-adtrust-install should run successfully because it is
>able to add the missing RID bases to one idrange already. I guess we
>should enhance it to handle multiple idranges as in your case as well.
>
>HTH
>
>bye,
>Sumit
>
>>
>> [root at freeipa1-01 ~]# ipa idrange-find
>> ----------------
>> 2 ranges matched
>> ----------------
>> Range name: BUR.US.GENOPS_id_range
>> First Posix ID of the range: 50000
>> Number of IDs in the range: 10000
>> Range type: local domain range
>>
>> Range name: System Users
>> First Posix ID of the range: 500
>> Number of IDs in the range: 1000
>> Range type: local domain range
>> ----------------------------
>> Number of entries returned 2
>> ----------------------------
>>
>> If it makes any difference, this install was initially (I believe)
>>freeipa
>> 3.3.
>>
>> Darren.
>>
>>
>>
>> On 3/9/16, 1:31 PM, "freeipa-users-bounces at redhat.com on behalf of
>>Darren
>> Poulson" > darren.poulson at genesys.com> wrote:
>>
>> >Hi,
>> >
>> >I'd tried that, but get this:
>> >
>> >[root at freeipa1-01 ~]# ipa idrange-mod _id_range --rid-base=1000
>> >ipa: ERROR: This command can not be used to change ID allocation for
>>local
>> >IPA domain. Run `ipa help idrange` for more information
>> >
>> >
>> >Thanks,
>> >
>> >Darren.
>> >
>> >
>> >On 3/9/16, 9:45 AM, "freeipa-users-bounces at redhat.com on behalf of Sumit Bose" wrote:
>> >
>> >>On Wed, Mar 09, 2016 at 01:29:14AM +0000, Darren Poulson wrote:
>> >>> Hi,
>> >>>
>> >>> We're currently trying to set up an AD domain (great fun for a bunch of
>> >>> linux admins? not) so that we can get authentication working with various
>> >>> bits of hardware that only support AD. We want this domain to trust our
>> >>> existing FreeIPA setup.
>> >>>
>> >>> When trying to ipa-adtrust-install I'm getting:
>> >>>
>> >>> [10/22]: adding RID bases
>> >>> ipa : CRITICAL Found more than one local domain ID range with no RID base set.
>> >>>
>> >>> From reading up, I need to have the id ranges configured with primary and
>> >>> secondary RIDs. Is there any way to do this, or do I have to delete and
>> >>
>> >>You can use 'ipa idrange-mod ...' to add the RID bases to existing
>> >>ranges.
>> >>
>> >>HTH
>> >>
>> >>bye,
>> >>Sumit
>> >>
>> >>> recreate the ranges? And if I do that, what are the implications?
>> >>>
>> >>> IPA 4.2.0 (CentOS 7)
>> >>> AD 2012R2
>> >>>
>> >>> Cheers,
>> >>>
>> >>> Darren.
>> >>>
>> >>>
>> >>>
>> >>
>> >>
>> >>
>> >>> --
>> >>> Manage your subscription for the Freeipa-users mailing list:
>> >>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> >>> Go to http://freeipa.org for more info on the project
>> >>
>> >>--
>> >>Manage your subscription for the Freeipa-users mailing list:
>> >>https://www.redhat.com/mailman/listinfo/freeipa-users
>> >>Go to http://freeipa.org for more info on the project
>> >>
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2414 bytes
Desc: not available
URL:

From thbeh at thbeh.com Thu Mar 10 02:50:08 2016
From: thbeh at thbeh.com (Teik Hooi Beh)
Date: Thu, 10 Mar 2016 15:50:08 +1300
Subject: [Freeipa-users] sudo users
Message-ID:

Hi,

I am trying to deploy sudo rules in FreeIPA 4.2 on Centos 7.2. I have
created 2 sudo rules, one with sudo options=!authenticate (NOPASSWD) and
the other sudo options=authenticate (PASSWD) (which I assume requires the
user to key in the password to run).

The NOPASSWD works but the one with PASSWD kept denying even though password
seems authenticated (from /var/log/secure) -

Mar 10 02:38:31 node1 sudo: pam_sss(sudo:auth): authentication success; logname=ttester uid=5001 euid=0 tty=/dev/pts/1 ruser=ttester rhost= user=ttester
Mar 10 02:38:31 node1 sudo: pam_sss(sudo:account): Access denied for user ttester: 6 (Permission denied)

I have followed instructions from here -
http://blog.delouw.ch/2013/07/25/centrally-manage-sudoers-rules-with-ipa-part-i-preparation/
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From darren.poulson at genesys.com Thu Mar 10 02:54:03 2016
From: darren.poulson at genesys.com (Darren Poulson)
Date: Thu, 10 Mar 2016 02:54:03 +0000
Subject: [Freeipa-users] ipa trust-add seems to work, but doesn't add the trust in FreeIPA
Message-ID:

Hi,

So, after I got the ipa-adtrust-install working, I tried to create a trust
between our freeipa cluster, and a new AD machine.

It seemed to run ok, and gave an output, but in the ui under trusts, there
is nothing.

[root at freeipa1-01 httpd]# ipa trust-add --type=ad ad.genops --admin Administrator
Active Directory domain administrator's password:
--------------------------------------------------
Added Active Directory trust for realm "ad.genops"
--------------------------------------------------
  Realm name: ad.genops
  Domain NetBIOS name: AD
  Domain Security Identifier: S-1-5-21-1113268607-2619903336-2585939669
  SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7,
                          S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8,
                          S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13,
                          S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2,
                          S-1-1, S-1-0, S-1-5-19, S-1-5-18
  SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7,
                          S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8,
                          S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13,
                          S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2,
                          S-1-1, S-1-0, S-1-5-19, S-1-5-18
  Trust direction: Trusting forest
  Trust type: Active Directory domain
  Trust status: Established and verified

[root at freeipa1-01 httpd]# ipa trust-fetch-domains ad.genops
ipa: ERROR: no matching entry found

Any pointers as to where to start looking? It seems to have added the id
range for AD, as well as the Default Trust View. Just not the actual trust.
I can see the trust has been created on the AD side fine.

FreeIPA 4.2 on CentOS 7
Windows 2012R2

TIA

Darren.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2414 bytes
Desc: not available
URL:

From pioto at pioto.org Thu Mar 10 04:06:04 2016
From: pioto at pioto.org (Mike Kelly)
Date: Thu, 10 Mar 2016 04:06:04 +0000
Subject: [Freeipa-users] [requirements gathering] Notification system / hooks
In-Reply-To: <56E04D0C.1080601@redhat.com>
References: <56E04D0C.1080601@redhat.com>
Message-ID:

As an admin, I want to get a notification when a user's password is reset,
or when they update their password, so that I can disable a user who does
not change their password a certain amount of time after it was reset.

Basically, the goal is to have a way to implement a policy like "if we
reset your password, and you don't change it to a new one after 2 days,
we'll lock your account" so that, say, some old email with their password
in it is unlikely to be valid anymore.

On Wed, Mar 9, 2016 at 11:23 AM Petr Spacek wrote:

> Dear users,
>
> FreeIPA team is thinking about adding notification system (or 'hooks') to
> various parts of FreeIPA.
>
> If you happen to know about a use-case for hook or an event you want to
> react
> to please let us know.
>
> Example:
> - As admin, I want to call my custom script when a host is deleted. (E.g.
> to
> to do cleanup in our other internal systems.)
> - As user, I want to get a notification when ...
>
> Be creative and let us know as soon as you find the use-case.
>
> Thank you very much!
>
>
> BTW design page is on:
> http://www.freeipa.org/page/V4/Notification_system
> (but it is mostly empty at the moment).
>
> --
> Petr^2 Spacek
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
--
Mike Kelly
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From abokovoy at redhat.com Thu Mar 10 04:53:22 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 10 Mar 2016 06:53:22 +0200
Subject: [Freeipa-users] ipa trust-add seems to work, but doesn't add the trust in FreeIPA
In-Reply-To:
References:
Message-ID: <20160310045322.GX4492@redhat.com>

On Thu, 10 Mar 2016, Darren Poulson wrote:
>Hi,
>
>So, after I got the ipa-adtrust-install working, I tried to create a trust
>between our freeipa cluster, and a new AD machine.
>
>It seemed to run ok, and gave an output, but in the ui under trusts, there
>is nothing.
>
>[root at freeipa1-01 httpd]# ipa trust-add --type=ad ad.genops --admin
>Administrator
>Active Directory domain administrator's password:
>--------------------------------------------------
>Added Active Directory trust for realm "ad.genops"
>--------------------------------------------------
>  Realm name: ad.genops
>  Domain NetBIOS name: AD
>  Domain Security Identifier: S-1-5-21-1113268607-2619903336-2585939669
>  SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7,
>S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15,
>S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10,
>  S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
>  SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7,
>S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15,
>S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10,
>  S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
>  Trust direction: Trusting forest
>  Trust type: Active Directory domain
>  Trust status: Established and verified
>
>[root at freeipa1-01 httpd]# ipa trust-fetch-domains ad.genops
>ipa: ERROR: no matching entry found
>
>Any pointers as to where to start looking? It seems to have added the id
>range for AD, as well as the Default Trust View. Just not the actual trust.
>I can see the trust has been created on the AD side fine.

http://www.freeipa.org/page/Active_Directory_trust_setup#Debugging_trust

--
/ Alexander Bokovoy

From jhrozek at redhat.com Thu Mar 10 08:37:13 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 10 Mar 2016 09:37:13 +0100
Subject: [Freeipa-users] sudo users
In-Reply-To:
References:
Message-ID: <20160310083713.GJ5194@hendrix.redhat.com>

On Thu, Mar 10, 2016 at 03:50:08PM +1300, Teik Hooi Beh wrote:
> Hi,
>
> I am trying to deploy sudo rules in FreeIPA 4.2 on Centos 7.2. I have
> created 2 sudo rules, one with sudo options=!authenticate (NOPASSWD) and
> the other sudo options=authenticate (PASSWD) (which I assume requires the
> user to key in the password to run).
>
> The NOPASSWD works but the one with PASSWD kept denying even though password
> seems authenticated (from /var/log/secure) -
>
> Mar 10 02:38:31 node1 sudo: pam_sss(sudo:auth): authentication success;
> logname=ttester uid=5001 euid=0 tty=/dev/pts/1 ruser=ttester rhost=
> user=ttester
> Mar 10 02:38:31 node1 sudo: pam_sss(sudo:account): Access denied for user
> ttester: 6 (Permission denied)
>
> I have followed instructions from here -
> http://blog.delouw.ch/2013/07/25/centrally-manage-sudoers-rules-with-ipa-part-i-preparation/

Looks like HBAC is denying access, please make sure the user is allowed
to access the sudo/sudo-i service.

From giulio at di.unimi.it Thu Mar 10 11:29:38 2016
From: giulio at di.unimi.it (Giulio Casella)
Date: Thu, 10 Mar 2016 12:29:38 +0100
Subject: [Freeipa-users] FreeIPA and samba 4
Message-ID: <56E15AA2.5060107@di.unimi.it>

Hi guys,
I've got a FreeIPA domain up and running, with a nfs server, joined to
IPA domain, offering user's home directories.

I'd like to give users on Windows 7 PC (not joined to the same domain)
the ability to mount those home directories via samba (entering
credentials, not kerberos, being different domains).

How can I configure samba to use IPA kerberos authentication
to offer access to home directories?

I know this could be configured more as a samba question, but I hope
someone in this list already faced my scenario.

Thanks in advance,
Giulio

From jstephen at redhat.com Thu Mar 10 12:23:15 2016
From: jstephen at redhat.com (Justin Stephenson)
Date: Thu, 10 Mar 2016 07:23:15 -0500
Subject: [Freeipa-users] FreeIPA and samba 4
In-Reply-To: <56E15AA2.5060107@di.unimi.it>
References: <56E15AA2.5060107@di.unimi.it>
Message-ID: <56E16733.2050205@redhat.com>

Hello,

Are you looking for this? This leverages the AD trust to allow samba
within IPA to resolve AD users from a trusted AD domain/forest

*Howto/Integrating a Samba File Server With IPA*

http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

-Justin

On 03/10/2016 06:29 AM, Giulio Casella wrote:
> Hi guys,
> I've got a FreeIPA domain up and running, with a nfs server, joined to
> IPA domain, offering user's home directories.
>
> I'd like to give users on Windows 7 PC (not joined to the same domain)
> the ability to mount those home directories via samba (entering
> credentials, not kerberos, being different domains).
>
> How can I configure samba to use IPA kerberos authentication
> to offer access to home directories?
>
> I know this could be configured more as a samba question, but I hope
> someone in this list already faced my scenario.
>
> Thanks in advance,
> Giulio
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From giulio at di.unimi.it Thu Mar 10 12:34:46 2016
From: giulio at di.unimi.it (Giulio Casella)
Date: Thu, 10 Mar 2016 13:34:46 +0100
Subject: [Freeipa-users] FreeIPA and samba 4
In-Reply-To: <56E16733.2050205@redhat.com>
References: <56E15AA2.5060107@di.unimi.it> <56E16733.2050205@redhat.com>
Message-ID: <56E169E6.8060401@di.unimi.it>

I've seen that howto, but it's not my case.
I cannot establish a trust between IPA and AD, because AD domain involves
additional UPNs (mydomain.com and another.mydomain.com) in addition to
main domain foobar.local. This scenario is not supported by current
version of FreeIPA (maybe in future releases).
So: FreeIPA domain and AD domain have to be different.

Giulio

On 10/03/2016 13:23, Justin Stephenson wrote:
> Hello,
>
> Are you looking for this? This leverages the AD trust to allow samba
> within IPA to resolve AD users from a trusted AD domain/forest
>
> *Howto/Integrating a Samba File Server With IPA*
>
> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>
>
> -Justin
>
> On 03/10/2016 06:29 AM, Giulio Casella wrote:
>> Hi guys,
>> I've got a FreeIPA domain up and running, with a nfs server, joined to
>> IPA domain, offering user's home directories.
>>
>> I'd like to give users on Windows 7 PC (not joined to the same domain)
>> the ability to mount those home directories via samba (entering
>> credentials, not kerberos, being different domains).
>>
>> How can I configure samba to use IPA kerberos authentication
>> to offer access to home directories?
>>
>> I know this could be configured more as a samba question, but I hope
>> someone in this list already faced my scenario.
>>
>> Thanks in advance,
>> Giulio
>>
>

--
Giulio Casella giulio at di.unimi.it
System and network manager
Computer Science Dept. - University of Milano

From pspacek at redhat.com Thu Mar 10 14:15:17 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 10 Mar 2016 15:15:17 +0100
Subject: [Freeipa-users] FreeIPA and samba 4
In-Reply-To: <56E169E6.8060401@di.unimi.it>
References: <56E15AA2.5060107@di.unimi.it> <56E16733.2050205@redhat.com> <56E169E6.8060401@di.unimi.it>
Message-ID: <56E18175.4070902@redhat.com>

On 10.3.2016 13:34, Giulio Casella wrote:
> I've seen that howto, but it's not my case. I cannot establish a trust between
> IPA and AD, because AD domain involves additional UPNs (mydomain.com and
> another.mydomain.com) in addition to main domain foobar.local. This scenario
> is not supported by current version of FreeIPA (maybe in future releases).
> So: FreeIPA domain and AD domain have to be different.

For the record, UPN support is soonish.

Petr^2 Spacek

>
> Giulio
>
> On 10/03/2016 13:23, Justin Stephenson wrote:
>> Hello,
>>
>> Are you looking for this? This leverages the AD trust to allow samba
>> within IPA to resolve AD users from a trusted AD domain/forest
>>
>> *Howto/Integrating a Samba File Server With IPA*
>>
>>
>> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>>
>>
>> -Justin
>>
>> On 03/10/2016 06:29 AM, Giulio Casella wrote:
>>> Hi guys,
>>> I've got a FreeIPA domain up and running, with a nfs server, joined to
>>> IPA domain, offering user's home directories.
>>>
>>> I'd like to give users on Windows 7 PC (not joined to the same domain)
>>> the ability to mount those home directories via samba (entering
>>> credentials, not kerberos, being different domains).
>>>
>>> How can I configure samba to use IPA kerberos authentication
>>> to offer access to home directories?
>>>
>>> I know this could be configured more as a samba question, but I hope
>>> someone in this list already faced my scenario.
>>>
>>> Thanks in advance,
>>> Giulio
>>>
>>
>

--
Petr^2 Spacek

From rob.verduijn at gmail.com Thu Mar 10 15:06:39 2016
From: rob.verduijn at gmail.com (Rob Verduijn)
Date: Thu, 10 Mar 2016 16:06:39 +0100
Subject: [Freeipa-users] FreeIPA and samba 4
In-Reply-To: <56E18175.4070902@redhat.com>
References: <56E15AA2.5060107@di.unimi.it> <56E16733.2050205@redhat.com> <56E169E6.8060401@di.unimi.it> <56E18175.4070902@redhat.com>
Message-ID:

Howdy,

out of curiosity .... any targeted release for UPN ?

Cheers
Rob

2016-03-10 15:15 GMT+01:00 Petr Spacek :
> On 10.3.2016 13:34, Giulio Casella wrote:
>> I've seen that howto, but it's not my case. I cannot establish a trust between
>> IPA and AD, because AD domain involves additional UPNs (mydomain.com and
>> another.mydomain.com) in addition to main domain foobar.local. This scenario
>> is not supported by current version of FreeIPA (maybe in future releases).
>> So: FreeIPA domain and AD domain have to be different.
>
> For the record, UPN support is soonish.
>
> Petr^2 Spacek
>
>>
>> Giulio
>>
>> On 10/03/2016 13:23, Justin Stephenson wrote:
>>> Hello,
>>>
>>> Are you looking for this? This leverages the AD trust to allow samba
>>> within IPA to resolve AD users from a trusted AD domain/forest
>>>
>>> *Howto/Integrating a Samba File Server With IPA*
>>>
>>>
>>> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>>>
>>>
>>> -Justin
>>>
>>> On 03/10/2016 06:29 AM, Giulio Casella wrote:
>>>> Hi guys,
>>>> I've got a FreeIPA domain up and running, with a nfs server, joined to
>>>> IPA domain, offering user's home directories.
>>>>
>>>> I'd like to give users on Windows 7 PC (not joined to the same domain)
>>>> the ability to mount those home directories via samba (entering
>>>> credentials, not kerberos, being different domains).
>>>>
>>>> How can I configure samba to use IPA kerberos authentication
>>>> to offer access to home directories?
>>>>
>>>> I know this could be configured more as a samba question, but I hope
>>>> someone in this list already faced my scenario.
>>>>
>>>> Thanks in advance,
>>>> Giulio
>>>>
>>>
>>
>
>
> --
> Petr^2 Spacek
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From bob at jackland.demon.co.uk Thu Mar 10 15:18:27 2016
From: bob at jackland.demon.co.uk (Bob Hinton)
Date: Thu, 10 Mar 2016 15:18:27 +0000
Subject: [Freeipa-users] Cannot add password policy SOLVED
In-Reply-To: <56E0A054.5080806@redhat.com>
References: <56DEE631.2090904@jackland.demon.co.uk> <56E0A054.5080806@redhat.com>
Message-ID: <56E19043.9010008@jackland.demon.co.uk>

On 09/03/2016 22:14, Rob Crittenden wrote:
> Bob Hinton wrote:
>> Hi,
>>
>> I've been trying to add a password policy for an existing user group
>> called "services" in IPA version 4.2.0.
>>
>> ipa pwpolicy-add services
>> ipa: ERROR: entry with name "services" already exists
>>
>> ipa pwpolicy-show services
>> ipa: ERROR: services: password policy not found
>>
>> ipa pwpolicy-del services
>> ipa: ERROR: services: password policy not found
>>
>> ipa pwpolicy-mod services
>> ipa: ERROR: services: password policy not found
>>
>> ipa pwpolicy-find
>> doesn't list it.
>>
>> As an experiment I've tried to add additional pwpolicy entries. If these
>> fail due to insufficient privileges then I get the same symptoms, so
>> it's possible that this is what happened with the services pwpolicy.
>>
>> How do I correct this situation?
>>
>> Many thanks
> I'd use ldapsearch to narrow things down. A group-based password policy
> consists of two entries so I'd look in both:
>
> $ kinit admin
> $ ldapsearch -Y GSSAPI -b cn=costemplates,cn=accounts,dc=example,dc=com
> $ ldapsearch -Y GSSAPI -b cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
> '(objectclass=krbPwdPolicy)'
>
> There could, for example, be a replication conflict entry.
>
> rob
> .
>
Hi Rob,

The culprit turned out to be a "cn=costemplates,cn=accounts,..." record.
Attempting to create a pwpolicy that failed with a permissions error
created a costemplates record, but not the corresponding
"cn=DOMAIN,cn=kerberos,..." record. After removing the offending record
with ldapdelete I could create the pwpolicy entry.

Many thanks

Bob Hinton

From pspacek at redhat.com Thu Mar 10 15:26:56 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 10 Mar 2016 16:26:56 +0100
Subject: [Freeipa-users] FreeIPA and samba 4
In-Reply-To:
References: <56E15AA2.5060107@di.unimi.it> <56E16733.2050205@redhat.com> <56E169E6.8060401@di.unimi.it> <56E18175.4070902@redhat.com>
Message-ID: <56E19240.6060309@redhat.com>

On 10.3.2016 16:06, Rob Verduijn wrote:
> Howdy,
>
> out of curiosity .... any targeted release for UPN ?

Currently 4.4, see
https://fedorahosted.org/freeipa/ticket/5354 .

This might change, of course.

Petr^2 Spacek

>
> Cheers
> Rob
>
> 2016-03-10 15:15 GMT+01:00 Petr Spacek :
>> On 10.3.2016 13:34, Giulio Casella wrote:
>>> I've seen that howto, but it's not my case. I cannot establish a trust between
>>> IPA and AD, because AD domain involves additional UPNs (mydomain.com and
>>> another.mydomain.com) in addition to main domain foobar.local. This scenario
>>> is not supported by current version of FreeIPA (maybe in future releases).
>>> So: FreeIPA domain and AD domain have to be different.
>>
>> For the record, UPN support is soonish.
>>
>> Petr^2 Spacek
>>
>>>
>>> Giulio
>>>
>>> On 10/03/2016 13:23, Justin Stephenson wrote:
>>>> Hello,
>>>>
>>>> Are you looking for this? This leverages the AD trust to allow samba
>>>> within IPA to resolve AD users from a trusted AD domain/forest
>>>>
>>>> *Howto/Integrating a Samba File Server With IPA*
>>>>
>>>>
>>>> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>>>>
>>>>
>>>> -Justin
>>>>
>>>> On 03/10/2016 06:29 AM, Giulio Casella wrote:
>>>>> Hi guys,
>>>>> I've got a FreeIPA domain up and running, with a nfs server, joined to
>>>>> IPA domain, offering user's home directories.
>>>>>
>>>>> I'd like to give users on Windows 7 PC (not joined to the same domain)
>>>>> the ability to mount those home directories via samba (entering
>>>>> credentials, not kerberos, being different domains).
>>>>>
>>>>> How can I configure samba to use IPA kerberos authentication
>>>>> to offer access to home directories?
>>>>>
>>>>> I know this could be configured more as a samba question, but I hope
>>>>> someone in this list already faced my scenario.
>>>>>
>>>>> Thanks in advance,
>>>>> Giulio
>>>>>
>>>>
>>>
>>
>>
>> --
>> Petr^2 Spacek
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>

--
Petr^2 Spacek

From pspacek at redhat.com Thu Mar 10 15:34:03 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 10 Mar 2016 16:34:03 +0100
Subject: [Freeipa-users] [requirements gathering] Notification system / hooks
In-Reply-To:
References: <56E04D0C.1080601@redhat.com>
Message-ID: <56E193EB.8000306@redhat.com>

On 10.3.2016 05:06, Mike Kelly wrote:
> As an admin, I want to get a notification when a user's password is reset,
> or when they update their password, so that I can disable a user who does
> not change their password a certain amount of time after it was reset.
>
> Basically, the goal is to have a way to implement a policy like "if we
> reset your password, and you don't change it to a new one after 2 days,
> we'll lock your account" so that, say, some old email with their password
> in it is unlikely to be valid anymore.

This sounds sensible, thank you.

(re-posting to ipa-users)

For the record and other interested parties:
Please keep in mind that this is NOT intended as an audit mechanism. We
already have audit in LDAP server and audit is explicitly out of scope of
this work.

This should provide hooks so vanilla IPA as shipped in packages can be
easily integrated with third-party systems which are present all over the
place.

Jan Cholasta identified few object types which he thinks are interesting
from the hook(s) perspective:
user, group, host, hostgroup, service

Current line of thinking was about adding hooks into IPA framework so we
are not risking destabilizing or slowing down the DS.

If we want to monitor generic LDAP we could use syncrepl to stay outside
of DS. As far as I understood Honza this has interesting problems because
the consumer of the notifications from LDAP would have to understand the
relations between IPA LDAP objects etc., which can be quite complicated.

For this reason we were thinking about kind of limited approach where
hooks are called when using CLI/WebUI/API but not when direct LDAP
modifications are done.

Would that work for you?

Petr^2 Spacek

>
> On Wed, Mar 9, 2016 at 11:23 AM Petr Spacek wrote:
>
>> Dear users,
>>
>> FreeIPA team is thinking about adding notification system (or 'hooks') to
>> various parts of FreeIPA.
>>
>> If you happen to know about a use-case for hook or an event you want to
>> react
>> to please let us know.
>>
>> Example:
>> - As admin, I want to call my custom script when a host is deleted. (E.g.
>> to
>> to do cleanup in our other internal systems.)
>> - As user, I want to get a notification when ...
>>
>> Be creative and let us know as soon as you find the use-case.
>>
>> Thank you very much!
>>
>>
>> BTW design page is on:
>> http://www.freeipa.org/page/V4/Notification_system
>> (but it is mostly empty at the moment).
>>
>> --
>> Petr^2 Spacek

--
Petr^2 Spacek

From listeranon at gmail.com Thu Mar 10 16:20:25 2016
From: listeranon at gmail.com (Anon Lister)
Date: Thu, 10 Mar 2016 11:20:25 -0500
Subject: [Freeipa-users] [requirements gathering] Notification system / hooks
In-Reply-To: <56E04D0C.1080601@redhat.com>
References: <56E04D0C.1080601@redhat.com>
Message-ID:

I would like an alert when my IPA servers successfully establish a
bidirectional trust with mutual authentication with our AD server....
Actually I could even skip the alert ;)
On Mar 9, 2016 11:27 AM, "Petr Spacek" wrote:

> Dear users,
>
> FreeIPA team is thinking about adding notification system (or 'hooks') to
> various parts of FreeIPA.
>
> If you happen to know about a use-case for hook or an event you want to
> react
> to please let us know.
>
> Example:
> - As admin, I want to call my custom script when a host is deleted. (E.g.
> to
> to do cleanup in our other internal systems.)
> - As user, I want to get a notification when ...
>
> Be creative and let us know as soon as you find the use-case.
>
> Thank you very much!
>
>
> BTW design page is on:
> http://www.freeipa.org/page/V4/Notification_system
> (but it is mostly empty at the moment).
>
> --
> Petr^2 Spacek
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From pspacek at redhat.com Thu Mar 10 16:22:55 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 10 Mar 2016 17:22:55 +0100
Subject: [Freeipa-users] [requirements gathering] Notification system / hooks
In-Reply-To:
References: <56E04D0C.1080601@redhat.com>
Message-ID: <56E19F5F.20609@redhat.com>

On 10.3.2016 17:20, Anon Lister wrote:
> I would like an alert when my IPA servers successfully establish a
> bidirectional trust with mutual authentication with our AD server....
> Actually I could even skip the alert ;)
> On Mar 9, 2016 11:27 AM, "Petr Spacek" wrote:

Heh, I'm confused. How would you establish the trust without using admin's
credentials or pre-shared secret in the first place?

I.e. how this could be done without admin's consent?

Petr^2 Spacek

>> Dear users,
>>
>> FreeIPA team is thinking about adding notification system (or 'hooks') to
>> various parts of FreeIPA.
>>
>> If you happen to know about a use-case for hook or an event you want to
>> react
>> to please let us know.
>>
>> Example:
>> - As admin, I want to call my custom script when a host is deleted. (E.g.
>> to
>> to do cleanup in our other internal systems.)
>> - As user, I want to get a notification when ...
>>
>> Be creative and let us know as soon as you find the use-case.
>>
>> Thank you very much!
>>
>>
>> BTW design page is on:
>> http://www.freeipa.org/page/V4/Notification_system
>> (but it is mostly empty at the moment).
>>
>> --
>> Petr^2 Spacek

From listeranon at gmail.com Thu Mar 10 16:29:19 2016
From: listeranon at gmail.com (Anon Lister)
Date: Thu, 10 Mar 2016 11:29:19 -0500
Subject: [Freeipa-users] [requirements gathering] Notification system / hooks
In-Reply-To: <56E19F5F.20609@redhat.com>
References: <56E04D0C.1080601@redhat.com> <56E19F5F.20609@redhat.com>
Message-ID:

Well... I suppose that's problem #2. Problem #1 would be implementing the
bidirectional authentication in the first place.
:p
On Mar 10, 2016 11:22 AM, "Petr Spacek" wrote:

> On 10.3.2016 17:20, Anon Lister wrote:
> > I would like an alert when my IPA servers successfully establish a
> > bidirectional trust with mutual authentication with our AD server....
> > Actually I could even skip the alert ;)
> > On Mar 9, 2016 11:27 AM, "Petr Spacek" wrote:
>
> Heh, I'm confused. How would you establish the trust without using admin's
> credentials or pre-shared secret in the first place?
>
> I.e. how this could be done without admin's consent?
>
> Petr^2 Spacek
>
> >> Dear users,
> >>
> >> FreeIPA team is thinking about adding notification system (or 'hooks')
> to
> >> various parts of FreeIPA.
> >>
> >> If you happen to know about a use-case for hook or an event you want to
> >> react
> >> to please let us know.
> >>
> >> Example:
> >> - As admin, I want to call my custom script when a host is deleted.
> (E.g.
> >> to
> >> to do cleanup in our other internal systems.)
> >> - As user, I want to get a notification when ...
> >>
> >> Be creative and let us know as soon as you find the use-case.
> >>
> >> Thank you very much!
> >>
> >>
> >> BTW design page is on:
> >> http://www.freeipa.org/page/V4/Notification_system
> >> (but it is mostly empty at the moment).
> >>
> >> --
> >> Petr^2 Spacek
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From wouter.hummelink at kpn.com Thu Mar 10 16:28:48 2016
From: wouter.hummelink at kpn.com (wouter.hummelink at kpn.com)
Date: Thu, 10 Mar 2016 16:28:48 +0000
Subject: [Freeipa-users] [requirements gathering] Notification system / hooks
In-Reply-To:
References: <56E04D0C.1080601@redhat.com>
Message-ID: <2CA71D6C07ADB544847562573DC6BF061870ABAC@CPEMS-KPN309.KPNCNL.LOCAL>

As an administrator I would like to get notified when anyone
successfully/unsuccessfully authenticates to predefined services (n times).

From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Anon Lister
Sent: Thursday, 10 March 2016 17:20
To: Petr Spacek
CC: freeipa-users
Subject: Re: [Freeipa-users] [requirements gathering] Notification system / hooks

I would like an alert when my IPA servers successfully establish a
bidirectional trust with mutual authentication with our AD server....
Actually I could even skip the alert ;)

On Mar 9, 2016 11:27 AM, "Petr Spacek" > wrote:
Dear users,

FreeIPA team is thinking about adding notification system (or 'hooks') to
various parts of FreeIPA.

If you happen to know about a use-case for hook or an event you want to react
to please let us know.

Example:
- As admin, I want to call my custom script when a host is deleted. (E.g. to
to do cleanup in our other internal systems.)
- As user, I want to get a notification when ...

Be creative and let us know as soon as you find the use-case.

Thank you very much!

BTW design page is on:
http://www.freeipa.org/page/V4/Notification_system
(but it is mostly empty at the moment).

--
Petr^2 Spacek

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From michael.rainey.ctr at nrlssc.navy.mil Thu Mar 10 19:36:15 2016
From: michael.rainey.ctr at nrlssc.navy.mil (Michael Rainey (Contractor))
Date: Thu, 10 Mar 2016 13:36:15 -0600
Subject: [Freeipa-users] Lock screen when Smart Card is removed.
Message-ID: <_1ZpdFsXKWmdSYRSYk8Xc0Aor5jcUaVJofpJ1Wy9L8SxyPeFTZrMhA@cipher.nrlssc.navy.mil>

Greetings,

I have been adding systems to my new domain and utilizing the smart card
login feature. To date the smart card login feature is working very well.
However, my group has been trying to implement locking the screen when the
smart card is removed, but have not been successful at making it work.
Does anyone have any suggestions as to what it would take to enable locking the screen when the smart card is removed?

Thank you in advance.

--
*Michael Rainey*

From thbeh at thbeh.com Thu Mar 10 20:06:31 2016
From: thbeh at thbeh.com (Teik Hooi Beh)
Date: Fri, 11 Mar 2016 09:06:31 +1300
Subject: [Freeipa-users] sudo users
In-Reply-To: <20160310083713.GJ5194@hendrix.redhat.com>
References: <20160310083713.GJ5194@hendrix.redhat.com>
Message-ID:

Cool. That solved the problem. Thanks

On Thu, Mar 10, 2016 at 9:37 PM, Jakub Hrozek wrote:

> On Thu, Mar 10, 2016 at 03:50:08PM +1300, Teik Hooi Beh wrote:
> > Hi,
> >
> > I am trying to deploy sudo rules in FreeIPA 4.2 on Centos 7.2. I have
> > created 2 sudo rules, one with sudo options=!authenticate (NOPASSWD) and
> > the other sudo options=authenticate (PASSWD) (which I assume requires the
> > user to key in the password to run).
> >
> > The NOPASSWD works but the one with PASSWD kept denying even though password
> > seems authenticated (from /var/log/secure) -
> >
> > Mar 10 02:38:31 node1 sudo: pam_sss(sudo:auth): authentication success; logname=ttester uid=5001 euid=0 tty=/dev/pts/1 ruser=ttester rhost= user=ttester
> > Mar 10 02:38:31 node1 sudo: pam_sss(sudo:account): Access denied for user ttester: 6 (Permission denied)
> >
> > I have followed instructions from here -
> > http://blog.delouw.ch/2013/07/25/centrally-manage-sudoers-rules-with-ipa-part-i-preparation/
>
> Looks like HBAC is denying access, please make sure the user is allowed
> to access the sudo/sudo-i service.
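The two /var/log/secure lines quoted in the message above show a PAM transaction that passes the auth phase and is then refused in the account phase, which is the pattern an HBAC denial leaves behind. The following Python script is an added example, not part of the original thread or of FreeIPA/SSSD; the function name, the verdict labels, the 30-second correlation window and every sample line after the first two are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample. The first two lines are the ones quoted in the thread;
# the remaining lines are made up to exercise the other outcomes.
SAMPLE_LOG = """\
Mar 10 02:38:31 node1 sudo: pam_sss(sudo:auth): authentication success; logname=ttester uid=5001 euid=0 tty=/dev/pts/1 ruser=ttester rhost= user=ttester
Mar 10 02:38:31 node1 sudo: pam_sss(sudo:account): Access denied for user ttester: 6 (Permission denied)
Mar 10 02:40:02 node1 sudo: pam_sss(sudo:auth): authentication failure; logname=alice uid=5002 euid=0 tty=/dev/pts/2 ruser=alice rhost= user=alice
Mar 10 02:41:10 node1 sudo: pam_sss(sudo-i:auth): authentication success; logname=bob uid=5003 euid=0 tty=/dev/pts/3 ruser=bob rhost= user=bob
Mar 10 02:45:00 node1 sudo: pam_sss(sudo:account): Access denied for user carol: 6 (Permission denied)
"""

# One syslog line carrying a pam_sss message: timestamp, host, program, then
# pam_sss(<service>:<phase>): <message>
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) \S+ "
    r"pam_sss\((?P<service>[\w-]+):(?P<phase>auth|account)\): (?P<msg>.*)$"
)
# \buser= skips "ruser=" and picks the target account at the end of the line.
AUTH_RE = re.compile(
    r"^authentication (?P<result>success|failure);.*\buser=(?P<user>\S+)"
)
DENY_RE = re.compile(
    r"^Access denied for user (?P<user>[^:\s]+): (?P<code>\d+) \((?P<reason>[^)]*)\)"
)


def classify(log_text, year=2016, window_seconds=30):
    """Return (verdict, host, service, user) tuples for failed PAM transactions.

    Verdicts:
      auth_failure              the credential was rejected in the auth phase
      account_denied_after_auth credential accepted, then the account phase
                                refused access: an access-control decision
                                (such as HBAC), not a password problem
      account_denied_no_auth    account phase refused access and no auth
                                success was logged shortly before it
    """
    window = timedelta(seconds=window_seconds)
    last_auth_ok = {}  # (host, service, user) -> time of last auth success
    findings = []
    for raw in log_text.splitlines():
        line = LINE_RE.match(raw)
        if line is None:
            continue
        # Syslog timestamps carry no year, so the caller supplies it.
        when = datetime.strptime(f"{year} {line['ts']}", "%Y %b %d %H:%M:%S")
        host, service = line["host"], line["service"]
        if line["phase"] == "auth":
            auth = AUTH_RE.match(line["msg"])
            if auth is None:
                continue
            key = (host, service, auth["user"])
            if auth["result"] == "success":
                last_auth_ok[key] = when
            else:
                findings.append(("auth_failure",) + key)
        else:
            deny = DENY_RE.match(line["msg"])
            if deny is None:
                continue
            key = (host, service, deny["user"])
            ok_at = last_auth_ok.pop(key, None)
            if ok_at is not None and timedelta(0) <= when - ok_at <= window:
                findings.append(("account_denied_after_auth",) + key)
            else:
                findings.append(("account_denied_no_auth",) + key)
    return findings


if __name__ == "__main__":
    for verdict, host, service, user in classify(SAMPLE_LOG):
        print(f"{verdict:27} host={host} service={service} user={user}")
```

On an IPA server, `ipa hbactest --user=ttester --host=<client FQDN> --service=sudo` (the host value is a placeholder) reports which HBAC rules match that combination.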
From Daryl.Fonseca-Holt at umanitoba.ca Thu Mar 10 22:10:44 2016
From: Daryl.Fonseca-Holt at umanitoba.ca (Daryl Fonseca-Holt)
Date: Thu, 10 Mar 2016 16:10:44 -0600
Subject: [Freeipa-users] ipa-replica-install IPA startup timing issue
Message-ID: <56E1F0E4.9080605@umanitoba.ca>

Environment:
RHEL 7.2
IPA 4.2.0-15
nss 3.19.1-19
389-ds-base 1.3.4.0-26
sssd 1.13.0-40

I've encountered this problem in IPA 3.0.0 but hoped it was addressed in 4.2.0.

Trying to set up a replica of a master with 150,000+ user accounts, NIS and Schema Compatibility enabled on the master.

During ipa-replica-install it attempts to start IPA. dirsrv starts, krb5kdc starts, but then kadmind fails because krb5kdc has gone missing.

This happens during restart of IPA in version 3.0.0 too. There it can be overcome by manually starting each component of IPA _but_ waiting until ns-slapd- has settled down (as seen from top) before starting krb5kdc. I also think that the startup of krb5kdc loads the LDAP instance quite a bit.

There is a problem in the startup logic where dirsrv is so busy that even though krb5kdc successfully starts and allows the kadmin to begin krb5kdc is not really able to do its duties.

I'm reporting this since there must be some way to delay the start of krb5kdc and then kadmind until ns-slapd- is really open for business.

# systemctl status krb5kdc.service
● krb5kdc.service - Kerberos 5 KDC
   Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; vendor preset: disabled)
   Active: inactive (dead)

Mar 10 14:19:13 jutta.cc.umanitoba.ca systemd[1]: Stopped Kerberos 5 KDC.
Mar 10 14:20:36 jutta.cc.umanitoba.ca systemd[1]: Starting Kerberos 5 KDC...
Mar 10 14:20:39 jutta.cc.umanitoba.ca systemd[1]: Started Kerberos 5 KDC.

# systemctl status krb5kdc.service
● krb5kdc.service - Kerberos 5 KDC
   Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; vendor preset: disabled)
   Active: inactive (dead)

Mar 10 14:19:13 jutta.cc.umanitoba.ca systemd[1]: Stopped Kerberos 5 KDC.
Mar 10 14:20:36 jutta.cc.umanitoba.ca systemd[1]: Starting Kerberos 5 KDC...
Mar 10 14:20:39 jutta.cc.umanitoba.ca systemd[1]: Started Kerberos 5 KDC.

journalctl -xe was stale by the time I got to it so I've attached /var/log/messages instead.

The log from ipa-replica-install (with -d) is at http://home.cc.umanitoba.ca/~fonsecah/ipa/ipareplica-install.log
The console script (mostly the same as the log but with my entries) is at http://home.cc.umanitoba.ca/~fonsecah/ipa/ipa-replica-install.console
The /var/log/dirsrv/ns-slapd- access log is at http://home.cc.umanitoba.ca/~fonsecah/ipa/access

Regards, Daryl

--
Daryl Fonseca-Holt
IST/CNS/Unix Server Team
University of Manitoba
204.480.1079
caCanceled-pki-tomcatIndex [10/Mar/2016:14:16:19 -0600] - ipaca: Indexing VLV: caCanceledEnrollment-pki-tomcatIndex [10/Mar/2016:14:16:19 -0600] - ipaca: Indexing VLV: caCanceledRenewal-pki-tomcatIndex [10/Mar/2016:14:16:19 -0600] - ipaca: Indexing VLV: caCanceledRevocation-pki-tomcatIndex [10/Mar/2016:14:16:19 -0600] - ipaca: Indexing VLV: caComplete-pki-tomcatIndex [10/Mar/2016:14:16:19 -0600] - ipaca: Indexing VLV: caCompleteEnrollment-pki-tomcatIndex [10/Mar/2016:14:16:19 -0600] - ipaca: Indexing VLV: caCompleteRenewal-pki-tomcatIndex [10/Mar/2016:14:16:19 -0600] - ipaca: Indexing VLV: caCompleteRevocation-pki-tomcatIndex [10/Mar/2016:14:16:19 -0600] - ipaca: Indexing VLV: caEnrollment-pki-tomcatIndex [10/Mar/2016:14:16:19 -0600] - ipaca: Indexing VLV: caPending-pki-tomcatIndex [10/Mar/2016:14:16:19 -0600] - ipaca: Indexing VLV: caPendingEnrollment-pki-tomcatIndex [10/Mar/2016:14:16:19 -0600] - ipaca: Indexing VLV: caPendingRenewal-pki-tomcatIndex [10/Mar/2016:14:16:19 -0600] - ipaca: Indexing VLV: caPendingRevocation-pki-tomcatIndex [10/Mar/2016:14:16:19 -0600] - ipaca: Indexing VLV: caRejected-pki-tomcatIndex [10/Mar/2016:14:16:19 -0600] - ipaca: Indexing VLV: caRejectedEnrollment-pki-tomcatIndex [10/Mar/2016:14:16:19 -0600] - ipaca: Indexing VLV: caRejectedRenewal-pki-tomcatIndex [10/Mar/2016:14:16:19 -0600] - ipaca: Indexing VLV: caRejectedRevocation-pki-tomcatIndex [10/Mar/2016:14:16:19 -0600] - ipaca: Indexing VLV: caRenewal-pki-tomcatIndex [10/Mar/2016:14:16:19 -0600] - ipaca: Indexing VLV: caRevocation-pki-tomcatIndex [10/Mar/2016:14:16:20 -0600] - ipaca: Finished indexing. [10/Mar/2016:14:17:22 -0600] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-jutta.cc.umanitoba.ca-pki-tomcat" (mork:389): Warning: Attempting to release replica, but unable to receive endReplication extended operation response from the replica. 
Error -5 (Timed out) [10/Mar/2016:14:17:22 -0600] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-jutta.cc.umanitoba.ca-pki-tomcat" (mork:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later. [10/Mar/2016:14:17:23 -0600] - slapd shutting down - signaling operation threads - op stack size 10 max work q size 7 max work q stack size 7 [10/Mar/2016:14:17:23 -0600] - slapd shutting down - waiting for 28 threads to terminate [10/Mar/2016:14:17:23 -0600] - slapd shutting down - closing down internal subsystems and plugins [10/Mar/2016:14:17:27 -0600] - Waiting for 4 database threads to stop [10/Mar/2016:14:17:27 -0600] - All database threads now stopped [10/Mar/2016:14:17:30 -0600] - slapd shutting down - freed 7 work q stack objects - freed 10 op stack objects [10/Mar/2016:14:17:30 -0600] - slapd stopped. [10/Mar/2016:14:17:32 -0600] - SSL alert: Configured NSS Ciphers [10/Mar/2016:14:17:32 -0600] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled [10/Mar/2016:14:17:32 -0600] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled [10/Mar/2016:14:17:32 -0600] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384: enabled [10/Mar/2016:14:17:32 -0600] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled [10/Mar/2016:14:17:32 -0600] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled [10/Mar/2016:14:17:32 -0600] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled [10/Mar/2016:14:17:32 -0600] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled [10/Mar/2016:14:17:32 -0600] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled [10/Mar/2016:14:17:32 -0600] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384: enabled [10/Mar/2016:14:17:32 -0600] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled [10/Mar/2016:14:17:32 -0600] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled [10/Mar/2016:14:17:32 -0600] - SSL alert: 
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled [10/Mar/2016:14:17:32 -0600] - SSL alert: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled [10/Mar/2016:14:17:32 -0600] - SSL alert: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384: enabled [10/Mar/2016:14:17:32 -0600] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled [10/Mar/2016:14:17:32 -0600] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled [10/Mar/2016:14:17:32 -0600] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled [10/Mar/2016:14:17:32 -0600] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256: enabled [10/Mar/2016:14:17:32 -0600] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled [10/Mar/2016:14:17:32 -0600] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled [10/Mar/2016:14:17:32 -0600] - SSL alert: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled [10/Mar/2016:14:17:32 -0600] - SSL alert: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256: enabled [10/Mar/2016:14:17:32 -0600] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled [10/Mar/2016:14:17:32 -0600] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled [10/Mar/2016:14:17:32 -0600] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled [10/Mar/2016:14:17:32 -0600] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256: enabled [10/Mar/2016:14:17:32 -0600] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled [10/Mar/2016:14:17:32 -0600] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled [10/Mar/2016:14:17:32 -0600] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled [10/Mar/2016:14:17:32 -0600] - SSL alert: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: enabled [10/Mar/2016:14:17:32 -0600] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled [10/Mar/2016:14:17:32 -0600] - SSL alert: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled [10/Mar/2016:14:17:32 -0600] - SSL alert: TLS_RSA_WITH_AES_256_GCM_SHA384: enabled [10/Mar/2016:14:17:32 -0600] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled [10/Mar/2016:14:17:32 -0600] - SSL alert: 
TLS_RSA_WITH_AES_256_CBC_SHA256: enabled [10/Mar/2016:14:17:32 -0600] - SSL alert: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled [10/Mar/2016:14:17:32 -0600] - SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled [10/Mar/2016:14:17:32 -0600] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled [10/Mar/2016:14:17:32 -0600] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled [10/Mar/2016:14:17:32 -0600] - SSL alert: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled [10/Mar/2016:14:17:32 -0600] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: enabled [10/Mar/2016:14:17:32 -0600] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2 [10/Mar/2016:14:17:32 -0600] - 389-Directory/1.3.4.0 B2016.025.1958 starting up [10/Mar/2016:14:17:32 -0600] - WARNING: userRoot: entry cache size 10485760B is less than db size 430989312B; We recommend to increase the entry cache size nsslapd-cachememsize. [10/Mar/2016:14:17:32 -0600] - resizing db cache size: 20000000 -> 10000000 [10/Mar/2016:14:17:33 -0600] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=uofmt1 [10/Mar/2016:14:18:41 -0600] NSACLPlugin - The ACL target cn=dns,dc=uofmt1 does not exist [10/Mar/2016:14:18:41 -0600] NSACLPlugin - The ACL target cn=dns,dc=uofmt1 does not exist [10/Mar/2016:14:18:41 -0600] NSACLPlugin - The ACL target cn=keys,cn=sec,cn=dns,dc=uofmt1 does not exist [10/Mar/2016:14:18:41 -0600] NSACLPlugin - The ACL target cn=dns,dc=uofmt1 does not exist [10/Mar/2016:14:18:41 -0600] NSACLPlugin - The ACL target cn=dns,dc=uofmt1 does not exist [10/Mar/2016:14:18:41 -0600] NSACLPlugin - The ACL target cn=groups,cn=compat,dc=uofmt1 does not exist [10/Mar/2016:14:18:41 -0600] NSACLPlugin - The ACL target cn=computers,cn=compat,dc=uofmt1 does not exist [10/Mar/2016:14:18:41 -0600] NSACLPlugin - The ACL target cn=ng,cn=compat,dc=uofmt1 does not exist [10/Mar/2016:14:18:41 -0600] NSACLPlugin - The ACL target ou=sudoers,dc=uofmt1 does not exist [10/Mar/2016:14:18:41 -0600] NSACLPlugin - The ACL 
target cn=users,cn=compat,dc=uofmt1 does not exist [10/Mar/2016:14:18:41 -0600] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=uofmt1 does not exist [10/Mar/2016:14:18:41 -0600] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=uofmt1 does not exist [10/Mar/2016:14:18:41 -0600] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=uofmt1 does not exist [10/Mar/2016:14:18:41 -0600] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=uofmt1 does not exist [10/Mar/2016:14:18:41 -0600] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=uofmt1 does not exist [10/Mar/2016:14:18:41 -0600] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=uofmt1 does not exist [10/Mar/2016:14:18:41 -0600] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=uofmt1 does not exist [10/Mar/2016:14:18:41 -0600] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=uofmt1 does not exist [10/Mar/2016:14:18:41 -0600] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=uofmt1 does not exist [10/Mar/2016:14:18:41 -0600] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=uofmt1 does not exist [10/Mar/2016:14:18:41 -0600] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=uofmt1 does not exist [10/Mar/2016:14:18:41 -0600] NSACLPlugin - The ACL target cn=ad,cn=etc,dc=uofmt1 does not exist [10/Mar/2016:14:18:41 -0600] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=uofmt1 does not exist [10/Mar/2016:14:18:41 -0600] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=uofmt1 does not exist [10/Mar/2016:14:18:41 -0600] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=uofmt1--no CoS Templates found, which should be added before the CoS Definition. [10/Mar/2016:14:18:41 -0600] ipalockout_get_global_config - [file ipa_lockout.c, line 185]: Failed to get default realm (-1765328160) [10/Mar/2016:14:18:41 -0600] ipaenrollment_start - [file ipa_enrollment.c, line 393]: Failed to get default realm?! [10/Mar/2016:14:18:41 -0600] - slapd started. 
Listening on All Interfaces port 389 for LDAP requests [10/Mar/2016:14:18:41 -0600] - Listening on All Interfaces port 636 for LDAPS requests [10/Mar/2016:14:18:41 -0600] - Listening on /var/run/slapd-UOFMT1.socket for LDAPI requests [10/Mar/2016:14:20:33 -0600] set_krb5_creds - Could not get initial credentials for principal [ldap/jutta.cc.umanitoba.ca at UOFMT1] in keytab [FILE:/etc/krb5.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [10/Mar/2016:14:20:33 -0600] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success) [10/Mar/2016:14:20:33 -0600] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [10/Mar/2016:14:20:33 -0600] NSMMReplicationPlugin - agmt="cn=meTomork.cc.umanitoba.ca" (mork:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) [10/Mar/2016:14:20:37 -0600] set_krb5_creds - Could not get initial credentials for principal [ldap/jutta.cc.umanitoba.ca at UOFMT1] in keytab [FILE:/etc/krb5.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [10/Mar/2016:14:20:37 -0600] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success) [10/Mar/2016:14:20:37 -0600] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [10/Mar/2016:14:20:54 -0600] set_krb5_creds - Could not get initial credentials for principal [ldap/jutta.cc.umanitoba.ca at UOFMT1] in keytab [FILE:/etc/krb5.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [10/Mar/2016:14:20:54 -0600] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success) [10/Mar/2016:14:20:54 -0600] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [10/Mar/2016:14:20:55 -0600] set_krb5_creds - Could not get initial credentials for principal [ldap/jutta.cc.umanitoba.ca at UOFMT1] in keytab [FILE:/etc/krb5.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [10/Mar/2016:14:20:55 -0600] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success) [10/Mar/2016:14:20:55 -0600] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [10/Mar/2016:14:21:19 -0600] set_krb5_creds - Could not get initial credentials for principal [ldap/jutta.cc.umanitoba.ca at UOFMT1] in keytab [FILE:/etc/krb5.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [10/Mar/2016:14:21:19 -0600] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success) [10/Mar/2016:14:21:19 -0600] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [10/Mar/2016:14:22:07 -0600] set_krb5_creds - Could not get initial credentials for principal [ldap/jutta.cc.umanitoba.ca at UOFMT1] in keytab [FILE:/etc/krb5.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [10/Mar/2016:14:22:07 -0600] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success) [10/Mar/2016:14:22:07 -0600] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [10/Mar/2016:14:23:43 -0600] set_krb5_creds - Could not get initial credentials for principal [ldap/jutta.cc.umanitoba.ca at UOFMT1] in keytab [FILE:/etc/krb5.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [10/Mar/2016:14:23:43 -0600] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success) [10/Mar/2016:14:23:43 -0600] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [10/Mar/2016:14:26:55 -0600] set_krb5_creds - Could not get initial credentials for principal [ldap/jutta.cc.umanitoba.ca at UOFMT1] in keytab [FILE:/etc/krb5.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [10/Mar/2016:14:26:55 -0600] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success) [10/Mar/2016:14:26:55 -0600] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [10/Mar/2016:14:31:55 -0600] set_krb5_creds - Could not get initial credentials for principal [ldap/jutta.cc.umanitoba.ca at UOFMT1] in keytab [FILE:/etc/krb5.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [10/Mar/2016:14:31:55 -0600] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success) [10/Mar/2016:14:31:55 -0600] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [10/Mar/2016:14:36:55 -0600] set_krb5_creds - Could not get initial credentials for principal [ldap/jutta.cc.umanitoba.ca at UOFMT1] in keytab [FILE:/etc/krb5.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [10/Mar/2016:14:36:55 -0600] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success) [10/Mar/2016:14:36:55 -0600] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [10/Mar/2016:14:41:55 -0600] set_krb5_creds - Could not get initial credentials for principal [ldap/jutta.cc.umanitoba.ca at UOFMT1] in keytab [FILE:/etc/krb5.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [10/Mar/2016:14:41:55 -0600] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success) [10/Mar/2016:14:41:55 -0600] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) -------------- next part -------------- otp: Loaded Mar 10 14:20:39 jutta.cc.umanitoba.ca krb5kdc[25950](Error): preauth pkinit failed to initialize: No realms configured correctly for pkinit support Mar 10 14:20:39 jutta.cc.umanitoba.ca krb5kdc[25950](info): setting up network... 
Mar 10 14:20:39 jutta.cc.umanitoba.ca krb5kdc[25950](info): listening on fd 6: udp 0.0.0.0.88 (pktinfo) krb5kdc: setsockopt(7,IPV6_V6ONLY,1) worked Mar 10 14:20:39 jutta.cc.umanitoba.ca krb5kdc[25950](info): listening on fd 7: udp ::.88 (pktinfo) krb5kdc: setsockopt(8,IPV6_V6ONLY,1) worked Mar 10 14:20:39 jutta.cc.umanitoba.ca krb5kdc[25950](info): listening on fd 9: tcp 0.0.0.0.88 Mar 10 14:20:39 jutta.cc.umanitoba.ca krb5kdc[25950](info): listening on fd 8: tcp ::.88 Mar 10 14:20:39 jutta.cc.umanitoba.ca krb5kdc[25950](info): set up 4 sockets Mar 10 14:20:39 jutta.cc.umanitoba.ca krb5kdc[25951](info): creating 64 worker processes Mar 10 14:20:39 jutta.cc.umanitoba.ca krb5kdc[25951](info): closing down fd 8 Mar 10 14:20:39 jutta.cc.umanitoba.ca krb5kdc[25951](info): closing down fd 9 Mar 10 14:20:39 jutta.cc.umanitoba.ca krb5kdc[25951](info): closing down fd 7 Mar 10 14:20:39 jutta.cc.umanitoba.ca krb5kdc[25951](info): closing down fd 6 Mar 10 14:20:47 jutta.cc.umanitoba.ca krb5kdc[25952](info): commencing operation Mar 10 14:20:47 jutta.cc.umanitoba.ca krb5kdc[25954](info): commencing operation Mar 10 14:20:48 jutta.cc.umanitoba.ca krb5kdc[25953](info): commencing operation Mar 10 14:20:48 jutta.cc.umanitoba.ca krb5kdc[25957](info): commencing operation Mar 10 14:20:48 jutta.cc.umanitoba.ca krb5kdc[25956](info): commencing operation Mar 10 14:20:48 jutta.cc.umanitoba.ca krb5kdc[25955](info): commencing operation krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm 
UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 10 14:20:49 jutta.cc.umanitoba.ca krb5kdc[25951](Error): worker 25959 exited with status 256 Mar 10 14:20:49 jutta.cc.umanitoba.ca krb5kdc[25955](debug): Got signal to request exit Mar 10 14:20:49 jutta.cc.umanitoba.ca krb5kdc[25955](info): closing down fd 8 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 10 14:20:49 jutta.cc.umanitoba.ca krb5kdc[25955](info): closing down fd 9 Mar 10 14:20:49 jutta.cc.umanitoba.ca krb5kdc[25953](debug): Got signal to request exit krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 10 14:20:49 jutta.cc.umanitoba.ca krb5kdc[25956](debug): Got signal to request exit Mar 10 14:20:49 jutta.cc.umanitoba.ca krb5kdc[25954](debug): Got signal to request exit Mar 10 14:20:49 jutta.cc.umanitoba.ca krb5kdc[25952](debug): Got signal to request exit krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 10 14:20:49 jutta.cc.umanitoba.ca krb5kdc[25955](info): closing down fd 7 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 10 14:20:49 jutta.cc.umanitoba.ca krb5kdc[25955](info): closing down fd 6 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 10 14:20:49 jutta.cc.umanitoba.ca krb5kdc[25953](info): closing down fd 8 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 10 14:20:49 jutta.cc.umanitoba.ca krb5kdc[25955](info): shutting 
down krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 10 14:20:49 jutta.cc.umanitoba.ca krb5kdc[25952](info): closing down fd 8 Mar 10 14:20:49 jutta.cc.umanitoba.ca krb5kdc[25953](info): closing down fd 9 Mar 10 14:20:49 jutta.cc.umanitoba.ca krb5kdc[25956](info): closing down fd 8 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 10 14:20:49 jutta.cc.umanitoba.ca krb5kdc[25954](info): closing down fd 8 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 10 14:20:49 jutta.cc.umanitoba.ca krb5kdc[25952](info): closing down fd 9 Mar 10 14:20:49 jutta.cc.umanitoba.ca krb5kdc[25953](info): closing down fd 7 Mar 10 14:20:49 jutta.cc.umanitoba.ca krb5kdc[25956](info): closing down fd 9 Mar 10 14:20:49 jutta.cc.umanitoba.ca krb5kdc[25954](info): closing down fd 9 Mar 10 14:20:49 jutta.cc.umanitoba.ca krb5kdc[25952](info): closing down fd 7 Mar 10 14:20:49 jutta.cc.umanitoba.ca krb5kdc[25953](info): closing down fd 6 Mar 10 14:20:49 jutta.cc.umanitoba.ca krb5kdc[25956](info): closing down fd 7 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 10 14:20:49 jutta.cc.umanitoba.ca krb5kdc[25952](info): closing down fd 6 Mar 10 14:20:49 jutta.cc.umanitoba.ca krb5kdc[25954](info): closing down fd 7 Mar 10 14:20:49 jutta.cc.umanitoba.ca 
krb5kdc[25956](info): closing down fd 6 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 10 14:20:49 jutta.cc.umanitoba.ca krb5kdc[25953](info): shutting down krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 10 14:20:49 jutta.cc.umanitoba.ca krb5kdc[25952](info): shutting down krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 10 14:20:49 jutta.cc.umanitoba.ca krb5kdc[25954](info): closing down fd 6 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 10 14:20:49 jutta.cc.umanitoba.ca krb5kdc[25956](info): shutting down krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 10 14:20:49 jutta.cc.umanitoba.ca krb5kdc[25954](info): shutting down krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - 
while fetching master key K/M for realm UOFMT1 Mar 10 14:20:54 jutta.cc.umanitoba.ca krb5kdc[25957](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 130.179.19.176: LOOKING_UP_CLIENT: ldap/jutta.cc.umanitoba.ca at UOFMT1 for krbtgt/UOFMT1 at UOFMT1, Server error Mar 10 14:20:54 jutta.cc.umanitoba.ca krb5kdc[25957](debug): Got signal to request exit Mar 10 14:20:54 jutta.cc.umanitoba.ca krb5kdc[25957](info): closing down fd 12 Mar 10 14:20:54 jutta.cc.umanitoba.ca krb5kdc[25957](info): closing down fd 8 Mar 10 14:20:54 jutta.cc.umanitoba.ca krb5kdc[25957](info): closing down fd 9 Mar 10 14:20:54 jutta.cc.umanitoba.ca krb5kdc[25957](info): closing down fd 7 Mar 10 14:20:54 jutta.cc.umanitoba.ca krb5kdc[25957](info): closing down fd 6 Mar 10 14:20:54 jutta.cc.umanitoba.ca krb5kdc[25957](info): shutting down -------------- next part -------------- Mar 8 11:33:38 jutta rsyslogd: [origin software="rsyslogd" swVersion="7.4.7" x-pid="1409" x-info="http://www.rsyslog.com"] start Mar 8 11:33:11 jutta journal: Runtime journal is using 8.0M (max allowed 4.0G, trying to leave 4.0G free of 125.8G available ? current limit 4.0G). Mar 8 11:33:11 jutta journal: Runtime journal is using 8.0M (max allowed 4.0G, trying to leave 4.0G free of 125.8G available ? current limit 4.0G). 
11:33:11 jutta kernel: SRAT: PXM 0 -> APIC 0x11 -> Node 0 Mar 8 11:33:11 jutta kernel: SRAT: PXM 0 -> APIC 0x13 -> Node 0 Mar 8 11:33:11 jutta kernel: SRAT: PXM 0 -> APIC 0x21 -> Node 0 Mar 8 11:33:11 jutta kernel: SRAT: PXM 0 -> APIC 0x23 -> Node 0 Mar 8 11:33:11 jutta kernel: SRAT: PXM 0 -> APIC 0x25 -> Node 0 Mar 8 11:33:11 jutta kernel: SRAT: PXM 0 -> APIC 0x31 -> Node 0 Mar 8 11:33:11 jutta kernel: SRAT: PXM 1 -> APIC 0x40 -> Node 1 Mar 8 11:33:11 jutta kernel: SRAT: PXM 1 -> APIC 0x42 -> Node 1 Mar 8 11:33:11 jutta kernel: SRAT: PXM 1 -> APIC 0x44 -> Node 1 Mar 8 11:33:11 jutta kernel: SRAT: PXM 1 -> APIC 0x50 -> Node 1 Mar 8 11:33:11 jutta kernel: SRAT: PXM 1 -> APIC 0x62 -> Node 1 Mar 8 11:33:11 jutta kernel: SRAT: PXM 1 -> APIC 0x64 -> Node 1 Mar 8 11:33:11 jutta kernel: SRAT: PXM 1 -> APIC 0x70 -> Node 1 Mar 8 11:33:11 jutta kernel: SRAT: PXM 1 -> APIC 0x72 -> Node 1 Mar 8 11:33:11 jutta kernel: SRAT: PXM 1 -> APIC 0x41 -> Node 1 Mar 8 11:33:11 jutta kernel: SRAT: PXM 1 -> APIC 0x43 -> Node 1 Mar 8 11:33:11 jutta kernel: SRAT: PXM 1 -> APIC 0x45 -> Node 1 Mar 8 11:33:11 jutta kernel: SRAT: PXM 1 -> APIC 0x51 -> Node 1 Mar 8 11:33:11 jutta kernel: SRAT: PXM 1 -> APIC 0x63 -> Node 1 Mar 8 11:33:11 jutta kernel: SRAT: PXM 1 -> APIC 0x65 -> Node 1 Mar 8 11:33:11 jutta kernel: SRAT: PXM 1 -> APIC 0x71 -> Node 1 Mar 8 11:33:11 jutta kernel: SRAT: PXM 1 -> APIC 0x73 -> Node 1 Mar 8 11:33:11 jutta kernel: SRAT: PXM 2 -> APIC 0x80 -> Node 2 Mar 8 11:33:11 jutta kernel: SRAT: PXM 2 -> APIC 0x84 -> Node 2 Mar 8 11:33:11 jutta kernel: SRAT: PXM 2 -> APIC 0x90 -> Node 2 Mar 8 11:33:11 jutta kernel: SRAT: PXM 2 -> APIC 0x92 -> Node 2 Mar 8 11:33:11 jutta kernel: SRAT: PXM 2 -> APIC 0xa0 -> Node 2 Mar 8 11:33:11 jutta kernel: SRAT: PXM 2 -> APIC 0xa2 -> Node 2 Mar 8 11:33:11 jutta kernel: SRAT: PXM 2 -> APIC 0xa4 -> Node 2 Mar 8 11:33:11 jutta kernel: SRAT: PXM 2 -> APIC 0xb2 -> Node 2 Mar 8 11:33:11 jutta kernel: SRAT: PXM 2 -> APIC 0x81 -> Node 2 Mar 8 11:33:11 jutta 
kernel: SRAT: PXM 2 -> APIC 0x85 -> Node 2 Mar 8 11:33:11 jutta kernel: SRAT: PXM 2 -> APIC 0x91 -> Node 2 Mar 8 11:33:11 jutta kernel: SRAT: PXM 2 -> APIC 0x93 -> Node 2 Mar 8 11:33:11 jutta kernel: SRAT: PXM 2 -> APIC 0xa1 -> Node 2 Mar 8 11:33:11 jutta kernel: SRAT: PXM 2 -> APIC 0xa3 -> Node 2 Mar 8 11:33:11 jutta kernel: SRAT: PXM 2 -> APIC 0xa5 -> Node 2 Mar 8 11:33:11 jutta kernel: SRAT: PXM 2 -> APIC 0xb3 -> Node 2 Mar 8 11:33:11 jutta kernel: SRAT: PXM 3 -> APIC 0xc0 -> Node 3 Mar 8 11:33:11 jutta kernel: SRAT: PXM 3 -> APIC 0xc2 -> Node 3 Mar 8 11:33:11 jutta kernel: SRAT: PXM 3 -> APIC 0xd0 -> Node 3 Mar 8 11:33:11 jutta kernel: SRAT: PXM 3 -> APIC 0xd2 -> Node 3 Mar 8 11:33:11 jutta kernel: SRAT: PXM 3 -> APIC 0xe0 -> Node 3 Mar 8 11:33:11 jutta kernel: SRAT: PXM 3 -> APIC 0xe2 -> Node 3 Mar 8 11:33:11 jutta kernel: SRAT: PXM 3 -> APIC 0xf0 -> Node 3 Mar 8 11:33:11 jutta kernel: SRAT: PXM 3 -> APIC 0xf2 -> Node 3 Mar 8 11:33:11 jutta kernel: SRAT: PXM 3 -> APIC 0xc1 -> Node 3 Mar 8 11:33:11 jutta kernel: SRAT: PXM 3 -> APIC 0xc3 -> Node 3 Mar 8 11:33:11 jutta kernel: SRAT: PXM 3 -> APIC 0xd1 -> Node 3 Mar 8 11:33:11 jutta kernel: SRAT: PXM 3 -> APIC 0xd3 -> Node 3 Mar 8 11:33:11 jutta kernel: SRAT: PXM 3 -> APIC 0xe1 -> Node 3 Mar 8 11:33:11 jutta kernel: SRAT: PXM 3 -> APIC 0xe3 -> Node 3 Mar 8 11:33:11 jutta kernel: SRAT: PXM 3 -> APIC 0xf1 -> Node 3 Mar 8 11:33:11 jutta kernel: SRAT: PXM 3 -> APIC 0xf3 -> Node 3 Mar 8 11:33:11 jutta kernel: SRAT: Node 0 PXM 0 [mem 0x00000000-0x0009ffff] Mar 8 11:33:11 jutta kernel: SRAT: Node 0 PXM 0 [mem 0x00100000-0x7fffffff] Mar 8 11:33:11 jutta kernel: SRAT: Node 0 PXM 0 [mem 0x100000000-0x107fffffff] Mar 8 11:33:11 jutta kernel: SRAT: Node 1 PXM 1 [mem 0x1080000000-0x207fffffff] Mar 8 11:33:11 jutta kernel: SRAT: Node 2 PXM 2 [mem 0x2080000000-0x307fffffff] Mar 8 11:33:11 jutta kernel: SRAT: Node 3 PXM 3 [mem 0x3080000000-0x407fffffff] Mar 8 11:33:11 jutta kernel: NUMA: Node 0 [mem 0x00000000-0x0009ffff] + [mem 
0x00100000-0x7fffffff] -> [mem 0x00000000-0x7fffffff] Mar 8 11:33:11 jutta kernel: NUMA: Node 0 [mem 0x00000000-0x7fffffff] + [mem 0x100000000-0x107fffffff] -> [mem 0x00000000-0x107fffffff] Mar 8 11:33:11 jutta kernel: Initmem setup node 0 [mem 0x00000000-0x107fffffff] Mar 8 11:33:11 jutta kernel: NODE_DATA [mem 0x107ffd9000-0x107fffffff] Mar 8 11:33:11 jutta kernel: Initmem setup node 1 [mem 0x1080000000-0x207fffffff] Mar 8 11:33:11 jutta kernel: NODE_DATA [mem 0x207ffd9000-0x207fffffff] Mar 8 11:33:11 jutta kernel: Initmem setup node 2 [mem 0x2080000000-0x307fffffff] Mar 8 11:33:11 jutta kernel: NODE_DATA [mem 0x307ffd9000-0x307fffffff] Mar 8 11:33:11 jutta kernel: Initmem setup node 3 [mem 0x3080000000-0x407fffffff] Mar 8 11:33:11 jutta kernel: NODE_DATA [mem 0x407ffd6000-0x407fffcfff] Mar 8 11:33:11 jutta kernel: Reserving 176MB of memory at 672MB for crashkernel (System RAM: 262134MB) Mar 8 11:33:11 jutta kernel: Zone ranges: Mar 8 11:33:11 jutta kernel: DMA [mem 0x00001000-0x00ffffff] Mar 8 11:33:11 jutta kernel: DMA32 [mem 0x01000000-0xffffffff] Mar 8 11:33:11 jutta kernel: Normal [mem 0x100000000-0x407fffffff] Mar 8 11:33:11 jutta kernel: Movable zone start for each node Mar 8 11:33:11 jutta kernel: Early memory node ranges Mar 8 11:33:11 jutta kernel: node 0: [mem 0x00001000-0x00096fff] Mar 8 11:33:11 jutta kernel: node 0: [mem 0x00100000-0x7f73ffff] Mar 8 11:33:11 jutta kernel: node 0: [mem 0x100000000-0x107fffffff] Mar 8 11:33:11 jutta kernel: node 1: [mem 0x1080000000-0x207fffffff] Mar 8 11:33:11 jutta kernel: node 2: [mem 0x2080000000-0x307fffffff] Mar 8 11:33:11 jutta kernel: node 3: [mem 0x3080000000-0x407fffffff] Mar 8 11:33:11 jutta kernel: ACPI: PM-Timer IO Port: 0x808 Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x01] lapic_id[0x02] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x02] lapic_id[0x04] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x03] lapic_id[0x10] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC 
(acpi_id[0x04] lapic_id[0x12] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x05] lapic_id[0x20] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x06] lapic_id[0x22] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x07] lapic_id[0x24] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x08] lapic_id[0x30] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x09] lapic_id[0x40] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x0a] lapic_id[0x42] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x0b] lapic_id[0x44] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x0c] lapic_id[0x50] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x0d] lapic_id[0x62] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x0e] lapic_id[0x64] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x0f] lapic_id[0x70] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x10] lapic_id[0x72] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x11] lapic_id[0x80] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x12] lapic_id[0x84] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x13] lapic_id[0x90] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x14] lapic_id[0x92] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x15] lapic_id[0xa0] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x16] lapic_id[0xa2] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x17] lapic_id[0xa4] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x18] lapic_id[0xb2] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x19] lapic_id[0xc0] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x1a] lapic_id[0xc2] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x1b] lapic_id[0xd0] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x1c] lapic_id[0xd2] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC 
(acpi_id[0x1d] lapic_id[0xe0] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x1e] lapic_id[0xe2] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x1f] lapic_id[0xf0] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x20] lapic_id[0xf2] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x21] lapic_id[0x03] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x22] lapic_id[0x05] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x23] lapic_id[0x11] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x24] lapic_id[0x13] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x25] lapic_id[0x21] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x26] lapic_id[0x23] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x27] lapic_id[0x25] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x28] lapic_id[0x31] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x29] lapic_id[0x41] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x2a] lapic_id[0x43] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x2b] lapic_id[0x45] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x2c] lapic_id[0x51] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x2d] lapic_id[0x63] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x2e] lapic_id[0x65] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x2f] lapic_id[0x71] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x30] lapic_id[0x73] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x31] lapic_id[0x81] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x32] lapic_id[0x85] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x33] lapic_id[0x91] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x34] lapic_id[0x93] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x35] lapic_id[0xa1] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC 
(acpi_id[0x36] lapic_id[0xa3] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x37] lapic_id[0xa5] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x38] lapic_id[0xb3] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x39] lapic_id[0xc1] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x3a] lapic_id[0xc3] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x3b] lapic_id[0xd1] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x3c] lapic_id[0xd3] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x3d] lapic_id[0xe1] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x3e] lapic_id[0xe3] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x3f] lapic_id[0xf1] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x40] lapic_id[0xf3] enabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x41] lapic_id[0xc0] disabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x42] lapic_id[0xc1] disabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x43] lapic_id[0xc2] disabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x44] lapic_id[0xc3] disabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x45] lapic_id[0xc4] disabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x46] lapic_id[0xc5] disabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x47] lapic_id[0xc6] disabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x48] lapic_id[0xc7] disabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x49] lapic_id[0xc8] disabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x4a] lapic_id[0xc9] disabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x4b] lapic_id[0xca] disabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x4c] lapic_id[0xcb] disabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x4d] lapic_id[0xcc] disabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x4e] lapic_id[0xcd] disabled) Mar 8 11:33:11 jutta 
kernel: ACPI: LAPIC (acpi_id[0x4f] lapic_id[0xce] disabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC (acpi_id[0x50] lapic_id[0xcf] disabled) Mar 8 11:33:11 jutta kernel: ACPI: LAPIC_NMI (acpi_id[0xff] high edge lint[0x1]) Mar 8 11:33:11 jutta kernel: ACPI: IOAPIC (id[0x06] address[0xfec00000] gsi_base[0]) Mar 8 11:33:11 jutta kernel: IOAPIC[0]: apic_id 6, version 32, address 0xfec00000, GSI 0-23 Mar 8 11:33:11 jutta kernel: ACPI: IOAPIC (id[0x07] address[0xfec02000] gsi_base[24]) Mar 8 11:33:11 jutta kernel: IOAPIC[1]: apic_id 7, version 32, address 0xfec02000, GSI 24-47 Mar 8 11:33:11 jutta kernel: ACPI: IOAPIC (id[0x08] address[0xfec04000] gsi_base[48]) Mar 8 11:33:11 jutta kernel: IOAPIC[2]: apic_id 8, version 32, address 0xfec04000, GSI 48-71 Mar 8 11:33:11 jutta kernel: ACPI: INT_SRC_OVR (bus 0 bus_irq 0 global_irq 2 dfl dfl) Mar 8 11:33:11 jutta kernel: ACPI: INT_SRC_OVR (bus 0 bus_irq 9 global_irq 9 high level) Mar 8 11:33:11 jutta kernel: Using ACPI (MADT) for SMP configuration information Mar 8 11:33:11 jutta kernel: ACPI: HPET id: 0x8086a301 base: 0xfed00000 Mar 8 11:33:11 jutta kernel: smpboot: Allowing 80 CPUs, 16 hotplug CPUs Mar 8 11:33:11 jutta kernel: PM: Registered nosave memory: [mem 0x00097000-0x00097fff] Mar 8 11:33:11 jutta kernel: PM: Registered nosave memory: [mem 0x00098000-0x0009ffff] Mar 8 11:33:11 jutta kernel: PM: Registered nosave memory: [mem 0x000a0000-0x000dffff] Mar 8 11:33:11 jutta kernel: PM: Registered nosave memory: [mem 0x000e0000-0x000fffff] Mar 8 11:33:11 jutta kernel: PM: Registered nosave memory: [mem 0x7f740000-0x7f74dfff] Mar 8 11:33:11 jutta kernel: PM: Registered nosave memory: [mem 0x7f74e000-0x7f74ffff] Mar 8 11:33:11 jutta kernel: PM: Registered nosave memory: [mem 0x7f750000-0x7f75dfff] Mar 8 11:33:11 jutta kernel: PM: Registered nosave memory: [mem 0x7f75e000-0x7f7cffff] Mar 8 11:33:11 jutta kernel: PM: Registered nosave memory: [mem 0x7f7d0000-0x7f7dffff] Mar 8 11:33:11 jutta kernel: PM: Registered nosave memory: 
[mem 0x7f7e0000-0x7f7ebfff] Mar 8 11:33:11 jutta kernel: PM: Registered nosave memory: [mem 0x7f7ec000-0x8fffffff] Mar 8 11:33:11 jutta kernel: PM: Registered nosave memory: [mem 0x90000000-0xfedfffff] Mar 8 11:33:11 jutta kernel: PM: Registered nosave memory: [mem 0xfee00000-0xfee00fff] Mar 8 11:33:11 jutta kernel: PM: Registered nosave memory: [mem 0xfee01000-0xffbfffff] Mar 8 11:33:11 jutta kernel: PM: Registered nosave memory: [mem 0xffc00000-0xffffffff] Mar 8 11:33:11 jutta kernel: e820: [mem 0x90000000-0xfedfffff] available for PCI devices Mar 8 11:33:11 jutta kernel: Booting paravirtualized kernel on bare hardware Mar 8 11:33:11 jutta kernel: setup_percpu: NR_CPUS:5120 nr_cpumask_bits:80 nr_cpu_ids:80 nr_node_ids:4 Mar 8 11:33:11 jutta kernel: PERCPU: Embedded 31 pages/cpu @ffff88103f800000 s87168 r8192 d31616 u262144 Mar 8 11:33:11 jutta kernel: Built 4 zonelists in Zone order, mobility grouping on. Total pages: 66057956 Mar 8 11:33:11 jutta kernel: Policy zone: Normal Mar 8 11:33:11 jutta kernel: Kernel command line: BOOT_IMAGE=/vmlinuz-3.10.0-327.el7.x86_64 root=/dev/mapper/rootvg-lv_root ro nomodeset crashkernel=auto rd.lvm.lv=rootvg/lv_root rd.lvm.lv=rootvg/lv_swap biosdevname=0 net.ifnames=0 console=ttyS0,9600 LANG=en_US.UTF-8 Mar 8 11:33:11 jutta kernel: PID hash table entries: 4096 (order: 3, 32768 bytes) Mar 8 11:33:11 jutta kernel: AGP: Checking aperture... Mar 8 11:33:11 jutta kernel: AGP: No AGP bridge found Mar 8 11:33:11 jutta kernel: Memory: 263939732k/270532608k available (6440k kernel code, 2106536k absent, 4486340k reserved, 4266k data, 1620k init) Mar 8 11:33:11 jutta kernel: SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=80, Nodes=4 Mar 8 11:33:11 jutta kernel: Hierarchical RCU implementation. Mar 8 11:33:11 jutta kernel: #011RCU restricting CPUs from NR_CPUS=5120 to nr_cpu_ids=80. Mar 8 11:33:11 jutta kernel: #011Offload RCU callbacks from all CPUs Mar 8 11:33:11 jutta kernel: #011Offload RCU callbacks from CPUs: 0-79. 
Mar 8 11:33:11 jutta kernel: NR_IRQS:327936 nr_irqs:1880 0 Mar 8 11:33:11 jutta kernel: Console: colour VGA+ 80x25 Mar 8 11:33:11 jutta kernel: console [ttyS0] enabled Mar 8 11:33:11 jutta kernel: allocated 1073741824 bytes of page_cgroup Mar 8 11:33:11 jutta kernel: please try 'cgroup_disable=memory' option if you don't want memory cgroups Mar 8 11:33:11 jutta kernel: Enabling automatic NUMA balancing. Configure with numa_balancing= or the kernel.numa_balancing sysctl Mar 8 11:33:11 jutta kernel: tsc: Fast TSC calibration using PIT Mar 8 11:33:11 jutta kernel: tsc: Detected 1994.999 MHz processor Mar 8 11:33:11 jutta kernel: Calibrating delay loop (skipped), value calculated using timer frequency.. 3989.99 BogoMIPS (lpj=1994999) Mar 8 11:33:11 jutta kernel: pid_max: default: 81920 minimum: 640 Mar 8 11:33:11 jutta kernel: Security Framework initialized Mar 8 11:33:11 jutta kernel: SELinux: Initializing. Mar 8 11:33:11 jutta kernel: Dentry cache hash table entries: 33554432 (order: 16, 268435456 bytes) Mar 8 11:33:11 jutta kernel: Inode-cache hash table entries: 16777216 (order: 15, 134217728 bytes) Mar 8 11:33:11 jutta kernel: Mount-cache hash table entries: 4096 Mar 8 11:33:11 jutta kernel: Initializing cgroup subsys memory Mar 8 11:33:11 jutta kernel: Initializing cgroup subsys devices Mar 8 11:33:11 jutta kernel: Initializing cgroup subsys freezer Mar 8 11:33:11 jutta kernel: Initializing cgroup subsys net_cls Mar 8 11:33:11 jutta kernel: Initializing cgroup subsys blkio Mar 8 11:33:11 jutta kernel: Initializing cgroup subsys perf_event Mar 8 11:33:11 jutta kernel: Initializing cgroup subsys hugetlb Mar 8 11:33:11 jutta kernel: CPU: Physical Processor ID: 0 Mar 8 11:33:11 jutta kernel: CPU: Processor Core ID: 1 Mar 8 11:33:11 jutta kernel: ENERGY_PERF_BIAS: Set to 'normal', was 'performance'#012ENERGY_PERF_BIAS: View and update with x86_energy_perf_policy(8) Mar 8 11:33:11 jutta kernel: mce: CPU supports 24 MCE banks Mar 8 11:33:11 jutta kernel: CPU0: Thermal 
monitoring enabled (TM1) Mar 8 11:33:11 jutta kernel: Last level iTLB entries: 4KB 512, 2MB 7, 4MB 7#012Last level dTLB entries: 4KB 512, 2MB 32, 4MB 32#012tlb_flushall_shift: 6 Mar 8 11:33:11 jutta kernel: Freeing SMP alternatives: 28k freed Mar 8 11:33:11 jutta kernel: ACPI: Core revision 20130517 Mar 8 11:33:11 jutta kernel: ACPI: All ACPI Tables successfully acquired Mar 8 11:33:11 jutta kernel: ftrace: allocating 24585 entries in 97 pages Mar 8 11:33:11 jutta kernel: dmar: Host address width 46 Mar 8 11:33:11 jutta kernel: dmar: DRHD base: 0x000000fbefe000 flags: 0x0 Mar 8 11:33:11 jutta kernel: dmar: IOMMU 0: reg_base_addr fbefe000 ver 1:0 cap c90780106f0462 ecap f020fe Mar 8 11:33:11 jutta kernel: dmar: DRHD base: 0x000000cf4fe000 flags: 0x1 Mar 8 11:33:11 jutta kernel: dmar: IOMMU 1: reg_base_addr cf4fe000 ver 1:0 cap c90780106f0462 ecap f020fe Mar 8 11:33:11 jutta kernel: dmar: RMRR base: 0x000000000ec000 end: 0x000000000effff Mar 8 11:33:11 jutta kernel: dmar: RMRR base: 0x0000007f7ec000 end: 0x0000007f7fffff Mar 8 11:33:11 jutta kernel: dmar: ATSR flags: 0x0 Mar 8 11:33:11 jutta kernel: IOAPIC id 8 under DRHD base 0xfbefe000 IOMMU 0 Mar 8 11:33:11 jutta kernel: IOAPIC id 6 under DRHD base 0xcf4fe000 IOMMU 1 Mar 8 11:33:11 jutta kernel: IOAPIC id 7 under DRHD base 0xcf4fe000 IOMMU 1 Mar 8 11:33:11 jutta kernel: Queued invalidation will be enabled to support x2apic and Intr-remapping. Mar 8 11:33:11 jutta kernel: Enabled IRQ remapping in x2apic mode Mar 8 11:33:11 jutta kernel: Enabling x2apic Mar 8 11:33:11 jutta kernel: Enabled x2apic Mar 8 11:33:11 jutta kernel: Switched APIC routing to cluster x2apic. Mar 8 11:33:11 jutta kernel: ..TIMER: vector=0x30 apic1=0 pin1=2 apic2=-1 pin2=-1 Mar 8 11:33:11 jutta kernel: smpboot: CPU0: Intel(R) Xeon(R) CPU E7- 4820 @ 2.00GHz (fam: 06, model: 2f, stepping: 02) Mar 8 11:33:11 jutta kernel: Performance Events: PEBS fmt1+, 16-deep LBR, Westmere events, Intel PMU driver. 
Mar 8 11:33:11 jutta kernel: perf_event_intel: CPUID marked event: 'bus cycles' unavailable Mar 8 11:33:11 jutta kernel: ... version: 3 Mar 8 11:33:11 jutta kernel: ... bit width: 48 Mar 8 11:33:11 jutta kernel: ... generic registers: 4 Mar 8 11:33:11 jutta kernel: ... value mask: 0000ffffffffffff Mar 8 11:33:11 jutta kernel: ... max period: 000000007fffffff Mar 8 11:33:11 jutta kernel: ... fixed-purpose events: 3 Mar 8 11:33:11 jutta kernel: ... event mask: 000000070000000f Mar 8 11:33:11 jutta kernel: CPU1 microcode updated early to revision 0x37, date = 2013-06-18 Mar 8 11:33:11 jutta kernel: NMI watchdog: enabled on all CPUs, permanently consumes one hw-PMU counter. Mar 8 11:33:11 jutta kernel: CPU2 microcode updated early to revision 0x37, date = 2013-06-18 Mar 8 11:33:11 jutta kernel: CPU3 microcode updated early to revision 0x37, date = 2013-06-18 Mar 8 11:33:11 jutta kernel: CPU4 microcode updated early to revision 0x37, date = 2013-06-18 Mar 8 11:33:11 jutta kernel: CPU5 microcode updated early to revision 0x37, date = 2013-06-18 Mar 8 11:33:11 jutta kernel: CPU6 microcode updated early to revision 0x37, date = 2013-06-18 Mar 8 11:33:11 jutta kernel: CPU7 microcode updated early to revision 0x37, date = 2013-06-18 Mar 8 11:33:11 jutta kernel: smpboot: Booting Node 0, Processors #1 #2 #3 #4 #5 #6 #7 OK Mar 8 11:33:11 jutta kernel: CPU8 microcode updated early to revision 0x37, date = 2013-06-18 Mar 8 11:33:11 jutta kernel: CPU9 microcode updated early to revision 0x37, date = 2013-06-18 Mar 8 11:33:11 jutta kernel: CPU10 microcode updated early to revision 0x37, date = 2013-06-18 Mar 8 11:33:11 jutta kernel: CPU11 microcode updated early to revision 0x37, date = 2013-06-18 Mar 8 11:33:11 jutta kernel: CPU12 microcode updated early to revision 0x37, date = 2013-06-18 Mar 8 11:33:11 jutta kernel: CPU13 microcode updated early to revision 0x37, date = 2013-06-18 Mar 8 11:33:11 jutta kernel: CPU14 microcode updated early to revision 0x37, date = 2013-06-18 Mar 
8 11:33:11 jutta kernel: CPU15 microcode updated early to revision 0x37, date = 2013-06-18 Mar 8 11:33:11 jutta kernel: smpboot: Booting Node 1, Processors #8 #9 #10 #11 #12 #13 #14 #15 OK Mar 8 11:33:11 jutta kernel: CPU16 microcode updated early to revision 0x37, date = 2013-06-18 Mar 8 11:33:11 jutta kernel: CPU17 microcode updated early to revision 0x37, date = 2013-06-18 Mar 8 11:33:11 jutta kernel: CPU18 microcode updated early to revision 0x37, date = 2013-06-18 Mar 8 11:33:11 jutta kernel: CPU19 microcode updated early to revision 0x37, date = 2013-06-18 Mar 8 11:33:11 jutta kernel: CPU20 microcode updated early to revision 0x37, date = 2013-06-18 Mar 8 11:33:11 jutta kernel: CPU21 microcode updated early to revision 0x37, date = 2013-06-18 Mar 8 11:33:11 jutta kernel: CPU22 microcode updated early to revision 0x37, date = 2013-06-18 Mar 8 11:33:11 jutta kernel: CPU23 microcode updated early to revision 0x37, date = 2013-06-18 Mar 8 11:33:11 jutta kernel: smpboot: Booting Node 2, Processors #16 #17 #18 #19 #20 #21 #22 #23 OK Mar 8 11:33:11 jutta kernel: CPU24 microcode updated early to revision 0x37, date = 2013-06-18 Mar 8 11:33:11 jutta kernel: CPU25 microcode updated early to revision 0x37, date = 2013-06-18 Mar 8 11:33:11 jutta kernel: CPU26 microcode updated early to revision 0x37, date = 2013-06-18 Mar 8 11:33:11 jutta kernel: CPU27 microcode updated early to revision 0x37, date = 2013-06-18 Mar 8 11:33:11 jutta kernel: CPU28 microcode updated early to revision 0x37, date = 2013-06-18 Mar 8 11:33:11 jutta kernel: CPU29 microcode updated early to revision 0x37, date = 2013-06-18 Mar 8 11:33:11 jutta kernel: CPU30 microcode updated early to revision 0x37, date = 2013-06-18 Mar 8 11:33:11 jutta kernel: CPU31 microcode updated early to revision 0x37, date = 2013-06-18 Mar 8 11:33:11 jutta kernel: smpboot: Booting Node 3, Processors #24 #25 #26 #27 #28 #29 #30 #31 OK Mar 8 11:33:11 jutta kernel: smpboot: Booting Node 0, Processors #32 #33 #34 #35 #36 #37 
#38 #39 OK Mar 8 11:33:11 jutta kernel: smpboot: Booting Node 1, Processors #40 #41 #42 #43 #44 #45 #46 #47 OK Mar 8 11:33:11 jutta kernel: smpboot: Booting Node 2, Processors #48 #49 #50 #51 #52 #53 #54 #55 OK Mar 8 11:33:11 jutta kernel: smpboot: Booting Node 3, Processors #56 #57 #58 #59 #60 #61 #62 #63 Mar 8 11:33:11 jutta kernel: Brought up 64 CPUs Mar 8 11:33:11 jutta kernel: smpboot: Total of 64 processors activated (255350.59 BogoMIPS) Mar 8 11:33:11 jutta kernel: devtmpfs: initialized Mar 8 11:33:11 jutta kernel: EVM: security.selinux Mar 8 11:33:11 jutta kernel: EVM: security.ima Mar 8 11:33:11 jutta kernel: EVM: security.capability Mar 8 11:33:11 jutta kernel: PM: Registering ACPI NVS region [mem 0x7f75e000-0x7f7cffff] (466944 bytes) Mar 8 11:33:11 jutta kernel: atomic64 test passed for x86-64 platform with CX8 and with SSE Mar 8 11:33:11 jutta kernel: NET: Registered protocol family 16 Mar 8 11:33:11 jutta kernel: ACPI FADT declares the system doesn't support PCIe ASPM, so disable it Mar 8 11:33:11 jutta kernel: ACPI: bus type PCI registered Mar 8 11:33:11 jutta kernel: acpiphp: ACPI Hot Plug PCI Controller Driver version: 0.5 Mar 8 11:33:11 jutta kernel: PCI: MMCONFIG for domain 0000 [bus 00-ff] at [mem 0x80000000-0x8fffffff] (base 0x80000000) Mar 8 11:33:11 jutta kernel: PCI: MMCONFIG at [mem 0x80000000-0x8fffffff] reserved in E820 Mar 8 11:33:11 jutta kernel: PCI: Using configuration type 1 for base access Mar 8 11:33:11 jutta kernel: ACPI: Added _OSI(Module Device) Mar 8 11:33:11 jutta kernel: ACPI: Added _OSI(Processor Device) Mar 8 11:33:11 jutta kernel: ACPI: Added _OSI(3.0 _SCP Extensions) Mar 8 11:33:11 jutta kernel: ACPI: Added _OSI(Processor Aggregator Device) Mar 8 11:33:11 jutta kernel: ACPI: SSDT 000000007f75e2d0 0CEE4 (v01 ORACLE X4470M2 00000011 INTL 20051117) Mar 8 11:33:11 jutta kernel: ACPI: Dynamic OEM Table Load: Mar 8 11:33:11 jutta kernel: ACPI: SSDT (null) 0CEE4 (v01 ORACLE X4470M2 00000011 INTL 20051117) Mar 8 11:33:11 jutta 
Mar 8 11:33:11 jutta systemd[1]: Reached target Timers. Mar 8 11:33:11 jutta systemd[1]: Starting Timers. Mar 8 11:33:11 jutta systemd[1]: Created slice -.slice. Mar 8 11:33:11 jutta systemd[1]: Starting -.slice. Mar 8 11:33:11 jutta systemd[1]: Listening on udev Kernel Socket. Mar 8 11:33:11 jutta systemd[1]: Starting udev Kernel Socket. Mar 8 11:33:11 jutta systemd[1]: Reached target Swap. Mar 8 11:33:11 jutta systemd[1]: Starting Swap. Mar 8 11:33:11 jutta systemd[1]: Listening on udev Control Socket. Mar 8 11:33:11 jutta systemd[1]: Starting udev Control Socket. Mar 8 11:33:11 jutta systemd[1]: Created slice System Slice. Mar 8 11:33:11 jutta systemd[1]: Starting System Slice. Mar 8 11:33:11 jutta systemd[1]: Reached target Slices. Mar 8 11:33:11 jutta systemd[1]: Starting Slices. Mar 8 11:33:11 jutta systemd[1]: Listening on Journal Socket. Mar 8 11:33:11 jutta systemd[1]: Starting Journal Socket. Mar 8 11:33:11 jutta systemd[1]: Starting Journal Service... Mar 8 11:33:11 jutta systemd[1]: Started Load Kernel Modules. Mar 8 11:33:11 jutta journal: Journal started Mar 8 11:33:11 jutta systemd[1]: Starting Setup Virtual Console... Mar 8 11:33:12 jutta systemd[1]: Reached target Sockets. Mar 8 11:33:12 jutta systemd[1]: Starting Sockets. Mar 8 11:33:12 jutta systemd[1]: Starting Create list of required static device nodes for the current kernel... Mar 8 11:33:12 jutta systemd[1]: Starting Apply Kernel Variables... Mar 8 11:33:12 jutta systemd[1]: Started dracut ask for additional cmdline parameters. Mar 8 11:33:12 jutta systemd[1]: Starting dracut cmdline hook... Mar 8 11:33:12 jutta systemd[1]: Started Journal Service. Mar 8 11:33:12 jutta systemd: Started Setup Virtual Console. Mar 8 11:33:12 jutta systemd: Started Create list of required static device nodes for the current kernel. Mar 8 11:33:12 jutta systemd: Started Apply Kernel Variables. Mar 8 11:33:12 jutta systemd: Started dracut cmdline hook. 
Mar 8 11:33:12 jutta systemd: Starting dracut pre-udev hook... Mar 8 11:33:13 jutta kernel: device-mapper: uevent: version 1.0.3 Mar 8 11:33:13 jutta kernel: device-mapper: ioctl: 4.33.0-ioctl (2015-8-18) initialised: dm-devel at redhat.com Mar 8 11:33:13 jutta systemd: Starting Create Static Device Nodes in /dev... Mar 8 11:33:13 jutta systemd-tmpfiles: Failed to parse ACL "d:group:adm:r-x,d:group:wheel:r-x": Invalid argument. Ignoring Mar 8 11:33:13 jutta systemd-tmpfiles: Failed to parse ACL "group:adm:r-x,group:wheel:r-x": Invalid argument. Ignoring Mar 8 11:33:13 jutta systemd-tmpfiles: Failed to parse ACL "d:group:adm:r-x,d:group:wheel:r-x": Invalid argument. Ignoring Mar 8 11:33:13 jutta systemd-tmpfiles: Failed to parse ACL "group:adm:r-x,group:wheel:r-x": Invalid argument. Ignoring Mar 8 11:33:13 jutta systemd: Started Create Static Device Nodes in /dev. Mar 8 11:33:13 jutta systemd: Started dracut pre-udev hook. Mar 8 11:33:13 jutta systemd: Starting udev Kernel Device Manager... Mar 8 11:33:13 jutta systemd-udevd: starting version 219 Mar 8 11:33:13 jutta systemd-udevd: Network interface NamePolicy= disabled on kernel command line, ignoring. Mar 8 11:33:13 jutta systemd: Started udev Kernel Device Manager. Mar 8 11:33:13 jutta systemd: Started dracut pre-trigger hook. Mar 8 11:33:13 jutta systemd: Starting udev Coldplug all Devices... Mar 8 11:33:13 jutta systemd: Mounting Configuration File System... Mar 8 11:33:13 jutta kernel: usb-storage 2-2:1.0: USB Mass Storage device detected Mar 8 11:33:13 jutta kernel: scsi host0: usb-storage 2-2:1.0 Mar 8 11:33:13 jutta systemd: Mounted Configuration File System. 
Mar 8 11:33:13 jutta kernel: usbcore: registered new interface driver usb-storage Mar 8 11:33:13 jutta kernel: dca service started, version 1.12.1 Mar 8 11:33:14 jutta kernel: mpt2sas version 20.100.00.00 loaded Mar 8 11:33:14 jutta kernel: [drm] Initialized drm 1.1.0 20060810 Mar 8 11:33:14 jutta kernel: mpt2sas0: 64 BIT PCI BUS DMA ADDRESSING SUPPORTED, total mem (263960236 kB) Mar 8 11:33:14 jutta systemd: Started udev Coldplug all Devices. Mar 8 11:33:14 jutta systemd: Starting dracut initqueue hook... Mar 8 11:33:14 jutta kernel: pps_core: LinuxPPS API ver. 1 registered Mar 8 11:33:14 jutta kernel: mpt2sas0: MSI-X vectors supported: 1, no of cores: 64, max_msix_vectors: 8 Mar 8 11:33:14 jutta kernel: mpt2sas0-msix0: PCI-MSI-X enabled: IRQ 38 Mar 8 11:33:14 jutta kernel: mpt2sas0: iomem(0x00000000cf5fc000), mapped(0xffffc90028148000), size(16384) Mar 8 11:33:14 jutta kernel: mpt2sas0: ioport(0x0000000000007000), size(256) Mar 8 11:33:14 jutta kernel: mpt2sas0: sending diag reset !! Mar 8 11:33:14 jutta kernel: pps_core: Software ver. 5.3.6 - Copyright 2005-2007 Rodolfo Giometti Mar 8 11:33:14 jutta systemd: Starting Show Plymouth Boot Screen... Mar 8 11:33:14 jutta kernel: PTP clock support registered Mar 8 11:33:14 jutta kernel: scsi 0:0:0:0: CD-ROM TEAC DV-W28SS-V 1.0B PQ: 0 ANSI: 0 Mar 8 11:33:15 jutta kernel: igb: Intel(R) Gigabit Ethernet Network Driver - version 5.2.15-k Mar 8 11:33:15 jutta kernel: igb: Copyright (c) 2007-2014 Intel Corporation. Mar 8 11:33:15 jutta systemd: Reached target System Initialization. Mar 8 11:33:15 jutta systemd: Starting System Initialization. Mar 8 11:33:15 jutta kernel: ahci 0000:00:1f.2: SSS flag set, parallel bus scan disabled Mar 8 11:33:15 jutta kernel: ahci 0000:00:1f.2: AHCI 0001.0200 32 slots 6 ports 3 Gbps 0x3f impl SATA mode Mar 8 11:33:15 jutta systemd: Received SIGRTMIN+20 from PID 857 (plymouthd). 
Mar 8 11:33:17 jutta kernel: igb 0000:61:00.0: added PHC on eth0 Mar 8 11:33:17 jutta kernel: igb 0000:61:00.0: Intel(R) Gigabit Ethernet Network Connection Mar 8 11:33:17 jutta kernel: igb 0000:61:00.0: eth0: (PCIe:2.5Gb/s:Width x4) 00:10:e0:0f:92:e6 Mar 8 11:33:17 jutta kernel: igb 0000:61:00.0: eth0: PBA No: Unknown Mar 8 11:33:17 jutta kernel: igb 0000:61:00.0: Using MSI-X interrupts. 8 rx queue(s), 8 tx queue(s) Mar 8 11:33:17 jutta kernel: mpt2sas0: diag reset: SUCCESS Mar 8 11:33:17 jutta kernel: mpt2sas0: Allocated physical memory: size(3813 kB) Mar 8 11:33:17 jutta kernel: mpt2sas0: Current Controller Queue Depth(1676), Max Controller Queue Depth(1871) Mar 8 11:33:17 jutta kernel: mpt2sas0: Scatter Gather Elements per IO(128) Mar 8 11:33:17 jutta kernel: igb 0000:61:00.1: added PHC on eth1 Mar 8 11:33:17 jutta kernel: igb 0000:61:00.1: Intel(R) Gigabit Ethernet Network Connection Mar 8 11:33:17 jutta kernel: igb 0000:61:00.1: eth1: (PCIe:2.5Gb/s:Width x4) 00:10:e0:0f:92:e7 Mar 8 11:33:17 jutta kernel: igb 0000:61:00.1: eth1: PBA No: Unknown Mar 8 11:33:17 jutta kernel: igb 0000:61:00.1: Using MSI-X interrupts. 8 rx queue(s), 8 tx queue(s) Mar 8 11:33:17 jutta kernel: igb 0000:81:00.0: added PHC on eth2 Mar 8 11:33:17 jutta kernel: igb 0000:81:00.0: Intel(R) Gigabit Ethernet Network Connection Mar 8 11:33:17 jutta kernel: igb 0000:81:00.0: eth2: (PCIe:2.5Gb/s:Width x4) 00:10:e0:0f:92:e8 Mar 8 11:33:17 jutta kernel: igb 0000:81:00.0: eth2: PBA No: Unknown Mar 8 11:33:17 jutta kernel: igb 0000:81:00.0: Using MSI-X interrupts. 8 rx queue(s), 8 tx queue(s) Mar 8 11:33:17 jutta kernel: igb 0000:81:00.1: added PHC on eth3 Mar 8 11:33:17 jutta kernel: igb 0000:81:00.1: Intel(R) Gigabit Ethernet Network Connection Mar 8 11:33:17 jutta kernel: igb 0000:81:00.1: eth3: (PCIe:2.5Gb/s:Width x4) 00:10:e0:0f:92:e9 Mar 8 11:33:17 jutta kernel: igb 0000:81:00.1: eth3: PBA No: Unknown Mar 8 11:33:17 jutta kernel: igb 0000:81:00.1: Using MSI-X interrupts. 
8 rx queue(s), 8 tx queue(s) Mar 8 11:33:17 jutta kernel: ahci 0000:00:1f.2: flags: 64bit ncq sntf stag pm led clo pio slum part ccc ems sxs Mar 8 11:33:17 jutta kernel: mpt2sas0: log_info(0x30030100): originator(IOP), code(0x03), sub_code(0x0100) Mar 8 11:33:17 jutta kernel: mpt2sas0: log_info(0x30030100): originator(IOP), code(0x03), sub_code(0x0100) Mar 8 11:33:17 jutta kernel: mpt2sas0: LSISAS2008: FWVersion(05.00.17.00), ChipRevision(0x03), BiosVersion(07.05.05.00) Mar 8 11:33:17 jutta kernel: mpt2sas0: Protocol=(Initiator,Target), Capabilities=(Raid,TLR,EEDP,Snapshot Buffer,Diag Trace Buffer,Task Set Full,NCQ) Mar 8 11:33:17 jutta kernel: scsi host1: Fusion MPT SAS Host Mar 8 11:33:17 jutta kernel: mpt2sas0: sending port enable !! Mar 8 11:33:18 jutta systemd: Started Show Plymouth Boot Screen. Mar 8 11:33:18 jutta kernel: scsi host2: ahci Mar 8 11:33:18 jutta kernel: scsi host3: ahci Mar 8 11:33:18 jutta kernel: scsi host4: ahci Mar 8 11:33:18 jutta kernel: scsi host5: ahci Mar 8 11:33:18 jutta kernel: scsi host6: ahci Mar 8 11:33:18 jutta kernel: scsi host7: ahci Mar 8 11:33:18 jutta kernel: ata1: SATA max UDMA/133 abar m2048 at 0xcf4f6000 port 0xcf4f6100 irq 48 Mar 8 11:33:18 jutta kernel: ata2: SATA max UDMA/133 abar m2048 at 0xcf4f6000 port 0xcf4f6180 irq 49 Mar 8 11:33:18 jutta kernel: ata3: SATA max UDMA/133 abar m2048 at 0xcf4f6000 port 0xcf4f6200 irq 50 Mar 8 11:33:18 jutta kernel: ata4: SATA max UDMA/133 abar m2048 at 0xcf4f6000 port 0xcf4f6280 irq 51 Mar 8 11:33:18 jutta kernel: ata5: SATA max UDMA/133 abar m2048 at 0xcf4f6000 port 0xcf4f6300 irq 52 Mar 8 11:33:18 jutta kernel: ata6: SATA max UDMA/133 abar m2048 at 0xcf4f6000 port 0xcf4f6380 irq 53 Mar 8 11:33:18 jutta kernel: ata1: SATA link down (SStatus 0 SControl 300) Mar 8 11:33:18 jutta kernel: [sched_delayed] sched: RT throttling activated Mar 8 11:33:18 jutta systemd: Started Forward Password Requests to Plymouth Directory Watch. 
Mar 8 11:33:18 jutta systemd: Starting Forward Password Requests to Plymouth Directory Watch. Mar 8 11:33:18 jutta systemd: Started Dispatch Password Requests to Console Directory Watch. Mar 8 11:33:18 jutta systemd: Reached target Paths. Mar 8 11:33:18 jutta systemd: Starting Paths. Mar 8 11:33:18 jutta systemd: Reached target Basic System. Mar 8 11:33:18 jutta systemd: Starting Basic System. Mar 8 11:33:18 jutta kernel: mpt2sas0: host_add: handle(0x0001), sas_addr(0x500605b003d783f0), phys(8) Mar 8 11:33:18 jutta kernel: sr 0:0:0:0: [sr0] scsi3-mmc drive: 24x/24x writer dvd-ram cd/rw xa/form2 cdda caddy Mar 8 11:33:18 jutta kernel: cdrom: Uniform CD-ROM driver Revision: 3.20 Mar 8 11:33:24 jutta kernel: mpt2sas0: port enable: SUCCESS Mar 8 11:33:25 jutta kernel: scsi 1:0:0:0: Direct-Access SEAGATE ST960005SSUN600G 0606 PQ: 0 ANSI: 6 Mar 8 11:33:25 jutta kernel: scsi 1:0:0:0: SSP: handle(0x0009), sas_addr(0x5000c500436ae53d), phy(3), device_name(0x00c500503ce56a43) Mar 8 11:33:25 jutta kernel: scsi 1:0:0:0: SSP: enclosure_logical_id(0x500605b003d783f0), slot(0) Mar 8 11:33:25 jutta kernel: scsi 1:0:0:0: qdepth(254), tagged(1), simple(0), ordered(0), scsi_level(7), cmd_que(1) Mar 8 11:33:25 jutta kernel: sd 1:0:0:0: [sda] 1172123568 512-byte logical blocks: (600 GB/558 GiB) Mar 8 11:33:25 jutta kernel: sd 1:0:0:0: [sda] Write Protect is off Mar 8 11:33:25 jutta kernel: sd 1:0:0:0: [sda] Write cache: disabled, read cache: enabled, supports DPO and FUA Mar 8 11:33:25 jutta kernel: sda: sda1 sda2 Mar 8 11:33:25 jutta kernel: ata2: SATA link down (SStatus 0 SControl 300) Mar 8 11:33:25 jutta kernel: sd 1:0:0:0: [sda] Attached SCSI disk Mar 8 11:33:26 jutta kernel: ata3: SATA link down (SStatus 0 SControl 300) Mar 8 11:33:26 jutta kernel: ata4: SATA link down (SStatus 0 SControl 300) Mar 8 11:33:26 jutta kernel: ata5: SATA link down (SStatus 0 SControl 300) Mar 8 11:33:27 jutta kernel: ata6: SATA link down (SStatus 0 SControl 300) Mar 8 11:33:27 jutta systemd: Found 
device /dev/mapper/rootvg-lv_root. Mar 8 11:33:27 jutta systemd: Starting File System Check on /dev/mapper/rootvg-lv_root... Mar 8 11:33:27 jutta systemd-fsck: /sbin/fsck.xfs: XFS file system. Mar 8 11:33:27 jutta systemd: Started File System Check on /dev/mapper/rootvg-lv_root. Mar 8 11:33:27 jutta systemd: Started dracut initqueue hook. Mar 8 11:33:27 jutta systemd: Reached target Remote File Systems (Pre). Mar 8 11:33:27 jutta systemd: Starting Remote File Systems (Pre). Mar 8 11:33:27 jutta systemd: Reached target Remote File Systems. Mar 8 11:33:27 jutta systemd: Starting Remote File Systems. Mar 8 11:33:27 jutta systemd: Started dracut pre-mount hook. Mar 8 11:33:27 jutta systemd: Mounting /sysroot... Mar 8 11:33:27 jutta kernel: SGI XFS with ACLs, security attributes, no debug enabled Mar 8 11:33:27 jutta kernel: XFS (dm-0): Mounting V4 Filesystem Mar 8 11:33:27 jutta kernel: XFS (dm-0): Ending clean mount Mar 8 11:33:27 jutta systemd: Mounted /sysroot. Mar 8 11:33:27 jutta systemd: Reached target Initrd Root File System. Mar 8 11:33:27 jutta systemd: Starting Initrd Root File System. Mar 8 11:33:27 jutta systemd: Starting Reload Configuration from the Real Root... Mar 8 11:33:27 jutta systemd: Reloading. Mar 8 11:33:28 jutta systemd: Started Reload Configuration from the Real Root. Mar 8 11:33:28 jutta systemd: Reached target Initrd File Systems. Mar 8 11:33:28 jutta systemd: Starting Initrd File Systems. Mar 8 11:33:28 jutta systemd: Started dracut mount hook. Mar 8 11:33:28 jutta systemd: Reached target Initrd Default Target. Mar 8 11:33:28 jutta systemd: Starting Initrd Default Target. Mar 8 11:33:28 jutta systemd: Starting dracut pre-pivot and cleanup hook... Mar 8 11:33:28 jutta systemd: Started dracut pre-pivot and cleanup hook. Mar 8 11:33:28 jutta systemd: Starting Cleaning Up and Shutting Down Daemons... Mar 8 11:33:28 jutta systemd: Starting Plymouth switch root service... Mar 8 11:33:28 jutta systemd: Stopped target Timers. 
Mar 8 11:33:28 jutta systemd: Stopping Timers. Mar 8 11:33:28 jutta systemd: Stopped Cleaning Up and Shutting Down Daemons. Mar 8 11:33:28 jutta systemd: Stopped dracut pre-pivot and cleanup hook. Mar 8 11:33:28 jutta systemd: Stopping dracut pre-pivot and cleanup hook... Mar 8 11:33:28 jutta systemd: Stopped target Initrd Default Target. Mar 8 11:33:28 jutta systemd: Stopping Initrd Default Target. Mar 8 11:33:28 jutta systemd: Stopped target Basic System. Mar 8 11:33:28 jutta systemd: Stopping Basic System. Mar 8 11:33:28 jutta systemd: Stopped target Slices. Mar 8 11:33:28 jutta systemd: Stopping Slices. Mar 8 11:33:28 jutta systemd: Stopped target Sockets. Mar 8 11:33:28 jutta systemd: Stopping Sockets. Mar 8 11:33:28 jutta systemd: Stopped target System Initialization. Mar 8 11:33:28 jutta systemd: Stopping System Initialization. Mar 8 11:33:28 jutta systemd: Stopped target Local File Systems. Mar 8 11:33:28 jutta systemd: Stopping Local File Systems. Mar 8 11:33:28 jutta systemd: Stopped target Swap. Mar 8 11:33:28 jutta systemd: Stopping Swap. Mar 8 11:33:28 jutta systemd: Stopping udev Kernel Device Manager... Mar 8 11:33:28 jutta systemd: Stopped Apply Kernel Variables. Mar 8 11:33:28 jutta systemd: Stopping Apply Kernel Variables... Mar 8 11:33:28 jutta systemd: Stopped target Paths. Mar 8 11:33:28 jutta systemd: Stopping Paths. Mar 8 11:33:28 jutta systemd: Stopped target Remote File Systems. Mar 8 11:33:28 jutta systemd: Stopping Remote File Systems. Mar 8 11:33:28 jutta systemd: Stopped target Remote File Systems (Pre). Mar 8 11:33:28 jutta systemd: Stopping Remote File Systems (Pre). Mar 8 11:33:28 jutta systemd: Stopped dracut initqueue hook. Mar 8 11:33:28 jutta systemd: Stopping dracut initqueue hook... Mar 8 11:33:28 jutta systemd: Stopped udev Coldplug all Devices. Mar 8 11:33:28 jutta systemd: Stopping udev Coldplug all Devices... Mar 8 11:33:28 jutta systemd: Stopped udev Kernel Device Manager. 
Mar 8 11:33:28 jutta systemd: Started Plymouth switch root service. Mar 8 11:33:28 jutta systemd: Stopped Create Static Device Nodes in /dev. Mar 8 11:33:28 jutta systemd: Stopping Create Static Device Nodes in /dev... Mar 8 11:33:28 jutta systemd: Stopped Create list of required static device nodes for the current kernel. Mar 8 11:33:28 jutta systemd: Stopping Create list of required static device nodes for the current kernel... Mar 8 11:33:28 jutta systemd: Stopped dracut pre-udev hook. Mar 8 11:33:28 jutta systemd: Stopping dracut pre-udev hook... Mar 8 11:33:28 jutta systemd: Stopped dracut cmdline hook. Mar 8 11:33:28 jutta systemd: Stopping dracut cmdline hook... Mar 8 11:33:28 jutta systemd: Closed udev Kernel Socket. Mar 8 11:33:28 jutta systemd: Stopping udev Kernel Socket. Mar 8 11:33:28 jutta systemd: Closed udev Control Socket. Mar 8 11:33:28 jutta systemd: Stopping udev Control Socket. Mar 8 11:33:28 jutta systemd: Starting Cleanup udevd DB... Mar 8 11:33:28 jutta systemd: Started Cleanup udevd DB. Mar 8 11:33:28 jutta systemd: Reached target Switch Root. Mar 8 11:33:28 jutta systemd: Starting Switch Root. Mar 8 11:33:28 jutta systemd: Starting Switch Root... Mar 8 11:33:28 jutta systemd: Switching root. Mar 8 11:33:28 jutta journal: Journal stopped Mar 8 11:33:29 jutta journal: Runtime journal is using 8.0M (max allowed 4.0G, trying to leave 4.0G free of 125.8G available ? current limit 4.0G). Mar 8 11:33:29 jutta journal: Runtime journal is using 8.0M (max allowed 4.0G, trying to leave 4.0G free of 125.8G available ? current limit 4.0G). Mar 8 11:33:29 jutta systemd-journald[635]: Received SIGTERM from PID 1 (n/a). Mar 8 11:33:29 jutta kernel: SELinux: Disabled at runtime. 
Mar 8 11:33:29 jutta kernel: type=1404 audit(1457458408.617:2): selinux=0 auid=4294967295 ses=4294967295 Mar 8 11:33:29 jutta kernel: ip_tables: (C) 2000-2006 Netfilter Core Team Mar 8 11:33:29 jutta systemd[1]: Inserted module 'ip_tables' Mar 8 11:33:29 jutta journal: Journal started Mar 8 11:33:29 jutta systemd: systemd 219 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ -LZ4 -SECCOMP +BLKID +ELFUTILS +KMOD +IDN) Mar 8 11:33:29 jutta systemd: Detected architecture x86-64. Mar 8 11:33:29 jutta systemd: Set hostname to . Mar 8 11:33:29 jutta systemd: Configuration file /usr/lib/systemd/system/auditd.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway. Mar 8 11:33:29 jutta systemd: Started Apply Kernel Variables. Mar 8 11:33:29 jutta systemd: Mounted Debug File System. Mar 8 11:33:29 jutta systemd: Mounted POSIX Message Queue File System. Mar 8 11:33:29 jutta systemd: Mounted Huge Pages File System. Mar 8 11:33:29 jutta systemd: Started Remount Root and Kernel File Systems. Mar 8 11:33:29 jutta systemd: Starting Configure read-only root support... Mar 8 11:33:29 jutta systemd: Starting Rebuild Hardware Database... Mar 8 11:33:29 jutta systemd: Started First Boot Wizard. Mar 8 11:33:29 jutta systemd: Starting Rebuild Dynamic Linker Cache... Mar 8 11:33:29 jutta systemd: Started Create Static Device Nodes in /dev. Mar 8 11:33:29 jutta systemd: Reached target Local File Systems (Pre). Mar 8 11:33:29 jutta systemd: Starting Local File Systems (Pre). Mar 8 11:33:29 jutta systemd: Starting udev Kernel Device Manager... Mar 8 11:33:30 jutta systemd: Started LVM2 metadata daemon. Mar 8 11:33:30 jutta systemd: Starting LVM2 metadata daemon... Mar 8 11:33:30 jutta systemd: Started Configure read-only root support. 
Mar 8 11:33:30 jutta systemd-udevd: starting version 219 Mar 8 11:33:30 jutta systemd-udevd: Network interface NamePolicy= disabled on kernel command line, ignoring. Mar 8 11:33:30 jutta systemd: Started udev Kernel Device Manager. Mar 8 11:33:30 jutta lvm: 2 logical volume(s) in volume group "rootvg" monitored Mar 8 11:33:30 jutta systemd: Started Monitoring of LVM2 mirrors, snapshots etc. using dmeventd or progress polling. Mar 8 11:33:32 jutta systemd: Started Rebuild Dynamic Linker Cache. Mar 8 11:33:32 jutta systemd: Started Rebuild Hardware Database. Mar 8 11:33:32 jutta systemd: Starting udev Coldplug all Devices... Mar 8 11:33:32 jutta systemd-udevd: Network interface NamePolicy= disabled on kernel command line, ignoring. Mar 8 11:33:32 jutta systemd: Started udev Coldplug all Devices. Mar 8 11:33:32 jutta kernel: EDAC MC: Ver: 3.0.0 Mar 8 11:33:32 jutta kernel: shpchp: Standard Hot Plug PCI Controller Driver version: 0.4 Mar 8 11:33:32 jutta kernel: ipmi message handler version 39.2 Mar 8 11:33:32 jutta systemd: Found device /dev/ttyS0. Mar 8 11:33:32 jutta kernel: i801_smbus 0000:00:1f.3: SMBus using PCI interrupt Mar 8 11:33:32 jutta kernel: sr 0:0:0:0: Attached scsi generic sg0 type 5 Mar 8 11:33:32 jutta kernel: sd 1:0:0:0: Attached scsi generic sg1 type 0 Mar 8 11:33:33 jutta kernel: ACPI Warning: SystemIO range 0x0000000000000828-0x000000000000082f conflicts with OpRegion 0x0000000000000800-0x000000000000084f (\PMRG) (20130517/utaddress-254) Mar 8 11:33:33 jutta kernel: ACPI: If an ACPI driver is available for this device, you should use it instead of the native driver Mar 8 11:33:33 jutta kernel: lpc_ich: Resource conflict(s) found affecting gpio_ich Mar 8 11:33:33 jutta systemd: Found device /dev/mapper/rootvg-lv_swap. Mar 8 11:33:33 jutta kernel: input: PC Speaker as /devices/platform/pcspkr/input/input5 Mar 8 11:33:33 jutta systemd: Created slice system-lvm2\x2dpvscan.slice. Mar 8 11:33:33 jutta systemd: Starting system-lvm2\x2dpvscan.slice. 
Mar 8 11:33:33 jutta systemd: Starting LVM2 PV scan on device 8:2... Mar 8 11:33:33 jutta systemd: Activating swap /dev/mapper/rootvg-lv_swap... Mar 8 11:33:33 jutta systemd: Found device ST960005SSUN600G 1. Mar 8 11:33:33 jutta systemd: Mounting /boot... Mar 8 11:33:33 jutta kernel: IPMI System Interface driver. Mar 8 11:33:33 jutta kernel: Adding 4194300k swap on /dev/mapper/rootvg-lv_swap. Priority:-1 extents:1 across:4194300k FS Mar 8 11:33:33 jutta kernel: ipmi_si: probing via ACPI Mar 8 11:33:33 jutta systemd: Activated swap /dev/mapper/rootvg-lv_swap. Mar 8 11:33:33 jutta kernel: XFS (sda1): Mounting V4 Filesystem Mar 8 11:33:33 jutta kernel: ipmi_si 00:08: [io 0x0ca2] regsize 1 spacing 4 irq 0 Mar 8 11:33:33 jutta kernel: ipmi_si: Adding ACPI-specified kcs state machine Mar 8 11:33:33 jutta kernel: ipmi_si: probing via SMBIOS Mar 8 11:33:33 jutta kernel: ipmi_si: SMBIOS: io 0xca2 regsize 1 spacing 4 irq 0 Mar 8 11:33:33 jutta kernel: ipmi_si: Adding SMBIOS-specified kcs state machine duplicate interface Mar 8 11:33:33 jutta kernel: ipmi_si: probing via SPMI Mar 8 11:33:33 jutta kernel: ipmi_si: SPMI: io 0xca2 regsize 4 spacing 4 irq 0 Mar 8 11:33:33 jutta kernel: ipmi_si: Adding SPMI-specified kcs state machine duplicate interface Mar 8 11:33:33 jutta kernel: ipmi_si: Trying ACPI-specified kcs state machine at i/o address 0xca2, slave address 0x0, irq 0 Mar 8 11:33:33 jutta lvm: 3 logical volume(s) in volume group "rootvg" now active Mar 8 11:33:34 jutta systemd: Reached target Swap. Mar 8 11:33:34 jutta systemd: Starting Swap. Mar 8 11:33:34 jutta systemd: Started LVM2 PV scan on device 8:2. Mar 8 11:33:34 jutta kernel: ipmi_si 00:08: Found new BMC (man_id: 0x00002a, prod_id: 0x4701, dev_id: 0x20) Mar 8 11:33:34 jutta kernel: ipmi_si 00:08: IPMI kcs interface initialized Mar 8 11:33:34 jutta kernel: iTCO_vendor_support: vendor-support=0 Mar 8 11:33:34 jutta systemd: Found device /dev/mapper/rootvg-lv_var. Mar 8 11:33:34 jutta systemd: Mounting /var... 
Mar 8 11:33:34 jutta kernel: iTCO_wdt: Intel TCO WatchDog Timer Driver v1.11 Mar 8 11:33:34 jutta kernel: XFS (dm-2): Mounting V4 Filesystem Mar 8 11:33:34 jutta kernel: iTCO_wdt: unable to reset NO_REBOOT flag, device disabled by hardware/BIOS Mar 8 11:33:34 jutta kernel: XFS (dm-2): Ending clean mount Mar 8 11:33:34 jutta systemd: Mounted /var. Mar 8 11:33:34 jutta systemd: Starting Load/Save Random Seed... Mar 8 11:33:34 jutta systemd: Starting Flush Journal to Persistent Storage... Mar 8 11:33:34 jutta kernel: IPMI SSIF Interface driver Mar 8 11:33:34 jutta systemd: Started Load/Save Random Seed. Mar 8 11:33:34 jutta journal: Runtime journal is using 8.0M (max allowed 4.0G, trying to leave 4.0G free of 125.8G available ? current limit 4.0G). Mar 8 11:33:35 jutta kernel: alg: No test for __gcm-aes-aesni (__driver-gcm-aes-aesni) Mar 8 11:33:35 jutta systemd: Started Flush Journal to Persistent Storage. Mar 8 11:33:35 jutta kernel: alg: No test for crc32 (crc32-pclmul) Mar 8 11:33:37 jutta kernel: XFS (sda1): Ending clean mount Mar 8 11:33:37 jutta systemd: Mounted /boot. Mar 8 11:33:37 jutta systemd: Reached target Local File Systems. Mar 8 11:33:37 jutta systemd: Starting Local File Systems. Mar 8 11:33:37 jutta systemd: Starting Import network configuration from initramfs... Mar 8 11:33:37 jutta systemd: Started Commit a transient machine-id on disk. Mar 8 11:33:37 jutta systemd: Starting Rebuild Journal Catalog... Mar 8 11:33:37 jutta systemd: Started Reconfigure the system on administrator request. Mar 8 11:33:37 jutta systemd: Starting Tell Plymouth To Write Out Runtime Data... Mar 8 11:33:37 jutta systemd: Started Relabel all filesystems, if necessary. Mar 8 11:33:37 jutta systemd: Starting Mark the need to relabel after reboot... Mar 8 11:33:37 jutta systemd: Started Mark the need to relabel after reboot. Mar 8 11:33:37 jutta systemd: Started Tell Plymouth To Write Out Runtime Data. Mar 8 11:33:37 jutta systemd: Started Rebuild Journal Catalog. 
Mar 8 11:40:27 jutta dbus-daemon: dbus[1420]: [system] Rejected send message, 0 matched rules; type="error", sender=":1.6" (uid=0 pid=11227 comm="/usr/bin/python -Es /usr/sbin/firewalld --nofork -") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" destination=":1.17" (uid=0
pid=11601 comm="/usr/bin/python -Es /bin/firewall-cmd --permanent ") Mar 8 11:40:27 jutta dbus[1420]: [system] Rejected send message, 0 matched rules; type="error", sender=":1.6" (uid=0 pid=11227 comm="/usr/bin/python -Es /usr/sbin/firewalld --nofork -") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" destination=":1.17" (uid=0 pid=11601 comm="/usr/bin/python -Es /bin/firewall-cmd --permanent ") Mar 8 11:40:27 jutta dbus-daemon: dbus[1420]: [system] Rejected send message, 0 matched rules; type="error", sender=":1.6" (uid=0 pid=11227 comm="/usr/bin/python -Es /usr/sbin/firewalld --nofork -") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" destination=":1.17" (uid=0 pid=11601 comm="/usr/bin/python -Es /bin/firewall-cmd --permanent ") Mar 8 11:40:28 jutta dbus[1420]: [system] Rejected send message, 0 matched rules; type="error", sender=":1.6" (uid=0 pid=11227 comm="/usr/bin/python -Es /usr/sbin/firewalld --nofork -") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" destination=":1.18" (uid=0 pid=11602 comm="/usr/bin/python -Es /bin/firewall-cmd --permanent ") Mar 8 11:40:28 jutta dbus-daemon: dbus[1420]: [system] Rejected send message, 0 matched rules; type="error", sender=":1.6" (uid=0 pid=11227 comm="/usr/bin/python -Es /usr/sbin/firewalld --nofork -") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" destination=":1.18" (uid=0 pid=11602 comm="/usr/bin/python -Es /bin/firewall-cmd --permanent ") Mar 8 11:40:28 jutta dbus[1420]: [system] Rejected send message, 0 matched rules; type="error", sender=":1.6" (uid=0 pid=11227 comm="/usr/bin/python -Es /usr/sbin/firewalld --nofork -") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" destination=":1.18" (uid=0 
pid=11602 comm="/usr/bin/python -Es /bin/firewall-cmd --permanent ") Mar 8 11:40:28 jutta dbus-daemon: dbus[1420]: [system] Rejected send message, 0 matched rules; type="error", sender=":1.6" (uid=0 pid=11227 comm="/usr/bin/python -Es /usr/sbin/firewalld --nofork -") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" destination=":1.18" (uid=0 pid=11602 comm="/usr/bin/python -Es /bin/firewall-cmd --permanent ") Mar 8 11:40:28 jutta dbus[1420]: [system] Rejected send message, 0 matched rules; type="error", sender=":1.6" (uid=0 pid=11227 comm="/usr/bin/python -Es /usr/sbin/firewalld --nofork -") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" destination=":1.18" (uid=0 pid=11602 comm="/usr/bin/python -Es /bin/firewall-cmd --permanent ") Mar 8 11:40:28 jutta dbus-daemon: dbus[1420]: [system] Rejected send message, 0 matched rules; type="error", sender=":1.6" (uid=0 pid=11227 comm="/usr/bin/python -Es /usr/sbin/firewalld --nofork -") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" destination=":1.18" (uid=0 pid=11602 comm="/usr/bin/python -Es /bin/firewall-cmd --permanent ") Mar 8 11:40:28 jutta dbus[1420]: [system] Rejected send message, 0 matched rules; type="error", sender=":1.6" (uid=0 pid=11227 comm="/usr/bin/python -Es /usr/sbin/firewalld --nofork -") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" destination=":1.19" (uid=0 pid=11603 comm="/usr/bin/python -Es /bin/firewall-cmd --permanent ") Mar 8 11:40:28 jutta dbus-daemon: dbus[1420]: [system] Rejected send message, 0 matched rules; type="error", sender=":1.6" (uid=0 pid=11227 comm="/usr/bin/python -Es /usr/sbin/firewalld --nofork -") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" 
destination=":1.19" (uid=0 pid=11603 comm="/usr/bin/python -Es /bin/firewall-cmd --permanent ") Mar 8 11:40:28 jutta dbus[1420]: [system] Rejected send message, 0 matched rules; type="error", sender=":1.6" (uid=0 pid=11227 comm="/usr/bin/python -Es /usr/sbin/firewalld --nofork -") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" destination=":1.19" (uid=0 pid=11603 comm="/usr/bin/python -Es /bin/firewall-cmd --permanent ") Mar 8 11:40:28 jutta dbus-daemon: dbus[1420]: [system] Rejected send message, 0 matched rules; type="error", sender=":1.6" (uid=0 pid=11227 comm="/usr/bin/python -Es /usr/sbin/firewalld --nofork -") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" destination=":1.19" (uid=0 pid=11603 comm="/usr/bin/python -Es /bin/firewall-cmd --permanent ") Mar 8 11:40:28 jutta dbus[1420]: [system] Rejected send message, 0 matched rules; type="error", sender=":1.6" (uid=0 pid=11227 comm="/usr/bin/python -Es /usr/sbin/firewalld --nofork -") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" destination=":1.19" (uid=0 pid=11603 comm="/usr/bin/python -Es /bin/firewall-cmd --permanent ") Mar 8 11:40:28 jutta dbus-daemon: dbus[1420]: [system] Rejected send message, 0 matched rules; type="error", sender=":1.6" (uid=0 pid=11227 comm="/usr/bin/python -Es /usr/sbin/firewalld --nofork -") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" destination=":1.19" (uid=0 pid=11603 comm="/usr/bin/python -Es /bin/firewall-cmd --permanent ") Mar 8 11:40:29 jutta dbus[1420]: [system] Rejected send message, 0 matched rules; type="error", sender=":1.6" (uid=0 pid=11227 comm="/usr/bin/python -Es /usr/sbin/firewalld --nofork -") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" 
destination=":1.20" (uid=0 pid=11604 comm="/usr/bin/python -Es /bin/firewall-cmd --permanent ") Mar 8 11:40:29 jutta dbus-daemon: dbus[1420]: [system] Rejected send message, 0 matched rules; type="error", sender=":1.6" (uid=0 pid=11227 comm="/usr/bin/python -Es /usr/sbin/firewalld --nofork -") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" destination=":1.20" (uid=0 pid=11604 comm="/usr/bin/python -Es /bin/firewall-cmd --permanent ") Mar 8 11:40:29 jutta dbus[1420]: [system] Rejected send message, 0 matched rules; type="error", sender=":1.6" (uid=0 pid=11227 comm="/usr/bin/python -Es /usr/sbin/firewalld --nofork -") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" destination=":1.20" (uid=0 pid=11604 comm="/usr/bin/python -Es /bin/firewall-cmd --permanent ") Mar 8 11:40:29 jutta dbus-daemon: dbus[1420]: [system] Rejected send message, 0 matched rules; type="error", sender=":1.6" (uid=0 pid=11227 comm="/usr/bin/python -Es /usr/sbin/firewalld --nofork -") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" destination=":1.20" (uid=0 pid=11604 comm="/usr/bin/python -Es /bin/firewall-cmd --permanent ") Mar 8 11:40:29 jutta dbus[1420]: [system] Rejected send message, 0 matched rules; type="error", sender=":1.6" (uid=0 pid=11227 comm="/usr/bin/python -Es /usr/sbin/firewalld --nofork -") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" destination=":1.20" (uid=0 pid=11604 comm="/usr/bin/python -Es /bin/firewall-cmd --permanent ") Mar 8 11:40:29 jutta dbus-daemon: dbus[1420]: [system] Rejected send message, 0 matched rules; type="error", sender=":1.6" (uid=0 pid=11227 comm="/usr/bin/python -Es /usr/sbin/firewalld --nofork -") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.ServiceUnknown" 
requested_reply="0" destination=":1.20" (uid=0 pid=11604 comm="/usr/bin/python -Es /bin/firewall-cmd --permanent ") Mar 8 11:40:29 jutta dbus[1420]: [system] Rejected send message, 0 matched rules; type="error", sender=":1.6" (uid=0 pid=11227 comm="/usr/bin/python -Es /usr/sbin/firewalld --nofork -") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" destination=":1.21" (uid=0 pid=11605 comm="/usr/bin/python -Es /bin/firewall-cmd --permanent ") Mar 8 11:40:29 jutta dbus-daemon: dbus[1420]: [system] Rejected send message, 0 matched rules; type="error", sender=":1.6" (uid=0 pid=11227 comm="/usr/bin/python -Es /usr/sbin/firewalld --nofork -") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" destination=":1.21" (uid=0 pid=11605 comm="/usr/bin/python -Es /bin/firewall-cmd --permanent ") Mar 8 11:40:29 jutta dbus[1420]: [system] Rejected send message, 0 matched rules; type="error", sender=":1.6" (uid=0 pid=11227 comm="/usr/bin/python -Es /usr/sbin/firewalld --nofork -") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" destination=":1.21" (uid=0 pid=11605 comm="/usr/bin/python -Es /bin/firewall-cmd --permanent ") Mar 8 11:40:29 jutta dbus-daemon: dbus[1420]: [system] Rejected send message, 0 matched rules; type="error", sender=":1.6" (uid=0 pid=11227 comm="/usr/bin/python -Es /usr/sbin/firewalld --nofork -") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" destination=":1.21" (uid=0 pid=11605 comm="/usr/bin/python -Es /bin/firewall-cmd --permanent ") Mar 8 11:40:29 jutta dbus[1420]: [system] Rejected send message, 0 matched rules; type="error", sender=":1.6" (uid=0 pid=11227 comm="/usr/bin/python -Es /usr/sbin/firewalld --nofork -") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.ServiceUnknown" 
requested_reply="0" destination=":1.21" (uid=0 pid=11605 comm="/usr/bin/python -Es /bin/firewall-cmd --permanent ") Mar 8 11:40:29 jutta dbus-daemon: dbus[1420]: [system] Rejected send message, 0 matched rules; type="error", sender=":1.6" (uid=0 pid=11227 comm="/usr/bin/python -Es /usr/sbin/firewalld --nofork -") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" destination=":1.21" (uid=0 pid=11605 comm="/usr/bin/python -Es /bin/firewall-cmd --permanent ") Mar 8 11:40:30 jutta dbus[1420]: [system] Rejected send message, 0 matched rules; type="error", sender=":1.6" (uid=0 pid=11227 comm="/usr/bin/python -Es /usr/sbin/firewalld --nofork -") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" destination=":1.22" (uid=0 pid=11606 comm="/usr/bin/python -Es /bin/firewall-cmd --permanent ") Mar 8 11:40:30 jutta dbus-daemon: dbus[1420]: [system] Rejected send message, 0 matched rules; type="error", sender=":1.6" (uid=0 pid=11227 comm="/usr/bin/python -Es /usr/sbin/firewalld --nofork -") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" destination=":1.22" (uid=0 pid=11606 comm="/usr/bin/python -Es /bin/firewall-cmd --permanent ") Mar 8 11:40:30 jutta dbus[1420]: [system] Rejected send message, 0 matched rules; type="error", sender=":1.6" (uid=0 pid=11227 comm="/usr/bin/python -Es /usr/sbin/firewalld --nofork -") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" destination=":1.22" (uid=0 pid=11606 comm="/usr/bin/python -Es /bin/firewall-cmd --permanent ") Mar 8 11:40:30 jutta dbus-daemon: dbus[1420]: [system] Rejected send message, 0 matched rules; type="error", sender=":1.6" (uid=0 pid=11227 comm="/usr/bin/python -Es /usr/sbin/firewalld --nofork -") interface="(unset)" member="(unset)" error 
name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" destination=":1.22" (uid=0 pid=11606 comm="/usr/bin/python -Es /bin/firewall-cmd --permanent ") Mar 8 11:40:30 jutta dbus[1420]: [system] Rejected send message, 0 matched rules; type="error", sender=":1.6" (uid=0 pid=11227 comm="/usr/bin/python -Es /usr/sbin/firewalld --nofork -") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" destination=":1.22" (uid=0 pid=11606 comm="/usr/bin/python -Es /bin/firewall-cmd --permanent ") Mar 8 11:40:30 jutta dbus-daemon: dbus[1420]: [system] Rejected send message, 0 matched rules; type="error", sender=":1.6" (uid=0 pid=11227 comm="/usr/bin/python -Es /usr/sbin/firewalld --nofork -") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" destination=":1.22" (uid=0 pid=11606 comm="/usr/bin/python -Es /bin/firewall-cmd --permanent ") Mar 8 11:40:30 jutta dbus[1420]: [system] Rejected send message, 0 matched rules; type="error", sender=":1.6" (uid=0 pid=11227 comm="/usr/bin/python -Es /usr/sbin/firewalld --nofork -") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" destination=":1.23" (uid=0 pid=11607 comm="/usr/bin/python -Es /bin/firewall-cmd --permanent ") Mar 8 11:40:30 jutta dbus-daemon: dbus[1420]: [system] Rejected send message, 0 matched rules; type="error", sender=":1.6" (uid=0 pid=11227 comm="/usr/bin/python -Es /usr/sbin/firewalld --nofork -") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" destination=":1.23" (uid=0 pid=11607 comm="/usr/bin/python -Es /bin/firewall-cmd --permanent ") Mar 8 11:40:30 jutta dbus[1420]: [system] Rejected send message, 0 matched rules; type="error", sender=":1.6" (uid=0 pid=11227 comm="/usr/bin/python -Es /usr/sbin/firewalld --nofork -") interface="(unset)" member="(unset)" error 
name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" destination=":1.23" (uid=0 pid=11607 comm="/usr/bin/python -Es /bin/firewall-cmd --permanent ") Mar 8 11:40:30 jutta dbus-daemon: dbus[1420]: [system] Rejected send message, 0 matched rules; type="error", sender=":1.6" (uid=0 pid=11227 comm="/usr/bin/python -Es /usr/sbin/firewalld --nofork -") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" destination=":1.23" (uid=0 pid=11607 comm="/usr/bin/python -Es /bin/firewall-cmd --permanent ") Mar 8 11:40:30 jutta dbus[1420]: [system] Rejected send message, 0 matched rules; type="error", sender=":1.6" (uid=0 pid=11227 comm="/usr/bin/python -Es /usr/sbin/firewalld --nofork -") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" destination=":1.23" (uid=0 pid=11607 comm="/usr/bin/python -Es /bin/firewall-cmd --permanent ") Mar 8 11:40:30 jutta dbus-daemon: dbus[1420]: [system] Rejected send message, 0 matched rules; type="error", sender=":1.6" (uid=0 pid=11227 comm="/usr/bin/python -Es /usr/sbin/firewalld --nofork -") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" destination=":1.23" (uid=0 pid=11607 comm="/usr/bin/python -Es /bin/firewall-cmd --permanent ") Mar 8 11:40:32 jutta dbus[1420]: [system] Rejected send message, 0 matched rules; type="error", sender=":1.6" (uid=0 pid=11227 comm="/usr/bin/python -Es /usr/sbin/firewalld --nofork -") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" destination=":1.24" (uid=0 pid=11608 comm="/usr/bin/python -Es /bin/firewall-cmd --reload ") Mar 8 11:40:32 jutta dbus-daemon: dbus[1420]: [system] Rejected send message, 0 matched rules; type="error", sender=":1.6" (uid=0 pid=11227 comm="/usr/bin/python -Es /usr/sbin/firewalld --nofork -") interface="(unset)" member="(unset)" 
error name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" destination=":1.24" (uid=0 pid=11608 comm="/usr/bin/python -Es /bin/firewall-cmd --reload ") Mar 8 11:41:23 jutta systemd: Started OpenSSH Server Key Generation. Mar 8 11:41:23 jutta systemd: Started OpenSSH server daemon. Mar 8 11:41:23 jutta systemd: Starting OpenSSH server daemon... Mar 8 11:44:59 jutta systemd: Reloading. Mar 8 11:44:59 jutta systemd: Configuration file /usr/lib/systemd/system/auditd.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway. Mar 8 11:44:59 jutta systemd: Configuration file /usr/lib/systemd/system/ebtables.service is marked executable. Please remove executable permission bits. Proceeding anyway. Mar 8 11:47:38 jutta systemd: Starting Cleanup of Temporary Directories... Mar 8 11:47:38 jutta systemd: Started Cleanup of Temporary Directories. Mar 8 12:01:01 jutta systemd: Started Session 2 of user root. Mar 8 12:01:01 jutta systemd: Starting Session 2 of user root. Mar 8 12:38:08 jutta rhsmd: In order for Subscription Manager to provide your system with updates, your system must be registered with the Customer Portal. Please enter your Red Hat login to ensure your system is up-to-date. Mar 8 13:01:01 jutta systemd: Started Session 3 of user root. Mar 8 13:01:01 jutta systemd: Starting Session 3 of user root. Mar 8 13:18:38 jutta systemd: Created slice user-49273.slice. Mar 8 13:18:38 jutta systemd: Starting user-49273.slice. Mar 8 13:18:38 jutta systemd-logind: New session 4 of user fonsecah. Mar 8 13:18:38 jutta systemd: Started Session 4 of user fonsecah. Mar 8 13:18:38 jutta systemd: Starting Session 4 of user fonsecah. Mar 8 13:18:44 jutta systemd-logind: Removed session 1. Mar 8 13:18:44 jutta systemd: Removed slice user-0.slice. Mar 8 13:18:44 jutta systemd: Stopping user-0.slice. 
Mar 8 13:18:44 jutta systemd: serial-getty at ttyS0.service holdoff time over, scheduling restart. Mar 8 13:18:44 jutta systemd: Started Serial Getty on ttyS0. Mar 8 13:18:44 jutta systemd: Starting Serial Getty on ttyS0... Mar 8 13:21:16 jutta su: (to root) fonsecah on pts/0 Mar 8 13:24:38 jutta systemd-logind: New session 5 of user fonsecah. Mar 8 13:24:38 jutta systemd: Started Session 5 of user fonsecah. Mar 8 13:24:38 jutta systemd: Starting Session 5 of user fonsecah. Mar 8 13:24:50 jutta su: FAILED SU (to root) fonsecah on pts/1 Mar 8 13:24:55 jutta su: (to root) fonsecah on pts/1 Mar 8 14:01:01 jutta systemd: Created slice user-0.slice. Mar 8 14:01:01 jutta systemd: Starting user-0.slice. Mar 8 14:01:01 jutta systemd: Started Session 6 of user root. Mar 8 14:01:01 jutta systemd: Starting Session 6 of user root. Mar 8 14:01:01 jutta systemd: Removed slice user-0.slice. Mar 8 14:01:01 jutta systemd: Stopping user-0.slice. Mar 8 14:02:51 jutta systemd: Created slice user-0.slice. Mar 8 14:02:51 jutta systemd: Starting user-0.slice. Mar 8 14:02:51 jutta systemd-logind: New session 7 of user root. Mar 8 14:02:51 jutta systemd: Started Session 7 of user root. Mar 8 14:02:51 jutta systemd: Starting Session 7 of user root. Mar 8 14:03:18 jutta dbus[1420]: [system] Activating service name='com.redhat.SubscriptionManager' (using servicehelper) Mar 8 14:03:18 jutta dbus-daemon: dbus[1420]: [system] Activating service name='com.redhat.SubscriptionManager' (using servicehelper) Mar 8 14:03:18 jutta dbus[1420]: [system] Successfully activated service 'com.redhat.SubscriptionManager' Mar 8 14:03:18 jutta dbus-daemon: dbus[1420]: [system] Successfully activated service 'com.redhat.SubscriptionManager' Mar 8 14:03:18 jutta systemd: Reloading. Mar 8 14:03:18 jutta systemd: Configuration file /usr/lib/systemd/system/auditd.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway. 
Mar 8 14:03:18 jutta systemd: Configuration file /usr/lib/systemd/system/ebtables.service is marked executable. Please remove executable permission bits. Proceeding anyway. Mar 8 14:05:33 jutta systemd-logind: Removed session 7. Mar 8 14:05:33 jutta systemd: Removed slice user-0.slice. Mar 8 14:05:33 jutta systemd: Stopping user-0.slice. Mar 8 14:05:33 jutta systemd: serial-getty at ttyS0.service holdoff time over, scheduling restart. Mar 8 14:05:33 jutta systemd: Started Serial Getty on ttyS0. Mar 8 14:05:33 jutta systemd: Starting Serial Getty on ttyS0... Mar 8 14:12:03 jutta systemd-logind: New session 8 of user fonsecah. Mar 8 14:12:03 jutta systemd: Started Session 8 of user fonsecah. Mar 8 14:12:03 jutta systemd: Starting Session 8 of user fonsecah. Mar 8 14:12:32 jutta su: (to root) fonsecah on pts/2 Mar 8 14:12:42 jutta yum[19087]: Installed: autogen-libopts-5.18-5.el7.x86_64 Mar 8 14:12:43 jutta systemd: Reloading. Mar 8 14:12:43 jutta systemd: Configuration file /usr/lib/systemd/system/auditd.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway. Mar 8 14:12:43 jutta systemd: Configuration file /usr/lib/systemd/system/ebtables.service is marked executable. Please remove executable permission bits. Proceeding anyway. Mar 8 14:12:43 jutta yum[19087]: Installed: ntpdate-4.2.6p5-22.el7_2.1.x86_64 Mar 8 14:12:43 jutta systemd: Reloading. Mar 8 14:12:43 jutta systemd: Configuration file /usr/lib/systemd/system/auditd.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway. Mar 8 14:12:43 jutta systemd: Configuration file /usr/lib/systemd/system/ebtables.service is marked executable. Please remove executable permission bits. Proceeding anyway. Mar 8 14:12:43 jutta yum[19087]: Installed: ntp-4.2.6p5-22.el7_2.1.x86_64 Mar 8 14:14:09 jutta systemd: Reloading. 
Mar 8 14:14:10 jutta systemd: Configuration file /usr/lib/systemd/system/auditd.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway. Mar 8 14:14:10 jutta systemd: Configuration file /usr/lib/systemd/system/ebtables.service is marked executable. Please remove executable permission bits. Proceeding anyway. Mar 8 14:14:28 jutta systemd: Starting Network Time Service... Mar 8 14:14:28 jutta ntpd[19154]: ntpd 4.2.6p5 at 1.2349-o Wed Jan 20 15:22:38 UTC 2016 (1) Mar 8 14:14:28 jutta ntpd[19155]: proto: precision = 0.064 usec Mar 8 14:14:28 jutta ntpd[19155]: 0.0.0.0 c01d 0d kern kernel time sync enabled Mar 8 14:14:28 jutta ntpd[19155]: Listen and drop on 0 v4wildcard 0.0.0.0 UDP 123 Mar 8 14:14:28 jutta ntpd[19155]: Listen and drop on 1 v6wildcard :: UDP 123 Mar 8 14:14:28 jutta ntpd[19155]: Listen normally on 2 lo 127.0.0.1 UDP 123 Mar 8 14:14:28 jutta ntpd[19155]: Listen normally on 3 eth0 130.179.19.176 UDP 123 Mar 8 14:14:28 jutta ntpd[19155]: Listen normally on 4 lo ::1 UDP 123 Mar 8 14:14:28 jutta ntpd[19155]: Listen normally on 5 eth0 fe80::210:e0ff:fe0f:92e6 UDP 123 Mar 8 14:14:28 jutta ntpd[19155]: Listening on routing socket on fd #22 for interface updates Mar 8 14:14:28 jutta ntpd[19155]: 0.0.0.0 c016 06 restart Mar 8 14:14:28 jutta ntpd[19155]: 0.0.0.0 c012 02 freq_set kernel 0.000 PPM Mar 8 14:14:28 jutta ntpd[19155]: 0.0.0.0 c011 01 freq_not_set Mar 8 14:14:28 jutta systemd: Started Network Time Service. 
Mar 8 14:14:30 jutta ntpd[19155]: 0.0.0.0 c61c 0c clock_step +0.322172 s Mar 8 14:14:30 jutta ntpd[19155]: 0.0.0.0 c614 04 freq_mode Mar 8 14:14:30 jutta systemd: Time has been changed Mar 8 14:14:31 jutta ntpd[19155]: 0.0.0.0 c618 08 no_sys_peer Mar 8 14:15:56 jutta yum[19160]: Installed: lm_sensors-libs-3.3.4-11.el7.x86_64 Mar 8 14:15:56 jutta yum[19160]: Installed: 14:libpcap-1.5.3-8.el7.x86_64 Mar 8 14:15:57 jutta yum[19160]: Installed: 14:tcpdump-4.5.1-3.el7.x86_64 Mar 8 14:15:57 jutta systemd: Reloading. Mar 8 14:15:57 jutta systemd: Configuration file /usr/lib/systemd/system/auditd.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway. Mar 8 14:15:57 jutta systemd: Configuration file /usr/lib/systemd/system/ebtables.service is marked executable. Please remove executable permission bits. Proceeding anyway. Mar 8 14:15:57 jutta yum[19160]: Installed: sysstat-10.1.5-7.el7.x86_64 Mar 8 14:15:58 jutta yum[19160]: Installed: screen-4.1.0-0.23.20120314git3c2946.el7_2.x86_64 Mar 8 14:15:58 jutta systemd: Reloading. Mar 8 14:15:58 jutta systemd: Configuration file /usr/lib/systemd/system/auditd.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway. Mar 8 14:15:58 jutta systemd: Configuration file /usr/lib/systemd/system/ebtables.service is marked executable. Please remove executable permission bits. Proceeding anyway. 
Mar 8 14:15:58 jutta yum[19160]: Installed: rsync-3.0.9-17.el7.x86_64 Mar 8 14:15:58 jutta yum[19160]: Installed: wget-1.14-10.el7_0.1.x86_64 Mar 8 14:15:58 jutta yum[19160]: Installed: m4-1.4.16-10.el7.x86_64 Mar 8 14:15:59 jutta yum[19160]: Installed: ed-1.9-4.el7.x86_64 Mar 8 14:15:59 jutta yum[19160]: Installed: strace-4.8-11.el7.x86_64 Mar 8 14:15:59 jutta yum[19160]: Installed: time-1.7-45.el7.x86_64 Mar 8 14:16:00 jutta yum[19160]: Installed: gdb-7.6.1-80.el7.x86_64 Mar 8 14:16:12 jutta systemd: Reloading. Mar 8 14:16:13 jutta systemd: Configuration file /usr/lib/systemd/system/auditd.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway. Mar 8 14:16:13 jutta systemd: Configuration file /usr/lib/systemd/system/ebtables.service is marked executable. Please remove executable permission bits. Proceeding anyway. Mar 8 14:16:13 jutta yum[19227]: Installed: haveged-1.9.1-1.el7.x86_64 Mar 8 14:16:19 jutta systemd: Reloading. Mar 8 14:16:19 jutta systemd: Configuration file /usr/lib/systemd/system/auditd.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway. Mar 8 14:16:19 jutta systemd: Configuration file /usr/lib/systemd/system/ebtables.service is marked executable. Please remove executable permission bits. Proceeding anyway. Mar 8 14:16:26 jutta systemd: Started Entropy Daemon based on the HAVEGE algorithm. Mar 8 14:16:26 jutta systemd: Starting Entropy Daemon based on the HAVEGE algorithm... 
kernel: SRAT: PXM 2 -> APIC 0x85 -> Node 2 Mar 8 14:22:57 jutta kernel: SRAT: PXM 2 -> APIC 0x91 -> Node 2 Mar 8 14:22:57 jutta kernel: SRAT: PXM 2 -> APIC 0x93 -> Node 2 Mar 8 14:22:57 jutta kernel: SRAT: PXM 2 -> APIC 0xa1 -> Node 2 Mar 8 14:22:57 jutta kernel: SRAT: PXM 2 -> APIC 0xa3 -> Node 2 Mar 8 14:22:57 jutta kernel: SRAT: PXM 2 -> APIC 0xa5 -> Node 2 Mar 8 14:22:57 jutta kernel: SRAT: PXM 2 -> APIC 0xb3 -> Node 2 Mar 8 14:22:57 jutta kernel: SRAT: PXM 3 -> APIC 0xc0 -> Node 3 Mar 8 14:22:57 jutta kernel: SRAT: PXM 3 -> APIC 0xc2 -> Node 3 Mar 8 14:22:57 jutta kernel: SRAT: PXM 3 -> APIC 0xd0 -> Node 3 Mar 8 14:22:57 jutta kernel: SRAT: PXM 3 -> APIC 0xd2 -> Node 3 Mar 8 14:22:57 jutta kernel: SRAT: PXM 3 -> APIC 0xe0 -> Node 3 Mar 8 14:22:57 jutta kernel: SRAT: PXM 3 -> APIC 0xe2 -> Node 3 Mar 8 14:22:57 jutta kernel: SRAT: PXM 3 -> APIC 0xf0 -> Node 3 Mar 8 14:22:57 jutta kernel: SRAT: PXM 3 -> APIC 0xf2 -> Node 3 Mar 8 14:22:57 jutta kernel: SRAT: PXM 3 -> APIC 0xc1 -> Node 3 Mar 8 14:22:57 jutta kernel: SRAT: PXM 3 -> APIC 0xc3 -> Node 3 Mar 8 14:22:57 jutta kernel: SRAT: PXM 3 -> APIC 0xd1 -> Node 3 Mar 8 14:22:57 jutta kernel: SRAT: PXM 3 -> APIC 0xd3 -> Node 3 Mar 8 14:22:57 jutta kernel: SRAT: PXM 3 -> APIC 0xe1 -> Node 3 Mar 8 14:22:57 jutta kernel: SRAT: PXM 3 -> APIC 0xe3 -> Node 3 Mar 8 14:22:57 jutta kernel: SRAT: PXM 3 -> APIC 0xf1 -> Node 3 Mar 8 14:22:57 jutta kernel: SRAT: PXM 3 -> APIC 0xf3 -> Node 3 Mar 8 14:22:57 jutta kernel: SRAT: Node 0 PXM 0 [mem 0x00000000-0x0009ffff] Mar 8 14:22:57 jutta kernel: SRAT: Node 0 PXM 0 [mem 0x00100000-0x7fffffff] Mar 8 14:22:57 jutta kernel: SRAT: Node 0 PXM 0 [mem 0x100000000-0x107fffffff] Mar 8 14:22:57 jutta kernel: SRAT: Node 1 PXM 1 [mem 0x1080000000-0x207fffffff] Mar 8 14:22:57 jutta kernel: SRAT: Node 2 PXM 2 [mem 0x2080000000-0x307fffffff] Mar 8 14:22:57 jutta kernel: SRAT: Node 3 PXM 3 [mem 0x3080000000-0x407fffffff] Mar 8 14:22:57 jutta kernel: NUMA: Node 0 [mem 0x00000000-0x0009ffff] + [mem 
0x00100000-0x7fffffff] -> [mem 0x00000000-0x7fffffff] Mar 8 14:22:57 jutta kernel: NUMA: Node 0 [mem 0x00000000-0x7fffffff] + [mem 0x100000000-0x107fffffff] -> [mem 0x00000000-0x107fffffff] Mar 8 14:22:57 jutta kernel: Initmem setup node 0 [mem 0x00000000-0x107fffffff] Mar 8 14:22:57 jutta kernel: NODE_DATA [mem 0x107ffd9000-0x107fffffff] Mar 8 14:22:57 jutta kernel: Initmem setup node 1 [mem 0x1080000000-0x207fffffff] Mar 8 14:22:57 jutta kernel: NODE_DATA [mem 0x207ffd9000-0x207fffffff] Mar 8 14:22:57 jutta kernel: Initmem setup node 2 [mem 0x2080000000-0x307fffffff] Mar 8 14:22:57 jutta kernel: NODE_DATA [mem 0x307ffd9000-0x307fffffff] Mar 8 14:22:57 jutta kernel: Initmem setup node 3 [mem 0x3080000000-0x407fffffff] Mar 8 14:22:57 jutta kernel: NODE_DATA [mem 0x407ffd6000-0x407fffcfff] Mar 8 14:22:57 jutta kernel: Reserving 176MB of memory at 672MB for crashkernel (System RAM: 262134MB) Mar 8 14:22:57 jutta kernel: Zone ranges: Mar 8 14:22:57 jutta kernel: DMA [mem 0x00001000-0x00ffffff] Mar 8 14:22:57 jutta kernel: DMA32 [mem 0x01000000-0xffffffff] Mar 8 14:22:57 jutta kernel: Normal [mem 0x100000000-0x407fffffff] Mar 8 14:22:57 jutta kernel: Movable zone start for each node Mar 8 14:22:57 jutta kernel: Early memory node ranges Mar 8 14:22:57 jutta kernel: node 0: [mem 0x00001000-0x00096fff] Mar 8 14:22:57 jutta kernel: node 0: [mem 0x00100000-0x7f73ffff] Mar 8 14:22:57 jutta kernel: node 0: [mem 0x100000000-0x107fffffff] Mar 8 14:22:57 jutta kernel: node 1: [mem 0x1080000000-0x207fffffff] Mar 8 14:22:57 jutta kernel: node 2: [mem 0x2080000000-0x307fffffff] Mar 8 14:22:57 jutta kernel: node 3: [mem 0x3080000000-0x407fffffff] Mar 8 14:22:57 jutta kernel: ACPI: PM-Timer IO Port: 0x808 Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x01] lapic_id[0x02] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x02] lapic_id[0x04] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x03] lapic_id[0x10] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC 
(acpi_id[0x04] lapic_id[0x12] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x05] lapic_id[0x20] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x06] lapic_id[0x22] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x07] lapic_id[0x24] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x08] lapic_id[0x30] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x09] lapic_id[0x40] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x0a] lapic_id[0x42] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x0b] lapic_id[0x44] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x0c] lapic_id[0x50] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x0d] lapic_id[0x62] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x0e] lapic_id[0x64] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x0f] lapic_id[0x70] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x10] lapic_id[0x72] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x11] lapic_id[0x80] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x12] lapic_id[0x84] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x13] lapic_id[0x90] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x14] lapic_id[0x92] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x15] lapic_id[0xa0] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x16] lapic_id[0xa2] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x17] lapic_id[0xa4] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x18] lapic_id[0xb2] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x19] lapic_id[0xc0] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x1a] lapic_id[0xc2] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x1b] lapic_id[0xd0] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x1c] lapic_id[0xd2] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC 
(acpi_id[0x1d] lapic_id[0xe0] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x1e] lapic_id[0xe2] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x1f] lapic_id[0xf0] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x20] lapic_id[0xf2] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x21] lapic_id[0x03] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x22] lapic_id[0x05] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x23] lapic_id[0x11] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x24] lapic_id[0x13] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x25] lapic_id[0x21] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x26] lapic_id[0x23] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x27] lapic_id[0x25] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x28] lapic_id[0x31] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x29] lapic_id[0x41] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x2a] lapic_id[0x43] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x2b] lapic_id[0x45] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x2c] lapic_id[0x51] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x2d] lapic_id[0x63] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x2e] lapic_id[0x65] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x2f] lapic_id[0x71] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x30] lapic_id[0x73] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x31] lapic_id[0x81] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x32] lapic_id[0x85] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x33] lapic_id[0x91] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x34] lapic_id[0x93] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x35] lapic_id[0xa1] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC 
(acpi_id[0x36] lapic_id[0xa3] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x37] lapic_id[0xa5] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x38] lapic_id[0xb3] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x39] lapic_id[0xc1] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x3a] lapic_id[0xc3] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x3b] lapic_id[0xd1] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x3c] lapic_id[0xd3] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x3d] lapic_id[0xe1] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x3e] lapic_id[0xe3] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x3f] lapic_id[0xf1] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x40] lapic_id[0xf3] enabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x41] lapic_id[0xc0] disabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x42] lapic_id[0xc1] disabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x43] lapic_id[0xc2] disabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x44] lapic_id[0xc3] disabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x45] lapic_id[0xc4] disabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x46] lapic_id[0xc5] disabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x47] lapic_id[0xc6] disabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x48] lapic_id[0xc7] disabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x49] lapic_id[0xc8] disabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x4a] lapic_id[0xc9] disabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x4b] lapic_id[0xca] disabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x4c] lapic_id[0xcb] disabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x4d] lapic_id[0xcc] disabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x4e] lapic_id[0xcd] disabled) Mar 8 14:22:57 jutta 
kernel: ACPI: LAPIC (acpi_id[0x4f] lapic_id[0xce] disabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC (acpi_id[0x50] lapic_id[0xcf] disabled) Mar 8 14:22:57 jutta kernel: ACPI: LAPIC_NMI (acpi_id[0xff] high edge lint[0x1]) Mar 8 14:22:57 jutta kernel: ACPI: IOAPIC (id[0x06] address[0xfec00000] gsi_base[0]) Mar 8 14:22:57 jutta kernel: IOAPIC[0]: apic_id 6, version 32, address 0xfec00000, GSI 0-23 Mar 8 14:22:57 jutta kernel: ACPI: IOAPIC (id[0x07] address[0xfec02000] gsi_base[24]) Mar 8 14:22:57 jutta kernel: IOAPIC[1]: apic_id 7, version 32, address 0xfec02000, GSI 24-47 Mar 8 14:22:57 jutta kernel: ACPI: IOAPIC (id[0x08] address[0xfec04000] gsi_base[48]) Mar 8 14:22:57 jutta kernel: IOAPIC[2]: apic_id 8, version 32, address 0xfec04000, GSI 48-71 Mar 8 14:22:57 jutta kernel: ACPI: INT_SRC_OVR (bus 0 bus_irq 0 global_irq 2 dfl dfl) Mar 8 14:22:57 jutta kernel: ACPI: INT_SRC_OVR (bus 0 bus_irq 9 global_irq 9 high level) Mar 8 14:22:57 jutta kernel: Using ACPI (MADT) for SMP configuration information Mar 8 14:22:57 jutta kernel: ACPI: HPET id: 0x8086a301 base: 0xfed00000 Mar 8 14:22:57 jutta kernel: smpboot: Allowing 80 CPUs, 16 hotplug CPUs Mar 8 14:22:57 jutta kernel: PM: Registered nosave memory: [mem 0x00097000-0x00097fff] Mar 8 14:22:57 jutta kernel: PM: Registered nosave memory: [mem 0x00098000-0x0009ffff] Mar 8 14:22:57 jutta kernel: PM: Registered nosave memory: [mem 0x000a0000-0x000dffff] Mar 8 14:22:57 jutta kernel: PM: Registered nosave memory: [mem 0x000e0000-0x000fffff] Mar 8 14:22:57 jutta kernel: PM: Registered nosave memory: [mem 0x7f740000-0x7f74dfff] Mar 8 14:22:57 jutta kernel: PM: Registered nosave memory: [mem 0x7f74e000-0x7f74ffff] Mar 8 14:22:57 jutta kernel: PM: Registered nosave memory: [mem 0x7f750000-0x7f75dfff] Mar 8 14:22:57 jutta kernel: PM: Registered nosave memory: [mem 0x7f75e000-0x7f7cffff] Mar 8 14:22:57 jutta kernel: PM: Registered nosave memory: [mem 0x7f7d0000-0x7f7dffff] Mar 8 14:22:57 jutta kernel: PM: Registered nosave memory: 
[mem 0x7f7e0000-0x7f7ebfff] Mar 8 14:22:57 jutta kernel: PM: Registered nosave memory: [mem 0x7f7ec000-0x8fffffff] Mar 8 14:22:57 jutta kernel: PM: Registered nosave memory: [mem 0x90000000-0xfedfffff] Mar 8 14:22:57 jutta kernel: PM: Registered nosave memory: [mem 0xfee00000-0xfee00fff] Mar 8 14:22:57 jutta kernel: PM: Registered nosave memory: [mem 0xfee01000-0xffbfffff] Mar 8 14:22:57 jutta kernel: PM: Registered nosave memory: [mem 0xffc00000-0xffffffff] Mar 8 14:22:57 jutta kernel: e820: [mem 0x90000000-0xfedfffff] available for PCI devices Mar 8 14:22:57 jutta kernel: Booting paravirtualized kernel on bare hardware Mar 8 14:22:57 jutta kernel: setup_percpu: NR_CPUS:5120 nr_cpumask_bits:80 nr_cpu_ids:80 nr_node_ids:4 Mar 8 14:22:57 jutta kernel: PERCPU: Embedded 31 pages/cpu @ffff88103f800000 s87168 r8192 d31616 u262144 Mar 8 14:22:57 jutta kernel: Built 4 zonelists in Zone order, mobility grouping on. Total pages: 66057956 Mar 8 14:22:57 jutta kernel: Policy zone: Normal Mar 8 14:22:57 jutta kernel: Kernel command line: BOOT_IMAGE=/vmlinuz-3.10.0-327.10.1.el7.x86_64 root=/dev/mapper/rootvg-lv_root ro nomodeset crashkernel=auto rd.lvm.lv=rootvg/lv_root rd.lvm.lv=rootvg/lv_swap biosdevname=0 net.ifnames=0 console=ttyS0,9600 LANG=en_US.UTF-8 Mar 8 14:22:57 jutta kernel: PID hash table entries: 4096 (order: 3, 32768 bytes) Mar 8 14:22:57 jutta kernel: AGP: Checking aperture... Mar 8 14:22:57 jutta kernel: AGP: No AGP bridge found Mar 8 14:22:57 jutta kernel: Memory: 263940176k/270532608k available (6440k kernel code, 2106536k absent, 4485896k reserved, 4266k data, 1620k init) Mar 8 14:22:57 jutta kernel: SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=80, Nodes=4 Mar 8 14:22:57 jutta kernel: Hierarchical RCU implementation. Mar 8 14:22:57 jutta kernel: #011RCU restricting CPUs from NR_CPUS=5120 to nr_cpu_ids=80. Mar 8 14:22:57 jutta kernel: #011Offload RCU callbacks from all CPUs Mar 8 14:22:57 jutta kernel: #011Offload RCU callbacks from CPUs: 0-79. 
Mar 8 14:22:57 jutta kernel: NR_IRQS:327936 nr_irqs:1880 0 Mar 8 14:22:57 jutta kernel: Console: colour VGA+ 80x25 Mar 8 14:22:57 jutta kernel: console [ttyS0] enabled Mar 8 14:22:57 jutta kernel: allocated 1073741824 bytes of page_cgroup Mar 8 14:22:57 jutta kernel: please try 'cgroup_disable=memory' option if you don't want memory cgroups Mar 8 14:22:57 jutta kernel: Enabling automatic NUMA balancing. Configure with numa_balancing= or the kernel.numa_balancing sysctl Mar 8 14:22:57 jutta kernel: tsc: Fast TSC calibration using PIT Mar 8 14:22:57 jutta kernel: tsc: Detected 1995.141 MHz processor Mar 8 14:22:57 jutta kernel: Calibrating delay loop (skipped), value calculated using timer frequency.. 3990.28 BogoMIPS (lpj=1995141) Mar 8 14:22:57 jutta kernel: pid_max: default: 81920 minimum: 640 Mar 8 14:22:57 jutta kernel: Security Framework initialized Mar 8 14:22:57 jutta kernel: SELinux: Initializing. Mar 8 14:22:57 jutta kernel: Dentry cache hash table entries: 33554432 (order: 16, 268435456 bytes) Mar 8 14:22:57 jutta kernel: Inode-cache hash table entries: 16777216 (order: 15, 134217728 bytes) Mar 8 14:22:57 jutta kernel: Mount-cache hash table entries: 4096 Mar 8 14:22:57 jutta kernel: Initializing cgroup subsys memory Mar 8 14:22:57 jutta kernel: Initializing cgroup subsys devices Mar 8 14:22:57 jutta kernel: Initializing cgroup subsys freezer Mar 8 14:22:57 jutta kernel: Initializing cgroup subsys net_cls Mar 8 14:22:57 jutta kernel: Initializing cgroup subsys blkio Mar 8 14:22:57 jutta kernel: Initializing cgroup subsys perf_event Mar 8 14:22:57 jutta kernel: Initializing cgroup subsys hugetlb Mar 8 14:22:57 jutta kernel: CPU: Physical Processor ID: 0 Mar 8 14:22:57 jutta kernel: CPU: Processor Core ID: 1 Mar 8 14:22:57 jutta kernel: ENERGY_PERF_BIAS: Set to 'normal', was 'performance'#012ENERGY_PERF_BIAS: View and update with x86_energy_perf_policy(8) Mar 8 14:22:57 jutta kernel: mce: CPU supports 24 MCE banks Mar 8 14:22:57 jutta kernel: CPU0: Thermal 
monitoring enabled (TM1) Mar 8 14:22:57 jutta kernel: Last level iTLB entries: 4KB 512, 2MB 7, 4MB 7#012Last level dTLB entries: 4KB 512, 2MB 32, 4MB 32#012tlb_flushall_shift: 6 Mar 8 14:22:57 jutta kernel: Freeing SMP alternatives: 28k freed Mar 8 14:22:57 jutta kernel: ACPI: Core revision 20130517 Mar 8 14:22:57 jutta kernel: ACPI: All ACPI Tables successfully acquired Mar 8 14:22:57 jutta kernel: ftrace: allocating 24591 entries in 97 pages Mar 8 14:22:57 jutta kernel: dmar: Host address width 46 Mar 8 14:22:57 jutta kernel: dmar: DRHD base: 0x000000fbefe000 flags: 0x0 Mar 8 14:22:57 jutta kernel: dmar: IOMMU 0: reg_base_addr fbefe000 ver 1:0 cap c90780106f0462 ecap f020fe Mar 8 14:22:57 jutta kernel: dmar: DRHD base: 0x000000cf4fe000 flags: 0x1 Mar 8 14:22:57 jutta kernel: dmar: IOMMU 1: reg_base_addr cf4fe000 ver 1:0 cap c90780106f0462 ecap f020fe Mar 8 14:22:57 jutta kernel: dmar: RMRR base: 0x000000000ec000 end: 0x000000000effff Mar 8 14:22:57 jutta kernel: dmar: RMRR base: 0x0000007f7ec000 end: 0x0000007f7fffff Mar 8 14:22:57 jutta kernel: dmar: ATSR flags: 0x0 Mar 8 14:22:57 jutta kernel: IOAPIC id 8 under DRHD base 0xfbefe000 IOMMU 0 Mar 8 14:22:57 jutta kernel: IOAPIC id 6 under DRHD base 0xcf4fe000 IOMMU 1 Mar 8 14:22:57 jutta kernel: IOAPIC id 7 under DRHD base 0xcf4fe000 IOMMU 1 Mar 8 14:22:57 jutta kernel: Queued invalidation will be enabled to support x2apic and Intr-remapping. Mar 8 14:22:57 jutta kernel: Enabled IRQ remapping in x2apic mode Mar 8 14:22:57 jutta kernel: Enabling x2apic Mar 8 14:22:57 jutta kernel: Enabled x2apic Mar 8 14:22:57 jutta kernel: Switched APIC routing to cluster x2apic. Mar 8 14:22:57 jutta kernel: ..TIMER: vector=0x30 apic1=0 pin1=2 apic2=-1 pin2=-1 Mar 8 14:22:57 jutta kernel: smpboot: CPU0: Intel(R) Xeon(R) CPU E7- 4820 @ 2.00GHz (fam: 06, model: 2f, stepping: 02) Mar 8 14:22:57 jutta kernel: Performance Events: PEBS fmt1+, 16-deep LBR, Westmere events, Intel PMU driver. 
Mar 8 14:22:57 jutta kernel: perf_event_intel: CPUID marked event: 'bus cycles' unavailable Mar 8 14:22:57 jutta kernel: ... version: 3 Mar 8 14:22:57 jutta kernel: ... bit width: 48 Mar 8 14:22:57 jutta kernel: ... generic registers: 4 Mar 8 14:22:57 jutta kernel: ... value mask: 0000ffffffffffff Mar 8 14:22:57 jutta kernel: ... max period: 000000007fffffff Mar 8 14:22:57 jutta kernel: ... fixed-purpose events: 3 Mar 8 14:22:57 jutta kernel: ... event mask: 000000070000000f Mar 8 14:22:57 jutta kernel: CPU1 microcode updated early to revision 0x37, date = 2013-06-18 Mar 8 14:22:57 jutta kernel: NMI watchdog: enabled on all CPUs, permanently consumes one hw-PMU counter. Mar 8 14:22:57 jutta kernel: CPU2 microcode updated early to revision 0x37, date = 2013-06-18 Mar 8 14:22:57 jutta kernel: CPU3 microcode updated early to revision 0x37, date = 2013-06-18 Mar 8 14:22:57 jutta kernel: CPU4 microcode updated early to revision 0x37, date = 2013-06-18 Mar 8 14:22:57 jutta kernel: CPU5 microcode updated early to revision 0x37, date = 2013-06-18 Mar 8 14:22:57 jutta kernel: CPU6 microcode updated early to revision 0x37, date = 2013-06-18 Mar 8 14:22:57 jutta kernel: CPU7 microcode updated early to revision 0x37, date = 2013-06-18 Mar 8 14:22:57 jutta kernel: smpboot: Booting Node 0, Processors #1 #2 #3 #4 #5 #6 #7 OK Mar 8 14:22:57 jutta kernel: CPU8 microcode updated early to revision 0x37, date = 2013-06-18 Mar 8 14:22:57 jutta kernel: CPU9 microcode updated early to revision 0x37, date = 2013-06-18 Mar 8 14:22:57 jutta kernel: CPU10 microcode updated early to revision 0x37, date = 2013-06-18 Mar 8 14:22:57 jutta kernel: CPU11 microcode updated early to revision 0x37, date = 2013-06-18 Mar 8 14:22:57 jutta kernel: CPU12 microcode updated early to revision 0x37, date = 2013-06-18 Mar 8 14:22:57 jutta kernel: CPU13 microcode updated early to revision 0x37, date = 2013-06-18 Mar 8 14:22:57 jutta kernel: CPU14 microcode updated early to revision 0x37, date = 2013-06-18 Mar 
8 14:22:57 jutta kernel: CPU15 microcode updated early to revision 0x37, date = 2013-06-18 Mar 8 14:22:57 jutta kernel: smpboot: Booting Node 1, Processors #8 #9 #10 #11 #12 #13 #14 #15 OK Mar 8 14:22:57 jutta kernel: CPU16 microcode updated early to revision 0x37, date = 2013-06-18 Mar 8 14:22:57 jutta kernel: CPU17 microcode updated early to revision 0x37, date = 2013-06-18 Mar 8 14:22:57 jutta kernel: CPU18 microcode updated early to revision 0x37, date = 2013-06-18 Mar 8 14:22:57 jutta kernel: CPU19 microcode updated early to revision 0x37, date = 2013-06-18 Mar 8 14:22:57 jutta kernel: CPU20 microcode updated early to revision 0x37, date = 2013-06-18 Mar 8 14:22:57 jutta kernel: CPU21 microcode updated early to revision 0x37, date = 2013-06-18 Mar 8 14:22:57 jutta kernel: CPU22 microcode updated early to revision 0x37, date = 2013-06-18 Mar 8 14:22:57 jutta kernel: CPU23 microcode updated early to revision 0x37, date = 2013-06-18 Mar 8 14:22:57 jutta kernel: smpboot: Booting Node 2, Processors #16 #17 #18 #19 #20 #21 #22 #23 OK Mar 8 14:22:57 jutta kernel: CPU24 microcode updated early to revision 0x37, date = 2013-06-18 Mar 8 14:22:57 jutta kernel: CPU25 microcode updated early to revision 0x37, date = 2013-06-18 Mar 8 14:22:57 jutta kernel: CPU26 microcode updated early to revision 0x37, date = 2013-06-18 Mar 8 14:22:57 jutta kernel: CPU27 microcode updated early to revision 0x37, date = 2013-06-18 Mar 8 14:22:57 jutta kernel: CPU28 microcode updated early to revision 0x37, date = 2013-06-18 Mar 8 14:22:57 jutta kernel: CPU29 microcode updated early to revision 0x37, date = 2013-06-18 Mar 8 14:22:57 jutta kernel: CPU30 microcode updated early to revision 0x37, date = 2013-06-18 Mar 8 14:22:57 jutta kernel: CPU31 microcode updated early to revision 0x37, date = 2013-06-18 Mar 8 14:22:57 jutta kernel: smpboot: Booting Node 3, Processors #24 #25 #26 #27 #28 #29 #30 #31 OK Mar 8 14:22:57 jutta kernel: smpboot: Booting Node 0, Processors #32 #33 #34 #35 #36 #37 
#38 #39 OK Mar 8 14:22:57 jutta kernel: smpboot: Booting Node 1, Processors #40 #41 #42 #43 #44 #45 #46 #47 OK Mar 8 14:22:57 jutta kernel: smpboot: Booting Node 2, Processors #48 #49 #50 #51 #52 #53 #54 #55 OK Mar 8 14:22:57 jutta kernel: smpboot: Booting Node 3, Processors #56 #57 #58 #59 #60 #61 #62 #63 Mar 8 14:22:57 jutta kernel: Brought up 64 CPUs Mar 8 14:22:57 jutta kernel: smpboot: Total of 64 processors activated (255361.21 BogoMIPS) Mar 8 14:22:57 jutta kernel: devtmpfs: initialized Mar 8 14:22:57 jutta kernel: EVM: security.selinux Mar 8 14:22:57 jutta kernel: EVM: security.ima Mar 8 14:22:57 jutta kernel: EVM: security.capability Mar 8 14:22:57 jutta kernel: PM: Registering ACPI NVS region [mem 0x7f75e000-0x7f7cffff] (466944 bytes) Mar 8 14:22:57 jutta kernel: atomic64 test passed for x86-64 platform with CX8 and with SSE Mar 8 14:22:57 jutta kernel: NET: Registered protocol family 16 Mar 8 14:22:57 jutta kernel: ACPI FADT declares the system doesn't support PCIe ASPM, so disable it Mar 8 14:22:57 jutta kernel: ACPI: bus type PCI registered Mar 8 14:22:57 jutta kernel: acpiphp: ACPI Hot Plug PCI Controller Driver version: 0.5 Mar 8 14:22:57 jutta kernel: PCI: MMCONFIG for domain 0000 [bus 00-ff] at [mem 0x80000000-0x8fffffff] (base 0x80000000) Mar 8 14:22:57 jutta kernel: PCI: MMCONFIG at [mem 0x80000000-0x8fffffff] reserved in E820 Mar 8 14:22:57 jutta kernel: PCI: Using configuration type 1 for base access Mar 8 14:22:57 jutta kernel: ACPI: Added _OSI(Module Device) Mar 8 14:22:57 jutta kernel: ACPI: Added _OSI(Processor Device) Mar 8 14:22:57 jutta kernel: ACPI: Added _OSI(3.0 _SCP Extensions) Mar 8 14:22:57 jutta kernel: ACPI: Added _OSI(Processor Aggregator Device) Mar 8 14:22:57 jutta kernel: ACPI: SSDT 000000007f75e2d0 0CEE4 (v01 ORACLE X4470M2 00000011 INTL 20051117) Mar 8 14:22:57 jutta kernel: ACPI: Dynamic OEM Table Load: Mar 8 14:22:57 jutta kernel: ACPI: SSDT (null) 0CEE4 (v01 ORACLE X4470M2 00000011 INTL 20051117) Mar 8 14:22:57 jutta 
kernel: ACPI: SSDT 000000007f76b1c0 06265 (v01 PmRef P001Cst 00003001 INTL 20051117) Mar 8 14:22:57 jutta kernel: ACPI: Dynamic OEM Table Load: Mar 8 14:22:57 jutta kernel: ACPI: SSDT (null) 06265 (v01 PmRef P001Cst 00003001 INTL 20051117) Mar 8 14:22:57 jutta kernel: ACPI: SSDT 000000007f771430 01F12 (v01 PmRef Cpu0Tst 00003000 INTL 20051117) Mar 8 14:22:57 jutta kernel: ACPI: Dynamic OEM Table Load: Mar 8 14:22:57 jutta kernel: ACPI: SSDT (null) 01F12 (v01 PmRef Cpu0Tst 00003000 INTL 20051117) Mar 8 14:22:57 jutta kernel: ACPI: Interpreter enabled Mar 8 14:22:57 jutta kernel: ACPI Exception: AE_NOT_FOUND, While evaluating Sleep State [\_S1_] (20130517/hwxface-571) Mar 8 14:22:57 jutta kernel: ACPI Exception: AE_NOT_FOUND, While evaluating Sleep State [\_S2_] (20130517/hwxface-571) Mar 8 14:22:57 jutta kernel: ACPI Exception: AE_NOT_FOUND, While evaluating Sleep State [\_S3_] (20130517/hwxface-571) Mar 8 14:22:57 jutta kernel: ACPI Exception: AE_NOT_FOUND, While evaluating Sleep State [\_S4_] (20130517/hwxface-571) Mar 8 14:22:57 jutta kernel: ACPI: (supports S0 S5) Mar 8 14:22:57 jutta kernel: ACPI: Using IOAPIC for interrupt routing Mar 8 14:22:57 jutta kernel: HEST: Table parsing has been initialized. 
Mar 8 14:22:58 jutta systemd[1]: Starting Sockets. Mar 8 14:22:58 jutta systemd[1]: Started Journal Service. Mar 8 14:22:58 jutta systemd: Started Create list of required static device nodes for the current kernel. Mar 8 14:22:58 jutta systemd: Started dracut cmdline hook. Mar 8 14:22:58 jutta systemd: Started Apply Kernel Variables. Mar 8 14:22:58 jutta systemd: Started Setup Virtual Console. Mar 8 14:22:58 jutta systemd: Starting dracut pre-udev hook... Mar 8 14:22:59 jutta kernel: device-mapper: uevent: version 1.0.3 Mar 8 14:22:59 jutta kernel: device-mapper: ioctl: 4.33.0-ioctl (2015-8-18) initialised: dm-devel at redhat.com Mar 8 14:22:59 jutta systemd: Starting Create Static Device Nodes in /dev... Mar 8 14:22:59 jutta systemd-tmpfiles: Failed to parse ACL "d:group:adm:r-x,d:group:wheel:r-x": Invalid argument. Ignoring Mar 8 14:22:59 jutta systemd-tmpfiles: Failed to parse ACL "group:adm:r-x,group:wheel:r-x": Invalid argument. Ignoring Mar 8 14:22:59 jutta systemd-tmpfiles: Failed to parse ACL "d:group:adm:r-x,d:group:wheel:r-x": Invalid argument. Ignoring Mar 8 14:22:59 jutta systemd-tmpfiles: Failed to parse ACL "group:adm:r-x,group:wheel:r-x": Invalid argument. Ignoring Mar 8 14:22:59 jutta systemd: Started Create Static Device Nodes in /dev. Mar 8 14:22:59 jutta systemd: Started dracut pre-udev hook. Mar 8 14:22:59 jutta systemd: Starting udev Kernel Device Manager... Mar 8 14:22:59 jutta systemd-udevd: starting version 219 Mar 8 14:22:59 jutta systemd-udevd: Network interface NamePolicy= disabled on kernel command line, ignoring. Mar 8 14:22:59 jutta systemd: Started udev Kernel Device Manager. Mar 8 14:22:59 jutta systemd: Started dracut pre-trigger hook. Mar 8 14:22:59 jutta systemd: Starting udev Coldplug all Devices... Mar 8 14:22:59 jutta systemd: Mounting Configuration File System... 
Mar 8 14:22:59 jutta kernel: usb-storage 2-2:1.0: USB Mass Storage device detected Mar 8 14:22:59 jutta kernel: scsi host0: usb-storage 2-2:1.0 Mar 8 14:22:59 jutta kernel: usbcore: registered new interface driver usb-storage Mar 8 14:22:59 jutta systemd: Mounted Configuration File System. Mar 8 14:22:59 jutta kernel: [drm] Initialized drm 1.1.0 20060810 Mar 8 14:23:00 jutta kernel: dca service started, version 1.12.1 Mar 8 14:23:00 jutta kernel: mpt2sas version 20.100.00.00 loaded Mar 8 14:23:00 jutta kernel: mpt2sas0: 64 BIT PCI BUS DMA ADDRESSING SUPPORTED, total mem (263960236 kB) Mar 8 14:23:00 jutta kernel: mpt2sas0: MSI-X vectors supported: 1, no of cores: 64, max_msix_vectors: 8 Mar 8 14:23:00 jutta kernel: mpt2sas0-msix0: PCI-MSI-X enabled: IRQ 38 Mar 8 14:23:00 jutta kernel: mpt2sas0: iomem(0x00000000cf5fc000), mapped(0xffffc900180f0000), size(16384) Mar 8 14:23:00 jutta kernel: mpt2sas0: ioport(0x0000000000007000), size(256) Mar 8 14:23:00 jutta kernel: mpt2sas0: sending diag reset !! Mar 8 14:23:00 jutta kernel: pcieport 0000:00:05.0: AER: Corrected error received: id=0028 Mar 8 14:23:00 jutta kernel: pcieport 0000:00:05.0: PCIe Bus Error: severity=Corrected, type=Physical Layer, id=0028(Receiver ID) Mar 8 14:23:00 jutta kernel: pcieport 0000:00:05.0: device [8086:340c] error status/mask=00000001/00002000 Mar 8 14:23:00 jutta kernel: pcieport 0000:00:05.0: [ 0] Receiver Error Mar 8 14:23:00 jutta kernel: scsi 0:0:0:0: CD-ROM TEAC DV-W28SS-V 1.0B PQ: 0 ANSI: 0 Mar 8 14:23:00 jutta systemd: Started udev Coldplug all Devices. Mar 8 14:23:00 jutta systemd: Starting Show Plymouth Boot Screen... Mar 8 14:23:01 jutta kernel: pps_core: LinuxPPS API ver. 
1 registered Mar 8 14:23:01 jutta kernel: mpt2sas0: diag reset: SUCCESS Mar 8 14:23:01 jutta kernel: mpt2sas0: Allocated physical memory: size(3813 kB) Mar 8 14:23:01 jutta kernel: mpt2sas0: Current Controller Queue Depth(1676), Max Controller Queue Depth(1871) Mar 8 14:23:01 jutta kernel: mpt2sas0: Scatter Gather Elements per IO(128) Mar 8 14:23:01 jutta kernel: mpt2sas0: log_info(0x30030100): originator(IOP), code(0x03), sub_code(0x0100) Mar 8 14:23:01 jutta kernel: mpt2sas0: log_info(0x30030100): originator(IOP), code(0x03), sub_code(0x0100) Mar 8 14:23:01 jutta kernel: mpt2sas0: LSISAS2008: FWVersion(05.00.17.00), ChipRevision(0x03), BiosVersion(07.05.05.00) Mar 8 14:23:01 jutta kernel: mpt2sas0: Protocol=(Initiator,Target), Capabilities=(Raid,TLR,EEDP,Snapshot Buffer,Diag Trace Buffer,Task Set Full,NCQ) Mar 8 14:23:01 jutta kernel: scsi host1: Fusion MPT SAS Host Mar 8 14:23:01 jutta kernel: mpt2sas0: sending port enable !! Mar 8 14:23:01 jutta kernel: pps_core: Software ver. 5.3.6 - Copyright 2005-2007 Rodolfo Giometti Mar 8 14:23:02 jutta systemd: Starting dracut initqueue hook... 
Mar 8 14:23:03 jutta kernel: PTP clock support registered Mar 8 14:23:03 jutta kernel: ahci 0000:00:1f.2: SSS flag set, parallel bus scan disabled Mar 8 14:23:03 jutta kernel: ahci 0000:00:1f.2: AHCI 0001.0200 32 slots 6 ports 3 Gbps 0x3f impl SATA mode Mar 8 14:23:03 jutta kernel: ahci 0000:00:1f.2: flags: 64bit ncq sntf stag pm led clo pio slum part ccc ems sxs Mar 8 14:23:03 jutta kernel: scsi host2: ahci Mar 8 14:23:03 jutta kernel: scsi host3: ahci Mar 8 14:23:03 jutta kernel: scsi host4: ahci Mar 8 14:23:03 jutta kernel: scsi host5: ahci Mar 8 14:23:03 jutta kernel: scsi host6: ahci Mar 8 14:23:03 jutta kernel: scsi host7: ahci Mar 8 14:23:03 jutta kernel: ata1: SATA max UDMA/133 abar m2048 at 0xcf4f6000 port 0xcf4f6100 irq 39 Mar 8 14:23:03 jutta kernel: ata2: SATA max UDMA/133 abar m2048 at 0xcf4f6000 port 0xcf4f6180 irq 40 Mar 8 14:23:03 jutta kernel: ata3: SATA max UDMA/133 abar m2048 at 0xcf4f6000 port 0xcf4f6200 irq 41 Mar 8 14:23:03 jutta kernel: ata4: SATA max UDMA/133 abar m2048 at 0xcf4f6000 port 0xcf4f6280 irq 42 Mar 8 14:23:03 jutta kernel: ata5: SATA max UDMA/133 abar m2048 at 0xcf4f6000 port 0xcf4f6300 irq 43 Mar 8 14:23:03 jutta kernel: ata6: SATA max UDMA/133 abar m2048 at 0xcf4f6000 port 0xcf4f6380 irq 44 Mar 8 14:23:03 jutta kernel: ata1: SATA link down (SStatus 0 SControl 300) Mar 8 14:23:03 jutta kernel: mpt2sas0: host_add: handle(0x0001), sas_addr(0x500605b003d783f0), phys(8) Mar 8 14:23:03 jutta systemd: Reached target System Initialization. Mar 8 14:23:03 jutta systemd: Starting System Initialization. Mar 8 14:23:03 jutta systemd: Received SIGRTMIN+20 from PID 849 (plymouthd). Mar 8 14:23:03 jutta systemd: Started Show Plymouth Boot Screen. Mar 8 14:23:03 jutta systemd: Started Dispatch Password Requests to Console Directory Watch. Mar 8 14:23:03 jutta systemd: Reached target Paths. Mar 8 14:23:03 jutta systemd: Starting Paths. Mar 8 14:23:03 jutta systemd: Started Forward Password Requests to Plymouth Directory Watch. 
Mar 8 14:23:03 jutta systemd: Starting Forward Password Requests to Plymouth Directory Watch. Mar 8 14:23:03 jutta systemd: Reached target Basic System. Mar 8 14:23:03 jutta systemd: Starting Basic System. Mar 8 14:23:03 jutta kernel: igb: Intel(R) Gigabit Ethernet Network Driver - version 5.2.15-k Mar 8 14:23:03 jutta kernel: igb: Copyright (c) 2007-2014 Intel Corporation. Mar 8 14:23:03 jutta kernel: igb 0000:61:00.0: added PHC on eth0 Mar 8 14:23:03 jutta kernel: igb 0000:61:00.0: Intel(R) Gigabit Ethernet Network Connection Mar 8 14:23:03 jutta kernel: igb 0000:61:00.0: eth0: (PCIe:2.5Gb/s:Width x4) 00:10:e0:0f:92:e6 Mar 8 14:23:03 jutta kernel: igb 0000:61:00.0: eth0: PBA No: Unknown Mar 8 14:23:03 jutta kernel: igb 0000:61:00.0: Using MSI-X interrupts. 8 rx queue(s), 8 tx queue(s) Mar 8 14:23:05 jutta kernel: igb 0000:61:00.1: added PHC on eth1 Mar 8 14:23:05 jutta kernel: igb 0000:61:00.1: Intel(R) Gigabit Ethernet Network Connection Mar 8 14:23:05 jutta kernel: igb 0000:61:00.1: eth1: (PCIe:2.5Gb/s:Width x4) 00:10:e0:0f:92:e7 Mar 8 14:23:05 jutta kernel: igb 0000:61:00.1: eth1: PBA No: Unknown Mar 8 14:23:05 jutta kernel: igb 0000:61:00.1: Using MSI-X interrupts. 8 rx queue(s), 8 tx queue(s) Mar 8 14:23:05 jutta kernel: igb 0000:81:00.0: added PHC on eth2 Mar 8 14:23:05 jutta kernel: igb 0000:81:00.0: Intel(R) Gigabit Ethernet Network Connection Mar 8 14:23:05 jutta kernel: igb 0000:81:00.0: eth2: (PCIe:2.5Gb/s:Width x4) 00:10:e0:0f:92:e8 Mar 8 14:23:05 jutta kernel: igb 0000:81:00.0: eth2: PBA No: Unknown Mar 8 14:23:05 jutta kernel: igb 0000:81:00.0: Using MSI-X interrupts. 
8 rx queue(s), 8 tx queue(s) Mar 8 14:23:05 jutta kernel: igb 0000:81:00.1: added PHC on eth3 Mar 8 14:23:05 jutta kernel: igb 0000:81:00.1: Intel(R) Gigabit Ethernet Network Connection Mar 8 14:23:05 jutta kernel: igb 0000:81:00.1: eth3: (PCIe:2.5Gb/s:Width x4) 00:10:e0:0f:92:e9 Mar 8 14:23:05 jutta kernel: igb 0000:81:00.1: eth3: PBA No: Unknown Mar 8 14:23:05 jutta kernel: igb 0000:81:00.1: Using MSI-X interrupts. 8 rx queue(s), 8 tx queue(s) Mar 8 14:23:05 jutta kernel: sr 0:0:0:0: [sr0] scsi3-mmc drive: 24x/24x writer dvd-ram cd/rw xa/form2 cdda caddy Mar 8 14:23:05 jutta kernel: cdrom: Uniform CD-ROM driver Revision: 3.20 Mar 8 14:23:09 jutta kernel: mpt2sas0: port enable: SUCCESS Mar 8 14:23:09 jutta kernel: scsi 1:0:0:0: Direct-Access SEAGATE ST960005SSUN600G 0606 PQ: 0 ANSI: 6 Mar 8 14:23:09 jutta kernel: scsi 1:0:0:0: SSP: handle(0x0009), sas_addr(0x5000c500436ae53d), phy(3), device_name(0x00c500503ce56a43) Mar 8 14:23:09 jutta kernel: scsi 1:0:0:0: SSP: enclosure_logical_id(0x500605b003d783f0), slot(0) Mar 8 14:23:09 jutta kernel: scsi 1:0:0:0: qdepth(254), tagged(1), simple(0), ordered(0), scsi_level(7), cmd_que(1) Mar 8 14:23:10 jutta kernel: ata2: SATA link down (SStatus 0 SControl 300) Mar 8 14:23:10 jutta kernel: ata3: SATA link down (SStatus 0 SControl 300) Mar 8 14:23:10 jutta kernel: ata4: SATA link down (SStatus 0 SControl 300) Mar 8 14:23:11 jutta kernel: ata5: SATA link down (SStatus 0 SControl 300) Mar 8 14:23:11 jutta kernel: ata6: SATA link down (SStatus 0 SControl 300) Mar 8 14:23:11 jutta kernel: sd 1:0:0:0: [sda] 1172123568 512-byte logical blocks: (600 GB/558 GiB) Mar 8 14:23:11 jutta kernel: sd 1:0:0:0: [sda] Write Protect is off Mar 8 14:23:11 jutta kernel: sd 1:0:0:0: [sda] Write cache: disabled, read cache: enabled, supports DPO and FUA Mar 8 14:23:11 jutta kernel: sda: sda1 sda2 Mar 8 14:23:11 jutta kernel: sd 1:0:0:0: [sda] Attached SCSI disk Mar 8 14:23:12 jutta systemd: Found device /dev/mapper/rootvg-lv_root. 
Mar 8 14:23:12 jutta systemd: Starting File System Check on /dev/mapper/rootvg-lv_root... Mar 8 14:23:12 jutta systemd-fsck: /sbin/fsck.xfs: XFS file system. Mar 8 14:23:12 jutta systemd: Started File System Check on /dev/mapper/rootvg-lv_root. Mar 8 14:23:12 jutta systemd: Started dracut initqueue hook. Mar 8 14:23:12 jutta systemd: Reached target Remote File Systems (Pre). Mar 8 14:23:12 jutta systemd: Starting Remote File Systems (Pre). Mar 8 14:23:12 jutta systemd: Reached target Remote File Systems. Mar 8 14:23:12 jutta systemd: Starting Remote File Systems. Mar 8 14:23:12 jutta systemd: Started dracut pre-mount hook. Mar 8 14:23:12 jutta systemd: Mounting /sysroot... Mar 8 14:23:12 jutta kernel: SGI XFS with ACLs, security attributes, no debug enabled Mar 8 14:23:12 jutta kernel: XFS (dm-0): Mounting V4 Filesystem Mar 8 14:23:12 jutta kernel: XFS (dm-0): Ending clean mount Mar 8 14:23:12 jutta systemd: Mounted /sysroot. Mar 8 14:23:12 jutta systemd: Reached target Initrd Root File System. Mar 8 14:23:12 jutta systemd: Starting Initrd Root File System. Mar 8 14:23:12 jutta systemd: Starting Reload Configuration from the Real Root... Mar 8 14:23:12 jutta systemd: Reloading. Mar 8 14:23:12 jutta systemd: Started Reload Configuration from the Real Root. Mar 8 14:23:12 jutta systemd: Reached target Initrd File Systems. Mar 8 14:23:12 jutta systemd: Starting Initrd File Systems. Mar 8 14:23:12 jutta systemd: Started dracut mount hook. Mar 8 14:23:12 jutta systemd: Reached target Initrd Default Target. Mar 8 14:23:12 jutta systemd: Starting Initrd Default Target. Mar 8 14:23:12 jutta systemd: Starting dracut pre-pivot and cleanup hook... Mar 8 14:23:12 jutta systemd: Started dracut pre-pivot and cleanup hook. Mar 8 14:23:12 jutta systemd: Starting Cleaning Up and Shutting Down Daemons... Mar 8 14:23:12 jutta systemd: Starting Plymouth switch root service... Mar 8 14:23:12 jutta systemd: Stopped target Timers. Mar 8 14:23:12 jutta systemd: Stopping Timers. 
Mar 8 14:23:12 jutta systemd: Stopped Cleaning Up and Shutting Down Daemons. Mar 8 14:23:12 jutta systemd: Stopped dracut pre-pivot and cleanup hook. Mar 8 14:23:12 jutta systemd: Stopping dracut pre-pivot and cleanup hook... Mar 8 14:23:12 jutta systemd: Stopped target Remote File Systems. Mar 8 14:23:12 jutta systemd: Stopping Remote File Systems. Mar 8 14:23:12 jutta systemd: Stopped target Remote File Systems (Pre). Mar 8 14:23:12 jutta systemd: Stopping Remote File Systems (Pre). Mar 8 14:23:12 jutta systemd: Stopped dracut initqueue hook. Mar 8 14:23:12 jutta systemd: Stopping dracut initqueue hook... Mar 8 14:23:12 jutta systemd: Stopped target Initrd Default Target. Mar 8 14:23:12 jutta systemd: Stopping Initrd Default Target. Mar 8 14:23:12 jutta systemd: Stopped target Basic System. Mar 8 14:23:12 jutta systemd: Stopping Basic System. Mar 8 14:23:12 jutta systemd: Stopped target Sockets. Mar 8 14:23:12 jutta systemd: Stopping Sockets. Mar 8 14:23:12 jutta systemd: Stopped target Paths. Mar 8 14:23:12 jutta systemd: Stopping Paths. Mar 8 14:23:12 jutta systemd: Stopped target Slices. Mar 8 14:23:12 jutta systemd: Stopping Slices. Mar 8 14:23:12 jutta systemd: Stopped target System Initialization. Mar 8 14:23:12 jutta systemd: Stopping System Initialization. Mar 8 14:23:12 jutta systemd: Stopping udev Kernel Device Manager... Mar 8 14:23:12 jutta systemd: Stopped target Swap. Mar 8 14:23:12 jutta systemd: Stopping Swap. Mar 8 14:23:12 jutta systemd: Stopped Apply Kernel Variables. Mar 8 14:23:12 jutta systemd: Stopping Apply Kernel Variables... Mar 8 14:23:12 jutta systemd: Stopped target Local File Systems. Mar 8 14:23:12 jutta systemd: Stopping Local File Systems. Mar 8 14:23:12 jutta systemd: Stopped udev Coldplug all Devices. Mar 8 14:23:12 jutta systemd: Stopping udev Coldplug all Devices... Mar 8 14:23:12 jutta systemd: Started Plymouth switch root service. Mar 8 14:23:12 jutta systemd: Stopped udev Kernel Device Manager. 
Mar 8 14:23:12 jutta systemd: Stopped dracut pre-udev hook. Mar 8 14:23:12 jutta systemd: Stopping dracut pre-udev hook... Mar 8 14:23:12 jutta systemd: Stopped dracut cmdline hook. Mar 8 14:23:12 jutta systemd: Stopping dracut cmdline hook... Mar 8 14:23:12 jutta systemd: Stopped Create Static Device Nodes in /dev. Mar 8 14:23:12 jutta systemd: Stopping Create Static Device Nodes in /dev... Mar 8 14:23:12 jutta systemd: Stopped Create list of required static device nodes for the current kernel. Mar 8 14:23:12 jutta systemd: Stopping Create list of required static device nodes for the current kernel... Mar 8 14:23:12 jutta systemd: Closed udev Kernel Socket. Mar 8 14:23:12 jutta systemd: Stopping udev Kernel Socket. Mar 8 14:23:12 jutta systemd: Closed udev Control Socket. Mar 8 14:23:12 jutta systemd: Stopping udev Control Socket. Mar 8 14:23:12 jutta systemd: Starting Cleanup udevd DB... Mar 8 14:23:12 jutta systemd: Started Cleanup udevd DB. Mar 8 14:23:12 jutta systemd: Reached target Switch Root. Mar 8 14:23:12 jutta systemd: Starting Switch Root. Mar 8 14:23:12 jutta systemd: Starting Switch Root... Mar 8 14:23:12 jutta systemd: Switching root. Mar 8 14:23:13 jutta journal: Journal stopped Mar 8 14:23:14 jutta journal: Runtime journal is using 8.0M (max allowed 4.0G, trying to leave 4.0G free of 125.8G available ? current limit 4.0G). Mar 8 14:23:14 jutta journal: Runtime journal is using 8.0M (max allowed 4.0G, trying to leave 4.0G free of 125.8G available ? current limit 4.0G). Mar 8 14:23:14 jutta systemd-journald[707]: Received SIGTERM from PID 1 (n/a). Mar 8 14:23:14 jutta kernel: SELinux: Disabled at runtime. 
Mar 8 14:23:14 jutta kernel: type=1404 audit(1457468593.308:2): selinux=0 auid=4294967295 ses=4294967295 Mar 8 14:23:14 jutta kernel: ip_tables: (C) 2000-2006 Netfilter Core Team Mar 8 14:23:14 jutta systemd[1]: Inserted module 'ip_tables' Mar 8 14:23:14 jutta journal: Journal started Mar 8 14:23:14 jutta systemd: systemd 219 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ -LZ4 -SECCOMP +BLKID +ELFUTILS +KMOD +IDN) Mar 8 14:23:14 jutta systemd: Detected architecture x86-64. Mar 8 14:23:14 jutta systemd: Set hostname to . Mar 8 14:23:14 jutta systemd: Configuration file /usr/lib/systemd/system/auditd.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway. Mar 8 14:23:14 jutta systemd: Configuration file /usr/lib/systemd/system/ebtables.service is marked executable. Please remove executable permission bits. Proceeding anyway. Mar 8 14:23:14 jutta systemd: Mounted Debug File System. Mar 8 14:23:14 jutta systemd: Mounted POSIX Message Queue File System. Mar 8 14:23:14 jutta systemd: Mounted Huge Pages File System. Mar 8 14:23:14 jutta systemd: Started Remount Root and Kernel File Systems. Mar 8 14:23:14 jutta systemd: Started First Boot Wizard. Mar 8 14:23:14 jutta systemd: Started Rebuild Hardware Database. Mar 8 14:23:14 jutta systemd: Starting udev Coldplug all Devices... Mar 8 14:23:14 jutta systemd: Starting Configure read-only root support... Mar 8 14:23:14 jutta systemd: Started Rebuild Dynamic Linker Cache. Mar 8 14:23:14 jutta systemd: Started Apply Kernel Variables. Mar 8 14:23:14 jutta systemd: Started LVM2 metadata daemon. Mar 8 14:23:14 jutta systemd: Starting LVM2 metadata daemon... Mar 8 14:23:14 jutta systemd: Started udev Coldplug all Devices. Mar 8 14:23:14 jutta systemd: Started Create Static Device Nodes in /dev. Mar 8 14:23:14 jutta systemd: Reached target Local File Systems (Pre). 
Mar 8 14:23:14 jutta systemd: Starting Local File Systems (Pre). Mar 8 14:23:14 jutta systemd: Starting udev Kernel Device Manager... Mar 8 14:23:14 jutta systemd-udevd: starting version 219 Mar 8 14:23:14 jutta systemd-udevd: Network interface NamePolicy= disabled on kernel command line, ignoring. Mar 8 14:23:14 jutta systemd: Started Configure read-only root support. Mar 8 14:23:15 jutta systemd: Started udev Kernel Device Manager. Mar 8 14:23:15 jutta systemd: Found device /dev/ttyS0. Mar 8 14:23:15 jutta kernel: EDAC MC: Ver: 3.0.0 Mar 8 14:23:15 jutta lvm: 2 logical volume(s) in volume group "rootvg" monitored Mar 8 14:23:15 jutta kernel: ACPI Warning: SystemIO range 0x0000000000000828-0x000000000000082f conflicts with OpRegion 0x0000000000000800-0x000000000000084f (\PMRG) (20130517/utaddress-254) Mar 8 14:23:15 jutta kernel: ACPI: If an ACPI driver is available for this device, you should use it instead of the native driver Mar 8 14:23:15 jutta kernel: lpc_ich: Resource conflict(s) found affecting gpio_ich Mar 8 14:23:15 jutta systemd: Started Monitoring of LVM2 mirrors, snapshots etc. using dmeventd or progress polling. Mar 8 14:23:15 jutta kernel: i801_smbus 0000:00:1f.3: SMBus using PCI interrupt Mar 8 14:23:16 jutta kernel: shpchp: Standard Hot Plug PCI Controller Driver version: 0.4 Mar 8 14:23:16 jutta kernel: input: PC Speaker as /devices/platform/pcspkr/input/input5 Mar 8 14:23:16 jutta kernel: ipmi message handler version 39.2 Mar 8 14:23:16 jutta kernel: sr 0:0:0:0: Attached scsi generic sg0 type 5 Mar 8 14:23:16 jutta kernel: sd 1:0:0:0: Attached scsi generic sg1 type 0 Mar 8 14:23:16 jutta kernel: IPMI System Interface driver. 
Mar 8 14:23:16 jutta kernel: ipmi_si: probing via ACPI Mar 8 14:23:16 jutta kernel: ipmi_si 00:08: [io 0x0ca2] regsize 1 spacing 4 irq 0 Mar 8 14:23:17 jutta kernel: ipmi_si: Adding ACPI-specified kcs state machine Mar 8 14:23:17 jutta kernel: ipmi_si: probing via SMBIOS Mar 8 14:23:17 jutta kernel: ipmi_si: SMBIOS: io 0xca2 regsize 1 spacing 4 irq 0 Mar 8 14:23:17 jutta kernel: ipmi_si: Adding SMBIOS-specified kcs state machine duplicate interface Mar 8 14:23:17 jutta kernel: ipmi_si: probing via SPMI Mar 8 14:23:17 jutta kernel: ipmi_si: SPMI: io 0xca2 regsize 4 spacing 4 irq 0 Mar 8 14:23:17 jutta kernel: ipmi_si: Adding SPMI-specified kcs state machine duplicate interface Mar 8 14:23:17 jutta kernel: ipmi_si: Trying ACPI-specified kcs state machine at i/o address 0xca2, slave address 0x0, irq 0 Mar 8 14:23:17 jutta kernel: ipmi_si 00:08: Found new BMC (man_id: 0x00002a, prod_id: 0x4701, dev_id: 0x20) Mar 8 14:23:17 jutta kernel: ipmi_si 00:08: IPMI kcs interface initialized Mar 8 14:23:17 jutta kernel: iTCO_vendor_support: vendor-support=0 Mar 8 14:23:17 jutta systemd: Found device /dev/mapper/rootvg-lv_swap. Mar 8 14:23:17 jutta systemd: Activating swap /dev/mapper/rootvg-lv_swap... Mar 8 14:23:17 jutta kernel: alg: No test for __gcm-aes-aesni (__driver-gcm-aes-aesni) Mar 8 14:23:17 jutta kernel: Adding 4194300k swap on /dev/mapper/rootvg-lv_swap. Priority:-1 extents:1 across:4194300k FS Mar 8 14:23:17 jutta systemd: Activated swap /dev/mapper/rootvg-lv_swap. Mar 8 14:23:17 jutta kernel: iTCO_wdt: Intel TCO WatchDog Timer Driver v1.11 Mar 8 14:23:17 jutta kernel: iTCO_wdt: unable to reset NO_REBOOT flag, device disabled by hardware/BIOS Mar 8 14:23:17 jutta systemd: Found device ST960005SSUN600G 1. Mar 8 14:23:17 jutta systemd: Mounting /boot... Mar 8 14:23:17 jutta kernel: IPMI SSIF Interface driver Mar 8 14:23:17 jutta kernel: XFS (sda1): Mounting V4 Filesystem Mar 8 14:23:18 jutta systemd: Created slice system-lvm2\x2dpvscan.slice. 
Mar 8 14:23:18 jutta systemd: Starting system-lvm2\x2dpvscan.slice. Mar 8 14:23:18 jutta systemd: Starting LVM2 PV scan on device 8:2... Mar 8 14:23:18 jutta systemd: Reached target Swap. Mar 8 14:23:18 jutta systemd: Starting Swap. Mar 8 14:23:18 jutta kernel: alg: No test for crc32 (crc32-pclmul) Mar 8 14:23:18 jutta lvm: 3 logical volume(s) in volume group "rootvg" now active Mar 8 14:23:18 jutta systemd: Found device /dev/mapper/rootvg-lv_var. Mar 8 14:23:18 jutta systemd: Started LVM2 PV scan on device 8:2. Mar 8 14:23:18 jutta systemd: Mounting /var... Mar 8 14:23:18 jutta kernel: XFS (dm-2): Mounting V4 Filesystem Mar 8 14:23:33 jutta kernel: XFS (dm-2): Ending clean mount Mar 8 14:23:33 jutta systemd: Mounted /var. Mar 8 14:23:33 jutta systemd: Starting Load/Save Random Seed... Mar 8 14:23:33 jutta systemd: Starting Flush Journal to Persistent Storage... Mar 8 14:23:33 jutta journal: Runtime journal is using 8.0M (max allowed 4.0G, trying to leave 4.0G free of 125.8G available ? current limit 4.0G). Mar 8 14:23:33 jutta systemd: Started Load/Save Random Seed. Mar 8 14:23:33 jutta systemd: Started Flush Journal to Persistent Storage. Mar 8 14:23:34 jutta kernel: XFS (sda1): Ending clean mount Mar 8 14:23:34 jutta systemd: Mounted /boot. Mar 8 14:23:34 jutta systemd: Reached target Local File Systems. Mar 8 14:23:34 jutta systemd: Starting Local File Systems. Mar 8 14:23:34 jutta systemd: Started Mark the need to relabel after reboot. Mar 8 14:23:34 jutta systemd: Started Commit a transient machine-id on disk. Mar 8 14:23:34 jutta systemd: Started Relabel all filesystems, if necessary. Mar 8 14:23:34 jutta systemd: Started Rebuild Journal Catalog. Mar 8 14:23:34 jutta systemd: Started Update is Completed. Mar 8 14:23:34 jutta systemd: Starting Tell Plymouth To Write Out Runtime Data... Mar 8 14:23:34 jutta systemd: Starting Import network configuration from initramfs... Mar 8 14:23:34 jutta systemd: Started Reconfigure the system on administrator request. 
Mar 8 14:23:34 jutta systemd: Started Tell Plymouth To Write Out Runtime Data. Mar 8 14:23:34 jutta systemd: Started Import network configuration from initramfs. Mar 8 14:23:34 jutta systemd: Starting Create Volatile Files and Directories... Mar 8 14:23:34 jutta systemd: Started Create Volatile Files and Directories. Mar 8 14:23:34 jutta systemd: Starting Security Auditing Service... Mar 8 14:23:34 jutta auditd[1407]: Started dispatcher: /sbin/audispd pid: 1418 Mar 8 14:23:34 jutta augenrules: /sbin/augenrules: No change Mar 8 14:23:34 jutta audispd: No plugins found, exiting Mar 8 14:23:34 jutta kernel: type=1305 audit(1457468614.668:3): audit_pid=1407 old=0 auid=4294967295 ses=4294967295 res=1 Mar 8 14:23:34 jutta auditd[1407]: Init complete, auditd 2.4.1 listening for events (startup state enable) Mar 8 14:23:34 jutta augenrules: No rules Mar 8 14:23:34 jutta augenrules: enabled 1 Mar 8 14:23:34 jutta augenrules: flag 1 Mar 8 14:23:34 jutta augenrules: pid 1407 Mar 8 14:23:34 jutta augenrules: rate_limit 0 Mar 8 14:23:34 jutta augenrules: backlog_limit 320 Mar 8 14:23:34 jutta augenrules: lost 0 Mar 8 14:23:34 jutta augenrules: backlog 1 Mar 8 14:23:34 jutta systemd: Started Security Auditing Service. Mar 8 14:23:34 jutta systemd: Starting Update UTMP about System Boot/Shutdown... Mar 8 14:23:34 jutta systemd: Started Update UTMP about System Boot/Shutdown. Mar 8 14:23:34 jutta systemd: Reached target System Initialization. Mar 8 14:23:34 jutta systemd: Starting System Initialization. Mar 8 14:23:34 jutta systemd: Listening on D-Bus System Message Bus Socket. Mar 8 14:23:34 jutta systemd: Starting D-Bus System Message Bus Socket. Mar 8 14:23:34 jutta systemd: Reached target Sockets. Mar 8 14:23:34 jutta systemd: Starting Sockets. Mar 8 14:23:34 jutta systemd: Started Flexible branding. Mar 8 14:23:34 jutta systemd: Starting Flexible branding. Mar 8 14:23:34 jutta systemd: Reached target Paths. Mar 8 14:23:34 jutta systemd: Starting Paths. 
Mar 8 14:43:40 jutta systemd: Configuration file /usr/lib/systemd/system/ebtables.service is marked executable. Please remove executable permission bits. Proceeding anyway. Mar 8 14:43:40 jutta yum[11613]: Installed: 1:nfs-utils-1.3.0-0.21.el7_2.x86_64 Mar 8 14:43:40 jutta yum[11613]: Installed: python-netaddr-0.7.5-7.el7.noarch Mar 8 14:43:42 jutta yum[11613]: Installed: libicu-50.1.2-15.el7.x86_64 Mar 8 14:43:42 jutta yum[11613]: Installed: libnl3-3.2.21-10.el7.x86_64 Mar 8 14:43:42 jutta yum[11613]: Installed: libXau-1.0.8-2.1.el7.x86_64 Mar 8 14:43:42 jutta yum[11613]: Installed: libxcb-1.11-4.el7.x86_64 Mar 8 14:43:43 jutta yum[11613]: Installed: libX11-1.6.3-2.el7.x86_64 Mar 8 14:43:43 jutta yum[11613]: Installed: libXext-1.3.3-3.el7.x86_64 Mar 8 14:43:43 jutta yum[11613]: Installed: libXi-1.7.4-2.el7.x86_64 Mar 8 14:43:43 jutta yum[11613]: Installed: libXrender-0.9.8-2.1.el7.x86_64 Mar 8 14:43:44 jutta yum[11613]: Installed: libXft-2.3.2-2.el7.x86_64 Mar 8 14:43:44 jutta yum[11613]: Installed: libXtst-1.2.2-2.1.el7.x86_64 Mar 8 14:43:44 jutta yum[11613]: Installed: python-backports-1.0-8.el7.x86_64 Mar 8 14:43:44 jutta yum[11613]: Installed: python-backports-ssl_match_hostname-3.4.0.2-4.el7.noarch Mar 8 14:43:45 jutta yum[11613]: Installed: python-setuptools-0.9.8-4.el7.noarch Mar 8 14:43:45 jutta yum[11613]: Installed: python-urllib3-1.10.2-2.el7_1.noarch Mar 8 14:43:45 jutta yum[11613]: Installed: python-ply-3.4-10.el7.noarch Mar 8 14:43:45 jutta yum[11613]: Installed: python-pycparser-2.14-1.el7.noarch Mar 8 14:43:46 jutta yum[11613]: Installed: python-cffi-0.8.6-2.el7.x86_64 Mar 8 14:43:46 jutta yum[11613]: Installed: python-cryptography-0.8.2-1.el7.x86_64 Mar 8 14:43:47 jutta yum[11613]: Installed: ipa-python-4.2.0-15.el7_2.6.x86_64 Mar 8 14:43:47 jutta yum[11613]: Installed: c-ares-1.10.0-3.el7.x86_64 Mar 8 14:43:48 jutta systemd: Reloading. 
Mar 8 14:43:48 jutta systemd: Configuration file /usr/lib/systemd/system/auditd.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway. Mar 8 14:43:48 jutta systemd: Configuration file /usr/lib/systemd/system/ebtables.service is marked executable. Please remove executable permission bits. Proceeding anyway. Mar 8 14:43:48 jutta yum[11613]: Installed: sssd-common-1.13.0-40.el7_2.1.x86_64 Mar 8 14:43:48 jutta yum[11613]: Installed: sssd-krb5-common-1.13.0-40.el7_2.1.x86_64 Mar 8 14:43:48 jutta yum[11613]: Installed: sssd-common-pac-1.13.0-40.el7_2.1.x86_64 Mar 8 14:43:49 jutta yum[11613]: Installed: sssd-ipa-1.13.0-40.el7_2.1.x86_64 Mar 8 14:43:49 jutta yum[11613]: Installed: sssd-ad-1.13.0-40.el7_2.1.x86_64 Mar 8 14:43:49 jutta yum[11613]: Installed: sssd-ldap-1.13.0-40.el7_2.1.x86_64 Mar 8 14:43:49 jutta yum[11613]: Installed: sssd-krb5-1.13.0-40.el7_2.1.x86_64 Mar 8 14:43:50 jutta yum[11613]: Installed: sssd-proxy-1.13.0-40.el7_2.1.x86_64 Mar 8 14:43:50 jutta yum[11613]: Installed: sssd-1.13.0-40.el7_2.1.x86_64 Mar 8 14:43:50 jutta yum[11613]: Installed: alsa-lib-1.0.28-2.el7.x86_64 Mar 8 14:43:50 jutta yum[11613]: Installed: python-javapackages-3.4.1-11.el7.noarch Mar 8 14:43:51 jutta yum[11613]: Installed: javapackages-tools-3.4.1-11.el7.noarch Mar 8 14:43:57 jutta yum[11613]: Installed: 1:java-1.8.0-openjdk-headless-1.8.0.71-2.b15.el7_2.x86_64 Mar 8 14:43:59 jutta yum[11613]: Installed: 1:java-1.8.0-ibm-devel-1.8.0.2.10-1jpp.1.el7.x86_64 Mar 8 14:44:13 jutta yum[11613]: Installed: 1:java-1.8.0-ibm-1.8.0.2.10-1jpp.1.el7.x86_64 Mar 8 14:44:13 jutta yum[11613]: Installed: relaxngDatatype-1.0-11.el7.noarch Mar 8 14:44:14 jutta yum[11613]: Installed: xml-commons-apis-1.4.01-16.el7.noarch Mar 8 14:44:14 jutta yum[11613]: Installed: xml-commons-resolver-1.2-15.el7.noarch Mar 8 14:44:14 jutta yum[11613]: Installed: xalan-j2-2.7.1-23.el7.noarch Mar 8 14:44:15 jutta yum[11613]: 
Installed: xerces-j2-2.11.0-17.el7_0.noarch Mar 8 14:44:15 jutta yum[11613]: Installed: tomcat-servlet-3.0-api-7.0.54-2.el7_1.noarch Mar 8 14:44:15 jutta yum[11613]: Installed: apache-commons-codec-1.8-7.el7.noarch Mar 8 14:44:15 jutta yum[11613]: Installed: 1:isorelax-0-0.15.release20050331.el7.noarch Mar 8 14:44:15 jutta yum[11613]: Installed: bea-stax-api-1.2.0-9.el7.noarch Mar 8 14:44:16 jutta yum[11613]: Installed: 1:msv-xsdlib-2013.5.1-6.el7.noarch Mar 8 14:44:16 jutta yum[11613]: Installed: xsom-0-10.20110809svn.el7.noarch Mar 8 14:44:16 jutta yum[11613]: Installed: apache-commons-pool-1.6-9.el7.noarch Mar 8 14:44:16 jutta yum[11613]: Installed: jss-4.2.6-37.el7.x86_64 Mar 8 14:44:17 jutta yum[11613]: Installed: apache-commons-lang-2.6-15.el7.noarch Mar 8 14:44:17 jutta yum[11613]: Installed: apache-commons-collections-3.2.1-22.el7_2.noarch Mar 8 14:44:18 jutta yum[11613]: Installed: stax2-api-3.1.1-10.el7.noarch Mar 8 14:44:18 jutta yum[11613]: Installed: rngom-201103-0.8.20120119svn.el7.noarch Mar 8 14:44:18 jutta systemd: Reloading. Mar 8 14:44:18 jutta systemd: Configuration file /usr/lib/systemd/system/auditd.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway. Mar 8 14:44:18 jutta systemd: Configuration file /usr/lib/systemd/system/ebtables.service is marked executable. Please remove executable permission bits. Proceeding anyway. 
Mar 8 14:44:18 jutta yum[11613]: Installed: 1:hsqldb-1.8.1.3-13.el7.noarch Mar 8 14:44:19 jutta yum[11613]: Installed: ant-1.9.2-9.el7.noarch Mar 8 14:44:19 jutta yum[11613]: Installed: resteasy-base-jaxrs-api-3.0.6-1.el7.noarch Mar 8 14:44:19 jutta yum[11613]: Installed: 1:apache-commons-io-2.4-12.el7.noarch Mar 8 14:44:19 jutta yum[11613]: Installed: geronimo-jms-1.1.1-19.el7.noarch Mar 8 14:44:20 jutta yum[11613]: Installed: javassist-3.16.1-10.el7.noarch Mar 8 14:44:20 jutta yum[11613]: Installed: bea-stax-1.2.0-9.el7.noarch Mar 8 14:44:20 jutta yum[11613]: Installed: jvnet-parent-4-2.el7.noarch Mar 8 14:44:20 jutta yum[11613]: Installed: codemodel-2.6-9.el7.noarch Mar 8 14:44:21 jutta yum[11613]: Installed: istack-commons-2.17-4.el7.noarch Mar 8 14:44:21 jutta yum[11613]: Installed: stax-ex-1.7.1-6.el7.noarch Mar 8 14:44:21 jutta yum[11613]: Installed: scannotation-1.0.3-0.7.r12.el7.noarch Mar 8 14:44:22 jutta yum[11613]: Installed: 1:msv-msv-2013.5.1-6.el7.noarch Mar 8 14:44:22 jutta yum[11613]: Installed: ldapjdk-4.18-14.el7.noarch Mar 8 14:44:22 jutta yum[11613]: Installed: glassfish-fastinfoset-1.2.12-9.el7.noarch Mar 8 14:44:22 jutta yum[11613]: Installed: tomcat-jsp-2.2-api-7.0.54-2.el7_1.noarch Mar 8 14:44:23 jutta yum[11613]: Installed: jing-20091111-14.el7.noarch Mar 8 14:44:23 jutta yum[11613]: Installed: objectweb-asm-3.3.1-9.el7.noarch Mar 8 14:44:23 jutta yum[11613]: Installed: glassfish-dtd-parser-1.2-0.8.20120120svn.el7.noarch Mar 8 14:44:23 jutta yum[11613]: Installed: httpcomponents-core-4.2.4-6.el7.noarch Mar 8 14:44:24 jutta yum[11613]: Installed: regexp-1.5-13.el7.noarch Mar 8 14:44:24 jutta yum[11613]: Installed: bcel-5.2-18.el7.noarch Mar 8 14:44:24 jutta yum[11613]: Installed: joda-convert-1.3-5.el7.noarch Mar 8 14:44:24 jutta yum[11613]: Installed: joda-time-2.2-3.tzdata2013c.el7.noarch Mar 8 14:44:25 jutta yum[11613]: Installed: apache-commons-cli-1.2-13.el7.noarch Mar 8 14:44:25 jutta yum[11613]: Installed: 
geronimo-jta-1.1.1-17.el7.noarch Mar 8 14:44:25 jutta yum[11613]: Installed: apache-commons-dbcp-1.4-17.el7.noarch Mar 8 14:44:25 jutta yum[11613]: Installed: antlr-tool-2.7.7-30.el7.noarch Mar 8 14:44:25 jutta yum[11613]: Installed: args4j-2.0.16-13.el7.noarch Mar 8 14:44:26 jutta yum[11613]: Installed: txw2-20110809-8.el7.noarch Mar 8 14:44:26 jutta yum[11613]: Installed: apache-commons-daemon-1.0.13-6.el7.x86_64 Mar 8 14:44:26 jutta yum[11613]: Installed: easymock2-2.5.2-12.el7.noarch Mar 8 14:44:26 jutta yum[11613]: Installed: qdox-1.12.1-9.el7.noarch Mar 8 14:44:26 jutta yum[11613]: Installed: hamcrest-1.3-6.el7.noarch Mar 8 14:44:27 jutta yum[11613]: Installed: junit-4.11-8.el7.noarch Mar 8 14:44:27 jutta yum[11613]: Installed: xpp3-1.1.3.8-11.el7.noarch Mar 8 14:44:27 jutta yum[11613]: Installed: javamail-1.4.6-8.el7.noarch Mar 8 14:44:27 jutta yum[11613]: Installed: log4j-1.2.17-15.el7.noarch Mar 8 14:44:28 jutta yum[11613]: Installed: avalon-logkit-2.1-14.el7.noarch Mar 8 14:44:29 jutta yum[11613]: Installed: apache-commons-logging-1.1.2-7.el7.noarch Mar 8 14:44:29 jutta yum[11613]: Installed: avalon-framework-4.3-10.el7.noarch Mar 8 14:44:29 jutta yum[11613]: Installed: httpcomponents-client-4.2.5-5.el7_0.noarch Mar 8 14:44:29 jutta yum[11613]: Installed: 1:jakarta-commons-httpclient-3.1-16.el7_0.noarch Mar 8 14:44:30 jutta yum[11613]: Installed: ws-jaxme-0.5.2-10.el7.noarch Mar 8 14:44:30 jutta yum[11613]: Installed: jdom-1.1.3-6.el7.noarch Mar 8 14:44:30 jutta yum[11613]: Installed: jaxen-1.1.3-11.el7.noarch Mar 8 14:44:30 jutta yum[11613]: Installed: dom4j-1.6.1-20.el7.noarch Mar 8 14:44:30 jutta yum[11613]: Installed: glassfish-jaxb-api-2.2.7-4.el7.noarch Mar 8 14:44:31 jutta yum[11613]: Installed: glassfish-jaxb-2.2.5-6.el7.noarch Mar 8 14:44:31 jutta yum[11613]: Installed: resteasy-base-jaxb-provider-3.0.6-1.el7.noarch Mar 8 14:44:31 jutta yum[11613]: Installed: jboss-annotations-1.1-api-1.0.1-0.6.20120212git76e1a2.el7.noarch Mar 8 14:44:31 jutta 
yum[11613]: Installed: resteasy-base-jaxrs-3.0.6-1.el7.noarch Mar 8 14:44:32 jutta yum[11613]: Installed: resteasy-base-client-3.0.6-1.el7.noarch Mar 8 14:44:32 jutta yum[11613]: Installed: resteasy-base-atom-provider-3.0.6-1.el7.noarch Mar 8 14:44:32 jutta yum[11613]: Installed: jsr-311-1.1.1-6.el7.noarch Mar 8 14:44:32 jutta yum[11613]: Installed: jackson-1.9.4-7.el7.noarch Mar 8 14:44:32 jutta yum[11613]: Installed: resteasy-base-jackson-provider-3.0.6-1.el7.noarch Mar 8 14:44:33 jutta yum[11613]: Installed: nuxwdog-client-java-1.0.3-4.el7_2.x86_64 Mar 8 14:44:33 jutta yum[11613]: Installed: tomcat-el-2.2-api-7.0.54-2.el7_1.noarch Mar 8 14:44:34 jutta yum[11613]: Installed: 1:ecj-4.2.1-8.el7.x86_64 Mar 8 14:44:34 jutta yum[11613]: Installed: tomcat-lib-7.0.54-2.el7_1.noarch Mar 8 14:44:35 jutta systemd: Reloading. Mar 8 14:44:35 jutta systemd: Configuration file /usr/lib/systemd/system/auditd.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway. Mar 8 14:44:35 jutta systemd: Configuration file /usr/lib/systemd/system/ebtables.service is marked executable. Please remove executable permission bits. Proceeding anyway. 
Mar 8 14:44:35 jutta yum[11613]: Installed: tomcat-7.0.54-2.el7_1.noarch Mar 8 14:44:35 jutta yum[11613]: Installed: tomcatjss-7.1.2-1.el7.noarch Mar 8 14:44:35 jutta yum[11613]: Installed: jakarta-oro-2.0.8-16.el7.noarch Mar 8 14:44:35 jutta yum[11613]: Installed: velocity-1.7-10.el7.noarch Mar 8 14:44:36 jutta yum[11613]: Installed: setools-libs-3.3.7-46.el7.x86_64 Mar 8 14:44:36 jutta dbus[1459]: [system] Reloaded configuration Mar 8 14:44:36 jutta dbus-daemon: dbus[1459]: [system] Reloaded configuration Mar 8 14:44:36 jutta dbus[1459]: [system] Reloaded configuration Mar 8 14:44:36 jutta dbus-daemon: dbus[1459]: [system] Reloaded configuration Mar 8 14:44:36 jutta yum[11613]: Installed: policycoreutils-python-2.2.5-20.el7.x86_64 Mar 8 14:44:37 jutta systemd: Reloading. Mar 8 14:44:37 jutta systemd: Configuration file /usr/lib/systemd/system/auditd.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway. Mar 8 14:44:37 jutta systemd: Configuration file /usr/lib/systemd/system/ebtables.service is marked executable. Please remove executable permission bits. Proceeding anyway. Mar 8 14:44:37 jutta systemd: Reloading. Mar 8 14:44:37 jutta systemd: Configuration file /usr/lib/systemd/system/auditd.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway. Mar 8 14:44:37 jutta systemd: Configuration file /usr/lib/systemd/system/ebtables.service is marked executable. Please remove executable permission bits. Proceeding anyway. Mar 8 14:44:37 jutta yum[11613]: Installed: 389-ds-base-1.3.4.0-26.el7_2.x86_64 Mar 8 14:44:37 jutta yum[11613]: Installed: words-3.0-22.el7.noarch Mar 8 14:44:38 jutta systemd: Reloading. Mar 8 14:44:38 jutta systemd: Configuration file /usr/lib/systemd/system/auditd.service is marked world-inaccessible. 
This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway. Mar 8 14:44:38 jutta systemd: Configuration file /usr/lib/systemd/system/ebtables.service is marked executable. Please remove executable permission bits. Proceeding anyway. Mar 8 14:44:38 jutta yum[11613]: Installed: krb5-server-1.13.2-10.el7.x86_64 Mar 8 14:44:38 jutta yum[11613]: Installed: python-chardet-2.2.1-1.el7_1.noarch Mar 8 14:44:39 jutta yum[11613]: Installed: python-requests-2.6.0-1.el7_1.noarch Mar 8 14:44:39 jutta yum[11613]: Installed: pki-base-10.2.5-6.el7.noarch Mar 8 14:44:39 jutta yum[11613]: Installed: pki-tools-10.2.5-6.el7.x86_64 Mar 8 14:44:41 jutta systemd: Reloading. Mar 8 14:44:41 jutta systemd: Configuration file /usr/lib/systemd/system/auditd.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway. Mar 8 14:44:41 jutta systemd: Configuration file /usr/lib/systemd/system/ebtables.service is marked executable. Please remove executable permission bits. Proceeding anyway. Mar 8 14:44:41 jutta yum[11613]: Installed: pki-server-10.2.5-6.el7.noarch Mar 8 14:44:41 jutta yum[11613]: Installed: pki-ca-10.2.5-6.el7.noarch Mar 8 14:44:41 jutta yum[11613]: Installed: pki-kra-10.2.5-6.el7.noarch Mar 8 14:44:42 jutta yum[11613]: Installed: hesiod-3.2.1-3.el7.x86_64 Mar 8 14:44:42 jutta systemd: Reloading. Mar 8 14:44:42 jutta systemd: Configuration file /usr/lib/systemd/system/auditd.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway. Mar 8 14:44:42 jutta systemd: Configuration file /usr/lib/systemd/system/ebtables.service is marked executable. Please remove executable permission bits. Proceeding anyway. 
Mar 8 14:44:42 jutta yum[11613]: Installed: 1:autofs-5.0.7-54.el7.x86_64 Mar 8 14:44:42 jutta yum[11613]: Installed: ipa-client-4.2.0-15.el7_2.6.x86_64 Mar 8 14:44:43 jutta yum[11613]: Installed: ipa-admintools-4.2.0-15.el7_2.6.x86_64 Mar 8 14:44:44 jutta systemd: Reloading. Mar 8 14:44:44 jutta systemd: Configuration file /usr/lib/systemd/system/auditd.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway. Mar 8 14:44:44 jutta systemd: Configuration file /usr/lib/systemd/system/ebtables.service is marked executable. Please remove executable permission bits. Proceeding anyway. Mar 8 14:44:44 jutta yum[11613]: Installed: ipa-server-4.2.0-15.el7_2.6.x86_64 Mar 8 14:44:44 jutta yum[11613]: Installed: redhat-access-plugin-ipa-0.9.1-2.el7.noarch Mar 8 14:44:44 jutta systemd: Reloading. Mar 8 14:44:44 jutta systemd: Configuration file /usr/lib/systemd/system/auditd.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway. Mar 8 14:44:44 jutta systemd: Configuration file /usr/lib/systemd/system/ebtables.service is marked executable. Please remove executable permission bits. Proceeding anyway. Mar 8 14:47:10 jutta systemd-udevd: Network interface NamePolicy= disabled on kernel command line, ignoring. Mar 8 14:50:01 jutta systemd: Created slice user-0.slice. Mar 8 14:50:01 jutta systemd: Starting user-0.slice. Mar 8 14:50:01 jutta systemd: Started Session 5 of user root. Mar 8 14:50:01 jutta systemd: Starting Session 5 of user root. Mar 8 14:50:01 jutta systemd: Removed slice user-0.slice. Mar 8 14:50:01 jutta systemd: Stopping user-0.slice. Mar 8 15:00:01 jutta systemd: Created slice user-0.slice. Mar 8 15:00:01 jutta systemd: Starting user-0.slice. Mar 8 15:00:01 jutta systemd: Started Session 6 of user root. Mar 8 15:00:01 jutta systemd: Starting Session 6 of user root. 
Mar 8 21:20:01 jutta systemd: Starting Session 51 of user root. Mar 8 21:20:01 jutta systemd: Removed slice user-0.slice. Mar 8 21:20:01 jutta systemd: Stopping user-0.slice. Mar 8 21:30:01 jutta systemd: Created slice user-0.slice. Mar 8 21:30:01 jutta systemd: Starting user-0.slice. Mar 8 21:30:01 jutta systemd: Started Session 52 of user root. Mar 8 21:30:01 jutta systemd: Starting Session 52 of user root. Mar 8 21:30:01 jutta systemd: Removed slice user-0.slice. Mar 8 21:30:01 jutta systemd: Stopping user-0.slice. Mar 8 21:40:01 jutta systemd: Created slice user-0.slice. Mar 8 21:40:01 jutta systemd: Starting user-0.slice. Mar 8 21:40:01 jutta systemd: Started Session 53 of user root. Mar 8 21:40:01 jutta systemd: Starting Session 53 of user root. Mar 8 21:40:01 jutta systemd: Removed slice user-0.slice. Mar 8 21:40:01 jutta systemd: Stopping user-0.slice. Mar 8 21:50:01 jutta systemd: Created slice user-0.slice. Mar 8 21:50:01 jutta systemd: Starting user-0.slice. Mar 8 21:50:01 jutta systemd: Started Session 54 of user root. Mar 8 21:50:01 jutta systemd: Starting Session 54 of user root. Mar 8 21:50:02 jutta systemd: Removed slice user-0.slice. Mar 8 21:50:02 jutta systemd: Stopping user-0.slice. Mar 8 22:00:01 jutta systemd: Created slice user-0.slice. Mar 8 22:00:01 jutta systemd: Starting user-0.slice. Mar 8 22:00:01 jutta systemd: Started Session 55 of user root. Mar 8 22:00:01 jutta systemd: Starting Session 55 of user root. Mar 8 22:00:01 jutta systemd: Removed slice user-0.slice. Mar 8 22:00:01 jutta systemd: Stopping user-0.slice. Mar 8 22:01:01 jutta systemd: Created slice user-0.slice. Mar 8 22:01:01 jutta systemd: Starting user-0.slice. Mar 8 22:01:01 jutta systemd: Started Session 56 of user root. Mar 8 22:01:01 jutta systemd: Starting Session 56 of user root. Mar 8 22:01:01 jutta systemd: Removed slice user-0.slice. Mar 8 22:01:01 jutta systemd: Stopping user-0.slice. Mar 8 22:10:01 jutta systemd: Created slice user-0.slice. 
Mar 8 22:10:01 jutta systemd: Starting user-0.slice. Mar 8 22:10:01 jutta systemd: Started Session 57 of user root. Mar 8 22:10:01 jutta systemd: Starting Session 57 of user root. Mar 8 22:10:01 jutta systemd: Removed slice user-0.slice. Mar 8 22:10:01 jutta systemd: Stopping user-0.slice. Mar 8 22:20:01 jutta systemd: Created slice user-0.slice. Mar 8 22:20:01 jutta systemd: Starting user-0.slice. Mar 8 22:20:01 jutta systemd: Started Session 58 of user root. Mar 8 22:20:01 jutta systemd: Starting Session 58 of user root. Mar 8 22:20:01 jutta systemd: Removed slice user-0.slice. Mar 8 22:20:01 jutta systemd: Stopping user-0.slice. Mar 8 22:30:01 jutta systemd: Created slice user-0.slice. Mar 8 22:30:01 jutta systemd: Starting user-0.slice. Mar 8 22:30:01 jutta systemd: Started Session 59 of user root. Mar 8 22:30:01 jutta systemd: Starting Session 59 of user root. Mar 8 22:30:01 jutta systemd: Removed slice user-0.slice. Mar 8 22:30:01 jutta systemd: Stopping user-0.slice. Mar 8 22:40:01 jutta systemd: Created slice user-0.slice. Mar 8 22:40:01 jutta systemd: Starting user-0.slice. Mar 8 22:40:01 jutta systemd: Started Session 60 of user root. Mar 8 22:40:01 jutta systemd: Starting Session 60 of user root. Mar 8 22:40:01 jutta systemd: Removed slice user-0.slice. Mar 8 22:40:01 jutta systemd: Stopping user-0.slice. Mar 8 22:50:01 jutta systemd: Created slice user-0.slice. Mar 8 22:50:01 jutta systemd: Starting user-0.slice. Mar 8 22:50:01 jutta systemd: Started Session 61 of user root. Mar 8 22:50:01 jutta systemd: Starting Session 61 of user root. Mar 8 22:50:01 jutta systemd: Removed slice user-0.slice. Mar 8 22:50:01 jutta systemd: Stopping user-0.slice. Mar 8 23:00:01 jutta systemd: Created slice user-0.slice. Mar 8 23:00:01 jutta systemd: Starting user-0.slice. Mar 8 23:00:01 jutta systemd: Started Session 62 of user root. Mar 8 23:00:01 jutta systemd: Starting Session 62 of user root. Mar 8 23:00:01 jutta systemd: Removed slice user-0.slice. 
Mar 8 23:00:01 jutta systemd: Stopping user-0.slice. Mar 8 23:01:01 jutta systemd: Created slice user-0.slice. Mar 8 23:01:01 jutta systemd: Starting user-0.slice. Mar 8 23:01:01 jutta systemd: Started Session 63 of user root. Mar 8 23:01:01 jutta systemd: Starting Session 63 of user root. Mar 8 23:01:01 jutta systemd: Removed slice user-0.slice. Mar 8 23:01:01 jutta systemd: Stopping user-0.slice. Mar 8 23:10:01 jutta systemd: Created slice user-0.slice. Mar 8 23:10:01 jutta systemd: Starting user-0.slice. Mar 8 23:10:01 jutta systemd: Started Session 64 of user root. Mar 8 23:10:01 jutta systemd: Starting Session 64 of user root. Mar 8 23:10:01 jutta systemd: Removed slice user-0.slice. Mar 8 23:10:01 jutta systemd: Stopping user-0.slice. Mar 8 23:20:01 jutta systemd: Created slice user-0.slice. Mar 8 23:20:01 jutta systemd: Starting user-0.slice. Mar 8 23:20:01 jutta systemd: Started Session 65 of user root. Mar 8 23:20:01 jutta systemd: Starting Session 65 of user root. Mar 8 23:20:01 jutta systemd: Removed slice user-0.slice. Mar 8 23:20:01 jutta systemd: Stopping user-0.slice. Mar 8 23:30:01 jutta systemd: Created slice user-0.slice. Mar 8 23:30:01 jutta systemd: Starting user-0.slice. Mar 8 23:30:01 jutta systemd: Started Session 66 of user root. Mar 8 23:30:01 jutta systemd: Starting Session 66 of user root. Mar 8 23:30:01 jutta systemd: Removed slice user-0.slice. Mar 8 23:30:01 jutta systemd: Stopping user-0.slice. Mar 8 23:40:01 jutta systemd: Created slice user-0.slice. Mar 8 23:40:01 jutta systemd: Starting user-0.slice. Mar 8 23:40:01 jutta systemd: Started Session 67 of user root. Mar 8 23:40:01 jutta systemd: Starting Session 67 of user root. Mar 8 23:40:01 jutta systemd: Removed slice user-0.slice. Mar 8 23:40:01 jutta systemd: Stopping user-0.slice. Mar 8 23:50:01 jutta systemd: Created slice user-0.slice. Mar 8 23:50:01 jutta systemd: Starting user-0.slice. Mar 8 23:50:01 jutta systemd: Started Session 68 of user root. 
Mar 8 23:50:01 jutta systemd: Starting Session 68 of user root. Mar 8 23:50:01 jutta systemd: Removed slice user-0.slice. Mar 8 23:50:01 jutta systemd: Stopping user-0.slice. Mar 8 23:53:01 jutta systemd: Created slice user-0.slice. Mar 8 23:53:01 jutta systemd: Starting user-0.slice. Mar 8 23:53:01 jutta systemd: Started Session 69 of user root. Mar 8 23:53:01 jutta systemd: Starting Session 69 of user root. Mar 8 23:53:01 jutta systemd: Removed slice user-0.slice. Mar 8 23:53:01 jutta systemd: Stopping user-0.slice. Mar 9 00:00:01 jutta systemd: Created slice user-0.slice. Mar 9 00:00:01 jutta systemd: Starting user-0.slice. Mar 9 00:00:01 jutta systemd: Started Session 70 of user root. Mar 9 00:00:01 jutta systemd: Starting Session 70 of user root. Mar 9 00:00:01 jutta systemd: Removed slice user-0.slice. Mar 9 00:00:01 jutta systemd: Stopping user-0.slice. Mar 9 00:01:01 jutta systemd: Created slice user-0.slice. Mar 9 00:01:01 jutta systemd: Starting user-0.slice. Mar 9 00:01:01 jutta systemd: Started Session 71 of user root. Mar 9 00:01:01 jutta systemd: Starting Session 71 of user root. Mar 9 00:01:01 jutta systemd: Removed slice user-0.slice. Mar 9 00:01:01 jutta systemd: Stopping user-0.slice. Mar 9 00:10:01 jutta systemd: Created slice user-0.slice. Mar 9 00:10:01 jutta systemd: Starting user-0.slice. Mar 9 00:10:01 jutta systemd: Started Session 72 of user root. Mar 9 00:10:01 jutta systemd: Starting Session 72 of user root. Mar 9 00:10:01 jutta systemd: Removed slice user-0.slice. Mar 9 00:10:01 jutta systemd: Stopping user-0.slice. Mar 9 00:20:01 jutta systemd: Created slice user-0.slice. Mar 9 00:20:01 jutta systemd: Starting user-0.slice. Mar 9 00:20:01 jutta systemd: Started Session 73 of user root. Mar 9 00:20:01 jutta systemd: Starting Session 73 of user root. Mar 9 00:20:01 jutta systemd: Removed slice user-0.slice. Mar 9 00:20:01 jutta systemd: Stopping user-0.slice. Mar 9 00:30:01 jutta systemd: Created slice user-0.slice. 
Mar 9 00:30:01 jutta systemd: Starting user-0.slice. Mar 9 00:30:01 jutta systemd: Started Session 74 of user root. Mar 9 00:30:01 jutta systemd: Starting Session 74 of user root. Mar 9 00:30:01 jutta systemd: Removed slice user-0.slice. Mar 9 00:30:01 jutta systemd: Stopping user-0.slice. Mar 9 00:40:01 jutta systemd: Created slice user-0.slice. Mar 9 00:40:01 jutta systemd: Starting user-0.slice. Mar 9 00:40:01 jutta systemd: Started Session 75 of user root. Mar 9 00:40:01 jutta systemd: Starting Session 75 of user root. Mar 9 00:40:01 jutta systemd: Removed slice user-0.slice. Mar 9 00:40:01 jutta systemd: Stopping user-0.slice. Mar 9 00:50:01 jutta systemd: Created slice user-0.slice. Mar 9 00:50:01 jutta systemd: Starting user-0.slice. Mar 9 00:50:01 jutta systemd: Started Session 76 of user root. Mar 9 00:50:01 jutta systemd: Starting Session 76 of user root. Mar 9 00:50:01 jutta systemd: Removed slice user-0.slice. Mar 9 00:50:01 jutta systemd: Stopping user-0.slice. Mar 9 01:00:01 jutta systemd: Created slice user-0.slice. Mar 9 01:00:01 jutta systemd: Starting user-0.slice. Mar 9 01:00:01 jutta systemd: Started Session 77 of user root. Mar 9 01:00:01 jutta systemd: Starting Session 77 of user root. Mar 9 01:00:01 jutta systemd: Removed slice user-0.slice. Mar 9 01:00:01 jutta systemd: Stopping user-0.slice. Mar 9 01:01:01 jutta systemd: Created slice user-0.slice. Mar 9 01:01:01 jutta systemd: Starting user-0.slice. Mar 9 01:01:01 jutta systemd: Started Session 78 of user root. Mar 9 01:01:01 jutta systemd: Starting Session 78 of user root. Mar 9 01:01:01 jutta systemd: Removed slice user-0.slice. Mar 9 01:01:01 jutta systemd: Stopping user-0.slice. Mar 9 01:10:01 jutta systemd: Created slice user-0.slice. Mar 9 01:10:01 jutta systemd: Starting user-0.slice. Mar 9 01:10:01 jutta systemd: Started Session 79 of user root. Mar 9 01:10:01 jutta systemd: Starting Session 79 of user root. Mar 9 01:10:01 jutta systemd: Removed slice user-0.slice. 
Mar 9 01:10:01 jutta systemd: Stopping user-0.slice. Mar 9 01:20:01 jutta systemd: Created slice user-0.slice. Mar 9 01:20:01 jutta systemd: Starting user-0.slice. Mar 9 01:20:01 jutta systemd: Started Session 80 of user root. Mar 9 01:20:01 jutta systemd: Starting Session 80 of user root. Mar 9 01:20:01 jutta systemd: Removed slice user-0.slice. Mar 9 01:20:01 jutta systemd: Stopping user-0.slice. Mar 9 01:30:01 jutta systemd: Created slice user-0.slice. Mar 9 01:30:01 jutta systemd: Starting user-0.slice. Mar 9 01:30:01 jutta systemd: Started Session 81 of user root. Mar 9 01:30:01 jutta systemd: Starting Session 81 of user root. Mar 9 01:30:01 jutta systemd: Removed slice user-0.slice. Mar 9 01:30:01 jutta systemd: Stopping user-0.slice. Mar 9 01:40:01 jutta systemd: Created slice user-0.slice. Mar 9 01:40:01 jutta systemd: Starting user-0.slice. Mar 9 01:40:01 jutta systemd: Started Session 82 of user root. Mar 9 01:40:01 jutta systemd: Starting Session 82 of user root. Mar 9 01:40:01 jutta systemd: Removed slice user-0.slice. Mar 9 01:40:01 jutta systemd: Stopping user-0.slice. Mar 9 01:50:01 jutta systemd: Created slice user-0.slice. Mar 9 01:50:01 jutta systemd: Starting user-0.slice. Mar 9 01:50:01 jutta systemd: Started Session 83 of user root. Mar 9 01:50:01 jutta systemd: Starting Session 83 of user root. Mar 9 01:50:02 jutta systemd: Removed slice user-0.slice. Mar 9 01:50:02 jutta systemd: Stopping user-0.slice. Mar 9 02:00:01 jutta systemd: Created slice user-0.slice. Mar 9 02:00:01 jutta systemd: Starting user-0.slice. Mar 9 02:00:01 jutta systemd: Started Session 84 of user root. Mar 9 02:00:01 jutta systemd: Starting Session 84 of user root. Mar 9 02:00:01 jutta systemd: Removed slice user-0.slice. Mar 9 02:00:01 jutta systemd: Stopping user-0.slice. Mar 9 02:01:01 jutta systemd: Created slice user-0.slice. Mar 9 02:01:01 jutta systemd: Starting user-0.slice. Mar 9 02:01:01 jutta systemd: Started Session 85 of user root. 
Mar 9 02:01:01 jutta systemd: Starting Session 85 of user root. Mar 9 02:01:01 jutta systemd: Removed slice user-0.slice. Mar 9 02:01:01 jutta systemd: Stopping user-0.slice. Mar 9 02:10:01 jutta systemd: Created slice user-0.slice. Mar 9 02:10:01 jutta systemd: Starting user-0.slice. Mar 9 02:10:01 jutta systemd: Started Session 86 of user root. Mar 9 02:10:01 jutta systemd: Starting Session 86 of user root. Mar 9 02:10:01 jutta systemd: Removed slice user-0.slice. Mar 9 02:10:01 jutta systemd: Stopping user-0.slice. Mar 9 02:20:01 jutta systemd: Created slice user-0.slice. Mar 9 02:20:01 jutta systemd: Starting user-0.slice. Mar 9 02:20:01 jutta systemd: Started Session 87 of user root. Mar 9 02:20:01 jutta systemd: Starting Session 87 of user root. Mar 9 02:20:01 jutta systemd: Removed slice user-0.slice. Mar 9 02:20:01 jutta systemd: Stopping user-0.slice. Mar 9 02:30:01 jutta systemd: Created slice user-0.slice. Mar 9 02:30:01 jutta systemd: Starting user-0.slice. Mar 9 02:30:01 jutta systemd: Started Session 88 of user root. Mar 9 02:30:01 jutta systemd: Starting Session 88 of user root. Mar 9 02:30:01 jutta systemd: Removed slice user-0.slice. Mar 9 02:30:01 jutta systemd: Stopping user-0.slice. Mar 9 02:40:01 jutta systemd: Created slice user-0.slice. Mar 9 02:40:01 jutta systemd: Starting user-0.slice. Mar 9 02:40:01 jutta systemd: Started Session 89 of user root. Mar 9 02:40:01 jutta systemd: Starting Session 89 of user root. Mar 9 02:40:01 jutta systemd: Removed slice user-0.slice. Mar 9 02:40:01 jutta systemd: Stopping user-0.slice. Mar 9 02:50:01 jutta systemd: Created slice user-0.slice. Mar 9 02:50:01 jutta systemd: Starting user-0.slice. Mar 9 02:50:01 jutta systemd: Started Session 90 of user root. Mar 9 02:50:01 jutta systemd: Starting Session 90 of user root. Mar 9 02:50:01 jutta systemd: Removed slice user-0.slice. Mar 9 02:50:01 jutta systemd: Stopping user-0.slice. Mar 9 03:00:01 jutta systemd: Created slice user-0.slice. 
Mar 9 03:00:01 jutta systemd: Starting user-0.slice. Mar 9 03:00:01 jutta systemd: Started Session 91 of user root. Mar 9 03:00:01 jutta systemd: Starting Session 91 of user root. Mar 9 03:00:01 jutta systemd: Removed slice user-0.slice. Mar 9 03:00:01 jutta systemd: Stopping user-0.slice. Mar 9 03:01:01 jutta systemd: Created slice user-0.slice. Mar 9 03:01:01 jutta systemd: Starting user-0.slice. Mar 9 03:01:01 jutta systemd: Started Session 92 of user root. Mar 9 03:01:01 jutta systemd: Starting Session 92 of user root. Mar 9 03:10:01 jutta systemd: Started Session 93 of user root. Mar 9 03:10:01 jutta systemd: Starting Session 93 of user root. Mar 9 03:20:01 jutta systemd: Started Session 94 of user root. Mar 9 03:20:01 jutta systemd: Starting Session 94 of user root. Mar 9 03:30:01 jutta systemd: Started Session 95 of user root. Mar 9 03:30:01 jutta systemd: Starting Session 95 of user root. Mar 9 03:31:07 jutta rhsmd: This system is registered to RHN Classic. Mar 9 03:31:07 jutta systemd: Removed slice user-0.slice. Mar 9 03:31:07 jutta systemd: Stopping user-0.slice. Mar 9 03:40:01 jutta systemd: Created slice user-0.slice. Mar 9 03:40:01 jutta systemd: Starting user-0.slice. Mar 9 03:40:01 jutta systemd: Started Session 96 of user root. Mar 9 03:40:01 jutta systemd: Starting Session 96 of user root. Mar 9 03:40:01 jutta systemd: Removed slice user-0.slice. Mar 9 03:40:01 jutta systemd: Stopping user-0.slice. Mar 9 03:50:01 jutta systemd: Created slice user-0.slice. Mar 9 03:50:01 jutta systemd: Starting user-0.slice. Mar 9 03:50:01 jutta systemd: Started Session 97 of user root. Mar 9 03:50:01 jutta systemd: Starting Session 97 of user root. Mar 9 03:50:01 jutta systemd: Removed slice user-0.slice. Mar 9 03:50:01 jutta systemd: Stopping user-0.slice. Mar 9 04:00:01 jutta systemd: Created slice user-0.slice. Mar 9 04:00:01 jutta systemd: Starting user-0.slice. Mar 9 04:00:01 jutta systemd: Started Session 98 of user root. 
Mar 9 04:00:01 jutta systemd: Starting Session 98 of user root. Mar 9 04:00:01 jutta systemd: Removed slice user-0.slice. Mar 9 04:00:01 jutta systemd: Stopping user-0.slice. Mar 9 04:01:01 jutta systemd: Created slice user-0.slice. Mar 9 04:01:01 jutta systemd: Starting user-0.slice. Mar 9 04:01:01 jutta systemd: Started Session 99 of user root. Mar 9 04:01:01 jutta systemd: Starting Session 99 of user root. Mar 9 04:01:01 jutta systemd: Removed slice user-0.slice. Mar 9 04:01:01 jutta systemd: Stopping user-0.slice. Mar 9 04:10:01 jutta systemd: Created slice user-0.slice. Mar 9 04:10:01 jutta systemd: Starting user-0.slice. Mar 9 04:10:01 jutta systemd: Started Session 100 of user root. Mar 9 04:10:01 jutta systemd: Starting Session 100 of user root. Mar 9 04:10:01 jutta systemd: Removed slice user-0.slice. Mar 9 04:10:01 jutta systemd: Stopping user-0.slice. Mar 9 04:20:01 jutta systemd: Created slice user-0.slice. Mar 9 04:20:01 jutta systemd: Starting user-0.slice. Mar 9 04:20:01 jutta systemd: Started Session 101 of user root. Mar 9 04:20:01 jutta systemd: Starting Session 101 of user root. Mar 9 04:20:01 jutta systemd: Removed slice user-0.slice. Mar 9 04:20:01 jutta systemd: Stopping user-0.slice. Mar 9 04:30:01 jutta systemd: Created slice user-0.slice. Mar 9 04:30:01 jutta systemd: Starting user-0.slice. Mar 9 04:30:01 jutta systemd: Started Session 102 of user root. Mar 9 04:30:01 jutta systemd: Starting Session 102 of user root. Mar 9 04:30:01 jutta systemd: Removed slice user-0.slice. Mar 9 04:30:01 jutta systemd: Stopping user-0.slice. Mar 9 04:40:01 jutta systemd: Created slice user-0.slice. Mar 9 04:40:01 jutta systemd: Starting user-0.slice. Mar 9 04:40:01 jutta systemd: Started Session 103 of user root. Mar 9 04:40:01 jutta systemd: Starting Session 103 of user root. Mar 9 04:40:01 jutta systemd: Removed slice user-0.slice. Mar 9 04:40:01 jutta systemd: Stopping user-0.slice. Mar 9 04:50:01 jutta systemd: Created slice user-0.slice. 
Mar 9 04:50:01 jutta systemd: Starting user-0.slice. Mar 9 04:50:01 jutta systemd: Started Session 104 of user root. Mar 9 04:50:01 jutta systemd: Starting Session 104 of user root. Mar 9 04:50:01 jutta systemd: Removed slice user-0.slice. Mar 9 04:50:01 jutta systemd: Stopping user-0.slice. Mar 9 05:00:01 jutta systemd: Created slice user-0.slice. Mar 9 05:00:01 jutta systemd: Starting user-0.slice. Mar 9 05:00:01 jutta systemd: Started Session 105 of user root. Mar 9 05:00:01 jutta systemd: Starting Session 105 of user root. Mar 9 05:00:01 jutta systemd: Removed slice user-0.slice. Mar 9 05:00:01 jutta systemd: Stopping user-0.slice. Mar 9 05:01:01 jutta systemd: Created slice user-0.slice. Mar 9 05:01:01 jutta systemd: Starting user-0.slice. Mar 9 05:01:01 jutta systemd: Started Session 106 of user root. Mar 9 05:01:01 jutta systemd: Starting Session 106 of user root. Mar 9 05:01:01 jutta systemd: Removed slice user-0.slice. Mar 9 05:01:01 jutta systemd: Stopping user-0.slice. Mar 9 05:10:01 jutta systemd: Created slice user-0.slice. Mar 9 05:10:01 jutta systemd: Starting user-0.slice. Mar 9 05:10:01 jutta systemd: Started Session 107 of user root. Mar 9 05:10:01 jutta systemd: Starting Session 107 of user root. Mar 9 05:10:01 jutta systemd: Removed slice user-0.slice. Mar 9 05:10:01 jutta systemd: Stopping user-0.slice. Mar 9 05:20:01 jutta systemd: Created slice user-0.slice. Mar 9 05:20:01 jutta systemd: Starting user-0.slice. Mar 9 05:20:01 jutta systemd: Started Session 108 of user root. Mar 9 05:20:01 jutta systemd: Starting Session 108 of user root. Mar 9 05:20:01 jutta systemd: Removed slice user-0.slice. Mar 9 05:20:01 jutta systemd: Stopping user-0.slice. Mar 9 05:30:01 jutta systemd: Created slice user-0.slice. Mar 9 05:30:01 jutta systemd: Starting user-0.slice. Mar 9 05:30:01 jutta systemd: Started Session 109 of user root. Mar 9 05:30:01 jutta systemd: Starting Session 109 of user root. Mar 9 05:30:01 jutta systemd: Removed slice user-0.slice. 
Mar 9 05:30:01 jutta systemd: Stopping user-0.slice. Mar 9 05:40:01 jutta systemd: Created slice user-0.slice. Mar 9 05:40:01 jutta systemd: Starting user-0.slice. Mar 9 05:40:01 jutta systemd: Started Session 110 of user root. Mar 9 05:40:01 jutta systemd: Starting Session 110 of user root. Mar 9 05:40:01 jutta systemd: Removed slice user-0.slice. Mar 9 05:40:01 jutta systemd: Stopping user-0.slice. Mar 9 05:50:01 jutta systemd: Created slice user-0.slice. Mar 9 05:50:01 jutta systemd: Starting user-0.slice. Mar 9 05:50:01 jutta systemd: Started Session 111 of user root. Mar 9 05:50:01 jutta systemd: Starting Session 111 of user root. Mar 9 05:50:01 jutta systemd: Removed slice user-0.slice. Mar 9 05:50:01 jutta systemd: Stopping user-0.slice. Mar 9 06:00:01 jutta systemd: Created slice user-0.slice. Mar 9 06:00:01 jutta systemd: Starting user-0.slice. Mar 9 06:00:01 jutta systemd: Started Session 112 of user root. Mar 9 06:00:01 jutta systemd: Starting Session 112 of user root. Mar 9 06:00:01 jutta systemd: Removed slice user-0.slice. Mar 9 06:00:01 jutta systemd: Stopping user-0.slice. Mar 9 06:01:01 jutta systemd: Created slice user-0.slice. Mar 9 06:01:01 jutta systemd: Starting user-0.slice. Mar 9 06:01:01 jutta systemd: Started Session 113 of user root. Mar 9 06:01:01 jutta systemd: Starting Session 113 of user root. Mar 9 06:01:01 jutta systemd: Removed slice user-0.slice. Mar 9 06:01:01 jutta systemd: Stopping user-0.slice. Mar 9 06:10:01 jutta systemd: Created slice user-0.slice. Mar 9 06:10:01 jutta systemd: Starting user-0.slice. Mar 9 06:10:01 jutta systemd: Started Session 114 of user root. Mar 9 06:10:01 jutta systemd: Starting Session 114 of user root. Mar 9 06:10:01 jutta systemd: Removed slice user-0.slice. Mar 9 06:10:01 jutta systemd: Stopping user-0.slice. Mar 9 06:20:02 jutta systemd: Created slice user-0.slice. Mar 9 06:20:02 jutta systemd: Starting user-0.slice. Mar 9 06:20:02 jutta systemd: Started Session 115 of user root. 
Mar 9 06:20:02 jutta systemd: Starting Session 115 of user root. Mar 9 06:20:02 jutta systemd: Removed slice user-0.slice. Mar 9 06:20:02 jutta systemd: Stopping user-0.slice. Mar 9 06:30:01 jutta systemd: Created slice user-0.slice. Mar 9 06:30:01 jutta systemd: Starting user-0.slice. Mar 9 06:30:01 jutta systemd: Started Session 116 of user root. Mar 9 06:30:01 jutta systemd: Starting Session 116 of user root. Mar 9 06:30:01 jutta systemd: Removed slice user-0.slice. Mar 9 06:30:01 jutta systemd: Stopping user-0.slice. Mar 9 06:40:01 jutta systemd: Created slice user-0.slice. Mar 9 06:40:01 jutta systemd: Starting user-0.slice. Mar 9 06:40:01 jutta systemd: Started Session 117 of user root. Mar 9 06:40:01 jutta systemd: Starting Session 117 of user root. Mar 9 06:40:01 jutta systemd: Removed slice user-0.slice. Mar 9 06:40:01 jutta systemd: Stopping user-0.slice. Mar 9 06:50:01 jutta systemd: Created slice user-0.slice. Mar 9 06:50:01 jutta systemd: Starting user-0.slice. Mar 9 06:50:01 jutta systemd: Started Session 118 of user root. Mar 9 06:50:01 jutta systemd: Starting Session 118 of user root. Mar 9 06:50:01 jutta systemd: Removed slice user-0.slice. Mar 9 06:50:01 jutta systemd: Stopping user-0.slice. Mar 9 07:00:01 jutta systemd: Created slice user-0.slice. Mar 9 07:00:01 jutta systemd: Starting user-0.slice. Mar 9 07:00:01 jutta systemd: Started Session 119 of user root. Mar 9 07:00:01 jutta systemd: Starting Session 119 of user root. Mar 9 07:00:01 jutta systemd: Removed slice user-0.slice. Mar 9 07:00:01 jutta systemd: Stopping user-0.slice. Mar 9 07:01:01 jutta systemd: Created slice user-0.slice. Mar 9 07:01:01 jutta systemd: Starting user-0.slice. Mar 9 07:01:01 jutta systemd: Started Session 120 of user root. Mar 9 07:01:01 jutta systemd: Starting Session 120 of user root. Mar 9 07:01:01 jutta systemd: Removed slice user-0.slice. Mar 9 07:01:01 jutta systemd: Stopping user-0.slice. Mar 9 07:10:01 jutta systemd: Created slice user-0.slice. 
Mar 9 07:10:01 jutta systemd: Starting user-0.slice. Mar 9 07:10:01 jutta systemd: Started Session 121 of user root. Mar 9 07:10:01 jutta systemd: Starting Session 121 of user root. Mar 9 07:10:01 jutta systemd: Removed slice user-0.slice. Mar 9 07:10:01 jutta systemd: Stopping user-0.slice. Mar 9 07:20:01 jutta systemd: Created slice user-0.slice. Mar 9 07:20:01 jutta systemd: Starting user-0.slice. Mar 9 07:20:01 jutta systemd: Started Session 122 of user root. Mar 9 07:20:01 jutta systemd: Starting Session 122 of user root. Mar 9 07:20:01 jutta systemd: Removed slice user-0.slice. Mar 9 07:20:01 jutta systemd: Stopping user-0.slice. Mar 9 07:30:01 jutta systemd: Created slice user-0.slice. Mar 9 07:30:01 jutta systemd: Starting user-0.slice. Mar 9 07:30:01 jutta systemd: Started Session 123 of user root. Mar 9 07:30:01 jutta systemd: Starting Session 123 of user root. Mar 9 07:30:01 jutta systemd: Removed slice user-0.slice. Mar 9 07:30:01 jutta systemd: Stopping user-0.slice. Mar 9 07:40:01 jutta systemd: Created slice user-0.slice. Mar 9 07:40:01 jutta systemd: Starting user-0.slice. Mar 9 07:40:01 jutta systemd: Started Session 124 of user root. Mar 9 07:40:01 jutta systemd: Starting Session 124 of user root. Mar 9 07:40:01 jutta systemd: Removed slice user-0.slice. Mar 9 07:40:01 jutta systemd: Stopping user-0.slice. Mar 9 07:50:01 jutta systemd: Created slice user-0.slice. Mar 9 07:50:01 jutta systemd: Starting user-0.slice. Mar 9 07:50:01 jutta systemd: Started Session 125 of user root. Mar 9 07:50:01 jutta systemd: Starting Session 125 of user root. Mar 9 07:50:01 jutta systemd: Removed slice user-0.slice. Mar 9 07:50:01 jutta systemd: Stopping user-0.slice. Mar 9 08:00:01 jutta systemd: Created slice user-0.slice. Mar 9 08:00:01 jutta systemd: Starting user-0.slice. Mar 9 08:00:01 jutta systemd: Started Session 126 of user root. Mar 9 08:00:01 jutta systemd: Starting Session 126 of user root. Mar 9 08:00:01 jutta systemd: Removed slice user-0.slice. 
Mar 10 00:00:01 jutta systemd: Removed slice user-0.slice. Mar 10 00:00:01 jutta systemd: Stopping user-0.slice. Mar 10 00:01:01 jutta systemd: Created slice user-0.slice. Mar 10 00:01:01 jutta systemd: Starting user-0.slice. Mar 10 00:01:01 jutta systemd: Started Session 240 of user root. Mar 10 00:01:01 jutta systemd: Starting Session 240 of user root. Mar 10 00:01:01 jutta systemd: Removed slice user-0.slice. Mar 10 00:01:01 jutta systemd: Stopping user-0.slice. Mar 10 00:10:01 jutta systemd: Created slice user-0.slice. Mar 10 00:10:01 jutta systemd: Starting user-0.slice. Mar 10 00:10:01 jutta systemd: Started Session 241 of user root. Mar 10 00:10:01 jutta systemd: Starting Session 241 of user root. Mar 10 00:10:01 jutta systemd: Removed slice user-0.slice. Mar 10 00:10:01 jutta systemd: Stopping user-0.slice. Mar 10 00:20:01 jutta systemd: Created slice user-0.slice. Mar 10 00:20:01 jutta systemd: Starting user-0.slice. Mar 10 00:20:01 jutta systemd: Started Session 242 of user root. Mar 10 00:20:01 jutta systemd: Starting Session 242 of user root. Mar 10 00:20:01 jutta systemd: Removed slice user-0.slice. Mar 10 00:20:01 jutta systemd: Stopping user-0.slice. Mar 10 00:30:01 jutta systemd: Created slice user-0.slice. Mar 10 00:30:01 jutta systemd: Starting user-0.slice. Mar 10 00:30:01 jutta systemd: Started Session 243 of user root. Mar 10 00:30:01 jutta systemd: Starting Session 243 of user root. Mar 10 00:30:01 jutta systemd: Removed slice user-0.slice. Mar 10 00:30:01 jutta systemd: Stopping user-0.slice. Mar 10 00:40:01 jutta systemd: Created slice user-0.slice. Mar 10 00:40:01 jutta systemd: Starting user-0.slice. Mar 10 00:40:01 jutta systemd: Started Session 244 of user root. Mar 10 00:40:01 jutta systemd: Starting Session 244 of user root. Mar 10 00:40:01 jutta systemd: Removed slice user-0.slice. Mar 10 00:40:01 jutta systemd: Stopping user-0.slice. Mar 10 00:50:01 jutta systemd: Created slice user-0.slice. 
Mar 10 00:50:01 jutta systemd: Starting user-0.slice. Mar 10 00:50:01 jutta systemd: Started Session 245 of user root. Mar 10 00:50:01 jutta systemd: Starting Session 245 of user root. Mar 10 00:50:01 jutta systemd: Removed slice user-0.slice. Mar 10 00:50:01 jutta systemd: Stopping user-0.slice. Mar 10 01:00:01 jutta systemd: Created slice user-0.slice. Mar 10 01:00:01 jutta systemd: Starting user-0.slice. Mar 10 01:00:01 jutta systemd: Started Session 246 of user root. Mar 10 01:00:01 jutta systemd: Starting Session 246 of user root. Mar 10 01:00:01 jutta systemd: Removed slice user-0.slice. Mar 10 01:00:01 jutta systemd: Stopping user-0.slice. Mar 10 01:01:01 jutta systemd: Created slice user-0.slice. Mar 10 01:01:01 jutta systemd: Starting user-0.slice. Mar 10 01:01:01 jutta systemd: Started Session 247 of user root. Mar 10 01:01:01 jutta systemd: Starting Session 247 of user root. Mar 10 01:01:01 jutta systemd: Removed slice user-0.slice. Mar 10 01:01:01 jutta systemd: Stopping user-0.slice. Mar 10 01:10:01 jutta systemd: Created slice user-0.slice. Mar 10 01:10:01 jutta systemd: Starting user-0.slice. Mar 10 01:10:01 jutta systemd: Started Session 248 of user root. Mar 10 01:10:01 jutta systemd: Starting Session 248 of user root. Mar 10 01:10:01 jutta systemd: Removed slice user-0.slice. Mar 10 01:10:01 jutta systemd: Stopping user-0.slice. Mar 10 01:20:01 jutta systemd: Created slice user-0.slice. Mar 10 01:20:01 jutta systemd: Starting user-0.slice. Mar 10 01:20:01 jutta systemd: Started Session 249 of user root. Mar 10 01:20:01 jutta systemd: Starting Session 249 of user root. Mar 10 01:20:01 jutta systemd: Removed slice user-0.slice. Mar 10 01:20:01 jutta systemd: Stopping user-0.slice. Mar 10 01:30:01 jutta systemd: Created slice user-0.slice. Mar 10 01:30:01 jutta systemd: Starting user-0.slice. Mar 10 01:30:01 jutta systemd: Started Session 250 of user root. Mar 10 01:30:01 jutta systemd: Starting Session 250 of user root. 
Mar 10 01:30:01 jutta systemd: Removed slice user-0.slice. Mar 10 01:30:01 jutta systemd: Stopping user-0.slice. Mar 10 01:40:01 jutta systemd: Created slice user-0.slice. Mar 10 01:40:01 jutta systemd: Starting user-0.slice. Mar 10 01:40:01 jutta systemd: Started Session 251 of user root. Mar 10 01:40:01 jutta systemd: Starting Session 251 of user root. Mar 10 01:40:01 jutta systemd: Removed slice user-0.slice. Mar 10 01:40:01 jutta systemd: Stopping user-0.slice. Mar 10 01:50:01 jutta systemd: Created slice user-0.slice. Mar 10 01:50:01 jutta systemd: Starting user-0.slice. Mar 10 01:50:01 jutta systemd: Started Session 252 of user root. Mar 10 01:50:01 jutta systemd: Starting Session 252 of user root. Mar 10 01:50:01 jutta systemd: Removed slice user-0.slice. Mar 10 01:50:01 jutta systemd: Stopping user-0.slice. Mar 10 02:00:01 jutta systemd: Created slice user-0.slice. Mar 10 02:00:01 jutta systemd: Starting user-0.slice. Mar 10 02:00:01 jutta systemd: Started Session 253 of user root. Mar 10 02:00:01 jutta systemd: Starting Session 253 of user root. Mar 10 02:00:01 jutta systemd: Removed slice user-0.slice. Mar 10 02:00:01 jutta systemd: Stopping user-0.slice. Mar 10 02:01:01 jutta systemd: Created slice user-0.slice. Mar 10 02:01:01 jutta systemd: Starting user-0.slice. Mar 10 02:01:01 jutta systemd: Started Session 254 of user root. Mar 10 02:01:01 jutta systemd: Starting Session 254 of user root. Mar 10 02:01:01 jutta systemd: Removed slice user-0.slice. Mar 10 02:01:01 jutta systemd: Stopping user-0.slice. Mar 10 02:10:01 jutta systemd: Created slice user-0.slice. Mar 10 02:10:01 jutta systemd: Starting user-0.slice. Mar 10 02:10:01 jutta systemd: Started Session 255 of user root. Mar 10 02:10:01 jutta systemd: Starting Session 255 of user root. Mar 10 02:10:01 jutta systemd: Removed slice user-0.slice. Mar 10 02:10:01 jutta systemd: Stopping user-0.slice. Mar 10 02:20:01 jutta systemd: Created slice user-0.slice. 
Mar 10 02:20:01 jutta systemd: Starting user-0.slice. Mar 10 02:20:01 jutta systemd: Started Session 256 of user root. Mar 10 02:20:01 jutta systemd: Starting Session 256 of user root. Mar 10 02:20:01 jutta systemd: Removed slice user-0.slice. Mar 10 02:20:01 jutta systemd: Stopping user-0.slice. Mar 10 02:30:01 jutta systemd: Created slice user-0.slice. Mar 10 02:30:01 jutta systemd: Starting user-0.slice. Mar 10 02:30:01 jutta systemd: Started Session 257 of user root. Mar 10 02:30:01 jutta systemd: Starting Session 257 of user root. Mar 10 02:30:01 jutta systemd: Removed slice user-0.slice. Mar 10 02:30:01 jutta systemd: Stopping user-0.slice. Mar 10 02:40:01 jutta systemd: Created slice user-0.slice. Mar 10 02:40:01 jutta systemd: Starting user-0.slice. Mar 10 02:40:01 jutta systemd: Started Session 258 of user root. Mar 10 02:40:01 jutta systemd: Starting Session 258 of user root. Mar 10 02:40:01 jutta systemd: Removed slice user-0.slice. Mar 10 02:40:01 jutta systemd: Stopping user-0.slice. Mar 10 02:50:01 jutta systemd: Created slice user-0.slice. Mar 10 02:50:01 jutta systemd: Starting user-0.slice. Mar 10 02:50:01 jutta systemd: Started Session 259 of user root. Mar 10 02:50:01 jutta systemd: Starting Session 259 of user root. Mar 10 02:50:01 jutta systemd: Removed slice user-0.slice. Mar 10 02:50:01 jutta systemd: Stopping user-0.slice. Mar 10 03:00:01 jutta systemd: Created slice user-0.slice. Mar 10 03:00:01 jutta systemd: Starting user-0.slice. Mar 10 03:00:01 jutta systemd: Started Session 260 of user root. Mar 10 03:00:01 jutta systemd: Starting Session 260 of user root. Mar 10 03:00:01 jutta systemd: Removed slice user-0.slice. Mar 10 03:00:01 jutta systemd: Stopping user-0.slice. Mar 10 03:01:01 jutta systemd: Created slice user-0.slice. Mar 10 03:01:01 jutta systemd: Starting user-0.slice. Mar 10 03:01:01 jutta systemd: Started Session 261 of user root. Mar 10 03:01:01 jutta systemd: Starting Session 261 of user root. 
Mar 10 03:10:01 jutta systemd: Started Session 262 of user root. Mar 10 03:10:01 jutta systemd: Starting Session 262 of user root. Mar 10 03:20:01 jutta systemd: Started Session 263 of user root. Mar 10 03:20:01 jutta systemd: Starting Session 263 of user root. Mar 10 03:21:02 jutta rhsmd: This system is registered to RHN Classic. Mar 10 03:21:02 jutta systemd: Removed slice user-0.slice. Mar 10 03:21:02 jutta systemd: Stopping user-0.slice. Mar 10 03:30:01 jutta systemd: Created slice user-0.slice. Mar 10 03:30:01 jutta systemd: Starting user-0.slice. Mar 10 03:30:01 jutta systemd: Started Session 264 of user root. Mar 10 03:30:01 jutta systemd: Starting Session 264 of user root. Mar 10 03:30:01 jutta systemd: Removed slice user-0.slice. Mar 10 03:30:01 jutta systemd: Stopping user-0.slice. Mar 10 03:40:01 jutta systemd: Created slice user-0.slice. Mar 10 03:40:01 jutta systemd: Starting user-0.slice. Mar 10 03:40:01 jutta systemd: Started Session 265 of user root. Mar 10 03:40:01 jutta systemd: Starting Session 265 of user root. Mar 10 03:40:01 jutta systemd: Removed slice user-0.slice. Mar 10 03:40:01 jutta systemd: Stopping user-0.slice. Mar 10 03:50:01 jutta systemd: Created slice user-0.slice. Mar 10 03:50:01 jutta systemd: Starting user-0.slice. Mar 10 03:50:01 jutta systemd: Started Session 266 of user root. Mar 10 03:50:01 jutta systemd: Starting Session 266 of user root. Mar 10 03:50:01 jutta systemd: Removed slice user-0.slice. Mar 10 03:50:01 jutta systemd: Stopping user-0.slice. Mar 10 04:00:01 jutta systemd: Created slice user-0.slice. Mar 10 04:00:01 jutta systemd: Starting user-0.slice. Mar 10 04:00:01 jutta systemd: Started Session 267 of user root. Mar 10 04:00:01 jutta systemd: Starting Session 267 of user root. Mar 10 04:00:02 jutta systemd: Removed slice user-0.slice. Mar 10 04:00:02 jutta systemd: Stopping user-0.slice. Mar 10 04:01:01 jutta systemd: Created slice user-0.slice. Mar 10 04:01:01 jutta systemd: Starting user-0.slice. 
Mar 10 04:01:01 jutta systemd: Started Session 268 of user root. Mar 10 04:01:01 jutta systemd: Starting Session 268 of user root. Mar 10 04:01:01 jutta systemd: Removed slice user-0.slice. Mar 10 04:01:01 jutta systemd: Stopping user-0.slice. Mar 10 04:10:01 jutta systemd: Created slice user-0.slice. Mar 10 04:10:01 jutta systemd: Starting user-0.slice. Mar 10 04:10:01 jutta systemd: Started Session 269 of user root. Mar 10 04:10:01 jutta systemd: Starting Session 269 of user root. Mar 10 04:10:01 jutta systemd: Removed slice user-0.slice. Mar 10 04:10:01 jutta systemd: Stopping user-0.slice. Mar 10 04:20:01 jutta systemd: Created slice user-0.slice. Mar 10 04:20:01 jutta systemd: Starting user-0.slice. Mar 10 04:20:01 jutta systemd: Started Session 270 of user root. Mar 10 04:20:01 jutta systemd: Starting Session 270 of user root. Mar 10 04:20:01 jutta systemd: Removed slice user-0.slice. Mar 10 04:20:01 jutta systemd: Stopping user-0.slice. Mar 10 04:30:01 jutta systemd: Created slice user-0.slice. Mar 10 04:30:01 jutta systemd: Starting user-0.slice. Mar 10 04:30:01 jutta systemd: Started Session 271 of user root. Mar 10 04:30:01 jutta systemd: Starting Session 271 of user root. Mar 10 04:30:01 jutta systemd: Removed slice user-0.slice. Mar 10 04:30:01 jutta systemd: Stopping user-0.slice. Mar 10 04:40:01 jutta systemd: Created slice user-0.slice. Mar 10 04:40:01 jutta systemd: Starting user-0.slice. Mar 10 04:40:01 jutta systemd: Started Session 272 of user root. Mar 10 04:40:01 jutta systemd: Starting Session 272 of user root. Mar 10 04:40:01 jutta systemd: Removed slice user-0.slice. Mar 10 04:40:01 jutta systemd: Stopping user-0.slice. Mar 10 04:50:01 jutta systemd: Created slice user-0.slice. Mar 10 04:50:01 jutta systemd: Starting user-0.slice. Mar 10 04:50:01 jutta systemd: Started Session 273 of user root. Mar 10 04:50:01 jutta systemd: Starting Session 273 of user root. Mar 10 04:50:01 jutta systemd: Removed slice user-0.slice. 
Mar 10 04:50:01 jutta systemd: Stopping user-0.slice. Mar 10 05:00:01 jutta systemd: Created slice user-0.slice. Mar 10 05:00:01 jutta systemd: Starting user-0.slice. Mar 10 05:00:01 jutta systemd: Started Session 274 of user root. Mar 10 05:00:01 jutta systemd: Starting Session 274 of user root. Mar 10 05:00:01 jutta systemd: Removed slice user-0.slice. Mar 10 05:00:01 jutta systemd: Stopping user-0.slice. Mar 10 05:01:01 jutta systemd: Created slice user-0.slice. Mar 10 05:01:01 jutta systemd: Starting user-0.slice. Mar 10 05:01:01 jutta systemd: Started Session 275 of user root. Mar 10 05:01:01 jutta systemd: Starting Session 275 of user root. Mar 10 05:01:01 jutta systemd: Removed slice user-0.slice. Mar 10 05:01:01 jutta systemd: Stopping user-0.slice. Mar 10 05:10:01 jutta systemd: Created slice user-0.slice. Mar 10 05:10:01 jutta systemd: Starting user-0.slice. Mar 10 05:10:01 jutta systemd: Started Session 276 of user root. Mar 10 05:10:01 jutta systemd: Starting Session 276 of user root. Mar 10 05:10:01 jutta systemd: Removed slice user-0.slice. Mar 10 05:10:01 jutta systemd: Stopping user-0.slice. Mar 10 05:20:01 jutta systemd: Created slice user-0.slice. Mar 10 05:20:01 jutta systemd: Starting user-0.slice. Mar 10 05:20:01 jutta systemd: Started Session 277 of user root. Mar 10 05:20:01 jutta systemd: Starting Session 277 of user root. Mar 10 05:20:01 jutta systemd: Removed slice user-0.slice. Mar 10 05:20:01 jutta systemd: Stopping user-0.slice. Mar 10 05:30:01 jutta systemd: Created slice user-0.slice. Mar 10 05:30:01 jutta systemd: Starting user-0.slice. Mar 10 05:30:01 jutta systemd: Started Session 278 of user root. Mar 10 05:30:01 jutta systemd: Starting Session 278 of user root. Mar 10 05:30:01 jutta systemd: Removed slice user-0.slice. Mar 10 05:30:01 jutta systemd: Stopping user-0.slice. Mar 10 05:40:01 jutta systemd: Created slice user-0.slice. Mar 10 05:40:01 jutta systemd: Starting user-0.slice. 
Mar 10 05:40:01 jutta systemd: Started Session 279 of user root. Mar 10 05:40:01 jutta systemd: Starting Session 279 of user root. Mar 10 05:40:01 jutta systemd: Removed slice user-0.slice. Mar 10 05:40:01 jutta systemd: Stopping user-0.slice. Mar 10 05:50:01 jutta systemd: Created slice user-0.slice. Mar 10 05:50:01 jutta systemd: Starting user-0.slice. Mar 10 05:50:01 jutta systemd: Started Session 280 of user root. Mar 10 05:50:01 jutta systemd: Starting Session 280 of user root. Mar 10 05:50:01 jutta systemd: Removed slice user-0.slice. Mar 10 05:50:01 jutta systemd: Stopping user-0.slice. Mar 10 06:00:01 jutta systemd: Created slice user-0.slice. Mar 10 06:00:01 jutta systemd: Starting user-0.slice. Mar 10 06:00:01 jutta systemd: Started Session 281 of user root. Mar 10 06:00:01 jutta systemd: Starting Session 281 of user root. Mar 10 06:00:01 jutta systemd: Removed slice user-0.slice. Mar 10 06:00:01 jutta systemd: Stopping user-0.slice. Mar 10 06:01:01 jutta systemd: Created slice user-0.slice. Mar 10 06:01:01 jutta systemd: Starting user-0.slice. Mar 10 06:01:01 jutta systemd: Started Session 282 of user root. Mar 10 06:01:01 jutta systemd: Starting Session 282 of user root. Mar 10 06:01:01 jutta systemd: Removed slice user-0.slice. Mar 10 06:01:01 jutta systemd: Stopping user-0.slice. Mar 10 06:10:01 jutta systemd: Created slice user-0.slice. Mar 10 06:10:01 jutta systemd: Starting user-0.slice. Mar 10 06:10:01 jutta systemd: Started Session 283 of user root. Mar 10 06:10:01 jutta systemd: Starting Session 283 of user root. Mar 10 06:10:01 jutta systemd: Removed slice user-0.slice. Mar 10 06:10:01 jutta systemd: Stopping user-0.slice. Mar 10 06:20:01 jutta systemd: Created slice user-0.slice. Mar 10 06:20:01 jutta systemd: Starting user-0.slice. Mar 10 06:20:01 jutta systemd: Started Session 284 of user root. Mar 10 06:20:01 jutta systemd: Starting Session 284 of user root. Mar 10 06:20:01 jutta systemd: Removed slice user-0.slice. 
Mar 10 06:20:01 jutta systemd: Stopping user-0.slice. Mar 10 06:30:01 jutta systemd: Created slice user-0.slice. Mar 10 06:30:01 jutta systemd: Starting user-0.slice. Mar 10 06:30:01 jutta systemd: Started Session 285 of user root. Mar 10 06:30:01 jutta systemd: Starting Session 285 of user root. Mar 10 06:30:01 jutta systemd: Removed slice user-0.slice. Mar 10 06:30:01 jutta systemd: Stopping user-0.slice. Mar 10 06:40:01 jutta systemd: Created slice user-0.slice. Mar 10 06:40:01 jutta systemd: Starting user-0.slice. Mar 10 06:40:01 jutta systemd: Started Session 286 of user root. Mar 10 06:40:01 jutta systemd: Starting Session 286 of user root. Mar 10 06:40:01 jutta systemd: Removed slice user-0.slice. Mar 10 06:40:01 jutta systemd: Stopping user-0.slice. Mar 10 06:50:01 jutta systemd: Created slice user-0.slice. Mar 10 06:50:01 jutta systemd: Starting user-0.slice. Mar 10 06:50:01 jutta systemd: Started Session 287 of user root. Mar 10 06:50:01 jutta systemd: Starting Session 287 of user root. Mar 10 06:50:01 jutta systemd: Removed slice user-0.slice. Mar 10 06:50:01 jutta systemd: Stopping user-0.slice. Mar 10 07:00:01 jutta systemd: Created slice user-0.slice. Mar 10 07:00:01 jutta systemd: Starting user-0.slice. Mar 10 07:00:01 jutta systemd: Started Session 288 of user root. Mar 10 07:00:01 jutta systemd: Starting Session 288 of user root. Mar 10 07:00:01 jutta systemd: Removed slice user-0.slice. Mar 10 07:00:01 jutta systemd: Stopping user-0.slice. Mar 10 07:01:01 jutta systemd: Created slice user-0.slice. Mar 10 07:01:01 jutta systemd: Starting user-0.slice. Mar 10 07:01:01 jutta systemd: Started Session 289 of user root. Mar 10 07:01:01 jutta systemd: Starting Session 289 of user root. Mar 10 07:01:01 jutta systemd: Removed slice user-0.slice. Mar 10 07:01:01 jutta systemd: Stopping user-0.slice. Mar 10 07:10:01 jutta systemd: Created slice user-0.slice. Mar 10 07:10:01 jutta systemd: Starting user-0.slice. 
Mar 10 07:10:01 jutta systemd: Started Session 290 of user root. Mar 10 07:10:01 jutta systemd: Starting Session 290 of user root. Mar 10 07:10:01 jutta systemd: Removed slice user-0.slice. Mar 10 07:10:01 jutta systemd: Stopping user-0.slice. Mar 10 07:20:01 jutta systemd: Created slice user-0.slice. Mar 10 07:20:01 jutta systemd: Starting user-0.slice. Mar 10 07:20:01 jutta systemd: Started Session 291 of user root. Mar 10 07:20:01 jutta systemd: Starting Session 291 of user root. Mar 10 07:20:01 jutta systemd: Removed slice user-0.slice. Mar 10 07:20:01 jutta systemd: Stopping user-0.slice. Mar 10 07:30:01 jutta systemd: Created slice user-0.slice. Mar 10 07:30:01 jutta systemd: Starting user-0.slice. Mar 10 07:30:01 jutta systemd: Started Session 292 of user root. Mar 10 07:30:01 jutta systemd: Starting Session 292 of user root. Mar 10 07:30:01 jutta systemd: Removed slice user-0.slice. Mar 10 07:30:01 jutta systemd: Stopping user-0.slice. Mar 10 07:40:01 jutta systemd: Created slice user-0.slice. Mar 10 07:40:01 jutta systemd: Starting user-0.slice. Mar 10 07:40:01 jutta systemd: Started Session 293 of user root. Mar 10 07:40:01 jutta systemd: Starting Session 293 of user root. Mar 10 07:40:01 jutta systemd: Removed slice user-0.slice. Mar 10 07:40:01 jutta systemd: Stopping user-0.slice. Mar 10 07:50:01 jutta systemd: Created slice user-0.slice. Mar 10 07:50:01 jutta systemd: Starting user-0.slice. Mar 10 07:50:01 jutta systemd: Started Session 294 of user root. Mar 10 07:50:01 jutta systemd: Starting Session 294 of user root. Mar 10 07:50:01 jutta systemd: Removed slice user-0.slice. Mar 10 07:50:01 jutta systemd: Stopping user-0.slice. Mar 10 08:00:01 jutta systemd: Created slice user-0.slice. Mar 10 08:00:01 jutta systemd: Starting user-0.slice. Mar 10 08:00:01 jutta systemd: Started Session 295 of user root. Mar 10 08:00:01 jutta systemd: Starting Session 295 of user root. Mar 10 08:00:01 jutta systemd: Removed slice user-0.slice. 
Mar 10 08:00:01 jutta systemd: Stopping user-0.slice. Mar 10 08:01:01 jutta systemd: Created slice user-0.slice. Mar 10 08:01:01 jutta systemd: Starting user-0.slice. Mar 10 08:01:01 jutta systemd: Started Session 296 of user root. Mar 10 08:01:01 jutta systemd: Starting Session 296 of user root. Mar 10 08:01:01 jutta systemd: Removed slice user-0.slice. Mar 10 08:01:01 jutta systemd: Stopping user-0.slice. Mar 10 08:10:01 jutta systemd: Created slice user-0.slice. Mar 10 08:10:01 jutta systemd: Starting user-0.slice. Mar 10 08:10:01 jutta systemd: Started Session 297 of user root. Mar 10 08:10:01 jutta systemd: Starting Session 297 of user root. Mar 10 08:10:02 jutta systemd: Removed slice user-0.slice. Mar 10 08:10:02 jutta systemd: Stopping user-0.slice. Mar 10 08:20:01 jutta systemd: Created slice user-0.slice. Mar 10 08:20:01 jutta systemd: Starting user-0.slice. Mar 10 08:20:01 jutta systemd: Started Session 298 of user root. Mar 10 08:20:01 jutta systemd: Starting Session 298 of user root. Mar 10 08:20:01 jutta systemd: Removed slice user-0.slice. Mar 10 08:20:01 jutta systemd: Stopping user-0.slice. Mar 10 08:30:01 jutta systemd: Created slice user-0.slice. Mar 10 08:30:01 jutta systemd: Starting user-0.slice. Mar 10 08:30:01 jutta systemd: Started Session 299 of user root. Mar 10 08:30:01 jutta systemd: Starting Session 299 of user root. Mar 10 08:30:01 jutta systemd: Removed slice user-0.slice. Mar 10 08:30:01 jutta systemd: Stopping user-0.slice. Mar 10 08:40:01 jutta systemd: Created slice user-0.slice. Mar 10 08:40:01 jutta systemd: Starting user-0.slice. Mar 10 08:40:01 jutta systemd: Started Session 300 of user root. Mar 10 08:40:01 jutta systemd: Starting Session 300 of user root. Mar 10 08:40:01 jutta systemd: Removed slice user-0.slice. Mar 10 08:40:01 jutta systemd: Stopping user-0.slice. Mar 10 08:50:01 jutta systemd: Created slice user-0.slice. Mar 10 08:50:01 jutta systemd: Starting user-0.slice. 
Mar 10 08:50:01 jutta systemd: Started Session 301 of user root. Mar 10 08:50:01 jutta systemd: Starting Session 301 of user root. Mar 10 08:50:01 jutta systemd: Removed slice user-0.slice. Mar 10 08:50:01 jutta systemd: Stopping user-0.slice. Mar 10 09:00:01 jutta systemd: Created slice user-0.slice. Mar 10 09:00:01 jutta systemd: Starting user-0.slice. Mar 10 09:00:01 jutta systemd: Started Session 302 of user root. Mar 10 09:00:01 jutta systemd: Starting Session 302 of user root. Mar 10 09:00:01 jutta systemd: Removed slice user-0.slice. Mar 10 09:00:01 jutta systemd: Stopping user-0.slice. Mar 10 09:01:01 jutta systemd: Created slice user-0.slice. Mar 10 09:01:01 jutta systemd: Starting user-0.slice. Mar 10 09:01:01 jutta systemd: Started Session 303 of user root. Mar 10 09:01:01 jutta systemd: Starting Session 303 of user root. Mar 10 09:01:01 jutta systemd: Removed slice user-0.slice. Mar 10 09:01:01 jutta systemd: Stopping user-0.slice. Mar 10 09:10:01 jutta systemd: Created slice user-0.slice. Mar 10 09:10:01 jutta systemd: Starting user-0.slice. Mar 10 09:10:01 jutta systemd: Started Session 304 of user root. Mar 10 09:10:01 jutta systemd: Starting Session 304 of user root. Mar 10 09:10:01 jutta systemd: Removed slice user-0.slice. Mar 10 09:10:01 jutta systemd: Stopping user-0.slice. Mar 10 09:20:01 jutta systemd: Created slice user-0.slice. Mar 10 09:20:01 jutta systemd: Starting user-0.slice. Mar 10 09:20:01 jutta systemd: Started Session 305 of user root. Mar 10 09:20:01 jutta systemd: Starting Session 305 of user root. Mar 10 09:20:01 jutta systemd: Removed slice user-0.slice. Mar 10 09:20:01 jutta systemd: Stopping user-0.slice. Mar 10 09:25:04 jutta systemd: Created slice user-49273.slice. Mar 10 09:25:04 jutta systemd: Starting user-49273.slice. Mar 10 09:25:04 jutta systemd-logind: New session 306 of user fonsecah. Mar 10 09:25:04 jutta systemd: Started Session 306 of user fonsecah. 
Mar 10 09:25:04 jutta systemd: Starting Session 306 of user fonsecah. Mar 10 09:25:26 jutta su: (to root) fonsecah on pts/0 Mar 10 09:30:01 jutta systemd: Created slice user-0.slice. Mar 10 09:30:01 jutta systemd: Starting user-0.slice. Mar 10 09:30:01 jutta systemd: Started Session 307 of user root. Mar 10 09:30:01 jutta systemd: Starting Session 307 of user root. Mar 10 09:30:01 jutta systemd: Removed slice user-0.slice. Mar 10 09:30:01 jutta systemd: Stopping user-0.slice. Mar 10 09:40:01 jutta systemd: Created slice user-0.slice. Mar 10 09:40:01 jutta systemd: Starting user-0.slice. Mar 10 09:40:01 jutta systemd: Started Session 308 of user root. Mar 10 09:40:01 jutta systemd: Starting Session 308 of user root. Mar 10 09:40:01 jutta systemd: Removed slice user-0.slice. Mar 10 09:40:01 jutta systemd: Stopping user-0.slice. Mar 10 09:50:01 jutta systemd: Created slice user-0.slice. Mar 10 09:50:01 jutta systemd: Starting user-0.slice. Mar 10 09:50:01 jutta systemd: Started Session 309 of user root. Mar 10 09:50:01 jutta systemd: Starting Session 309 of user root. Mar 10 09:50:01 jutta systemd: Removed slice user-0.slice. Mar 10 09:50:01 jutta systemd: Stopping user-0.slice. Mar 10 10:00:01 jutta systemd: Created slice user-0.slice. Mar 10 10:00:01 jutta systemd: Starting user-0.slice. Mar 10 10:00:01 jutta systemd: Started Session 310 of user root. Mar 10 10:00:01 jutta systemd: Starting Session 310 of user root. Mar 10 10:00:01 jutta systemd: Removed slice user-0.slice. Mar 10 10:00:01 jutta systemd: Stopping user-0.slice. Mar 10 10:01:01 jutta systemd: Created slice user-0.slice. Mar 10 10:01:01 jutta systemd: Starting user-0.slice. Mar 10 10:01:01 jutta systemd: Started Session 311 of user root. Mar 10 10:01:01 jutta systemd: Starting Session 311 of user root. Mar 10 10:01:01 jutta systemd: Removed slice user-0.slice. Mar 10 10:01:01 jutta systemd: Stopping user-0.slice. Mar 10 10:10:01 jutta systemd: Created slice user-0.slice. 
Mar 10 10:10:01 jutta systemd: Starting user-0.slice. Mar 10 10:10:01 jutta systemd: Started Session 312 of user root. Mar 10 10:10:01 jutta systemd: Starting Session 312 of user root. Mar 10 10:10:01 jutta systemd: Removed slice user-0.slice. Mar 10 10:10:01 jutta systemd: Stopping user-0.slice. Mar 10 10:20:01 jutta systemd: Created slice user-0.slice. Mar 10 10:20:01 jutta systemd: Starting user-0.slice. Mar 10 10:20:01 jutta systemd: Started Session 313 of user root. Mar 10 10:20:01 jutta systemd: Starting Session 313 of user root. Mar 10 10:20:01 jutta systemd: Removed slice user-0.slice. Mar 10 10:20:01 jutta systemd: Stopping user-0.slice. Mar 10 10:30:01 jutta systemd: Created slice user-0.slice. Mar 10 10:30:01 jutta systemd: Starting user-0.slice. Mar 10 10:30:01 jutta systemd: Started Session 314 of user root. Mar 10 10:30:01 jutta systemd: Starting Session 314 of user root. Mar 10 10:30:01 jutta systemd: Removed slice user-0.slice. Mar 10 10:30:01 jutta systemd: Stopping user-0.slice. Mar 10 10:40:01 jutta systemd: Created slice user-0.slice. Mar 10 10:40:01 jutta systemd: Starting user-0.slice. Mar 10 10:40:01 jutta systemd: Started Session 315 of user root. Mar 10 10:40:01 jutta systemd: Starting Session 315 of user root. Mar 10 10:40:01 jutta systemd: Removed slice user-0.slice. Mar 10 10:40:01 jutta systemd: Stopping user-0.slice. Mar 10 10:50:01 jutta systemd: Created slice user-0.slice. Mar 10 10:50:01 jutta systemd: Starting user-0.slice. Mar 10 10:50:01 jutta systemd: Started Session 316 of user root. Mar 10 10:50:01 jutta systemd: Starting Session 316 of user root. Mar 10 10:50:01 jutta systemd: Removed slice user-0.slice. Mar 10 10:50:01 jutta systemd: Stopping user-0.slice. Mar 10 11:00:01 jutta systemd: Created slice user-0.slice. Mar 10 11:00:01 jutta systemd: Starting user-0.slice. Mar 10 11:00:01 jutta systemd: Started Session 317 of user root. Mar 10 11:00:01 jutta systemd: Starting Session 317 of user root. 
Mar 10 14:13:07 jutta server: Mar 10, 2016 2:13:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:13:07 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'tlsCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA' did not find a matching property. Mar 10 14:13:07 jutta server: Mar 10, 2016 2:13:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:13:07 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeStream' to 'tls1_0:tls1_2' did not find a matching property. Mar 10 14:13:07 jutta server: Mar 10, 2016 2:13:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:13:07 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeDatagram' to 'tls1_1:tls1_2' did not find a matching property. 
Mar 10 14:13:07 jutta server: Mar 10, 2016 2:13:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:13:07 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslRangeCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256' did not find a matching property. Mar 10 14:13:07 jutta server: Mar 10, 2016 2:13:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:13:07 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'serverCertNickFile' to '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did not find a matching property. 
Mar 10 14:13:07 jutta server: Mar 10, 2016 2:13:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:13:07 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not find a matching property. Mar 10 14:13:07 jutta server: Mar 10, 2016 2:13:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:13:07 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile' did not find a matching property. Mar 10 14:13:07 jutta server: Mar 10, 2016 2:13:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:13:07 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching property. Mar 10 14:13:07 jutta server: Mar 10, 2016 2:13:07 PM org.apache.tomcat.util.digester.SetPropertiesRule begin Mar 10 14:13:07 jutta server: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlValidation' to 'false' did not find a matching property. Mar 10 14:13:07 jutta server: Mar 10, 2016 2:13:07 PM org.apache.tomcat.util.digester.SetPropertiesRule begin Mar 10 14:13:07 jutta server: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlNamespaceAware' to 'false' did not find a matching property. 
Mar 10 14:13:07 jutta server: PKIListener: org.apache.catalina.core.StandardServer[before_init] Mar 10 14:13:08 jutta server: Mar 10, 2016 2:13:08 PM org.apache.coyote.AbstractProtocol init Mar 10 14:13:08 jutta server: INFO: Initializing ProtocolHandler ["http-bio-8080"] Mar 10 14:13:08 jutta server: Mar 10, 2016 2:13:08 PM org.apache.coyote.AbstractProtocol init Mar 10 14:13:08 jutta server: INFO: Initializing ProtocolHandler ["http-bio-8443"] Mar 10 14:13:08 jutta server: Error: SSL cipher "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss Mar 10 14:13:08 jutta server: Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" not recognized by tomcatjss Mar 10 14:13:08 jutta server: Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" not recognized by tomcatjss Mar 10 14:13:08 jutta server: Error: SSL cipher "TLS_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss Mar 10 14:13:08 jutta server: Error: SSL cipher "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss Mar 10 14:13:08 jutta server: Error: SSL cipher "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss Mar 10 14:13:08 jutta server: Error: SSL cipher "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" unsupported by NSS Mar 10 14:13:08 jutta server: Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" unsupported by NSS Mar 10 14:13:08 jutta server: Mar 10, 2016 2:13:08 PM org.apache.coyote.AbstractProtocol init Mar 10 14:13:08 jutta server: INFO: Initializing ProtocolHandler ["ajp-bio-127.0.0.1-8009"] Mar 10 14:13:08 jutta server: PKIListener: org.apache.catalina.core.StandardServer[after_init] Mar 10 14:13:08 jutta server: Mar 10, 2016 2:13:08 PM org.apache.catalina.startup.Catalina load Mar 10 14:13:08 jutta server: INFO: Initialization processed in 802 ms Mar 10 14:13:08 jutta server: PKIListener: org.apache.catalina.core.StandardServer[before_start] Mar 10 14:13:08 jutta server: PKIListener: org.apache.catalina.core.StandardServer[configure_start] Mar 10 14:13:08 jutta 
server: PKIListener: org.apache.catalina.core.StandardServer[start] Mar 10 14:13:08 jutta server: Mar 10, 2016 2:13:08 PM org.apache.catalina.core.StandardService startInternal Mar 10 14:13:08 jutta server: INFO: Starting service Catalina Mar 10 14:13:08 jutta server: Mar 10, 2016 2:13:08 PM org.apache.catalina.core.StandardEngine startInternal Mar 10 14:13:08 jutta server: INFO: Starting Servlet Engine: Apache Tomcat/7.0.54 Mar 10 14:13:08 jutta server: Mar 10, 2016 2:13:08 PM org.apache.catalina.startup.HostConfig deployDescriptor Mar 10 14:13:08 jutta server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml Mar 10 14:13:10 jutta server: Mar 10, 2016 2:13:09 PM org.apache.catalina.startup.HostConfig deployDescriptor Mar 10 14:13:10 jutta server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml has finished in 1,654 ms Mar 10 14:13:10 jutta server: Mar 10, 2016 2:13:10 PM org.apache.catalina.startup.HostConfig deployDescriptor Mar 10 14:13:10 jutta server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki#admin.xml Mar 10 14:13:11 jutta server: Mar 10, 2016 2:13:11 PM org.apache.catalina.startup.HostConfig deployDescriptor Mar 10 14:13:11 jutta server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki#admin.xml has finished in 1,267 ms Mar 10 14:13:11 jutta server: Mar 10, 2016 2:13:11 PM org.apache.catalina.startup.HostConfig deployDescriptor Mar 10 14:13:11 jutta server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki#js.xml Mar 10 14:13:12 jutta server: Mar 10, 2016 2:13:12 PM org.apache.catalina.startup.HostConfig deployDescriptor Mar 10 14:13:12 jutta server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki#js.xml has finished in 898 ms Mar 10 14:13:12 jutta server: Mar 10, 2016 2:13:12 PM org.apache.catalina.startup.HostConfig 
deployDescriptor Mar 10 14:13:12 jutta server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml Mar 10 14:13:12 jutta server: SSLAuthenticatorWithFallback: Creating SSL authenticator with fallback Mar 10 14:13:12 jutta server: SSLAuthenticatorWithFallback: Setting container Mar 10 14:13:13 jutta server: SSLAuthenticatorWithFallback: Initializing authenticators Mar 10 14:13:13 jutta server: SSLAuthenticatorWithFallback: Starting authenticators Mar 10 14:13:14 jutta server: CMS Warning: FAILURE: Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate|FAILURE: authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value| Mar 10 14:13:14 jutta server: CA is started. Mar 10 14:13:14 jutta server: Mar 10, 2016 2:13:14 PM org.apache.catalina.startup.HostConfig deployDescriptor Mar 10 14:13:14 jutta server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml has finished in 2,624 ms Mar 10 14:13:14 jutta server: Mar 10, 2016 2:13:14 PM org.apache.coyote.AbstractProtocol start Mar 10 14:13:14 jutta server: INFO: Starting ProtocolHandler ["http-bio-8080"] Mar 10 14:13:14 jutta server: Mar 10, 2016 2:13:14 PM org.apache.coyote.AbstractProtocol start Mar 10 14:13:14 jutta server: INFO: Starting ProtocolHandler ["http-bio-8443"] Mar 10 14:13:14 jutta server: Mar 10, 2016 2:13:14 PM org.apache.coyote.AbstractProtocol start Mar 10 14:13:14 jutta server: INFO: Starting ProtocolHandler ["ajp-bio-127.0.0.1-8009"] Mar 10 14:13:14 jutta server: PKIListener: org.apache.catalina.core.StandardServer[after_start] Mar 10 14:13:14 jutta server: PKIListener: Subsystem CA is running. 
Mar 10 14:13:14 jutta server: Mar 10, 2016 2:13:14 PM org.apache.catalina.startup.Catalina start Mar 10 14:13:14 jutta server: INFO: Server startup in 6532 ms Mar 10 14:13:16 jutta server: 14:13:16,064 INFO (org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher:82) - Deploying javax.ws.rs.core.Application: class org.dogtagpki.server.ca.rest.CAApplication Mar 10 14:13:16 jutta server: 14:13:16,072 INFO (org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher:82) - Adding class resource org.dogtagpki.server.rest.AccountService from Application class org.dogtagpki.server.ca.rest.CAApplication Mar 10 14:13:16 jutta server: 14:13:16,074 INFO (org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher:82) - Adding class resource org.dogtagpki.server.rest.AuditService from Application class org.dogtagpki.server.ca.rest.CAApplication Mar 10 14:13:16 jutta server: 14:13:16,074 INFO (org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher:82) - Adding class resource org.dogtagpki.server.ca.rest.CAInstallerService from Application class org.dogtagpki.server.ca.rest.CAApplication Mar 10 14:13:16 jutta server: 14:13:16,074 INFO (org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher:82) - Adding class resource org.dogtagpki.server.ca.rest.CertService from Application class org.dogtagpki.server.ca.rest.CAApplication Mar 10 14:13:16 jutta server: 14:13:16,075 INFO (org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher:82) - Adding class resource org.dogtagpki.server.ca.rest.CertRequestService from Application class org.dogtagpki.server.ca.rest.CAApplication Mar 10 14:13:16 jutta server: 14:13:16,075 INFO (org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher:82) - Adding class resource org.dogtagpki.server.ca.rest.ProfileService from Application class org.dogtagpki.server.ca.rest.CAApplication Mar 10 14:13:16 jutta server: 14:13:16,075 INFO 
(org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher:82) - Adding class resource org.dogtagpki.server.rest.SelfTestService from Application class org.dogtagpki.server.ca.rest.CAApplication Mar 10 14:13:16 jutta server: 14:13:16,076 INFO (org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher:82) - Adding class resource org.dogtagpki.server.rest.GroupService from Application class org.dogtagpki.server.ca.rest.CAApplication Mar 10 14:13:16 jutta server: 14:13:16,076 INFO (org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher:82) - Adding class resource org.dogtagpki.server.rest.UserService from Application class org.dogtagpki.server.ca.rest.CAApplication Mar 10 14:13:16 jutta server: 14:13:16,076 INFO (org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher:82) - Adding class resource org.dogtagpki.server.rest.SystemCertService from Application class org.dogtagpki.server.ca.rest.CAApplication Mar 10 14:13:16 jutta server: 14:13:16,077 INFO (org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher:82) - Adding class resource org.dogtagpki.server.ca.rest.KRAConnectorService from Application class org.dogtagpki.server.ca.rest.CAApplication Mar 10 14:13:16 jutta server: 14:13:16,077 INFO (org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher:82) - Adding provider class org.dogtagpki.server.rest.PKIExceptionMapper from Application class org.dogtagpki.server.ca.rest.CAApplication Mar 10 14:13:16 jutta server: 14:13:16,077 INFO (org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher:82) - Adding singleton provider org.dogtagpki.server.rest.SessionContextInterceptor from Application class org.dogtagpki.server.ca.rest.CAApplication Mar 10 14:13:16 jutta server: 14:13:16,078 INFO (org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher:82) - Adding singleton provider org.dogtagpki.server.rest.AuthMethodInterceptor from Application class 
org.dogtagpki.server.ca.rest.CAApplication Mar 10 14:13:16 jutta server: 14:13:16,078 INFO (org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher:82) - Adding singleton provider org.dogtagpki.server.rest.ACLInterceptor from Application class org.dogtagpki.server.ca.rest.CAApplication Mar 10 14:13:16 jutta server: 14:13:16,079 INFO (org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher:82) - Adding singleton provider org.dogtagpki.server.rest.MessageFormatInterceptor from Application class org.dogtagpki.server.ca.rest.CAApplication Mar 10 14:13:16 jutta server: 14:13:16,313 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /installer/configure Mar 10 14:15:03 jutta systemd-logind: New session 345 of user fonsecah. Mar 10 14:15:03 jutta systemd: Started Session 345 of user fonsecah. Mar 10 14:15:03 jutta systemd: Starting Session 345 of user fonsecah. Mar 10 14:16:28 jutta systemd: Configuration file /usr/lib/systemd/system/pki-tomcatd.target is marked executable. Please remove executable permission bits. Proceeding anyway. Mar 10 14:16:28 jutta systemd: Configuration file /usr/lib/systemd/system/pki-tomcatd.target is marked executable. Please remove executable permission bits. Proceeding anyway. Mar 10 14:16:28 jutta systemd: Reloading. Mar 10 14:16:28 jutta systemd: Configuration file /usr/lib/systemd/system/pki-tomcatd.target is marked executable. Please remove executable permission bits. Proceeding anyway. Mar 10 14:16:28 jutta systemd: Configuration file /lib/systemd/system/pki-tomcatd@.service is marked executable. Please remove executable permission bits. Proceeding anyway. Mar 10 14:16:28 jutta systemd: Configuration file /usr/lib/systemd/system/auditd.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway. Mar 10 14:16:28 jutta systemd: Configuration file /usr/lib/systemd/system/ebtables.service is marked executable.
Please remove executable permission bits. Proceeding anyway. Mar 10 14:16:28 jutta systemd: Stopping PKI Tomcat Server pki-tomcat... Mar 10 14:16:28 jutta server: Java virtual machine used: /usr/lib/jvm/jre/bin/java Mar 10 14:16:28 jutta server: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar Mar 10 14:16:28 jutta server: main class used: org.apache.catalina.startup.Bootstrap Mar 10 14:16:28 jutta server: flags used: -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni Mar 10 14:16:28 jutta server: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager Mar 10 14:16:28 jutta server: arguments used: stop Mar 10 14:16:28 jutta server: Mar 10, 2016 2:16:28 PM org.apache.catalina.core.StandardServer await Mar 10 14:16:28 jutta server: INFO: A valid shutdown command was received via the shutdown port. Stopping the Server instance. Mar 10 14:16:28 jutta server: PKIListener: org.apache.catalina.core.StandardServer[before_stop] Mar 10 14:16:28 jutta server: PKIListener: org.apache.catalina.core.StandardServer[stop] Mar 10 14:16:28 jutta server: PKIListener: org.apache.catalina.core.StandardServer[configure_stop] Mar 10 14:16:28 jutta server: Mar 10, 2016 2:16:28 PM org.apache.coyote.AbstractProtocol pause Mar 10 14:16:28 jutta server: INFO: Pausing ProtocolHandler ["http-bio-8080"] Mar 10 14:16:29 jutta systemd: Stopped PKI Tomcat Server pki-tomcat. Mar 10 14:16:29 jutta systemd: Starting PKI Tomcat Server pki-tomcat... 
Mar 10 14:16:29 jutta pkidaemon: SUCCESS: Successfully archived '/var/lib/pki/pki-tomcat/conf/ca/archives/CS.cfg.bak.20160310141629' Mar 10 14:16:29 jutta pkidaemon: SUCCESS: Successfully backed up '/var/lib/pki/pki-tomcat/conf/ca/CS.cfg.bak' Mar 10 14:16:29 jutta systemd: Started PKI Tomcat Server pki-tomcat. Mar 10 14:16:29 jutta server: Java virtual machine used: /usr/lib/jvm/jre/bin/java Mar 10 14:16:29 jutta server: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar Mar 10 14:16:29 jutta server: main class used: org.apache.catalina.startup.Bootstrap Mar 10 14:16:29 jutta server: flags used: -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni Mar 10 14:16:29 jutta server: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.manager -Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy Mar 10 14:16:29 jutta server: arguments used: start Mar 10 14:16:30 jutta server: Mar 10, 2016 2:16:30 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:16:30 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'enableOCSP' to 'false' did not find a matching property. Mar 10 14:16:30 jutta server: Mar 10, 2016 2:16:30 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:16:30 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderURL' to 'http://jutta.cc.umanitoba.ca:9080/ca/ocsp' did not find a matching property. 
Mar 10 14:16:30 jutta server: Mar 10, 2016 2:16:30 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:16:30 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderCertNickname' to 'ocspSigningCert cert-pki-ca' did not find a matching property. Mar 10 14:16:30 jutta server: Mar 10, 2016 2:16:30 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:16:30 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspCacheSize' to '1000' did not find a matching property. Mar 10 14:16:30 jutta server: Mar 10, 2016 2:16:30 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:16:30 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMinCacheEntryDuration' to '60' did not find a matching property. Mar 10 14:16:30 jutta server: Mar 10, 2016 2:16:30 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:16:30 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMaxCacheEntryDuration' to '120' did not find a matching property. Mar 10 14:16:30 jutta server: Mar 10, 2016 2:16:30 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:16:30 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspTimeout' to '10' did not find a matching property. Mar 10 14:16:30 jutta server: Mar 10, 2016 2:16:30 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:16:30 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'strictCiphers' to 'true' did not find a matching property. Mar 10 14:16:30 jutta server: Mar 10, 2016 2:16:30 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:16:30 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslOptions' to 'ssl2=false,ssl3=false,tls=true' did not find a matching property. 
Mar 10 14:16:30 jutta server: Mar 10, 2016 2:16:30 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:16:30 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl2Ciphers' to '-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5' did not find a matching property. Mar 10 14:16:30 jutta server: Mar 10, 2016 2:16:30 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:16:30 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl3Ciphers' to '-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA' did not find a matching property. 
Mar 10 14:16:30 jutta server: Mar 10, 2016 2:16:30 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:16:30 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'tlsCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA' did not find a matching property. Mar 10 14:16:30 jutta server: Mar 10, 2016 2:16:30 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:16:30 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeStream' to 'tls1_0:tls1_2' did not find a matching property. Mar 10 14:16:30 jutta server: Mar 10, 2016 2:16:30 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:16:30 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeDatagram' to 'tls1_1:tls1_2' did not find a matching property. 
Mar 10 14:16:30 jutta server: Mar 10, 2016 2:16:30 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:16:30 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslRangeCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256' did not find a matching property. Mar 10 14:16:30 jutta server: Mar 10, 2016 2:16:30 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:16:30 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'serverCertNickFile' to '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did not find a matching property. 
Mar 10 14:16:30 jutta server: Mar 10, 2016 2:16:30 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:16:30 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not find a matching property. Mar 10 14:16:30 jutta server: Mar 10, 2016 2:16:30 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:16:30 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile' did not find a matching property. Mar 10 14:16:30 jutta server: Mar 10, 2016 2:16:30 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:16:30 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching property. Mar 10 14:16:30 jutta server: Mar 10, 2016 2:16:30 PM org.apache.tomcat.util.digester.SetPropertiesRule begin Mar 10 14:16:30 jutta server: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlValidation' to 'false' did not find a matching property. Mar 10 14:16:30 jutta server: Mar 10, 2016 2:16:30 PM org.apache.tomcat.util.digester.SetPropertiesRule begin Mar 10 14:16:30 jutta server: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlNamespaceAware' to 'false' did not find a matching property. 
Mar 10 14:16:30 jutta server: PKIListener: org.apache.catalina.core.StandardServer[before_init] Mar 10 14:16:30 jutta server: Mar 10, 2016 2:16:30 PM org.apache.coyote.AbstractProtocol init Mar 10 14:16:30 jutta server: INFO: Initializing ProtocolHandler ["http-bio-8080"] Mar 10 14:16:30 jutta server: Mar 10, 2016 2:16:30 PM org.apache.coyote.AbstractProtocol init Mar 10 14:16:30 jutta server: INFO: Initializing ProtocolHandler ["http-bio-8443"] Mar 10 14:16:30 jutta server: Error: SSL cipher "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss Mar 10 14:16:30 jutta server: Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" not recognized by tomcatjss Mar 10 14:16:30 jutta server: Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" not recognized by tomcatjss Mar 10 14:16:30 jutta server: Error: SSL cipher "TLS_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss Mar 10 14:16:30 jutta server: Error: SSL cipher "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss Mar 10 14:16:30 jutta server: Error: SSL cipher "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss Mar 10 14:16:30 jutta server: Error: SSL cipher "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" unsupported by NSS Mar 10 14:16:30 jutta server: Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" unsupported by NSS Mar 10 14:16:30 jutta server: Mar 10, 2016 2:16:30 PM org.apache.coyote.AbstractProtocol init Mar 10 14:16:30 jutta server: INFO: Initializing ProtocolHandler ["ajp-bio-127.0.0.1-8009"] Mar 10 14:16:30 jutta server: PKIListener: org.apache.catalina.core.StandardServer[after_init] Mar 10 14:16:30 jutta server: Mar 10, 2016 2:16:30 PM org.apache.catalina.startup.Catalina load Mar 10 14:16:30 jutta server: INFO: Initialization processed in 832 ms Mar 10 14:16:30 jutta server: PKIListener: org.apache.catalina.core.StandardServer[before_start] Mar 10 14:16:30 jutta server: PKIListener: org.apache.catalina.core.StandardServer[configure_start] Mar 10 14:16:30 jutta 
server: PKIListener: org.apache.catalina.core.StandardServer[start] Mar 10 14:16:30 jutta server: Mar 10, 2016 2:16:30 PM org.apache.catalina.core.StandardService startInternal Mar 10 14:16:30 jutta server: INFO: Starting service Catalina Mar 10 14:16:30 jutta server: Mar 10, 2016 2:16:30 PM org.apache.catalina.core.StandardEngine startInternal Mar 10 14:16:30 jutta server: INFO: Starting Servlet Engine: Apache Tomcat/7.0.54 Mar 10 14:16:30 jutta server: Mar 10, 2016 2:16:30 PM org.apache.catalina.startup.HostConfig deployDescriptor Mar 10 14:16:30 jutta server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml Mar 10 14:16:32 jutta server: Mar 10, 2016 2:16:32 PM org.apache.catalina.startup.HostConfig deployDescriptor Mar 10 14:16:32 jutta server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml has finished in 1,688 ms Mar 10 14:16:32 jutta server: Mar 10, 2016 2:16:32 PM org.apache.catalina.startup.HostConfig deployDescriptor Mar 10 14:16:32 jutta server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki#admin.xml Mar 10 14:16:33 jutta server: Mar 10, 2016 2:16:33 PM org.apache.catalina.startup.HostConfig deployDescriptor Mar 10 14:16:33 jutta server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki#admin.xml has finished in 1,303 ms Mar 10 14:16:33 jutta server: Mar 10, 2016 2:16:33 PM org.apache.catalina.startup.HostConfig deployDescriptor Mar 10 14:16:33 jutta server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki#js.xml Mar 10 14:16:34 jutta server: Mar 10, 2016 2:16:34 PM org.apache.catalina.startup.HostConfig deployDescriptor Mar 10 14:16:34 jutta server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki#js.xml has finished in 935 ms Mar 10 14:16:34 jutta server: Mar 10, 2016 2:16:34 PM org.apache.catalina.startup.HostConfig 
deployDescriptor Mar 10 14:16:34 jutta server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml Mar 10 14:16:34 jutta server: SSLAuthenticatorWithFallback: Creating SSL authenticator with fallback Mar 10 14:16:34 jutta server: SSLAuthenticatorWithFallback: Setting container Mar 10 14:16:36 jutta server: SSLAuthenticatorWithFallback: Initializing authenticators Mar 10 14:16:36 jutta server: SSLAuthenticatorWithFallback: Starting authenticators Mar 10 14:16:37 jutta server: testLDAPConnection connecting to jutta.cc.umanitoba.ca:389 Mar 10 14:16:37 jutta server: testLDAPConnection connecting to jutta.cc.umanitoba.ca:389 Mar 10 14:16:37 jutta server: testLDAPConnection: The specified user cn=Replication Manager masterAgreement1-jutta.cc.umanitoba.ca-pki-tomcat,cn=config does not exist Mar 10 14:16:37 jutta server: CMSEngine: init(): password test execution failed for replicationdbwith NO_SUCH_USER. This may not be a latest instance. Ignoring .. Mar 10 14:16:38 jutta server: CA is started. Mar 10 14:16:38 jutta server: Mar 10, 2016 2:16:38 PM org.apache.catalina.startup.HostConfig deployDescriptor Mar 10 14:16:38 jutta server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml has finished in 4,064 ms Mar 10 14:16:38 jutta server: Mar 10, 2016 2:16:38 PM org.apache.coyote.AbstractProtocol start Mar 10 14:16:38 jutta server: INFO: Starting ProtocolHandler ["http-bio-8080"] Mar 10 14:16:39 jutta server: Mar 10, 2016 2:16:39 PM org.apache.coyote.AbstractProtocol start Mar 10 14:16:39 jutta server: INFO: Starting ProtocolHandler ["http-bio-8443"] Mar 10 14:16:39 jutta server: Mar 10, 2016 2:16:39 PM org.apache.coyote.AbstractProtocol start Mar 10 14:16:39 jutta server: INFO: Starting ProtocolHandler ["ajp-bio-127.0.0.1-8009"] Mar 10 14:16:39 jutta server: PKIListener: org.apache.catalina.core.StandardServer[after_start] Mar 10 14:16:39 jutta server: PKIListener: Subsystem CA is running. 
Mar 10 14:16:39 jutta server: Mar 10, 2016 2:16:39 PM org.apache.catalina.startup.Catalina start Mar 10 14:16:39 jutta server: INFO: Server startup in 8088 ms Mar 10 14:16:42 jutta systemd: Reloading. Mar 10 14:16:42 jutta systemd: Configuration file /usr/lib/systemd/system/pki-tomcatd.target is marked executable. Please remove executable permission bits. Proceeding anyway. Mar 10 14:16:42 jutta systemd: Configuration file /lib/systemd/system/pki-tomcatd@.service is marked executable. Please remove executable permission bits. Proceeding anyway. Mar 10 14:16:42 jutta systemd: Configuration file /usr/lib/systemd/system/auditd.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway. Mar 10 14:16:42 jutta systemd: Configuration file /usr/lib/systemd/system/ebtables.service is marked executable. Please remove executable permission bits. Proceeding anyway. Mar 10 14:16:42 jutta systemd: Started D-Bus System Message Bus. Mar 10 14:16:42 jutta systemd: Started Certificate monitoring and PKI enrollment. Mar 10 14:16:46 jutta systemd: Stopping PKI Tomcat Server pki-tomcat...
Mar 10 14:16:46 jutta server: Java virtual machine used: /usr/lib/jvm/jre/bin/java Mar 10 14:16:46 jutta server: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar Mar 10 14:16:46 jutta server: main class used: org.apache.catalina.startup.Bootstrap Mar 10 14:16:46 jutta server: flags used: -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni Mar 10 14:16:46 jutta server: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager Mar 10 14:16:46 jutta server: arguments used: stop Mar 10 14:16:46 jutta server: Mar 10, 2016 2:16:46 PM org.apache.catalina.core.StandardServer await Mar 10 14:16:46 jutta server: INFO: A valid shutdown command was received via the shutdown port. Stopping the Server instance. Mar 10 14:16:46 jutta server: PKIListener: org.apache.catalina.core.StandardServer[before_stop] Mar 10 14:16:46 jutta server: PKIListener: org.apache.catalina.core.StandardServer[stop] Mar 10 14:16:46 jutta server: PKIListener: org.apache.catalina.core.StandardServer[configure_stop] Mar 10 14:16:46 jutta server: Mar 10, 2016 2:16:46 PM org.apache.coyote.AbstractProtocol pause Mar 10 14:16:46 jutta server: INFO: Pausing ProtocolHandler ["http-bio-8080"] Mar 10 14:16:47 jutta systemd: Starting PKI Tomcat Server pki-tomcat... Mar 10 14:16:47 jutta pkidaemon: SUCCESS: Successfully archived '/var/lib/pki/pki-tomcat/conf/ca/archives/CS.cfg.bak.20160310141647' Mar 10 14:16:47 jutta pkidaemon: SUCCESS: Successfully backed up '/var/lib/pki/pki-tomcat/conf/ca/CS.cfg.bak' Mar 10 14:16:47 jutta systemd: Started PKI Tomcat Server pki-tomcat. 
Mar 10 14:16:47 jutta server: Java virtual machine used: /usr/lib/jvm/jre/bin/java Mar 10 14:16:47 jutta server: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar Mar 10 14:16:47 jutta server: main class used: org.apache.catalina.startup.Bootstrap Mar 10 14:16:47 jutta server: flags used: -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni Mar 10 14:16:47 jutta server: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.manager -Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy Mar 10 14:16:47 jutta server: arguments used: start Mar 10 14:16:48 jutta server: Mar 10, 2016 2:16:48 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:16:48 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'enableOCSP' to 'false' did not find a matching property. Mar 10 14:16:48 jutta server: Mar 10, 2016 2:16:48 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:16:48 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderURL' to 'http://jutta.cc.umanitoba.ca:9080/ca/ocsp' did not find a matching property. Mar 10 14:16:48 jutta server: Mar 10, 2016 2:16:48 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:16:48 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderCertNickname' to 'ocspSigningCert cert-pki-ca' did not find a matching property. 
Mar 10 14:16:48 jutta server: Mar 10, 2016 2:16:48 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:16:48 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspCacheSize' to '1000' did not find a matching property. Mar 10 14:16:48 jutta server: Mar 10, 2016 2:16:48 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:16:48 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMinCacheEntryDuration' to '60' did not find a matching property. Mar 10 14:16:48 jutta server: Mar 10, 2016 2:16:48 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:16:48 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMaxCacheEntryDuration' to '120' did not find a matching property. Mar 10 14:16:48 jutta server: Mar 10, 2016 2:16:48 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:16:48 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspTimeout' to '10' did not find a matching property. Mar 10 14:16:48 jutta server: Mar 10, 2016 2:16:48 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:16:48 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'strictCiphers' to 'true' did not find a matching property. Mar 10 14:16:48 jutta server: Mar 10, 2016 2:16:48 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:16:48 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslOptions' to 'ssl2=false,ssl3=false,tls=true' did not find a matching property. 
Mar 10 14:16:48 jutta server: Mar 10, 2016 2:16:48 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:16:48 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl2Ciphers' to '-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5' did not find a matching property. Mar 10 14:16:48 jutta server: Mar 10, 2016 2:16:48 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:16:48 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl3Ciphers' to '-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA' did not find a matching property. 
Mar 10 14:16:48 jutta server: Mar 10, 2016 2:16:48 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:16:48 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'tlsCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA' did not find a matching property. Mar 10 14:16:48 jutta server: Mar 10, 2016 2:16:48 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:16:48 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeStream' to 'tls1_0:tls1_2' did not find a matching property. Mar 10 14:16:48 jutta server: Mar 10, 2016 2:16:48 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:16:48 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeDatagram' to 'tls1_1:tls1_2' did not find a matching property. 
Mar 10 14:16:48 jutta server: Mar 10, 2016 2:16:48 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:16:48 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslRangeCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256' did not find a matching property. Mar 10 14:16:48 jutta server: Mar 10, 2016 2:16:48 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:16:48 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'serverCertNickFile' to '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did not find a matching property. 
Mar 10 14:16:48 jutta server: Mar 10, 2016 2:16:48 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:16:48 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not find a matching property. Mar 10 14:16:48 jutta server: Mar 10, 2016 2:16:48 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:16:48 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile' did not find a matching property. Mar 10 14:16:48 jutta server: Mar 10, 2016 2:16:48 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:16:48 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching property. Mar 10 14:16:48 jutta server: Mar 10, 2016 2:16:48 PM org.apache.tomcat.util.digester.SetPropertiesRule begin Mar 10 14:16:48 jutta server: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlValidation' to 'false' did not find a matching property. Mar 10 14:16:48 jutta server: Mar 10, 2016 2:16:48 PM org.apache.tomcat.util.digester.SetPropertiesRule begin Mar 10 14:16:48 jutta server: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlNamespaceAware' to 'false' did not find a matching property. 
Mar 10 14:16:48 jutta server: PKIListener: org.apache.catalina.core.StandardServer[before_init] Mar 10 14:16:48 jutta server: Mar 10, 2016 2:16:48 PM org.apache.coyote.AbstractProtocol init Mar 10 14:16:48 jutta server: INFO: Initializing ProtocolHandler ["http-bio-8080"] Mar 10 14:16:48 jutta server: Mar 10, 2016 2:16:48 PM org.apache.coyote.AbstractProtocol init Mar 10 14:16:48 jutta server: INFO: Initializing ProtocolHandler ["http-bio-8443"] Mar 10 14:16:48 jutta server: Error: SSL cipher "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss Mar 10 14:16:48 jutta server: Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" not recognized by tomcatjss Mar 10 14:16:48 jutta server: Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" not recognized by tomcatjss Mar 10 14:16:48 jutta server: Error: SSL cipher "TLS_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss Mar 10 14:16:48 jutta server: Error: SSL cipher "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss Mar 10 14:16:48 jutta server: Error: SSL cipher "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss Mar 10 14:16:48 jutta server: Error: SSL cipher "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" unsupported by NSS Mar 10 14:16:48 jutta server: Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" unsupported by NSS Mar 10 14:16:48 jutta server: Mar 10, 2016 2:16:48 PM org.apache.coyote.AbstractProtocol init Mar 10 14:16:48 jutta server: INFO: Initializing ProtocolHandler ["ajp-bio-127.0.0.1-8009"] Mar 10 14:16:48 jutta server: PKIListener: org.apache.catalina.core.StandardServer[after_init] Mar 10 14:16:48 jutta server: Mar 10, 2016 2:16:48 PM org.apache.catalina.startup.Catalina load Mar 10 14:16:48 jutta server: INFO: Initialization processed in 795 ms Mar 10 14:16:48 jutta server: PKIListener: org.apache.catalina.core.StandardServer[before_start] Mar 10 14:16:48 jutta server: PKIListener: org.apache.catalina.core.StandardServer[configure_start] Mar 10 14:16:48 jutta 
server: PKIListener: org.apache.catalina.core.StandardServer[start] Mar 10 14:16:48 jutta server: Mar 10, 2016 2:16:48 PM org.apache.catalina.core.StandardService startInternal Mar 10 14:16:48 jutta server: INFO: Starting service Catalina Mar 10 14:16:48 jutta server: Mar 10, 2016 2:16:48 PM org.apache.catalina.core.StandardEngine startInternal Mar 10 14:16:48 jutta server: INFO: Starting Servlet Engine: Apache Tomcat/7.0.54 Mar 10 14:16:48 jutta server: Mar 10, 2016 2:16:48 PM org.apache.catalina.startup.HostConfig deployDescriptor Mar 10 14:16:48 jutta server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml Mar 10 14:16:50 jutta server: Mar 10, 2016 2:16:50 PM org.apache.catalina.startup.HostConfig deployDescriptor Mar 10 14:16:50 jutta server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml has finished in 1,660 ms Mar 10 14:16:50 jutta server: Mar 10, 2016 2:16:50 PM org.apache.catalina.startup.HostConfig deployDescriptor Mar 10 14:16:50 jutta server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki#admin.xml Mar 10 14:16:51 jutta server: Mar 10, 2016 2:16:51 PM org.apache.catalina.startup.HostConfig deployDescriptor Mar 10 14:16:51 jutta server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki#admin.xml has finished in 1,276 ms Mar 10 14:16:51 jutta server: Mar 10, 2016 2:16:51 PM org.apache.catalina.startup.HostConfig deployDescriptor Mar 10 14:16:51 jutta server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki#js.xml Mar 10 14:16:52 jutta server: Mar 10, 2016 2:16:52 PM org.apache.catalina.startup.HostConfig deployDescriptor Mar 10 14:16:52 jutta server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki#js.xml has finished in 906 ms Mar 10 14:16:52 jutta server: Mar 10, 2016 2:16:52 PM org.apache.catalina.startup.HostConfig 
deployDescriptor Mar 10 14:16:52 jutta server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml Mar 10 14:16:52 jutta server: SSLAuthenticatorWithFallback: Creating SSL authenticator with fallback Mar 10 14:16:52 jutta server: SSLAuthenticatorWithFallback: Setting container Mar 10 14:16:54 jutta server: SSLAuthenticatorWithFallback: Initializing authenticators Mar 10 14:16:54 jutta server: SSLAuthenticatorWithFallback: Starting authenticators Mar 10 14:16:54 jutta server: testLDAPConnection connecting to jutta.cc.umanitoba.ca:389 Mar 10 14:16:54 jutta server: testLDAPConnection connecting to jutta.cc.umanitoba.ca:389 Mar 10 14:16:54 jutta server: testLDAPConnection: The specified user cn=Replication Manager masterAgreement1-jutta.cc.umanitoba.ca-pki-tomcat,cn=config does not exist Mar 10 14:16:54 jutta server: CMSEngine: init(): password test execution failed for replicationdbwith NO_SUCH_USER. This may not be a latest instance. Ignoring .. Mar 10 14:16:55 jutta server: CA is started. Mar 10 14:16:55 jutta server: Mar 10, 2016 2:16:55 PM org.apache.catalina.startup.HostConfig deployDescriptor Mar 10 14:16:55 jutta server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml has finished in 3,049 ms Mar 10 14:16:55 jutta server: Mar 10, 2016 2:16:55 PM org.apache.coyote.AbstractProtocol start Mar 10 14:16:55 jutta server: INFO: Starting ProtocolHandler ["http-bio-8080"] Mar 10 14:16:55 jutta server: Mar 10, 2016 2:16:55 PM org.apache.coyote.AbstractProtocol start Mar 10 14:16:55 jutta server: INFO: Starting ProtocolHandler ["http-bio-8443"] Mar 10 14:16:55 jutta server: Mar 10, 2016 2:16:55 PM org.apache.coyote.AbstractProtocol start Mar 10 14:16:55 jutta server: INFO: Starting ProtocolHandler ["ajp-bio-127.0.0.1-8009"] Mar 10 14:16:55 jutta server: PKIListener: org.apache.catalina.core.StandardServer[after_start] Mar 10 14:16:55 jutta server: PKIListener: Subsystem CA is running. 
Mar 10 14:16:55 jutta server: Mar 10, 2016 2:16:55 PM org.apache.catalina.startup.Catalina start Mar 10 14:16:55 jutta server: INFO: Server startup in 6979 ms Mar 10 14:16:57 jutta server: SSLAuthenticatorWithFallback: Authenticate with client certificate authentication Mar 10 14:16:57 jutta server: PKIRealm: Authenticating certificate chain: Mar 10 14:16:57 jutta server: PKIRealm: CN=IPA RA, O=UOFMT1 Mar 10 14:16:57 jutta server: PKIRealm: User ID: ipara Mar 10 14:16:57 jutta server: PKIRealm: User DN: uid=ipara,ou=people,o=ipaca Mar 10 14:16:57 jutta server: PKIRealm: Roles: Mar 10 14:16:57 jutta server: PKIRealm: Certificate Manager Agents Mar 10 14:16:57 jutta server: PKIRealm: Registration Manager Agents Mar 10 14:16:57 jutta server: 14:16:57,594 INFO (org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher:82) - Deploying javax.ws.rs.core.Application: class org.dogtagpki.server.ca.rest.CAApplication Mar 10 14:16:57 jutta server: 14:16:57,601 INFO (org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher:82) - Adding class resource org.dogtagpki.server.rest.AccountService from Application class org.dogtagpki.server.ca.rest.CAApplication Mar 10 14:16:57 jutta server: 14:16:57,603 INFO (org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher:82) - Adding class resource org.dogtagpki.server.rest.AuditService from Application class org.dogtagpki.server.ca.rest.CAApplication Mar 10 14:16:57 jutta server: 14:16:57,603 INFO (org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher:82) - Adding class resource org.dogtagpki.server.ca.rest.CAInstallerService from Application class org.dogtagpki.server.ca.rest.CAApplication Mar 10 14:16:57 jutta server: 14:16:57,603 INFO (org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher:82) - Adding class resource org.dogtagpki.server.ca.rest.CertService from Application class org.dogtagpki.server.ca.rest.CAApplication Mar 10 14:16:57 jutta server: 14:16:57,604 INFO 
(org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher:82) - Adding class resource org.dogtagpki.server.ca.rest.CertRequestService from Application class org.dogtagpki.server.ca.rest.CAApplication Mar 10 14:16:57 jutta server: 14:16:57,604 INFO (org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher:82) - Adding class resource org.dogtagpki.server.ca.rest.ProfileService from Application class org.dogtagpki.server.ca.rest.CAApplication Mar 10 14:16:57 jutta server: 14:16:57,604 INFO (org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher:82) - Adding class resource org.dogtagpki.server.rest.SelfTestService from Application class org.dogtagpki.server.ca.rest.CAApplication Mar 10 14:16:57 jutta server: 14:16:57,605 INFO (org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher:82) - Adding class resource org.dogtagpki.server.rest.GroupService from Application class org.dogtagpki.server.ca.rest.CAApplication Mar 10 14:16:57 jutta server: 14:16:57,605 INFO (org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher:82) - Adding class resource org.dogtagpki.server.rest.UserService from Application class org.dogtagpki.server.ca.rest.CAApplication Mar 10 14:16:57 jutta server: 14:16:57,605 INFO (org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher:82) - Adding class resource org.dogtagpki.server.rest.SystemCertService from Application class org.dogtagpki.server.ca.rest.CAApplication Mar 10 14:16:57 jutta server: 14:16:57,606 INFO (org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher:82) - Adding class resource org.dogtagpki.server.ca.rest.KRAConnectorService from Application class org.dogtagpki.server.ca.rest.CAApplication Mar 10 14:16:57 jutta server: 14:16:57,606 INFO (org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher:82) - Adding class resource org.dogtagpki.server.rest.SecurityDomainService from Application class org.dogtagpki.server.ca.rest.CAApplication 
Mar 10 14:16:57 jutta server: 14:16:57,606 INFO (org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher:82) - Adding provider class org.dogtagpki.server.rest.PKIExceptionMapper from Application class org.dogtagpki.server.ca.rest.CAApplication Mar 10 14:16:57 jutta server: 14:16:57,606 INFO (org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher:82) - Adding singleton provider org.dogtagpki.server.rest.SessionContextInterceptor from Application class org.dogtagpki.server.ca.rest.CAApplication Mar 10 14:16:57 jutta server: 14:16:57,607 INFO (org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher:82) - Adding singleton provider org.dogtagpki.server.rest.AuthMethodInterceptor from Application class org.dogtagpki.server.ca.rest.CAApplication Mar 10 14:16:57 jutta server: 14:16:57,608 INFO (org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher:82) - Adding singleton provider org.dogtagpki.server.rest.ACLInterceptor from Application class org.dogtagpki.server.ca.rest.CAApplication Mar 10 14:16:57 jutta server: 14:16:57,608 INFO (org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher:82) - Adding singleton provider org.dogtagpki.server.rest.MessageFormatInterceptor from Application class org.dogtagpki.server.ca.rest.CAApplication Mar 10 14:16:57 jutta server: 14:16:57,851 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /account/login Mar 10 14:16:57 jutta server: Creating session AB255C61B563D1E461496A9103C30776 Mar 10 14:16:57 jutta server: Principal: GenericPrincipal[ipara(Certificate Manager Agents,Registration Manager Agents,)] Mar 10 14:16:57 jutta server: 14:16:57,998 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/raw Mar 10 14:16:58 jutta server: 14:16:58,300 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/caUserCert Mar 10 14:16:58 jutta server: 14:16:58,354 DEBUG 
Authenticating certificate chain: Mar 10 14:17:04 jutta server: PKIRealm: CN=IPA RA, O=UOFMT1 Mar 10 14:17:04 jutta server: PKIRealm: User ID: ipara Mar 10 14:17:04 jutta server: PKIRealm: User DN: uid=ipara,ou=people,o=ipaca Mar 10 14:17:04 jutta server: PKIRealm: Roles: Mar 10 14:17:04 jutta server: PKIRealm: Certificate Manager Agents Mar 10 14:17:04 jutta server: PKIRealm: Registration Manager Agents Mar 10 14:17:04 jutta server: 14:17:04,414 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /account/logout Mar 10 14:17:04 jutta server: Destroying session 9D1A0E4A5BAEC3061D8D4570514CEE1F Mar 10 14:17:04 jutta server: SSLAuthenticatorWithFallback: Authenticate with client certificate authentication Mar 10 14:17:04 jutta server: PKIRealm: Authenticating certificate chain: Mar 10 14:17:04 jutta server: PKIRealm: CN=IPA RA, O=UOFMT1 Mar 10 14:17:04 jutta server: PKIRealm: User ID: ipara Mar 10 14:17:04 jutta server: PKIRealm: User DN: uid=ipara,ou=people,o=ipaca Mar 10 14:17:04 jutta server: PKIRealm: Roles: Mar 10 14:17:04 jutta server: PKIRealm: Certificate Manager Agents Mar 10 14:17:04 jutta server: PKIRealm: Registration Manager Agents Mar 10 14:17:04 jutta server: 14:17:04,446 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /account/login Mar 10 14:17:04 jutta server: Creating session A1F6673CCD8C2CB174DAEF2BFC7A4255 Mar 10 14:17:04 jutta server: Principal: GenericPrincipal[ipara(Certificate Manager Agents,Registration Manager Agents,)] Mar 10 14:17:04 jutta server: 14:17:04,469 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/raw Mar 10 14:17:04 jutta server: 14:17:04,492 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/caTransportCert Mar 10 14:17:04 jutta server: 14:17:04,530 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/caTransportCert/raw Mar 10 14:17:04 jutta server: 14:17:04,607 DEBUG 
(org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/caTransportCert Mar 10 14:17:04 jutta server: SSLAuthenticatorWithFallback: Authenticate with client certificate authentication Mar 10 14:17:04 jutta server: PKIRealm: Authenticating certificate chain: Mar 10 14:17:04 jutta server: PKIRealm: CN=IPA RA, O=UOFMT1 Mar 10 14:17:04 jutta server: PKIRealm: User ID: ipara Mar 10 14:17:04 jutta server: PKIRealm: User DN: uid=ipara,ou=people,o=ipaca Mar 10 14:17:04 jutta server: PKIRealm: Roles: Mar 10 14:17:04 jutta server: PKIRealm: Certificate Manager Agents Mar 10 14:17:04 jutta server: PKIRealm: Registration Manager Agents Mar 10 14:17:04 jutta server: 14:17:04,648 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /account/logout Mar 10 14:17:04 jutta server: Destroying session F4D03385CF5CFFAC8AECE8D5FC625FD4 Mar 10 14:17:04 jutta server: SSLAuthenticatorWithFallback: Authenticate with client certificate authentication Mar 10 14:17:04 jutta server: PKIRealm: Authenticating certificate chain: Mar 10 14:17:04 jutta server: PKIRealm: CN=IPA RA, O=UOFMT1 Mar 10 14:17:04 jutta server: PKIRealm: User ID: ipara Mar 10 14:17:04 jutta server: PKIRealm: User DN: uid=ipara,ou=people,o=ipaca Mar 10 14:17:04 jutta server: PKIRealm: Roles: Mar 10 14:17:04 jutta server: PKIRealm: Certificate Manager Agents Mar 10 14:17:04 jutta server: PKIRealm: Registration Manager Agents Mar 10 14:17:04 jutta server: 14:17:04,675 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /account/login Mar 10 14:17:04 jutta server: Creating session 1EFC3FE33D1562AA0E8568B34A6A96D6 Mar 10 14:17:04 jutta server: Principal: GenericPrincipal[ipara(Certificate Manager Agents,Registration Manager Agents,)] Mar 10 14:17:04 jutta server: 14:17:04,697 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/raw Mar 10 14:17:04 jutta server: 14:17:04,720 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: 
/profiles/caDirPinUserCert Mar 10 14:17:04 jutta server: 14:17:04,757 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/caDirPinUserCert/raw Mar 10 14:17:04 jutta server: 14:17:04,833 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/caDirPinUserCert Mar 10 14:17:04 jutta server: SSLAuthenticatorWithFallback: Authenticate with client certificate authentication Mar 10 14:17:04 jutta server: PKIRealm: Authenticating certificate chain: Mar 10 14:17:04 jutta server: PKIRealm: CN=IPA RA, O=UOFMT1 Mar 10 14:17:04 jutta server: PKIRealm: User ID: ipara Mar 10 14:17:04 jutta server: PKIRealm: User DN: uid=ipara,ou=people,o=ipaca Mar 10 14:17:04 jutta server: PKIRealm: Roles: Mar 10 14:17:04 jutta server: PKIRealm: Certificate Manager Agents Mar 10 14:17:04 jutta server: PKIRealm: Registration Manager Agents Mar 10 14:17:04 jutta server: 14:17:04,875 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /account/logout Mar 10 14:17:04 jutta server: Destroying session 5C134F2FD9C13A6F5B153C4D53A36B8B Mar 10 14:17:04 jutta server: SSLAuthenticatorWithFallback: Authenticate with client certificate authentication Mar 10 14:17:04 jutta server: PKIRealm: Authenticating certificate chain: Mar 10 14:17:04 jutta server: PKIRealm: CN=IPA RA, O=UOFMT1 Mar 10 14:17:04 jutta server: PKIRealm: User ID: ipara Mar 10 14:17:04 jutta server: PKIRealm: User DN: uid=ipara,ou=people,o=ipaca Mar 10 14:17:04 jutta server: PKIRealm: Roles: Mar 10 14:17:04 jutta server: PKIRealm: Certificate Manager Agents Mar 10 14:17:04 jutta server: PKIRealm: Registration Manager Agents Mar 10 14:17:04 jutta server: 14:17:04,909 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /account/login Mar 10 14:17:04 jutta server: Creating session BE390BF3BEA705732C04DE546EF1DE7C Mar 10 14:17:04 jutta server: Principal: GenericPrincipal[ipara(Certificate Manager Agents,Registration Manager Agents,)] Mar 10 14:17:04 jutta server: 
14:17:04,933 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/raw Mar 10 14:17:04 jutta server: 14:17:04,960 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/caDirUserCert Mar 10 14:17:04 jutta server: 14:17:04,996 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/caDirUserCert/raw Mar 10 14:17:05 jutta server: 14:17:05,072 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/caDirUserCert Mar 10 14:17:05 jutta server: SSLAuthenticatorWithFallback: Authenticate with client certificate authentication Mar 10 14:17:05 jutta server: PKIRealm: Authenticating certificate chain: Mar 10 14:17:05 jutta server: PKIRealm: CN=IPA RA, O=UOFMT1 Mar 10 14:17:05 jutta server: PKIRealm: User ID: ipara Mar 10 14:17:05 jutta server: PKIRealm: User DN: uid=ipara,ou=people,o=ipaca Mar 10 14:17:05 jutta server: PKIRealm: Roles: Mar 10 14:17:05 jutta server: PKIRealm: Certificate Manager Agents Mar 10 14:17:05 jutta server: PKIRealm: Registration Manager Agents Mar 10 14:17:05 jutta server: 14:17:05,108 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /account/logout Mar 10 14:17:05 jutta server: Destroying session 36931D1AFA25805C92278A1D37EFCB0C Mar 10 14:17:05 jutta server: SSLAuthenticatorWithFallback: Authenticate with client certificate authentication Mar 10 14:17:05 jutta server: PKIRealm: Authenticating certificate chain: Mar 10 14:17:05 jutta server: PKIRealm: CN=IPA RA, O=UOFMT1 Mar 10 14:17:05 jutta server: PKIRealm: User ID: ipara Mar 10 14:17:05 jutta server: PKIRealm: User DN: uid=ipara,ou=people,o=ipaca Mar 10 14:17:05 jutta server: PKIRealm: Roles: Mar 10 14:17:05 jutta server: PKIRealm: Certificate Manager Agents Mar 10 14:17:05 jutta server: PKIRealm: Registration Manager Agents Mar 10 14:17:05 jutta server: 14:17:05,136 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /account/login Mar 10 14:17:05 jutta server: 
Creating session A8F1AA7F7DD567BFC7D8FA50BFC078A9 Mar 10 14:17:05 jutta server: Principal: GenericPrincipal[ipara(Certificate Manager Agents,Registration Manager Agents,)] Mar 10 14:17:05 jutta server: 14:17:05,156 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/raw Mar 10 14:17:05 jutta server: 14:17:05,178 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/caECDirUserCert Mar 10 14:17:05 jutta server: 14:17:05,211 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/caECDirUserCert/raw Mar 10 14:17:05 jutta server: 14:17:05,288 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/caECDirUserCert Mar 10 14:17:05 jutta server: SSLAuthenticatorWithFallback: Authenticate with client certificate authentication Mar 10 14:17:05 jutta server: PKIRealm: Authenticating certificate chain: Mar 10 14:17:05 jutta server: PKIRealm: CN=IPA RA, O=UOFMT1 Mar 10 14:17:05 jutta server: PKIRealm: User ID: ipara Mar 10 14:17:05 jutta server: PKIRealm: User DN: uid=ipara,ou=people,o=ipaca Mar 10 14:17:05 jutta server: PKIRealm: Roles: Mar 10 14:17:05 jutta server: PKIRealm: Certificate Manager Agents Mar 10 14:17:05 jutta server: PKIRealm: Registration Manager Agents Mar 10 14:17:05 jutta server: 14:17:05,325 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /account/logout Mar 10 14:17:05 jutta server: Destroying session 46B52D106CF70DE714934C388B34631A Mar 10 14:17:05 jutta server: SSLAuthenticatorWithFallback: Authenticate with client certificate authentication Mar 10 14:17:05 jutta server: PKIRealm: Authenticating certificate chain: Mar 10 14:17:05 jutta server: PKIRealm: CN=IPA RA, O=UOFMT1 Mar 10 14:17:05 jutta server: PKIRealm: User ID: ipara Mar 10 14:17:05 jutta server: PKIRealm: User DN: uid=ipara,ou=people,o=ipaca Mar 10 14:17:05 jutta server: PKIRealm: Roles: Mar 10 14:17:05 jutta server: PKIRealm: Certificate Manager Agents Mar 10 14:17:05 jutta 
server: PKIRealm: Registration Manager Agents Mar 10 14:17:05 jutta server: 14:17:05,353 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /account/login Mar 10 14:17:05 jutta server: Creating session D808B1919A26A901C4C62C2D9DF12158 Mar 10 14:17:05 jutta server: Principal: GenericPrincipal[ipara(Certificate Manager Agents,Registration Manager Agents,)] Mar 10 14:17:05 jutta server: 14:17:05,374 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/raw Mar 10 14:17:05 jutta server: 14:17:05,397 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/caAgentServerCert Mar 10 14:17:05 jutta server: 14:17:05,433 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/caAgentServerCert/raw Mar 10 14:17:05 jutta server: 14:17:05,516 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/caAgentServerCert Mar 10 14:17:05 jutta server: SSLAuthenticatorWithFallback: Authenticate with client certificate authentication Mar 10 14:17:05 jutta server: PKIRealm: Authenticating certificate chain: Mar 10 14:17:05 jutta server: PKIRealm: CN=IPA RA, O=UOFMT1 Mar 10 14:17:05 jutta server: PKIRealm: User ID: ipara Mar 10 14:17:05 jutta server: PKIRealm: User DN: uid=ipara,ou=people,o=ipaca Mar 10 14:17:05 jutta server: PKIRealm: Roles: Mar 10 14:17:05 jutta server: PKIRealm: Certificate Manager Agents Mar 10 14:17:05 jutta server: PKIRealm: Registration Manager Agents Mar 10 14:17:05 jutta server: 14:17:05,560 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /account/logout Mar 10 14:17:05 jutta server: Destroying session 3D235AA6C653C1B80E4FA771AD767B18 Mar 10 14:17:05 jutta server: SSLAuthenticatorWithFallback: Authenticate with client certificate authentication Mar 10 14:17:05 jutta server: PKIRealm: Authenticating certificate chain: Mar 10 14:17:05 jutta server: PKIRealm: CN=IPA RA, O=UOFMT1 Mar 10 14:17:05 jutta server: PKIRealm: User ID: ipara Mar 
10 14:17:05 jutta server: PKIRealm: User DN: uid=ipara,ou=people,o=ipaca Mar 10 14:17:05 jutta server: PKIRealm: Roles: Mar 10 14:17:05 jutta server: PKIRealm: Certificate Manager Agents Mar 10 14:17:05 jutta server: PKIRealm: Registration Manager Agents Mar 10 14:17:05 jutta server: 14:17:05,586 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /account/login Mar 10 14:17:05 jutta server: Creating session 9E9C403F1482EE1174F0FEDC4718632A Mar 10 14:17:05 jutta server: Principal: GenericPrincipal[ipara(Certificate Manager Agents,Registration Manager Agents,)] Mar 10 14:17:05 jutta server: 14:17:05,616 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/raw Mar 10 14:17:05 jutta server: 14:17:05,647 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/caAgentFileSigning Mar 10 14:17:05 jutta server: 14:17:05,680 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/caAgentFileSigning/raw Mar 10 14:17:05 jutta server: 14:17:05,755 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/caAgentFileSigning Mar 10 14:17:05 jutta server: SSLAuthenticatorWithFallback: Authenticate with client certificate authentication Mar 10 14:17:05 jutta server: PKIRealm: Authenticating certificate chain: Mar 10 14:17:05 jutta server: PKIRealm: CN=IPA RA, O=UOFMT1 Mar 10 14:17:05 jutta server: PKIRealm: User ID: ipara Mar 10 14:17:05 jutta server: PKIRealm: User DN: uid=ipara,ou=people,o=ipaca Mar 10 14:17:05 jutta server: PKIRealm: Roles: Mar 10 14:17:05 jutta server: PKIRealm: Certificate Manager Agents Mar 10 14:17:05 jutta server: PKIRealm: Registration Manager Agents Mar 10 14:17:05 jutta server: 14:17:05,792 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /account/logout Mar 10 14:17:05 jutta server: Destroying session 93B188805FC8157221E2EC5505F3E817 Mar 10 14:17:05 jutta server: SSLAuthenticatorWithFallback: Authenticate with client 
certificate authentication Mar 10 14:17:05 jutta server: PKIRealm: Authenticating certificate chain: Mar 10 14:17:05 jutta server: PKIRealm: CN=IPA RA, O=UOFMT1 Mar 10 14:17:05 jutta server: PKIRealm: User ID: ipara Mar 10 14:17:05 jutta server: PKIRealm: User DN: uid=ipara,ou=people,o=ipaca Mar 10 14:17:05 jutta server: PKIRealm: Roles: Mar 10 14:17:05 jutta server: PKIRealm: Certificate Manager Agents Mar 10 14:17:05 jutta server: PKIRealm: Registration Manager Agents Mar 10 14:17:05 jutta server: 14:17:05,821 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /account/login Mar 10 14:17:05 jutta server: Creating session 9BF513D4B6774B7A0427A55C34BBDC11 Mar 10 14:17:05 jutta server: Principal: GenericPrincipal[ipara(Certificate Manager Agents,Registration Manager Agents,)] Mar 10 14:17:05 jutta server: 14:17:05,843 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/raw Mar 10 14:17:05 jutta server: 14:17:05,868 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/caCMCUserCert Mar 10 14:17:05 jutta server: 14:17:05,901 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/caCMCUserCert/raw Mar 10 14:17:05 jutta server: 14:17:05,976 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/caCMCUserCert Mar 10 14:17:06 jutta server: SSLAuthenticatorWithFallback: Authenticate with client certificate authentication Mar 10 14:17:06 jutta server: PKIRealm: Authenticating certificate chain: Mar 10 14:17:06 jutta server: PKIRealm: CN=IPA RA, O=UOFMT1 Mar 10 14:17:06 jutta server: PKIRealm: User ID: ipara Mar 10 14:17:06 jutta server: PKIRealm: User DN: uid=ipara,ou=people,o=ipaca Mar 10 14:17:06 jutta server: PKIRealm: Roles: Mar 10 14:17:06 jutta server: PKIRealm: Certificate Manager Agents Mar 10 14:17:06 jutta server: PKIRealm: Registration Manager Agents Mar 10 14:17:06 jutta server: 14:17:06,012 DEBUG 
(org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /account/logout Mar 10 14:17:06 jutta server: Destroying session AC08108710C17A38FAC6D71EBBE37D54 Mar 10 14:17:06 jutta server: SSLAuthenticatorWithFallback: Authenticate with client certificate authentication Mar 10 14:17:06 jutta server: PKIRealm: Authenticating certificate chain: Mar 10 14:17:06 jutta server: PKIRealm: CN=IPA RA, O=UOFMT1 Mar 10 14:17:06 jutta server: PKIRealm: User ID: ipara Mar 10 14:17:06 jutta server: PKIRealm: User DN: uid=ipara,ou=people,o=ipaca Mar 10 14:17:06 jutta server: PKIRealm: Roles: Mar 10 14:17:06 jutta server: PKIRealm: Certificate Manager Agents Mar 10 14:17:06 jutta server: PKIRealm: Registration Manager Agents Mar 10 14:17:06 jutta server: 14:17:06,039 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /account/login Mar 10 14:17:06 jutta server: Creating session 149A8242F9F5F0AB926A6451BF1E77F6 Mar 10 14:17:06 jutta server: Principal: GenericPrincipal[ipara(Certificate Manager Agents,Registration Manager Agents,)] Mar 10 14:17:06 jutta server: 14:17:06,059 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/raw Mar 10 14:17:06 jutta server: 14:17:06,081 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/caFullCMCUserCert Mar 10 14:17:06 jutta server: 14:17:06,115 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/caFullCMCUserCert/raw Mar 10 14:17:06 jutta server: 14:17:06,198 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/caFullCMCUserCert Mar 10 14:17:06 jutta server: SSLAuthenticatorWithFallback: Authenticate with client certificate authentication Mar 10 14:17:06 jutta server: PKIRealm: Authenticating certificate chain: Mar 10 14:17:06 jutta server: PKIRealm: CN=IPA RA, O=UOFMT1 Mar 10 14:17:06 jutta server: PKIRealm: User ID: ipara Mar 10 14:17:06 jutta server: PKIRealm: User DN: uid=ipara,ou=people,o=ipaca Mar 10 14:17:06 jutta 
server: PKIRealm: Roles: Mar 10 14:17:06 jutta server: PKIRealm: Certificate Manager Agents Mar 10 14:17:06 jutta server: PKIRealm: Registration Manager Agents Mar 10 14:17:06 jutta server: 14:17:06,239 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /account/logout Mar 10 14:17:06 jutta server: Destroying session 1A3B8761DF6B032A1286140857945EDB Mar 10 14:17:06 jutta server: SSLAuthenticatorWithFallback: Authenticate with client certificate authentication Mar 10 14:17:06 jutta server: PKIRealm: Authenticating certificate chain: Mar 10 14:17:06 jutta server: PKIRealm: CN=IPA RA, O=UOFMT1 Mar 10 14:17:06 jutta server: PKIRealm: User ID: ipara Mar 10 14:17:06 jutta server: PKIRealm: User DN: uid=ipara,ou=people,o=ipaca Mar 10 14:17:06 jutta server: PKIRealm: Roles: Mar 10 14:17:06 jutta server: PKIRealm: Certificate Manager Agents Mar 10 14:17:06 jutta server: PKIRealm: Registration Manager Agents Mar 10 14:17:06 jutta server: 14:17:06,265 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /account/login Mar 10 14:17:06 jutta server: Creating session EA1A0B9C20737BC692B5DE07B9865C86 Mar 10 14:17:06 jutta server: Principal: GenericPrincipal[ipara(Certificate Manager Agents,Registration Manager Agents,)] Mar 10 14:17:06 jutta server: 14:17:06,288 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/raw Mar 10 14:17:06 jutta server: 14:17:06,312 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/caSimpleCMCUserCert Mar 10 14:17:06 jutta server: 14:17:06,355 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/caSimpleCMCUserCert/raw Mar 10 14:17:06 jutta server: 14:17:06,437 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/caSimpleCMCUserCert Mar 10 14:17:06 jutta server: SSLAuthenticatorWithFallback: Authenticate with client certificate authentication Mar 10 14:17:06 jutta server: PKIRealm: Authenticating certificate 
chain: Mar 10 14:17:06 jutta server: PKIRealm: CN=IPA RA, O=UOFMT1 Mar 10 14:17:06 jutta server: PKIRealm: User ID: ipara Mar 10 14:17:06 jutta server: PKIRealm: User DN: uid=ipara,ou=people,o=ipaca Mar 10 14:17:06 jutta server: PKIRealm: Roles: Mar 10 14:17:06 jutta server: PKIRealm: Certificate Manager Agents Mar 10 14:17:06 jutta server: PKIRealm: Registration Manager Agents Mar 10 14:17:06 jutta server: 14:17:06,479 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /account/logout Mar 10 14:17:06 jutta server: Destroying session 164553884AA15484CFF987B8CC1599EC Mar 10 14:17:06 jutta server: SSLAuthenticatorWithFallback: Authenticate with client certificate authentication Mar 10 14:17:06 jutta server: PKIRealm: Authenticating certificate chain: Mar 10 14:17:06 jutta server: PKIRealm: CN=IPA RA, O=UOFMT1 Mar 10 14:17:06 jutta server: PKIRealm: User ID: ipara Mar 10 14:17:06 jutta server: PKIRealm: User DN: uid=ipara,ou=people,o=ipaca Mar 10 14:17:06 jutta server: PKIRealm: Roles: Mar 10 14:17:06 jutta server: PKIRealm: Certificate Manager Agents Mar 10 14:17:06 jutta server: PKIRealm: Registration Manager Agents Mar 10 14:17:06 jutta server: 14:17:06,506 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /account/login Mar 10 14:17:06 jutta server: Creating session 484921892F892939C8A8198D8E8791AA Mar 10 14:17:06 jutta server: Principal: GenericPrincipal[ipara(Certificate Manager Agents,Registration Manager Agents,)] Mar 10 14:17:06 jutta server: 14:17:06,526 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/raw Mar 10 14:17:06 jutta server: 14:17:06,548 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/caTokenDeviceKeyEnrollment Mar 10 14:17:06 jutta server: 14:17:06,600 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/caTokenDeviceKeyEnrollment/raw Mar 10 14:17:06 jutta server: 14:17:06,653 DEBUG 
(org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/caTokenDeviceKeyEnrollment Mar 10 14:17:06 jutta server: SSLAuthenticatorWithFallback: Authenticate with client certificate authentication Mar 10 14:17:06 jutta server: PKIRealm: Authenticating certificate chain: Mar 10 14:17:06 jutta server: PKIRealm: CN=IPA RA, O=UOFMT1 Mar 10 14:17:06 jutta server: PKIRealm: User ID: ipara Mar 10 14:17:06 jutta server: PKIRealm: User DN: uid=ipara,ou=people,o=ipaca Mar 10 14:17:06 jutta server: PKIRealm: Roles: Mar 10 14:17:06 jutta server: PKIRealm: Certificate Manager Agents Mar 10 14:17:06 jutta server: PKIRealm: Registration Manager Agents Mar 10 14:17:06 jutta server: 14:17:06,694 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /account/logout Mar 10 14:17:06 jutta server: Destroying session 427390C51CACC3D9EEB6020403C8A308 Mar 10 14:17:06 jutta server: SSLAuthenticatorWithFallback: Authenticate with client certificate authentication Mar 10 14:17:06 jutta server: PKIRealm: Authenticating certificate chain: Mar 10 14:17:06 jutta server: PKIRealm: CN=IPA RA, O=UOFMT1 Mar 10 14:17:06 jutta server: PKIRealm: User ID: ipara Mar 10 14:17:06 jutta server: PKIRealm: User DN: uid=ipara,ou=people,o=ipaca Mar 10 14:17:06 jutta server: PKIRealm: Roles: Mar 10 14:17:06 jutta server: PKIRealm: Certificate Manager Agents Mar 10 14:17:06 jutta server: PKIRealm: Registration Manager Agents Mar 10 14:17:06 jutta server: 14:17:06,721 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /account/login Mar 10 14:17:06 jutta server: Creating session 26353569E1FA2194BC51AE53716EE067 Mar 10 14:17:06 jutta server: Principal: GenericPrincipal[ipara(Certificate Manager Agents,Registration Manager Agents,)] Mar 10 14:17:06 jutta server: 14:17:06,741 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/raw Mar 10 14:17:06 jutta server: 14:17:06,763 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: 
/profiles/caTokenUserEncryptionKeyEnrollment Mar 10 14:17:06 jutta server: 14:17:06,799 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/caTokenUserEncryptionKeyEnrollment/raw Mar 10 14:17:06 jutta server: 14:17:06,853 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/caTokenUserEncryptionKeyEnrollment Mar 10 14:17:06 jutta server: SSLAuthenticatorWithFallback: Authenticate with client certificate authentication Mar 10 14:17:06 jutta server: PKIRealm: Authenticating certificate chain: Mar 10 14:17:06 jutta server: PKIRealm: CN=IPA RA, O=UOFMT1 Mar 10 14:17:06 jutta server: PKIRealm: User ID: ipara Mar 10 14:17:06 jutta server: PKIRealm: User DN: uid=ipara,ou=people,o=ipaca Mar 10 14:17:06 jutta server: PKIRealm: Roles: Mar 10 14:17:06 jutta server: PKIRealm: Certificate Manager Agents Mar 10 14:17:06 jutta server: PKIRealm: Registration Manager Agents Mar 10 14:17:06 jutta server: 14:17:06,891 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /account/logout Mar 10 14:17:06 jutta server: Destroying session E1CD6A1F568290DB1326A17FD29E3BC7 Mar 10 14:17:06 jutta server: SSLAuthenticatorWithFallback: Authenticate with client certificate authentication Mar 10 14:17:06 jutta server: PKIRealm: Authenticating certificate chain: Mar 10 14:17:06 jutta server: PKIRealm: CN=IPA RA, O=UOFMT1 Mar 10 14:17:06 jutta server: PKIRealm: User ID: ipara Mar 10 14:17:06 jutta server: PKIRealm: User DN: uid=ipara,ou=people,o=ipaca Mar 10 14:17:06 jutta server: PKIRealm: Roles: Mar 10 14:17:06 jutta server: PKIRealm: Certificate Manager Agents Mar 10 14:17:06 jutta server: PKIRealm: Registration Manager Agents Mar 10 14:17:06 jutta server: 14:17:06,917 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /account/login Mar 10 14:17:06 jutta server: Creating session 5491685D254FFB75CAFA15BEC3DF27A2 Mar 10 14:17:06 jutta server: Principal: GenericPrincipal[ipara(Certificate Manager 
Agents,Registration Manager Agents,)] Mar 10 14:17:06 jutta server: 14:17:06,937 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/raw Mar 10 14:17:06 jutta server: 14:17:06,959 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/caTokenUserSigningKeyEnrollment Mar 10 14:17:06 jutta server: 14:17:06,996 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/caTokenUserSigningKeyEnrollment/raw Mar 10 14:17:07 jutta server: 14:17:07,043 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/caTokenUserSigningKeyEnrollment Mar 10 14:17:07 jutta server: SSLAuthenticatorWithFallback: Authenticate with client certificate authentication Mar 10 14:17:07 jutta server: PKIRealm: Authenticating certificate chain: Mar 10 14:17:07 jutta server: PKIRealm: CN=IPA RA, O=UOFMT1 Mar 10 14:17:07 jutta server: PKIRealm: User ID: ipara Mar 10 14:17:07 jutta server: PKIRealm: User DN: uid=ipara,ou=people,o=ipaca Mar 10 14:17:07 jutta server: PKIRealm: Roles: Mar 10 14:17:07 jutta server: PKIRealm: Certificate Manager Agents Mar 10 14:17:07 jutta server: PKIRealm: Registration Manager Agents Mar 10 14:17:07 jutta server: 14:17:07,082 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /account/logout Mar 10 14:17:07 jutta server: Destroying session 3E70C45AD57BD1BC0B54BE11E008EB45 Mar 10 14:17:07 jutta server: SSLAuthenticatorWithFallback: Authenticate with client certificate authentication Mar 10 14:17:07 jutta server: PKIRealm: Authenticating certificate chain: Mar 10 14:17:07 jutta server: PKIRealm: CN=IPA RA, O=UOFMT1 Mar 10 14:17:07 jutta server: PKIRealm: User ID: ipara Mar 10 14:17:07 jutta server: PKIRealm: User DN: uid=ipara,ou=people,o=ipaca Mar 10 14:17:07 jutta server: PKIRealm: Roles: Mar 10 14:17:07 jutta server: PKIRealm: Certificate Manager Agents Mar 10 14:17:07 jutta server: PKIRealm: Registration Manager Agents Mar 10 14:17:07 jutta server: 
14:17:11 jutta server: PKIRealm: Authenticating certificate chain: Mar 10 14:17:11 jutta server: PKIRealm: CN=IPA RA, O=UOFMT1 Mar 10 14:17:11 jutta server: PKIRealm: User ID: ipara Mar 10 14:17:11 jutta server: PKIRealm: User DN: uid=ipara,ou=people,o=ipaca Mar 10 14:17:11 jutta server: PKIRealm: Roles: Mar 10 14:17:11 jutta server: PKIRealm: Certificate Manager Agents Mar 10 14:17:11 jutta server: PKIRealm: Registration Manager Agents Mar 10 14:17:11 jutta server: 14:17:11,432 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /account/login Mar 10 14:17:11 jutta server: Creating session FE0700F3B3B9E7246EA649EDF75E692A Mar 10 14:17:11 jutta server: Principal: GenericPrincipal[ipara(Certificate Manager Agents,Registration Manager Agents,)] Mar 10 14:17:11 jutta server: 14:17:11,452 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/raw Mar 10 14:17:11 jutta server: 14:17:11,473 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/caTokenUserSigningKeyRenewal Mar 10 14:17:11 jutta server: 14:17:11,513 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/caTokenUserSigningKeyRenewal/raw Mar 10 14:17:11 jutta server: 14:17:11,596 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/caTokenUserSigningKeyRenewal Mar 10 14:17:11 jutta server: SSLAuthenticatorWithFallback: Authenticate with client certificate authentication Mar 10 14:17:11 jutta server: PKIRealm: Authenticating certificate chain: Mar 10 14:17:11 jutta server: PKIRealm: CN=IPA RA, O=UOFMT1 Mar 10 14:17:11 jutta server: PKIRealm: User ID: ipara Mar 10 14:17:11 jutta server: PKIRealm: User DN: uid=ipara,ou=people,o=ipaca Mar 10 14:17:11 jutta server: PKIRealm: Roles: Mar 10 14:17:11 jutta server: PKIRealm: Certificate Manager Agents Mar 10 14:17:11 jutta server: PKIRealm: Registration Manager Agents Mar 10 14:17:11 jutta server: 14:17:11,702 DEBUG 
(org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /account/logout Mar 10 14:17:11 jutta server: Destroying session 888409153ACA19F21236636A7D34DC70 Mar 10 14:17:11 jutta server: SSLAuthenticatorWithFallback: Authenticate with client certificate authentication Mar 10 14:17:11 jutta server: PKIRealm: Authenticating certificate chain: Mar 10 14:17:11 jutta server: PKIRealm: CN=IPA RA, O=UOFMT1 Mar 10 14:17:11 jutta server: PKIRealm: User ID: ipara Mar 10 14:17:11 jutta server: PKIRealm: User DN: uid=ipara,ou=people,o=ipaca Mar 10 14:17:11 jutta server: PKIRealm: Roles: Mar 10 14:17:11 jutta server: PKIRealm: Certificate Manager Agents Mar 10 14:17:11 jutta server: PKIRealm: Registration Manager Agents Mar 10 14:17:11 jutta server: 14:17:11,734 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /account/login Mar 10 14:17:11 jutta server: Creating session A3346BF25CBA1AD82F3D8B9BD5478D89 Mar 10 14:17:11 jutta server: Principal: GenericPrincipal[ipara(Certificate Manager Agents,Registration Manager Agents,)] Mar 10 14:17:11 jutta server: 14:17:11,754 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/raw Mar 10 14:17:11 jutta server: 14:17:11,776 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/caTokenUserEncryptionKeyRenewal Mar 10 14:17:11 jutta server: 14:17:11,813 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/caTokenUserEncryptionKeyRenewal/raw Mar 10 14:17:11 jutta server: 14:17:11,888 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/caTokenUserEncryptionKeyRenewal Mar 10 14:17:11 jutta server: SSLAuthenticatorWithFallback: Authenticate with client certificate authentication Mar 10 14:17:11 jutta server: PKIRealm: Authenticating certificate chain: Mar 10 14:17:11 jutta server: PKIRealm: CN=IPA RA, O=UOFMT1 Mar 10 14:17:11 jutta server: PKIRealm: User ID: ipara Mar 10 14:17:11 jutta server: PKIRealm: User DN: 
uid=ipara,ou=people,o=ipaca Mar 10 14:17:11 jutta server: PKIRealm: Roles: Mar 10 14:17:11 jutta server: PKIRealm: Certificate Manager Agents Mar 10 14:17:11 jutta server: PKIRealm: Registration Manager Agents Mar 10 14:17:11 jutta server: 14:17:11,930 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /account/logout Mar 10 14:17:11 jutta server: Destroying session 5AE071AF3DE3759DFE2FE960558255F0 Mar 10 14:17:11 jutta server: SSLAuthenticatorWithFallback: Authenticate with client certificate authentication Mar 10 14:17:11 jutta server: PKIRealm: Authenticating certificate chain: Mar 10 14:17:11 jutta server: PKIRealm: CN=IPA RA, O=UOFMT1 Mar 10 14:17:11 jutta server: PKIRealm: User ID: ipara Mar 10 14:17:11 jutta server: PKIRealm: User DN: uid=ipara,ou=people,o=ipaca Mar 10 14:17:11 jutta server: PKIRealm: Roles: Mar 10 14:17:11 jutta server: PKIRealm: Certificate Manager Agents Mar 10 14:17:11 jutta server: PKIRealm: Registration Manager Agents Mar 10 14:17:11 jutta server: 14:17:11,955 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /account/login Mar 10 14:17:11 jutta server: Creating session 725871DD813451A28C9C888B63173456 Mar 10 14:17:11 jutta server: Principal: GenericPrincipal[ipara(Certificate Manager Agents,Registration Manager Agents,)] Mar 10 14:17:11 jutta server: 14:17:11,975 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/raw Mar 10 14:17:11 jutta server: 14:17:11,997 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/caTokenUserAuthKeyRenewal Mar 10 14:17:12 jutta server: 14:17:12,106 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/caTokenUserAuthKeyRenewal/raw Mar 10 14:17:12 jutta server: 14:17:12,185 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/caTokenUserAuthKeyRenewal Mar 10 14:17:12 jutta server: SSLAuthenticatorWithFallback: Authenticate with client certificate authentication Mar 
10 14:17:12 jutta server: PKIRealm: Authenticating certificate chain: Mar 10 14:17:12 jutta server: PKIRealm: CN=IPA RA, O=UOFMT1 Mar 10 14:17:12 jutta server: PKIRealm: User ID: ipara Mar 10 14:17:12 jutta server: PKIRealm: User DN: uid=ipara,ou=people,o=ipaca Mar 10 14:17:12 jutta server: PKIRealm: Roles: Mar 10 14:17:12 jutta server: PKIRealm: Certificate Manager Agents Mar 10 14:17:12 jutta server: PKIRealm: Registration Manager Agents Mar 10 14:17:12 jutta server: 14:17:12,226 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /account/logout Mar 10 14:17:12 jutta server: Destroying session F7666E645236258DB2C962BCD245380F Mar 10 14:17:12 jutta server: SSLAuthenticatorWithFallback: Authenticate with client certificate authentication Mar 10 14:17:12 jutta server: PKIRealm: Authenticating certificate chain: Mar 10 14:17:12 jutta server: PKIRealm: CN=IPA RA, O=UOFMT1 Mar 10 14:17:12 jutta server: PKIRealm: User ID: ipara Mar 10 14:17:12 jutta server: PKIRealm: User DN: uid=ipara,ou=people,o=ipaca Mar 10 14:17:12 jutta server: PKIRealm: Roles: Mar 10 14:17:12 jutta server: PKIRealm: Certificate Manager Agents Mar 10 14:17:12 jutta server: PKIRealm: Registration Manager Agents Mar 10 14:17:12 jutta server: 14:17:12,252 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /account/login Mar 10 14:17:12 jutta server: Creating session C7C7B5099E44C2D66487546B556CA874 Mar 10 14:17:12 jutta server: Principal: GenericPrincipal[ipara(Certificate Manager Agents,Registration Manager Agents,)] Mar 10 14:17:12 jutta server: 14:17:12,271 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/raw Mar 10 14:17:12 jutta server: 14:17:12,295 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/caJarSigningCert Mar 10 14:17:12 jutta server: 14:17:12,340 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/caJarSigningCert/raw Mar 10 14:17:12 jutta server: 14:17:12,433 DEBUG 
(org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/caJarSigningCert Mar 10 14:17:12 jutta server: SSLAuthenticatorWithFallback: Authenticate with client certificate authentication Mar 10 14:17:12 jutta server: PKIRealm: Authenticating certificate chain: Mar 10 14:17:12 jutta server: PKIRealm: CN=IPA RA, O=UOFMT1 Mar 10 14:17:12 jutta server: PKIRealm: User ID: ipara Mar 10 14:17:12 jutta server: PKIRealm: User DN: uid=ipara,ou=people,o=ipaca Mar 10 14:17:12 jutta server: PKIRealm: Roles: Mar 10 14:17:12 jutta server: PKIRealm: Certificate Manager Agents Mar 10 14:17:12 jutta server: PKIRealm: Registration Manager Agents Mar 10 14:17:12 jutta server: 14:17:12,479 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /account/logout Mar 10 14:17:12 jutta server: Destroying session 064FA8F1F894E9CCBF8C4B763D07AB64 Mar 10 14:17:12 jutta server: SSLAuthenticatorWithFallback: Authenticate with client certificate authentication Mar 10 14:17:12 jutta server: PKIRealm: Authenticating certificate chain: Mar 10 14:17:12 jutta server: PKIRealm: CN=IPA RA, O=UOFMT1 Mar 10 14:17:12 jutta server: PKIRealm: User ID: ipara Mar 10 14:17:12 jutta server: PKIRealm: User DN: uid=ipara,ou=people,o=ipaca Mar 10 14:17:12 jutta server: PKIRealm: Roles: Mar 10 14:17:12 jutta server: PKIRealm: Certificate Manager Agents Mar 10 14:17:12 jutta server: PKIRealm: Registration Manager Agents Mar 10 14:17:12 jutta server: 14:17:12,509 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /account/login Mar 10 14:17:12 jutta server: Creating session 89FCA6BF71E30A21C02DA07E35211959 Mar 10 14:17:12 jutta server: Principal: GenericPrincipal[ipara(Certificate Manager Agents,Registration Manager Agents,)] Mar 10 14:17:12 jutta server: 14:17:12,530 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/raw Mar 10 14:17:12 jutta server: 14:17:12,554 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: 
/profiles/caIPAserviceCert Mar 10 14:17:12 jutta server: 14:17:12,593 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/caIPAserviceCert/raw Mar 10 14:17:12 jutta server: 14:17:12,669 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/caIPAserviceCert Mar 10 14:17:12 jutta server: SSLAuthenticatorWithFallback: Authenticate with client certificate authentication Mar 10 14:17:12 jutta server: PKIRealm: Authenticating certificate chain: Mar 10 14:17:12 jutta server: PKIRealm: CN=IPA RA, O=UOFMT1 Mar 10 14:17:12 jutta server: PKIRealm: User ID: ipara Mar 10 14:17:12 jutta server: PKIRealm: User DN: uid=ipara,ou=people,o=ipaca Mar 10 14:17:12 jutta server: PKIRealm: Roles: Mar 10 14:17:12 jutta server: PKIRealm: Certificate Manager Agents Mar 10 14:17:12 jutta server: PKIRealm: Registration Manager Agents Mar 10 14:17:12 jutta server: 14:17:12,708 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /account/logout Mar 10 14:17:12 jutta server: Destroying session A5B75DF32A8929CE69A33F32A91F234D Mar 10 14:17:12 jutta server: SSLAuthenticatorWithFallback: Authenticate with client certificate authentication Mar 10 14:17:12 jutta server: PKIRealm: Authenticating certificate chain: Mar 10 14:17:12 jutta server: PKIRealm: CN=IPA RA, O=UOFMT1 Mar 10 14:17:12 jutta server: PKIRealm: User ID: ipara Mar 10 14:17:12 jutta server: PKIRealm: User DN: uid=ipara,ou=people,o=ipaca Mar 10 14:17:12 jutta server: PKIRealm: Roles: Mar 10 14:17:12 jutta server: PKIRealm: Certificate Manager Agents Mar 10 14:17:12 jutta server: PKIRealm: Registration Manager Agents Mar 10 14:17:12 jutta server: 14:17:12,736 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /account/login Mar 10 14:17:12 jutta server: Creating session 9447034AD7C41FEEC679CFC48D7C4C24 Mar 10 14:17:12 jutta server: Principal: GenericPrincipal[ipara(Certificate Manager Agents,Registration Manager Agents,)] Mar 10 14:17:12 jutta server: 
14:17:12,756 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/raw Mar 10 14:17:12 jutta server: 14:17:12,778 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/caEncUserCert Mar 10 14:17:12 jutta server: 14:17:12,812 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/caEncUserCert/raw Mar 10 14:17:12 jutta server: 14:17:12,890 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/caEncUserCert Mar 10 14:17:12 jutta server: SSLAuthenticatorWithFallback: Authenticate with client certificate authentication Mar 10 14:17:12 jutta server: PKIRealm: Authenticating certificate chain: Mar 10 14:17:12 jutta server: PKIRealm: CN=IPA RA, O=UOFMT1 Mar 10 14:17:12 jutta server: PKIRealm: User ID: ipara Mar 10 14:17:12 jutta server: PKIRealm: User DN: uid=ipara,ou=people,o=ipaca Mar 10 14:17:12 jutta server: PKIRealm: Roles: Mar 10 14:17:12 jutta server: PKIRealm: Certificate Manager Agents Mar 10 14:17:12 jutta server: PKIRealm: Registration Manager Agents Mar 10 14:17:12 jutta server: 14:17:12,930 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /account/logout Mar 10 14:17:12 jutta server: Destroying session 91E5CBDF172ABA76E4A8F7F461DECA2B Mar 10 14:17:12 jutta server: SSLAuthenticatorWithFallback: Authenticate with client certificate authentication Mar 10 14:17:12 jutta server: PKIRealm: Authenticating certificate chain: Mar 10 14:17:12 jutta server: PKIRealm: CN=IPA RA, O=UOFMT1 Mar 10 14:17:12 jutta server: PKIRealm: User ID: ipara Mar 10 14:17:12 jutta server: PKIRealm: User DN: uid=ipara,ou=people,o=ipaca Mar 10 14:17:12 jutta server: PKIRealm: Roles: Mar 10 14:17:12 jutta server: PKIRealm: Certificate Manager Agents Mar 10 14:17:12 jutta server: PKIRealm: Registration Manager Agents Mar 10 14:17:12 jutta server: 14:17:12,957 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /account/login Mar 10 14:17:12 jutta server: 
Creating session CB58EFA7EFA0EE52A358C3A27F0F7F04 Mar 10 14:17:12 jutta server: Principal: GenericPrincipal[ipara(Certificate Manager Agents,Registration Manager Agents,)] Mar 10 14:17:12 jutta server: 14:17:12,977 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/raw Mar 10 14:17:13 jutta server: 14:17:12,999 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/caEncECUserCert Mar 10 14:17:13 jutta server: 14:17:13,034 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/caEncECUserCert/raw Mar 10 14:17:13 jutta server: 14:17:13,110 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/caEncECUserCert Mar 10 14:17:13 jutta server: SSLAuthenticatorWithFallback: Authenticate with client certificate authentication Mar 10 14:17:13 jutta server: PKIRealm: Authenticating certificate chain: Mar 10 14:17:13 jutta server: PKIRealm: CN=IPA RA, O=UOFMT1 Mar 10 14:17:13 jutta server: PKIRealm: User ID: ipara Mar 10 14:17:13 jutta server: PKIRealm: User DN: uid=ipara,ou=people,o=ipaca Mar 10 14:17:13 jutta server: PKIRealm: Roles: Mar 10 14:17:13 jutta server: PKIRealm: Certificate Manager Agents Mar 10 14:17:13 jutta server: PKIRealm: Registration Manager Agents Mar 10 14:17:13 jutta server: 14:17:13,145 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /account/logout Mar 10 14:17:13 jutta server: Destroying session 2A96E7B7C7D076841010736733AFD21F Mar 10 14:17:13 jutta server: SSLAuthenticatorWithFallback: Authenticate with client certificate authentication Mar 10 14:17:13 jutta server: PKIRealm: Authenticating certificate chain: Mar 10 14:17:13 jutta server: PKIRealm: CN=IPA RA, O=UOFMT1 Mar 10 14:17:13 jutta server: PKIRealm: User ID: ipara Mar 10 14:17:13 jutta server: PKIRealm: User DN: uid=ipara,ou=people,o=ipaca Mar 10 14:17:13 jutta server: PKIRealm: Roles: Mar 10 14:17:13 jutta server: PKIRealm: Certificate Manager Agents Mar 10 14:17:13 jutta 
server: PKIRealm: Registration Manager Agents Mar 10 14:17:13 jutta server: 14:17:13,171 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /account/login Mar 10 14:17:13 jutta server: Creating session B85181BA28D913D8FC5BEB427481D1D1 Mar 10 14:17:13 jutta server: Principal: GenericPrincipal[ipara(Certificate Manager Agents,Registration Manager Agents,)] Mar 10 14:17:13 jutta server: 14:17:13,191 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/raw Mar 10 14:17:13 jutta server: 14:17:13,213 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/caTokenUserDelegateAuthKeyEnrollment Mar 10 14:17:13 jutta server: 14:17:13,249 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/caTokenUserDelegateAuthKeyEnrollment/raw Mar 10 14:17:13 jutta server: 14:17:13,297 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/caTokenUserDelegateAuthKeyEnrollment Mar 10 14:17:13 jutta server: SSLAuthenticatorWithFallback: Authenticate with client certificate authentication Mar 10 14:17:13 jutta server: PKIRealm: Authenticating certificate chain: Mar 10 14:17:13 jutta server: PKIRealm: CN=IPA RA, O=UOFMT1 Mar 10 14:17:13 jutta server: PKIRealm: User ID: ipara Mar 10 14:17:13 jutta server: PKIRealm: User DN: uid=ipara,ou=people,o=ipaca Mar 10 14:17:13 jutta server: PKIRealm: Roles: Mar 10 14:17:13 jutta server: PKIRealm: Certificate Manager Agents Mar 10 14:17:13 jutta server: PKIRealm: Registration Manager Agents Mar 10 14:17:13 jutta server: 14:17:13,335 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /account/logout Mar 10 14:17:13 jutta server: Destroying session 5BBE905B6D17D7291B96780BC8CF7364 Mar 10 14:17:13 jutta server: SSLAuthenticatorWithFallback: Authenticate with client certificate authentication Mar 10 14:17:13 jutta server: PKIRealm: Authenticating certificate chain: Mar 10 14:17:13 jutta server: PKIRealm: CN=IPA RA, O=UOFMT1 
Mar 10 14:17:13 jutta server: PKIRealm: User ID: ipara Mar 10 14:17:13 jutta server: PKIRealm: User DN: uid=ipara,ou=people,o=ipaca Mar 10 14:17:13 jutta server: PKIRealm: Roles: Mar 10 14:17:13 jutta server: PKIRealm: Certificate Manager Agents Mar 10 14:17:13 jutta server: PKIRealm: Registration Manager Agents Mar 10 14:17:13 jutta server: 14:17:13,362 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /account/login Mar 10 14:17:13 jutta server: Creating session 86BF8CD843ECAFCD5D1AEEFAF017FD78 Mar 10 14:17:13 jutta server: Principal: GenericPrincipal[ipara(Certificate Manager Agents,Registration Manager Agents,)] Mar 10 14:17:13 jutta server: 14:17:13,383 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/raw Mar 10 14:17:13 jutta server: 14:17:13,408 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/caTokenUserDelegateSigningKeyEnrollment Mar 10 14:17:13 jutta server: 14:17:13,445 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/caTokenUserDelegateSigningKeyEnrollment/raw Mar 10 14:17:13 jutta server: 14:17:13,502 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /profiles/caTokenUserDelegateSigningKeyEnrollment Mar 10 14:17:13 jutta server: SSLAuthenticatorWithFallback: Authenticate with client certificate authentication Mar 10 14:17:13 jutta server: PKIRealm: Authenticating certificate chain: Mar 10 14:17:13 jutta server: PKIRealm: CN=IPA RA, O=UOFMT1 Mar 10 14:17:13 jutta server: PKIRealm: User ID: ipara Mar 10 14:17:13 jutta server: PKIRealm: User DN: uid=ipara,ou=people,o=ipaca Mar 10 14:17:13 jutta server: PKIRealm: Roles: Mar 10 14:17:13 jutta server: PKIRealm: Certificate Manager Agents Mar 10 14:17:13 jutta server: PKIRealm: Registration Manager Agents Mar 10 14:17:13 jutta server: 14:17:13,548 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) - PathInfo: /account/logout Mar 10 14:17:13 jutta server: Destroying session 
7057586FD73FB468B2EAC3922C913E98 Mar 10 14:17:22 jutta systemd: Stopping PKI Tomcat Server pki-tomcat... Mar 10 14:17:22 jutta server: Java virtual machine used: /usr/lib/jvm/jre/bin/java Mar 10 14:17:22 jutta server: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar Mar 10 14:17:22 jutta server: main class used: org.apache.catalina.startup.Bootstrap Mar 10 14:17:22 jutta server: flags used: -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni Mar 10 14:17:22 jutta server: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager Mar 10 14:17:22 jutta server: arguments used: stop Mar 10 14:17:22 jutta server: Mar 10, 2016 2:17:22 PM org.apache.catalina.core.StandardServer await Mar 10 14:17:22 jutta server: INFO: A valid shutdown command was received via the shutdown port. Stopping the Server instance. Mar 10 14:17:22 jutta server: PKIListener: org.apache.catalina.core.StandardServer[before_stop] Mar 10 14:17:22 jutta server: PKIListener: org.apache.catalina.core.StandardServer[stop] Mar 10 14:17:22 jutta server: PKIListener: org.apache.catalina.core.StandardServer[configure_stop] Mar 10 14:17:22 jutta server: Mar 10, 2016 2:17:22 PM org.apache.coyote.AbstractProtocol pause Mar 10 14:17:22 jutta server: INFO: Pausing ProtocolHandler ["http-bio-8080"] Mar 10 14:17:22 jutta systemd: Stopped PKI Tomcat Server pki-tomcat. Mar 10 14:17:23 jutta systemd: Stopping 389 Directory Server UOFMT1.... Mar 10 14:17:31 jutta systemd: Starting 389 Directory Server UOFMT1.... Mar 10 14:17:32 jutta systemd: Started 389 Directory Server UOFMT1.. 
Mar 10 14:17:32 jutta ns-slapd: [10/Mar/2016:14:17:32 -0600] - SSL alert: Configured NSS Ciphers Mar 10 14:17:32 jutta ns-slapd: [10/Mar/2016:14:17:32 -0600] - SSL alert: #011TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled Mar 10 14:17:32 jutta ns-slapd: [10/Mar/2016:14:17:32 -0600] - SSL alert: #011TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled Mar 10 14:17:32 jutta ns-slapd: [10/Mar/2016:14:17:32 -0600] - SSL alert: #011TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384: enabled Mar 10 14:17:32 jutta ns-slapd: [10/Mar/2016:14:17:32 -0600] - SSL alert: #011TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled Mar 10 14:17:32 jutta ns-slapd: [10/Mar/2016:14:17:32 -0600] - SSL alert: #011TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled Mar 10 14:17:32 jutta ns-slapd: [10/Mar/2016:14:17:32 -0600] - SSL alert: #011TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled Mar 10 14:17:32 jutta ns-slapd: [10/Mar/2016:14:17:32 -0600] - SSL alert: #011TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled Mar 10 14:17:32 jutta ns-slapd: [10/Mar/2016:14:17:32 -0600] - SSL alert: #011TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled Mar 10 14:17:32 jutta ns-slapd: [10/Mar/2016:14:17:32 -0600] - SSL alert: #011TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384: enabled Mar 10 14:17:32 jutta ns-slapd: [10/Mar/2016:14:17:32 -0600] - SSL alert: #011TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled Mar 10 14:17:32 jutta ns-slapd: [10/Mar/2016:14:17:32 -0600] - SSL alert: #011TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled Mar 10 14:17:32 jutta ns-slapd: [10/Mar/2016:14:17:32 -0600] - SSL alert: #011TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled Mar 10 14:17:32 jutta ns-slapd: [10/Mar/2016:14:17:32 -0600] - SSL alert: #011TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled Mar 10 14:17:32 jutta ns-slapd: [10/Mar/2016:14:17:32 -0600] - SSL alert: #011TLS_DHE_DSS_WITH_AES_256_GCM_SHA384: enabled Mar 10 14:17:32 jutta ns-slapd: [10/Mar/2016:14:17:32 -0600] - SSL alert: #011TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled Mar 10 14:17:32 jutta ns-slapd: 
[10/Mar/2016:14:17:32 -0600] - SSL alert: #011TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled Mar 10 14:17:32 jutta ns-slapd: [10/Mar/2016:14:17:32 -0600] - SSL alert: #011TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled Mar 10 14:17:32 jutta ns-slapd: [10/Mar/2016:14:17:32 -0600] - SSL alert: #011TLS_DHE_DSS_WITH_AES_256_CBC_SHA256: enabled Mar 10 14:17:32 jutta ns-slapd: [10/Mar/2016:14:17:32 -0600] - SSL alert: #011TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled Mar 10 14:17:32 jutta ns-slapd: [10/Mar/2016:14:17:32 -0600] - SSL alert: #011TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled Mar 10 14:17:32 jutta ns-slapd: [10/Mar/2016:14:17:32 -0600] - SSL alert: #011TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled Mar 10 14:17:32 jutta ns-slapd: [10/Mar/2016:14:17:32 -0600] - SSL alert: #011TLS_DHE_DSS_WITH_AES_128_GCM_SHA256: enabled Mar 10 14:17:32 jutta ns-slapd: [10/Mar/2016:14:17:32 -0600] - SSL alert: #011TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled Mar 10 14:17:32 jutta ns-slapd: [10/Mar/2016:14:17:32 -0600] - SSL alert: #011TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled Mar 10 14:17:32 jutta ns-slapd: [10/Mar/2016:14:17:32 -0600] - SSL alert: #011TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled Mar 10 14:17:32 jutta ns-slapd: [10/Mar/2016:14:17:32 -0600] - SSL alert: #011TLS_DHE_DSS_WITH_AES_128_CBC_SHA256: enabled Mar 10 14:17:32 jutta ns-slapd: [10/Mar/2016:14:17:32 -0600] - SSL alert: #011TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled Mar 10 14:17:32 jutta ns-slapd: [10/Mar/2016:14:17:32 -0600] - SSL alert: #011TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled Mar 10 14:17:32 jutta ns-slapd: [10/Mar/2016:14:17:32 -0600] - SSL alert: #011TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled Mar 10 14:17:32 jutta ns-slapd: [10/Mar/2016:14:17:32 -0600] - SSL alert: #011TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: enabled Mar 10 14:17:32 jutta ns-slapd: [10/Mar/2016:14:17:32 -0600] - SSL alert: #011TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled Mar 10 14:17:32 jutta ns-slapd: [10/Mar/2016:14:17:32 -0600] - SSL 
alert: #011TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled Mar 10 14:17:32 jutta ns-slapd: [10/Mar/2016:14:17:32 -0600] - SSL alert: #011TLS_RSA_WITH_AES_256_GCM_SHA384: enabled Mar 10 14:17:32 jutta ns-slapd: [10/Mar/2016:14:17:32 -0600] - SSL alert: #011TLS_RSA_WITH_AES_256_CBC_SHA: enabled Mar 10 14:17:32 jutta ns-slapd: [10/Mar/2016:14:17:32 -0600] - SSL alert: #011TLS_RSA_WITH_AES_256_CBC_SHA256: enabled Mar 10 14:17:32 jutta ns-slapd: [10/Mar/2016:14:17:32 -0600] - SSL alert: #011TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled Mar 10 14:17:32 jutta ns-slapd: [10/Mar/2016:14:17:32 -0600] - SSL alert: #011TLS_RSA_WITH_AES_128_GCM_SHA256: enabled Mar 10 14:17:32 jutta ns-slapd: [10/Mar/2016:14:17:32 -0600] - SSL alert: #011TLS_RSA_WITH_AES_128_CBC_SHA: enabled Mar 10 14:17:32 jutta ns-slapd: [10/Mar/2016:14:17:32 -0600] - SSL alert: #011TLS_RSA_WITH_AES_128_CBC_SHA256: enabled Mar 10 14:17:32 jutta ns-slapd: [10/Mar/2016:14:17:32 -0600] - SSL alert: #011TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled Mar 10 14:17:32 jutta ns-slapd: [10/Mar/2016:14:17:32 -0600] - SSL alert: #011TLS_RSA_WITH_SEED_CBC_SHA: enabled Mar 10 14:17:32 jutta ns-slapd: [10/Mar/2016:14:17:32 -0600] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2 Mar 10 14:18:10 jutta su: (to root) fonsecah on pts/2 Mar 10 14:18:15 jutta kernel: DCCP: Activated CCID 2 (TCP-like) Mar 10 14:18:15 jutta kernel: DCCP: Activated CCID 3 (TCP-Friendly Rate Control) Mar 10 14:18:42 jutta systemd: Starting PKI Tomcat Server pki-tomcat... Mar 10 14:18:42 jutta systemd: Started PKI Tomcat Server pki-tomcat. 
Mar 10 14:18:42 jutta server: Java virtual machine used: /usr/lib/jvm/jre/bin/java Mar 10 14:18:42 jutta server: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar Mar 10 14:18:42 jutta server: main class used: org.apache.catalina.startup.Bootstrap Mar 10 14:18:42 jutta server: flags used: -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni Mar 10 14:18:42 jutta server: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.manager -Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy Mar 10 14:18:42 jutta server: arguments used: start Mar 10 14:18:43 jutta server: Mar 10, 2016 2:18:43 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:18:43 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'enableOCSP' to 'false' did not find a matching property. Mar 10 14:18:43 jutta server: Mar 10, 2016 2:18:43 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:18:43 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderURL' to 'http://jutta.cc.umanitoba.ca:9080/ca/ocsp' did not find a matching property. Mar 10 14:18:43 jutta server: Mar 10, 2016 2:18:43 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:18:43 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderCertNickname' to 'ocspSigningCert cert-pki-ca' did not find a matching property. 
Mar 10 14:18:43 jutta server: Mar 10, 2016 2:18:43 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:18:43 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspCacheSize' to '1000' did not find a matching property. Mar 10 14:18:43 jutta server: Mar 10, 2016 2:18:43 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:18:43 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMinCacheEntryDuration' to '60' did not find a matching property. Mar 10 14:18:43 jutta server: Mar 10, 2016 2:18:43 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:18:43 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMaxCacheEntryDuration' to '120' did not find a matching property. Mar 10 14:18:43 jutta server: Mar 10, 2016 2:18:43 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:18:43 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspTimeout' to '10' did not find a matching property. Mar 10 14:18:43 jutta server: Mar 10, 2016 2:18:43 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:18:43 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'strictCiphers' to 'true' did not find a matching property. Mar 10 14:18:43 jutta server: Mar 10, 2016 2:18:43 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:18:43 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslOptions' to 'ssl2=false,ssl3=false,tls=true' did not find a matching property. 
Mar 10 14:18:43 jutta server: Mar 10, 2016 2:18:43 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:18:43 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl2Ciphers' to '-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5' did not find a matching property. Mar 10 14:18:43 jutta server: Mar 10, 2016 2:18:43 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:18:43 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl3Ciphers' to '-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA' did not find a matching property. 
Mar 10 14:18:43 jutta server: Mar 10, 2016 2:18:43 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:18:43 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'tlsCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA' did not find a matching property. Mar 10 14:18:43 jutta server: Mar 10, 2016 2:18:43 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:18:43 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeStream' to 'tls1_0:tls1_2' did not find a matching property. Mar 10 14:18:43 jutta server: Mar 10, 2016 2:18:43 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:18:43 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeDatagram' to 'tls1_1:tls1_2' did not find a matching property. 
Mar 10 14:18:43 jutta server: Mar 10, 2016 2:18:43 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:18:43 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslRangeCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256' did not find a matching property. Mar 10 14:18:43 jutta server: Mar 10, 2016 2:18:43 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:18:43 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'serverCertNickFile' to '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did not find a matching property. 
Mar 10 14:18:43 jutta server: Mar 10, 2016 2:18:43 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:18:43 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not find a matching property. Mar 10 14:18:43 jutta server: Mar 10, 2016 2:18:43 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:18:43 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile' did not find a matching property. Mar 10 14:18:43 jutta server: Mar 10, 2016 2:18:43 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:18:43 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching property. Mar 10 14:18:43 jutta server: Mar 10, 2016 2:18:43 PM org.apache.tomcat.util.digester.SetPropertiesRule begin Mar 10 14:18:43 jutta server: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlValidation' to 'false' did not find a matching property. Mar 10 14:18:43 jutta server: Mar 10, 2016 2:18:43 PM org.apache.tomcat.util.digester.SetPropertiesRule begin Mar 10 14:18:43 jutta server: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlNamespaceAware' to 'false' did not find a matching property. 
Mar 10 14:18:43 jutta server: PKIListener: org.apache.catalina.core.StandardServer[before_init] Mar 10 14:18:43 jutta server: Mar 10, 2016 2:18:43 PM org.apache.coyote.AbstractProtocol init Mar 10 14:18:43 jutta server: INFO: Initializing ProtocolHandler ["http-bio-8080"] Mar 10 14:18:43 jutta server: Mar 10, 2016 2:18:43 PM org.apache.coyote.AbstractProtocol init Mar 10 14:18:43 jutta server: INFO: Initializing ProtocolHandler ["http-bio-8443"] Mar 10 14:18:43 jutta server: Error: SSL cipher "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss Mar 10 14:18:43 jutta server: Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" not recognized by tomcatjss Mar 10 14:18:43 jutta server: Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" not recognized by tomcatjss Mar 10 14:18:43 jutta server: Error: SSL cipher "TLS_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss Mar 10 14:18:43 jutta server: Error: SSL cipher "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss Mar 10 14:18:43 jutta server: Error: SSL cipher "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss Mar 10 14:18:43 jutta server: Error: SSL cipher "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" unsupported by NSS Mar 10 14:18:43 jutta server: Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" unsupported by NSS Mar 10 14:18:43 jutta server: Mar 10, 2016 2:18:43 PM org.apache.coyote.AbstractProtocol init Mar 10 14:18:43 jutta server: INFO: Initializing ProtocolHandler ["ajp-bio-127.0.0.1-8009"] Mar 10 14:18:43 jutta server: PKIListener: org.apache.catalina.core.StandardServer[after_init] Mar 10 14:18:43 jutta server: Mar 10, 2016 2:18:43 PM org.apache.catalina.startup.Catalina load Mar 10 14:18:43 jutta server: INFO: Initialization processed in 788 ms Mar 10 14:18:43 jutta server: PKIListener: org.apache.catalina.core.StandardServer[before_start] Mar 10 14:18:43 jutta server: PKIListener: org.apache.catalina.core.StandardServer[configure_start] Mar 10 14:18:43 jutta 
server: PKIListener: org.apache.catalina.core.StandardServer[start] Mar 10 14:18:43 jutta server: Mar 10, 2016 2:18:43 PM org.apache.catalina.core.StandardService startInternal Mar 10 14:18:43 jutta server: INFO: Starting service Catalina Mar 10 14:18:43 jutta server: Mar 10, 2016 2:18:43 PM org.apache.catalina.core.StandardEngine startInternal Mar 10 14:18:43 jutta server: INFO: Starting Servlet Engine: Apache Tomcat/7.0.54 Mar 10 14:18:43 jutta server: Mar 10, 2016 2:18:43 PM org.apache.catalina.startup.HostConfig deployDescriptor Mar 10 14:18:43 jutta server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml Mar 10 14:18:45 jutta server: Mar 10, 2016 2:18:45 PM org.apache.catalina.startup.HostConfig deployDescriptor Mar 10 14:18:45 jutta server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml has finished in 1,651 ms Mar 10 14:18:45 jutta server: Mar 10, 2016 2:18:45 PM org.apache.catalina.startup.HostConfig deployDescriptor Mar 10 14:18:45 jutta server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki#admin.xml Mar 10 14:18:46 jutta server: Mar 10, 2016 2:18:46 PM org.apache.catalina.startup.HostConfig deployDescriptor Mar 10 14:18:46 jutta server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki#admin.xml has finished in 1,264 ms Mar 10 14:18:46 jutta server: Mar 10, 2016 2:18:46 PM org.apache.catalina.startup.HostConfig deployDescriptor Mar 10 14:18:46 jutta server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki#js.xml Mar 10 14:18:47 jutta server: Mar 10, 2016 2:18:47 PM org.apache.catalina.startup.HostConfig deployDescriptor Mar 10 14:18:47 jutta server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki#js.xml has finished in 907 ms Mar 10 14:18:47 jutta server: Mar 10, 2016 2:18:47 PM org.apache.catalina.startup.HostConfig 
deployDescriptor Mar 10 14:18:47 jutta server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml Mar 10 14:18:47 jutta server: SSLAuthenticatorWithFallback: Creating SSL authenticator with fallback Mar 10 14:18:47 jutta server: SSLAuthenticatorWithFallback: Setting container Mar 10 14:18:49 jutta server: SSLAuthenticatorWithFallback: Initializing authenticators Mar 10 14:18:49 jutta server: SSLAuthenticatorWithFallback: Starting authenticators Mar 10 14:18:49 jutta server: testLDAPConnection connecting to jutta.cc.umanitoba.ca:389 Mar 10 14:18:49 jutta server: testLDAPConnection connecting to jutta.cc.umanitoba.ca:389 Mar 10 14:18:49 jutta server: testLDAPConnection: The specified user cn=Replication Manager masterAgreement1-jutta.cc.umanitoba.ca-pki-tomcat,cn=config does not exist Mar 10 14:18:50 jutta server: CMSEngine: init(): password test execution failed for replicationdbwith NO_SUCH_USER. This may not be a latest instance. Ignoring .. Mar 10 14:18:52 jutta server: CA is started. Mar 10 14:18:52 jutta server: Mar 10, 2016 2:18:52 PM org.apache.catalina.startup.HostConfig deployDescriptor Mar 10 14:18:52 jutta server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml has finished in 4,735 ms Mar 10 14:18:52 jutta server: Mar 10, 2016 2:18:52 PM org.apache.coyote.AbstractProtocol start Mar 10 14:18:52 jutta server: INFO: Starting ProtocolHandler ["http-bio-8080"] Mar 10 14:18:52 jutta server: Mar 10, 2016 2:18:52 PM org.apache.coyote.AbstractProtocol start Mar 10 14:18:52 jutta server: INFO: Starting ProtocolHandler ["http-bio-8443"] Mar 10 14:18:52 jutta server: Mar 10, 2016 2:18:52 PM org.apache.coyote.AbstractProtocol start Mar 10 14:18:52 jutta server: INFO: Starting ProtocolHandler ["ajp-bio-127.0.0.1-8009"] Mar 10 14:18:52 jutta server: PKIListener: org.apache.catalina.core.StandardServer[after_start] Mar 10 14:18:52 jutta server: PKIListener: Subsystem CA is running. 
Mar 10 14:18:52 jutta server: Mar 10, 2016 2:18:52 PM org.apache.catalina.startup.Catalina start Mar 10 14:18:52 jutta server: INFO: Server startup in 8646 ms Mar 10 14:18:52 jutta systemd: Configuration file /usr/lib/systemd/system/pki-tomcatd.target is marked executable. Please remove executable permission bits. Proceeding anyway. Mar 10 14:18:52 jutta systemd: Reloading. Mar 10 14:18:52 jutta systemd: Configuration file /usr/lib/systemd/system/auditd.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway. Mar 10 14:18:52 jutta systemd: Configuration file /usr/lib/systemd/system/ebtables.service is marked executable. Please remove executable permission bits. Proceeding anyway. Mar 10 14:18:52 jutta systemd: Configuration file /usr/lib/systemd/system/pki-tomcatd@.service is marked executable. Please remove executable permission bits. Proceeding anyway. Mar 10 14:18:52 jutta systemd: Configuration file /usr/lib/systemd/system/pki-tomcatd.target is marked executable. Please remove executable permission bits. Proceeding anyway. Mar 10 14:18:53 jutta systemd: Stopping PKI Tomcat Server pki-tomcat...
Mar 10 14:18:53 jutta server: Java virtual machine used: /usr/lib/jvm/jre/bin/java Mar 10 14:18:53 jutta server: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar Mar 10 14:18:53 jutta server: main class used: org.apache.catalina.startup.Bootstrap Mar 10 14:18:53 jutta server: flags used: -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni Mar 10 14:18:53 jutta server: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager Mar 10 14:18:53 jutta server: arguments used: stop Mar 10 14:18:54 jutta server: Mar 10, 2016 2:18:54 PM org.apache.catalina.core.StandardServer await Mar 10 14:18:54 jutta server: INFO: A valid shutdown command was received via the shutdown port. Stopping the Server instance. Mar 10 14:18:54 jutta server: PKIListener: org.apache.catalina.core.StandardServer[before_stop] Mar 10 14:18:54 jutta server: PKIListener: org.apache.catalina.core.StandardServer[stop] Mar 10 14:18:54 jutta server: PKIListener: org.apache.catalina.core.StandardServer[configure_stop] Mar 10 14:18:54 jutta server: Mar 10, 2016 2:18:54 PM org.apache.coyote.AbstractProtocol pause Mar 10 14:18:54 jutta server: INFO: Pausing ProtocolHandler ["http-bio-8080"] Mar 10 14:18:54 jutta systemd: Stopped PKI Tomcat Server pki-tomcat. Mar 10 14:18:54 jutta systemd: Configuration file /usr/lib/systemd/system/pki-tomcatd@.service is marked executable. Please remove executable permission bits. Proceeding anyway. Mar 10 14:18:54 jutta systemd: Configuration file /usr/lib/systemd/system/pki-tomcatd.target is marked executable. Please remove executable permission bits. Proceeding anyway.
Mar 10 14:18:54 jutta systemd: Configuration file /usr/lib/systemd/system/pki-tomcatd@.service is marked executable. Please remove executable permission bits. Proceeding anyway. Mar 10 14:18:54 jutta systemd: Configuration file /usr/lib/systemd/system/pki-tomcatd.target is marked executable. Please remove executable permission bits. Proceeding anyway. Mar 10 14:18:54 jutta systemd: Configuration file /usr/lib/systemd/system/pki-tomcatd@.service is marked executable. Please remove executable permission bits. Proceeding anyway. Mar 10 14:18:54 jutta systemd: Configuration file /usr/lib/systemd/system/pki-tomcatd.target is marked executable. Please remove executable permission bits. Proceeding anyway. Mar 10 14:18:54 jutta systemd: Starting PKI Tomcat Server pki-tomcat... Mar 10 14:18:55 jutta pkidaemon: SUCCESS: Successfully archived '/var/lib/pki/pki-tomcat/conf/ca/archives/CS.cfg.bak.20160310141855' Mar 10 14:18:55 jutta pkidaemon: SUCCESS: Successfully backed up '/var/lib/pki/pki-tomcat/conf/ca/CS.cfg.bak' Mar 10 14:18:55 jutta systemd: Started PKI Tomcat Server pki-tomcat.
Mar 10 14:18:55 jutta server: Java virtual machine used: /usr/lib/jvm/jre/bin/java Mar 10 14:18:55 jutta server: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar Mar 10 14:18:55 jutta server: main class used: org.apache.catalina.startup.Bootstrap Mar 10 14:18:55 jutta server: flags used: -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni Mar 10 14:18:55 jutta server: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.manager -Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy Mar 10 14:18:55 jutta server: arguments used: start Mar 10 14:18:55 jutta server: Mar 10, 2016 2:18:55 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:18:55 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'enableOCSP' to 'false' did not find a matching property. Mar 10 14:18:55 jutta server: Mar 10, 2016 2:18:55 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:18:55 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderURL' to 'http://jutta.cc.umanitoba.ca:9080/ca/ocsp' did not find a matching property. Mar 10 14:18:55 jutta server: Mar 10, 2016 2:18:55 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:18:55 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderCertNickname' to 'ocspSigningCert cert-pki-ca' did not find a matching property. 
Mar 10 14:18:55 jutta server: Mar 10, 2016 2:18:55 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:18:55 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspCacheSize' to '1000' did not find a matching property. Mar 10 14:18:55 jutta server: Mar 10, 2016 2:18:55 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:18:55 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMinCacheEntryDuration' to '60' did not find a matching property. Mar 10 14:18:55 jutta server: Mar 10, 2016 2:18:55 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:18:55 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMaxCacheEntryDuration' to '120' did not find a matching property. Mar 10 14:18:55 jutta server: Mar 10, 2016 2:18:55 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:18:55 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspTimeout' to '10' did not find a matching property. Mar 10 14:18:55 jutta server: Mar 10, 2016 2:18:55 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:18:56 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'strictCiphers' to 'true' did not find a matching property. Mar 10 14:18:56 jutta server: Mar 10, 2016 2:18:55 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:18:56 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslOptions' to 'ssl2=false,ssl3=false,tls=true' did not find a matching property. 
Mar 10 14:18:56 jutta server: Mar 10, 2016 2:18:56 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:18:56 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl2Ciphers' to '-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5' did not find a matching property. Mar 10 14:18:56 jutta server: Mar 10, 2016 2:18:56 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:18:56 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl3Ciphers' to '-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA' did not find a matching property. 
Mar 10 14:18:56 jutta server: Mar 10, 2016 2:18:56 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:18:56 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'tlsCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA' did not find a matching property. Mar 10 14:18:56 jutta server: Mar 10, 2016 2:18:56 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:18:56 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeStream' to 'tls1_0:tls1_2' did not find a matching property. Mar 10 14:18:56 jutta server: Mar 10, 2016 2:18:56 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:18:56 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeDatagram' to 'tls1_1:tls1_2' did not find a matching property. 
Mar 10 14:18:56 jutta server: Mar 10, 2016 2:18:56 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:18:56 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslRangeCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256' did not find a matching property. Mar 10 14:18:56 jutta server: Mar 10, 2016 2:18:56 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:18:56 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'serverCertNickFile' to '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did not find a matching property. 
Mar 10 14:18:56 jutta server: Mar 10, 2016 2:18:56 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:18:56 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not find a matching property. Mar 10 14:18:56 jutta server: Mar 10, 2016 2:18:56 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:18:56 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile' did not find a matching property. Mar 10 14:18:56 jutta server: Mar 10, 2016 2:18:56 PM org.apache.catalina.startup.SetAllPropertiesRule begin Mar 10 14:18:56 jutta server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching property. Mar 10 14:18:56 jutta server: Mar 10, 2016 2:18:56 PM org.apache.tomcat.util.digester.SetPropertiesRule begin Mar 10 14:18:56 jutta server: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlValidation' to 'false' did not find a matching property. Mar 10 14:18:56 jutta server: Mar 10, 2016 2:18:56 PM org.apache.tomcat.util.digester.SetPropertiesRule begin Mar 10 14:18:56 jutta server: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlNamespaceAware' to 'false' did not find a matching property. 
Mar 10 14:18:56 jutta server: PKIListener: org.apache.catalina.core.StandardServer[before_init] Mar 10 14:18:56 jutta server: Mar 10, 2016 2:18:56 PM org.apache.coyote.AbstractProtocol init Mar 10 14:18:56 jutta server: INFO: Initializing ProtocolHandler ["http-bio-8080"] Mar 10 14:18:56 jutta server: Mar 10, 2016 2:18:56 PM org.apache.coyote.AbstractProtocol init Mar 10 14:18:56 jutta server: INFO: Initializing ProtocolHandler ["http-bio-8443"] Mar 10 14:18:56 jutta server: Error: SSL cipher "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss Mar 10 14:18:56 jutta server: Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" not recognized by tomcatjss Mar 10 14:18:56 jutta server: Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" not recognized by tomcatjss Mar 10 14:18:56 jutta server: Error: SSL cipher "TLS_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss Mar 10 14:18:56 jutta server: Error: SSL cipher "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss Mar 10 14:18:56 jutta server: Error: SSL cipher "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss Mar 10 14:18:56 jutta server: Error: SSL cipher "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" unsupported by NSS Mar 10 14:18:56 jutta server: Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" unsupported by NSS Mar 10 14:18:56 jutta server: Mar 10, 2016 2:18:56 PM org.apache.coyote.AbstractProtocol init Mar 10 14:18:56 jutta server: INFO: Initializing ProtocolHandler ["ajp-bio-127.0.0.1-8009"] Mar 10 14:18:56 jutta server: PKIListener: org.apache.catalina.core.StandardServer[after_init] Mar 10 14:18:56 jutta server: Mar 10, 2016 2:18:56 PM org.apache.catalina.startup.Catalina load Mar 10 14:18:56 jutta server: INFO: Initialization processed in 841 ms Mar 10 14:18:56 jutta server: PKIListener: org.apache.catalina.core.StandardServer[before_start] Mar 10 14:18:56 jutta server: PKIListener: org.apache.catalina.core.StandardServer[configure_start] Mar 10 14:18:56 jutta 
server: PKIListener: org.apache.catalina.core.StandardServer[start] Mar 10 14:18:56 jutta server: Mar 10, 2016 2:18:56 PM org.apache.catalina.core.StandardService startInternal Mar 10 14:18:56 jutta server: INFO: Starting service Catalina Mar 10 14:18:56 jutta server: Mar 10, 2016 2:18:56 PM org.apache.catalina.core.StandardEngine startInternal Mar 10 14:18:56 jutta server: INFO: Starting Servlet Engine: Apache Tomcat/7.0.54 Mar 10 14:18:56 jutta server: Mar 10, 2016 2:18:56 PM org.apache.catalina.startup.HostConfig deployDescriptor Mar 10 14:18:56 jutta server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml Mar 10 14:18:58 jutta server: Mar 10, 2016 2:18:58 PM org.apache.catalina.startup.HostConfig deployDescriptor Mar 10 14:18:58 jutta server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml has finished in 1,615 ms Mar 10 14:18:58 jutta server: Mar 10, 2016 2:18:58 PM org.apache.catalina.startup.HostConfig deployDescriptor Mar 10 14:18:58 jutta server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki#admin.xml Mar 10 14:18:59 jutta server: Mar 10, 2016 2:18:59 PM org.apache.catalina.startup.HostConfig deployDescriptor Mar 10 14:18:59 jutta server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki#admin.xml has finished in 1,261 ms Mar 10 14:18:59 jutta server: Mar 10, 2016 2:18:59 PM org.apache.catalina.startup.HostConfig deployDescriptor Mar 10 14:18:59 jutta server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki#js.xml Mar 10 14:19:00 jutta server: Mar 10, 2016 2:19:00 PM org.apache.catalina.startup.HostConfig deployDescriptor Mar 10 14:19:00 jutta server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki#js.xml has finished in 904 ms Mar 10 14:19:00 jutta server: Mar 10, 2016 2:19:00 PM org.apache.catalina.startup.HostConfig 
deployDescriptor Mar 10 14:19:00 jutta server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml Mar 10 14:19:00 jutta server: SSLAuthenticatorWithFallback: Creating SSL authenticator with fallback Mar 10 14:19:00 jutta server: SSLAuthenticatorWithFallback: Setting container Mar 10 14:19:02 jutta server: SSLAuthenticatorWithFallback: Initializing authenticators Mar 10 14:19:02 jutta server: SSLAuthenticatorWithFallback: Starting authenticators Mar 10 14:19:12 jutta server: CA is started. Mar 10 14:19:12 jutta server: Mar 10, 2016 2:19:12 PM org.apache.catalina.startup.HostConfig deployDescriptor Mar 10 14:19:12 jutta server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml has finished in 12,388 ms Mar 10 14:19:12 jutta server: Mar 10, 2016 2:19:12 PM org.apache.coyote.AbstractProtocol start Mar 10 14:19:12 jutta server: INFO: Starting ProtocolHandler ["http-bio-8080"] Mar 10 14:19:12 jutta server: Mar 10, 2016 2:19:12 PM org.apache.coyote.AbstractProtocol start Mar 10 14:19:12 jutta server: INFO: Starting ProtocolHandler ["http-bio-8443"] Mar 10 14:19:12 jutta server: Mar 10, 2016 2:19:12 PM org.apache.coyote.AbstractProtocol start Mar 10 14:19:12 jutta server: INFO: Starting ProtocolHandler ["ajp-bio-127.0.0.1-8009"] Mar 10 14:19:12 jutta server: PKIListener: org.apache.catalina.core.StandardServer[after_start] Mar 10 14:19:12 jutta server: PKIListener: Subsystem CA is running. Mar 10 14:19:12 jutta server: Mar 10, 2016 2:19:12 PM org.apache.catalina.startup.Catalina start Mar 10 14:19:12 jutta server: INFO: Server startup in 16257 ms Mar 10 14:19:13 jutta systemd: Stopped Kerberos 5 KDC. Mar 10 14:20:01 jutta systemd: Created slice user-0.slice. Mar 10 14:20:01 jutta systemd: Starting user-0.slice. Mar 10 14:20:01 jutta systemd: Started Session 346 of user root. Mar 10 14:20:01 jutta systemd: Starting Session 346 of user root. Mar 10 14:20:01 jutta systemd: Removed slice user-0.slice. 
Mar 10 14:20:01 jutta systemd: Stopping user-0.slice. Mar 10 14:20:34 jutta ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available) Mar 10 14:20:36 jutta systemd: Starting Kerberos 5 KDC... Mar 10 14:20:38 jutta ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available) Mar 10 14:20:39 jutta systemd: Started Kerberos 5 KDC. Mar 10 14:20:39 jutta systemd: Reloading. Mar 10 14:20:40 jutta systemd: Configuration file /usr/lib/systemd/system/auditd.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway. Mar 10 14:20:40 jutta systemd: Configuration file /usr/lib/systemd/system/ebtables.service is marked executable. Please remove executable permission bits. Proceeding anyway. Mar 10 14:20:40 jutta systemd: Configuration file /usr/lib/systemd/system/pki-tomcatd at .service is marked executable. Please remove executable permission bits. Proceeding anyway. Mar 10 14:20:40 jutta systemd: Configuration file /usr/lib/systemd/system/pki-tomcatd.target is marked executable. Please remove executable permission bits. Proceeding anyway. Mar 10 14:20:43 jutta systemd: Starting Kerberos 5 Password-changing and Administration... Mar 10 14:20:53 jutta _kadmind: kadmind: kadmind: Server error while initializing, aborting Mar 10 14:20:53 jutta systemd: kadmin.service: control process exited, code=exited status=1 Mar 10 14:20:53 jutta systemd: Failed to start Kerberos 5 Password-changing and Administration. Mar 10 14:20:53 jutta systemd: Unit kadmin.service entered failed state. Mar 10 14:20:53 jutta systemd: kadmin.service failed. Mar 10 14:20:54 jutta ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available) Mar 10 14:20:56 jutta ns-slapd: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (No Kerberos credentials available) Mar 10 14:21:20 jutta ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available) Mar 10 14:22:07 jutta ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available) Mar 10 14:23:43 jutta ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available) Mar 10 14:26:55 jutta ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available) Mar 10 14:30:01 jutta systemd: Created slice user-0.slice. Mar 10 14:30:01 jutta systemd: Starting user-0.slice. Mar 10 14:30:01 jutta systemd: Started Session 347 of user root. Mar 10 14:30:01 jutta systemd: Starting Session 347 of user root. Mar 10 14:30:01 jutta systemd: Removed slice user-0.slice. Mar 10 14:30:01 jutta systemd: Stopping user-0.slice. Mar 10 14:31:55 jutta ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available) Mar 10 14:36:55 jutta ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available) Mar 10 14:37:49 jutta systemd: Starting Cleanup of Temporary Directories... Mar 10 14:37:49 jutta systemd: Started Cleanup of Temporary Directories. Mar 10 14:40:01 jutta systemd: Created slice user-0.slice. Mar 10 14:40:01 jutta systemd: Starting user-0.slice. Mar 10 14:40:01 jutta systemd: Started Session 348 of user root. Mar 10 14:40:01 jutta systemd: Starting Session 348 of user root. Mar 10 14:40:01 jutta systemd: Removed slice user-0.slice. Mar 10 14:40:01 jutta systemd: Stopping user-0.slice. Mar 10 14:41:55 jutta ns-slapd: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (No Kerberos credentials available)

From mkosek at redhat.com Fri Mar 11 08:20:06 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 11 Mar 2016 09:20:06 +0100
Subject: [Freeipa-users] Lock screen when Smart Card is removed.
In-Reply-To: <_1ZpdFsXKWmdSYRSYk8Xc0Aor5jcUaVJofpJ1Wy9L8SxyPeFTZrMhA@cipher.nrlssc.navy.mil>
References: <_1ZpdFsXKWmdSYRSYk8Xc0Aor5jcUaVJofpJ1Wy9L8SxyPeFTZrMhA@cipher.nrlssc.navy.mil>
Message-ID: <56E27FB6.80003@redhat.com>

On 03/10/2016 08:36 PM, Michael Rainey (Contractor) wrote:
> Greetings,
>
> I have been adding systems to my new domain and utilizing the smart card login
> feature. To date the smart card login feature is working very well. However,
> my group has been trying to implement locking the screen when the smart card is
> removed, but have not been successful at making it work. Does anyone have any
> suggestions as to what it would take to enable locking the screen when the
> smart card is removed.
>
> Thank you in advance.

Hi Michal,

What system are you using? For Fedora/RHEL like systems, there is authconfig
that can set this up in PAM (--smartcardaction=0):

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards-cmd

HTH,
Martin

From sbose at redhat.com Fri Mar 11 08:32:23 2016
From: sbose at redhat.com (Sumit Bose)
Date: Fri, 11 Mar 2016 09:32:23 +0100
Subject: [Freeipa-users] Lock screen when Smart Card is removed.
In-Reply-To: <_1ZpdFsXKWmdSYRSYk8Xc0Aor5jcUaVJofpJ1Wy9L8SxyPeFTZrMhA@cipher.nrlssc.navy.mil>
References: <_1ZpdFsXKWmdSYRSYk8Xc0Aor5jcUaVJofpJ1Wy9L8SxyPeFTZrMhA@cipher.nrlssc.navy.mil>
Message-ID: <20160311083222.GF3059@p.redhat.com>

On Thu, Mar 10, 2016 at 01:36:15PM -0600, Michael Rainey (Contractor) wrote:
> Greetings,
>
> I have been adding systems to my new domain and utilizing the smart card
> login feature. To date the smart card login feature is working very well.
> However, my group has been trying to implement locking the screen when the
> smart card is removed, but have not been successful at making it work. Does
> anyone have any suggestions as to what it would take to enable locking the
> screen when the smart card is removed.

This requires a better integration with gdm which is currently WIP
(https://fedorahosted.org/sssd/ticket/2941). If you don't mind please
ping me in about a week about this again, then I might have done some
more testing.

bye,
Sumit

>
> Thank you in advance.
> --
> *Michael Rainey*

> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From sbose at redhat.com Fri Mar 11 08:35:10 2016
From: sbose at redhat.com (Sumit Bose)
Date: Fri, 11 Mar 2016 09:35:10 +0100
Subject: [Freeipa-users] Lock screen when Smart Card is removed.
In-Reply-To: <56E27FB6.80003@redhat.com>
References: <_1ZpdFsXKWmdSYRSYk8Xc0Aor5jcUaVJofpJ1Wy9L8SxyPeFTZrMhA@cipher.nrlssc.navy.mil> <56E27FB6.80003@redhat.com>
Message-ID: <20160311083510.GG3059@p.redhat.com>

On Fri, Mar 11, 2016 at 09:20:06AM +0100, Martin Kosek wrote:
> On 03/10/2016 08:36 PM, Michael Rainey (Contractor) wrote:
> > Greetings,
> >
> > I have been adding systems to my new domain and utilizing the smart card login
> > feature. To date the smart card login feature is working very well. However,
> > my group has been trying to implement locking the screen when the smart card is
> > removed, but have not been successful at making it work. Does anyone have any
> > suggestions as to what it would take to enable locking the screen when the
> > smart card is removed.
> >
> > Thank you in advance.
>
> Hi Michal,
>
> What system are you using? For Fedora/RHEL like systems, there is authconfig
> that can set this up in PAM (--smartcardaction=0):
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards-cmd

authconfig will currently configure Smartcard authentication based on
pam_pkcs11 and pam_krb5. It is not recommended to use it if you want to
use Smartcard authentication with SSSD.

bye,
Sumit

>
> HTH,
> Martin
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From tbordaz at redhat.com Fri Mar 11 08:40:48 2016
From: tbordaz at redhat.com (thierry bordaz)
Date: Fri, 11 Mar 2016 09:40:48 +0100
Subject: [Freeipa-users] ipa-replica-install IPA startup timing issue
In-Reply-To: <56E1F0E4.9080605@umanitoba.ca>
References: <56E1F0E4.9080605@umanitoba.ca>
Message-ID: <56E28490.6030406@redhat.com>

Hello Deryl,

My understanding is that ns-slapd is first slow to startup. Then when
krb5kdc is starting it may load ns-slapd.

We identified krb5kdc may be impacted by the number of users accounts.
From the ns-slapd errors log it is not clear why it is so slow to start.

Would you provide the ns-slapd access logs from that period.

Also in order to know where ns-slapd is spending time, it would really
help if you can get regular (each 5s) pstacks (with 389-ds-debuginfo),
during DS startup and then later during krb5kdc startup.

best regards
thierry

On 03/10/2016 11:10 PM, Daryl Fonseca-Holt wrote:
> Environment:
> RHEL 7.2
> IPA 4.2.0-15
> nss 3.19.1-19
> 389-ds-base 1.3.4.0-26
> sssd 1.13.0-40
>
>
> I've encountered this problem in IPA 3.0.0 but hoped it was addressed
> in 4.2.0.
>
> Trying to set up a replica of a master with 150,000+ user accounts,
> NIS and Schema Compatability enabled on the master.
>
> During ipa-replica-install it attempts to start IPA.
dirsrv starts, > krb5kdc starts, but then kadmind fails because krb5kdc has gone missing. > > This happens during restart of IPA in version 3.0.0 too. There it can > be overcome by manually starting each component of IPA _but_ waiting > until ns-slapd- has settled down (as seen from top) before > starting krb5kdc. I also think that the startup of krb5kdc loads the > LDAP instance quite a bit. > > There is a problem in the startup logic where dirsrv is so busy that > even though krb5kdc successfully starts and allows the kadmin to begin > kdb5kdc is not really able to do its duties. > > I'm reporting this since there must be some way to delay the start of > krb5kdc and then kadmind until ns-slapd- is really open for > business. > > # systemctl status krb5kdc.service > ? krb5kdc.service - Kerberos 5 KDC > Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; > vendor preset: disabled) > Active: inactive (dead) > > Mar 10 14:19:13 jutta.cc.umanitoba.ca systemd[1]: Stopped Kerberos 5 KDC. > Mar 10 14:20:36 jutta.cc.umanitoba.ca systemd[1]: Starting Kerberos 5 > KDC... > Mar 10 14:20:39 jutta.cc.umanitoba.ca systemd[1]: Started Kerberos 5 KDC. > > # systemctl status krb5kdc.service > ? krb5kdc.service - Kerberos 5 KDC > Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; > vendor preset: disabled) > Active: inactive (dead) > > Mar 10 14:19:13 jutta.cc.umanitoba.ca systemd[1]: Stopped Kerberos 5 KDC. > Mar 10 14:20:36 jutta.cc.umanitoba.ca systemd[1]: Starting Kerberos 5 > KDC... > Mar 10 14:20:39 jutta.cc.umanitoba.ca systemd[1]: Started Kerberos 5 KDC. > > journalctl -xe was stale by the time I got to it so I've attached > /var/log/messages instead. 
> > The log from ipa-replica-install (with -d) is at > http://home.cc.umanitoba.ca/~fonsecah/ipa/ipareplica-install.log > The console script (mostly the same as the log but with my entries) is > at http://home.cc.umanitoba.ca/~fonsecah/ipa/ipa-replica-install.console > The /var/log/dirsrv/ns-slapd- access log is at > http://home.cc.umanitoba.ca/~fonsecah/ipa/access > > Regards, Daryl > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From mkosek at redhat.com Fri Mar 11 08:48:23 2016 From: mkosek at redhat.com (Martin Kosek) Date: Fri, 11 Mar 2016 09:48:23 +0100 Subject: [Freeipa-users] devconf.cz talks about FreeIPA In-Reply-To: <20160207185648.GD12787@redhat.com> References: <20160207185648.GD12787@redhat.com> Message-ID: <56E28657.2030502@redhat.com> On 02/07/2016 07:56 PM, Alexander Bokovoy wrote: ... > FreeIPA workshop by Torsted Scherf and German Parente > Part1: https://youtu.be/cxRK1MExMsc?t=4m57s > Part2: https://www.youtube.com/watch?v=RBzL1_3nKH4 Just for the record, the workshop was acknowledged as one of the best sessions on Devconf! Which says a lot, given there was 200+ sessions! http://devconf.cz/3-best-presentations Martin From Daryl.Fonseca-Holt at umanitoba.ca Fri Mar 11 13:52:12 2016 From: Daryl.Fonseca-Holt at umanitoba.ca (Daryl Fonseca-Holt) Date: Fri, 11 Mar 2016 07:52:12 -0600 Subject: [Freeipa-users] ipa-replica-install IPA startup timing issue In-Reply-To: <56E28490.6030406@redhat.com> References: <56E1F0E4.9080605@umanitoba.ca> <56E28490.6030406@redhat.com> Message-ID: <56E2CD8C.9000808@umanitoba.ca> On 03/11/16 02:40, thierry bordaz wrote: > Hello Deryl, > > My understanding is that ns-slapd is first slow to startup. Then > when krb5kdc is starting it may load ns-slapd. > > We identified krb5kdc may be impacted by the number of users accounts. > From the ns-slapd errors log it is not clear why it is so slow to > start. > > Would you provide the ns-slapd access logs from that period. 
> I provided the one from the instance at the link below because it was too large to attach to the e-mail. Or is their some other log showing what's needed? Or some debug option I need to turn up? > > Also in order to know where ns-slapd is spending time, it would > really help if you can get regular (each 5s) pstacks (with > 389-ds-debuginfo), during DS startup and then later during krb5kdc > startup. > Will do but it will be next week before I can get it. I have an all-day first aid and safety training course today. > best regards > thierry > > > On 03/10/2016 11:10 PM, Daryl Fonseca-Holt wrote: >> Environment: >> RHEL 7.2 >> IPA 4.2.0-15 >> nss 3.19.1-19 >> 389-ds-base 1.3.4.0-26 >> sssd 1.13.0-40 >> >> >> I've encountered this problem in IPA 3.0.0 but hoped it was addressed >> in 4.2.0. >> >> Trying to set up a replica of a master with 150,000+ user accounts, >> NIS and Schema Compatability enabled on the master. >> >> During ipa-replica-install it attempts to start IPA. dirsrv starts, >> krb5kdc starts, but then kadmind fails because krb5kdc has gone missing. >> >> This happens during restart of IPA in version 3.0.0 too. There it can >> be overcome by manually starting each component of IPA _but_ waiting >> until ns-slapd- has settled down (as seen from top) before >> starting krb5kdc. I also think that the startup of krb5kdc loads the >> LDAP instance quite a bit. >> >> There is a problem in the startup logic where dirsrv is so busy that >> even though krb5kdc successfully starts and allows the kadmin to >> begin kdb5kdc is not really able to do its duties. >> >> I'm reporting this since there must be some way to delay the start of >> krb5kdc and then kadmind until ns-slapd- is really open for >> business. >> >> # systemctl status krb5kdc.service >> ? 
krb5kdc.service - Kerberos 5 KDC >> Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; >> vendor preset: disabled) >> Active: inactive (dead) >> >> Mar 10 14:19:13 jutta.cc.umanitoba.ca systemd[1]: Stopped Kerberos 5 >> KDC. >> Mar 10 14:20:36 jutta.cc.umanitoba.ca systemd[1]: Starting Kerberos 5 >> KDC... >> Mar 10 14:20:39 jutta.cc.umanitoba.ca systemd[1]: Started Kerberos 5 >> KDC. >> >> # systemctl status krb5kdc.service >> ? krb5kdc.service - Kerberos 5 KDC >> Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; >> vendor preset: disabled) >> Active: inactive (dead) >> >> Mar 10 14:19:13 jutta.cc.umanitoba.ca systemd[1]: Stopped Kerberos 5 >> KDC. >> Mar 10 14:20:36 jutta.cc.umanitoba.ca systemd[1]: Starting Kerberos 5 >> KDC... >> Mar 10 14:20:39 jutta.cc.umanitoba.ca systemd[1]: Started Kerberos 5 >> KDC. >> >> journalctl -xe was stale by the time I got to it so I've attached >> /var/log/messages instead. >> >> The log from ipa-replica-install (with -d) is at >> http://home.cc.umanitoba.ca/~fonsecah/ipa/ipareplica-install.log >> The console script (mostly the same as the log but with my entries) >> is at >> http://home.cc.umanitoba.ca/~fonsecah/ipa/ipa-replica-install.console >> The /var/log/dirsrv/ns-slapd- access log is at >> http://home.cc.umanitoba.ca/~fonsecah/ipa/access >> >> Regards, Daryl >> >> >> > -- -- Daryl Fonseca-Holt IST/CNS/Unix Server Team University of Manitoba 204.480.1079 -------------- next part -------------- An HTML attachment was scrubbed... URL: From tbordaz at redhat.com Fri Mar 11 16:05:27 2016 From: tbordaz at redhat.com (thierry bordaz) Date: Fri, 11 Mar 2016 17:05:27 +0100 Subject: [Freeipa-users] ipa-replica-install IPA startup timing issue In-Reply-To: <56E2CD8C.9000808@umanitoba.ca> References: <56E1F0E4.9080605@umanitoba.ca> <56E28490.6030406@redhat.com> <56E2CD8C.9000808@umanitoba.ca> Message-ID: <56E2ECC7.1080302@redhat.com> Daryl, Thanks for your help for grabbing additional data. 
I am afraid any debug option at DS level would make it worse. Also there are several debug options so first we need to know what is the potential culprit to turn one only the right level. I will look at the errors/access (sorry I missed the link) and will be back to you. have a good week end thierry On 03/11/2016 02:52 PM, Daryl Fonseca-Holt wrote: > > > On 03/11/16 02:40, thierry bordaz wrote: >> Hello Deryl, >> >> My understanding is that ns-slapd is first slow to startup. Then >> when krb5kdc is starting it may load ns-slapd. >> >> We identified krb5kdc may be impacted by the number of users >> accounts. >> From the ns-slapd errors log it is not clear why it is so slow to >> start. >> >> Would you provide the ns-slapd access logs from that period. >> > > I provided the one from the instance at the link below because it was > too large to attach to the e-mail. Or is their some other log showing > what's needed? Or some debug option I need to turn up? >> >> Also in order to know where ns-slapd is spending time, it would >> really help if you can get regular (each 5s) pstacks (with >> 389-ds-debuginfo), during DS startup and then later during >> krb5kdc startup. >> > Will do but it will be next week before I can get it. I have an > all-day first aid and safety training course today. > >> best regards >> thierry >> >> >> On 03/10/2016 11:10 PM, Daryl Fonseca-Holt wrote: >>> Environment: >>> RHEL 7.2 >>> IPA 4.2.0-15 >>> nss 3.19.1-19 >>> 389-ds-base 1.3.4.0-26 >>> sssd 1.13.0-40 >>> >>> >>> I've encountered this problem in IPA 3.0.0 but hoped it was >>> addressed in 4.2.0. >>> >>> Trying to set up a replica of a master with 150,000+ user accounts, >>> NIS and Schema Compatability enabled on the master. >>> >>> During ipa-replica-install it attempts to start IPA. dirsrv starts, >>> krb5kdc starts, but then kadmind fails because krb5kdc has gone >>> missing. >>> >>> This happens during restart of IPA in version 3.0.0 too. 
There it >>> can be overcome by manually starting each component of IPA _but_ >>> waiting until ns-slapd- has settled down (as seen from >>> top) before starting krb5kdc. I also think that the startup of >>> krb5kdc loads the LDAP instance quite a bit. >>> >>> There is a problem in the startup logic where dirsrv is so busy that >>> even though krb5kdc successfully starts and allows the kadmin to >>> begin kdb5kdc is not really able to do its duties. >>> >>> I'm reporting this since there must be some way to delay the start >>> of krb5kdc and then kadmind until ns-slapd- is really open >>> for business. >>> >>> # systemctl status krb5kdc.service >>> ? krb5kdc.service - Kerberos 5 KDC >>> Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; >>> disabled; vendor preset: disabled) >>> Active: inactive (dead) >>> >>> Mar 10 14:19:13 jutta.cc.umanitoba.ca systemd[1]: Stopped Kerberos 5 >>> KDC. >>> Mar 10 14:20:36 jutta.cc.umanitoba.ca systemd[1]: Starting Kerberos >>> 5 KDC... >>> Mar 10 14:20:39 jutta.cc.umanitoba.ca systemd[1]: Started Kerberos 5 >>> KDC. >>> >>> # systemctl status krb5kdc.service >>> ? krb5kdc.service - Kerberos 5 KDC >>> Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; >>> disabled; vendor preset: disabled) >>> Active: inactive (dead) >>> >>> Mar 10 14:19:13 jutta.cc.umanitoba.ca systemd[1]: Stopped Kerberos 5 >>> KDC. >>> Mar 10 14:20:36 jutta.cc.umanitoba.ca systemd[1]: Starting Kerberos >>> 5 KDC... >>> Mar 10 14:20:39 jutta.cc.umanitoba.ca systemd[1]: Started Kerberos 5 >>> KDC. >>> >>> journalctl -xe was stale by the time I got to it so I've attached >>> /var/log/messages instead. 
>>>
>>> The log from ipa-replica-install (with -d) is at
>>> http://home.cc.umanitoba.ca/~fonsecah/ipa/ipareplica-install.log
>>> The console script (mostly the same as the log but with my entries)
>>> is at
>>> http://home.cc.umanitoba.ca/~fonsecah/ipa/ipa-replica-install.console
>>> The /var/log/dirsrv/ns-slapd- access log is at
>>> http://home.cc.umanitoba.ca/~fonsecah/ipa/access
>>>
>>> Regards, Daryl
>>>
>>>
>>>
>>
>
> --
> --
> Daryl Fonseca-Holt
> IST/CNS/Unix Server Team
> University of Manitoba
> 204.480.1079

From prashant at apigee.com Fri Mar 11 16:42:49 2016
From: prashant at apigee.com (Prashant Bapat)
Date: Fri, 11 Mar 2016 22:12:49 +0530
Subject: [Freeipa-users] read-only service account - aci
Message-ID:

Hi,

I'm trying to use IPA's LDAP server as the user data base for an external
application.

I have created a service account from ldif below.

dn: uid=srv-ro,cn=sysaccounts,cn=etc,dc=example,dc=com
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: system
userPassword: changeme!
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0

This works fine. My question is what's the ACI associated with this new user?
Does this user have read-only access to everything in LDAP? Or should I
add/tune the ACI.

Thanks.
--Prashant

From aebruno2 at buffalo.edu Sat Mar 12 15:02:02 2016
From: aebruno2 at buffalo.edu (Andrew E. Bruno)
Date: Sat, 12 Mar 2016 10:02:02 -0500
Subject: [Freeipa-users] ipa replica failed PR_DeleteSemaphore
In-Reply-To: <56E05874.5020907@redhat.com>
References: <20160309144657.GA24736@dead.ccr.buffalo.edu> <56E03D98.9030705@redhat.com> <20160309153705.GB24736@dead.ccr.buffalo.edu> <20160309154631.GC24736@dead.ccr.buffalo.edu> <56E04D9E.2040005@redhat.com> <20160309165139.GD24736@dead.ccr.buffalo.edu> <56E05874.5020907@redhat.com>
Message-ID: <20160312150202.GA13162@dead.ccr.buffalo.edu>

On Wed, Mar 09, 2016 at 06:08:04PM +0100, Ludwig Krispenz wrote:
>
> On 03/09/2016 05:51 PM, Andrew E. Bruno wrote:
> >On Wed, Mar 09, 2016 at 05:21:50PM +0100, Ludwig Krispenz wrote:
> >
> >[09/Mar/2016:11:33:03 -0500] NSMMReplicationPlugin - changelog program - _cl5NewDBFile: PR_DeleteSemaphore: /var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/ed35d212-2cb811e5-af63d574-de3f6355.sema; NSPR error - -5943
> if ds is cleanly shutdown this file should be removed, if ds is killed it
> remains and should be recreated at restart, which fails. could you try
> another stop, remove the file manually and start again ?
> >
> >

We had our replicas crash again. Curious if it's safe to delete the other
db files as well:

ls -alh /var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/

30 DBVERSION
6.8G ed35d212-2cb811e5-af63d574-de3f6355_55a95591000000040000.db
0 ed35d212-2cb811e5-af63d574-de3f6355.sema
18M f32bb356-2cb811e5-af63d574-de3f6355_55a955ca000000600000.db
0 f32bb356-2cb811e5-af63d574-de3f6355.sema

Should all these files be deleted if the ds is cleanly shutdown? or should we
only remove the *.sema files.

Thanks,

--Andrew

From brad.bendy at gmail.com Sat Mar 12 15:47:08 2016
From: brad.bendy at gmail.com (Brad Bendy)
Date: Sat, 12 Mar 2016 08:47:08 -0700
Subject: [Freeipa-users] YUbiKey for HOTP auth
Message-ID:

Hi,

YubiKey supports HOTP it appears, but I'm having a heck of a time
getting the token to add FreeIPA. The YubiKey tool gives me the OATH
Token which is 6 bytes and the secret key in 20 bytes hex. I've entered
the secret key and OATH token into the "key" field, I've tried all
algorithms and get the error of "invalid 'ipatokenotpkey': Non-base32
digit found"

Am I missing something? Or is this just not possible at all? I can't
find any documentation on Google saying how to set these up.

Thanks!

From brad.bendy at gmail.com Sat Mar 12 16:23:40 2016
From: brad.bendy at gmail.com (Brad Bendy)
Date: Sat, 12 Mar 2016 09:23:40 -0700
Subject: [Freeipa-users] YUbiKey for HOTP auth
In-Reply-To:
References:
Message-ID:

After doing some more trial and error I got it to work.

Take the 20 byte secret key, remove the spaces and convert to base 32.
Also disable OATH Token Identifier in the YubiKey tool.

I used this tool to convert it
http://tomeko.net/online_tools/hex_to_base32.php?lang=en

Then take that base32 value and insert into the secret field on
FreeIPA add token screen and you're good to go, I used sha1 for
algorithm.

On Sat, Mar 12, 2016 at 8:47 AM, Brad Bendy wrote:
> Hi,
>
> YubiKey supports HOTP it appears, but I'm having a heck of a time
> getting the token to add FreeIPA. The YubiKey tool gives me the OATH
> Token which is 6 bytes and the secret key in 20 bytes hex. I've entered
> the secret key and OATH token into the "key" field, I've tried all
> algorithms and get the error of "invalid 'ipatokenotpkey': Non-base32
> digit found"
>
> Am I missing something? Or is this just not possible at all? I can't
> find any documentation on Google saying how to set these up.
>
> Thanks!

From mexigabacho at gmail.com Sun Mar 13 01:16:54 2016
From: mexigabacho at gmail.com (Christopher Young)
Date: Sat, 12 Mar 2016 20:16:54 -0500
Subject: [Freeipa-users] YUbiKey for HOTP auth
In-Reply-To:
References:
Message-ID:

This is great work. Could you perhaps write up a Howto of some sort? I
could definitely use this!

On Mar 12, 2016 11:27 AM, "Brad Bendy" wrote:
> After doing some more trial and error I got it to work.
>
> Take the 20 byte secret key, remove the spaces and convert to base 32.
> Also disable OATH Token Identifier in the YubiKey tool.
>
> I used this tool to convert it
> http://tomeko.net/online_tools/hex_to_base32.php?lang=en
>
> Then take that base32 value and insert into the secret field on
> FreeIPA add token screen and you're good to go, I used sha1 for
> algorithm.
>
> On Sat, Mar 12, 2016 at 8:47 AM, Brad Bendy wrote:
> > Hi,
> >
> > YubiKey supports HOTP it appears, but I'm having a heck of a time
> > getting the token to add FreeIPA. The YubiKey tool gives me the OATH
> > Token which is 6 bytes and the secret key in 20 bytes hex. I've entered
> > the secret key and OATH token into the "key" field, I've tried all
> > algorithms and get the error of "invalid 'ipatokenotpkey': Non-base32
> > digit found"
> >
> > Am I missing something? Or is this just not possible at all? I can't
> > find any documentation on Google saying how to set these up.
> >
> > Thanks!
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>

From peljasz at yahoo.co.uk Sun Mar 13 11:00:33 2016
From: peljasz at yahoo.co.uk (lejeczek)
Date: Sun, 13 Mar 2016 11:00:33 +0000
Subject: [Freeipa-users] krb5_server in sssd.conf after ipa-server-install
Message-ID: <56E54851.8000904@yahoo.co.uk>

hi everybody

I've newly installed IPA and install process configured krb5_server,
put it in already existing domain which was ldap backend.
But that domain (default) is not included in [sssd] domains, install
process it, and I wonder what's the impact of it and what's the
meaning of krb5_server. I did not find anything in man pages.

regards
L.
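
Added example (not part of any post in this archive): the hex-to-base32 step from the "YUbiKey for HOTP auth" thread above, done locally in Python so the token seed does not have to be pasted into an online converter, with an RFC 4226 HOTP check to confirm the converted key yields the expected codes. The sample secret is the published RFC 4226 test key used as constructed input, and all function names are illustrative.

```python
import base64
import binascii
import hashlib
import hmac
import struct

# Constructed sample: the RFC 4226 test key ("12345678901234567890"),
# written as spaced hex, the form the thread says the YubiKey tool shows.
SAMPLE_HEX_SECRET = "31 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 37 38 39 30"


def is_base32(value):
    """Return True if value decodes as RFC 4648 base32 (alphabet A-Z, 2-7)."""
    try:
        base64.b32decode(value)
        return True
    except (binascii.Error, ValueError):
        return False


def hex_secret_to_base32(hex_secret, expected_len=20):
    """Strip whitespace from a hex secret and re-encode its bytes as base32."""
    compact = "".join(hex_secret.split())
    try:
        raw = bytes.fromhex(compact)
    except ValueError:
        raise ValueError("secret is not valid hex") from None
    if len(raw) != expected_len:
        raise ValueError(
            "expected %d secret bytes, got %d" % (expected_len, len(raw))
        )
    # 20 bytes is 160 bits, so the result is 32 characters with no '=' padding.
    return base64.b32encode(raw).decode("ascii")


def hotp(base32_secret, counter, digits=6):
    """RFC 4226 HOTP with HMAC-SHA1 (the 'sha1' algorithm used in the thread)."""
    key = base64.b32decode(base32_secret)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


if __name__ == "__main__":
    compact_hex = "".join(SAMPLE_HEX_SECRET.split())
    # Hex uses the digits 0, 1, 8 and 9, none of which are base32 symbols,
    # so a hex string entered as the key is not valid base32.
    print("hex accepted as base32:", is_base32(compact_hex))
    key = hex_secret_to_base32(SAMPLE_HEX_SECRET)
    print("base32 key:", key)
    print("first HOTP codes:", [hotp(key, c) for c in range(3)])
```

Comparing the first codes computed here with what the token emits after it is programmed is a quick way to confirm the seed, counter and digit count agree before enrolling it.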
From abokovoy at redhat.com Sun Mar 13 11:05:39 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Sun, 13 Mar 2016 13:05:39 +0200
Subject: [Freeipa-users] krb5_server in sssd.conf after ipa-server-install
In-Reply-To: <56E54851.8000904@yahoo.co.uk>
References: <56E54851.8000904@yahoo.co.uk>
Message-ID: <20160313110539.GU4492@redhat.com>

On Sun, 13 Mar 2016, lejeczek wrote:
>hi everybody
>
>I've newly installed IPA and install process configured krb5_server,
>put it in already existing domain which was ldap backend.
>But that domain (default) is not included in [sssd] domains, install
>process it, and I wonder what's the impact of it and what's the
>meaning of krb5_server. I did not find anything in man pages.
Can you show your config files to explain what you tried to say?
Frankly, I didn't understand a word.

--
/ Alexander Bokovoy

From peljasz at yahoo.co.uk Sun Mar 13 11:27:28 2016
From: peljasz at yahoo.co.uk (lejeczek)
Date: Sun, 13 Mar 2016 11:27:28 +0000
Subject: [Freeipa-users] krb5_server in sssd.conf after ipa-server-install
In-Reply-To: <20160313110539.GU4492@redhat.com>
References: <56E54851.8000904@yahoo.co.uk> <20160313110539.GU4492@redhat.com>
Message-ID: <56E54EA0.9050101@yahoo.co.uk>

IPA install process configured in sssd.conf:

[domain/new.Domain]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = newDomain
id_provider = ipa
...
...
[domain/default] # < this is ldap that existed before, krb5 related options are new additions
autofs_provider = ldap
cache_credentials = True
krb5_realm = new.Domain
ldap_search_base = dc=old,dc=domain
id_provider = ldap
krb5_server = a.host

[sssd]
services = nss, sudo, pam, autofs, ssh
config_file_version = 2
domains =new.Domain

so here I wonder, what's the meaning of krb5 related options and why
install process put it into default domain which it did not include
later in sssd section.

thanks

On 13/03/16 11:05, Alexander Bokovoy wrote:
> On Sun, 13 Mar 2016, lejeczek wrote:
>> hi everybody
>>
>> I've newly installed IPA and install process configured
>> krb5_server, put it in already existing domain which was
>> ldap backend.
>> But that domain (default) is not included in [sssd]
>> domains, install process it, and I wonder what's the
>> impact of it and what's the meaning of krb5_server. I did
>> not find anything in man pages.
> Can you show your config files to explain what you tried
> to say?
> Frankly, I didn't understand a word.

From abokovoy at redhat.com Sun Mar 13 13:34:27 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Sun, 13 Mar 2016 15:34:27 +0200
Subject: [Freeipa-users] krb5_server in sssd.conf after ipa-server-install
In-Reply-To: <56E54EA0.9050101@yahoo.co.uk>
References: <56E54851.8000904@yahoo.co.uk> <20160313110539.GU4492@redhat.com> <56E54EA0.9050101@yahoo.co.uk>
Message-ID: <20160313133427.GV4492@redhat.com>

On Sun, 13 Mar 2016, lejeczek wrote:
>IPA install process configured in sssd.conf:
>[domain/new.Domain]
>cache_credentials = True
>krb5_store_password_if_offline = True
>ipa_domain = newDomain
>id_provider = ipa
>...
>...
>[domain/default] # < this is ldap that existed before, krb5 related
>options are new additions
>autofs_provider = ldap
>cache_credentials = True
>krb5_realm = new.Domain
>ldap_search_base = dc=old,dc=domain
>id_provider = ldap
>krb5_server = a.host
>
>[sssd]
>services = nss, sudo, pam, autofs, ssh
>config_file_version = 2
>domains =new.Domain
>
>so here I wonder, what's the meaning of krb5 related options and why
>install process put it into default domain which it did not include
>later in sssd section.
FreeIPA installer doesn't touch 'default' domain section at all. It
always operates on the section named 'domain/'.

It also adds 'krb5_realm' line only in case your and realm
are different. For example, if you have DNS domain example.com and
Kerberos realm EXAMPLE.NET, then [domain/example.com] will get

krb5_realm = EXAMPLE.NET

added to the section.

Looks like you had something previously on this machine using SSSD and
configuring it with [domain/default] section.

--
/ Alexander Bokovoy

From jhrozek at redhat.com Sun Mar 13 16:33:40 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Sun, 13 Mar 2016 17:33:40 +0100
Subject: [Freeipa-users] krb5_server in sssd.conf after ipa-server-install
In-Reply-To: <20160313133427.GV4492@redhat.com>
References: <56E54851.8000904@yahoo.co.uk> <20160313110539.GU4492@redhat.com> <56E54EA0.9050101@yahoo.co.uk> <20160313133427.GV4492@redhat.com>
Message-ID: <20160313163340.GA3327@hendrix>

On Sun, Mar 13, 2016 at 03:34:27PM +0200, Alexander Bokovoy wrote:
> On Sun, 13 Mar 2016, lejeczek wrote:
> >IPA install process configured in sssd.conf:
> >[domain/new.Domain]
> >cache_credentials = True
> >krb5_store_password_if_offline = True
> >ipa_domain = newDomain
> >id_provider = ipa
> >...
> >...
> >[domain/default] # < this is ldap that existed before, krb5 related
> >options are new additions
> >autofs_provider = ldap
> >cache_credentials = True
> >krb5_realm = new.Domain
> >ldap_search_base = dc=old,dc=domain
> >id_provider = ldap
> >krb5_server = a.host
> >
> >[sssd]
> >services = nss, sudo, pam, autofs, ssh
> >config_file_version = 2
> >domains =new.Domain
> >
> >so here I wonder, what's the meaning of krb5 related options and why
> >install process put it into default domain which it did not include later
> >in sssd section.
> FreeIPA installer doesn't touch 'default' domain section at all. It
> always operates on the section named 'domain/'.

'default' is the reserved name that authconfig uses. I also wonder why
does the domain use id_provider=ldap..
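
Added example (not from any poster here, nor from the FreeIPA or SSSD projects): a Python check that reports which [domain/...] sections of an sssd.conf are named in the `domains` option of [sssd], and which unlisted sections still carry krb5_* settings, run on a constructed copy of the configuration quoted in this thread. It assumes the `domains` list alone decides which domain sections SSSD uses; the function names are illustrative.

```python
import configparser

# Constructed copy of the sssd.conf quoted in the thread; the lines the
# poster elided with "..." are simply left out.
SAMPLE_SSSD_CONF = """\
[domain/new.Domain]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = newDomain
id_provider = ipa

[domain/default]
autofs_provider = ldap
cache_credentials = True
krb5_realm = new.Domain
ldap_search_base = dc=old,dc=domain
id_provider = ldap
krb5_server = a.host

[sssd]
services = nss, sudo, pam, autofs, ssh
config_file_version = 2
domains =new.Domain
"""


def audit_sssd_domains(conf_text):
    """Return (report, unknown).

    report maps each [domain/NAME] section to whether NAME is listed in
    the [sssd] 'domains' option, its id_provider and its krb5_* options.
    unknown lists names from 'domains' that have no matching section.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)

    # SSSD queries the domains named here, in this order.
    listed = [
        name.strip()
        for name in parser.get("sssd", "domains", fallback="").split(",")
        if name.strip()
    ]

    report = {}
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        name = section[len("domain/"):]
        report[name] = {
            "active": name in listed,
            "id_provider": parser.get(section, "id_provider", fallback=None),
            "krb5_options": {
                key: value
                for key, value in parser.items(section)
                if key.startswith("krb5_")
            },
        }

    unknown = [name for name in listed if name not in report]
    return report, unknown


def inactive_with_krb5(report):
    """Names of unlisted domain sections that still carry krb5_* settings."""
    return sorted(
        name
        for name, info in report.items()
        if not info["active"] and info["krb5_options"]
    )


if __name__ == "__main__":
    report, unknown = audit_sssd_domains(SAMPLE_SSSD_CONF)
    for name, info in report.items():
        state = "active" if info["active"] else "not listed in [sssd] domains"
        print("%s: %s, id_provider=%s, krb5=%s"
              % (name, state, info["id_provider"], info["krb5_options"]))
    print("unlisted sections with krb5 options:", inactive_with_krb5(report))
    print("listed but undefined domains:", unknown)
```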

From peljasz at yahoo.co.uk Sun Mar 13 17:26:36 2016
From: peljasz at yahoo.co.uk (lejeczek)
Date: Sun, 13 Mar 2016 17:26:36 +0000
Subject: [Freeipa-users] krb5_server in sssd.conf after ipa-server-install
In-Reply-To: <20160313133427.GV4492@redhat.com>
References: <56E54851.8000904@yahoo.co.uk> <20160313110539.GU4492@redhat.com> <56E54EA0.9050101@yahoo.co.uk> <20160313133427.GV4492@redhat.com>
Message-ID: <56E5A2CC.5010605@yahoo.co.uk>

On 13/03/16 13:34, Alexander Bokovoy wrote:
> On Sun, 13 Mar 2016, lejeczek wrote:
>> IPA install process configured in sssd.conf:
>> [domain/new.Domain]
>> cache_credentials = True
>> krb5_store_password_if_offline = True
>> ipa_domain = newDomain
>> id_provider = ipa
>> ...
>> ...
>> [domain/default] # < this is ldap that existed before,
>> krb5 related options are new additions
>> autofs_provider = ldap
>> cache_credentials = True
>> krb5_realm = new.Domain
>> ldap_search_base = dc=old,dc=domain
>> id_provider = ldap
>> krb5_server = a.host
>>
>> [sssd]
>> services = nss, sudo, pam, autofs, ssh
>> config_file_version = 2
>> domains =new.Domain
>>
>> so here I wonder, what's the meaning of krb5 related
>> options and why install process put it into default
>> domain which it did not include later in sssd section.
> FreeIPA installer doesn't touch 'default' domain section
> at all. It
> always operates on the section named 'domain/'.
>
> It also adds 'krb5_realm' line only in case your name> and realm
> are different. For example, if you have DNS domain
> example.com and
> Kerberos realm EXAMPLE.NET, then [domain/example.com] will
> get
>
yes, FQDN/DNS was different, but both krb5_realm &
krb5_server was put into domain/default, I'm certain of that
cause I'm just looking at the backup copy of the config.
should these be in the domain/new.Domain which installer
created/added?
> krb5_realm = EXAMPLE.NET
>
> added to the section.
>
> Looks like you had something previously on this machine
> using SSSD and
> configuring it with [domain/default] section.
>

From abokovoy at redhat.com Sun Mar 13 20:01:21 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Sun, 13 Mar 2016 22:01:21 +0200
Subject: [Freeipa-users] krb5_server in sssd.conf after ipa-server-install
In-Reply-To: <56E5A2CC.5010605@yahoo.co.uk>
References: <56E54851.8000904@yahoo.co.uk> <20160313110539.GU4492@redhat.com> <56E54EA0.9050101@yahoo.co.uk> <20160313133427.GV4492@redhat.com> <56E5A2CC.5010605@yahoo.co.uk>
Message-ID: <20160313200121.GW4492@redhat.com>

On Sun, 13 Mar 2016, lejeczek wrote:
>
>
>On 13/03/16 13:34, Alexander Bokovoy wrote:
>>On Sun, 13 Mar 2016, lejeczek wrote:
>>>IPA install process configured in sssd.conf:
>>>[domain/new.Domain]
>>>cache_credentials = True
>>>krb5_store_password_if_offline = True
>>>ipa_domain = newDomain
>>>id_provider = ipa
>>>...
>>>...
>>>[domain/default] # < this is ldap that existed before, krb5
>>>related options are new additions
>>>autofs_provider = ldap
>>>cache_credentials = True
>>>krb5_realm = new.Domain
>>>ldap_search_base = dc=old,dc=domain
>>>id_provider = ldap
>>>krb5_server = a.host
>>>
>>>[sssd]
>>>services = nss, sudo, pam, autofs, ssh
>>>config_file_version = 2
>>>domains =new.Domain
>>>
>>>so here I wonder, what's the meaning of krb5 related options and
>>>why install process put it into default domain which it did not
>>>include later in sssd section.
>>FreeIPA installer doesn't touch 'default' domain section at all. It
>>always operates on the section named 'domain/'.
>>
>>It also adds 'krb5_realm' line only in case your and
>>realm
>>are different. For example, if you have DNS domain example.com and
>>Kerberos realm EXAMPLE.NET, then [domain/example.com] will get
>>
>yes, FQDN/DNS was different, but both krb5_realm & krb5_server was put
>into domain/default, I'm certain of that cause I'm just looking at the
>backup copy of the config.
>should these be in the domain/new.Domain which installer
>created/added?
Yes. Before answering I did check the code and it only modified the new
section with krb5_realm, not anything else.
--
/ Alexander Bokovoy

From david.goudet at lyra-network.com Sun Mar 13 20:32:01 2016
From: david.goudet at lyra-network.com (David Goudet)
Date: Sun, 13 Mar 2016 21:32:01 +0100 (CET)
Subject: [Freeipa-users] Purge old entries in /var/lib/dirsrv/slapd-xxx/cldb/xxx.db4 file
In-Reply-To: <5679482A.3060303@redhat.com>
References: <951477293.2060162.1450781004914.JavaMail.zimbra@lyra-network.com> <5679482A.3060303@redhat.com>
Message-ID: <1588667946.12217238.1457901121188.JavaMail.zimbra@lyra-network.com>

Hi,

After more investigation I found a solution to fix my problem. Hereafter some details.

I think I had two linked problems:

Problem 1: In /var/lib/dirsrv/slapd-xxx/cldb/xxx.db4 there was some old entry about ~five months old, it was probably some Tombstone entry. (Replication state between two dirsrv master/master was good and stable).

Problem 2: purge attribute "nsslapd-changelogmaxage" had default value 30 day but the volume of data stored in db4 database was greater than ~4 GB which is space available on /var/lib/ partition. So partition was filled with entry which are prior to 30 days.

Problem 1 was solved by removing db4 database (be careful of impacts, dirsrv replication should work and db well synchronised before doing this):

service dirsrv stop && mv /var/lib/dirsrv/slapd-xxx/cldb/xxx.db4 /var/lib/dirsrv/slapd-xxx/cldb/xxx.db4-old && service dirsrv start

Problem 2 was solved by decreasing purge attribute "nsslapd-changelogmaxage" from 30d to 10d (I don't need more data and want to increase partition space).

To know: purge seems to be run every five minutes, so freeing entry is not instantaneous, it occurs after ~6 minutes.

I agree, you are right:
> Also trimming removes changelog records and frees space internally to the db4 file to be reused, but it will not shrink the file size

I think it is not mandatory but I set default value of following purge parameters:
nsDS5ReplicaPurgeDelay: 604800
nsDS5ReplicaTombstonePurgeInterval: 86400

I followed the good documentation:
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html-single/Configuration_Command_and_File_Reference/index.html

Thanks for your help!

David

----- Original Message -----
From: "Ludwig Krispenz"
To: "freeipa-users"
Sent: Tuesday, December 22, 2015 1:55:06 PM
Subject: Re: [Freeipa-users] Purge old entries in /var/lib/dirsrv/slapd-xxx/cldb/xxx.db4 file

Hi,

On 12/22/2015 11:43 AM, David Goudet wrote:
> Hi,
>
> I have multimaster replication environment. On each replica, folder /var/lib/dirsrv/slapd-xxxx/cldb/ has big size (3~GB) and old entries in /var/lib/dirsrv/slapd-xxx/cldb/xxx.db4 have three month year old:
>
> sudo dbscan -f /var/lib/dirsrv/slapd-xxxx/cldb/ef155b03-dda611e2-a156db20-90xxx06_51c9aed900xxxxxx000.db4 | less
> dbid: 56239e5e000000040000
> replgen: 1445174777 Sun Oct 18 15:26:17 2015
> csn: 56239e5e000000040000
> uniqueid: e55d5e01-26f211e4-9b60db20-90c3b706
> dn: xxxx
> operation: modify
> krbLastSuccessfulAuth: 20151018132617Z
> modifiersname: cn=Directory Manager
> modifytimestamp: 20151018132617Z
> entryusn: 68030946
>
> My questions are:
>
> a) How to purge old entries in file /var/lib/dirsrv/slapd-xxx/cldb/xxx.db4? (what is the procedure)
> b) What is the right configuration to limit increase of this file?
setting changelog maxage should be sufficient to trim changes, but the
age is not the only condition deciding if a record in the changelog can
be deleted.
- for each replicaID the last record will never be deleted, independent
of its age, so if you have replicas in your topology which are not (or
not frequently) updated directly there will be old changes in the changelog
- if the replica where the trimming is run and if it has replication
agreements to other replicas, changes which were not yet replicated to
the other replica will not be purged. So, if you have some stale
agreements to other replicas this could prevent trimming as well.

Also trimming removes changelog records and frees space internally to
the db4 file to be reused, but it will not shrink the file size
>
>
>
> This topic has been already talk on https://www.redhat.com/archives/freeipa-users/2013-February/msg00433.html or https://www.redhat.com/archives/freeipa-users/2015-April/msg00573.html but no response work for me.
> Response here seems to be not applicable https://bugzilla.redhat.com/show_bug.cgi?id=1181341 (Centos 7, Fixed In Version: 389-ds-base-1.3.4.0-1.el7)
>
> I used some attributes from the documentation: https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Configuration_Command_and_File_Reference/Core_Server_Configuration_Reference.html#cnchangelog5-nsslapd_changelogdir. Old entries are not purged and file increase even after restart service (service dirsrv start and service dirsrv stop).
>
> (This test environment values)
> dn: cn=changelog5,cn=config
> objectClass: top
> objectClass: extensibleobject
> cn: changelog5
> ...
> nsslapd-changelogmaxentries: 100
> nsslapd-changelogmaxage: 4m
>
> dn: cn=replica,cn=xxxxx,cn=mapping tree,cn=config
> cn: replica
> nsDS5Flags: 1
> objectClass: top
> objectClass: nsds5replica
> objectClass: extensibleobject
> nsDS5ReplicaType: 3
> nsDS5ReplicaRoot: dc=xxxxx
> nsds5ReplicaLegacyConsumer: off
> nsDS5ReplicaId: 6
> nsDS5ReplicaBindDN: cn=replication manager,cn=config
> nsDS5ReplicaBindDN: krbprincipalname=ldap/xxxxxx
>  .LYRA,cn=services,cn=accounts,dc=xxxxx
> nsState:: xxxxx
> nsDS5ReplicaName: d9663d08-a80f11e5-aa48d241-0b88f012
> nsds5ReplicaTombstonePurgeInterval: 200
> nsds5ReplicaPurgeDelay: 200
> nsds5ReplicaChangeCount: 3091
> nsds5replicareapactive: 0
>
> Hereafter some informations about my environment:
> CentOS release 6.5 (Final)
> 389-ds-base-libs-1.2.11.15-65.el6_7.x86_64
> 389-ds-base-1.2.11.15-65.el6_7.x86_64
> ipa-client-3.0.0-47.el6.centos.1.x86_64
> ipa-server-3.0.0-47.el6.centos.1.x86_64
>
> Thanks for your help!
>
> David
>

From brad.bendy at gmail.com Sun Mar 13 21:38:16 2016
From: brad.bendy at gmail.com (Brad Bendy)
Date: Sun, 13 Mar 2016 14:38:16 -0700
Subject: [Freeipa-users] YUbiKey for HOTP auth
In-Reply-To:
References:
Message-ID:

Yeah I can do that, also some settings in the Yubico software you need
to leave default or the token will never match with what the server
says. I have not done any digging yet, but I'm guessing once I make an
account I can post it to the main docs/howto section.

On Sat, Mar 12, 2016 at 6:16 PM, Christopher Young wrote:
> This is great work. Could you perhaps write up a Howto of some sort? I
> could definitely use this!
>
> On Mar 12, 2016 11:27 AM, "Brad Bendy" wrote:
>>
>> After doing some more trial and error I got it to work.
>>
>> Take the 20 byte secret key, remove the spaces and convert to base 32.
>> Also disable OATH Token Identifier in the YubiKey tool.
>>
>> I used this tool to convert it
>> http://tomeko.net/online_tools/hex_to_base32.php?lang=en
>>
>> Then take that base32 value and insert into the secret field on
>> FreeIPA add token screen and you're good to go, I used sha1 for
>> algorithm.
>>
>> On Sat, Mar 12, 2016 at 8:47 AM, Brad Bendy wrote:
>> > Hi,
>> >
>> > YubiKey supports HOTP it appears, but I'm having a heck of a time
>> > getting the token to add FreeIPA. The YubiKey tool gives me the OATH
>> > Token which is 6 bytes and the secret key in 20 bytes hex. I've entered
>> > the secret key and OATH token into the "key" field, I've tried all
>> > algorithms and get the error of "invalid 'ipatokenotpkey': Non-base32
>> > digit found"
>> >
>> > Am I missing something? Or is this just not possible at all? I can't
>> > find any documentation on Google saying how to set these up.
>> >
>> > Thanks!
>>

From thomas.raehalme at aitiofinland.com Mon Mar 14 08:12:29 2016
From: thomas.raehalme at aitiofinland.com (Thomas Raehalme)
Date: Mon, 14 Mar 2016 10:12:29 +0200
Subject: [Freeipa-users] ipa-getcert and SELinux
In-Reply-To: <56DDF081.7030807@redhat.com>
References: <56DDF081.7030807@redhat.com>
Message-ID:

Hi!

On Mon, Mar 7, 2016 at 11:20 PM, Rob Crittenden wrote:
> It may be preferable to label the /var/lib/puppet/ssl/* directories as
> certmonger_var_lib_t but I don't know what would do to puppet. You could
> trade one problem for another. A BZ against selinux might be warranted
> to see what they think.
>

Thanks for the detailed instructions!

I found the issue https://bugzilla.redhat.com/show_bug.cgi?id=1062470 where
certmonger was granted READ access to Puppet libs. I wonder why WRITE access
was not added?

Best regards,
Thomas

From lkrispen at redhat.com Mon Mar 14 08:35:15 2016
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Mon, 14 Mar 2016 09:35:15 +0100
Subject: [Freeipa-users] ipa replica failed PR_DeleteSemaphore
In-Reply-To: <20160312150202.GA13162@dead.ccr.buffalo.edu>
References: <20160309144657.GA24736@dead.ccr.buffalo.edu> <56E03D98.9030705@redhat.com> <20160309153705.GB24736@dead.ccr.buffalo.edu> <20160309154631.GC24736@dead.ccr.buffalo.edu> <56E04D9E.2040005@redhat.com> <20160309165139.GD24736@dead.ccr.buffalo.edu> <56E05874.5020907@redhat.com> <20160312150202.GA13162@dead.ccr.buffalo.edu>
Message-ID: <56E677C3.6050708@redhat.com>

On 03/12/2016 04:02 PM, Andrew E. Bruno wrote:
> On Wed, Mar 09, 2016 at 06:08:04PM +0100, Ludwig Krispenz wrote:
>> On 03/09/2016 05:51 PM, Andrew E. Bruno wrote:
>>> On Wed, Mar 09, 2016 at 05:21:50PM +0100, Ludwig Krispenz wrote:
>>>
>>> [09/Mar/2016:11:33:03 -0500] NSMMReplicationPlugin - changelog program - _cl5NewDBFile: PR_DeleteSemaphore: /var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/ed35d212-2cb811e5-af63d574-de3f6355.sema; NSPR error - -5943
>> if ds is cleanly shutdown this file should be removed, if ds is killed it
>> remains and should be recreated at restart, which fails. could you try
>> another stop, remove the file manually and start again ?
>>>
> We had our replicas crash again. Curious if it's safe to delete the
> other db files as well:
>
> ls -alh /var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/
> 30 DBVERSION
> 6.8G ed35d212-2cb811e5-af63d574-de3f6355_55a95591000000040000.db
> 0 ed35d212-2cb811e5-af63d574-de3f6355.sema
> 18M f32bb356-2cb811e5-af63d574-de3f6355_55a955ca000000600000.db
> 0 f32bb356-2cb811e5-af63d574-de3f6355.sema
>
>
> Should all these files be deleted if the ds is cleanly shutdown? or should we
> only remove the *.sema files.
the *.db file contains the data of the changelog, if you delete them you
start with a new cl and could get into replication problems requiring
reinitialization. you normally should not delete them.
The .sema is used to control how many threads can concurrently access
the cl, it should be recreated at restart, so it is safe to delete them
after a crash.

If you are getting frequent crashes, we should try to find the reason for the
crashes, could you try to get a core file ?
http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-crashes
>
> Thanks,
>
> --Andrew

--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill

From peljasz at yahoo.co.uk Mon Mar 14 09:58:15 2016
From: peljasz at yahoo.co.uk (lejeczek)
Date: Mon, 14 Mar 2016 09:58:15 +0000
Subject: [Freeipa-users] is error: sss_ssh_authorizedkeys returned status 1 ...
Message-ID: <56E68B37.7070801@yahoo.co.uk>

... expected when a non-member ssh connect to a domain member?

hi everybody.

or I missed something, I probably have, right?
I see these in the logs and just after a successful ssh:

sshd[17245]: Accepted publickey for root from.....

do I need to add non-member keys to IPA? Is this normal practice?

bw.
L.

From tbordaz at redhat.com Mon Mar 14 10:56:08 2016
From: tbordaz at redhat.com (thierry bordaz)
Date: Mon, 14 Mar 2016 11:56:08 +0100
Subject: [Freeipa-users] ipa-replica-install IPA startup timing issue
In-Reply-To: <56E2CD8C.9000808@umanitoba.ca>
References: <56E1F0E4.9080605@umanitoba.ca> <56E28490.6030406@redhat.com> <56E2CD8C.9000808@umanitoba.ca>
Message-ID: <56E698C8.7050808@redhat.com>

Hi Daryl,

As soon as initialized with +150000 users, DS instance starts in more
than a minute.
I guess a plugin startup may delay the DS startup itself and some pstack
during that minute will give us some info.
Regarding the krb authentication this is difficult to say if they are
delayed by the number of users. You may issue something like 'ipa
user-find ' and the access log should show if the authentication
phase is really slow.

thanks
thierry

On 03/11/2016 02:52 PM, Daryl Fonseca-Holt wrote:
>
>
> On 03/11/16 02:40, thierry bordaz wrote:
>> Hello Daryl,
>>
>> My understanding is that ns-slapd is first slow to startup. Then
>> when krb5kdc is starting it may load ns-slapd.
>>
>> We identified krb5kdc may be impacted by the number of users
>> accounts.
>> From the ns-slapd errors log it is not clear why it is so slow to
>> start.
>>
>> Would you provide the ns-slapd access logs from that period.
>>
>
> I provided the one from the instance at the link below because it was
> too large to attach to the e-mail. Or is there some other log showing
> what's needed? Or some debug option I need to turn up?
>>
>> Also in order to know where ns-slapd is spending time, it would
>> really help if you can get regular (each 5s) pstacks (with
>> 389-ds-debuginfo), during DS startup and then later during
>> krb5kdc startup.
>>
> Will do but it will be next week before I can get it. I have an
> all-day first aid and safety training course today.
>
>> best regards
>> thierry
>>
>>
>> On 03/10/2016 11:10 PM, Daryl Fonseca-Holt wrote:
>>> Environment:
>>> RHEL 7.2
>>> IPA 4.2.0-15
>>> nss 3.19.1-19
>>> 389-ds-base 1.3.4.0-26
>>> sssd 1.13.0-40
>>>
>>>
>>> I've encountered this problem in IPA 3.0.0 but hoped it was
>>> addressed in 4.2.0.
>>>
>>> Trying to set up a replica of a master with 150,000+ user accounts,
>>> NIS and Schema Compatibility enabled on the master.
>>>
>>> During ipa-replica-install it attempts to start IPA. dirsrv starts,
>>> krb5kdc starts, but then kadmind fails because krb5kdc has gone
>>> missing.
>>>
>>> This happens during restart of IPA in version 3.0.0 too. There it
>>> can be overcome by manually starting each component of IPA _but_
>>> waiting until ns-slapd- has settled down (as seen from
>>> top) before starting krb5kdc. I also think that the startup of
>>> krb5kdc loads the LDAP instance quite a bit.
>>>
>>> There is a problem in the startup logic where dirsrv is so busy that
>>> even though krb5kdc successfully starts and allows the kadmin to
>>> begin krb5kdc is not really able to do its duties.
>>>
>>> I'm reporting this since there must be some way to delay the start
>>> of krb5kdc and then kadmind until ns-slapd- is really open
>>> for business.
>>>
>>> # systemctl status krb5kdc.service
>>> ● krb5kdc.service - Kerberos 5 KDC
>>> Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service;
>>> disabled; vendor preset: disabled)
>>> Active: inactive (dead)
>>>
>>> Mar 10 14:19:13 jutta.cc.umanitoba.ca systemd[1]: Stopped Kerberos 5
>>> KDC.
>>> Mar 10 14:20:36 jutta.cc.umanitoba.ca systemd[1]: Starting Kerberos
>>> 5 KDC...
>>> Mar 10 14:20:39 jutta.cc.umanitoba.ca systemd[1]: Started Kerberos 5
>>> KDC.
>>>
>>> # systemctl status krb5kdc.service
>>> ● krb5kdc.service - Kerberos 5 KDC
>>> Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service;
>>> disabled; vendor preset: disabled)
>>> Active: inactive (dead)
>>>
>>> Mar 10 14:19:13 jutta.cc.umanitoba.ca systemd[1]: Stopped Kerberos 5
>>> KDC.
>>> Mar 10 14:20:36 jutta.cc.umanitoba.ca systemd[1]: Starting Kerberos
>>> 5 KDC...
>>> Mar 10 14:20:39 jutta.cc.umanitoba.ca systemd[1]: Started Kerberos 5
>>> KDC.
>>>
>>> journalctl -xe was stale by the time I got to it so I've attached
>>> /var/log/messages instead.
>>>
>>> The log from ipa-replica-install (with -d) is at
>>> http://home.cc.umanitoba.ca/~fonsecah/ipa/ipareplica-install.log
>>> The console script (mostly the same as the log but with my entries)
>>> is at
>>> http://home.cc.umanitoba.ca/~fonsecah/ipa/ipa-replica-install.console
>>> The /var/log/dirsrv/ns-slapd- access log is at
>>> http://home.cc.umanitoba.ca/~fonsecah/ipa/access
>>>
>>> Regards, Daryl
>>>
>>>
>>>
>>
>
> --
> --
> Daryl Fonseca-Holt
> IST/CNS/Unix Server Team
> University of Manitoba
> 204.480.1079

From abokovoy at redhat.com Mon Mar 14 11:08:27 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 14 Mar 2016 13:08:27 +0200
Subject: [Freeipa-users] ipa-replica-install IPA startup timing issue
In-Reply-To: <56E698C8.7050808@redhat.com>
References: <56E1F0E4.9080605@umanitoba.ca> <56E28490.6030406@redhat.com> <56E2CD8C.9000808@umanitoba.ca> <56E698C8.7050808@redhat.com>
Message-ID: <20160314110827.GY4492@redhat.com>

On Mon, 14 Mar 2016, thierry bordaz wrote:
>Hi Daryl,
>
>As soon as initialized with +150000 users, DS instance starts in more
>than a minute.
>I guess a plugin startup may delay the DS startup itself and some
>pstack during that minute will give us some info.
>Regarding the krb authentication this is difficult to say if they are
>delayed by the number of users. You may issue something like 'ipa
>user-find ' and the access log should show if the authentication
>phase is really slow.
If slapi-nis is active, it populates its tree on startup, delaying
actual start of 389-ds. This is fixed in slapi-nis 0.55 (in Fedora) and
will be available in RHEL 7 in next update.

You can check if it is a culprit by disabling compat tree. However,
currently compat tree is used by SUDO in SSSD.
--
/ Alexander Bokovoy

From jpazdziora at redhat.com Mon Mar 14 12:18:29 2016
From: jpazdziora at redhat.com (Jan Pazdziora)
Date: Mon, 14 Mar 2016 13:18:29 +0100
Subject: [Freeipa-users] krb5_server in sssd.conf after ipa-server-install
In-Reply-To: <20160313133427.GV4492@redhat.com>
References: <56E54851.8000904@yahoo.co.uk> <20160313110539.GU4492@redhat.com> <56E54EA0.9050101@yahoo.co.uk> <20160313133427.GV4492@redhat.com>
Message-ID: <20160314121829.GW1689@redhat.com>

On Sun, Mar 13, 2016 at 03:34:27PM +0200, Alexander Bokovoy wrote:
> On Sun, 13 Mar 2016, lejeczek wrote:
> >IPA install process configured in sssd.conf:
> >[domain/new.Domain]
> >cache_credentials = True
> >krb5_store_password_if_offline = True
> >ipa_domain = newDomain
> >id_provider = ipa
> >...
> >...
> >[domain/default] # < this is ldap that existed before, krb5 related
> >options are new additions
> >autofs_provider = ldap
> >cache_credentials = True
> >krb5_realm = new.Domain
> >ldap_search_base = dc=old,dc=domain
> >id_provider = ldap
> >krb5_server = a.host
> >
> >[sssd]
> >services = nss, sudo, pam, autofs, ssh
> >config_file_version = 2
> >domains =new.Domain
> >
> >so here I wonder, what's the meaning of krb5 related options and why
> >install process put it into default domain which it did not include later
> >in sssd section.
> FreeIPA installer doesn't touch 'default' domain section at all. It
> always operates on the section named 'domain/'.

Actually, that does not seem what I experience.

On RHEL 6.7 and RHEL 7.2, I've tried to start with sssd.conf
containing

    [domain/default]
    autofs_provider = ldap
    cache_credentials = True
    ldap_search_base = dc=old,dc=domain
    id_provider = ldap

I tried ipa-server-install and I tried ipa-client-install. In both
cases, the resulting sssd.conf had the [domain/default] section
removed. So something in the process seems to care about that section
-- maybe not the installer, maybe authconfig or something else.

On the other hand, I was not able to reproduce the change to the
content of the domain/default section that lejeczek reports. I guess
we will need more detailed steps to reproduce, including the exact
original sssd.conf and versions of relevant packages.

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

From rakesh.rajasekharan at gmail.com Mon Mar 14 12:20:34 2016
From: rakesh.rajasekharan at gmail.com (Rakesh Rajasekharan)
Date: Mon, 14 Mar 2016 17:50:34 +0530
Subject: [Freeipa-users] unable to authenticate using freeipa client
Message-ID:

I set up freeipa in my environment and works perfectly.
But just on one host, I am not able to authenticate. I get a permission
denied error.

The sssd version I have is 1.12

the krb5_child log does point to some error,

krb5_child.log

(Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862]]]] [unpack_buffer] (0x2000): No old ccache
(Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_5102_XXXXXX] old_ccname: [not set] keytab: [/etc/krb5.keytab]
(Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862]]]] [k5c_precreate_ccache] (0x4000): Recreating ccache
(Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/1.1.1.1 at TEST.COM]
(Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862]]]] [find_principal_in_keytab] (0x4000): Trying to find principal host/ 1.1.1.1 at TEST.COM in keytab.
(Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862]]]] [match_principal] (0x1000): Principal matched to the sample (host/1.1.1.1 at TEST.COM).
(Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862]]]] [get_tgt_times] (0x1000): FAST ccache must be recreated
(Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11864]]]] [become_user] (0x0200): Trying to become user [0][0].
(Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11864]]]] [become_user] (0x0200): Already user [0].
(Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11864]]]] [check_fast_ccache] (0x2000): Running as [0][0].
(Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11864]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11864]]]] [create_ccache] (0x4000): Initializing ccache of type [FILE]
(Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [check_fast_ccache] (0x0200): FAST TGT was successfully recreated!
(Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [become_user] (0x0200): Trying to become user [5102][701].
(Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [main] (0x2000): Running as [5102][701].
(Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [k5c_setup] (0x2000): Running as [5102][701].
(Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [main] (0x0400): Will perform online auth
(Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
(Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [TEST.COM]
(Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [sss_child_krb5_trace_cb] (0x4000): [11862] 1457956948.18425: Getting initial credentials for q-tempuser at TEST.COM
(Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [sss_child_krb5_trace_cb] (0x4000): [11862] 1457956948.18471: FAST armor ccache: MEMORY:/var/lib/sss/db/fast_ccache_TEST.COM
(Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [sss_child_krb5_trace_cb] (0x4000): [11862] 1457956948.18502: Retrieving host/1.1.1.1 at TEST.COM -> krb5_ccache_conf_data/fast_avail/krbtgt\/TEST.COM \@TEST.COM at X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_TEST.COM with result: -1765328243/Matching credential not found
(Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [sss_child_krb5_trace_cb] (0x4000): [11862] 1457956948.18545: Sending request (189 bytes) to TEST.COM
(Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [sss_child_krb5_trace_cb] (0x4000): [11862] 1457956948.187.36: Initiating TCP connection to stre
(END)

And here are the contents from sssd_domain.log

sssd_test.com

(Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] (0x0100): domain: test.com
(Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] (0x0100): user: q-tempuser
(Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] (0x0100): service: sshd
(Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] (0x0100): tty: ssh
(Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] (0x0100): ruser:
(Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] (0x0100): rhost: 127.0.0.1
(Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] (0x0100): authtok type: 1
(Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] (0x0100): priv: 1
(Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] (0x0100): cli_pid: 11794
(Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] (0x0100): logon name: not set
(Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x69e690
(Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x69e7b0
(Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [ldb] (0x4000): Running timer event 0x69e690 "ltdb_callback"
(Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [ldb] (0x4000): Destroying timer event 0x69e7b0 "ltdb_timeout"
(Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [ldb] (0x4000): Ending timer event 0x69e690 "ltdb_callback"
(Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [krb5_auth_prepare_ccache_name] (0x1000): No ccache file for user [q-tempuser] found.
(Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [get_server_status] (0x1000): Status of server 'ipa-test-master.test.com' is 'working'
(Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [get_port_status] (0x1000): Port status of port 0 for server 'ipa-test-master.test.com' is 'working'
(Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds
(Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [get_server_status] (0x1000): Status of server 'ipa-test-master.test.com' is 'working'
(Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [be_resolve_server_process] (0x0200): Found address for server ipa-test-master.test.com: [10.1.6.56] TTL 183
(Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [11797]
(Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [child_handler_setup] (0x2000): Signal handler set up for pid [11797]
(Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [write_pipe_handler] (0x0400): All data has been sent!
(Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [child_sig_handler] (0x1000): Waiting for child [11797].
(Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [child_sig_handler] (0x0100): child [11797] finished successfully.
(Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [parse_krb5_child_response] (0x1000): child response [1432158209][6][8].
(Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, ) [Success]
(Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [be_pam_handler_callback] (0x0100): Sending result [4][test.com]
(Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [be_pam_handler_callback] (0x0100): Sent result [4][test.com]
(Mon Mar 14 11:57:15 2016) [sssd[be[test.com]]] [sbus_dispatch] (0x4000): dbus conn: 0x678710
(Mon Mar 14 11:57:15 2016) [sssd[be[test.com]]] [sbus_dispatch] (0x4000): Dispatching.
(Mon Mar 14 11:57:15 2016) [sssd[be[test.com]]] [sbus_message_handler] (0x4000): Received SBUS method [ping]
(Mon Mar 14 11:57:15 2016) [sssd[be[test.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Mon Mar 14 11:57:15 2016) [sssd[be[test.com]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [ping]

Not sure what could be wrong here, I think this used to work fine earlier.

Thanks,
Rakesh

From abokovoy at redhat.com Mon Mar 14 12:21:36 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 14 Mar 2016 14:21:36 +0200
Subject: [Freeipa-users] krb5_server in sssd.conf after ipa-server-install
In-Reply-To: <20160314121829.GW1689@redhat.com>
References: <56E54851.8000904@yahoo.co.uk> <20160313110539.GU4492@redhat.com> <56E54EA0.9050101@yahoo.co.uk> <20160313133427.GV4492@redhat.com> <20160314121829.GW1689@redhat.com>
Message-ID: <20160314122136.GZ4492@redhat.com>

On Mon, 14 Mar 2016, Jan Pazdziora wrote:
>On Sun, Mar 13, 2016 at 03:34:27PM +0200, Alexander Bokovoy wrote:
>> On Sun, 13 Mar 2016, lejeczek wrote:
>> >IPA install process configured in sssd.conf:
>> >[domain/new.Domain]
>> >cache_credentials = True
>> >krb5_store_password_if_offline = True
>> >ipa_domain = newDomain
>> >id_provider = ipa
>> >...
>> >...
>> >[domain/default] # < this is ldap that existed before, krb5 related
>> >options are new additions
>> >autofs_provider = ldap
>> >cache_credentials = True
>> >krb5_realm = new.Domain
>> >ldap_search_base = dc=old,dc=domain
>> >id_provider = ldap
>> >krb5_server = a.host
>> >
>> >[sssd]
>> >services = nss, sudo, pam, autofs, ssh
>> >config_file_version = 2
>> >domains =new.Domain
>> >
>> >so here I wonder, what's the meaning of krb5 related options and why
>> >install process put it into default domain which it did not include later
>> >in sssd section.
>> FreeIPA installer doesn't touch 'default' domain section at all. It
>> always operates on the section named 'domain/'.
>
>Actually, that does not seem what I experience.
>
>On RHEL 6.7 and RHEL 7.2, I've tried to start with sssd.conf
>containing
>
>    [domain/default]
>    autofs_provider = ldap
>    cache_credentials = True
>    ldap_search_base = dc=old,dc=domain
>    id_provider = ldap
>
>I tried ipa-server-install and I tried ipa-client-install. In both
>cases, the resulting sssd.conf had the [domain/default] section
>removed. So something in the process seems to care about that section
>-- maybe not the installer, maybe authconfig or something else.

If sssd.conf exists, IPA installer (ipa-client-install) will back the
file up. If there is a clash in config, it will start afresh because
you anyway have a backup copy.

>On the other hand, I was not able to reproduce the change to the
>content of the domain/default section that lejeczek reports. I guess
>we will need more detailed steps to reproduce, including the exact
>original sssd.conf and versions of relevant packages.

I suspect somebody ran authconfig separately to configure some options
and it ruined sssd.conf.
-- / Alexander Bokovoy From peljasz at yahoo.co.uk Mon Mar 14 13:44:43 2016 From: peljasz at yahoo.co.uk (lejeczek) Date: Mon, 14 Mar 2016 13:44:43 +0000 Subject: [Freeipa-users] krb5_server in sssd.conf after ipa-server-install In-Reply-To: <20160314122136.GZ4492@redhat.com> References: <56E54851.8000904@yahoo.co.uk> <20160313110539.GU4492@redhat.com> <56E54EA0.9050101@yahoo.co.uk> <20160313133427.GV4492@redhat.com> <20160314121829.GW1689@redhat.com> <20160314122136.GZ4492@redhat.com> Message-ID: <56E6C04B.1060709@yahoo.co.uk> On 14/03/16 12:21, Alexander Bokovoy wrote: > On Mon, 14 Mar 2016, Jan Pazdziora wrote: >> On Sun, Mar 13, 2016 at 03:34:27PM +0200, Alexander >> Bokovoy wrote: >>> On Sun, 13 Mar 2016, lejeczek wrote: >>> >IPA install process configured in sssd.conf: >>> >[domain/new.Domain] >>> >cache_credentials = True >>> >krb5_store_password_if_offline = True >>> >ipa_domain = newDomain >>> >id_provider = ipa >>> >... >>> >... >>> >[domain/default] # < this is ldap that existed before, >>> kbr5 related >>> >options are new additions >>> >autofs_provider = ldap >>> >cache_credentials = True >>> >krb5_realm = new.Domain >>> >ldap_search_base = dc=old,dc=domain >>> >id_provider = ldap >>> >krb5_server = a.host >>> > >>> >[sssd] >>> >services = nss, sudo, pam, autofs, ssh >>> >config_file_version = 2 >>> >domains =new.Domain >>> > >>> >so here I wonder, what's the meaning of kbr5 related >>> options and why >>> >install process put it into default domain which it did >>> not include later >>> >in sssd section. >>> FreeIPA installer doesn't touch 'default' domain section >>> at all. It >>> always operates on the section named 'domain/>> name>'. >> >> Actually, that does not seem what I experience. 
>> >> On RHEL 6.7 and RHEL 7.2, I've tried to start with sssd.conf >> containing >> >> [domain/default] >> autofs_provider = ldap >> cache_credentials = True >> ldap_search_base = dc=old,dc=domain >> id_provider = ldap >> >> I tried ipa-server-install and I tried >> ipa-client-install. In both >> cases, the resulting sssd.conf had the [domain/default] >> section >> removed. So something in the process seems to care about >> that section >> -- maybe not the installer, maybe authconfig or something >> else. > If sssd.conf exists, IPA installer (ipa-client-install) > will back the > file up. If there is a clash in config, it will start a > fresh because > you anyway have a backup copy. > >> On the other hand, I was not able to reproduce the chaneg >> to the >> content of the domain/default section that lejeczek >> reports. I guess >> we will need more detailed steps to reproduce, including >> the exact >> original sssd.conf and versions of relevant packages. > I suspect somebody ran authconfig separately to configure > some options > and it ruined sssd.conf. yes, I've asked around and it's quite probably someone before tried/used non-IPA kerberos before. One thing to me looks like a certain - if krb5_realm & & krb5_server (or at least krb5_realm) installer (in my case left it there in /default) I guess a quick test would be to put krb5_realm is sssd.conf default and try, I'll do that once I've set up some VMs. Also my ldap_search_base = dc=old,dc=domain was different from FQDN/realm which during, for the installation was new.quite.different.domain.local - in case it mattered. Most important is that both params are now in the newly (IPA created) section, thought just yet I did notice anything, it seemed ok before and it does so now. 
many thanks getns From Daryl.Fonseca-Holt at umanitoba.ca Mon Mar 14 14:06:53 2016 From: Daryl.Fonseca-Holt at umanitoba.ca (Daryl Fonseca-Holt) Date: Mon, 14 Mar 2016 09:06:53 -0500 Subject: [Freeipa-users] ipa-replica-install IPA startup timing issue In-Reply-To: <56E28490.6030406@redhat.com> References: <56E1F0E4.9080605@umanitoba.ca> <56E28490.6030406@redhat.com> Message-ID: <56E6C57D.3010203@umanitoba.ca> Hi Thierry, I moved the old logs into a subdirectory called try1. I did the recommended ipa-server-install --uninstall. Tried the replica install again. Failed during kadmind start like the previous time. The log from ipa-replica-install (with -d) is at http://home.cc.umanitoba.ca/~fonsecah/ipa/ipareplica-install.log The console script (mostly the same as the log but with my entries) is at http://home.cc.umanitoba.ca/~fonsecah/ipa/ipa-replica-install.console The 5 second pstacks are at http://home.cc.umanitoba.ca/~fonsecah/ipa/slapd-pstacks.console Thanks, Daryl On 03/11/16 02:40, thierry bordaz wrote: > Hello Deryl, > > My understanding is that ns-slapd is first slow to startup. Then > when krb5kdc is starting it may load ns-slapd. > > We identified krb5kdc may be impacted by the number of users accounts. > From the ns-slapd errors log it is not clear why it is so slow to > start. > > Would you provide the ns-slapd access logs from that period. > Also in order to know where ns-slapd is spending time, it would > really help if you can get regular (each 5s) pstacks (with > 389-ds-debuginfo), during DS startup and then later during krb5kdc > startup. > > best regards > thierry > > > On 03/10/2016 11:10 PM, Daryl Fonseca-Holt wrote: >> Environment: >> RHEL 7.2 >> IPA 4.2.0-15 >> nss 3.19.1-19 >> 389-ds-base 1.3.4.0-26 >> sssd 1.13.0-40 >> >> >> I've encountered this problem in IPA 3.0.0 but hoped it was addressed >> in 4.2.0. >> >> Trying to set up a replica of a master with 150,000+ user accounts, >> NIS and Schema Compatability enabled on the master. 
>> >> During ipa-replica-install it attempts to start IPA. dirsrv starts, >> krb5kdc starts, but then kadmind fails because krb5kdc has gone missing. >> >> This happens during restart of IPA in version 3.0.0 too. There it can >> be overcome by manually starting each component of IPA _but_ waiting >> until ns-slapd- has settled down (as seen from top) before >> starting krb5kdc. I also think that the startup of krb5kdc loads the >> LDAP instance quite a bit. >> >> There is a problem in the startup logic where dirsrv is so busy that >> even though krb5kdc successfully starts and allows the kadmin to >> begin kdb5kdc is not really able to do its duties. >> >> I'm reporting this since there must be some way to delay the start of >> krb5kdc and then kadmind until ns-slapd- is really open for >> business. >> >> # systemctl status krb5kdc.service >> ? krb5kdc.service - Kerberos 5 KDC >> Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; >> vendor preset: disabled) >> Active: inactive (dead) >> >> Mar 10 14:19:13 jutta.cc.umanitoba.ca systemd[1]: Stopped Kerberos 5 >> KDC. >> Mar 10 14:20:36 jutta.cc.umanitoba.ca systemd[1]: Starting Kerberos 5 >> KDC... >> Mar 10 14:20:39 jutta.cc.umanitoba.ca systemd[1]: Started Kerberos 5 >> KDC. >> >> # systemctl status krb5kdc.service >> ? krb5kdc.service - Kerberos 5 KDC >> Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; >> vendor preset: disabled) >> Active: inactive (dead) >> >> Mar 10 14:19:13 jutta.cc.umanitoba.ca systemd[1]: Stopped Kerberos 5 >> KDC. >> Mar 10 14:20:36 jutta.cc.umanitoba.ca systemd[1]: Starting Kerberos 5 >> KDC... >> Mar 10 14:20:39 jutta.cc.umanitoba.ca systemd[1]: Started Kerberos 5 >> KDC. >> >> journalctl -xe was stale by the time I got to it so I've attached >> /var/log/messages instead. 
>>
>> The log from ipa-replica-install (with -d) is at
>> http://home.cc.umanitoba.ca/~fonsecah/ipa/ipareplica-install.log
>> The console script (mostly the same as the log but with my entries)
>> is at
>> http://home.cc.umanitoba.ca/~fonsecah/ipa/ipa-replica-install.console
>> The /var/log/dirsrv/ns-slapd- access log is at
>> http://home.cc.umanitoba.ca/~fonsecah/ipa/access
>>
>> Regards, Daryl
>>
>>
>>
>

--
--
Daryl Fonseca-Holt
IST/CNS/Unix Server Team
University of Manitoba
204.480.1079

From tbordaz at redhat.com Mon Mar 14 14:20:58 2016
From: tbordaz at redhat.com (thierry bordaz)
Date: Mon, 14 Mar 2016 15:20:58 +0100
Subject: [Freeipa-users] ipa-replica-install IPA startup timing issue
In-Reply-To: <56E6C57D.3010203@umanitoba.ca>
References: <56E1F0E4.9080605@umanitoba.ca> <56E28490.6030406@redhat.com> <56E6C57D.3010203@umanitoba.ca>
Message-ID: <56E6C8CA.6020800@redhat.com>

Hi Daryl,

Thanks for all the data. I will look at the pstacks.

A first look shows that you capture import, bind... so may be a
complete ipa-replica-install session. I will try to retrieve the
specific startup time to see what was going on at that time.

If you have the time to monitor only startup, it will help me
shrinking the set of pstacks. Startup of DS last > 1min. If you may
start DS and as soon as the ns-slapd process is launched, do regular
pstacks. Then when you are able to send a simple ldapsearch
(ldapsearch -x -b "" -s base), you may stop taking pstacks.

thanks
thierry

On 03/14/2016 03:06 PM, Daryl Fonseca-Holt wrote:
> Hi Thierry,
>
> I moved the old logs into a subdirectory called try1. I did the
> recommended ipa-server-install --uninstall. Tried the replica install
> again. Failed during kadmind start like the previous time.
> > The log from ipa-replica-install (with -d) is at > http://home.cc.umanitoba.ca/~fonsecah/ipa/ipareplica-install.log > The console script (mostly the same as the log but with my entries) is > at http://home.cc.umanitoba.ca/~fonsecah/ipa/ipa-replica-install.console > The 5 second pstacks are at > http://home.cc.umanitoba.ca/~fonsecah/ipa/slapd-pstacks.console > > Thanks, Daryl > > > On 03/11/16 02:40, thierry bordaz wrote: >> Hello Deryl, >> >> My understanding is that ns-slapd is first slow to startup. Then >> when krb5kdc is starting it may load ns-slapd. >> >> We identified krb5kdc may be impacted by the number of users >> accounts. >> From the ns-slapd errors log it is not clear why it is so slow to >> start. >> >> Would you provide the ns-slapd access logs from that period. >> Also in order to know where ns-slapd is spending time, it would >> really help if you can get regular (each 5s) pstacks (with >> 389-ds-debuginfo), during DS startup and then later during >> krb5kdc startup. >> >> best regards >> thierry >> >> >> On 03/10/2016 11:10 PM, Daryl Fonseca-Holt wrote: >>> Environment: >>> RHEL 7.2 >>> IPA 4.2.0-15 >>> nss 3.19.1-19 >>> 389-ds-base 1.3.4.0-26 >>> sssd 1.13.0-40 >>> >>> >>> I've encountered this problem in IPA 3.0.0 but hoped it was >>> addressed in 4.2.0. >>> >>> Trying to set up a replica of a master with 150,000+ user accounts, >>> NIS and Schema Compatability enabled on the master. >>> >>> During ipa-replica-install it attempts to start IPA. dirsrv starts, >>> krb5kdc starts, but then kadmind fails because krb5kdc has gone >>> missing. >>> >>> This happens during restart of IPA in version 3.0.0 too. There it >>> can be overcome by manually starting each component of IPA _but_ >>> waiting until ns-slapd- has settled down (as seen from >>> top) before starting krb5kdc. I also think that the startup of >>> krb5kdc loads the LDAP instance quite a bit. 
>>> >>> There is a problem in the startup logic where dirsrv is so busy that >>> even though krb5kdc successfully starts and allows the kadmin to >>> begin kdb5kdc is not really able to do its duties. >>> >>> I'm reporting this since there must be some way to delay the start >>> of krb5kdc and then kadmind until ns-slapd- is really open >>> for business. >>> >>> # systemctl status krb5kdc.service >>> ? krb5kdc.service - Kerberos 5 KDC >>> Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; >>> disabled; vendor preset: disabled) >>> Active: inactive (dead) >>> >>> Mar 10 14:19:13 jutta.cc.umanitoba.ca systemd[1]: Stopped Kerberos 5 >>> KDC. >>> Mar 10 14:20:36 jutta.cc.umanitoba.ca systemd[1]: Starting Kerberos >>> 5 KDC... >>> Mar 10 14:20:39 jutta.cc.umanitoba.ca systemd[1]: Started Kerberos 5 >>> KDC. >>> >>> # systemctl status krb5kdc.service >>> ? krb5kdc.service - Kerberos 5 KDC >>> Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; >>> disabled; vendor preset: disabled) >>> Active: inactive (dead) >>> >>> Mar 10 14:19:13 jutta.cc.umanitoba.ca systemd[1]: Stopped Kerberos 5 >>> KDC. >>> Mar 10 14:20:36 jutta.cc.umanitoba.ca systemd[1]: Starting Kerberos >>> 5 KDC... >>> Mar 10 14:20:39 jutta.cc.umanitoba.ca systemd[1]: Started Kerberos 5 >>> KDC. >>> >>> journalctl -xe was stale by the time I got to it so I've attached >>> /var/log/messages instead. >>> >>> The log from ipa-replica-install (with -d) is at >>> http://home.cc.umanitoba.ca/~fonsecah/ipa/ipareplica-install.log >>> The console script (mostly the same as the log but with my entries) >>> is at >>> http://home.cc.umanitoba.ca/~fonsecah/ipa/ipa-replica-install.console >>> The /var/log/dirsrv/ns-slapd- access log is at >>> http://home.cc.umanitoba.ca/~fonsecah/ipa/access >>> >>> Regards, Daryl >>> >>> >>> >> > > -- > -- > Daryl Fonseca-Holt > IST/CNS/Unix Server Team > University of Manitoba > 204.480.1079 -------------- next part -------------- An HTML attachment was scrubbed... 
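
The capture Thierry asks for in the message above (regular pstacks from the moment ns-slapd is launched until `ldapsearch -x -b "" -s base` answers), as an added example that is not part of the original thread or of the 389-ds/FreeIPA code. The function names, `INTERVAL`, `MAX_SAMPLES`, `LAUNCH_WAIT`, `OUTDIR` and the return codes are assumptions of this example; it expects `pgrep`, `pstack`, `timeout` and `ldapsearch` to be installed and to run as root.

```bash
#!/bin/sh
# Added example, not from the thread: sample ns-slapd stacks from process
# launch until the server answers an anonymous root-DSE search.
# Assumes pgrep, pstack (gdb), timeout and ldapsearch (openldap-clients) are
# installed and that it runs as root; 389-ds-debuginfo gives usable frames.
# Usage: sh capture.sh run    (start it just before starting the directory server)

INTERVAL="${INTERVAL:-5}"          # seconds between samples (the thread uses 5)
MAX_SAMPLES="${MAX_SAMPLES:-120}"  # stop sampling after this many dumps
LAUNCH_WAIT="${LAUNCH_WAIT:-60}"   # seconds to wait for ns-slapd to appear
OUTDIR="${OUTDIR:-./slapd-pstacks}"

# Small wrappers so each external command can be swapped out.
find_pid()   { pgrep -o -x ns-slapd; }
take_stack() { pstack "$1"; }
# The probe from the thread, bounded so a busy server cannot hang the loop.
ds_ready()   { timeout 10 ldapsearch -x -b "" -s base >/dev/null 2>&1; }

# Prints the number of samples taken once the server is ready.
# Returns 0 ready, 1 still not answering, 2 cannot create OUTDIR,
#         3 ns-slapd never launched, 4 ns-slapd exited during startup.
capture_startup() {
    cs_pid=""
    cs_waited=0
    mkdir -p "$OUTDIR" || return 2

    # Phase 1: wait for ns-slapd to be launched so sampling starts at once.
    while :; do
        cs_pid=$(find_pid) || cs_pid=""
        [ -n "$cs_pid" ] && break
        [ "$cs_waited" -ge "$LAUNCH_WAIT" ] && return 3
        cs_waited=$((cs_waited + 1))
        sleep 1
    done

    # Phase 2: one timestamped stack dump per interval until the probe succeeds.
    cs_n=0
    while [ "$cs_n" -lt "$MAX_SAMPLES" ]; do
        cs_n=$((cs_n + 1))
        cs_file=$(printf '%s/pstack.%04d.txt' "$OUTDIR" "$cs_n")
        { date; take_stack "$cs_pid" || echo "pstack failed"; } > "$cs_file" 2>&1
        if ds_ready; then
            echo "$cs_n"
            return 0
        fi
        # Stop early if the server went away instead of finishing startup.
        kill -0 "$cs_pid" 2>/dev/null || return 4
        sleep "$INTERVAL"
    done
    return 1
}

# Only capture when asked to; running the file bare just defines the functions.
if [ "${1:-}" = "run" ]; then
    capture_startup
fi
```

The timestamp written at the top of each dump lets the samples be lined up against the ns-slapd errors log and the systemd journal for krb5kdc and kadmin.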
From brad.bendy at gmail.com Mon Mar 14 14:28:01 2016
From: brad.bendy at gmail.com (Brad Bendy)
Date: Mon, 14 Mar 2016 07:28:01 -0700
Subject: [Freeipa-users] sudo with OTP
Message-ID:

Hi,

I have OTP setup and working just fine for logging into any servers,
when attempting to run any command with sudo I get a "First factor:"
prompt, I have entered my normal password but it fails. This only
happens when OTP is on, with OTP off sudo works like you would think.

The logs on the machine I'm trying to sudo show:

Mar 14 08:23:13 ipatest audit: USER_AUTH pid=12495 uid=1818600003 auid=1818600003 ses=8 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=? acct="myusername" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=failed'

Mar 14 08:23:13 ipatest audit: USER_CMD pid=12495 uid=1818600003 auid=1818600003 ses=8 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/" cmd="su" terminal=pts/0 res=failed'

Which is not being much help at all, on the IPA server itself I'm
seeing nothing in the log when I run sudo, I do though when I login as
my normal user.

Google appears to have zero results on this, any clues what else I can
check? Seems odd to me!
Thanks

From tbordaz at redhat.com Mon Mar 14 14:44:59 2016
From: tbordaz at redhat.com (thierry bordaz)
Date: Mon, 14 Mar 2016 15:44:59 +0100
Subject: [Freeipa-users] ipa-replica-install IPA startup timing issue
In-Reply-To: <56E6C57D.3010203@umanitoba.ca>
References: <56E1F0E4.9080605@umanitoba.ca> <56E28490.6030406@redhat.com> <56E6C57D.3010203@umanitoba.ca>
Message-ID: <56E6CE6B.7050007@redhat.com>

Hi Daryl,

In fact the slow DS startup is due to slapi-nis priming:

#0 0x00007f189a2689fc in strcmpi_fast
#1 oc_find_nolock
#2 0x00007f189a2699bd in va_expand_one_oc
#3 0x00007f189a269d70 in schema_expand_objectclasses_ext
#4 0x00007f189a26cbea in slapi_schema_expand_objectclasses
#5 0x00007f189a2124a5 in slapi_str2entry
#6 0x00007f188c38037d in backend_set_entry_from
#7 0x00007f188c383316 in backend_shr_set_entry_cb
#8 0x00007f189a26358d in send_ldap_search_entry_ext
#9 0x00007f189a263dcc in send_ldap_search_entry
#10 0x00007f189a240ad3 in iterate
#11 0x00007f189a240c7a in send_results_ext
#12 0x00007f189a24265e in op_shared_search
#13 0x00007f189a2528de in search_internal_callback_pb
#14 0x00007f188c387628 in backend_shr_set_config_entry_add
#15 0x00007f188c3827ad in backend_set_config_entry_add_cb
#16 0x00007f189a26358d in send_ldap_search_entry_ext
#17 0x00007f189a263dcc in send_ldap_search_entry
#18 0x00007f189a240ad3 in iterate
#19 0x00007f189a240c7a in send_results_ext
#20 0x00007f189a24265e in op_shared_search
#21 0x00007f189a2528de in search_internal_callback_pb
#22 0x00007f188c387cbb in backend_shr_startup
#23 0x00007f188c394135 in plugin_startup
#24 0x00007f189a24d847 in plugin_call_func
#25 0x00007f189a24df78 in plugin_call_one
#26 plugin_dependency_startall
#27 0x00007f189a24e381 in plugin_startall
#28 0x00007f189a716bc2 in main

It lasts from Mon Mar 14 08:50:21 -> Mon Mar 14 08:51:17 CDT

kadmin.service failed to start but the console log does not contain
the exact time of the failure. Would you check if the failure occurred
while DS was starting up?
If that is the case, like Alexander mentioned, it is already fixed in slapi-nis 0.55. thanks thierry On 03/14/2016 03:06 PM, Daryl Fonseca-Holt wrote: > Hi Thierry, > > I moved the old logs into a subdirectory called try1. I did the > recommended ipa-server-install --uninstall. Tried the replica install > again. Failed during kadmind start like the previous time. > > The log from ipa-replica-install (with -d) is at > http://home.cc.umanitoba.ca/~fonsecah/ipa/ipareplica-install.log > The console script (mostly the same as the log but with my entries) is > at http://home.cc.umanitoba.ca/~fonsecah/ipa/ipa-replica-install.console > The 5 second pstacks are at > http://home.cc.umanitoba.ca/~fonsecah/ipa/slapd-pstacks.console > > Thanks, Daryl > > > On 03/11/16 02:40, thierry bordaz wrote: >> Hello Deryl, >> >> My understanding is that ns-slapd is first slow to startup. Then >> when krb5kdc is starting it may load ns-slapd. >> >> We identified krb5kdc may be impacted by the number of users >> accounts. >> From the ns-slapd errors log it is not clear why it is so slow to >> start. >> >> Would you provide the ns-slapd access logs from that period. >> Also in order to know where ns-slapd is spending time, it would >> really help if you can get regular (each 5s) pstacks (with >> 389-ds-debuginfo), during DS startup and then later during >> krb5kdc startup. >> >> best regards >> thierry >> >> >> On 03/10/2016 11:10 PM, Daryl Fonseca-Holt wrote: >>> Environment: >>> RHEL 7.2 >>> IPA 4.2.0-15 >>> nss 3.19.1-19 >>> 389-ds-base 1.3.4.0-26 >>> sssd 1.13.0-40 >>> >>> >>> I've encountered this problem in IPA 3.0.0 but hoped it was >>> addressed in 4.2.0. >>> >>> Trying to set up a replica of a master with 150,000+ user accounts, >>> NIS and Schema Compatability enabled on the master. >>> >>> During ipa-replica-install it attempts to start IPA. dirsrv starts, >>> krb5kdc starts, but then kadmind fails because krb5kdc has gone >>> missing. 
>>> >>> This happens during restart of IPA in version 3.0.0 too. There it >>> can be overcome by manually starting each component of IPA _but_ >>> waiting until ns-slapd- has settled down (as seen from >>> top) before starting krb5kdc. I also think that the startup of >>> krb5kdc loads the LDAP instance quite a bit. >>> >>> There is a problem in the startup logic where dirsrv is so busy that >>> even though krb5kdc successfully starts and allows the kadmin to >>> begin kdb5kdc is not really able to do its duties. >>> >>> I'm reporting this since there must be some way to delay the start >>> of krb5kdc and then kadmind until ns-slapd- is really open >>> for business. >>> >>> # systemctl status krb5kdc.service >>> ? krb5kdc.service - Kerberos 5 KDC >>> Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; >>> disabled; vendor preset: disabled) >>> Active: inactive (dead) >>> >>> Mar 10 14:19:13 jutta.cc.umanitoba.ca systemd[1]: Stopped Kerberos 5 >>> KDC. >>> Mar 10 14:20:36 jutta.cc.umanitoba.ca systemd[1]: Starting Kerberos >>> 5 KDC... >>> Mar 10 14:20:39 jutta.cc.umanitoba.ca systemd[1]: Started Kerberos 5 >>> KDC. >>> >>> # systemctl status krb5kdc.service >>> ? krb5kdc.service - Kerberos 5 KDC >>> Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; >>> disabled; vendor preset: disabled) >>> Active: inactive (dead) >>> >>> Mar 10 14:19:13 jutta.cc.umanitoba.ca systemd[1]: Stopped Kerberos 5 >>> KDC. >>> Mar 10 14:20:36 jutta.cc.umanitoba.ca systemd[1]: Starting Kerberos >>> 5 KDC... >>> Mar 10 14:20:39 jutta.cc.umanitoba.ca systemd[1]: Started Kerberos 5 >>> KDC. >>> >>> journalctl -xe was stale by the time I got to it so I've attached >>> /var/log/messages instead. 
>>>
>>> The log from ipa-replica-install (with -d) is at
>>> http://home.cc.umanitoba.ca/~fonsecah/ipa/ipareplica-install.log
>>> The console script (mostly the same as the log but with my entries)
>>> is at
>>> http://home.cc.umanitoba.ca/~fonsecah/ipa/ipa-replica-install.console
>>> The /var/log/dirsrv/ns-slapd- access log is at
>>> http://home.cc.umanitoba.ca/~fonsecah/ipa/access
>>>
>>> Regards, Daryl
>>>
>>>
>>>
>>
>
>
> --
> --
> Daryl Fonseca-Holt
> IST/CNS/Unix Server Team
> University of Manitoba
> 204.480.1079

From sbose at redhat.com Mon Mar 14 14:49:54 2016
From: sbose at redhat.com (Sumit Bose)
Date: Mon, 14 Mar 2016 15:49:54 +0100
Subject: [Freeipa-users] sudo with OTP
In-Reply-To:
References:
Message-ID: <20160314144954.GY3059@p.redhat.com>

On Mon, Mar 14, 2016 at 07:28:01AM -0700, Brad Bendy wrote:
> HI,
>
> I have OTP setup and working just fine for logging into any servers,
> when attempting to run any command with sudo I get a "First factor:"
> prompt, I have entered my normal password but it fails. This only
> happens when OTP is on, with OTP off sudo works like you would think.

This is a known issue, please see
https://bugzilla.redhat.com/show_bug.cgi?id=1276868 for details. In case
you use CentOS/RHEL7 you can find a test build at
http://koji.fedoraproject.org/koji/taskinfo?taskID=13343842 .

bye,
Sumit

>
> The logs on the machine im trying to sudo show:
>
> Mar 14 08:23:13 ipatest audit: USER_AUTH pid=12495 uid=1818600003
> auid=1818600003 ses=8
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> msg='op=PAM:authentication grantors=? acct="myusername"
> exe="/usr/bin/sudo" hostname=? addr=?
terminal=/dev/pts/0 res=failed' > > Mar 14 08:23:13 ipatest audit: USER_CMD pid=12495 uid=1818600003 > auid=1818600003 ses=8 > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 > msg='cwd="/" cmd="su" terminal=pts/0 res=failed' > > Which it not being much help at all, on the IPA server itself im > seeing nothing in the log when I run sudo, I do though when I login as > my normal user. > > Google appears to have zero results on this, any clues what else I can > check? Seems odd to me! > > Thanks > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project From brad.bendy at gmail.com Mon Mar 14 15:54:52 2016 From: brad.bendy at gmail.com (Brad Bendy) Date: Mon, 14 Mar 2016 08:54:52 -0700 Subject: [Freeipa-users] sudo with OTP In-Reply-To: <20160314144954.GY3059@p.redhat.com> References: <20160314144954.GY3059@p.redhat.com> Message-ID: I see that now, thanks for the link. Ill give those patches a whirl. On Mon, Mar 14, 2016 at 7:49 AM, Sumit Bose wrote: > On Mon, Mar 14, 2016 at 07:28:01AM -0700, Brad Bendy wrote: >> HI, >> >> I have OTP setup and working just fine for logging into any servers, >> when attempting to run any command with sudo I get a "First factor:" >> prompt, I have entered my normal password but it fails. This only >> happens when OTP is on, with OTP off sudo works like you would think. > > This is a know issue, please see > https://bugzilla.redhat.com/show_bug.cgi?id=1276868 for details. In case > you use CentOS/RHEL7 you can find a test build at > http://koji.fedoraproject.org/koji/taskinfo?taskID=13343842 . > > bye, > Sumit >> >> The logs on the machine im trying to sudo show: >> >> Mar 14 08:23:13 ipatest audit: USER_AUTH pid=12495 uid=1818600003 >> auid=1818600003 ses=8 >> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 >> msg='op=PAM:authentication grantors=? 
acct="myusername" >> exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=failed' >> >> Mar 14 08:23:13 ipatest audit: USER_CMD pid=12495 uid=1818600003 >> auid=1818600003 ses=8 >> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 >> msg='cwd="/" cmd="su" terminal=pts/0 res=failed' >> >> Which it not being much help at all, on the IPA server itself im >> seeing nothing in the log when I run sudo, I do though when I login as >> my normal user. >> >> Google appears to have zero results on this, any clues what else I can >> check? Seems odd to me! >> >> Thanks >> >> -- >> Manage your subscription for the Freeipa-users mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-users >> Go to http://freeipa.org for more info on the project > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project From aebruno2 at buffalo.edu Mon Mar 14 16:33:23 2016 From: aebruno2 at buffalo.edu (Andrew E. Bruno) Date: Mon, 14 Mar 2016 12:33:23 -0400 Subject: [Freeipa-users] ipa replica failed PR_DeleteSemaphore In-Reply-To: <56E677C3.6050708@redhat.com> References: <20160309144657.GA24736@dead.ccr.buffalo.edu> <56E03D98.9030705@redhat.com> <20160309153705.GB24736@dead.ccr.buffalo.edu> <20160309154631.GC24736@dead.ccr.buffalo.edu> <56E04D9E.2040005@redhat.com> <20160309165139.GD24736@dead.ccr.buffalo.edu> <56E05874.5020907@redhat.com> <20160312150202.GA13162@dead.ccr.buffalo.edu> <56E677C3.6050708@redhat.com> Message-ID: <20160314163323.GA19874@dead.ccr.buffalo.edu> On Mon, Mar 14, 2016 at 09:35:15AM +0100, Ludwig Krispenz wrote: > > On 03/12/2016 04:02 PM, Andrew E. Bruno wrote: > >On Wed, Mar 09, 2016 at 06:08:04PM +0100, Ludwig Krispenz wrote: > >>On 03/09/2016 05:51 PM, Andrew E. 
Bruno wrote:
> >>>On Wed, Mar 09, 2016 at 05:21:50PM +0100, Ludwig Krispenz wrote:
> >>>
> >>>[09/Mar/2016:11:33:03 -0500] NSMMReplicationPlugin - changelog program - _cl5NewDBFile: PR_DeleteSemaphore: /var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/ed35d212-2cb811e5-af63d574-de3f6355.sema; NSPR error - -5943
> >>if ds is cleanly shutdown this file should be removed, if ds is killed it
> >>remains and should be recreated at restart, which fails. could you try
> >>another stop, remove the file manually and start again ?
> >>>
> >We had our replicas crash again. Curious if it's safe to delete the
> >other db files as well:
> >
> >ls -alh /var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/
> > 30 DBVERSION
> >6.8G ed35d212-2cb811e5-af63d574-de3f6355_55a95591000000040000.db
> > 0 ed35d212-2cb811e5-af63d574-de3f6355.sema
> > 18M f32bb356-2cb811e5-af63d574-de3f6355_55a955ca000000600000.db
> > 0 f32bb356-2cb811e5-af63d574-de3f6355.sema
> >
> >
> >Should all these files be deleted if the ds is cleanly shutdown? or should we
> >only remove the *.sema files.
> the *.db file contains the data of the changelog, if you delete them you
> start with a new cl and could get into replication problems requiring
> reinitialization. you normally should not delete them.
> The .sema is used to control how many threads can concurrently access the
> cl, it should be recreated at restart, so it is safe to delete them after a
> crash.

Sounds good..thanks. We deleted the .sema files after the crash and the
replicas came back up ok.

>
> If you are getting frequent crashes, we should try to find the reason for the
> crashes, could you try to get a core file ?

This time we had two replicas crash and ns-slapd wasn't running so we
couldn't grab a pstack. Here's a snip from the error logs right before
the crash (not sure if this is related or not):

[11/Mar/2016:09:57:56 -0500] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=11573832,cn=changelog!!
[11/Mar/2016:09:57:57 -0500] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=11575824,cn=changelog!!
[11/Mar/2016:09:57:58 -0500] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=11575851,cn=changelog!!
[11/Mar/2016:10:00:28 -0500] - libdb: BDB2055 Lock table is out of available lock entries
[11/Mar/2016:10:00:28 -0500] NSMMReplicationPlugin - changelog program - _cl5CompactDBs: failed to compact 986efe12-71b811e5-9d33a516-e778e883; db error - 12 Cannot allocate memory
[11/Mar/2016:10:02:07 -0500] - libdb: BDB2055 Lock table is out of available lock entries
[11/Mar/2016:10:02:07 -0500] - compactdb: failed to compact changelog; db error - 12 Cannot allocate memory
[11/Mar/2016:12:36:18 -0500] - slapd_poll(377) timed out
[11/Mar/2016:13:06:17 -0500] - slapd_poll(377) timed out

We just upgraded to ipa 4.2 centos 7.2 and if we see anymore crashes
we'll try and get more info.

Thanks again.

--Andrew

From marc.boorshtein at tremolosecurity.com Mon Mar 14 16:41:58 2016
From: marc.boorshtein at tremolosecurity.com (Marc Boorshtein)
Date: Mon, 14 Mar 2016 12:41:58 -0400
Subject: [Freeipa-users] S4U2Self not working for multiple allowed targets
Message-ID:

All,

I am trying to setup delegation from OpenUnison to both the IPAWeb
application and to Cockpit. I'm using a single reverse proxy for both
and the same SPN and keytab for both. The integration with ipaweb went
perfectly using these instructions I built:
https://github.com/TremoloSecurity/Unison-LastMile-Kerberos. Trying to
integrate cockpit is giving me a very odd error from freeipa when I try
to get my s4u2self ticket: unknown encryption. I'm running RH IDM on
RHEL 7.2 on Azure.
Here's my delegation tree in LDAP:

# s4u2proxy, etc, azure.cloud
dn: cn=s4u2proxy,cn=etc,dc=azure,dc=cloud
objectClass: nsContainer
objectClass: top
cn: s4u2proxy

# ipa-http-delegation, s4u2proxy, etc, azure.cloud
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=azure,dc=cloud
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
objectClass: top
cn: ipa-http-delegation
memberPrincipal: HTTP/ipa.azure.cloud at AZURE.CLOUD
ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=azure,
 dc=cloud
ipaAllowedTarget: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=azure,
 dc=cloud

# ipa-ldap-delegation-targets, s4u2proxy, etc, azure.cloud
dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=azure,dc=cloud
objectClass: groupOfPrincipals
objectClass: top
cn: ipa-ldap-delegation-targets
memberPrincipal: ldap/ipa.azure.cloud at AZURE.CLOUD

# ipa-cifs-delegation-targets, s4u2proxy, etc, azure.cloud
dn: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=azure,dc=cloud
objectClass: groupOfPrincipals
objectClass: top
cn: ipa-cifs-delegation-targets

# app-http-delegation-targets, s4u2proxy, etc, azure.cloud
dn: cn=app-http-delegation-targets,cn=s4u2proxy,cn=etc,dc=azure,dc=cloud
objectClass: groupOfPrincipals
objectClass: top
cn: app-http-delegation-targets
memberPrincipal: HTTP/ipa.azure.cloud at AZURE.CLOUD

# unison-http-delegation, s4u2proxy, etc, azure.cloud
dn: cn=unison-http-delegation,cn=s4u2proxy,cn=etc,dc=azure,dc=cloud
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
objectClass: top
cn: unison-http-delegation
memberPrincipal: HTTP/openunison.azure.cloud at AZURE.CLOUD
ipaAllowedTarget: cn=app-http-delegation-targets,cn=s4u2proxy,cn=etc,dc=azure,
 dc=cloud
ipaAllowedTarget: cn=ipaclient-http-delegation-targets,cn=s4u2proxy,cn=etc,dc=
 azure,dc=cloud

# ipaclient-http-delegation-targets, s4u2proxy, etc, azure.cloud
dn: cn=ipaclient-http-delegation-targets,cn=s4u2proxy,cn=etc,dc=azure,dc=cloud
objectClass: groupOfPrincipals
objectClass: top
cn: ipaclient-http-delegation-targets
memberPrincipal: HTTP/ipaclient-rhel72.azure.cloud at AZURE.CLOUD

Here's the log output from OpenUnison when I try to access ipaweb (success):

Found ticket for HTTP/openunison.azure.cloud at AZURE.CLOUD to go to krbtgt/AZURE.CLOUD at AZURE.CLOUD expiring on Tue Mar 15 16:05:19 UTC 2016
Found ticket for HTTP/openunison.azure.cloud at AZURE.CLOUD to go to krbtgt/AZURE.CLOUD at AZURE.CLOUD expiring on Tue Mar 15 16:05:19 UTC 2016
>>> CksumType: sun.security.krb5.internal.crypto.HmacMd5ArcFourCksumType
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=ipa.azure.cloud. UDP:88, timeout=30000, number of retries =3, #bytes=794
>>> KDCCommunication: kdc=ipa.azure.cloud. UDP:88, timeout=30000,Attempt =1, #bytes=794
>>> KrbKdcReq send: #bytes read=670
>>> KdcAccessibility: remove ipa.azure.cloud.:88
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
Entered Krb5Context.initSecContext with state=STATE_NEW
Service ticket not found in the subject
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=ipa.azure.cloud. UDP:88, timeout=30000, number of retries =3, #bytes=1059
>>> KDCCommunication: kdc=ipa.azure.cloud.
UDP:88, timeout=30000,Attempt =1, #bytes=1059
>>> KrbKdcReq send: #bytes read=722
>>> KdcAccessibility: remove ipa.azure.cloud.:88
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
Subject is readOnly;Kerberos Service ticket not stored
>>> KrbApReq: APOptions are 00100000 00000000 00000000 00000000
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
Krb5Context setting mySeqNumber to: 1032726940
Created InitSecContextToken:

and here are the log entries from kerberos:

Mar 14 16:36:45 ipa krb5kdc[11351](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.4: ISSUE: authtime 1457971519, etypes {rep=18 tkt=18 ses=18}, HTTP/ipa.azure.cloud at AZURE.CLOUD for ldap/ipa.azure.cloud at AZURE.CLOUD
Mar 14 16:36:45 ipa krb5kdc[11351](info): ...
CONSTRAINED-DELEGATION s4u-client=mmosley at AZURE.CLOUD
Mar 14 16:36:45 ipa krb5kdc[11351](info): closing down fd 12

Now, here's the request when trying to access cockpit:

>>> CksumType: sun.security.krb5.internal.crypto.HmacMd5ArcFourCksumType
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=ipa.azure.cloud. UDP:88, timeout=30000, number of retries =3, #bytes=794
>>> KDCCommunication: kdc=ipa.azure.cloud. UDP:88, timeout=30000,Attempt =1, #bytes=794
>>> KrbKdcReq send: #bytes read=670
>>> KdcAccessibility: remove ipa.azure.cloud.:88
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
Entered Krb5Context.initSecContext with state=STATE_NEW
Service ticket not found in the subject
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=ipa.azure.cloud. UDP:88, timeout=30000, number of retries =3, #bytes=1072
>>> KDCCommunication: kdc=ipa.azure.cloud. UDP:88, timeout=30000,Attempt =1, #bytes=1072
>>> KrbKdcReq send: #bytes read=211
>>> KdcAccessibility: remove ipa.azure.cloud.:88
>>> KDCRep: init() encoding tag is 126 req type is 13
>>>KRBError:
  cTime is Mon Dec 16 18:12:24 UTC 2013 1387217544000
  sTime is Mon Mar 14 16:37:55 UTC 2016 1457973475000
  suSec is 144678
  error code is 14
  error Message is KDC has no support for encryption type
  cname is HTTP/openunison.azure.cloud at AZURE.CLOUD
  sname is HTTP/ipaclient-rhel72.azure.cloud at AZURE.CLOUD
  msgType is 30

and here's what's in the kerberos logs:

14 16:37:55 ipa krb5kdc[11351](info): TGS_REQ (4 etypes {18 17 16 23}) 10.1.0.6: ISSUE: authtime 1457971519, etypes {rep=18 tkt=18 ses=18}, HTTP/openunison.azure.cloud at AZURE.CLOUD for HTTP/openunison.azure.cloud at AZURE.CLOUD
Mar 14 16:37:55 ipa krb5kdc[11351](info): ... PROTOCOL-TRANSITION s4u-client=mmosley at AZURE.CLOUD
Mar 14 16:37:55 ipa krb5kdc[11351](info): TGS_REQ (4 etypes {18 17 16 23}) 10.1.0.6: BAD_ENCRYPTION_TYPE: authtime 0, HTTP/openunison.azure.cloud at AZURE.CLOUD for HTTP/ipaclient-rhel72.azure.cloud at AZURE.CLOUD, KDC has no support for encryption type
Mar 14 16:37:55 ipa krb5kdc[11351](info): ... CONSTRAINED-DELEGATION s4u-client=

Any thoughts? Nothing really stands out to me.

Thanks

Marc Boorshtein
CTO Tremolo Security
marc.boorshtein at tremolosecurity.com
Twitter - @mlbiam / @tremolosecurity

From peljasz at yahoo.co.uk Mon Mar 14 16:59:13 2016
From: peljasz at yahoo.co.uk (lejeczek)
Date: Mon, 14 Mar 2016 16:59:13 +0000
Subject: [Freeipa-users] can migrate-ds be safely re-run if it failed...
Message-ID: <56E6EDE1.6060103@yahoo.co.uk>

with...

ipa: ERROR: group LDAP search did not return any result (search base:
ou=groups,dc=ccnr,dc=biotechnology, objectclass: groupofuniquenames,
groupofnames)

I see users went in but later I realized that current samba's ou was
"group" not groups.
Can I just re-run migrations?

many thanks
L.
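Added example (not part of the thread and not FreeIPA's own code): a Python audit of an S4U2Proxy delegation tree like the one in Marc Boorshtein's message above. It unfolds the LDIF, follows each ipaKrb5DelegationACL entry's ipaAllowedTarget groups, and lists the service principals each delegating principal may request tickets for. The sample LDIF is abridged from that message with the archive's " at " written back as "@"; the function names are hypothetical.

```python
"""Audit S4U2Proxy delegation rules from an LDIF export of cn=s4u2proxy,cn=etc."""

# Abridged from the delegation tree posted in the thread: only the attributes
# the audit needs, with "@" restored in principal names. Folded lines are kept
# folded, as ldapsearch prints them.
SAMPLE_LDIF = """\
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=azure,dc=cloud
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
memberPrincipal: HTTP/ipa.azure.cloud@AZURE.CLOUD
ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=azure,
 dc=cloud
ipaAllowedTarget: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=azure,
 dc=cloud

dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=azure,dc=cloud
objectClass: groupOfPrincipals
memberPrincipal: ldap/ipa.azure.cloud@AZURE.CLOUD

dn: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=azure,dc=cloud
objectClass: groupOfPrincipals

dn: cn=app-http-delegation-targets,cn=s4u2proxy,cn=etc,dc=azure,dc=cloud
objectClass: groupOfPrincipals
memberPrincipal: HTTP/ipa.azure.cloud@AZURE.CLOUD

dn: cn=unison-http-delegation,cn=s4u2proxy,cn=etc,dc=azure,dc=cloud
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
memberPrincipal: HTTP/openunison.azure.cloud@AZURE.CLOUD
ipaAllowedTarget: cn=app-http-delegation-targets,cn=s4u2proxy,cn=etc,dc=azure,
 dc=cloud
ipaAllowedTarget: cn=ipaclient-http-delegation-targets,cn=s4u2proxy,cn=etc,dc=
 azure,dc=cloud

dn: cn=ipaclient-http-delegation-targets,cn=s4u2proxy,cn=etc,dc=azure,dc=cloud
objectClass: groupOfPrincipals
memberPrincipal: HTTP/ipaclient-rhel72.azure.cloud@AZURE.CLOUD
"""


def parse_ldif(text):
    """Return {lowercased dn: {lowercased attribute: [values]}}.

    Handles RFC 2849 line folding and comments; base64 ("attr:: ...") values
    are not decoded, which is enough for the attributes used here.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]        # continuation: drop the single space
        else:
            logical.append(raw)
    entries, current = {}, None
    for line in logical:
        if line.startswith("#"):
            continue
        if not line.strip():
            current = None                # blank line ends the entry
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value.lower(), {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def delegation_map(entries):
    """Resolve every delegation ACL to the target principals it allows.

    Returns (rules, notes): rules maps a delegating principal to the set of
    target principals; notes lists target groups that are missing or empty.
    """
    rules, notes = {}, []
    for dn, attrs in entries.items():
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "ipakrb5delegationacl" not in classes:
            continue
        targets = set()
        for group_dn in attrs.get("ipaallowedtarget", []):
            group = entries.get(group_dn.lower())
            if group is None:
                notes.append(f"{dn}: target group {group_dn} not found")
            elif not group.get("memberprincipal"):
                notes.append(f"{dn}: target group {group_dn} has no memberPrincipal")
            else:
                targets.update(group["memberprincipal"])
        for proxy in attrs.get("memberprincipal", []):
            rules.setdefault(proxy, set()).update(targets)
    return rules, notes


def may_delegate(rules, proxy, target):
    """True if the tree lets `proxy` request an S4U2Proxy ticket for `target`."""
    return target in rules.get(proxy, set())


if __name__ == "__main__":
    rules, notes = delegation_map(parse_ldif(SAMPLE_LDIF))
    for proxy, targets in sorted(rules.items()):
        print(proxy, "->", ", ".join(sorted(targets)))
    for note in notes:
        print("note:", note)
```

Run against the posted tree, it lists both HTTP/ipa.azure.cloud and HTTP/ipaclient-rhel72.azure.cloud as allowed targets for the OpenUnison principal, and notes that ipa-cifs-delegation-targets has no members.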
From rcritten at redhat.com Mon Mar 14 17:06:46 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 14 Mar 2016 13:06:46 -0400
Subject: [Freeipa-users] can migrate-ds be safely re-run if it failed...
In-Reply-To: <56E6EDE1.6060103@yahoo.co.uk>
References: <56E6EDE1.6060103@yahoo.co.uk>
Message-ID: <56E6EFA6.2050203@redhat.com>

lejeczek wrote:
> with...
>
> ipa: ERROR: group LDAP search did not return any result (search base:
> ou=groups,dc=ccnr,dc=biotechnology, objectclass: groupofuniquenames,
> groupofnames)
>
> I see users went in but later I realized that current samba's ou was
> "group" not groups.
> Can I just re-run migrations?

Yes. It will skip over anything that already exists in IPA.

rob

From Daryl.Fonseca-Holt at umanitoba.ca Mon Mar 14 19:46:03 2016
From: Daryl.Fonseca-Holt at umanitoba.ca (Daryl Fonseca-Holt)
Date: Mon, 14 Mar 2016 14:46:03 -0500
Subject: [Freeipa-users] ipa-replica-install IPA startup timing issue
In-Reply-To: <56E6C8CA.6020800@redhat.com>
References: <56E1F0E4.9080605@umanitoba.ca> <56E28490.6030406@redhat.com> <56E6C57D.3010203@umanitoba.ca> <56E6C8CA.6020800@redhat.com>
Message-ID: <56E714FB.10603@umanitoba.ca>

Hello Thierry,

Attached is the pstacks from only the final DS restart. I don't think they
will show the whole picture. According to the debug log
/var/log/ipareplica-install.log (attached) the start of the krb5kdc.service
(19:13:16Z) is successful, but the krb5kdc log (attached) shows it is unable
to fetch the master K/M at 14:31:31CDT (-5hour offset). This is when the
install log shows kadmind failing.

In my experience with the master observing top there are two intense times
for ns-slapd-. The first when it starts, of course, and the second when
krb5kdc starts. I assume this is because krb5kdc must get its configuration
and data from the same DS. krb5kdc fails but the ipareplica-install script
isn't aware of it. Finally kadmin.service tries to access krb5kdc and finds
that it is dead.

Please note these logs are with Schema Compatibility and NIS plugins turned
off per the other e-mail from Alexander.

I've noticed on a running master I can prevent this type of failure by
manually starting dirsrv (systemctl start dirsrv@.service), watch top until
all threads of ns-slapd have settled, then systemctl start krb5kdc.service,
again watching top until ns-slapd threads have settled down before
systemctl start kadmin.service. This kind of manual intervention is not
possible when running the ipareplica-install script.

I will look into introducing a delay at the completion of the dirsrv and
krb5kdc systemd units and see if I can accommodate ipareplica-install. Just
as an experiment for now. I need to advance the project into High
Availability testing but cannot do so without a functioning replica.

Regards, Daryl

On 03/14/16 09:20, thierry bordaz wrote:
> Hi Daryl,
>
> Thanks for all the data. I will look at the pstacks. A first look
> shows that you capture import, bind... so may be a complete
> ipa-replica-install session.
> I will try to retrieve the specific startup time to see what was going
> on at that time.
> If you have the time to monitor only startup, it will help me
> shrinking the set of pstacks.
> Startup of DS last > 1min. If you may start DS and as soon as the
> ns-slapd process is launched, do regular pstacks. Then when you are
> able to send a simple ldapsearch (ldapsearch -x -b "" -s base), you
> may stop taking pstacks.
>
> thanks
> thierry
>
> On 03/14/2016 03:06 PM, Daryl Fonseca-Holt wrote:
>> Hi Thierry,
>>
>> I moved the old logs into a subdirectory called try1. I did the
>> recommended ipa-server-install --uninstall. Tried the replica install
>> again. Failed during kadmind start like the previous time.
>>
>> The log from ipa-replica-install (with -d) is at
>> http://home.cc.umanitoba.ca/~fonsecah/ipa/ipareplica-install.log
>> The console script (mostly the same as the log but with my entries)
>> is at
>> http://home.cc.umanitoba.ca/~fonsecah/ipa/ipa-replica-install.console
>> The 5 second pstacks are at
>> http://home.cc.umanitoba.ca/~fonsecah/ipa/slapd-pstacks.console
>>
>> Thanks, Daryl
>>
>>
>> On 03/11/16 02:40, thierry bordaz wrote:
>>> Hello Daryl,
>>>
>>> My understanding is that ns-slapd is first slow to startup. Then
>>> when krb5kdc is starting it may load ns-slapd.
>>>
>>> We identified krb5kdc may be impacted by the number of users
>>> accounts.
>>> From the ns-slapd errors log it is not clear why it is so slow
>>> to start.
>>>
>>> Would you provide the ns-slapd access logs from that period.
>>> Also in order to know where ns-slapd is spending time, it would
>>> really help if you can get regular (each 5s) pstacks (with
>>> 389-ds-debuginfo), during DS startup and then later during
>>> krb5kdc startup.
>>>
>>> best regards
>>> thierry
>>>
>>>
>>> On 03/10/2016 11:10 PM, Daryl Fonseca-Holt wrote:
>>>> Environment:
>>>> RHEL 7.2
>>>> IPA 4.2.0-15
>>>> nss 3.19.1-19
>>>> 389-ds-base 1.3.4.0-26
>>>> sssd 1.13.0-40
>>>>
>>>>
>>>> I've encountered this problem in IPA 3.0.0 but hoped it was
>>>> addressed in 4.2.0.
>>>>
>>>> Trying to set up a replica of a master with 150,000+ user accounts,
>>>> NIS and Schema Compatibility enabled on the master.
>>>>
>>>> During ipa-replica-install it attempts to start IPA. dirsrv starts,
>>>> krb5kdc starts, but then kadmind fails because krb5kdc has gone
>>>> missing.
>>>>
>>>> This happens during restart of IPA in version 3.0.0 too. There it
>>>> can be overcome by manually starting each component of IPA _but_
>>>> waiting until ns-slapd- has settled down (as seen from
>>>> top) before starting krb5kdc. I also think that the startup of
>>>> krb5kdc loads the LDAP instance quite a bit.
>>>>
>>>> There is a problem in the startup logic where dirsrv is so busy
>>>> that even though krb5kdc successfully starts and allows the kadmin
>>>> to begin krb5kdc is not really able to do its duties.
>>>>
>>>> I'm reporting this since there must be some way to delay the start
>>>> of krb5kdc and then kadmind until ns-slapd- is really
>>>> open for business.
>>>>
>>>> # systemctl status krb5kdc.service
>>>> ● krb5kdc.service - Kerberos 5 KDC
>>>> Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service;
>>>> disabled; vendor preset: disabled)
>>>> Active: inactive (dead)
>>>>
>>>> Mar 10 14:19:13 jutta.cc.umanitoba.ca systemd[1]: Stopped Kerberos
>>>> 5 KDC.
>>>> Mar 10 14:20:36 jutta.cc.umanitoba.ca systemd[1]: Starting Kerberos
>>>> 5 KDC...
>>>> Mar 10 14:20:39 jutta.cc.umanitoba.ca systemd[1]: Started Kerberos
>>>> 5 KDC.
>>>>
>>>> # systemctl status krb5kdc.service
>>>> ● krb5kdc.service - Kerberos 5 KDC
>>>> Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service;
>>>> disabled; vendor preset: disabled)
>>>> Active: inactive (dead)
>>>>
>>>> Mar 10 14:19:13 jutta.cc.umanitoba.ca systemd[1]: Stopped Kerberos
>>>> 5 KDC.
>>>> Mar 10 14:20:36 jutta.cc.umanitoba.ca systemd[1]: Starting Kerberos
>>>> 5 KDC...
>>>> Mar 10 14:20:39 jutta.cc.umanitoba.ca systemd[1]: Started Kerberos
>>>> 5 KDC.
>>>>
>>>> journalctl -xe was stale by the time I got to it so I've attached
>>>> /var/log/messages instead.
>>>>
>>>> The log from ipa-replica-install (with -d) is at
>>>> http://home.cc.umanitoba.ca/~fonsecah/ipa/ipareplica-install.log
>>>> The console script (mostly the same as the log but with my entries)
>>>> is at
>>>> http://home.cc.umanitoba.ca/~fonsecah/ipa/ipa-replica-install.console
>>>> The /var/log/dirsrv/ns-slapd- access log is at
>>>> http://home.cc.umanitoba.ca/~fonsecah/ipa/access
>>>>
>>>> Regards, Daryl
>>>>
>>>>
>>>>
>>>
>>
>> --
>> --
>> Daryl Fonseca-Holt
>> IST/CNS/Unix Server Team
>> University of Manitoba
>> 204.480.1079
>

--
--
Daryl Fonseca-Holt
IST/CNS/Unix Server Team
University of Manitoba
204.480.1079

-------------- next part --------------
A non-text attachment was scrubbed...
Name: slapd-short-pstacks.console
Type: application/octet-stream
Size: 288656 bytes
Desc: not available
URL:
-------------- next part --------------
CA Replica from master with a merged database 2016-03-14T19:02:37Z DEBUG Destroyed connection context.ldap2_97498768 2016-03-14T19:02:37Z DEBUG Starting external process 2016-03-14T19:02:37Z DEBUG args='/sbin/ip' '-family' 'inet' '-oneline' 'address' 'show' 2016-03-14T19:02:37Z DEBUG Process finished, return code=0 2016-03-14T19:02:37Z DEBUG stdout=1: lo inet 127.0.0.1/8 scope host lo\ valid_lft forever preferred_lft forever 2: eth0 inet 130.179.19.176/22 brd 130.179.19.255 scope global dynamic eth0\ valid_lft 696063sec preferred_lft 696063sec 2016-03-14T19:02:37Z DEBUG stderr= 2016-03-14T19:02:37Z DEBUG Starting external process 2016-03-14T19:02:37Z DEBUG args='/usr/sbin/ipa-replica-conncheck' '--master' 'mork.cc.umanitoba.ca' '--auto-master-check' '--realm' 'UOFMT1' '--principal' 'admin' '--hostname' 'jutta.cc.umanitoba.ca' '--password' XXXXXXXX 2016-03-14T19:02:40Z DEBUG Process finished, return code=0 2016-03-14T19:02:40Z DEBUG group dirsrv exists 2016-03-14T19:02:40Z DEBUG user dirsrv exists 2016-03-14T19:02:40Z DEBUG Created connection context.ldap2_97498768 2016-03-14T19:02:40Z DEBUG flushing ldaps://mork.cc.umanitoba.ca from SchemaCache 2016-03-14T19:02:40Z DEBUG retrieving schema for SchemaCache url=ldaps://mork.cc.umanitoba.ca conn= 2016-03-14T19:02:41Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2016-03-14T19:02:41Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' 2016-03-14T19:02:41Z DEBUG Configuring directory server (dirsrv). 
Estimated time: 1 minute 2016-03-14T19:02:41Z DEBUG [1/38]: creating directory server user 2016-03-14T19:02:41Z DEBUG group dirsrv exists 2016-03-14T19:02:41Z DEBUG user dirsrv exists 2016-03-14T19:02:41Z DEBUG duration: 0 seconds 2016-03-14T19:02:41Z DEBUG [2/38]: creating directory server instance 2016-03-14T19:02:41Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2016-03-14T19:02:41Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2016-03-14T19:02:41Z DEBUG Backing up system configuration file '/etc/sysconfig/dirsrv' 2016-03-14T19:02:41Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index' 2016-03-14T19:02:41Z DEBUG dn: dc=uofmt1 objectClass: top objectClass: domain objectClass: pilotObject dc: uofmt1 info: IPA V2.0 2016-03-14T19:02:41Z DEBUG writing inf template 2016-03-14T19:02:41Z DEBUG [General] FullMachineName= jutta.cc.umanitoba.ca SuiteSpotUserID= dirsrv SuiteSpotGroup= dirsrv ServerRoot= /usr/lib64/dirsrv [slapd] ServerPort= 389 ServerIdentifier= UOFMT1 Suffix= dc=uofmt1 RootDN= cn=Directory Manager InstallLdifFile= /var/lib/dirsrv/boot.ldif inst_dir= /var/lib/dirsrv/scripts-UOFMT1 2016-03-14T19:02:41Z DEBUG calling setup-ds.pl 2016-03-14T19:02:41Z DEBUG Starting external process 2016-03-14T19:02:41Z DEBUG args='/usr/sbin/setup-ds.pl' '--silent' '--logfile' '-' '-f' '/tmp/tmp4rM8Y0' 2016-03-14T19:02:50Z DEBUG Process finished, return code=0 2016-03-14T19:02:50Z DEBUG stdout=[16/03/14:14:02:50] - [Setup] Info Your new DS instance 'UOFMT1' was successfully created. Your new DS instance 'UOFMT1' was successfully created. [16/03/14:14:02:50] - [Setup] Success Exiting . . . Log file is '-' Exiting . . . 
Log file is '-' 2016-03-14T19:02:50Z DEBUG stderr= 2016-03-14T19:02:50Z DEBUG completed creating ds instance 2016-03-14T19:02:50Z DEBUG restarting ds instance 2016-03-14T19:02:50Z DEBUG Starting external process 2016-03-14T19:02:50Z DEBUG args='/bin/systemctl' '--system' 'daemon-reload' 2016-03-14T19:02:50Z DEBUG Process finished, return code=0 2016-03-14T19:02:50Z DEBUG stdout= 2016-03-14T19:02:50Z DEBUG stderr= 2016-03-14T19:02:50Z DEBUG Starting external process 2016-03-14T19:02:50Z DEBUG args='/bin/systemctl' 'restart' 'dirsrv@UOFMT1.service' 2016-03-14T19:02:52Z DEBUG Process finished, return code=0 2016-03-14T19:02:52Z DEBUG stdout= 2016-03-14T19:02:52Z DEBUG stderr= 2016-03-14T19:02:52Z DEBUG Starting external process 2016-03-14T19:02:52Z DEBUG args='/bin/systemctl' 'is-active' 'dirsrv@UOFMT1.service' 2016-03-14T19:02:52Z DEBUG Process finished, return code=0 2016-03-14T19:02:52Z DEBUG stdout=active 2016-03-14T19:02:52Z DEBUG stderr= 2016-03-14T19:02:52Z DEBUG wait_for_open_ports: localhost [389] timeout 300 2016-03-14T19:02:53Z DEBUG Starting external process 2016-03-14T19:02:53Z DEBUG args='/bin/systemctl' 'is-active' 'dirsrv@UOFMT1.service' 2016-03-14T19:02:53Z DEBUG Process finished, return code=0 2016-03-14T19:02:53Z DEBUG stdout=active 2016-03-14T19:02:53Z DEBUG stderr= 2016-03-14T19:02:53Z DEBUG done restarting ds instance 2016-03-14T19:02:53Z DEBUG duration: 11 seconds 2016-03-14T19:02:53Z DEBUG [3/38]: adding default schema 2016-03-14T19:02:53Z DEBUG duration: 0 seconds 2016-03-14T19:02:53Z DEBUG [4/38]: enabling memberof plugin 2016-03-14T19:02:53Z DEBUG Starting external process 2016-03-14T19:02:53Z DEBUG args='/usr/bin/ldapmodify' '-v' '-f' '/usr/share/ipa/memberof-conf.ldif' '-H' 'ldap://jutta.cc.umanitoba.ca:389' '-x' '-D' 'cn=Directory Manager' '-y' '/tmp/tmpRr603D' 2016-03-14T19:02:53Z DEBUG Process finished, return code=0 2016-03-14T19:02:53Z DEBUG stdout=replace nsslapd-pluginenabled: on add memberofgroupattr: memberUser add 
memberofgroupattr: memberHost modifying entry "cn=MemberOf Plugin,cn=plugins,cn=config" modify complete 2016-03-14T19:02:53Z DEBUG stderr=ldap_initialize( ldap://jutta.cc.umanitoba.ca:389/??base ) 2016-03-14T19:02:53Z DEBUG duration: 0 seconds 2016-03-14T19:02:53Z DEBUG [5/38]: enabling winsync plugin 2016-03-14T19:02:53Z DEBUG Starting external process 2016-03-14T19:02:53Z DEBUG args='/usr/bin/ldapmodify' '-v' '-f' '/usr/share/ipa/ipa-winsync-conf.ldif' '-H' 'ldap://jutta.cc.umanitoba.ca:389' '-x' '-D' 'cn=Directory Manager' '-y' '/tmp/tmpk33ox8' 2016-03-14T19:02:53Z DEBUG Process finished, return code=0 2016-03-14T19:02:53Z DEBUG stdout=add objectclass: top nsSlapdPlugin extensibleObject add cn: ipa-winsync add nsslapd-pluginpath: libipa_winsync add nsslapd-plugininitfunc: ipa_winsync_plugin_init add nsslapd-pluginDescription: Allows IPA to work with the DS windows sync feature add nsslapd-pluginid: ipa-winsync add nsslapd-pluginversion: 1.0 add nsslapd-pluginvendor: Red Hat add nsslapd-plugintype: preoperation add nsslapd-pluginenabled: on add nsslapd-plugin-depends-on-type: database add ipaWinSyncRealmFilter: (objectclass=krbRealmContainer) add ipaWinSyncRealmAttr: cn add ipaWinSyncNewEntryFilter: (cn=ipaConfig) add ipaWinSyncNewUserOCAttr: ipauserobjectclasses add ipaWinSyncUserFlatten: true add ipaWinsyncHomeDirAttr: ipaHomesRootDir add ipaWinsyncLoginShellAttr: ipaDefaultLoginShell add ipaWinSyncDefaultGroupAttr: ipaDefaultPrimaryGroup add ipaWinSyncDefaultGroupFilter: (gidNumber=*)(objectclass=posixGroup)(objectclass=groupOfNames) add ipaWinSyncAcctDisable: both add ipaWinSyncForceSync: true add ipaWinSyncUserAttr: uidNumber -1 gidNumber -1 adding new entry "cn=ipa-winsync,cn=plugins,cn=config" modify complete 2016-03-14T19:02:53Z DEBUG stderr=ldap_initialize( ldap://jutta.cc.umanitoba.ca:389/??base ) 2016-03-14T19:02:53Z DEBUG duration: 0 seconds 2016-03-14T19:02:53Z DEBUG [6/38]: configuring replication version plugin 2016-03-14T19:02:53Z DEBUG Starting 
external process 2016-03-14T19:02:53Z DEBUG args='/usr/bin/ldapmodify' '-v' '-f' '/usr/share/ipa/version-conf.ldif' '-H' 'ldap://jutta.cc.umanitoba.ca:389' '-x' '-D' 'cn=Directory Manager' '-y' '/tmp/tmp8_d7c6' 2016-03-14T19:02:53Z DEBUG Process finished, return code=0 2016-03-14T19:02:53Z DEBUG stdout=add objectclass: top nsSlapdPlugin extensibleObject add cn: IPA Version Replication add nsslapd-pluginpath: libipa_repl_version add nsslapd-plugininitfunc: repl_version_plugin_init add nsslapd-plugintype: preoperation add nsslapd-pluginenabled: off add nsslapd-pluginid: ipa_repl_version add nsslapd-pluginversion: 1.0 add nsslapd-pluginvendor: Red Hat, Inc. add nsslapd-plugindescription: IPA Replication version plugin add nsslapd-plugin-depends-on-type: database add nsslapd-plugin-depends-on-named: Multimaster Replication Plugin adding new entry "cn=IPA Version Replication,cn=plugins,cn=config" modify complete 2016-03-14T19:02:53Z DEBUG stderr=ldap_initialize( ldap://jutta.cc.umanitoba.ca:389/??base ) 2016-03-14T19:02:53Z DEBUG duration: 0 seconds 2016-03-14T19:02:53Z DEBUG [7/38]: enabling IPA enrollment plugin 2016-03-14T19:02:53Z DEBUG Starting external process 2016-03-14T19:02:53Z DEBUG args='/usr/bin/ldapmodify' '-v' '-f' '/tmp/tmpvoZMl6' '-H' 'ldap://jutta.cc.umanitoba.ca:389' '-x' '-D' 'cn=Directory Manager' '-y' '/tmp/tmpJw4PXC' 2016-03-14T19:02:53Z DEBUG Process finished, return code=0 2016-03-14T19:02:53Z DEBUG stdout=add objectclass: top nsSlapdPlugin extensibleObject add cn: ipa_enrollment_extop add nsslapd-pluginpath: libipa_enrollment_extop add nsslapd-plugininitfunc: ipaenrollment_init add nsslapd-plugintype: extendedop add nsslapd-pluginenabled: on add nsslapd-pluginid: ipa_enrollment_extop add nsslapd-pluginversion: 1.0 add nsslapd-pluginvendor: RedHat add nsslapd-plugindescription: Enroll hosts into the IPA domain add nsslapd-plugin-depends-on-type: database add nsslapd-realmTree: dc=uofmt1 adding new entry 
"cn=ipa_enrollment_extop,cn=plugins,cn=config" modify complete 2016-03-14T19:02:53Z DEBUG stderr=ldap_initialize( ldap://jutta.cc.umanitoba.ca:389/??base ) 2016-03-14T19:02:53Z DEBUG duration: 0 seconds 2016-03-14T19:02:53Z DEBUG [8/38]: enabling ldapi 2016-03-14T19:02:53Z DEBUG Starting external process 2016-03-14T19:02:53Z DEBUG args='/usr/bin/ldapmodify' '-v' '-f' '/tmp/tmpUhp7GY' '-H' 'ldap://jutta.cc.umanitoba.ca:389' '-x' '-D' 'cn=Directory Manager' '-y' '/tmp/tmpLvl60n' 2016-03-14T19:02:53Z DEBUG Process finished, return code=0 2016-03-14T19:02:53Z DEBUG stdout=replace nsslapd-ldapilisten: on modifying entry "cn=config" modify complete 2016-03-14T19:02:53Z DEBUG stderr=ldap_initialize( ldap://jutta.cc.umanitoba.ca:389/??base ) 2016-03-14T19:02:53Z DEBUG duration: 0 seconds 2016-03-14T19:02:53Z DEBUG [9/38]: configuring uniqueness plugin 2016-03-14T19:02:53Z DEBUG Starting external process 2016-03-14T19:02:53Z DEBUG args='/usr/bin/ldapmodify' '-v' '-f' '/tmp/tmpp8PywA' '-H' 'ldap://jutta.cc.umanitoba.ca:389' '-x' '-D' 'cn=Directory Manager' '-y' '/tmp/tmpATzitJ' 2016-03-14T19:02:53Z DEBUG Process finished, return code=0 2016-03-14T19:02:53Z DEBUG stdout=add objectClass: top nsSlapdPlugin extensibleObject add cn: krbPrincipalName uniqueness add nsslapd-pluginPath: libattr-unique-plugin add nsslapd-pluginInitfunc: NSUniqueAttr_Init add nsslapd-pluginType: preoperation add nsslapd-pluginEnabled: on add uniqueness-attribute-name: krbPrincipalName add nsslapd-plugin-depends-on-type: database add nsslapd-pluginId: NSUniqueAttr add nsslapd-pluginVersion: 1.1.0 add nsslapd-pluginVendor: Fedora Project add nsslapd-pluginDescription: Enforce unique attribute values add uniqueness-subtrees: dc=uofmt1 add uniqueness-exclude-subtrees: cn=staged users,cn=accounts,cn=provisioning,dc=uofmt1 add uniqueness-across-all-subtrees: on adding new entry "cn=krbPrincipalName uniqueness,cn=plugins,cn=config" modify complete add objectClass: top nsSlapdPlugin extensibleObject add cn: 
krbCanonicalName uniqueness add nsslapd-pluginPath: libattr-unique-plugin add nsslapd-pluginInitfunc: NSUniqueAttr_Init add nsslapd-pluginType: preoperation add nsslapd-pluginEnabled: on add uniqueness-attribute-name: krbCanonicalName add nsslapd-plugin-depends-on-type: database add nsslapd-pluginId: NSUniqueAttr add nsslapd-pluginVersion: 1.1.0 add nsslapd-pluginVendor: Fedora Project add nsslapd-pluginDescription: Enforce unique attribute values add uniqueness-subtrees: dc=uofmt1 add uniqueness-exclude-subtrees: cn=staged users,cn=accounts,cn=provisioning,dc=uofmt1 add uniqueness-across-all-subtrees: on adding new entry "cn=krbCanonicalName uniqueness,cn=plugins,cn=config" modify complete add objectClass: top nsSlapdPlugin extensibleObject add cn: netgroup uniqueness add nsslapd-pluginPath: libattr-unique-plugin add nsslapd-pluginInitfunc: NSUniqueAttr_Init add nsslapd-pluginType: preoperation add nsslapd-pluginEnabled: on add uniqueness-attribute-name: cn add uniqueness-subtrees: cn=ng,cn=alt,dc=uofmt1 add nsslapd-plugin-depends-on-type: database add nsslapd-pluginId: NSUniqueAttr add nsslapd-pluginVersion: 1.1.0 add nsslapd-pluginVendor: Fedora Project add nsslapd-pluginDescription: Enforce unique attribute values adding new entry "cn=netgroup uniqueness,cn=plugins,cn=config" modify complete add objectClass: top nsSlapdPlugin extensibleObject add cn: ipaUniqueID uniqueness add nsslapd-pluginPath: libattr-unique-plugin add nsslapd-pluginInitfunc: NSUniqueAttr_Init add nsslapd-pluginType: preoperation add nsslapd-pluginEnabled: on add uniqueness-attribute-name: ipaUniqueID add nsslapd-plugin-depends-on-type: database add nsslapd-pluginId: NSUniqueAttr add nsslapd-pluginVersion: 1.1.0 add nsslapd-pluginVendor: Fedora Project add nsslapd-pluginDescription: Enforce unique attribute values add uniqueness-subtrees: dc=uofmt1 add uniqueness-exclude-subtrees: cn=staged users,cn=accounts,cn=provisioning,dc=uofmt1 add uniqueness-across-all-subtrees: on adding new entry 
"cn=ipaUniqueID uniqueness,cn=plugins,cn=config" modify complete add objectClass: top nsSlapdPlugin extensibleObject add cn: sudorule name uniqueness add nsslapd-pluginDescription: Enforce unique attribute values add nsslapd-pluginPath: libattr-unique-plugin add nsslapd-pluginInitfunc: NSUniqueAttr_Init add nsslapd-pluginType: preoperation add nsslapd-pluginEnabled: on add uniqueness-attribute-name: cn add uniqueness-subtrees: cn=sudorules,cn=sudo,dc=uofmt1 add nsslapd-plugin-depends-on-type: database add nsslapd-pluginId: NSUniqueAttr add nsslapd-pluginVersion: 1.1.0 add nsslapd-pluginVendor: Fedora Project adding new entry "cn=sudorule name uniqueness,cn=plugins,cn=config" modify complete 2016-03-14T19:02:53Z DEBUG stderr=ldap_initialize( ldap://jutta.cc.umanitoba.ca:389/??base ) 2016-03-14T19:02:53Z DEBUG duration: 0 seconds 2016-03-14T19:02:53Z DEBUG [10/38]: configuring uuid plugin 2016-03-14T19:02:53Z DEBUG Starting external process 2016-03-14T19:02:53Z DEBUG args='/usr/bin/ldapmodify' '-v' '-f' '/usr/share/ipa/uuid-conf.ldif' '-H' 'ldap://jutta.cc.umanitoba.ca:389' '-x' '-D' 'cn=Directory Manager' '-y' '/tmp/tmpna2RHp' 2016-03-14T19:02:53Z DEBUG Process finished, return code=0 2016-03-14T19:02:53Z DEBUG stdout=add objectclass: top nsSlapdPlugin extensibleObject add cn: IPA UUID add nsslapd-pluginpath: libipa_uuid add nsslapd-plugininitfunc: ipauuid_init add nsslapd-plugintype: preoperation add nsslapd-pluginenabled: on add nsslapd-pluginid: ipauuid_version add nsslapd-pluginversion: 1.0 add nsslapd-pluginvendor: Red Hat, Inc. 
add nsslapd-plugindescription: IPA UUID plugin add nsslapd-plugin-depends-on-type: database adding new entry "cn=IPA UUID,cn=plugins,cn=config" modify complete 2016-03-14T19:02:53Z DEBUG stderr=ldap_initialize( ldap://jutta.cc.umanitoba.ca:389/??base ) 2016-03-14T19:02:53Z DEBUG Starting external process 2016-03-14T19:02:53Z DEBUG args='/usr/bin/ldapmodify' '-v' '-f' '/tmp/tmpP0E7KH' '-H' 'ldap://jutta.cc.umanitoba.ca:389' '-x' '-D' 'cn=Directory Manager' '-y' '/tmp/tmplYhiqW' 2016-03-14T19:02:53Z DEBUG Process finished, return code=0 2016-03-14T19:02:53Z DEBUG stdout=add objectclass: top extensibleObject add cn: IPA Unique IDs add ipaUuidAttr: ipaUniqueID add ipaUuidMagicRegen: autogenerate add ipaUuidFilter: (|(objectclass=ipaObject)(objectclass=ipaAssociation)) add ipaUuidScope: dc=uofmt1 add ipaUuidEnforce: TRUE adding new entry "cn=IPA Unique IDs,cn=IPA UUID,cn=plugins,cn=config" modify complete add objectclass: top extensibleObject add cn: IPK11 Unique IDs add ipaUuidAttr: ipk11UniqueID add ipaUuidMagicRegen: autogenerate add ipaUuidFilter: (objectclass=ipk11Object) add ipaUuidScope: dc=uofmt1 add ipaUuidEnforce: FALSE adding new entry "cn=IPK11 Unique IDs,cn=IPA UUID,cn=plugins,cn=config" modify complete 2016-03-14T19:02:53Z DEBUG stderr=ldap_initialize( ldap://jutta.cc.umanitoba.ca:389/??base ) 2016-03-14T19:02:53Z DEBUG duration: 0 seconds 2016-03-14T19:02:53Z DEBUG [11/38]: configuring modrdn plugin 2016-03-14T19:02:53Z DEBUG Starting external process 2016-03-14T19:02:53Z DEBUG args='/usr/bin/ldapmodify' '-v' '-f' '/usr/share/ipa/modrdn-conf.ldif' '-H' 'ldap://jutta.cc.umanitoba.ca:389' '-x' '-D' 'cn=Directory Manager' '-y' '/tmp/tmp48MoCT' 2016-03-14T19:02:53Z DEBUG Process finished, return code=0 2016-03-14T19:02:53Z DEBUG stdout=add objectclass: top nsSlapdPlugin extensibleObject add cn: IPA MODRDN add nsslapd-pluginpath: libipa_modrdn add nsslapd-plugininitfunc: ipamodrdn_init add nsslapd-plugintype: betxnpostoperation add nsslapd-pluginenabled: on 
add nsslapd-pluginid: ipamodrdn_version add nsslapd-pluginversion: 1.0 add nsslapd-pluginvendor: Red Hat, Inc. add nsslapd-plugindescription: IPA MODRDN plugin add nsslapd-plugin-depends-on-type: database add nsslapd-pluginPrecedence: 60 adding new entry "cn=IPA MODRDN,cn=plugins,cn=config" modify complete 2016-03-14T19:02:53Z DEBUG stderr=ldap_initialize( ldap://jutta.cc.umanitoba.ca:389/??base ) 2016-03-14T19:02:53Z DEBUG Starting external process 2016-03-14T19:02:53Z DEBUG args='/usr/bin/ldapmodify' '-v' '-f' '/tmp/tmpbdUiqu' '-H' 'ldap://jutta.cc.umanitoba.ca:389' '-x' '-D' 'cn=Directory Manager' '-y' '/tmp/tmpJb2O4n' 2016-03-14T19:02:53Z DEBUG Process finished, return code=0 2016-03-14T19:02:53Z DEBUG stdout=add objectclass: top extensibleObject add cn: Kerberos Principal Name add ipaModRDNsourceAttr: uid add ipaModRDNtargetAttr: krbPrincipalName add ipaModRDNsuffix: @UOFMT1 add ipaModRDNfilter: (&(objectclass=posixaccount)(objectclass=krbPrincipalAux)) add ipaModRDNscope: dc=uofmt1 adding new entry "cn=Kerberos Principal Name,cn=IPA MODRDN,cn=plugins,cn=config" modify complete 2016-03-14T19:02:53Z DEBUG stderr=ldap_initialize( ldap://jutta.cc.umanitoba.ca:389/??base ) 2016-03-14T19:02:53Z DEBUG duration: 0 seconds 2016-03-14T19:02:53Z DEBUG [12/38]: configuring DNS plugin 2016-03-14T19:02:53Z DEBUG Starting external process 2016-03-14T19:02:53Z DEBUG args='/usr/bin/ldapmodify' '-v' '-f' '/usr/share/ipa/ipa-dns-conf.ldif' '-H' 'ldap://jutta.cc.umanitoba.ca:389' '-x' '-D' 'cn=Directory Manager' '-y' '/tmp/tmpZ_w9Gf' 2016-03-14T19:02:53Z DEBUG Process finished, return code=0 2016-03-14T19:02:53Z DEBUG stdout=add objectclass: top nsslapdPlugin extensibleObject add cn: IPA DNS add nsslapd-plugindescription: IPA DNS support plugin add nsslapd-pluginenabled: on add nsslapd-pluginid: ipa_dns add nsslapd-plugininitfunc: ipadns_init add nsslapd-pluginpath: libipa_dns.so add nsslapd-plugintype: preoperation add nsslapd-pluginvendor: Red Hat, Inc. 
add nsslapd-pluginversion: 1.0 add nsslapd-plugin-depends-on-type: database adding new entry "cn=IPA DNS,cn=plugins,cn=config" modify complete 2016-03-14T19:02:53Z DEBUG stderr=ldap_initialize( ldap://jutta.cc.umanitoba.ca:389/??base ) 2016-03-14T19:02:53Z DEBUG duration: 0 seconds 2016-03-14T19:02:53Z DEBUG [13/38]: enabling entryUSN plugin 2016-03-14T19:02:53Z DEBUG Starting external process 2016-03-14T19:02:53Z DEBUG args='/usr/bin/ldapmodify' '-v' '-f' '/usr/share/ipa/entryusn.ldif' '-H' 'ldap://jutta.cc.umanitoba.ca:389' '-x' '-D' 'cn=Directory Manager' '-y' '/tmp/tmpkBwK9N' 2016-03-14T19:02:53Z DEBUG Process finished, return code=0 2016-03-14T19:02:53Z DEBUG stdout=replace nsslapd-entryusn-global: on modifying entry "cn=config" modify complete replace nsslapd-entryusn-import-initval: next modifying entry "cn=config" modify complete replace nsslapd-pluginenabled: on modifying entry "cn=USN,cn=plugins,cn=config" modify complete 2016-03-14T19:02:53Z DEBUG stderr=ldap_initialize( ldap://jutta.cc.umanitoba.ca:389/??base ) 2016-03-14T19:02:53Z DEBUG duration: 0 seconds 2016-03-14T19:02:53Z DEBUG [14/38]: configuring lockout plugin 2016-03-14T19:02:53Z DEBUG Starting external process 2016-03-14T19:02:53Z DEBUG args='/usr/bin/ldapmodify' '-v' '-f' '/usr/share/ipa/lockout-conf.ldif' '-H' 'ldap://jutta.cc.umanitoba.ca:389' '-x' '-D' 'cn=Directory Manager' '-y' '/tmp/tmpiUGaAy' 2016-03-14T19:02:53Z DEBUG Process finished, return code=0 2016-03-14T19:02:53Z DEBUG stdout=add objectclass: top nsSlapdPlugin extensibleObject add cn: IPA Lockout add nsslapd-pluginpath: libipa_lockout add nsslapd-plugininitfunc: ipalockout_init add nsslapd-plugintype: object add nsslapd-pluginenabled: on add nsslapd-pluginid: ipalockout_version add nsslapd-pluginversion: 1.0 add nsslapd-pluginvendor: Red Hat, Inc. 
add nsslapd-plugindescription: IPA Lockout plugin add nsslapd-plugin-depends-on-type: database adding new entry "cn=IPA Lockout,cn=plugins,cn=config" modify complete 2016-03-14T19:02:53Z DEBUG stderr=ldap_initialize( ldap://jutta.cc.umanitoba.ca:389/??base ) 2016-03-14T19:02:53Z DEBUG duration: 0 seconds 2016-03-14T19:02:53Z DEBUG [15/38]: creating indices 2016-03-14T19:02:53Z DEBUG Starting external process 2016-03-14T19:02:53Z DEBUG args='/usr/bin/ldapmodify' '-v' '-f' '/usr/share/ipa/indices.ldif' '-H' 'ldap://jutta.cc.umanitoba.ca:389' '-x' '-D' 'cn=Directory Manager' '-y' '/tmp/tmpHty1Us' 2016-03-14T19:02:53Z DEBUG Process finished, return code=0 2016-03-14T19:02:53Z DEBUG stdout=add objectClass: top nsIndex add cn: krbPrincipalName add nsSystemIndex: false add nsIndexType: eq sub adding new entry "cn=krbPrincipalName,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" modify complete add objectClass: top nsIndex add cn: ou add nsSystemIndex: false add nsIndexType: eq sub adding new entry "cn=ou,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" modify complete add objectClass: top nsIndex add cn: carLicense add nsSystemIndex: false add nsIndexType: eq sub adding new entry "cn=carLicense,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" modify complete add objectClass: top nsIndex add cn: title add nsSystemIndex: false add nsIndexType: eq sub adding new entry "cn=title,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" modify complete add objectClass: top nsIndex add cn: manager add nsSystemIndex: false add nsIndexType: eq pres sub adding new entry "cn=manager,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" modify complete add objectClass: top nsIndex add cn: secretary add nsSystemIndex: false add nsIndexType: eq pres sub adding new entry "cn=secretary,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" modify complete add objectClass: top nsIndex add cn: displayname add nsSystemIndex: false add 
nsIndexType: eq sub adding new entry "cn=displayname,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" modify complete add nsIndexType: sub modifying entry "cn=uid,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" modify complete add objectClass: top nsIndex add cn: uidnumber add nsSystemIndex: false add nsIndexType: eq add nsMatchingRule: integerOrderingMatch adding new entry "cn=uidnumber,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" modify complete add objectClass: top nsIndex add cn: gidnumber add nsSystemIndex: false add nsIndexType: eq add nsMatchingRule: integerOrderingMatch adding new entry "cn=gidnumber,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" modify complete replace nsIndexType: eq pres modifying entry "cn=ntUniqueId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" modify complete replace nsIndexType: eq pres modifying entry "cn=ntUserDomainId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" modify complete add ObjectClass: top nsIndex add cn: fqdn add nsSystemIndex: false add nsIndexType: eq pres adding new entry "cn=fqdn,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" modify complete add ObjectClass: top nsIndex add cn: macAddress add nsSystemIndex: false add nsIndexType: eq pres adding new entry "cn=macAddress,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" modify complete add cn: memberHost add ObjectClass: top nsIndex add nsSystemIndex: false add nsIndexType: eq pres sub adding new entry "cn=memberHost,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" modify complete add cn: memberUser add ObjectClass: top nsIndex add nsSystemIndex: false add nsIndexType: eq pres sub adding new entry "cn=memberUser,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" modify complete add cn: sourcehost add ObjectClass: top nsIndex add nsSystemIndex: false add nsIndexType: eq pres sub adding new entry "cn=sourcehost,cn=index,cn=userRoot,cn=ldbm 
2016-03-14T19:04:30Z DEBUG objectclass=posixGroup 2016-03-14T19:04:30Z DEBUG memberUid=%{memberUid} 2016-03-14T19:04:30Z DEBUG %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","") 2016-03-14T19:04:30Z DEBUG %ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:uofmt1:%{ipauniqueid}","") 2016-03-14T19:04:30Z DEBUG cn: 2016-03-14T19:04:30Z DEBUG groups 2016-03-14T19:04:30Z DEBUG objectClass: 2016-03-14T19:04:30Z DEBUG top 2016-03-14T19:04:30Z DEBUG extensibleObject 2016-03-14T19:04:30Z DEBUG schema-compat-search-filter: 2016-03-14T19:04:30Z DEBUG objectclass=posixGroup 2016-03-14T19:04:30Z DEBUG schema-compat-container-rdn: 2016-03-14T19:04:30Z DEBUG cn=groups 2016-03-14T19:04:30Z DEBUG schema-compat-entry-rdn: 2016-03-14T19:04:30Z DEBUG cn=%{cn} 2016-03-14T19:04:30Z DEBUG schema-compat-search-base: 2016-03-14T19:04:30Z DEBUG cn=groups, cn=accounts, dc=uofmt1 2016-03-14T19:04:30Z DEBUG schema-compat-container-group: 2016-03-14T19:04:30Z DEBUG cn=compat, dc=uofmt1 2016-03-14T19:04:30Z DEBUG --------------------------------------------- 2016-03-14T19:04:30Z DEBUG Final value after applying updates 2016-03-14T19:04:30Z DEBUG dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config 2016-03-14T19:04:30Z DEBUG schema-compat-entry-attribute: 2016-03-14T19:04:30Z DEBUG gidNumber=%{gidNumber} 2016-03-14T19:04:30Z DEBUG %ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","") 2016-03-14T19:04:30Z DEBUG memberUid=%deref_r("member","uid") 2016-03-14T19:04:30Z DEBUG ipaanchoruuid=%{ipaanchoruuid} 2016-03-14T19:04:30Z DEBUG objectclass=posixGroup 2016-03-14T19:04:30Z DEBUG memberUid=%{memberUid} 2016-03-14T19:04:30Z DEBUG %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","") 2016-03-14T19:04:30Z DEBUG %ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:uofmt1:%{ipauniqueid}","") 2016-03-14T19:04:30Z DEBUG cn: 2016-03-14T19:04:30Z DEBUG groups 2016-03-14T19:04:30Z DEBUG objectClass: 2016-03-14T19:04:30Z DEBUG top 
2016-03-14T19:04:30Z DEBUG extensibleObject 2016-03-14T19:04:30Z DEBUG schema-compat-search-filter: 2016-03-14T19:04:30Z DEBUG objectclass=posixGroup 2016-03-14T19:04:30Z DEBUG schema-compat-container-rdn: 2016-03-14T19:04:30Z DEBUG cn=groups 2016-03-14T19:04:30Z DEBUG schema-compat-entry-rdn: 2016-03-14T19:04:30Z DEBUG cn=%{cn} 2016-03-14T19:04:30Z DEBUG schema-compat-search-base: 2016-03-14T19:04:30Z DEBUG cn=groups, cn=accounts, dc=uofmt1 2016-03-14T19:04:30Z DEBUG schema-compat-container-group: 2016-03-14T19:04:30Z DEBUG cn=compat, dc=uofmt1 2016-03-14T19:04:30Z DEBUG New entry: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config 2016-03-14T19:04:30Z DEBUG --------------------------------------------- 2016-03-14T19:04:30Z DEBUG Initial value 2016-03-14T19:04:30Z DEBUG dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config 2016-03-14T19:04:30Z DEBUG add: 'top' to objectClass, current value [] 2016-03-14T19:04:30Z DEBUG add: updated value ['top'] 2016-03-14T19:04:30Z DEBUG add: 'extensibleObject' to objectClass, current value ['top'] 2016-03-14T19:04:30Z DEBUG add: updated value ['top', 'extensibleObject'] 2016-03-14T19:04:30Z DEBUG add: 'ng' to cn, current value [] 2016-03-14T19:04:30Z DEBUG add: updated value ['ng'] 2016-03-14T19:04:30Z DEBUG add: 'cn=compat, dc=uofmt1' to schema-compat-container-group, current value [] 2016-03-14T19:04:30Z DEBUG add: updated value ['cn=compat, dc=uofmt1'] 2016-03-14T19:04:30Z DEBUG add: 'cn=ng' to schema-compat-container-rdn, current value [] 2016-03-14T19:04:30Z DEBUG add: updated value ['cn=ng'] 2016-03-14T19:04:30Z DEBUG add: 'yes' to schema-compat-check-access, current value [] 2016-03-14T19:04:30Z DEBUG add: updated value ['yes'] 2016-03-14T19:04:30Z DEBUG add: 'cn=ng, cn=alt, dc=uofmt1' to schema-compat-search-base, current value [] 2016-03-14T19:04:30Z DEBUG add: updated value ['cn=ng, cn=alt, dc=uofmt1'] 2016-03-14T19:04:30Z DEBUG add: '(objectclass=ipaNisNetgroup)' to schema-compat-search-filter, current value [] 
2016-03-14T19:04:30Z DEBUG add: updated value ['(objectclass=ipaNisNetgroup)'] 2016-03-14T19:04:30Z DEBUG add: 'cn=%{cn}' to schema-compat-entry-rdn, current value [] 2016-03-14T19:04:30Z DEBUG add: updated value ['cn=%{cn}'] 2016-03-14T19:04:30Z DEBUG add: 'objectclass=nisNetgroup' to schema-compat-entry-attribute, current value [] 2016-03-14T19:04:30Z DEBUG add: updated value ['objectclass=nisNetgroup'] 2016-03-14T19:04:30Z DEBUG add: 'memberNisNetgroup=%deref_r("member","cn")' to schema-compat-entry-attribute, current value ['objectclass=nisNetgroup'] 2016-03-14T19:04:30Z DEBUG add: updated value ['objectclass=nisNetgroup', 'memberNisNetgroup=%deref_r("member","cn")'] 2016-03-14T19:04:30Z DEBUG add: 'nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-})' to schema-compat-entry-attribute, current value ['memberNisNetgroup=%deref_r("member","cn")', 'objectclass=nisNetgroup'] 2016-03-14T19:04:30Z DEBUG add: updated value ['memberNisNetgroup=%deref_r("member","cn")', 'objectclass=nisNetgroup', 
'nisNetgroupTriple=(%link("%ifeq(\\"hostCategory\\",\\"all\\",\\"\\",\\"%collect(\\\\\\"%{externalHost}\\\\\\",\\\\\\"%deref(\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\",\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\")\\\\\\",\\\\\\"%deref_r(\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\",\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\")\\\\\\",\\\\\\"%deref_r(\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\",\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\",\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\")\\\\\\")\\")","-",",","%ifeq(\\"userCategory\\",\\"all\\",\\"\\",\\"%collect(\\\\\\"%deref(\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\",\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\")\\\\\\",\\\\\\"%deref_r(\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\",\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\")\\\\\\",\\\\\\"%deref_r(\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\",\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\",\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\")\\\\\\")\\")","-"),%{nisDomainName:-})'] 2016-03-14T19:04:30Z DEBUG --------------------------------------------- 2016-03-14T19:04:30Z DEBUG Final value after applying updates 2016-03-14T19:04:30Z DEBUG dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config 2016-03-14T19:04:30Z DEBUG schema-compat-entry-attribute: 2016-03-14T19:04:30Z DEBUG memberNisNetgroup=%deref_r("member","cn") 2016-03-14T19:04:30Z DEBUG objectclass=nisNetgroup 2016-03-14T19:04:30Z DEBUG nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-}) 2016-03-14T19:04:30Z DEBUG schema-compat-check-access: 2016-03-14T19:04:30Z DEBUG yes 
2016-03-14T19:04:30Z DEBUG cn: 2016-03-14T19:04:30Z DEBUG ng 2016-03-14T19:04:30Z DEBUG objectClass: 2016-03-14T19:04:30Z DEBUG top 2016-03-14T19:04:30Z DEBUG extensibleObject 2016-03-14T19:04:30Z DEBUG schema-compat-search-filter: 2016-03-14T19:04:30Z DEBUG (objectclass=ipaNisNetgroup) 2016-03-14T19:04:30Z DEBUG schema-compat-container-rdn: 2016-03-14T19:04:30Z DEBUG cn=ng 2016-03-14T19:04:30Z DEBUG schema-compat-entry-rdn: 2016-03-14T19:04:30Z DEBUG cn=%{cn} 2016-03-14T19:04:30Z DEBUG schema-compat-search-base: 2016-03-14T19:04:30Z DEBUG cn=ng, cn=alt, dc=uofmt1 2016-03-14T19:04:30Z DEBUG schema-compat-container-group: 2016-03-14T19:04:30Z DEBUG cn=compat, dc=uofmt1 2016-03-14T19:04:30Z DEBUG New entry: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config 2016-03-14T19:04:30Z DEBUG --------------------------------------------- 2016-03-14T19:04:30Z DEBUG Initial value 2016-03-14T19:04:30Z DEBUG dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config 2016-03-14T19:04:30Z DEBUG add: 'top' to objectClass, current value [] 2016-03-14T19:04:30Z DEBUG add: updated value ['top'] 2016-03-14T19:04:30Z DEBUG add: 'extensibleObject' to objectClass, current value ['top'] 2016-03-14T19:04:30Z DEBUG add: updated value ['top', 'extensibleObject'] 2016-03-14T19:04:30Z DEBUG add: 'sudoers' to cn, current value [] 2016-03-14T19:04:30Z DEBUG add: updated value ['sudoers'] 2016-03-14T19:04:30Z DEBUG add: 'ou=SUDOers, dc=uofmt1' to schema-compat-container-group, current value [] 2016-03-14T19:04:30Z DEBUG add: updated value ['ou=SUDOers, dc=uofmt1'] 2016-03-14T19:04:30Z DEBUG add: 'cn=sudorules, cn=sudo, dc=uofmt1' to schema-compat-search-base, current value [] 2016-03-14T19:04:30Z DEBUG add: updated value ['cn=sudorules, cn=sudo, dc=uofmt1'] 2016-03-14T19:04:30Z DEBUG add: '(&(objectclass=ipaSudoRule)(!(compatVisible=FALSE))(!(ipaEnabledFlag=FALSE)))' to schema-compat-search-filter, current value [] 2016-03-14T19:04:30Z DEBUG add: updated value 
['(&(objectclass=ipaSudoRule)(!(compatVisible=FALSE))(!(ipaEnabledFlag=FALSE)))'] 2016-03-14T19:04:30Z DEBUG add: '%ifeq("ipaEnabledFlag", "FALSE", "DISABLED", "cn=%{cn}")' to schema-compat-entry-rdn, current value [] 2016-03-14T19:04:30Z DEBUG add: updated value ['%ifeq("ipaEnabledFlag", "FALSE", "DISABLED", "cn=%{cn}")'] 2016-03-14T19:04:30Z DEBUG add: 'objectclass=sudoRole' to schema-compat-entry-attribute, current value [] 2016-03-14T19:04:30Z DEBUG add: updated value ['objectclass=sudoRole'] 2016-03-14T19:04:30Z DEBUG add: 'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")' to schema-compat-entry-attribute, current value ['objectclass=sudoRole'] 2016-03-14T19:04:30Z DEBUG add: updated value ['objectclass=sudoRole', 'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")'] 2016-03-14T19:04:30Z DEBUG add: 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\"memberUser\",\"(objectclass=posixAccount)\",\"uid\")")' to schema-compat-entry-attribute, current value ['sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', 'objectclass=sudoRole'] 2016-03-14T19:04:30Z DEBUG add: updated value ['sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', 'objectclass=sudoRole', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")'] 2016-03-14T19:04:30Z DEBUG add: 'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\"memberUser\",\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\",\"member\",\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\",\"uid\")")' to schema-compat-entry-attribute, current value ['sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', 'objectclass=sudoRole', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")'] 2016-03-14T19:04:30Z DEBUG add: updated value ['sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', 'objectclass=sudoRole', 
'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")'] 2016-03-14T19:04:30Z DEBUG add: 'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\"memberUser\",\"(objectclass=posixGroup)\",\"cn\")")' to schema-compat-entry-attribute, current value ['sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', 'objectclass=sudoRole', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")'] 2016-03-14T19:04:30Z DEBUG add: updated value ['sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', 'objectclass=sudoRole', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")'] 2016-03-14T19:04:30Z DEBUG add: 'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\"memberUser\",\"(objectclass=ipaNisNetgroup)\",\"cn\")")' to schema-compat-entry-attribute, current value ['sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', 'objectclass=sudoRole', 'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', 
'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")'] 2016-03-14T19:04:30Z DEBUG add: updated value ['sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', 'objectclass=sudoRole', 'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")'] 2016-03-14T19:04:30Z DEBUG add: 'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")' to schema-compat-entry-attribute, current value ['sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', 'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'objectclass=sudoRole'] 2016-03-14T19:04:30Z DEBUG add: updated value ['sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', 
'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'objectclass=sudoRole', 'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")'] 2016-03-14T19:04:30Z DEBUG add: 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\"memberHost\",\"(objectclass=ipaHost)\",\"fqdn\")")' to schema-compat-entry-attribute, current value ['sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', 'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'objectclass=sudoRole'] 2016-03-14T19:04:30Z DEBUG add: updated value ['sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', 'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', 
'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'objectclass=sudoRole', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")'] 2016-03-14T19:04:30Z DEBUG add: 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\"memberHost\",\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\",\"member\",\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\",\"fqdn\")")' to schema-compat-entry-attribute, current value ['sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', 'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")', 'objectclass=sudoRole'] 2016-03-14T19:04:30Z DEBUG add: updated value ['sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', 'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', 
'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")', 'objectclass=sudoRole', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\\",\\"member\\",\\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\\",\\"fqdn\\")")'] 2016-03-14T19:04:30Z DEBUG add: 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\"memberHost\",\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\",\"cn\")")' to schema-compat-entry-attribute, current value ['sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\\",\\"member\\",\\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\\",\\"fqdn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', 
'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")', 'objectclass=sudoRole'] 2016-03-14T19:04:30Z DEBUG add: updated value ['sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\\",\\"member\\",\\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\\",\\"fqdn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")', 'objectclass=sudoRole', 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\\",\\"cn\\")")'] 2016-03-14T19:04:30Z DEBUG add: 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\"memberHost\",\"(objectclass=ipaNisNetgroup)\",\"cn\")")' to schema-compat-entry-attribute, current value ['sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', 
'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\\",\\"member\\",\\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\\",\\"fqdn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\\",\\"cn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")', 'objectclass=sudoRole'] 2016-03-14T19:04:30Z DEBUG add: updated value ['sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\\",\\"member\\",\\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\\",\\"fqdn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\\",\\"cn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', 
'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\\",\\"member\\",\\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\\",\\"fqdn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%deref_f(\\"ipaSudoRunAs\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\\",\\"cn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoCommand=!%deref("memberDenyCmd","sudoCmd")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'sudoCommand=!%deref_r("memberDenyCmd","member","sudoCmd")', 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%deref_f(\\"ipaSudoRunAs\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%{ipaSudoRunAsExtUser}")', 'sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%{ipaSudoRunAsExtGroup}")', 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%{ipaSudoRunAsExtUserGroup}")', 'sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%deref_f(\\"ipaSudoRunAsGroup\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")'] 2016-03-14T19:04:30Z DEBUG add: 'sudoOption=%{ipaSudoOpt}' to 
schema-compat-entry-attribute, current value ['sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%{ipaSudoRunAsExtUserGroup}")', 'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\\",\\"member\\",\\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\\",\\"fqdn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\\",\\"cn\\")")', 'sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%{ipaSudoRunAsExtGroup}")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', 'sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%deref_f(\\"ipaSudoRunAsGroup\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")', 'objectclass=sudoRole', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\\"memberAllowCmd\\",\\"sudoCmd\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%{hostMask}")', 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%deref_f(\\"ipaSudoRunAs\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 
'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%deref_f(\\"ipaSudoRunAs\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%{ipaSudoRunAsExtUser}")', 'sudoCommand=!%deref("memberDenyCmd","sudoCmd")', 'sudoCommand=!%deref_r("memberDenyCmd","member","sudoCmd")', 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\\"memberAllowCmd\\",\\"member\\",\\"sudoCmd\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")'] 2016-03-14T19:04:30Z DEBUG add: updated value ['sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%{ipaSudoRunAsExtUserGroup}")', 'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\\",\\"member\\",\\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\\",\\"fqdn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\\",\\"cn\\")")', 'sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%{ipaSudoRunAsExtGroup}")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', 'sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%deref_f(\\"ipaSudoRunAsGroup\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")', 'objectclass=sudoRole', 
'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\\"memberAllowCmd\\",\\"sudoCmd\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%{hostMask}")', 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%deref_f(\\"ipaSudoRunAs\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%deref_f(\\"ipaSudoRunAs\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%{ipaSudoRunAsExtUser}")', 'sudoCommand=!%deref("memberDenyCmd","sudoCmd")', 'sudoCommand=!%deref_r("memberDenyCmd","member","sudoCmd")', 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\\"memberAllowCmd\\",\\"member\\",\\"sudoCmd\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'sudoOption=%{ipaSudoOpt}'] 2016-03-14T19:04:30Z DEBUG --------------------------------------------- 2016-03-14T19:04:30Z DEBUG Final value after applying updates 2016-03-14T19:04:30Z DEBUG dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config 2016-03-14T19:04:30Z DEBUG schema-compat-entry-attribute: 2016-03-14T19:04:30Z DEBUG sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%{ipaSudoRunAsExtUserGroup}") 2016-03-14T19:04:30Z DEBUG sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}") 2016-03-14T19:04:30Z DEBUG sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\"memberHost\",\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\",\"member\",\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\",\"fqdn\")") 2016-03-14T19:04:30Z DEBUG 
sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\"memberUser\",\"(objectclass=posixGroup)\",\"cn\")") 2016-03-14T19:04:30Z DEBUG sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\"memberHost\",\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\",\"cn\")") 2016-03-14T19:04:30Z DEBUG sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%{ipaSudoRunAsExtGroup}") 2016-03-14T19:04:30Z DEBUG sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\"memberUser\",\"(objectclass=posixAccount)\",\"uid\")") 2016-03-14T19:04:30Z DEBUG sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\"memberHost\",\"(objectclass=ipaNisNetgroup)\",\"cn\")") 2016-03-14T19:04:30Z DEBUG sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%deref_f(\"ipaSudoRunAsGroup\",\"(objectclass=posixGroup)\",\"cn\")") 2016-03-14T19:04:30Z DEBUG sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\"memberHost\",\"(objectclass=ipaHost)\",\"fqdn\")") 2016-03-14T19:04:30Z DEBUG objectclass=sudoRole 2016-03-14T19:04:30Z DEBUG sudoOption=%{ipaSudoOpt} 2016-03-14T19:04:30Z DEBUG sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\"memberUser\",\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\",\"member\",\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\",\"uid\")") 2016-03-14T19:04:30Z DEBUG sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\"memberAllowCmd\",\"sudoCmd\")") 2016-03-14T19:04:30Z DEBUG sudoHost=%ifeq("hostCategory","all","ALL","%{hostMask}") 2016-03-14T19:04:30Z DEBUG sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixAccount)\",\"uid\")") 2016-03-14T19:04:30Z DEBUG sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\"memberUser\",\"(objectclass=ipaNisNetgroup)\",\"cn\")") 2016-03-14T19:04:30Z DEBUG sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixGroup)\",\"cn\")") 2016-03-14T19:04:30Z DEBUG 
sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%{ipaSudoRunAsExtUser}") 2016-03-14T19:04:30Z DEBUG sudoCommand=!%deref("memberDenyCmd","sudoCmd") 2016-03-14T19:04:30Z DEBUG sudoCommand=!%deref_r("memberDenyCmd","member","sudoCmd") 2016-03-14T19:04:30Z DEBUG sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\"memberAllowCmd\",\"member\",\"sudoCmd\")") 2016-03-14T19:04:30Z DEBUG sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}") 2016-03-14T19:04:30Z DEBUG cn: 2016-03-14T19:04:30Z DEBUG sudoers 2016-03-14T19:04:30Z DEBUG objectClass: 2016-03-14T19:04:30Z DEBUG top 2016-03-14T19:04:30Z DEBUG extensibleObject 2016-03-14T19:04:30Z DEBUG schema-compat-search-filter: 2016-03-14T19:04:30Z DEBUG (&(objectclass=ipaSudoRule)(!(compatVisible=FALSE))(!(ipaEnabledFlag=FALSE))) 2016-03-14T19:04:30Z DEBUG schema-compat-entry-rdn: 2016-03-14T19:04:30Z DEBUG %ifeq("ipaEnabledFlag", "FALSE", "DISABLED", "cn=%{cn}") 2016-03-14T19:04:30Z DEBUG schema-compat-search-base: 2016-03-14T19:04:30Z DEBUG cn=sudorules, cn=sudo, dc=uofmt1 2016-03-14T19:04:30Z DEBUG schema-compat-container-group: 2016-03-14T19:04:30Z DEBUG ou=SUDOers, dc=uofmt1 2016-03-14T19:04:30Z DEBUG New entry: cn=computers,cn=Schema Compatibility,cn=plugins,cn=config 2016-03-14T19:04:30Z DEBUG --------------------------------------------- 2016-03-14T19:04:30Z DEBUG Initial value 2016-03-14T19:04:30Z DEBUG dn: cn=computers,cn=Schema Compatibility,cn=plugins,cn=config 2016-03-14T19:04:30Z DEBUG schema-compat-entry-attribute: 2016-03-14T19:04:30Z DEBUG objectclass=device 2016-03-14T19:04:30Z DEBUG cn=%{fqdn} 2016-03-14T19:04:30Z DEBUG macAddress=%{macAddress} 2016-03-14T19:04:30Z DEBUG objectclass=ieee802Device 2016-03-14T19:04:30Z DEBUG cn: 2016-03-14T19:04:30Z DEBUG computers 2016-03-14T19:04:30Z DEBUG objectClass: 2016-03-14T19:04:30Z DEBUG top 2016-03-14T19:04:30Z DEBUG extensibleObject 2016-03-14T19:04:30Z DEBUG schema-compat-search-filter: 2016-03-14T19:04:30Z DEBUG 
(&(macAddress=*)(fqdn=*)(objectClass=ipaHost)) 2016-03-14T19:04:30Z DEBUG schema-compat-container-rdn: 2016-03-14T19:04:30Z DEBUG cn=computers 2016-03-14T19:04:30Z DEBUG schema-compat-entry-rdn: 2016-03-14T19:04:30Z DEBUG cn=%first("%{fqdn}") 2016-03-14T19:04:30Z DEBUG schema-compat-search-base: 2016-03-14T19:04:30Z DEBUG cn=computers, cn=accounts, dc=uofmt1 2016-03-14T19:04:30Z DEBUG schema-compat-container-group: 2016-03-14T19:04:30Z DEBUG cn=compat, dc=uofmt1 2016-03-14T19:04:30Z DEBUG --------------------------------------------- 2016-03-14T19:04:30Z DEBUG Final value after applying updates 2016-03-14T19:04:30Z DEBUG dn: cn=computers,cn=Schema Compatibility,cn=plugins,cn=config 2016-03-14T19:04:30Z DEBUG schema-compat-entry-attribute: 2016-03-14T19:04:30Z DEBUG objectclass=device 2016-03-14T19:04:30Z DEBUG cn=%{fqdn} 2016-03-14T19:04:30Z DEBUG macAddress=%{macAddress} 2016-03-14T19:04:30Z DEBUG objectclass=ieee802Device 2016-03-14T19:04:30Z DEBUG cn: 2016-03-14T19:04:30Z DEBUG computers 2016-03-14T19:04:30Z DEBUG objectClass: 2016-03-14T19:04:30Z DEBUG top 2016-03-14T19:04:30Z DEBUG extensibleObject 2016-03-14T19:04:30Z DEBUG schema-compat-search-filter: 2016-03-14T19:04:30Z DEBUG (&(macAddress=*)(fqdn=*)(objectClass=ipaHost)) 2016-03-14T19:04:30Z DEBUG schema-compat-container-rdn: 2016-03-14T19:04:30Z DEBUG cn=computers 2016-03-14T19:04:30Z DEBUG schema-compat-entry-rdn: 2016-03-14T19:04:30Z DEBUG cn=%first("%{fqdn}") 2016-03-14T19:04:30Z DEBUG schema-compat-search-base: 2016-03-14T19:04:30Z DEBUG cn=computers, cn=accounts, dc=uofmt1 2016-03-14T19:04:30Z DEBUG schema-compat-container-group: 2016-03-14T19:04:30Z DEBUG cn=compat, dc=uofmt1 2016-03-14T19:04:31Z DEBUG Updating existing entry: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config 2016-03-14T19:04:31Z DEBUG --------------------------------------------- 2016-03-14T19:04:31Z DEBUG Initial value 2016-03-14T19:04:31Z DEBUG dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config 2016-03-14T19:04:31Z DEBUG 
objectClass: 2016-03-14T19:04:31Z DEBUG top 2016-03-14T19:04:31Z DEBUG directoryServerFeature 2016-03-14T19:04:31Z DEBUG aci: 2016-03-14T19:04:31Z DEBUG (targetattr != "aci")(version 3.0; acl "VLV Request Control"; allow( read, search, compare, proxy ) userdn = "ldap:///all";) 2016-03-14T19:04:31Z DEBUG oid: 2016-03-14T19:04:31Z DEBUG 2.16.840.1.113730.3.4.9 2016-03-14T19:04:31Z DEBUG cn: 2016-03-14T19:04:31Z DEBUG VLV Request Control 2016-03-14T19:04:31Z DEBUG only: set aci to '(targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read, search, compare, proxy) userdn = "ldap:///anyone"; )', current value ['(targetattr != "aci")(version 3.0; acl "VLV Request Control"; allow( read, search, compare, proxy ) userdn = "ldap:///all";)'] 2016-03-14T19:04:31Z DEBUG only: updated value ['(targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read, search, compare, proxy) userdn = "ldap:///anyone"; )'] 2016-03-14T19:04:31Z DEBUG --------------------------------------------- 2016-03-14T19:04:31Z DEBUG Final value after applying updates 2016-03-14T19:04:31Z DEBUG dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config 2016-03-14T19:04:31Z DEBUG objectClass: 2016-03-14T19:04:31Z DEBUG top 2016-03-14T19:04:31Z DEBUG directoryServerFeature 2016-03-14T19:04:31Z DEBUG aci: 2016-03-14T19:04:31Z DEBUG (targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read, search, compare, proxy) userdn = "ldap:///anyone"; ) 2016-03-14T19:04:31Z DEBUG oid: 2016-03-14T19:04:31Z DEBUG 2.16.840.1.113730.3.4.9 2016-03-14T19:04:31Z DEBUG cn: 2016-03-14T19:04:31Z DEBUG VLV Request Control 2016-03-14T19:04:31Z DEBUG [(0, u'aci', ['(targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read, search, compare, proxy) userdn = "ldap:///anyone"; )']), (1, u'aci', ['(targetattr != "aci")(version 3.0; acl "VLV Request Control"; allow( read, search, compare, proxy ) userdn = "ldap:///all";)'])] 2016-03-14T19:04:31Z DEBUG Updated 1 2016-03-14T19:04:31Z DEBUG 
Done 2016-03-14T19:04:31Z DEBUG Destroyed connection context.ldap2_153210000 2016-03-14T19:04:31Z DEBUG duration: 2 seconds 2016-03-14T19:04:31Z DEBUG [35/38]: activating sidgen plugin 2016-03-14T19:04:31Z DEBUG Starting external process 2016-03-14T19:04:31Z DEBUG args='/usr/bin/ldapmodify' '-v' '-f' '/tmp/tmpALrjvG' '-H' 'ldap://jutta.cc.umanitoba.ca:389' '-x' '-D' 'cn=Directory Manager' '-y' '/tmp/tmpB0DItQ' 2016-03-14T19:04:31Z DEBUG Process finished, return code=0 2016-03-14T19:04:31Z DEBUG stdout=add objectclass: top nsSlapdPlugin extensibleObject add cn: IPA SIDGEN add nsslapd-pluginpath: libipa_sidgen add nsslapd-plugininitfunc: ipa_sidgen_init add nsslapd-plugintype: postoperation add nsslapd-pluginenabled: on add nsslapd-pluginid: ipa_sidgen_postop add nsslapd-pluginversion: 1.0 add nsslapd-pluginvendor: Red Hat, Inc. add nsslapd-plugindescription: IPA SIDGEN post operation add nsslapd-plugin-depends-on-type: database add nsslapd-basedn: dc=uofmt1 adding new entry "cn=IPA SIDGEN,cn=plugins,cn=config" modify complete 2016-03-14T19:04:31Z DEBUG stderr=ldap_initialize( ldap://jutta.cc.umanitoba.ca:389/??base ) 2016-03-14T19:04:31Z DEBUG duration: 0 seconds 2016-03-14T19:04:31Z DEBUG [36/38]: activating extdom plugin 2016-03-14T19:04:31Z DEBUG Starting external process 2016-03-14T19:04:31Z DEBUG args='/usr/bin/ldapmodify' '-v' '-f' '/tmp/tmpUHeKKl' '-H' 'ldap://jutta.cc.umanitoba.ca:389' '-x' '-D' 'cn=Directory Manager' '-y' '/tmp/tmpVKuXdM' 2016-03-14T19:04:31Z DEBUG Process finished, return code=0 2016-03-14T19:04:31Z DEBUG stdout=add objectclass: top nsSlapdPlugin extensibleObject add cn: ipa_extdom_extop add nsslapd-pluginpath: libipa_extdom_extop add nsslapd-plugininitfunc: ipa_extdom_init add nsslapd-plugintype: extendedop add nsslapd-pluginenabled: on add nsslapd-pluginid: ipa_extdom_extop add nsslapd-pluginversion: 1.0 add nsslapd-pluginvendor: RedHat add nsslapd-plugindescription: Support resolving IDs in trusted domains to names and back add 
nsslapd-plugin-depends-on-type: database add nsslapd-basedn: dc=uofmt1 adding new entry "cn=ipa_extdom_extop,cn=plugins,cn=config" modify complete 2016-03-14T19:04:31Z DEBUG stderr=ldap_initialize( ldap://jutta.cc.umanitoba.ca:389/??base ) 2016-03-14T19:04:31Z DEBUG duration: 0 seconds 2016-03-14T19:04:31Z DEBUG [37/38]: tuning directory server 2016-03-14T19:04:31Z DEBUG Starting external process 2016-03-14T19:04:31Z DEBUG args='/usr/sbin/selinuxenabled' 2016-03-14T19:04:31Z DEBUG Process finished, return code=1 2016-03-14T19:04:31Z DEBUG stdout= 2016-03-14T19:04:31Z DEBUG stderr= 2016-03-14T19:04:31Z DEBUG Starting external process 2016-03-14T19:04:31Z DEBUG args='/bin/systemctl' '--system' 'daemon-reload' 2016-03-14T19:04:31Z DEBUG Process finished, return code=0 2016-03-14T19:04:31Z DEBUG stdout= 2016-03-14T19:04:31Z DEBUG stderr= 2016-03-14T19:04:31Z DEBUG Starting external process 2016-03-14T19:04:31Z DEBUG args='/bin/systemctl' '--system' 'daemon-reload' 2016-03-14T19:04:31Z DEBUG Process finished, return code=0 2016-03-14T19:04:31Z DEBUG stdout= 2016-03-14T19:04:31Z DEBUG stderr= 2016-03-14T19:04:31Z DEBUG Starting external process 2016-03-14T19:04:31Z DEBUG args='/bin/systemctl' 'restart' 'dirsrv at UOFMT1.service' 2016-03-14T19:04:33Z DEBUG Process finished, return code=0 2016-03-14T19:04:33Z DEBUG stdout= 2016-03-14T19:04:33Z DEBUG stderr= 2016-03-14T19:04:33Z DEBUG Starting external process 2016-03-14T19:04:33Z DEBUG args='/bin/systemctl' 'is-active' 'dirsrv at UOFMT1.service' 2016-03-14T19:04:33Z DEBUG Process finished, return code=0 2016-03-14T19:04:33Z DEBUG stdout=active 2016-03-14T19:04:33Z DEBUG stderr= 2016-03-14T19:04:33Z DEBUG wait_for_open_ports: localhost [389] timeout 300 2016-03-14T19:05:49Z DEBUG Starting external process 2016-03-14T19:05:49Z DEBUG args='/bin/systemctl' 'is-active' 'dirsrv at UOFMT1.service' 2016-03-14T19:05:49Z DEBUG Process finished, return code=0 2016-03-14T19:05:49Z DEBUG stdout=active 2016-03-14T19:05:49Z DEBUG stderr= 
2016-03-14T19:05:49Z DEBUG Starting external process 2016-03-14T19:05:49Z DEBUG args='/usr/bin/ldapmodify' '-v' '-f' '/tmp/tmpOL5ONg' '-H' 'ldap://jutta.cc.umanitoba.ca:389' '-x' '-D' 'cn=Directory Manager' '-y' '/tmp/tmpOCGeA9' 2016-03-14T19:05:49Z DEBUG Process finished, return code=0 2016-03-14T19:05:49Z DEBUG stdout=replace nsslapd-maxdescriptors: 8192 replace nsslapd-reservedescriptors: 64 modifying entry "cn=config" modify complete 2016-03-14T19:05:49Z DEBUG stderr=ldap_initialize( ldap://jutta.cc.umanitoba.ca:389/??base ) 2016-03-14T19:05:49Z DEBUG duration: 78 seconds 2016-03-14T19:05:49Z DEBUG [38/38]: configuring directory to start on boot 2016-03-14T19:05:49Z DEBUG Starting external process 2016-03-14T19:05:49Z DEBUG args='/bin/systemctl' 'is-enabled' 'dirsrv at UOFMT1.service' 2016-03-14T19:05:49Z DEBUG Process finished, return code=0 2016-03-14T19:05:49Z DEBUG stdout=enabled 2016-03-14T19:05:49Z DEBUG stderr= 2016-03-14T19:05:49Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2016-03-14T19:05:49Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2016-03-14T19:05:49Z DEBUG Starting external process 2016-03-14T19:05:49Z DEBUG args='/bin/systemctl' 'disable' 'dirsrv at UOFMT1.service' 2016-03-14T19:05:49Z DEBUG Process finished, return code=0 2016-03-14T19:05:49Z DEBUG stdout= 2016-03-14T19:05:49Z DEBUG stderr=Removed symlink /etc/systemd/system/dirsrv.target.wants/dirsrv at UOFMT1.service. 2016-03-14T19:05:49Z DEBUG duration: 0 seconds 2016-03-14T19:05:49Z DEBUG Done configuring directory server (dirsrv). 2016-03-14T19:05:49Z DEBUG Destroyed connection context.ldap2_97498768 2016-03-14T19:05:49Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2016-03-14T19:05:49Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2016-03-14T19:05:49Z DEBUG Configuring certificate server (pki-tomcatd). 
Estimated time: 3 minutes 30 seconds 2016-03-14T19:05:49Z DEBUG [1/23]: creating certificate server user 2016-03-14T19:05:49Z DEBUG group pkiuser exists 2016-03-14T19:05:49Z DEBUG user pkiuser exists 2016-03-14T19:05:49Z DEBUG duration: 0 seconds 2016-03-14T19:05:49Z DEBUG [2/23]: configuring certificate server instance 2016-03-14T19:05:49Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2016-03-14T19:05:49Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2016-03-14T19:05:49Z DEBUG Contents of pkispawn configuration file (/tmp/tmpxQAXLl): [CA] pki_security_domain_name = IPA pki_enable_proxy = True pki_restart_configured_instance = False pki_backup_keys = True pki_backup_password = XXXXXXXX pki_profiles_in_ldap = True pki_client_database_dir = /tmp/tmp-OVm7fY pki_client_database_password = XXXXXXXX pki_client_database_purge = False pki_client_pkcs12_password = XXXXXXXX pki_admin_name = admin pki_admin_uid = admin pki_admin_email = root at localhost pki_admin_password = XXXXXXXX pki_admin_nickname = ipa-ca-agent pki_admin_subject_dn = cn=ipa-ca-agent,O=UOFMT1 pki_client_admin_cert_p12 = /root/ca-agent.p12 pki_ds_ldap_port = 389 pki_ds_password = XXXXXXXX pki_ds_base_dn = o=ipaca pki_ds_database = ipaca pki_subsystem_subject_dn = cn=CA Subsystem,O=UOFMT1 pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O=UOFMT1 pki_ssl_server_subject_dn = cn=jutta.cc.umanitoba.ca,O=UOFMT1 pki_audit_signing_subject_dn = cn=CA Audit,O=UOFMT1 pki_ca_signing_subject_dn = cn=Certificate Authority,O=UOFMT1 pki_subsystem_nickname = subsystemCert cert-pki-ca pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca pki_ssl_server_nickname = Server-Cert cert-pki-ca pki_audit_signing_nickname = auditSigningCert cert-pki-ca pki_ca_signing_nickname = caSigningCert cert-pki-ca pki_ca_signing_key_algorithm = SHA256withRSA pki_security_domain_hostname = mork.cc.umanitoba.ca pki_security_domain_https_port = 443 pki_security_domain_user = admin 
pki_security_domain_password = XXXXXXXX pki_clone = True pki_clone_pkcs12_path = /tmp/ca.p12 pki_clone_pkcs12_password = XXXXXXXX pki_clone_replication_security = TLS pki_clone_replication_master_port = 389 pki_clone_replication_clone_port = 389 pki_clone_replicate_schema = False pki_clone_uri = https://mork.cc.umanitoba.ca:443 2016-03-14T19:05:49Z DEBUG Starting external process 2016-03-14T19:05:49Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpxQAXLl' 2016-03-14T19:09:06Z DEBUG Process finished, return code=0 2016-03-14T19:09:06Z DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20160314140549.log Loading deployment configuration from /tmp/tmpxQAXLl. Installing CA into /var/lib/pki/pki-tomcat. Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg. ========================================================================== INSTALLATION SUMMARY ========================================================================== Administrator's username: admin Administrator's certificate nickname: ipa-ca-agent Administrator's certificate database: /tmp/tmp-OVm7fY To check the status of the subsystem: systemctl status pki-tomcatd at pki-tomcat.service To restart the subsystem: systemctl restart pki-tomcatd at pki-tomcat.service The URL for the subsystem is: https://jutta.cc.umanitoba.ca:8443/ca PKI instances will be enabled upon system boot ========================================================================== 2016-03-14T19:09:06Z DEBUG stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html InsecureRequestWarning) Created symlink from /etc/systemd/system/multi-user.target.wants/pki-tomcatd.target to /usr/lib/systemd/system/pki-tomcatd.target. 
2016-03-14T19:09:06Z DEBUG completed creating ca instance 2016-03-14T19:09:06Z DEBUG duration: 197 seconds 2016-03-14T19:09:06Z DEBUG [3/23]: stopping certificate server instance to update CS.cfg 2016-03-14T19:09:06Z DEBUG Starting external process 2016-03-14T19:09:06Z DEBUG args='/bin/systemctl' 'stop' 'pki-tomcatd at pki-tomcat.service' 2016-03-14T19:09:07Z DEBUG Process finished, return code=0 2016-03-14T19:09:07Z DEBUG stdout= 2016-03-14T19:09:07Z DEBUG stderr= 2016-03-14T19:09:07Z DEBUG duration: 0 seconds 2016-03-14T19:09:07Z DEBUG [4/23]: backing up CS.cfg 2016-03-14T19:09:07Z DEBUG Starting external process 2016-03-14T19:09:07Z DEBUG args='/bin/systemctl' 'is-active' 'pki-tomcatd at pki-tomcat.service' 2016-03-14T19:09:07Z DEBUG Process finished, return code=3 2016-03-14T19:09:07Z DEBUG stdout=inactive 2016-03-14T19:09:07Z DEBUG stderr= 2016-03-14T19:09:07Z DEBUG duration: 0 seconds 2016-03-14T19:09:07Z DEBUG [5/23]: disabling nonces 2016-03-14T19:09:07Z DEBUG duration: 0 seconds 2016-03-14T19:09:07Z DEBUG [6/23]: set up CRL publishing 2016-03-14T19:09:07Z DEBUG Starting external process 2016-03-14T19:09:07Z DEBUG args='/usr/sbin/selinuxenabled' 2016-03-14T19:09:07Z DEBUG Process finished, return code=1 2016-03-14T19:09:07Z DEBUG stdout= 2016-03-14T19:09:07Z DEBUG stderr= 2016-03-14T19:09:07Z DEBUG duration: 0 seconds 2016-03-14T19:09:07Z DEBUG [7/23]: enable PKIX certificate path discovery and validation 2016-03-14T19:09:07Z DEBUG duration: 0 seconds 2016-03-14T19:09:07Z DEBUG [8/23]: starting certificate server instance 2016-03-14T19:09:07Z DEBUG Starting external process 2016-03-14T19:09:07Z DEBUG args='/bin/systemctl' 'start' 'pki-tomcatd at pki-tomcat.service' 2016-03-14T19:09:08Z DEBUG Process finished, return code=0 2016-03-14T19:09:08Z DEBUG stdout= 2016-03-14T19:09:08Z DEBUG stderr= 2016-03-14T19:09:08Z DEBUG Starting external process 2016-03-14T19:09:08Z DEBUG args='/bin/systemctl' 'is-active' 'pki-tomcatd at pki-tomcat.service' 
2016-03-14T19:09:08Z DEBUG Process finished, return code=0 2016-03-14T19:09:08Z DEBUG stdout=active 2016-03-14T19:09:08Z DEBUG stderr= 2016-03-14T19:09:08Z DEBUG wait_for_open_ports: localhost [8080, 8443] timeout 300 2016-03-14T19:09:10Z DEBUG Waiting until the CA is running 2016-03-14T19:09:10Z DEBUG Starting external process 2016-03-14T19:09:10Z DEBUG args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://jutta.cc.umanitoba.ca:8443/ca/admin/ca/getStatus' 2016-03-14T19:09:17Z DEBUG Process finished, return code=0 2016-03-14T19:09:17Z DEBUG stdout=1CArunning10.2.5-6.el7 2016-03-14T19:09:17Z DEBUG stderr=--2016-03-14 14:09:10-- https://jutta.cc.umanitoba.ca:8443/ca/admin/ca/getStatus Resolving jutta.cc.umanitoba.ca (jutta.cc.umanitoba.ca)... 130.179.19.176 Connecting to jutta.cc.umanitoba.ca (jutta.cc.umanitoba.ca)|130.179.19.176|:8443... connected. WARNING: cannot verify jutta.cc.umanitoba.ca's certificate, issued by ‘/O=UOFMT1/CN=Certificate Authority’: Self-signed certificate encountered. HTTP request sent, awaiting response... HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Content-Type: application/xml Content-Length: 167 Date: Mon, 14 Mar 2016 19:09:17 GMT Length: 167 [application/xml] Saving to: ‘STDOUT’ 
0K 100% 26.8M=0s 2016-03-14 14:09:17 (26.8 MB/s) - written to stdout [167/167] 2016-03-14T19:09:17Z DEBUG The CA status is: running 2016-03-14T19:09:17Z DEBUG duration: 9 seconds 2016-03-14T19:09:17Z DEBUG [9/23]: creating RA agent certificate database 2016-03-14T19:09:17Z DEBUG Starting external process 2016-03-14T19:09:17Z DEBUG args='/usr/bin/certutil' '-d' '/etc/httpd/alias' '-f' XXXXXXXX '-N' 2016-03-14T19:09:17Z DEBUG Process finished, return code=0 2016-03-14T19:09:17Z DEBUG stdout= 2016-03-14T19:09:17Z DEBUG stderr= 2016-03-14T19:09:17Z DEBUG duration: 0 seconds 2016-03-14T19:09:17Z DEBUG [10/23]: importing CA chain to RA certificate database 2016-03-14T19:09:17Z DEBUG Starting external process 2016-03-14T19:09:17Z DEBUG args='/usr/bin/openssl' 'pkcs7' '-inform' 'DER' '-print_certs' 2016-03-14T19:09:17Z DEBUG Process finished, return code=0 2016-03-14T19:09:17Z DEBUG stdout=subject=/O=UOFMT1/CN=Certificate Authority issuer=/O=UOFMT1/CN=Certificate Authority -----BEGIN CERTIFICATE----- MIIDhjCCAm6gAwIBAgIBATANBgkqhkiG9w0BAQsFADAxMQ8wDQYDVQQKDAZVT0ZN VDExHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xNjAyMTIxMzQ3 MDdaFw0zNjAyMTIxMzQ3MDdaMDExDzANBgNVBAoMBlVPRk1UMTEeMBwGA1UEAwwV Q2VydGlmaWNhdGUgQXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB CgKCAQEAxyrEHq/FMY5OV7bh0MM+JItSh/PDDcbcp2Q793vtnTFfFX1oEJTu5A6S 1ATshlPfq9vbjkph0WuLZetbivBodLevCFCfIxBp+PJqPk+FpahowmT8lheFOXs/ Tu/IthqL9ykXOc8HBUK6WU83ICNYwDjFD95ShbWy9oM//kkRJvdC4dRZU6g5UDav 0/bWol76UauFHLRiDPSri0G5eIP0YDUkrFtXhezVZJZX4y/FNYhXRFqLPVplV6dY izoCIOABMpuiNiFFSvP5S4qjcpPGBqF5mfAnuzYfgHLM+xr7nutDLZXfcAclX6ep lN7RMCpZEVve9AKU7geigBzV//sT6wIDAQABo4GoMIGlMB8GA1UdIwQYMBaAFOsQ UcQthYZk+osgO4FcNl7KI4oEMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQD AgHGMB0GA1UdDgQWBBTrEFHELYWGZPqLIDuBXDZeyiOKBDBCBggrBgEFBQcBAQQ2 MDQwMgYIKwYBBQUHMAGGJmh0dHA6Ly9tb3JrLmNjLnVtYW5pdG9iYS5jYTo4MC9j YS9vY3NwMA0GCSqGSIb3DQEBCwUAA4IBAQCteJIO2uwNp7H/4yyG80VU8iGO9yn8 rj8wQM6lE0RGC0iNjzV/p+KltUxbuE2xJKoiqEFScXFQ6suQtco3MQAn6ZunCYLY 
vlDosNsrgeA9ZsJzODP/y1WD+swB8ELWArAQQVxcFKSMmITEywO0x+dzM+1KCP4R siTzN3uiiGjm3r3Zh1kWZhW44ArLD/e170df3rGP4m6U85a7ZfUXiRaOYj7D5M8p VAHgx/zVZq8hPpIlqQvT0+HdD3Veh5vrZFkTzMSFCHqygKY3Bl+DWZ1mz/+X8KCi yulmoyrUa5zGKDvahj1rM6hrYmrCnEExG3d7gBbt673UaKSdtWSkCY54 -----END CERTIFICATE----- 2016-03-14T19:09:17Z DEBUG stderr= 2016-03-14T19:09:17Z DEBUG Starting external process 2016-03-14T19:09:17Z DEBUG args='/usr/bin/certutil' '-d' '/etc/httpd/alias' '-f' XXXXXXXX '-A' '-t' 'CT,C,C' '-n' 'UOFMT1 IPA CA' '-a' '-i' '/tmp/tmp5p55LP' 2016-03-14T19:09:18Z DEBUG Process finished, return code=0 2016-03-14T19:09:18Z DEBUG stdout= 2016-03-14T19:09:18Z DEBUG stderr= 2016-03-14T19:09:18Z DEBUG duration: 0 seconds 2016-03-14T19:09:18Z DEBUG [11/23]: fixing RA database permissions 2016-03-14T19:09:18Z DEBUG duration: 0 seconds 2016-03-14T19:09:18Z DEBUG [12/23]: setting up signing cert profile 2016-03-14T19:09:18Z DEBUG duration: 0 seconds 2016-03-14T19:09:18Z DEBUG [13/23]: setting audit signing renewal to 2 years 2016-03-14T19:09:18Z DEBUG caSignedLogCert.cfg profile validity range is 720 2016-03-14T19:09:18Z DEBUG duration: 0 seconds 2016-03-14T19:09:18Z DEBUG [14/23]: importing RA certificate from PKCS #12 file 2016-03-14T19:09:18Z DEBUG Starting external process 2016-03-14T19:09:18Z DEBUG args='/usr/bin/pk12util' '-d' '/etc/httpd/alias' '-i' '/tmp/tmpCOFxLUipa/realm_info/ra.p12' '-k' '/etc/httpd/alias/pwdfile.txt' '-w' '/tmp/tmp0xGNvO' 2016-03-14T19:09:18Z DEBUG Process finished, return code=0 2016-03-14T19:09:18Z DEBUG stdout=pk12util: PKCS12 IMPORT SUCCESSFUL 2016-03-14T19:09:18Z DEBUG stderr= 2016-03-14T19:09:18Z DEBUG Starting external process 2016-03-14T19:09:18Z DEBUG args='/usr/bin/pki' '-d' '/etc/httpd/alias' '-C' '/etc/httpd/alias/pwdfile.txt' 'client-cert-show' 'ipaCert' '--client-cert' '/etc/httpd/alias/tmpwrOm3Z' 2016-03-14T19:09:19Z DEBUG Process finished, return code=0 2016-03-14T19:09:19Z DEBUG stdout= 2016-03-14T19:09:19Z DEBUG stderr= 2016-03-14T19:09:19Z DEBUG 
duration: 1 seconds 2016-03-14T19:09:19Z DEBUG [15/23]: authorizing RA to modify profiles 2016-03-14T19:09:20Z DEBUG Created connection context.ldap2_181018832 2016-03-14T19:09:20Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-UOFMT1.socket from SchemaCache 2016-03-14T19:09:20Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-UOFMT1.socket conn= 2016-03-14T19:09:20Z DEBUG Destroyed connection context.ldap2_181018832 2016-03-14T19:09:20Z DEBUG duration: 1 seconds 2016-03-14T19:09:20Z DEBUG [16/23]: configure certmonger for renewals 2016-03-14T19:09:20Z DEBUG Starting external process 2016-03-14T19:09:20Z DEBUG args='/bin/systemctl' 'enable' 'certmonger.service' 2016-03-14T19:09:20Z DEBUG Process finished, return code=0 2016-03-14T19:09:20Z DEBUG stdout= 2016-03-14T19:09:20Z DEBUG stderr=Created symlink from /etc/systemd/system/multi-user.target.wants/certmonger.service to /usr/lib/systemd/system/certmonger.service. 2016-03-14T19:09:20Z DEBUG Starting external process 2016-03-14T19:09:20Z DEBUG args='/bin/systemctl' 'start' 'messagebus.service' 2016-03-14T19:09:20Z DEBUG Process finished, return code=0 2016-03-14T19:09:20Z DEBUG stdout= 2016-03-14T19:09:20Z DEBUG stderr= 2016-03-14T19:09:20Z DEBUG Starting external process 2016-03-14T19:09:20Z DEBUG args='/bin/systemctl' 'is-active' 'messagebus.service' 2016-03-14T19:09:20Z DEBUG Process finished, return code=0 2016-03-14T19:09:20Z DEBUG stdout=active 2016-03-14T19:09:20Z DEBUG stderr= 2016-03-14T19:09:20Z DEBUG Starting external process 2016-03-14T19:09:20Z DEBUG args='/bin/systemctl' 'start' 'certmonger.service' 2016-03-14T19:09:20Z DEBUG Process finished, return code=0 2016-03-14T19:09:20Z DEBUG stdout= 2016-03-14T19:09:20Z DEBUG stderr= 2016-03-14T19:09:20Z DEBUG Starting external process 2016-03-14T19:09:20Z DEBUG args='/bin/systemctl' 'is-active' 'certmonger.service' 2016-03-14T19:09:20Z DEBUG Process finished, return code=0 2016-03-14T19:09:20Z DEBUG stdout=active 2016-03-14T19:09:20Z 
DEBUG stderr= 2016-03-14T19:09:21Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2016-03-14T19:09:21Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2016-03-14T19:09:21Z DEBUG duration: 0 seconds 2016-03-14T19:09:21Z DEBUG [17/23]: configure certificate renewals 2016-03-14T19:09:24Z DEBUG duration: 2 seconds 2016-03-14T19:09:24Z DEBUG [18/23]: configure Server-Cert certificate renewal 2016-03-14T19:09:25Z DEBUG duration: 0 seconds 2016-03-14T19:09:25Z DEBUG [19/23]: Configure HTTP to proxy connections 2016-03-14T19:09:25Z DEBUG duration: 0 seconds 2016-03-14T19:09:25Z DEBUG [20/23]: restarting certificate server 2016-03-14T19:09:25Z DEBUG Starting external process 2016-03-14T19:09:25Z DEBUG args='/bin/systemctl' 'restart' 'pki-tomcatd at pki-tomcat.service' 2016-03-14T19:09:26Z DEBUG Process finished, return code=0 2016-03-14T19:09:26Z DEBUG stdout= 2016-03-14T19:09:26Z DEBUG stderr= 2016-03-14T19:09:26Z DEBUG Starting external process 2016-03-14T19:09:26Z DEBUG args='/bin/systemctl' 'is-active' 'pki-tomcatd at pki-tomcat.service' 2016-03-14T19:09:26Z DEBUG Process finished, return code=0 2016-03-14T19:09:26Z DEBUG stdout=active 2016-03-14T19:09:26Z DEBUG stderr= 2016-03-14T19:09:26Z DEBUG wait_for_open_ports: localhost [8080, 8443] timeout 300 2016-03-14T19:09:28Z DEBUG Waiting until the CA is running 2016-03-14T19:09:28Z DEBUG Starting external process 2016-03-14T19:09:28Z DEBUG args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://jutta.cc.umanitoba.ca:8443/ca/admin/ca/getStatus' 2016-03-14T19:09:34Z DEBUG Process finished, return code=0 2016-03-14T19:09:34Z DEBUG stdout=1CArunning10.2.5-6.el7 2016-03-14T19:09:34Z DEBUG stderr=--2016-03-14 14:09:28-- https://jutta.cc.umanitoba.ca:8443/ca/admin/ca/getStatus Resolving jutta.cc.umanitoba.ca (jutta.cc.umanitoba.ca)... 130.179.19.176 Connecting to jutta.cc.umanitoba.ca (jutta.cc.umanitoba.ca)|130.179.19.176|:8443... connected. 
WARNING: cannot verify jutta.cc.umanitoba.ca's certificate, issued by ?/O=UOFMT1/CN=Certificate Authority?: Self-signed certificate encountered. HTTP request sent, awaiting response... HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Content-Type: application/xml Content-Length: 167 Date: Mon, 14 Mar 2016 19:09:34 GMT Length: 167 [application/xml] Saving to: ?STDOUT? 0K 100% 41.6M=0s 2016-03-14 14:09:34 (41.6 MB/s) - written to stdout [167/167] 2016-03-14T19:09:34Z DEBUG The CA status is: running 2016-03-14T19:09:34Z DEBUG duration: 9 seconds 2016-03-14T19:09:34Z DEBUG [21/23]: migrating certificate profiles to LDAP 2016-03-14T19:09:35Z DEBUG Created connection context.ldap2_182082512 2016-03-14T19:09:35Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-UOFMT1.socket from SchemaCache 2016-03-14T19:09:35Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-UOFMT1.socket conn= 2016-03-14T19:09:36Z DEBUG Destroyed connection context.ldap2_182082512 2016-03-14T19:09:36Z INFO Migrating profile 'caUserCert' to LDAP 2016-03-14T19:09:36Z DEBUG request GET https://jutta.cc.umanitoba.ca:8443/ca/rest/account/login 2016-03-14T19:09:36Z DEBUG request body '' 2016-03-14T19:09:36Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:36Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:36Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:36Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:36Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:36Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:36Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:36Z DEBUG response status 200 OK 2016-03-14T19:09:36Z DEBUG response headers {'content-length': '205', 'set-cookie': 'JSESSIONID=2BB49E6BD78CB463934714800E3BAC08; Path=/ca/; Secure; HttpOnly', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:36 GMT', 
'content-type': 'application/xml'} 2016-03-14T19:09:36Z DEBUG response body 'iparaCertificate Manager AgentsRegistration Manager Agents' 2016-03-14T19:09:36Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/raw 2016-03-14T19:09:36Z DEBUG request body 'desc=This certificate profile is for enrolling user certificates.\nvisible=true\nenable=true\nenableBy=admin\nname=Manual User Dual-Use Certificate Enrollment\nauth.class_id=\ninput.list=i1,i2,i3\ninput.i1.class_id=keyGenInputImpl\ninput.i2.class_id=subjectNameInputImpl\ninput.i3.class_id=submitterInfoInputImpl\noutput.list=o1\noutput.o1.class_id=certOutputImpl\npolicyset.list=userCertSet\npolicyset.userCertSet.list=1,10,2,3,4,5,6,7,8,9\npolicyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.userCertSet.1.constraint.name=Subject Name Constraint\npolicyset.userCertSet.1.constraint.params.pattern=UID=.*\npolicyset.userCertSet.1.constraint.params.accept=true\npolicyset.userCertSet.1.default.class_id=userSubjectNameDefaultImpl\npolicyset.userCertSet.1.default.name=Subject Name Default\npolicyset.userCertSet.1.default.params.name=\npolicyset.userCertSet.10.constraint.class_id=renewGracePeriodConstraintImpl\npolicyset.userCertSet.10.constraint.name=Renewal Grace Period Constraint\npolicyset.userCertSet.10.constraint.params.renewal.graceBefore=30\npolicyset.userCertSet.10.constraint.params.renewal.graceAfter=30\npolicyset.userCertSet.10.default.class_id=noDefaultImpl\npolicyset.userCertSet.10.default.name=No Default\npolicyset.userCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.userCertSet.2.constraint.name=Validity Constraint\npolicyset.userCertSet.2.constraint.params.range=365\npolicyset.userCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.userCertSet.2.constraint.params.notAfterCheck=false\npolicyset.userCertSet.2.default.class_id=validityDefaultImpl\npolicyset.userCertSet.2.default.name=Validity 
Default\npolicyset.userCertSet.2.default.params.range=180\npolicyset.userCertSet.2.default.params.startTime=0\npolicyset.userCertSet.3.constraint.class_id=keyConstraintImpl\npolicyset.userCertSet.3.constraint.name=Key Constraint\npolicyset.userCertSet.3.constraint.params.keyType=-\npolicyset.userCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521\npolicyset.userCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.userCertSet.3.default.name=Key Default\npolicyset.userCertSet.4.constraint.class_id=noConstraintImpl\npolicyset.userCertSet.4.constraint.name=No Constraint\npolicyset.userCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.userCertSet.4.default.name=Authority Key Identifier Default\npolicyset.userCertSet.5.constraint.class_id=noConstraintImpl\npolicyset.userCertSet.5.constraint.name=No Constraint\npolicyset.userCertSet.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.userCertSet.5.default.name=AIA Extension Default\npolicyset.userCertSet.5.default.params.authInfoAccessADEnable_0=true\npolicyset.userCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.userCertSet.5.default.params.authInfoAccessADLocation_0=\npolicyset.userCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.userCertSet.5.default.params.authInfoAccessCritical=false\npolicyset.userCertSet.5.default.params.authInfoAccessNumADs=1\npolicyset.userCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.userCertSet.6.constraint.name=Key Usage Extension 
Constraint\npolicyset.userCertSet.6.constraint.params.keyUsageCritical=true\npolicyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true\npolicyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true\npolicyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=false\npolicyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=true\npolicyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false\npolicyset.userCertSet.6.constraint.params.keyUsageCrlSign=false\npolicyset.userCertSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.userCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.userCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.userCertSet.6.default.name=Key Usage Default\npolicyset.userCertSet.6.default.params.keyUsageCritical=true\npolicyset.userCertSet.6.default.params.keyUsageDigitalSignature=true\npolicyset.userCertSet.6.default.params.keyUsageNonRepudiation=true\npolicyset.userCertSet.6.default.params.keyUsageDataEncipherment=false\npolicyset.userCertSet.6.default.params.keyUsageKeyEncipherment=true\npolicyset.userCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.userCertSet.6.default.params.keyUsageKeyCertSign=false\npolicyset.userCertSet.6.default.params.keyUsageCrlSign=false\npolicyset.userCertSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.userCertSet.6.default.params.keyUsageDecipherOnly=false\npolicyset.userCertSet.7.constraint.class_id=noConstraintImpl\npolicyset.userCertSet.7.constraint.name=No Constraint\npolicyset.userCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl\npolicyset.userCertSet.7.default.name=Extended Key Usage Extension 
Default\npolicyset.userCertSet.7.default.params.exKeyUsageCritical=false\npolicyset.userCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4\npolicyset.userCertSet.8.constraint.class_id=noConstraintImpl\npolicyset.userCertSet.8.constraint.name=No Constraint\npolicyset.userCertSet.8.default.class_id=subjectAltNameExtDefaultImpl\npolicyset.userCertSet.8.default.name=Subject Alt Name Constraint\npolicyset.userCertSet.8.default.params.subjAltNameExtCritical=false\npolicyset.userCertSet.8.default.params.subjAltExtType_0=RFC822Name\npolicyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$\npolicyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true\npolicyset.userCertSet.8.default.params.subjAltNameNumGNs=1\npolicyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl\npolicyset.userCertSet.9.constraint.name=No Constraint\npolicyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\npolicyset.userCertSet.9.default.class_id=signingAlgDefaultImpl\npolicyset.userCertSet.9.default.name=Signing Alg\npolicyset.userCertSet.9.default.params.signingAlg=-\nprofileId=caUserCert\nclassId=caEnrollImpl\n'
2016-03-14T19:09:36Z DEBUG NSSConnection init jutta.cc.umanitoba.ca
2016-03-14T19:09:36Z DEBUG Connecting: 130.179.19.176:0
2016-03-14T19:09:36Z DEBUG approved_usage = SSL Server intended_usage = SSL Server
2016-03-14T19:09:36Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1"
2016-03-14T19:09:36Z DEBUG handshake complete, peer = 130.179.19.176:8443
2016-03-14T19:09:36Z DEBUG Protocol: TLS1.2
2016-03-14T19:09:36Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
2016-03-14T19:09:36Z DEBUG response status 400 Bad Request
2016-03-14T19:09:36Z DEBUG response headers {'transfer-encoding': 'chunked', 'date': 'Mon, 14 Mar 2016 19:09:36 GMT', 'connection': 'close', 'content-type': 'application/json', 'server': 'Apache-Coyote/1.1'}
2016-03-14T19:09:36Z DEBUG response body '{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.BadRequestException","Code":400,"Message":"Profile already exists"}'
2016-03-14T19:09:36Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caUserCert?action=disable
2016-03-14T19:09:36Z DEBUG request body ''
2016-03-14T19:09:36Z DEBUG NSSConnection init jutta.cc.umanitoba.ca
2016-03-14T19:09:36Z DEBUG Connecting: 130.179.19.176:0
2016-03-14T19:09:36Z DEBUG approved_usage = SSL Server intended_usage = SSL Server
2016-03-14T19:09:36Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1"
2016-03-14T19:09:36Z DEBUG handshake complete, peer = 130.179.19.176:8443
2016-03-14T19:09:36Z DEBUG Protocol: TLS1.2
2016-03-14T19:09:36Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
2016-03-14T19:09:36Z DEBUG response status 204 No Content
2016-03-14T19:09:36Z DEBUG response headers {'date': 'Mon, 14 Mar 2016 19:09:36 GMT', 'content-type': 'application/x-www-form-urlencoded', 'server': 'Apache-Coyote/1.1'}
2016-03-14T19:09:36Z DEBUG response body ''
2016-03-14T19:09:36Z DEBUG request PUT https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caUserCert/raw
2016-03-14T19:09:36Z DEBUG request body 'desc=This certificate profile is for enrolling user certificates.\nvisible=true\nenable=true\nenableBy=admin\nname=Manual User Dual-Use Certificate Enrollment\nauth.class_id=\ninput.list=i1,i2,i3\ninput.i1.class_id=keyGenInputImpl\ninput.i2.class_id=subjectNameInputImpl\ninput.i3.class_id=submitterInfoInputImpl\noutput.list=o1\noutput.o1.class_id=certOutputImpl\npolicyset.list=userCertSet\npolicyset.userCertSet.list=1,10,2,3,4,5,6,7,8,9\npolicyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.userCertSet.1.constraint.name=Subject Name
Constraint\npolicyset.userCertSet.1.constraint.params.pattern=UID=.*\npolicyset.userCertSet.1.constraint.params.accept=true\npolicyset.userCertSet.1.default.class_id=userSubjectNameDefaultImpl\npolicyset.userCertSet.1.default.name=Subject Name Default\npolicyset.userCertSet.1.default.params.name=\npolicyset.userCertSet.10.constraint.class_id=renewGracePeriodConstraintImpl\npolicyset.userCertSet.10.constraint.name=Renewal Grace Period Constraint\npolicyset.userCertSet.10.constraint.params.renewal.graceBefore=30\npolicyset.userCertSet.10.constraint.params.renewal.graceAfter=30\npolicyset.userCertSet.10.default.class_id=noDefaultImpl\npolicyset.userCertSet.10.default.name=No Default\npolicyset.userCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.userCertSet.2.constraint.name=Validity Constraint\npolicyset.userCertSet.2.constraint.params.range=365\npolicyset.userCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.userCertSet.2.constraint.params.notAfterCheck=false\npolicyset.userCertSet.2.default.class_id=validityDefaultImpl\npolicyset.userCertSet.2.default.name=Validity Default\npolicyset.userCertSet.2.default.params.range=180\npolicyset.userCertSet.2.default.params.startTime=0\npolicyset.userCertSet.3.constraint.class_id=keyConstraintImpl\npolicyset.userCertSet.3.constraint.name=Key Constraint\npolicyset.userCertSet.3.constraint.params.keyType=-\npolicyset.userCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521\npolicyset.userCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.userCertSet.3.default.name=Key Default\npolicyset.userCertSet.4.constraint.class_id=noConstraintImpl\npolicyset.userCertSet.4.constraint.name=No Constraint\npolicyset.userCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.userCertSet.4.default.name=Authority Key Identifier Default\npolicyset.userCertSet.5.constraint.class_id=noConstraintImpl\npolicyset.userCertSet.5.constraint.name=No 
Constraint\npolicyset.userCertSet.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.userCertSet.5.default.name=AIA Extension Default\npolicyset.userCertSet.5.default.params.authInfoAccessADEnable_0=true\npolicyset.userCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.userCertSet.5.default.params.authInfoAccessADLocation_0=\npolicyset.userCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.userCertSet.5.default.params.authInfoAccessCritical=false\npolicyset.userCertSet.5.default.params.authInfoAccessNumADs=1\npolicyset.userCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.userCertSet.6.constraint.name=Key Usage Extension Constraint\npolicyset.userCertSet.6.constraint.params.keyUsageCritical=true\npolicyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true\npolicyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true\npolicyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=false\npolicyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=true\npolicyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false\npolicyset.userCertSet.6.constraint.params.keyUsageCrlSign=false\npolicyset.userCertSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.userCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.userCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.userCertSet.6.default.name=Key Usage 
Default\npolicyset.userCertSet.6.default.params.keyUsageCritical=true\npolicyset.userCertSet.6.default.params.keyUsageDigitalSignature=true\npolicyset.userCertSet.6.default.params.keyUsageNonRepudiation=true\npolicyset.userCertSet.6.default.params.keyUsageDataEncipherment=false\npolicyset.userCertSet.6.default.params.keyUsageKeyEncipherment=true\npolicyset.userCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.userCertSet.6.default.params.keyUsageKeyCertSign=false\npolicyset.userCertSet.6.default.params.keyUsageCrlSign=false\npolicyset.userCertSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.userCertSet.6.default.params.keyUsageDecipherOnly=false\npolicyset.userCertSet.7.constraint.class_id=noConstraintImpl\npolicyset.userCertSet.7.constraint.name=No Constraint\npolicyset.userCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl\npolicyset.userCertSet.7.default.name=Extended Key Usage Extension Default\npolicyset.userCertSet.7.default.params.exKeyUsageCritical=false\npolicyset.userCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4\npolicyset.userCertSet.8.constraint.class_id=noConstraintImpl\npolicyset.userCertSet.8.constraint.name=No Constraint\npolicyset.userCertSet.8.default.class_id=subjectAltNameExtDefaultImpl\npolicyset.userCertSet.8.default.name=Subject Alt Name Constraint\npolicyset.userCertSet.8.default.params.subjAltNameExtCritical=false\npolicyset.userCertSet.8.default.params.subjAltExtType_0=RFC822Name\npolicyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$\npolicyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true\npolicyset.userCertSet.8.default.params.subjAltNameNumGNs=1\npolicyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl\npolicyset.userCertSet.9.constraint.name=No 
Constraint\npolicyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\npolicyset.userCertSet.9.default.class_id=signingAlgDefaultImpl\npolicyset.userCertSet.9.default.name=Signing Alg\npolicyset.userCertSet.9.default.params.signingAlg=-\nprofileId=caUserCert\nclassId=caEnrollImpl\n'
2016-03-14T19:09:36Z DEBUG NSSConnection init jutta.cc.umanitoba.ca
2016-03-14T19:09:36Z DEBUG Connecting: 130.179.19.176:0
2016-03-14T19:09:36Z DEBUG approved_usage = SSL Server intended_usage = SSL Server
2016-03-14T19:09:36Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1"
2016-03-14T19:09:36Z DEBUG handshake complete, peer = 130.179.19.176:8443
2016-03-14T19:09:36Z DEBUG Protocol: TLS1.2
2016-03-14T19:09:36Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
2016-03-14T19:09:36Z DEBUG response status 200 OK
2016-03-14T19:09:36Z DEBUG response headers {'content-length': '6170', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:36 GMT', 'content-type': 'application/json'}
2016-03-14T19:09:36Z DEBUG response body '#Mon Mar 14 14:09:36 CDT 2016\npolicyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true\npolicyset.userCertSet.7.constraint.class_id=noConstraintImpl\npolicyset.userCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.userCertSet.3.constraint.params.keyType=-\ninput.i2.class_id=subjectNameInputImpl\npolicyset.userCertSet.7.default.params.exKeyUsageCritical=false\npolicyset.userCertSet.10.constraint.params.renewal.graceBefore=30\noutput.o1.class_id=certOutputImpl\npolicyset.userCertSet.3.default.name=Key Default\npolicyset.userCertSet.5.constraint.name=No
Constraint\npolicyset.userCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl\npolicyset.userCertSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false\npolicyset.userCertSet.1.default.class_id=userSubjectNameDefaultImpl\npolicyset.userCertSet.3.constraint.class_id=keyConstraintImpl\noutput.list=o1\npolicyset.userCertSet.8.default.name=Subject Alt Name Constraint\ninput.list=i1,i2,i3\npolicyset.userCertSet.8.default.class_id=subjectAltNameExtDefaultImpl\npolicyset.userCertSet.2.constraint.params.range=365\nvisible=true\npolicyset.userCertSet.6.default.params.keyUsageDecipherOnly=false\npolicyset.userCertSet.2.default.class_id=validityDefaultImpl\npolicyset.userCertSet.8.default.params.subjAltNameExtCritical=false\npolicyset.userCertSet.2.default.name=Validity Default\ndesc=This certificate profile is for enrolling user certificates.\npolicyset.userCertSet.4.constraint.name=No Constraint\npolicyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true\npolicyset.userCertSet.10.default.class_id=noDefaultImpl\npolicyset.userCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.userCertSet.10.constraint.params.renewal.graceAfter=30\npolicyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl\npolicyset.userCertSet.6.default.params.keyUsageKeyCertSign=false\npolicyset.userCertSet.9.default.params.signingAlg=-\nauth.class_id=\npolicyset.userCertSet.7.default.name=Extended Key Usage Extension 
Default\npolicyset.userCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.userCertSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.userCertSet.1.constraint.params.pattern=UID=.*\npolicyset.userCertSet.5.default.params.authInfoAccessNumADs=1\npolicyset.userCertSet.9.default.class_id=signingAlgDefaultImpl\npolicyset.userCertSet.6.constraint.params.keyUsageCrlSign=false\npolicyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=false\npolicyset.userCertSet.8.default.params.subjAltNameNumGNs=1\npolicyset.userCertSet.2.default.params.range=180\npolicyset.userCertSet.6.default.params.keyUsageCrlSign=false\nenable=true\npolicyset.userCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.userCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.userCertSet.3.constraint.name=Key Constraint\npolicyset.userCertSet.1.default.name=Subject Name Default\npolicyset.userCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4\npolicyset.userCertSet.9.constraint.name=No Constraint\ninput.i1.class_id=keyGenInputImpl\nenableBy=admin\npolicyset.userCertSet.5.default.params.authInfoAccessADEnable_0=true\npolicyset.userCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521\npolicyset.userCertSet.10.default.name=No Default\npolicyset.userCertSet.2.constraint.params.notAfterCheck=false\npolicyset.userCertSet.2.constraint.name=Validity Constraint\ninput.i3.class_id=submitterInfoInputImpl\npolicyset.userCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.userCertSet.2.default.params.startTime=0\npolicyset.userCertSet.6.default.name=Key Usage Default\npolicyset.userCertSet.5.constraint.class_id=noConstraintImpl\npolicyset.userCertSet.6.default.params.keyUsageKeyEncipherment=true\npolicyset.userCertSet.8.constraint.class_id=noConstraintImpl\nname=Manual User Dual-Use Certificate 
Enrollment\npolicyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true\npolicyset.userCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.userCertSet.5.default.name=AIA Extension Default\npolicyset.userCertSet.6.constraint.params.keyUsageCritical=true\npolicyset.userCertSet.5.default.params.authInfoAccessADLocation_0=\npolicyset.userCertSet.10.constraint.name=Renewal Grace Period Constraint\npolicyset.userCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.userCertSet.list=1,10,2,3,4,5,6,7,8,9\npolicyset.userCertSet.8.constraint.name=No Constraint\npolicyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.userCertSet.10.constraint.class_id=renewGracePeriodConstraintImpl\npolicyset.userCertSet.1.constraint.name=Subject Name Constraint\npolicyset.userCertSet.1.constraint.params.accept=true\npolicyset.userCertSet.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.userCertSet.7.constraint.name=No Constraint\npolicyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=true\npolicyset.userCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.list=userCertSet\npolicyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$\npolicyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\npolicyset.userCertSet.4.default.name=Authority Key Identifier 
Default\npolicyset.userCertSet.4.constraint.class_id=noConstraintImpl\npolicyset.userCertSet.6.default.params.keyUsageDigitalSignature=true\npolicyset.userCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.userCertSet.6.default.params.keyUsageCritical=true\npolicyset.userCertSet.8.default.params.subjAltExtType_0=RFC822Name\npolicyset.userCertSet.5.default.params.authInfoAccessCritical=false\npolicyset.userCertSet.6.default.params.keyUsageNonRepudiation=true\npolicyset.userCertSet.9.default.name=Signing Alg\npolicyset.userCertSet.6.constraint.name=Key Usage Extension Constraint\npolicyset.userCertSet.1.default.params.name=\npolicyset.userCertSet.6.default.params.keyUsageDataEncipherment=false\n'
2016-03-14T19:09:36Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caUserCert?action=enable
2016-03-14T19:09:36Z DEBUG request body ''
2016-03-14T19:09:36Z DEBUG NSSConnection init jutta.cc.umanitoba.ca
2016-03-14T19:09:36Z DEBUG Connecting: 130.179.19.176:0
2016-03-14T19:09:36Z DEBUG approved_usage = SSL Server intended_usage = SSL Server
2016-03-14T19:09:36Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1"
2016-03-14T19:09:36Z DEBUG handshake complete, peer = 130.179.19.176:8443
2016-03-14T19:09:36Z DEBUG Protocol: TLS1.2
2016-03-14T19:09:36Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
2016-03-14T19:09:37Z DEBUG response status 204 No Content
2016-03-14T19:09:37Z DEBUG response headers {'date': 'Mon, 14 Mar 2016 19:09:36 GMT', 'content-type': 'application/x-www-form-urlencoded', 'server': 'Apache-Coyote/1.1'}
2016-03-14T19:09:37Z DEBUG response body ''
2016-03-14T19:09:37Z DEBUG request GET https://jutta.cc.umanitoba.ca:8443/ca/rest/account/logout
2016-03-14T19:09:37Z DEBUG request body ''
2016-03-14T19:09:37Z DEBUG NSSConnection init jutta.cc.umanitoba.ca
2016-03-14T19:09:37Z DEBUG Connecting: 130.179.19.176:0
2016-03-14T19:09:37Z DEBUG approved_usage = SSL Server intended_usage = SSL Server
2016-03-14T19:09:37Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1"
2016-03-14T19:09:37Z DEBUG handshake complete, peer = 130.179.19.176:8443
2016-03-14T19:09:37Z DEBUG Protocol: TLS1.2
2016-03-14T19:09:37Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
2016-03-14T19:09:38Z DEBUG response status 204 No Content
2016-03-14T19:09:38Z DEBUG response headers {'set-cookie': 'JSESSIONID=4D00384B2F64BF62BD14FE6A4E5500B2; Path=/ca/; Secure; HttpOnly', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:38 GMT', 'content-type': 'application/xml'}
2016-03-14T19:09:38Z DEBUG response body ''
2016-03-14T19:09:38Z INFO Migrating profile 'caECUserCert' to LDAP
2016-03-14T19:09:38Z DEBUG request GET https://jutta.cc.umanitoba.ca:8443/ca/rest/account/login
2016-03-14T19:09:38Z DEBUG request body ''
2016-03-14T19:09:38Z DEBUG NSSConnection init jutta.cc.umanitoba.ca
2016-03-14T19:09:38Z DEBUG Connecting: 130.179.19.176:0
2016-03-14T19:09:38Z DEBUG approved_usage = SSL Server intended_usage = SSL Server
2016-03-14T19:09:38Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1"
2016-03-14T19:09:38Z DEBUG handshake complete, peer = 130.179.19.176:8443
2016-03-14T19:09:38Z DEBUG Protocol: TLS1.2
2016-03-14T19:09:38Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
2016-03-14T19:09:38Z DEBUG response status 200 OK
2016-03-14T19:09:38Z DEBUG response headers {'content-length': '205', 'set-cookie': 'JSESSIONID=F728E25827F574EDAFBC6401C1687931; Path=/ca/; Secure; HttpOnly', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:38 GMT', 'content-type': 'application/xml'}
2016-03-14T19:09:38Z DEBUG response body 'iparaCertificate Manager AgentsRegistration Manager Agents'
2016-03-14T19:09:38Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/raw
2016-03-14T19:09:38Z DEBUG request body 'desc=This certificate profile is for
enrolling user ECC certificates.\nvisible=false\nenable=true\nenableBy=admin\nname=Manual User Dual-Use ECC Certificate Enrollment\nauth.class_id=\ninput.list=i1,i2,i3\ninput.i1.class_id=keyGenInputImpl\ninput.i2.class_id=subjectNameInputImpl\ninput.i3.class_id=submitterInfoInputImpl\noutput.list=o1\noutput.o1.class_id=certOutputImpl\npolicyset.list=userCertSet\npolicyset.userCertSet.list=1,10,2,3,4,5,6,7,8,9\npolicyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.userCertSet.1.constraint.name=Subject Name Constraint\npolicyset.userCertSet.1.constraint.params.pattern=UID=.*\npolicyset.userCertSet.1.constraint.params.accept=true\npolicyset.userCertSet.1.default.class_id=userSubjectNameDefaultImpl\npolicyset.userCertSet.1.default.name=Subject Name Default\npolicyset.userCertSet.1.default.params.name=\npolicyset.userCertSet.10.constraint.class_id=renewGracePeriodConstraintImpl\npolicyset.userCertSet.10.constraint.name=Renewal Grace Period Constraint\npolicyset.userCertSet.10.constraint.params.renewal.graceBefore=30\npolicyset.userCertSet.10.constraint.params.renewal.graceAfter=30\npolicyset.userCertSet.10.default.class_id=noDefaultImpl\npolicyset.userCertSet.10.default.name=No Default\npolicyset.userCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.userCertSet.2.constraint.name=Validity Constraint\npolicyset.userCertSet.2.constraint.params.range=365\npolicyset.userCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.userCertSet.2.constraint.params.notAfterCheck=false\npolicyset.userCertSet.2.default.class_id=validityDefaultImpl\npolicyset.userCertSet.2.default.name=Validity Default\npolicyset.userCertSet.2.default.params.range=180\npolicyset.userCertSet.2.default.params.startTime=0\npolicyset.userCertSet.3.constraint.class_id=keyConstraintImpl\npolicyset.userCertSet.3.constraint.name=Key 
Constraint\npolicyset.userCertSet.3.constraint.params.keyType=EC\npolicyset.userCertSet.3.constraint.params.keyParameters=nistp256,nistp384,nistp521\npolicyset.userCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.userCertSet.3.default.name=Key Default\npolicyset.userCertSet.4.constraint.class_id=noConstraintImpl\npolicyset.userCertSet.4.constraint.name=No Constraint\npolicyset.userCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.userCertSet.4.default.name=Authority Key Identifier Default\npolicyset.userCertSet.5.constraint.class_id=noConstraintImpl\npolicyset.userCertSet.5.constraint.name=No Constraint\npolicyset.userCertSet.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.userCertSet.5.default.name=AIA Extension Default\npolicyset.userCertSet.5.default.params.authInfoAccessADEnable_0=true\npolicyset.userCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.userCertSet.5.default.params.authInfoAccessADLocation_0=\npolicyset.userCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.userCertSet.5.default.params.authInfoAccessCritical=false\npolicyset.userCertSet.5.default.params.authInfoAccessNumADs=1\npolicyset.userCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.userCertSet.6.constraint.name=Key Usage Extension 
Constraint\npolicyset.userCertSet.6.constraint.params.keyUsageCritical=true\npolicyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true\npolicyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true\npolicyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=false\npolicyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=true\npolicyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false\npolicyset.userCertSet.6.constraint.params.keyUsageCrlSign=false\npolicyset.userCertSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.userCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.userCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.userCertSet.6.default.name=Key Usage Default\npolicyset.userCertSet.6.default.params.keyUsageCritical=true\npolicyset.userCertSet.6.default.params.keyUsageDigitalSignature=true\npolicyset.userCertSet.6.default.params.keyUsageNonRepudiation=true\npolicyset.userCertSet.6.default.params.keyUsageDataEncipherment=false\npolicyset.userCertSet.6.default.params.keyUsageKeyEncipherment=true\npolicyset.userCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.userCertSet.6.default.params.keyUsageKeyCertSign=false\npolicyset.userCertSet.6.default.params.keyUsageCrlSign=false\npolicyset.userCertSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.userCertSet.6.default.params.keyUsageDecipherOnly=false\npolicyset.userCertSet.7.constraint.class_id=noConstraintImpl\npolicyset.userCertSet.7.constraint.name=No Constraint\npolicyset.userCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl\npolicyset.userCertSet.7.default.name=Extended Key Usage Extension 
Default\npolicyset.userCertSet.7.default.params.exKeyUsageCritical=false\npolicyset.userCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4\npolicyset.userCertSet.8.constraint.class_id=noConstraintImpl\npolicyset.userCertSet.8.constraint.name=No Constraint\npolicyset.userCertSet.8.default.class_id=subjectAltNameExtDefaultImpl\npolicyset.userCertSet.8.default.name=Subject Alt Name Constraint\npolicyset.userCertSet.8.default.params.subjAltNameExtCritical=false\npolicyset.userCertSet.8.default.params.subjAltExtType_0=RFC822Name\npolicyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$\npolicyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true\npolicyset.userCertSet.8.default.params.subjAltNameNumGNs=1\npolicyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl\npolicyset.userCertSet.9.constraint.name=No Constraint\npolicyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\npolicyset.userCertSet.9.default.class_id=signingAlgDefaultImpl\npolicyset.userCertSet.9.default.name=Signing Alg\npolicyset.userCertSet.9.default.params.signingAlg=-\nprofileId=caECUserCert\nclassId=caEnrollImpl\n' 2016-03-14T19:09:38Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:38Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:38Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:38Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:38Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:38Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:38Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:38Z DEBUG response status 400 Bad Request 2016-03-14T19:09:38Z DEBUG response headers {'transfer-encoding': 'chunked', 'date': 'Mon, 14 Mar 2016 19:09:38 GMT', 'connection': 'close', 'content-type': 'application/json', 'server': 
'Apache-Coyote/1.1'} 2016-03-14T19:09:38Z DEBUG response body '{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.BadRequestException","Code":400,"Message":"Profile already exists"}' 2016-03-14T19:09:38Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caECUserCert?action=disable 2016-03-14T19:09:38Z DEBUG request body '' 2016-03-14T19:09:38Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:38Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:38Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:38Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:38Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:38Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:38Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:38Z DEBUG response status 204 No Content 2016-03-14T19:09:38Z DEBUG response headers {'date': 'Mon, 14 Mar 2016 19:09:38 GMT', 'content-type': 'application/x-www-form-urlencoded', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:38Z DEBUG response body '' 2016-03-14T19:09:38Z DEBUG request PUT https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caECUserCert/raw 2016-03-14T19:09:38Z DEBUG request body 'desc=This certificate profile is for enrolling user ECC certificates.\nvisible=false\nenable=true\nenableBy=admin\nname=Manual User Dual-Use ECC Certificate Enrollment\nauth.class_id=\ninput.list=i1,i2,i3\ninput.i1.class_id=keyGenInputImpl\ninput.i2.class_id=subjectNameInputImpl\ninput.i3.class_id=submitterInfoInputImpl\noutput.list=o1\noutput.o1.class_id=certOutputImpl\npolicyset.list=userCertSet\npolicyset.userCertSet.list=1,10,2,3,4,5,6,7,8,9\npolicyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.userCertSet.1.constraint.name=Subject Name 
Constraint\npolicyset.userCertSet.1.constraint.params.pattern=UID=.*\npolicyset.userCertSet.1.constraint.params.accept=true\npolicyset.userCertSet.1.default.class_id=userSubjectNameDefaultImpl\npolicyset.userCertSet.1.default.name=Subject Name Default\npolicyset.userCertSet.1.default.params.name=\npolicyset.userCertSet.10.constraint.class_id=renewGracePeriodConstraintImpl\npolicyset.userCertSet.10.constraint.name=Renewal Grace Period Constraint\npolicyset.userCertSet.10.constraint.params.renewal.graceBefore=30\npolicyset.userCertSet.10.constraint.params.renewal.graceAfter=30\npolicyset.userCertSet.10.default.class_id=noDefaultImpl\npolicyset.userCertSet.10.default.name=No Default\npolicyset.userCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.userCertSet.2.constraint.name=Validity Constraint\npolicyset.userCertSet.2.constraint.params.range=365\npolicyset.userCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.userCertSet.2.constraint.params.notAfterCheck=false\npolicyset.userCertSet.2.default.class_id=validityDefaultImpl\npolicyset.userCertSet.2.default.name=Validity Default\npolicyset.userCertSet.2.default.params.range=180\npolicyset.userCertSet.2.default.params.startTime=0\npolicyset.userCertSet.3.constraint.class_id=keyConstraintImpl\npolicyset.userCertSet.3.constraint.name=Key Constraint\npolicyset.userCertSet.3.constraint.params.keyType=EC\npolicyset.userCertSet.3.constraint.params.keyParameters=nistp256,nistp384,nistp521\npolicyset.userCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.userCertSet.3.default.name=Key Default\npolicyset.userCertSet.4.constraint.class_id=noConstraintImpl\npolicyset.userCertSet.4.constraint.name=No Constraint\npolicyset.userCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.userCertSet.4.default.name=Authority Key Identifier Default\npolicyset.userCertSet.5.constraint.class_id=noConstraintImpl\npolicyset.userCertSet.5.constraint.name=No 
Constraint\npolicyset.userCertSet.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.userCertSet.5.default.name=AIA Extension Default\npolicyset.userCertSet.5.default.params.authInfoAccessADEnable_0=true\npolicyset.userCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.userCertSet.5.default.params.authInfoAccessADLocation_0=\npolicyset.userCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.userCertSet.5.default.params.authInfoAccessCritical=false\npolicyset.userCertSet.5.default.params.authInfoAccessNumADs=1\npolicyset.userCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.userCertSet.6.constraint.name=Key Usage Extension Constraint\npolicyset.userCertSet.6.constraint.params.keyUsageCritical=true\npolicyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true\npolicyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true\npolicyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=false\npolicyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=true\npolicyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false\npolicyset.userCertSet.6.constraint.params.keyUsageCrlSign=false\npolicyset.userCertSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.userCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.userCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.userCertSet.6.default.name=Key Usage 
Default\npolicyset.userCertSet.6.default.params.keyUsageCritical=true\npolicyset.userCertSet.6.default.params.keyUsageDigitalSignature=true\npolicyset.userCertSet.6.default.params.keyUsageNonRepudiation=true\npolicyset.userCertSet.6.default.params.keyUsageDataEncipherment=false\npolicyset.userCertSet.6.default.params.keyUsageKeyEncipherment=true\npolicyset.userCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.userCertSet.6.default.params.keyUsageKeyCertSign=false\npolicyset.userCertSet.6.default.params.keyUsageCrlSign=false\npolicyset.userCertSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.userCertSet.6.default.params.keyUsageDecipherOnly=false\npolicyset.userCertSet.7.constraint.class_id=noConstraintImpl\npolicyset.userCertSet.7.constraint.name=No Constraint\npolicyset.userCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl\npolicyset.userCertSet.7.default.name=Extended Key Usage Extension Default\npolicyset.userCertSet.7.default.params.exKeyUsageCritical=false\npolicyset.userCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4\npolicyset.userCertSet.8.constraint.class_id=noConstraintImpl\npolicyset.userCertSet.8.constraint.name=No Constraint\npolicyset.userCertSet.8.default.class_id=subjectAltNameExtDefaultImpl\npolicyset.userCertSet.8.default.name=Subject Alt Name Constraint\npolicyset.userCertSet.8.default.params.subjAltNameExtCritical=false\npolicyset.userCertSet.8.default.params.subjAltExtType_0=RFC822Name\npolicyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$\npolicyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true\npolicyset.userCertSet.8.default.params.subjAltNameNumGNs=1\npolicyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl\npolicyset.userCertSet.9.constraint.name=No 
Constraint\npolicyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\npolicyset.userCertSet.9.default.class_id=signingAlgDefaultImpl\npolicyset.userCertSet.9.default.name=Signing Alg\npolicyset.userCertSet.9.default.params.signingAlg=-\nprofileId=caECUserCert\nclassId=caEnrollImpl\n' 2016-03-14T19:09:38Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:38Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:38Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:38Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:38Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:38Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:38Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:38Z DEBUG response status 200 OK 2016-03-14T19:09:38Z DEBUG response headers {'content-length': '6160', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:38 GMT', 'content-type': 'application/json'} 2016-03-14T19:09:38Z DEBUG response body '#Mon Mar 14 14:09:38 CDT 2016\npolicyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true\npolicyset.userCertSet.7.constraint.class_id=noConstraintImpl\npolicyset.userCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.userCertSet.3.constraint.params.keyType=EC\ninput.i2.class_id=subjectNameInputImpl\npolicyset.userCertSet.7.default.params.exKeyUsageCritical=false\npolicyset.userCertSet.10.constraint.params.renewal.graceBefore=30\noutput.o1.class_id=certOutputImpl\npolicyset.userCertSet.3.default.name=Key Default\npolicyset.userCertSet.5.constraint.name=No 
Constraint\npolicyset.userCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl\npolicyset.userCertSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false\npolicyset.userCertSet.1.default.class_id=userSubjectNameDefaultImpl\npolicyset.userCertSet.3.constraint.class_id=keyConstraintImpl\noutput.list=o1\npolicyset.userCertSet.8.default.name=Subject Alt Name Constraint\ninput.list=i1,i2,i3\npolicyset.userCertSet.8.default.class_id=subjectAltNameExtDefaultImpl\npolicyset.userCertSet.2.constraint.params.range=365\nvisible=false\npolicyset.userCertSet.6.default.params.keyUsageDecipherOnly=false\npolicyset.userCertSet.2.default.class_id=validityDefaultImpl\npolicyset.userCertSet.8.default.params.subjAltNameExtCritical=false\npolicyset.userCertSet.2.default.name=Validity Default\ndesc=This certificate profile is for enrolling user ECC certificates.\npolicyset.userCertSet.4.constraint.name=No Constraint\npolicyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true\npolicyset.userCertSet.10.default.class_id=noDefaultImpl\npolicyset.userCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.userCertSet.10.constraint.params.renewal.graceAfter=30\npolicyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl\npolicyset.userCertSet.6.default.params.keyUsageKeyCertSign=false\npolicyset.userCertSet.9.default.params.signingAlg=-\nauth.class_id=\npolicyset.userCertSet.7.default.name=Extended Key Usage Extension 
Default\npolicyset.userCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.userCertSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.userCertSet.1.constraint.params.pattern=UID=.*\npolicyset.userCertSet.5.default.params.authInfoAccessNumADs=1\npolicyset.userCertSet.9.default.class_id=signingAlgDefaultImpl\npolicyset.userCertSet.6.constraint.params.keyUsageCrlSign=false\npolicyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=false\npolicyset.userCertSet.8.default.params.subjAltNameNumGNs=1\npolicyset.userCertSet.2.default.params.range=180\npolicyset.userCertSet.6.default.params.keyUsageCrlSign=false\nenable=true\npolicyset.userCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.userCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.userCertSet.3.constraint.name=Key Constraint\npolicyset.userCertSet.1.default.name=Subject Name Default\npolicyset.userCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4\npolicyset.userCertSet.9.constraint.name=No Constraint\ninput.i1.class_id=keyGenInputImpl\nenableBy=admin\npolicyset.userCertSet.5.default.params.authInfoAccessADEnable_0=true\npolicyset.userCertSet.3.constraint.params.keyParameters=nistp256,nistp384,nistp521\npolicyset.userCertSet.10.default.name=No Default\npolicyset.userCertSet.2.constraint.params.notAfterCheck=false\npolicyset.userCertSet.2.constraint.name=Validity Constraint\ninput.i3.class_id=submitterInfoInputImpl\npolicyset.userCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.userCertSet.2.default.params.startTime=0\npolicyset.userCertSet.6.default.name=Key Usage Default\npolicyset.userCertSet.5.constraint.class_id=noConstraintImpl\npolicyset.userCertSet.6.default.params.keyUsageKeyEncipherment=true\npolicyset.userCertSet.8.constraint.class_id=noConstraintImpl\nname=Manual User Dual-Use ECC Certificate 
Enrollment\npolicyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true\npolicyset.userCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.userCertSet.5.default.name=AIA Extension Default\npolicyset.userCertSet.6.constraint.params.keyUsageCritical=true\npolicyset.userCertSet.5.default.params.authInfoAccessADLocation_0=\npolicyset.userCertSet.10.constraint.name=Renewal Grace Period Constraint\npolicyset.userCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.userCertSet.list=1,10,2,3,4,5,6,7,8,9\npolicyset.userCertSet.8.constraint.name=No Constraint\npolicyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.userCertSet.10.constraint.class_id=renewGracePeriodConstraintImpl\npolicyset.userCertSet.1.constraint.name=Subject Name Constraint\npolicyset.userCertSet.1.constraint.params.accept=true\npolicyset.userCertSet.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.userCertSet.7.constraint.name=No Constraint\npolicyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=true\npolicyset.userCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.list=userCertSet\npolicyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$\npolicyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\npolicyset.userCertSet.4.default.name=Authority Key Identifier 
Default\npolicyset.userCertSet.4.constraint.class_id=noConstraintImpl\npolicyset.userCertSet.6.default.params.keyUsageDigitalSignature=true\npolicyset.userCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.userCertSet.6.default.params.keyUsageCritical=true\npolicyset.userCertSet.8.default.params.subjAltExtType_0=RFC822Name\npolicyset.userCertSet.5.default.params.authInfoAccessCritical=false\npolicyset.userCertSet.6.default.params.keyUsageNonRepudiation=true\npolicyset.userCertSet.9.default.name=Signing Alg\npolicyset.userCertSet.6.constraint.name=Key Usage Extension Constraint\npolicyset.userCertSet.1.default.params.name=\npolicyset.userCertSet.6.default.params.keyUsageDataEncipherment=false\n' 2016-03-14T19:09:38Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caECUserCert?action=enable 2016-03-14T19:09:38Z DEBUG request body '' 2016-03-14T19:09:38Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:38Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:38Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:38Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:38Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:38Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:38Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:38Z DEBUG response status 204 No Content 2016-03-14T19:09:38Z DEBUG response headers {'date': 'Mon, 14 Mar 2016 19:09:38 GMT', 'content-type': 'application/x-www-form-urlencoded', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:38Z DEBUG response body '' 2016-03-14T19:09:38Z DEBUG request GET https://jutta.cc.umanitoba.ca:8443/ca/rest/account/logout 2016-03-14T19:09:38Z DEBUG request body '' 2016-03-14T19:09:38Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:38Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:38Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:38Z DEBUG cert 
valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:38Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:38Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:38Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:38Z DEBUG response status 204 No Content 2016-03-14T19:09:38Z DEBUG response headers {'set-cookie': 'JSESSIONID=7ADB905812C12D8E1B397E49EAE0D57B; Path=/ca/; Secure; HttpOnly', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:38 GMT', 'content-type': 'application/xml'} 2016-03-14T19:09:38Z DEBUG response body '' 2016-03-14T19:09:38Z INFO Migrating profile 'caUserSMIMEcapCert' to LDAP 2016-03-14T19:09:38Z DEBUG request GET https://jutta.cc.umanitoba.ca:8443/ca/rest/account/login 2016-03-14T19:09:38Z DEBUG request body '' 2016-03-14T19:09:38Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:38Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:38Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:38Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:38Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:38Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:38Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:38Z DEBUG response status 200 OK 2016-03-14T19:09:38Z DEBUG response headers {'content-length': '205', 'set-cookie': 'JSESSIONID=362D2E418A46894A67BC07D9626AE959; Path=/ca/; Secure; HttpOnly', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:38 GMT', 'content-type': 'application/xml'} 2016-03-14T19:09:38Z DEBUG response body 'iparaCertificate Manager AgentsRegistration Manager Agents' 2016-03-14T19:09:38Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/raw 2016-03-14T19:09:38Z DEBUG request body 'desc=This certificate profile is for 
enrolling user certificates with S/MIME capabilities extension - OID: 1.2.840.113549.1.9.15\nvisible=true\nenable=true\nenableBy=admin\nname=Manual User Dual-Use S/MIME capabilities Certificate Enrollment\nauth.class_id=\ninput.list=i1,i2,i3\ninput.i1.class_id=keyGenInputImpl\ninput.i2.class_id=subjectNameInputImpl\ninput.i3.class_id=submitterInfoInputImpl\noutput.list=o1\noutput.o1.class_id=certOutputImpl\npolicyset.list=userCertSet\npolicyset.userCertSet.list=1,10,2,3,4,5,6,7,8,9,11\npolicyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.userCertSet.1.constraint.name=Subject Name Constraint\npolicyset.userCertSet.1.constraint.params.pattern=UID=.*\npolicyset.userCertSet.1.constraint.params.accept=true\npolicyset.userCertSet.1.default.class_id=userSubjectNameDefaultImpl\npolicyset.userCertSet.1.default.name=Subject Name Default\npolicyset.userCertSet.1.default.params.name=\npolicyset.userCertSet.10.constraint.class_id=renewGracePeriodConstraintImpl\npolicyset.userCertSet.10.constraint.name=Renewal Grace Period Constraint\npolicyset.userCertSet.10.constraint.params.renewal.graceBefore=30\npolicyset.userCertSet.10.constraint.params.renewal.graceAfter=30\npolicyset.userCertSet.10.default.class_id=noDefaultImpl\npolicyset.userCertSet.10.default.name=No Default\npolicyset.userCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.userCertSet.2.constraint.name=Validity Constraint\npolicyset.userCertSet.2.constraint.params.range=365\npolicyset.userCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.userCertSet.2.constraint.params.notAfterCheck=false\npolicyset.userCertSet.2.default.class_id=validityDefaultImpl\npolicyset.userCertSet.2.default.name=Validity Default\npolicyset.userCertSet.2.default.params.range=180\npolicyset.userCertSet.2.default.params.startTime=0\npolicyset.userCertSet.3.constraint.class_id=keyConstraintImpl\npolicyset.userCertSet.3.constraint.name=Key 
Constraint\npolicyset.userCertSet.3.constraint.params.keyType=-\npolicyset.userCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521\npolicyset.userCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.userCertSet.3.default.name=Key Default\npolicyset.userCertSet.4.constraint.class_id=noConstraintImpl\npolicyset.userCertSet.4.constraint.name=No Constraint\npolicyset.userCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.userCertSet.4.default.name=Authority Key Identifier Default\npolicyset.userCertSet.5.constraint.class_id=noConstraintImpl\npolicyset.userCertSet.5.constraint.name=No Constraint\npolicyset.userCertSet.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.userCertSet.5.default.name=AIA Extension Default\npolicyset.userCertSet.5.default.params.authInfoAccessADEnable_0=true\npolicyset.userCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.userCertSet.5.default.params.authInfoAccessADLocation_0=\npolicyset.userCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.userCertSet.5.default.params.authInfoAccessCritical=false\npolicyset.userCertSet.5.default.params.authInfoAccessNumADs=1\npolicyset.userCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.userCertSet.6.constraint.name=Key Usage Extension 
Constraint\npolicyset.encryptionCertSet.6.constraint.params.keyUsageCritical=true\npolicyset.encryptionCertSet.6.constraint.params.keyUsageDigitalSignature=false\npolicyset.encryptionCertSet.6.constraint.params.keyUsageNonRepudiation=false\npolicyset.encryptionCertSet.6.constraint.params.keyUsageDataEncipherment=false\npolicyset.encryptionCertSet.6.constraint.params.keyUsageKeyEncipherment=true\npolicyset.encryptionCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.encryptionCertSet.6.constraint.params.keyUsageKeyCertSign=false\npolicyset.encryptionCertSet.6.constraint.params.keyUsageCrlSign=false\npolicyset.encryptionCertSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.encryptionCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.encryptionCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.encryptionCertSet.6.default.name=Key Usage Default\npolicyset.encryptionCertSet.6.default.params.keyUsageCritical=true\npolicyset.encryptionCertSet.6.default.params.keyUsageDigitalSignature=false\npolicyset.encryptionCertSet.6.default.params.keyUsageNonRepudiation=false\npolicyset.encryptionCertSet.6.default.params.keyUsageDataEncipherment=false\npolicyset.encryptionCertSet.6.default.params.keyUsageKeyEncipherment=true\npolicyset.encryptionCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.encryptionCertSet.6.default.params.keyUsageKeyCertSign=false\npolicyset.encryptionCertSet.6.default.params.keyUsageCrlSign=false\npolicyset.encryptionCertSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.encryptionCertSet.6.default.params.keyUsageDecipherOnly=false\npolicyset.encryptionCertSet.7.constraint.class_id=noConstraintImpl\npolicyset.encryptionCertSet.7.constraint.name=No Constraint\npolicyset.encryptionCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl\npolicyset.encryptionCertSet.7.default.name=Extended Key Usage Extension 
Default\npolicyset.encryptionCertSet.7.default.params.exKeyUsageCritical=false\npolicyset.encryptionCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4\npolicyset.encryptionCertSet.8.constraint.class_id=noConstraintImpl\npolicyset.encryptionCertSet.8.constraint.name=No Constraint\npolicyset.encryptionCertSet.8.default.class_id=subjectAltNameExtDefaultImpl\npolicyset.encryptionCertSet.8.default.name=Subject Alt Name Constraint\npolicyset.encryptionCertSet.8.default.params.subjAltNameExtCritical=false\npolicyset.encryptionCertSet.8.default.params.subjAltExtType_0=RFC822Name\npolicyset.encryptionCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$\npolicyset.encryptionCertSet.8.default.params.subjAltExtGNEnable_0=true\npolicyset.encryptionCertSet.8.default.params.subjAltNameNumGNs=1\npolicyset.encryptionCertSet.9.constraint.class_id=signingAlgConstraintImpl\npolicyset.encryptionCertSet.9.constraint.name=No Constraint\npolicyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\npolicyset.encryptionCertSet.9.default.class_id=signingAlgDefaultImpl\npolicyset.encryptionCertSet.9.default.name=Signing Alg\npolicyset.encryptionCertSet.9.default.params.signingAlg=-\npolicyset.signingCertSet.list=1,2,3,4,6,7,8,9\npolicyset.signingCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.signingCertSet.1.constraint.name=Subject Name Constraint\npolicyset.signingCertSet.1.constraint.params.pattern=UID=.*\npolicyset.signingCertSet.1.constraint.params.accept=true\npolicyset.signingCertSet.1.default.class_id=userSubjectNameDefaultImpl\npolicyset.signingCertSet.1.default.name=Subject Name Default\npolicyset.signingCertSet.1.default.params.name=\npolicyset.signingCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.signingCertSet.2.constraint.name=Validity 
Constraint\npolicyset.signingCertSet.2.constraint.params.range=365\npolicyset.signingCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.signingCertSet.2.constraint.params.notAfterCheck=false\npolicyset.signingCertSet.2.default.class_id=validityDefaultImpl\npolicyset.signingCertSet.2.default.name=Validity Default\npolicyset.signingCertSet.2.default.params.range=180\npolicyset.signingCertSet.2.default.params.startTime=60\npolicyset.signingCertSet.3.constraint.class_id=keyConstraintImpl\npolicyset.signingCertSet.3.constraint.name=Key Constraint\npolicyset.signingCertSet.3.constraint.params.keyType=RSA\npolicyset.signingCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096\npolicyset.signingCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.signingCertSet.3.default.name=Key Default\npolicyset.signingCertSet.4.constraint.class_id=noConstraintImpl\npolicyset.signingCertSet.4.constraint.name=No Constraint\npolicyset.signingCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.signingCertSet.4.default.name=Authority Key Identifier Default\npolicyset.signingCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.signingCertSet.6.constraint.name=Key Usage Extension 
Constraint\npolicyset.signingCertSet.6.constraint.params.keyUsageCritical=true\npolicyset.signingCertSet.6.constraint.params.keyUsageDigitalSignature=true\npolicyset.signingCertSet.6.constraint.params.keyUsageNonRepudiation=true\npolicyset.signingCertSet.6.constraint.params.keyUsageDataEncipherment=false\npolicyset.signingCertSet.6.constraint.params.keyUsageKeyEncipherment=false\npolicyset.signingCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.signingCertSet.6.constraint.params.keyUsageKeyCertSign=false\npolicyset.signingCertSet.6.constraint.params.keyUsageCrlSign=false\npolicyset.signingCertSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.signingCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.signingCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.signingCertSet.6.default.name=Key Usage Default\npolicyset.signingCertSet.6.default.params.keyUsageCritical=true\npolicyset.signingCertSet.6.default.params.keyUsageDigitalSignature=true\npolicyset.signingCertSet.6.default.params.keyUsageNonRepudiation=true\npolicyset.signingCertSet.6.default.params.keyUsageDataEncipherment=false\npolicyset.signingCertSet.6.default.params.keyUsageKeyEncipherment=false\npolicyset.signingCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.signingCertSet.6.default.params.keyUsageKeyCertSign=false\npolicyset.signingCertSet.6.default.params.keyUsageCrlSign=false\npolicyset.signingCertSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.signingCertSet.6.default.params.keyUsageDecipherOnly=false\npolicyset.signingCertSet.7.constraint.class_id=noConstraintImpl\npolicyset.signingCertSet.7.constraint.name=No Constraint\npolicyset.signingCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl\npolicyset.signingCertSet.7.default.name=Extended Key Usage Extension 
Default\npolicyset.signingCertSet.7.default.params.exKeyUsageCritical=false\npolicyset.signingCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4\npolicyset.signingCertSet.8.constraint.class_id=noConstraintImpl\npolicyset.signingCertSet.8.constraint.name=No Constraint\npolicyset.signingCertSet.8.default.class_id=subjectAltNameExtDefaultImpl\npolicyset.signingCertSet.8.default.name=Subject Alt Name Constraint\npolicyset.signingCertSet.8.default.params.subjAltNameExtCritical=false\npolicyset.signingCertSet.8.default.params.subjAltExtType_0=RFC822Name\npolicyset.signingCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$\npolicyset.signingCertSet.8.default.params.subjAltExtGNEnable_0=true\npolicyset.signingCertSet.8.default.params.subjAltNameNumGNs=1\npolicyset.signingCertSet.9.constraint.class_id=signingAlgConstraintImpl\npolicyset.signingCertSet.9.constraint.name=No Constraint\npolicyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\npolicyset.signingCertSet.9.default.class_id=signingAlgDefaultImpl\npolicyset.signingCertSet.9.default.name=Signing Alg\npolicyset.signingCertSet.9.default.params.signingAlg=-\npolicyset.signingCertSet.9.default.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\nprofileId=caDualCert\nclassId=caEnrollImpl\n' 2016-03-14T19:09:38Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:38Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:38Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:38Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:38Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:38Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:38Z DEBUG Cipher: 
TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:38Z DEBUG response status 200 OK 2016-03-14T19:09:38Z DEBUG response headers {'transfer-encoding': 'chunked', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:38 GMT', 'content-type': 'application/json'} 2016-03-14T19:09:38Z DEBUG response body '#Mon Mar 14 14:09:38 CDT 2016\npolicyset.signingCertSet.6.default.params.keyUsageCrlSign=false\npolicyset.signingCertSet.1.constraint.params.accept=true\npolicyset.encryptionCertSet.5.default.params.authInfoAccessNumADs=1\npolicyset.encryptionCertSet.4.constraint.name=No Constraint\npolicyset.signingCertSet.7.constraint.name=No Constraint\npolicyset.encryptionCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.encryptionCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.signingCertSet.2.default.class_id=validityDefaultImpl\npolicyset.signingCertSet.8.constraint.class_id=noConstraintImpl\npolicyset.signingCertSet.6.default.name=Key Usage Default\npolicyset.encryptionCertSet.3.constraint.params.keyType=RSA\npolicyset.signingCertSet.6.constraint.params.keyUsageKeyEncipherment=false\npolicyset.encryptionCertSet.1.default.class_id=userSubjectNameDefaultImpl\npolicyset.signingCertSet.6.default.params.keyUsageKeyEncipherment=false\npolicyset.encryptionCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.encryptionCertSet.6.constraint.params.keyUsageDataEncipherment=false\npolicyset.signingCertSet.7.constraint.class_id=noConstraintImpl\npolicyset.signingCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.signingCertSet.6.constraint.params.keyUsageCritical=true\npolicyset.encryptionCertSet.4.default.name=Authority Key Identifier Default\npolicyset.encryptionCertSet.8.constraint.name=No Constraint\npolicyset.encryptionCertSet.6.constraint.params.keyUsageDigitalSignature=false\nenable=true\npolicyset.signingCertSet.4.default.name=Authority Key 
Identifier Default\npolicyset.signingCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.encryptionCertSet.2.default.class_id=validityDefaultImpl\npolicyset.signingCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.signingCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.encryptionCertSet.5.default.params.authInfoAccessCritical=false\npolicyset.encryptionCertSet.5.default.params.authInfoAccessADLocation_0=\npolicyset.encryptionCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.encryptionCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.encryptionCertSet.2.default.name=Validity Default\npolicyset.encryptionCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.encryptionCertSet.1.default.params.name=\npolicyset.encryptionCertSet.5.default.params.authInfoAccessADEnable_0=true\noutput.o1.class_id=certOutputImpl\npolicyset.encryptionCertSet.2.default.params.range=180\npolicyset.encryptionCertSet.6.default.params.keyUsageKeyCertSign=false\npolicyset.encryptionCertSet.1.constraint.name=Subject Name Constraint\npolicyset.encryptionCertSet.9.default.name=Signing Alg\npolicyset.signingCertSet.9.default.params.signingAlg=-\npolicyset.signingCertSet.4.constraint.name=No Constraint\npolicyset.signingCertSet.8.constraint.name=No Constraint\npolicyset.signingCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.signingCertSet.9.default.name=Signing Alg\npolicyset.signingCertSet.6.default.params.keyUsageDataEncipherment=false\npolicyset.signingCertSet.4.constraint.class_id=noConstraintImpl\npolicyset.signingCertSet.6.default.params.keyUsageDigitalSignature=true\npolicyset.encryptionCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.signingCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$\noutput.list=o1\npolicyset.signingCertSet.6.constraint.params.keyUsageKeyCertSign=false\npolicyset.signingCertSet.2.default.name=Validity 
Default\npolicyset.encryptionCertSet.5.constraint.name=No Constraint\npolicyset.encryptionCertSet.7.default.name=Extended Key Usage Extension Default\npolicyset.encryptionCertSet.2.constraint.params.range=365\npolicyset.encryptionCertSet.9.constraint.name=No Constraint\npolicyset.encryptionCertSet.6.constraint.params.keyUsageKeyCertSign=false\npolicyset.encryptionCertSet.8.default.params.subjAltExtGNEnable_0=true\nname=Manual User Signing & Encryption Certificates Enrollment\npolicyset.signingCertSet.3.constraint.params.keyType=RSA\npolicyset.encryptionCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.signingCertSet.1.constraint.name=Subject Name Constraint\npolicyset.encryptionCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.signingCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.signingCertSet.3.constraint.class_id=keyConstraintImpl\npolicyset.signingCertSet.2.constraint.params.range=365\npolicyset.encryptionCertSet.8.default.params.subjAltNameExtCritical=false\npolicyset.encryptionCertSet.6.default.params.keyUsageKeyEncipherment=true\npolicyset.signingCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096\npolicyset.signingCertSet.6.default.params.keyUsageNonRepudiation=true\npolicyset.signingCertSet.2.default.params.startTime=60\npolicyset.signingCertSet.7.default.name=Extended Key Usage Extension Default\npolicyset.encryptionCertSet.1.constraint.params.pattern=UID=.*\npolicyset.signingCertSet.8.default.params.subjAltNameExtCritical=false\npolicyset.encryptionCertSet.6.default.params.keyUsageNonRepudiation=false\npolicyset.signingCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.signingCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.signingCertSet.9.constraint.name=No 
Constraint\npolicyset.encryptionCertSet.1.constraint.params.accept=true\npolicyset.encryptionCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096\npolicyset.signingCertSet.7.default.params.exKeyUsageCritical=false\npolicyset.encryptionCertSet.9.constraint.class_id=signingAlgConstraintImpl\npolicyset.encryptionCertSet.5.default.name=AIA Extension Default\npolicyset.encryptionCertSet.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.signingCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.signingCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl\npolicyset.signingCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.signingCertSet.6.constraint.params.keyUsageDataEncipherment=false\npolicyset.encryptionCertSet.2.constraint.name=Validity Constraint\npolicyset.signingCertSet.8.default.params.subjAltExtGNEnable_0=true\npolicyset.encryptionCertSet.6.constraint.name=Key Usage Extension Constraint\npolicyset.encryptionCertSet.6.default.params.keyUsageDataEncipherment=false\ninput.list=i1,i2,i3\npolicyset.signingCertSet.6.constraint.params.keyUsageDigitalSignature=true\npolicyset.signingCertSet.1.default.params.name=\npolicyset.encryptionCertSet.6.default.params.keyUsageDigitalSignature=false\npolicyset.encryptionCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.signingCertSet.6.constraint.params.keyUsageEncipherOnly=false\nenableBy=admin\npolicyset.encryptionCertSet.3.default.name=Key 
Default\npolicyset.encryptionCertSet.6.default.params.keyUsageDecipherOnly=false\npolicyset.signingCertSet.6.default.params.keyUsageKeyCertSign=false\npolicyset.signingCertSet.8.default.params.subjAltExtType_0=RFC822Name\npolicyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\npolicyset.signingCertSet.2.constraint.params.notAfterCheck=false\npolicyset.encryptionCertSet.7.default.params.exKeyUsageCritical=false\npolicyset.encryptionCertSet.8.constraint.class_id=noConstraintImpl\npolicyset.encryptionCertSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.signingCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4\ndesc=This certificate profile is for enrolling dual user certificates. It works only with Netscape 7.0 or later.\npolicyset.signingCertSet.list=1,2,3,4,6,7,8,9\npolicyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\npolicyset.encryptionCertSet.8.default.params.subjAltExtType_0=RFC822Name\npolicyset.encryptionCertSet.6.default.params.keyUsageCrlSign=false\npolicyset.signingCertSet.2.constraint.name=Validity Constraint\npolicyset.signingCertSet.8.default.class_id=subjectAltNameExtDefaultImpl\npolicyset.signingCertSet.6.constraint.name=Key Usage Extension Constraint\npolicyset.encryptionCertSet.2.constraint.params.notAfterCheck=false\npolicyset.signingCertSet.6.default.params.keyUsageCritical=true\npolicyset.signingCertSet.3.default.name=Key 
Default\npolicyset.encryptionCertSet.7.constraint.class_id=noConstraintImpl\ninput.i1.class_id=dualKeyGenInputImpl\npolicyset.encryptionCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl\npolicyset.encryptionCertSet.6.constraint.params.keyUsageKeyEncipherment=true\npolicyset.signingCertSet.1.constraint.params.pattern=UID=.*\npolicyset.encryptionCertSet.6.default.params.keyUsageCritical=true\npolicyset.list=encryptionCertSet,signingCertSet\npolicyset.signingCertSet.9.default.class_id=signingAlgDefaultImpl\npolicyset.encryptionCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.encryptionCertSet.3.constraint.name=Key Constraint\npolicyset.encryptionCertSet.1.default.name=Subject Name Default\nvisible=true\npolicyset.signingCertSet.6.constraint.params.keyUsageCrlSign=false\npolicyset.encryptionCertSet.6.constraint.params.keyUsageCritical=true\npolicyset.signingCertSet.6.constraint.params.keyUsageNonRepudiation=true\npolicyset.encryptionCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4\npolicyset.signingCertSet.1.default.name=Subject Name Default\npolicyset.encryptionCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.signingCertSet.6.default.params.keyUsageDecipherOnly=false\npolicyset.encryptionCertSet.8.default.class_id=subjectAltNameExtDefaultImpl\ninput.i2.class_id=subjectNameInputImpl\npolicyset.encryptionCertSet.8.default.name=Subject Alt Name Constraint\npolicyset.encryptionCertSet.5.constraint.class_id=noConstraintImpl\npolicyset.signingCertSet.8.default.name=Subject Alt Name Constraint\npolicyset.encryptionCertSet.6.constraint.params.keyUsageNonRepudiation=false\npolicyset.signingCertSet.1.default.class_id=userSubjectNameDefaultImpl\npolicyset.signingCertSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.encryptionCertSet.7.constraint.name=No 
Constraint\npolicyset.encryptionCertSet.list=1,2,3,4,5,6,7,8,9\npolicyset.encryptionCertSet.4.constraint.class_id=noConstraintImpl\npolicyset.encryptionCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$\ninput.i3.class_id=submitterInfoInputImpl\npolicyset.encryptionCertSet.9.default.params.signingAlg=-\npolicyset.encryptionCertSet.2.default.params.startTime=0\npolicyset.encryptionCertSet.6.default.name=Key Usage Default\npolicyset.signingCertSet.3.constraint.name=Key Constraint\npolicyset.signingCertSet.9.default.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\npolicyset.signingCertSet.2.default.params.range=180\npolicyset.signingCertSet.8.default.params.subjAltNameNumGNs=1\npolicyset.encryptionCertSet.6.constraint.params.keyUsageCrlSign=false\npolicyset.encryptionCertSet.6.constraint.params.keyUsageEncipherOnly=false\nauth.class_id=\npolicyset.encryptionCertSet.3.constraint.class_id=keyConstraintImpl\npolicyset.signingCertSet.9.constraint.class_id=signingAlgConstraintImpl\npolicyset.encryptionCertSet.8.default.params.subjAltNameNumGNs=1\npolicyset.encryptionCertSet.9.default.class_id=signingAlgDefaultImpl\n' 2016-03-14T19:09:38Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caDualCert?action=enable 2016-03-14T19:09:38Z DEBUG request body '' 2016-03-14T19:09:38Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:38Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:38Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:38Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:38Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:38Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:38Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:38Z DEBUG response status 204 No Content 2016-03-14T19:09:38Z DEBUG response headers {'date': 'Mon, 
14 Mar 2016 19:09:38 GMT', 'content-type': 'application/x-www-form-urlencoded', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:38Z DEBUG response body '' 2016-03-14T19:09:38Z DEBUG request GET https://jutta.cc.umanitoba.ca:8443/ca/rest/account/logout 2016-03-14T19:09:38Z DEBUG request body '' 2016-03-14T19:09:38Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:38Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:38Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:38Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:38Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:38Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:38Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:38Z DEBUG response status 204 No Content 2016-03-14T19:09:38Z DEBUG response headers {'set-cookie': 'JSESSIONID=93435B41B79198259BBFCAD5B88DE61F; Path=/ca/; Secure; HttpOnly', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:38 GMT', 'content-type': 'application/xml'} 2016-03-14T19:09:38Z DEBUG response body '' 2016-03-14T19:09:38Z INFO Migrating profile 'caECDualCert' to LDAP 2016-03-14T19:09:38Z DEBUG request GET https://jutta.cc.umanitoba.ca:8443/ca/rest/account/login 2016-03-14T19:09:38Z DEBUG request body '' 2016-03-14T19:09:38Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:38Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:38Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:38Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:38Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:38Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:38Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:38Z DEBUG response status 200 OK 2016-03-14T19:09:38Z DEBUG response headers {'content-length': '205', 'set-cookie': 
'JSESSIONID=0D3C658D864651D2DA35F784050BD668; Path=/ca/; Secure; HttpOnly', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:38 GMT', 'content-type': 'application/xml'} 2016-03-14T19:09:38Z DEBUG response body 'iparaCertificate Manager AgentsRegistration Manager Agents' 2016-03-14T19:09:38Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/raw 2016-03-14T19:09:38Z DEBUG request body 'desc=This certificate profile is for enrolling dual user ECC certificates. It works only with Netscape 7.0 or later.\nvisible=false\nenable=true\nenableBy=admin\nname=Manual User Signing & Encryption ECC Certificates Enrollment\nauth.class_id=\ninput.list=i1,i2,i3\ninput.i1.class_id=dualKeyGenInputImpl\ninput.i2.class_id=subjectNameInputImpl\ninput.i3.class_id=submitterInfoInputImpl\noutput.list=o1\noutput.o1.class_id=certOutputImpl\npolicyset.list=encryptionCertSet,signingCertSet\npolicyset.encryptionCertSet.list=1,2,3,4,5,6,7,8,9\npolicyset.encryptionCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.encryptionCertSet.1.constraint.name=Subject Name Constraint\npolicyset.encryptionCertSet.1.constraint.params.pattern=UID=.*\npolicyset.encryptionCertSet.1.constraint.params.accept=true\npolicyset.encryptionCertSet.1.default.class_id=userSubjectNameDefaultImpl\npolicyset.encryptionCertSet.1.default.name=Subject Name Default\npolicyset.encryptionCertSet.1.default.params.name=\npolicyset.encryptionCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.encryptionCertSet.2.constraint.name=Validity Constraint\npolicyset.encryptionCertSet.2.constraint.params.range=365\npolicyset.encryptionCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.encryptionCertSet.2.constraint.params.notAfterCheck=false\npolicyset.encryptionCertSet.2.default.class_id=validityDefaultImpl\npolicyset.encryptionCertSet.2.default.name=Validity 
Default\npolicyset.adminCertSet.2.default.params.range=365\npolicyset.adminCertSet.2.default.params.startTime=0\npolicyset.adminCertSet.3.constraint.class_id=keyConstraintImpl\npolicyset.adminCertSet.3.constraint.name=Key Constraint\npolicyset.adminCertSet.3.constraint.params.keyType=RSA\npolicyset.adminCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096\npolicyset.adminCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.adminCertSet.3.default.name=Key Default\npolicyset.adminCertSet.4.constraint.class_id=noConstraintImpl\npolicyset.adminCertSet.4.constraint.name=No Constraint\npolicyset.adminCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.adminCertSet.4.default.name=Authority Key Identifier Default\npolicyset.adminCertSet.5.constraint.class_id=noConstraintImpl\npolicyset.adminCertSet.5.constraint.name=No Constraint\npolicyset.adminCertSet.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.adminCertSet.5.default.name=AIA Extension Default\npolicyset.adminCertSet.5.default.params.authInfoAccessADEnable_0=true\npolicyset.adminCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.adminCertSet.5.default.params.authInfoAccessADLocation_0=\npolicyset.adminCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.adminCertSet.5.default.params.authInfoAccessCritical=false\npolicyset.adminCertSet.5.default.params.authInfoAccessNumADs=1\npolicyset.adminCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.adminCertSet.6.constraint.name=Key Usage Extension 
Constraint\npolicyset.adminCertSet.6.constraint.params.keyUsageCritical=true\npolicyset.adminCertSet.6.constraint.params.keyUsageDigitalSignature=true\npolicyset.adminCertSet.6.constraint.params.keyUsageNonRepudiation=true\npolicyset.adminCertSet.6.constraint.params.keyUsageDataEncipherment=true\npolicyset.adminCertSet.6.constraint.params.keyUsageKeyEncipherment=true\npolicyset.adminCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.adminCertSet.6.constraint.params.keyUsageKeyCertSign=false\npolicyset.adminCertSet.6.constraint.params.keyUsageCrlSign=false\npolicyset.adminCertSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.adminCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.adminCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.adminCertSet.6.default.name=Key Usage Default\npolicyset.adminCertSet.6.default.params.keyUsageCritical=true\npolicyset.adminCertSet.6.default.params.keyUsageDigitalSignature=true\npolicyset.adminCertSet.6.default.params.keyUsageNonRepudiation=true\npolicyset.adminCertSet.6.default.params.keyUsageDataEncipherment=true\npolicyset.adminCertSet.6.default.params.keyUsageKeyEncipherment=true\npolicyset.adminCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.adminCertSet.6.default.params.keyUsageKeyCertSign=false\npolicyset.adminCertSet.6.default.params.keyUsageCrlSign=false\npolicyset.adminCertSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.adminCertSet.6.default.params.keyUsageDecipherOnly=false\npolicyset.adminCertSet.7.constraint.class_id=noConstraintImpl\npolicyset.adminCertSet.7.constraint.name=No Constraint\npolicyset.adminCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl\npolicyset.adminCertSet.7.default.name=Extended Key Usage Extension 
Default\npolicyset.adminCertSet.7.default.params.exKeyUsageCritical=false\npolicyset.adminCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4\npolicyset.adminCertSet.8.constraint.class_id=signingAlgConstraintImpl\npolicyset.adminCertSet.8.constraint.name=No Constraint\npolicyset.adminCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\npolicyset.adminCertSet.8.default.class_id=signingAlgDefaultImpl\npolicyset.adminCertSet.8.default.name=Signing Alg\npolicyset.adminCertSet.8.default.params.signingAlg=-\nprofileId=AdminCert\nclassId=caEnrollImpl\n" 2016-03-14T19:09:39Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:39Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:39Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:39Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:39Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:39Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:39Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:39Z DEBUG response status 400 Bad Request 2016-03-14T19:09:39Z DEBUG response headers {'transfer-encoding': 'chunked', 'date': 'Mon, 14 Mar 2016 19:09:39 GMT', 'connection': 'close', 'content-type': 'application/json', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:39Z DEBUG response body '{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.BadRequestException","Code":400,"Message":"Profile already exists"}' 2016-03-14T19:09:39Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/AdminCert?action=disable 2016-03-14T19:09:39Z DEBUG request body '' 2016-03-14T19:09:39Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:39Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:39Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 
2016-03-14T19:09:39Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:39Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:39Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:39Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:39Z DEBUG response status 204 No Content 2016-03-14T19:09:39Z DEBUG response headers {'date': 'Mon, 14 Mar 2016 19:09:39 GMT', 'content-type': 'application/x-www-form-urlencoded', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:39Z DEBUG response body '' 2016-03-14T19:09:39Z DEBUG request PUT https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/AdminCert/raw 2016-03-14T19:09:39Z DEBUG request body "desc=This certificate profile is for enrolling Administrator's certificates suitable for use by clients such as browsers.\nvisible=true\nenable=true\nenableBy=admin\nauth.instance_id=\nname=Manual Administrator Certificate Enrollment\ninput.list=i1,i2,i3\ninput.i1.class_id=certReqInputImpl\ninput.i2.class_id=submitterInfoInputImpl\ninput.i3.class_id=subjectDNInputImpl\noutput.list=o1\noutput.o1.class_id=certOutputImpl\npolicyset.list=adminCertSet\npolicyset.adminCertSet.list=1,2,3,4,5,6,7,8\npolicyset.adminCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.adminCertSet.1.constraint.name=Subject Name Constraint\npolicyset.adminCertSet.1.constraint.params.pattern=.*\npolicyset.adminCertSet.1.constraint.params.accept=true\npolicyset.adminCertSet.1.default.class_id=userSubjectNameDefaultImpl\npolicyset.adminCertSet.1.default.name=Subject Name Default\npolicyset.adminCertSet.1.default.params.name=\npolicyset.adminCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.adminCertSet.2.constraint.name=Validity 
Constraint\npolicyset.adminCertSet.2.constraint.params.range=365\npolicyset.adminCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.adminCertSet.2.constraint.params.notAfterCheck=false\npolicyset.adminCertSet.2.default.class_id=validityDefaultImpl\npolicyset.adminCertSet.2.default.name=Validity Default\npolicyset.adminCertSet.2.default.params.range=365\npolicyset.adminCertSet.2.default.params.startTime=0\npolicyset.adminCertSet.3.constraint.class_id=keyConstraintImpl\npolicyset.adminCertSet.3.constraint.name=Key Constraint\npolicyset.adminCertSet.3.constraint.params.keyType=RSA\npolicyset.adminCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096\npolicyset.adminCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.adminCertSet.3.default.name=Key Default\npolicyset.adminCertSet.4.constraint.class_id=noConstraintImpl\npolicyset.adminCertSet.4.constraint.name=No Constraint\npolicyset.adminCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.adminCertSet.4.default.name=Authority Key Identifier Default\npolicyset.adminCertSet.5.constraint.class_id=noConstraintImpl\npolicyset.adminCertSet.5.constraint.name=No Constraint\npolicyset.adminCertSet.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.adminCertSet.5.default.name=AIA Extension Default\npolicyset.adminCertSet.5.default.params.authInfoAccessADEnable_0=true\npolicyset.adminCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.adminCertSet.5.default.params.authInfoAccessADLocation_0=\npolicyset.adminCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.adminCertSet.5.default.params.authInfoAccessCritical=false\npolicyset.adminCertSet.5.default.params.authInfoAccessNumADs=1\npolicyset.adminCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.adminCertSet.6.constraint.name=Key Usage Extension 
Constraint\npolicyset.adminCertSet.6.constraint.params.keyUsageCritical=true\npolicyset.adminCertSet.6.constraint.params.keyUsageDigitalSignature=true\npolicyset.adminCertSet.6.constraint.params.keyUsageNonRepudiation=true\npolicyset.adminCertSet.6.constraint.params.keyUsageDataEncipherment=true\npolicyset.adminCertSet.6.constraint.params.keyUsageKeyEncipherment=true\npolicyset.adminCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.adminCertSet.6.constraint.params.keyUsageKeyCertSign=false\npolicyset.adminCertSet.6.constraint.params.keyUsageCrlSign=false\npolicyset.adminCertSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.adminCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.adminCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.adminCertSet.6.default.name=Key Usage Default\npolicyset.adminCertSet.6.default.params.keyUsageCritical=true\npolicyset.adminCertSet.6.default.params.keyUsageDigitalSignature=true\npolicyset.adminCertSet.6.default.params.keyUsageNonRepudiation=true\npolicyset.adminCertSet.6.default.params.keyUsageDataEncipherment=true\npolicyset.adminCertSet.6.default.params.keyUsageKeyEncipherment=true\npolicyset.adminCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.adminCertSet.6.default.params.keyUsageKeyCertSign=false\npolicyset.adminCertSet.6.default.params.keyUsageCrlSign=false\npolicyset.adminCertSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.adminCertSet.6.default.params.keyUsageDecipherOnly=false\npolicyset.adminCertSet.7.constraint.class_id=noConstraintImpl\npolicyset.adminCertSet.7.constraint.name=No Constraint\npolicyset.adminCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl\npolicyset.adminCertSet.7.default.name=Extended Key Usage Extension 
Default\npolicyset.adminCertSet.7.default.params.exKeyUsageCritical=false\npolicyset.adminCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4\npolicyset.adminCertSet.8.constraint.class_id=signingAlgConstraintImpl\npolicyset.adminCertSet.8.constraint.name=No Constraint\npolicyset.adminCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\npolicyset.adminCertSet.8.default.class_id=signingAlgDefaultImpl\npolicyset.adminCertSet.8.default.name=Signing Alg\npolicyset.adminCertSet.8.default.params.signingAlg=-\nprofileId=AdminCert\nclassId=caEnrollImpl\n" 2016-03-14T19:09:39Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:39Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:39Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:39Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:39Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:39Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:39Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:39Z DEBUG response status 200 OK 2016-03-14T19:09:39Z DEBUG response headers {'content-length': '5299', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:39 GMT', 'content-type': 'application/json'} 2016-03-14T19:09:39Z DEBUG response body "#Mon Mar 14 14:09:39 CDT 2016\npolicyset.adminCertSet.7.constraint.class_id=noConstraintImpl\ninput.i2.class_id=submitterInfoInputImpl\npolicyset.adminCertSet.2.constraint.name=Validity Constraint\nauth.instance_id=\npolicyset.adminCertSet.6.default.class_id=keyUsageExtDefaultImpl\noutput.o1.class_id=certOutputImpl\npolicyset.adminCertSet.8.constraint.name=No 
Constraint\npolicyset.adminCertSet.6.default.params.keyUsageDataEncipherment=true\npolicyset.adminCertSet.5.default.params.authInfoAccessNumADs=1\npolicyset.adminCertSet.1.default.params.name=\npolicyset.adminCertSet.6.constraint.params.keyUsageNonRepudiation=true\npolicyset.adminCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.adminCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl\npolicyset.adminCertSet.4.default.name=Authority Key Identifier Default\noutput.list=o1\npolicyset.adminCertSet.2.default.params.range=365\ninput.list=i1,i2,i3\npolicyset.adminCertSet.2.default.params.startTime=0\npolicyset.adminCertSet.8.default.params.signingAlg=-\nvisible=true\npolicyset.adminCertSet.1.constraint.name=Subject Name Constraint\ndesc=This certificate profile is for enrolling Administrator's certificates suitable for use by clients such as browsers.\npolicyset.adminCertSet.3.constraint.class_id=keyConstraintImpl\npolicyset.adminCertSet.7.constraint.name=No Constraint\npolicyset.adminCertSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.adminCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.adminCertSet.1.default.class_id=userSubjectNameDefaultImpl\npolicyset.adminCertSet.3.default.name=Key Default\npolicyset.adminCertSet.8.default.class_id=signingAlgDefaultImpl\npolicyset.adminCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.adminCertSet.list=1,2,3,4,5,6,7,8\npolicyset.adminCertSet.1.constraint.params.accept=true\npolicyset.adminCertSet.2.default.class_id=validityDefaultImpl\nenable=true\npolicyset.adminCertSet.2.constraint.params.range=365\npolicyset.adminCertSet.8.default.name=Signing Alg\npolicyset.adminCertSet.6.default.params.keyUsageKeyCertSign=false\npolicyset.adminCertSet.6.constraint.name=Key Usage Extension 
Constraint\ninput.i1.class_id=certReqInputImpl\npolicyset.adminCertSet.7.default.params.exKeyUsageCritical=false\nenableBy=admin\npolicyset.adminCertSet.6.default.params.keyUsageKeyEncipherment=true\npolicyset.adminCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096\npolicyset.adminCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4\npolicyset.adminCertSet.3.constraint.params.keyType=RSA\npolicyset.adminCertSet.6.constraint.params.keyUsageDigitalSignature=true\npolicyset.adminCertSet.2.constraint.params.notAfterCheck=false\ninput.i3.class_id=subjectDNInputImpl\npolicyset.adminCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.adminCertSet.5.constraint.name=No Constraint\npolicyset.adminCertSet.2.default.name=Validity Default\npolicyset.adminCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.adminCertSet.5.constraint.class_id=noConstraintImpl\nname=Manual Administrator Certificate Enrollment\npolicyset.adminCertSet.5.default.params.authInfoAccessADEnable_0=true\npolicyset.adminCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.adminCertSet.7.default.name=Extended Key Usage Extension Default\npolicyset.adminCertSet.6.constraint.params.keyUsageDataEncipherment=true\npolicyset.adminCertSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.adminCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.adminCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.adminCertSet.5.default.params.authInfoAccessCritical=false\npolicyset.adminCertSet.8.constraint.class_id=signingAlgConstraintImpl\npolicyset.adminCertSet.4.constraint.name=No Constraint\npolicyset.adminCertSet.6.default.params.keyUsageNonRepudiation=true\npolicyset.adminCertSet.6.constraint.params.keyUsageCritical=true\npolicyset.adminCertSet.1.default.name=Subject Name 
Default\npolicyset.adminCertSet.5.default.params.authInfoAccessADLocation_0=\npolicyset.adminCertSet.6.default.params.keyUsageCrlSign=false\npolicyset.list=adminCertSet\npolicyset.adminCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.adminCertSet.3.constraint.name=Key Constraint\npolicyset.adminCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\npolicyset.adminCertSet.6.default.name=Key Usage Default\npolicyset.adminCertSet.6.constraint.params.keyUsageCrlSign=false\npolicyset.adminCertSet.6.constraint.params.keyUsageKeyEncipherment=true\npolicyset.adminCertSet.1.constraint.params.pattern=.*\npolicyset.adminCertSet.6.default.params.keyUsageCritical=true\npolicyset.adminCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.adminCertSet.6.constraint.params.keyUsageKeyCertSign=false\npolicyset.adminCertSet.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.adminCertSet.6.default.params.keyUsageDecipherOnly=false\npolicyset.adminCertSet.5.default.name=AIA Extension Default\npolicyset.adminCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.adminCertSet.6.default.params.keyUsageDigitalSignature=true\npolicyset.adminCertSet.4.constraint.class_id=noConstraintImpl\n" 2016-03-14T19:09:39Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/AdminCert?action=enable 2016-03-14T19:09:39Z DEBUG request body '' 2016-03-14T19:09:39Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:39Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:39Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:39Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:39Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:39Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:39Z DEBUG Cipher: 
TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:39Z DEBUG response status 204 No Content 2016-03-14T19:09:39Z DEBUG response headers {'date': 'Mon, 14 Mar 2016 19:09:39 GMT', 'content-type': 'application/x-www-form-urlencoded', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:39Z DEBUG response body '' 2016-03-14T19:09:39Z DEBUG request GET https://jutta.cc.umanitoba.ca:8443/ca/rest/account/logout 2016-03-14T19:09:39Z DEBUG request body '' 2016-03-14T19:09:39Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:39Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:39Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:39Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:39Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:39Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:39Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:39Z DEBUG response status 204 No Content 2016-03-14T19:09:39Z DEBUG response headers {'set-cookie': 'JSESSIONID=E4D0075648385CB4879F342DDCC039C3; Path=/ca/; Secure; HttpOnly', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:39 GMT', 'content-type': 'application/xml'} 2016-03-14T19:09:39Z DEBUG response body '' 2016-03-14T19:09:39Z INFO Migrating profile 'caSignedLogCert' to LDAP 2016-03-14T19:09:39Z DEBUG request GET https://jutta.cc.umanitoba.ca:8443/ca/rest/account/login 2016-03-14T19:09:39Z DEBUG request body '' 2016-03-14T19:09:39Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:39Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:39Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:39Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:39Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:39Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:39Z DEBUG Cipher: 
TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:39Z DEBUG response status 200 OK 2016-03-14T19:09:39Z DEBUG response headers {'content-length': '205', 'set-cookie': 'JSESSIONID=4514197732B6242B1934C3B4A4E30F50; Path=/ca/; Secure; HttpOnly', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:39 GMT', 'content-type': 'application/xml'} 2016-03-14T19:09:39Z DEBUG response body 'iparaCertificate Manager AgentsRegistration Manager Agents' 2016-03-14T19:09:39Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/raw 2016-03-14T19:09:39Z DEBUG request body 'desc=This profile is for enrolling audit log signing certificates\nvisible=true\nenable=true\nenableBy=admin\nauth.class_id=\nname=Manual Log Signing Certificate Enrollment\ninput.list=i1,i2\ninput.i1.class_id=certReqInputImpl\ninput.i2.class_id=submitterInfoInputImpl\noutput.list=o1\noutput.o1.class_id=certOutputImpl\npolicyset.list=caLogSigningSet\npolicyset.caLogSigningSet.list=1,2,3,4,6,8,9\npolicyset.caLogSigningSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.caLogSigningSet.1.constraint.name=Subject Name Constraint\npolicyset.caLogSigningSet.1.constraint.params.pattern=CN=.*\npolicyset.caLogSigningSet.1.constraint.params.accept=true\npolicyset.caLogSigningSet.1.default.class_id=userSubjectNameDefaultImpl\npolicyset.caLogSigningSet.1.default.name=Subject Name Default\npolicyset.caLogSigningSet.1.default.params.name=\npolicyset.caLogSigningSet.2.constraint.class_id=validityConstraintImpl\npolicyset.caLogSigningSet.2.constraint.name=Validity Constraint\npolicyset.caLogSigningSet.2.constraint.params.range=720\npolicyset.caLogSigningSet.2.constraint.params.notBeforeCheck=false\npolicyset.caLogSigningSet.2.constraint.params.notAfterCheck=false\npolicyset.caLogSigningSet.2.default.class_id=validityDefaultImpl\npolicyset.caLogSigningSet.2.default.name=Validity 
Default\npolicyset.caLogSigningSet.2.default.params.range=720\npolicyset.caLogSigningSet.2.default.params.startTime=60\npolicyset.caLogSigningSet.3.constraint.class_id=keyConstraintImpl\npolicyset.caLogSigningSet.3.constraint.name=Key Constraint\npolicyset.caLogSigningSet.3.constraint.params.keyType=RSA\npolicyset.caLogSigningSet.3.constraint.params.keyParameters=1024,2048,3072,4096\npolicyset.caLogSigningSet.3.default.class_id=userKeyDefaultImpl\npolicyset.caLogSigningSet.3.default.name=Key Default\npolicyset.caLogSigningSet.4.constraint.class_id=noConstraintImpl\npolicyset.caLogSigningSet.4.constraint.name=No Constraint\npolicyset.caLogSigningSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.caLogSigningSet.4.default.name=Authority Key Identifier Default\npolicyset.caLogSigningSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.caLogSigningSet.6.constraint.name=Key Usage Extension Constraint\npolicyset.caLogSigningSet.6.constraint.params.keyUsageCritical=true\npolicyset.caLogSigningSet.6.constraint.params.keyUsageDigitalSignature=true\npolicyset.caLogSigningSet.6.constraint.params.keyUsageNonRepudiation=true\npolicyset.caLogSigningSet.6.constraint.params.keyUsageDataEncipherment=false\npolicyset.caLogSigningSet.6.constraint.params.keyUsageKeyEncipherment=false\npolicyset.caLogSigningSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.caLogSigningSet.6.constraint.params.keyUsageKeyCertSign=false\npolicyset.caLogSigningSet.6.constraint.params.keyUsageCrlSign=false\npolicyset.caLogSigningSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.caLogSigningSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.caLogSigningSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.caLogSigningSet.6.default.name=Key Usage 
Default\npolicyset.caLogSigningSet.6.default.params.keyUsageCritical=true\npolicyset.caLogSigningSet.6.default.params.keyUsageDigitalSignature=true\npolicyset.caLogSigningSet.6.default.params.keyUsageNonRepudiation=true\npolicyset.caLogSigningSet.6.default.params.keyUsageDataEncipherment=false\npolicyset.caLogSigningSet.6.default.params.keyUsageKeyEncipherment=false\npolicyset.caLogSigningSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.caLogSigningSet.6.default.params.keyUsageKeyCertSign=false\npolicyset.caLogSigningSet.6.default.params.keyUsageCrlSign=false\npolicyset.caLogSigningSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.caLogSigningSet.6.default.params.keyUsageDecipherOnly=false\npolicyset.caLogSigningSet.8.constraint.class_id=noConstraintImpl\npolicyset.caLogSigningSet.8.constraint.name=No Constraint\npolicyset.caLogSigningSet.8.default.class_id=subjectKeyIdentifierExtDefaultImpl\npolicyset.caLogSigningSet.8.default.name=Subject Key Identifier Extension Default\npolicyset.caLogSigningSet.8.default.params.critical=false\npolicyset.caLogSigningSet.9.constraint.class_id=signingAlgConstraintImpl\npolicyset.caLogSigningSet.9.constraint.name=No Constraint\npolicyset.caLogSigningSet.9.constraint.params.signingAlgsAllowed=MD5withRSA,MD2withRSA,SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\npolicyset.caLogSigningSet.9.default.class_id=signingAlgDefaultImpl\npolicyset.caLogSigningSet.9.default.name=Signing Alg\npolicyset.caLogSigningSet.9.default.params.signingAlg=-\nprofileId=caSignedLogCert\nclassId=caEnrollImpl\n' 2016-03-14T19:09:39Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:39Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:39Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:39Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:39Z DEBUG handshake complete, peer = 130.179.19.176:8443 
Constraint\npolicyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.serverCertSet.5.default.name=AIA Extension Default\npolicyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true\npolicyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=\npolicyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.serverCertSet.5.default.params.authInfoAccessCritical=false\npolicyset.serverCertSet.5.default.params.authInfoAccessNumADs=1\npolicyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint\npolicyset.serverCertSet.6.constraint.params.keyUsageCritical=true\npolicyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true\npolicyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true\npolicyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=false\npolicyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true\npolicyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false\npolicyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false\npolicyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.serverCertSet.6.default.name=Key Usage 
Default\npolicyset.serverCertSet.6.default.params.keyUsageCritical=true\npolicyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true\npolicyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true\npolicyset.serverCertSet.6.default.params.keyUsageDataEncipherment=false\npolicyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true\npolicyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false\npolicyset.serverCertSet.6.default.params.keyUsageCrlSign=false\npolicyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false\npolicyset.serverCertSet.7.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.7.constraint.name=No Constraint\npolicyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl\npolicyset.serverCertSet.7.default.name=Extended Key Usage Extension Default\npolicyset.serverCertSet.7.default.params.exKeyUsageCritical=false\npolicyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4\npolicyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl\npolicyset.serverCertSet.8.constraint.name=No Constraint\npolicyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\npolicyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl\npolicyset.serverCertSet.8.default.name=Signing Alg\npolicyset.serverCertSet.8.default.params.signingAlg=-\nprofileId=caRARouterCert\nclassId=caEnrollImpl\n' 2016-03-14T19:09:39Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:39Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:39Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:39Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:39Z DEBUG handshake 
complete, peer = 130.179.19.176:8443 2016-03-14T19:09:39Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:39Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:39Z DEBUG response status 400 Bad Request 2016-03-14T19:09:39Z DEBUG response headers {'transfer-encoding': 'chunked', 'date': 'Mon, 14 Mar 2016 19:09:39 GMT', 'connection': 'close', 'content-type': 'application/json', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:39Z DEBUG response body '{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.BadRequestException","Code":400,"Message":"Profile already exists"}' 2016-03-14T19:09:39Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caRARouterCert?action=disable 2016-03-14T19:09:39Z DEBUG request body '' 2016-03-14T19:09:39Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:39Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:39Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:39Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:39Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:39Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:39Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:39Z DEBUG response status 204 No Content 2016-03-14T19:09:39Z DEBUG response headers {'date': 'Mon, 14 Mar 2016 19:09:39 GMT', 'content-type': 'application/x-www-form-urlencoded', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:39Z DEBUG response body '' 2016-03-14T19:09:39Z DEBUG request PUT https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caRARouterCert/raw 2016-03-14T19:09:39Z DEBUG request body 'desc=This certificate profile is for enrolling router certificates.\nvisible=false\nenable=true\nenableBy=admin\nauth.instance_id=raCertAuth\nname=RA Agent-Authenticated Router Certificate 
Enrollment\ninput.list=i1,i2\ninput.i1.class_id=certReqInputImpl\ninput.i2.class_id=submitterInfoInputImpl\noutput.list=o1\noutput.o1.class_id=certOutputImpl\npolicyset.list=serverCertSet\npolicyset.serverCertSet.list=1,2,3,4,5,6,7,8\npolicyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.serverCertSet.1.constraint.name=Subject Name Constraint\npolicyset.serverCertSet.1.constraint.params.pattern=.*\npolicyset.serverCertSet.1.constraint.params.accept=true\npolicyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl\npolicyset.serverCertSet.1.default.name=Subject Name Default\npolicyset.serverCertSet.1.default.params.name=\npolicyset.serverCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.serverCertSet.2.constraint.name=Validity Constraint\npolicyset.serverCertSet.2.constraint.params.range=720\npolicyset.serverCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.serverCertSet.2.constraint.params.notAfterCheck=false\npolicyset.serverCertSet.2.default.class_id=validityDefaultImpl\npolicyset.serverCertSet.2.default.name=Validity Default\npolicyset.serverCertSet.2.default.params.range=720\npolicyset.serverCertSet.2.default.params.startTime=0\npolicyset.serverCertSet.3.constraint.class_id=keyConstraintImpl\npolicyset.serverCertSet.3.constraint.name=Key Constraint\npolicyset.serverCertSet.3.constraint.params.keyType=RSA\npolicyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096\npolicyset.serverCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.serverCertSet.3.default.name=Key Default\npolicyset.serverCertSet.4.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.4.constraint.name=No Constraint\npolicyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.serverCertSet.4.default.name=Authority Key Identifier Default\npolicyset.serverCertSet.5.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.5.constraint.name=No 
Constraint\npolicyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.serverCertSet.5.default.name=AIA Extension Default\npolicyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true\npolicyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=\npolicyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.serverCertSet.5.default.params.authInfoAccessCritical=false\npolicyset.serverCertSet.5.default.params.authInfoAccessNumADs=1\npolicyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint\npolicyset.serverCertSet.6.constraint.params.keyUsageCritical=true\npolicyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true\npolicyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true\npolicyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=false\npolicyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true\npolicyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false\npolicyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false\npolicyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.serverCertSet.6.default.name=Key Usage 
Default\npolicyset.serverCertSet.6.default.params.keyUsageCritical=true\npolicyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true\npolicyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true\npolicyset.serverCertSet.6.default.params.keyUsageDataEncipherment=false\npolicyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true\npolicyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false\npolicyset.serverCertSet.6.default.params.keyUsageCrlSign=false\npolicyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false\npolicyset.serverCertSet.7.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.7.constraint.name=No Constraint\npolicyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl\npolicyset.serverCertSet.7.default.name=Extended Key Usage Extension Default\npolicyset.serverCertSet.7.default.params.exKeyUsageCritical=false\npolicyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4\npolicyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl\npolicyset.serverCertSet.8.constraint.name=No Constraint\npolicyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\npolicyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl\npolicyset.serverCertSet.8.default.name=Signing Alg\npolicyset.serverCertSet.8.default.params.signingAlg=-\nprofileId=caRARouterCert\nclassId=caEnrollImpl\n' 2016-03-14T19:09:39Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:39Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:39Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:39Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:40Z DEBUG handshake 
complete, peer = 130.179.19.176:8443 2016-03-14T19:09:40Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:40Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:40Z DEBUG response status 200 OK 2016-03-14T19:09:40Z DEBUG response headers {'content-length': '5301', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:39 GMT', 'content-type': 'application/json'} 2016-03-14T19:09:40Z DEBUG response body '#Mon Mar 14 14:09:40 CDT 2016\npolicyset.serverCertSet.4.constraint.name=No Constraint\npolicyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.serverCertSet.5.default.params.authInfoAccessCritical=false\npolicyset.serverCertSet.2.default.params.range=720\npolicyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4\ninput.i2.class_id=submitterInfoInputImpl\nauth.instance_id=raCertAuth\npolicyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true\noutput.o1.class_id=certOutputImpl\npolicyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.serverCertSet.3.constraint.name=Key Constraint\npolicyset.serverCertSet.3.constraint.params.keyType=RSA\npolicyset.serverCertSet.2.constraint.params.range=720\npolicyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true\npolicyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.serverCertSet.6.constraint.params.keyUsageCritical=true\noutput.list=o1\npolicyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\ninput.list=i1,i2\npolicyset.serverCertSet.3.default.name=Key 
Default\npolicyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false\npolicyset.serverCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false\npolicyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true\npolicyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false\nvisible=false\npolicyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true\ndesc=This certificate profile is for enrolling router certificates.\npolicyset.serverCertSet.8.default.name=Signing Alg\npolicyset.serverCertSet.2.constraint.name=Validity Constraint\npolicyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true\npolicyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.serverCertSet.8.constraint.name=No Constraint\npolicyset.serverCertSet.6.default.params.keyUsageDataEncipherment=false\npolicyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.serverCertSet.5.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.1.constraint.name=Subject Name Constraint\npolicyset.serverCertSet.5.default.params.authInfoAccessNumADs=1\npolicyset.serverCertSet.2.default.name=Validity Default\npolicyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl\nenable=true\npolicyset.serverCertSet.1.constraint.params.pattern=.*\npolicyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl\npolicyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096\npolicyset.serverCertSet.2.constraint.params.notAfterCheck=false\npolicyset.serverCertSet.7.default.name=Extended Key Usage Extension Default\npolicyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl\ninput.i1.class_id=certReqInputImpl\nenableBy=admin\npolicyset.serverCertSet.7.constraint.name=No 
Constraint\npolicyset.serverCertSet.list=1,2,3,4,5,6,7,8\npolicyset.serverCertSet.1.default.name=Subject Name Default\npolicyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint\npolicyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl\nname=RA Agent-Authenticated Router Certificate Enrollment\npolicyset.serverCertSet.4.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.2.default.class_id=validityDefaultImpl\npolicyset.serverCertSet.6.default.name=Key Usage Default\npolicyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true\npolicyset.serverCertSet.6.default.params.keyUsageCritical=true\npolicyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\npolicyset.serverCertSet.1.default.params.name=\npolicyset.serverCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.serverCertSet.8.default.params.signingAlg=-\npolicyset.serverCertSet.2.default.params.startTime=0\npolicyset.serverCertSet.7.constraint.class_id=noConstraintImpl\npolicyset.list=serverCertSet\npolicyset.serverCertSet.5.constraint.name=No Constraint\npolicyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=false\npolicyset.serverCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false\npolicyset.serverCertSet.7.default.params.exKeyUsageCritical=false\npolicyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true\npolicyset.serverCertSet.5.default.name=AIA Extension Default\npolicyset.serverCertSet.3.constraint.class_id=keyConstraintImpl\npolicyset.serverCertSet.6.default.params.keyUsageCrlSign=false\npolicyset.serverCertSet.4.default.name=Authority Key Identifier 
Default\npolicyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.serverCertSet.1.constraint.params.accept=true\npolicyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=\n' 2016-03-14T19:09:40Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caRARouterCert?action=enable 2016-03-14T19:09:40Z DEBUG request body '' 2016-03-14T19:09:40Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:40Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:40Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:40Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:40Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:40Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:40Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:40Z DEBUG response status 204 No Content 2016-03-14T19:09:40Z DEBUG response headers {'date': 'Mon, 14 Mar 2016 19:09:40 GMT', 'content-type': 'application/x-www-form-urlencoded', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:40Z DEBUG response body '' 2016-03-14T19:09:40Z DEBUG request GET https://jutta.cc.umanitoba.ca:8443/ca/rest/account/logout 2016-03-14T19:09:40Z DEBUG request body '' 2016-03-14T19:09:40Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:40Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:40Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:40Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:40Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:40Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:40Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:40Z DEBUG response status 204 No Content 2016-03-14T19:09:40Z DEBUG response headers {'set-cookie': 'JSESSIONID=AE2F0C3EFDC7441CBC33785C6C2AD524; Path=/ca/; Secure; HttpOnly', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 
'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:40 GMT', 'content-type': 'application/xml'} 2016-03-14T19:09:40Z DEBUG response body '' 2016-03-14T19:09:40Z INFO Migrating profile 'caRouterCert' to LDAP 2016-03-14T19:09:40Z DEBUG request GET https://jutta.cc.umanitoba.ca:8443/ca/rest/account/login 2016-03-14T19:09:40Z DEBUG request body '' 2016-03-14T19:09:40Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:40Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:40Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:40Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:40Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:40Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:40Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:40Z DEBUG response status 200 OK 2016-03-14T19:09:40Z DEBUG response headers {'content-length': '205', 'set-cookie': 'JSESSIONID=4F1E3DDE232F22C77F4D81BE2D817D47; Path=/ca/; Secure; HttpOnly', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:40 GMT', 'content-type': 'application/xml'} 2016-03-14T19:09:40Z DEBUG response body 'iparaCertificate Manager AgentsRegistration Manager Agents' 2016-03-14T19:09:40Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/raw 2016-03-14T19:09:40Z DEBUG request body 'desc=This certificate profile is for enrolling router certificates.\nvisible=false\nenable=true\nenableBy=admin\nauth.instance_id=flatFileAuth\nname=One Time Pin Router Certificate 
Enrollment\ninput.list=i1,i2\ninput.i1.class_id=certReqInputImpl\ninput.i2.class_id=submitterInfoInputImpl\noutput.list=o1\noutput.o1.class_id=certOutputImpl\npolicyset.list=serverCertSet\npolicyset.serverCertSet.list=1,2,3,4,5,6,7,8\npolicyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.serverCertSet.1.constraint.name=Subject Name Constraint\npolicyset.serverCertSet.1.constraint.params.pattern=.*\npolicyset.serverCertSet.1.constraint.params.accept=true\npolicyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl\npolicyset.serverCertSet.1.default.name=Subject Name Default\npolicyset.serverCertSet.1.default.params.name=\npolicyset.serverCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.serverCertSet.2.constraint.name=Validity Constraint\npolicyset.serverCertSet.2.constraint.params.range=720\npolicyset.serverCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.serverCertSet.2.constraint.params.notAfterCheck=false\npolicyset.serverCertSet.2.default.class_id=validityDefaultImpl\npolicyset.serverCertSet.2.default.name=Validity Default\npolicyset.serverCertSet.2.default.params.range=720\npolicyset.serverCertSet.2.default.params.startTime=0\npolicyset.serverCertSet.3.constraint.class_id=keyConstraintImpl\npolicyset.serverCertSet.3.constraint.name=Key Constraint\npolicyset.serverCertSet.3.constraint.params.keyType=RSA\npolicyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096\npolicyset.serverCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.serverCertSet.3.default.name=Key Default\npolicyset.serverCertSet.4.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.4.constraint.name=No Constraint\npolicyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.serverCertSet.4.default.name=Authority Key Identifier Default\npolicyset.serverCertSet.5.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.5.constraint.name=No 
Constraint\npolicyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.serverCertSet.5.default.name=AIA Extension Default\npolicyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true\npolicyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=\npolicyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.serverCertSet.5.default.params.authInfoAccessCritical=false\npolicyset.serverCertSet.5.default.params.authInfoAccessNumADs=1\npolicyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint\npolicyset.serverCertSet.6.constraint.params.keyUsageCritical=true\npolicyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true\npolicyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true\npolicyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=false\npolicyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true\npolicyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false\npolicyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false\npolicyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.serverCertSet.6.default.name=Key Usage 
Default\npolicyset.serverCertSet.6.default.params.keyUsageCritical=true\npolicyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true\npolicyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true\npolicyset.serverCertSet.6.default.params.keyUsageDataEncipherment=false\npolicyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true\npolicyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false\npolicyset.serverCertSet.6.default.params.keyUsageCrlSign=false\npolicyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false\npolicyset.serverCertSet.7.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.7.constraint.name=No Constraint\npolicyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl\npolicyset.serverCertSet.7.default.name=Extended Key Usage Extension Default\npolicyset.serverCertSet.7.default.params.exKeyUsageCritical=false\npolicyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4\npolicyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl\npolicyset.serverCertSet.8.constraint.name=No Constraint\npolicyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\npolicyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl\npolicyset.serverCertSet.8.default.name=Signing Alg\npolicyset.serverCertSet.8.default.params.signingAlg=-\nprofileId=caRouterCert\nclassId=caEnrollImpl\n' 2016-03-14T19:09:40Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:40Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:40Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:40Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:40Z DEBUG handshake 
complete, peer = 130.179.19.176:8443 2016-03-14T19:09:40Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:40Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:40Z DEBUG response status 400 Bad Request 2016-03-14T19:09:40Z DEBUG response headers {'transfer-encoding': 'chunked', 'date': 'Mon, 14 Mar 2016 19:09:40 GMT', 'connection': 'close', 'content-type': 'application/json', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:40Z DEBUG response body '{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.BadRequestException","Code":400,"Message":"Profile already exists"}' 2016-03-14T19:09:40Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caRouterCert?action=disable 2016-03-14T19:09:40Z DEBUG request body '' 2016-03-14T19:09:40Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:40Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:40Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:40Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:40Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:40Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:40Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:40Z DEBUG response status 204 No Content 2016-03-14T19:09:40Z DEBUG response headers {'date': 'Mon, 14 Mar 2016 19:09:40 GMT', 'content-type': 'application/x-www-form-urlencoded', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:40Z DEBUG response body '' 2016-03-14T19:09:40Z DEBUG request PUT https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caRouterCert/raw 2016-03-14T19:09:40Z DEBUG request body 'desc=This certificate profile is for enrolling router certificates.\nvisible=false\nenable=true\nenableBy=admin\nauth.instance_id=flatFileAuth\nname=One Time Pin Router Certificate 
Enrollment\ninput.list=i1,i2\ninput.i1.class_id=certReqInputImpl\ninput.i2.class_id=submitterInfoInputImpl\noutput.list=o1\noutput.o1.class_id=certOutputImpl\npolicyset.list=serverCertSet\npolicyset.serverCertSet.list=1,2,3,4,5,6,7,8\npolicyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.serverCertSet.1.constraint.name=Subject Name Constraint\npolicyset.serverCertSet.1.constraint.params.pattern=.*\npolicyset.serverCertSet.1.constraint.params.accept=true\npolicyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl\npolicyset.serverCertSet.1.default.name=Subject Name Default\npolicyset.serverCertSet.1.default.params.name=\npolicyset.serverCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.serverCertSet.2.constraint.name=Validity Constraint\npolicyset.serverCertSet.2.constraint.params.range=720\npolicyset.serverCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.serverCertSet.2.constraint.params.notAfterCheck=false\npolicyset.serverCertSet.2.default.class_id=validityDefaultImpl\npolicyset.serverCertSet.2.default.name=Validity Default\npolicyset.serverCertSet.2.default.params.range=720\npolicyset.serverCertSet.2.default.params.startTime=0\npolicyset.serverCertSet.3.constraint.class_id=keyConstraintImpl\npolicyset.serverCertSet.3.constraint.name=Key Constraint\npolicyset.serverCertSet.3.constraint.params.keyType=RSA\npolicyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096\npolicyset.serverCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.serverCertSet.3.default.name=Key Default\npolicyset.serverCertSet.4.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.4.constraint.name=No Constraint\npolicyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.serverCertSet.4.default.name=Authority Key Identifier Default\npolicyset.serverCertSet.5.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.5.constraint.name=No 
Constraint\npolicyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.serverCertSet.5.default.name=AIA Extension Default\npolicyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true\npolicyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=\npolicyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.serverCertSet.5.default.params.authInfoAccessCritical=false\npolicyset.serverCertSet.5.default.params.authInfoAccessNumADs=1\npolicyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint\npolicyset.serverCertSet.6.constraint.params.keyUsageCritical=true\npolicyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true\npolicyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true\npolicyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=false\npolicyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true\npolicyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false\npolicyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false\npolicyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.serverCertSet.6.default.name=Key Usage 
Default\npolicyset.serverCertSet.6.default.params.keyUsageCritical=true\npolicyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true\npolicyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true\npolicyset.serverCertSet.6.default.params.keyUsageDataEncipherment=false\npolicyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true\npolicyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false\npolicyset.serverCertSet.6.default.params.keyUsageCrlSign=false\npolicyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false\npolicyset.serverCertSet.7.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.7.constraint.name=No Constraint\npolicyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl\npolicyset.serverCertSet.7.default.name=Extended Key Usage Extension Default\npolicyset.serverCertSet.7.default.params.exKeyUsageCritical=false\npolicyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4\npolicyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl\npolicyset.serverCertSet.8.constraint.name=No Constraint\npolicyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\npolicyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl\npolicyset.serverCertSet.8.default.name=Signing Alg\npolicyset.serverCertSet.8.default.params.signingAlg=-\nprofileId=caRouterCert\nclassId=caEnrollImpl\n' 2016-03-14T19:09:40Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:40Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:40Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:40Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:40Z DEBUG handshake 
complete, peer = 130.179.19.176:8443 2016-03-14T19:09:40Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:40Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:40Z DEBUG response status 200 OK 2016-03-14T19:09:40Z DEBUG response headers {'content-length': '5293', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:40 GMT', 'content-type': 'application/json'} 2016-03-14T19:09:40Z DEBUG response body '#Mon Mar 14 14:09:40 CDT 2016\npolicyset.serverCertSet.4.constraint.name=No Constraint\npolicyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.serverCertSet.5.default.params.authInfoAccessCritical=false\npolicyset.serverCertSet.2.default.params.range=720\npolicyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4\ninput.i2.class_id=submitterInfoInputImpl\nauth.instance_id=flatFileAuth\npolicyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true\noutput.o1.class_id=certOutputImpl\npolicyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.serverCertSet.3.constraint.name=Key Constraint\npolicyset.serverCertSet.3.constraint.params.keyType=RSA\npolicyset.serverCertSet.2.constraint.params.range=720\npolicyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true\npolicyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.serverCertSet.6.constraint.params.keyUsageCritical=true\noutput.list=o1\npolicyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\ninput.list=i1,i2\npolicyset.serverCertSet.3.default.name=Key 
Default\npolicyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false\npolicyset.serverCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false\npolicyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true\npolicyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false\nvisible=false\npolicyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true\ndesc=This certificate profile is for enrolling router certificates.\npolicyset.serverCertSet.8.default.name=Signing Alg\npolicyset.serverCertSet.2.constraint.name=Validity Constraint\npolicyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true\npolicyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.serverCertSet.8.constraint.name=No Constraint\npolicyset.serverCertSet.6.default.params.keyUsageDataEncipherment=false\npolicyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.serverCertSet.5.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.1.constraint.name=Subject Name Constraint\npolicyset.serverCertSet.5.default.params.authInfoAccessNumADs=1\npolicyset.serverCertSet.2.default.name=Validity Default\npolicyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl\nenable=true\npolicyset.serverCertSet.1.constraint.params.pattern=.*\npolicyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl\npolicyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096\npolicyset.serverCertSet.2.constraint.params.notAfterCheck=false\npolicyset.serverCertSet.7.default.name=Extended Key Usage Extension Default\npolicyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl\ninput.i1.class_id=certReqInputImpl\nenableBy=admin\npolicyset.serverCertSet.7.constraint.name=No 
Constraint\npolicyset.serverCertSet.list=1,2,3,4,5,6,7,8\npolicyset.serverCertSet.1.default.name=Subject Name Default\npolicyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint\npolicyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl\nname=One Time Pin Router Certificate Enrollment\npolicyset.serverCertSet.4.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.2.default.class_id=validityDefaultImpl\npolicyset.serverCertSet.6.default.name=Key Usage Default\npolicyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true\npolicyset.serverCertSet.6.default.params.keyUsageCritical=true\npolicyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\npolicyset.serverCertSet.1.default.params.name=\npolicyset.serverCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.serverCertSet.8.default.params.signingAlg=-\npolicyset.serverCertSet.2.default.params.startTime=0\npolicyset.serverCertSet.7.constraint.class_id=noConstraintImpl\npolicyset.list=serverCertSet\npolicyset.serverCertSet.5.constraint.name=No Constraint\npolicyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=false\npolicyset.serverCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false\npolicyset.serverCertSet.7.default.params.exKeyUsageCritical=false\npolicyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true\npolicyset.serverCertSet.5.default.name=AIA Extension Default\npolicyset.serverCertSet.3.constraint.class_id=keyConstraintImpl\npolicyset.serverCertSet.6.default.params.keyUsageCrlSign=false\npolicyset.serverCertSet.4.default.name=Authority Key Identifier 
Default\npolicyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.serverCertSet.1.constraint.params.accept=true\npolicyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=\n' 2016-03-14T19:09:40Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caRouterCert?action=enable 2016-03-14T19:09:40Z DEBUG request body '' 2016-03-14T19:09:40Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:40Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:40Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:40Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:40Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:40Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:40Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:40Z DEBUG response status 204 No Content 2016-03-14T19:09:40Z DEBUG response headers {'date': 'Mon, 14 Mar 2016 19:09:40 GMT', 'content-type': 'application/x-www-form-urlencoded', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:40Z DEBUG response body '' 2016-03-14T19:09:40Z DEBUG request GET https://jutta.cc.umanitoba.ca:8443/ca/rest/account/logout 2016-03-14T19:09:40Z DEBUG request body '' 2016-03-14T19:09:40Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:40Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:40Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:40Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:40Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:40Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:40Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:40Z DEBUG response status 204 No Content 2016-03-14T19:09:40Z DEBUG response headers {'set-cookie': 'JSESSIONID=4371FA3239504064D9784E3F4C6CD03F; Path=/ca/; Secure; HttpOnly', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 
'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:40 GMT', 'content-type': 'application/xml'} 2016-03-14T19:09:40Z DEBUG response body '' 2016-03-14T19:09:40Z INFO Migrating profile 'caServerCert' to LDAP 2016-03-14T19:09:40Z DEBUG request GET https://jutta.cc.umanitoba.ca:8443/ca/rest/account/login 2016-03-14T19:09:40Z DEBUG request body '' 2016-03-14T19:09:40Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:40Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:40Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:40Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:40Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:40Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:40Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:40Z DEBUG response status 200 OK 2016-03-14T19:09:40Z DEBUG response headers {'content-length': '205', 'set-cookie': 'JSESSIONID=02C4208C06E218A19CCEBE1E390D64B2; Path=/ca/; Secure; HttpOnly', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:40 GMT', 'content-type': 'application/xml'} 2016-03-14T19:09:40Z DEBUG response body 'iparaCertificate Manager AgentsRegistration Manager Agents' 2016-03-14T19:09:40Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/raw 2016-03-14T19:09:40Z DEBUG request body 'desc=This certificate profile is for enrolling server certificates.\nvisible=true\nenable=true\nenableBy=admin\nauth.class_id=\nname=Manual Server Certificate Enrollment\ninput.list=i1,i2\ninput.i1.class_id=certReqInputImpl\ninput.i2.class_id=submitterInfoInputImpl\noutput.list=o1\noutput.o1.class_id=certOutputImpl\npolicyset.list=serverCertSet\npolicyset.serverCertSet.list=1,2,3,4,5,6,7,8\npolicyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.serverCertSet.1.constraint.name=Subject Name 
Constraint\npolicyset.serverCertSet.1.constraint.params.pattern=.*CN=.*\npolicyset.serverCertSet.1.constraint.params.accept=true\npolicyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl\npolicyset.serverCertSet.1.default.name=Subject Name Default\npolicyset.serverCertSet.1.default.params.name=\npolicyset.serverCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.serverCertSet.2.constraint.name=Validity Constraint\npolicyset.serverCertSet.2.constraint.params.range=720\npolicyset.serverCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.serverCertSet.2.constraint.params.notAfterCheck=false\npolicyset.serverCertSet.2.default.class_id=validityDefaultImpl\npolicyset.serverCertSet.2.default.name=Validity Default\npolicyset.serverCertSet.2.default.params.range=720\npolicyset.serverCertSet.2.default.params.startTime=0\npolicyset.serverCertSet.3.constraint.class_id=keyConstraintImpl\npolicyset.serverCertSet.3.constraint.name=Key Constraint\npolicyset.serverCertSet.3.constraint.params.keyType=-\npolicyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521\npolicyset.serverCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.serverCertSet.3.default.name=Key Default\npolicyset.serverCertSet.4.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.4.constraint.name=No Constraint\npolicyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.serverCertSet.4.default.name=Authority Key Identifier Default\npolicyset.serverCertSet.5.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.5.constraint.name=No Constraint\npolicyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.serverCertSet.5.default.name=AIA Extension 
Default\npolicyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true\npolicyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=\npolicyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.serverCertSet.5.default.params.authInfoAccessCritical=false\npolicyset.serverCertSet.5.default.params.authInfoAccessNumADs=1\npolicyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint\npolicyset.serverCertSet.6.constraint.params.keyUsageCritical=true\npolicyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true\npolicyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true\npolicyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true\npolicyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true\npolicyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false\npolicyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false\npolicyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.serverCertSet.6.default.name=Key Usage 
Default\npolicyset.serverCertSet.6.default.params.keyUsageCritical=true\npolicyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true\npolicyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true\npolicyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true\npolicyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true\npolicyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false\npolicyset.serverCertSet.6.default.params.keyUsageCrlSign=false\npolicyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false\npolicyset.serverCertSet.7.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.7.constraint.name=No Constraint\npolicyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl\npolicyset.serverCertSet.7.default.name=Extended Key Usage Extension Default\npolicyset.serverCertSet.7.default.params.exKeyUsageCritical=false\npolicyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2\npolicyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl\npolicyset.serverCertSet.8.constraint.name=No Constraint\npolicyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\npolicyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl\npolicyset.serverCertSet.8.default.name=Signing Alg\npolicyset.serverCertSet.8.default.params.signingAlg=-\nprofileId=caServerCert\nclassId=caEnrollImpl\n' 2016-03-14T19:09:40Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:40Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:40Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:40Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:40Z DEBUG handshake 
complete, peer = 130.179.19.176:8443 2016-03-14T19:09:40Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:40Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:40Z DEBUG response status 400 Bad Request 2016-03-14T19:09:40Z DEBUG response headers {'transfer-encoding': 'chunked', 'date': 'Mon, 14 Mar 2016 19:09:40 GMT', 'connection': 'close', 'content-type': 'application/json', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:40Z DEBUG response body '{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.BadRequestException","Code":400,"Message":"Profile already exists"}' 2016-03-14T19:09:40Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caServerCert?action=disable 2016-03-14T19:09:40Z DEBUG request body '' 2016-03-14T19:09:40Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:40Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:40Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:40Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:40Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:40Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:40Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:40Z DEBUG response status 204 No Content 2016-03-14T19:09:40Z DEBUG response headers {'date': 'Mon, 14 Mar 2016 19:09:40 GMT', 'content-type': 'application/x-www-form-urlencoded', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:40Z DEBUG response body '' 2016-03-14T19:09:40Z DEBUG request PUT https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caServerCert/raw 2016-03-14T19:09:40Z DEBUG request body 'desc=This certificate profile is for enrolling server certificates.\nvisible=true\nenable=true\nenableBy=admin\nauth.class_id=\nname=Manual Server Certificate 
Enrollment\ninput.list=i1,i2\ninput.i1.class_id=certReqInputImpl\ninput.i2.class_id=submitterInfoInputImpl\noutput.list=o1\noutput.o1.class_id=certOutputImpl\npolicyset.list=serverCertSet\npolicyset.serverCertSet.list=1,2,3,4,5,6,7,8\npolicyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.serverCertSet.1.constraint.name=Subject Name Constraint\npolicyset.serverCertSet.1.constraint.params.pattern=.*CN=.*\npolicyset.serverCertSet.1.constraint.params.accept=true\npolicyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl\npolicyset.serverCertSet.1.default.name=Subject Name Default\npolicyset.serverCertSet.1.default.params.name=\npolicyset.serverCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.serverCertSet.2.constraint.name=Validity Constraint\npolicyset.serverCertSet.2.constraint.params.range=720\npolicyset.serverCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.serverCertSet.2.constraint.params.notAfterCheck=false\npolicyset.serverCertSet.2.default.class_id=validityDefaultImpl\npolicyset.serverCertSet.2.default.name=Validity Default\npolicyset.serverCertSet.2.default.params.range=720\npolicyset.serverCertSet.2.default.params.startTime=0\npolicyset.serverCertSet.3.constraint.class_id=keyConstraintImpl\npolicyset.serverCertSet.3.constraint.name=Key Constraint\npolicyset.serverCertSet.3.constraint.params.keyType=-\npolicyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521\npolicyset.serverCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.serverCertSet.3.default.name=Key Default\npolicyset.serverCertSet.4.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.4.constraint.name=No Constraint\npolicyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.serverCertSet.4.default.name=Authority Key Identifier 
Default\npolicyset.serverCertSet.5.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.5.constraint.name=No Constraint\npolicyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.serverCertSet.5.default.name=AIA Extension Default\npolicyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true\npolicyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=\npolicyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.serverCertSet.5.default.params.authInfoAccessCritical=false\npolicyset.serverCertSet.5.default.params.authInfoAccessNumADs=1\npolicyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint\npolicyset.serverCertSet.6.constraint.params.keyUsageCritical=true\npolicyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true\npolicyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true\npolicyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true\npolicyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true\npolicyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false\npolicyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false\npolicyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.serverCertSet.6.default.name=Key Usage 
Default\npolicyset.serverCertSet.6.default.params.keyUsageCritical=true\npolicyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true\npolicyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true\npolicyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true\npolicyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true\npolicyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false\npolicyset.serverCertSet.6.default.params.keyUsageCrlSign=false\npolicyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false\npolicyset.serverCertSet.7.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.7.constraint.name=No Constraint\npolicyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl\npolicyset.serverCertSet.7.default.name=Extended Key Usage Extension Default\npolicyset.serverCertSet.7.default.params.exKeyUsageCritical=false\npolicyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2\npolicyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl\npolicyset.serverCertSet.8.constraint.name=No Constraint\npolicyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\npolicyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl\npolicyset.serverCertSet.8.default.name=Signing Alg\npolicyset.serverCertSet.8.default.params.signingAlg=-\nprofileId=caServerCert\nclassId=caEnrollImpl\n' 2016-03-14T19:09:40Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:40Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:40Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:40Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:40Z DEBUG handshake 
complete, peer = 130.179.19.176:8443 2016-03-14T19:09:40Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:40Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:40Z DEBUG response status 200 OK 2016-03-14T19:09:40Z DEBUG response headers {'content-length': '5299', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:40 GMT', 'content-type': 'application/json'} 2016-03-14T19:09:40Z DEBUG response body '#Mon Mar 14 14:09:40 CDT 2016\npolicyset.serverCertSet.4.constraint.name=No Constraint\npolicyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.serverCertSet.5.default.params.authInfoAccessCritical=false\npolicyset.serverCertSet.2.default.params.range=720\npolicyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2\ninput.i2.class_id=submitterInfoInputImpl\npolicyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true\noutput.o1.class_id=certOutputImpl\npolicyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.serverCertSet.3.constraint.name=Key Constraint\npolicyset.serverCertSet.3.constraint.params.keyType=-\npolicyset.serverCertSet.2.constraint.params.range=720\npolicyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true\npolicyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.serverCertSet.6.constraint.params.keyUsageCritical=true\noutput.list=o1\npolicyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\ninput.list=i1,i2\npolicyset.serverCertSet.3.default.name=Key 
Default\npolicyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false\npolicyset.serverCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false\npolicyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true\npolicyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false\nvisible=true\npolicyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true\ndesc=This certificate profile is for enrolling server certificates.\npolicyset.serverCertSet.8.default.name=Signing Alg\npolicyset.serverCertSet.2.constraint.name=Validity Constraint\npolicyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true\npolicyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.serverCertSet.8.constraint.name=No Constraint\npolicyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true\npolicyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false\nauth.class_id=\npolicyset.serverCertSet.5.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.1.constraint.name=Subject Name Constraint\npolicyset.serverCertSet.5.default.params.authInfoAccessNumADs=1\npolicyset.serverCertSet.2.default.name=Validity Default\npolicyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl\nenable=true\npolicyset.serverCertSet.1.constraint.params.pattern=.*CN=.*\npolicyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl\npolicyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521\npolicyset.serverCertSet.2.constraint.params.notAfterCheck=false\npolicyset.serverCertSet.7.default.name=Extended Key Usage Extension Default\npolicyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl\ninput.i1.class_id=certReqInputImpl\nenableBy=admin\npolicyset.serverCertSet.7.constraint.name=No 
130.179.19.176:8443 2016-03-14T19:09:40Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:40Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:41Z DEBUG response status 200 OK 2016-03-14T19:09:41Z DEBUG response headers {'content-length': '5214', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:40 GMT', 'content-type': 'application/json'} 2016-03-14T19:09:41Z DEBUG response body '#Mon Mar 14 14:09:40 CDT 2016\npolicyset.otherCertSet.3.default.name=Key Default\npolicyset.otherCertSet.1.constraint.params.pattern=CN=.*\npolicyset.otherCertSet.6.constraint.params.keyUsageKeyCertSign=false\ninput.i2.class_id=submitterInfoInputImpl\npolicyset.otherCertSet.2.constraint.params.range=720\npolicyset.otherCertSet.1.default.class_id=userSubjectNameDefaultImpl\noutput.o1.class_id=certOutputImpl\npolicyset.otherCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\npolicyset.otherCertSet.8.default.class_id=signingAlgDefaultImpl\npolicyset.otherCertSet.8.default.name=Signing Alg\npolicyset.otherCertSet.3.constraint.class_id=keyConstraintImpl\npolicyset.otherCertSet.6.constraint.params.keyUsageNonRepudiation=true\npolicyset.otherCertSet.5.default.params.authInfoAccessADEnable_0=true\npolicyset.otherCertSet.2.constraint.name=Validity Constraint\npolicyset.otherCertSet.6.default.params.keyUsageKeyCertSign=false\npolicyset.otherCertSet.2.default.class_id=validityDefaultImpl\noutput.list=o1\npolicyset.otherCertSet.5.default.params.authInfoAccessADLocation_0=\npolicyset.otherCertSet.8.constraint.name=No Constraint\npolicyset.otherCertSet.6.constraint.params.keyUsageKeyEncipherment=true\ninput.list=i1,i2\npolicyset.otherCertSet.2.default.name=Validity 
Default\nvisible=true\npolicyset.otherCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.otherCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521\ndesc=This certificate profile is for enrolling other certificates.\npolicyset.otherCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2\npolicyset.otherCertSet.2.constraint.params.notAfterCheck=false\npolicyset.otherCertSet.7.default.name=Extended Key Usage Extension Default\npolicyset.otherCertSet.list=1,2,3,4,5,6,7,8\npolicyset.otherCertSet.1.constraint.name=Subject Name Constraint\npolicyset.otherCertSet.8.default.params.signingAlg=-\nauth.class_id=\npolicyset.otherCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.otherCertSet.6.default.params.keyUsageDigitalSignature=true\npolicyset.otherCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.otherCertSet.7.constraint.name=No Constraint\npolicyset.otherCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.otherCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.otherCertSet.1.default.name=Subject Name Default\nenable=true\npolicyset.otherCertSet.6.constraint.name=Key Usage Extension Constraint\npolicyset.otherCertSet.6.constraint.params.keyUsageCritical=true\npolicyset.otherCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.otherCertSet.6.default.params.keyUsageDataEncipherment=true\npolicyset.otherCertSet.6.default.name=Key Usage Default\npolicyset.otherCertSet.6.default.params.keyUsageCritical=true\ninput.i1.class_id=certReqInputImpl\nenableBy=admin\npolicyset.otherCertSet.5.constraint.class_id=noConstraintImpl\npolicyset.otherCertSet.7.default.params.exKeyUsageCritical=false\npolicyset.otherCertSet.6.constraint.params.keyUsageDigitalSignature=true\nname=Other Certificate 
Enrollment\npolicyset.otherCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.otherCertSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.otherCertSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.otherCertSet.5.constraint.name=No Constraint\npolicyset.otherCertSet.3.constraint.params.keyType=-\npolicyset.otherCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.otherCertSet.6.constraint.params.keyUsageDataEncipherment=true\npolicyset.otherCertSet.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.otherCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.otherCertSet.8.constraint.class_id=signingAlgConstraintImpl\npolicyset.otherCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.otherCertSet.5.default.name=AIA Extension Default\npolicyset.otherCertSet.2.default.params.startTime=0\npolicyset.otherCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.otherCertSet.4.default.name=Authority Key Identifier Default\npolicyset.list=otherCertSet\npolicyset.otherCertSet.4.constraint.class_id=noConstraintImpl\npolicyset.otherCertSet.6.default.params.keyUsageCrlSign=false\npolicyset.otherCertSet.6.default.params.keyUsageNonRepudiation=true\npolicyset.otherCertSet.4.constraint.name=No Constraint\npolicyset.otherCertSet.6.default.params.keyUsageKeyEncipherment=true\npolicyset.otherCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl\npolicyset.otherCertSet.6.constraint.params.keyUsageCrlSign=false\npolicyset.otherCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.otherCertSet.6.default.params.keyUsageDecipherOnly=false\npolicyset.otherCertSet.2.default.params.range=720\npolicyset.otherCertSet.3.constraint.name=Key 
Constraint\npolicyset.otherCertSet.1.default.params.name=\npolicyset.otherCertSet.5.default.params.authInfoAccessCritical=false\npolicyset.otherCertSet.5.default.params.authInfoAccessNumADs=1\npolicyset.otherCertSet.1.constraint.params.accept=true\npolicyset.otherCertSet.7.constraint.class_id=noConstraintImpl\n' 2016-03-14T19:09:41Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caOtherCert?action=enable 2016-03-14T19:09:41Z DEBUG request body '' 2016-03-14T19:09:41Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:41Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:41Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:41Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:41Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:41Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:41Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:41Z DEBUG response status 204 No Content 2016-03-14T19:09:41Z DEBUG response headers {'date': 'Mon, 14 Mar 2016 19:09:40 GMT', 'content-type': 'application/x-www-form-urlencoded', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:41Z DEBUG response body '' 2016-03-14T19:09:41Z DEBUG request GET https://jutta.cc.umanitoba.ca:8443/ca/rest/account/logout 2016-03-14T19:09:41Z DEBUG request body '' 2016-03-14T19:09:41Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:41Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:41Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:41Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:41Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:41Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:41Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:41Z DEBUG response status 204 No Content 2016-03-14T19:09:41Z DEBUG response headers {'set-cookie': 'JSESSIONID=8A9990212EF7D10927D83DC35731371F; 
Path=/ca/; Secure; HttpOnly', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:40 GMT', 'content-type': 'application/xml'} 2016-03-14T19:09:41Z DEBUG response body '' 2016-03-14T19:09:41Z INFO Migrating profile 'caCACert' to LDAP 2016-03-14T19:09:41Z DEBUG request GET https://jutta.cc.umanitoba.ca:8443/ca/rest/account/login 2016-03-14T19:09:41Z DEBUG request body '' 2016-03-14T19:09:41Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:41Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:41Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:41Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:41Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:41Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:41Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:41Z DEBUG response status 200 OK 2016-03-14T19:09:41Z DEBUG response headers {'content-length': '205', 'set-cookie': 'JSESSIONID=290D2B2E721B4DC8ACE4960696CABCA6; Path=/ca/; Secure; HttpOnly', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:41 GMT', 'content-type': 'application/xml'} 2016-03-14T19:09:41Z DEBUG response body 'iparaCertificate Manager AgentsRegistration Manager Agents' 2016-03-14T19:09:41Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/raw 2016-03-14T19:09:41Z DEBUG request body 'desc=This certificate profile is for enrolling Certificate Authority certificates.\nvisible=true\nenable=true\nenableBy=admin\nauth.class_id=\nname=Manual Certificate Manager Signing Certificate 
Enrollment\ninput.list=i1,i2\ninput.i1.class_id=certReqInputImpl\ninput.i2.class_id=submitterInfoInputImpl\noutput.list=o1\noutput.o1.class_id=certOutputImpl\npolicyset.list=caCertSet\npolicyset.caCertSet.list=1,2,3,4,5,6,8,9,10\npolicyset.caCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.caCertSet.1.constraint.name=Subject Name Constraint\npolicyset.caCertSet.1.constraint.params.pattern=CN=.*\npolicyset.caCertSet.1.constraint.params.accept=true\npolicyset.caCertSet.1.default.class_id=userSubjectNameDefaultImpl\npolicyset.caCertSet.1.default.name=Subject Name Default\npolicyset.caCertSet.1.default.params.name=\npolicyset.caCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.caCertSet.2.constraint.name=Validity Constraint\npolicyset.caCertSet.2.constraint.params.range=7305\npolicyset.caCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.caCertSet.2.constraint.params.notAfterCheck=false\npolicyset.caCertSet.2.default.class_id=caValidityDefaultImpl\npolicyset.caCertSet.2.default.name=CA Certificate Validity Default\npolicyset.caCertSet.2.default.params.range=7305\npolicyset.caCertSet.2.default.params.startTime=0\npolicyset.caCertSet.3.constraint.class_id=keyConstraintImpl\npolicyset.caCertSet.3.constraint.name=Key Constraint\npolicyset.caCertSet.3.constraint.params.keyType=-\npolicyset.caCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521\npolicyset.caCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.caCertSet.3.default.name=Key Default\npolicyset.caCertSet.4.constraint.class_id=noConstraintImpl\npolicyset.caCertSet.4.constraint.name=No Constraint\npolicyset.caCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.caCertSet.4.default.name=Authority Key Identifier Default\npolicyset.caCertSet.5.constraint.class_id=basicConstraintsExtConstraintImpl\npolicyset.caCertSet.5.constraint.name=Basic Constraint Extension 
Constraint\npolicyset.caCertSet.5.constraint.params.basicConstraintsCritical=true\npolicyset.caCertSet.5.constraint.params.basicConstraintsIsCA=true\npolicyset.caCertSet.5.constraint.params.basicConstraintsMinPathLen=-1\npolicyset.caCertSet.5.constraint.params.basicConstraintsMaxPathLen=-1\npolicyset.caCertSet.5.default.class_id=basicConstraintsExtDefaultImpl\npolicyset.caCertSet.5.default.name=Basic Constraints Extension Default\npolicyset.caCertSet.5.default.params.basicConstraintsCritical=true\npolicyset.caCertSet.5.default.params.basicConstraintsIsCA=true\npolicyset.caCertSet.5.default.params.basicConstraintsPathLen=-1\npolicyset.caCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.caCertSet.6.constraint.name=Key Usage Extension Constraint\npolicyset.caCertSet.6.constraint.params.keyUsageCritical=true\npolicyset.caCertSet.6.constraint.params.keyUsageDigitalSignature=true\npolicyset.caCertSet.6.constraint.params.keyUsageNonRepudiation=true\npolicyset.caCertSet.6.constraint.params.keyUsageDataEncipherment=false\npolicyset.caCertSet.6.constraint.params.keyUsageKeyEncipherment=false\npolicyset.caCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.caCertSet.6.constraint.params.keyUsageKeyCertSign=true\npolicyset.caCertSet.6.constraint.params.keyUsageCrlSign=true\npolicyset.caCertSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.caCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.caCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.caCertSet.6.default.name=Key Usage 
Default\npolicyset.caCertSet.6.default.params.keyUsageCritical=true\npolicyset.caCertSet.6.default.params.keyUsageDigitalSignature=true\npolicyset.caCertSet.6.default.params.keyUsageNonRepudiation=true\npolicyset.caCertSet.6.default.params.keyUsageDataEncipherment=false\npolicyset.caCertSet.6.default.params.keyUsageKeyEncipherment=false\npolicyset.caCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.caCertSet.6.default.params.keyUsageKeyCertSign=true\npolicyset.caCertSet.6.default.params.keyUsageCrlSign=true\npolicyset.caCertSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.caCertSet.6.default.params.keyUsageDecipherOnly=false\npolicyset.caCertSet.8.constraint.class_id=noConstraintImpl\npolicyset.caCertSet.8.constraint.name=No Constraint\npolicyset.caCertSet.8.default.class_id=subjectKeyIdentifierExtDefaultImpl\npolicyset.caCertSet.8.default.name=Subject Key Identifier Extension Default\npolicyset.caCertSet.8.default.params.critical=false\npolicyset.caCertSet.9.constraint.class_id=signingAlgConstraintImpl\npolicyset.caCertSet.9.constraint.name=No Constraint\npolicyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\npolicyset.caCertSet.9.default.class_id=signingAlgDefaultImpl\npolicyset.caCertSet.9.default.name=Signing Alg\npolicyset.caCertSet.9.default.params.signingAlg=-\npolicyset.caCertSet.10.constraint.class_id=noConstraintImpl\npolicyset.caCertSet.10.constraint.name=No Constraint\npolicyset.caCertSet.10.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.caCertSet.10.default.name=AIA Extension 
Default\npolicyset.caCertSet.10.default.params.authInfoAccessADEnable_0=true\npolicyset.caCertSet.10.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.caCertSet.10.default.params.authInfoAccessADLocation_0=\npolicyset.caCertSet.10.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.caCertSet.10.default.params.authInfoAccessCritical=false\npolicyset.caCertSet.10.default.params.authInfoAccessNumADs=1\nprofileId=caCACert\nclassId=caEnrollImpl\n' 2016-03-14T19:09:41Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:41Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:41Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:41Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:41Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:41Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:41Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:41Z DEBUG response status 400 Bad Request 2016-03-14T19:09:41Z DEBUG response headers {'transfer-encoding': 'chunked', 'date': 'Mon, 14 Mar 2016 19:09:41 GMT', 'connection': 'close', 'content-type': 'application/json', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:41Z DEBUG response body '{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.BadRequestException","Code":400,"Message":"Profile already exists"}' 2016-03-14T19:09:41Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caCACert?action=disable 2016-03-14T19:09:41Z DEBUG request body '' 2016-03-14T19:09:41Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:41Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:41Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:41Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:41Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:41Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:41Z DEBUG 
Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:41Z DEBUG response status 204 No Content 2016-03-14T19:09:41Z DEBUG response headers {'date': 'Mon, 14 Mar 2016 19:09:41 GMT', 'content-type': 'application/x-www-form-urlencoded', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:41Z DEBUG response body '' 2016-03-14T19:09:41Z DEBUG request PUT https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caCACert/raw 2016-03-14T19:09:41Z DEBUG request body 'desc=This certificate profile is for enrolling Certificate Authority certificates.\nvisible=true\nenable=true\nenableBy=admin\nauth.class_id=\nname=Manual Certificate Manager Signing Certificate Enrollment\ninput.list=i1,i2\ninput.i1.class_id=certReqInputImpl\ninput.i2.class_id=submitterInfoInputImpl\noutput.list=o1\noutput.o1.class_id=certOutputImpl\npolicyset.list=caCertSet\npolicyset.caCertSet.list=1,2,3,4,5,6,8,9,10\npolicyset.caCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.caCertSet.1.constraint.name=Subject Name Constraint\npolicyset.caCertSet.1.constraint.params.pattern=CN=.*\npolicyset.caCertSet.1.constraint.params.accept=true\npolicyset.caCertSet.1.default.class_id=userSubjectNameDefaultImpl\npolicyset.caCertSet.1.default.name=Subject Name Default\npolicyset.caCertSet.1.default.params.name=\npolicyset.caCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.caCertSet.2.constraint.name=Validity Constraint\npolicyset.caCertSet.2.constraint.params.range=7305\npolicyset.caCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.caCertSet.2.constraint.params.notAfterCheck=false\npolicyset.caCertSet.2.default.class_id=caValidityDefaultImpl\npolicyset.caCertSet.2.default.name=CA Certificate Validity Default\npolicyset.caCertSet.2.default.params.range=7305\npolicyset.caCertSet.2.default.params.startTime=0\npolicyset.caCertSet.3.constraint.class_id=keyConstraintImpl\npolicyset.caCertSet.3.constraint.name=Key 
Constraint\npolicyset.caCertSet.3.constraint.params.keyType=-\npolicyset.caCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521\npolicyset.caCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.caCertSet.3.default.name=Key Default\npolicyset.caCertSet.4.constraint.class_id=noConstraintImpl\npolicyset.caCertSet.4.constraint.name=No Constraint\npolicyset.caCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.caCertSet.4.default.name=Authority Key Identifier Default\npolicyset.caCertSet.5.constraint.class_id=basicConstraintsExtConstraintImpl\npolicyset.caCertSet.5.constraint.name=Basic Constraint Extension Constraint\npolicyset.caCertSet.5.constraint.params.basicConstraintsCritical=true\npolicyset.caCertSet.5.constraint.params.basicConstraintsIsCA=true\npolicyset.caCertSet.5.constraint.params.basicConstraintsMinPathLen=-1\npolicyset.caCertSet.5.constraint.params.basicConstraintsMaxPathLen=-1\npolicyset.caCertSet.5.default.class_id=basicConstraintsExtDefaultImpl\npolicyset.caCertSet.5.default.name=Basic Constraints Extension Default\npolicyset.caCertSet.5.default.params.basicConstraintsCritical=true\npolicyset.caCertSet.5.default.params.basicConstraintsIsCA=true\npolicyset.caCertSet.5.default.params.basicConstraintsPathLen=-1\npolicyset.caCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.caCertSet.6.constraint.name=Key Usage Extension 
Constraint\npolicyset.caCertSet.6.constraint.params.keyUsageCritical=true\npolicyset.caCertSet.6.constraint.params.keyUsageDigitalSignature=true\npolicyset.caCertSet.6.constraint.params.keyUsageNonRepudiation=true\npolicyset.caCertSet.6.constraint.params.keyUsageDataEncipherment=false\npolicyset.caCertSet.6.constraint.params.keyUsageKeyEncipherment=false\npolicyset.caCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.caCertSet.6.constraint.params.keyUsageKeyCertSign=true\npolicyset.caCertSet.6.constraint.params.keyUsageCrlSign=true\npolicyset.caCertSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.caCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.caCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.caCertSet.6.default.name=Key Usage Default\npolicyset.caCertSet.6.default.params.keyUsageCritical=true\npolicyset.caCertSet.6.default.params.keyUsageDigitalSignature=true\npolicyset.caCertSet.6.default.params.keyUsageNonRepudiation=true\npolicyset.caCertSet.6.default.params.keyUsageDataEncipherment=false\npolicyset.caCertSet.6.default.params.keyUsageKeyEncipherment=false\npolicyset.caCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.caCertSet.6.default.params.keyUsageKeyCertSign=true\npolicyset.caCertSet.6.default.params.keyUsageCrlSign=true\npolicyset.caCertSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.caCertSet.6.default.params.keyUsageDecipherOnly=false\npolicyset.caCertSet.8.constraint.class_id=noConstraintImpl\npolicyset.caCertSet.8.constraint.name=No Constraint\npolicyset.caCertSet.8.default.class_id=subjectKeyIdentifierExtDefaultImpl\npolicyset.caCertSet.8.default.name=Subject Key Identifier Extension Default\npolicyset.caCertSet.8.default.params.critical=false\npolicyset.caCertSet.9.constraint.class_id=signingAlgConstraintImpl\npolicyset.caCertSet.9.constraint.name=No 
Constraint\npolicyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\npolicyset.caCertSet.9.default.class_id=signingAlgDefaultImpl\npolicyset.caCertSet.9.default.name=Signing Alg\npolicyset.caCertSet.9.default.params.signingAlg=-\npolicyset.caCertSet.10.constraint.class_id=noConstraintImpl\npolicyset.caCertSet.10.constraint.name=No Constraint\npolicyset.caCertSet.10.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.caCertSet.10.default.name=AIA Extension Default\npolicyset.caCertSet.10.default.params.authInfoAccessADEnable_0=true\npolicyset.caCertSet.10.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.caCertSet.10.default.params.authInfoAccessADLocation_0=\npolicyset.caCertSet.10.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.caCertSet.10.default.params.authInfoAccessCritical=false\npolicyset.caCertSet.10.default.params.authInfoAccessNumADs=1\nprofileId=caCACert\nclassId=caEnrollImpl\n' 2016-03-14T19:09:41Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:41Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:41Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:41Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:41Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:41Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:41Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:41Z DEBUG response status 200 OK 2016-03-14T19:09:41Z DEBUG response headers {'content-length': '5742', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:41 GMT', 'content-type': 'application/json'} 2016-03-14T19:09:41Z DEBUG response body '#Mon Mar 14 14:09:41 CDT 
2016\npolicyset.caCertSet.9.constraint.class_id=signingAlgConstraintImpl\npolicyset.caCertSet.5.default.params.basicConstraintsCritical=true\ninput.i2.class_id=submitterInfoInputImpl\noutput.o1.class_id=certOutputImpl\npolicyset.caCertSet.6.constraint.name=Key Usage Extension Constraint\npolicyset.caCertSet.10.constraint.class_id=noConstraintImpl\npolicyset.caCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521\npolicyset.caCertSet.8.default.name=Subject Key Identifier Extension Default\npolicyset.caCertSet.10.default.params.authInfoAccessNumADs=1\npolicyset.caCertSet.2.constraint.params.notAfterCheck=false\npolicyset.caCertSet.3.constraint.params.keyType=-\npolicyset.caCertSet.5.constraint.class_id=basicConstraintsExtConstraintImpl\noutput.list=o1\npolicyset.caCertSet.1.constraint.params.accept=true\ninput.list=i1,i2\npolicyset.caCertSet.10.default.params.authInfoAccessADEnable_0=true\npolicyset.caCertSet.2.default.name=CA Certificate Validity Default\npolicyset.caCertSet.1.default.class_id=userSubjectNameDefaultImpl\nvisible=true\npolicyset.caCertSet.5.constraint.name=Basic Constraint Extension Constraint\npolicyset.caCertSet.8.default.class_id=subjectKeyIdentifierExtDefaultImpl\ndesc=This certificate profile is for enrolling Certificate Authority certificates.\npolicyset.caCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.caCertSet.6.default.params.keyUsageDigitalSignature=true\npolicyset.caCertSet.6.constraint.params.keyUsageDigitalSignature=true\npolicyset.caCertSet.8.constraint.class_id=noConstraintImpl\npolicyset.caCertSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.caCertSet.2.default.class_id=caValidityDefaultImpl\npolicyset.caCertSet.5.constraint.params.basicConstraintsCritical=true\npolicyset.caCertSet.4.constraint.name=No 
Default\npolicyset.caCertSet.2.default.params.range=720\npolicyset.caCertSet.2.default.params.startTime=0\npolicyset.caCertSet.3.constraint.class_id=keyConstraintImpl\npolicyset.caCertSet.3.constraint.name=Key Constraint\npolicyset.caCertSet.3.constraint.params.keyType=-\npolicyset.caCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521\npolicyset.caCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.caCertSet.3.default.name=Key Default\npolicyset.caCertSet.4.constraint.class_id=noConstraintImpl\npolicyset.caCertSet.4.constraint.name=No Constraint\npolicyset.caCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.caCertSet.4.default.name=Authority Key Identifier Default\npolicyset.caCertSet.5.constraint.class_id=basicConstraintsExtConstraintImpl\npolicyset.caCertSet.5.constraint.name=Basic Constraint Extension Constraint\npolicyset.caCertSet.5.constraint.params.basicConstraintsCritical=true\npolicyset.caCertSet.5.constraint.params.basicConstraintsIsCA=true\npolicyset.caCertSet.5.constraint.params.basicConstraintsMinPathLen=-1\npolicyset.caCertSet.5.constraint.params.basicConstraintsMaxPathLen=-1\npolicyset.caCertSet.5.default.class_id=basicConstraintsExtDefaultImpl\npolicyset.caCertSet.5.default.name=Basic Constraints Extension Default\npolicyset.caCertSet.5.default.params.basicConstraintsCritical=true\npolicyset.caCertSet.5.default.params.basicConstraintsIsCA=true\npolicyset.caCertSet.5.default.params.basicConstraintsPathLen=-1\npolicyset.caCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.caCertSet.6.constraint.name=Key Usage Extension 
Constraint\npolicyset.caCertSet.6.constraint.params.keyUsageCritical=true\npolicyset.caCertSet.6.constraint.params.keyUsageDigitalSignature=true\npolicyset.caCertSet.6.constraint.params.keyUsageNonRepudiation=true\npolicyset.caCertSet.6.constraint.params.keyUsageDataEncipherment=false\npolicyset.caCertSet.6.constraint.params.keyUsageKeyEncipherment=false\npolicyset.caCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.caCertSet.6.constraint.params.keyUsageKeyCertSign=true\npolicyset.caCertSet.6.constraint.params.keyUsageCrlSign=true\npolicyset.caCertSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.caCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.caCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.caCertSet.6.default.name=Key Usage Default\npolicyset.caCertSet.6.default.params.keyUsageCritical=true\npolicyset.caCertSet.6.default.params.keyUsageDigitalSignature=true\npolicyset.caCertSet.6.default.params.keyUsageNonRepudiation=true\npolicyset.caCertSet.6.default.params.keyUsageDataEncipherment=false\npolicyset.caCertSet.6.default.params.keyUsageKeyEncipherment=false\npolicyset.caCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.caCertSet.6.default.params.keyUsageKeyCertSign=true\npolicyset.caCertSet.6.default.params.keyUsageCrlSign=true\npolicyset.caCertSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.caCertSet.6.default.params.keyUsageDecipherOnly=false\npolicyset.caCertSet.8.constraint.class_id=noConstraintImpl\npolicyset.caCertSet.8.constraint.name=No Constraint\npolicyset.caCertSet.8.default.class_id=subjectKeyIdentifierExtDefaultImpl\npolicyset.caCertSet.8.default.name=Subject Key Identifier Extension Default\npolicyset.caCertSet.8.default.params.critical=false\npolicyset.caCertSet.9.constraint.class_id=signingAlgConstraintImpl\npolicyset.caCertSet.9.constraint.name=No 
Constraint\npolicyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\npolicyset.caCertSet.9.default.class_id=signingAlgDefaultImpl\npolicyset.caCertSet.9.default.name=Signing Alg\npolicyset.caCertSet.9.default.params.signingAlg=-\npolicyset.caCertSet.10.constraint.class_id=noConstraintImpl\npolicyset.caCertSet.10.constraint.name=No Constraint\npolicyset.caCertSet.10.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.caCertSet.10.default.name=AIA Extension Default\npolicyset.caCertSet.10.default.params.authInfoAccessADEnable_0=true\npolicyset.caCertSet.10.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.caCertSet.10.default.params.authInfoAccessADLocation_0=\npolicyset.caCertSet.10.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.caCertSet.10.default.params.authInfoAccessCritical=false\npolicyset.caCertSet.10.default.params.authInfoAccessNumADs=1\nprofileId=caInstallCACert\nclassId=caEnrollImpl\n' 2016-03-14T19:09:41Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:41Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:41Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:41Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:41Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:41Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:41Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:41Z DEBUG response status 200 OK 2016-03-14T19:09:41Z DEBUG response headers {'content-length': '5981', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:41 GMT', 'content-type': 'application/json'} 2016-03-14T19:09:41Z DEBUG response body '#Mon Mar 14 14:09:41 CDT 
2016\npolicyset.caCertSet.9.constraint.class_id=signingAlgConstraintImpl\npolicyset.caCertSet.5.default.params.basicConstraintsCritical=true\ninput.i2.class_id=submitterInfoInputImpl\nauth.instance_id=TokenAuth\noutput.o1.class_id=certOutputImpl\npolicyset.caCertSet.6.constraint.name=Key Usage Extension Constraint\npolicyset.caCertSet.10.constraint.class_id=noConstraintImpl\npolicyset.caCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521\npolicyset.caCertSet.8.default.name=Subject Key Identifier Extension Default\npolicyset.caCertSet.10.default.params.authInfoAccessNumADs=1\npolicyset.caCertSet.2.constraint.params.notAfterCheck=false\npolicyset.caCertSet.3.constraint.params.keyType=-\npolicyset.caCertSet.5.constraint.class_id=basicConstraintsExtConstraintImpl\nauthz.acl=group="Enterprise OCSP Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"\noutput.list=o1\npolicyset.caCertSet.1.constraint.params.accept=true\ninput.list=i1,i2\npolicyset.caCertSet.10.default.params.authInfoAccessADEnable_0=true\npolicyset.caCertSet.2.default.name=Validity Default\npolicyset.caCertSet.1.default.class_id=userSubjectNameDefaultImpl\nvisible=true\npolicyset.caCertSet.5.constraint.name=Basic Constraint Extension Constraint\npolicyset.caCertSet.8.default.class_id=subjectKeyIdentifierExtDefaultImpl\ndesc=This certificate profile is for enrolling Security Domain Certificate Authority 
certificates.\npolicyset.caCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.caCertSet.6.default.params.keyUsageDigitalSignature=true\npolicyset.caCertSet.6.constraint.params.keyUsageDigitalSignature=true\npolicyset.caCertSet.8.constraint.class_id=noConstraintImpl\npolicyset.caCertSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.caCertSet.2.default.class_id=validityDefaultImpl\npolicyset.caCertSet.5.constraint.params.basicConstraintsCritical=true\npolicyset.caCertSet.4.constraint.name=No Constraint\npolicyset.caCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.caCertSet.5.constraint.params.basicConstraintsMinPathLen=-1\npolicyset.caCertSet.5.constraint.params.basicConstraintsMaxPathLen=-1\npolicyset.caCertSet.5.default.params.basicConstraintsIsCA=true\npolicyset.caCertSet.10.default.params.authInfoAccessCritical=false\npolicyset.caCertSet.6.default.params.keyUsageDataEncipherment=false\npolicyset.caCertSet.6.constraint.params.keyUsageDataEncipherment=false\npolicyset.caCertSet.1.default.name=Subject Name Default\nenable=true\npolicyset.caCertSet.4.constraint.class_id=noConstraintImpl\npolicyset.caCertSet.6.default.params.keyUsageCritical=true\npolicyset.caCertSet.9.default.params.signingAlg=-\npolicyset.caCertSet.10.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.caCertSet.2.constraint.params.range=720\npolicyset.caCertSet.9.default.class_id=signingAlgDefaultImpl\npolicyset.caCertSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.caCertSet.1.constraint.params.pattern=CN=.*\npolicyset.caCertSet.10.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.caCertSet.6.default.name=Key Usage 
Default\npolicyset.caCertSet.8.default.params.critical=false\ninput.i1.class_id=certReqInputImpl\nenableBy=admin\npolicyset.caCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.caCertSet.6.default.params.keyUsageKeyCertSign=true\npolicyset.caCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.caCertSet.5.constraint.params.basicConstraintsIsCA=true\npolicyset.caCertSet.3.constraint.name=Key Constraint\npolicyset.caCertSet.1.default.params.name=\npolicyset.caCertSet.6.default.params.keyUsageDecipherOnly=false\npolicyset.caCertSet.6.default.params.keyUsageNonRepudiation=true\npolicyset.caCertSet.9.constraint.name=No Constraint\nname=Manual Security Domain Certificate Authority Signing Certificate Enrollment\npolicyset.caCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.caCertSet.5.default.params.basicConstraintsPathLen=-1\npolicyset.caCertSet.6.default.params.keyUsageCrlSign=true\npolicyset.caCertSet.6.default.params.keyUsageKeyEncipherment=false\npolicyset.caCertSet.5.default.name=Basic Constraints Extension Default\npolicyset.caCertSet.3.constraint.class_id=keyConstraintImpl\npolicyset.caCertSet.2.constraint.name=Validity Constraint\npolicyset.caCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.caCertSet.10.constraint.name=No Constraint\npolicyset.caCertSet.6.constraint.params.keyUsageKeyCertSign=true\npolicyset.caCertSet.2.default.params.range=720\npolicyset.caCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.caCertSet.8.constraint.name=No Constraint\npolicyset.caCertSet.10.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.caCertSet.4.default.name=Authority Key Identifier Default\npolicyset.list=caCertSet\npolicyset.caCertSet.1.constraint.name=Subject Name 
Constraint\npolicyset.caCertSet.6.constraint.params.keyUsageCritical=true\npolicyset.caCertSet.5.default.class_id=basicConstraintsExtDefaultImpl\npolicyset.caCertSet.list=1,2,3,4,5,6,8,9,10\npolicyset.caCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.caCertSet.10.default.params.authInfoAccessADLocation_0=\npolicyset.caCertSet.6.constraint.params.keyUsageKeyEncipherment=false\npolicyset.caCertSet.6.constraint.params.keyUsageCrlSign=true\npolicyset.caCertSet.6.constraint.params.keyUsageNonRepudiation=true\npolicyset.caCertSet.10.default.name=AIA Extension Default\npolicyset.caCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.caCertSet.2.default.params.startTime=0\npolicyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\npolicyset.caCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.caCertSet.3.default.name=Key Default\npolicyset.caCertSet.9.default.name=Signing Alg\n' 2016-03-14T19:09:41Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caInstallCACert?action=enable 2016-03-14T19:09:41Z DEBUG request body '' 2016-03-14T19:09:41Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:41Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:41Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:41Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:41Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:41Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:41Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:41Z DEBUG response status 204 No Content 2016-03-14T19:09:41Z DEBUG response headers {'date': 'Mon, 14 Mar 2016 19:09:41 GMT', 'content-type': 'application/x-www-form-urlencoded', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:41Z DEBUG response body '' 2016-03-14T19:09:41Z DEBUG request GET 
https://jutta.cc.umanitoba.ca:8443/ca/rest/account/logout 2016-03-14T19:09:41Z DEBUG request body '' 2016-03-14T19:09:41Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:41Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:41Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:41Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:41Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:41Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:41Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:41Z DEBUG response status 204 No Content 2016-03-14T19:09:41Z DEBUG response headers {'set-cookie': 'JSESSIONID=016EF8AABF3F0DFC923DC6BD1C02FD73; Path=/ca/; Secure; HttpOnly', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:41 GMT', 'content-type': 'application/xml'} 2016-03-14T19:09:41Z DEBUG response body '' 2016-03-14T19:09:41Z INFO Migrating profile 'caRACert' to LDAP 2016-03-14T19:09:41Z DEBUG request GET https://jutta.cc.umanitoba.ca:8443/ca/rest/account/login 2016-03-14T19:09:41Z DEBUG request body '' 2016-03-14T19:09:41Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:41Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:41Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:41Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:41Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:41Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:41Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:41Z DEBUG response status 200 OK 2016-03-14T19:09:41Z DEBUG response headers {'content-length': '205', 'set-cookie': 'JSESSIONID=C574DE56803C5C90241533F7D49CD0D8; Path=/ca/; Secure; HttpOnly', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 
2016 19:09:41 GMT', 'content-type': 'application/xml'} 2016-03-14T19:09:41Z DEBUG response body 'iparaCertificate Manager AgentsRegistration Manager Agents' 2016-03-14T19:09:41Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/raw 2016-03-14T19:09:41Z DEBUG request body 'desc=This certificate profile is for enrolling Registration Manager certificates.\nvisible=false\nenable=false\nenableBy=admin\nauth.class_id=\nname=Manual Registration Manager Signing Certificate Enrollment\ninput.list=i1,i2\ninput.i1.class_id=certReqInputImpl\ninput.i2.class_id=submitterInfoInputImpl\noutput.list=o1\noutput.o1.class_id=certOutputImpl\npolicyset.list=raCertSet\npolicyset.raCertSet.list=1,2,3,4,5,6,7,8\npolicyset.raCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.raCertSet.1.constraint.name=Subject Name Constraint\npolicyset.raCertSet.1.constraint.params.pattern=CN=.*\npolicyset.raCertSet.1.constraint.params.accept=true\npolicyset.raCertSet.1.default.class_id=userSubjectNameDefaultImpl\npolicyset.raCertSet.1.default.name=Subject Name Default\npolicyset.raCertSet.1.default.params.name=\npolicyset.raCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.raCertSet.2.constraint.name=Validity Constraint\npolicyset.raCertSet.2.constraint.params.range=720\npolicyset.raCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.raCertSet.2.constraint.params.notAfterCheck=false\npolicyset.raCertSet.2.default.class_id=validityDefaultImpl\npolicyset.raCertSet.2.default.name=Validity Default\npolicyset.raCertSet.2.default.params.range=720\npolicyset.raCertSet.2.default.params.startTime=0\npolicyset.raCertSet.3.constraint.class_id=keyConstraintImpl\npolicyset.raCertSet.3.constraint.name=Key Constraint\npolicyset.raCertSet.3.constraint.params.keyType=RSA\npolicyset.raCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096\npolicyset.raCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.raCertSet.3.default.name=Key 
Default\npolicyset.raCertSet.4.constraint.class_id=noConstraintImpl\npolicyset.raCertSet.4.constraint.name=No Constraint\npolicyset.raCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.raCertSet.4.default.name=Authority Key Identifier Default\npolicyset.raCertSet.5.constraint.class_id=noConstraintImpl\npolicyset.raCertSet.5.constraint.name=No Constraint\npolicyset.raCertSet.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.raCertSet.5.default.name=AIA Extension Default\npolicyset.raCertSet.5.default.params.authInfoAccessADEnable_0=true\npolicyset.raCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.raCertSet.5.default.params.authInfoAccessADLocation_0=\npolicyset.raCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.raCertSet.5.default.params.authInfoAccessCritical=false\npolicyset.raCertSet.5.default.params.authInfoAccessNumADs=1\npolicyset.raCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.raCertSet.6.constraint.name=Key Usage Extension Constraint\npolicyset.raCertSet.6.constraint.params.keyUsageCritical=true\npolicyset.raCertSet.6.constraint.params.keyUsageDigitalSignature=true\npolicyset.raCertSet.6.constraint.params.keyUsageNonRepudiation=true\npolicyset.raCertSet.6.constraint.params.keyUsageDataEncipherment=false\npolicyset.raCertSet.6.constraint.params.keyUsageKeyEncipherment=false\npolicyset.raCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.raCertSet.6.constraint.params.keyUsageKeyCertSign=false\npolicyset.raCertSet.6.constraint.params.keyUsageCrlSign=false\npolicyset.raCertSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.raCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.raCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.raCertSet.6.default.name=Key Usage 
Default\npolicyset.raCertSet.6.default.params.keyUsageCritical=true\npolicyset.raCertSet.6.default.params.keyUsageDigitalSignature=true\npolicyset.raCertSet.6.default.params.keyUsageNonRepudiation=true\npolicyset.raCertSet.6.default.params.keyUsageDataEncipherment=false\npolicyset.raCertSet.6.default.params.keyUsageKeyEncipherment=false\npolicyset.raCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.raCertSet.6.default.params.keyUsageKeyCertSign=false\npolicyset.raCertSet.6.default.params.keyUsageCrlSign=false\npolicyset.raCertSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.raCertSet.6.default.params.keyUsageDecipherOnly=false\npolicyset.raCertSet.7.constraint.class_id=noConstraintImpl\npolicyset.raCertSet.7.constraint.name=No Constraint\npolicyset.raCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl\npolicyset.raCertSet.7.default.name=Extended Key Usage Extension Default\npolicyset.raCertSet.7.default.params.exKeyUsageCritical=false\npolicyset.raCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2\npolicyset.raCertSet.8.constraint.class_id=signingAlgConstraintImpl\npolicyset.raCertSet.8.constraint.name=No Constraint\npolicyset.raCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\npolicyset.raCertSet.8.default.class_id=signingAlgDefaultImpl\npolicyset.raCertSet.8.default.name=Signing Alg\npolicyset.raCertSet.8.default.params.signingAlg=-\nprofileId=caRACert\nclassId=caEnrollImpl\n' 2016-03-14T19:09:41Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:41Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:41Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:41Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:41Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:41Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:41Z DEBUG 
Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:41Z DEBUG response status 400 Bad Request 2016-03-14T19:09:41Z DEBUG response headers {'transfer-encoding': 'chunked', 'date': 'Mon, 14 Mar 2016 19:09:41 GMT', 'connection': 'close', 'content-type': 'application/json', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:41Z DEBUG response body '{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.BadRequestException","Code":400,"Message":"Profile already exists"}' 2016-03-14T19:09:41Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caRACert?action=disable 2016-03-14T19:09:41Z DEBUG request body '' 2016-03-14T19:09:41Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:41Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:41Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:41Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:41Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:41Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:41Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:41Z DEBUG response status 204 No Content 2016-03-14T19:09:41Z DEBUG response headers {'date': 'Mon, 14 Mar 2016 19:09:41 GMT', 'content-type': 'application/x-www-form-urlencoded', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:41Z DEBUG response body '' 2016-03-14T19:09:41Z DEBUG request PUT https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caRACert/raw 2016-03-14T19:09:41Z DEBUG request body 'desc=This certificate profile is for enrolling Registration Manager certificates.\nvisible=false\nenable=false\nenableBy=admin\nauth.class_id=\nname=Manual Registration Manager Signing Certificate 
Enrollment\ninput.list=i1,i2\ninput.i1.class_id=certReqInputImpl\ninput.i2.class_id=submitterInfoInputImpl\noutput.list=o1\noutput.o1.class_id=certOutputImpl\npolicyset.list=raCertSet\npolicyset.raCertSet.list=1,2,3,4,5,6,7,8\npolicyset.raCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.raCertSet.1.constraint.name=Subject Name Constraint\npolicyset.raCertSet.1.constraint.params.pattern=CN=.*\npolicyset.raCertSet.1.constraint.params.accept=true\npolicyset.raCertSet.1.default.class_id=userSubjectNameDefaultImpl\npolicyset.raCertSet.1.default.name=Subject Name Default\npolicyset.raCertSet.1.default.params.name=\npolicyset.raCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.raCertSet.2.constraint.name=Validity Constraint\npolicyset.raCertSet.2.constraint.params.range=720\npolicyset.raCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.raCertSet.2.constraint.params.notAfterCheck=false\npolicyset.raCertSet.2.default.class_id=validityDefaultImpl\npolicyset.raCertSet.2.default.name=Validity Default\npolicyset.raCertSet.2.default.params.range=720\npolicyset.raCertSet.2.default.params.startTime=0\npolicyset.raCertSet.3.constraint.class_id=keyConstraintImpl\npolicyset.raCertSet.3.constraint.name=Key Constraint\npolicyset.raCertSet.3.constraint.params.keyType=RSA\npolicyset.raCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096\npolicyset.raCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.raCertSet.3.default.name=Key Default\npolicyset.raCertSet.4.constraint.class_id=noConstraintImpl\npolicyset.raCertSet.4.constraint.name=No Constraint\npolicyset.raCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.raCertSet.4.default.name=Authority Key Identifier Default\npolicyset.raCertSet.5.constraint.class_id=noConstraintImpl\npolicyset.raCertSet.5.constraint.name=No Constraint\npolicyset.raCertSet.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.raCertSet.5.default.name=AIA Extension 
Default\npolicyset.raCertSet.5.default.params.authInfoAccessADEnable_0=true\npolicyset.raCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.raCertSet.5.default.params.authInfoAccessADLocation_0=\npolicyset.raCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.raCertSet.5.default.params.authInfoAccessCritical=false\npolicyset.raCertSet.5.default.params.authInfoAccessNumADs=1\npolicyset.raCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.raCertSet.6.constraint.name=Key Usage Extension Constraint\npolicyset.raCertSet.6.constraint.params.keyUsageCritical=true\npolicyset.raCertSet.6.constraint.params.keyUsageDigitalSignature=true\npolicyset.raCertSet.6.constraint.params.keyUsageNonRepudiation=true\npolicyset.raCertSet.6.constraint.params.keyUsageDataEncipherment=false\npolicyset.raCertSet.6.constraint.params.keyUsageKeyEncipherment=false\npolicyset.raCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.raCertSet.6.constraint.params.keyUsageKeyCertSign=false\npolicyset.raCertSet.6.constraint.params.keyUsageCrlSign=false\npolicyset.raCertSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.raCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.raCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.raCertSet.6.default.name=Key Usage 
Default\npolicyset.drmStorageCertSet.5.default.params.authInfoAccessADEnable_0=true\npolicyset.drmStorageCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.drmStorageCertSet.5.default.params.authInfoAccessADLocation_0=\npolicyset.drmStorageCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.drmStorageCertSet.5.default.params.authInfoAccessCritical=false\npolicyset.drmStorageCertSet.5.default.params.authInfoAccessNumADs=1\npolicyset.drmStorageCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.drmStorageCertSet.6.constraint.name=Key Usage Extension Constraint\npolicyset.drmStorageCertSet.6.constraint.params.keyUsageCritical=true\npolicyset.drmStorageCertSet.6.constraint.params.keyUsageDigitalSignature=true\npolicyset.drmStorageCertSet.6.constraint.params.keyUsageNonRepudiation=true\npolicyset.drmStorageCertSet.6.constraint.params.keyUsageDataEncipherment=true\npolicyset.drmStorageCertSet.6.constraint.params.keyUsageKeyEncipherment=true\npolicyset.drmStorageCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.drmStorageCertSet.6.constraint.params.keyUsageKeyCertSign=false\npolicyset.drmStorageCertSet.6.constraint.params.keyUsageCrlSign=false\npolicyset.drmStorageCertSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.drmStorageCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.drmStorageCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.drmStorageCertSet.6.default.name=Key Usage 
Default\npolicyset.drmStorageCertSet.6.default.params.keyUsageCritical=true\npolicyset.drmStorageCertSet.6.default.params.keyUsageDigitalSignature=true\npolicyset.drmStorageCertSet.6.default.params.keyUsageNonRepudiation=true\npolicyset.drmStorageCertSet.6.default.params.keyUsageDataEncipherment=true\npolicyset.drmStorageCertSet.6.default.params.keyUsageKeyEncipherment=true\npolicyset.drmStorageCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.drmStorageCertSet.6.default.params.keyUsageKeyCertSign=false\npolicyset.drmStorageCertSet.6.default.params.keyUsageCrlSign=false\npolicyset.drmStorageCertSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.drmStorageCertSet.6.default.params.keyUsageDecipherOnly=false\npolicyset.drmStorageCertSet.7.constraint.class_id=noConstraintImpl\npolicyset.drmStorageCertSet.7.constraint.name=No Constraint\npolicyset.drmStorageCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl\npolicyset.drmStorageCertSet.7.default.name=Extended Key Usage Extension Default\npolicyset.drmStorageCertSet.7.default.params.exKeyUsageCritical=false\npolicyset.drmStorageCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2\npolicyset.drmStorageCertSet.9.constraint.class_id=signingAlgConstraintImpl\npolicyset.drmStorageCertSet.9.constraint.name=No Constraint\npolicyset.drmStorageCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\npolicyset.drmStorageCertSet.9.default.class_id=signingAlgDefaultImpl\npolicyset.drmStorageCertSet.9.default.name=Signing Alg\npolicyset.drmStorageCertSet.9.default.params.signingAlg=-\nprofileId=caStorageCert\nclassId=caEnrollImpl\n' 2016-03-14T19:09:42Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:42Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:42Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:42Z DEBUG cert valid True for 
"CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:42Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:42Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:42Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:42Z DEBUG response status 200 OK 2016-03-14T19:09:42Z DEBUG response headers {'content-length': '5596', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:42 GMT', 'content-type': 'application/json'} 2016-03-14T19:09:42Z DEBUG response body '#Mon Mar 14 14:09:42 CDT 2016\npolicyset.drmStorageCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.drmStorageCertSet.6.default.params.keyUsageDigitalSignature=true\npolicyset.drmStorageCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2\ninput.i2.class_id=submitterInfoInputImpl\npolicyset.drmStorageCertSet.6.constraint.params.keyUsageCrlSign=false\noutput.o1.class_id=certOutputImpl\npolicyset.drmStorageCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.drmStorageCertSet.9.constraint.class_id=signingAlgConstraintImpl\npolicyset.drmStorageCertSet.5.constraint.name=No Constraint\npolicyset.drmStorageCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl\npolicyset.drmStorageCertSet.5.default.params.authInfoAccessADLocation_0=\npolicyset.drmStorageCertSet.2.default.params.range=720\npolicyset.drmStorageCertSet.6.default.params.keyUsageDataEncipherment=true\npolicyset.drmStorageCertSet.1.constraint.params.accept=true\noutput.list=o1\npolicyset.drmStorageCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\npolicyset.drmStorageCertSet.2.constraint.class_id=validityConstraintImpl\ninput.list=i1,i2\npolicyset.drmStorageCertSet.4.default.name=Authority Key Identifier 
Default\npolicyset.drmStorageCertSet.6.default.params.keyUsageNonRepudiation=true\npolicyset.drmStorageCertSet.5.constraint.class_id=noConstraintImpl\nvisible=true\npolicyset.drmStorageCertSet.6.constraint.params.keyUsageKeyEncipherment=true\ndesc=This certificate profile is for enrolling Data Recovery Manager storage certificates.\npolicyset.drmStorageCertSet.1.default.class_id=userSubjectNameDefaultImpl\npolicyset.drmStorageCertSet.9.default.name=Signing Alg\npolicyset.drmStorageCertSet.4.constraint.name=No Constraint\npolicyset.drmStorageCertSet.5.default.params.authInfoAccessCritical=false\npolicyset.drmStorageCertSet.6.constraint.params.keyUsageDigitalSignature=true\npolicyset.drmStorageCertSet.2.default.class_id=validityDefaultImpl\npolicyset.drmStorageCertSet.6.constraint.params.keyUsageKeyCertSign=false\npolicyset.drmStorageCertSet.3.constraint.name=Key Constraint\npolicyset.drmStorageCertSet.3.default.name=Key Default\npolicyset.drmStorageCertSet.6.default.params.keyUsageEncipherOnly=false\nenable=true\npolicyset.drmStorageCertSet.9.default.class_id=signingAlgDefaultImpl\npolicyset.drmStorageCertSet.6.constraint.params.keyUsageDataEncipherment=true\npolicyset.drmStorageCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.drmStorageCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096\npolicyset.drmStorageCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.drmStorageCertSet.2.constraint.params.notAfterCheck=false\npolicyset.drmStorageCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.drmStorageCertSet.4.constraint.class_id=noConstraintImpl\ninput.i1.class_id=certReqInputImpl\nenableBy=admin\npolicyset.drmStorageCertSet.9.constraint.name=No Constraint\npolicyset.drmStorageCertSet.list=1,2,3,4,5,6,7,9\npolicyset.drmStorageCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.drmStorageCertSet.3.constraint.params.keyType=RSA\npolicyset.drmStorageCertSet.2.constraint.name=Validity 
Constraint\npolicyset.drmStorageCertSet.2.default.name=Validity Default\npolicyset.drmStorageCertSet.1.default.params.name=\nname=Manual Data Recovery Manager Storage Certificate Enrollment\npolicyset.drmStorageCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.drmStorageCertSet.6.default.params.keyUsageKeyCertSign=false\npolicyset.drmStorageCertSet.7.constraint.class_id=noConstraintImpl\npolicyset.drmStorageCertSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.drmStorageCertSet.2.constraint.params.range=720\npolicyset.drmStorageCertSet.6.default.params.keyUsageDecipherOnly=false\npolicyset.drmStorageCertSet.1.default.name=Subject Name Default\npolicyset.drmStorageCertSet.7.default.name=Extended Key Usage Extension Default\npolicyset.drmStorageCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.drmStorageCertSet.7.default.params.exKeyUsageCritical=false\npolicyset.drmStorageCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.drmStorageCertSet.1.constraint.name=Subject Name Constraint\npolicyset.drmStorageCertSet.5.default.params.authInfoAccessADEnable_0=true\npolicyset.drmStorageCertSet.9.default.params.signingAlg=-\npolicyset.drmStorageCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.drmStorageCertSet.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.list=drmStorageCertSet\npolicyset.drmStorageCertSet.6.default.params.keyUsageCritical=true\npolicyset.drmStorageCertSet.5.default.params.authInfoAccessNumADs=1\npolicyset.drmStorageCertSet.7.constraint.name=No Constraint\npolicyset.drmStorageCertSet.1.constraint.params.pattern=CN=.*\npolicyset.drmStorageCertSet.6.constraint.params.keyUsageNonRepudiation=true\npolicyset.drmStorageCertSet.6.default.params.keyUsageKeyEncipherment=true\npolicyset.drmStorageCertSet.3.constraint.class_id=keyConstraintImpl\nauth.class.id=\npolicyset.drmStorageCertSet.6.default.name=Key Usage Default\npolicyset.drmStorageCertSet.6.constraint.name=Key 
Usage Extension Constraint\npolicyset.drmStorageCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.drmStorageCertSet.6.constraint.params.keyUsageCritical=true\npolicyset.drmStorageCertSet.2.default.params.startTime=0\npolicyset.drmStorageCertSet.6.default.params.keyUsageCrlSign=false\npolicyset.drmStorageCertSet.5.default.name=AIA Extension Default\n' 2016-03-14T19:09:42Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caStorageCert?action=enable 2016-03-14T19:09:42Z DEBUG request body '' 2016-03-14T19:09:42Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:42Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:42Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:42Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:42Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:42Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:42Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:42Z DEBUG response status 204 No Content 2016-03-14T19:09:42Z DEBUG response headers {'date': 'Mon, 14 Mar 2016 19:09:42 GMT', 'content-type': 'application/x-www-form-urlencoded', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:42Z DEBUG response body '' 2016-03-14T19:09:42Z DEBUG request GET https://jutta.cc.umanitoba.ca:8443/ca/rest/account/logout 2016-03-14T19:09:42Z DEBUG request body '' 2016-03-14T19:09:42Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:42Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:42Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:42Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:42Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:42Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:42Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:42Z DEBUG response status 204 No Content 2016-03-14T19:09:42Z DEBUG response headers 
{'set-cookie': 'JSESSIONID=60775D32E546613CFAD4FC84509F8BEA; Path=/ca/; Secure; HttpOnly', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:42 GMT', 'content-type': 'application/xml'} 2016-03-14T19:09:42Z DEBUG response body '' 2016-03-14T19:09:42Z INFO Migrating profile 'caTransportCert' to LDAP 2016-03-14T19:09:42Z DEBUG request GET https://jutta.cc.umanitoba.ca:8443/ca/rest/account/login 2016-03-14T19:09:42Z DEBUG request body '' 2016-03-14T19:09:42Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:42Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:42Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:42Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:42Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:42Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:42Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:42Z DEBUG response status 200 OK 2016-03-14T19:09:42Z DEBUG response headers {'content-length': '205', 'set-cookie': 'JSESSIONID=DF8E447851438C1FFF34D2DA587A8DE3; Path=/ca/; Secure; HttpOnly', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:42 GMT', 'content-type': 'application/xml'} 2016-03-14T19:09:42Z DEBUG response body 'iparaCertificate Manager AgentsRegistration Manager Agents' 2016-03-14T19:09:42Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/raw 2016-03-14T19:09:42Z DEBUG request body 'desc=This certificate profile is for enrolling Data Recovery Manager transport certificates.\nvisible=true\nenable=true\nenableBy=admin\nauth.class_id=\nname=Manual Data Recovery Manager Transport Certificate 
Enrollment\ninput.list=i1,i2\ninput.i1.class_id=certReqInputImpl\ninput.i2.class_id=submitterInfoInputImpl\noutput.list=o1\noutput.o1.class_id=certOutputImpl\npolicyset.list=transportCertSet\npolicyset.transportCertSet.list=1,2,3,4,5,6,7,8\npolicyset.transportCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.transportCertSet.1.constraint.name=Subject Name Constraint\npolicyset.transportCertSet.1.constraint.params.pattern=CN=.*\npolicyset.transportCertSet.1.constraint.params.accept=true\npolicyset.transportCertSet.1.default.class_id=userSubjectNameDefaultImpl\npolicyset.transportCertSet.1.default.name=Subject Name Default\npolicyset.transportCertSet.1.default.params.name=\npolicyset.transportCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.transportCertSet.2.constraint.name=Validity Constraint\npolicyset.transportCertSet.2.constraint.params.range=720\npolicyset.transportCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.transportCertSet.2.constraint.params.notAfterCheck=false\npolicyset.transportCertSet.2.default.class_id=validityDefaultImpl\npolicyset.transportCertSet.2.default.name=Validity Default\npolicyset.transportCertSet.2.default.params.range=720\npolicyset.transportCertSet.2.default.params.startTime=0\npolicyset.transportCertSet.3.constraint.class_id=keyConstraintImpl\npolicyset.transportCertSet.3.constraint.name=Key Constraint\npolicyset.transportCertSet.3.constraint.params.keyType=RSA\npolicyset.transportCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096\npolicyset.transportCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.transportCertSet.3.default.name=Key Default\npolicyset.transportCertSet.4.constraint.class_id=noConstraintImpl\npolicyset.transportCertSet.4.constraint.name=No Constraint\npolicyset.transportCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.transportCertSet.4.default.name=Authority Key Identifier 
Default\npolicyset.transportCertSet.5.constraint.class_id=noConstraintImpl\npolicyset.transportCertSet.5.constraint.name=No Constraint\npolicyset.transportCertSet.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.transportCertSet.5.default.name=AIA Extension Default\npolicyset.transportCertSet.5.default.params.authInfoAccessADEnable_0=true\npolicyset.transportCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.transportCertSet.5.default.params.authInfoAccessADLocation_0=\npolicyset.transportCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.transportCertSet.5.default.params.authInfoAccessCritical=false\npolicyset.transportCertSet.5.default.params.authInfoAccessNumADs=1\npolicyset.transportCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.transportCertSet.6.constraint.name=Key Usage Extension Constraint\npolicyset.transportCertSet.6.constraint.params.keyUsageCritical=true\npolicyset.transportCertSet.6.constraint.params.keyUsageDigitalSignature=true\npolicyset.transportCertSet.6.constraint.params.keyUsageNonRepudiation=true\npolicyset.transportCertSet.6.constraint.params.keyUsageDataEncipherment=true\npolicyset.transportCertSet.6.constraint.params.keyUsageKeyEncipherment=true\npolicyset.transportCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.transportCertSet.6.constraint.params.keyUsageKeyCertSign=false\npolicyset.transportCertSet.6.constraint.params.keyUsageCrlSign=false\npolicyset.transportCertSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.transportCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.transportCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.transportCertSet.6.default.name=Key Usage 
Default\npolicyset.transportCertSet.6.default.params.keyUsageCritical=true\npolicyset.transportCertSet.6.default.params.keyUsageDigitalSignature=true\npolicyset.transportCertSet.6.default.params.keyUsageNonRepudiation=true\npolicyset.transportCertSet.6.default.params.keyUsageDataEncipherment=true\npolicyset.transportCertSet.6.default.params.keyUsageKeyEncipherment=true\npolicyset.transportCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.transportCertSet.6.default.params.keyUsageKeyCertSign=false\npolicyset.transportCertSet.6.default.params.keyUsageCrlSign=false\npolicyset.transportCertSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.transportCertSet.6.default.params.keyUsageDecipherOnly=false\npolicyset.transportCertSet.7.constraint.class_id=noConstraintImpl\npolicyset.transportCertSet.7.constraint.name=No Constraint\npolicyset.transportCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl\npolicyset.transportCertSet.7.default.name=Extended Key Usage Extension Default\npolicyset.transportCertSet.7.default.params.exKeyUsageCritical=false\npolicyset.transportCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2\npolicyset.transportCertSet.8.constraint.class_id=signingAlgConstraintImpl\npolicyset.transportCertSet.8.constraint.name=No Constraint\npolicyset.transportCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\npolicyset.transportCertSet.8.default.class_id=signingAlgDefaultImpl\npolicyset.transportCertSet.8.default.name=Signing Alg\npolicyset.transportCertSet.8.default.params.signingAlg=-\nprofileId=caTransportCert\nclassId=caEnrollImpl\n' 2016-03-14T19:09:42Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:42Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:42Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:42Z DEBUG cert valid True for 
"CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:42Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:42Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:42Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:42Z DEBUG response status 400 Bad Request 2016-03-14T19:09:42Z DEBUG response headers {'transfer-encoding': 'chunked', 'date': 'Mon, 14 Mar 2016 19:09:42 GMT', 'connection': 'close', 'content-type': 'application/json', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:42Z DEBUG response body '{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.BadRequestException","Code":400,"Message":"Profile already exists"}' 2016-03-14T19:09:42Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caTransportCert?action=disable 2016-03-14T19:09:42Z DEBUG request body '' 2016-03-14T19:09:42Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:42Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:42Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:42Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:42Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:42Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:42Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:42Z DEBUG response status 204 No Content 2016-03-14T19:09:42Z DEBUG response headers {'date': 'Mon, 14 Mar 2016 19:09:42 GMT', 'content-type': 'application/x-www-form-urlencoded', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:42Z DEBUG response body '' 2016-03-14T19:09:42Z DEBUG request PUT https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caTransportCert/raw 2016-03-14T19:09:42Z DEBUG request body 'desc=This certificate profile is for enrolling Data Recovery Manager transport certificates.\nvisible=true\nenable=true\nenableBy=admin\nauth.class_id=\nname=Manual Data Recovery Manager Transport Certificate 
Enrollment\ninput.list=i1,i2\ninput.i1.class_id=certReqInputImpl\ninput.i2.class_id=submitterInfoInputImpl\noutput.list=o1\noutput.o1.class_id=certOutputImpl\npolicyset.list=transportCertSet\npolicyset.transportCertSet.list=1,2,3,4,5,6,7,8\npolicyset.transportCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.transportCertSet.1.constraint.name=Subject Name Constraint\npolicyset.transportCertSet.1.constraint.params.pattern=CN=.*\npolicyset.transportCertSet.1.constraint.params.accept=true\npolicyset.transportCertSet.1.default.class_id=userSubjectNameDefaultImpl\npolicyset.transportCertSet.1.default.name=Subject Name Default\npolicyset.transportCertSet.1.default.params.name=\npolicyset.transportCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.transportCertSet.2.constraint.name=Validity Constraint\npolicyset.transportCertSet.2.constraint.params.range=720\npolicyset.transportCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.transportCertSet.2.constraint.params.notAfterCheck=false\npolicyset.transportCertSet.2.default.class_id=validityDefaultImpl\npolicyset.transportCertSet.2.default.name=Validity Default\npolicyset.transportCertSet.2.default.params.range=720\npolicyset.transportCertSet.2.default.params.startTime=0\npolicyset.transportCertSet.3.constraint.class_id=keyConstraintImpl\npolicyset.transportCertSet.3.constraint.name=Key Constraint\npolicyset.transportCertSet.3.constraint.params.keyType=RSA\npolicyset.transportCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096\npolicyset.transportCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.transportCertSet.3.default.name=Key Default\npolicyset.transportCertSet.4.constraint.class_id=noConstraintImpl\npolicyset.transportCertSet.4.constraint.name=No Constraint\npolicyset.transportCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.transportCertSet.4.default.name=Authority Key Identifier 
Default\npolicyset.transportCertSet.5.constraint.class_id=noConstraintImpl\npolicyset.transportCertSet.5.constraint.name=No Constraint\npolicyset.transportCertSet.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.transportCertSet.5.default.name=AIA Extension Default\npolicyset.transportCertSet.5.default.params.authInfoAccessADEnable_0=true\npolicyset.transportCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.transportCertSet.5.default.params.authInfoAccessADLocation_0=\npolicyset.transportCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.transportCertSet.5.default.params.authInfoAccessCritical=false\npolicyset.transportCertSet.5.default.params.authInfoAccessNumADs=1\npolicyset.transportCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.transportCertSet.6.constraint.name=Key Usage Extension Constraint\npolicyset.transportCertSet.6.constraint.params.keyUsageCritical=true\npolicyset.transportCertSet.6.constraint.params.keyUsageDigitalSignature=true\npolicyset.transportCertSet.6.constraint.params.keyUsageNonRepudiation=true\npolicyset.transportCertSet.6.constraint.params.keyUsageDataEncipherment=true\npolicyset.transportCertSet.6.constraint.params.keyUsageKeyEncipherment=true\npolicyset.transportCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.transportCertSet.6.constraint.params.keyUsageKeyCertSign=false\npolicyset.transportCertSet.6.constraint.params.keyUsageCrlSign=false\npolicyset.transportCertSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.transportCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.transportCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.transportCertSet.6.default.name=Key Usage 
Default\npolicyset.transportCertSet.6.default.params.keyUsageCritical=true\npolicyset.transportCertSet.6.default.params.keyUsageDigitalSignature=true\npolicyset.transportCertSet.6.default.params.keyUsageNonRepudiation=true\npolicyset.transportCertSet.6.default.params.keyUsageDataEncipherment=true\npolicyset.transportCertSet.6.default.params.keyUsageKeyEncipherment=true\npolicyset.transportCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.transportCertSet.6.default.params.keyUsageKeyCertSign=false\npolicyset.transportCertSet.6.default.params.keyUsageCrlSign=false\npolicyset.transportCertSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.transportCertSet.6.default.params.keyUsageDecipherOnly=false\npolicyset.transportCertSet.7.constraint.class_id=noConstraintImpl\npolicyset.transportCertSet.7.constraint.name=No Constraint\npolicyset.transportCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl\npolicyset.transportCertSet.7.default.name=Extended Key Usage Extension Default\npolicyset.transportCertSet.7.default.params.exKeyUsageCritical=false\npolicyset.transportCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2\npolicyset.transportCertSet.8.constraint.class_id=signingAlgConstraintImpl\npolicyset.transportCertSet.8.constraint.name=No Constraint\npolicyset.transportCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\npolicyset.transportCertSet.8.default.class_id=signingAlgDefaultImpl\npolicyset.transportCertSet.8.default.name=Signing Alg\npolicyset.transportCertSet.8.default.params.signingAlg=-\nprofileId=caTransportCert\nclassId=caEnrollImpl\n' 2016-03-14T19:09:42Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:42Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:42Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:42Z DEBUG cert valid True for 
Default\npolicyset.userCertSet.7.default.params.exKeyUsageCritical=false\npolicyset.userCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4\npolicyset.userCertSet.8.constraint.class_id=noConstraintImpl\npolicyset.userCertSet.8.constraint.name=No Constraint\npolicyset.userCertSet.8.default.class_id=subjectAltNameExtDefaultImpl\npolicyset.userCertSet.8.default.name=Subject Alt Name Constraint\npolicyset.userCertSet.8.default.params.subjAltNameExtCritical=false\npolicyset.userCertSet.8.default.params.subjAltExtType_0=RFC822Name\npolicyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$\npolicyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true\npolicyset.userCertSet.8.default.params.subjAltNameNumGNs=1\npolicyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl\npolicyset.userCertSet.9.constraint.name=No Constraint\npolicyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\npolicyset.userCertSet.9.default.class_id=signingAlgDefaultImpl\npolicyset.userCertSet.9.default.name=Signing Alg\npolicyset.userCertSet.9.default.params.signingAlg=-\nprofileId=caDirUserCert\nclassId=caEnrollImpl\n' 2016-03-14T19:09:43Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:43Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:43Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:43Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:43Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:43Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:43Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:43Z DEBUG response status 400 Bad Request 2016-03-14T19:09:43Z DEBUG response headers {'transfer-encoding': 'chunked', 'date': 'Mon, 14 Mar 2016 19:09:42 GMT', 'connection': 'close', 'content-type': 
'application/json', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:43Z DEBUG response body '{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.BadRequestException","Code":400,"Message":"Profile already exists"}' 2016-03-14T19:09:43Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caDirUserCert?action=disable 2016-03-14T19:09:43Z DEBUG request body '' 2016-03-14T19:09:43Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:43Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:43Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:43Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:43Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:43Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:43Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:43Z DEBUG response status 204 No Content 2016-03-14T19:09:43Z DEBUG response headers {'date': 'Mon, 14 Mar 2016 19:09:42 GMT', 'content-type': 'application/x-www-form-urlencoded', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:43Z DEBUG response body '' 2016-03-14T19:09:43Z DEBUG request PUT https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caDirUserCert/raw 2016-03-14T19:09:43Z DEBUG request body 'desc=This certificate profile is for enrolling user certificates with directory-based authentication.\nvisible=true\nenable=true\nenableBy=admin\nname=Directory-Authenticated User Dual-Use Certificate Enrollment\nauth.instance_id=UserDirEnrollment\ninput.list=i1\ninput.i1.class_id=keyGenInputImpl\noutput.list=o1\noutput.o1.class_id=certOutputImpl\npolicyset.list=userCertSet\npolicyset.userCertSet.list=1,10,2,3,4,5,6,7,8,9\npolicyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.userCertSet.1.constraint.name=Subject Name 
Constraint\npolicyset.userCertSet.1.constraint.params.pattern=(UID|CN)=.*\npolicyset.userCertSet.1.constraint.params.accept=true\npolicyset.userCertSet.1.default.class_id=authTokenSubjectNameDefaultImpl\npolicyset.userCertSet.1.default.name=Subject Name Default\npolicyset.userCertSet.1.default.params.name=\npolicyset.userCertSet.10.constraint.class_id=renewGracePeriodConstraintImpl\npolicyset.userCertSet.10.constraint.name=Renewal Grace Period Constraint\npolicyset.userCertSet.10.constraint.params.renewal.graceBefore=30\npolicyset.userCertSet.10.constraint.params.renewal.graceAfter=30\npolicyset.userCertSet.10.default.class_id=noDefaultImpl\npolicyset.userCertSet.10.default.name=No Default\npolicyset.userCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.userCertSet.2.constraint.name=Validity Constraint\npolicyset.userCertSet.2.constraint.params.range=365\npolicyset.userCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.userCertSet.2.constraint.params.notAfterCheck=false\npolicyset.userCertSet.2.default.class_id=validityDefaultImpl\npolicyset.userCertSet.2.default.name=Validity Default\npolicyset.userCertSet.2.default.params.range=180\npolicyset.userCertSet.2.default.params.startTime=0\npolicyset.userCertSet.3.constraint.class_id=keyConstraintImpl\npolicyset.userCertSet.3.constraint.name=Key Constraint\npolicyset.userCertSet.3.constraint.params.keyType=-\npolicyset.userCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521\npolicyset.userCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.userCertSet.3.default.name=Key Default\npolicyset.userCertSet.4.constraint.class_id=noConstraintImpl\npolicyset.userCertSet.4.constraint.name=No Constraint\npolicyset.userCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.userCertSet.4.default.name=Authority Key Identifier Default\npolicyset.userCertSet.5.constraint.class_id=noConstraintImpl\npolicyset.userCertSet.5.constraint.name=No 
Constraint\npolicyset.userCertSet.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.userCertSet.5.default.name=AIA Extension Default\npolicyset.userCertSet.5.default.params.authInfoAccessADEnable_0=true\npolicyset.userCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.userCertSet.5.default.params.authInfoAccessADLocation_0=\npolicyset.userCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.userCertSet.5.default.params.authInfoAccessCritical=false\npolicyset.userCertSet.5.default.params.authInfoAccessNumADs=1\npolicyset.userCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.userCertSet.6.constraint.name=Key Usage Extension Constraint\npolicyset.userCertSet.6.constraint.params.keyUsageCritical=true\npolicyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true\npolicyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true\npolicyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=false\npolicyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=true\npolicyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false\npolicyset.userCertSet.6.constraint.params.keyUsageCrlSign=false\npolicyset.userCertSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.userCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.userCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.userCertSet.6.default.name=Key Usage 
Default\npolicyset.userCertSet.6.default.params.keyUsageCritical=true\npolicyset.userCertSet.6.default.params.keyUsageDigitalSignature=true\npolicyset.userCertSet.6.default.params.keyUsageNonRepudiation=true\npolicyset.userCertSet.6.default.params.keyUsageDataEncipherment=false\npolicyset.userCertSet.6.default.params.keyUsageKeyEncipherment=true\npolicyset.userCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.userCertSet.6.default.params.keyUsageKeyCertSign=false\npolicyset.userCertSet.6.default.params.keyUsageCrlSign=false\npolicyset.userCertSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.userCertSet.6.default.params.keyUsageDecipherOnly=false\npolicyset.userCertSet.7.constraint.class_id=noConstraintImpl\npolicyset.userCertSet.7.constraint.name=No Constraint\npolicyset.userCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl\npolicyset.userCertSet.7.default.name=Extended Key Usage Extension Default\npolicyset.userCertSet.7.default.params.exKeyUsageCritical=false\npolicyset.userCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4\npolicyset.userCertSet.8.constraint.class_id=noConstraintImpl\npolicyset.userCertSet.8.constraint.name=No Constraint\npolicyset.userCertSet.8.default.class_id=subjectAltNameExtDefaultImpl\npolicyset.userCertSet.8.default.name=Subject Alt Name Constraint\npolicyset.userCertSet.8.default.params.subjAltNameExtCritical=false\npolicyset.userCertSet.8.default.params.subjAltExtType_0=RFC822Name\npolicyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$\npolicyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true\npolicyset.userCertSet.8.default.params.subjAltNameNumGNs=1\npolicyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl\npolicyset.userCertSet.9.constraint.name=No 
Constraint\npolicyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\npolicyset.userCertSet.9.default.class_id=signingAlgDefaultImpl\npolicyset.userCertSet.9.default.name=Signing Alg\npolicyset.userCertSet.9.default.params.signingAlg=-\nprofileId=caDirUserCert\nclassId=caEnrollImpl\n' 2016-03-14T19:09:43Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:43Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:43Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:43Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:43Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:43Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:43Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:43Z DEBUG response status 200 OK 2016-03-14T19:09:43Z DEBUG response headers {'content-length': '6179', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:43 GMT', 'content-type': 'application/json'} 2016-03-14T19:09:43Z DEBUG response body '#Mon Mar 14 14:09:43 CDT 2016\npolicyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true\npolicyset.userCertSet.7.constraint.class_id=noConstraintImpl\npolicyset.userCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.userCertSet.3.constraint.params.keyType=-\nauth.instance_id=UserDirEnrollment\npolicyset.userCertSet.7.default.params.exKeyUsageCritical=false\npolicyset.userCertSet.10.constraint.params.renewal.graceBefore=30\noutput.o1.class_id=certOutputImpl\npolicyset.userCertSet.3.default.name=Key Default\npolicyset.userCertSet.5.constraint.name=No 
Constraint\npolicyset.userCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl\npolicyset.userCertSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false\npolicyset.userCertSet.1.default.class_id=authTokenSubjectNameDefaultImpl\npolicyset.userCertSet.3.constraint.class_id=keyConstraintImpl\noutput.list=o1\npolicyset.userCertSet.8.default.name=Subject Alt Name Constraint\ninput.list=i1\npolicyset.userCertSet.8.default.class_id=subjectAltNameExtDefaultImpl\npolicyset.userCertSet.2.constraint.params.range=365\nvisible=true\npolicyset.userCertSet.6.default.params.keyUsageDecipherOnly=false\npolicyset.userCertSet.2.default.class_id=validityDefaultImpl\npolicyset.userCertSet.8.default.params.subjAltNameExtCritical=false\npolicyset.userCertSet.2.default.name=Validity Default\ndesc=This certificate profile is for enrolling user certificates with directory-based authentication.\npolicyset.userCertSet.4.constraint.name=No Constraint\npolicyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true\npolicyset.userCertSet.10.default.class_id=noDefaultImpl\npolicyset.userCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.userCertSet.10.constraint.params.renewal.graceAfter=30\npolicyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl\npolicyset.userCertSet.6.default.params.keyUsageKeyCertSign=false\npolicyset.userCertSet.9.default.params.signingAlg=-\npolicyset.userCertSet.7.default.name=Extended Key Usage Extension 
Default\npolicyset.userCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.userCertSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.userCertSet.1.constraint.params.pattern=(UID|CN)=.*\npolicyset.userCertSet.5.default.params.authInfoAccessNumADs=1\npolicyset.userCertSet.9.default.class_id=signingAlgDefaultImpl\npolicyset.userCertSet.6.constraint.params.keyUsageCrlSign=false\npolicyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=false\npolicyset.userCertSet.8.default.params.subjAltNameNumGNs=1\npolicyset.userCertSet.2.default.params.range=180\npolicyset.userCertSet.6.default.params.keyUsageCrlSign=false\nenable=true\npolicyset.userCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.userCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.userCertSet.3.constraint.name=Key Constraint\npolicyset.userCertSet.1.default.name=Subject Name Default\npolicyset.userCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4\npolicyset.userCertSet.9.constraint.name=No Constraint\ninput.i1.class_id=keyGenInputImpl\nenableBy=admin\npolicyset.userCertSet.5.default.params.authInfoAccessADEnable_0=true\npolicyset.userCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521\npolicyset.userCertSet.10.default.name=No Default\npolicyset.userCertSet.2.constraint.params.notAfterCheck=false\npolicyset.userCertSet.2.constraint.name=Validity Constraint\npolicyset.userCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.userCertSet.2.default.params.startTime=0\npolicyset.userCertSet.6.default.name=Key Usage Default\npolicyset.userCertSet.5.constraint.class_id=noConstraintImpl\npolicyset.userCertSet.6.default.params.keyUsageKeyEncipherment=true\npolicyset.userCertSet.8.constraint.class_id=noConstraintImpl\nname=Directory-Authenticated User Dual-Use Certificate 
Enrollment\npolicyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true\npolicyset.userCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.userCertSet.5.default.name=AIA Extension Default\npolicyset.userCertSet.6.constraint.params.keyUsageCritical=true\npolicyset.userCertSet.5.default.params.authInfoAccessADLocation_0=\npolicyset.userCertSet.10.constraint.name=Renewal Grace Period Constraint\npolicyset.userCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.userCertSet.list=1,10,2,3,4,5,6,7,8,9\npolicyset.userCertSet.8.constraint.name=No Constraint\npolicyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.userCertSet.10.constraint.class_id=renewGracePeriodConstraintImpl\npolicyset.userCertSet.1.constraint.name=Subject Name Constraint\npolicyset.userCertSet.1.constraint.params.accept=true\npolicyset.userCertSet.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.userCertSet.7.constraint.name=No Constraint\npolicyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=true\npolicyset.userCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.list=userCertSet\npolicyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$\npolicyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\npolicyset.userCertSet.4.default.name=Authority Key Identifier 
Default\npolicyset.userCertSet.4.constraint.class_id=noConstraintImpl\npolicyset.userCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.userCertSet.6.default.params.keyUsageDigitalSignature=true\npolicyset.userCertSet.6.default.params.keyUsageCritical=true\npolicyset.userCertSet.8.default.params.subjAltExtType_0=RFC822Name\npolicyset.userCertSet.5.default.params.authInfoAccessCritical=false\npolicyset.userCertSet.6.default.params.keyUsageNonRepudiation=true\npolicyset.userCertSet.9.default.name=Signing Alg\npolicyset.userCertSet.6.constraint.name=Key Usage Extension Constraint\npolicyset.userCertSet.1.default.params.name=\npolicyset.userCertSet.6.default.params.keyUsageDataEncipherment=false\n' 2016-03-14T19:09:43Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caDirUserCert?action=enable 2016-03-14T19:09:43Z DEBUG request body '' 2016-03-14T19:09:43Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:43Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:43Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:43Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:43Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:43Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:43Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:43Z DEBUG response status 204 No Content 2016-03-14T19:09:43Z DEBUG response headers {'date': 'Mon, 14 Mar 2016 19:09:43 GMT', 'content-type': 'application/x-www-form-urlencoded', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:43Z DEBUG response body '' 2016-03-14T19:09:43Z DEBUG request GET https://jutta.cc.umanitoba.ca:8443/ca/rest/account/logout 2016-03-14T19:09:43Z DEBUG request body '' 2016-03-14T19:09:43Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:43Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:43Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:43Z DEBUG cert 
valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:43Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:43Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:43Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:43Z DEBUG response status 204 No Content 2016-03-14T19:09:43Z DEBUG response headers {'set-cookie': 'JSESSIONID=6BDFE5F01CA8276DE0F92566101BACD9; Path=/ca/; Secure; HttpOnly', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:43 GMT', 'content-type': 'application/xml'} 2016-03-14T19:09:43Z DEBUG response body '' 2016-03-14T19:09:43Z INFO Migrating profile 'caECDirUserCert' to LDAP 2016-03-14T19:09:43Z DEBUG request GET https://jutta.cc.umanitoba.ca:8443/ca/rest/account/login 2016-03-14T19:09:43Z DEBUG request body '' 2016-03-14T19:09:43Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:43Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:43Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:43Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:43Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:43Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:43Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:43Z DEBUG response status 200 OK 2016-03-14T19:09:43Z DEBUG response headers {'content-length': '205', 'set-cookie': 'JSESSIONID=AABC8E174EFA28D4242E5639CB22D2B6; Path=/ca/; Secure; HttpOnly', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:43 GMT', 'content-type': 'application/xml'} 2016-03-14T19:09:43Z DEBUG response body 'iparaCertificate Manager AgentsRegistration Manager Agents' 2016-03-14T19:09:43Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/raw 2016-03-14T19:09:43Z DEBUG request body 'desc=This certificate profile is for 
enrolling user certificates with directory-based authentication.\nvisible=true\nenable=true\nenableBy=admin\nname=Directory-Authenticated User Dual-Use ECC Certificate Enrollment\nauth.instance_id=UserDirEnrollment\ninput.list=i1\ninput.i1.class_id=keyGenInputImpl\noutput.list=o1\noutput.o1.class_id=certOutputImpl\npolicyset.list=userCertSet\npolicyset.userCertSet.list=1,10,2,3,4,5,6,7,8,9\npolicyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.userCertSet.1.constraint.name=Subject Name Constraint\npolicyset.userCertSet.1.constraint.params.pattern=(UID|CN)=.*\npolicyset.userCertSet.1.constraint.params.accept=true\npolicyset.userCertSet.1.default.class_id=authTokenSubjectNameDefaultImpl\npolicyset.userCertSet.1.default.name=Subject Name Default\npolicyset.userCertSet.1.default.params.name=\npolicyset.userCertSet.10.constraint.class_id=renewGracePeriodConstraintImpl\npolicyset.userCertSet.10.constraint.name=Renewal Grace Period Constraint\npolicyset.userCertSet.10.constraint.params.renewal.graceBefore=30\npolicyset.userCertSet.10.constraint.params.renewal.graceAfter=30\npolicyset.userCertSet.10.default.class_id=noDefaultImpl\npolicyset.userCertSet.10.default.name=No Default\npolicyset.userCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.userCertSet.2.constraint.name=Validity Constraint\npolicyset.userCertSet.2.constraint.params.range=365\npolicyset.userCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.userCertSet.2.constraint.params.notAfterCheck=false\npolicyset.userCertSet.2.default.class_id=validityDefaultImpl\npolicyset.userCertSet.2.default.name=Validity Default\npolicyset.userCertSet.2.default.params.range=180\npolicyset.userCertSet.2.default.params.startTime=0\npolicyset.userCertSet.3.constraint.class_id=keyConstraintImpl\npolicyset.userCertSet.3.constraint.name=Key 
Constraint\npolicyset.userCertSet.3.constraint.params.keyType=EC\npolicyset.userCertSet.3.constraint.params.keyParameters=nistp256,nistp384,nistp521\npolicyset.userCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.userCertSet.3.default.name=Key Default\npolicyset.userCertSet.4.constraint.class_id=noConstraintImpl\npolicyset.userCertSet.4.constraint.name=No Constraint\npolicyset.userCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.userCertSet.4.default.name=Authority Key Identifier Default\npolicyset.userCertSet.5.constraint.class_id=noConstraintImpl\npolicyset.userCertSet.5.constraint.name=No Constraint\npolicyset.userCertSet.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.userCertSet.5.default.name=AIA Extension Default\npolicyset.userCertSet.5.default.params.authInfoAccessADEnable_0=true\npolicyset.userCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.userCertSet.5.default.params.authInfoAccessADLocation_0=\npolicyset.userCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.userCertSet.5.default.params.authInfoAccessCritical=false\npolicyset.userCertSet.5.default.params.authInfoAccessNumADs=1\npolicyset.userCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.userCertSet.6.constraint.name=Key Usage Extension 
Constraint\npolicyset.userCertSet.6.constraint.params.keyUsageCritical=true\npolicyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true\npolicyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true\npolicyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=false\npolicyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=true\npolicyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false\npolicyset.userCertSet.6.constraint.params.keyUsageCrlSign=false\npolicyset.userCertSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.userCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.userCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.userCertSet.6.default.name=Key Usage Default\npolicyset.userCertSet.6.default.params.keyUsageCritical=true\npolicyset.userCertSet.6.default.params.keyUsageDigitalSignature=true\npolicyset.userCertSet.6.default.params.keyUsageNonRepudiation=true\npolicyset.userCertSet.6.default.params.keyUsageDataEncipherment=false\npolicyset.userCertSet.6.default.params.keyUsageKeyEncipherment=true\npolicyset.userCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.userCertSet.6.default.params.keyUsageKeyCertSign=false\npolicyset.userCertSet.6.default.params.keyUsageCrlSign=false\npolicyset.userCertSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.userCertSet.6.default.params.keyUsageDecipherOnly=false\npolicyset.userCertSet.7.constraint.class_id=noConstraintImpl\npolicyset.userCertSet.7.constraint.name=No Constraint\npolicyset.userCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl\npolicyset.userCertSet.7.default.name=Extended Key Usage Extension 
Default\npolicyset.userCertSet.7.default.params.exKeyUsageCritical=false\npolicyset.userCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4\npolicyset.userCertSet.8.constraint.class_id=noConstraintImpl\npolicyset.userCertSet.8.constraint.name=No Constraint\npolicyset.userCertSet.8.default.class_id=subjectAltNameExtDefaultImpl\npolicyset.userCertSet.8.default.name=Subject Alt Name Constraint\npolicyset.userCertSet.8.default.params.subjAltNameExtCritical=false\npolicyset.userCertSet.8.default.params.subjAltExtType_0=RFC822Name\npolicyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$\npolicyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true\npolicyset.userCertSet.8.default.params.subjAltNameNumGNs=1\npolicyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl\npolicyset.userCertSet.9.constraint.name=No Constraint\npolicyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\npolicyset.userCertSet.9.default.class_id=signingAlgDefaultImpl\npolicyset.userCertSet.9.default.name=Signing Alg\npolicyset.userCertSet.9.default.params.signingAlg=-\nprofileId=caECDirUserCert\nclassId=caEnrollImpl\n' 2016-03-14T19:09:43Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:43Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:43Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:43Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:43Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:43Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:43Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:43Z DEBUG response status 400 Bad Request 2016-03-14T19:09:43Z DEBUG response headers {'transfer-encoding': 'chunked', 'date': 'Mon, 14 Mar 2016 19:09:43 GMT', 'connection': 'close', 'content-type': 
Signing\ninput.list=i1,i2,i3\ninput.i1.class_id=keyGenInputImpl\ninput.i2.class_id=fileSigningInputImpl\ninput.i3.class_id=submitterInfoInputImpl\noutput.list=o1\noutput.o1.class_id=pkcs7OutputImpl\npolicyset.list=serverCertSet\npolicyset.serverCertSet.list=1,2,3,4,5,6,7,8\npolicyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.serverCertSet.1.constraint.name=Subject Name Constraint\npolicyset.serverCertSet.1.constraint.params.pattern=CN=.*\npolicyset.serverCertSet.1.constraint.params.accept=true\npolicyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl\npolicyset.serverCertSet.1.default.name=Subject Name Default\npolicyset.serverCertSet.1.default.params.name=CN=(Name)$request.requestor_name$(Text)$request.file_signing_text$(Size)$request.file_signing_size$(DigestType)$request.file_signing_digest_type$(Digest)$request.file_signing_digest$\npolicyset.serverCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.serverCertSet.2.constraint.name=Validity Constraint\npolicyset.serverCertSet.2.constraint.params.range=365\npolicyset.serverCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.serverCertSet.2.constraint.params.notAfterCheck=false\npolicyset.serverCertSet.2.default.class_id=validityDefaultImpl\npolicyset.serverCertSet.2.default.name=Validity Default\npolicyset.serverCertSet.2.default.params.range=180\npolicyset.serverCertSet.2.default.params.startTime=0\npolicyset.serverCertSet.3.constraint.class_id=keyConstraintImpl\npolicyset.serverCertSet.3.constraint.name=Key Constraint\npolicyset.serverCertSet.3.constraint.params.keyType=RSA\npolicyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096\npolicyset.serverCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.serverCertSet.3.default.name=Key Default\npolicyset.serverCertSet.4.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.4.constraint.name=No 
Constraint\npolicyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.serverCertSet.4.default.name=Authority Key Identifier Default\npolicyset.serverCertSet.5.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.5.constraint.name=No Constraint\npolicyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.serverCertSet.5.default.name=AIA Extension Default\npolicyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true\npolicyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=\npolicyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.serverCertSet.5.default.params.authInfoAccessCritical=false\npolicyset.serverCertSet.5.default.params.authInfoAccessNumADs=1\npolicyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint\npolicyset.serverCertSet.6.constraint.params.keyUsageCritical=true\npolicyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true\npolicyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true\npolicyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true\npolicyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true\npolicyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false\npolicyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false\npolicyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.serverCertSet.6.default.name=Key Usage 
Default\npolicyset.serverCertSet.6.default.params.keyUsageCritical=true\npolicyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true\npolicyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true\npolicyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true\npolicyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true\npolicyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false\npolicyset.serverCertSet.6.default.params.keyUsageCrlSign=false\npolicyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false\npolicyset.serverCertSet.7.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.7.constraint.name=No Constraint\npolicyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl\npolicyset.serverCertSet.7.default.name=Extended Key Usage Extension Default\npolicyset.serverCertSet.7.default.params.exKeyUsageCritical=false\npolicyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.3\npolicyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl\npolicyset.serverCertSet.8.constraint.name=No Constraint\npolicyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\npolicyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl\npolicyset.serverCertSet.8.default.name=Signing Alg\npolicyset.serverCertSet.8.default.params.signingAlg=-\nprofileId=caAgentFileSigning\nclassId=caEnrollImpl\n' 2016-03-14T19:09:43Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:43Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:43Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:43Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:43Z DEBUG handshake complete, peer = 
130.179.19.176:8443 2016-03-14T19:09:43Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:43Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:43Z DEBUG response status 400 Bad Request 2016-03-14T19:09:43Z DEBUG response headers {'transfer-encoding': 'chunked', 'date': 'Mon, 14 Mar 2016 19:09:43 GMT', 'connection': 'close', 'content-type': 'application/json', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:43Z DEBUG response body '{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.BadRequestException","Code":400,"Message":"Profile already exists"}' 2016-03-14T19:09:43Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caAgentFileSigning?action=disable 2016-03-14T19:09:43Z DEBUG request body '' 2016-03-14T19:09:43Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:43Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:43Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:43Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:43Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:43Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:43Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:43Z DEBUG response status 204 No Content 2016-03-14T19:09:43Z DEBUG response headers {'date': 'Mon, 14 Mar 2016 19:09:43 GMT', 'content-type': 'application/x-www-form-urlencoded', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:43Z DEBUG response body '' 2016-03-14T19:09:43Z DEBUG request PUT https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caAgentFileSigning/raw 2016-03-14T19:09:43Z DEBUG request body 'desc=This certificate profile is for getting file signing certificate with agent authentication.\nvisible=true\nenable=true\nenableBy=admin\nauth.instance_id=AgentCertAuth\nname=Agent-Authenticated File 
Signing\ninput.list=i1,i2,i3\ninput.i1.class_id=keyGenInputImpl\ninput.i2.class_id=fileSigningInputImpl\ninput.i3.class_id=submitterInfoInputImpl\noutput.list=o1\noutput.o1.class_id=pkcs7OutputImpl\npolicyset.list=serverCertSet\npolicyset.serverCertSet.list=1,2,3,4,5,6,7,8\npolicyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.serverCertSet.1.constraint.name=Subject Name Constraint\npolicyset.serverCertSet.1.constraint.params.pattern=CN=.*\npolicyset.serverCertSet.1.constraint.params.accept=true\npolicyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl\npolicyset.serverCertSet.1.default.name=Subject Name Default\npolicyset.serverCertSet.1.default.params.name=CN=(Name)$request.requestor_name$(Text)$request.file_signing_text$(Size)$request.file_signing_size$(DigestType)$request.file_signing_digest_type$(Digest)$request.file_signing_digest$\npolicyset.serverCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.serverCertSet.2.constraint.name=Validity Constraint\npolicyset.serverCertSet.2.constraint.params.range=365\npolicyset.serverCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.serverCertSet.2.constraint.params.notAfterCheck=false\npolicyset.serverCertSet.2.default.class_id=validityDefaultImpl\npolicyset.serverCertSet.2.default.name=Validity Default\npolicyset.serverCertSet.2.default.params.range=180\npolicyset.serverCertSet.2.default.params.startTime=0\npolicyset.serverCertSet.3.constraint.class_id=keyConstraintImpl\npolicyset.serverCertSet.3.constraint.name=Key Constraint\npolicyset.serverCertSet.3.constraint.params.keyType=RSA\npolicyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096\npolicyset.serverCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.serverCertSet.3.default.name=Key Default\npolicyset.serverCertSet.4.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.4.constraint.name=No 
Constraint\npolicyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.serverCertSet.4.default.name=Authority Key Identifier Default\npolicyset.serverCertSet.5.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.5.constraint.name=No Constraint\npolicyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.serverCertSet.5.default.name=AIA Extension Default\npolicyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true\npolicyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=\npolicyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.serverCertSet.5.default.params.authInfoAccessCritical=false\npolicyset.serverCertSet.5.default.params.authInfoAccessNumADs=1\npolicyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint\npolicyset.serverCertSet.6.constraint.params.keyUsageCritical=true\npolicyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true\npolicyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true\npolicyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true\npolicyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true\npolicyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false\npolicyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false\npolicyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.serverCertSet.6.default.name=Key Usage 
Default\npolicyset.serverCertSet.6.default.params.keyUsageCritical=true\npolicyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true\npolicyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true\npolicyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true\npolicyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true\npolicyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false\npolicyset.serverCertSet.6.default.params.keyUsageCrlSign=false\npolicyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false\npolicyset.serverCertSet.7.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.7.constraint.name=No Constraint\npolicyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl\npolicyset.serverCertSet.7.default.name=Extended Key Usage Extension Default\npolicyset.serverCertSet.7.default.params.exKeyUsageCritical=false\npolicyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.3\npolicyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl\npolicyset.serverCertSet.8.constraint.name=No Constraint\npolicyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\npolicyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl\npolicyset.serverCertSet.8.default.name=Signing Alg\npolicyset.serverCertSet.8.default.params.signingAlg=-\nprofileId=caAgentFileSigning\nclassId=caEnrollImpl\n' 2016-03-14T19:09:43Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:43Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:43Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:43Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:43Z DEBUG handshake complete, peer = 
130.179.19.176:8443 2016-03-14T19:09:43Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:43Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:43Z DEBUG response status 200 OK 2016-03-14T19:09:43Z DEBUG response headers {'content-length': '5515', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:43 GMT', 'content-type': 'application/json'} 2016-03-14T19:09:43Z DEBUG response body '#Mon Mar 14 14:09:43 CDT 2016\npolicyset.serverCertSet.4.constraint.name=No Constraint\npolicyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.serverCertSet.5.default.params.authInfoAccessCritical=false\npolicyset.serverCertSet.2.default.params.range=180\npolicyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.3\ninput.i2.class_id=fileSigningInputImpl\nauth.instance_id=AgentCertAuth\npolicyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true\noutput.o1.class_id=pkcs7OutputImpl\npolicyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.serverCertSet.3.constraint.name=Key Constraint\npolicyset.serverCertSet.3.constraint.params.keyType=RSA\npolicyset.serverCertSet.2.constraint.params.range=365\npolicyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true\npolicyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.serverCertSet.6.constraint.params.keyUsageCritical=true\noutput.list=o1\npolicyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\ninput.list=i1,i2,i3\npolicyset.serverCertSet.3.default.name=Key 
Default\npolicyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false\npolicyset.serverCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false\npolicyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true\npolicyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false\nvisible=true\npolicyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true\ndesc=This certificate profile is for getting file signing certificate with agent authentication.\npolicyset.serverCertSet.8.default.name=Signing Alg\npolicyset.serverCertSet.2.constraint.name=Validity Constraint\npolicyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true\npolicyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.serverCertSet.8.constraint.name=No Constraint\npolicyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true\npolicyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.serverCertSet.5.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.1.constraint.name=Subject Name Constraint\npolicyset.serverCertSet.5.default.params.authInfoAccessNumADs=1\npolicyset.serverCertSet.2.default.name=Validity Default\npolicyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl\nenable=true\npolicyset.serverCertSet.1.constraint.params.pattern=CN=.*\npolicyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl\npolicyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096\npolicyset.serverCertSet.2.constraint.params.notAfterCheck=false\npolicyset.serverCertSet.7.default.name=Extended Key Usage Extension Default\npolicyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl\ninput.i1.class_id=keyGenInputImpl\nenableBy=admin\npolicyset.serverCertSet.7.constraint.name=No 
Constraint\ninput.i3.class_id=submitterInfoInputImpl\npolicyset.serverCertSet.list=1,2,3,4,5,6,7,8\npolicyset.serverCertSet.1.default.name=Subject Name Default\npolicyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint\npolicyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl\nname=Agent-Authenticated File Signing\npolicyset.serverCertSet.4.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.2.default.class_id=validityDefaultImpl\npolicyset.serverCertSet.6.default.name=Key Usage Default\npolicyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true\npolicyset.serverCertSet.6.default.params.keyUsageCritical=true\npolicyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\npolicyset.serverCertSet.1.default.params.name=CN=(Name)$request.requestor_name$(Text)$request.file_signing_text$(Size)$request.file_signing_size$(DigestType)$request.file_signing_digest_type$(Digest)$request.file_signing_digest$\npolicyset.serverCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.serverCertSet.8.default.params.signingAlg=-\npolicyset.serverCertSet.2.default.params.startTime=0\npolicyset.serverCertSet.7.constraint.class_id=noConstraintImpl\npolicyset.list=serverCertSet\npolicyset.serverCertSet.5.constraint.name=No Constraint\npolicyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true\npolicyset.serverCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false\npolicyset.serverCertSet.7.default.params.exKeyUsageCritical=false\npolicyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true\npolicyset.serverCertSet.5.default.name=AIA Extension 
Default\npolicyset.serverCertSet.3.constraint.class_id=keyConstraintImpl\npolicyset.serverCertSet.6.default.params.keyUsageCrlSign=false\npolicyset.serverCertSet.4.default.name=Authority Key Identifier Default\npolicyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.serverCertSet.1.constraint.params.accept=true\npolicyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=\n' 2016-03-14T19:09:43Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caAgentFileSigning?action=enable 2016-03-14T19:09:43Z DEBUG request body '' 2016-03-14T19:09:43Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:43Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:43Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:43Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:43Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:43Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:43Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:43Z DEBUG response status 204 No Content 2016-03-14T19:09:43Z DEBUG response headers {'date': 'Mon, 14 Mar 2016 19:09:43 GMT', 'content-type': 'application/x-www-form-urlencoded', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:43Z DEBUG response body '' 2016-03-14T19:09:43Z DEBUG request GET https://jutta.cc.umanitoba.ca:8443/ca/rest/account/logout 2016-03-14T19:09:43Z DEBUG request body '' 2016-03-14T19:09:43Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:43Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:43Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:43Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:43Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:43Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:43Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:43Z DEBUG response status 204 No 
Content 2016-03-14T19:09:43Z DEBUG response headers {'set-cookie': 'JSESSIONID=1082CC4F3D32635856CCFAC973CFD19B; Path=/ca/; Secure; HttpOnly', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:43 GMT', 'content-type': 'application/xml'} 2016-03-14T19:09:43Z DEBUG response body '' 2016-03-14T19:09:43Z INFO Migrating profile 'caCMCUserCert' to LDAP 2016-03-14T19:09:43Z DEBUG request GET https://jutta.cc.umanitoba.ca:8443/ca/rest/account/login 2016-03-14T19:09:43Z DEBUG request body '' 2016-03-14T19:09:43Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:43Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:43Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:43Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:43Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:43Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:43Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:43Z DEBUG response status 200 OK 2016-03-14T19:09:43Z DEBUG response headers {'content-length': '205', 'set-cookie': 'JSESSIONID=FB145C953E0704FACB9813716D584588; Path=/ca/; Secure; HttpOnly', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:43 GMT', 'content-type': 'application/xml'} 2016-03-14T19:09:43Z DEBUG response body 'iparaCertificate Manager AgentsRegistration Manager Agents' 2016-03-14T19:09:43Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/raw 2016-03-14T19:09:43Z DEBUG request body 'desc=This certificate profile is for enrolling user certificates by using the CMC certificate request with CMC Signature authentication.\nvisible=true\nenable=true\nenableBy=admin\nauth.instance_id=CMCAuth\nauthz.acl=group="Certificate Manager Agents"\nname=Signed CMC-Authenticated User Certificate 
Enrollment\ninput.list=i1,i2\ninput.i1.class_id=cmcCertReqInputImpl\ninput.i2.class_id=submitterInfoInputImpl\noutput.list=o1\noutput.o1.class_id=certOutputImpl\npolicyset.list=cmcUserCertSet\npolicyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8\npolicyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint\npolicyset.cmcUserCertSet.1.constraint.params.pattern=.*\npolicyset.cmcUserCertSet.1.constraint.params.accept=true\npolicyset.cmcUserCertSet.1.default.class_id=userSubjectNameDefaultImpl\npolicyset.cmcUserCertSet.1.default.name=Subject Name Default\npolicyset.cmcUserCertSet.1.default.params.name=\npolicyset.cmcUserCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.cmcUserCertSet.2.constraint.name=Validity Constraint\npolicyset.cmcUserCertSet.2.constraint.params.range=365\npolicyset.cmcUserCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.cmcUserCertSet.2.constraint.params.notAfterCheck=false\npolicyset.cmcUserCertSet.2.default.class_id=validityDefaultImpl\npolicyset.cmcUserCertSet.2.default.name=Validity Default\npolicyset.cmcUserCertSet.2.default.params.range=180\npolicyset.cmcUserCertSet.2.default.params.startTime=0\npolicyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl\npolicyset.cmcUserCertSet.3.constraint.name=Key Constraint\npolicyset.cmcUserCertSet.3.constraint.params.keyType=-\npolicyset.cmcUserCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp521\npolicyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.cmcUserCertSet.3.default.name=Key Default\npolicyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl\npolicyset.cmcUserCertSet.4.constraint.name=No Constraint\npolicyset.cmcUserCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.cmcUserCertSet.4.default.name=Authority Key Identifier 
Default\npolicyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true\npolicyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl\npolicyset.cmcUserCertSet.4.constraint.name=No Constraint\npolicyset.cmcUserCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\n' 2016-03-14T19:09:44Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caFullCMCUserCert?action=enable 2016-03-14T19:09:44Z DEBUG request body '' 2016-03-14T19:09:44Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:44Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:44Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:44Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:44Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:44Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:44Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:44Z DEBUG response status 204 No Content 2016-03-14T19:09:44Z DEBUG response headers {'date': 'Mon, 14 Mar 2016 19:09:44 GMT', 'content-type': 'application/x-www-form-urlencoded', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:44Z DEBUG response body '' 2016-03-14T19:09:44Z DEBUG request GET https://jutta.cc.umanitoba.ca:8443/ca/rest/account/logout 2016-03-14T19:09:44Z DEBUG request body '' 2016-03-14T19:09:44Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:44Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:44Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:44Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:44Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:44Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:44Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:44Z DEBUG response status 204 No Content 2016-03-14T19:09:44Z DEBUG response headers {'set-cookie': 'JSESSIONID=9C372DC71A646ECA6F17ADC6069376E8; Path=/ca/; Secure; 
HttpOnly', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:44 GMT', 'content-type': 'application/xml'} 2016-03-14T19:09:44Z DEBUG response body '' 2016-03-14T19:09:44Z INFO Migrating profile 'caSimpleCMCUserCert' to LDAP 2016-03-14T19:09:44Z DEBUG request GET https://jutta.cc.umanitoba.ca:8443/ca/rest/account/login 2016-03-14T19:09:44Z DEBUG request body '' 2016-03-14T19:09:44Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:44Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:44Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:44Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:44Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:44Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:44Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:44Z DEBUG response status 200 OK 2016-03-14T19:09:44Z DEBUG response headers {'content-length': '205', 'set-cookie': 'JSESSIONID=37E418E7FA94CE983D23EC031A858647; Path=/ca/; Secure; HttpOnly', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:44 GMT', 'content-type': 'application/xml'} 2016-03-14T19:09:44Z DEBUG response body 'iparaCertificate Manager AgentsRegistration Manager Agents' 2016-03-14T19:09:44Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/raw 2016-03-14T19:09:44Z DEBUG request body 'desc=This certificate profile is for enrolling user certificates by using the CMC certificate request with CMC Signature authentication.\nenable=true\nenableBy=admin\nname=Simple CMC Enrollment Request for User 
Certificate\nvisible=false\nauth.instance_id=\ninput.list=i1\ninput.i1.class_id=certReqInputImpl\noutput.list=o1\noutput.o1.class_id=certOutputImpl\npolicyset.list=cmcUserCertSet\npolicyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8\npolicyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint\npolicyset.cmcUserCertSet.1.constraint.params.accept=true\npolicyset.cmcUserCertSet.1.constraint.params.pattern=.*\npolicyset.cmcUserCertSet.1.default.class_id=userSubjectNameDefaultImpl\npolicyset.cmcUserCertSet.1.default.name=Subject Name Default\npolicyset.cmcUserCertSet.1.default.params.name=\npolicyset.cmcUserCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.cmcUserCertSet.2.constraint.name=Validity Constraint\npolicyset.cmcUserCertSet.2.constraint.params.notAfterCheck=false\npolicyset.cmcUserCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.cmcUserCertSet.2.constraint.params.range=365\npolicyset.cmcUserCertSet.2.default.class_id=validityDefaultImpl\npolicyset.cmcUserCertSet.2.default.name=Validity Default\npolicyset.cmcUserCertSet.2.default.params.range=180\npolicyset.cmcUserCertSet.2.default.params.startTime=0\npolicyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl\npolicyset.cmcUserCertSet.3.constraint.name=Key Constraint\npolicyset.cmcUserCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp521\npolicyset.cmcUserCertSet.3.constraint.params.keyType=-\npolicyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.cmcUserCertSet.3.default.name=Key Default\npolicyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl\npolicyset.cmcUserCertSet.4.constraint.name=No Constraint\npolicyset.cmcUserCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.cmcUserCertSet.4.default.name=Authority Key Identifier 
Default\npolicyset.cmcUserCertSet.5.constraint.class_id=noConstraintImpl\npolicyset.cmcUserCertSet.5.constraint.name=No Constraint\npolicyset.cmcUserCertSet.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.cmcUserCertSet.5.default.name=AIA Extension Default\npolicyset.cmcUserCertSet.5.default.params.authInfoAccessADEnable_0=true\npolicyset.cmcUserCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.cmcUserCertSet.5.default.params.authInfoAccessADLocation_0=\npolicyset.cmcUserCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.cmcUserCertSet.5.default.params.authInfoAccessCritical=false\npolicyset.cmcUserCertSet.5.default.params.authInfoAccessNumADs=1\npolicyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint\npolicyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true\npolicyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false\npolicyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false\npolicyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true\npolicyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.cmcUserCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.cmcUserCertSet.6.constraint.params.keyUsageKeyCertSign=false\npolicyset.cmcUserCertSet.6.constraint.params.keyUsageKeyEncipherment=true\npolicyset.cmcUserCertSet.6.constraint.params.keyUsageNonRepudiation=true\npolicyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.cmcUserCertSet.6.default.name=Key Usage 
Default\npolicyset.cmcUserCertSet.6.default.params.keyUsageCritical=true\npolicyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false\npolicyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false\npolicyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false\npolicyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true\npolicyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.cmcUserCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false\npolicyset.cmcUserCertSet.6.default.params.keyUsageKeyEncipherment=true\npolicyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true\npolicyset.cmcUserCertSet.7.constraint.class_id=noConstraintImpl\npolicyset.cmcUserCertSet.7.constraint.name=No Constraint\npolicyset.cmcUserCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl\npolicyset.cmcUserCertSet.7.default.name=Extended Key Usage Extension Default\npolicyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false\npolicyset.cmcUserCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4\npolicyset.cmcUserCertSet.8.constraint.class_id=signingAlgConstraintImpl\npolicyset.cmcUserCertSet.8.constraint.name=No Constraint\npolicyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\npolicyset.cmcUserCertSet.8.default.class_id=signingAlgDefaultImpl\npolicyset.cmcUserCertSet.8.default.name=Signing Alg\npolicyset.cmcUserCertSet.8.default.params.signingAlg=-\nprofileId=caSimpleCMCUserCert\nclassId=caEnrollImpl\n' 2016-03-14T19:09:44Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:44Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:44Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:44Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 
2016-03-14T19:09:44Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:44Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:44Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:44Z DEBUG response status 400 Bad Request 2016-03-14T19:09:44Z DEBUG response headers {'transfer-encoding': 'chunked', 'date': 'Mon, 14 Mar 2016 19:09:44 GMT', 'connection': 'close', 'content-type': 'application/json', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:44Z DEBUG response body '{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.BadRequestException","Code":400,"Message":"Profile already exists"}' 2016-03-14T19:09:44Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caSimpleCMCUserCert?action=disable 2016-03-14T19:09:44Z DEBUG request body '' 2016-03-14T19:09:44Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:44Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:44Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:44Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:44Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:44Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:44Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:44Z DEBUG response status 204 No Content 2016-03-14T19:09:44Z DEBUG response headers {'date': 'Mon, 14 Mar 2016 19:09:44 GMT', 'content-type': 'application/x-www-form-urlencoded', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:44Z DEBUG response body '' 2016-03-14T19:09:44Z DEBUG request PUT https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caSimpleCMCUserCert/raw 2016-03-14T19:09:44Z DEBUG request body 'desc=This certificate profile is for enrolling user certificates by using the CMC certificate request with CMC Signature authentication.\nenable=true\nenableBy=admin\nname=Simple CMC Enrollment Request for User 
Certificate\nvisible=false\nauth.instance_id=\ninput.list=i1\ninput.i1.class_id=certReqInputImpl\noutput.list=o1\noutput.o1.class_id=certOutputImpl\npolicyset.list=cmcUserCertSet\npolicyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8\npolicyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint\npolicyset.cmcUserCertSet.1.constraint.params.accept=true\npolicyset.cmcUserCertSet.1.constraint.params.pattern=.*\npolicyset.cmcUserCertSet.1.default.class_id=userSubjectNameDefaultImpl\npolicyset.cmcUserCertSet.1.default.name=Subject Name Default\npolicyset.cmcUserCertSet.1.default.params.name=\npolicyset.cmcUserCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.cmcUserCertSet.2.constraint.name=Validity Constraint\npolicyset.cmcUserCertSet.2.constraint.params.notAfterCheck=false\npolicyset.cmcUserCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.cmcUserCertSet.2.constraint.params.range=365\npolicyset.cmcUserCertSet.2.default.class_id=validityDefaultImpl\npolicyset.cmcUserCertSet.2.default.name=Validity Default\npolicyset.cmcUserCertSet.2.default.params.range=180\npolicyset.cmcUserCertSet.2.default.params.startTime=0\npolicyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl\npolicyset.cmcUserCertSet.3.constraint.name=Key Constraint\npolicyset.cmcUserCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp521\npolicyset.cmcUserCertSet.3.constraint.params.keyType=-\npolicyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.cmcUserCertSet.3.default.name=Key Default\npolicyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl\npolicyset.cmcUserCertSet.4.constraint.name=No Constraint\npolicyset.cmcUserCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.cmcUserCertSet.4.default.name=Authority Key Identifier 
Default\npolicyset.cmcUserCertSet.5.constraint.class_id=noConstraintImpl\npolicyset.cmcUserCertSet.5.constraint.name=No Constraint\npolicyset.cmcUserCertSet.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.cmcUserCertSet.5.default.name=AIA Extension Default\npolicyset.cmcUserCertSet.5.default.params.authInfoAccessADEnable_0=true\npolicyset.cmcUserCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.cmcUserCertSet.5.default.params.authInfoAccessADLocation_0=\npolicyset.cmcUserCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.cmcUserCertSet.5.default.params.authInfoAccessCritical=false\npolicyset.cmcUserCertSet.5.default.params.authInfoAccessNumADs=1\npolicyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint\npolicyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true\npolicyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false\npolicyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false\npolicyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true\npolicyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.cmcUserCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.cmcUserCertSet.6.constraint.params.keyUsageKeyCertSign=false\npolicyset.cmcUserCertSet.6.constraint.params.keyUsageKeyEncipherment=true\npolicyset.cmcUserCertSet.6.constraint.params.keyUsageNonRepudiation=true\npolicyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.cmcUserCertSet.6.default.name=Key Usage 
Default\npolicyset.cmcUserCertSet.6.default.params.keyUsageCritical=true\npolicyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false\npolicyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false\npolicyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false\npolicyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true\npolicyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.cmcUserCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false\npolicyset.cmcUserCertSet.6.default.params.keyUsageKeyEncipherment=true\npolicyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true\npolicyset.cmcUserCertSet.7.constraint.class_id=noConstraintImpl\npolicyset.cmcUserCertSet.7.constraint.name=No Constraint\npolicyset.cmcUserCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl\npolicyset.cmcUserCertSet.7.default.name=Extended Key Usage Extension Default\npolicyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false\npolicyset.cmcUserCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4\npolicyset.cmcUserCertSet.8.constraint.class_id=signingAlgConstraintImpl\npolicyset.cmcUserCertSet.8.constraint.name=No Constraint\npolicyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\npolicyset.cmcUserCertSet.8.default.class_id=signingAlgDefaultImpl\npolicyset.cmcUserCertSet.8.default.name=Signing Alg\npolicyset.cmcUserCertSet.8.default.params.signingAlg=-\nprofileId=caSimpleCMCUserCert\nclassId=caEnrollImpl\n' 2016-03-14T19:09:44Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:44Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:44Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:44Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 
2016-03-14T19:09:44Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:44Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:44Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:44Z DEBUG response status 200 OK 2016-03-14T19:09:44Z DEBUG response headers {'content-length': '5404', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:44 GMT', 'content-type': 'application/json'} 2016-03-14T19:09:44Z DEBUG response body '#Mon Mar 14 14:09:44 CDT 2016\npolicyset.cmcUserCertSet.1.constraint.params.pattern=.*\nauth.instance_id=\npolicyset.cmcUserCertSet.1.default.params.name=\npolicyset.cmcUserCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false\noutput.o1.class_id=certOutputImpl\npolicyset.cmcUserCertSet.5.default.params.authInfoAccessADEnable_0=true\npolicyset.cmcUserCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.cmcUserCertSet.7.constraint.class_id=noConstraintImpl\npolicyset.cmcUserCertSet.6.constraint.params.keyUsageKeyCertSign=false\npolicyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\npolicyset.cmcUserCertSet.3.default.name=Key Default\npolicyset.cmcUserCertSet.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.cmcUserCertSet.3.constraint.name=Key Constraint\noutput.list=o1\npolicyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8\ninput.list=i1\npolicyset.cmcUserCertSet.2.default.name=Validity Default\npolicyset.cmcUserCertSet.8.default.name=Signing Alg\npolicyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl\nvisible=false\npolicyset.cmcUserCertSet.2.constraint.name=Validity 
Constraint\npolicyset.cmcUserCertSet.6.constraint.params.keyUsageNonRepudiation=true\npolicyset.cmcUserCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp521\ndesc=This certificate profile is for enrolling user certificates by using the CMC certificate request with CMC Signature authentication.\npolicyset.cmcUserCertSet.2.constraint.params.notAfterCheck=false\npolicyset.cmcUserCertSet.5.default.params.authInfoAccessADLocation_0=\npolicyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true\npolicyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false\npolicyset.cmcUserCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false\npolicyset.cmcUserCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true\npolicyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.cmcUserCertSet.1.default.name=Subject Name Default\npolicyset.cmcUserCertSet.7.default.name=Extended Key Usage Extension Default\npolicyset.cmcUserCertSet.8.constraint.name=No Constraint\npolicyset.cmcUserCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true\npolicyset.cmcUserCertSet.6.constraint.params.keyUsageKeyEncipherment=true\nenable=true\npolicyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint\npolicyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false\npolicyset.cmcUserCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl\npolicyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.cmcUserCertSet.8.default.params.signingAlg=-\npolicyset.cmcUserCertSet.7.constraint.name=No Constraint\npolicyset.cmcUserCertSet.6.default.name=Key Usage 
Default\npolicyset.cmcUserCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.cmcUserCertSet.6.default.params.keyUsageCritical=true\npolicyset.cmcUserCertSet.2.constraint.params.range=365\ninput.i1.class_id=certReqInputImpl\nenableBy=admin\npolicyset.cmcUserCertSet.2.default.params.startTime=0\npolicyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false\npolicyset.cmcUserCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4\npolicyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false\npolicyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.cmcUserCertSet.5.default.params.authInfoAccessNumADs=1\nname=Simple CMC Enrollment Request for User Certificate\npolicyset.cmcUserCertSet.1.default.class_id=userSubjectNameDefaultImpl\npolicyset.cmcUserCertSet.5.constraint.class_id=noConstraintImpl\npolicyset.cmcUserCertSet.3.constraint.params.keyType=-\npolicyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint\npolicyset.cmcUserCertSet.8.default.class_id=signingAlgDefaultImpl\npolicyset.cmcUserCertSet.6.default.params.keyUsageKeyEncipherment=true\npolicyset.cmcUserCertSet.5.default.name=AIA Extension Default\npolicyset.cmcUserCertSet.1.constraint.params.accept=true\npolicyset.cmcUserCertSet.2.default.class_id=validityDefaultImpl\npolicyset.cmcUserCertSet.5.constraint.name=No Constraint\npolicyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.cmcUserCertSet.2.default.params.range=180\npolicyset.cmcUserCertSet.8.constraint.class_id=signingAlgConstraintImpl\npolicyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false\npolicyset.list=cmcUserCertSet\npolicyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.cmcUserCertSet.5.default.params.authInfoAccessCritical=false\npolicyset.cmcUserCertSet.4.default.name=Authority Key Identifier 
Default\npolicyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true\npolicyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl\npolicyset.cmcUserCertSet.4.constraint.name=No Constraint\npolicyset.cmcUserCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\n' 2016-03-14T19:09:44Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caSimpleCMCUserCert?action=enable 2016-03-14T19:09:44Z DEBUG request body '' 2016-03-14T19:09:44Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:44Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:44Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:44Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:44Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:44Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:44Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:44Z DEBUG response status 204 No Content 2016-03-14T19:09:44Z DEBUG response headers {'date': 'Mon, 14 Mar 2016 19:09:44 GMT', 'content-type': 'application/x-www-form-urlencoded', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:44Z DEBUG response body '' 2016-03-14T19:09:44Z DEBUG request GET https://jutta.cc.umanitoba.ca:8443/ca/rest/account/logout 2016-03-14T19:09:44Z DEBUG request body '' 2016-03-14T19:09:44Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:44Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:44Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:44Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:44Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:44Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:44Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:44Z DEBUG response status 204 No Content 2016-03-14T19:09:44Z DEBUG response headers {'set-cookie': 'JSESSIONID=26B9E204680C20E804CDE06D7E0A3FC6; Path=/ca/; Secure; 
HttpOnly', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:44 GMT', 'content-type': 'application/xml'} 2016-03-14T19:09:44Z DEBUG response body '' 2016-03-14T19:09:44Z INFO Migrating profile 'caTokenDeviceKeyEnrollment' to LDAP 2016-03-14T19:09:44Z DEBUG request GET https://jutta.cc.umanitoba.ca:8443/ca/rest/account/login 2016-03-14T19:09:44Z DEBUG request body '' 2016-03-14T19:09:44Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:44Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:44Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:44Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:44Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:44Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:44Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:44Z DEBUG response status 200 OK 2016-03-14T19:09:44Z DEBUG response headers {'content-length': '205', 'set-cookie': 'JSESSIONID=42D945E703C758FB00637DA273C58F6E; Path=/ca/; Secure; HttpOnly', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:44 GMT', 'content-type': 'application/xml'} 2016-03-14T19:09:44Z DEBUG response body 'iparaCertificate Manager AgentsRegistration Manager Agents' 2016-03-14T19:09:44Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/raw 2016-03-14T19:09:44Z DEBUG request body 'desc=This profile is for enrolling token device keys\nenable=true\nenableBy=admin\nlastModified=1068835451090\nname=Token Device Key 
Default\npolicyset.set1.p7.default.params.Critical=false\npolicyset.set1.p7.default.params.PoliciesExt.num=5\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.policyId=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.policyId=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.explicitText.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.organization=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.policyId=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.value=\npolicyset.set1.p7.default.params
.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.explicitText.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.organization=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.policyId=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.explicitText.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.organization=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.policyId=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.explicitText.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.organization=\npolicyset.set1.p8.constraint.class_id=noConstraintImpl\n
policyset.set1.p8.constraint.name=No Constraint\npolicyset.set1.p8.default.class_id=subjectKeyIdentifierExtDefaultImpl\npolicyset.set1.p8.default.name=Subject Key Identifier Default\npolicyset.set1.p9.constraint.class_id=noConstraintImpl\npolicyset.set1.p9.constraint.name=No Constraint\npolicyset.set1.p9.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.set1.p9.default.name=Authority Key Identifier Extension Default\npolicyset.set1.10.constraint.class_id=renewGracePeriodConstraintImpl\npolicyset.set1.10.constraint.name=Renewal Grace Period Constraint\npolicyset.set1.10.constraint.params.renewal.graceBefore=30\npolicyset.set1.10.constraint.params.renewal.graceAfter=30\npolicyset.set1.10.default.class_id=noDefaultImpl\npolicyset.set1.10.default.name=No Default\npolicyset.set1.p12.constraint.class_id=basicConstraintsExtConstraintImpl\npolicyset.set1.p12.constraint.name=Basic Constraints Extension Constraint\npolicyset.set1.p12.constraint.params.basicConstraintsCritical=-\npolicyset.set1.p12.constraint.params.basicConstraintsIsCA=-\npolicyset.set1.p12.constraint.params.basicConstraintsMaxPathLen=-1\npolicyset.set1.p12.constraint.params.basicConstraintsMinPathLen=-1\npolicyset.set1.p12.default.class_id=basicConstraintsExtDefaultImpl\npolicyset.set1.p12.default.name=Basic Constraints Extension Default\npolicyset.set1.p12.default.params.basicConstraintsCritical=false\npolicyset.set1.p12.default.params.basicConstraintsIsCA=false\npolicyset.set1.p12.default.params.basicConstraintsPathLen=-1\npolicyset.set1.p13.constraint.class_id=noConstraintImpl\npolicyset.set1.p13.constraint.name=No 
Constraint\npolicyset.set1.p13.default.class_id=crlDistributionPointsExtDefaultImpl\npolicyset.set1.p13.default.name=crlDistributionPointsExtDefaultImpl\npolicyset.set1.p13.default.params.crlDistPointsCritical=false\npolicyset.set1.p13.default.params.crlDistPointsNum=1\npolicyset.set1.p13.default.params.crlDistPointsEnable_0=false\npolicyset.set1.p13.default.params.crlDistPointsIssuerName_0=\npolicyset.set1.p13.default.params.crlDistPointsIssuerType_0=\npolicyset.set1.p13.default.params.crlDistPointsPointName_0=\npolicyset.set1.p13.default.params.crlDistPointsPointType_0=URIName\npolicyset.set1.p13.default.params.crlDistPointsReasons_0=\npolicyset.set1.p14.constraint.class_id=noConstraintImpl\npolicyset.set1.p14.constraint.name=No Constraint\npolicyset.set1.p14.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.set1.p14.default.name=AIA Extension Default\npolicyset.set1.p14.default.params.authInfoAccessADEnable_0=false\npolicyset.set1.p14.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.set1.p14.default.params.authInfoAccessADLocation_0=\npolicyset.set1.p14.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.set1.p14.default.params.authInfoAccessCritical=false\npolicyset.set1.p14.default.params.authInfoAccessNumADs=1\nprofileId=caTokenUserEncryptionKeyEnrollment\nclassId=caUserCertEnrollImpl\n' 2016-03-14T19:09:44Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:44Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:44Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:44Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:44Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:44Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:44Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:44Z DEBUG response status 400 Bad Request 2016-03-14T19:09:44Z DEBUG response headers {'transfer-encoding': 'chunked', 'date': 'Mon, 14 Mar 2016 19:09:44 
GMT', 'connection': 'close', 'content-type': 'application/json', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:44Z DEBUG response body '{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.BadRequestException","Code":400,"Message":"Profile already exists"}' 2016-03-14T19:09:44Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caTokenUserEncryptionKeyEnrollment?action=disable 2016-03-14T19:09:44Z DEBUG request body '' 2016-03-14T19:09:44Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:44Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:44Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:44Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:44Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:44Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:44Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:44Z DEBUG response status 204 No Content 2016-03-14T19:09:44Z DEBUG response headers {'date': 'Mon, 14 Mar 2016 19:09:44 GMT', 'content-type': 'application/x-www-form-urlencoded', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:44Z DEBUG response body '' 2016-03-14T19:09:44Z DEBUG request PUT https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caTokenUserEncryptionKeyEnrollment/raw 2016-03-14T19:09:44Z DEBUG request body 'desc=This profile is for enrolling Token Encryption key\nenable=true\nenableBy=admin\nname=Token User Encryption Certificate Enrollment\nvisible=false\nauth.instance_id=AgentCertAuth\ninput.list=i1\ninput.i1.class_id=nsNKeyCertReqInputImpl\ninput.i1.name=nsNKeyCertReqInputImpl\noutput.list=o1\noutput.o1.class_id=nsNKeyOutputImpl\noutput.o2.name=nsNKeyOutputImpl\npolicyset.list=set1\n#policyset.set1.list=p2,p4,p5,p1,p6,p7,p8,p9,p12,p13,p14\npolicyset.set1.list=p2,p4,p5,p1,p6,p8,p9,p12\npolicyset.set1.p1.constraint.class_id=noConstraintImpl\npolicyset.set1.p1.constraint.name=No 
Constraint\npolicyset.set1.p1.default.class_id=nsTokenUserKeySubjectNameDefaultImpl\npolicyset.set1.p1.default.name=nsTokenUserKeySubjectNameDefault\npolicyset.set1.p1.default.params.dnpattern=UID=$request.uid$, O=Token Key User\n#changed ldap.enable to true to support SMIME\npolicyset.set1.p1.default.params.ldap.enable=false\npolicyset.set1.p1.default.params.ldap.searchName=uid\npolicyset.set1.p1.default.params.ldapStringAttributes=uid,mail\npolicyset.set1.p1.default.params.ldap.basedn=\npolicyset.set1.p1.default.params.ldap.maxConns=4\npolicyset.set1.p1.default.params.ldap.minConns=1\npolicyset.set1.p1.default.params.ldap.ldapconn.Version=2\npolicyset.set1.p1.default.params.ldap.ldapconn.host=\npolicyset.set1.p1.default.params.ldap.ldapconn.port=\npolicyset.set1.p1.default.params.ldap.ldapconn.secureConn=false\npolicyset.set1.p2.constraint.class_id=noConstraintImpl\npolicyset.set1.p2.constraint.name=No Constraint\npolicyset.set1.p2.default.class_id=validityDefaultImpl\npolicyset.set1.p2.default.name=Validity Default\npolicyset.set1.p2.default.params.range=1825\npolicyset.set1.p2.default.params.startTime=0\npolicyset.set1.p4.constraint.class_id=noConstraintImpl\npolicyset.set1.p4.constraint.name=No Constraint\npolicyset.set1.p4.default.class_id=signingAlgDefaultImpl\npolicyset.set1.p4.default.name=Signing Algorithm Default\npolicyset.set1.p4.default.params.signingAlg=-\npolicyset.set1.p5.constraint.class_id=noConstraintImpl\npolicyset.set1.p5.constraint.name=No Constraint\npolicyset.set1.p5.default.class_id=keyUsageExtDefaultImpl\npolicyset.set1.p5.default.name=Key Usage Extension 
Default\npolicyset.set1.p5.default.params.keyUsageCritical=true\npolicyset.set1.p5.default.params.keyUsageCrlSign=false\npolicyset.set1.p5.default.params.keyUsageDataEncipherment=false\npolicyset.set1.p5.default.params.keyUsageDecipherOnly=false\npolicyset.set1.p5.default.params.keyUsageDigitalSignature=false\npolicyset.set1.p5.default.params.keyUsageEncipherOnly=false\npolicyset.set1.p5.default.params.keyUsageKeyAgreement=false\npolicyset.set1.p5.default.params.keyUsageKeyCertSign=false\npolicyset.set1.p5.default.params.keyUsageKeyEncipherment=true\npolicyset.set1.p5.default.params.keyUsageNonRepudiation=false\npolicyset.set1.p6.constraint.class_id=noConstraintImpl\npolicyset.set1.p6.constraint.name=No Constraint\npolicyset.set1.p6.default.class_id=subjectAltNameExtDefaultImpl\npolicyset.set1.p6.default.name=Subject Alternative Name Extension Default\npolicyset.set1.p6.default.params.subjAltExtGNEnable_0=true\npolicyset.set1.p6.default.params.subjAltExtGNEnable_1=false\npolicyset.set1.p6.default.params.subjAltExtGNEnable_2=false\npolicyset.set1.p6.default.params.subjAltExtGNEnable_3=false\npolicyset.set1.p6.default.params.subjAltExtGNEnable_4=false\npolicyset.set1.p6.default.params.subjAltExtPattern_0=$request.mail$\npolicyset.set1.p6.default.params.subjAltExtPattern_1=\npolicyset.set1.p6.default.params.subjAltExtPattern_2=\npolicyset.set1.p6.default.params.subjAltExtPattern_3=\npolicyset.set1.p6.default.params.subjAltExtPattern_4=\npolicyset.set1.p6.default.params.subjAltExtType_0=RFC822Name\npolicyset.set1.p6.default.params.subjAltExtType_1=OtherName\npolicyset.set1.p6.default.params.subjAltExtType_2=RFC822Name\npolicyset.set1.p6.default.params.subjAltExtType_3=RFC822Name\npolicyset.set1.p6.default.params.subjAltExtType_4=RFC822Name\npolicyset.set1.p6.default.params.subjAltNameExtCritical=false\npolicyset.set1.p6.default.params.subjAltNameNumGNs=1\npolicyset.set1.p7.constraint.class_id=noConstraintImpl\npolicyset.set1.p7.constraint.name=No 
Constraint\npolicyset.set1.p7.default.class_id=certificatePoliciesExtDefaultImpl\npolicyset.set1.p7.default.name=Certificate Policies Extension Default\npolicyset.set1.p7.default.params.Critical=false\npolicyset.set1.p7.default.params.PoliciesExt.num=5\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.policyId=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.policyId=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.explicitText.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.organization=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.policyId=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0
.CPSURI.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.explicitText.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.organization=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.policyId=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.explicitText.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.organization=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.policyId=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.explicitText.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=\npolicyset.set1.p7.default.par
ams.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.organization=\npolicyset.set1.p8.constraint.class_id=noConstraintImpl\npolicyset.set1.p8.constraint.name=No Constraint\npolicyset.set1.p8.default.class_id=subjectKeyIdentifierExtDefaultImpl\npolicyset.set1.p8.default.name=Subject Key Identifier Default\npolicyset.set1.p9.constraint.class_id=noConstraintImpl\npolicyset.set1.p9.constraint.name=No Constraint\npolicyset.set1.p9.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.set1.p9.default.name=Authority Key Identifier Extension Default\npolicyset.set1.10.constraint.class_id=renewGracePeriodConstraintImpl\npolicyset.set1.10.constraint.name=Renewal Grace Period Constraint\npolicyset.set1.10.constraint.params.renewal.graceBefore=30\npolicyset.set1.10.constraint.params.renewal.graceAfter=30\npolicyset.set1.10.default.class_id=noDefaultImpl\npolicyset.set1.10.default.name=No Default\npolicyset.set1.p12.constraint.class_id=basicConstraintsExtConstraintImpl\npolicyset.set1.p12.constraint.name=Basic Constraints Extension Constraint\npolicyset.set1.p12.constraint.params.basicConstraintsCritical=-\npolicyset.set1.p12.constraint.params.basicConstraintsIsCA=-\npolicyset.set1.p12.constraint.params.basicConstraintsMaxPathLen=-1\npolicyset.set1.p12.constraint.params.basicConstraintsMinPathLen=-1\npolicyset.set1.p12.default.class_id=basicConstraintsExtDefaultImpl\npolicyset.set1.p12.default.name=Basic Constraints Extension Default\npolicyset.set1.p12.default.params.basicConstraintsCritical=false\npolicyset.set1.p12.default.params.basicConstraintsIsCA=false\npolicyset.set1.p12.default.params.basicConstraintsPathLen=-1\npolicyset.set1.p13.constraint.class_id=noConstraintImpl\npolicyset.set1.p13.constraint.name=No 
Constraint\npolicyset.set1.p13.default.class_id=crlDistributionPointsExtDefaultImpl\npolicyset.set1.p13.default.name=crlDistributionPointsExtDefaultImpl\npolicyset.set1.p13.default.params.crlDistPointsCritical=false\npolicyset.set1.p13.default.params.crlDistPointsNum=1\npolicyset.set1.p13.default.params.crlDistPointsEnable_0=false\npolicyset.set1.p13.default.params.crlDistPointsIssuerName_0=\npolicyset.set1.p13.default.params.crlDistPointsIssuerType_0=\npolicyset.set1.p13.default.params.crlDistPointsPointName_0=\npolicyset.set1.p13.default.params.crlDistPointsPointType_0=URIName\npolicyset.set1.p13.default.params.crlDistPointsReasons_0=\npolicyset.set1.p14.constraint.class_id=noConstraintImpl\npolicyset.set1.p14.constraint.name=No Constraint\npolicyset.set1.p14.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.set1.p14.default.name=AIA Extension Default\npolicyset.set1.p14.default.params.authInfoAccessADEnable_0=false\npolicyset.set1.p14.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.set1.p14.default.params.authInfoAccessADLocation_0=\npolicyset.set1.p14.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.set1.p14.default.params.authInfoAccessCritical=false\npolicyset.set1.p14.default.params.authInfoAccessNumADs=1\nprofileId=caTokenUserEncryptionKeyEnrollment\nclassId=caUserCertEnrollImpl\n' 2016-03-14T19:09:44Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:44Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:44Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:44Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:44Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:44Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:44Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:45Z DEBUG response status 200 OK 2016-03-14T19:09:45Z DEBUG response headers {'transfer-encoding': 'chunked', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 
'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:44 GMT', 'content-type': 'application/json'} 2016-03-14T19:09:45Z DEBUG response body '#Mon Mar 14 14:09:44 CDT 2016\npolicyset.set1.p1.default.params.ldap.enable=false\npolicyset.set1.p5.default.params.keyUsageKeyAgreement=false\npolicyset.set1.p7.default.class_id=certificatePoliciesExtDefaultImpl\npolicyset.set1.p2.default.params.range=1825\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.organization=\nauth.instance_id=AgentCertAuth\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.policyId=\npolicyset.set1.p1.default.params.ldap.ldapconn.port=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.explicitText.value=\npolicyset.set1.p6.default.params.subjAltExtType_4=RFC822Name\npolicyset.set1.p8.default.class_id=subjectKeyIdentifierExtDefaultImpl\npolicyset.set1.p6.default.params.subjAltExtType_3=RFC822Name\npolicyset.set1.p6.default.params.subjAltExtType_2=RFC822Name\npolicyset.set1.p6.default.params.subjAltExtType_1=OtherName\noutput.o2.name=nsNKeyOutputImpl\npolicyset.set1.p6.default.params.subjAltExtType_0=RFC822Name\npolicyset.set1.p13.default.params.crlDistPointsNum=1\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=false\npolicyset.set1.p7.constraint.name=No Constraint\npolicyset.set1.p7.default.name=Certificate Policies Extension 
Default\nenable=true\npolicyset.set1.p14.default.params.authInfoAccessADLocation_0=\npolicyset.set1.p14.default.params.authInfoAccessCritical=false\npolicyset.set1.p1.default.params.ldap.maxConns=4\npolicyset.set1.p13.default.params.crlDistPointsPointType_0=URIName\ninput.i1.name=nsNKeyCertReqInputImpl\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.enable=false\npolicyset.set1.p5.default.name=Key Usage Extension Default\npolicyset.set1.p13.default.params.crlDistPointsCritical=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.enable=false\noutput.o1.class_id=nsNKeyOutputImpl\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.explicitText.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=\npolicyset.set1.p12.constraint.params.basicConstraintsIsCA=-\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.value=\npolicyset.set1.p9.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.set1.p1.default.params.dnpattern=UID=$request.uid$, O=Token Key 
User\npolicyset.set1.p1.default.params.ldap.ldapconn.host=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=\npolicyset.set1.p6.default.params.subjAltExtPattern_4=\npolicyset.set1.p1.default.params.ldap.ldapconn.secureConn=false\npolicyset.set1.p9.constraint.class_id=noConstraintImpl\npolicyset.set1.p6.default.params.subjAltExtPattern_3=\npolicyset.set1.p6.default.params.subjAltExtPattern_2=\npolicyset.set1.list=p2,p4,p5,p1,p6,p8,p9,p12\npolicyset.set1.p6.default.params.subjAltExtPattern_1=\npolicyset.set1.p13.default.params.crlDistPointsIssuerName_0=\npolicyset.set1.p6.default.params.subjAltExtPattern_0=$request.mail$\noutput.list=o1\npolicyset.set1.10.constraint.name=Renewal Grace Period Constraint\npolicyset.set1.p12.constraint.name=Basic Constraints Extension Constraint\npolicyset.set1.p6.default.params.subjAltNameExtCritical=false\npolicyset.set1.10.constraint.params.renewal.graceBefore=30\npolicyset.set1.p1.default.class_id=nsTokenUserKeySubjectNameDefaultImpl\npolicyset.set1.p4.constraint.name=No Constraint\npolicyset.set1.p12.default.class_id=basicConstraintsExtDefaultImpl\npolicyset.set1.p8.constraint.class_id=noConstraintImpl\npolicyset.set1.p6.default.params.subjAltExtGNEnable_4=false\nname=Token User Encryption Certificate 
Enrollment\npolicyset.set1.p6.default.params.subjAltExtGNEnable_3=false\npolicyset.set1.p6.default.params.subjAltExtGNEnable_2=false\npolicyset.set1.p6.default.params.subjAltExtGNEnable_1=false\npolicyset.set1.p6.default.params.subjAltExtGNEnable_0=true\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.enable=false\npolicyset.set1.p13.default.params.crlDistPointsReasons_0=\npolicyset.set1.p2.default.params.startTime=0\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value=\npolicyset.set1.p12.constraint.params.basicConstraintsMinPathLen=-1\npolicyset.set1.p1.default.params.ldap.ldapconn.Version=2\npolicyset.set1.p13.default.name=crlDistributionPointsExtDefaultImpl\npolicyset.set1.p2.default.class_id=validityDefaultImpl\npolicyset.set1.p7.constraint.class_id=noConstraintImpl\npolicyset.set1.p5.default.params.keyUsageDecipherOnly=false\npolicyset.set1.p1.default.params.ldapStringAttributes=uid,mail\npolicyset.set1.p8.constraint.name=No Constraint\npolicyset.set1.p1.default.params.ldap.minConns=1\npolicyset.set1.p12.constraint.params.basicConstraintsCritical=-\npolicyset.set1.10.default.class_id=noDefaultImpl\npolicyset.set1.p14.default.params.authInfoAccessNumADs=1\npolicyset.set1.p6.constraint.class_id=noConstraintImpl\npolicyset.set1.p5.default.params.keyUsageEncipherOnly=false\npolicyset.set1.p1.default.name=nsTokenUserKeySubjectNameDefault\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.enable=false\npolicyset.set1.p1.default.params.ldap.searchName=uid\npolicyset.set1.p13.default.class_id=crlDistributionPointsExtDefaultImpl\npolicyset.set1.p12.default.params.basicConstraintsPathLen=-1\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=\npolicyset.set1.p8.default.name=Subject Key Identifier 
Default\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true\npolicyset.set1.p5.constraint.class_id=noConstraintImpl\npolicyset.set1.p7.default.params.Critical=false\npolicyset.set1.p1.constraint.name=No Constraint\ninput.list=i1\npolicyset.set1.p14.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.set1.p4.constraint.class_id=noConstraintImpl\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.policyId=\npolicyset.set1.p7.default.params.PoliciesExt.num=5\nenableBy=admin\npolicyset.set1.p5.default.params.keyUsageCritical=true\npolicyset.set1.p6.default.name=Subject Alternative Name Extension Default\npolicyset.set1.p13.constraint.name=No Constraint\npolicyset.set1.p4.default.class_id=signingAlgDefaultImpl\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.explicitText.value=\npolicyset.set1.p14.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.set1.p14.constraint.class_id=noConstraintImpl\npolicyset.set1.p5.constraint.name=No Constraint\npolicyset.set1.p9.constraint.name=No Constraint\ndesc=This profile is for enrolling Token Signing 
key\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.policyId=\npolicyset.set1.p12.default.params.basicConstraintsIsCA=false\npolicyset.set1.p2.constraint.class_id=noConstraintImpl\npolicyset.set1.p13.constraint.class_id=noConstraintImpl\npolicyset.set1.p13.default.params.crlDistPointsIssuerType_0=\ninput.i1.class_id=nsNKeyCertReqInputImpl\npolicyset.set1.p6.default.params.subjAltNameNumGNs=1\npolicyset.set1.p5.default.params.keyUsageCrlSign=false\npolicyset.set1.p13.default.params.crlDistPointsPointName_0=\npolicyset.set1.10.constraint.class_id=renewGracePeriodConstraintImpl\npolicyset.set1.10.constraint.params.renewal.graceAfter=30\npolicyset.set1.p1.constraint.class_id=noConstraintImpl\npolicyset.set1.p12.constraint.class_id=basicConstraintsExtConstraintImpl\npolicyset.list=set1\npolicyset.set1.p12.constraint.params.basicConstraintsMaxPathLen=-1\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=\npolicyset.set1.p5.default.class_id=keyUsageExtDefaultImpl\npolicyset.set1.p2.constraint.name=No Constraint\nvisible=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.enable=false\npolicyset.set1.p4.default.name=Signing Algorithm Default\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.explicitText.value=\npolicyset.set1.p5.default.params.keyUsageDataEncipherment=false\npolicyset.set1.p14.default.name=AIA Extension Default\npolicyset.set1.p4.default.params.signingAlg=-\npolicyset.set1.p5.default.params.keyUsageDigitalSignature=true\npolicyset.set1.p14.constraint.name=No Constraint\npolicyset.set1.p5.default.params.keyUsageKeyCertSign=false\npolicyset.set1.10.default.name=No 
Default\npolicyset.set1.p13.default.params.crlDistPointsEnable_0=false\npolicyset.set1.p6.default.class_id=subjectAltNameExtDefaultImpl\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.policyId=\npolicyset.set1.p6.constraint.name=No Constraint\npolicyset.set1.p1.default.params.ldap.basedn=\npolicyset.set1.p2.default.name=Validity Default\npolicyset.set1.p12.default.params.basicConstraintsCritical=false\npolicyset.set1.p5.default.params.keyUsageNonRepudiation=true\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.organization=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.enable=false\npolicyset.set1.p14.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.set1.p9.default.name=Authority Key Identifier Extension Default\npolicyset.set1.p5.default.params.keyUsageKeyEncipherment=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.organization=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.enable=false\npolicyset.set1.p14.default.params.authInfoAccessADEnable_0=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.policyId=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.organization=\npolicyset.set1.p12.default.name=Basic Constraints Extension Default\n' 2016-03-14T19:09:45Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caTokenUserSigningKeyEnrollment?action=enable 2016-03-14T19:09:45Z DEBUG request body '' 2016-03-14T19:09:45Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:45Z DEBUG Connecting: 
130.179.19.176:0 2016-03-14T19:09:45Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:45Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:45Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:45Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:45Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:45Z DEBUG response status 204 No Content 2016-03-14T19:09:45Z DEBUG response headers {'date': 'Mon, 14 Mar 2016 19:09:45 GMT', 'content-type': 'application/x-www-form-urlencoded', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:45Z DEBUG response body '' 2016-03-14T19:09:45Z DEBUG request GET https://jutta.cc.umanitoba.ca:8443/ca/rest/account/logout 2016-03-14T19:09:45Z DEBUG request body '' 2016-03-14T19:09:45Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:45Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:45Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:45Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:45Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:45Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:45Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:45Z DEBUG response status 204 No Content 2016-03-14T19:09:45Z DEBUG response headers {'set-cookie': 'JSESSIONID=0ACF9F4C0AC31EE7E855ECFC9B34225D; Path=/ca/; Secure; HttpOnly', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:45 GMT', 'content-type': 'application/xml'} 2016-03-14T19:09:45Z DEBUG response body '' 2016-03-14T19:09:45Z INFO Migrating profile 'caTempTokenDeviceKeyEnrollment' to LDAP 2016-03-14T19:09:45Z DEBUG request GET https://jutta.cc.umanitoba.ca:8443/ca/rest/account/login 2016-03-14T19:09:45Z DEBUG request body '' 2016-03-14T19:09:45Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:45Z DEBUG Connecting: 
130.179.19.176:0 2016-03-14T19:09:45Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:45Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:45Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:45Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:45Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:45Z DEBUG response status 200 OK 2016-03-14T19:09:45Z DEBUG response headers {'content-length': '205', 'set-cookie': 'JSESSIONID=7ACA818B1BB162F4F46443D6C360A14E; Path=/ca/; Secure; HttpOnly', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:45 GMT', 'content-type': 'application/xml'} 2016-03-14T19:09:45Z DEBUG response body 'iparaCertificate Manager AgentsRegistration Manager Agents' 2016-03-14T19:09:45Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/raw 2016-03-14T19:09:45Z DEBUG request body 'desc=This profile is for enrolling token device keys\nenable=true\nenableBy=admin\nlastModified=1068835451090\nname=Temporary Device Certificate Enrollment\nvisible=false\nauth.instance_id=AgentCertAuth\ninput.list=i1\ninput.i1.class_id=nsHKeyCertReqInputImpl\ninput.i1.name=nsHKeyCertReqInputImpl\noutput.list=o1\noutput.o1.class_id=nsNKeyOutputImpl\noutput.o2.name=nsNKeyOutputImpl\npolicyset.list=set1\n#policyset.set1.list=p2,p3,p4,p5,p1,p7,p8,p9,p12,p6\npolicyset.set1.list=p2,p4,p5,p1,p8,p9,p12\npolicyset.set1.p1.constraint.class_id=noConstraintImpl\npolicyset.set1.p1.constraint.name=No Constraint\npolicyset.set1.p1.default.class_id=nsTokenDeviceKeySubjectNameDefaultImpl\npolicyset.set1.p1.default.name=nsTokenDeviceKeySubjectNameDefault\npolicyset.set1.p1.default.params.dnpattern=UID=Token Key Device - $request.tokencuid$\npolicyset.set1.p12.constraint.class_id=basicConstraintsExtConstraintImpl\npolicyset.set1.p12.constraint.name=Basic Constraints Extension 
Constraint\npolicyset.set1.p12.constraint.params.basicConstraintsCritical=-\npolicyset.set1.p12.constraint.params.basicConstraintsIsCA=-\npolicyset.set1.p12.constraint.params.basicConstraintsMaxPathLen=-1\npolicyset.set1.p12.constraint.params.basicConstraintsMinPathLen=-1\npolicyset.set1.p12.default.class_id=basicConstraintsExtDefaultImpl\npolicyset.set1.p12.default.name=Basic Constraints Extension Default\npolicyset.set1.p12.default.params.basicConstraintsCritical=false\npolicyset.set1.p12.default.params.basicConstraintsIsCA=false\npolicyset.set1.p12.default.params.basicConstraintsPathLen=-1\npolicyset.set1.p2.constraint.class_id=noConstraintImpl\npolicyset.set1.p2.constraint.name=No Constraint\npolicyset.set1.p2.default.class_id=validityDefaultImpl\npolicyset.set1.p2.default.name=Validity Default\npolicyset.set1.p2.default.params.range=7\npolicyset.set1.p2.default.params.startTime=0\npolicyset.set1.p3.constraint.class_id=noConstraintImpl\npolicyset.set1.p3.constraint.name=No Constraint\npolicyset.set1.p3.default.class_id=crlDistributionPointsExtDefaultImpl\npolicyset.set1.p3.default.name=crlDistributionPointsExtDefaultImpl\npolicyset.set1.p3.default.params.crlDistPointsCritical=false\npolicyset.set1.p3.default.params.crlDistPointsNum=1\npolicyset.set1.p3.default.params.crlDistPointsEnable_0=false\npolicyset.set1.p3.default.params.crlDistPointsIssuerName_0=\npolicyset.set1.p3.default.params.crlDistPointsIssuerType_0=\npolicyset.set1.p3.default.params.crlDistPointsPointName_0=\npolicyset.set1.p3.default.params.crlDistPointsPointType_0=URIName\npolicyset.set1.p3.default.params.crlDistPointsReasons_0=\npolicyset.set1.p4.constraint.class_id=noConstraintImpl\npolicyset.set1.p4.constraint.name=No Constraint\npolicyset.set1.p4.default.class_id=signingAlgDefaultImpl\npolicyset.set1.p4.default.name=Signing Algorithm Default\npolicyset.set1.p4.default.params.signingAlg=-\npolicyset.set1.p5.constraint.class_id=noConstraintImpl\npolicyset.set1.p5.constraint.name=No 
Constraint\npolicyset.set1.p5.default.class_id=keyUsageExtDefaultImpl\npolicyset.set1.p5.default.name=Key Usage Extension Default\npolicyset.set1.p5.default.params.keyUsageCritical=true\npolicyset.set1.p5.default.params.keyUsageCrlSign=false\npolicyset.set1.p5.default.params.keyUsageDataEncipherment=false\npolicyset.set1.p5.default.params.keyUsageDecipherOnly=false\npolicyset.set1.p5.default.params.keyUsageDigitalSignature=true\npolicyset.set1.p5.default.params.keyUsageEncipherOnly=false\npolicyset.set1.p5.default.params.keyUsageKeyAgreement=false\npolicyset.set1.p5.default.params.keyUsageKeyCertSign=false\npolicyset.set1.p5.default.params.keyUsageKeyEncipherment=false\npolicyset.set1.p5.default.params.keyUsageNonRepudiation=false\npolicyset.set1.p7.constraint.class_id=noConstraintImpl\npolicyset.set1.p7.constraint.name=No Constraint\npolicyset.set1.p7.default.class_id=certificatePoliciesExtDefaultImpl\npolicyset.set1.p7.default.name=Certificate Policies Extension Default\npolicyset.set1.p7.default.params.Critical=false\npolicyset.set1.p7.default.params.PoliciesExt.num=5\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.policyId=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.policyId=\npolic
yset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.explicitText.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.organization=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.policyId=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.explicitText.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.organization=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.policyId=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.explicitText.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.use
rnotice.noticeReference.noticeNumbers=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.organization=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.policyId=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.explicitText.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.organization=\npolicyset.set1.p8.constraint.class_id=noConstraintImpl\npolicyset.set1.p8.constraint.name=No Constraint\npolicyset.set1.p8.default.class_id=subjectKeyIdentifierExtDefaultImpl\npolicyset.set1.p8.default.name=Subject Key Identifier Default\npolicyset.set1.p9.constraint.class_id=noConstraintImpl\npolicyset.set1.p9.constraint.name=No Constraint\npolicyset.set1.p9.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.set1.p9.default.name=Authority Key Identifier Extension Default\npolicyset.set1.p6.constraint.class_id=noConstraintImpl\npolicyset.set1.p6.constraint.name=No Constraint\npolicyset.set1.p6.default.class_id=subjectAltNameExtDefaultImpl\npolicyset.set1.p6.default.name=Subject Alternative Name Extension 
Default\npolicyset.set1.p6.default.params.subjAltExtGNEnable_0=false\npolicyset.set1.p6.default.params.subjAltExtGNEnable_1=false\npolicyset.set1.p6.default.params.subjAltExtGNEnable_2=false\npolicyset.set1.p6.default.params.subjAltExtGNEnable_3=false\npolicyset.set1.p6.default.params.subjAltExtGNEnable_4=false\npolicyset.set1.p6.default.params.subjAltExtPattern_0=\npolicyset.set1.p6.default.params.subjAltExtPattern_1=\npolicyset.set1.p6.default.params.subjAltExtPattern_2=\npolicyset.set1.p6.default.params.subjAltExtPattern_3=\npolicyset.set1.p6.default.params.subjAltExtPattern_4=\npolicyset.set1.p6.default.params.subjAltExtType_0=OtherName\npolicyset.set1.p6.default.params.subjAltExtType_1=RFC822Name\npolicyset.set1.p6.default.params.subjAltExtType_2=RFC822Name\npolicyset.set1.p6.default.params.subjAltExtType_3=RFC822Name\npolicyset.set1.p6.default.params.subjAltExtType_4=RFC822Name\npolicyset.set1.p6.default.params.subjAltNameExtCritical=false\npolicyset.set1.p6.default.params.subjAltNameNumGNs=1\nprofileId=caTempTokenDeviceKeyEnrollment\nclassId=caUserCertEnrollImpl\n' 2016-03-14T19:09:45Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:45Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:45Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:45Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:45Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:45Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:45Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:45Z DEBUG response status 400 Bad Request 2016-03-14T19:09:45Z DEBUG response headers {'transfer-encoding': 'chunked', 'date': 'Mon, 14 Mar 2016 19:09:45 GMT', 'connection': 'close', 'content-type': 'application/json', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:45Z DEBUG response body '{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.BadRequestException","Code":400,"Message":"Profile already 
exists"}' 2016-03-14T19:09:45Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caTempTokenDeviceKeyEnrollment?action=disable 2016-03-14T19:09:45Z DEBUG request body '' 2016-03-14T19:09:45Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:45Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:45Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:45Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:45Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:45Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:45Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:45Z DEBUG response status 204 No Content 2016-03-14T19:09:45Z DEBUG response headers {'date': 'Mon, 14 Mar 2016 19:09:45 GMT', 'content-type': 'application/x-www-form-urlencoded', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:45Z DEBUG response body '' 2016-03-14T19:09:45Z DEBUG request PUT https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caTempTokenDeviceKeyEnrollment/raw 2016-03-14T19:09:45Z DEBUG request body 'desc=This profile is for enrolling token device keys\nenable=true\nenableBy=admin\nlastModified=1068835451090\nname=Temporary Device Certificate Enrollment\nvisible=false\nauth.instance_id=AgentCertAuth\ninput.list=i1\ninput.i1.class_id=nsHKeyCertReqInputImpl\ninput.i1.name=nsHKeyCertReqInputImpl\noutput.list=o1\noutput.o1.class_id=nsNKeyOutputImpl\noutput.o2.name=nsNKeyOutputImpl\npolicyset.list=set1\n#policyset.set1.list=p2,p3,p4,p5,p1,p7,p8,p9,p12,p6\npolicyset.set1.list=p2,p4,p5,p1,p8,p9,p12\npolicyset.set1.p1.constraint.class_id=noConstraintImpl\npolicyset.set1.p1.constraint.name=No Constraint\npolicyset.set1.p1.default.class_id=nsTokenDeviceKeySubjectNameDefaultImpl\npolicyset.set1.p1.default.name=nsTokenDeviceKeySubjectNameDefault\npolicyset.set1.p1.default.params.dnpattern=UID=Token Key Device - 
$request.tokencuid$\npolicyset.set1.p12.constraint.class_id=basicConstraintsExtConstraintImpl\npolicyset.set1.p12.constraint.name=Basic Constraints Extension Constraint\npolicyset.set1.p12.constraint.params.basicConstraintsCritical=-\npolicyset.set1.p12.constraint.params.basicConstraintsIsCA=-\npolicyset.set1.p12.constraint.params.basicConstraintsMaxPathLen=-1\npolicyset.set1.p12.constraint.params.basicConstraintsMinPathLen=-1\npolicyset.set1.p12.default.class_id=basicConstraintsExtDefaultImpl\npolicyset.set1.p12.default.name=Basic Constraints Extension Default\npolicyset.set1.p12.default.params.basicConstraintsCritical=false\npolicyset.set1.p12.default.params.basicConstraintsIsCA=false\npolicyset.set1.p12.default.params.basicConstraintsPathLen=-1\npolicyset.set1.p2.constraint.class_id=noConstraintImpl\npolicyset.set1.p2.constraint.name=No Constraint\npolicyset.set1.p2.default.class_id=validityDefaultImpl\npolicyset.set1.p2.default.name=Validity Default\npolicyset.set1.p2.default.params.range=7\npolicyset.set1.p2.default.params.startTime=0\npolicyset.set1.p3.constraint.class_id=noConstraintImpl\npolicyset.set1.p3.constraint.name=No Constraint\npolicyset.set1.p3.default.class_id=crlDistributionPointsExtDefaultImpl\npolicyset.set1.p3.default.name=crlDistributionPointsExtDefaultImpl\npolicyset.set1.p3.default.params.crlDistPointsCritical=false\npolicyset.set1.p3.default.params.crlDistPointsNum=1\npolicyset.set1.p3.default.params.crlDistPointsEnable_0=false\npolicyset.set1.p3.default.params.crlDistPointsIssuerName_0=\npolicyset.set1.p3.default.params.crlDistPointsIssuerType_0=\npolicyset.set1.p3.default.params.crlDistPointsPointName_0=\npolicyset.set1.p3.default.params.crlDistPointsPointType_0=URIName\npolicyset.set1.p3.default.params.crlDistPointsReasons_0=\npolicyset.set1.p4.constraint.class_id=noConstraintImpl\npolicyset.set1.p4.constraint.name=No Constraint\npolicyset.set1.p4.default.class_id=signingAlgDefaultImpl\npolicyset.set1.p4.default.name=Signing Algorithm 
Default\npolicyset.set1.p4.default.params.signingAlg=-\npolicyset.set1.p5.constraint.class_id=noConstraintImpl\npolicyset.set1.p5.constraint.name=No Constraint\npolicyset.set1.p5.default.class_id=keyUsageExtDefaultImpl\npolicyset.set1.p5.default.name=Key Usage Extension Default\npolicyset.set1.p5.default.params.keyUsageCritical=true\npolicyset.set1.p5.default.params.keyUsageCrlSign=false\npolicyset.set1.p5.default.params.keyUsageDataEncipherment=false\npolicyset.set1.p5.default.params.keyUsageDecipherOnly=false\npolicyset.set1.p5.default.params.keyUsageDigitalSignature=true\npolicyset.set1.p5.default.params.keyUsageEncipherOnly=false\npolicyset.set1.p5.default.params.keyUsageKeyAgreement=false\npolicyset.set1.p5.default.params.keyUsageKeyCertSign=false\npolicyset.set1.p5.default.params.keyUsageKeyEncipherment=false\npolicyset.set1.p5.default.params.keyUsageNonRepudiation=false\npolicyset.set1.p7.constraint.class_id=noConstraintImpl\npolicyset.set1.p7.constraint.name=No Constraint\npolicyset.set1.p7.default.class_id=certificatePoliciesExtDefaultImpl\npolicyset.set1.p7.default.name=Certificate Policies Extension 
Default\npolicyset.set1.p7.default.params.Critical=false\npolicyset.set1.p7.default.params.PoliciesExt.num=5\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.policyId=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.policyId=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.explicitText.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.organization=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.policyId=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.value=\npolicyset.set1.p7.default.param
ams.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.organization=\npolicyset.set1.p8.constraint.class_id=noConstraintImpl\npolicyset.set1.p8.constraint.name=No Constraint\npolicyset.set1.p8.default.class_id=subjectKeyIdentifierExtDefaultImpl\npolicyset.set1.p8.default.name=Subject Key Identifier Default\npolicyset.set1.p9.constraint.class_id=noConstraintImpl\npolicyset.set1.p9.constraint.name=No Constraint\npolicyset.set1.p9.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.set1.p9.default.name=Authority Key Identifier Extension Default\npolicyset.set1.p12.constraint.class_id=basicConstraintsExtConstraintImpl\npolicyset.set1.p12.constraint.name=Basic Constraints Extension Constraint\npolicyset.set1.p12.constraint.params.basicConstraintsCritical=-\npolicyset.set1.p12.constraint.params.basicConstraintsIsCA=-\npolicyset.set1.p12.constraint.params.basicConstraintsMaxPathLen=-1\npolicyset.set1.p12.constraint.params.basicConstraintsMinPathLen=-1\npolicyset.set1.p12.default.class_id=basicConstraintsExtDefaultImpl\npolicyset.set1.p12.default.name=Basic Constraints Extension Default\npolicyset.set1.p12.default.params.basicConstraintsCritical=false\npolicyset.set1.p12.default.params.basicConstraintsIsCA=false\npolicyset.set1.p12.default.params.basicConstraintsPathLen=-1\npolicyset.set1.p13.constraint.class_id=noConstraintImpl\npolicyset.set1.p13.constraint.name=No 
Constraint\npolicyset.set1.p13.default.class_id=crlDistributionPointsExtDefaultImpl\npolicyset.set1.p13.default.name=crlDistributionPointsExtDefaultImpl\npolicyset.set1.p13.default.params.crlDistPointsCritical=false\npolicyset.set1.p13.default.params.crlDistPointsNum=1\npolicyset.set1.p13.default.params.crlDistPointsEnable_0=false\npolicyset.set1.p13.default.params.crlDistPointsIssuerName_0=\npolicyset.set1.p13.default.params.crlDistPointsIssuerType_0=\npolicyset.set1.p13.default.params.crlDistPointsPointName_0=\npolicyset.set1.p13.default.params.crlDistPointsPointType_0=URIName\npolicyset.set1.p13.default.params.crlDistPointsReasons_0=\npolicyset.set1.p14.constraint.class_id=noConstraintImpl\npolicyset.set1.p14.constraint.name=No Constraint\npolicyset.set1.p14.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.set1.p14.default.name=AIA Extension Default\npolicyset.set1.p14.default.params.authInfoAccessADEnable_0=false\npolicyset.set1.p14.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.set1.p14.default.params.authInfoAccessADLocation_0=\npolicyset.set1.p14.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.set1.p14.default.params.authInfoAccessCritical=false\npolicyset.set1.p14.default.params.authInfoAccessNumADs=1\nprofileId=caTempTokenUserEncryptionKeyEnrollment\nclassId=caUserCertEnrollImpl\n' 2016-03-14T19:09:45Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:45Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:45Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:45Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:45Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:45Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:45Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:45Z DEBUG response status 200 OK 2016-03-14T19:09:45Z DEBUG response headers {'transfer-encoding': 'chunked', 'expires': 'Wed, 31 Dec 1969 18:00:00 
CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:45 GMT', 'content-type': 'application/json'} 2016-03-14T19:09:45Z DEBUG response body '#Mon Mar 14 14:09:45 CDT 2016\npolicyset.set1.p1.default.params.ldap.enable=false\npolicyset.set1.p5.default.params.keyUsageKeyAgreement=false\npolicyset.set1.p7.default.class_id=certificatePoliciesExtDefaultImpl\npolicyset.set1.p2.default.params.range=7\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.organization=\nauth.instance_id=AgentCertAuth\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.policyId=\npolicyset.set1.p1.default.params.ldap.ldapconn.port=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.explicitText.value=\npolicyset.set1.p6.default.params.subjAltExtType_4=RFC822Name\npolicyset.set1.p8.default.class_id=subjectKeyIdentifierExtDefaultImpl\npolicyset.set1.p6.default.params.subjAltExtType_3=RFC822Name\npolicyset.set1.p6.default.params.subjAltExtType_2=RFC822Name\npolicyset.set1.p6.default.params.subjAltExtType_1=OtherName\noutput.o2.name=nsNKeyOutputImpl\npolicyset.set1.p6.default.params.subjAltExtType_0=RFC822Name\npolicyset.set1.p13.default.params.crlDistPointsNum=1\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=false\npolicyset.set1.p7.constraint.name=No Constraint\npolicyset.set1.p7.default.name=Certificate Policies Extension 
Default\nenable=true\npolicyset.set1.p14.default.params.authInfoAccessADLocation_0=\npolicyset.set1.p14.default.params.authInfoAccessCritical=false\npolicyset.set1.p1.default.params.ldap.maxConns=4\npolicyset.set1.p13.default.params.crlDistPointsPointType_0=URIName\ninput.i1.name=nsNKeyCertReqInputImpl\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.enable=false\npolicyset.set1.p5.default.name=Key Usage Extension Default\npolicyset.set1.p13.default.params.crlDistPointsCritical=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.enable=false\noutput.o1.class_id=nsNKeyOutputImpl\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.explicitText.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=\npolicyset.set1.p12.constraint.params.basicConstraintsIsCA=-\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.value=\npolicyset.set1.p9.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.set1.p1.default.params.dnpattern=UID=$request.uid$, O=Token Key 
User\npolicyset.set1.p1.default.params.ldap.ldapconn.host=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=\npolicyset.set1.p6.default.params.subjAltExtPattern_4=\npolicyset.set1.p1.default.params.ldap.ldapconn.secureConn=false\npolicyset.set1.p9.constraint.class_id=noConstraintImpl\npolicyset.set1.p6.default.params.subjAltExtPattern_3=\npolicyset.set1.p6.default.params.subjAltExtPattern_2=\npolicyset.set1.list=p2,p4,p5,p1,p6,p8,p9,p12\npolicyset.set1.p6.default.params.subjAltExtPattern_1=\npolicyset.set1.p13.default.params.crlDistPointsIssuerName_0=\npolicyset.set1.p6.default.params.subjAltExtPattern_0=$request.mail$\noutput.list=o1\npolicyset.set1.p12.constraint.name=Basic Constraints Extension Constraint\npolicyset.set1.p6.default.params.subjAltNameExtCritical=false\npolicyset.set1.p1.default.class_id=nsTokenUserKeySubjectNameDefaultImpl\npolicyset.set1.p4.constraint.name=No Constraint\npolicyset.set1.p12.default.class_id=basicConstraintsExtDefaultImpl\npolicyset.set1.p8.constraint.class_id=noConstraintImpl\npolicyset.set1.p6.default.params.subjAltExtGNEnable_4=false\nname=Temporary Token User Encryption Certificate 
Enrollment\npolicyset.set1.p6.default.params.subjAltExtGNEnable_3=false\npolicyset.set1.p6.default.params.subjAltExtGNEnable_2=false\npolicyset.set1.p6.default.params.subjAltExtGNEnable_1=false\npolicyset.set1.p6.default.params.subjAltExtGNEnable_0=true\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.enable=false\npolicyset.set1.p13.default.params.crlDistPointsReasons_0=\npolicyset.set1.p2.default.params.startTime=0\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value=\npolicyset.set1.p12.constraint.params.basicConstraintsMinPathLen=-1\npolicyset.set1.p1.default.params.ldap.ldapconn.Version=2\npolicyset.set1.p13.default.name=crlDistributionPointsExtDefaultImpl\npolicyset.set1.p2.default.class_id=validityDefaultImpl\npolicyset.set1.p7.constraint.class_id=noConstraintImpl\npolicyset.set1.p5.default.params.keyUsageDecipherOnly=false\npolicyset.set1.p1.default.params.ldapStringAttributes=uid,mail\npolicyset.set1.p8.constraint.name=No Constraint\npolicyset.set1.p1.default.params.ldap.minConns=1\npolicyset.set1.p12.constraint.params.basicConstraintsCritical=-\npolicyset.set1.p14.default.params.authInfoAccessNumADs=1\npolicyset.set1.p6.constraint.class_id=noConstraintImpl\npolicyset.set1.p5.default.params.keyUsageEncipherOnly=false\npolicyset.set1.p1.default.name=nsTokenUserKeySubjectNameDefault\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.enable=false\npolicyset.set1.p1.default.params.ldap.searchName=uid\npolicyset.set1.p13.default.class_id=crlDistributionPointsExtDefaultImpl\npolicyset.set1.p12.default.params.basicConstraintsPathLen=-1\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=\npolicyset.set1.p8.default.name=Subject Key Identifier 
Default\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true\npolicyset.set1.p5.constraint.class_id=noConstraintImpl\npolicyset.set1.p7.default.params.Critical=false\npolicyset.set1.p1.constraint.name=No Constraint\ninput.list=i1\npolicyset.set1.p14.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.set1.p4.constraint.class_id=noConstraintImpl\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.policyId=\npolicyset.set1.p7.default.params.PoliciesExt.num=5\nenableBy=admin\npolicyset.set1.p5.default.params.keyUsageCritical=true\npolicyset.set1.p6.default.name=Subject Alternative Name Extension Default\npolicyset.set1.p13.constraint.name=No Constraint\npolicyset.set1.p4.default.class_id=signingAlgDefaultImpl\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.explicitText.value=\npolicyset.set1.p14.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.set1.p14.constraint.class_id=noConstraintImpl\npolicyset.set1.p5.constraint.name=No Constraint\npolicyset.set1.p9.constraint.name=No Constraint\ndesc=This profile is for enrolling Token Encryption 
key\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.policyId=\npolicyset.set1.p12.default.params.basicConstraintsIsCA=false\npolicyset.set1.p2.constraint.class_id=noConstraintImpl\npolicyset.set1.p13.constraint.class_id=noConstraintImpl\npolicyset.set1.p13.default.params.crlDistPointsIssuerType_0=\ninput.i1.class_id=nsNKeyCertReqInputImpl\npolicyset.set1.p6.default.params.subjAltNameNumGNs=1\npolicyset.set1.p5.default.params.keyUsageCrlSign=false\npolicyset.set1.p13.default.params.crlDistPointsPointName_0=\npolicyset.set1.p1.constraint.class_id=noConstraintImpl\npolicyset.set1.p12.constraint.class_id=basicConstraintsExtConstraintImpl\npolicyset.list=set1\npolicyset.set1.p12.constraint.params.basicConstraintsMaxPathLen=-1\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=\npolicyset.set1.p5.default.class_id=keyUsageExtDefaultImpl\npolicyset.set1.p2.constraint.name=No Constraint\nvisible=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.enable=false\npolicyset.set1.p4.default.name=Signing Algorithm Default\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.explicitText.value=\npolicyset.set1.p5.default.params.keyUsageDataEncipherment=false\npolicyset.set1.p14.default.name=AIA Extension Default\npolicyset.set1.p4.default.params.signingAlg=-\npolicyset.set1.p5.default.params.keyUsageDigitalSignature=false\npolicyset.set1.p14.constraint.name=No Constraint\npolicyset.set1.p5.default.params.keyUsageKeyCertSign=false\npolicyset.set1.p6.default.class_id=subjectAltNameExtDefaultImpl\npolicyset.set1.p13.default.params.crlDistPointsEnable_0=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.policyId=\npolicyset.set1.p6.constraint.name=No 
Constraint\npolicyset.set1.p1.default.params.ldap.basedn=\npolicyset.set1.p2.default.name=Validity Default\npolicyset.set1.p12.default.params.basicConstraintsCritical=false\npolicyset.set1.p5.default.params.keyUsageNonRepudiation=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.organization=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.enable=false\npolicyset.set1.p14.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.set1.p9.default.name=Authority Key Identifier Extension Default\npolicyset.set1.p5.default.params.keyUsageKeyEncipherment=true\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.organization=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.enable=false\npolicyset.set1.p14.default.params.authInfoAccessADEnable_0=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.policyId=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.organization=\npolicyset.set1.p12.default.name=Basic Constraints Extension Default\n' 2016-03-14T19:09:45Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caTempTokenUserEncryptionKeyEnrollment?action=enable 2016-03-14T19:09:45Z DEBUG request body '' 2016-03-14T19:09:45Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:45Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:45Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:45Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:45Z DEBUG handshake complete, peer = 
130.179.19.176:8443 2016-03-14T19:09:45Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:45Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:45Z DEBUG response status 204 No Content 2016-03-14T19:09:45Z DEBUG response headers {'date': 'Mon, 14 Mar 2016 19:09:45 GMT', 'content-type': 'application/x-www-form-urlencoded', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:45Z DEBUG response body '' 2016-03-14T19:09:45Z DEBUG request GET https://jutta.cc.umanitoba.ca:8443/ca/rest/account/logout 2016-03-14T19:09:45Z DEBUG request body '' 2016-03-14T19:09:45Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:45Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:45Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:45Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:45Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:45Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:45Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:45Z DEBUG response status 204 No Content 2016-03-14T19:09:45Z DEBUG response headers {'set-cookie': 'JSESSIONID=A214291F0DCA154BF31A52E984449BF6; Path=/ca/; Secure; HttpOnly', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:45 GMT', 'content-type': 'application/xml'} 2016-03-14T19:09:45Z DEBUG response body '' 2016-03-14T19:09:45Z INFO Migrating profile 'caTempTokenUserSigningKeyEnrollment' to LDAP 2016-03-14T19:09:45Z DEBUG request GET https://jutta.cc.umanitoba.ca:8443/ca/rest/account/login 2016-03-14T19:09:45Z DEBUG request body '' 2016-03-14T19:09:45Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:45Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:45Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:45Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:45Z DEBUG handshake complete, peer 
= 130.179.19.176:8443 2016-03-14T19:09:45Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:45Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:45Z DEBUG response status 200 OK 2016-03-14T19:09:45Z DEBUG response headers {'content-length': '205', 'set-cookie': 'JSESSIONID=5884D251DD98AF03D15CFCC1BA5CD559; Path=/ca/; Secure; HttpOnly', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:45 GMT', 'content-type': 'application/xml'} 2016-03-14T19:09:45Z DEBUG response body 'iparaCertificate Manager AgentsRegistration Manager Agents' 2016-03-14T19:09:45Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/raw 2016-03-14T19:09:45Z DEBUG request body 'desc=This profile is for enrolling Token Signing key\nenable=true\nenableBy=admin\nname=Temporary Token User Signing Certificate Enrollment\nvisible=false\nauth.instance_id=AgentCertAuth\ninput.list=i1\ninput.i1.class_id=nsNKeyCertReqInputImpl\ninput.i1.name=nsNKeyCertReqInputImpl\noutput.list=o1\noutput.o1.class_id=nsNKeyOutputImpl\noutput.o2.name=nsNKeyOutputImpl\npolicyset.list=set1\n#policyset.set1.list=p2,p4,p5,p1,p6,p7,p8,p9,p12,p13,p14\npolicyset.set1.list=p2,p4,p5,p1,p6,p8,p9,p12\npolicyset.set1.p1.constraint.class_id=noConstraintImpl\npolicyset.set1.p1.constraint.name=No Constraint\npolicyset.set1.p1.default.class_id=nsTokenUserKeySubjectNameDefaultImpl\npolicyset.set1.p1.default.name=nsTokenUserKeySubjectNameDefault\n#uncomment below to support SMIME\n#policyset.set1.p1.default.params.dnpattern=UID=$request.uid$, E=$request.mail$, O=Token Key User\npolicyset.set1.p1.default.params.dnpattern=UID=$request.uid$, O=Token Key User\n#changed ldap.enable to true to support 
SMIME\npolicyset.set1.p1.default.params.ldap.enable=false\npolicyset.set1.p1.default.params.ldap.searchName=uid\npolicyset.set1.p1.default.params.ldapStringAttributes=uid,mail\npolicyset.set1.p1.default.params.ldap.basedn=\npolicyset.set1.p1.default.params.ldap.maxConns=4\npolicyset.set1.p1.default.params.ldap.minConns=1\npolicyset.set1.p1.default.params.ldap.ldapconn.Version=2\npolicyset.set1.p1.default.params.ldap.ldapconn.host=\npolicyset.set1.p1.default.params.ldap.ldapconn.port=\npolicyset.set1.p1.default.params.ldap.ldapconn.secureConn=false\npolicyset.set1.p2.constraint.class_id=noConstraintImpl\npolicyset.set1.p2.constraint.name=No Constraint\npolicyset.set1.p2.default.class_id=validityDefaultImpl\npolicyset.set1.p2.default.name=Validity Default\npolicyset.set1.p2.default.params.range=7\npolicyset.set1.p2.default.params.startTime=0\npolicyset.set1.p4.constraint.class_id=noConstraintImpl\npolicyset.set1.p4.constraint.name=No Constraint\npolicyset.set1.p4.default.class_id=signingAlgDefaultImpl\npolicyset.set1.p4.default.name=Signing Algorithm Default\npolicyset.set1.p4.default.params.signingAlg=-\npolicyset.set1.p5.constraint.class_id=noConstraintImpl\npolicyset.set1.p5.constraint.name=No Constraint\npolicyset.set1.p5.default.class_id=keyUsageExtDefaultImpl\npolicyset.set1.p5.default.name=Key Usage Extension 
Default\npolicyset.set1.p5.default.params.keyUsageCritical=true\npolicyset.set1.p5.default.params.keyUsageCrlSign=false\npolicyset.set1.p5.default.params.keyUsageDataEncipherment=false\npolicyset.set1.p5.default.params.keyUsageDecipherOnly=false\npolicyset.set1.p5.default.params.keyUsageDigitalSignature=true\npolicyset.set1.p5.default.params.keyUsageEncipherOnly=false\npolicyset.set1.p5.default.params.keyUsageKeyAgreement=false\npolicyset.set1.p5.default.params.keyUsageKeyCertSign=false\npolicyset.set1.p5.default.params.keyUsageKeyEncipherment=false\npolicyset.set1.p5.default.params.keyUsageNonRepudiation=true\npolicyset.set1.p6.constraint.class_id=noConstraintImpl\npolicyset.set1.p6.constraint.name=No Constraint\npolicyset.set1.p6.default.class_id=subjectAltNameExtDefaultImpl\npolicyset.set1.p6.default.name=Subject Alternative Name Extension Default\npolicyset.set1.p6.default.params.subjAltExtGNEnable_0=true\npolicyset.set1.p6.default.params.subjAltExtGNEnable_1=false\npolicyset.set1.p6.default.params.subjAltExtGNEnable_2=false\npolicyset.set1.p6.default.params.subjAltExtGNEnable_3=false\npolicyset.set1.p6.default.params.subjAltExtGNEnable_4=false\npolicyset.set1.p6.default.params.subjAltExtPattern_0=$request.mail$\npolicyset.set1.p6.default.params.subjAltExtPattern_1=\npolicyset.set1.p6.default.params.subjAltExtPattern_2=\npolicyset.set1.p6.default.params.subjAltExtPattern_3=\npolicyset.set1.p6.default.params.subjAltExtPattern_4=\npolicyset.set1.p6.default.params.subjAltExtType_0=RFC822Name\npolicyset.set1.p6.default.params.subjAltExtType_1=OtherName\npolicyset.set1.p6.default.params.subjAltExtType_2=RFC822Name\npolicyset.set1.p6.default.params.subjAltExtType_3=RFC822Name\npolicyset.set1.p6.default.params.subjAltExtType_4=RFC822Name\npolicyset.set1.p6.default.params.subjAltNameExtCritical=false\npolicyset.set1.p6.default.params.subjAltNameNumGNs=1\npolicyset.set1.p7.constraint.class_id=noConstraintImpl\npolicyset.set1.p7.constraint.name=No 
Constraint\npolicyset.set1.p7.default.class_id=certificatePoliciesExtDefaultImpl\npolicyset.set1.p7.default.name=Certificate Policies Extension Default\npolicyset.set1.p7.default.params.Critical=false\npolicyset.set1.p7.default.params.PoliciesExt.num=5\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.policyId=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.policyId=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.explicitText.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.organization=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.policyId=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0
.CPSURI.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.explicitText.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.organization=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.policyId=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.explicitText.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.organization=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.policyId=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.explicitText.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=\npolicyset.set1.p7.default.par
ams.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.organization=\npolicyset.set1.p8.constraint.class_id=noConstraintImpl\npolicyset.set1.p8.constraint.name=No Constraint\npolicyset.set1.p8.default.class_id=subjectKeyIdentifierExtDefaultImpl\npolicyset.set1.p8.default.name=Subject Key Identifier Default\npolicyset.set1.p9.constraint.class_id=noConstraintImpl\npolicyset.set1.p9.constraint.name=No Constraint\npolicyset.set1.p9.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.set1.p9.default.name=Authority Key Identifier Extension Default\npolicyset.set1.p12.constraint.class_id=basicConstraintsExtConstraintImpl\npolicyset.set1.p12.constraint.name=Basic Constraints Extension Constraint\npolicyset.set1.p12.constraint.params.basicConstraintsCritical=-\npolicyset.set1.p12.constraint.params.basicConstraintsIsCA=-\npolicyset.set1.p12.constraint.params.basicConstraintsMaxPathLen=-1\npolicyset.set1.p12.constraint.params.basicConstraintsMinPathLen=-1\npolicyset.set1.p12.default.class_id=basicConstraintsExtDefaultImpl\npolicyset.set1.p12.default.name=Basic Constraints Extension Default\npolicyset.set1.p12.default.params.basicConstraintsCritical=false\npolicyset.set1.p12.default.params.basicConstraintsIsCA=false\npolicyset.set1.p12.default.params.basicConstraintsPathLen=-1\npolicyset.set1.p13.constraint.class_id=noConstraintImpl\npolicyset.set1.p13.constraint.name=No 
Default\npolicyset.adminCertSet.6.default.params.keyUsageCritical=true\npolicyset.adminCertSet.6.default.params.keyUsageDigitalSignature=true\npolicyset.adminCertSet.6.default.params.keyUsageNonRepudiation=true\npolicyset.adminCertSet.6.default.params.keyUsageDataEncipherment=true\npolicyset.adminCertSet.6.default.params.keyUsageKeyEncipherment=true\npolicyset.adminCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.adminCertSet.6.default.params.keyUsageKeyCertSign=false\npolicyset.adminCertSet.6.default.params.keyUsageCrlSign=false\npolicyset.adminCertSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.adminCertSet.6.default.params.keyUsageDecipherOnly=false\npolicyset.adminCertSet.7.constraint.class_id=noConstraintImpl\npolicyset.adminCertSet.7.constraint.name=No Constraint\npolicyset.adminCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl\npolicyset.adminCertSet.7.default.name=Extended Key Usage Extension Default\npolicyset.adminCertSet.7.default.params.exKeyUsageCritical=false\npolicyset.adminCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4\npolicyset.adminCertSet.8.constraint.class_id=signingAlgConstraintImpl\npolicyset.adminCertSet.8.constraint.name=No Constraint\npolicyset.adminCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA1withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA256withEC,SHA1withEC,SHA384withEC,SHA512withEC\npolicyset.adminCertSet.8.default.class_id=signingAlgDefaultImpl\npolicyset.adminCertSet.8.default.name=Signing Alg\npolicyset.adminCertSet.8.default.params.signingAlg=-\nprofileId=caAdminCert\nclassId=caEnrollImpl\n' 2016-03-14T19:09:45Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:45Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:45Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:45Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:46Z DEBUG handshake complete, peer = 
130.179.19.176:8443 2016-03-14T19:09:46Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:46Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:46Z DEBUG response status 200 OK 2016-03-14T19:09:46Z DEBUG response headers {'content-length': '5601', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:45 GMT', 'content-type': 'application/json'} 2016-03-14T19:09:46Z DEBUG response body '#Mon Mar 14 14:09:46 CDT 2016\npolicyset.adminCertSet.7.constraint.class_id=noConstraintImpl\ninput.i2.class_id=submitterInfoInputImpl\npolicyset.adminCertSet.2.constraint.name=Validity Constraint\nauth.instance_id=TokenAuth\npolicyset.adminCertSet.6.default.class_id=keyUsageExtDefaultImpl\noutput.o1.class_id=certOutputImpl\npolicyset.adminCertSet.8.constraint.name=No Constraint\npolicyset.adminCertSet.6.default.params.keyUsageDataEncipherment=true\npolicyset.adminCertSet.5.default.params.authInfoAccessNumADs=1\npolicyset.adminCertSet.1.default.params.name=\npolicyset.adminCertSet.6.constraint.params.keyUsageNonRepudiation=true\npolicyset.adminCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.adminCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl\nauthz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"\npolicyset.adminCertSet.4.default.name=Authority Key Identifier Default\noutput.list=o1\npolicyset.adminCertSet.2.default.params.range=365\ninput.list=i1,i2,i3\npolicyset.adminCertSet.2.default.params.startTime=0\npolicyset.adminCertSet.8.default.params.signingAlg=-\nvisible=false\npolicyset.adminCertSet.1.constraint.name=Subject Name Constraint\ndesc=This certificate profile is for enrolling Security Domain administrator\'s certificates with LDAP authentication against the internal LDAP 
database.\npolicyset.adminCertSet.3.constraint.class_id=keyConstraintImpl\npolicyset.adminCertSet.7.constraint.name=No Constraint\npolicyset.adminCertSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.adminCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.adminCertSet.1.default.class_id=userSubjectNameDefaultImpl\npolicyset.adminCertSet.3.default.name=Key Default\npolicyset.adminCertSet.8.default.class_id=signingAlgDefaultImpl\npolicyset.adminCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.adminCertSet.list=1,2,3,4,5,6,7,8\npolicyset.adminCertSet.1.constraint.params.accept=true\npolicyset.adminCertSet.2.default.class_id=validityDefaultImpl\nenable=true\npolicyset.adminCertSet.2.constraint.params.range=365\npolicyset.adminCertSet.8.default.name=Signing Alg\npolicyset.adminCertSet.6.default.params.keyUsageKeyCertSign=false\npolicyset.adminCertSet.6.constraint.name=Key Usage Extension Constraint\ninput.i1.class_id=certReqInputImpl\npolicyset.adminCertSet.7.default.params.exKeyUsageCritical=false\nenableBy=admin\npolicyset.adminCertSet.6.default.params.keyUsageKeyEncipherment=true\npolicyset.adminCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096\npolicyset.adminCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4\npolicyset.adminCertSet.3.constraint.params.keyType=RSA\npolicyset.adminCertSet.6.constraint.params.keyUsageDigitalSignature=true\npolicyset.adminCertSet.2.constraint.params.notAfterCheck=false\ninput.i3.class_id=subjectDNInputImpl\npolicyset.adminCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.adminCertSet.5.constraint.name=No Constraint\npolicyset.adminCertSet.2.default.name=Validity Default\npolicyset.adminCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.adminCertSet.5.constraint.class_id=noConstraintImpl\nname=Security Domain Administrator Certificate 
Enrollment\npolicyset.adminCertSet.5.default.params.authInfoAccessADEnable_0=true\npolicyset.adminCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.adminCertSet.7.default.name=Extended Key Usage Extension Default\npolicyset.adminCertSet.6.constraint.params.keyUsageDataEncipherment=true\npolicyset.adminCertSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.adminCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.adminCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.adminCertSet.5.default.params.authInfoAccessCritical=false\npolicyset.adminCertSet.8.constraint.class_id=signingAlgConstraintImpl\npolicyset.adminCertSet.4.constraint.name=No Constraint\npolicyset.adminCertSet.6.default.params.keyUsageNonRepudiation=true\npolicyset.adminCertSet.6.constraint.params.keyUsageCritical=true\npolicyset.adminCertSet.1.default.name=Subject Name Default\npolicyset.adminCertSet.5.default.params.authInfoAccessADLocation_0=\npolicyset.adminCertSet.6.default.params.keyUsageCrlSign=false\npolicyset.list=adminCertSet\npolicyset.adminCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.adminCertSet.3.constraint.name=Key Constraint\npolicyset.adminCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA1withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA256withEC,SHA1withEC,SHA384withEC,SHA512withEC\npolicyset.adminCertSet.6.default.name=Key Usage 
Default\npolicyset.adminCertSet.6.constraint.params.keyUsageCrlSign=false\npolicyset.adminCertSet.6.constraint.params.keyUsageKeyEncipherment=true\npolicyset.adminCertSet.1.constraint.params.pattern=.*\npolicyset.adminCertSet.6.default.params.keyUsageCritical=true\npolicyset.adminCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.adminCertSet.6.constraint.params.keyUsageKeyCertSign=false\npolicyset.adminCertSet.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.adminCertSet.6.default.params.keyUsageDecipherOnly=false\npolicyset.adminCertSet.5.default.name=AIA Extension Default\npolicyset.adminCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.adminCertSet.6.default.params.keyUsageDigitalSignature=true\npolicyset.adminCertSet.4.constraint.class_id=noConstraintImpl\n' 2016-03-14T19:09:46Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caAdminCert?action=enable 2016-03-14T19:09:46Z DEBUG request body '' 2016-03-14T19:09:46Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:46Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:46Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:46Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:46Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:46Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:46Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:46Z DEBUG response status 204 No Content 2016-03-14T19:09:46Z DEBUG response headers {'date': 'Mon, 14 Mar 2016 19:09:45 GMT', 'content-type': 'application/x-www-form-urlencoded', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:46Z DEBUG response body '' 2016-03-14T19:09:46Z DEBUG request GET https://jutta.cc.umanitoba.ca:8443/ca/rest/account/logout 2016-03-14T19:09:46Z DEBUG request body '' 2016-03-14T19:09:46Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:46Z DEBUG Connecting: 
130.179.19.176:0 2016-03-14T19:09:46Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:46Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:46Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:46Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:46Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:46Z DEBUG response status 204 No Content 2016-03-14T19:09:46Z DEBUG response headers {'set-cookie': 'JSESSIONID=D15C70AEB07DC363990E92D9C59B3BB5; Path=/ca/; Secure; HttpOnly', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:45 GMT', 'content-type': 'application/xml'} 2016-03-14T19:09:46Z DEBUG response body '' 2016-03-14T19:09:46Z INFO Migrating profile 'caInternalAuthServerCert' to LDAP 2016-03-14T19:09:46Z DEBUG request GET https://jutta.cc.umanitoba.ca:8443/ca/rest/account/login 2016-03-14T19:09:46Z DEBUG request body '' 2016-03-14T19:09:46Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:46Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:46Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:46Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:46Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:46Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:46Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:46Z DEBUG response status 200 OK 2016-03-14T19:09:46Z DEBUG response headers {'content-length': '205', 'set-cookie': 'JSESSIONID=8E21CAB58C81E5181E44909E59D53111; Path=/ca/; Secure; HttpOnly', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:45 GMT', 'content-type': 'application/xml'} 2016-03-14T19:09:46Z DEBUG response body 'iparaCertificate Manager AgentsRegistration Manager Agents' 2016-03-14T19:09:46Z DEBUG request 
POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/raw 2016-03-14T19:09:46Z DEBUG request body 'desc=This certificate profile is for enrolling Security Domain server certificates.\nvisible=false\nenable=true\nenableBy=admin\nauth.instance_id=TokenAuth\nauthz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"\nname=Security Domain Server Certificate Enrollment\ninput.list=i1,i2\ninput.i1.class_id=certReqInputImpl\ninput.i2.class_id=submitterInfoInputImpl\ninput.i3.class_id=subjectAltNameExtInputImpl\noutput.list=o1\noutput.o1.class_id=certOutputImpl\npolicyset.list=serverCertSet\npolicyset.serverCertSet.list=1,2,3,4,5,6,7,8\npolicyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.serverCertSet.1.constraint.name=Subject Name Constraint\npolicyset.serverCertSet.1.constraint.params.pattern=CN=.*\npolicyset.serverCertSet.1.constraint.params.accept=true\npolicyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl\npolicyset.serverCertSet.1.default.name=Subject Name Default\npolicyset.serverCertSet.1.default.params.name=\npolicyset.serverCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.serverCertSet.2.constraint.name=Validity Constraint\npolicyset.serverCertSet.2.constraint.params.range=720\npolicyset.serverCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.serverCertSet.2.constraint.params.notAfterCheck=false\npolicyset.serverCertSet.2.default.class_id=validityDefaultImpl\npolicyset.serverCertSet.2.default.name=Validity Default\npolicyset.serverCertSet.2.default.params.range=720\npolicyset.serverCertSet.2.default.params.startTime=0\npolicyset.serverCertSet.3.constraint.class_id=keyConstraintImpl\npolicyset.serverCertSet.3.constraint.name=Key 
Constraint\npolicyset.serverCertSet.3.constraint.params.keyType=-\npolicyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521\npolicyset.serverCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.serverCertSet.3.default.name=Key Default\npolicyset.serverCertSet.4.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.4.constraint.name=No Constraint\npolicyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.serverCertSet.4.default.name=Authority Key Identifier Default\npolicyset.serverCertSet.5.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.5.constraint.name=No Constraint\npolicyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.serverCertSet.5.default.name=AIA Extension Default\npolicyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true\npolicyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=\npolicyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.serverCertSet.5.default.params.authInfoAccessCritical=false\npolicyset.serverCertSet.5.default.params.authInfoAccessNumADs=1\npolicyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.serverCertSet.6.constraint.name=Key Usage Extension 
Constraint\npolicyset.serverCertSet.6.constraint.params.keyUsageCritical=true\npolicyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true\npolicyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true\npolicyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true\npolicyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true\npolicyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false\npolicyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false\npolicyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.serverCertSet.6.default.name=Key Usage Default\npolicyset.serverCertSet.6.default.params.keyUsageCritical=true\npolicyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true\npolicyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true\npolicyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true\npolicyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true\npolicyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false\npolicyset.serverCertSet.6.default.params.keyUsageCrlSign=false\npolicyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false\npolicyset.serverCertSet.7.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.7.constraint.name=No Constraint\npolicyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl\npolicyset.serverCertSet.7.default.name=Extended Key Usage Extension 
Default\npolicyset.serverCertSet.7.default.params.exKeyUsageCritical=false\npolicyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4\npolicyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl\npolicyset.serverCertSet.8.constraint.name=No Constraint\npolicyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\npolicyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl\npolicyset.serverCertSet.8.default.name=Signing Alg\npolicyset.serverCertSet.8.default.params.signingAlg=-\n# allows SAN to be specified from client side\n# need to:\n# 1. add i3 to input.list above\n# 2. add 9 to policyset.serverCertSet.list above\n# 3. change below to reflect the number of general names, and\n# turn each corresponding subjAltExtPattern_ to true\n# policyset.serverCertSet.9.default.params.subjAltNameNumGNs\npolicyset.serverCertSet.9.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.9.constraint.name=No Constraint\npolicyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl\npolicyset.serverCertSet.9.default.name=Subject Alternative Name Extension 
Default\npolicyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true\npolicyset.serverCertSet.9.default.params.subjAltExtPattern_0=$request.req_san_pattern_0$\npolicyset.serverCertSet.9.default.params.subjAltExtType_0=DNSName\npolicyset.serverCertSet.9.default.params.subjAltExtGNEnable_1=false\npolicyset.serverCertSet.9.default.params.subjAltExtPattern_1=$request.req_san_pattern_1$\npolicyset.serverCertSet.9.default.params.subjAltExtType_1=DNSName\npolicyset.serverCertSet.9.default.params.subjAltExtGNEnable_2=false\npolicyset.serverCertSet.9.default.params.subjAltExtPattern_2=$request.req_san_pattern_2$\npolicyset.serverCertSet.9.default.params.subjAltExtType_2=DNSName\npolicyset.serverCertSet.9.default.params.subjAltNameExtCritical=false\npolicyset.serverCertSet.9.default.params.subjAltNameNumGNs=1\nprofileId=caInternalAuthServerCert\nclassId=caEnrollImpl\n' 2016-03-14T19:09:46Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:46Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:46Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:46Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:46Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:46Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:46Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:46Z DEBUG response status 400 Bad Request 2016-03-14T19:09:46Z DEBUG response headers {'transfer-encoding': 'chunked', 'date': 'Mon, 14 Mar 2016 19:09:45 GMT', 'connection': 'close', 'content-type': 'application/json', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:46Z DEBUG response body '{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.BadRequestException","Code":400,"Message":"Profile already exists"}' 2016-03-14T19:09:46Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caInternalAuthServerCert?action=disable 2016-03-14T19:09:46Z DEBUG request body '' 2016-03-14T19:09:46Z 
DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:46Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:46Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:46Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:46Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:46Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:46Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:46Z DEBUG response status 204 No Content 2016-03-14T19:09:46Z DEBUG response headers {'date': 'Mon, 14 Mar 2016 19:09:45 GMT', 'content-type': 'application/x-www-form-urlencoded', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:46Z DEBUG response body '' 2016-03-14T19:09:46Z DEBUG request PUT https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caInternalAuthServerCert/raw 2016-03-14T19:09:46Z DEBUG request body 'desc=This certificate profile is for enrolling Security Domain server certificates.\nvisible=false\nenable=true\nenableBy=admin\nauth.instance_id=TokenAuth\nauthz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"\nname=Security Domain Server Certificate Enrollment\ninput.list=i1,i2\ninput.i1.class_id=certReqInputImpl\ninput.i2.class_id=submitterInfoInputImpl\ninput.i3.class_id=subjectAltNameExtInputImpl\noutput.list=o1\noutput.o1.class_id=certOutputImpl\npolicyset.list=serverCertSet\npolicyset.serverCertSet.list=1,2,3,4,5,6,7,8\npolicyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.serverCertSet.1.constraint.name=Subject Name Constraint\npolicyset.serverCertSet.1.constraint.params.pattern=CN=.*\npolicyset.serverCertSet.1.constraint.params.accept=true\npolicyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl\npolicyset.serverCertSet.1.default.name=Subject Name 
Default\npolicyset.serverCertSet.1.default.params.name=\npolicyset.serverCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.serverCertSet.2.constraint.name=Validity Constraint\npolicyset.serverCertSet.2.constraint.params.range=720\npolicyset.serverCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.serverCertSet.2.constraint.params.notAfterCheck=false\npolicyset.serverCertSet.2.default.class_id=validityDefaultImpl\npolicyset.serverCertSet.2.default.name=Validity Default\npolicyset.serverCertSet.2.default.params.range=720\npolicyset.serverCertSet.2.default.params.startTime=0\npolicyset.serverCertSet.3.constraint.class_id=keyConstraintImpl\npolicyset.serverCertSet.3.constraint.name=Key Constraint\npolicyset.serverCertSet.3.constraint.params.keyType=-\npolicyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521\npolicyset.serverCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.serverCertSet.3.default.name=Key Default\npolicyset.serverCertSet.4.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.4.constraint.name=No Constraint\npolicyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.serverCertSet.4.default.name=Authority Key Identifier Default\npolicyset.serverCertSet.5.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.5.constraint.name=No Constraint\npolicyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.serverCertSet.5.default.name=AIA Extension 
Default\npolicyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true\npolicyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=\npolicyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.serverCertSet.5.default.params.authInfoAccessCritical=false\npolicyset.serverCertSet.5.default.params.authInfoAccessNumADs=1\npolicyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint\npolicyset.serverCertSet.6.constraint.params.keyUsageCritical=true\npolicyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true\npolicyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true\npolicyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true\npolicyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true\npolicyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false\npolicyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false\npolicyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.serverCertSet.6.default.name=Key Usage 
Default\npolicyset.drmStorageCertSet.5.constraint.class_id=noConstraintImpl\npolicyset.drmStorageCertSet.5.constraint.name=No Constraint\npolicyset.drmStorageCertSet.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.drmStorageCertSet.5.default.name=AIA Extension Default\npolicyset.drmStorageCertSet.5.default.params.authInfoAccessADEnable_0=true\npolicyset.drmStorageCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.drmStorageCertSet.5.default.params.authInfoAccessADLocation_0=\npolicyset.drmStorageCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.drmStorageCertSet.5.default.params.authInfoAccessCritical=false\npolicyset.drmStorageCertSet.5.default.params.authInfoAccessNumADs=1\npolicyset.drmStorageCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.drmStorageCertSet.6.constraint.name=Key Usage Extension Constraint\npolicyset.drmStorageCertSet.6.constraint.params.keyUsageCritical=true\npolicyset.drmStorageCertSet.6.constraint.params.keyUsageDigitalSignature=true\npolicyset.drmStorageCertSet.6.constraint.params.keyUsageNonRepudiation=true\npolicyset.drmStorageCertSet.6.constraint.params.keyUsageDataEncipherment=true\npolicyset.drmStorageCertSet.6.constraint.params.keyUsageKeyEncipherment=true\npolicyset.drmStorageCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.drmStorageCertSet.6.constraint.params.keyUsageKeyCertSign=false\npolicyset.drmStorageCertSet.6.constraint.params.keyUsageCrlSign=false\npolicyset.drmStorageCertSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.drmStorageCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.drmStorageCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.drmStorageCertSet.6.default.name=Key Usage 
Default\npolicyset.drmStorageCertSet.6.default.params.keyUsageCritical=true\npolicyset.drmStorageCertSet.6.default.params.keyUsageDigitalSignature=true\npolicyset.drmStorageCertSet.6.default.params.keyUsageNonRepudiation=true\npolicyset.drmStorageCertSet.6.default.params.keyUsageDataEncipherment=true\npolicyset.drmStorageCertSet.6.default.params.keyUsageKeyEncipherment=true\npolicyset.drmStorageCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.drmStorageCertSet.6.default.params.keyUsageKeyCertSign=false\npolicyset.drmStorageCertSet.6.default.params.keyUsageCrlSign=false\npolicyset.drmStorageCertSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.drmStorageCertSet.6.default.params.keyUsageDecipherOnly=false\npolicyset.drmStorageCertSet.7.constraint.class_id=noConstraintImpl\npolicyset.drmStorageCertSet.7.constraint.name=No Constraint\npolicyset.drmStorageCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl\npolicyset.drmStorageCertSet.7.default.name=Extended Key Usage Extension Default\npolicyset.drmStorageCertSet.7.default.params.exKeyUsageCritical=false\npolicyset.drmStorageCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2\npolicyset.drmStorageCertSet.9.constraint.class_id=signingAlgConstraintImpl\npolicyset.drmStorageCertSet.9.constraint.name=No Constraint\npolicyset.drmStorageCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\npolicyset.drmStorageCertSet.9.default.class_id=signingAlgDefaultImpl\npolicyset.drmStorageCertSet.9.default.name=Signing Alg\npolicyset.drmStorageCertSet.9.default.params.signingAlg=-\nprofileId=caInternalAuthDRMstorageCert\nclassId=caEnrollImpl\n' 2016-03-14T19:09:46Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:46Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:46Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:46Z DEBUG cert valid 
True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:46Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:46Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:46Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:46Z DEBUG response status 400 Bad Request 2016-03-14T19:09:46Z DEBUG response headers {'transfer-encoding': 'chunked', 'date': 'Mon, 14 Mar 2016 19:09:46 GMT', 'connection': 'close', 'content-type': 'application/json', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:46Z DEBUG response body '{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.BadRequestException","Code":400,"Message":"Profile already exists"}' 2016-03-14T19:09:46Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caInternalAuthDRMstorageCert?action=disable 2016-03-14T19:09:46Z DEBUG request body '' 2016-03-14T19:09:46Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:46Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:46Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:46Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:46Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:46Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:46Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:46Z DEBUG response status 204 No Content 2016-03-14T19:09:46Z DEBUG response headers {'date': 'Mon, 14 Mar 2016 19:09:46 GMT', 'content-type': 'application/x-www-form-urlencoded', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:46Z DEBUG response body '' 2016-03-14T19:09:46Z DEBUG request PUT https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caInternalAuthDRMstorageCert/raw 2016-03-14T19:09:46Z DEBUG request body 'desc=This certificate profile is for enrolling Security Domain DRM storage certificates\nvisible=false\nenable=true\nenableBy=admin\nauth.instance_id=TokenAuth\nauthz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA 
Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"\nname=Security Domain DRM storage Certificate Enrollment\ninput.list=i1,i2\ninput.i1.class_id=certReqInputImpl\ninput.i2.class_id=submitterInfoInputImpl\noutput.list=o1\noutput.o1.class_id=certOutputImpl\npolicyset.list=drmStorageCertSet\npolicyset.drmStorageCertSet.list=1,2,3,4,5,6,7,9\npolicyset.drmStorageCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.drmStorageCertSet.1.constraint.name=Subject Name Constraint\npolicyset.drmStorageCertSet.1.constraint.params.pattern=CN=.*\npolicyset.drmStorageCertSet.1.constraint.params.accept=true\npolicyset.drmStorageCertSet.1.default.class_id=userSubjectNameDefaultImpl\npolicyset.drmStorageCertSet.1.default.name=Subject Name Default\npolicyset.drmStorageCertSet.1.default.params.name=\npolicyset.drmStorageCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.drmStorageCertSet.2.constraint.name=Validity Constraint\npolicyset.drmStorageCertSet.2.constraint.params.range=720\npolicyset.drmStorageCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.drmStorageCertSet.2.constraint.params.notAfterCheck=false\npolicyset.drmStorageCertSet.2.default.class_id=validityDefaultImpl\npolicyset.drmStorageCertSet.2.default.name=Validity Default\npolicyset.drmStorageCertSet.2.default.params.range=720\npolicyset.drmStorageCertSet.2.default.params.startTime=0\npolicyset.drmStorageCertSet.3.constraint.class_id=keyConstraintImpl\npolicyset.drmStorageCertSet.3.constraint.name=Key Constraint\npolicyset.drmStorageCertSet.3.constraint.params.keyType=-\npolicyset.drmStorageCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096\npolicyset.drmStorageCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.drmStorageCertSet.3.default.name=Key 
Default\npolicyset.drmStorageCertSet.4.constraint.class_id=noConstraintImpl\npolicyset.drmStorageCertSet.4.constraint.name=No Constraint\npolicyset.drmStorageCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.drmStorageCertSet.4.default.name=Authority Key Identifier Default\npolicyset.drmStorageCertSet.5.constraint.class_id=noConstraintImpl\npolicyset.drmStorageCertSet.5.constraint.name=No Constraint\npolicyset.drmStorageCertSet.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.drmStorageCertSet.5.default.name=AIA Extension Default\npolicyset.drmStorageCertSet.5.default.params.authInfoAccessADEnable_0=true\npolicyset.drmStorageCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.drmStorageCertSet.5.default.params.authInfoAccessADLocation_0=\npolicyset.drmStorageCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.drmStorageCertSet.5.default.params.authInfoAccessCritical=false\npolicyset.drmStorageCertSet.5.default.params.authInfoAccessNumADs=1\npolicyset.drmStorageCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.drmStorageCertSet.6.constraint.name=Key Usage Extension 
Constraint\npolicyset.drmStorageCertSet.6.constraint.params.keyUsageCritical=true\npolicyset.drmStorageCertSet.6.constraint.params.keyUsageDigitalSignature=true\npolicyset.drmStorageCertSet.6.constraint.params.keyUsageNonRepudiation=true\npolicyset.drmStorageCertSet.6.constraint.params.keyUsageDataEncipherment=true\npolicyset.drmStorageCertSet.6.constraint.params.keyUsageKeyEncipherment=true\npolicyset.drmStorageCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.drmStorageCertSet.6.constraint.params.keyUsageKeyCertSign=false\npolicyset.drmStorageCertSet.6.constraint.params.keyUsageCrlSign=false\npolicyset.drmStorageCertSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.drmStorageCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.drmStorageCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.drmStorageCertSet.6.default.name=Key Usage Default\npolicyset.drmStorageCertSet.6.default.params.keyUsageCritical=true\npolicyset.drmStorageCertSet.6.default.params.keyUsageDigitalSignature=true\npolicyset.drmStorageCertSet.6.default.params.keyUsageNonRepudiation=true\npolicyset.drmStorageCertSet.6.default.params.keyUsageDataEncipherment=true\npolicyset.drmStorageCertSet.6.default.params.keyUsageKeyEncipherment=true\npolicyset.drmStorageCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.drmStorageCertSet.6.default.params.keyUsageKeyCertSign=false\npolicyset.drmStorageCertSet.6.default.params.keyUsageCrlSign=false\npolicyset.drmStorageCertSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.drmStorageCertSet.6.default.params.keyUsageDecipherOnly=false\npolicyset.drmStorageCertSet.7.constraint.class_id=noConstraintImpl\npolicyset.drmStorageCertSet.7.constraint.name=No Constraint\npolicyset.drmStorageCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl\npolicyset.drmStorageCertSet.7.default.name=Extended Key Usage Extension 
Default\npolicyset.drmStorageCertSet.7.default.params.exKeyUsageCritical=false\npolicyset.drmStorageCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2\npolicyset.drmStorageCertSet.9.constraint.class_id=signingAlgConstraintImpl\npolicyset.drmStorageCertSet.9.constraint.name=No Constraint\npolicyset.drmStorageCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\npolicyset.drmStorageCertSet.9.default.class_id=signingAlgDefaultImpl\npolicyset.drmStorageCertSet.9.default.name=Signing Alg\npolicyset.drmStorageCertSet.9.default.params.signingAlg=-\nprofileId=caInternalAuthDRMstorageCert\nclassId=caEnrollImpl\n' 2016-03-14T19:09:46Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:46Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:46Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:46Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:46Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:46Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:46Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:46Z DEBUG response status 200 OK 2016-03-14T19:09:46Z DEBUG response headers {'content-length': '5847', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:46 GMT', 'content-type': 'application/json'} 2016-03-14T19:09:46Z DEBUG response body '#Mon Mar 14 14:09:46 CDT 
2016\npolicyset.drmStorageCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.drmStorageCertSet.6.default.params.keyUsageDigitalSignature=true\npolicyset.drmStorageCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2\ninput.i2.class_id=submitterInfoInputImpl\nauth.instance_id=TokenAuth\npolicyset.drmStorageCertSet.6.constraint.params.keyUsageCrlSign=false\noutput.o1.class_id=certOutputImpl\npolicyset.drmStorageCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.drmStorageCertSet.9.constraint.class_id=signingAlgConstraintImpl\npolicyset.drmStorageCertSet.5.constraint.name=No Constraint\npolicyset.drmStorageCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl\npolicyset.drmStorageCertSet.5.default.params.authInfoAccessADLocation_0=\npolicyset.drmStorageCertSet.2.default.params.range=720\npolicyset.drmStorageCertSet.6.default.params.keyUsageDataEncipherment=true\nauthz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"\npolicyset.drmStorageCertSet.1.constraint.params.accept=true\noutput.list=o1\npolicyset.drmStorageCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\npolicyset.drmStorageCertSet.2.constraint.class_id=validityConstraintImpl\ninput.list=i1,i2\npolicyset.drmStorageCertSet.4.default.name=Authority Key Identifier Default\npolicyset.drmStorageCertSet.6.default.params.keyUsageNonRepudiation=true\npolicyset.drmStorageCertSet.5.constraint.class_id=noConstraintImpl\nvisible=false\npolicyset.drmStorageCertSet.6.constraint.params.keyUsageKeyEncipherment=true\ndesc=This certificate profile is for enrolling Security Domain DRM storage 
certificates\npolicyset.drmStorageCertSet.1.default.class_id=userSubjectNameDefaultImpl\npolicyset.drmStorageCertSet.9.default.name=Signing Alg\npolicyset.drmStorageCertSet.4.constraint.name=No Constraint\npolicyset.drmStorageCertSet.5.default.params.authInfoAccessCritical=false\npolicyset.drmStorageCertSet.6.constraint.params.keyUsageDigitalSignature=true\npolicyset.drmStorageCertSet.2.default.class_id=validityDefaultImpl\npolicyset.drmStorageCertSet.6.constraint.params.keyUsageKeyCertSign=false\npolicyset.drmStorageCertSet.3.constraint.name=Key Constraint\npolicyset.drmStorageCertSet.3.default.name=Key Default\npolicyset.drmStorageCertSet.6.default.params.keyUsageEncipherOnly=false\nenable=true\npolicyset.drmStorageCertSet.9.default.class_id=signingAlgDefaultImpl\npolicyset.drmStorageCertSet.6.constraint.params.keyUsageDataEncipherment=true\npolicyset.drmStorageCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.drmStorageCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096\npolicyset.drmStorageCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.drmStorageCertSet.2.constraint.params.notAfterCheck=false\npolicyset.drmStorageCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.drmStorageCertSet.4.constraint.class_id=noConstraintImpl\ninput.i1.class_id=certReqInputImpl\nenableBy=admin\npolicyset.drmStorageCertSet.9.constraint.name=No Constraint\npolicyset.drmStorageCertSet.list=1,2,3,4,5,6,7,9\npolicyset.drmStorageCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.drmStorageCertSet.3.constraint.params.keyType=-\npolicyset.drmStorageCertSet.2.constraint.name=Validity Constraint\npolicyset.drmStorageCertSet.2.default.name=Validity Default\npolicyset.drmStorageCertSet.1.default.params.name=\nname=Security Domain DRM storage Certificate 
Enrollment\npolicyset.drmStorageCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.drmStorageCertSet.6.default.params.keyUsageKeyCertSign=false\npolicyset.drmStorageCertSet.7.constraint.class_id=noConstraintImpl\npolicyset.drmStorageCertSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.drmStorageCertSet.2.constraint.params.range=720\npolicyset.drmStorageCertSet.6.default.params.keyUsageDecipherOnly=false\npolicyset.drmStorageCertSet.1.default.name=Subject Name Default\npolicyset.drmStorageCertSet.7.default.name=Extended Key Usage Extension Default\npolicyset.drmStorageCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.drmStorageCertSet.7.default.params.exKeyUsageCritical=false\npolicyset.drmStorageCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.drmStorageCertSet.1.constraint.name=Subject Name Constraint\npolicyset.drmStorageCertSet.5.default.params.authInfoAccessADEnable_0=true\npolicyset.drmStorageCertSet.9.default.params.signingAlg=-\npolicyset.drmStorageCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.drmStorageCertSet.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.list=drmStorageCertSet\npolicyset.drmStorageCertSet.6.default.params.keyUsageCritical=true\npolicyset.drmStorageCertSet.5.default.params.authInfoAccessNumADs=1\npolicyset.drmStorageCertSet.7.constraint.name=No Constraint\npolicyset.drmStorageCertSet.1.constraint.params.pattern=CN=.*\npolicyset.drmStorageCertSet.6.constraint.params.keyUsageNonRepudiation=true\npolicyset.drmStorageCertSet.6.default.params.keyUsageKeyEncipherment=true\npolicyset.drmStorageCertSet.3.constraint.class_id=keyConstraintImpl\npolicyset.drmStorageCertSet.6.default.name=Key Usage Default\npolicyset.drmStorageCertSet.6.constraint.name=Key Usage Extension 
Constraint\npolicyset.drmStorageCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.drmStorageCertSet.6.constraint.params.keyUsageCritical=true\npolicyset.drmStorageCertSet.2.default.params.startTime=0\npolicyset.drmStorageCertSet.6.default.params.keyUsageCrlSign=false\npolicyset.drmStorageCertSet.5.default.name=AIA Extension Default\n' 2016-03-14T19:09:46Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caInternalAuthDRMstorageCert?action=enable 2016-03-14T19:09:46Z DEBUG request body '' 2016-03-14T19:09:46Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:46Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:46Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:46Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:46Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:46Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:46Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:46Z DEBUG response status 204 No Content 2016-03-14T19:09:46Z DEBUG response headers {'date': 'Mon, 14 Mar 2016 19:09:46 GMT', 'content-type': 'application/x-www-form-urlencoded', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:46Z DEBUG response body '' 2016-03-14T19:09:46Z DEBUG request GET https://jutta.cc.umanitoba.ca:8443/ca/rest/account/logout 2016-03-14T19:09:46Z DEBUG request body '' 2016-03-14T19:09:46Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:46Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:46Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:46Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:46Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:46Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:46Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:46Z DEBUG response status 204 No Content 2016-03-14T19:09:46Z DEBUG response headers 
{'set-cookie': 'JSESSIONID=063AB1581EBF97B3EE76D1A7BDD8D992; Path=/ca/; Secure; HttpOnly', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:46 GMT', 'content-type': 'application/xml'} 2016-03-14T19:09:46Z DEBUG response body '' 2016-03-14T19:09:46Z INFO Migrating profile 'caInternalAuthSubsystemCert' to LDAP 2016-03-14T19:09:46Z DEBUG request GET https://jutta.cc.umanitoba.ca:8443/ca/rest/account/login 2016-03-14T19:09:46Z DEBUG request body '' 2016-03-14T19:09:46Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:46Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:46Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:46Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:46Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:46Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:46Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:46Z DEBUG response status 200 OK 2016-03-14T19:09:46Z DEBUG response headers {'content-length': '205', 'set-cookie': 'JSESSIONID=37FA7D604034FA1C3D63E1422F7A1CF2; Path=/ca/; Secure; HttpOnly', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:46 GMT', 'content-type': 'application/xml'} 2016-03-14T19:09:46Z DEBUG response body 'iparaCertificate Manager AgentsRegistration Manager Agents' 2016-03-14T19:09:46Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/raw 2016-03-14T19:09:46Z DEBUG request body 'desc=This certificate profile is for enrolling Security Domain subsystem certificates.\nvisible=false\nenable=true\nenableBy=admin\nauth.instance_id=TokenAuth\nauthz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS 
Administrators" || group="Enterprise TPS Administrators"\nname=Security Domain Subsystem Certificate Enrollment\ninput.list=i1,i2\ninput.i1.class_id=certReqInputImpl\ninput.i2.class_id=submitterInfoInputImpl\noutput.list=o1\noutput.o1.class_id=certOutputImpl\nupdater.list=u1\nupdater.u1.class_id=subsystemGroupUpdaterImpl\npolicyset.list=serverCertSet\npolicyset.serverCertSet.list=1,2,3,4,5,6,7,8\npolicyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.serverCertSet.1.constraint.name=Subject Name Constraint\npolicyset.serverCertSet.1.constraint.params.pattern=CN=.*\npolicyset.serverCertSet.1.constraint.params.accept=true\npolicyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl\npolicyset.serverCertSet.1.default.name=Subject Name Default\npolicyset.serverCertSet.1.default.params.name=\npolicyset.serverCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.serverCertSet.2.constraint.name=Validity Constraint\npolicyset.serverCertSet.2.constraint.params.range=720\npolicyset.serverCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.serverCertSet.2.constraint.params.notAfterCheck=false\npolicyset.serverCertSet.2.default.class_id=validityDefaultImpl\npolicyset.serverCertSet.2.default.name=Validity Default\npolicyset.serverCertSet.2.default.params.range=720\npolicyset.serverCertSet.2.default.params.startTime=0\npolicyset.serverCertSet.3.constraint.class_id=keyConstraintImpl\npolicyset.serverCertSet.3.constraint.name=Key Constraint\npolicyset.serverCertSet.3.constraint.params.keyType=-\npolicyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521\npolicyset.serverCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.serverCertSet.3.default.name=Key Default\npolicyset.serverCertSet.4.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.4.constraint.name=No 
Constraint\npolicyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.serverCertSet.4.default.name=Authority Key Identifier Default\npolicyset.serverCertSet.5.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.5.constraint.name=No Constraint\npolicyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.serverCertSet.5.default.name=AIA Extension Default\npolicyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true\npolicyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=\npolicyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.serverCertSet.5.default.params.authInfoAccessCritical=false\npolicyset.serverCertSet.5.default.params.authInfoAccessNumADs=1\npolicyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint\npolicyset.serverCertSet.6.constraint.params.keyUsageCritical=true\npolicyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true\npolicyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true\npolicyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true\npolicyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true\npolicyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false\npolicyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false\npolicyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.serverCertSet.6.default.name=Key Usage 
Constraint\npolicyset.auditSigningCertSet.2.constraint.params.range=720\npolicyset.auditSigningCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.auditSigningCertSet.2.constraint.params.notAfterCheck=false\npolicyset.auditSigningCertSet.2.default.class_id=validityDefaultImpl\npolicyset.auditSigningCertSet.2.default.name=Validity Default\npolicyset.auditSigningCertSet.2.default.params.range=720\npolicyset.auditSigningCertSet.2.default.params.startTime=0\npolicyset.auditSigningCertSet.3.constraint.class_id=keyConstraintImpl\npolicyset.auditSigningCertSet.3.constraint.name=Key Constraint\npolicyset.auditSigningCertSet.3.constraint.params.keyType=-\npolicyset.auditSigningCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096\npolicyset.auditSigningCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.auditSigningCertSet.3.default.name=Key Default\npolicyset.auditSigningCertSet.4.constraint.class_id=noConstraintImpl\npolicyset.auditSigningCertSet.4.constraint.name=No Constraint\npolicyset.auditSigningCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.auditSigningCertSet.4.default.name=Authority Key Identifier Default\npolicyset.auditSigningCertSet.5.constraint.class_id=noConstraintImpl\npolicyset.auditSigningCertSet.5.constraint.name=No Constraint\npolicyset.auditSigningCertSet.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.auditSigningCertSet.5.default.name=AIA Extension 
Default\npolicyset.auditSigningCertSet.5.default.params.authInfoAccessADEnable_0=true\npolicyset.auditSigningCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.auditSigningCertSet.5.default.params.authInfoAccessADLocation_0=\npolicyset.auditSigningCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.auditSigningCertSet.5.default.params.authInfoAccessCritical=false\npolicyset.auditSigningCertSet.5.default.params.authInfoAccessNumADs=1\npolicyset.auditSigningCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.auditSigningCertSet.6.constraint.name=Key Usage Extension Constraint\npolicyset.auditSigningCertSet.6.constraint.params.keyUsageCritical=true\npolicyset.auditSigningCertSet.6.constraint.params.keyUsageDigitalSignature=true\npolicyset.auditSigningCertSet.6.constraint.params.keyUsageNonRepudiation=true\npolicyset.auditSigningCertSet.6.constraint.params.keyUsageDataEncipherment=false\npolicyset.auditSigningCertSet.6.constraint.params.keyUsageKeyEncipherment=false\npolicyset.auditSigningCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.auditSigningCertSet.6.constraint.params.keyUsageKeyCertSign=false\npolicyset.auditSigningCertSet.6.constraint.params.keyUsageCrlSign=false\npolicyset.auditSigningCertSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.auditSigningCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.auditSigningCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.auditSigningCertSet.6.default.name=Key Usage 
Default\npolicyset.auditSigningCertSet.6.default.params.keyUsageCritical=true\npolicyset.auditSigningCertSet.6.default.params.keyUsageDigitalSignature=true\npolicyset.auditSigningCertSet.6.default.params.keyUsageNonRepudiation=true\npolicyset.auditSigningCertSet.6.default.params.keyUsageDataEncipherment=false\npolicyset.auditSigningCertSet.6.default.params.keyUsageKeyEncipherment=false\npolicyset.auditSigningCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.auditSigningCertSet.6.default.params.keyUsageKeyCertSign=false\npolicyset.auditSigningCertSet.6.default.params.keyUsageCrlSign=false\npolicyset.auditSigningCertSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.auditSigningCertSet.6.default.params.keyUsageDecipherOnly=false\npolicyset.auditSigningCertSet.9.constraint.class_id=signingAlgConstraintImpl\npolicyset.auditSigningCertSet.9.constraint.name=No Constraint\npolicyset.auditSigningCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\npolicyset.auditSigningCertSet.9.default.class_id=signingAlgDefaultImpl\npolicyset.auditSigningCertSet.9.default.name=Signing Alg\npolicyset.auditSigningCertSet.9.default.params.signingAlg=-\nprofileId=caInternalAuthAuditSigningCert\nclassId=caEnrollImpl\n' 2016-03-14T19:09:47Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:47Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:47Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:47Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:47Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:47Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:47Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:47Z DEBUG response status 400 Bad Request 2016-03-14T19:09:47Z DEBUG response headers {'transfer-encoding': 'chunked', 'date': 'Mon, 14 Mar 2016 19:09:47 GMT', 
'connection': 'close', 'content-type': 'application/json', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:47Z DEBUG response body '{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.BadRequestException","Code":400,"Message":"Profile already exists"}' 2016-03-14T19:09:47Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caInternalAuthAuditSigningCert?action=disable 2016-03-14T19:09:47Z DEBUG request body '' 2016-03-14T19:09:47Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:47Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:47Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:47Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:47Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:47Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:47Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:47Z DEBUG response status 204 No Content 2016-03-14T19:09:47Z DEBUG response headers {'date': 'Mon, 14 Mar 2016 19:09:47 GMT', 'content-type': 'application/x-www-form-urlencoded', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:47Z DEBUG response body '' 2016-03-14T19:09:47Z DEBUG request PUT https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caInternalAuthAuditSigningCert/raw 2016-03-14T19:09:47Z DEBUG request body 'desc=This certificate profile is for enrolling audit signing certificates.\nvisible=false\nenable=true\nenableBy=admin\nauth.instance_id=TokenAuth\nauthz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"\nname=Audit Signing Certificate 
Enrollment\ninput.list=i1,i2\ninput.i1.class_id=certReqInputImpl\ninput.i2.class_id=submitterInfoInputImpl\noutput.list=o1\noutput.o1.class_id=certOutputImpl\npolicyset.list=auditSigningCertSet\npolicyset.auditSigningCertSet.list=1,2,3,4,5,6,9\npolicyset.auditSigningCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.auditSigningCertSet.1.constraint.name=Subject Name Constraint\npolicyset.auditSigningCertSet.1.constraint.params.pattern=CN=.*\npolicyset.auditSigningCertSet.1.constraint.params.accept=true\npolicyset.auditSigningCertSet.1.default.class_id=userSubjectNameDefaultImpl\npolicyset.auditSigningCertSet.1.default.name=Subject Name Default\npolicyset.auditSigningCertSet.1.default.params.name=\npolicyset.auditSigningCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.auditSigningCertSet.2.constraint.name=Validity Constraint\npolicyset.auditSigningCertSet.2.constraint.params.range=720\npolicyset.auditSigningCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.auditSigningCertSet.2.constraint.params.notAfterCheck=false\npolicyset.auditSigningCertSet.2.default.class_id=validityDefaultImpl\npolicyset.auditSigningCertSet.2.default.name=Validity Default\npolicyset.auditSigningCertSet.2.default.params.range=720\npolicyset.auditSigningCertSet.2.default.params.startTime=0\npolicyset.auditSigningCertSet.3.constraint.class_id=keyConstraintImpl\npolicyset.auditSigningCertSet.3.constraint.name=Key Constraint\npolicyset.auditSigningCertSet.3.constraint.params.keyType=-\npolicyset.auditSigningCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096\npolicyset.auditSigningCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.auditSigningCertSet.3.default.name=Key Default\npolicyset.auditSigningCertSet.4.constraint.class_id=noConstraintImpl\npolicyset.auditSigningCertSet.4.constraint.name=No 
Constraint\npolicyset.auditSigningCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.auditSigningCertSet.4.default.name=Authority Key Identifier Default\npolicyset.auditSigningCertSet.5.constraint.class_id=noConstraintImpl\npolicyset.auditSigningCertSet.5.constraint.name=No Constraint\npolicyset.auditSigningCertSet.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.auditSigningCertSet.5.default.name=AIA Extension Default\npolicyset.auditSigningCertSet.5.default.params.authInfoAccessADEnable_0=true\npolicyset.auditSigningCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.auditSigningCertSet.5.default.params.authInfoAccessADLocation_0=\npolicyset.auditSigningCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.auditSigningCertSet.5.default.params.authInfoAccessCritical=false\npolicyset.auditSigningCertSet.5.default.params.authInfoAccessNumADs=1\npolicyset.auditSigningCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.auditSigningCertSet.6.constraint.name=Key Usage Extension Constraint\npolicyset.auditSigningCertSet.6.constraint.params.keyUsageCritical=true\npolicyset.auditSigningCertSet.6.constraint.params.keyUsageDigitalSignature=true\npolicyset.auditSigningCertSet.6.constraint.params.keyUsageNonRepudiation=true\npolicyset.auditSigningCertSet.6.constraint.params.keyUsageDataEncipherment=false\npolicyset.auditSigningCertSet.6.constraint.params.keyUsageKeyEncipherment=false\npolicyset.auditSigningCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.auditSigningCertSet.6.constraint.params.keyUsageKeyCertSign=false\npolicyset.auditSigningCertSet.6.constraint.params.keyUsageCrlSign=false\npolicyset.auditSigningCertSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.auditSigningCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.auditSigningCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.auditSigningCertSet.6.default.name=Key 
Usage Default\npolicyset.auditSigningCertSet.6.default.params.keyUsageCritical=true\npolicyset.auditSigningCertSet.6.default.params.keyUsageDigitalSignature=true\npolicyset.auditSigningCertSet.6.default.params.keyUsageNonRepudiation=true\npolicyset.auditSigningCertSet.6.default.params.keyUsageDataEncipherment=false\npolicyset.auditSigningCertSet.6.default.params.keyUsageKeyEncipherment=false\npolicyset.auditSigningCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.auditSigningCertSet.6.default.params.keyUsageKeyCertSign=false\npolicyset.auditSigningCertSet.6.default.params.keyUsageCrlSign=false\npolicyset.auditSigningCertSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.auditSigningCertSet.6.default.params.keyUsageDecipherOnly=false\npolicyset.auditSigningCertSet.9.constraint.class_id=signingAlgConstraintImpl\npolicyset.auditSigningCertSet.9.constraint.name=No Constraint\npolicyset.auditSigningCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\npolicyset.auditSigningCertSet.9.default.class_id=signingAlgDefaultImpl\npolicyset.auditSigningCertSet.9.default.name=Signing Alg\npolicyset.auditSigningCertSet.9.default.params.signingAlg=-\nprofileId=caInternalAuthAuditSigningCert\nclassId=caEnrollImpl\n' 2016-03-14T19:09:47Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:47Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:47Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:47Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:47Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:47Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:47Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:47Z DEBUG response status 200 OK 2016-03-14T19:09:47Z DEBUG response headers {'content-length': '5525', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 
'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:47 GMT', 'content-type': 'application/json'} 2016-03-14T19:09:47Z DEBUG response body '#Mon Mar 14 14:09:47 CDT 2016\npolicyset.auditSigningCertSet.5.default.params.authInfoAccessNumADs=1\npolicyset.auditSigningCertSet.2.constraint.params.notBeforeCheck=false\ninput.i2.class_id=submitterInfoInputImpl\nauth.instance_id=TokenAuth\noutput.o1.class_id=certOutputImpl\npolicyset.auditSigningCertSet.1.default.class_id=userSubjectNameDefaultImpl\npolicyset.auditSigningCertSet.6.default.params.keyUsageDataEncipherment=false\npolicyset.auditSigningCertSet.5.default.params.authInfoAccessADLocation_0=\npolicyset.auditSigningCertSet.6.default.params.keyUsageCritical=true\npolicyset.auditSigningCertSet.4.constraint.name=No Constraint\npolicyset.auditSigningCertSet.1.default.name=Subject Name Default\npolicyset.auditSigningCertSet.6.constraint.params.keyUsageEncipherOnly=false\nauthz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS 
Administrators"\npolicyset.auditSigningCertSet.6.default.params.keyUsageCrlSign=false\noutput.list=o1\npolicyset.auditSigningCertSet.6.constraint.params.keyUsageCritical=true\npolicyset.auditSigningCertSet.2.default.class_id=validityDefaultImpl\npolicyset.auditSigningCertSet.6.constraint.params.keyUsageDigitalSignature=true\ninput.list=i1,i2\npolicyset.auditSigningCertSet.6.default.params.keyUsageNonRepudiation=true\npolicyset.auditSigningCertSet.6.constraint.params.keyUsageKeyEncipherment=false\npolicyset.auditSigningCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.auditSigningCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.auditSigningCertSet.9.default.class_id=signingAlgDefaultImpl\npolicyset.auditSigningCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\nvisible=false\npolicyset.auditSigningCertSet.6.default.name=Key Usage Default\npolicyset.auditSigningCertSet.4.constraint.class_id=noConstraintImpl\ndesc=This certificate profile is for enrolling audit signing certificates.\npolicyset.auditSigningCertSet.3.constraint.name=Key Constraint\npolicyset.auditSigningCertSet.5.default.params.authInfoAccessCritical=false\npolicyset.auditSigningCertSet.6.constraint.params.keyUsageDataEncipherment=false\npolicyset.auditSigningCertSet.9.constraint.name=No 
Constraint\npolicyset.auditSigningCertSet.9.default.params.signingAlg=-\npolicyset.auditSigningCertSet.2.default.params.startTime=0\npolicyset.auditSigningCertSet.1.default.params.name=\npolicyset.auditSigningCertSet.6.constraint.params.keyUsageKeyCertSign=false\npolicyset.auditSigningCertSet.6.default.params.keyUsageKeyEncipherment=false\npolicyset.auditSigningCertSet.1.constraint.params.pattern=CN=.*\npolicyset.auditSigningCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.auditSigningCertSet.6.constraint.params.keyUsageCrlSign=false\npolicyset.auditSigningCertSet.6.constraint.params.keyUsageDecipherOnly=false\nenable=true\npolicyset.auditSigningCertSet.5.default.name=AIA Extension Default\npolicyset.auditSigningCertSet.2.constraint.name=Validity Constraint\npolicyset.auditSigningCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.auditSigningCertSet.6.constraint.params.keyUsageNonRepudiation=true\npolicyset.auditSigningCertSet.3.constraint.class_id=keyConstraintImpl\ninput.i1.class_id=certReqInputImpl\nenableBy=admin\npolicyset.auditSigningCertSet.1.constraint.params.accept=true\npolicyset.auditSigningCertSet.2.default.params.range=720\npolicyset.auditSigningCertSet.1.constraint.name=Subject Name Constraint\npolicyset.auditSigningCertSet.5.default.params.authInfoAccessADEnable_0=true\nname=Audit Signing Certificate Enrollment\npolicyset.auditSigningCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.auditSigningCertSet.4.default.name=Authority Key Identifier Default\npolicyset.auditSigningCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.auditSigningCertSet.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.auditSigningCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096\npolicyset.auditSigningCertSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.auditSigningCertSet.2.constraint.params.notAfterCheck=false\npolicyset.auditSigningCertSet.3.default.name=Key 
Default\npolicyset.auditSigningCertSet.9.default.name=Signing Alg\npolicyset.auditSigningCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.auditSigningCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.auditSigningCertSet.6.constraint.name=Key Usage Extension Constraint\npolicyset.list=auditSigningCertSet\npolicyset.auditSigningCertSet.9.constraint.class_id=signingAlgConstraintImpl\npolicyset.auditSigningCertSet.2.constraint.params.range=720\npolicyset.auditSigningCertSet.6.default.params.keyUsageKeyCertSign=false\npolicyset.auditSigningCertSet.6.default.params.keyUsageDecipherOnly=false\npolicyset.auditSigningCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.auditSigningCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.auditSigningCertSet.2.default.name=Validity Default\npolicyset.auditSigningCertSet.6.default.params.keyUsageDigitalSignature=true\npolicyset.auditSigningCertSet.5.constraint.class_id=noConstraintImpl\npolicyset.auditSigningCertSet.5.constraint.name=No Constraint\npolicyset.auditSigningCertSet.list=1,2,3,4,5,6,9\npolicyset.auditSigningCertSet.3.constraint.params.keyType=-\n' 2016-03-14T19:09:47Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caInternalAuthAuditSigningCert?action=enable 2016-03-14T19:09:47Z DEBUG request body '' 2016-03-14T19:09:47Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:47Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:47Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:47Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:47Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:47Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:47Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:47Z DEBUG response status 204 No Content 2016-03-14T19:09:47Z DEBUG response headers {'date': 'Mon, 14 Mar 2016 19:09:47 GMT', 'content-type': 
'application/x-www-form-urlencoded', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:47Z DEBUG response body '' 2016-03-14T19:09:47Z DEBUG request GET https://jutta.cc.umanitoba.ca:8443/ca/rest/account/logout 2016-03-14T19:09:47Z DEBUG request body '' 2016-03-14T19:09:47Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:47Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:47Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:47Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:47Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:47Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:47Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:47Z DEBUG response status 204 No Content 2016-03-14T19:09:47Z DEBUG response headers {'set-cookie': 'JSESSIONID=56FE0E9C507EA1BAFC9DF52A5FB90500; Path=/ca/; Secure; HttpOnly', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:47 GMT', 'content-type': 'application/xml'} 2016-03-14T19:09:47Z DEBUG response body '' 2016-03-14T19:09:47Z INFO Migrating profile 'DomainController' to LDAP 2016-03-14T19:09:47Z DEBUG request GET https://jutta.cc.umanitoba.ca:8443/ca/rest/account/login 2016-03-14T19:09:47Z DEBUG request body '' 2016-03-14T19:09:47Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:47Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:47Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:47Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:47Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:47Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:47Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:47Z DEBUG response status 200 OK 2016-03-14T19:09:47Z DEBUG response headers {'content-length': '205', 'set-cookie': 
'JSESSIONID=F9AE643B8923179D00FCAE1807DC4A18; Path=/ca/; Secure; HttpOnly', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:47 GMT', 'content-type': 'application/xml'} 2016-03-14T19:09:47Z DEBUG response body 'iparaCertificate Manager AgentsRegistration Manager Agents' 2016-03-14T19:09:47Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/raw 2016-03-14T19:09:47Z DEBUG request body "desc=This profile is for enrolling Domain Controller Certificate\nenable=true\nenableBy=admin\nname=Domain Controller\nvisible=true\nauth.instance_id=AgentCertAuth\ninput.list=i1,i2,i3\ninput.i1.class_id=certReqInputImpl\ninput.i2.class_id=submitterInfoInputImpl\ninput.i3.class_id=genericInputImpl\ninput.i3.params.gi_display_name0=ccm\ninput.i3.params.gi_param_enable0=true\ninput.i3.params.gi_param_name0=ccm\ninput.i3.params.gi_display_name1=GUID\ninput.i3.params.gi_param_enable1=true\ninput.i3.params.gi_param_name1=GUID\ninput.i3.params.gi_num=2\noutput.list=o1,o2\noutput.o1.class_id=certOutputImpl\noutput.o2.class_id=pkcs7OutputImpl\npolicyset.list=set1\npolicyset.set1.list=p2,p4,p5,subj,p6,p8,p9,p12,eku,gen,crldp\npolicyset.set1.subj.constraint.class_id=noConstraintImpl\npolicyset.set1.subj.constraint.name=No Constraint\npolicyset.set1.subj.default.class_id=nsTokenUserKeySubjectNameDefaultImpl\npolicyset.set1.subj.default.name=nsTokenUserKeySubjectNameDefault\n#policyset.set1.p1.default.params.dnpattern=UID=$request.uid$, E=$request.mail$, O=Token Key User\n#policyset.set1.subj.default.params.dnpattern=CN=GEMSTAR,OU=Domain 
Controllers,DC=test,dc=local\npolicyset.set1.subj.default.params.dnpattern=CN=$request.ccm$\npolicyset.set1.subj.default.params.ldap.enable=false\npolicyset.set1.subj.default.params.ldap.searchName=uid\npolicyset.set1.subj.default.params.ldapStringAttributes=uid,mail\npolicyset.set1.subj.default.params.ldap.basedn=\npolicyset.set1.subj.default.params.ldap.maxConns=4\npolicyset.set1.subj.default.params.ldap.minConns=1\npolicyset.set1.subj.default.params.ldap.ldapconn.Version=2\npolicyset.set1.subj.default.params.ldap.ldapconn.host=\npolicyset.set1.subj.default.params.ldap.ldapconn.port=\npolicyset.set1.subj.default.params.ldap.ldapconn.secureConn=false\npolicyset.set1.p2.constraint.class_id=noConstraintImpl\npolicyset.set1.p2.constraint.name=No Constraint\npolicyset.set1.p2.default.class_id=validityDefaultImpl\npolicyset.set1.p2.default.name=Validity Default\npolicyset.set1.p2.default.params.range=1825\npolicyset.set1.p2.default.params.startTime=0\npolicyset.set1.p4.constraint.class_id=noConstraintImpl\npolicyset.set1.p4.constraint.name=No Constraint\npolicyset.set1.p4.default.class_id=signingAlgDefaultImpl\npolicyset.set1.p4.default.name=Signing Algorithm Default\npolicyset.set1.p4.default.params.signingAlg=-\npolicyset.set1.p5.constraint.class_id=noConstraintImpl\npolicyset.set1.p5.constraint.name=No Constraint\npolicyset.set1.p5.default.class_id=keyUsageExtDefaultImpl\npolicyset.set1.p5.default.name=Key Usage Extension 
Default\npolicyset.set1.p5.default.params.keyUsageCritical=true\npolicyset.set1.p5.default.params.keyUsageCrlSign=false\npolicyset.set1.p5.default.params.keyUsageDataEncipherment=false\npolicyset.set1.p5.default.params.keyUsageDecipherOnly=false\npolicyset.set1.p5.default.params.keyUsageDigitalSignature=true\npolicyset.set1.p5.default.params.keyUsageEncipherOnly=false\npolicyset.set1.p5.default.params.keyUsageKeyAgreement=false\npolicyset.set1.p5.default.params.keyUsageKeyCertSign=false\npolicyset.set1.p5.default.params.keyUsageKeyEncipherment=true\npolicyset.set1.p5.default.params.keyUsageNonRepudiation=false\npolicyset.set1.p6.constraint.class_id=noConstraintImpl\npolicyset.set1.p6.constraint.name=No Constraint\npolicyset.set1.p6.default.class_id=subjectAltNameExtDefaultImpl\npolicyset.set1.p6.default.name=Subject Alternative Name Extension Default\npolicyset.set1.p6.default.params.subjAltExtGNEnable_0=true\npolicyset.set1.p6.default.params.subjAltExtGNEnable_1=true\npolicyset.set1.p6.default.params.subjAltExtPattern_0=$request.ccm$\npolicyset.set1.p6.default.params.subjAltExtType_0=DNSName\npolicyset.set1.p6.default.params.subjAltExtPattern_1=(Any)1.3.6.1.4.1.311.25.1,0410$request.GUID$\npolicyset.set1.p6.default.params.subjAltExtType_1=OtherName\npolicyset.set1.p6.default.params.subjAltNameExtCritical=false\npolicyset.set1.p6.default.params.subjAltNameNumGNs=2\npolicyset.set1.5.constraint.class_id=noConstraintImpl\npolicyset.set1.5.constraint.name=No Constraint\npolicyset.set1.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.set1.5.default.name=AIA Extension 
Default\npolicyset.set1.5.default.params.authInfoAccessADEnable_0=true\npolicyset.set1.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.set1.5.default.params.authInfoAccessADLocation_0=http://localhost.localdomain:9180/ca/ee/ca/getCRL?crlIssuingPoint=MasterCRL&op=getCRL&crlDisplayType=cachedCRL&submit=Submit\npolicyset.set1.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.2\npolicyset.set1.5.default.params.authInfoAccessCritical=false\npolicyset.set1.5.default.params.authInfoAccessNumADs=1\npolicyset.set1.eku.constraint.class_id=noConstraintImpl\npolicyset.set1.eku.constraint.name=No Constraint\npolicyset.set1.eku.default.class_id=extendedKeyUsageExtDefaultImpl\npolicyset.set1.eku.default.name=Extended Key Usage Extension Default\npolicyset.set1.eku.default.params.exKeyUsageCritical=false\npolicyset.set1.eku.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2\npolicyset.set1.p8.constraint.class_id=noConstraintImpl\npolicyset.set1.p8.constraint.name=No Constraint\npolicyset.set1.p8.default.class_id=subjectKeyIdentifierExtDefaultImpl\npolicyset.set1.p8.default.name=Subject Key Identifier Default\npolicyset.set1.p9.constraint.class_id=noConstraintImpl\npolicyset.set1.p9.constraint.name=No Constraint\npolicyset.set1.p9.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.set1.p9.default.name=Authority Key Identifier Extension Default\npolicyset.set1.p12.constraint.class_id=basicConstraintsExtConstraintImpl\npolicyset.set1.p12.constraint.name=Basic Constraints Extension Constraint\npolicyset.set1.p12.constraint.params.basicConstraintsCritical=-\npolicyset.set1.p12.constraint.params.basicConstraintsIsCA=-\npolicyset.set1.p12.constraint.params.basicConstraintsMaxPathLen=-1\npolicyset.set1.p12.constraint.params.basicConstraintsMinPathLen=-1\npolicyset.set1.p12.default.class_id=basicConstraintsExtDefaultImpl\npolicyset.set1.p12.default.name=Basic Constraints Extension 
Default\npolicyset.set1.p12.default.params.basicConstraintsCritical=false\npolicyset.set1.p12.default.params.basicConstraintsIsCA=false\npolicyset.set1.p12.default.params.basicConstraintsPathLen=-1\npolicyset.set1.crldp.constraint.class_id=noConstraintImpl\npolicyset.set1.crldp.constraint.name=No Constraint\npolicyset.set1.crldp.default.class_id=crlDistributionPointsExtDefaultImpl\npolicyset.set1.crldp.default.name=crlDistributionPointsExtDefaultImpl\npolicyset.set1.crldp.default.params.crlDistPointsCritical=false\npolicyset.set1.crldp.default.params.crlDistPointsNum=1\npolicyset.set1.crldp.default.params.crlDistPointsEnable_0=true\npolicyset.set1.crldp.default.params.crlDistPointsIssuerName_0=\npolicyset.set1.crldp.default.params.crlDistPointsIssuerType_0=\npolicyset.set1.crldp.default.params.crlDistPointsPointName_0=http://localhost.localdomain:9180/ca/ee/ca/getCRL?crlIssuingPoint=MasterCRL&op=getCRL&crlDisplayType=cachedCRL&submit=Submit\npolicyset.set1.crldp.default.params.crlDistPointsPointType_0=URIName\npolicyset.set1.crldp.default.params.crlDistPointsReasons_0=\npolicyset.set1.gen.constraint.class_id=noConstraintImpl\npolicyset.set1.gen.constraint.name=No Constraint\npolicyset.set1.gen.default.class_id=genericExtDefaultImpl\npolicyset.set1.gen.default.name=Generic Extension\n#This is the Microsoft 'Certificate Template Name' Extensions. 
The Value is 'DomainController'\npolicyset.set1.gen.default.params.genericExtOID=1.3.6.1.4.1.311.20.2\npolicyset.set1.gen.default.params.genericExtData=1e200044006f006d00610069006e0043006f006e00740072006f006c006c00650072\nprofileId=DomainController\nclassId=caEnrollImpl\n"
2016-03-14T19:09:47Z DEBUG NSSConnection init jutta.cc.umanitoba.ca
2016-03-14T19:09:47Z DEBUG Connecting: 130.179.19.176:0
2016-03-14T19:09:47Z DEBUG approved_usage = SSL Server intended_usage = SSL Server
2016-03-14T19:09:47Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1"
2016-03-14T19:09:47Z DEBUG handshake complete, peer = 130.179.19.176:8443
2016-03-14T19:09:47Z DEBUG Protocol: TLS1.2
2016-03-14T19:09:47Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
2016-03-14T19:09:47Z DEBUG response status 400 Bad Request
2016-03-14T19:09:47Z DEBUG response headers {'transfer-encoding': 'chunked', 'date': 'Mon, 14 Mar 2016 19:09:47 GMT', 'connection': 'close', 'content-type': 'application/json', 'server': 'Apache-Coyote/1.1'}
2016-03-14T19:09:47Z DEBUG response body '{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.BadRequestException","Code":400,"Message":"Profile already exists"}'
2016-03-14T19:09:47Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/DomainController?action=disable
2016-03-14T19:09:47Z DEBUG request body ''
2016-03-14T19:09:47Z DEBUG NSSConnection init jutta.cc.umanitoba.ca
2016-03-14T19:09:47Z DEBUG Connecting: 130.179.19.176:0
2016-03-14T19:09:47Z DEBUG approved_usage = SSL Server intended_usage = SSL Server
2016-03-14T19:09:47Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1"
2016-03-14T19:09:47Z DEBUG handshake complete, peer = 130.179.19.176:8443
2016-03-14T19:09:47Z DEBUG Protocol: TLS1.2
2016-03-14T19:09:47Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
2016-03-14T19:09:47Z DEBUG response status 204 No Content
2016-03-14T19:09:47Z DEBUG response headers {'date': 'Mon, 14 Mar 2016 19:09:47 GMT', 'content-type': 'application/x-www-form-urlencoded', 'server': 'Apache-Coyote/1.1'}
2016-03-14T19:09:47Z DEBUG response body ''
2016-03-14T19:09:47Z DEBUG request PUT https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/DomainController/raw
2016-03-14T19:09:47Z DEBUG request body "desc=This profile is for enrolling Domain Controller Certificate\nenable=true\nenableBy=admin\nname=Domain Controller\nvisible=true\nauth.instance_id=AgentCertAuth\ninput.list=i1,i2,i3\ninput.i1.class_id=certReqInputImpl\ninput.i2.class_id=submitterInfoInputImpl\ninput.i3.class_id=genericInputImpl\ninput.i3.params.gi_display_name0=ccm\ninput.i3.params.gi_param_enable0=true\ninput.i3.params.gi_param_name0=ccm\ninput.i3.params.gi_display_name1=GUID\ninput.i3.params.gi_param_enable1=true\ninput.i3.params.gi_param_name1=GUID\ninput.i3.params.gi_num=2\noutput.list=o1,o2\noutput.o1.class_id=certOutputImpl\noutput.o2.class_id=pkcs7OutputImpl\npolicyset.list=set1\npolicyset.set1.list=p2,p4,p5,subj,p6,p8,p9,p12,eku,gen,crldp\npolicyset.set1.subj.constraint.class_id=noConstraintImpl\npolicyset.set1.subj.constraint.name=No Constraint\npolicyset.set1.subj.default.class_id=nsTokenUserKeySubjectNameDefaultImpl\npolicyset.set1.subj.default.name=nsTokenUserKeySubjectNameDefault\n#policyset.set1.p1.default.params.dnpattern=UID=$request.uid$, E=$request.mail$, O=Token Key User\n#policyset.set1.subj.default.params.dnpattern=CN=GEMSTAR,OU=Domain
Controllers,DC=test,dc=local\npolicyset.set1.subj.default.params.dnpattern=CN=$request.ccm$\npolicyset.set1.subj.default.params.ldap.enable=false\npolicyset.set1.subj.default.params.ldap.searchName=uid\npolicyset.set1.subj.default.params.ldapStringAttributes=uid,mail\npolicyset.set1.subj.default.params.ldap.basedn=\npolicyset.set1.subj.default.params.ldap.maxConns=4\npolicyset.set1.subj.default.params.ldap.minConns=1\npolicyset.set1.subj.default.params.ldap.ldapconn.Version=2\npolicyset.set1.subj.default.params.ldap.ldapconn.host=\npolicyset.set1.subj.default.params.ldap.ldapconn.port=\npolicyset.set1.subj.default.params.ldap.ldapconn.secureConn=false\npolicyset.set1.p2.constraint.class_id=noConstraintImpl\npolicyset.set1.p2.constraint.name=No Constraint\npolicyset.set1.p2.default.class_id=validityDefaultImpl\npolicyset.set1.p2.default.name=Validity Default\npolicyset.set1.p2.default.params.range=1825\npolicyset.set1.p2.default.params.startTime=0\npolicyset.set1.p4.constraint.class_id=noConstraintImpl\npolicyset.set1.p4.constraint.name=No Constraint\npolicyset.set1.p4.default.class_id=signingAlgDefaultImpl\npolicyset.set1.p4.default.name=Signing Algorithm Default\npolicyset.set1.p4.default.params.signingAlg=-\npolicyset.set1.p5.constraint.class_id=noConstraintImpl\npolicyset.set1.p5.constraint.name=No Constraint\npolicyset.set1.p5.default.class_id=keyUsageExtDefaultImpl\npolicyset.set1.p5.default.name=Key Usage Extension 
Default\npolicyset.set1.p5.default.params.keyUsageCritical=true\npolicyset.set1.p5.default.params.keyUsageCrlSign=false\npolicyset.set1.p5.default.params.keyUsageDataEncipherment=false\npolicyset.set1.p5.default.params.keyUsageDecipherOnly=false\npolicyset.set1.p5.default.params.keyUsageDigitalSignature=true\npolicyset.set1.p5.default.params.keyUsageEncipherOnly=false\npolicyset.set1.p5.default.params.keyUsageKeyAgreement=false\npolicyset.set1.p5.default.params.keyUsageKeyCertSign=false\npolicyset.set1.p5.default.params.keyUsageKeyEncipherment=true\npolicyset.set1.p5.default.params.keyUsageNonRepudiation=false\npolicyset.set1.p6.constraint.class_id=noConstraintImpl\npolicyset.set1.p6.constraint.name=No Constraint\npolicyset.set1.p6.default.class_id=subjectAltNameExtDefaultImpl\npolicyset.set1.p6.default.name=Subject Alternative Name Extension Default\npolicyset.set1.p6.default.params.subjAltExtGNEnable_0=true\npolicyset.set1.p6.default.params.subjAltExtGNEnable_1=true\npolicyset.set1.p6.default.params.subjAltExtPattern_0=$request.ccm$\npolicyset.set1.p6.default.params.subjAltExtType_0=DNSName\npolicyset.set1.p6.default.params.subjAltExtPattern_1=(Any)1.3.6.1.4.1.311.25.1,0410$request.GUID$\npolicyset.set1.p6.default.params.subjAltExtType_1=OtherName\npolicyset.set1.p6.default.params.subjAltNameExtCritical=false\npolicyset.set1.p6.default.params.subjAltNameNumGNs=2\npolicyset.set1.5.constraint.class_id=noConstraintImpl\npolicyset.set1.5.constraint.name=No Constraint\npolicyset.set1.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.set1.5.default.name=AIA Extension 
Default\npolicyset.set1.5.default.params.authInfoAccessADEnable_0=true\npolicyset.set1.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.set1.5.default.params.authInfoAccessADLocation_0=http://localhost.localdomain:9180/ca/ee/ca/getCRL?crlIssuingPoint=MasterCRL&op=getCRL&crlDisplayType=cachedCRL&submit=Submit\npolicyset.set1.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.2\npolicyset.set1.5.default.params.authInfoAccessCritical=false\npolicyset.set1.5.default.params.authInfoAccessNumADs=1\npolicyset.set1.eku.constraint.class_id=noConstraintImpl\npolicyset.set1.eku.constraint.name=No Constraint\npolicyset.set1.eku.default.class_id=extendedKeyUsageExtDefaultImpl\npolicyset.set1.eku.default.name=Extended Key Usage Extension Default\npolicyset.set1.eku.default.params.exKeyUsageCritical=false\npolicyset.set1.eku.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2\npolicyset.set1.p8.constraint.class_id=noConstraintImpl\npolicyset.set1.p8.constraint.name=No Constraint\npolicyset.set1.p8.default.class_id=subjectKeyIdentifierExtDefaultImpl\npolicyset.set1.p8.default.name=Subject Key Identifier Default\npolicyset.set1.p9.constraint.class_id=noConstraintImpl\npolicyset.set1.p9.constraint.name=No Constraint\npolicyset.set1.p9.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.set1.p9.default.name=Authority Key Identifier Extension Default\npolicyset.set1.p12.constraint.class_id=basicConstraintsExtConstraintImpl\npolicyset.set1.p12.constraint.name=Basic Constraints Extension Constraint\npolicyset.set1.p12.constraint.params.basicConstraintsCritical=-\npolicyset.set1.p12.constraint.params.basicConstraintsIsCA=-\npolicyset.set1.p12.constraint.params.basicConstraintsMaxPathLen=-1\npolicyset.set1.p12.constraint.params.basicConstraintsMinPathLen=-1\npolicyset.set1.p12.default.class_id=basicConstraintsExtDefaultImpl\npolicyset.set1.p12.default.name=Basic Constraints Extension 
Default\npolicyset.set1.p12.default.params.basicConstraintsCritical=false\npolicyset.set1.p12.default.params.basicConstraintsIsCA=false\npolicyset.set1.p12.default.params.basicConstraintsPathLen=-1\npolicyset.set1.crldp.constraint.class_id=noConstraintImpl\npolicyset.set1.crldp.constraint.name=No Constraint\npolicyset.set1.crldp.default.class_id=crlDistributionPointsExtDefaultImpl\npolicyset.set1.crldp.default.name=crlDistributionPointsExtDefaultImpl\npolicyset.set1.crldp.default.params.crlDistPointsCritical=false\npolicyset.set1.crldp.default.params.crlDistPointsNum=1\npolicyset.set1.crldp.default.params.crlDistPointsEnable_0=true\npolicyset.set1.crldp.default.params.crlDistPointsIssuerName_0=\npolicyset.set1.crldp.default.params.crlDistPointsIssuerType_0=\npolicyset.set1.crldp.default.params.crlDistPointsPointName_0=http://localhost.localdomain:9180/ca/ee/ca/getCRL?crlIssuingPoint=MasterCRL&op=getCRL&crlDisplayType=cachedCRL&submit=Submit\npolicyset.set1.crldp.default.params.crlDistPointsPointType_0=URIName\npolicyset.set1.crldp.default.params.crlDistPointsReasons_0=\npolicyset.set1.gen.constraint.class_id=noConstraintImpl\npolicyset.set1.gen.constraint.name=No Constraint\npolicyset.set1.gen.default.class_id=genericExtDefaultImpl\npolicyset.set1.gen.default.name=Generic Extension\n#This is the Microsoft 'Certificate Template Name' Extensions. 
The Value is 'DomainController'\npolicyset.set1.gen.default.params.genericExtOID=1.3.6.1.4.1.311.20.2\npolicyset.set1.gen.default.params.genericExtData=1e200044006f006d00610069006e0043006f006e00740072006f006c006c00650072\nprofileId=DomainController\nclassId=caEnrollImpl\n"
2016-03-14T19:09:47Z DEBUG NSSConnection init jutta.cc.umanitoba.ca
2016-03-14T19:09:47Z DEBUG Connecting: 130.179.19.176:0
2016-03-14T19:09:47Z DEBUG approved_usage = SSL Server intended_usage = SSL Server
2016-03-14T19:09:47Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1"
2016-03-14T19:09:47Z DEBUG handshake complete, peer = 130.179.19.176:8443
2016-03-14T19:09:47Z DEBUG Protocol: TLS1.2
2016-03-14T19:09:47Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
2016-03-14T19:09:47Z DEBUG response status 200 OK
2016-03-14T19:09:47Z DEBUG response headers {'content-length': '7334', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:47 GMT', 'content-type': 'application/json'}
2016-03-14T19:09:47Z DEBUG response body '#Mon Mar 14 14:09:47 CDT 2016\npolicyset.set1.subj.default.params.ldap.ldapconn.host=\ninput.i2.class_id=submitterInfoInputImpl\nauth.instance_id=AgentCertAuth\npolicyset.set1.crldp.constraint.class_id=noConstraintImpl\noutput.o1.class_id=certOutputImpl\npolicyset.set1.p6.default.params.subjAltExtGNEnable_1=true\npolicyset.set1.p12.constraint.params.basicConstraintsMaxPathLen=-1\npolicyset.set1.p6.default.params.subjAltExtGNEnable_0=true\npolicyset.set1.p4.default.name=Signing Algorithm Default\npolicyset.set1.p5.constraint.name=No
Constraint\ninput.i3.params.gi_param_enable1=true\ninput.i3.params.gi_param_enable0=true\npolicyset.set1.p5.default.params.keyUsageDigitalSignature=true\npolicyset.set1.crldp.default.params.crlDistPointsPointType_0=URIName\npolicyset.set1.crldp.default.params.crlDistPointsEnable_0=true\npolicyset.set1.5.default.params.authInfoAccessCritical=false\npolicyset.set1.p5.default.params.keyUsageEncipherOnly=false\npolicyset.set1.p4.default.params.signingAlg=-\npolicyset.set1.p6.constraint.class_id=noConstraintImpl\npolicyset.set1.crldp.default.name=crlDistributionPointsExtDefaultImpl\noutput.list=o1,o2\npolicyset.set1.p5.default.params.keyUsageKeyAgreement=false\npolicyset.set1.5.default.params.authInfoAccessADLocation_0=http://localhost.localdomain:9180/ca/ee/ca/getCRL?crlIssuingPoint=MasterCRL&op=getCRL&crlDisplayType=cachedCRL&submit=Submit\npolicyset.set1.eku.default.class_id=extendedKeyUsageExtDefaultImpl\npolicyset.set1.p4.constraint.name=No Constraint\npolicyset.set1.p12.constraint.params.basicConstraintsMinPathLen=-1\npolicyset.set1.p9.default.name=Authority Key Identifier Extension Default\ninput.list=i1,i2,i3\npolicyset.set1.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.set1.p5.default.params.keyUsageDataEncipherment=false\npolicyset.set1.p12.default.name=Basic Constraints Extension Default\nvisible=true\npolicyset.set1.p8.default.class_id=subjectKeyIdentifierExtDefaultImpl\npolicyset.set1.gen.constraint.class_id=noConstraintImpl\npolicyset.set1.gen.constraint.name=No Constraint\ndesc=This profile is for enrolling Domain Controller Certificate\npolicyset.set1.list=p2,p4,p5,subj,p6,p8,p9,p12,eku,gen,crldp\npolicyset.set1.subj.constraint.class_id=noConstraintImpl\npolicyset.set1.crldp.constraint.name=No 
Constraint\npolicyset.set1.p2.constraint.class_id=noConstraintImpl\npolicyset.set1.p2.default.class_id=validityDefaultImpl\ninput.i3.params.gi_num=2\npolicyset.set1.p9.constraint.class_id=noConstraintImpl\npolicyset.set1.p6.default.params.subjAltExtPattern_1=(Any)1.3.6.1.4.1.311.25.1,0410$request.GUID$\npolicyset.set1.crldp.default.class_id=crlDistributionPointsExtDefaultImpl\npolicyset.set1.p6.default.params.subjAltExtPattern_0=$request.ccm$\npolicyset.set1.gen.default.params.genericExtOID=1.3.6.1.4.1.311.20.2\npolicyset.set1.p12.constraint.name=Basic Constraints Extension Constraint\ninput.i3.params.gi_display_name1=GUID\ninput.i3.params.gi_display_name0=ccm\npolicyset.set1.subj.default.params.ldap.ldapconn.Version=2\npolicyset.set1.p2.default.name=Validity Default\npolicyset.set1.p8.default.name=Subject Key Identifier Default\npolicyset.set1.p5.default.params.keyUsageDecipherOnly=false\npolicyset.set1.subj.default.name=nsTokenUserKeySubjectNameDefault\npolicyset.set1.subj.default.params.ldap.ldapconn.port=\npolicyset.set1.crldp.default.params.crlDistPointsIssuerName_0=\npolicyset.set1.p5.default.params.keyUsageKeyEncipherment=true\npolicyset.set1.p9.constraint.name=No Constraint\npolicyset.set1.crldp.default.params.crlDistPointsNum=1\npolicyset.set1.p12.constraint.params.basicConstraintsCritical=-\nenable=true\npolicyset.set1.p5.constraint.class_id=noConstraintImpl\npolicyset.set1.p2.constraint.name=No 
Constraint\npolicyset.set1.p9.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.set1.p12.constraint.params.basicConstraintsIsCA=-\npolicyset.set1.p5.default.params.keyUsageCritical=true\npolicyset.set1.p12.default.params.basicConstraintsIsCA=false\ninput.i1.class_id=certReqInputImpl\nenableBy=admin\npolicyset.set1.crldp.default.params.crlDistPointsReasons_0=\npolicyset.set1.p12.constraint.class_id=basicConstraintsExtConstraintImpl\ninput.i3.class_id=genericInputImpl\npolicyset.set1.p5.default.params.keyUsageNonRepudiation=false\npolicyset.set1.subj.default.params.ldapStringAttributes=uid,mail\npolicyset.set1.p12.default.params.basicConstraintsPathLen=-1\noutput.o2.class_id=pkcs7OutputImpl\npolicyset.set1.p5.default.params.keyUsageCrlSign=false\npolicyset.set1.subj.default.params.ldap.basedn=\npolicyset.set1.p8.constraint.class_id=noConstraintImpl\npolicyset.set1.5.default.params.authInfoAccessNumADs=1\npolicyset.set1.subj.default.params.dnpattern=CN=$request.ccm$\npolicyset.set1.p8.constraint.name=No Constraint\npolicyset.set1.gen.default.name=Generic Extension\npolicyset.set1.crldp.default.params.crlDistPointsPointName_0=http://localhost.localdomain:9180/ca/ee/ca/getCRL?crlIssuingPoint=MasterCRL&op=getCRL&crlDisplayType=cachedCRL&submit=Submit\npolicyset.set1.p4.default.class_id=signingAlgDefaultImpl\nname=Domain Controller\npolicyset.set1.subj.default.class_id=nsTokenUserKeySubjectNameDefaultImpl\npolicyset.set1.p5.default.params.keyUsageKeyCertSign=false\npolicyset.set1.eku.constraint.name=No Constraint\npolicyset.set1.gen.default.class_id=genericExtDefaultImpl\npolicyset.set1.eku.constraint.class_id=noConstraintImpl\npolicyset.set1.p6.default.name=Subject Alternative Name Extension 
Default\npolicyset.set1.5.default.params.authInfoAccessADEnable_0=true\npolicyset.set1.p6.default.params.subjAltNameNumGNs=2\npolicyset.set1.subj.default.params.ldap.maxConns=4\npolicyset.set1.crldp.default.params.crlDistPointsCritical=false\ninput.i3.params.gi_param_name1=GUID\ninput.i3.params.gi_param_name0=ccm\npolicyset.set1.subj.default.params.ldap.minConns=1\npolicyset.set1.p4.constraint.class_id=noConstraintImpl\npolicyset.set1.eku.default.name=Extended Key Usage Extension Default\npolicyset.set1.p12.default.class_id=basicConstraintsExtDefaultImpl\npolicyset.set1.p6.default.params.subjAltNameExtCritical=false\npolicyset.set1.p2.default.params.range=1825\npolicyset.list=set1\npolicyset.set1.eku.default.params.exKeyUsageCritical=false\npolicyset.set1.5.default.name=AIA Extension Default\npolicyset.set1.p5.default.class_id=keyUsageExtDefaultImpl\npolicyset.set1.p12.default.params.basicConstraintsCritical=false\npolicyset.set1.5.constraint.name=No Constraint\npolicyset.set1.p5.default.name=Key Usage Extension Default\npolicyset.set1.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.set1.p6.constraint.name=No Constraint\npolicyset.set1.crldp.default.params.crlDistPointsIssuerType_0=\npolicyset.set1.p6.default.params.subjAltExtType_1=OtherName\npolicyset.set1.p6.default.params.subjAltExtType_0=DNSName\npolicyset.set1.subj.default.params.ldap.ldapconn.secureConn=false\npolicyset.set1.gen.default.params.genericExtData=1e200044006f006d00610069006e0043006f006e00740072006f006c006c00650072\npolicyset.set1.p6.default.class_id=subjectAltNameExtDefaultImpl\npolicyset.set1.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.2\npolicyset.set1.subj.default.params.ldap.searchName=uid\npolicyset.set1.5.constraint.class_id=noConstraintImpl\npolicyset.set1.eku.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2\npolicyset.set1.subj.default.params.ldap.enable=false\npolicyset.set1.subj.constraint.name=No 
Constraint\npolicyset.set1.p2.default.params.startTime=0\n'
2016-03-14T19:09:47Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/DomainController?action=enable
2016-03-14T19:09:47Z DEBUG request body ''
2016-03-14T19:09:47Z DEBUG NSSConnection init jutta.cc.umanitoba.ca
2016-03-14T19:09:47Z DEBUG Connecting: 130.179.19.176:0
2016-03-14T19:09:47Z DEBUG approved_usage = SSL Server intended_usage = SSL Server
2016-03-14T19:09:47Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1"
2016-03-14T19:09:47Z DEBUG handshake complete, peer = 130.179.19.176:8443
2016-03-14T19:09:47Z DEBUG Protocol: TLS1.2
2016-03-14T19:09:47Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
2016-03-14T19:09:47Z DEBUG response status 204 No Content
2016-03-14T19:09:47Z DEBUG response headers {'date': 'Mon, 14 Mar 2016 19:09:47 GMT', 'content-type': 'application/x-www-form-urlencoded', 'server': 'Apache-Coyote/1.1'}
2016-03-14T19:09:47Z DEBUG response body ''
2016-03-14T19:09:47Z DEBUG request GET https://jutta.cc.umanitoba.ca:8443/ca/rest/account/logout
2016-03-14T19:09:47Z DEBUG request body ''
2016-03-14T19:09:47Z DEBUG NSSConnection init jutta.cc.umanitoba.ca
2016-03-14T19:09:47Z DEBUG Connecting: 130.179.19.176:0
2016-03-14T19:09:47Z DEBUG approved_usage = SSL Server intended_usage = SSL Server
2016-03-14T19:09:47Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1"
2016-03-14T19:09:47Z DEBUG handshake complete, peer = 130.179.19.176:8443
2016-03-14T19:09:47Z DEBUG Protocol: TLS1.2
2016-03-14T19:09:47Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
2016-03-14T19:09:47Z DEBUG response status 204 No Content
2016-03-14T19:09:47Z DEBUG response headers {'set-cookie': 'JSESSIONID=0B45D279DDAC270BA724DDD3B0BC5266; Path=/ca/; Secure; HttpOnly', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:47 GMT', 'content-type': 'application/xml'}
2016-03-14T19:09:47Z DEBUG response body ''
2016-03-14T19:09:47Z INFO Migrating profile 'caDualRAuserCert' to LDAP
2016-03-14T19:09:47Z DEBUG request GET https://jutta.cc.umanitoba.ca:8443/ca/rest/account/login
2016-03-14T19:09:47Z DEBUG request body ''
2016-03-14T19:09:47Z DEBUG NSSConnection init jutta.cc.umanitoba.ca
2016-03-14T19:09:47Z DEBUG Connecting: 130.179.19.176:0
2016-03-14T19:09:47Z DEBUG approved_usage = SSL Server intended_usage = SSL Server
2016-03-14T19:09:47Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1"
2016-03-14T19:09:47Z DEBUG handshake complete, peer = 130.179.19.176:8443
2016-03-14T19:09:47Z DEBUG Protocol: TLS1.2
2016-03-14T19:09:47Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
2016-03-14T19:09:47Z DEBUG response status 200 OK
2016-03-14T19:09:47Z DEBUG response headers {'content-length': '205', 'set-cookie': 'JSESSIONID=2E1243D6F4B2E527FA0087A0E9E9B0AA; Path=/ca/; Secure; HttpOnly', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:47 GMT', 'content-type': 'application/xml'}
2016-03-14T19:09:47Z DEBUG response body 'iparaCertificate Manager AgentsRegistration Manager Agents'
2016-03-14T19:09:47Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/raw
2016-03-14T19:09:47Z DEBUG request body 'desc=This certificate profile is for enrolling user certificates with RA agent authentication.\nvisible=false\nenable=true\nenableBy=admin\nauth.instance_id=raCertAuth\nname=RA Agent-Authenticated User Certificate Enrollment\ninput.list=i1,i2\ninput.i1.class_id=certReqInputImpl\ninput.i2.class_id=submitterInfoInputImpl\noutput.list=o1\noutput.o1.class_id=certOutputImpl\npolicyset.list=userCertSet\npolicyset.userCertSet.list=1,2,3,4,5,6,7,8,9\npolicyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.userCertSet.1.constraint.name=Subject Name
Constraint\npolicyset.userCertSet.1.constraint.params.pattern=.*UID=.*\npolicyset.userCertSet.1.constraint.params.accept=true\npolicyset.userCertSet.1.default.class_id=userSubjectNameDefaultImpl\npolicyset.userCertSet.1.default.name=Subject Name Default\npolicyset.userCertSet.1.default.params.name=\npolicyset.userCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.userCertSet.2.constraint.name=Validity Constraint\npolicyset.userCertSet.2.constraint.params.range=365\npolicyset.userCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.userCertSet.2.constraint.params.notAfterCheck=false\npolicyset.userCertSet.2.default.class_id=validityDefaultImpl\npolicyset.userCertSet.2.default.name=Validity Default\npolicyset.userCertSet.2.default.params.range=180\npolicyset.userCertSet.2.default.params.startTime=0\npolicyset.userCertSet.3.constraint.class_id=keyConstraintImpl\npolicyset.userCertSet.3.constraint.name=Key Constraint\npolicyset.userCertSet.3.constraint.params.keyType=RSA\npolicyset.userCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096\npolicyset.userCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.userCertSet.3.default.name=Key Default\npolicyset.userCertSet.4.constraint.class_id=noConstraintImpl\npolicyset.userCertSet.4.constraint.name=No Constraint\npolicyset.userCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.userCertSet.4.default.name=Authority Key Identifier Default\npolicyset.userCertSet.5.constraint.class_id=noConstraintImpl\npolicyset.userCertSet.5.constraint.name=No Constraint\npolicyset.userCertSet.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.userCertSet.5.default.name=AIA Extension 
Default\npolicyset.userCertSet.5.default.params.authInfoAccessADEnable_0=true\npolicyset.userCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.userCertSet.5.default.params.authInfoAccessADLocation_0=\npolicyset.userCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.userCertSet.5.default.params.authInfoAccessCritical=false\npolicyset.userCertSet.5.default.params.authInfoAccessNumADs=1\npolicyset.userCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.userCertSet.6.constraint.name=Key Usage Extension Constraint\npolicyset.userCertSet.6.constraint.params.keyUsageCritical=true\npolicyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true\npolicyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true\npolicyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=false\npolicyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=true\npolicyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false\npolicyset.userCertSet.6.constraint.params.keyUsageCrlSign=false\npolicyset.userCertSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.userCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.userCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.userCertSet.6.default.name=Key Usage 
Default\npolicyset.userCertSet.6.default.params.keyUsageCritical=true\npolicyset.userCertSet.6.default.params.keyUsageDigitalSignature=true\npolicyset.userCertSet.6.default.params.keyUsageNonRepudiation=true\npolicyset.userCertSet.6.default.params.keyUsageDataEncipherment=false\npolicyset.userCertSet.6.default.params.keyUsageKeyEncipherment=true\npolicyset.userCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.userCertSet.6.default.params.keyUsageKeyCertSign=false\npolicyset.userCertSet.6.default.params.keyUsageCrlSign=false\npolicyset.userCertSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.userCertSet.6.default.params.keyUsageDecipherOnly=false\npolicyset.userCertSet.7.constraint.class_id=noConstraintImpl\npolicyset.userCertSet.7.constraint.name=No Constraint\npolicyset.userCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl\npolicyset.userCertSet.7.default.name=Extended Key Usage Extension Default\npolicyset.userCertSet.7.default.params.exKeyUsageCritical=false\npolicyset.userCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4\npolicyset.userCertSet.8.constraint.class_id=noConstraintImpl\npolicyset.userCertSet.8.constraint.name=No Constraint\npolicyset.userCertSet.8.default.class_id=subjectAltNameExtDefaultImpl\npolicyset.userCertSet.8.default.name=Subject Alt Name Constraint\npolicyset.userCertSet.8.default.params.subjAltNameExtCritical=false\npolicyset.userCertSet.8.default.params.subjAltExtType_0=RFC822Name\npolicyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$\npolicyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true\npolicyset.userCertSet.8.default.params.subjAltNameNumGNs=1\npolicyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl\npolicyset.userCertSet.9.constraint.name=No 
Constraint\npolicyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\npolicyset.userCertSet.9.default.class_id=signingAlgDefaultImpl\npolicyset.userCertSet.9.default.name=Signing Alg\npolicyset.userCertSet.9.default.params.signingAlg=-\nprofileId=caDualRAuserCert\nclassId=caEnrollImpl\n'
2016-03-14T19:09:47Z DEBUG NSSConnection init jutta.cc.umanitoba.ca
2016-03-14T19:09:47Z DEBUG Connecting: 130.179.19.176:0
2016-03-14T19:09:47Z DEBUG approved_usage = SSL Server intended_usage = SSL Server
2016-03-14T19:09:47Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1"
2016-03-14T19:09:47Z DEBUG handshake complete, peer = 130.179.19.176:8443
2016-03-14T19:09:47Z DEBUG Protocol: TLS1.2
2016-03-14T19:09:47Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
2016-03-14T19:09:47Z DEBUG response status 400 Bad Request
2016-03-14T19:09:47Z DEBUG response headers {'transfer-encoding': 'chunked', 'date': 'Mon, 14 Mar 2016 19:09:47 GMT', 'connection': 'close', 'content-type': 'application/json', 'server': 'Apache-Coyote/1.1'}
2016-03-14T19:09:47Z DEBUG response body '{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.BadRequestException","Code":400,"Message":"Profile already exists"}'
2016-03-14T19:09:47Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caDualRAuserCert?action=disable
2016-03-14T19:09:47Z DEBUG request body ''
2016-03-14T19:09:47Z DEBUG NSSConnection init jutta.cc.umanitoba.ca
2016-03-14T19:09:47Z DEBUG Connecting: 130.179.19.176:0
2016-03-14T19:09:47Z DEBUG approved_usage = SSL Server intended_usage = SSL Server
2016-03-14T19:09:47Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1"
2016-03-14T19:09:47Z DEBUG handshake complete, peer = 130.179.19.176:8443
2016-03-14T19:09:47Z DEBUG Protocol: TLS1.2
2016-03-14T19:09:47Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
2016-03-14T19:09:47Z DEBUG response status 204 No Content
2016-03-14T19:09:47Z DEBUG response headers {'date': 'Mon, 14 Mar 2016 19:09:47 GMT', 'content-type': 'application/x-www-form-urlencoded', 'server': 'Apache-Coyote/1.1'}
2016-03-14T19:09:47Z DEBUG response body ''
2016-03-14T19:09:47Z DEBUG request PUT https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caDualRAuserCert/raw
2016-03-14T19:09:47Z DEBUG request body 'desc=This certificate profile is for enrolling user certificates with RA agent authentication.\nvisible=false\nenable=true\nenableBy=admin\nauth.instance_id=raCertAuth\nname=RA Agent-Authenticated User Certificate Enrollment\ninput.list=i1,i2\ninput.i1.class_id=certReqInputImpl\ninput.i2.class_id=submitterInfoInputImpl\noutput.list=o1\noutput.o1.class_id=certOutputImpl\npolicyset.list=userCertSet\npolicyset.userCertSet.list=1,2,3,4,5,6,7,8,9\npolicyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.userCertSet.1.constraint.name=Subject Name Constraint\npolicyset.userCertSet.1.constraint.params.pattern=.*UID=.*\npolicyset.userCertSet.1.constraint.params.accept=true\npolicyset.userCertSet.1.default.class_id=userSubjectNameDefaultImpl\npolicyset.userCertSet.1.default.name=Subject Name Default\npolicyset.userCertSet.1.default.params.name=\npolicyset.userCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.userCertSet.2.constraint.name=Validity Constraint\npolicyset.userCertSet.2.constraint.params.range=365\npolicyset.userCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.userCertSet.2.constraint.params.notAfterCheck=false\npolicyset.userCertSet.2.default.class_id=validityDefaultImpl\npolicyset.userCertSet.2.default.name=Validity Default\npolicyset.userCertSet.2.default.params.range=180\npolicyset.userCertSet.2.default.params.startTime=0\npolicyset.userCertSet.3.constraint.class_id=keyConstraintImpl\npolicyset.userCertSet.3.constraint.name=Key
Constraint\npolicyset.userCertSet.3.constraint.params.keyType=RSA\npolicyset.userCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096\npolicyset.userCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.userCertSet.3.default.name=Key Default\npolicyset.userCertSet.4.constraint.class_id=noConstraintImpl\npolicyset.userCertSet.4.constraint.name=No Constraint\npolicyset.userCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.userCertSet.4.default.name=Authority Key Identifier Default\npolicyset.userCertSet.5.constraint.class_id=noConstraintImpl\npolicyset.userCertSet.5.constraint.name=No Constraint\npolicyset.userCertSet.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.userCertSet.5.default.name=AIA Extension Default\npolicyset.userCertSet.5.default.params.authInfoAccessADEnable_0=true\npolicyset.userCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.userCertSet.5.default.params.authInfoAccessADLocation_0=\npolicyset.userCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.userCertSet.5.default.params.authInfoAccessCritical=false\npolicyset.userCertSet.5.default.params.authInfoAccessNumADs=1\npolicyset.userCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.userCertSet.6.constraint.name=Key Usage Extension 
Constraint\npolicyset.userCertSet.6.constraint.params.keyUsageCritical=true\npolicyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true\npolicyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true\npolicyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=false\npolicyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=true\npolicyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false\npolicyset.userCertSet.6.constraint.params.keyUsageCrlSign=false\npolicyset.userCertSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.userCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.userCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.userCertSet.6.default.name=Key Usage Default\npolicyset.userCertSet.6.default.params.keyUsageCritical=true\npolicyset.userCertSet.6.default.params.keyUsageDigitalSignature=true\npolicyset.userCertSet.6.default.params.keyUsageNonRepudiation=true\npolicyset.userCertSet.6.default.params.keyUsageDataEncipherment=false\npolicyset.userCertSet.6.default.params.keyUsageKeyEncipherment=true\npolicyset.userCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.userCertSet.6.default.params.keyUsageKeyCertSign=false\npolicyset.userCertSet.6.default.params.keyUsageCrlSign=false\npolicyset.userCertSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.userCertSet.6.default.params.keyUsageDecipherOnly=false\npolicyset.userCertSet.7.constraint.class_id=noConstraintImpl\npolicyset.userCertSet.7.constraint.name=No Constraint\npolicyset.userCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl\npolicyset.userCertSet.7.default.name=Extended Key Usage Extension 
Default\npolicyset.userCertSet.7.default.params.exKeyUsageCritical=false\npolicyset.userCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4\npolicyset.userCertSet.8.constraint.class_id=noConstraintImpl\npolicyset.userCertSet.8.constraint.name=No Constraint\npolicyset.userCertSet.8.default.class_id=subjectAltNameExtDefaultImpl\npolicyset.userCertSet.8.default.name=Subject Alt Name Constraint\npolicyset.userCertSet.8.default.params.subjAltNameExtCritical=false\npolicyset.userCertSet.8.default.params.subjAltExtType_0=RFC822Name\npolicyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$\npolicyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true\npolicyset.userCertSet.8.default.params.subjAltNameNumGNs=1\npolicyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl\npolicyset.userCertSet.9.constraint.name=No Constraint\npolicyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\npolicyset.userCertSet.9.default.class_id=signingAlgDefaultImpl\npolicyset.userCertSet.9.default.name=Signing Alg\npolicyset.userCertSet.9.default.params.signingAlg=-\nprofileId=caDualRAuserCert\nclassId=caEnrollImpl\n' 2016-03-14T19:09:47Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:47Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:47Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:47Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:47Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:47Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:47Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:47Z DEBUG response status 200 OK 2016-03-14T19:09:47Z DEBUG response headers {'content-length': '5768', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 
Mar 2016 19:09:47 GMT', 'content-type': 'application/json'} 2016-03-14T19:09:47Z DEBUG response body '#Mon Mar 14 14:09:47 CDT 2016\npolicyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true\npolicyset.userCertSet.7.constraint.class_id=noConstraintImpl\npolicyset.userCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.userCertSet.3.constraint.params.keyType=RSA\ninput.i2.class_id=submitterInfoInputImpl\nauth.instance_id=raCertAuth\npolicyset.userCertSet.7.default.params.exKeyUsageCritical=false\noutput.o1.class_id=certOutputImpl\npolicyset.userCertSet.3.default.name=Key Default\npolicyset.userCertSet.5.constraint.name=No Constraint\npolicyset.userCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl\npolicyset.userCertSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false\npolicyset.userCertSet.1.default.class_id=userSubjectNameDefaultImpl\npolicyset.userCertSet.3.constraint.class_id=keyConstraintImpl\noutput.list=o1\npolicyset.userCertSet.8.default.name=Subject Alt Name Constraint\ninput.list=i1,i2\npolicyset.userCertSet.8.default.class_id=subjectAltNameExtDefaultImpl\npolicyset.userCertSet.2.constraint.params.range=365\nvisible=false\npolicyset.userCertSet.6.default.params.keyUsageDecipherOnly=false\npolicyset.userCertSet.2.default.class_id=validityDefaultImpl\npolicyset.userCertSet.8.default.params.subjAltNameExtCritical=false\npolicyset.userCertSet.2.default.name=Validity Default\ndesc=This certificate profile is for enrolling user certificates with RA agent authentication.\npolicyset.userCertSet.4.constraint.name=No 
Constraint\npolicyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true\npolicyset.userCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl\npolicyset.userCertSet.6.default.params.keyUsageKeyCertSign=false\npolicyset.userCertSet.9.default.params.signingAlg=-\npolicyset.userCertSet.7.default.name=Extended Key Usage Extension Default\npolicyset.userCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.userCertSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.userCertSet.1.constraint.params.pattern=.*UID=.*\npolicyset.userCertSet.5.default.params.authInfoAccessNumADs=1\npolicyset.userCertSet.9.default.class_id=signingAlgDefaultImpl\npolicyset.userCertSet.6.constraint.params.keyUsageCrlSign=false\npolicyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=false\npolicyset.userCertSet.8.default.params.subjAltNameNumGNs=1\npolicyset.userCertSet.2.default.params.range=180\npolicyset.userCertSet.6.default.params.keyUsageCrlSign=false\nenable=true\npolicyset.userCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.userCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.userCertSet.3.constraint.name=Key Constraint\npolicyset.userCertSet.1.default.name=Subject Name Default\npolicyset.userCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4\npolicyset.userCertSet.9.constraint.name=No Constraint\ninput.i1.class_id=certReqInputImpl\nenableBy=admin\npolicyset.userCertSet.5.default.params.authInfoAccessADEnable_0=true\npolicyset.userCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096\npolicyset.userCertSet.2.constraint.params.notAfterCheck=false\npolicyset.userCertSet.2.constraint.name=Validity 
Constraint\npolicyset.userCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.userCertSet.2.default.params.startTime=0\npolicyset.userCertSet.6.default.name=Key Usage Default\npolicyset.userCertSet.5.constraint.class_id=noConstraintImpl\npolicyset.userCertSet.6.default.params.keyUsageKeyEncipherment=true\npolicyset.userCertSet.8.constraint.class_id=noConstraintImpl\nname=RA Agent-Authenticated User Certificate Enrollment\npolicyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true\npolicyset.userCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.userCertSet.5.default.name=AIA Extension Default\npolicyset.userCertSet.6.constraint.params.keyUsageCritical=true\npolicyset.userCertSet.5.default.params.authInfoAccessADLocation_0=\npolicyset.userCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.userCertSet.list=1,2,3,4,5,6,7,8,9\npolicyset.userCertSet.8.constraint.name=No Constraint\npolicyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.userCertSet.1.constraint.name=Subject Name Constraint\npolicyset.userCertSet.1.constraint.params.accept=true\npolicyset.userCertSet.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.userCertSet.7.constraint.name=No Constraint\npolicyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=true\npolicyset.userCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.list=userCertSet\npolicyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$\npolicyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\npolicyset.userCertSet.4.default.name=Authority Key Identifier 
Default\npolicyset.userCertSet.4.constraint.class_id=noConstraintImpl\npolicyset.userCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.userCertSet.6.default.params.keyUsageDigitalSignature=true\npolicyset.userCertSet.6.default.params.keyUsageCritical=true\npolicyset.userCertSet.8.default.params.subjAltExtType_0=RFC822Name\npolicyset.userCertSet.5.default.params.authInfoAccessCritical=false\npolicyset.userCertSet.6.default.params.keyUsageNonRepudiation=true\npolicyset.userCertSet.9.default.name=Signing Alg\npolicyset.userCertSet.6.constraint.name=Key Usage Extension Constraint\npolicyset.userCertSet.1.default.params.name=\npolicyset.userCertSet.6.default.params.keyUsageDataEncipherment=false\n' 2016-03-14T19:09:47Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caDualRAuserCert?action=enable 2016-03-14T19:09:47Z DEBUG request body '' 2016-03-14T19:09:47Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:47Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:47Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:47Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:47Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:47Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:47Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:47Z DEBUG response status 204 No Content 2016-03-14T19:09:47Z DEBUG response headers {'date': 'Mon, 14 Mar 2016 19:09:47 GMT', 'content-type': 'application/x-www-form-urlencoded', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:47Z DEBUG response body '' 2016-03-14T19:09:47Z DEBUG request GET https://jutta.cc.umanitoba.ca:8443/ca/rest/account/logout 2016-03-14T19:09:47Z DEBUG request body '' 2016-03-14T19:09:47Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:47Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:47Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:47Z DEBUG 
cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:48Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:48Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:48Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:48Z DEBUG response status 204 No Content 2016-03-14T19:09:48Z DEBUG response headers {'set-cookie': 'JSESSIONID=4207371FE8201EF97AB634DCFE10E2C1; Path=/ca/; Secure; HttpOnly', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:47 GMT', 'content-type': 'application/xml'} 2016-03-14T19:09:48Z DEBUG response body '' 2016-03-14T19:09:48Z INFO Migrating profile 'caRAagentCert' to LDAP 2016-03-14T19:09:48Z DEBUG request GET https://jutta.cc.umanitoba.ca:8443/ca/rest/account/login 2016-03-14T19:09:48Z DEBUG request body '' 2016-03-14T19:09:48Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:48Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:48Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:48Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:48Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:48Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:48Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:48Z DEBUG response status 200 OK 2016-03-14T19:09:48Z DEBUG response headers {'content-length': '205', 'set-cookie': 'JSESSIONID=0876297D1B7C523C789E116802CFF505; Path=/ca/; Secure; HttpOnly', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:47 GMT', 'content-type': 'application/xml'} 2016-03-14T19:09:48Z DEBUG response body 'iparaCertificate Manager AgentsRegistration Manager Agents' 2016-03-14T19:09:48Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/raw 2016-03-14T19:09:48Z DEBUG request body 'desc=This certificate profile is for 
enrolling RA agent user certificates with RA agent authentication.\nvisible=false\nenable=true\nenableBy=admin\nauth.instance_id=raCertAuth\nname=RA Agent-Authenticated Agent User Certificate Enrollment\ninput.list=i1,i2,i3\ninput.i1.class_id=certReqInputImpl\ninput.i2.class_id=submitterInfoInputImpl\ninput.i3.class_id=subjectDNInputImpl\noutput.list=o1\noutput.o1.class_id=certOutputImpl\npolicyset.list=userCertSet\npolicyset.userCertSet.list=1,2,3,4,5,6,7,8,9\npolicyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.userCertSet.1.constraint.name=Subject Name Constraint\npolicyset.userCertSet.1.constraint.params.pattern=UID=.*\npolicyset.userCertSet.1.constraint.params.accept=true\npolicyset.userCertSet.1.default.class_id=userSubjectNameDefaultImpl\npolicyset.userCertSet.1.default.name=Subject Name Default\npolicyset.userCertSet.1.default.params.name=\npolicyset.userCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.userCertSet.2.constraint.name=Validity Constraint\npolicyset.userCertSet.2.constraint.params.range=365\npolicyset.userCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.userCertSet.2.constraint.params.notAfterCheck=false\npolicyset.userCertSet.2.default.class_id=validityDefaultImpl\npolicyset.userCertSet.2.default.name=Validity Default\npolicyset.userCertSet.2.default.params.range=180\npolicyset.userCertSet.2.default.params.startTime=0\npolicyset.userCertSet.3.constraint.class_id=keyConstraintImpl\npolicyset.userCertSet.3.constraint.name=Key Constraint\npolicyset.userCertSet.3.constraint.params.keyType=RSA\npolicyset.userCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096\npolicyset.userCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.userCertSet.3.default.name=Key Default\npolicyset.userCertSet.4.constraint.class_id=noConstraintImpl\npolicyset.userCertSet.4.constraint.name=No 
Constraint\npolicyset.userCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.userCertSet.4.default.name=Authority Key Identifier Default\npolicyset.userCertSet.5.constraint.class_id=noConstraintImpl\npolicyset.userCertSet.5.constraint.name=No Constraint\npolicyset.userCertSet.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.userCertSet.5.default.name=AIA Extension Default\npolicyset.userCertSet.5.default.params.authInfoAccessADEnable_0=true\npolicyset.userCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.userCertSet.5.default.params.authInfoAccessADLocation_0=\npolicyset.userCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.userCertSet.5.default.params.authInfoAccessCritical=false\npolicyset.userCertSet.5.default.params.authInfoAccessNumADs=1\npolicyset.userCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.userCertSet.6.constraint.name=Key Usage Extension Constraint\npolicyset.userCertSet.6.constraint.params.keyUsageCritical=true\npolicyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true\npolicyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true\npolicyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=false\npolicyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=true\npolicyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false\npolicyset.userCertSet.6.constraint.params.keyUsageCrlSign=false\npolicyset.userCertSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.userCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.userCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.userCertSet.6.default.name=Key Usage 
Default\npolicyset.userCertSet.6.default.params.keyUsageCritical=true\npolicyset.userCertSet.6.default.params.keyUsageDigitalSignature=true\npolicyset.userCertSet.6.default.params.keyUsageNonRepudiation=true\npolicyset.userCertSet.6.default.params.keyUsageDataEncipherment=false\npolicyset.userCertSet.6.default.params.keyUsageKeyEncipherment=true\npolicyset.userCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.userCertSet.6.default.params.keyUsageKeyCertSign=false\npolicyset.userCertSet.6.default.params.keyUsageCrlSign=false\npolicyset.userCertSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.userCertSet.6.default.params.keyUsageDecipherOnly=false\npolicyset.userCertSet.7.constraint.class_id=noConstraintImpl\npolicyset.userCertSet.7.constraint.name=No Constraint\npolicyset.userCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl\npolicyset.userCertSet.7.default.name=Extended Key Usage Extension Default\npolicyset.userCertSet.7.default.params.exKeyUsageCritical=false\npolicyset.userCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4\npolicyset.userCertSet.8.constraint.class_id=noConstraintImpl\npolicyset.userCertSet.8.constraint.name=No Constraint\npolicyset.userCertSet.8.default.class_id=subjectAltNameExtDefaultImpl\npolicyset.userCertSet.8.default.name=Subject Alt Name Constraint\npolicyset.userCertSet.8.default.params.subjAltNameExtCritical=false\npolicyset.userCertSet.8.default.params.subjAltExtType_0=RFC822Name\npolicyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$\npolicyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true\npolicyset.userCertSet.8.default.params.subjAltNameNumGNs=1\npolicyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl\npolicyset.userCertSet.9.constraint.name=No 
Constraint\npolicyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\npolicyset.userCertSet.9.default.class_id=signingAlgDefaultImpl\npolicyset.userCertSet.9.default.name=Signing Alg\npolicyset.userCertSet.9.default.params.signingAlg=-\nprofileId=caRAagentCert\nclassId=caEnrollImpl\n' 2016-03-14T19:09:48Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:48Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:48Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:48Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:48Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:48Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:48Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:48Z DEBUG response status 400 Bad Request 2016-03-14T19:09:48Z DEBUG response headers {'transfer-encoding': 'chunked', 'date': 'Mon, 14 Mar 2016 19:09:47 GMT', 'connection': 'close', 'content-type': 'application/json', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:48Z DEBUG response body '{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.BadRequestException","Code":400,"Message":"Profile already exists"}' 2016-03-14T19:09:48Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caRAagentCert?action=disable 2016-03-14T19:09:48Z DEBUG request body '' 2016-03-14T19:09:48Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:48Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:48Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:48Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:48Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:48Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:48Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:48Z DEBUG response 
status 204 No Content 2016-03-14T19:09:48Z DEBUG response headers {'date': 'Mon, 14 Mar 2016 19:09:47 GMT', 'content-type': 'application/x-www-form-urlencoded', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:48Z DEBUG response body '' 2016-03-14T19:09:48Z DEBUG request PUT https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caRAagentCert/raw 2016-03-14T19:09:48Z DEBUG request body 'desc=This certificate profile is for enrolling RA agent user certificates with RA agent authentication.\nvisible=false\nenable=true\nenableBy=admin\nauth.instance_id=raCertAuth\nname=RA Agent-Authenticated Agent User Certificate Enrollment\ninput.list=i1,i2,i3\ninput.i1.class_id=certReqInputImpl\ninput.i2.class_id=submitterInfoInputImpl\ninput.i3.class_id=subjectDNInputImpl\noutput.list=o1\noutput.o1.class_id=certOutputImpl\npolicyset.list=userCertSet\npolicyset.userCertSet.list=1,2,3,4,5,6,7,8,9\npolicyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.userCertSet.1.constraint.name=Subject Name Constraint\npolicyset.userCertSet.1.constraint.params.pattern=UID=.*\npolicyset.userCertSet.1.constraint.params.accept=true\npolicyset.userCertSet.1.default.class_id=userSubjectNameDefaultImpl\npolicyset.userCertSet.1.default.name=Subject Name Default\npolicyset.userCertSet.1.default.params.name=\npolicyset.userCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.userCertSet.2.constraint.name=Validity Constraint\npolicyset.userCertSet.2.constraint.params.range=365\npolicyset.userCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.userCertSet.2.constraint.params.notAfterCheck=false\npolicyset.userCertSet.2.default.class_id=validityDefaultImpl\npolicyset.userCertSet.2.default.name=Validity Default\npolicyset.userCertSet.2.default.params.range=180\npolicyset.userCertSet.2.default.params.startTime=0\npolicyset.userCertSet.3.constraint.class_id=keyConstraintImpl\npolicyset.userCertSet.3.constraint.name=Key 
Constraint\npolicyset.userCertSet.3.constraint.params.keyType=RSA\npolicyset.userCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096\npolicyset.userCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.userCertSet.3.default.name=Key Default\npolicyset.userCertSet.4.constraint.class_id=noConstraintImpl\npolicyset.userCertSet.4.constraint.name=No Constraint\npolicyset.userCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.userCertSet.4.default.name=Authority Key Identifier Default\npolicyset.userCertSet.5.constraint.class_id=noConstraintImpl\npolicyset.userCertSet.5.constraint.name=No Constraint\npolicyset.userCertSet.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.userCertSet.5.default.name=AIA Extension Default\npolicyset.userCertSet.5.default.params.authInfoAccessADEnable_0=true\npolicyset.userCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.userCertSet.5.default.params.authInfoAccessADLocation_0=\npolicyset.userCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.userCertSet.5.default.params.authInfoAccessCritical=false\npolicyset.userCertSet.5.default.params.authInfoAccessNumADs=1\npolicyset.userCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.userCertSet.6.constraint.name=Key Usage Extension 
Constraint\npolicyset.userCertSet.6.constraint.params.keyUsageCritical=true\npolicyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true\npolicyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true\npolicyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=false\npolicyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=true\npolicyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false\npolicyset.userCertSet.6.constraint.params.keyUsageCrlSign=false\npolicyset.userCertSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.userCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.userCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.userCertSet.6.default.name=Key Usage Default\npolicyset.userCertSet.6.default.params.keyUsageCritical=true\npolicyset.userCertSet.6.default.params.keyUsageDigitalSignature=true\npolicyset.userCertSet.6.default.params.keyUsageNonRepudiation=true\npolicyset.userCertSet.6.default.params.keyUsageDataEncipherment=false\npolicyset.userCertSet.6.default.params.keyUsageKeyEncipherment=true\npolicyset.userCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.userCertSet.6.default.params.keyUsageKeyCertSign=false\npolicyset.userCertSet.6.default.params.keyUsageCrlSign=false\npolicyset.userCertSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.userCertSet.6.default.params.keyUsageDecipherOnly=false\npolicyset.userCertSet.7.constraint.class_id=noConstraintImpl\npolicyset.userCertSet.7.constraint.name=No Constraint\npolicyset.userCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl\npolicyset.userCertSet.7.default.name=Extended Key Usage Extension 
Default\npolicyset.userCertSet.7.default.params.exKeyUsageCritical=false\npolicyset.userCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4\npolicyset.userCertSet.8.constraint.class_id=noConstraintImpl\npolicyset.userCertSet.8.constraint.name=No Constraint\npolicyset.userCertSet.8.default.class_id=subjectAltNameExtDefaultImpl\npolicyset.userCertSet.8.default.name=Subject Alt Name Constraint\npolicyset.userCertSet.8.default.params.subjAltNameExtCritical=false\npolicyset.userCertSet.8.default.params.subjAltExtType_0=RFC822Name\npolicyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$\npolicyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true\npolicyset.userCertSet.8.default.params.subjAltNameNumGNs=1\npolicyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl\npolicyset.userCertSet.9.constraint.name=No Constraint\npolicyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\npolicyset.userCertSet.9.default.class_id=signingAlgDefaultImpl\npolicyset.userCertSet.9.default.name=Signing Alg\npolicyset.userCertSet.9.default.params.signingAlg=-\nprofileId=caRAagentCert\nclassId=caEnrollImpl\n' 2016-03-14T19:09:48Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:48Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:48Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:48Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:48Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:48Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:48Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:48Z DEBUG response status 200 OK 2016-03-14T19:09:48Z DEBUG response headers {'content-length': '5821', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 
2016 19:09:47 GMT', 'content-type': 'application/json'} 2016-03-14T19:09:48Z DEBUG response body '#Mon Mar 14 14:09:48 CDT 2016\npolicyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true\npolicyset.userCertSet.7.constraint.class_id=noConstraintImpl\npolicyset.userCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.userCertSet.3.constraint.params.keyType=RSA\ninput.i2.class_id=submitterInfoInputImpl\nauth.instance_id=raCertAuth\npolicyset.userCertSet.7.default.params.exKeyUsageCritical=false\noutput.o1.class_id=certOutputImpl\npolicyset.userCertSet.3.default.name=Key Default\npolicyset.userCertSet.5.constraint.name=No Constraint\npolicyset.userCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl\npolicyset.userCertSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false\npolicyset.userCertSet.1.default.class_id=userSubjectNameDefaultImpl\npolicyset.userCertSet.3.constraint.class_id=keyConstraintImpl\noutput.list=o1\npolicyset.userCertSet.8.default.name=Subject Alt Name Constraint\ninput.list=i1,i2,i3\npolicyset.userCertSet.8.default.class_id=subjectAltNameExtDefaultImpl\npolicyset.userCertSet.2.constraint.params.range=365\nvisible=false\npolicyset.userCertSet.6.default.params.keyUsageDecipherOnly=false\npolicyset.userCertSet.2.default.class_id=validityDefaultImpl\npolicyset.userCertSet.8.default.params.subjAltNameExtCritical=false\npolicyset.userCertSet.2.default.name=Validity Default\ndesc=This certificate profile is for enrolling RA agent user certificates with RA agent authentication.\npolicyset.userCertSet.4.constraint.name=No 
Default\npolicyset.userCertSet.5.default.params.authInfoAccessADEnable_0=true\npolicyset.userCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.userCertSet.5.default.params.authInfoAccessADLocation_0=\npolicyset.userCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.userCertSet.5.default.params.authInfoAccessCritical=false\npolicyset.userCertSet.5.default.params.authInfoAccessNumADs=1\npolicyset.userCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.userCertSet.6.constraint.name=Key Usage Extension Constraint\npolicyset.userCertSet.6.constraint.params.keyUsageCritical=true\npolicyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true\npolicyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true\npolicyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=false\npolicyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=true\npolicyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false\npolicyset.userCertSet.6.constraint.params.keyUsageCrlSign=false\npolicyset.userCertSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.userCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.userCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.userCertSet.6.default.name=Key Usage 
Default\npolicyset.userCertSet.6.default.params.keyUsageCritical=true\npolicyset.userCertSet.6.default.params.keyUsageDigitalSignature=true\npolicyset.userCertSet.6.default.params.keyUsageNonRepudiation=true\npolicyset.userCertSet.6.default.params.keyUsageDataEncipherment=false\npolicyset.userCertSet.6.default.params.keyUsageKeyEncipherment=true\npolicyset.userCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.userCertSet.6.default.params.keyUsageKeyCertSign=false\npolicyset.userCertSet.6.default.params.keyUsageCrlSign=false\npolicyset.userCertSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.userCertSet.6.default.params.keyUsageDecipherOnly=false\npolicyset.userCertSet.7.constraint.class_id=noConstraintImpl\npolicyset.userCertSet.7.constraint.name=No Constraint\npolicyset.userCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl\npolicyset.userCertSet.7.default.name=Extended Key Usage Extension Default\npolicyset.userCertSet.7.default.params.exKeyUsageCritical=false\npolicyset.userCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4\npolicyset.userCertSet.8.constraint.class_id=noConstraintImpl\npolicyset.userCertSet.8.constraint.name=No Constraint\npolicyset.userCertSet.8.default.class_id=subjectAltNameExtDefaultImpl\npolicyset.userCertSet.8.default.name=Subject Alt Name 
Constraint\npolicyset.userCertSet.8.default.params.subjAltNameExtCritical=false\npolicyset.userCertSet.8.default.params.subjAltExtType_0=RFC822Name\npolicyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$\npolicyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true\npolicyset.userCertSet.8.default.params.subjAltExtType_1=OtherName\npolicyset.userCertSet.8.default.params.subjAltExtPattern_1=(IA5String)1.2.3.4,$server.source$\npolicyset.userCertSet.8.default.params.subjAltExtGNEnable_1=true\npolicyset.userCertSet.8.default.params.subjAltExtSource_1=UUID4\npolicyset.userCertSet.8.default.params.subjAltNameNumGNs=2\npolicyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl\npolicyset.userCertSet.9.constraint.name=No Constraint\npolicyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\npolicyset.userCertSet.9.default.class_id=signingAlgDefaultImpl\npolicyset.userCertSet.9.default.name=Signing Alg\npolicyset.userCertSet.9.default.params.signingAlg=-\nprofileId=caUUIDdeviceCert\nclassId=caEnrollImpl\n' 2016-03-14T19:09:48Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:48Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:48Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:48Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:48Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:48Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:48Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:48Z DEBUG response status 200 OK 2016-03-14T19:09:48Z DEBUG response headers {'content-length': '6156', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:48 GMT', 'content-type': 'application/json'} 2016-03-14T19:09:48Z DEBUG response body '#Mon Mar 14 
14:09:48 CDT 2016\npolicyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true\npolicyset.userCertSet.7.constraint.class_id=noConstraintImpl\npolicyset.userCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.userCertSet.3.constraint.params.keyType=-\ninput.i2.class_id=subjectNameInputImpl\npolicyset.userCertSet.7.default.params.exKeyUsageCritical=false\noutput.o1.class_id=certOutputImpl\npolicyset.userCertSet.3.default.name=Key Default\npolicyset.userCertSet.5.constraint.name=No Constraint\npolicyset.userCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl\npolicyset.userCertSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false\npolicyset.userCertSet.1.default.class_id=userSubjectNameDefaultImpl\npolicyset.userCertSet.3.constraint.class_id=keyConstraintImpl\noutput.list=o1\npolicyset.userCertSet.8.default.params.subjAltExtSource_1=UUID4\npolicyset.userCertSet.8.default.name=Subject Alt Name Constraint\ninput.list=i1,i2,i3\npolicyset.userCertSet.8.default.class_id=subjectAltNameExtDefaultImpl\npolicyset.userCertSet.2.constraint.params.range=365\nvisible=true\npolicyset.userCertSet.6.default.params.keyUsageDecipherOnly=false\npolicyset.userCertSet.2.default.class_id=validityDefaultImpl\npolicyset.userCertSet.8.default.params.subjAltNameExtCritical=false\npolicyset.userCertSet.2.default.name=Validity Default\ndesc=This certificate profile is for enrolling device certificates to contain UUID in the Subject Alternative Name extension\npolicyset.userCertSet.4.constraint.name=No Constraint\npolicyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true\npolicyset.userCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl\npolicyset.userCertSet.6.default.params.keyUsageKeyCertSign=false\npolicyset.userCertSet.9.default.params.signingAlg=-\nauth.class_id=\npolicyset.userCertSet.7.default.name=Extended Key 
Usage Extension Default\npolicyset.userCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.userCertSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.userCertSet.1.constraint.params.pattern=UID=.*\npolicyset.userCertSet.5.default.params.authInfoAccessNumADs=1\npolicyset.userCertSet.9.default.class_id=signingAlgDefaultImpl\npolicyset.userCertSet.6.constraint.params.keyUsageCrlSign=false\npolicyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=false\npolicyset.userCertSet.8.default.params.subjAltNameNumGNs=2\npolicyset.userCertSet.2.default.params.range=180\npolicyset.userCertSet.6.default.params.keyUsageCrlSign=false\nenable=false\npolicyset.userCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.userCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.userCertSet.3.constraint.name=Key Constraint\npolicyset.userCertSet.1.default.name=Subject Name Default\npolicyset.userCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4\npolicyset.userCertSet.9.constraint.name=No Constraint\ninput.i1.class_id=keyGenInputImpl\nenableBy=admin\npolicyset.userCertSet.5.default.params.authInfoAccessADEnable_0=true\npolicyset.userCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521\npolicyset.userCertSet.2.constraint.params.notAfterCheck=false\npolicyset.userCertSet.2.constraint.name=Validity Constraint\ninput.i3.class_id=submitterInfoInputImpl\npolicyset.userCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.userCertSet.2.default.params.startTime=0\npolicyset.userCertSet.6.default.name=Key Usage Default\npolicyset.userCertSet.5.constraint.class_id=noConstraintImpl\npolicyset.userCertSet.6.default.params.keyUsageKeyEncipherment=true\npolicyset.userCertSet.8.constraint.class_id=noConstraintImpl\npolicyset.userCertSet.8.default.params.subjAltExtGNEnable_1=true\nname=Manual device Dual-Use 
Certificate Enrollment to contain UUID in SAN\npolicyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true\npolicyset.userCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.userCertSet.5.default.name=AIA Extension Default\npolicyset.userCertSet.6.constraint.params.keyUsageCritical=true\npolicyset.userCertSet.5.default.params.authInfoAccessADLocation_0=\npolicyset.userCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.userCertSet.list=1,2,3,4,5,6,7,8,9\npolicyset.userCertSet.8.constraint.name=No Constraint\npolicyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.userCertSet.1.constraint.name=Subject Name Constraint\npolicyset.userCertSet.1.constraint.params.accept=true\npolicyset.userCertSet.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.userCertSet.7.constraint.name=No Constraint\npolicyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=true\npolicyset.userCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.list=userCertSet\npolicyset.userCertSet.8.default.params.subjAltExtPattern_1=(IA5String)1.2.3.4,$server.source$\npolicyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$\npolicyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\npolicyset.userCertSet.4.default.name=Authority Key Identifier 
Default\npolicyset.userCertSet.4.constraint.class_id=noConstraintImpl\npolicyset.userCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.userCertSet.6.default.params.keyUsageDigitalSignature=true\npolicyset.userCertSet.8.default.params.subjAltExtType_1=OtherName\npolicyset.userCertSet.6.default.params.keyUsageCritical=true\npolicyset.userCertSet.8.default.params.subjAltExtType_0=RFC822Name\npolicyset.userCertSet.5.default.params.authInfoAccessCritical=false\npolicyset.userCertSet.6.default.params.keyUsageNonRepudiation=true\npolicyset.userCertSet.9.default.name=Signing Alg\npolicyset.userCertSet.6.constraint.name=Key Usage Extension Constraint\npolicyset.userCertSet.1.default.params.name=\npolicyset.userCertSet.6.default.params.keyUsageDataEncipherment=false\n' 2016-03-14T19:09:48Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caUUIDdeviceCert?action=enable 2016-03-14T19:09:48Z DEBUG request body '' 2016-03-14T19:09:48Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:48Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:48Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:48Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:48Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:48Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:48Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:48Z DEBUG response status 204 No Content 2016-03-14T19:09:48Z DEBUG response headers {'date': 'Mon, 14 Mar 2016 19:09:48 GMT', 'content-type': 'application/x-www-form-urlencoded', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:48Z DEBUG response body '' 2016-03-14T19:09:48Z DEBUG request GET https://jutta.cc.umanitoba.ca:8443/ca/rest/account/logout 2016-03-14T19:09:48Z DEBUG request body '' 2016-03-14T19:09:48Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:48Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:48Z DEBUG approved_usage = 
SSL Server intended_usage = SSL Server 2016-03-14T19:09:48Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:48Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:48Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:48Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:48Z DEBUG response status 204 No Content 2016-03-14T19:09:48Z DEBUG response headers {'set-cookie': 'JSESSIONID=5A97EC74CA0D3AE9FD603C454BFC8394; Path=/ca/; Secure; HttpOnly', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:48 GMT', 'content-type': 'application/xml'} 2016-03-14T19:09:48Z DEBUG response body '' 2016-03-14T19:09:48Z INFO Migrating profile 'caSSLClientSelfRenewal' to LDAP 2016-03-14T19:09:48Z DEBUG request GET https://jutta.cc.umanitoba.ca:8443/ca/rest/account/login 2016-03-14T19:09:48Z DEBUG request body '' 2016-03-14T19:09:48Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:48Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:48Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:48Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:48Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:48Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:48Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:48Z DEBUG response status 200 OK 2016-03-14T19:09:48Z DEBUG response headers {'content-length': '205', 'set-cookie': 'JSESSIONID=5C4F8BFBFDA9F77905E407865559ACAB; Path=/ca/; Secure; HttpOnly', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:48 GMT', 'content-type': 'application/xml'} 2016-03-14T19:09:48Z DEBUG response body 'iparaCertificate Manager AgentsRegistration Manager Agents' 2016-03-14T19:09:48Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/raw 
2016-03-14T19:09:48Z DEBUG request body 'desc=This certificate profile is for renewing SSL client certificates.\nvisible=true\nenable=true\nenableBy=admin\nrenewal=true\nauth.instance_id=SSLclientCertAuth\nname=Renewal: Self-renew user SSL client certificates\noutput.list=o1\noutput.o1.class_id=certOutputImpl\nprofileId=caSSLClientSelfRenewal\nclassId=caEnrollImpl\n' 2016-03-14T19:09:48Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:48Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:48Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:48Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:48Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:48Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:48Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:48Z DEBUG response status 400 Bad Request 2016-03-14T19:09:48Z DEBUG response headers {'transfer-encoding': 'chunked', 'date': 'Mon, 14 Mar 2016 19:09:48 GMT', 'connection': 'close', 'content-type': 'application/json', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:48Z DEBUG response body '{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.BadRequestException","Code":400,"Message":"Profile already exists"}' 2016-03-14T19:09:48Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caSSLClientSelfRenewal?action=disable 2016-03-14T19:09:48Z DEBUG request body '' 2016-03-14T19:09:48Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:48Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:48Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:48Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:48Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:48Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:48Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:48Z DEBUG response status 204 No Content 
2016-03-14T19:09:48Z DEBUG response headers {'date': 'Mon, 14 Mar 2016 19:09:48 GMT', 'content-type': 'application/x-www-form-urlencoded', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:48Z DEBUG response body '' 2016-03-14T19:09:48Z DEBUG request PUT https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caSSLClientSelfRenewal/raw 2016-03-14T19:09:48Z DEBUG request body 'desc=This certificate profile is for renewing SSL client certificates.\nvisible=true\nenable=true\nenableBy=admin\nrenewal=true\nauth.instance_id=SSLclientCertAuth\nname=Renewal: Self-renew user SSL client certificates\noutput.list=o1\noutput.o1.class_id=certOutputImpl\nprofileId=caSSLClientSelfRenewal\nclassId=caEnrollImpl\n' 2016-03-14T19:09:48Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:48Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:48Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:48Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:48Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:48Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:48Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:48Z DEBUG response status 200 OK 2016-03-14T19:09:48Z DEBUG response headers {'content-length': '292', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:48 GMT', 'content-type': 'application/json'} 2016-03-14T19:09:48Z DEBUG response body '#Mon Mar 14 14:09:48 CDT 2016\nname=Renewal: Self-renew user SSL client certificates\nvisible=true\nenableBy=admin\nrenewal=true\nenable=true\ndesc=This certificate profile is for renewing SSL client certificates.\nauth.instance_id=SSLclientCertAuth\noutput.list=o1\noutput.o1.class_id=certOutputImpl\n' 2016-03-14T19:09:48Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caSSLClientSelfRenewal?action=enable 2016-03-14T19:09:48Z DEBUG request body '' 
2016-03-14T19:09:48Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:48Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:48Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:48Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:48Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:48Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:48Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:48Z DEBUG response status 204 No Content 2016-03-14T19:09:48Z DEBUG response headers {'date': 'Mon, 14 Mar 2016 19:09:48 GMT', 'content-type': 'application/x-www-form-urlencoded', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:48Z DEBUG response body '' 2016-03-14T19:09:48Z DEBUG request GET https://jutta.cc.umanitoba.ca:8443/ca/rest/account/logout 2016-03-14T19:09:48Z DEBUG request body '' 2016-03-14T19:09:48Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:48Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:48Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:48Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:48Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:48Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:48Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:48Z DEBUG response status 204 No Content 2016-03-14T19:09:48Z DEBUG response headers {'set-cookie': 'JSESSIONID=45000A2736DE17F854C3926E15C01A42; Path=/ca/; Secure; HttpOnly', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:48 GMT', 'content-type': 'application/xml'} 2016-03-14T19:09:48Z DEBUG response body '' 2016-03-14T19:09:48Z INFO Migrating profile 'caDirUserRenewal' to LDAP 2016-03-14T19:09:48Z DEBUG request GET https://jutta.cc.umanitoba.ca:8443/ca/rest/account/login 2016-03-14T19:09:48Z DEBUG request body '' 
2016-03-14T19:09:48Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:48Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:48Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:48Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:48Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:48Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:48Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:48Z DEBUG response status 200 OK 2016-03-14T19:09:48Z DEBUG response headers {'content-length': '205', 'set-cookie': 'JSESSIONID=032BCDB8C2FBBC18FD079C1829DEFB87; Path=/ca/; Secure; HttpOnly', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:48 GMT', 'content-type': 'application/xml'} 2016-03-14T19:09:48Z DEBUG response body 'iparaCertificate Manager AgentsRegistration Manager Agents' 2016-03-14T19:09:48Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/raw 2016-03-14T19:09:48Z DEBUG request body 'desc=This certificate profile is for renewing a certificate by serial number by using directory based authentication.\nvisible=true\nenable=true\nenableBy=admin\nrenewal=true\nauth.instance_id=UserDirEnrollment\nauthz.acl=user_origreq="auth_token.uid"\nname=Renewal: Directory-Authenticated User Certificate Self-Renew profile\ninput.list=i1\ninput.i1.class_id=serialNumRenewInputImpl\noutput.list=o1\noutput.o1.class_id=certOutputImpl\nprofileId=caDirUserRenewal\nclassId=caEnrollImpl\n' 2016-03-14T19:09:48Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:48Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:48Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:48Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:48Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:48Z DEBUG Protocol: TLS1.2 
2016-03-14T19:09:48Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:48Z DEBUG response status 400 Bad Request 2016-03-14T19:09:48Z DEBUG response headers {'transfer-encoding': 'chunked', 'date': 'Mon, 14 Mar 2016 19:09:48 GMT', 'connection': 'close', 'content-type': 'application/json', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:48Z DEBUG response body '{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.BadRequestException","Code":400,"Message":"Profile already exists"}' 2016-03-14T19:09:48Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caDirUserRenewal?action=disable 2016-03-14T19:09:48Z DEBUG request body '' 2016-03-14T19:09:48Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:48Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:48Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:48Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:48Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:48Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:48Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:48Z DEBUG response status 204 No Content 2016-03-14T19:09:48Z DEBUG response headers {'date': 'Mon, 14 Mar 2016 19:09:48 GMT', 'content-type': 'application/x-www-form-urlencoded', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:48Z DEBUG response body '' 2016-03-14T19:09:48Z DEBUG request PUT https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caDirUserRenewal/raw 2016-03-14T19:09:48Z DEBUG request body 'desc=This certificate profile is for renewing a certificate by serial number by using directory based authentication.\nvisible=true\nenable=true\nenableBy=admin\nrenewal=true\nauth.instance_id=UserDirEnrollment\nauthz.acl=user_origreq="auth_token.uid"\nname=Renewal: Directory-Authenticated User Certificate Self-Renew 
profile\ninput.list=i1\ninput.i1.class_id=serialNumRenewInputImpl\noutput.list=o1\noutput.o1.class_id=certOutputImpl\nprofileId=caDirUserRenewal\nclassId=caEnrollImpl\n' 2016-03-14T19:09:48Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:48Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:48Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:48Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:48Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:48Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:48Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:49Z DEBUG response status 200 OK 2016-03-14T19:09:49Z DEBUG response headers {'content-length': '455', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:48 GMT', 'content-type': 'application/json'} 2016-03-14T19:09:49Z DEBUG response body '#Mon Mar 14 14:09:49 CDT 2016\nauthz.acl=user_origreq="auth_token.uid"\nname=Renewal: Directory-Authenticated User Certificate Self-Renew profile\nvisible=true\ninput.list=i1\nenableBy=admin\nrenewal=true\nenable=true\ndesc=This certificate profile is for renewing a certificate by serial number by using directory based authentication.\ninput.i1.class_id=serialNumRenewInputImpl\nauth.instance_id=UserDirEnrollment\noutput.list=o1\noutput.o1.class_id=certOutputImpl\n' 2016-03-14T19:09:49Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caDirUserRenewal?action=enable 2016-03-14T19:09:49Z DEBUG request body '' 2016-03-14T19:09:49Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:49Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:49Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:49Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:49Z DEBUG handshake complete, peer = 130.179.19.176:8443 
o=example\npolicyset.set1.p1.default.params.ldap.ldapconn.host=localhost.localdomain\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=\npolicyset.set1.p6.default.params.subjAltExtPattern_4=\npolicyset.set1.p1.default.params.ldap.ldapconn.secureConn=false\npolicyset.set1.p9.constraint.class_id=noConstraintImpl\npolicyset.set1.p6.default.params.subjAltExtPattern_3=\npolicyset.set1.p6.default.params.subjAltExtPattern_2=\npolicyset.set1.list=p2,p4,p5,p1,p6,p8,p9,p12,p13,p14,p15\npolicyset.set1.p6.default.params.subjAltExtPattern_1=(UTF8String)1.3.6.1.4.1.311.20.2.3,$request.upn$\npolicyset.set1.p13.default.params.crlDistPointsIssuerName_0=\npolicyset.set1.p6.default.params.subjAltExtPattern_0=$request.mail$\noutput.list=o1\npolicyset.set1.p15.default.name=Extended Key Usage Extension Default\npolicyset.set1.p12.constraint.name=Basic Constraints Extension Constraint\npolicyset.set1.p6.default.params.subjAltNameExtCritical=false\npolicyset.set1.p15.default.params.exKeyUsageCritical=false\npolicyset.set1.p1.default.class_id=nsTokenUserKeySubjectNameDefaultImpl\npolicyset.set1.p4.constraint.name=No Constraint\npolicyset.set1.p12.default.class_id=basicConstraintsExtDefaultImpl\npolicyset.set1.p8.constraint.class_id=noConstraintImpl\npolicyset.set1.p6.default.params.subjAltExtGNEnable_4=false\nname=Token User MS Login Certificate 
Enrollment\npolicyset.set1.p6.default.params.subjAltExtGNEnable_3=false\npolicyset.set1.p6.default.params.subjAltExtGNEnable_2=false\npolicyset.set1.p6.default.params.subjAltExtGNEnable_1=true\npolicyset.set1.p6.default.params.subjAltExtGNEnable_0=true\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.enable=false\npolicyset.set1.p13.default.params.crlDistPointsReasons_0=\npolicyset.set1.p2.default.params.startTime=0\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value=\npolicyset.set1.p12.constraint.params.basicConstraintsMinPathLen=-1\npolicyset.set1.p1.default.params.ldap.ldapconn.Version=2\npolicyset.set1.p13.default.name=crlDistributionPointsExtDefaultImpl\npolicyset.set1.p2.default.class_id=validityDefaultImpl\npolicyset.set1.p7.constraint.class_id=noConstraintImpl\npolicyset.set1.p5.default.params.keyUsageDecipherOnly=false\npolicyset.set1.p1.default.params.ldapStringAttributes=uid,mail,givenName,sn,upn\npolicyset.set1.p8.constraint.name=No Constraint\npolicyset.set1.p1.default.params.ldap.minConns=1\npolicyset.set1.p12.constraint.params.basicConstraintsCritical=-\npolicyset.set1.p14.default.params.authInfoAccessNumADs=1\npolicyset.set1.p6.constraint.class_id=noConstraintImpl\npolicyset.set1.p5.default.params.keyUsageEncipherOnly=false\npolicyset.set1.p1.default.name=nsTokenUserKeySubjectNameDefault\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.enable=false\npolicyset.set1.p1.default.params.ldap.searchName=uid\npolicyset.set1.p13.default.class_id=crlDistributionPointsExtDefaultImpl\npolicyset.set1.p12.default.params.basicConstraintsPathLen=-1\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=\npolicyset.set1.p8.default.name=Subject Key Identifier 
Default\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true\npolicyset.set1.p5.constraint.class_id=noConstraintImpl\npolicyset.set1.p7.default.params.Critical=false\npolicyset.set1.p1.constraint.name=No Constraint\ninput.list=i1\npolicyset.set1.p14.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.set1.p4.constraint.class_id=noConstraintImpl\npolicyset.set1.p15.constraint.class_id=noConstraintImpl\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.policyId=\npolicyset.set1.p7.default.params.PoliciesExt.num=5\nenableBy=admin\npolicyset.set1.p5.default.params.keyUsageCritical=true\npolicyset.set1.p6.default.name=Subject Alternative Name Extension Default\npolicyset.set1.p13.constraint.name=No Constraint\npolicyset.set1.p4.default.class_id=signingAlgDefaultImpl\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.explicitText.value=\npolicyset.set1.p14.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.set1.p14.constraint.class_id=noConstraintImpl\npolicyset.set1.p5.constraint.name=No Constraint\npolicyset.set1.p9.constraint.name=No Constraint\ndesc=This profile is for enrolling MS Login 
Certificate\npolicyset.set1.p15.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.4.1.311.20.2.2\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.policyId=\npolicyset.set1.p12.default.params.basicConstraintsIsCA=false\npolicyset.set1.p2.constraint.class_id=noConstraintImpl\npolicyset.set1.p13.constraint.class_id=noConstraintImpl\npolicyset.set1.p13.default.params.crlDistPointsIssuerType_0=\npolicyset.set1.p15.default.class_id=extendedKeyUsageExtDefaultImpl\ninput.i1.class_id=nsNKeyCertReqInputImpl\npolicyset.set1.p6.default.params.subjAltNameNumGNs=2\npolicyset.set1.p5.default.params.keyUsageCrlSign=false\npolicyset.set1.p13.default.params.crlDistPointsPointName_0=http://localhost.localdomain:9443/ca/ee/ca/getCRL?crlIssuingPoint=MasterCRL&op=getCRL\npolicyset.set1.p1.constraint.class_id=noConstraintImpl\npolicyset.set1.p12.constraint.class_id=basicConstraintsExtConstraintImpl\npolicyset.list=set1\npolicyset.set1.p12.constraint.params.basicConstraintsMaxPathLen=-1\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=\npolicyset.set1.p5.default.class_id=keyUsageExtDefaultImpl\npolicyset.set1.p2.constraint.name=No Constraint\nvisible=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.enable=false\npolicyset.set1.p4.default.name=Signing Algorithm Default\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.explicitText.value=\npolicyset.set1.p5.default.params.keyUsageDataEncipherment=false\npolicyset.set1.p14.default.name=AIA Extension Default\npolicyset.set1.p4.default.params.signingAlg=-\npolicyset.set1.p5.default.params.keyUsageDigitalSignature=true\npolicyset.set1.p14.constraint.name=No 
Constraint\npolicyset.set1.p5.default.params.keyUsageKeyCertSign=false\npolicyset.set1.p13.default.params.crlDistPointsEnable_0=true\npolicyset.set1.p6.default.class_id=subjectAltNameExtDefaultImpl\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.policyId=\npolicyset.set1.p6.constraint.name=No Constraint\npolicyset.set1.p1.default.params.ldap.basedn=ou=People,dc=example,dc=com\npolicyset.set1.p2.default.name=Validity Default\npolicyset.set1.p12.default.params.basicConstraintsCritical=false\npolicyset.set1.p5.default.params.keyUsageNonRepudiation=true\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.organization=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.enable=false\npolicyset.set1.p14.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.set1.p9.default.name=Authority Key Identifier Extension Default\npolicyset.set1.p5.default.params.keyUsageKeyEncipherment=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.organization=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.enable=false\npolicyset.set1.p14.default.params.authInfoAccessADEnable_0=true\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.policyId=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.organization=\npolicyset.set1.p12.default.name=Basic Constraints Extension Default\n' 2016-03-14T19:09:49Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caTokenMSLoginEnrollment?action=enable 2016-03-14T19:09:49Z DEBUG request body '' 2016-03-14T19:09:49Z DEBUG 
NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:49Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:49Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:49Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:49Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:49Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:49Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:49Z DEBUG response status 204 No Content 2016-03-14T19:09:49Z DEBUG response headers {'date': 'Mon, 14 Mar 2016 19:09:49 GMT', 'content-type': 'application/x-www-form-urlencoded', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:49Z DEBUG response body '' 2016-03-14T19:09:49Z DEBUG request GET https://jutta.cc.umanitoba.ca:8443/ca/rest/account/logout 2016-03-14T19:09:49Z DEBUG request body '' 2016-03-14T19:09:49Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:49Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:49Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:49Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:49Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:49Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:49Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:49Z DEBUG response status 204 No Content 2016-03-14T19:09:49Z DEBUG response headers {'set-cookie': 'JSESSIONID=2E351DF7721805EB4A9BD8041BD5F237; Path=/ca/; Secure; HttpOnly', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:49 GMT', 'content-type': 'application/xml'} 2016-03-14T19:09:49Z DEBUG response body '' 2016-03-14T19:09:49Z INFO Migrating profile 'caTokenUserSigningKeyRenewal' to LDAP 2016-03-14T19:09:49Z DEBUG request GET https://jutta.cc.umanitoba.ca:8443/ca/rest/account/login 2016-03-14T19:09:49Z DEBUG request body '' 2016-03-14T19:09:49Z DEBUG 
NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:49Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:49Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:49Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:49Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:49Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:49Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:49Z DEBUG response status 200 OK 2016-03-14T19:09:49Z DEBUG response headers {'content-length': '205', 'set-cookie': 'JSESSIONID=143EF8997488D7EF56AB26CD28DFAC74; Path=/ca/; Secure; HttpOnly', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:49 GMT', 'content-type': 'application/xml'} 2016-03-14T19:09:49Z DEBUG response body 'iparaCertificate Manager AgentsRegistration Manager Agents' 2016-03-14T19:09:49Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/raw 2016-03-14T19:09:49Z DEBUG request body 'desc=This certificate profile is for renewing a token certificate\nvisible=false\nenable=true\nenableBy=admin\nrenewal=true\nauth.instance_id=AgentCertAuth\nname=smart card token signing cert renewal profile\ninput.list=i1\ninput.i1.class_id=serialNumRenewInputImpl\noutput.list=o1\noutput.o1.class_id=certOutputImpl\nprofileId=caTokenUserSigningKeyRenewal\nclassId=caUserCertEnrollImpl\n' 2016-03-14T19:09:49Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:49Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:49Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:49Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:49Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:49Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:49Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:49Z DEBUG response status 400 Bad Request 
2016-03-14T19:09:49Z DEBUG response headers {'transfer-encoding': 'chunked', 'date': 'Mon, 14 Mar 2016 19:09:49 GMT', 'connection': 'close', 'content-type': 'application/json', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:49Z DEBUG response body '{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.BadRequestException","Code":400,"Message":"Profile already exists"}' 2016-03-14T19:09:49Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caTokenUserSigningKeyRenewal?action=disable 2016-03-14T19:09:49Z DEBUG request body '' 2016-03-14T19:09:49Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:49Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:49Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:49Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:49Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:49Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:49Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:49Z DEBUG response status 204 No Content 2016-03-14T19:09:49Z DEBUG response headers {'date': 'Mon, 14 Mar 2016 19:09:49 GMT', 'content-type': 'application/x-www-form-urlencoded', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:49Z DEBUG response body '' 2016-03-14T19:09:49Z DEBUG request PUT https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caTokenUserSigningKeyRenewal/raw 2016-03-14T19:09:49Z DEBUG request body 'desc=This certificate profile is for renewing a token certificate\nvisible=false\nenable=true\nenableBy=admin\nrenewal=true\nauth.instance_id=AgentCertAuth\nname=smart card token signing cert renewal profile\ninput.list=i1\ninput.i1.class_id=serialNumRenewInputImpl\noutput.list=o1\noutput.o1.class_id=certOutputImpl\nprofileId=caTokenUserSigningKeyRenewal\nclassId=caUserCertEnrollImpl\n' 2016-03-14T19:09:49Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:49Z DEBUG Connecting: 130.179.19.176:0 
2016-03-14T19:09:49Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:49Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:49Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:49Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:49Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:49Z DEBUG response status 200 OK 2016-03-14T19:09:49Z DEBUG response headers {'content-length': '337', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:49 GMT', 'content-type': 'application/json'} 2016-03-14T19:09:49Z DEBUG response body '#Mon Mar 14 14:09:49 CDT 2016\nname=smart card token signing cert renewal profile\nvisible=false\ninput.list=i1\nenableBy=admin\nrenewal=true\nenable=true\ndesc=This certificate profile is for renewing a token certificate\ninput.i1.class_id=serialNumRenewInputImpl\nauth.instance_id=AgentCertAuth\noutput.list=o1\noutput.o1.class_id=certOutputImpl\n' 2016-03-14T19:09:49Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caTokenUserSigningKeyRenewal?action=enable 2016-03-14T19:09:49Z DEBUG request body '' 2016-03-14T19:09:49Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:49Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:49Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:49Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:49Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:49Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:49Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:49Z DEBUG response status 204 No Content 2016-03-14T19:09:49Z DEBUG response headers {'date': 'Mon, 14 Mar 2016 19:09:49 GMT', 'content-type': 'application/x-www-form-urlencoded', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:49Z DEBUG response body '' 2016-03-14T19:09:49Z DEBUG request 
GET https://jutta.cc.umanitoba.ca:8443/ca/rest/account/logout 2016-03-14T19:09:49Z DEBUG request body '' 2016-03-14T19:09:49Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:49Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:49Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:49Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:49Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:49Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:49Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:49Z DEBUG response status 204 No Content 2016-03-14T19:09:49Z DEBUG response headers {'set-cookie': 'JSESSIONID=B906A14EC4A084FF7730DFD86370934D; Path=/ca/; Secure; HttpOnly', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:49 GMT', 'content-type': 'application/xml'} 2016-03-14T19:09:49Z DEBUG response body '' 2016-03-14T19:09:49Z INFO Migrating profile 'caTokenUserEncryptionKeyRenewal' to LDAP 2016-03-14T19:09:49Z DEBUG request GET https://jutta.cc.umanitoba.ca:8443/ca/rest/account/login 2016-03-14T19:09:49Z DEBUG request body '' 2016-03-14T19:09:49Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:49Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:49Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:49Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:49Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:49Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:49Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:49Z DEBUG response status 200 OK 2016-03-14T19:09:49Z DEBUG response headers {'content-length': '205', 'set-cookie': 'JSESSIONID=220ABC0E491C127AB87C96F1BDE68B53; Path=/ca/; Secure; HttpOnly', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 
'private', 'date': 'Mon, 14 Mar 2016 19:09:49 GMT', 'content-type': 'application/xml'} 2016-03-14T19:09:49Z DEBUG response body 'iparaCertificate Manager AgentsRegistration Manager Agents' 2016-03-14T19:09:49Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/raw 2016-03-14T19:09:49Z DEBUG request body 'desc=This certificate profile is for renewing a token encryption certificate\nvisible=false\nenable=true\nenableBy=admin\nrenewal=true\nauth.instance_id=AgentCertAuth\nname=smart card token encryption cert renewal profile\ninput.list=i1\ninput.i1.class_id=serialNumRenewInputImpl\noutput.list=o1\noutput.o1.class_id=certOutputImpl\nprofileId=caTokenUserEncryptionKeyRenewal\nclassId=caUserCertEnrollImpl\n' 2016-03-14T19:09:49Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:49Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:49Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:49Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:49Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:49Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:49Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:49Z DEBUG response status 400 Bad Request 2016-03-14T19:09:49Z DEBUG response headers {'transfer-encoding': 'chunked', 'date': 'Mon, 14 Mar 2016 19:09:49 GMT', 'connection': 'close', 'content-type': 'application/json', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:49Z DEBUG response body '{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.BadRequestException","Code":400,"Message":"Profile already exists"}' 2016-03-14T19:09:49Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caTokenUserEncryptionKeyRenewal?action=disable 2016-03-14T19:09:49Z DEBUG request body '' 2016-03-14T19:09:49Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:49Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:49Z DEBUG 
approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:49Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:49Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:49Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:49Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:49Z DEBUG response status 204 No Content 2016-03-14T19:09:49Z DEBUG response headers {'date': 'Mon, 14 Mar 2016 19:09:49 GMT', 'content-type': 'application/x-www-form-urlencoded', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:49Z DEBUG response body '' 2016-03-14T19:09:49Z DEBUG request PUT https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caTokenUserEncryptionKeyRenewal/raw 2016-03-14T19:09:49Z DEBUG request body 'desc=This certificate profile is for renewing a token encryption certificate\nvisible=false\nenable=true\nenableBy=admin\nrenewal=true\nauth.instance_id=AgentCertAuth\nname=smart card token encryption cert renewal profile\ninput.list=i1\ninput.i1.class_id=serialNumRenewInputImpl\noutput.list=o1\noutput.o1.class_id=certOutputImpl\nprofileId=caTokenUserEncryptionKeyRenewal\nclassId=caUserCertEnrollImpl\n' 2016-03-14T19:09:49Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:49Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:49Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:49Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:49Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:49Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:49Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:49Z DEBUG response status 200 OK 2016-03-14T19:09:49Z DEBUG response headers {'content-length': '351', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:49 GMT', 'content-type': 'application/json'} 2016-03-14T19:09:49Z DEBUG response body '#Mon Mar 14 
14:09:49 CDT 2016\nname=smart card token encryption cert renewal profile\nvisible=false\ninput.list=i1\nenableBy=admin\nrenewal=true\nenable=true\ndesc=This certificate profile is for renewing a token encryption certificate\ninput.i1.class_id=serialNumRenewInputImpl\nauth.instance_id=AgentCertAuth\noutput.list=o1\noutput.o1.class_id=certOutputImpl\n' 2016-03-14T19:09:49Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caTokenUserEncryptionKeyRenewal?action=enable 2016-03-14T19:09:49Z DEBUG request body '' 2016-03-14T19:09:49Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:49Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:49Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:49Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:49Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:49Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:49Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:50Z DEBUG response status 204 No Content 2016-03-14T19:09:50Z DEBUG response headers {'date': 'Mon, 14 Mar 2016 19:09:49 GMT', 'content-type': 'application/x-www-form-urlencoded', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:50Z DEBUG response body '' 2016-03-14T19:09:50Z DEBUG request GET https://jutta.cc.umanitoba.ca:8443/ca/rest/account/logout 2016-03-14T19:09:50Z DEBUG request body '' 2016-03-14T19:09:50Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:50Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:50Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:50Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:50Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:50Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:50Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:50Z DEBUG response status 204 No Content 2016-03-14T19:09:50Z DEBUG response headers 
{'set-cookie': 'JSESSIONID=03E8086281017EAE062ED2477B0926F8; Path=/ca/; Secure; HttpOnly', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:49 GMT', 'content-type': 'application/xml'} 2016-03-14T19:09:50Z DEBUG response body '' 2016-03-14T19:09:50Z INFO Migrating profile 'caTokenUserAuthKeyRenewal' to LDAP 2016-03-14T19:09:50Z DEBUG request GET https://jutta.cc.umanitoba.ca:8443/ca/rest/account/login 2016-03-14T19:09:50Z DEBUG request body '' 2016-03-14T19:09:50Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:50Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:50Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:50Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:50Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:50Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:50Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:50Z DEBUG response status 200 OK 2016-03-14T19:09:50Z DEBUG response headers {'content-length': '205', 'set-cookie': 'JSESSIONID=75C508AB3E30F4DFEC28C2F939E59ED8; Path=/ca/; Secure; HttpOnly', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:49 GMT', 'content-type': 'application/xml'} 2016-03-14T19:09:50Z DEBUG response body 'iparaCertificate Manager AgentsRegistration Manager Agents' 2016-03-14T19:09:50Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/raw 2016-03-14T19:09:50Z DEBUG request body 'desc=This certificate profile is for renewing a token authentication certificate\nvisible=false\nenable=true\nenableBy=admin\nrenewal=true\nauth.instance_id=AgentCertAuth\nname=smart card token authentication cert renewal 
Constraint\npolicyset.serverCertSet.6.constraint.params.keyUsageCritical=true\npolicyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true\npolicyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true\npolicyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true\npolicyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true\npolicyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false\npolicyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false\npolicyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.serverCertSet.6.default.name=Key Usage Default\npolicyset.serverCertSet.6.default.params.keyUsageCritical=true\npolicyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true\npolicyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true\npolicyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true\npolicyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true\npolicyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false\npolicyset.serverCertSet.6.default.params.keyUsageCrlSign=false\npolicyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false\npolicyset.serverCertSet.7.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.7.constraint.name=No Constraint\npolicyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl\npolicyset.serverCertSet.7.default.name=Extended Key Usage Extension 
Default\npolicyset.serverCertSet.7.default.params.exKeyUsageCritical=false\npolicyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2\npolicyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl\npolicyset.serverCertSet.8.constraint.name=No Constraint\npolicyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\npolicyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl\npolicyset.serverCertSet.8.default.name=Signing Alg\npolicyset.serverCertSet.8.default.params.signingAlg=-\npolicyset.serverCertSet.9.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.9.constraint.name=No Constraint\npolicyset.serverCertSet.9.default.class_id=crlDistributionPointsExtDefaultImpl\npolicyset.serverCertSet.9.default.name=CRL Distribution Points Extension Default\npolicyset.serverCertSet.9.default.params.crlDistPointsCritical=false\npolicyset.serverCertSet.9.default.params.crlDistPointsNum=1\npolicyset.serverCertSet.9.default.params.crlDistPointsEnable_0=true\npolicyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=\npolicyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=\npolicyset.serverCertSet.9.default.params.crlDistPointsPointName_0=https://ipa.example.com/ipa/crl/MasterCRL.bin\npolicyset.serverCertSet.9.default.params.crlDistPointsPointType_0=URIName\npolicyset.serverCertSet.9.default.params.crlDistPointsReasons_0=\nprofileId=caIPAserviceCert\nclassId=caEnrollImpl\n' 2016-03-14T19:09:50Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:50Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:50Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:50Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:50Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:50Z DEBUG Protocol: TLS1.2 
2016-03-14T19:09:50Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:50Z DEBUG response status 200 OK 2016-03-14T19:09:50Z DEBUG response headers {'content-length': '6256', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:50 GMT', 'content-type': 'application/json'} 2016-03-14T19:09:50Z DEBUG response body '#Mon Mar 14 14:09:50 CDT 2016\npolicyset.serverCertSet.4.constraint.name=No Constraint\npolicyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.serverCertSet.5.default.params.authInfoAccessCritical=false\npolicyset.serverCertSet.2.default.params.range=731\npolicyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2\ninput.i2.class_id=submitterInfoInputImpl\nauth.instance_id=raCertAuth\npolicyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true\noutput.o1.class_id=certOutputImpl\npolicyset.serverCertSet.9.default.name=CRL Distribution Points Extension Default\npolicyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.serverCertSet.9.default.params.crlDistPointsCritical=false\npolicyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.serverCertSet.3.constraint.name=Key Constraint\npolicyset.serverCertSet.3.constraint.params.keyType=RSA\npolicyset.serverCertSet.2.constraint.params.range=740\npolicyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true\npolicyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.serverCertSet.9.constraint.name=No 
Constraint\npolicyset.serverCertSet.6.constraint.params.keyUsageCritical=true\noutput.list=o1\npolicyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.serverCertSet.9.default.params.crlDistPointsNum=1\ninput.list=i1,i2\npolicyset.serverCertSet.3.default.name=Key Default\npolicyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false\npolicyset.serverCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false\npolicyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true\npolicyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false\nvisible=false\npolicyset.serverCertSet.9.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true\ndesc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.\npolicyset.serverCertSet.8.default.name=Signing Alg\npolicyset.serverCertSet.2.constraint.name=Validity Constraint\npolicyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true\npolicyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.serverCertSet.8.constraint.name=No Constraint\npolicyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true\npolicyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.serverCertSet.5.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.1.constraint.name=Subject Name Constraint\npolicyset.serverCertSet.9.default.params.crlDistPointsPointName_0=https://ipa.example.com/ipa/crl/MasterCRL.bin\npolicyset.serverCertSet.5.default.params.authInfoAccessNumADs=1\npolicyset.serverCertSet.2.default.name=Validity 
Default\npolicyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl\nenable=true\npolicyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+\npolicyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl\npolicyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096\npolicyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=\npolicyset.serverCertSet.2.constraint.params.notAfterCheck=false\npolicyset.serverCertSet.7.default.name=Extended Key Usage Extension Default\npolicyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl\npolicyset.serverCertSet.9.default.params.crlDistPointsEnable_0=true\ninput.i1.class_id=certReqInputImpl\nenableBy=admin\npolicyset.serverCertSet.7.constraint.name=No Constraint\npolicyset.serverCertSet.list=1,2,3,4,5,6,7,8\npolicyset.serverCertSet.1.default.name=Subject Name Default\npolicyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint\npolicyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl\nname=IPA-RA Agent-Authenticated Server Certificate Enrollment\npolicyset.serverCertSet.4.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.2.default.class_id=validityDefaultImpl\npolicyset.serverCertSet.9.default.params.crlDistPointsReasons_0=\npolicyset.serverCertSet.6.default.name=Key Usage Default\npolicyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true\npolicyset.serverCertSet.9.default.class_id=crlDistributionPointsExtDefaultImpl\npolicyset.serverCertSet.6.default.params.keyUsageCritical=true\npolicyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\npolicyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, OU=pki-ipa, O=IPA 
\npolicyset.serverCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.serverCertSet.8.default.params.signingAlg=-\npolicyset.serverCertSet.2.default.params.startTime=0\npolicyset.serverCertSet.7.constraint.class_id=noConstraintImpl\npolicyset.list=serverCertSet\npolicyset.serverCertSet.5.constraint.name=No Constraint\npolicyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true\npolicyset.serverCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false\npolicyset.serverCertSet.7.default.params.exKeyUsageCritical=false\npolicyset.serverCertSet.9.default.params.crlDistPointsPointType_0=URIName\npolicyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true\npolicyset.serverCertSet.5.default.name=AIA Extension Default\npolicyset.serverCertSet.3.constraint.class_id=keyConstraintImpl\npolicyset.serverCertSet.6.default.params.keyUsageCrlSign=false\npolicyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=\npolicyset.serverCertSet.4.default.name=Authority Key Identifier Default\npolicyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.serverCertSet.1.constraint.params.accept=true\npolicyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=\n' 2016-03-14T19:09:50Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caIPAserviceCert?action=enable 2016-03-14T19:09:50Z DEBUG request body '' 2016-03-14T19:09:50Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:50Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:50Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:50Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:50Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:50Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:50Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:50Z DEBUG response status 204 No Content 
2016-03-14T19:09:50Z DEBUG response headers {'date': 'Mon, 14 Mar 2016 19:09:50 GMT', 'content-type': 'application/x-www-form-urlencoded', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:50Z DEBUG response body '' 2016-03-14T19:09:50Z DEBUG request GET https://jutta.cc.umanitoba.ca:8443/ca/rest/account/logout 2016-03-14T19:09:50Z DEBUG request body '' 2016-03-14T19:09:50Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:50Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:50Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:50Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:50Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:50Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:50Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:50Z DEBUG response status 204 No Content 2016-03-14T19:09:50Z DEBUG response headers {'set-cookie': 'JSESSIONID=014B639734DBFAC845378725FF5597AB; Path=/ca/; Secure; HttpOnly', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:50 GMT', 'content-type': 'application/xml'} 2016-03-14T19:09:50Z DEBUG response body '' 2016-03-14T19:09:50Z INFO Migrating profile 'caEncUserCert' to LDAP 2016-03-14T19:09:50Z DEBUG request GET https://jutta.cc.umanitoba.ca:8443/ca/rest/account/login 2016-03-14T19:09:50Z DEBUG request body '' 2016-03-14T19:09:50Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:50Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:50Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:50Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:50Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:50Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:50Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:50Z DEBUG response status 200 OK 2016-03-14T19:09:50Z DEBUG 
response headers {'content-length': '205', 'set-cookie': 'JSESSIONID=82B9FD2D9D8DA3AA2D62651D0ACF583D; Path=/ca/; Secure; HttpOnly', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:50 GMT', 'content-type': 'application/xml'} 2016-03-14T19:09:50Z DEBUG response body 'iparaCertificate Manager AgentsRegistration Manager Agents' 2016-03-14T19:09:50Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/raw 2016-03-14T19:09:50Z DEBUG request body 'desc=This certificate profile is for enrolling user encryption certificates with option to archive keys.\nvisible=false\nenable=true\nenableBy=admin\nname=Manual User Encryption Certificates Enrollment\nauth.class_id=\ninput.list=i1,i2,i3\ninput.i1.class_id=certReqInputImpl\ninput.i2.class_id=subjectNameInputImpl\ninput.i3.class_id=submitterInfoInputImpl\noutput.list=o1\noutput.o1.class_id=certOutputImpl\npolicyset.list=encryptionCertSet\npolicyset.encryptionCertSet.list=1,2,3,4,5,6,7,8,9\npolicyset.encryptionCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.encryptionCertSet.1.constraint.name=Subject Name Constraint\npolicyset.encryptionCertSet.1.constraint.params.pattern=CN=.*\npolicyset.encryptionCertSet.1.constraint.params.accept=true\npolicyset.encryptionCertSet.1.default.class_id=userSubjectNameDefaultImpl\npolicyset.encryptionCertSet.1.default.name=Subject Name Default\npolicyset.encryptionCertSet.1.default.params.name=\npolicyset.encryptionCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.encryptionCertSet.2.constraint.name=Validity Constraint\npolicyset.encryptionCertSet.2.constraint.params.range=365\npolicyset.encryptionCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.encryptionCertSet.2.constraint.params.notAfterCheck=false\npolicyset.encryptionCertSet.2.default.class_id=validityDefaultImpl\npolicyset.encryptionCertSet.2.default.name=Validity 
Default\npolicyset.encryptionCertSet.2.default.params.range=180\npolicyset.encryptionCertSet.2.default.params.startTime=0\npolicyset.encryptionCertSet.3.constraint.class_id=keyConstraintImpl\npolicyset.encryptionCertSet.3.constraint.name=Key Constraint\npolicyset.encryptionCertSet.3.constraint.params.keyType=RSA\npolicyset.encryptionCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096\npolicyset.encryptionCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.encryptionCertSet.3.default.name=Key Default\npolicyset.encryptionCertSet.4.constraint.class_id=noConstraintImpl\npolicyset.encryptionCertSet.4.constraint.name=No Constraint\npolicyset.encryptionCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.encryptionCertSet.4.default.name=Authority Key Identifier Default\npolicyset.encryptionCertSet.5.constraint.class_id=noConstraintImpl\npolicyset.encryptionCertSet.5.constraint.name=No Constraint\npolicyset.encryptionCertSet.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.encryptionCertSet.5.default.name=AIA Extension Default\npolicyset.encryptionCertSet.5.default.params.authInfoAccessADEnable_0=true\npolicyset.encryptionCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.encryptionCertSet.5.default.params.authInfoAccessADLocation_0=\npolicyset.encryptionCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.encryptionCertSet.5.default.params.authInfoAccessCritical=false\npolicyset.encryptionCertSet.5.default.params.authInfoAccessNumADs=1\npolicyset.encryptionCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.encryptionCertSet.6.constraint.name=Key Usage Extension 
Constraint\npolicyset.encryptionCertSet.6.constraint.params.keyUsageCritical=true\npolicyset.encryptionCertSet.6.constraint.params.keyUsageDigitalSignature=false\npolicyset.encryptionCertSet.6.constraint.params.keyUsageNonRepudiation=false\npolicyset.encryptionCertSet.6.constraint.params.keyUsageDataEncipherment=false\npolicyset.encryptionCertSet.6.constraint.params.keyUsageKeyEncipherment=true\npolicyset.encryptionCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.encryptionCertSet.6.constraint.params.keyUsageKeyCertSign=false\npolicyset.encryptionCertSet.6.constraint.params.keyUsageCrlSign=false\npolicyset.encryptionCertSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.encryptionCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.encryptionCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.encryptionCertSet.6.default.name=Key Usage Default\npolicyset.encryptionCertSet.6.default.params.keyUsageCritical=true\npolicyset.encryptionCertSet.6.default.params.keyUsageDigitalSignature=false\npolicyset.encryptionCertSet.6.default.params.keyUsageNonRepudiation=false\npolicyset.encryptionCertSet.6.default.params.keyUsageDataEncipherment=false\npolicyset.encryptionCertSet.6.default.params.keyUsageKeyEncipherment=true\npolicyset.encryptionCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.encryptionCertSet.6.default.params.keyUsageKeyCertSign=false\npolicyset.encryptionCertSet.6.default.params.keyUsageCrlSign=false\npolicyset.encryptionCertSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.encryptionCertSet.6.default.params.keyUsageDecipherOnly=false\npolicyset.encryptionCertSet.7.constraint.class_id=noConstraintImpl\npolicyset.encryptionCertSet.7.constraint.name=No Constraint\npolicyset.encryptionCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl\npolicyset.encryptionCertSet.7.default.name=Extended Key Usage Extension 
Default\npolicyset.encryptionCertSet.7.default.params.exKeyUsageCritical=false\npolicyset.encryptionCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4\npolicyset.encryptionCertSet.8.constraint.class_id=noConstraintImpl\npolicyset.encryptionCertSet.8.constraint.name=No Constraint\npolicyset.encryptionCertSet.8.default.class_id=subjectAltNameExtDefaultImpl\npolicyset.encryptionCertSet.8.default.name=Subject Alt Name Constraint\npolicyset.encryptionCertSet.8.default.params.subjAltNameExtCritical=false\npolicyset.encryptionCertSet.8.default.params.subjAltExtType_0=RFC822Name\npolicyset.encryptionCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$\npolicyset.encryptionCertSet.8.default.params.subjAltExtGNEnable_0=true\npolicyset.encryptionCertSet.8.default.params.subjAltNameNumGNs=1\npolicyset.encryptionCertSet.9.constraint.class_id=signingAlgConstraintImpl\npolicyset.encryptionCertSet.9.constraint.name=No Constraint\npolicyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\npolicyset.encryptionCertSet.9.default.class_id=signingAlgDefaultImpl\npolicyset.encryptionCertSet.9.default.name=Signing Alg\npolicyset.encryptionCertSet.9.default.params.signingAlg=-\n\nprofileId=caEncUserCert\nclassId=caEnrollImpl\n' 2016-03-14T19:09:50Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:50Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:50Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:50Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:50Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:50Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:50Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:50Z DEBUG response status 400 Bad Request 2016-03-14T19:09:50Z DEBUG response headers {'transfer-encoding': 
'chunked', 'date': 'Mon, 14 Mar 2016 19:09:50 GMT', 'connection': 'close', 'content-type': 'application/json', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:50Z DEBUG response body '{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.BadRequestException","Code":400,"Message":"Profile already exists"}' 2016-03-14T19:09:50Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caEncUserCert?action=disable 2016-03-14T19:09:50Z DEBUG request body '' 2016-03-14T19:09:50Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:50Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:50Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:50Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:50Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:50Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:50Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:50Z DEBUG response status 204 No Content 2016-03-14T19:09:50Z DEBUG response headers {'date': 'Mon, 14 Mar 2016 19:09:50 GMT', 'content-type': 'application/x-www-form-urlencoded', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:50Z DEBUG response body '' 2016-03-14T19:09:50Z DEBUG request PUT https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caEncUserCert/raw 2016-03-14T19:09:50Z DEBUG request body 'desc=This certificate profile is for enrolling user encryption certificates with option to archive keys.\nvisible=false\nenable=true\nenableBy=admin\nname=Manual User Encryption Certificates 
Enrollment\nauth.class_id=\ninput.list=i1,i2,i3\ninput.i1.class_id=certReqInputImpl\ninput.i2.class_id=subjectNameInputImpl\ninput.i3.class_id=submitterInfoInputImpl\noutput.list=o1\noutput.o1.class_id=certOutputImpl\npolicyset.list=encryptionCertSet\npolicyset.encryptionCertSet.list=1,2,3,4,5,6,7,8,9\npolicyset.encryptionCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.encryptionCertSet.1.constraint.name=Subject Name Constraint\npolicyset.encryptionCertSet.1.constraint.params.pattern=CN=.*\npolicyset.encryptionCertSet.1.constraint.params.accept=true\npolicyset.encryptionCertSet.1.default.class_id=userSubjectNameDefaultImpl\npolicyset.encryptionCertSet.1.default.name=Subject Name Default\npolicyset.encryptionCertSet.1.default.params.name=\npolicyset.encryptionCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.encryptionCertSet.2.constraint.name=Validity Constraint\npolicyset.encryptionCertSet.2.constraint.params.range=365\npolicyset.encryptionCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.encryptionCertSet.2.constraint.params.notAfterCheck=false\npolicyset.encryptionCertSet.2.default.class_id=validityDefaultImpl\npolicyset.encryptionCertSet.2.default.name=Validity Default\npolicyset.encryptionCertSet.2.default.params.range=180\npolicyset.encryptionCertSet.2.default.params.startTime=0\npolicyset.encryptionCertSet.3.constraint.class_id=keyConstraintImpl\npolicyset.encryptionCertSet.3.constraint.name=Key Constraint\npolicyset.encryptionCertSet.3.constraint.params.keyType=RSA\npolicyset.encryptionCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096\npolicyset.encryptionCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.encryptionCertSet.3.default.name=Key Default\npolicyset.encryptionCertSet.4.constraint.class_id=noConstraintImpl\npolicyset.encryptionCertSet.4.constraint.name=No 
Constraint\npolicyset.encryptionCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.encryptionCertSet.4.default.name=Authority Key Identifier Default\npolicyset.encryptionCertSet.5.constraint.class_id=noConstraintImpl\npolicyset.encryptionCertSet.5.constraint.name=No Constraint\npolicyset.encryptionCertSet.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.encryptionCertSet.5.default.name=AIA Extension Default\npolicyset.encryptionCertSet.5.default.params.authInfoAccessADEnable_0=true\npolicyset.encryptionCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.encryptionCertSet.5.default.params.authInfoAccessADLocation_0=\npolicyset.encryptionCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.encryptionCertSet.5.default.params.authInfoAccessCritical=false\npolicyset.encryptionCertSet.5.default.params.authInfoAccessNumADs=1\npolicyset.encryptionCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.encryptionCertSet.6.constraint.name=Key Usage Extension Constraint\npolicyset.encryptionCertSet.6.constraint.params.keyUsageCritical=true\npolicyset.encryptionCertSet.6.constraint.params.keyUsageDigitalSignature=false\npolicyset.encryptionCertSet.6.constraint.params.keyUsageNonRepudiation=false\npolicyset.encryptionCertSet.6.constraint.params.keyUsageDataEncipherment=false\npolicyset.encryptionCertSet.6.constraint.params.keyUsageKeyEncipherment=true\npolicyset.encryptionCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.encryptionCertSet.6.constraint.params.keyUsageKeyCertSign=false\npolicyset.encryptionCertSet.6.constraint.params.keyUsageCrlSign=false\npolicyset.encryptionCertSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.encryptionCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.encryptionCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.encryptionCertSet.6.default.name=Key Usage 
Constraint\npolicyset.set1.p4.default.class_id=signingAlgDefaultImpl\npolicyset.set1.p4.default.name=Signing Algorithm Default\npolicyset.set1.p4.default.params.signingAlg=-\npolicyset.set1.p5.constraint.class_id=noConstraintImpl\npolicyset.set1.p5.constraint.name=No Constraint\npolicyset.set1.p5.default.class_id=keyUsageExtDefaultImpl\npolicyset.set1.p5.default.name=Key Usage Extension Default\npolicyset.set1.p5.default.params.keyUsageCritical=true\npolicyset.set1.p5.default.params.keyUsageCrlSign=false\npolicyset.set1.p5.default.params.keyUsageDataEncipherment=false\npolicyset.set1.p5.default.params.keyUsageDecipherOnly=false\npolicyset.set1.p5.default.params.keyUsageDigitalSignature=true\npolicyset.set1.p5.default.params.keyUsageEncipherOnly=false\npolicyset.set1.p5.default.params.keyUsageKeyAgreement=false\npolicyset.set1.p5.default.params.keyUsageKeyCertSign=false\npolicyset.set1.p5.default.params.keyUsageKeyEncipherment=false\npolicyset.set1.p5.default.params.keyUsageNonRepudiation=true\npolicyset.set1.p6.constraint.class_id=noConstraintImpl\npolicyset.set1.p6.constraint.name=No Constraint\npolicyset.set1.p6.default.class_id=subjectAltNameExtDefaultImpl\npolicyset.set1.p6.default.name=Subject Alternative Name Extension 
Default\npolicyset.set1.p6.default.params.subjAltExtGNEnable_0=true\npolicyset.set1.p6.default.params.subjAltExtGNEnable_1=false\npolicyset.set1.p6.default.params.subjAltExtGNEnable_2=false\npolicyset.set1.p6.default.params.subjAltExtGNEnable_3=false\npolicyset.set1.p6.default.params.subjAltExtGNEnable_4=false\npolicyset.set1.p6.default.params.subjAltExtPattern_0=(UTF8String)1.3.6.1.4.1.311.20.2.3,$request.req_san_pattern_0$\npolicyset.set1.p6.default.params.subjAltExtPattern_1=\npolicyset.set1.p6.default.params.subjAltExtPattern_2=\npolicyset.set1.p6.default.params.subjAltExtPattern_3=\npolicyset.set1.p6.default.params.subjAltExtPattern_4=\npolicyset.set1.p6.default.params.subjAltExtType_0=OtherName\npolicyset.set1.p6.default.params.subjAltExtType_1=OtherName\npolicyset.set1.p6.default.params.subjAltExtType_2=OtherName\npolicyset.set1.p6.default.params.subjAltExtType_3=RFC822Name\npolicyset.set1.p6.default.params.subjAltExtType_4=RFC822Name\npolicyset.set1.p6.default.params.subjAltNameExtCritical=false\npolicyset.set1.p6.default.params.subjAltNameNumGNs=1\npolicyset.set1.p7.constraint.class_id=noConstraintImpl\npolicyset.set1.p7.constraint.name=No Constraint\npolicyset.set1.p7.default.class_id=certificatePoliciesExtDefaultImpl\npolicyset.set1.p7.default.name=Certificate Policies Extension 
Default\npolicyset.set1.p7.default.params.Critical=false\npolicyset.set1.p7.default.params.PoliciesExt.num=5\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.policyId=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.policyId=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.explicitText.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.organization=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.policyId=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.value=\npolicyset.set1.p7.default.params
.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.explicitText.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.organization=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.policyId=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.explicitText.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.organization=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.policyId=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.explicitText.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.organization=\npolicyset.set1.p8.constraint.class_id=noConstraintImpl\n
policyset.set1.p8.constraint.name=No Constraint\npolicyset.set1.p8.default.class_id=subjectKeyIdentifierExtDefaultImpl\npolicyset.set1.p8.default.name=Subject Key Identifier Default\npolicyset.set1.p9.constraint.class_id=noConstraintImpl\npolicyset.set1.p9.constraint.name=No Constraint\npolicyset.set1.p9.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.set1.p9.default.name=Authority Key Identifier Extension Default\npolicyset.set1.10.constraint.class_id=renewGracePeriodConstraintImpl\npolicyset.set1.10.constraint.name=Renewal Grace Period Constraint\npolicyset.set1.10.constraint.params.renewal.graceBefore=30\npolicyset.set1.10.constraint.params.renewal.graceAfter=30\npolicyset.set1.10.default.class_id=noDefaultImpl\npolicyset.set1.10.default.name=No Default\npolicyset.set1.p12.constraint.class_id=basicConstraintsExtConstraintImpl\npolicyset.set1.p12.constraint.name=Basic Constraints Extension Constraint\npolicyset.set1.p12.constraint.params.basicConstraintsCritical=-\npolicyset.set1.p12.constraint.params.basicConstraintsIsCA=-\npolicyset.set1.p12.constraint.params.basicConstraintsMaxPathLen=-1\npolicyset.set1.p12.constraint.params.basicConstraintsMinPathLen=-1\npolicyset.set1.p12.default.class_id=basicConstraintsExtDefaultImpl\npolicyset.set1.p12.default.name=Basic Constraints Extension Default\npolicyset.set1.p12.default.params.basicConstraintsCritical=false\npolicyset.set1.p12.default.params.basicConstraintsIsCA=false\npolicyset.set1.p12.default.params.basicConstraintsPathLen=-1\npolicyset.set1.p13.constraint.class_id=noConstraintImpl\npolicyset.set1.p13.constraint.name=No 
Constraint\npolicyset.set1.p13.default.class_id=crlDistributionPointsExtDefaultImpl\npolicyset.set1.p13.default.name=crlDistributionPointsExtDefaultImpl\npolicyset.set1.p13.default.params.crlDistPointsCritical=false\npolicyset.set1.p13.default.params.crlDistPointsNum=1\npolicyset.set1.p13.default.params.crlDistPointsEnable_0=false\npolicyset.set1.p13.default.params.crlDistPointsIssuerName_0=\npolicyset.set1.p13.default.params.crlDistPointsIssuerType_0=\npolicyset.set1.p13.default.params.crlDistPointsPointName_0=\npolicyset.set1.p13.default.params.crlDistPointsPointType_0=URIName\npolicyset.set1.p13.default.params.crlDistPointsReasons_0=\npolicyset.set1.p14.constraint.class_id=noConstraintImpl\npolicyset.set1.p14.constraint.name=No Constraint\npolicyset.set1.p14.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.set1.p14.default.name=AIA Extension Default\npolicyset.set1.p14.default.params.authInfoAccessADEnable_0=false\npolicyset.set1.p14.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.set1.p14.default.params.authInfoAccessADLocation_0=\npolicyset.set1.p14.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.set1.p14.default.params.authInfoAccessCritical=false\npolicyset.set1.p14.default.params.authInfoAccessNumADs=1\nprofileId=caTokenUserDelegateAuthKeyEnrollment\nclassId=caUserCertEnrollImpl\n' 2016-03-14T19:09:51Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:51Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:51Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:51Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:51Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:51Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:51Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:51Z DEBUG response status 400 Bad Request 2016-03-14T19:09:51Z DEBUG response headers {'transfer-encoding': 'chunked', 'date': 'Mon, 14 Mar 2016 
19:09:50 GMT', 'connection': 'close', 'content-type': 'application/json', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:51Z DEBUG response body '{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.BadRequestException","Code":400,"Message":"Profile already exists"}' 2016-03-14T19:09:51Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caTokenUserDelegateAuthKeyEnrollment?action=disable 2016-03-14T19:09:51Z DEBUG request body '' 2016-03-14T19:09:51Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:51Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:51Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:51Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:51Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:51Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:51Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:51Z DEBUG response status 204 No Content 2016-03-14T19:09:51Z DEBUG response headers {'date': 'Mon, 14 Mar 2016 19:09:50 GMT', 'content-type': 'application/x-www-form-urlencoded', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:51Z DEBUG response body '' 2016-03-14T19:09:51Z DEBUG request PUT https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caTokenUserDelegateAuthKeyEnrollment/raw 2016-03-14T19:09:51Z DEBUG request body 'desc=This profile is for enrolling Token User Delegate Authentication key\nenable=true\nenableBy=admin\nname=Token User Delegate Authentication Certificate 
Enrollment\nvisible=false\nauth.instance_id=AgentCertAuth\ninput.list=i1,i2,i3\ninput.i1.class_id=nsNKeyCertReqInputImpl\ninput.i1.name=nsNKeyCertReqInputImpl\ninput.i2.class_id=subjectDNInputImpl\ninput.i2.name=subjectDNInputImpl\ninput.i3.class_id=subjectAltNameExtInputImpl\ninput.i3.name=subjectAltNameExtInputImpl\noutput.list=o1\noutput.o1.class_id=nsNKeyOutputImpl\noutput.o1.name=nsNKeyOutputImpl\npolicyset.list=set1\n#policyset.set1.list=p2,p4,p5,p1,p6,p7,p8,p9,p12,p13,p14\npolicyset.set1.list=p2,p4,p5,p1,p6,p8,p9,p12\npolicyset.set1.p1.constraint.class_id=subjectNameConstraintImpl\npolicyset.set1.p1.constraint.name=Subject Name Constraint\npolicyset.set1.p1.constraint.params.pattern=.*\npolicyset.set1.p1.constraint.params.accept=true\npolicyset.set1.p1.default.class_id=userSubjectNameDefaultImpl\npolicyset.set1.p1.default.name=Subject Name Default\npolicyset.set1.p1.default.params.name=\n#changed ldap.enable to true to support SMIME\npolicyset.set1.p1.default.params.ldap.enable=false\npolicyset.set1.p1.default.params.ldap.searchName=uid\npolicyset.set1.p1.default.params.ldapStringAttributes=uid,mail\npolicyset.set1.p1.default.params.ldap.basedn=\npolicyset.set1.p1.default.params.ldap.maxConns=4\npolicyset.set1.p1.default.params.ldap.minConns=1\npolicyset.set1.p1.default.params.ldap.ldapconn.Version=2\npolicyset.set1.p1.default.params.ldap.ldapconn.host=\npolicyset.set1.p1.default.params.ldap.ldapconn.port=\npolicyset.set1.p1.default.params.ldap.ldapconn.secureConn=false\npolicyset.set1.p2.constraint.class_id=noConstraintImpl\npolicyset.set1.p2.constraint.name=No Constraint\npolicyset.set1.p2.default.class_id=validityDefaultImpl\npolicyset.set1.p2.default.name=Validity Default\npolicyset.set1.p2.default.params.range=1825\npolicyset.set1.p2.default.params.startTime=0\npolicyset.set1.p4.constraint.class_id=noConstraintImpl\npolicyset.set1.p4.constraint.name=No 
Constraint\npolicyset.set1.p4.default.class_id=signingAlgDefaultImpl\npolicyset.set1.p4.default.name=Signing Algorithm Default\npolicyset.set1.p4.default.params.signingAlg=-\npolicyset.set1.p5.constraint.class_id=noConstraintImpl\npolicyset.set1.p5.constraint.name=No Constraint\npolicyset.set1.p5.default.class_id=keyUsageExtDefaultImpl\npolicyset.set1.p5.default.name=Key Usage Extension Default\npolicyset.set1.p5.default.params.keyUsageCritical=true\npolicyset.set1.p5.default.params.keyUsageCrlSign=false\npolicyset.set1.p5.default.params.keyUsageDataEncipherment=false\npolicyset.set1.p5.default.params.keyUsageDecipherOnly=false\npolicyset.set1.p5.default.params.keyUsageDigitalSignature=true\npolicyset.set1.p5.default.params.keyUsageEncipherOnly=false\npolicyset.set1.p5.default.params.keyUsageKeyAgreement=false\npolicyset.set1.p5.default.params.keyUsageKeyCertSign=false\npolicyset.set1.p5.default.params.keyUsageKeyEncipherment=false\npolicyset.set1.p5.default.params.keyUsageNonRepudiation=true\npolicyset.set1.p6.constraint.class_id=noConstraintImpl\npolicyset.set1.p6.constraint.name=No Constraint\npolicyset.set1.p6.default.class_id=subjectAltNameExtDefaultImpl\npolicyset.set1.p6.default.name=Subject Alternative Name Extension 
Default\npolicyset.set1.p6.default.params.subjAltExtGNEnable_0=true\npolicyset.set1.p6.default.params.subjAltExtGNEnable_1=false\npolicyset.set1.p6.default.params.subjAltExtGNEnable_2=false\npolicyset.set1.p6.default.params.subjAltExtGNEnable_3=false\npolicyset.set1.p6.default.params.subjAltExtGNEnable_4=false\npolicyset.set1.p6.default.params.subjAltExtPattern_0=(UTF8String)1.3.6.1.4.1.311.20.2.3,$request.req_san_pattern_0$\npolicyset.set1.p6.default.params.subjAltExtPattern_1=\npolicyset.set1.p6.default.params.subjAltExtPattern_2=\npolicyset.set1.p6.default.params.subjAltExtPattern_3=\npolicyset.set1.p6.default.params.subjAltExtPattern_4=\npolicyset.set1.p6.default.params.subjAltExtType_0=OtherName\npolicyset.set1.p6.default.params.subjAltExtType_1=OtherName\npolicyset.set1.p6.default.params.subjAltExtType_2=OtherName\npolicyset.set1.p6.default.params.subjAltExtType_3=RFC822Name\npolicyset.set1.p6.default.params.subjAltExtType_4=RFC822Name\npolicyset.set1.p6.default.params.subjAltNameExtCritical=false\npolicyset.set1.p6.default.params.subjAltNameNumGNs=1\npolicyset.set1.p7.constraint.class_id=noConstraintImpl\npolicyset.set1.p7.constraint.name=No Constraint\npolicyset.set1.p7.default.class_id=certificatePoliciesExtDefaultImpl\npolicyset.set1.p7.default.name=Certificate Policies Extension 
Default\npolicyset.set1.p7.default.params.Critical=false\npolicyset.set1.p7.default.params.PoliciesExt.num=5\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.policyId=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.policyId=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.explicitText.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.organization=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.policyId=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.value=\npolicyset.set1.p7.default.params
.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.explicitText.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.organization=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.policyId=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.explicitText.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.organization=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.policyId=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.explicitText.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.organization=\npolicyset.set1.p8.constraint.class_id=noConstraintImpl\n
policyset.set1.p8.constraint.name=No Constraint\npolicyset.set1.p8.default.class_id=subjectKeyIdentifierExtDefaultImpl\npolicyset.set1.p8.default.name=Subject Key Identifier Default\npolicyset.set1.p9.constraint.class_id=noConstraintImpl\npolicyset.set1.p9.constraint.name=No Constraint\npolicyset.set1.p9.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.set1.p9.default.name=Authority Key Identifier Extension Default\npolicyset.set1.10.constraint.class_id=renewGracePeriodConstraintImpl\npolicyset.set1.10.constraint.name=Renewal Grace Period Constraint\npolicyset.set1.10.constraint.params.renewal.graceBefore=30\npolicyset.set1.10.constraint.params.renewal.graceAfter=30\npolicyset.set1.10.default.class_id=noDefaultImpl\npolicyset.set1.10.default.name=No Default\npolicyset.set1.p12.constraint.class_id=basicConstraintsExtConstraintImpl\npolicyset.set1.p12.constraint.name=Basic Constraints Extension Constraint\npolicyset.set1.p12.constraint.params.basicConstraintsCritical=-\npolicyset.set1.p12.constraint.params.basicConstraintsIsCA=-\npolicyset.set1.p12.constraint.params.basicConstraintsMaxPathLen=-1\npolicyset.set1.p12.constraint.params.basicConstraintsMinPathLen=-1\npolicyset.set1.p12.default.class_id=basicConstraintsExtDefaultImpl\npolicyset.set1.p12.default.name=Basic Constraints Extension Default\npolicyset.set1.p12.default.params.basicConstraintsCritical=false\npolicyset.set1.p12.default.params.basicConstraintsIsCA=false\npolicyset.set1.p12.default.params.basicConstraintsPathLen=-1\npolicyset.set1.p13.constraint.class_id=noConstraintImpl\npolicyset.set1.p13.constraint.name=No 
Constraint\npolicyset.set1.p13.default.class_id=crlDistributionPointsExtDefaultImpl\npolicyset.set1.p13.default.name=crlDistributionPointsExtDefaultImpl\npolicyset.set1.p13.default.params.crlDistPointsCritical=false\npolicyset.set1.p13.default.params.crlDistPointsNum=1\npolicyset.set1.p13.default.params.crlDistPointsEnable_0=false\npolicyset.set1.p13.default.params.crlDistPointsIssuerName_0=\npolicyset.set1.p13.default.params.crlDistPointsIssuerType_0=\npolicyset.set1.p13.default.params.crlDistPointsPointName_0=\npolicyset.set1.p13.default.params.crlDistPointsPointType_0=URIName\npolicyset.set1.p13.default.params.crlDistPointsReasons_0=\npolicyset.set1.p14.constraint.class_id=noConstraintImpl\npolicyset.set1.p14.constraint.name=No Constraint\npolicyset.set1.p14.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.set1.p14.default.name=AIA Extension Default\npolicyset.set1.p14.default.params.authInfoAccessADEnable_0=false\npolicyset.set1.p14.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.set1.p14.default.params.authInfoAccessADLocation_0=\npolicyset.set1.p14.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.set1.p14.default.params.authInfoAccessCritical=false\npolicyset.set1.p14.default.params.authInfoAccessNumADs=1\nprofileId=caTokenUserDelegateAuthKeyEnrollment\nclassId=caUserCertEnrollImpl\n' 2016-03-14T19:09:51Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:51Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:51Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:51Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:51Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:51Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:51Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:51Z DEBUG response status 200 OK 2016-03-14T19:09:51Z DEBUG response headers {'transfer-encoding': 'chunked', 'expires': 'Wed, 31 Dec 1969 18:00:00 
CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:50 GMT', 'content-type': 'application/json'} 2016-03-14T19:09:51Z DEBUG response body '#Mon Mar 14 14:09:51 CDT 2016\npolicyset.set1.p1.default.params.ldap.enable=false\npolicyset.set1.p5.default.params.keyUsageKeyAgreement=false\npolicyset.set1.p7.default.class_id=certificatePoliciesExtDefaultImpl\npolicyset.set1.p2.default.params.range=1825\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.organization=\nauth.instance_id=AgentCertAuth\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.policyId=\npolicyset.set1.p1.default.params.ldap.ldapconn.port=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.explicitText.value=\npolicyset.set1.p6.default.params.subjAltExtType_4=RFC822Name\npolicyset.set1.p8.default.class_id=subjectKeyIdentifierExtDefaultImpl\npolicyset.set1.p6.default.params.subjAltExtType_3=RFC822Name\npolicyset.set1.p6.default.params.subjAltExtType_2=OtherName\npolicyset.set1.p6.default.params.subjAltExtType_1=OtherName\npolicyset.set1.p6.default.params.subjAltExtType_0=OtherName\npolicyset.set1.p13.default.params.crlDistPointsNum=1\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=false\npolicyset.set1.p7.constraint.name=No Constraint\npolicyset.set1.p7.default.name=Certificate Policies Extension 
Default\nenable=true\npolicyset.set1.p14.default.params.authInfoAccessADLocation_0=\npolicyset.set1.p14.default.params.authInfoAccessCritical=false\npolicyset.set1.p1.default.params.ldap.maxConns=4\npolicyset.set1.p13.default.params.crlDistPointsPointType_0=URIName\ninput.i1.name=nsNKeyCertReqInputImpl\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.enable=false\npolicyset.set1.p5.default.name=Key Usage Extension Default\npolicyset.set1.p13.default.params.crlDistPointsCritical=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.enable=false\noutput.o1.class_id=nsNKeyOutputImpl\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.explicitText.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=\npolicyset.set1.p12.constraint.params.basicConstraintsIsCA=-\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.value=\npolicyset.set1.p9.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.set1.p1.default.params.ldap.ldapconn.host=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=\npolicyset.set1.p6.default.params.subjAltExtPattern_4=\npolicyset.set1.p1.default.params.ldap.ldapconn.secureConn=false\npolicyset.set1.p9.constraint.class_id=noConstraintImpl\npolicyset.set1.p6.default.params.subjAltExtPattern_3=\npolicyset.set1.p6.default.params.subjAltExtPattern_2=\npolicyset.set1.list=p2,p4,p5,p1,p6,p8,p9,p12\npo
licyset.set1.p6.default.params.subjAltExtPattern_1=\npolicyset.set1.p13.default.params.crlDistPointsIssuerName_0=\npolicyset.set1.p6.default.params.subjAltExtPattern_0=(UTF8String)1.3.6.1.4.1.311.20.2.3,$request.req_san_pattern_0$\noutput.list=o1\npolicyset.set1.10.constraint.name=Renewal Grace Period Constraint\npolicyset.set1.p12.constraint.name=Basic Constraints Extension Constraint\npolicyset.set1.p6.default.params.subjAltNameExtCritical=false\npolicyset.set1.10.constraint.params.renewal.graceBefore=30\npolicyset.set1.p1.default.class_id=userSubjectNameDefaultImpl\npolicyset.set1.p4.constraint.name=No Constraint\npolicyset.set1.p12.default.class_id=basicConstraintsExtDefaultImpl\npolicyset.set1.p8.constraint.class_id=noConstraintImpl\npolicyset.set1.p6.default.params.subjAltExtGNEnable_4=false\nname=Token User Delegate Authentication Certificate Enrollment\npolicyset.set1.p6.default.params.subjAltExtGNEnable_3=false\npolicyset.set1.p6.default.params.subjAltExtGNEnable_2=false\npolicyset.set1.p6.default.params.subjAltExtGNEnable_1=false\npolicyset.set1.p6.default.params.subjAltExtGNEnable_0=true\npolicyset.set1.p1.constraint.params.pattern=.*\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.enable=false\npolicyset.set1.p13.default.params.crlDistPointsReasons_0=\npolicyset.set1.p2.default.params.startTime=0\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value=\npolicyset.set1.p12.constraint.params.basicConstraintsMinPathLen=-1\npolicyset.set1.p1.default.params.ldap.ldapconn.Version=2\npolicyset.set1.p13.default.name=crlDistributionPointsExtDefaultImpl\npolicyset.set1.p2.default.class_id=validityDefaultImpl\npolicyset.set1.p7.constraint.class_id=noConstraintImpl\npolicyset.set1.p5.default.params.keyUsageDecipherOnly=false\npolicyset.set1.p1.default.params.ldapStringAttributes=uid,mail\npolicyset.set1.p8.constraint.name=No 
Constraint\npolicyset.set1.p1.default.params.ldap.minConns=1\npolicyset.set1.p12.constraint.params.basicConstraintsCritical=-\npolicyset.set1.10.default.class_id=noDefaultImpl\npolicyset.set1.p14.default.params.authInfoAccessNumADs=1\ninput.i2.name=subjectDNInputImpl\npolicyset.set1.p6.constraint.class_id=noConstraintImpl\npolicyset.set1.p5.default.params.keyUsageEncipherOnly=false\npolicyset.set1.p1.default.name=Subject Name Default\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.enable=false\npolicyset.set1.p1.default.params.ldap.searchName=uid\npolicyset.set1.p13.default.class_id=crlDistributionPointsExtDefaultImpl\npolicyset.set1.p12.default.params.basicConstraintsPathLen=-1\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=\npolicyset.set1.p8.default.name=Subject Key Identifier Default\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true\npolicyset.set1.p5.constraint.class_id=noConstraintImpl\npolicyset.set1.p7.default.params.Critical=false\npolicyset.set1.p1.constraint.name=Subject Name Constraint\ninput.list=i1,i2,i3\npolicyset.set1.p14.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.set1.p4.constraint.class_id=noConstraintImpl\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.policyId=\npolicyset.set1.p7.default.params.PoliciesExt.num=5\nenableBy=admin\npolicyset.set1.p5.default.params.keyUsageCritical=true\npolicyset.set1.p6.default.name=Subject Alternative Name Extension Default\npolicyset.set1.p13.constraint.name=No 
Constraint\npolicyset.set1.p4.default.class_id=signingAlgDefaultImpl\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.explicitText.value=\npolicyset.set1.p14.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.set1.p14.constraint.class_id=noConstraintImpl\npolicyset.set1.p5.constraint.name=No Constraint\npolicyset.set1.p9.constraint.name=No Constraint\ndesc=This profile is for enrolling Token User Delegate Authentication key\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.policyId=\ninput.i3.name=subjectAltNameExtInputImpl\npolicyset.set1.p12.default.params.basicConstraintsIsCA=false\npolicyset.set1.p2.constraint.class_id=noConstraintImpl\npolicyset.set1.p13.constraint.class_id=noConstraintImpl\npolicyset.set1.p13.default.params.crlDistPointsIssuerType_0=\ninput.i1.class_id=nsNKeyCertReqInputImpl\npolicyset.set1.p6.default.params.subjAltNameNumGNs=1\npolicyset.set1.p5.default.params.keyUsageCrlSign=false\npolicyset.set1.p13.default.params.crlDistPointsPointName_0=\npolicyset.set1.10.constraint.class_id=renewGracePeriodConstraintImpl\npolicyset.set1.10.constraint.params.renewal.graceAfter=30\npolicyset.set1.p1.constraint.class_id=subjectNameConstraintImpl\npolicyset.set1.p12.constraint.class_id=basicConstraintsExtConstraintImpl\npolicyset.list=set1\npolicyset.set1.p12.constraint.params.basicConstraintsMaxPathLen=-1\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=\npolicyset.set1.p5.default.class_id=keyUsageExtDefaultImpl\npolicyset.set1.p2.constraint.name=No Constraint\nvisible=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.enable=false\npolicyset.set1.p4.default.name=Signing Algorithm 
Default\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.explicitText.value=\npolicyset.set1.p5.default.params.keyUsageDataEncipherment=false\npolicyset.set1.p14.default.name=AIA Extension Default\npolicyset.set1.p4.default.params.signingAlg=-\npolicyset.set1.p5.default.params.keyUsageDigitalSignature=true\ninput.i2.class_id=subjectDNInputImpl\noutput.o1.name=nsNKeyOutputImpl\npolicyset.set1.p14.constraint.name=No Constraint\npolicyset.set1.p5.default.params.keyUsageKeyCertSign=false\npolicyset.set1.10.default.name=No Default\npolicyset.set1.p13.default.params.crlDistPointsEnable_0=false\npolicyset.set1.p6.default.class_id=subjectAltNameExtDefaultImpl\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.policyId=\npolicyset.set1.p6.constraint.name=No Constraint\npolicyset.set1.p1.default.params.ldap.basedn=\npolicyset.set1.p2.default.name=Validity Default\npolicyset.set1.p12.default.params.basicConstraintsCritical=false\npolicyset.set1.p5.default.params.keyUsageNonRepudiation=true\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.organization=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.enable=false\npolicyset.set1.p1.default.params.name=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.enable=false\ninput.i3.class_id=subjectAltNameExtInputImpl\npolicyset.set1.p14.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.set1.p9.default.name=Authority Key Identifier Extension 
Default\npolicyset.set1.p5.default.params.keyUsageKeyEncipherment=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.organization=\npolicyset.set1.p1.constraint.params.accept=true\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.enable=false\npolicyset.set1.p14.default.params.authInfoAccessADEnable_0=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.policyId=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.organization=\npolicyset.set1.p12.default.name=Basic Constraints Extension Default\n' 2016-03-14T19:09:51Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caTokenUserDelegateAuthKeyEnrollment?action=enable 2016-03-14T19:09:51Z DEBUG request body '' 2016-03-14T19:09:51Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:51Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:51Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:51Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:51Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:51Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:51Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:51Z DEBUG response status 204 No Content 2016-03-14T19:09:51Z DEBUG response headers {'date': 'Mon, 14 Mar 2016 19:09:50 GMT', 'content-type': 'application/x-www-form-urlencoded', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:51Z DEBUG response body '' 2016-03-14T19:09:51Z DEBUG request GET https://jutta.cc.umanitoba.ca:8443/ca/rest/account/logout 2016-03-14T19:09:51Z DEBUG request body '' 2016-03-14T19:09:51Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 
2016-03-14T19:09:51Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:51Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:51Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:51Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:51Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:51Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:51Z DEBUG response status 204 No Content 2016-03-14T19:09:51Z DEBUG response headers {'set-cookie': 'JSESSIONID=50FEBBCD6BB6EE4CCCAF79BF0E10AF95; Path=/ca/; Secure; HttpOnly', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:50 GMT', 'content-type': 'application/xml'} 2016-03-14T19:09:51Z DEBUG response body '' 2016-03-14T19:09:51Z INFO Migrating profile 'caTokenUserDelegateSigningKeyEnrollment' to LDAP 2016-03-14T19:09:51Z DEBUG request GET https://jutta.cc.umanitoba.ca:8443/ca/rest/account/login 2016-03-14T19:09:51Z DEBUG request body '' 2016-03-14T19:09:51Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:51Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:51Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:51Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:51Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:51Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:51Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:51Z DEBUG response status 200 OK 2016-03-14T19:09:51Z DEBUG response headers {'content-length': '205', 'set-cookie': 'JSESSIONID=98B37671C95D90B98CBDD1FA303E0012; Path=/ca/; Secure; HttpOnly', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:51 GMT', 'content-type': 'application/xml'} 2016-03-14T19:09:51Z DEBUG response body 'iparaCertificate Manager AgentsRegistration 
Manager Agents' 2016-03-14T19:09:51Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/raw 2016-03-14T19:09:51Z DEBUG request body 'desc=This profile is for enrolling Token User Delegate Signing key\nenable=true\nenableBy=admin\nname=Token User Delegate Signing Certificate Enrollment\nvisible=false\nauth.instance_id=AgentCertAuth\ninput.list=i1,i2,i3\ninput.i1.class_id=nsNKeyCertReqInputImpl\ninput.i1.name=nsNKeyCertReqInputImpl\ninput.i2.class_id=subjectDNInputImpl\ninput.i2.name=subjectDNInputImpl\ninput.i3.class_id=subjectAltNameExtInputImpl\ninput.i3.name=subjectAltNameExtInputImpl\noutput.list=o1\noutput.o1.class_id=nsNKeyOutputImpl\noutput.o1.name=nsNKeyOutputImpl\npolicyset.list=set1\n#policyset.set1.list=p2,p4,p5,p1,p6,p7,p8,p9,p12,p13,p14\npolicyset.set1.list=p2,p4,p5,p1,p6,p8,p9,p12\npolicyset.set1.p1.constraint.class_id=subjectNameConstraintImpl\npolicyset.set1.p1.constraint.name=Subject Name Constraint\npolicyset.set1.p1.constraint.params.pattern=.*\npolicyset.set1.p1.constraint.params.accept=true\npolicyset.set1.p1.default.class_id=userSubjectNameDefaultImpl\npolicyset.set1.p1.default.name=Subject Name Default\npolicyset.set1.p1.default.params.dnpattern=UID=$request.uid$, O=Token Key User\n#changed ldap.enable to true to support SMIME\npolicyset.set1.p1.default.params.ldap.enable=false\npolicyset.set1.p1.default.params.ldap.searchName=uid\npolicyset.set1.p1.default.params.ldapStringAttributes=uid,mail\npolicyset.set1.p1.default.params.ldap.basedn=\npolicyset.set1.p1.default.params.ldap.maxConns=4\npolicyset.set1.p1.default.params.ldap.minConns=1\npolicyset.set1.p1.default.params.ldap.ldapconn.Version=2\npolicyset.set1.p1.default.params.ldap.ldapconn.host=\npolicyset.set1.p1.default.params.ldap.ldapconn.port=\npolicyset.set1.p1.default.params.ldap.ldapconn.secureConn=false\npolicyset.set1.p2.constraint.class_id=noConstraintImpl\npolicyset.set1.p2.constraint.name=No 
Constraint\npolicyset.set1.p2.default.class_id=validityDefaultImpl\npolicyset.set1.p2.default.name=Validity Default\npolicyset.set1.p2.default.params.range=1825\npolicyset.set1.p2.default.params.startTime=0\npolicyset.set1.p4.constraint.class_id=noConstraintImpl\npolicyset.set1.p4.constraint.name=No Constraint\npolicyset.set1.p4.default.class_id=signingAlgDefaultImpl\npolicyset.set1.p4.default.name=Signing Algorithm Default\npolicyset.set1.p4.default.params.signingAlg=-\npolicyset.set1.p5.constraint.class_id=noConstraintImpl\npolicyset.set1.p5.constraint.name=No Constraint\npolicyset.set1.p5.default.class_id=keyUsageExtDefaultImpl\npolicyset.set1.p5.default.name=Key Usage Extension Default\npolicyset.set1.p5.default.params.keyUsageCritical=true\npolicyset.set1.p5.default.params.keyUsageCrlSign=false\npolicyset.set1.p5.default.params.keyUsageDataEncipherment=false\npolicyset.set1.p5.default.params.keyUsageDecipherOnly=false\npolicyset.set1.p5.default.params.keyUsageDigitalSignature=true\npolicyset.set1.p5.default.params.keyUsageEncipherOnly=false\npolicyset.set1.p5.default.params.keyUsageKeyAgreement=false\npolicyset.set1.p5.default.params.keyUsageKeyCertSign=false\npolicyset.set1.p5.default.params.keyUsageKeyEncipherment=false\npolicyset.set1.p5.default.params.keyUsageNonRepudiation=true\npolicyset.set1.p6.constraint.class_id=noConstraintImpl\npolicyset.set1.p6.constraint.name=No Constraint\npolicyset.set1.p6.default.class_id=subjectAltNameExtDefaultImpl\npolicyset.set1.p6.default.name=Subject Alternative Name Extension 
Default\npolicyset.set1.p6.default.params.subjAltExtGNEnable_0=true\npolicyset.set1.p6.default.params.subjAltExtGNEnable_1=false\npolicyset.set1.p6.default.params.subjAltExtGNEnable_2=false\npolicyset.set1.p6.default.params.subjAltExtGNEnable_3=false\npolicyset.set1.p6.default.params.subjAltExtGNEnable_4=false\npolicyset.set1.p6.default.params.subjAltExtPattern_0=$request.req_san_pattern_0$\npolicyset.set1.p6.default.params.subjAltExtPattern_1=\npolicyset.set1.p6.default.params.subjAltExtPattern_2=\npolicyset.set1.p6.default.params.subjAltExtPattern_3=\npolicyset.set1.p6.default.params.subjAltExtPattern_4=\npolicyset.set1.p6.default.params.subjAltExtType_0=RFC822Name\npolicyset.set1.p6.default.params.subjAltExtType_1=OtherName\npolicyset.set1.p6.default.params.subjAltExtType_2=RFC822Name\npolicyset.set1.p6.default.params.subjAltExtType_3=RFC822Name\npolicyset.set1.p6.default.params.subjAltExtType_4=RFC822Name\npolicyset.set1.p6.default.params.subjAltNameExtCritical=false\npolicyset.set1.p6.default.params.subjAltNameNumGNs=1\npolicyset.set1.p7.constraint.class_id=noConstraintImpl\npolicyset.set1.p7.constraint.name=No Constraint\npolicyset.set1.p7.default.class_id=certificatePoliciesExtDefaultImpl\npolicyset.set1.p7.default.name=Certificate Policies Extension 
Default\npolicyset.set1.p7.default.params.Critical=false\npolicyset.set1.p7.default.params.PoliciesExt.num=5\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.policyId=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.policyId=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.explicitText.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.organization=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.policyId=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.value=\npolicyset.set1.p7.default.params
.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.explicitText.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.organization=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.policyId=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.explicitText.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.organization=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.policyId=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.explicitText.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.organization=\npolicyset.set1.p8.constraint.class_id=noConstraintImpl\n
policyset.set1.p8.constraint.name=No Constraint\npolicyset.set1.p8.default.class_id=subjectKeyIdentifierExtDefaultImpl\npolicyset.set1.p8.default.name=Subject Key Identifier Default\npolicyset.set1.p9.constraint.class_id=noConstraintImpl\npolicyset.set1.p9.constraint.name=No Constraint\npolicyset.set1.p9.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.set1.p9.default.name=Authority Key Identifier Extension Default\npolicyset.set1.10.constraint.class_id=renewGracePeriodConstraintImpl\npolicyset.set1.10.constraint.name=Renewal Grace Period Constraint\npolicyset.set1.10.constraint.params.renewal.graceBefore=30\npolicyset.set1.10.constraint.params.renewal.graceAfter=30\npolicyset.set1.10.default.class_id=noDefaultImpl\npolicyset.set1.10.default.name=No Default\npolicyset.set1.p12.constraint.class_id=basicConstraintsExtConstraintImpl\npolicyset.set1.p12.constraint.name=Basic Constraints Extension Constraint\npolicyset.set1.p12.constraint.params.basicConstraintsCritical=-\npolicyset.set1.p12.constraint.params.basicConstraintsIsCA=-\npolicyset.set1.p12.constraint.params.basicConstraintsMaxPathLen=-1\npolicyset.set1.p12.constraint.params.basicConstraintsMinPathLen=-1\npolicyset.set1.p12.default.class_id=basicConstraintsExtDefaultImpl\npolicyset.set1.p12.default.name=Basic Constraints Extension Default\npolicyset.set1.p12.default.params.basicConstraintsCritical=false\npolicyset.set1.p12.default.params.basicConstraintsIsCA=false\npolicyset.set1.p12.default.params.basicConstraintsPathLen=-1\npolicyset.set1.p13.constraint.class_id=noConstraintImpl\npolicyset.set1.p13.constraint.name=No 
Constraint\npolicyset.set1.p13.default.class_id=crlDistributionPointsExtDefaultImpl\npolicyset.set1.p13.default.name=crlDistributionPointsExtDefaultImpl\npolicyset.set1.p13.default.params.crlDistPointsCritical=false\npolicyset.set1.p13.default.params.crlDistPointsNum=1\npolicyset.set1.p13.default.params.crlDistPointsEnable_0=false\npolicyset.set1.p13.default.params.crlDistPointsIssuerName_0=\npolicyset.set1.p13.default.params.crlDistPointsIssuerType_0=\npolicyset.set1.p13.default.params.crlDistPointsPointName_0=\npolicyset.set1.p13.default.params.crlDistPointsPointType_0=URIName\npolicyset.set1.p13.default.params.crlDistPointsReasons_0=\npolicyset.set1.p14.constraint.class_id=noConstraintImpl\npolicyset.set1.p14.constraint.name=No Constraint\npolicyset.set1.p14.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.set1.p14.default.name=AIA Extension Default\npolicyset.set1.p14.default.params.authInfoAccessADEnable_0=false\npolicyset.set1.p14.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.set1.p14.default.params.authInfoAccessADLocation_0=\npolicyset.set1.p14.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.set1.p14.default.params.authInfoAccessCritical=false\npolicyset.set1.p14.default.params.authInfoAccessNumADs=1\nprofileId=caTokenUserDelegateSigningKeyEnrollment\nclassId=caUserCertEnrollImpl\n' 2016-03-14T19:09:51Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:51Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:51Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:51Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:51Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:51Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:51Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:51Z DEBUG response status 400 Bad Request 2016-03-14T19:09:51Z DEBUG response headers {'transfer-encoding': 'chunked', 'date': 'Mon, 14 Mar 2016 
19:09:51 GMT', 'connection': 'close', 'content-type': 'application/json', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:51Z DEBUG response body '{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.BadRequestException","Code":400,"Message":"Profile already exists"}' 2016-03-14T19:09:51Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caTokenUserDelegateSigningKeyEnrollment?action=disable 2016-03-14T19:09:51Z DEBUG request body '' 2016-03-14T19:09:51Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:51Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:51Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:51Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:51Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:51Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:51Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:51Z DEBUG response status 204 No Content 2016-03-14T19:09:51Z DEBUG response headers {'date': 'Mon, 14 Mar 2016 19:09:51 GMT', 'content-type': 'application/x-www-form-urlencoded', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:51Z DEBUG response body '' 2016-03-14T19:09:51Z DEBUG request PUT https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caTokenUserDelegateSigningKeyEnrollment/raw 2016-03-14T19:09:51Z DEBUG request body 'desc=This profile is for enrolling Token User Delegate Signing key\nenable=true\nenableBy=admin\nname=Token User Delegate Signing Certificate 
Enrollment\nvisible=false\nauth.instance_id=AgentCertAuth\ninput.list=i1,i2,i3\ninput.i1.class_id=nsNKeyCertReqInputImpl\ninput.i1.name=nsNKeyCertReqInputImpl\ninput.i2.class_id=subjectDNInputImpl\ninput.i2.name=subjectDNInputImpl\ninput.i3.class_id=subjectAltNameExtInputImpl\ninput.i3.name=subjectAltNameExtInputImpl\noutput.list=o1\noutput.o1.class_id=nsNKeyOutputImpl\noutput.o1.name=nsNKeyOutputImpl\npolicyset.list=set1\n#policyset.set1.list=p2,p4,p5,p1,p6,p7,p8,p9,p12,p13,p14\npolicyset.set1.list=p2,p4,p5,p1,p6,p8,p9,p12\npolicyset.set1.p1.constraint.class_id=subjectNameConstraintImpl\npolicyset.set1.p1.constraint.name=Subject Name Constraint\npolicyset.set1.p1.constraint.params.pattern=.*\npolicyset.set1.p1.constraint.params.accept=true\npolicyset.set1.p1.default.class_id=userSubjectNameDefaultImpl\npolicyset.set1.p1.default.name=Subject Name Default\npolicyset.set1.p1.default.params.dnpattern=UID=$request.uid$, O=Token Key User\n#changed ldap.enable to true to support SMIME\npolicyset.set1.p1.default.params.ldap.enable=false\npolicyset.set1.p1.default.params.ldap.searchName=uid\npolicyset.set1.p1.default.params.ldapStringAttributes=uid,mail\npolicyset.set1.p1.default.params.ldap.basedn=\npolicyset.set1.p1.default.params.ldap.maxConns=4\npolicyset.set1.p1.default.params.ldap.minConns=1\npolicyset.set1.p1.default.params.ldap.ldapconn.Version=2\npolicyset.set1.p1.default.params.ldap.ldapconn.host=\npolicyset.set1.p1.default.params.ldap.ldapconn.port=\npolicyset.set1.p1.default.params.ldap.ldapconn.secureConn=false\npolicyset.set1.p2.constraint.class_id=noConstraintImpl\npolicyset.set1.p2.constraint.name=No Constraint\npolicyset.set1.p2.default.class_id=validityDefaultImpl\npolicyset.set1.p2.default.name=Validity Default\npolicyset.set1.p2.default.params.range=1825\npolicyset.set1.p2.default.params.startTime=0\npolicyset.set1.p4.constraint.class_id=noConstraintImpl\npolicyset.set1.p4.constraint.name=No 
Constraint\npolicyset.set1.p4.default.class_id=signingAlgDefaultImpl\npolicyset.set1.p4.default.name=Signing Algorithm Default\npolicyset.set1.p4.default.params.signingAlg=-\npolicyset.set1.p5.constraint.class_id=noConstraintImpl\npolicyset.set1.p5.constraint.name=No Constraint\npolicyset.set1.p5.default.class_id=keyUsageExtDefaultImpl\npolicyset.set1.p5.default.name=Key Usage Extension Default\npolicyset.set1.p5.default.params.keyUsageCritical=true\npolicyset.set1.p5.default.params.keyUsageCrlSign=false\npolicyset.set1.p5.default.params.keyUsageDataEncipherment=false\npolicyset.set1.p5.default.params.keyUsageDecipherOnly=false\npolicyset.set1.p5.default.params.keyUsageDigitalSignature=true\npolicyset.set1.p5.default.params.keyUsageEncipherOnly=false\npolicyset.set1.p5.default.params.keyUsageKeyAgreement=false\npolicyset.set1.p5.default.params.keyUsageKeyCertSign=false\npolicyset.set1.p5.default.params.keyUsageKeyEncipherment=false\npolicyset.set1.p5.default.params.keyUsageNonRepudiation=true\npolicyset.set1.p6.constraint.class_id=noConstraintImpl\npolicyset.set1.p6.constraint.name=No Constraint\npolicyset.set1.p6.default.class_id=subjectAltNameExtDefaultImpl\npolicyset.set1.p6.default.name=Subject Alternative Name Extension 
Default\npolicyset.set1.p6.default.params.subjAltExtGNEnable_0=true\npolicyset.set1.p6.default.params.subjAltExtGNEnable_1=false\npolicyset.set1.p6.default.params.subjAltExtGNEnable_2=false\npolicyset.set1.p6.default.params.subjAltExtGNEnable_3=false\npolicyset.set1.p6.default.params.subjAltExtGNEnable_4=false\npolicyset.set1.p6.default.params.subjAltExtPattern_0=$request.req_san_pattern_0$\npolicyset.set1.p6.default.params.subjAltExtPattern_1=\npolicyset.set1.p6.default.params.subjAltExtPattern_2=\npolicyset.set1.p6.default.params.subjAltExtPattern_3=\npolicyset.set1.p6.default.params.subjAltExtPattern_4=\npolicyset.set1.p6.default.params.subjAltExtType_0=RFC822Name\npolicyset.set1.p6.default.params.subjAltExtType_1=OtherName\npolicyset.set1.p6.default.params.subjAltExtType_2=RFC822Name\npolicyset.set1.p6.default.params.subjAltExtType_3=RFC822Name\npolicyset.set1.p6.default.params.subjAltExtType_4=RFC822Name\npolicyset.set1.p6.default.params.subjAltNameExtCritical=false\npolicyset.set1.p6.default.params.subjAltNameNumGNs=1\npolicyset.set1.p7.constraint.class_id=noConstraintImpl\npolicyset.set1.p7.constraint.name=No Constraint\npolicyset.set1.p7.default.class_id=certificatePoliciesExtDefaultImpl\npolicyset.set1.p7.default.name=Certificate Policies Extension 
Default\npolicyset.set1.p7.default.params.Critical=false\npolicyset.set1.p7.default.params.PoliciesExt.num=5\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.policyId=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.policyId=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.explicitText.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.organization=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.policyId=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.value=\npolicyset.set1.p7.default.params
.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.explicitText.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.organization=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.policyId=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.explicitText.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.organization=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.policyId=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.enable=false\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.explicitText.value=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=\npolicyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.organization=\npolicyset.set1.p8.constraint.class_id=noConstraintImpl\n
policyset.set1.p8.constraint.name=No Constraint\npolicyset.set1.p8.default.class_id=subjectKeyIdentifierExtDefaultImpl\npolicyset.set1.p8.default.name=Subject Key Identifier Default\npolicyset.set1.p9.constraint.class_id=noConstraintImpl\npolicyset.set1.p9.constraint.name=No Constraint\npolicyset.set1.p9.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.set1.p9.default.name=Authority Key Identifier Extension Default\npolicyset.set1.10.constraint.class_id=renewGracePeriodConstraintImpl\npolicyset.set1.10.constraint.name=Renewal Grace Period Constraint\npolicyset.set1.10.constraint.params.renewal.graceBefore=30\npolicyset.set1.10.constraint.params.renewal.graceAfter=30\npolicyset.set1.10.default.class_id=noDefaultImpl\npolicyset.set1.10.default.name=No Default\npolicyset.set1.p12.constraint.class_id=basicConstraintsExtConstraintImpl\npolicyset.set1.p12.constraint.name=Basic Constraints Extension Constraint\npolicyset.set1.p12.constraint.params.basicConstraintsCritical=-\npolicyset.set1.p12.constraint.params.basicConstraintsIsCA=-\npolicyset.set1.p12.constraint.params.basicConstraintsMaxPathLen=-1\npolicyset.set1.p12.constraint.params.basicConstraintsMinPathLen=-1\npolicyset.set1.p12.default.class_id=basicConstraintsExtDefaultImpl\npolicyset.set1.p12.default.name=Basic Constraints Extension Default\npolicyset.set1.p12.default.params.basicConstraintsCritical=false\npolicyset.set1.p12.default.params.basicConstraintsIsCA=false\npolicyset.set1.p12.default.params.basicConstraintsPathLen=-1\npolicyset.set1.p13.constraint.class_id=noConstraintImpl\npolicyset.set1.p13.constraint.name=No 
Constraint\npolicyset.set1.p13.default.class_id=crlDistributionPointsExtDefaultImpl\npolicyset.set1.p13.default.name=crlDistributionPointsExtDefaultImpl\npolicyset.set1.p13.default.params.crlDistPointsCritical=false\npolicyset.set1.p13.default.params.crlDistPointsNum=1\npolicyset.set1.p13.default.params.crlDistPointsEnable_0=false\npolicyset.set1.p13.default.params.crlDistPointsIssuerName_0=\npolicyset.set1.p13.default.params.crlDistPointsIssuerType_0=\npolicyset.set1.p13.default.params.crlDistPointsPointName_0=\npolicyset.set1.p13.default.params.crlDistPointsPointType_0=URIName\npolicyset.set1.p13.default.params.crlDistPointsReasons_0=\npolicyset.set1.p14.constraint.class_id=noConstraintImpl\npolicyset.set1.p14.constraint.name=No Constraint\npolicyset.set1.p14.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.set1.p14.default.name=AIA Extension Default\npolicyset.set1.p14.default.params.authInfoAccessADEnable_0=false\npolicyset.set1.p14.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.set1.p14.default.params.authInfoAccessADLocation_0=\npolicyset.set1.p14.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.set1.p14.default.params.authInfoAccessCritical=false\npolicyset.set1.p14.default.params.authInfoAccessNumADs=1\nprofileId=caTokenUserDelegateSigningKeyEnrollment\nclassId=caUserCertEnrollImpl\n' 2016-03-14T19:09:51Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:51Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:51Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:51Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:51Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:51Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:51Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:51Z DEBUG response status 200 OK 2016-03-14T19:09:51Z DEBUG response headers {'transfer-encoding': 'chunked', 'expires': 'Wed, 31 Dec 1969 18:00:00 
CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:51 GMT', 'content-type': 'application/json'} 2016-03-14T19:09:51Z DEBUG response body 2016-03-14T19:09:51Z DEBUG request POST https://jutta.cc.umanitoba.ca:8443/ca/rest/profiles/caTokenUserDelegateSigningKeyEnrollment?action=enable 2016-03-14T19:09:51Z DEBUG request body ''
2016-03-14T19:09:51Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:51Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:51Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:51Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:51Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:51Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:51Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:51Z DEBUG response status 204 No Content 2016-03-14T19:09:51Z DEBUG response headers {'date': 'Mon, 14 Mar 2016 19:09:51 GMT', 'content-type': 'application/x-www-form-urlencoded', 'server': 'Apache-Coyote/1.1'} 2016-03-14T19:09:51Z DEBUG response body '' 2016-03-14T19:09:51Z DEBUG request GET https://jutta.cc.umanitoba.ca:8443/ca/rest/account/logout 2016-03-14T19:09:51Z DEBUG request body '' 2016-03-14T19:09:51Z DEBUG NSSConnection init jutta.cc.umanitoba.ca 2016-03-14T19:09:51Z DEBUG Connecting: 130.179.19.176:0 2016-03-14T19:09:51Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-03-14T19:09:51Z DEBUG cert valid True for "CN=jutta.cc.umanitoba.ca,O=UOFMT1" 2016-03-14T19:09:51Z DEBUG handshake complete, peer = 130.179.19.176:8443 2016-03-14T19:09:51Z DEBUG Protocol: TLS1.2 2016-03-14T19:09:51Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA 2016-03-14T19:09:51Z DEBUG response status 204 No Content 2016-03-14T19:09:51Z DEBUG response headers {'set-cookie': 'JSESSIONID=6F3A2E0F85628C50D3E205E57CB2F67A; Path=/ca/; Secure; HttpOnly', 'expires': 'Wed, 31 Dec 1969 18:00:00 CST', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Mon, 14 Mar 2016 19:09:51 GMT', 'content-type': 'application/xml'} 2016-03-14T19:09:51Z DEBUG response body '' 2016-03-14T19:09:51Z DEBUG duration: 16 seconds 2016-03-14T19:09:51Z DEBUG [22/23]: importing IPA certificate profiles 2016-03-14T19:09:51Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 
2016-03-14T19:09:51Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' 2016-03-14T19:09:51Z DEBUG Trying to find certificate subject base in sysupgrade 2016-03-14T19:09:51Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2016-03-14T19:09:51Z DEBUG Found certificate subject base in sysupgrade: O=UOFMT1 2016-03-14T19:09:53Z DEBUG Created connection context.ldap2_66946064 2016-03-14T19:09:54Z DEBUG Created connection context.ldap2_182082192 2016-03-14T19:09:54Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-UOFMT1.socket from SchemaCache 2016-03-14T19:09:54Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-UOFMT1.socket conn= 2016-03-14T19:09:54Z DEBUG Destroyed connection context.ldap2_182082192 2016-03-14T19:09:56Z DEBUG Created connection context.ldap2_141704016 2016-03-14T19:09:56Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-UOFMT1.socket from SchemaCache 2016-03-14T19:09:56Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-UOFMT1.socket conn= 2016-03-14T19:09:56Z DEBUG Destroyed connection context.ldap2_141704016 2016-03-14T19:09:56Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-UOFMT1.socket from SchemaCache 2016-03-14T19:09:56Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-UOFMT1.socket conn= 2016-03-14T19:09:56Z DEBUG Destroyed connection context.ldap2_66946064 2016-03-14T19:09:56Z DEBUG duration: 5 seconds 2016-03-14T19:09:56Z DEBUG [23/23]: adding default CA ACL 2016-03-14T19:09:57Z DEBUG Created connection context.ldap2_66947728 2016-03-14T19:09:58Z DEBUG Created connection context.ldap2_141703504 2016-03-14T19:09:58Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-UOFMT1.socket from SchemaCache 2016-03-14T19:09:58Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-UOFMT1.socket conn= 2016-03-14T19:09:59Z DEBUG Destroyed connection context.ldap2_141703504 2016-03-14T19:10:00Z DEBUG Created connection context.ldap2_141702800 
2016-03-14T19:10:00Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-UOFMT1.socket from SchemaCache 2016-03-14T19:10:00Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-UOFMT1.socket conn= 2016-03-14T19:10:00Z DEBUG Destroyed connection context.ldap2_141702800 2016-03-14T19:10:00Z DEBUG raw: caacl_find(None, version=u'2.156') 2016-03-14T19:10:00Z DEBUG caacl_find(None, all=False, raw=False, version=u'2.156', no_members=False, pkey_only=False) 2016-03-14T19:10:00Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-UOFMT1.socket from SchemaCache 2016-03-14T19:10:00Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-UOFMT1.socket conn= 2016-03-14T19:10:00Z DEBUG Destroyed connection context.ldap2_66947728 2016-03-14T19:10:00Z DEBUG duration: 3 seconds 2016-03-14T19:10:00Z DEBUG Done configuring certificate server (pki-tomcatd). 2016-03-14T19:10:00Z DEBUG Restarting the directory and certificate servers 2016-03-14T19:10:00Z DEBUG Starting external process 2016-03-14T19:10:00Z DEBUG args='/bin/systemctl' 'stop' 'pki-tomcatd at pki-tomcat.service' 2016-03-14T19:10:01Z DEBUG Process finished, return code=0 2016-03-14T19:10:01Z DEBUG stdout= 2016-03-14T19:10:01Z DEBUG stderr= 2016-03-14T19:10:01Z DEBUG Starting external process 2016-03-14T19:10:01Z DEBUG args='/bin/systemctl' 'restart' 'dirsrv at UOFMT1.service' 2016-03-14T19:10:09Z DEBUG Process finished, return code=0 2016-03-14T19:10:09Z DEBUG stdout= 2016-03-14T19:10:09Z DEBUG stderr= 2016-03-14T19:10:09Z DEBUG Starting external process 2016-03-14T19:10:09Z DEBUG args='/bin/systemctl' 'is-active' 'dirsrv at UOFMT1.service' 2016-03-14T19:10:09Z DEBUG Process finished, return code=0 2016-03-14T19:10:09Z DEBUG stdout=active 2016-03-14T19:10:09Z DEBUG stderr= 2016-03-14T19:10:09Z DEBUG wait_for_open_ports: localhost [389] timeout 300 2016-03-14T19:11:27Z DEBUG Starting external process 2016-03-14T19:11:27Z DEBUG args='/bin/systemctl' 'start' 'pki-tomcatd at pki-tomcat.service' 
2016-03-14T19:11:27Z DEBUG Process finished, return code=0 2016-03-14T19:11:27Z DEBUG stdout= 2016-03-14T19:11:27Z DEBUG stderr= 2016-03-14T19:11:27Z DEBUG Starting external process 2016-03-14T19:11:27Z DEBUG args='/bin/systemctl' 'is-active' 'pki-tomcatd at pki-tomcat.service' 2016-03-14T19:11:27Z DEBUG Process finished, return code=0 2016-03-14T19:11:27Z DEBUG stdout=active 2016-03-14T19:11:27Z DEBUG stderr= 2016-03-14T19:11:27Z DEBUG wait_for_open_ports: localhost [8080, 8443] timeout 300 2016-03-14T19:11:29Z DEBUG Waiting until the CA is running 2016-03-14T19:11:29Z DEBUG Starting external process 2016-03-14T19:11:29Z DEBUG args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://jutta.cc.umanitoba.ca:8443/ca/admin/ca/getStatus' 2016-03-14T19:11:37Z DEBUG Process finished, return code=0 2016-03-14T19:11:37Z DEBUG stdout=1CArunning10.2.5-6.el7 2016-03-14T19:11:37Z DEBUG stderr=--2016-03-14 14:11:29-- https://jutta.cc.umanitoba.ca:8443/ca/admin/ca/getStatus Resolving jutta.cc.umanitoba.ca (jutta.cc.umanitoba.ca)... 130.179.19.176 Connecting to jutta.cc.umanitoba.ca (jutta.cc.umanitoba.ca)|130.179.19.176|:8443... connected. WARNING: cannot verify jutta.cc.umanitoba.ca's certificate, issued by ?/O=UOFMT1/CN=Certificate Authority?: Self-signed certificate encountered. HTTP request sent, awaiting response... HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Content-Type: application/xml Content-Length: 167 Date: Mon, 14 Mar 2016 19:11:37 GMT Length: 167 [application/xml] Saving to: ?STDOUT? 
0K 100% 41.1M=0s 2016-03-14 14:11:37 (41.1 MB/s) - written to stdout [167/167] 2016-03-14T19:11:37Z DEBUG The CA status is: running 2016-03-14T19:11:37Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2016-03-14T19:11:37Z DEBUG Starting external process 2016-03-14T19:11:37Z DEBUG args='/bin/systemctl' 'disable' 'pki-tomcatd.target' 2016-03-14T19:11:38Z DEBUG Process finished, return code=0 2016-03-14T19:11:38Z DEBUG stdout= 2016-03-14T19:11:38Z DEBUG stderr=Removed symlink /etc/systemd/system/multi-user.target.wants/pki-tomcatd.target. 2016-03-14T19:11:38Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-UOFMT1.socket from SchemaCache 2016-03-14T19:11:38Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-UOFMT1.socket conn= 2016-03-14T19:11:39Z DEBUG Ensuring that service pki_tomcatd at pki-tomcat is not running while the next set of commands is being executed. 2016-03-14T19:11:39Z DEBUG Starting external process 2016-03-14T19:11:39Z DEBUG args='/bin/systemctl' 'is-active' 'pki-tomcatd at pki-tomcat.service' 2016-03-14T19:11:39Z DEBUG Process finished, return code=0 2016-03-14T19:11:39Z DEBUG stdout=active 2016-03-14T19:11:39Z DEBUG stderr= 2016-03-14T19:11:39Z DEBUG Stopping pki_tomcatd at pki-tomcat. 2016-03-14T19:11:39Z DEBUG Starting external process 2016-03-14T19:11:39Z DEBUG args='/bin/systemctl' 'stop' 'pki-tomcatd at pki-tomcat.service' 2016-03-14T19:11:40Z DEBUG Process finished, return code=0 2016-03-14T19:11:40Z DEBUG stdout= 2016-03-14T19:11:40Z DEBUG stderr= 2016-03-14T19:11:40Z DEBUG Starting pki_tomcatd at pki-tomcat. 
2016-03-14T19:11:40Z DEBUG Starting external process 2016-03-14T19:11:40Z DEBUG args='/bin/systemctl' 'start' 'pki-tomcatd at pki-tomcat.service' 2016-03-14T19:11:40Z DEBUG Process finished, return code=0 2016-03-14T19:11:40Z DEBUG stdout= 2016-03-14T19:11:40Z DEBUG stderr= 2016-03-14T19:11:40Z DEBUG Starting external process 2016-03-14T19:11:40Z DEBUG args='/bin/systemctl' 'is-active' 'pki-tomcatd at pki-tomcat.service' 2016-03-14T19:11:40Z DEBUG Process finished, return code=0 2016-03-14T19:11:40Z DEBUG stdout=active 2016-03-14T19:11:40Z DEBUG stderr= 2016-03-14T19:11:40Z DEBUG wait_for_open_ports: localhost [8080, 8443] timeout 300 2016-03-14T19:11:42Z DEBUG Waiting until the CA is running 2016-03-14T19:11:42Z DEBUG Starting external process 2016-03-14T19:11:42Z DEBUG args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://jutta.cc.umanitoba.ca:8443/ca/admin/ca/getStatus' 2016-03-14T19:11:59Z DEBUG Process finished, return code=0 2016-03-14T19:11:59Z DEBUG stdout=1CArunning10.2.5-6.el7 2016-03-14T19:11:59Z DEBUG stderr=--2016-03-14 14:11:42-- https://jutta.cc.umanitoba.ca:8443/ca/admin/ca/getStatus Resolving jutta.cc.umanitoba.ca (jutta.cc.umanitoba.ca)... 130.179.19.176 Connecting to jutta.cc.umanitoba.ca (jutta.cc.umanitoba.ca)|130.179.19.176|:8443... connected. WARNING: cannot verify jutta.cc.umanitoba.ca's certificate, issued by ?/O=UOFMT1/CN=Certificate Authority?: Self-signed certificate encountered. HTTP request sent, awaiting response... HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Content-Type: application/xml Content-Length: 167 Date: Mon, 14 Mar 2016 19:11:59 GMT Length: 167 [application/xml] Saving to: ?STDOUT? 
0K 100% 37.0M=0s 2016-03-14 14:11:59 (37.0 MB/s) - written to stdout [167/167] 2016-03-14T19:11:59Z DEBUG The CA status is: running 2016-03-14T19:11:59Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2016-03-14T19:11:59Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' 2016-03-14T19:11:59Z DEBUG IPA FQDN 'jutta.cc.umanitoba.ca.' is not located in default domain 'uofmt1.' 2016-03-14T19:11:59Z DEBUG Domain 'cc.umanitoba.ca' needs additional mapping in krb5.conf 2016-03-14T19:11:59Z DEBUG Starting external process 2016-03-14T19:11:59Z DEBUG args='keyctl' 'get_persistent' '@s' '0' 2016-03-14T19:11:59Z DEBUG Process finished, return code=0 2016-03-14T19:11:59Z DEBUG stdout=137194057 2016-03-14T19:11:59Z DEBUG stderr= 2016-03-14T19:11:59Z DEBUG Enabling persistent keyring CCACHE 2016-03-14T19:12:00Z DEBUG Starting external process 2016-03-14T19:12:00Z DEBUG args='/bin/systemctl' 'is-active' 'krb5kdc.service' 2016-03-14T19:12:00Z DEBUG Process finished, return code=3 2016-03-14T19:12:00Z DEBUG stdout=unknown 2016-03-14T19:12:00Z DEBUG stderr= 2016-03-14T19:12:00Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2016-03-14T19:12:00Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2016-03-14T19:12:00Z DEBUG Starting external process 2016-03-14T19:12:00Z DEBUG args='/bin/systemctl' 'stop' 'krb5kdc.service' 2016-03-14T19:12:00Z DEBUG Process finished, return code=0 2016-03-14T19:12:00Z DEBUG stdout= 2016-03-14T19:12:00Z DEBUG stderr= 2016-03-14T19:12:00Z DEBUG Configuring Kerberos KDC (krb5kdc). 
Estimated time: 30 seconds 2016-03-14T19:12:00Z DEBUG [1/8]: adding sasl mappings to the directory 2016-03-14T19:12:00Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-UOFMT1.socket from SchemaCache 2016-03-14T19:12:00Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-UOFMT1.socket conn= 2016-03-14T19:12:13Z DEBUG duration: 13 seconds 2016-03-14T19:12:13Z DEBUG [2/8]: configuring KDC 2016-03-14T19:12:13Z DEBUG Backing up system configuration file '/var/kerberos/krb5kdc/kdc.conf' 2016-03-14T19:12:13Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index' 2016-03-14T19:12:13Z DEBUG Backing up system configuration file '/etc/krb5.conf' 2016-03-14T19:12:13Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index' 2016-03-14T19:12:13Z DEBUG Backing up system configuration file '/usr/share/ipa/html/krb5.ini' 2016-03-14T19:12:13Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index' 2016-03-14T19:12:13Z DEBUG Backing up system configuration file '/usr/share/ipa/html/krb.con' 2016-03-14T19:12:13Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index' 2016-03-14T19:12:13Z DEBUG Backing up system configuration file '/usr/share/ipa/html/krbrealm.con' 2016-03-14T19:12:13Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index' 2016-03-14T19:12:13Z DEBUG Starting external process 2016-03-14T19:12:13Z DEBUG args='klist' '-V' 2016-03-14T19:12:13Z DEBUG Process finished, return code=0 2016-03-14T19:12:13Z DEBUG stdout=Kerberos 5 version 1.13.2 2016-03-14T19:12:13Z DEBUG stderr= 2016-03-14T19:12:13Z DEBUG Backing up system configuration file '/etc/sysconfig/krb5kdc' 2016-03-14T19:12:13Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index' 2016-03-14T19:12:13Z DEBUG Starting external process 2016-03-14T19:12:13Z DEBUG args='/usr/sbin/selinuxenabled' 2016-03-14T19:12:13Z DEBUG Process finished, return code=1 2016-03-14T19:12:13Z DEBUG stdout= 2016-03-14T19:12:13Z DEBUG 
2016-03-14T19:13:23Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2016-03-14T19:13:23Z DEBUG Configuring kadmin
2016-03-14T19:13:23Z DEBUG [1/2]: starting kadmin
2016-03-14T19:13:23Z DEBUG Starting external process
2016-03-14T19:13:23Z DEBUG args='/bin/systemctl' 'is-active' 'kadmin.service'
2016-03-14T19:13:23Z DEBUG Process finished, return code=3
2016-03-14T19:13:23Z DEBUG stdout=failed
2016-03-14T19:13:23Z DEBUG stderr=
2016-03-14T19:13:23Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2016-03-14T19:13:23Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2016-03-14T19:13:23Z DEBUG Starting external process
2016-03-14T19:13:23Z DEBUG args='/bin/systemctl' 'restart' 'kadmin.service'
2016-03-14T19:13:33Z DEBUG Process finished, return code=1
2016-03-14T19:13:33Z DEBUG stdout=
2016-03-14T19:13:33Z DEBUG stderr=Job for kadmin.service failed because the control process exited with error code. See "systemctl status kadmin.service" and "journalctl -xe" for details.
2016-03-14T19:13:33Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 542, in __start
    self.restart()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 318, in restart
    self.service.restart(instance_name, capture_output=capture_output, wait=wait)
  File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 314, in restart
    capture_output=capture_output)
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 373, in run
    raise CalledProcessError(p.returncode, arg_string, stdout)
CalledProcessError: Command ''/bin/systemctl' 'restart' 'kadmin.service'' returned non-zero exit status 1
2016-03-14T19:13:33Z DEBUG [error] CalledProcessError: Command ''/bin/systemctl' 'restart' 'kadmin.service'' returned non-zero exit status 1
2016-03-14T19:13:33Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 311, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 281, in run
    self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 303, in execute
    for nothing in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
    raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 524, in _configure
    executor.next()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 418, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
    raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 879, in main
    install(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 295, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 586, in install
    krb = install_krb(config, setup_pkinit=not options.no_pkinit)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 93, in install_krb
    setup_pkinit, pkcs12_info)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 217, in create_replica
    self.kpasswd.create_instance('KPASSWD', self.fqdn, self.admin_password, self.suffix)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 536, in create_instance
    self.start_creation("Configuring %s" % self.service_name)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 542, in __start
    self.restart()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 318, in restart
    self.service.restart(instance_name, capture_output=capture_output, wait=wait)
  File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 314, in restart
    capture_output=capture_output)
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 373, in run
    raise CalledProcessError(p.returncode, arg_string, stdout)
2016-03-14T19:13:33Z DEBUG The ipa-replica-install command failed, exception: CalledProcessError: Command ''/bin/systemctl' 'restart' 'kadmin.service'' returned non-zero exit status 1
2016-03-14T19:13:33Z ERROR Command ''/bin/systemctl' 'restart' 'kadmin.service'' returned non-zero exit status 1
-------------- next part --------------
otp: Loaded
Mar 10 14:20:39 jutta.cc.umanitoba.ca krb5kdc[25950](Error): preauth pkinit failed to initialize: No realms configured correctly for pkinit support
Mar 10 14:20:39 jutta.cc.umanitoba.ca krb5kdc[25950](info): setting up network...
fetching master key K/M for realm UOFMT1 Mar 14 11:55:43 jutta.cc.umanitoba.ca krb5kdc[44118](info): closing down fd 7 Mar 14 11:55:43 jutta.cc.umanitoba.ca krb5kdc[44118](info): closing down fd 6 Mar 14 11:55:43 jutta.cc.umanitoba.ca krb5kdc[44119](debug): Got signal to request exit krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 11:55:43 jutta.cc.umanitoba.ca krb5kdc[44118](info): shutting down Mar 14 11:55:43 jutta.cc.umanitoba.ca krb5kdc[44116](info): closing down fd 8 Mar 14 11:55:43 jutta.cc.umanitoba.ca krb5kdc[44117](debug): Got signal to request exit Mar 14 11:55:43 jutta.cc.umanitoba.ca krb5kdc[44113](debug): Got signal to request exit Mar 14 11:55:43 jutta.cc.umanitoba.ca krb5kdc[44108](debug): Got signal to request exit Mar 14 11:55:43 jutta.cc.umanitoba.ca krb5kdc[44116](info): closing down fd 9 Mar 14 11:55:43 jutta.cc.umanitoba.ca krb5kdc[44119](info): closing down fd 8 Mar 14 11:55:43 jutta.cc.umanitoba.ca krb5kdc[44116](info): closing down fd 7 Mar 14 11:55:43 jutta.cc.umanitoba.ca krb5kdc[44119](info): closing down fd 9 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 11:55:43 jutta.cc.umanitoba.ca krb5kdc[44116](info): closing down fd 6 Mar 14 11:55:43 jutta.cc.umanitoba.ca krb5kdc[44119](info): closing down fd 7 Mar 14 11:55:43 jutta.cc.umanitoba.ca krb5kdc[44119](info): closing down fd 6 Mar 14 11:55:43 jutta.cc.umanitoba.ca krb5kdc[44108](info): closing down fd 8 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 11:55:43 jutta.cc.umanitoba.ca krb5kdc[44116](info): shutting down Mar 14 11:55:43 jutta.cc.umanitoba.ca krb5kdc[44113](info): closing down fd 8 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 11:55:43 jutta.cc.umanitoba.ca krb5kdc[44108](info): closing down fd 9 Mar 14 11:55:43 jutta.cc.umanitoba.ca krb5kdc[44115](debug): Got signal to request exit krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 
Mar 14 11:55:43 jutta.cc.umanitoba.ca krb5kdc[44119](info): shutting down krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 11:55:43 jutta.cc.umanitoba.ca krb5kdc[44113](info): closing down fd 9 Mar 14 11:55:43 jutta.cc.umanitoba.ca krb5kdc[44110](debug): Got signal to request exit Mar 14 11:55:43 jutta.cc.umanitoba.ca krb5kdc[44111](debug): Got signal to request exit Mar 14 11:55:43 jutta.cc.umanitoba.ca krb5kdc[44108](info): closing down fd 7 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 11:55:43 jutta.cc.umanitoba.ca krb5kdc[44113](info): closing down fd 7 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 11:55:43 jutta.cc.umanitoba.ca krb5kdc[44108](info): closing down fd 6 Mar 14 11:55:43 jutta.cc.umanitoba.ca krb5kdc[44113](info): closing down fd 6 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 11:55:43 jutta.cc.umanitoba.ca krb5kdc[44112](debug): Got signal to request exit Mar 14 11:55:43 jutta.cc.umanitoba.ca krb5kdc[44108](info): shutting down krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 11:55:43 jutta.cc.umanitoba.ca krb5kdc[44113](info): shutting down krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 11:55:43 jutta.cc.umanitoba.ca krb5kdc[44115](info): closing down fd 8 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 11:55:43 jutta.cc.umanitoba.ca krb5kdc[44110](info): closing down fd 8 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 11:55:43 jutta.cc.umanitoba.ca 
krb5kdc[44115](info): closing down fd 9 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 11:55:43 jutta.cc.umanitoba.ca krb5kdc[44110](info): closing down fd 9 Mar 14 11:55:43 jutta.cc.umanitoba.ca krb5kdc[44111](info): closing down fd 8 Mar 14 11:55:43 jutta.cc.umanitoba.ca krb5kdc[44115](info): closing down fd 7 Mar 14 11:55:43 jutta.cc.umanitoba.ca krb5kdc[44110](info): closing down fd 7 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 11:55:43 jutta.cc.umanitoba.ca krb5kdc[44112](info): closing down fd 8 Mar 14 11:55:43 jutta.cc.umanitoba.ca krb5kdc[44111](info): closing down fd 9 Mar 14 11:55:43 jutta.cc.umanitoba.ca krb5kdc[44110](info): closing down fd 6 Mar 14 11:55:43 jutta.cc.umanitoba.ca krb5kdc[44115](info): closing down fd 6 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 11:55:43 jutta.cc.umanitoba.ca krb5kdc[44111](info): closing down fd 7 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 11:55:43 jutta.cc.umanitoba.ca krb5kdc[44112](info): closing down fd 9 Mar 14 11:55:43 jutta.cc.umanitoba.ca krb5kdc[44111](info): closing down fd 6 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 11:55:43 jutta.cc.umanitoba.ca krb5kdc[44110](info): shutting down Mar 14 11:55:43 jutta.cc.umanitoba.ca krb5kdc[44115](info): shutting down krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 11:55:43 jutta.cc.umanitoba.ca krb5kdc[44112](info): closing down fd 7 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 11:55:43 jutta.cc.umanitoba.ca krb5kdc[44111](info): shutting down Mar 14 11:55:43 jutta.cc.umanitoba.ca krb5kdc[44117](info): closing down fd 8 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: 
Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 11:55:43 jutta.cc.umanitoba.ca krb5kdc[44112](info): closing down fd 6 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 11:55:43 jutta.cc.umanitoba.ca krb5kdc[44117](info): closing down fd 9 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 11:55:43 jutta.cc.umanitoba.ca krb5kdc[44112](info): shutting down krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 11:55:43 jutta.cc.umanitoba.ca krb5kdc[44117](info): closing down fd 7 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 11:55:43 jutta.cc.umanitoba.ca krb5kdc[44117](info): closing down fd 6 Mar 14 11:55:43 jutta.cc.umanitoba.ca krb5kdc[44117](info): shutting down krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 11:55:48 jutta.cc.umanitoba.ca krb5kdc[44109](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 130.179.19.176: LOOKING_UP_CLIENT: ldap/jutta.cc.umanitoba.ca at UOFMT1 for krbtgt/UOFMT1 at UOFMT1, 
Server error Mar 14 11:55:48 jutta.cc.umanitoba.ca krb5kdc[44109](debug): Got signal to request exit Mar 14 11:55:48 jutta.cc.umanitoba.ca krb5kdc[44109](info): closing down fd 12 Mar 14 11:55:48 jutta.cc.umanitoba.ca krb5kdc[44109](info): closing down fd 8 Mar 14 11:55:48 jutta.cc.umanitoba.ca krb5kdc[44109](info): closing down fd 9 Mar 14 11:55:48 jutta.cc.umanitoba.ca krb5kdc[44109](info): closing down fd 7 Mar 14 11:55:48 jutta.cc.umanitoba.ca krb5kdc[44109](info): closing down fd 6 Mar 14 11:55:48 jutta.cc.umanitoba.ca krb5kdc[44109](info): shutting down otp: Loaded Mar 14 13:35:22 jutta.cc.umanitoba.ca krb5kdc[48219](Error): preauth pkinit failed to initialize: No realms configured correctly for pkinit support Mar 14 13:35:22 jutta.cc.umanitoba.ca krb5kdc[48219](info): setting up network... Mar 14 13:35:22 jutta.cc.umanitoba.ca krb5kdc[48219](info): listening on fd 6: udp 0.0.0.0.88 (pktinfo) krb5kdc: setsockopt(7,IPV6_V6ONLY,1) worked Mar 14 13:35:22 jutta.cc.umanitoba.ca krb5kdc[48219](info): listening on fd 7: udp ::.88 (pktinfo) krb5kdc: setsockopt(8,IPV6_V6ONLY,1) worked Mar 14 13:35:22 jutta.cc.umanitoba.ca krb5kdc[48219](info): listening on fd 9: tcp 0.0.0.0.88 Mar 14 13:35:22 jutta.cc.umanitoba.ca krb5kdc[48219](info): listening on fd 8: tcp ::.88 Mar 14 13:35:22 jutta.cc.umanitoba.ca krb5kdc[48219](info): set up 4 sockets Mar 14 13:35:22 jutta.cc.umanitoba.ca krb5kdc[48220](info): creating 64 worker processes Mar 14 13:35:22 jutta.cc.umanitoba.ca krb5kdc[48220](info): closing down fd 8 Mar 14 13:35:22 jutta.cc.umanitoba.ca krb5kdc[48220](info): closing down fd 9 Mar 14 13:35:22 jutta.cc.umanitoba.ca krb5kdc[48220](info): closing down fd 7 Mar 14 13:35:22 jutta.cc.umanitoba.ca krb5kdc[48220](info): closing down fd 6 Mar 14 13:35:27 jutta.cc.umanitoba.ca krb5kdc[48222](info): commencing operation Mar 14 13:35:27 jutta.cc.umanitoba.ca krb5kdc[48221](info): commencing operation Mar 14 13:35:28 jutta.cc.umanitoba.ca krb5kdc[48224](info): commencing 
operation Mar 14 13:35:28 jutta.cc.umanitoba.ca krb5kdc[48223](info): commencing operation Mar 14 13:35:30 jutta.cc.umanitoba.ca krb5kdc[48227](info): commencing operation Mar 14 13:35:30 jutta.cc.umanitoba.ca krb5kdc[48225](info): commencing operation Mar 14 13:35:30 jutta.cc.umanitoba.ca krb5kdc[48228](info): commencing operation Mar 14 13:35:30 jutta.cc.umanitoba.ca krb5kdc[48226](info): commencing operation Mar 14 13:35:30 jutta.cc.umanitoba.ca krb5kdc[48222](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 130.179.19.176: NEEDED_PREAUTH: ldap/jutta.cc.umanitoba.ca at UOFMT1 for krbtgt/UOFMT1 at UOFMT1, Additional pre-authentication required Mar 14 13:35:30 jutta.cc.umanitoba.ca krb5kdc[48222](info): closing down fd 12 Mar 14 13:35:31 jutta.cc.umanitoba.ca krb5kdc[48231](info): commencing operation Mar 14 13:35:31 jutta.cc.umanitoba.ca krb5kdc[48232](info): commencing operation Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48229](info): commencing operation Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48230](info): commencing operation krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48220](Error): worker 48233 exited with status 256 Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48221](debug): Got signal to request exit Mar 14 13:35:32 jutta.cc.umanitoba.ca 
krb5kdc[48225](debug): Got signal to request exit Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48221](info): closing down fd 8 Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48227](debug): Got signal to request exit Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48221](info): closing down fd 9 Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48223](debug): Got signal to request exit Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48221](info): closing down fd 7 Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48221](info): closing down fd 6 Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48221](info): shutting down krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48231](debug): Got signal to request exit krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48229](debug): Got signal to request exit krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48222](debug): Got signal to request exit Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48227](info): closing down fd 8 Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48225](info): closing down fd 8 Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48228](debug): Got signal to request exit krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48227](info): closing down fd 9 Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48223](info): closing down fd 8 Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48225](info): closing down fd 9 Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48232](debug): Got signal to request exit Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48227](info): closing down fd 7 Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48222](info): closing down fd 8 krb5kdc: Server error - while fetching master 
key K/M for realm UOFMT1 Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48230](debug): Got signal to request exit krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48223](info): closing down fd 9 Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48225](info): closing down fd 7 Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48229](info): closing down fd 8 Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48228](info): closing down fd 8 Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48227](info): closing down fd 6 Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48231](info): closing down fd 8 Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48222](info): closing down fd 9 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48227](info): shutting down Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48229](info): closing down fd 9 Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48225](info): closing down fd 6 Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48223](info): closing down fd 7 Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48231](info): closing down fd 9 Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48222](info): closing down fd 7 Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48228](info): closing down fd 9 Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48232](info): closing down fd 8 Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48229](info): closing down fd 7 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48231](info): closing down fd 7 Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48222](info): closing down fd 6 Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48223](info): 
closing down fd 6 Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48229](info): closing down fd 6 Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48225](info): shutting down Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48228](info): closing down fd 7 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48232](info): closing down fd 9 Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48230](info): closing down fd 8 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48232](info): closing down fd 7 Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48231](info): closing down fd 6 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48222](info): shutting down krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48229](info): shutting down krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48223](info): shutting down krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48230](info): closing down fd 9 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48231](info): shutting down krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48232](info): closing down fd 6 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48230](info): 
closing down fd 7 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48232](info): shutting down krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48230](info): closing down fd 6 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48230](info): shutting down Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48224](debug): Got signal to request exit krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48224](info): closing down fd 8 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48224](info): closing down fd 9 Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48224](info): closing down fd 7 Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48224](info): closing down fd 6 Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48224](info): shutting down krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48226](debug): Got signal to request exit krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48228](info): closing down fd 6 Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48226](info): closing down fd 8 Mar 14 13:35:32 jutta.cc.umanitoba.ca 
krb5kdc[48226](info): closing down fd 9 Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48228](info): shutting down Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48226](info): closing down fd 7 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48226](info): closing down fd 6 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 13:35:32 jutta.cc.umanitoba.ca krb5kdc[48226](info): shutting down krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 otp: Loaded Mar 14 14:13:21 jutta.cc.umanitoba.ca krb5kdc[57026](Error): preauth pkinit failed to initialize: No realms configured correctly for pkinit support Mar 14 14:13:21 jutta.cc.umanitoba.ca krb5kdc[57026](info): setting up network... Mar 14 14:13:21 jutta.cc.umanitoba.ca krb5kdc[57026](info): listening on fd 6: udp 0.0.0.0.88 (pktinfo) krb5kdc: setsockopt(7,IPV6_V6ONLY,1) worked Mar 14 14:13:21 jutta.cc.umanitoba.ca krb5kdc[57026](info): listening on fd 7: udp ::.88 (pktinfo) krb5kdc: setsockopt(8,IPV6_V6ONLY,1) worked Mar 14 14:13:21 jutta.cc.umanitoba.ca krb5kdc[57026](info): listening on fd 9: tcp 0.0.0.0.88 Mar 14 14:13:21 jutta.cc.umanitoba.ca krb5kdc[57026](info): listening on fd 8: tcp ::.88 Mar 14 14:13:21 jutta.cc.umanitoba.ca krb5kdc[57026](info): set up 4 sockets Mar 14 14:13:21 jutta.cc.umanitoba.ca krb5kdc[57027](info): creating 64 worker processes Mar 14 14:13:21 jutta.cc.umanitoba.ca krb5kdc[57027](info): closing down fd 8 Mar 14 14:13:21 jutta.cc.umanitoba.ca krb5kdc[57027](info): closing down fd 9 Mar 14 14:13:21 jutta.cc.umanitoba.ca krb5kdc[57027](info): closing down fd 7 Mar 14 14:13:21 jutta.cc.umanitoba.ca krb5kdc[57027](info): closing down fd 6 Mar 14 14:13:26 jutta.cc.umanitoba.ca krb5kdc[57029](info): commencing operation Mar 14 14:13:26 jutta.cc.umanitoba.ca krb5kdc[57028](info): commencing operation Mar 14 14:13:28 jutta.cc.umanitoba.ca krb5kdc[57031](info): commencing operation Mar 
14 14:13:28 jutta.cc.umanitoba.ca krb5kdc[57030](info): commencing operation Mar 14 14:13:29 jutta.cc.umanitoba.ca krb5kdc[57036](info): commencing operation Mar 14 14:13:29 jutta.cc.umanitoba.ca krb5kdc[57033](info): commencing operation Mar 14 14:13:29 jutta.cc.umanitoba.ca krb5kdc[57035](info): commencing operation Mar 14 14:13:29 jutta.cc.umanitoba.ca krb5kdc[57034](info): commencing operation Mar 14 14:13:29 jutta.cc.umanitoba.ca krb5kdc[57032](info): commencing operation Mar 14 14:13:29 jutta.cc.umanitoba.ca krb5kdc[57029](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 130.179.19.176: NEEDED_PREAUTH: ldap/jutta.cc.umanitoba.ca at UOFMT1 for krbtgt/UOFMT1 at UOFMT1, Additional pre-authentication required Mar 14 14:13:29 jutta.cc.umanitoba.ca krb5kdc[57029](info): closing down fd 12 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 14:13:31 jutta.cc.umanitoba.ca krb5kdc[57027](Error): worker 57040 exited with status 256 Mar 14 14:13:31 jutta.cc.umanitoba.ca krb5kdc[57030](debug): Got signal to request exit Mar 14 14:13:31 jutta.cc.umanitoba.ca krb5kdc[57031](debug): Got signal to request exit Mar 14 14:13:31 jutta.cc.umanitoba.ca krb5kdc[57036](debug): Got signal to request exit Mar 14 14:13:31 jutta.cc.umanitoba.ca krb5kdc[57028](debug): Got signal to request exit krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 14:13:31 jutta.cc.umanitoba.ca krb5kdc[57033](debug): Got signal to request exit krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - 
while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 14:13:31 jutta.cc.umanitoba.ca krb5kdc[57029](debug): Got signal to request exit Mar 14 14:13:31 jutta.cc.umanitoba.ca krb5kdc[57035](debug): Got signal to request exit krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 14:13:31 jutta.cc.umanitoba.ca krb5kdc[57034](debug): Got signal to request exit Mar 14 14:13:31 jutta.cc.umanitoba.ca krb5kdc[57029](info): closing down fd 8 Mar 14 14:13:31 jutta.cc.umanitoba.ca krb5kdc[57028](info): closing down fd 8 Mar 14 14:13:31 jutta.cc.umanitoba.ca krb5kdc[57030](info): closing down fd 8 Mar 14 14:13:31 jutta.cc.umanitoba.ca krb5kdc[57029](info): closing down fd 9 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 14:13:31 jutta.cc.umanitoba.ca krb5kdc[57028](info): closing down fd 9 Mar 14 14:13:31 jutta.cc.umanitoba.ca krb5kdc[57029](info): closing down fd 7 Mar 14 14:13:31 jutta.cc.umanitoba.ca krb5kdc[57030](info): closing down fd 9 Mar 14 14:13:31 jutta.cc.umanitoba.ca krb5kdc[57028](info): closing down fd 7 Mar 14 14:13:31 jutta.cc.umanitoba.ca krb5kdc[57029](info): closing down fd 6 Mar 14 14:13:31 jutta.cc.umanitoba.ca krb5kdc[57028](info): closing down fd 6 Mar 14 14:13:31 jutta.cc.umanitoba.ca krb5kdc[57030](info): closing down fd 7 Mar 14 14:13:31 jutta.cc.umanitoba.ca krb5kdc[57031](info): closing down fd 8 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 14:13:31 jutta.cc.umanitoba.ca krb5kdc[57033](info): closing down fd 8 Mar 14 14:13:31 jutta.cc.umanitoba.ca krb5kdc[57029](info): shutting down Mar 14 14:13:31 jutta.cc.umanitoba.ca krb5kdc[57031](info): closing down fd 9 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 14:13:31 
jutta.cc.umanitoba.ca krb5kdc[57028](info): shutting down Mar 14 14:13:31 jutta.cc.umanitoba.ca krb5kdc[57030](info): closing down fd 6 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 14:13:31 jutta.cc.umanitoba.ca krb5kdc[57031](info): closing down fd 7 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 14:13:31 jutta.cc.umanitoba.ca krb5kdc[57035](info): closing down fd 8 Mar 14 14:13:31 jutta.cc.umanitoba.ca krb5kdc[57034](info): closing down fd 8 Mar 14 14:13:31 jutta.cc.umanitoba.ca krb5kdc[57033](info): closing down fd 9 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 14:13:31 jutta.cc.umanitoba.ca krb5kdc[57035](info): closing down fd 9 Mar 14 14:13:31 jutta.cc.umanitoba.ca krb5kdc[57035](info): closing down fd 7 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 14:13:31 jutta.cc.umanitoba.ca krb5kdc[57031](info): closing down fd 6 Mar 14 14:13:31 jutta.cc.umanitoba.ca krb5kdc[57030](info): shutting down krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 14:13:31 jutta.cc.umanitoba.ca krb5kdc[57034](info): closing down fd 9 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 14:13:31 jutta.cc.umanitoba.ca krb5kdc[57035](info): closing down fd 6 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error 
- while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 14:13:31 jutta.cc.umanitoba.ca krb5kdc[57031](info): shutting down krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 14:13:31 jutta.cc.umanitoba.ca krb5kdc[57034](info): closing down fd 7 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 14:13:31 jutta.cc.umanitoba.ca krb5kdc[57035](info): shutting down krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 14:13:31 jutta.cc.umanitoba.ca krb5kdc[57034](info): closing down fd 6 Mar 14 14:13:31 jutta.cc.umanitoba.ca krb5kdc[57033](info): closing down fd 7 Mar 14 14:13:31 jutta.cc.umanitoba.ca krb5kdc[57034](info): shutting down Mar 14 14:13:31 jutta.cc.umanitoba.ca krb5kdc[57033](info): closing down fd 6 Mar 14 14:13:31 jutta.cc.umanitoba.ca krb5kdc[57033](info): shutting down krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 14:13:31 jutta.cc.umanitoba.ca krb5kdc[57036](info): closing down fd 8 Mar 14 14:13:31 jutta.cc.umanitoba.ca krb5kdc[57036](info): closing down fd 9 Mar 14 14:13:31 jutta.cc.umanitoba.ca krb5kdc[57036](info): closing down fd 7 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 14:13:31 jutta.cc.umanitoba.ca krb5kdc[57036](info): closing down fd 6 Mar 14 14:13:31 jutta.cc.umanitoba.ca krb5kdc[57036](info): shutting down krb5kdc: Server error - while 
fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 14:13:31 jutta.cc.umanitoba.ca krb5kdc[57032](debug): Got signal to request exit krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 krb5kdc: Server error - while fetching master key K/M for realm UOFMT1 Mar 14 14:13:31 jutta.cc.umanitoba.ca krb5kdc[57032](info): closing down fd 8 Mar 14 14:13:31 jutta.cc.umanitoba.ca krb5kdc[57032](info): closing down fd 9 Mar 14 14:13:31 jutta.cc.umanitoba.ca krb5kdc[57032](info): closing down fd 7 Mar 14 14:13:31 jutta.cc.umanitoba.ca krb5kdc[57032](info): closing down fd 6 Mar 14 14:13:31 jutta.cc.umanitoba.ca krb5kdc[57032](info): shutting down krb5kdc: Server error - while fetching master keys list for realm UOFMT1 krb5kdc: Server error - while fetching master keys list for realm UOFMT1 krb5kdc: Server error - while fetching master keys list for realm UOFMT1

From Daryl.Fonseca-Holt at umanitoba.ca Tue Mar 15 02:12:05 2016
From: Daryl.Fonseca-Holt at umanitoba.ca (Daryl Fonseca-Holt)
Date: Mon, 14 Mar 2016 21:12:05 -0500 (CDT)
Subject: [Freeipa-users] ipa-replica-install IPA startup timing issue
In-Reply-To: <56E714FB.10603@umanitoba.ca>
References: <56E1F0E4.9080605@umanitoba.ca> <56E28490.6030406@redhat.com> <56E6C57D.3010203@umanitoba.ca> <56E6C8CA.6020800@redhat.com> <56E714FB.10603@umanitoba.ca>
Message-ID:

Hello Thierry,

In searching for a way to slow down the start of kadmind I discovered that the prepare-replica install-replica process was modifying /etc/sysconfig/krb5kdc to this:

KRB5KDC_ARGS='-w 64'
KRB5REALM=UOFMT1
KRB5KDC_ARGS='-w 64'

during the configuration of krb5kdc. Prior to that the file only contained:

KRB5KDC_ARGS=

I paused the replica-install as soon as this change appeared, made KRB5KDC_ARGS null, then resumed.
The replica-install completed without error.

Here's where it gets a bit odd. That value was, at one time, used on the master where the prepare-replica was done but has not been in /etc/sysconfig/krb5kdc for a long time. How is it being propagated from the master to the new replica?

Is there some way to decrypt the replica file copied from the master to the replica after the replica-prepare to confirm that is where the value is coming from? Or is it being calculated on the replica? And why does it appear twice?

64 is the number of cores on the master and replica hosts. At one time I adjusted /etc/sysconfig/krb5kdc on the master so there would be one krb5kdc daemon process for each core but later decided to wait until stress testing showed that it was actually useful. I observed that starting that many instances of krb5kdc did stress the dirsrv instance for a little while during an ipactl restart.

--
Daryl Fonseca-Holt
IST/CNS/Unix Server Team
University of Manitoba
204.480.1079

From prashant at apigee.com Tue Mar 15 03:28:46 2016
From: prashant at apigee.com (Prashant Bapat)
Date: Tue, 15 Mar 2016 08:58:46 +0530
Subject: [Freeipa-users] read-only service account - aci
In-Reply-To:
References:
Message-ID:

Anyone?

On 11 March 2016 at 22:12, Prashant Bapat wrote:

> Hi,
>
> I'm trying to use IPA's LDAP server as the user data base for an external
> application.
>
> I have created a service account from ldif below.
>
>
> dn: uid=srv-ro,cn=sysaccounts,cn=etc,dc=example,dc=com
> changetype: add
> objectclass: account
> objectclass: simplesecurityobject
> uid: system
> userPassword: changeme!
> passwordExpirationTime: 20380119031407Z
> nsIdleTimeout: 0
>
>
> This works fine. My question is what's the ACI associated with this new
> user? Does this user have read-only access to everything in LDAP ? Or
> should I add/tune the ACI.
>
> Thanks.
> --Prashant
>

From rakesh.rajasekharan at gmail.com Tue Mar 15 05:25:06 2016
From: rakesh.rajasekharan at gmail.com (Rakesh Rajasekharan)
Date: Tue, 15 Mar 2016 10:55:06 +0530
Subject: [Freeipa-users] unable to authenticate using freeipa client
In-Reply-To:
References:
Message-ID:

For the error in the krb5_child.log

(Tue Mar 15 04:35:51 2016) [[sssd[krb5_child[13708]]]] [sss_child_krb5_trace_cb] (0x4000): [13708] 1458016551.87210: Received error from KDC: -1765328359/Additional pre-authentication required

I deleted the sssd cache as well as the /tmp/krb5* and restarted sssd , still the issue persists.

Another error that I see is in /var/log/secure

Mar 14 21:35:51 ip-1-1-1-1 sshd[13705]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=q-tempuser
Mar 14 21:35:51 ip-1-1-1-1 sshd[13705]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=q-tempuser
Mar 14 21:35:51 ip-1-1-1-1 sshd[13705]: pam_sss(sshd:auth): received for user q-tempuser: 4 (System error)

I have "UsePAM yes" and "GSSAPIAuthentication yes" in sshd_config. so not sure what's causing this..

I tried uninstalling and installing back the client as well but did not help..

Anything else that I might be missing out..

Thanks,
Rakesh

On Mon, Mar 14, 2016 at 5:50 PM, Rakesh Rajasekharan < rakesh.rajasekharan at gmail.com> wrote:

> I set up freeipa in my environment and works perfectly.
>
> But just on one host , I am not able to authenticate. I get a permission
> denied error.
> > The sssd version I have is 1.12 > > the krb5_child log does point to some error, > krb5_child.log > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862]]]] [unpack_buffer] > (0x2000): No old ccache > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862]]]] [unpack_buffer] > (0x0100): ccname: [FILE:/tmp/krb5cc_5102_XXXXXX] old_ccname: [not set] > keytab: [/etc/krb5.keytab] > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862]]]] > [k5c_precreate_ccache] (0x4000): Recreating ccache > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862]]]] [k5c_setup_fast] > (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/1.1.1.1 at TEST.COM] > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862]]]] > [find_principal_in_keytab] (0x4000): Trying to find principal host/ > 1.1.1.1 at TEST.COM in keytab. > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862]]]] [match_principal] > (0x1000): Principal matched to the sample (host/1.1.1.1 at TEST.COM). > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862]]]] [get_tgt_times] > (0x1000): FAST ccache must be recreated > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11864]]]] [become_user] > (0x0200): Trying to become user [0][0]. > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11864]]]] [become_user] > (0x0200): Already user [0]. > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11864]]]] [check_fast_ccache] > (0x2000): Running as [0][0]. > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11864]]]] > [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true] > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11864]]]] [create_ccache] > (0x4000): Initializing ccache of type [FILE] > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [check_fast_ccache] > (0x0200): FAST TGT was successfully recreated! > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [become_user] > (0x0200): Trying to become user [5102][701]. > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [main] (0x2000): > Running as [5102][701]. 
> (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [k5c_setup] > (0x2000): Running as [5102][701]. > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] > [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] > from environment. > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] > [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from > environment. > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] > [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true] > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [main] (0x0400): > Will perform online auth > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [tgt_req_child] > (0x1000): Attempting to get a TGT > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [get_and_save_tgt] > (0x0400): Attempting kinit for realm [TEST.COM] > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] > [sss_child_krb5_trace_cb] (0x4000): [11862] 1457956948.18425: Getting > initial credentials for q-tempuser at TEST.COM > > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] > [sss_child_krb5_trace_cb] (0x4000): [11862] 1457956948.18471: FAST armor > ccache: MEMORY:/var/lib/sss/db/fast_ccache_TEST.COM > > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] > [sss_child_krb5_trace_cb] (0x4000): [11862] 1457956948.18502: Retrieving > host/1.1.1.1 at TEST.COM -> krb5_ccache_conf_data/fast_avail/krbtgt\/TEST.COM > \@TEST.COM at X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_TEST.COM > with result: -1765328243/Matching credential not found > > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] > [sss_child_krb5_trace_cb] (0x4000): [11862] 1457956948.18545: Sending > request (189 bytes) to TEST.COM > > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] > [sss_child_krb5_trace_cb] (0x4000): [11862] 1457956948.187.36: Initiating > TCP connection to stre > (END) > > > And here are the contents from sssd_domain.log > sssd_test.com > (Mon 
Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] > (0x0100): domain: test.com > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] > (0x0100): user: q-tempuser > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] > (0x0100): service: sshd > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] > (0x0100): tty: ssh > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] > (0x0100): ruser: > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] > (0x0100): rhost: 127.0.0.1 > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] > (0x0100): authtok type: 1 > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] > (0x0100): newauthtok type: 0 > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] > (0x0100): priv: 1 > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] > (0x0100): cli_pid: 11794 > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] > (0x0100): logon name: not set > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [ldb] (0x4000): Added > timed event "ltdb_callback": 0x69e690 > > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [ldb] (0x4000): Added > timed event "ltdb_timeout": 0x69e7b0 > > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [ldb] (0x4000): Running > timer event 0x69e690 "ltdb_callback" > > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [ldb] (0x4000): > Destroying timer event 0x69e7b0 "ltdb_timeout" > > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [ldb] (0x4000): Ending > timer event 0x69e690 "ltdb_callback" > > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] > [krb5_auth_prepare_ccache_name] (0x1000): No ccache file for user > [q-tempuser] found. 
> (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [fo_resolve_service_send] > (0x0100): Trying to resolve service 'IPA' > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [get_server_status] > (0x1000): Status of server 'ipa-test-master.test.com' is 'working' > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [get_port_status] > (0x1000): Port status of port 0 for server 'ipa-test-master.test.com' is > 'working' > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] > [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 > seconds > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [get_server_status] > (0x1000): Status of server 'ipa-test-master.test.com' is 'working' > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] > [be_resolve_server_process] (0x1000): Saving the first resolved server > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] > [be_resolve_server_process] (0x0200): Found address for server > ipa-test-master.test.com: [10.1.6.56] TTL 183 > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [child_handler_setup] > (0x2000): Setting up signal handler up for pid [11797] > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [child_handler_setup] > (0x2000): Signal handler set up for pid [11797] > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [write_pipe_handler] > (0x0400): All data has been sent! > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [child_sig_handler] > (0x1000): Waiting for child [11797]. > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [child_sig_handler] > (0x0100): child [11797] finished successfully. > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [read_pipe_handler] > (0x0400): EOF received, client finished > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] > [parse_krb5_child_response] (0x1000): child response [1432158209][6][8]. 
> (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [be_pam_handler_callback]
> (0x0100): Backend returned: (0, 4, ) [Success]
> (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [be_pam_handler_callback]
> (0x0100): Sending result [4][test.com]
> (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [be_pam_handler_callback]
> (0x0100): Sent result [4][test.com]
> (Mon Mar 14 11:57:15 2016) [sssd[be[test.com]]] [sbus_dispatch] (0x4000):
> dbus conn: 0x678710
> (Mon Mar 14 11:57:15 2016) [sssd[be[test.com]]] [sbus_dispatch] (0x4000):
> Dispatching.
> (Mon Mar 14 11:57:15 2016) [sssd[be[test.com]]] [sbus_message_handler]
> (0x4000): Received SBUS method [ping]
> (Mon Mar 14 11:57:15 2016) [sssd[be[test.com]]] [sbus_get_sender_id_send]
> (0x2000): Not a sysbus message, quit
> (Mon Mar 14 11:57:15 2016) [sssd[be[test.com]]]
> [sbus_handler_got_caller_id] (0x4000): Received SBUS method [ping]
>
>
> Not sure what could be wrong here, I think this used to work fine earlier .
>
>
> Thanks,
> Rakesh
>

From abokovoy at redhat.com Tue Mar 15 06:07:43 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 15 Mar 2016 08:07:43 +0200
Subject: [Freeipa-users] ipa-replica-install IPA startup timing issue
In-Reply-To:
References: <56E1F0E4.9080605@umanitoba.ca> <56E28490.6030406@redhat.com> <56E6C57D.3010203@umanitoba.ca> <56E6C8CA.6020800@redhat.com> <56E714FB.10603@umanitoba.ca>
Message-ID: <20160315060743.GC4492@redhat.com>

On Mon, 14 Mar 2016, Daryl Fonseca-Holt wrote:
>Hello Thierry,
>
>In searching for a way to slow down the start of kadmind I discovered
>that the prepare-replica install-replica process was modifying
>/etc/sysconfig/krb5kdc to this:
> KRB5KDC_ARGS='-w 64'
> KRB5REALM=UOFMT1
> KRB5KDC_ARGS='-w 64'
>during the configuration of krb5kdc. Prior to that the file only
>contained:
> KRB5KDC_ARGS=
>
>I paused the replica-install as soon as this change appeared, made
>KRB5KDC_ARGS null, then resumed. The replica-install completed without
>error.
>
>Here's where it gets a bit odd. That value was, at one time, used on
>the master where the prepare-replica was done but has not been in
>/etc/sysconfig/krb5kdc for a long time. How is it being propagated
>from the master to the new replica?
>
>Is there some way to decrypt the replica file copied from the master
>to the replica after the replica-prepare to confirm that is where the
>value is coming from? Or is it being calculated on the replica? And
>why does it appear twice?
>
>64 is the number of cores on the master and replica hosts. At one time
>I adjusted /etc/sysconfig/krb5kdc on the master so there would be one
>krb5kdc daemon process for each core but later decided to wait until
>stress testing showed that it was actually useful. I observed that
>starting that many instances of krb5kdc did stress the dirsrv instance
>for a little while during an ipactl restart.

I think this value is not in the replica file. This is part of configuration of Kerberos KDC (ipaserver/krbinstance.py, see KrbInstance.__configure_instance()) and it is based on the value of 'getconf _NPROCESSORS_ONLN'. When replica is being installed, the installer will call KrbInstance.create_replica() and that one will call __configure_instance(), thus setting up the KRB5KDC_ARGS to '-w <_NPROCESSORS_ONLN>'.

--
/ Alexander Bokovoy

From alessandro.demaria at gmail.com Tue Mar 15 07:39:58 2016
From: alessandro.demaria at gmail.com (Alessandro De Maria)
Date: Tue, 15 Mar 2016 07:39:58 +0000
Subject: [Freeipa-users] User certificate workflow
Message-ID:

Hello,

I would like to have authenticated users to upload a csr request and have their certificate automatically signed. Their certificate would expire in x days.
Given the short life of the certificate, I would then like them to be able to easily download the certificate.

Any suggestion on how to do it?
I would prefer the shell script approach but also having it self serviced on the web ui would be great.

Regards

--
Alessandro De Maria
alessandro.demaria at gmail.com

From sbose at redhat.com Tue Mar 15 08:25:00 2016
From: sbose at redhat.com (Sumit Bose)
Date: Tue, 15 Mar 2016 09:25:00 +0100
Subject: [Freeipa-users] unable to authenticate using freeipa client
In-Reply-To:
References:
Message-ID: <20160315082500.GA3059@p.redhat.com>

On Mon, Mar 14, 2016 at 05:50:34PM +0530, Rakesh Rajasekharan wrote:
> I set up freeipa in my environment and works perfectly.
>
> But just on one host , I am not able to authenticate. I get a permission
> denied error.
>
> The sssd version I have is 1.12
>
> the krb5_child log does point to some error,
> krb5_child.log
> (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862]]]] [unpack_buffer]
> (0x2000): No old ccache
> (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862]]]] [unpack_buffer]
> (0x0100): ccname: [FILE:/tmp/krb5cc_5102_XXXXXX] old_ccname: [not set]
> keytab: [/etc/krb5.keytab]
> (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862]]]]
> [k5c_precreate_ccache] (0x4000): Recreating ccache
> (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862]]]] [k5c_setup_fast]
> (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/1.1.1.1 at TEST.COM]
> (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862]]]]
> [find_principal_in_keytab] (0x4000): Trying to find principal host/
> 1.1.1.1 at TEST.COM in keytab.
> (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862]]]] [match_principal]
> (0x1000): Principal matched to the sample (host/1.1.1.1 at TEST.COM).
> (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862]]]] [get_tgt_times] > (0x1000): FAST ccache must be recreated > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11864]]]] [become_user] > (0x0200): Trying to become user [0][0]. > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11864]]]] [become_user] > (0x0200): Already user [0]. > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11864]]]] [check_fast_ccache] > (0x2000): Running as [0][0]. > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11864]]]] > [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true] > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11864]]]] [create_ccache] > (0x4000): Initializing ccache of type [FILE] > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [check_fast_ccache] > (0x0200): FAST TGT was successfully recreated! > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [become_user] > (0x0200): Trying to become user [5102][701]. > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [main] (0x2000): > Running as [5102][701]. > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [k5c_setup] > (0x2000): Running as [5102][701]. > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] > [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] > from environment. > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] > [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from > environment. 
> (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]]
> [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
> (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [main] (0x0400):
> Will perform online auth
> (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [tgt_req_child]
> (0x1000): Attempting to get a TGT
> (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [get_and_save_tgt]
> (0x0400): Attempting kinit for realm [TEST.COM]
> (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11862] 1457956948.18425: Getting
> initial credentials for q-tempuser at TEST.COM
>
> (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11862] 1457956948.18471: FAST armor
> ccache: MEMORY:/var/lib/sss/db/fast_ccache_TEST.COM
>
> (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11862] 1457956948.18502: Retrieving
> host/1.1.1.1 at TEST.COM -> krb5_ccache_conf_data/fast_avail/krbtgt\/TEST.COM
> \@TEST.COM at X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_TEST.COM
> with result: -1765328243/Matching credential not found
>
> (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11862] 1457956948.18545: Sending
> request (189 bytes) to TEST.COM
>
> (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11862] 1457956948.187.36: Initiating
> TCP connection to stre
> (END)

Does the krb5_child.log really end here? If yes, any chance the disk is full?
bye, Sumit > > > And here are the contents from sssd_domain.log > sssd_test.com > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] (0x0100): > domain: test.com > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] (0x0100): > user: q-tempuser > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] (0x0100): > service: sshd > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] (0x0100): > tty: ssh > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] (0x0100): > ruser: > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] (0x0100): > rhost: 127.0.0.1 > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] (0x0100): > authtok type: 1 > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] (0x0100): > newauthtok type: 0 > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] (0x0100): > priv: 1 > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] (0x0100): > cli_pid: 11794 > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] (0x0100): > logon name: not set > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [ldb] (0x4000): Added timed > event "ltdb_callback": 0x69e690 > > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [ldb] (0x4000): Added timed > event "ltdb_timeout": 0x69e7b0 > > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [ldb] (0x4000): Running > timer event 0x69e690 "ltdb_callback" > > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [ldb] (0x4000): Destroying > timer event 0x69e7b0 "ltdb_timeout" > > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [ldb] (0x4000): Ending > timer event 0x69e690 "ltdb_callback" > > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] > [krb5_auth_prepare_ccache_name] (0x1000): No ccache file for user > [q-tempuser] found. 
> (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [fo_resolve_service_send] > (0x0100): Trying to resolve service 'IPA' > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [get_server_status] > (0x1000): Status of server 'ipa-test-master.test.com' is 'working' > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [get_port_status] (0x1000): > Port status of port 0 for server 'ipa-test-master.test.com' is 'working' > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] > [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 > seconds > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [get_server_status] > (0x1000): Status of server 'ipa-test-master.test.com' is 'working' > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [be_resolve_server_process] > (0x1000): Saving the first resolved server > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [be_resolve_server_process] > (0x0200): Found address for server ipa-test-master.test.com: [10.1.6.56] > TTL 183 > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [child_handler_setup] > (0x2000): Setting up signal handler up for pid [11797] > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [child_handler_setup] > (0x2000): Signal handler set up for pid [11797] > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [write_pipe_handler] > (0x0400): All data has been sent! > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [child_sig_handler] > (0x1000): Waiting for child [11797]. > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [child_sig_handler] > (0x0100): child [11797] finished successfully. > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [read_pipe_handler] > (0x0400): EOF received, client finished > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [parse_krb5_child_response] > (0x1000): child response [1432158209][6][8]. 
> (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [be_pam_handler_callback]
> (0x0100): Backend returned: (0, 4, ) [Success]
> (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [be_pam_handler_callback]
> (0x0100): Sending result [4][test.com]
> (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [be_pam_handler_callback]
> (0x0100): Sent result [4][test.com]
> (Mon Mar 14 11:57:15 2016) [sssd[be[test.com]]] [sbus_dispatch] (0x4000):
> dbus conn: 0x678710
> (Mon Mar 14 11:57:15 2016) [sssd[be[test.com]]] [sbus_dispatch] (0x4000):
> Dispatching.
> (Mon Mar 14 11:57:15 2016) [sssd[be[test.com]]] [sbus_message_handler]
> (0x4000): Received SBUS method [ping]
> (Mon Mar 14 11:57:15 2016) [sssd[be[test.com]]] [sbus_get_sender_id_send]
> (0x2000): Not a sysbus message, quit
> (Mon Mar 14 11:57:15 2016) [sssd[be[test.com]]]
> [sbus_handler_got_caller_id] (0x4000): Received SBUS method [ping]
>
>
> Not sure what could be wrong here, I think this used to work fine earlier .
>
>
> Thanks,
> Rakesh

> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From mbabinsk at redhat.com Tue Mar 15 08:50:06 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Tue, 15 Mar 2016 09:50:06 +0100
Subject: [Freeipa-users] User certificate workflow
In-Reply-To:
References:
Message-ID: <56E7CCBE.2080006@redhat.com>

On 03/15/2016 08:39 AM, Alessandro De Maria wrote:
> Hello,
>
> I would like to have authenticated users to upload a csr request and
> have their certificate automatically signed. Their certificate would
> expire in x days.
>
> Given the short life of the certificate, I would then like them to be
> able to easily download the certificate.
>
> Any suggestion on how to do it?
> I would prefer the shell script approach but also having it self
> serviced on the web ui would be great.
>
> Regards
>
>
> --
> Alessandro De Maria
> alessandro.demaria at gmail.com
>
>

Hi Alessandro,

for FreeIPA 4.2+ you can use the following links as a guide to set up a custom profile and CA ACL rules so that users can request certificates for themselves:

http://www.freeipa.org/page/V4/User_Certificates#How_to_Test

https://blog-ftweedal.rhcloud.com/2015/08/user-certificates-and-custom-profiles-with-freeipa-4-2/

The user then can generate CSR request e.g. using OpenSSL and use 'ipa cert-request' to send it to IPA CA. If you specify 'store=True' when adding the custom certificate profile, the certificate will be added to the user entry as 'usercertificate;binary' attribute which he can view from CLI/WebUI as PEM and save it to a file by copy-pasting it (The functionality to save the certificate directly to a file is under development).

It should be possible to modify the certificate profile to restrict the maximum validity of the issued certificate but I have no knowledge about that. I have CC'ed Fraser Tweedale (the blog post author), he may help you with this.

--
Martin^3 Babinsky

From peljasz at yahoo.co.uk Tue Mar 15 09:24:08 2016
From: peljasz at yahoo.co.uk (lejeczek)
Date: Tue, 15 Mar 2016 09:24:08 +0000
Subject: [Freeipa-users] can migrate-ds be safely re-run if it failed...
In-Reply-To: <56E6EFA6.2050203@redhat.com>
References: <56E6EDE1.6060103@yahoo.co.uk> <56E6EFA6.2050203@redhat.com>
Message-ID: <56E7D4B8.80707@yahoo.co.uk>

On 14/03/16 17:06, Rob Crittenden wrote:
> lejeczek wrote:
>> with...
>>
>> ipa: ERROR: group LDAP search did not return any result (search base:
>> ou=groups,dc=ccnr,dc=biotechnology, objectclass: groupofuniquenames,
>> groupofnames)
>>
>> I see users went in but later I realized that current samba's ou was
>> "group" not groups.
>> Can I just re-run migrations?
> Yes. It will skip over anything that already exists in IPA.
thanks Rob, may I ask why process by default looks up only objectclass: groupofuniquenames, groupofnames?
Is there a reason it skips ldap+samba typical posixGroup & sambaGroupMapping?
Lastly, is there a way to preserve account locked/disabled status for posix/samba?
> rob
>
>

From alessandro.demaria at gmail.com Tue Mar 15 09:39:12 2016
From: alessandro.demaria at gmail.com (Alessandro De Maria)
Date: Tue, 15 Mar 2016 09:39:12 +0000
Subject: [Freeipa-users] User certificate workflow
In-Reply-To: <56E7CCBE.2080006@redhat.com>
References: <56E7CCBE.2080006@redhat.com>
Message-ID:

Thank you Martin that's very helpful.

The annoying thing about cut/paste from web ui is that the cert is not wrapped at 60 chars like it should be, but I guess I'll have to wait for the save certificate functionality. Any idea of when that's planned for?

Regards
Alessandro

On 15 March 2016 at 08:50, Martin Babinsky wrote:

> On 03/15/2016 08:39 AM, Alessandro De Maria wrote:
>
>> Hello,
>>
>> I would like to have authenticated users to upload a csr request and
>> have their certificate automatically signed. Their certificate would
>> expire in x days.
>>
>> Given the short life of the certificate, I would then like them to be
>> able to easily download the certificate.
>>
>> Any suggestion on how to do it?
>> I would prefer the shell script approach but also having it self
>> serviced on the web ui would be great.
>>
>> Regards
>>
>>
>> --
>> Alessandro De Maria
>> alessandro.demaria at gmail.com
>>
>>
>>
> Hi Alessandro,
>
> for FreeIPA 4.2+ you can use the following links as a guide to set up a
> custom profile and CA ACL rules so that users can request certificates for
> themselves:
>
> http://www.freeipa.org/page/V4/User_Certificates#How_to_Test
>
> https://blog-ftweedal.rhcloud.com/2015/08/user-certificates-and-custom-profiles-with-freeipa-4-2/
>
> The user then can generate CSR request e.g. using OpenSSL and use 'ipa
> cert-request' to send it to IPA CA. If you specify 'store=True' when adding
> the custom certificate profile, the certificate will be added to the user
> entry as 'usercertificate;binary' attribute which he can view from
> CLI/WebUI as PEM and save it to a file by copy-pasting it (The
> functionality to save the certificate directly to a file is under
> development).
>
> It should be possible to modify the certificate profile to restrict the
> maximum validity of the issued certificate but I have no knowledge about
> that. I have CC'ed Fraser Tweedale (the blog post author), he may help you
> with this.
>
> --
> Martin^3 Babinsky
>

--
Alessandro De Maria
alessandro.demaria at gmail.com

From lkrispen at redhat.com Tue Mar 15 09:47:49 2016
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Tue, 15 Mar 2016 10:47:49 +0100
Subject: [Freeipa-users] ipa replica failed PR_DeleteSemaphore
In-Reply-To: <20160314163323.GA19874@dead.ccr.buffalo.edu>
References: <20160309144657.GA24736@dead.ccr.buffalo.edu> <56E03D98.9030705@redhat.com> <20160309153705.GB24736@dead.ccr.buffalo.edu> <20160309154631.GC24736@dead.ccr.buffalo.edu> <56E04D9E.2040005@redhat.com> <20160309165139.GD24736@dead.ccr.buffalo.edu> <56E05874.5020907@redhat.com> <20160312150202.GA13162@dead.ccr.buffalo.edu> <56E677C3.6050708@redhat.com> <20160314163323.GA19874@dead.ccr.buffalo.edu>
Message-ID: <56E7DA45.6050709@redhat.com>

On 03/14/2016 05:33 PM, Andrew E. Bruno wrote:
> On Mon, Mar 14, 2016 at 09:35:15AM +0100, Ludwig Krispenz wrote:
>> On 03/12/2016 04:02 PM, Andrew E. Bruno wrote:
>>> On Wed, Mar 09, 2016 at 06:08:04PM +0100, Ludwig Krispenz wrote:
>>>> On 03/09/2016 05:51 PM, Andrew E.
Bruno wrote:
>>>>> On Wed, Mar 09, 2016 at 05:21:50PM +0100, Ludwig Krispenz wrote:
>>>>>
>>>>> [09/Mar/2016:11:33:03 -0500] NSMMReplicationPlugin - changelog program - _cl5NewDBFile: PR_DeleteSemaphore: /var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/ed35d212-2cb811e5-af63d574-de3f6355.sema; NSPR error - -5943
>>>> if ds is cleanly shutdown this file should be removed, if ds is killed it
>>>> remains and should be recreated at restart, which fails. could you try
>>>> another stop, remove the file manually and start again ?
>>> We had our replicas crash again. Curious if it's safe to delete the
>>> other db files as well:
>>>
>>> ls -alh /var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/
>>> 30 DBVERSION
>>> 6.8G ed35d212-2cb811e5-af63d574-de3f6355_55a95591000000040000.db
>>> 0 ed35d212-2cb811e5-af63d574-de3f6355.sema
>>> 18M f32bb356-2cb811e5-af63d574-de3f6355_55a955ca000000600000.db
>>> 0 f32bb356-2cb811e5-af63d574-de3f6355.sema
>>>
>>>
>>> Should all these files be deleted if the ds is cleanly shutdown? or should we
>>> only remove the *.sema files.
>> the *.db file contains the data of the changelog, if you delete them you
>> start with a new cl and could get into replication problems requiring
>> reinitialization. you normally should not delete them.
>> The .sema is used to control how many threads can concurrently access the
>> cl, it should be recreated at restart, so it is safe to delete them after a
>> crash.
> Sounds good..thanks. We deleted the .sema files after the crash and the
> replicas came back up ok.
>
>> If you getting frequent crashes, we should try to find the reason for the
>> crashes, could you try to get a core file ?
> This time we had two replicas crash and ns-slapd wasn't running so we
> couldn't grab a pstack. Here's a snip from the error logs right before
> the crash (not sure if this is related or not):
>
> [11/Mar/2016:09:57:56 -0500] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=11573832,cn=changelog!!
> [11/Mar/2016:09:57:57 -0500] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=11575824,cn=changelog!!
> [11/Mar/2016:09:57:58 -0500] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=11575851,cn=changelog!!
> [11/Mar/2016:10:00:28 -0500] - libdb: BDB2055 Lock table is out of available lock entries
> [11/Mar/2016:10:00:28 -0500] NSMMReplicationPlugin - changelog program - _cl5CompactDBs: failed to compact 986efe12-71b811e5-9d33a516-e778e883; db error - 12 Cannot allocate memory
> [11/Mar/2016:10:02:07 -0500] - libdb: BDB2055 Lock table is out of available lock entries
> [11/Mar/2016:10:02:07 -0500] - compactdb: failed to compact changelog; db error - 12 Cannot allocate memory

don't know if this is related to your crashes, but compaction of changelog was running, probably for some time, and finally failed. The idea behind compaction is to compact a fragmented btree and reclaim some space, but it uses a transaction for the complete operation and locks every page accessed. This can be time consuming, blocking other txns, and run out of locks. There are two options to address this, either increase the number of configured db locks (problem is there is no good hint how many locks will be needed), or disable changelog compaction, by setting:

dn: cn=changelog5,cn=config
..
nsslapd-changelogcompactdb-interval: 0

I would disable compaction, I don't think there is much benefit (in my memory BDB compaction was slow and not very effective) and it is better to avoid the side effects

> [11/Mar/2016:12:36:18 -0500] - slapd_poll(377) timed out
> [11/Mar/2016:13:06:17 -0500] - slapd_poll(377) timed out
>
> We just upgraded to ipa 4.2 centos 7.2 and if we see anymore crashes
> we'll try and get more info.
>
> Thanks again.
>
> --Andrew
>
>

From rakesh.rajasekharan at gmail.com Tue Mar 15 09:51:34 2016
From: rakesh.rajasekharan at gmail.com (Rakesh Rajasekharan)
Date: Tue, 15 Mar 2016 15:21:34 +0530
Subject: [Freeipa-users] unable to authenticate using freeipa client
In-Reply-To: <20160315082500.GA3059@p.redhat.com>
References: <20160315082500.GA3059@p.redhat.com>
Message-ID:

yes the space was indeed the culprit... i cleaned up some and login works fine now..

Thanks !!

On Tue, Mar 15, 2016 at 1:55 PM, Sumit Bose wrote:

> On Mon, Mar 14, 2016 at 05:50:34PM +0530, Rakesh Rajasekharan wrote:
> > I set up freeipa in my environment and works perfectly.
> >
> > But just on one host , I am not able to authenticate. I get a permission
> > denied error.
> >
> > The sssd version I have is 1.12
> >
> > the krb5_child log does point to some error,
> > krb5_child.log
> > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862]]]] [unpack_buffer]
> > (0x2000): No old ccache
> > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862]]]] [unpack_buffer]
> > (0x0100): ccname: [FILE:/tmp/krb5cc_5102_XXXXXX] old_ccname: [not set]
> > keytab: [/etc/krb5.keytab]
> > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862]]]]
> > [k5c_precreate_ccache] (0x4000): Recreating ccache
> > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862]]]] [k5c_setup_fast]
> > (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/1.1.1.1 at TEST.COM]
> > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862]]]]
> > [find_principal_in_keytab] (0x4000): Trying to find principal host/
> > 1.1.1.1 at TEST.COM in keytab.
> > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862]]]] [match_principal]
> > (0x1000): Principal matched to the sample (host/1.1.1.1 at TEST.COM).
> > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862]]]] [get_tgt_times]
> > (0x1000): FAST ccache must be recreated
> > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11864]]]] [become_user]
> > (0x0200): Trying to become user [0][0].
> > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11864]]]] [become_user]
> > (0x0200): Already user [0].
> > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11864]]]]
> [check_fast_ccache]
> > (0x2000): Running as [0][0].
> > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11864]]]]
> > [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to
> [true]
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11864]]]] [create_ccache]
> > (0x4000): Initializing ccache of type [FILE]
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]]
> [check_fast_ccache]
> > (0x0200): FAST TGT was successfully recreated!
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [become_user]
> > (0x0200): Trying to become user [5102][701].
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [main] (0x2000):
> > Running as [5102][701].
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [k5c_setup]
> > (0x2000): Running as [5102][701].
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]]
> > [set_lifetime_options] (0x0100): Cannot read
> [SSSD_KRB5_RENEWABLE_LIFETIME]
> > from environment.
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]]
> > [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
> > environment.
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]]
> > [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to
> [true]
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [main] (0x0400):
> > Will perform online auth
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [tgt_req_child]
> > (0x1000): Attempting to get a TGT
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [get_and_save_tgt]
> > (0x0400): Attempting kinit for realm [TEST.COM]
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]]
> > [sss_child_krb5_trace_cb] (0x4000): [11862] 1457956948.18425: Getting
> > initial credentials for q-tempuser at TEST.COM
> >
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]]
> > [sss_child_krb5_trace_cb] (0x4000): [11862] 1457956948.18471: FAST armor
> > ccache: MEMORY:/var/lib/sss/db/fast_ccache_TEST.COM
> >
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]]
> > [sss_child_krb5_trace_cb] (0x4000): [11862] 1457956948.18502: Retrieving
> > host/1.1.1.1 at TEST.COM -> krb5_ccache_conf_data/fast_avail/krbtgt\/
> TEST.COM
> > \@TEST.COM at X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_TEST.COM
> > with result: -1765328243/Matching credential not found
> >
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]]
> > [sss_child_krb5_trace_cb] (0x4000): [11862] 1457956948.18545: Sending
> > request (189 bytes) to TEST.COM
> >
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]]
> > [sss_child_krb5_trace_cb] (0x4000): [11862] 1457956948.187.36: Initiating
> > TCP connection to stre
> > (END)
>
> Does the krb5_child.log really end here? If yes, any chance the disk is
> full?
>
> bye,
> Sumit
>
>
> >
> > And here are the contents from sssd_domain.log
> > sssd_test.com
> > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data]
> (0x0100):
> > domain: test.com
> > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data]
> (0x0100):
> > user: q-tempuser
> > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data]
> (0x0100):
> > service: sshd
> > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data]
> (0x0100):
> > tty: ssh
> > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data]
> (0x0100):
> > ruser:
> > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data]
> (0x0100):
> > rhost: 127.0.0.1
> > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data]
> (0x0100):
> > authtok type: 1
> > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data]
> (0x0100):
> > newauthtok type: 0
> > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data]
> (0x0100):
> > priv: 1
> > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data]
> (0x0100):
> > cli_pid: 11794
> > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data]
> (0x0100):
> > logon name: not set
> > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [ldb] (0x4000): Added
> timed
> > event "ltdb_callback": 0x69e690
> >
> > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [ldb] (0x4000): Added
> timed
> > event "ltdb_timeout": 0x69e7b0
> >
> > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [ldb] (0x4000): Running
> > timer event 0x69e690 "ltdb_callback"
> >
> > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [ldb] (0x4000):
> Destroying
> > timer event 0x69e7b0 "ltdb_timeout"
> >
> > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [ldb] (0x4000): Ending
> > timer event 0x69e690 "ltdb_callback"
> >
> > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]]
> > [krb5_auth_prepare_ccache_name] (0x1000): No ccache file for user
> > [q-tempuser] found.
> > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]]
> [fo_resolve_service_send]
> > (0x0100): Trying to resolve service 'IPA'
> > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [get_server_status]
> > (0x1000): Status of server 'ipa-test-master.test.com' is 'working'
> > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [get_port_status]
> (0x1000):
> > Port status of port 0 for server 'ipa-test-master.test.com' is 'working'
> > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]]
> > [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6
> > seconds
> > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [get_server_status]
> > (0x1000): Status of server 'ipa-test-master.test.com' is 'working'
> > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]]
> [be_resolve_server_process]
> > (0x1000): Saving the first resolved server
> > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]]
> [be_resolve_server_process]
> > (0x0200): Found address for server ipa-test-master.test.com: [10.1.6.56]
> > TTL 183
> > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [child_handler_setup]
> > (0x2000): Setting up signal handler up for pid [11797]
> > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [child_handler_setup]
> > (0x2000): Signal handler set up for pid [11797]
> > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [write_pipe_handler]
> > (0x0400): All data has been sent!
> > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [child_sig_handler]
> > (0x1000): Waiting for child [11797].
> > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [child_sig_handler]
> > (0x0100): child [11797] finished successfully.
> > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [read_pipe_handler]
> > (0x0400): EOF received, client finished
> > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]]
> [parse_krb5_child_response]
> > (0x1000): child response [1432158209][6][8].
> > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]]
> [be_pam_handler_callback]
> > (0x0100): Backend returned: (0, 4, ) [Success]
> > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]]
> [be_pam_handler_callback]
> > (0x0100): Sending result [4][test.com]
> > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]]
> [be_pam_handler_callback]
> > (0x0100): Sent result [4][test.com]
> > (Mon Mar 14 11:57:15 2016) [sssd[be[test.com]]] [sbus_dispatch]
> (0x4000):
> > dbus conn: 0x678710
> > (Mon Mar 14 11:57:15 2016) [sssd[be[test.com]]] [sbus_dispatch]
> (0x4000):
> > Dispatching.
> > (Mon Mar 14 11:57:15 2016) [sssd[be[test.com]]] [sbus_message_handler]
> > (0x4000): Received SBUS method [ping]
> > (Mon Mar 14 11:57:15 2016) [sssd[be[test.com]]]
> [sbus_get_sender_id_send]
> > (0x2000): Not a sysbus message, quit
> > (Mon Mar 14 11:57:15 2016) [sssd[be[test.com]]]
> > [sbus_handler_got_caller_id] (0x4000): Received SBUS method [ping]
> >
> >
> > Not sure what could be wrong here, I think this used to work fine earlier
> .
> >
> >
> > Thanks,
> > Rakesh

From rcritten at redhat.com Tue Mar 15 13:42:39 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 15 Mar 2016 09:42:39 -0400
Subject: [Freeipa-users] can migrate-ds be safely re-run if it failed...
In-Reply-To: <56E7D4B8.80707@yahoo.co.uk>
References: <56E6EDE1.6060103@yahoo.co.uk> <56E6EFA6.2050203@redhat.com> <56E7D4B8.80707@yahoo.co.uk>
Message-ID: <56E8114F.9000304@redhat.com>

lejeczek wrote:
> On 14/03/16 17:06, Rob Crittenden wrote:
>> lejeczek wrote:
>>> with...
>>>
>>> ipa: ERROR: group LDAP search did not return any result (search base:
>>> ou=groups,dc=ccnr,dc=biotechnology, objectclass: groupofuniquenames,
>>> groupofnames)
>>>
>>> I see users went in but later I realized that current samba's ou was
>>> "group" not groups.
>>> Can I just re-run migrations?
>> Yes. It will skip over anything that already exists in IPA.
> thanks Rob, may I ask why process by defaults looks up only objectclass:
> groupofuniquenames, groupofnames?

It is conservative but this is why it can be overridden.

> Is there a reason it skips ldap+samba typical posixGroup &
> sambaGroupMapping?

We haven't had many (any?) reports of migrating from ldap+samba.

> Lastly, is there a way to preserve account locked/disabled status for
> posix/samba?

I don't know how it is stored but as long as the schema is available in
IPA then the values should be preserved on migration unless the
attributes are associated with a blacklisted objectclass.

rob

From peljasz at yahoo.co.uk Tue Mar 15 14:14:14 2016
From: peljasz at yahoo.co.uk (lejeczek)
Date: Tue, 15 Mar 2016 14:14:14 +0000
Subject: [Freeipa-users] can migrate-ds be safely re-run if it failed...
In-Reply-To: <56E8114F.9000304@redhat.com>
References: <56E6EDE1.6060103@yahoo.co.uk> <56E6EFA6.2050203@redhat.com> <56E7D4B8.80707@yahoo.co.uk> <56E8114F.9000304@redhat.com>
Message-ID: <56E818B6.4040200@yahoo.co.uk>

On 15/03/16 13:42, Rob Crittenden wrote:
> lejeczek wrote:
>> On 14/03/16 17:06, Rob Crittenden wrote:
>>> lejeczek wrote:
>>>> with...
>>>>
>>>> ipa: ERROR: group LDAP search did not return any result (search base:
>>>> ou=groups,dc=ccnr,dc=biotechnology, objectclass: groupofuniquenames,
>>>> groupofnames)
>>>>
>>>> I see users went in but later I realized that current samba's ou was
>>>> "group" not groups.
>>>> Can I just re-run migrations?
>>> Yes. It will skip over anything that already exists in IPA.
>> thanks Rob, may I ask why process by defaults looks up only objectclass:
>> groupofuniquenames, groupofnames?
> It is conservative but this is why it can be overridden.
>
>> Is there a reason it skips ldap+samba typical posixGroup &
>> sambaGroupMapping?
> We haven't had many (any?) reports of migrating from ldap+samba.
>
>> Lastly, is there a way to preserve account locked/disabled status for
>> posix/samba?
> I don't know how it is stored but as long as the schema is available in
> IPA then the values should be preserved on migration unless the
> attributes are associated with a blacklisted objectclass.
>
> rob
>
last - this must most FAQ people wonder - can IPA's 389 backend be used in the same/similar fashion samba uses ldap? skipping all the kerberos bits? (samba & IPA on the same one box)
this might be more 389-ds related - in old days I remember DS had mozldap dedicated toolset, how is it these days? How do users deal with 389-ds IPA-related bits?

many thanks

From abokovoy at redhat.com Tue Mar 15 14:36:34 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 15 Mar 2016 16:36:34 +0200
Subject: [Freeipa-users] can migrate-ds be safely re-run if it failed...
In-Reply-To: <56E818B6.4040200@yahoo.co.uk>
References: <56E6EDE1.6060103@yahoo.co.uk> <56E6EFA6.2050203@redhat.com> <56E7D4B8.80707@yahoo.co.uk> <56E8114F.9000304@redhat.com> <56E818B6.4040200@yahoo.co.uk>
Message-ID: <20160315143634.GF4492@redhat.com>

On Tue, 15 Mar 2016, lejeczek wrote:
>On 15/03/16 13:42, Rob Crittenden wrote:
>>lejeczek wrote:
>>>On 14/03/16 17:06, Rob Crittenden wrote:
>>>>lejeczek wrote:
>>>>>with...
>>>>>
>>>>>ipa: ERROR: group LDAP search did not return any result (search base:
>>>>>ou=groups,dc=ccnr,dc=biotechnology, objectclass: groupofuniquenames,
>>>>>groupofnames)
>>>>>
>>>>>I see users went in but later I realized that current samba's ou was
>>>>>"group" not groups.
>>>>>Can I just re-run migrations?
>>>>Yes. It will skip over anything that already exists in IPA.
>>>thanks Rob, may I ask why process by defaults looks up only objectclass:
>>>groupofuniquenames, groupofnames?
>>It is conservative but this is why it can be overridden.
>>
>>>Is there a reason it skips ldap+samba typical posixGroup &
>>>sambaGroupMapping?
>>We haven't had many (any?) reports of migrating from ldap+samba.
>>
>>>Lastly, is there a way to preserve account locked/disabled status for
>>>posix/samba?
>>I don't know how it is stored but as long as the schema is available in
>>IPA then the values should be preserved on migration unless the
>>attributes are associated with a blacklisted objectclass.
>>
>>rob
>>
>last - this must most FAQ people wonder - can IPA's 389 backend be
>used in the same/similar fashion samba uses ldap? skipping all the
>kerberos bits? (samba & IPA on the same one box)

For Samba and IPA on the same box, this is configured properly with ipa-adtrust-install. It uses ipasam PASSDB module instead of ldapsam. This module knows IPA LDAP schema and is capable to do more than ldapsam, but effectively you can use resulting Samba setup in the same way as you do with ldapsam.

The configuration is:
1. Install ipa-server-trust-ad (freeipa-server-trust-ad on Fedora)
2. Run ipa-adtrust-install to configure both IPA and Samba.
3. Use 'net conf' tool to manage shares.
4. Use POSIX ACLs to set up access rights on the file system.

See https://www.redhat.com/archives/freeipa-users/2013-April/msg00270.html for inspiration.
--
/ Alexander Bokovoy

From peljasz at yahoo.co.uk Tue Mar 15 15:44:18 2016
From: peljasz at yahoo.co.uk (lejeczek)
Date: Tue, 15 Mar 2016 15:44:18 +0000
Subject: [Freeipa-users] can migrate-ds be safely re-run if it failed...
In-Reply-To: <56E8114F.9000304@redhat.com>
References: <56E6EDE1.6060103@yahoo.co.uk> <56E6EFA6.2050203@redhat.com> <56E7D4B8.80707@yahoo.co.uk> <56E8114F.9000304@redhat.com>
Message-ID: <56E82DD2.4080501@yahoo.co.uk>

On 15/03/16 13:42, Rob Crittenden wrote:
> lejeczek wrote:
>> On 14/03/16 17:06, Rob Crittenden wrote:
>>> lejeczek wrote:
>>>> with...
>>>>
>>>> ipa: ERROR: group LDAP search did not return any result (search base:
>>>> ou=groups,dc=ccnr,dc=biotechnology, objectclass: groupofuniquenames,
>>>> groupofnames)
>>>>
>>>> I see users went in but later I realized that current samba's ou was
>>>> "group" not groups.
>>>> Can I just re-run migrations?
>>> Yes. It will skip over anything that already exists in IPA.
>> thanks Rob, may I ask why process by defaults looks up only objectclass:
>> groupofuniquenames, groupofnames?
> It is conservative but this is why it can be overridden.
>
>> Is there a reason it skips ldap+samba typical posixGroup &
>> sambaGroupMapping?
> We haven't had many (any?) reports of migrating from ldap+samba.
>
>> Lastly, is there a way to preserve account locked/disabled status for
>> posix/samba?
> I don't know how it is stored but as long as the schema is available in
> IPA then the values should be preserved on migration unless the
> attributes are associated with a blacklisted objectclass.
>
> rob
I don't think it works, I guess it matters how ipa tools map these attributes, I'm particularly looking at:
ipa user-show
... Account disabled: False
sambaAcctFlags gets migrated over, but shadow locked users.... I wonder how this works.
If I had posix !passwd in my ldap userdb then it's not reflected in IPA, unless "Account disabled" is for something else.

From rcritten at redhat.com Tue Mar 15 15:57:10 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 15 Mar 2016 11:57:10 -0400
Subject: [Freeipa-users] can migrate-ds be safely re-run if it failed...
In-Reply-To: <56E82DD2.4080501@yahoo.co.uk>
References: <56E6EDE1.6060103@yahoo.co.uk> <56E6EFA6.2050203@redhat.com> <56E7D4B8.80707@yahoo.co.uk> <56E8114F.9000304@redhat.com> <56E82DD2.4080501@yahoo.co.uk>
Message-ID: <56E830D6.4030106@redhat.com>

lejeczek wrote:
> On 15/03/16 13:42, Rob Crittenden wrote:
>> lejeczek wrote:
>>> On 14/03/16 17:06, Rob Crittenden wrote:
>>>> lejeczek wrote:
>>>>> with...
>>>>>
>>>>> ipa: ERROR: group LDAP search did not return any result (search base:
>>>>> ou=groups,dc=ccnr,dc=biotechnology, objectclass: groupofuniquenames,
>>>>> groupofnames)
>>>>>
>>>>> I see users went in but later I realized that current samba's ou was
>>>>> "group" not groups.
>>>>> Can I just re-run migrations?
>>>> Yes. It will skip over anything that already exists in IPA.
>>> thanks Rob, may I ask why process by defaults looks up only objectclass:
>>> groupofuniquenames, groupofnames?
>> It is conservative but this is why it can be overridden.
>>
>>> Is there a reason it skips ldap+samba typical posixGroup &
>>> sambaGroupMapping?
>> We haven't had many (any?) reports of migrating from ldap+samba.
>>
>>> Lastly, is there a way to preserve account locked/disabled status for
>>> posix/samba?
>> I don't know how it is stored but as long as the schema is available in
>> IPA then the values should be preserved on migration unless the
>> attributes are associated with a blacklisted objectclass.
>>
>> rob
> I don't think it works, I guess it matters how ipa tools map these
> attributes, I'm particularly looking at:
> ipa user-show
> ... Account disabled: False
> sambaAcctFlags gets migrated over, but shadow locked users.... I wonder
> how this works.
> If I had posix !passwd in my ldap userdb then it's not reflected in IPA,
> unless "Account disabled" is for something else.

IPA/389-ds uses nsAccountLock to lock accounts.

rob

From peljasz at yahoo.co.uk Tue Mar 15 16:50:04 2016
From: peljasz at yahoo.co.uk (lejeczek)
Date: Tue, 15 Mar 2016 16:50:04 +0000
Subject: [Freeipa-users] can migrate-ds be safely re-run if it failed...
In-Reply-To: <56E830D6.4030106@redhat.com>
References: <56E6EDE1.6060103@yahoo.co.uk> <56E6EFA6.2050203@redhat.com> <56E7D4B8.80707@yahoo.co.uk> <56E8114F.9000304@redhat.com> <56E82DD2.4080501@yahoo.co.uk> <56E830D6.4030106@redhat.com>
Message-ID: <56E83D3C.4070405@yahoo.co.uk>

On 15/03/16 15:57, Rob Crittenden wrote:
> lejeczek wrote:
>> On 15/03/16 13:42, Rob Crittenden wrote:
>>> lejeczek wrote:
>>>> On 14/03/16 17:06, Rob Crittenden wrote:
>>>>> lejeczek wrote:
>>>>>> with...
>>>>>>
>>>>>> ipa: ERROR: group LDAP search did not return any
>>>>>> result (search base:
>>>>>> ou=groups,dc=ccnr,dc=biotechnology, objectclass:
>>>>>> groupofuniquenames,
>>>>>> groupofnames)
>>>>>>
>>>>>> I see users went in but later I realized that current
>>>>>> samba's ou was
>>>>>> "group" not groups.
>>>>>> Can I just re-run migrations?
>>>>> Yes. It will skip over anything that already exists in
>>>>> IPA.
>>>> thanks Rob, may I ask why process by defaults looks up
>>>> only objectclass:
>>>> groupofuniquenames, groupofnames?
>>> It is conservative but this is why it can be overridden.
>>>
>>>> Is there a reason it skips ldap+samba typical posixGroup &
>>>> sambaGroupMapping?
>>> We haven't had many (any?) reports of migrating from
>>> ldap+samba.
>>>
>>>> Lastly, is there a way to preserve account
>>>> locked/disabled status for
>>>> posix/samba?
>>> I don't know how it is stored but as long as the schema
>>> is available in
>>> IPA then the values should be preserved on migration
>>> unless the
>>> attributes are associated with a blacklisted objectclass.
>>>
>>> rob
>> I don't think it works, I guess it matters how ipa tools
>> map these
>> attributes, I'm particularly looking at:
>> ipa user-show
>> ... Account disabled: False
>> sambaAcctFlags gets migrated over, but shadow locked
>> users.... I wonder
>> how this works.
>> If I had posix !passwd in my ldap userdb then it's not
>> reflected in IPA,
>> unless "Account disabled" is for something else.
>
> IPA/389-ds uses nsAccountLock to lock accounts.
and in my case it could not work for I had (anybody sane would too) hashed pass in ldap userdb, am I right?
If one has hundreds of user s/he thinks, o! it'd be great to keep that account enabled/disabled status - would there be a way around it?
>
> rob
>
>

From peljasz at yahoo.co.uk Tue Mar 15 17:07:58 2016
From: peljasz at yahoo.co.uk (lejeczek)
Date: Tue, 15 Mar 2016 17:07:58 +0000
Subject: [Freeipa-users] can migrate-ds be safely re-run if it failed...
In-Reply-To: <56E818B6.4040200@yahoo.co.uk>
References: <56E6EDE1.6060103@yahoo.co.uk> <56E6EFA6.2050203@redhat.com> <56E7D4B8.80707@yahoo.co.uk> <56E8114F.9000304@redhat.com> <56E818B6.4040200@yahoo.co.uk>
Message-ID: <56E8416E.9020402@yahoo.co.uk>

On 15/03/16 14:14, lejeczek wrote:
> On 15/03/16 13:42, Rob Crittenden wrote:
>> lejeczek wrote:
>>> On 14/03/16 17:06, Rob Crittenden wrote:
>>>> lejeczek wrote:
>>>>> with...
>>>>>
>>>>> ipa: ERROR: group LDAP search did not return any
>>>>> result (search base:
>>>>> ou=groups,dc=ccnr,dc=biotechnology, objectclass:
>>>>> groupofuniquenames,
>>>>> groupofnames)
>>>>>
>>>>> I see users went in but later I realized that current
>>>>> samba's ou was
>>>>> "group" not groups.
>>>>> Can I just re-run migrations?
>>>> Yes. It will skip over anything that already exists in
>>>> IPA.
>>> thanks Rob, may I ask why process by defaults looks up
>>> only objectclass:
>>> groupofuniquenames, groupofnames?
>> It is conservative but this is why it can be overridden.
>>
>>> Is there a reason it skips ldap+samba typical posixGroup &
>>> sambaGroupMapping?
>> We haven't had many (any?) reports of migrating from
>> ldap+samba.
>>
>>> Lastly, is there a way to preserve account
>>> locked/disabled status for
>>> posix/samba?
>> I don't know how it is stored but as long as the schema is available in
>> IPA then the values should be preserved on migration
>> unless the
>> attributes are associated with a blacklisted objectclass.
>>
>> rob
>>
> last - this must most FAQ people wonder - can IPA's 389
> backend be used in the same/similar fashion samba uses
> ldap? skipping all the kerberos bits? (samba & IPA on the
> same one box)
> this might be more 389-ds related - in old days I remember
> DS had mozldap dedicated toolset, how is it these days?
> How do users deal with 389-ds IPA-related bits?
>
> many thanks
>
>
>
now when I've groups migrated I see mappings user-group are lost. Would it be because my groups did not go in first time together with users?

From rcritten at redhat.com Tue Mar 15 17:21:59 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 15 Mar 2016 13:21:59 -0400
Subject: [Freeipa-users] can migrate-ds be safely re-run if it failed...
In-Reply-To: <56E83D3C.4070405@yahoo.co.uk>
References: <56E6EDE1.6060103@yahoo.co.uk> <56E6EFA6.2050203@redhat.com> <56E7D4B8.80707@yahoo.co.uk> <56E8114F.9000304@redhat.com> <56E82DD2.4080501@yahoo.co.uk> <56E830D6.4030106@redhat.com> <56E83D3C.4070405@yahoo.co.uk>
Message-ID: <56E844B7.5050607@redhat.com>

lejeczek wrote:
> On 15/03/16 15:57, Rob Crittenden wrote:
>> lejeczek wrote:
>>> On 15/03/16 13:42, Rob Crittenden wrote:
>>>> lejeczek wrote:
>>>>> On 14/03/16 17:06, Rob Crittenden wrote:
>>>>>> lejeczek wrote:
>>>>>>> with...
>>>>>>>
>>>>>>> ipa: ERROR: group LDAP search did not return any result (search
>>>>>>> base:
>>>>>>> ou=groups,dc=ccnr,dc=biotechnology, objectclass: groupofuniquenames,
>>>>>>> groupofnames)
>>>>>>>
>>>>>>> I see users went in but later I realized that current samba's ou was
>>>>>>> "group" not groups.
>>>>>>> Can I just re-run migrations?
>>>>>> Yes. It will skip over anything that already exists in IPA.
>>>>> thanks Rob, may I ask why process by defaults looks up only
>>>>> objectclass:
>>>>> groupofuniquenames, groupofnames?
>>>> It is conservative but this is why it can be overridden.
>>>>
>>>>> Is there a reason it skips ldap+samba typical posixGroup &
>>>>> sambaGroupMapping?
>>>> We haven't had many (any?) reports of migrating from ldap+samba.
>>>>
>>>>> Lastly, is there a way to preserve account locked/disabled status for
>>>>> posix/samba?
>>>> I don't know how it is stored but as long as the schema is available in
>>>> IPA then the values should be preserved on migration unless the
>>>> attributes are associated with a blacklisted objectclass.
>>>>
>>>> rob
>>> I don't think it works, I guess it matters how ipa tools map these
>>> attributes, I'm particularly looking at:
>>> ipa user-show
>>> ... Account disabled: False
>>> sambaAcctFlags gets migrated over, but shadow locked users.... I wonder
>>> how this works.
>>> If I had posix !passwd in my ldap userdb then it's not reflected in IPA,
>>> unless "Account disabled" is for something else.
>>
>> IPA/389-ds uses nsAccountLock to lock accounts.
> and in my case it could not work for I had (anybody sane would too)
> hashed pass in ldap userdb, am I right?

What won't work? Migrated user passwords will work just fine.

> If one has hundreds of user s/he thinks, o! it'd be great to keep that
> account enabled/disabled status - would there be a way around it?

IPA isn't designed to be an LDAP backend for Samba so there isn't a lot of direct integration with the schema. You could write a plugin to keep the two attributes in sync.

For those already migrated it should be pretty easy to write an LDAP search to find them and then for each user call ipa user-disable

rob

From rcritten at redhat.com Tue Mar 15 17:22:36 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 15 Mar 2016 13:22:36 -0400
Subject: [Freeipa-users] can migrate-ds be safely re-run if it failed...
In-Reply-To: <56E8416E.9020402@yahoo.co.uk>
References: <56E6EDE1.6060103@yahoo.co.uk> <56E6EFA6.2050203@redhat.com> <56E7D4B8.80707@yahoo.co.uk> <56E8114F.9000304@redhat.com> <56E818B6.4040200@yahoo.co.uk> <56E8416E.9020402@yahoo.co.uk>
Message-ID: <56E844DC.4090803@redhat.com>

lejeczek wrote:
> On 15/03/16 14:14, lejeczek wrote:
>> On 15/03/16 13:42, Rob Crittenden wrote:
>>> lejeczek wrote:
>>>> On 14/03/16 17:06, Rob Crittenden wrote:
>>>>> lejeczek wrote:
>>>>>> with...
>>>>>>
>>>>>> ipa: ERROR: group LDAP search did not return any result (search base:
>>>>>> ou=groups,dc=ccnr,dc=biotechnology, objectclass: groupofuniquenames,
>>>>>> groupofnames)
>>>>>>
>>>>>> I see users went in but later I realized that current samba's ou was
>>>>>> "group" not groups.
>>>>>> Can I just re-run migrations?
>>>>> Yes. It will skip over anything that already exists in IPA.
>>>> thanks Rob, may I ask why process by defaults looks up only
>>>> objectclass:
>>>> groupofuniquenames, groupofnames?
>>> It is conservative but this is why it can be overridden.
>>>
>>>> Is there a reason it skips ldap+samba typical posixGroup &
>>>> sambaGroupMapping?
>>> We haven't had many (any?) reports of migrating from ldap+samba.
>>>
>>>> Lastly, is there a way to preserve account locked/disabled status for
>>>> posix/samba?
>>> I don't know how it is stored but as long as the schema is available in
>>> IPA then the values should be preserved on migration unless the
>>> attributes are associated with a blacklisted objectclass.
>>>
>>> rob
>>>
>> last - this must most FAQ people wonder - can IPA's 389 backend be
>> used in the same/similar fashion samba uses ldap? skipping all the
>> kerberos bits? (samba & IPA on the same one box)
>> this might be more 389-ds related - in old days I remember DS had
>> mozldap dedicated toolset, how is it these days? How do users deal
>> with 389-ds IPA-related bits?
>>
>> many thanks
>>
>>
>>
> now when I've groups migrated I see mappings user-group are lost. Would
> it be because my groups did not go in first time together with users?

Need more info. What do you mean by mappings are lost?

rob

From janellenicole80 at gmail.com Tue Mar 15 17:33:34 2016
From: janellenicole80 at gmail.com (Janelle)
Date: Tue, 15 Mar 2016 10:33:34 -0700
Subject: [Freeipa-users] can migrate-ds be safely re-run if it failed...
In-Reply-To: <56E844DC.4090803@redhat.com>
References: <56E6EDE1.6060103@yahoo.co.uk> <56E6EFA6.2050203@redhat.com> <56E7D4B8.80707@yahoo.co.uk> <56E8114F.9000304@redhat.com> <56E818B6.4040200@yahoo.co.uk> <56E8416E.9020402@yahoo.co.uk> <56E844DC.4090803@redhat.com>
Message-ID: <56E8476E.2010409@gmail.com>

The groups don't go on the 2nd pass because they already went on the first meant. I meant to reply to this the other day as I have had a lot of experience with re-running migration. Group membership for an already existing group, does NOT come over on the 2nd pass. I have found it is better to start fresh if you want a clean migration. Or, better yet, gather the group memberships via LDAP and migrate them by hand with a friendly script. I threw one together to do that pretty easily.

~J

On 3/15/16 10:22 AM, Rob Crittenden wrote:
> lejeczek wrote:
>> On 15/03/16 14:14, lejeczek wrote:
>>> On 15/03/16 13:42, Rob Crittenden wrote:
>>>> lejeczek wrote:
>>>>> On 14/03/16 17:06, Rob Crittenden wrote:
>>>>>> lejeczek wrote:
>>>>>>> with...
>>>>>>> >>>>>>> ipa: ERROR: group LDAP search did not return any result (search >>>>>>> base: >>>>>>> ou=groups,dc=ccnr,dc=biotechnology, objectclass: >>>>>>> groupofuniquenames, >>>>>>> groupofnames) >>>>>>> >>>>>>> I see users went in but later I realized that current samba's ou >>>>>>> was >>>>>>> "group" not groups. >>>>>>> Can I just re-run migrations? >>>>>> Yes. It will skip over anything that already exists in IPA. >>>>> thanks Rob, may I ask why process by defaults looks up only >>>>> objectclass: >>>>> groupofuniquenames, groupofnames? >>>> It is conservative but this is why it can be overridden. >>>> >>>>> Is there a reason it skips ldap+samba typical posixGroup & >>>>> sambaGroupMapping? >>>> We haven't had many (any?) reports of migrating from ldap+samba. >>>> >>>>> Lastly, is there a way to preserve account locked/disabled status for >>>>> posix/samba? >>>> I don't know how it is stored but as lon >>>> g as the schema is available in >>>> IPA then the values should be preserved on migration unless the >>>> attributes are associated with a blacklisted objectclass. >>>> >>>> rob >>>> >>> last - this must most FAQ people wonder - can IPA's 389 backend be >>> used in the same/similar fashion samba uses ldap? skipping all the >>> kerberos bits? (samba & IPA on the same one box) >>> this might be more 389-ds related - in old days I remember DS had >>> mozldap dedicated toolset, how is it these days? How do users deal >>> with 389-ds IPA-related bits? >>> >>> many thanks >>> >>> >>> >> now when I've groups migrated I see mappings user-group are lost. Would >> it be because my groups did not go in first time together with users? > > Need more info. What do you mean by mappings are lost? 
> > rob >
From harri at afaics.de Tue Mar 15 17:42:01 2016
From: harri at afaics.de (Harald Dunkel)
Date: Tue, 15 Mar 2016 18:42:01 +0100
Subject: [Freeipa-users] sssd.service start operation timed out
Message-ID: <56E84969.3090603@afaics.de>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi folks,

If I reboot my LXC server, then sssd doesn't come up in some containers. The logfile of an affected host shows

- -- Reboot --
Feb 27 17:17:23 lxc1.example.com systemd[1]: Starting System Security Services Daemon...
Feb 27 17:17:53 lxc1.example.com sssd[392]: Starting up
Feb 27 17:17:54 lxc1.example.com sssd[be[471]: Starting up
Feb 27 17:17:59 lxc1.example.com sssd[485]: Starting up
Feb 27 17:17:59 lxc1.example.com sssd[487]: Starting up
Feb 27 17:17:59 lxc1.example.com sssd[486]: Starting up
Feb 27 17:17:59 lxc1.example.com sssd[484]: Starting up
Feb 27 17:18:00 lxc1.example.com sssd[488]: Starting up
Feb 27 17:18:13 lxc1.example.com sssd_be[471]: GSSAPI client step 1
Feb 27 17:18:13 lxc1.example.com sssd_be[471]: GSSAPI client step 1
Feb 27 17:18:15 lxc1.example.com sssd_be[471]: GSSAPI client step 1
Feb 27 17:18:15 lxc1.example.com sssd_be[471]: GSSAPI client step 2
Feb 27 17:18:53 lxc1.example.com systemd[1]: sssd.service start operation timed out. Terminating.
Feb 27 17:18:53 lxc1.example.com sssd[485]: Shutting down
Feb 27 17:18:53 lxc1.example.com sssd[484]: Shutting down
Feb 27 17:18:53 lxc1.example.com sssd[488]: Shutting down
Feb 27 17:18:53 lxc1.example.com sssd[be[471]: Shutting down
Feb 27 17:18:53 lxc1.example.com sssd[487]: Shutting down
Feb 27 17:18:53 lxc1.example.com sssd[486]: Shutting down
Feb 27 17:18:53 lxc1.example.com systemd[1]: Failed to start System Security Services Daemon.
Feb 27 17:18:53 lxc1.example.com systemd[1]: Unit sssd.service entered failed state.

Shouldn't it keep on trying, or retry after a few minutes?

sssd is version 1.12.5. Google doesn't mention this problem, so I wonder what is happening here?
Every insightful comment is highly appreciated Harri From tbordaz at redhat.com Tue Mar 15 17:55:44 2016 From: tbordaz at redhat.com (thierry bordaz) Date: Tue, 15 Mar 2016 18:55:44 +0100 Subject: [Freeipa-users] ipa-replica-install IPA startup timing issue In-Reply-To: <56E714FB.10603@umanitoba.ca> References: <56E1F0E4.9080605@umanitoba.ca> <56E28490.6030406@redhat.com> <56E6C57D.3010203@umanitoba.ca> <56E6C8CA.6020800@redhat.com> <56E714FB.10603@umanitoba.ca> Message-ID: <56E84CA0.1090107@redhat.com> Hi Daryl, Thanks again for those logs and info. It confirms that slapi-nis tree priming delays DS startup (~1min10s). As Alexander mentioned it is now fixed with a differed priming. My understanding is that krb5kdc startup is intense on DS. It is not clear why but you may be right it is getting lot of config data. Problems are why it fails to start and ipareplica-install do not notice that failure. I will try to reproduce locally. I wanted to thank you again for all these feedbacks and tests regards theirry On 03/14/2016 08:46 PM, Daryl Fonseca-Holt wrote: > Hello Thierry, > > Attached is the pstacks from only the final DS restart. I don't think > they will show the whole picture. > > According to the debug log /var/log/ipareplica-install.log (attached) > the start of the krb5kdc.service (19:13:16Z) is successful, but the > krb5kdc log (attach) shows it is unable to fetch the master K/M at > 14:31:31CDT (-5hour offset). This is when the install log shows > kadmind failing.
> > In my experience with the master observing top there are two intense > times for ns-slapd-. The first when it start, of course, and > the second when krb5kdc starts. I assume this is because krb5kdc must > get it's configuration and data from the same DS. krb5kdc fails but > the ipareplica-install script isn't aware of it. Finally > kadmin.service tries to access krb5kdc and finds that it is dead. > > Please note these logs are with Schema Compatability and NIS plugins > turned off per the other e-mail from Alexander. > > I've noticed on a running master I can prevent this type of failure by > manually starting dirsrv (systemctl start dirsrv@.service), > watch top until all threads of ns-slapd have settled, then systemctl > start krb5kdc.service, again watching top until ns-slapd threads have > settled down before systemctl start kadmin.service. This kind of > manual intervention is is not possible when running the > ipareplica-install script. > > I will look into introducing a delay at the completion of the dirsrv > and krb5kdc systemd units and see if I can accommodate > ipareplica-install. Just as an experiment for now. I need to advance > the project into High Availability testing but cannot do so without a > functioning replica. > > Regards, Daryl > > On 03/14/16 09:20, thierry bordaz wrote: >> Hi Daryl, >> >> Thanks for all the data. I will look at the pstacks. A first look >> shows that you capture import, bind... so may be a complete >> ipa-replica-install session. >> I will try to retrieve the specific startup time to see what was >> going on at that time. >> If you have the time to monitor only startup, it will help me >> shrinking the set of pstacks. >> Startup of DS last > 1min. If you may start DS and as soon as the >> ns-slapd process is launched, do regular pstacks. Then when you are >> able to send a simple ldapsearch (ldapsearch -x -b "" -s base), you >> may stop taking pstacks. 
>> >> thanks >> thierry >> >> On 03/14/2016 03:06 PM, Daryl Fonseca-Holt wrote: >>> Hi Thierry, >>> >>> I moved the old logs into a subdirectory called try1. I did the >>> recommended ipa-server-install --uninstall. Tried the replica >>> install again. Failed during kadmind start like the previous time. >>> >>> The log from ipa-replica-install (with -d) is at >>> http://home.cc.umanitoba.ca/~fonsecah/ipa/ipareplica-install.log >>> The console script (mostly the same as the log but with my entries) >>> is at >>> http://home.cc.umanitoba.ca/~fonsecah/ipa/ipa-replica-install.console >>> The 5 second pstacks are at >>> http://home.cc.umanitoba.ca/~fonsecah/ipa/slapd-pstacks.console >>> >>> Thanks, Daryl >>> >>> >>> On 03/11/16 02:40, thierry bordaz wrote: >>>> Hello Deryl, >>>> >>>> My understanding is that ns-slapd is first slow to startup. >>>> Then when krb5kdc is starting it may load ns-slapd. >>>> >>>> We identified krb5kdc may be impacted by the number of users >>>> accounts. >>>> From the ns-slapd errors log it is not clear why it is so slow >>>> to start. >>>> >>>> Would you provide the ns-slapd access logs from that period. >>>> Also in order to know where ns-slapd is spending time, it would >>>> really help if you can get regular (each 5s) pstacks (with >>>> 389-ds-debuginfo), during DS startup and then later during >>>> krb5kdc startup. >>>> >>>> best regards >>>> thierry >>>> >>>> >>>> On 03/10/2016 11:10 PM, Daryl Fonseca-Holt wrote: >>>>> Environment: >>>>> RHEL 7.2 >>>>> IPA 4.2.0-15 >>>>> nss 3.19.1-19 >>>>> 389-ds-base 1.3.4.0-26 >>>>> sssd 1.13.0-40 >>>>> >>>>> >>>>> I've encountered this problem in IPA 3.0.0 but hoped it was >>>>> addressed in 4.2.0. >>>>> >>>>> Trying to set up a replica of a master with 150,000+ user >>>>> accounts, NIS and Schema Compatability enabled on the master. >>>>> >>>>> During ipa-replica-install it attempts to start IPA. dirsrv >>>>> starts, krb5kdc starts, but then kadmind fails because krb5kdc has >>>>> gone missing. 
>>>>> >>>>> This happens during restart of IPA in version 3.0.0 too. There it >>>>> can be overcome by manually starting each component of IPA _but_ >>>>> waiting until ns-slapd- has settled down (as seen from >>>>> top) before starting krb5kdc. I also think that the startup of >>>>> krb5kdc loads the LDAP instance quite a bit. >>>>> >>>>> There is a problem in the startup logic where dirsrv is so busy >>>>> that even though krb5kdc successfully starts and allows the kadmin >>>>> to begin kdb5kdc is not really able to do its duties. >>>>> >>>>> I'm reporting this since there must be some way to delay the start >>>>> of krb5kdc and then kadmind until ns-slapd- is really >>>>> open for business. >>>>> >>>>> # systemctl status krb5kdc.service >>>>> ? krb5kdc.service - Kerberos 5 KDC >>>>> Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; >>>>> disabled; vendor preset: disabled) >>>>> Active: inactive (dead) >>>>> >>>>> Mar 10 14:19:13 jutta.cc.umanitoba.ca systemd[1]: Stopped Kerberos >>>>> 5 KDC. >>>>> Mar 10 14:20:36 jutta.cc.umanitoba.ca systemd[1]: Starting >>>>> Kerberos 5 KDC... >>>>> Mar 10 14:20:39 jutta.cc.umanitoba.ca systemd[1]: Started Kerberos >>>>> 5 KDC. >>>>> >>>>> # systemctl status krb5kdc.service >>>>> ? krb5kdc.service - Kerberos 5 KDC >>>>> Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; >>>>> disabled; vendor preset: disabled) >>>>> Active: inactive (dead) >>>>> >>>>> Mar 10 14:19:13 jutta.cc.umanitoba.ca systemd[1]: Stopped Kerberos >>>>> 5 KDC. >>>>> Mar 10 14:20:36 jutta.cc.umanitoba.ca systemd[1]: Starting >>>>> Kerberos 5 KDC... >>>>> Mar 10 14:20:39 jutta.cc.umanitoba.ca systemd[1]: Started Kerberos >>>>> 5 KDC. >>>>> >>>>> journalctl -xe was stale by the time I got to it so I've attached >>>>> /var/log/messages instead. 
>>>>> >>>>> The log from ipa-replica-install (with -d) is at >>>>> http://home.cc.umanitoba.ca/~fonsecah/ipa/ipareplica-install.log >>>>> The console script (mostly the same as the log but with my >>>>> entries) is at >>>>> http://home.cc.umanitoba.ca/~fonsecah/ipa/ipa-replica-install.console >>>>> The /var/log/dirsrv/ns-slapd- access log is at >>>>> http://home.cc.umanitoba.ca/~fonsecah/ipa/access >>>>> >>>>> Regards, Daryl >>>>> >>>>> >>>>> >>>> >>> >>> -- >>> -- >>> Daryl Fonseca-Holt >>> IST/CNS/Unix Server Team >>> University of Manitoba >>> 204.480.1079 >> > > -- > -- > Daryl Fonseca-Holt > IST/CNS/Unix Server Team > University of Manitoba > 204.480.1079 -------------- next part -------------- An HTML attachment was scrubbed... URL: From jhrozek at redhat.com Tue Mar 15 18:21:55 2016 From: jhrozek at redhat.com (Jakub Hrozek) Date: Tue, 15 Mar 2016 19:21:55 +0100 Subject: [Freeipa-users] sssd.service start operation timed out In-Reply-To: <56E84969.3090603@afaics.de> References: <56E84969.3090603@afaics.de> Message-ID: <20160315182155.GH25240@hendrix.redhat.com> On Tue, Mar 15, 2016 at 06:42:01PM +0100, Harald Dunkel wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > Hi folks, > > If I reboot my LXC server, then sssd doesn't come up in some containers. > The logfile of an affected host shows > > - -- Reboot -- > Feb 27 17:17:23 lxc1.example.com systemd[1]: Starting System Security Services Daemon... 
> Feb 27 17:17:53 lxc1.example.com sssd[392]: Starting up > Feb 27 17:17:54 lxc1.example.com sssd[be[471]: Starting up > Feb 27 17:17:59 lxc1.example.com sssd[485]: Starting up > Feb 27 17:17:59 lxc1.example.com sssd[487]: Starting up > Feb 27 17:17:59 lxc1.example.com sssd[486]: Starting up > Feb 27 17:17:59 lxc1.example.com sssd[484]: Starting up > Feb 27 17:18:00 lxc1.example.com sssd[488]: Starting up > Feb 27 17:18:13 lxc1.example.com sssd_be[471]: GSSAPI client step 1 > Feb 27 17:18:13 lxc1.example.com sssd_be[471]: GSSAPI client step 1 > Feb 27 17:18:15 lxc1.example.com sssd_be[471]: GSSAPI client step 1 > Feb 27 17:18:15 lxc1.example.com sssd_be[471]: GSSAPI client step 2 > Feb 27 17:18:53 lxc1.example.com systemd[1]: sssd.service start operation timed out. Terminating. > Feb 27 17:18:53 lxc1.example.com sssd[485]: Shutting down > Feb 27 17:18:53 lxc1.example.com sssd[484]: Shutting down > Feb 27 17:18:53 lxc1.example.com sssd[488]: Shutting down > Feb 27 17:18:53 lxc1.example.com sssd[be[471]: Shutting down > Feb 27 17:18:53 lxc1.example.com sssd[487]: Shutting down > Feb 27 17:18:53 lxc1.example.com sssd[486]: Shutting down > Feb 27 17:18:53 lxc1.example.com systemd[1]: Failed to start System Security Services Daemon. > Feb 27 17:18:53 lxc1.example.com systemd[1]: Unit sssd.service entered failed state. > > Shouldn't it keep on trying, or retry after a few minutes? We don't have any such functionality.. > > sssd is version 1.12.5. Google doesn't mention this problem, so I > wonder what is happening here? I would suggest to look into the sssd logs.. From rcritten at redhat.com Tue Mar 15 18:57:56 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 15 Mar 2016 14:57:56 -0400 Subject: [Freeipa-users] can migrate-ds be safely re-run if it failed... 
In-Reply-To: <56E8476E.2010409@gmail.com> References: <56E6EDE1.6060103@yahoo.co.uk> <56E6EFA6.2050203@redhat.com> <56E7D4B8.80707@yahoo.co.uk> <56E8114F.9000304@redhat.com> <56E818B6.4040200@yahoo.co.uk> <56E8416E.9020402@yahoo.co.uk> <56E844DC.4090803@redhat.com> <56E8476E.2010409@gmail.com> Message-ID: <56E85B34.6080403@redhat.com> Janelle wrote: > The groups don't go on the 2nd pass because they already went on the > first meant. I meant to reply to this the other day as I have had a lot > of experience with re-running migration. Group membership for an already > existing group, does NOT come over on the 2nd pass. I have found it is > better to start fresh if you want a clean migration. Or, better yet, > gather the group memberships via LDAP and migrate them by hand with a > friendly script. I through one together to do that pretty easily. Right, if a group already exists it is assumed to have either been migrated successfully or was a pre-existing group, in either case no further action is taken. rob > > ~J > > On 3/15/16 10:22 AM, Rob Crittenden wrote: >> lejeczek wrote: >>> On 15/03/16 14:14, lejeczek wrote: >>>> On 15/03/16 13:42, Rob Crittenden wrote: >>>>> lejeczek wrote: >>>>>> On 14/03/16 17:06, Rob Crittenden wrote: >>>>>>> lejeczek wrote: >>>>>>>> with... >>>>>>>> >>>>>>>> ipa: ERROR: group LDAP search did not return any result (search >>>>>>>> base: >>>>>>>> ou=groups,dc=ccnr,dc=biotechnology, objectclass: >>>>>>>> groupofuniquenames, >>>>>>>> groupofnames) >>>>>>>> >>>>>>>> I see users went in but later I realized that current samba's ou >>>>>>>> was >>>>>>>> "group" not groups. >>>>>>>> Can I just re-run migrations? >>>>>>> Yes. It will skip over anything that already exists in IPA. >>>>>> thanks Rob, may I ask why process by defaults looks up only >>>>>> objectclass: >>>>>> groupofuniquenames, groupofnames? >>>>> It is conservative but this is why it can be overridden. 
>>>>> >>>>>> Is there a reason it skips ldap+samba typical posixGroup & >>>>>> sambaGroupMapping? >>>>> We haven't had many (any?) reports of migrating from ldap+samba. >>>>> >>>>>> Lastly, is there a way to preserve account locked/disabled status for >>>>>> posix/samba? >>>>> I don't know how it is stored but as lon >>>>> g as the schema is available in >>>>> IPA then the values should be preserved on migration unless the >>>>> attributes are associated with a blacklisted objectclass. >>>>> >>>>> rob >>>>> >>>> last - this must most FAQ people wonder - can IPA's 389 backend be >>>> used in the same/similar fashion samba uses ldap? skipping all the >>>> kerberos bits? (samba & IPA on the same one box) >>>> this might be more 389-ds related - in old days I remember DS had >>>> mozldap dedicated toolset, how is it these days? How do users deal >>>> with 389-ds IPA-related bits? >>>> >>>> many thanks >>>> >>>> >>>> >>> now when I've groups migrated I see mappings user-group are lost. Would >>> it be because my groups did not go in first time together with users? >> >> Need more info. What do you mean by mappings are lost? >> >> rob >> > From harri at afaics.de Tue Mar 15 20:13:34 2016 From: harri at afaics.de (Harald Dunkel) Date: Tue, 15 Mar 2016 21:13:34 +0100 Subject: [Freeipa-users] sssd.service start operation timed out In-Reply-To: <20160315182155.GH25240@hendrix.redhat.com> References: <56E84969.3090603@afaics.de> <20160315182155.GH25240@hendrix.redhat.com> Message-ID: <56E86CEE.4090302@afaics.de> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 03/15/16 19:21, Jakub Hrozek wrote: > On Tue, Mar 15, 2016 at 06:42:01PM +0100, Harald Dunkel wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> >> Shouldn't it keep on trying, or retry after a few minutes? > > We don't have any such functionality.. > Understood. Obviously the dependencies and parameters listed in sssd.service are not sufficient to guarantee a smooth system startup for sssd. 
Except for sssd the system booted fine, so I wonder what is different with sssd? >> >> sssd is version 1.12.5. Google doesn't mention this problem, so I wonder what is happening here? > > I would suggest to look into the sssd logs.. > I did, of course. There was no error message except (Sat Feb 27 17:18:53 2016) [sssd] [monitor_cleanup] (0x0010): Error removing pidfile! (2 [No such file or directory]) Looking at the time entry it seems this message came up after the timeout. Regards Harri From ftweedal at redhat.com Wed Mar 16 00:21:03 2016 From: ftweedal at redhat.com (Fraser Tweedale) Date: Wed, 16 Mar 2016 10:21:03 +1000 Subject: [Freeipa-users] User certificate workflow In-Reply-To: References: <56E7CCBE.2080006@redhat.com> Message-ID: <20160316002103.GB18277@dhcp-40-8.bne.redhat.com> On Tue, Mar 15, 2016 at 09:39:12AM +0000, Alessandro De Maria wrote: > Thank you Martin that's very helpful. > > The annoying thing about cut/paste from web ui is that the cert is not > wrapped at 60 chars like it should be, but I guess I'll have to wait for > the save certificate functionality. > Any idea of then that's planned for? > > Regards > Alessandro > Hi Alessandro, The easiest way to get the cert is with the `ipa user-show` (if it was saved to the IPA direct after issuance, which is controlled by the `store` option Martin mentioned). E.g.: ipa user-show alice --out=cert.pem Which will save alice's certificate(s) to the file `cert.pem`.
If you copy the data from the web UI and save it to a file, the following will convert it to PEM:

    base64 -d < cert.txt | openssl x509 -inform DER > cert.pem

Finally, to configure a profile to issue certificates with a validity of X days, the relevant profile configuration is:

    policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
    policyset.serverCertSet.2.constraint.name=Validity Constraint
    policyset.serverCertSet.2.constraint.params.range=740
    policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
    policyset.serverCertSet.2.constraint.params.notAfterCheck=false
    policyset.serverCertSet.2.default.class_id=validityDefaultImpl
    policyset.serverCertSet.2.default.name=Validity Default
    policyset.serverCertSet.2.default.params.range=X
    policyset.serverCertSet.2.default.params.startTime=0

Replace `X` above with the desired lifetime in days. (Note that the index (`2`, above) may be different for different profiles.)

Cheers,
Fraser

> On 15 March 2016 at 08:50, Martin Babinsky wrote:
>
> > On 03/15/2016 08:39 AM, Alessandro De Maria wrote:
> >
> >> Hello,
> >>
> >> I would like to have authenticated users to upload a csr request and
> >> have their certificate automatically signed. Their certificate would
> >> expire in x days.
> >>
> >> Given the short life of the certificate, I would then like them to be
> >> able to easily download the certificate.
> >>
> >> Any suggestion on how to do it?
> >> I would prefer the shell script approach but also having it self
> >> serviced on the web ui would be great.
> >> > >> Regards > >> > >> > >> -- > >> Alessandro De Maria > >> alessandro.demaria at gmail.com > >> > >> > >> > > Hi Alessandro, > > > > for FreeIPA 4.2+ you can use the following links as a guide to set up a > > custom profile and CA ACL rules so that users can request certificates for > > themselves: > > > > http://www.freeipa.org/page/V4/User_Certificates#How_to_Test > > > > https://blog-ftweedal.rhcloud.com/2015/08/user-certificates-and-custom-profiles-with-freeipa-4-2/ > > > > The user then can generate CSR request e.g. using OpenSSL and use 'ipa > > cert-request' to send it to IPA CA. If you specify 'store=True' when adding > > the custom certificate profile, the certificate will be added to the user > > entry as 'usercertificate;binary' attribute which he can view from > > CLI/WebUI as PEM and save it to a file by copy-pasting it (The > > functionality to save the certificate directly to a file is under > > development). > > > > It should be possible to modify the certificate profile to restrict the > > maximum validity of the issued certificate but I have no knowledge about > > that. I have CC'ed Fraser Tweedale (the blog post author), he may help you > > with this. 
> > > > -- > > Martin^3 Babinsky > > > > -- > > Manage your subscription for the Freeipa-users mailing list: > > https://www.redhat.com/mailman/listinfo/freeipa-users > > Go to http://freeipa.org for more info on the project > > > > > > -- > Alessandro De Maria > alessandro.demaria at gmail.com > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project From jhrozek at redhat.com Wed Mar 16 08:30:24 2016 From: jhrozek at redhat.com (Jakub Hrozek) Date: Wed, 16 Mar 2016 09:30:24 +0100 Subject: [Freeipa-users] sssd.service start operation timed out In-Reply-To: <56E86CEE.4090302@afaics.de> References: <56E84969.3090603@afaics.de> <20160315182155.GH25240@hendrix.redhat.com> <56E86CEE.4090302@afaics.de> Message-ID: <20160316083024.GI25240@hendrix.redhat.com> On Tue, Mar 15, 2016 at 09:13:34PM +0100, Harald Dunkel wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > On 03/15/16 19:21, Jakub Hrozek wrote: > > On Tue, Mar 15, 2016 at 06:42:01PM +0100, Harald Dunkel wrote: > >> -----BEGIN PGP SIGNED MESSAGE----- > >> > >> Shouldn't it keep on trying, or retry after a few minutes? > > > > We don't have any such functionality.. > > > > Understood. Obviously the dependencies and parameters listed > in sssd.service are not sufficient to guarantee a smooth > system startup for sssd. Except for sssd the system booted > fine, so I wonder what is different with sssd? If you can reproduce the issue, it would be nice to increase the debug_level a bit so that the debug logs are more verbose.. From peljasz at yahoo.co.uk Wed Mar 16 11:33:15 2016 From: peljasz at yahoo.co.uk (lejeczek) Date: Wed, 16 Mar 2016 11:33:15 +0000 Subject: [Freeipa-users] can migrate-ds be safely re-run if it failed... 
In-Reply-To: <56E844DC.4090803@redhat.com> References: <56E6EDE1.6060103@yahoo.co.uk> <56E6EFA6.2050203@redhat.com> <56E7D4B8.80707@yahoo.co.uk> <56E8114F.9000304@redhat.com> <56E818B6.4040200@yahoo.co.uk> <56E8416E.9020402@yahoo.co.uk> <56E844DC.4090803@redhat.com> Message-ID: <56E9447B.1050805@yahoo.co.uk> On 15/03/16 17:22, Rob Crittenden wrote: > lejeczek wrote: >> On 15/03/16 14:14, lejeczek wrote: >>> On 15/03/16 13:42, Rob Crittenden wrote: >>>> lejeczek wrote: >>>>> On 14/03/16 17:06, Rob Crittenden wrote: >>>>>> lejeczek wrote: >>>>>>> with... >>>>>>> >>>>>>> ipa: ERROR: group LDAP search did not return any >>>>>>> result (search base: >>>>>>> ou=groups,dc=ccnr,dc=biotechnology, objectclass: >>>>>>> groupofuniquenames, >>>>>>> groupofnames) >>>>>>> >>>>>>> I see users went in but later I realized that >>>>>>> current samba's ou was >>>>>>> "group" not groups. >>>>>>> Can I just re-run migrations? >>>>>> Yes. It will skip over anything that already exists >>>>>> in IPA. >>>>> thanks Rob, may I ask why process by defaults looks up >>>>> only >>>>> objectclass: >>>>> groupofuniquenames, groupofnames? >>>> It is conservative but this is why it can be overridden. >>>> >>>>> Is there a reason it skips ldap+samba typical >>>>> posixGroup & >>>>> sambaGroupMapping? >>>> We haven't had many (any?) reports of migrating from >>>> ldap+samba. >>>> >>>>> Lastly, is there a way to preserve account >>>>> locked/disabled status for >>>>> posix/samba? >>>> I don't know how it is stored but as lon >>>> g as the schema is available in >>>> IPA then the values should be preserved on migration >>>> unless the >>>> attributes are associated with a blacklisted objectclass. >>>> >>>> rob >>>> >>> last - this must most FAQ people wonder - can IPA's 389 >>> backend be >>> used in the same/similar fashion samba uses ldap? >>> skipping all the >>> kerberos bits? 
(samba & IPA on the same one box) >>> this might be more 389-ds related - in old days I >>> remember DS had >>> mozldap dedicated toolset, how is it these days? How do >>> users deal >>> with 389-ds IPA-related bits? >>> >>> many thanks >>> >>> >>> >> now when I've groups migrated I see mappings user-group >> are lost. Would >> it be because my groups did not go in first time together >> with users? > > Need more info. What do you mean by mappings are lost? > yes, sorry, supplementary groups, these are there but I don't see id command confirms user is a member. > rob > > From alessandro.demaria at gmail.com Wed Mar 16 11:37:54 2016 From: alessandro.demaria at gmail.com (Alessandro De Maria) Date: Wed, 16 Mar 2016 11:37:54 +0000 Subject: [Freeipa-users] User certificate workflow In-Reply-To: <20160316002103.GB18277@dhcp-40-8.bne.redhat.com> References: <56E7CCBE.2080006@redhat.com> <20160316002103.GB18277@dhcp-40-8.bne.redhat.com> Message-ID: Fantastic thank you! On 16 Mar 2016 12:21 a.m., "Fraser Tweedale" wrote: > On Tue, Mar 15, 2016 at 09:39:12AM +0000, Alessandro De Maria wrote: > > Thank you Martin that's very helpful. > > > > The annoying thing about cut/paste from web ui is that the cert is not > > wrapped at 60 chars like it should be, but I guess I'll have to wait for > > the save certificate functionality. > > Any idea of then that's planned for? > > > > Regards > > Alessandro > > > Hi Alessandro, > > The easiest way to get the cert is with the `ipa user-show` (if > it was saved to the IPA direct after issuance, which is controlled > by the `store` option Martin mentioned). E.g.: > > ipa user-show alice --out=cert.pem > > Which will save alice's certificate(s) to the file `cert.pem`. 
> > If you copy the data from the web UI and save it to a file, the > following will convert it to PEM: > > base64 -d < cert.txt | openssl x509 -inform DER > cert.pem > > Finally, to configure a profile to issue certificates with a > validity of X days, the relevant profile configuration is: > > policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl > policyset.serverCertSet.2.constraint.name=Validity Constraint > policyset.serverCertSet.2.constraint.params.range=740 > policyset.serverCertSet.2.constraint.params.notBeforeCheck=false > policyset.serverCertSet.2.constraint.params.notAfterCheck=false > policyset.serverCertSet.2.default.class_id=validityDefaultImpl > policyset.serverCertSet.2.default.name=Validity Default > policyset.serverCertSet.2.default.params.range=X > policyset.serverCertSet.2.default.params.startTime=0 > > Replace `X` above with the desired lifetime in days. (Note that the > index (`2`, above) may be different for different profiles.) > > Cheers, > Fraser > > > On 15 March 2016 at 08:50, Martin Babinsky wrote: > > > > > On 03/15/2016 08:39 AM, Alessandro De Maria wrote: > > > > > >> Hello, > > >> > > >> I would like to have authenticated users to upload a csr request and > > >> have their certificate automatically signed. Their certificate would > > >> expire in x days. > > >> > > >> Given the short life of the certificate, I would then like them to be > > >> able to easily download the certificate. > > >> > > >> Any suggestion on how to do it? > > >> I would prefer the shell script approach but also having it self > > >> serviced on the web ui would be great. 
> > >> > > >> Regards > > >> > > >> > > >> -- > > >> Alessandro De Maria > > >> alessandro.demaria at gmail.com > > >> > > >> > > >> > > > Hi Alessandro, > > > > > > for FreeIPA 4.2+ you can use the following links as a guide to set up a > > > custom profile and CA ACL rules so that users can request certificates > for > > > themselves: > > > > > > http://www.freeipa.org/page/V4/User_Certificates#How_to_Test > > > > > > > https://blog-ftweedal.rhcloud.com/2015/08/user-certificates-and-custom-profiles-with-freeipa-4-2/ > > > > > > The user then can generate CSR request e.g. using OpenSSL and use 'ipa > > > cert-request' to send it to IPA CA. If you specify 'store=True' when > adding > > > the custom certificate profile, the certificate will be added to the > user > > > entry as 'usercertificate;binary' attribute which he can view from > > > CLI/WebUI as PEM and save it to a file by copy-pasting it (The > > > functionality to save the certificate directly to a file is under > > > development). > > > > > > It should be possible to modify the certificate profile to restrict the > > > maximum validity of the issued certificate but I have no knowledge > about > > > that. I have CC'ed Fraser Tweedale (the blog post author), he may help > you > > > with this. > > > > > > -- > > > Martin^3 Babinsky > > > > > > -- > > > Manage your subscription for the Freeipa-users mailing list: > > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > Go to http://freeipa.org for more info on the project > > > > > > > > > > > -- > > Alessandro De Maria > > alessandro.demaria at gmail.com > > > -- > > Manage your subscription for the Freeipa-users mailing list: > > https://www.redhat.com/mailman/listinfo/freeipa-users > > Go to http://freeipa.org for more info on the project > > -------------- next part -------------- An HTML attachment was scrubbed... 
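The profile settings quoted above from Fraser's reply, as an added example that is not part of the original thread or of FreeIPA/Dogtag: a shell helper that finds whichever policy index holds `validityDefaultImpl`, sets its `default.params.range`, and refuses a value above the `range` of the constraint at the same index. The sample profile (index 7, 731 days) and all function names are constructed, and treating the constraint's `range` as the longest lifetime the profile accepts is an assumption.

```shell
#!/bin/sh
# Added example: set the certificate lifetime in an exported profile file.
# sample_profile, validity_prefix, get_value and set_validity_days are
# hypothetical helper names, not part of any IPA or Dogtag tool.

# Constructed sample: the validity policy sits at index 7 here, not 2,
# to show why the index must be looked up rather than hard-coded.
sample_profile() {
    cat <<'EOF'
policyset.serverCertSet.2.default.class_id=keyUsageExtDefaultImpl
policyset.serverCertSet.7.constraint.class_id=validityConstraintImpl
policyset.serverCertSet.7.constraint.name=Validity Constraint
policyset.serverCertSet.7.constraint.params.range=740
policyset.serverCertSet.7.constraint.params.notBeforeCheck=false
policyset.serverCertSet.7.constraint.params.notAfterCheck=false
policyset.serverCertSet.7.default.class_id=validityDefaultImpl
policyset.serverCertSet.7.default.name=Validity Default
policyset.serverCertSet.7.default.params.range=731
policyset.serverCertSet.7.default.params.startTime=0
EOF
}

# Print the key prefix (e.g. policyset.serverCertSet.7) of the policy whose
# default class is validityDefaultImpl; prints nothing if there is none.
validity_prefix() {
    sed -n 's/^\(policyset\.[^.]*\.[0-9][0-9]*\)\.default\.class_id=validityDefaultImpl[[:space:]]*$/\1/p' "$1" |
        head -n 1
}

# get_value FILE KEY: print the value of an exact KEY=value line.
get_value() {
    awk -v k="$2" 'index($0, k "=") == 1 { print substr($0, length(k) + 2); exit }' "$1"
}

# set_validity_days FILE DAYS: rewrite default.params.range in place.
# Returns 2 for a bad DAYS, 3 if no validity policy exists, 4 if DAYS is
# larger than the constraint range (assumed to be the accepted maximum).
set_validity_days() {
    file=$1
    days=$2
    case $days in
        ''|*[!0-9]*) echo "days must be a positive integer" >&2; return 2 ;;
    esac
    [ "$days" -gt 0 ] || { echo "days must be a positive integer" >&2; return 2; }

    prefix=$(validity_prefix "$file")
    [ -n "$prefix" ] || { echo "no validityDefaultImpl policy in $file" >&2; return 3; }

    max=$(get_value "$file" "$prefix.constraint.params.range")
    case $max in
        ''|*[!0-9]*) ;;   # no numeric constraint found: nothing to compare
        *)
            if [ "$days" -gt "$max" ]; then
                echo "requested $days days exceeds constraint range $max" >&2
                return 4
            fi
            ;;
    esac

    tmp=$(mktemp) || return 1
    if awk -v k="$prefix.default.params.range" -v d="$days" '
            index($0, k "=") == 1 { print k "=" d; next }
            { print }' "$file" > "$tmp"
    then
        cat "$tmp" > "$file"
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Demo on the constructed sample: request a 30-day lifetime.
demo_file=$(mktemp) && {
    sample_profile > "$demo_file"
    set_validity_days "$demo_file" 30 &&
        grep 'default.params.range' "$demo_file"
    rm -f "$demo_file"
}
```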
URL: From harri at afaics.de Wed Mar 16 13:30:40 2016 From: harri at afaics.de (Harald Dunkel) Date: Wed, 16 Mar 2016 14:30:40 +0100 Subject: [Freeipa-users] sssd.service start operation timed out In-Reply-To: <20160316083024.GI25240@hendrix.redhat.com> References: <56E84969.3090603@afaics.de> <20160315182155.GH25240@hendrix.redhat.com> <56E86CEE.4090302@afaics.de> <20160316083024.GI25240@hendrix.redhat.com> Message-ID: <56E96000.6000001@afaics.de> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Hi Jakub, On 03/16/16 09:30, Jakub Hrozek wrote: > > If you can reproduce the issue, it would be nice to increase the debug_level a bit so that the debug logs are more verbose.. > Using debug level 9 I got (Wed Mar 16 13:24:57 2016) [sssd] [server_setup] (0x0400): CONFDB: /var/lib/sss/db/config.ldb (Wed Mar 16 13:25:00 2016) [sssd] [ldb] (0x4000): Added timed event "ltdb_callback": 0xb3c2a0 (Wed Mar 16 13:25:00 2016) [sssd] [ldb] (0x4000): Added timed event "ltdb_timeout": 0xb3c360 (Wed Mar 16 13:25:00 2016) [sssd] [ldb] (0x4000): Running timer event 0xb3c2a0 "ltdb_callback" (Wed Mar 16 13:25:00 2016) [sssd] [ldb] (0x4000): Destroying timer event 0xb3c360 "ltdb_timeout" (Wed Mar 16 13:25:00 2016) [sssd] [ldb] (0x4000): Ending timer event 0xb3c2a0 "ltdb_callback" (Wed Mar 16 13:25:00 2016) [sssd] [ldb] (0x4000): no modules required by the db (Wed Mar 16 13:25:00 2016) [sssd] [ldb] (0x4000): No modules specified for this database (Wed Mar 16 13:25:00 2016) [sssd] [ldb] (0x4000): Added timed event "ltdb_callback": 0xb3c2d0 (Wed Mar 16 13:25:00 2016) [sssd] [ldb] (0x4000): Added timed event "ltdb_timeout": 0xb3c390 (Wed Mar 16 13:25:00 2016) [sssd] [ldb] (0x4000): Running timer event 0xb3c2d0 "ltdb_callback" (Wed Mar 16 13:25:00 2016) [sssd] [ldb] (0x4000): Destroying timer event 0xb3c390 "ltdb_timeout" (Wed Mar 16 13:25:00 2016) [sssd] [ldb] (0x4000): Ending timer event 0xb3c2d0 "ltdb_callback" (Wed Mar 16 13:25:00 2016) [sssd] [ldb] (0x4000): Added timed event 
"ltdb_callback": 0xb3c4e0 (Wed Mar 16 13:25:00 2016) [sssd] [ldb] (0x4000): Added timed event "ltdb_timeout": 0xb3c5a0 (Wed Mar 16 13:25:00 2016) [sssd] [ldb] (0x4000): Running timer event 0xb3c4e0 "ltdb_callback" (Wed Mar 16 13:25:00 2016) [sssd] [ldb] (0x4000): Destroying timer event 0xb3c5a0 "ltdb_timeout" (Wed Mar 16 13:25:00 2016) [sssd] [ldb] (0x4000): Ending timer event 0xb3c4e0 "ltdb_callback" (Wed Mar 16 13:25:00 2016) [sssd] [sysdb_domain_init_internal] (0x0200): DB File for example.com: /var/lib/sss/db/cache_example.com.ldb (Wed Mar 16 13:25:01 2016) [sssd] [ldb] (0x4000): Added timed event "ltdb_callback": 0xb3dbe0 (Wed Mar 16 13:25:01 2016) [sssd] [ldb] (0x4000): Added timed event "ltdb_timeout": 0xb3dca0 (Wed Mar 16 13:25:01 2016) [sssd] [ldb] (0x4000): Running timer event 0xb3dbe0 "ltdb_callback" (Wed Mar 16 13:25:01 2016) [sssd] [ldb] (0x4000): Destroying timer event 0xb3dca0 "ltdb_timeout" (Wed Mar 16 13:25:01 2016) [sssd] [ldb] (0x4000): Ending timer event 0xb3dbe0 "ltdb_callback" (Wed Mar 16 13:25:01 2016) [sssd] [ldb] (0x0400): asq: Unable to register control with rootdse! 
(Wed Mar 16 13:25:01 2016) [sssd] [ldb] (0x4000): Added timed event "ltdb_callback": 0xb3dd80 (Wed Mar 16 13:25:01 2016) [sssd] [ldb] (0x4000): Added timed event "ltdb_timeout": 0xb3de40 (Wed Mar 16 13:25:01 2016) [sssd] [ldb] (0x4000): Running timer event 0xb3dd80 "ltdb_callback" (Wed Mar 16 13:25:01 2016) [sssd] [ldb] (0x4000): Destroying timer event 0xb3de40 "ltdb_timeout" (Wed Mar 16 13:25:01 2016) [sssd] [ldb] (0x4000): Ending timer event 0xb3dd80 "ltdb_callback" (Wed Mar 16 13:25:01 2016) [sssd] [ldb] (0x4000): Added timed event "ltdb_callback": 0xb3dfd0 (Wed Mar 16 13:25:01 2016) [sssd] [ldb] (0x4000): Added timed event "ltdb_timeout": 0xb3e090 (Wed Mar 16 13:25:01 2016) [sssd] [ldb] (0x4000): Running timer event 0xb3dfd0 "ltdb_callback" (Wed Mar 16 13:25:01 2016) [sssd] [ldb] (0x4000): Destroying timer event 0xb3e090 "ltdb_timeout" (Wed Mar 16 13:25:01 2016) [sssd] [ldb] (0x4000): Ending timer event 0xb3dfd0 "ltdb_callback" (Wed Mar 16 13:25:04 2016) [sssd] [sbus_new_server] (0x0400): D-BUS Server listening on unix:path=/var/lib/sss/pipes/private/sbus-monitor,guid=d5f35f30568405c90a0fc9e756e950a0 (Wed Mar 16 13:25:05 2016) [sssd] [sbus_add_watch] (0x2000): 0xb3e070/0xb3dda0 (14), R/- (enabled) (Wed Mar 16 13:25:05 2016) [sssd] [get_ping_config] (0x0100): Time between service pings for [example.com]: [10] (Wed Mar 16 13:25:05 2016) [sssd] [get_ping_config] (0x0100): Time between SIGTERM and SIGKILL for [example.com]: [60] (Wed Mar 16 13:25:05 2016) [sssd] [start_service] (0x0100): Queueing service example.com for startup (Wed Mar 16 13:25:06 2016) [sssd] [monitor_quit_signal] (0x2000): Received shutdown command (Wed Mar 16 13:25:08 2016) [sssd] [monitor_quit_signal] (0x0040): Monitor received Terminated: terminating children (Wed Mar 16 13:25:08 2016) [sssd] [monitor_quit] (0x0040): Returned with: 0 (Wed Mar 16 13:25:08 2016) [sssd] [monitor_quit] (0x0020): Terminating [example.com][474] (Wed Mar 16 13:25:08 2016) [sssd] [monitor_quit] (0x0020): Child 
[example.com] terminated with a signal (Wed Mar 16 13:25:08 2016) [sssd] [monitor_cleanup] (0x0010): Error removing pidfile! (2 [No such file or directory]) (Wed Mar 16 13:25:08 2016) [sssd] [sbus_remove_watch] (0x2000): 0xb3e070/0xb3dda0 daemon.log shows : Mar 16 13:16:57 lxc10 systemd[1]: Stopping Getty on tty1... Mar 16 13:16:57 lxc10 systemd[1]: Stopping Getty on tty4... Mar 16 13:16:57 lxc10 systemd[1]: Stopping Container Getty on /dev/pts/3... Mar 16 13:16:57 lxc10 systemd[1]: Stopping Container Getty on /dev/pts/2... Mar 16 13:24:28 lxc10 systemd[1]: Started Remount Root and Kernel File Systems. Mar 16 13:24:28 lxc10 systemd[1]: Started Various fixups to make systemd work better on Debian. Mar 16 13:24:28 lxc10 systemd[1]: Starting Load/Save Random Seed... Mar 16 13:24:28 lxc10 systemd[1]: Starting Local File Systems (Pre). : Mar 16 13:24:28 lxc10 systemd[1]: Started System Logging Service. Mar 16 13:24:41 lxc10 exim4[189]: Starting MTA: exim4. Mar 16 13:24:41 lxc10 systemd[1]: Started LSB: exim Mail Transport Agent. Mar 16 13:24:43 lxc10 dbus[191]: [system] Connection has not authenticated soon enough, closing it (auth_timeout=30000ms, elapsed: 30000ms) Mar 16 13:24:57 lxc10 sssd: Starting up Mar 16 13:25:06 lxc10 systemd[1]: sssd.service start operation timed out. Terminating. Mar 16 13:25:06 lxc10 systemd[1]: Failed to start System Security Services Daemon. Mar 16 13:25:06 lxc10 systemd[1]: Unit sssd.service entered failed state. Mar 16 13:25:06 lxc10 systemd[1]: Starting User and Group Name Lookups. Mar 16 13:25:06 lxc10 systemd[1]: Reached target User and Group Name Lookups. Mar 16 13:25:06 lxc10 systemd[1]: Starting Login Service... Mar 16 13:25:06 lxc10 systemd[1]: Starting Permit User Sessions... : Does this help? 
Regards
Harri

From mkosek at redhat.com Wed Mar 16 13:31:35 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 16 Mar 2016 14:31:35 +0100
Subject: [Freeipa-users] YUbiKey for HOTP auth
In-Reply-To:
References:
Message-ID: <56E96037.5090306@redhat.com>

On 03/12/2016 04:47 PM, Brad Bendy wrote:
> Hi,
>
> YubiKey supports HOTP it appears, but I'm having a heck of a time
> getting the token to add FreeIPA. The YubiKey tool gives me the OATH
> Token which is 6 bytes and the secret key in 20 bytes hex. I've entered
> the secret key and OATH token into the "key" field, I've tried all
> algorithms and get the error of "invalid 'ipatokenotpkey': Non-base32
> digit found"
>
> Am I missing something? Or is this just not possible at all? I can't
> find any documentation on Google saying how to set these up.
>
> Thanks!

Just for the record, you are adding the Yubikey via FreeIPA Web UI? We also
have otptoken-add-yubikey command that makes adding tokens easy.

CCing Nathaniel to consider what we could do to make your use case easier.

From mkosek at redhat.com Wed Mar 16 13:37:29 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 16 Mar 2016 14:37:29 +0100
Subject: [Freeipa-users] read-only service account - aci
In-Reply-To:
References:
Message-ID: <56E96199.5030602@redhat.com>

On 03/15/2016 04:28 AM, Prashant Bapat wrote:
> Anyone?
>
> On 11 March 2016 at 22:12, Prashant Bapat
> wrote:
>
> Hi,
>
> I'm trying to use IPA's LDAP server as the user data base for an external
> application.
> > I have created a service account from ldif below. > > > dn: uid=srv-ro,cn=sysaccounts,cn=etc,dc=example,dc=com > changetype: add > objectclass: account > objectclass: simplesecurityobject > uid: system > userPassword: changeme! > passwordExpirationTime: 20380119031407Z > nsIdleTimeout: 0 > > > This works fine. My question is whats the ACI associated with this new user? > Does this user have read-only access to everything in LDAP ? Or should I > add/tune the ACI. This system user can now access all LDAP data that are allowed for authenticated users. It should not have permission to actually write something unless you allow any user write something. You can see the FreeIPA system read permissions [1] to see what authenticated users are allowed to read. At minimum, they can read more information about users, group member and others: # ipa permission-find --bindtype=all | grep "Permission name" Permission name: System: Read AD Domains Permission name: System: Read CA ACLs Permission name: System: Read CA Renewal Information Permission name: System: Read Certificate Profiles Permission name: System: Read DNA Configuration Permission name: System: Read Domain Level Permission name: System: Read Global Configuration Permission name: System: Read Group ID Overrides Permission name: System: Read Group Membership Permission name: System: Read HBAC Rules Permission name: System: Read HBAC Service Groups Permission name: System: Read HBAC Services Permission name: System: Read Host Membership Permission name: System: Read Hostgroup Membership Permission name: System: Read Hostgroups Permission name: System: Read Hosts Permission name: System: Read ID Ranges Permission name: System: Read ID Views Permission name: System: Read Netgroup Membership Permission name: System: Read Netgroups Permission name: System: Read OTP Configuration Permission name: System: Read Realm Domains Permission name: System: Read Replication Information Permission name: System: Read SELinux User 
Maps Permission name: System: Read Services Permission name: System: Read Sudo Command Groups Permission name: System: Read Sudo Commands Permission name: System: Read Sudo Rules Permission name: System: Read Trust Information Permission name: System: Read User Addressbook Attributes Permission name: System: Read User ID Overrides Permission name: System: Read User IPA Attributes Permission name: System: Read User Kerberos Attributes Permission name: System: Read User Membership Martin [1] http://www.freeipa.org/page/V4/Managed_Read_permissions From lslebodn at redhat.com Wed Mar 16 13:43:02 2016 From: lslebodn at redhat.com (Lukas Slebodnik) Date: Wed, 16 Mar 2016 14:43:02 +0100 Subject: [Freeipa-users] sssd.service start operation timed out In-Reply-To: <56E96000.6000001@afaics.de> References: <56E84969.3090603@afaics.de> <20160315182155.GH25240@hendrix.redhat.com> <56E86CEE.4090302@afaics.de> <20160316083024.GI25240@hendrix.redhat.com> <56E96000.6000001@afaics.de> Message-ID: <20160316134302.GB18853@mail.corp.redhat.com> On (16/03/16 14:30), Harald Dunkel wrote: >Hi Jakub, > >On 03/16/16 09:30, Jakub Hrozek wrote: >> >> If you can reproduce the issue, it would be nice to increase the debug_level a bit so that the debug logs are more verbose.. 
>> > >Using debug level 9 I got > >(Wed Mar 16 13:24:57 2016) [sssd] [server_setup] (0x0400): CONFDB: /var/lib/sss/db/config.ldb >(Wed Mar 16 13:25:00 2016) [sssd] [ldb] (0x4000): Added timed event "ltdb_callback": 0xb3c2a0 >(Wed Mar 16 13:25:00 2016) [sssd] [ldb] (0x4000): Added timed event "ltdb_timeout": 0xb3c360 >(Wed Mar 16 13:25:00 2016) [sssd] [ldb] (0x4000): Running timer event 0xb3c2a0 "ltdb_callback" >(Wed Mar 16 13:25:00 2016) [sssd] [ldb] (0x4000): Destroying timer event 0xb3c360 "ltdb_timeout" >(Wed Mar 16 13:25:00 2016) [sssd] [ldb] (0x4000): Ending timer event 0xb3c2a0 "ltdb_callback" >(Wed Mar 16 13:25:00 2016) [sssd] [ldb] (0x4000): no modules required by the db >(Wed Mar 16 13:25:00 2016) [sssd] [ldb] (0x4000): No modules specified for this database >(Wed Mar 16 13:25:00 2016) [sssd] [ldb] (0x4000): Added timed event "ltdb_callback": 0xb3c2d0 >(Wed Mar 16 13:25:00 2016) [sssd] [ldb] (0x4000): Added timed event "ltdb_timeout": 0xb3c390 >(Wed Mar 16 13:25:00 2016) [sssd] [ldb] (0x4000): Running timer event 0xb3c2d0 "ltdb_callback" >(Wed Mar 16 13:25:00 2016) [sssd] [ldb] (0x4000): Destroying timer event 0xb3c390 "ltdb_timeout" >(Wed Mar 16 13:25:00 2016) [sssd] [ldb] (0x4000): Ending timer event 0xb3c2d0 "ltdb_callback" >(Wed Mar 16 13:25:00 2016) [sssd] [ldb] (0x4000): Added timed event "ltdb_callback": 0xb3c4e0 >(Wed Mar 16 13:25:00 2016) [sssd] [ldb] (0x4000): Added timed event "ltdb_timeout": 0xb3c5a0 >(Wed Mar 16 13:25:00 2016) [sssd] [ldb] (0x4000): Running timer event 0xb3c4e0 "ltdb_callback" >(Wed Mar 16 13:25:00 2016) [sssd] [ldb] (0x4000): Destroying timer event 0xb3c5a0 "ltdb_timeout" >(Wed Mar 16 13:25:00 2016) [sssd] [ldb] (0x4000): Ending timer event 0xb3c4e0 "ltdb_callback" >(Wed Mar 16 13:25:00 2016) [sssd] [sysdb_domain_init_internal] (0x0200): DB File for example.com: /var/lib/sss/db/cache_example.com.ldb >(Wed Mar 16 13:25:01 2016) [sssd] [ldb] (0x4000): Added timed event "ltdb_callback": 0xb3dbe0 >(Wed Mar 16 13:25:01 2016) 
[sssd] [ldb] (0x4000): Added timed event "ltdb_timeout": 0xb3dca0 >(Wed Mar 16 13:25:01 2016) [sssd] [ldb] (0x4000): Running timer event 0xb3dbe0 "ltdb_callback" >(Wed Mar 16 13:25:01 2016) [sssd] [ldb] (0x4000): Destroying timer event 0xb3dca0 "ltdb_timeout" >(Wed Mar 16 13:25:01 2016) [sssd] [ldb] (0x4000): Ending timer event 0xb3dbe0 "ltdb_callback" >(Wed Mar 16 13:25:01 2016) [sssd] [ldb] (0x0400): asq: Unable to register control with rootdse! >(Wed Mar 16 13:25:01 2016) [sssd] [ldb] (0x4000): Added timed event "ltdb_callback": 0xb3dd80 >(Wed Mar 16 13:25:01 2016) [sssd] [ldb] (0x4000): Added timed event "ltdb_timeout": 0xb3de40 >(Wed Mar 16 13:25:01 2016) [sssd] [ldb] (0x4000): Running timer event 0xb3dd80 "ltdb_callback" >(Wed Mar 16 13:25:01 2016) [sssd] [ldb] (0x4000): Destroying timer event 0xb3de40 "ltdb_timeout" >(Wed Mar 16 13:25:01 2016) [sssd] [ldb] (0x4000): Ending timer event 0xb3dd80 "ltdb_callback" >(Wed Mar 16 13:25:01 2016) [sssd] [ldb] (0x4000): Added timed event "ltdb_callback": 0xb3dfd0 >(Wed Mar 16 13:25:01 2016) [sssd] [ldb] (0x4000): Added timed event "ltdb_timeout": 0xb3e090 >(Wed Mar 16 13:25:01 2016) [sssd] [ldb] (0x4000): Running timer event 0xb3dfd0 "ltdb_callback" >(Wed Mar 16 13:25:01 2016) [sssd] [ldb] (0x4000): Destroying timer event 0xb3e090 "ltdb_timeout" >(Wed Mar 16 13:25:01 2016) [sssd] [ldb] (0x4000): Ending timer event 0xb3dfd0 "ltdb_callback" >(Wed Mar 16 13:25:04 2016) [sssd] [sbus_new_server] (0x0400): D-BUS Server listening on unix:path=/var/lib/sss/pipes/private/sbus-monitor,guid=d5f35f30568405c90a0fc9e756e950a0 >(Wed Mar 16 13:25:05 2016) [sssd] [sbus_add_watch] (0x2000): 0xb3e070/0xb3dda0 (14), R/- (enabled) >(Wed Mar 16 13:25:05 2016) [sssd] [get_ping_config] (0x0100): Time between service pings for [example.com]: [10] >(Wed Mar 16 13:25:05 2016) [sssd] [get_ping_config] (0x0100): Time between SIGTERM and SIGKILL for [example.com]: [60] >(Wed Mar 16 13:25:05 2016) [sssd] [start_service] (0x0100): Queueing service 
example.com for startup ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ sssd should spawn child processes here. >(Wed Mar 16 13:25:06 2016) [sssd] [monitor_quit_signal] (0x2000): Received shutdown command ^^^^^^^^^^^^^^^^^^^^^^^^^ After a second, sssd got signal for shutdown. >(Wed Mar 16 13:25:08 2016) [sssd] [monitor_quit_signal] (0x0040): Monitor received Terminated: terminating children ^^^^^^^^^^ SIGTERM >(Wed Mar 16 13:25:08 2016) [sssd] [monitor_quit] (0x0040): Returned with: 0 >(Wed Mar 16 13:25:08 2016) [sssd] [monitor_quit] (0x0020): Terminating [example.com][474] >(Wed Mar 16 13:25:08 2016) [sssd] [monitor_quit] (0x0020): Child [example.com] terminated with a signal >(Wed Mar 16 13:25:08 2016) [sssd] [monitor_cleanup] (0x0010): Error removing pidfile! (2 [No such file or directory]) >(Wed Mar 16 13:25:08 2016) [sssd] [sbus_remove_watch] (0x2000): 0xb3e070/0xb3dda0 > > It does not look like problem in sssd. LS From npmccallum at redhat.com Wed Mar 16 14:38:54 2016 From: npmccallum at redhat.com (Nathaniel McCallum) Date: Wed, 16 Mar 2016 10:38:54 -0400 Subject: [Freeipa-users] YUbiKey for HOTP auth In-Reply-To: <56E96037.5090306@redhat.com> References: <56E96037.5090306@redhat.com> Message-ID: <1458139134.2518.1.camel@redhat.com> On Wed, 2016-03-16 at 14:31 +0100, Martin Kosek wrote: > On 03/12/2016 04:47 PM, Brad Bendy wrote: > > > > Hi, > > > > YubiKey supports HOTP it appears, but im having a heck of a time > > getting the token to add FreeIPA. The YubiKey tool gives me the > > OATH > > Token which is 6 bytes and the secret key in 20 bytes hex. Ive > > entered > > the secret key and OATH token into the "key" field, ive tried all > > algorithms and get the error of "invalid 'ipatokenotpkey': Non- > > base32 > > digit found" > > > > Am I missing something? Or is this just not possible at all? I > > can't > > find any documentation on Google saying how to set these up. > > > > Thanks! > Just for the record, you are adding the Yubikey via FreeIPA Web UI? 
> We also > have otptoken-add-yubikey command that makes adding tokens easy. > > CCing Nathaniel to consider what we could do to make your use case > easier. I will second the use of otptoken-add-yubikey. Just insert the token and run the command. :) From abokovoy at redhat.com Wed Mar 16 14:44:04 2016 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Wed, 16 Mar 2016 16:44:04 +0200 Subject: [Freeipa-users] YUbiKey for HOTP auth In-Reply-To: <1458139134.2518.1.camel@redhat.com> References: <56E96037.5090306@redhat.com> <1458139134.2518.1.camel@redhat.com> Message-ID: <20160316144404.GU4492@redhat.com> On Wed, 16 Mar 2016, Nathaniel McCallum wrote: >On Wed, 2016-03-16 at 14:31 +0100, Martin Kosek wrote: >> On 03/12/2016 04:47 PM, Brad Bendy wrote: >> > >> > Hi, >> > >> > YubiKey supports HOTP it appears, but im having a heck of a time >> > getting the token to add FreeIPA. The YubiKey tool gives me the >> > OATH >> > Token which is 6 bytes and the secret key in 20 bytes hex. Ive >> > entered >> > the secret key and OATH token into the "key" field, ive tried all >> > algorithms and get the error of "invalid 'ipatokenotpkey': Non- >> > base32 >> > digit found" >> > >> > Am I missing something? Or is this just not possible at all? I >> > can't >> > find any documentation on Google saying how to set these up. >> > >> > Thanks! >> Just for the record, you are adding the Yubikey via FreeIPA Web UI? >> We also >> have otptoken-add-yubikey command that makes adding tokens easy. >> >> CCing Nathaniel to consider what we could do to make your use case >> easier. > >I will second the use of otptoken-add-yubikey. Just insert the token >and run the command. 
:) And if you need a guidance, here is the demo: https://www.youtube.com/watch?v=zK2FmP0j6tY&list=PLnztcusQEwUopAVws6l5EgcIO_LqXiws2&index=1 -- / Alexander Bokovoy From tbordaz at redhat.com Wed Mar 16 15:24:48 2016 From: tbordaz at redhat.com (thierry bordaz) Date: Wed, 16 Mar 2016 16:24:48 +0100 Subject: [Freeipa-users] ipa-replica-install IPA startup timing issue In-Reply-To: <56E714FB.10603@umanitoba.ca> References: <56E1F0E4.9080605@umanitoba.ca> <56E28490.6030406@redhat.com> <56E6C57D.3010203@umanitoba.ca> <56E6C8CA.6020800@redhat.com> <56E714FB.10603@umanitoba.ca> Message-ID: <56E97AC0.7060106@redhat.com> Hello Daryl, I can reproduce locally the slow DS startup (due to slapi-nis priming). In fact the version I was using had not the slapi-nis fix to differ the priming. I failed to reproduce the intensive load on DS when krb5kdc startup. Looking at yours logs, we can see that krb5kdc startup triggers a set of requests during 3s up to 8s. The logs are looking like (note the etime can go up to 2s): [10/Mar/2016:14:20:35 -0600] conn=40 fd=87 slot=87 connection from local to /var/run/slapd-UOFMT1.socket [10/Mar/2016:14:20:36 -0600] conn=40 AUTOBIND dn="cn=Directory Manager" [10/Mar/2016:14:20:36 -0600] conn=40 op=0 BIND dn="cn=Directory Manager" method=sasl version=3 mech=EXTERNAL [10/Mar/2016:14:20:36 -0600] conn=40 op=0 RESULT err=0 tag=97 nentries=0 *etime=1* dn="cn=Directory Manager" [10/Mar/2016:14:20:36 -0600] conn=40 op=1 SRCH base="cn=UOFMT1,cn=kerberos,dc=uofmt1" scope=0 filter="(objectClass=*)" attrs=ALL [10/Mar/2016:14:20:36 -0600] conn=40 op=1 RESULT err=0 tag=101 nentries=1 etime=0 [10/Mar/2016:14:20:36 -0600] conn=40 op=2 SRCH base="cn=ipaConfig,cn=etc,dc=uofmt1" scope=0 filter="(objectClass=*)" attrs="ipaConfigString ipaKrbAuthzData ipaUserAuthType" [10/Mar/2016:14:20:36 -0600] conn=40 op=2 RESULT err=0 tag=101 nentries=1 etime=0 [10/Mar/2016:14:20:36 -0600] conn=40 op=3 SRCH base="dc=uofmt1" scope=2 filter="(objectClass=ipaNTDomainAttrs)" 
attrs="ipaNTFlatName ipaNTFallbackPrimaryGroup ipaNTSecurityIdentifier" [10/Mar/2016:14:20:37 -0600] conn=40 op=3 RESULT err=0 tag=101 nentries=0 *etime=1* [10/Mar/2016:14:20:37 -0600] conn=40 op=4 SRCH base="cn=UOFMT1,cn=kerberos,dc=uofmt1" scope=0 filter="(krbMKey=*)" attrs="krbMKey" [10/Mar/2016:14:20:37 -0600] conn=40 op=4 RESULT err=0 tag=101 nentries=1 etime=0 [10/Mar/2016:14:20:37 -0600] conn=40 op=5 SRCH base="dc=uofmt1" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=K/M at UOFMT1))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass" [10/Mar/2016:14:20:38 -0600] conn=40 op=5 RESULT err=0 tag=101 nentries=1 *etime=1* [10/Mar/2016:14:20:39 -0600] conn=40 op=6 UNBIND [10/Mar/2016:14:20:39 -0600] conn=40 op=6 fd=87 closed - U1 I think the request op=3 (SRCH base="dc=uofmt1" scope=2 filter="(objectClass=ipaNTDomainAttrs)") is slow also because of slapi-nis. In fact it is indexed and returns 0 entry. So only plugins can create this high etime. An improvement in slapi-nis makes its search callback noop when it comes from krb and I am running this improvement. In conclusion I think both slow DS startup and KRB5 startup are fixed in RHEL 7. thanks theirry On 03/14/2016 08:46 PM, Daryl Fonseca-Holt wrote: > Hello Thierry, > > Attached is the pstacks from only the final DS restart. I don't think > they will show the whole picture. 
> > According to the debug log /var/log/ipareplica-install.log (attached) > the start of the krb5kdc.service (19:13:16Z) is successful, but the > krb5kdc log (attach) shows it is unable to fetch the master K/M at > 14:31:31CDT (-5hour offset). This is when the install log shows > kadmind failing. > > In my experience with the master observing top there are two intense > times for ns-slapd-. The first when it start, of course, and > the second when krb5kdc starts. I assume this is because krb5kdc must > get it's configuration and data from the same DS. krb5kdc fails but > the ipareplica-install script isn't aware of it. Finally > kadmin.service tries to access krb5kdc and finds that it is dead. > > Please note these logs are with Schema Compatability and NIS plugins > turned off per the other e-mail from Alexander. > > I've noticed on a running master I can prevent this type of failure by > manually starting dirsrv (systemctl start dirsrv@.service), > watch top until all threads of ns-slapd have settled, then systemctl > start krb5kdc.service, again watching top until ns-slapd threads have > settled down before systemctl start kadmin.service. This kind of > manual intervention is is not possible when running the > ipareplica-install script. > > I will look into introducing a delay at the completion of the dirsrv > and krb5kdc systemd units and see if I can accommodate > ipareplica-install. Just as an experiment for now. I need to advance > the project into High Availability testing but cannot do so without a > functioning replica. > > Regards, Daryl > > On 03/14/16 09:20, thierry bordaz wrote: >> Hi Daryl, >> >> Thanks for all the data. I will look at the pstacks. A first look >> shows that you capture import, bind... so may be a complete >> ipa-replica-install session. >> I will try to retrieve the specific startup time to see what was >> going on at that time. >> If you have the time to monitor only startup, it will help me >> shrinking the set of pstacks. 
>> Startup of DS last > 1min. If you may start DS and as soon as the >> ns-slapd process is launched, do regular pstacks. Then when you are >> able to send a simple ldapsearch (ldapsearch -x -b "" -s base), you >> may stop taking pstacks. >> >> thanks >> thierry >> >> On 03/14/2016 03:06 PM, Daryl Fonseca-Holt wrote: >>> Hi Thierry, >>> >>> I moved the old logs into a subdirectory called try1. I did the >>> recommended ipa-server-install --uninstall. Tried the replica >>> install again. Failed during kadmind start like the previous time. >>> >>> The log from ipa-replica-install (with -d) is at >>> http://home.cc.umanitoba.ca/~fonsecah/ipa/ipareplica-install.log >>> The console script (mostly the same as the log but with my entries) >>> is at >>> http://home.cc.umanitoba.ca/~fonsecah/ipa/ipa-replica-install.console >>> The 5 second pstacks are at >>> http://home.cc.umanitoba.ca/~fonsecah/ipa/slapd-pstacks.console >>> >>> Thanks, Daryl >>> >>> >>> On 03/11/16 02:40, thierry bordaz wrote: >>>> Hello Deryl, >>>> >>>> My understanding is that ns-slapd is first slow to startup. >>>> Then when krb5kdc is starting it may load ns-slapd. >>>> >>>> We identified krb5kdc may be impacted by the number of users >>>> accounts. >>>> From the ns-slapd errors log it is not clear why it is so slow >>>> to start. >>>> >>>> Would you provide the ns-slapd access logs from that period. >>>> Also in order to know where ns-slapd is spending time, it would >>>> really help if you can get regular (each 5s) pstacks (with >>>> 389-ds-debuginfo), during DS startup and then later during >>>> krb5kdc startup. >>>> >>>> best regards >>>> thierry >>>> >>>> >>>> On 03/10/2016 11:10 PM, Daryl Fonseca-Holt wrote: >>>>> Environment: >>>>> RHEL 7.2 >>>>> IPA 4.2.0-15 >>>>> nss 3.19.1-19 >>>>> 389-ds-base 1.3.4.0-26 >>>>> sssd 1.13.0-40 >>>>> >>>>> >>>>> I've encountered this problem in IPA 3.0.0 but hoped it was >>>>> addressed in 4.2.0. 
>>>>>
>>>>> Trying to set up a replica of a master with 150,000+ user
>>>>> accounts, NIS and Schema Compatibility enabled on the master.
>>>>>
>>>>> During ipa-replica-install it attempts to start IPA. dirsrv
>>>>> starts, krb5kdc starts, but then kadmind fails because krb5kdc has
>>>>> gone missing.
>>>>>
>>>>> This happens during restart of IPA in version 3.0.0 too. There it
>>>>> can be overcome by manually starting each component of IPA _but_
>>>>> waiting until ns-slapd- has settled down (as seen from
>>>>> top) before starting krb5kdc. I also think that the startup of
>>>>> krb5kdc loads the LDAP instance quite a bit.
>>>>>
>>>>> There is a problem in the startup logic where dirsrv is so busy
>>>>> that even though krb5kdc successfully starts and allows the kadmin
>>>>> to begin krb5kdc is not really able to do its duties.
>>>>>
>>>>> I'm reporting this since there must be some way to delay the start
>>>>> of krb5kdc and then kadmind until ns-slapd- is really
>>>>> open for business.
>>>>>
>>>>> # systemctl status krb5kdc.service
>>>>> ● krb5kdc.service - Kerberos 5 KDC
>>>>> Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service;
>>>>> disabled; vendor preset: disabled)
>>>>> Active: inactive (dead)
>>>>>
>>>>> Mar 10 14:19:13 jutta.cc.umanitoba.ca systemd[1]: Stopped Kerberos
>>>>> 5 KDC.
>>>>> Mar 10 14:20:36 jutta.cc.umanitoba.ca systemd[1]: Starting
>>>>> Kerberos 5 KDC...
>>>>> Mar 10 14:20:39 jutta.cc.umanitoba.ca systemd[1]: Started Kerberos
>>>>> 5 KDC.
>>>>>
>>>>> # systemctl status krb5kdc.service
>>>>> ● krb5kdc.service - Kerberos 5 KDC
>>>>> Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service;
>>>>> disabled; vendor preset: disabled)
>>>>> Active: inactive (dead)
>>>>>
>>>>> Mar 10 14:19:13 jutta.cc.umanitoba.ca systemd[1]: Stopped Kerberos
>>>>> 5 KDC.
>>>>> Mar 10 14:20:36 jutta.cc.umanitoba.ca systemd[1]: Starting
>>>>> Kerberos 5 KDC...
>>>>> Mar 10 14:20:39 jutta.cc.umanitoba.ca systemd[1]: Started Kerberos
>>>>> 5 KDC.
>>>>> >>>>> journalctl -xe was stale by the time I got to it so I've attached >>>>> /var/log/messages instead. >>>>> >>>>> The log from ipa-replica-install (with -d) is at >>>>> http://home.cc.umanitoba.ca/~fonsecah/ipa/ipareplica-install.log >>>>> The console script (mostly the same as the log but with my >>>>> entries) is at >>>>> http://home.cc.umanitoba.ca/~fonsecah/ipa/ipa-replica-install.console >>>>> The /var/log/dirsrv/ns-slapd- access log is at >>>>> http://home.cc.umanitoba.ca/~fonsecah/ipa/access >>>>> >>>>> Regards, Daryl >>>>> >>>>> >>>>> >>>> >>> >>> -- >>> -- >>> Daryl Fonseca-Holt >>> IST/CNS/Unix Server Team >>> University of Manitoba >>> 204.480.1079 >> > > -- > -- > Daryl Fonseca-Holt > IST/CNS/Unix Server Team > University of Manitoba > 204.480.1079 -------------- next part -------------- An HTML attachment was scrubbed... URL: From jeffrey.armstrong at gasoc.com Wed Mar 16 18:00:47 2016 From: jeffrey.armstrong at gasoc.com (Armstrong, Jeffrey) Date: Wed, 16 Mar 2016 18:00:47 +0000 Subject: [Freeipa-users] ipa user login access denied Message-ID: <3DAC7A5927B8594195EA704FB41255B06588BD79@Supernatural2.gafoc.com> Hi I'm unable to login via ssh to an ipa client or server as the admin user or a new user. This a new installation of the ipa server and clients. I've saved some of the error messages: I created a test user (tuser). I was able to su - tuser successfully. I was not able to ssh to the master ipa server or any of the clients. Below I have some information from the sssd log, the command ipa hbactest, and the secure log. If you need any other info please let me know. 
Thanks Jeff sssd_.log sh tuser at pcs1dc01 Mar 16 12:39:53 pcs1dc01 authpriv.info sshd[30792]: Set /proc/self/oom_score_adj to 0 Mar 16 12:39:53 pcs1dc01 authpriv.info sshd[30792]: Connection from 10.109.4.20 port 60969 Mar 16 12:39:53 pcs1dc01 authpriv.info sshd[30792]: Failed publickey for tuser from 10.109.4.20 port 60969 ssh2 Password: Mar 16 12:39:53 pcs1dc01 authpriv.info sshd[30793]: Postponed keyboard-interactive for tuser from 10.109.4.20 port 60969 ssh2 Mar 16 12:40:57 pcs1dc01 authpriv.notice sshd[30795]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.109.4.20 user=tuser Mar 16 12:40:57 pcs1dc01 authpriv.info sshd[30795]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.109.4.20 user=tuser Mar 16 12:40:57 pcs1dc01 authpriv.notice sshd[30795]: pam_sss(sshd:account): Access denied for user tuser: 6 (Permission denied) Mar 16 12:40:57 pcs1dc01 authpriv.err sshd[30792]: error: PAM: User account has expired for tuser from 10.109.4.20 Mar 16 12:40:57 pcs1dc01 authpriv.info sshd[30792]: Failed keyboard-interactive/pam for tuser from 10.109.4.20 port 60969 ssh2 Received disconnect from UNKNOWN: 2: Too many authentication failures for tuser Mar 16 12:40:57 pcs1dc01 authpriv.info sshd[30793]: Disconnecting: Too many authentication failures for tuse Command: ipa hbactest User name: tuser Target host: Service: ssh --------------------- Access granted: False --------------------- Not matched rules: GUI_ACCESS Not matched rules: SSH_ACCESS Secure log Mar 16 12:29:55 authpriv.notice sshd[30697]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost= user=tuser Mar 16 12:29:56 authpriv.info sshd[30697]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost= user=tuser Mar 16 12:29:56 authpriv.notice sshd[30697]: pam_sss(sshd:account): Access denied for user tuser: 6 (Permission denied) Mar 16 12:29:56 authpriv.err 
sshd[30694]: error: PAM: User account has expired for tuser from 10.109.4.20
Mar 16 12:29:56 authpriv.info sshd[30694]: Failed keyboard-interactive/pam for tuser from port 60942 ssh2
Received disconnect from UNKNOWN: 2: Too many authentication failures for tuser
Mar 16 12:29:56 authpriv.info sshd[30695]: Disconnecting: Too many authentication failures for tuser

From rcritten at redhat.com Wed Mar 16 18:13:18 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 16 Mar 2016 14:13:18 -0400
Subject: [Freeipa-users] ipa user login access denied
In-Reply-To: <3DAC7A5927B8594195EA704FB41255B06588BD79@Supernatural2.gafoc.com>
References: <3DAC7A5927B8594195EA704FB41255B06588BD79@Supernatural2.gafoc.com>
Message-ID: <56E9A23E.7050506@redhat.com>

Armstrong, Jeffrey wrote:
> Hi
>
> I'm unable to login via ssh to an ipa client or server as the admin user
> or a new user. This is a new installation of the ipa server and clients.
>
> I've saved some of the error messages:
>
> I created a test user (tuser). I was able to su - tuser successfully.
> I was not able to ssh to the master ipa server or any of the clients.
>
> Below I have some information from the sssd log, the command ipa
> hbactest, and the secure log.
>
> If you need any other info please let me know.
>
> Thanks
>
> Jeff
>
> sssd_.log
>
> **
>
> sh tuser at pcs1dc01
>
> Mar 16 12:39:53 pcs1dc01 authpriv.info sshd[30792]: Set
> /proc/self/oom_score_adj to 0
>
> Mar 16 12:39:53 pcs1dc01 authpriv.info sshd[30792]: Connection from
> 10.109.4.20 port 60969
>
> Mar 16 12:39:53 pcs1dc01 authpriv.info sshd[30792]: Failed publickey for
> tuser from 10.109.4.20 port 60969 ssh2
>
> Password: Mar 16 12:39:53 pcs1dc01 authpriv.info sshd[30793]: Postponed
> keyboard-interactive for tuser from 10.109.4.20 port 60969 ssh2
>
> Mar 16 12:40:57 pcs1dc01 authpriv.notice sshd[30795]:
> pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0
> tty=ssh ruser= rhost=10.109.4.20 user=tuser
>
> Mar 16 12:40:57 pcs1dc01 authpriv.info sshd[30795]: pam_sss(sshd:auth):
> authentication success; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=10.109.4.20 user=tuser
>
> Mar 16 12:40:57 pcs1dc01 authpriv.notice sshd[30795]:
> pam_sss(sshd:account): Access denied for user tuser: 6 (Permission denied)
>
> Mar 16 12:40:57 pcs1dc01 authpriv.err sshd[30792]: error: PAM: User
> account has expired for tuser from 10.109.4.20
>
> Mar 16 12:40:57 pcs1dc01 authpriv.info sshd[30792]: Failed
> keyboard-interactive/pam for tuser from 10.109.4.20 port 60969 ssh2
>
> Received disconnect from UNKNOWN: 2: Too many authentication failures
> for tuser
>
> Mar 16 12:40:57 pcs1dc01 authpriv.info sshd[30793]: Disconnecting: Too
> many authentication failures for tuse
>
> **
>
> *Command:* ipa hbactest
>
> User name: tuser
>
> Target host:
>
> Service: ssh
>
> ---------------------
>
> Access granted: False
>
> ---------------------
>
> Not matched rules: GUI_ACCESS
>
> Not matched rules: SSH_ACCESS

There is your answer right there. Add tuser to the appropriate rule.

And as of the last login attempt the user is logged out due to too many failed attempts. Lockout duration default is 5 minutes IIRC.

rob

>
> *Secure log*
>
> Mar 16 12:29:55 authpriv.notice sshd[30697]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=
> user=tuser
>
> Mar 16 12:29:56 authpriv.info sshd[30697]: pam_sss(sshd:auth):
> authentication success; logname= uid=0 euid=0 tty=ssh ruser=
> rhost= user=tuser
>
> Mar 16 12:29:56 authpriv.notice sshd[30697]: pam_sss(sshd:account):
> Access denied for user tuser: 6 (Permission denied)
>
> Mar 16 12:29:56 authpriv.err sshd[30694]: error: PAM: User account has
> expired for tuser from 10.109.4.20
>
> Mar 16 12:29:56 authpriv.info sshd[30694]: Failed
> keyboard-interactive/pam for tuser from port 60942 ssh2
>
> Received disconnect from UNKNOWN: 2: Too many authentication failures
> for tuser
>
> Mar 16 12:29:56 authpriv.info sshd[30695]: Disconnecting: Too many
> authentication failures for tuser
>

From sbingram at gmail.com Wed Mar 16 18:58:34 2016
From: sbingram at gmail.com (Stephen Ingram)
Date: Wed, 16 Mar 2016 11:58:34 -0700
Subject: [Freeipa-users] cannot access keys in /var/lib/pki-ca/alias
Message-ID:

I've run into a problem on a v3 IPA where several certificates did not renew automatically with certmonger. I'm now, of course stuck and trying to renew the certificates manually. I've managed to renew the WebUI cert, and now onto the pki-ca certificate in the /var/lib/pki-ca/alias NSS store. I'm trying to renew the Server-Cert there but can't because I don't seem to have the correct password. I'm trying to use the same password as in /etc/httpd/alias/pwdfile.txt, but it's not working. Does this store for the CA use a different password?

Steve
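
The sshd lines posted in the "ipa user login access denied" thread above show pam_sss accepting the password and then refusing the account phase with code 6, the pattern Rob reads as an HBAC rule mismatch. The Python triage below is an added example, not code from the list or from FreeIPA; it separates that pattern from a wrong password, and the function names and the two `buser` sample lines are constructed for the illustration.

```python
import re

# The three "tuser" lines are copied from the thread. The two "buser" lines
# are constructed for this example to show a wrong-password attempt.
SAMPLE_LOG = """\
Mar 16 12:40:57 pcs1dc01 authpriv.notice sshd[30795]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.109.4.20 user=tuser
Mar 16 12:40:57 pcs1dc01 authpriv.info sshd[30795]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.109.4.20 user=tuser
Mar 16 12:40:57 pcs1dc01 authpriv.notice sshd[30795]: pam_sss(sshd:account): Access denied for user tuser: 6 (Permission denied)
Mar 16 12:41:30 pcs1dc01 authpriv.notice sshd[30801]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.109.4.21 user=buser
Mar 16 12:41:30 pcs1dc01 authpriv.notice sshd[30801]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.109.4.21 user=buser
"""

PAM_LINE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?P<module>pam_\w+)\(sshd:(?P<phase>\w+)\): (?P<msg>.*)$"
)
AUTH_MSG = re.compile(
    r"authentication (?P<result>success|failure);"
    r".*?rhost=(?P<rhost>\S*).*?\buser=(?P<user>\S+)"
)
DENY_MSG = re.compile(
    r"Access denied for user (?P<user>[^\s:]+): (?P<code>\d+) \((?P<text>[^)]*)\)"
)
PAM_PERM_DENIED = 6  # Linux-PAM return code, printed by pam_sss in the thread


def _new_session():
    return {"rhost": "", "pam_unix": None, "pam_sss": None, "pam_code": None}


def _verdict(session):
    """Decide what happened from the pam_sss events of one sshd session."""
    if session["pam_sss"] == "success" and session["pam_code"] == PAM_PERM_DENIED:
        # The password was accepted and the account (authorisation) phase
        # refused the login. On an IPA client that phase evaluates HBAC rules,
        # so the next check is `ipa hbactest`, as in the thread.
        return "authenticated-but-access-denied"
    if session["pam_sss"] == "failure":
        return "bad-credentials"
    if session["pam_sss"] == "success":
        return "authenticated"
    return "inconclusive"


def classify(lines):
    """Return {(sshd pid, user): finding} for the PAM events in `lines`."""
    sessions = {}
    for line in lines:
        pam = PAM_LINE.search(line)
        if not pam:
            continue
        auth = AUTH_MSG.match(pam["msg"])
        deny = DENY_MSG.match(pam["msg"])
        if auth and pam["phase"] == "auth":
            s = sessions.setdefault((pam["pid"], auth["user"]), _new_session())
            s["rhost"] = auth["rhost"] or s["rhost"]
            # A pam_unix failure is recorded but never decides the verdict:
            # a user that exists only in IPA has no local password to match.
            s[pam["module"]] = auth["result"]
        elif deny and pam["phase"] == "account":
            s = sessions.setdefault((pam["pid"], deny["user"]), _new_session())
            s["pam_code"] = int(deny["code"])
    for s in sessions.values():
        s["verdict"] = _verdict(s)
    return sessions


if __name__ == "__main__":
    for (pid, user), finding in classify(SAMPLE_LOG.splitlines()).items():
        print(pid, user, finding["rhost"], finding["verdict"])
```
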

From rcritten at redhat.com Wed Mar 16 19:38:47 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 16 Mar 2016 15:38:47 -0400
Subject: [Freeipa-users] cannot access keys in /var/lib/pki-ca/alias
In-Reply-To:
References:
Message-ID: <56E9B647.6030403@redhat.com>

Stephen Ingram wrote:
> I've run into a problem on a v3 IPA where several certificates did not
> renew automatically with certmonger. I'm now, of course stuck and trying
> to renew the certificates manually. I've managed to renew the WebUI
> cert, and now onto the pki-ca certificate in the /var/lib/pki-ca/alias
> NSS store. I'm trying to renew the Server-Cert there but can't because I
> don't seem to have the correct password. I'm trying to use the same
> password as in /etc/httpd/alias/pwdfile.txt, but it's not working. Does
> this store for the CA use a different password?

I think it's best to step back and find out what you've already done.

What does getcert list show (and be sure to remove any embedded PIN info)?

rob

From outbackdingo at gmail.com Thu Mar 17 06:43:41 2016
From: outbackdingo at gmail.com (Outback Dingo)
Date: Thu, 17 Mar 2016 07:43:41 +0100
Subject: [Freeipa-users] CentOS 7 new install - no client ssh
Message-ID:

client can't ssh - any ideas

ssh dingo at xxx.xxx.xxx.xxx
dingo at xxx.xxx.xxx.xxx's password:
Permission denied, please try again.
dingo at xxx.xxx.xxx.xxx's password:

cat sssd/sssd_somehost.com.log
(Thu Mar 17 02:44:30 2016) [sssd[be[somehost.com]]] [krb5_auth_store_creds] (0x0010): unsupported PAM command [249].
(Thu Mar 17 02:44:30 2016) [sssd[be[osomehost.com]]] [krb5_auth_store_creds] (0x0010): password not available, offline auth may not work.

From jhrozek at redhat.com Thu Mar 17 07:44:14 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 17 Mar 2016 08:44:14 +0100
Subject: [Freeipa-users] CentOS 7 new install - no client ssh
In-Reply-To:
References:
Message-ID: <20160317074414.GG3044@hendrix>

On Thu, Mar 17, 2016 at 07:43:41AM +0100, Outback Dingo wrote:
> client can't ssh - any ideas
>
> ssh dingo at xxx.xxx.xxx.xxx
> dingo at xxx.xxx.xxx.xxx's password:
> Permission denied, please try again.
> dingo at xxx.xxx.xxx.xxx's password:
>
>
> cat sssd/sssd_somehost.com.log
> (Thu Mar 17 02:44:30 2016) [sssd[be[somehost.com]]] [krb5_auth_store_creds]
> (0x0010): unsupported PAM command [249].
> (Thu Mar 17 02:44:30 2016) [sssd[be[osomehost.com]]]
> [krb5_auth_store_creds] (0x0010): password not available, offline auth may
> not work.

Please follow:
https://fedorahosted.org/sssd/wiki/Troubleshooting

From outbackdingo at gmail.com Thu Mar 17 08:08:35 2016
From: outbackdingo at gmail.com (Outback Dingo)
Date: Thu, 17 Mar 2016 09:08:35 +0100
Subject: [Freeipa-users] CentOS 7 new install - no client ssh
In-Reply-To: <20160317074414.GG3044@hendrix>
References: <20160317074414.GG3044@hendrix>
Message-ID:

On Thu, Mar 17, 2016 at 8:44 AM, Jakub Hrozek wrote:
> On Thu, Mar 17, 2016 at 07:43:41AM +0100, Outback Dingo wrote:
> > client can't ssh - any ideas
> >
> > ssh dingo at xxx.xxx.xxx.xxx
> > dingo at xxx.xxx.xxx.xxx's password:
> > Permission denied, please try again.
> > dingo at xxx.xxx.xxx.xxx's password:
> >
> >
> > cat sssd/sssd_somehost.com.log
> > (Thu Mar 17 02:44:30 2016) [sssd[be[somehost.com]]]
> [krb5_auth_store_creds]
> > (0x0010): unsupported PAM command [249].
> > (Thu Mar 17 02:44:30 2016) [sssd[be[osomehost.com]]]
> > [krb5_auth_store_creds] (0x0010): password not available, offline auth
> may
> > not work.
>
> Please follow:
> https://fedorahosted.org/sssd/wiki/Troubleshooting
>

how about... your clock is off run ntpdate pool.ntp.org and fixed....

From jeffrey.armstrong at gasoc.com Thu Mar 17 14:27:04 2016
From: jeffrey.armstrong at gasoc.com (Armstrong, Jeffrey)
Date: Thu, 17 Mar 2016 14:27:04 +0000
Subject: [Freeipa-users] LIB error while logging into ipa client.
Message-ID: <3DAC7A5927B8594195EA704FB41255B06588C455@Supernatural2.gafoc.com>

Hi

The following error occurs when I ssh to an ipa client:

/usr/bin/sss_ssh_knownhostsproxy: /cots/gnu/samba/lib/libtevent.so.0: no version information available (required by /usr/lib64/sssd/libsss_util.so)
/usr/bin/sss_ssh_knownhostsproxy: /cots/gnu/samba/lib/libtevent.so.0: no version information available (required by /usr/lib64/libldb.so.1)

The Red Hat ver. 6.6
Ipa server 3.0.0-42
Ipa client 3.0.0-42

Jeff

From jhrozek at redhat.com Thu Mar 17 15:06:39 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 17 Mar 2016 16:06:39 +0100
Subject: [Freeipa-users] LIB error while logging into ipa client.
In-Reply-To: <3DAC7A5927B8594195EA704FB41255B06588C455@Supernatural2.gafoc.com>
References: <3DAC7A5927B8594195EA704FB41255B06588C455@Supernatural2.gafoc.com>
Message-ID: <20160317150639.GB26709@hendrix.redhat.com>

On Thu, Mar 17, 2016 at 02:27:04PM +0000, Armstrong, Jeffrey wrote:
> Hi
>
> The following error occurs when I ssh to an ipa client:
>
> /usr/bin/sss_ssh_knownhostsproxy: /cots/gnu/samba/lib/libtevent.so.0: no version information available (required by /usr/lib64/sssd/libsss_util.so)
> /usr/bin/sss_ssh_knownhostsproxy: /cots/gnu/samba/lib/libtevent.so.0: no version information available (required by /usr/lib64/libldb.so.1)

SSSD depends on libtevent which is an event loop library that comes from Samba.
It appears that you have some third-party provided libtevent on your system that takes precedence over the one we normally install to /usr/lib64/

>
> The Red Hat ver. 6.6
> Ipa server 3.0.0-42
> Ipa client 3.0.0-42
>
> Jeff

From prashant at apigee.com Thu Mar 17 16:31:13 2016
From: prashant at apigee.com (Prashant Bapat)
Date: Thu, 17 Mar 2016 22:01:13 +0530
Subject: [Freeipa-users] read-only service account - aci
In-Reply-To: <56E96199.5030602@redhat.com>
References: <56E96199.5030602@redhat.com>
Message-ID:

Great! Thanks Martin.

On 16 March 2016 at 19:07, Martin Kosek wrote:
> On 03/15/2016 04:28 AM, Prashant Bapat wrote:
> > Anyone?
> >
> > On 11 March 2016 at 22:12, Prashant Bapat
> > wrote:
> >
> > Hi,
> >
> > I'm trying to use IPA's LDAP server as the user data base for an
> external
> > application.
> >
> > I have created a service account from ldif below.
> >
> >
> > dn: uid=srv-ro,cn=sysaccounts,cn=etc,dc=example,dc=com
> > changetype: add
> > objectclass: account
> > objectclass: simplesecurityobject
> > uid: system
> > userPassword: changeme!
> > passwordExpirationTime: 20380119031407Z
> > nsIdleTimeout: 0
> >
> >
> > This works fine. My question is what's the ACI associated with this
> new user?
> > Does this user have read-only access to everything in LDAP ? Or
> should I
> > add/tune the ACI.
>
> This system user can now access all LDAP data that are allowed for
> authenticated users. It should not have permission to actually write
> something
> unless you allow any user write something.
>
> You can see the FreeIPA system read permissions [1] to see what
> authenticated
> users are allowed to read.
At minimum, they can read more information about
> users, group member and others:
>
> # ipa permission-find --bindtype=all | grep "Permission name"
> Permission name: System: Read AD Domains
> Permission name: System: Read CA ACLs
> Permission name: System: Read CA Renewal Information
> Permission name: System: Read Certificate Profiles
> Permission name: System: Read DNA Configuration
> Permission name: System: Read Domain Level
> Permission name: System: Read Global Configuration
> Permission name: System: Read Group ID Overrides
> Permission name: System: Read Group Membership
> Permission name: System: Read HBAC Rules
> Permission name: System: Read HBAC Service Groups
> Permission name: System: Read HBAC Services
> Permission name: System: Read Host Membership
> Permission name: System: Read Hostgroup Membership
> Permission name: System: Read Hostgroups
> Permission name: System: Read Hosts
> Permission name: System: Read ID Ranges
> Permission name: System: Read ID Views
> Permission name: System: Read Netgroup Membership
> Permission name: System: Read Netgroups
> Permission name: System: Read OTP Configuration
> Permission name: System: Read Realm Domains
> Permission name: System: Read Replication Information
> Permission name: System: Read SELinux User Maps
> Permission name: System: Read Services
> Permission name: System: Read Sudo Command Groups
> Permission name: System: Read Sudo Commands
> Permission name: System: Read Sudo Rules
> Permission name: System: Read Trust Information
> Permission name: System: Read User Addressbook Attributes
> Permission name: System: Read User ID Overrides
> Permission name: System: Read User IPA Attributes
> Permission name: System: Read User Kerberos Attributes
> Permission name: System: Read User Membership
>
> Martin
>
> [1] http://www.freeipa.org/page/V4/Managed_Read_permissions
>

From natxo.asenjo at gmail.com Thu Mar 17 22:17:41 2016
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Thu, 17 Mar 2016 23:17:41 +0100
Subject: [Freeipa-users] is it possible to add a value to the group 'mail' attrirbute?
Message-ID:

hi,

see subject. For user accounts it's possible (even multivalued),

Adding it using an ldap client gives me error 65 (attribute 65 not allowed).

Thanks
--
--
Groeten,
natxo

From abokovoy at redhat.com Fri Mar 18 05:14:14 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 18 Mar 2016 07:14:14 +0200
Subject: [Freeipa-users] is it possible to add a value to the group 'mail' attrirbute?
In-Reply-To:
References:
Message-ID: <20160318051414.GS4492@redhat.com>

On Thu, 17 Mar 2016, Natxo Asenjo wrote:
>hi,
>
>see subject. For user accounts it's possible (even multivalued),
>
>Adding it using an ldap client gives me error 65 (attribute 65 not allowed).

In order to add *any* attribute to *any* LDAP entry you need two conditions to be satisfied:

1. LDAP entry in question should have object class that allows this attribute
2. Authenticated user should have ACI that allows to add this attribute to this entry

'Attribute not allowed' means condition (1) is not satisfied. FreeIPA LDAP server has three object classes by default that allow you to add mail attribute to an entry:
-- inetOrgPerson
-- mailRecipient
-- mailGroup

I'd say that if you want to associate mail with a group, mailGroup would be a better object class to use. It is an auxiliary object class, meaning it only adds some attributes to an entry and there should exist more fundamental classes (we have them for group already).

As for (2), admins should have enough rights to modify 'mail' attribute and 'objectclass' attribute on group entries.
--
/ Alexander Bokovoy

From natxo.asenjo at gmail.com Fri Mar 18 06:32:25 2016
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Fri, 18 Mar 2016 07:32:25 +0100
Subject: [Freeipa-users] is it possible to add a value to the group 'mail' attrirbute?
In-Reply-To: <20160318051414.GS4492@redhat.com>
References: <20160318051414.GS4492@redhat.com>
Message-ID:

hi,

On Fri, Mar 18, 2016 at 6:14 AM, Alexander Bokovoy wrote:
> On Thu, 17 Mar 2016, Natxo Asenjo wrote:
>
>> hi,
>>
>> see subject. For user accounts it's possible (even multivalued),
>>
>> Adding it using an ldap client gives me error 65 (attribute 65 not
>> allowed).
>>
> In order to add *any* attribute to *any* LDAP entry you need two
> conditions to be satisfied:
>
> 1. LDAP entry in question should have object class that allows this
> attribute
> 2. Authenticated user should have ACI that allows to add this attribute
> to this entry
>
> 'Attribute not allowed' means condition (1) is not satisfied. FreeIPA
> LDAP server has three object classes by default that allow you to add mail
> attribute to an entry:
> -- inetOrgPerson
> -- mailRecipient
> -- mailGroup
>
> I'd say that if you want to associate mail with a group, mailGroup
> would be a better object class to use. It is an auxiliary object class,
> meaning it only adds some attributes to an entry and there should exist
> more fundamental classes (we have them for group already).
>
> As for (2), admins should have enough rights to modify 'mail' attribute
> and 'objectclass' attribute on group entries
>

thanks for your explanation.

I have added the mailGroup objectclass to the default group objectclasses group options in 'configuration' and now I can add the entry.

This post helped too:
https://www.redhat.com/archives/freeipa-users/2014-February/msg00050.html

Thanks!
--
Groeten,
natxo
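
Alexander's condition (1) in the thread above can be reproduced offline. The Python below is an added example, not FreeIPA or 389-DS code: it parses RFC 4512 object class definitions, applies a modify to a copy of an entry and returns LDAP result 65 (objectClassViolation) when an attribute is not permitted by the entry's classes. The schema text is abridged with placeholder OIDs, the group entry and function names are constructed, and condition (2), the ACI check, is not modelled.

```python
import re

SUCCESS = 0
OBJECT_CLASS_VIOLATION = 65  # the LDAP result code reported in the thread

# Abridged definitions in RFC 4512 syntax, written for this example: the OIDs
# are placeholders and the attribute lists are shortened. Read the real
# definitions from the server's cn=schema entry.
SCHEMA_TEXT = """
( 0.0.0.1 NAME 'top' ABSTRACT MUST objectClass )
( 0.0.0.2 NAME 'groupOfNames' SUP top STRUCTURAL MUST cn MAY ( member $ owner $ description ) )
( 0.0.0.3 NAME 'nestedGroup' SUP groupOfNames STRUCTURAL MAY memberOf )
( 0.0.0.4 NAME 'ipaUserGroup' SUP nestedGroup STRUCTURAL )
( 0.0.0.5 NAME 'ipaObject' SUP top AUXILIARY MUST ipaUniqueID )
( 0.0.0.6 NAME 'posixGroup' SUP top AUXILIARY MUST ( cn $ gidNumber ) MAY ( memberUid $ description ) )
( 0.0.0.7 NAME 'mailGroup' SUP top AUXILIARY MAY ( cn $ mail $ mailAlternateAddress $ mailHost $ owner ) )
"""

# Constructed group entry carrying the classes assumed for an IPA POSIX group.
GROUP = {
    "objectClass": ["top", "groupOfNames", "nestedGroup", "ipaUserGroup",
                    "ipaObject", "posixGroup"],
    "cn": ["devs"],
    "gidNumber": ["10001"],
    "ipaUniqueID": ["constructed-id-0001"],
    "member": ["uid=alice,cn=users,cn=accounts,dc=example,dc=com"],
}


def _attrs(definition, keyword):
    """Return the lower-cased attribute names that follow MUST or MAY."""
    m = re.search(r"\b%s (?:\(([^)]*)\)|(\w+))" % keyword, definition)
    if not m:
        return set()
    raw = m.group(1) if m.group(1) is not None else m.group(2)
    return {a.strip().lower() for a in raw.split("$") if a.strip()}


def parse_schema(text):
    """Map lower-cased class name -> superior class, MUST set and MAY set."""
    schema = {}
    for line in text.splitlines():
        m = re.search(r"NAME '([^']+)'(?: SUP (\w+))?", line)
        if m:
            schema[m.group(1).lower()] = {
                "sup": m.group(2).lower() if m.group(2) else None,
                "must": _attrs(line, "MUST"),
                "may": _attrs(line, "MAY"),
            }
    return schema


def allowed_attrs(schema, object_classes):
    """Collect MUST and MAY attributes of the classes and their superiors."""
    must, may = set(), set()
    for oc in object_classes:
        name = oc.lower()
        while name:
            cls = schema[name]  # KeyError when the class is not in the schema
            must |= cls["must"]
            may |= cls["may"]
            name = cls["sup"]
    return must, may


def check_modify(schema, entry, mods):
    """Apply (op, attr, values) changes to a copy and schema-check the result.

    The whole modify is checked against the final entry, so adding the
    objectClass and the attribute in one operation passes.
    """
    new = {k.lower(): list(v) for k, v in entry.items()}
    for op, attr, values in mods:
        if op == "add":
            new.setdefault(attr.lower(), []).extend(values)
        elif op == "delete":
            new.pop(attr.lower(), None)
        else:
            raise ValueError("unsupported modify operation: %s" % op)
    try:
        must, may = allowed_attrs(schema, new.get("objectclass", []))
    except KeyError:
        return OBJECT_CLASS_VIOLATION  # unknown class, modelled as result 65
    present = set(new)
    if must - present or present - (must | may):
        return OBJECT_CLASS_VIOLATION
    return SUCCESS


if __name__ == "__main__":
    schema = parse_schema(SCHEMA_TEXT)
    mail = ("add", "mail", ["devs@example.com"])
    print("mail only:", check_modify(schema, GROUP, [mail]))
    print("mailGroup + mail:",
          check_modify(schema, GROUP, [("add", "objectClass", ["mailGroup"]), mail]))
```
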

From sbingram at gmail.com Fri Mar 18 06:47:15 2016
From: sbingram at gmail.com (Stephen Ingram)
Date: Thu, 17 Mar 2016 23:47:15 -0700
Subject: [Freeipa-users] cannot access keys in /var/lib/pki-ca/alias
In-Reply-To: <56EABF46.1010007@redhat.com>
References: <56E9B647.6030403@redhat.com> <56E9DDFC.2020109@redhat.com> <56EABF46.1010007@redhat.com>
Message-ID:

On Thu, Mar 17, 2016 at 7:29 AM, Rob Crittenden wrote:

--snip--

> Since I now saw three 'Server-Cert' certificates with two accompanying
>> keys, I exported the certs and keys, then removed all of the
>> 'Server-Cert' entries and then imported back only the key and the most
>> recent cert. That fixed most of the errors with the WebUI such that the
>> only remaining error was about the PKI-CA.
>>
>
> That might be ok eventually but the nickname change could cause problems
> moving forward. You'll need to add certmonger tracking as well if you stick
> with the new cert.
>
> The worrying one is the ipaCert as this agent is used to do some of
>> the renewals. NEED_CSR_GEN_PIN generally means that it can't
>> authenticate to the NSS database, /etc/httpd/alias in this case.
>> Again, need to know exactly what you've done.
>>
>>
>> I didn't touch the ipaCert in the store. Looks like it expired on Feb 22:
>>
>> Validity:
>> Not Before: Tue Mar 04 08:48:49 2014
>> Not After : Mon Feb 22 08:48:49 2016
>>
>> I can access the keys in the /etc/httpd/alias store with pwdfile.text.
>> Again, no access to store in /var/lib/pki-ca/alias with that same
>> password. Should I try to renew ipaCert?
>>
>>
> What I'd suggest is to set the date to Feb 16, run ipactl restart, then
> restart certmonger and see what happens. This assumes, of course, that the
> current web server cert is valid then.

The Web server cert is valid now from 01/01/2016-01/01/2018 so it should have worked, but setting the date to Feb 16 did not work.
Looking through the logs I see:

Feb 16 00:29:46 ipa1 certmonger: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/var/lib/pki-ca/alias" will not be valid after 20160222084849.
Feb 16 00:29:46 ipa1 certmonger: Certificate named "subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database "/var/lib/pki-ca/alias" will not be valid after 20160222084849.
Feb 16 00:29:46 ipa1 certmonger: Certificate named "auditSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/var/lib/pki-ca/alias" will not be valid after 20160222084949.
Feb 16 00:29:46 ipa1 certmonger: Certificate named "Server-Cert cert-pki-ca" in token "NSS Certificate DB" in database "/var/lib/pki-ca/alias" will not be valid after 20160222084849.

which makes me think that certmonger actually wanted to try and work this time. However, then I see:

Feb 16 00:29:47 ipa1 certmonger: Server at " https://ipa1.ipa.domain:9443/ca/agent/ca/profileProcess" replied: 1: Authentication Error
Feb 16 00:29:47 ipa1 certmonger: Server at " https://ipa1.ipa.domain:9443/ca/agent/ca/profileProcess" replied: 1: Authentication Error
Feb 16 00:29:47 ipa1 certmonger: Server at " https://ipa1.ipa.domain:9443/ca/agent/ca/profileProcess" replied: 1: Authentication Error
Feb 16 00:29:47 ipa1 certmonger: Server at " https://ipa1.ipa.domain:9443/ca/agent/ca/profileProcess" replied: 1: Authentication Error

I also saw a certmonger decoding error with a certificate after the error. As it prints out the certificate in the log, I tried tracking it down, but no success.

Looking at the tomcat logs for the CA startup on port 9443, I see:

Feb 16, 2016 12:31:43 AM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-9443
JSSSocketFactory init - exception thrown:java.lang.NullPointerException

Looking this up leads me to https://bugzilla.redhat.com/show_bug.cgi?id=1058366.
Seeing this bug is not even fixed in IPA version 3.0.x, and I wasn't sure exactly how to implement any solution described there, I couldn't make it work. I'm not sure if this is the reason that certmonger flopped in the first place as it has updated certs before, but, perhaps it was a bug introduced after it was functioning correctly.

Should I be able to access anything on SSL port 9443 in the browser just to see if it's working?

Steve

From a.fedora at earsdown.com Fri Mar 18 09:12:44 2016
From: a.fedora at earsdown.com (earsdown)
Date: Fri, 18 Mar 2016 20:12:44 +1100
Subject: [Freeipa-users] Certificate profiles and CA ACLs for service principals
Message-ID: <56535c6e3ec310a6639f4616b1a396f5@earsdown.com>

Hi all,

Firstly, a big thank you to everyone who works on the FreeIPA project - you guys are my heroes.

Let's talk about the new Certificate Profile and CA ACL feature and some use cases that should be possible but I'm struggling to implement. Hopefully I'm just missing something obvious, and if not, perhaps someone here can suggest a workaround. I'll do my best to keep this as brief and concise as possible, and I'm grateful for any help given.

Some background:

Our environment is composed of AWS EC2 instances running CentOS 7 (7.2.1511 + ipa-server-4.2.0-15, fully patched afaik).

Our instances acquire three certificates during creation, which is achieved via user-data/cloud-init. The first certificate is linked to service principal puppet/$HOSTNAME, the second is linked to HTTP/$HOSTNAME, and the third is the default NSS-based certificate linked to the host principal (via ipa-client-install --request-cert).

We want our long-lived EC2 instances to acquire certificates using the standard caIPAserviceCert profile. Examples would be database servers, puppetmasters, etc.

We use EC2 spot instances via auto-scaling groups heavily - these are our short-lived instances.
For example, application servers, etc. We want our short-lived instances to acquire certificates with a really short validity (like 3 days). Read on to find out why.

Our applications login to their respective postgresql databases using mutual SSL auth (i.e. IPA CA issued certificates). Sadly, postgresql has to be restarted every time the CRL is updated (see section 17.9.2 of postgresql doc). If the CRL expires, postgres stops authenticating clients via SSL. This means we're forced to either turn off CRL checking in postgres entirely or have really long CRL validity times - we're going to go with the latter. It also means application servers will need to be issued with short-lived certificates (and must not have access to the caIPAserviceCert profile) because we can't realistically restart our production database servers every time an application server's certificate gets revoked.

The use case:

1. Suppose we have a hostgroup called "database_servers" and a host called "db01" that is a member.
3. Modify the default CA ACL "hosts_services_caIPAserviceCert" to restrict access to the "database_servers" hostgroup only (i.e. no services or users allowed).
4. Attempt to request a certificate (via ipa-getcert) from the "db01" server (which is in the "database_servers" hostgroup). The request should be linked (via -K) to a service principal like postgres/$HOSTNAME (service to be created beforehand).
5. This currently fails with CA_REJECTED ca-error: Server at https://ipa.example.com/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Principal 'postgres/db01.example.com at EXAMPLE.COM' is not permitted to use CA '.' with profile 'caIPAserviceCert' for certificate issuance.).

Is this the intended behaviour? If so, is there any way to avoid having to add each and every individual service principal directly to the CA ACL? After all, we have hostgroups to avoid the mess of adding individual hosts, right? Well...
each host would have several service principals...and we don't seem to have a way of grouping them.

Thanks in advance,
~earsdown

From jgoddard at emerlyn.com Fri Mar 18 15:08:14 2016
From: jgoddard at emerlyn.com (Jeff Goddard)
Date: Fri, 18 Mar 2016 11:08:14 -0400
Subject: [Freeipa-users] Trouble creating userobjectlass sambaSAMAccount
Message-ID:

Hello all,

I'm following this guide: https://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/cifs.html in attempts to have a SAMBA server with freeipa as the back-end authentication method. My problem is that the command:

ipa config-mod --userobjectclasses=top,person,organizationalperson,inetorgperson,inetuser,posixaccount,krbprincipalaux,krbticketpolicyaux,ipaobject,sambaSAMAccount

fails with the message:

ipa: ERROR: objectclass top,person,organizationalperson,inetorgperson,inetuser,posixaccount,krbprincipalaux,krbticketpolicyaux,ipaobject,sambaSAMAccount not found.

Using the web GUI I was able to add this field but it doesn't dynamically add it to my existing users and so I get errors such as:

[2016/03/18 10:20:21.052605, 3] ../source3/lib/smbldap.c:579(smbldap_start_tls)
  StartTLS issued: using a TLS connection
[2016/03/18 10:20:21.052661, 2] ../source3/lib/smbldap.c:794(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2016/03/18 10:20:21.055250, 3] ../source3/lib/smbldap.c:1013(smbldap_connect_system)
  ldap_connect_system: successful connection to the LDAP server
[2016/03/18 10:20:21.056774, 4] ../source3/passdb/pdb_ldap.c:1496(ldapsam_getsampwnam)
  ldapsam_getsampwnam: Unable to locate user [jgoddard] count=0
[2016/03/18 10:20:21.056856, 3, pid=9121, effective(0, 0), real(0, 0), class=auth] ../source3/auth/check_samsec.c:400(check_sam_security)
  check_sam_security: Couldn't find user 'jgoddard' in passdb.
[2016/03/18 10:20:21.056890, 5, pid=9121, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:252(auth_check_ntlm_password)
  check_ntlm_password: sam authentication for user [jgoddard] FAILED with error NT_STATUS_NO_SUCH_USER
[2016/03/18 10:20:21.056944, 2, pid=9121, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [jgoddard] -> [jgoddard] FAILED with error NT_STATUS_NO_SUCH_USER
[2016/03/18 10:20:21.056972, 2] ../auth/gensec/spnego.c:746(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_NO_SUCH_USER
[2016/03/18 10:20:21.057837, 3] ../source3/smbd/server_exit.c:249(exit_server_common)
  Server exit (NT_STATUS_CONNECTION_RESET)

When trying to authenticate to my share.

The search from the samba server: ldapsearch -LLL -x -h id-management-1.internal.emerlyn.com uid=jgoddard does not return a value for sambaSAMAccount either. Can anyone provide me a pointer or documentation on where I'm going wrong?

Thanks,

Jeff

From christopher.lamb at ch.ibm.com Fri Mar 18 15:35:15 2016
From: christopher.lamb at ch.ibm.com (Christopher Lamb)
Date: Fri, 18 Mar 2016 16:35:15 +0100
Subject: [Freeipa-users] Trouble creating userobjectlass sambaSAMAccount
In-Reply-To:
References:
Message-ID: <201603181535.u2IFZZc2030795@d06av11.portsmouth.uk.ibm.com>

Hi Jeff

When I last integrated FreeIPA and Samba I used ldapmodify to successfully add sambaSAMAccount and sambaGroupMapping.

ldapmodify -Y GSSAPI <<EOF
dn: cn=etc,cn=ipaconfig,dc=my,dc=silly,dc=example,dc=com
changetype: modify
add: ipaUserObjectClasses
ipaUserObjectClasses: sambaSAMAccount
-
add: ipaGroupObjectClasses
ipaGroupObjectClasses: sambaGroupMapping
EOF

Note, also there is a notorious spelling mistake under Point 5 of the Fedora instructions you are following

cosAttribute: sambaGrouptType

should be:

cosAttribute: sambaGroupType

i.e. sambaGroupType has only one "T".

Chris

From: Jeff Goddard
To: freeipa-users at redhat.com
Date: 18.03.2016 16:11
Subject: [Freeipa-users] Trouble creating userobjectlass sambaSAMAccount
Sent by: freeipa-users-bounces at redhat.com

Hello all,

I'm following this guide: https://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/cifs.html in attempts to have a SAMBA server with freeipa as the back-end authentication method.
My problem is that the command:

ipa config-mod --userobjectclasses=top,person,organizationalperson,inetorgperson,inetuser,posixaccount,krbprincipalaux,krbticketpolicyaux,ipaobject,sambaSAMAccount

fails with the message:

ipa: ERROR: objectclass top,person,organizationalperson,inetorgperson,inetuser,posixaccount,krbprincipalaux,krbticketpolicyaux,ipaobject,sambaSAMAccount not found.

Using the web GUI I was able to add this field but it doesn't dynamically add it to my existing users and so I get errors such as:

[2016/03/18 10:20:21.052605,  3] ../source3/lib/smbldap.c:579 (smbldap_start_tls)
  StartTLS issued: using a TLS connection
[2016/03/18 10:20:21.052661,  2] ../source3/lib/smbldap.c:794 (smbldap_open_connection)
  smbldap_open_connection: connection opened
[2016/03/18 10:20:21.055250,  3] ../source3/lib/smbldap.c:1013 (smbldap_connect_system)
  ldap_connect_system: successful connection to the LDAP server
[2016/03/18 10:20:21.056774,  4] ../source3/passdb/pdb_ldap.c:1496 (ldapsam_getsampwnam)
  ldapsam_getsampwnam: Unable to locate user [jgoddard] count=0
[2016/03/18 10:20:21.056856,  3, pid=9121, effective(0, 0), real(0, 0), class=auth] ../source3/auth/check_samsec.c:400(check_sam_security)
  check_sam_security: Couldn't find user 'jgoddard' in passdb.
[2016/03/18 10:20:21.056890,  5, pid=9121, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:252(auth_check_ntlm_password)
  check_ntlm_password: sam authentication for user [jgoddard] FAILED with error NT_STATUS_NO_SUCH_USER
[2016/03/18 10:20:21.056944,  2, pid=9121, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [jgoddard] -> [jgoddard] FAILED with error NT_STATUS_NO_SUCH_USER
[2016/03/18 10:20:21.056972,  2] ../auth/gensec/spnego.c:746 (gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_NO_SUCH_USER
[2016/03/18 10:20:21.057837,
3] ../source3/smbd/server_exit.c:249 (exit_server_common)
  Server exit (NT_STATUS_CONNECTION_RESET)

When trying to authenticate to my share.

The search from the samba server: ldapsearch -LLL -x -h id-management-1.internal.emerlyn.com uid=jgoddard does not return a value for sambaSAMAccount either. Can anyone provide me a pointer or documentation on where I'm going wrong?

Thanks,

Jeff

From jgoddard at emerlyn.com Fri Mar 18 15:43:05 2016
From: jgoddard at emerlyn.com (Jeff Goddard)
Date: Fri, 18 Mar 2016 11:43:05 -0400
Subject: [Freeipa-users] Trouble creating userobjectlass sambaSAMAccount
In-Reply-To: <201603181535.u2IFZYn8003299@d06av12.portsmouth.uk.ibm.com>
References: <201603181535.u2IFZYn8003299@d06av12.portsmouth.uk.ibm.com>
Message-ID:

Christopher,

Thank you for the response. It seems my syntax is still not correct. Here is the command and output I received:

[root at id-management-1 ~]# ldapmodify -Y GSSAPI < wrote:

> Hi Jeff
>
> When I last integrated FreeIPA and Samba I used ldapmodify to successfully
> add sambaSAMAccount and sambaGroupMapping.
>
>
> ldapmodify -Y GSSAPI <<EOF
> dn: cn=etc,cn=ipaconfig,dc=my,dc=silly,dc=example,dc=com
> changetype: modify
> add: ipaUserObjectClasses
> ipaUserObjectClasses: sambaSAMAccount
> -
> add: ipaGroupObjectClasses
> ipaGroupObjectClasses: sambaGroupMapping
> EOF
>
> Note, also there is a notorious spelling mistake under Point 5 of the
> Fedora instructions you are following
>
> cosAttribute: sambaGrouptType
>
> should be:
>
> cosAttribute: sambaGroupType
>
> i.e. sambaGroupType has only one "T".
>
> Chris
>
> From: Jeff Goddard
> To: freeipa-users at redhat.com
> Date: 18.03.2016 16:11
> Subject: [Freeipa-users] Trouble creating userobjectlass sambaSAMAccount
> Sent by: freeipa-users-bounces at redhat.com
> ------------------------------
>
> Hello all,
>
> I'm following this guide:
> *https://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/cifs.html*
>
> in attempts to have a SAMBA server with freeipa as the back-end
> authentication method. My problem is that the command: ipa config-mod
> --userobjectclasses=top,person,organizationalperson,inetorgperson,inetuser,posixaccount,krbprincipalaux,krbticketpolicyaux,ipaobject,sambaSAMAccount
> fails with the message: ipa: ERROR: objectclass
> top,person,organizationalperson,inetorgperson,inetuser,posixaccount,krbprincipalaux,krbticketpolicyaux,ipaobject,sambaSAMAccount
> not found.
>
> Using the web GUI I was able to add this field but it doesn't dynamically
> add it to my existing users and so I get errors such as:
>
> [2016/03/18 10:20:21.052605, 3]
> ../source3/lib/smbldap.c:579(smbldap_start_tls)
> StartTLS issued: using a TLS connection
> [2016/03/18 10:20:21.052661, 2]
> ../source3/lib/smbldap.c:794(smbldap_open_connection)
> smbldap_open_connection: connection opened
> [2016/03/18 10:20:21.055250, 3]
> ../source3/lib/smbldap.c:1013(smbldap_connect_system)
> ldap_connect_system: successful connection to the LDAP server
> [2016/03/18 10:20:21.056774, 4]
> ../source3/passdb/pdb_ldap.c:1496(ldapsam_getsampwnam)
> ldapsam_getsampwnam: Unable to locate user [jgoddard] count=0
> [2016/03/18 10:20:21.056856, 3, pid=9121, effective(0, 0), real(0, 0),
> class=auth] ../source3/auth/check_samsec.c:400(check_sam_security)
> check_sam_security: Couldn't find user 'jgoddard' in passdb.
> [2016/03/18 10:20:21.056890, 5, pid=9121, effective(0, 0), real(0, 0),
> class=auth] ../source3/auth/auth.c:252(auth_check_ntlm_password)
> check_ntlm_password: sam authentication for user [jgoddard] FAILED with
> error NT_STATUS_NO_SUCH_USER
> [2016/03/18 10:20:21.056944, 2, pid=9121, effective(0, 0), real(0, 0),
> class=auth] ../source3/auth/auth.c:315(auth_check_ntlm_password)
> check_ntlm_password: Authentication for user [jgoddard] -> [jgoddard]
> FAILED with error NT_STATUS_NO_SUCH_USER
> [2016/03/18 10:20:21.056972, 2]
> ../auth/gensec/spnego.c:746(gensec_spnego_server_negTokenTarg)
> SPNEGO login failed: NT_STATUS_NO_SUCH_USER
> [2016/03/18 10:20:21.057837, 3]
> ../source3/smbd/server_exit.c:249(exit_server_common)
> Server exit (NT_STATUS_CONNECTION_RESET)
>
> When trying to authenticate to my share.
>
> The search from the samba server: ldapsearch -LLL -x -h
> *id-management-1.internal.emerlyn.com*
> uid=jgoddard
> does not return a value for sambaSAMAccount either. Can anyone provide me
> a pointer or documentation on where I'm going wrong?
>
> Thanks,
>
> Jeff

From jgoddard at emerlyn.com Fri Mar 18 16:08:04 2016
From: jgoddard at emerlyn.com (Jeff Goddard)
Date: Fri, 18 Mar 2016 12:08:04 -0400
Subject: [Freeipa-users] Trouble creating userobjectlass sambaSAMAccount
In-Reply-To: <201603181535.u2IFZYn8003299@d06av12.portsmouth.uk.ibm.com>
References: <201603181535.u2IFZYn8003299@d06av12.portsmouth.uk.ibm.com>
Message-ID:

Found the syntax error.
Apparently the DN is:
dn:cn=ipaconfig,cn=etc,dc=internal,dc=emerlyn,dc=com rather than
dn:cn=etc,cn=ipaconfig,dc=internal,dc=emerlyn,dc=com

On Fri, Mar 18, 2016 at 11:35 AM, Christopher Lamb <christopher.lamb at ch.ibm.com> wrote:

> Hi Jeff
>
> When I last integrated FreeIPA and Samba I used ldapmodify to successfully
> add sambaSAMAccount and sambaGroupMapping.
>
>
> ldapmodify -Y GSSAPI <<EOF
> dn: cn=etc,cn=ipaconfig,dc=my,dc=silly,dc=example,dc=com
> changetype: modify
> add: ipaUserObjectClasses
> ipaUserObjectClasses: sambaSAMAccount
> -
> add: ipaGroupObjectClasses
> ipaGroupObjectClasses: sambaGroupMapping
> EOF
>
> Note, also there is a notorious spelling mistake under Point 5 of the
> Fedora instructions you are following
>
> cosAttribute: sambaGrouptType
>
> should be:
>
> cosAttribute: sambaGroupType
>
> i.e. sambaGroupType has only one "T".
>
> Chris
>
> From: Jeff Goddard
> To: freeipa-users at redhat.com
> Date: 18.03.2016 16:11
> Subject: [Freeipa-users] Trouble creating userobjectlass sambaSAMAccount
> Sent by: freeipa-users-bounces at redhat.com
> ------------------------------
>
> Hello all,
>
> I'm following this guide:
> *https://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/cifs.html*
>
> in attempts to have a SAMBA server with freeipa as the back-end
> authentication method. My problem is that the command: ipa config-mod
> --userobjectclasses=top,person,organizationalperson,inetorgperson,inetuser,posixaccount,krbprincipalaux,krbticketpolicyaux,ipaobject,sambaSAMAccount
> fails with the message: ipa: ERROR: objectclass
> top,person,organizationalperson,inetorgperson,inetuser,posixaccount,krbprincipalaux,krbticketpolicyaux,ipaobject,sambaSAMAccount
> not found.
>
> Using the web GUI I was able to add this field but it doesn't dynamically
> add it to my existing users and so I get errors such as:
>
> [2016/03/18 10:20:21.052605, 3]
> ../source3/lib/smbldap.c:579(smbldap_start_tls)
> StartTLS issued: using a TLS connection
> [2016/03/18 10:20:21.052661, 2]
> ../source3/lib/smbldap.c:794(smbldap_open_connection)
> smbldap_open_connection: connection opened
> [2016/03/18 10:20:21.055250, 3]
> ../source3/lib/smbldap.c:1013(smbldap_connect_system)
> ldap_connect_system: successful connection to the LDAP server
> [2016/03/18 10:20:21.056774, 4]
> ../source3/passdb/pdb_ldap.c:1496(ldapsam_getsampwnam)
> ldapsam_getsampwnam: Unable to locate user [jgoddard] count=0
> [2016/03/18 10:20:21.056856, 3, pid=9121, effective(0, 0), real(0, 0),
> class=auth] ../source3/auth/check_samsec.c:400(check_sam_security)
> check_sam_security: Couldn't find user 'jgoddard' in passdb.
> [2016/03/18 10:20:21.056890, 5, pid=9121, effective(0, 0), real(0, 0),
> class=auth] ../source3/auth/auth.c:252(auth_check_ntlm_password)
> check_ntlm_password: sam authentication for user [jgoddard] FAILED with
> error NT_STATUS_NO_SUCH_USER
> [2016/03/18 10:20:21.056944, 2, pid=9121, effective(0, 0), real(0, 0),
> class=auth] ../source3/auth/auth.c:315(auth_check_ntlm_password)
> check_ntlm_password: Authentication for user [jgoddard] -> [jgoddard]
> FAILED with error NT_STATUS_NO_SUCH_USER
> [2016/03/18 10:20:21.056972, 2]
> ../auth/gensec/spnego.c:746(gensec_spnego_server_negTokenTarg)
> SPNEGO login failed: NT_STATUS_NO_SUCH_USER
> [2016/03/18 10:20:21.057837, 3]
> ../source3/smbd/server_exit.c:249(exit_server_common)
> Server exit (NT_STATUS_CONNECTION_RESET)
>
> When trying to authenticate to my share.
>
> The search from the samba server: ldapsearch -LLL -x -h
> *id-management-1.internal.emerlyn.com*
> uid=jgoddard
> does not return a value for sambaSAMAccount either. Can anyone provide me
> a pointer or documentation on where I'm going wrong?
>
> Thanks,
>
> Jeff

From michael.rainey.ctr at nrlssc.navy.mil Fri Mar 18 15:53:08 2016
From: michael.rainey.ctr at nrlssc.navy.mil (Michael Rainey (Contractor))
Date: Fri, 18 Mar 2016 10:53:08 -0500
Subject: [Freeipa-users] Lock screen when Smart Card is removed.
In-Reply-To: <20160311083222.GF3059@p.redhat.com>
References: <_1ZpdFsXKWmdSYRSYk8Xc0Aor5jcUaVJofpJ1Wy9L8SxyPeFTZrMhA@cipher.nrlssc.navy.mil> <20160311083222.GF3059@p.redhat.com>
Message-ID:

Hi Sumit,

It has been a week and I am following up with you on the lock screen issue. Have you had any progress? If so, I am hoping implementing the fix will be quick and easy.

Thanks,

*Michael Rainey*

On 03/11/2016 02:32 AM, Sumit Bose wrote:
> On Thu, Mar 10, 2016 at 01:36:15PM -0600, Michael Rainey (Contractor) wrote:
>> Greetings,
>>
>> I have been adding systems to my new domain and utilizing the smart card
>> login feature. To date the smart card login feature is working very well.
>> However, my group has been trying to implement locking the screen when the
>> smart card is removed, but have not been successful at making it work. Does
>> anyone have any suggestions as to what it would take to enable locking the
>> screen when the smart card is removed.
> This requires a better integration with gdm which is currently WIP
> (https://fedorahosted.org/sssd/ticket/2941). If you don't mind please
> ping me in about a week about this again, then I might have done some
> more testing.
>
> bye,
> Sumit
>
>> Thank you in advance.
>> --
>> *Michael Rainey*

From christopher.lamb at ch.ibm.com Fri Mar 18 16:19:43 2016
From: christopher.lamb at ch.ibm.com (Christopher Lamb)
Date: Fri, 18 Mar 2016 17:19:43 +0100
Subject: [Freeipa-users] Trouble creating userobjectlass sambaSAMAccount
In-Reply-To:
References: <201603181535.u2IFZYn8003299@d06av12.portsmouth.uk.ibm.com>
Message-ID: <201603181620.u2IGK1NX003918@d06av12.portsmouth.uk.ibm.com>

Hi Jeff

As far as I can see, your command looks ok (though I don't know what your dn should look like).

Did you run the "kinit admin" command before?

When I was doing the Samba + FreeIPA integration I found using an LDAP browser (Apache Directory Studio) very useful to visualise the LDAP "tree" (and even if required to manually edit objects ....)

Chris

From: Jeff Goddard
To: Christopher Lamb/Switzerland/IBM at IBMCH
Cc: freeipa-users at redhat.com
Date: 18.03.2016 16:43
Subject: Re: [Freeipa-users] Trouble creating userobjectlass sambaSAMAccount

Christopher,

Thank you for the response. It seems my syntax is still not correct. Here is the command and output I received:

[root at id-management-1 ~]# ldapmodify -Y GSSAPI < wrote:

Hi Jeff

When I last integrated FreeIPA and Samba I used ldapmodify to successfully add sambaSAMAccount and sambaGroupMapping.

ldapmodify -Y GSSAPI < To: freeipa-users at redhat.com
Date: 18.03.2016 16:11
Subject: [Freeipa-users] Trouble creating userobjectlass sambaSAMAccount
Sent by: freeipa-users-bounces at redhat.com

Hello all,

I'm following this guide: https://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/cifs.html in attempts to have a SAMBA server with freeipa as the back-end authentication method. My problem is that the command: ipa config-mod --userobjectclasses=top,person,organizationalperson,inetorgperson,inetuser,posixaccount,krbprincipalaux,krbticketpolicyaux,ipaobject,sambaSAMAccount fails with the message: ipa: ERROR: objectclass top,person,organizationalperson,inetorgperson,inetuser,posixaccount,krbprincipalaux,krbticketpolicyaux,ipaobject,sambaSAMAccount not found.

Using the web GUI I was able to add this field but it doesn't dynamically add it to my existing users and so I get errors such as:

[2016/03/18 10:20:21.052605, 3] ../source3/lib/smbldap.c:579(smbldap_start_tls)
  StartTLS issued: using a TLS connection
[2016/03/18 10:20:21.052661, 2] ../source3/lib/smbldap.c:794(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2016/03/18 10:20:21.055250, 3] ../source3/lib/smbldap.c:1013(smbldap_connect_system)
  ldap_connect_system: successful connection to the LDAP server
[2016/03/18 10:20:21.056774, 4] ../source3/passdb/pdb_ldap.c:1496(ldapsam_getsampwnam)
  ldapsam_getsampwnam: Unable to locate user [jgoddard] count=0
[2016/03/18 10:20:21.056856, 3, pid=9121, effective(0, 0), real(0, 0), class=auth] ../source3/auth/check_samsec.c:400(check_sam_security)
  check_sam_security: Couldn't find user 'jgoddard' in passdb.
[2016/03/18 10:20:21.056890, 5, pid=9121, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:252(auth_check_ntlm_password)
  check_ntlm_password: sam authentication for user [jgoddard] FAILED with error NT_STATUS_NO_SUCH_USER
[2016/03/18 10:20:21.056944, 2, pid=9121, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [jgoddard] -> [jgoddard] FAILED with error NT_STATUS_NO_SUCH_USER
[2016/03/18 10:20:21.056972, 2] ../auth/gensec/spnego.c:746(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_NO_SUCH_USER
[2016/03/18 10:20:21.057837, 3] ../source3/smbd/server_exit.c:249(exit_server_common)
  Server exit (NT_STATUS_CONNECTION_RESET)

When trying to authenticate to my share.

The search from the samba server: ldapsearch -LLL -x -h id-management-1.internal.emerlyn.com uid=jgoddard does not return a value for sambaSAMAccount either. Can anyone provide me a pointer or documentation on where I'm going wrong?

Thanks,

Jeff

From sbose at redhat.com Fri Mar 18 16:53:23 2016
From: sbose at redhat.com (Sumit Bose)
Date: Fri, 18 Mar 2016 17:53:23 +0100
Subject: [Freeipa-users] Trouble creating userobjectlass sambaSAMAccount
In-Reply-To:
References: <201603181535.u2IFZYn8003299@d06av12.portsmouth.uk.ibm.com>
Message-ID: <20160318165323.GD7134@p.redhat.com>

On Fri, Mar 18, 2016 at 12:08:04PM -0400, Jeff Goddard wrote:
> Found the syntax error. Apparently the DN is:
> dn:cn=ipaconfig,cn=etc,dc=internal,dc=emerlyn,dc=com rather than
> dn:cn=etc,cn=ipaconfig,dc=internal,dc=emerlyn,dc=com
>
> On Fri, Mar 18, 2016 at 11:35 AM, Christopher Lamb <
> christopher.lamb at ch.ibm.com> wrote:
>
> > Hi Jeff
> >
> > When I last integrated FreeIPA and Samba I used ldapmodify to successfully
> > add sambaSAMAccount and sambaGroupMapping.
> >
> > ldapmodify -Y GSSAPI <<EOF
> > dn: cn=etc,cn=ipaconfig,dc=my,dc=silly,dc=example,dc=com
> > changetype: modify
> > add: ipaUserObjectClasses
> > ipaUserObjectClasses: sambaSAMAccount
> > -
> > add: ipaGroupObjectClasses
> > ipaGroupObjectClasses: sambaGroupMapping
> > EOF
> >
> > Note, also there is a notorious spelling mistake under Point 5 of the
> > Fedora instructions you are following
> >
> > cosAttribute: sambaGrouptType
> >
> > should be:
> >
> > cosAttribute: sambaGroupType
> >
> > i.e. sambaGroupType has only one "T".
> >
> > Chris
> >
> > From: Jeff Goddard
> > To: freeipa-users at redhat.com
> > Date: 18.03.2016 16:11
> > Subject: [Freeipa-users] Trouble creating userobjectlass sambaSAMAccount
> > Sent by: freeipa-users-bounces at redhat.com
> > ------------------------------
> >
> > Hello all,
> >
> > I'm following this guide:
> > *https://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/cifs.html*
> >
> > in attempts to have a SAMBA server with freeipa as the back-end
> > authentication method. My problem is that the command: ipa config-mod
> > --userobjectclasses=top,person,organizationalperson,inetorgperson,inetuser,posixaccount,krbprincipalaux,krbticketpolicyaux,ipaobject,sambaSAMAccount

--userobjectclasses only expects one argument, but the option can be used multiple times. If you use bash you can use the brace expansion to make this easier:

ipa config-mod --userobjectclasses={top,person,organizationalperson,inetorgperson,inetuser,posixaccount,krbprincipalaux,krbticketpolicyaux,ipaobject,sambaSAMAccount}

(please note no spaces are allowed between the braces)

As a general remark, you can find out about the real attribute names and the DN by using the --all and --raw options:

ipa config-show --all --raw

HTH

bye,
Sumit

> > fails with the message: ipa: ERROR: objectclass
> > top,person,organizationalperson,inetorgperson,inetuser,posixaccount,krbprincipalaux,krbticketpolicyaux,ipaobject,sambaSAMAccount
> > not found.
> >
> > Using the web GUI I was able to add this field but it doesn't dynamically
> > add it to my existing users and so I get errors such as:
> >
> > [2016/03/18 10:20:21.052605, 3]
> > ../source3/lib/smbldap.c:579(smbldap_start_tls)
> > StartTLS issued: using a TLS connection
> > [2016/03/18 10:20:21.052661, 2]
> > ../source3/lib/smbldap.c:794(smbldap_open_connection)
> > smbldap_open_connection: connection opened
> > [2016/03/18 10:20:21.055250, 3]
> > ../source3/lib/smbldap.c:1013(smbldap_connect_system)
> > ldap_connect_system: successful connection to the LDAP server
> > [2016/03/18 10:20:21.056774, 4]
> > ../source3/passdb/pdb_ldap.c:1496(ldapsam_getsampwnam)
> > ldapsam_getsampwnam: Unable to locate user [jgoddard] count=0
> > [2016/03/18 10:20:21.056856, 3, pid=9121, effective(0, 0), real(0, 0),
> > class=auth] ../source3/auth/check_samsec.c:400(check_sam_security)
> > check_sam_security: Couldn't find user 'jgoddard' in passdb.
> > [2016/03/18 10:20:21.056890, 5, pid=9121, effective(0, 0), real(0, 0),
> > class=auth] ../source3/auth/auth.c:252(auth_check_ntlm_password)
> > check_ntlm_password: sam authentication for user [jgoddard] FAILED with
> > error NT_STATUS_NO_SUCH_USER
> > [2016/03/18 10:20:21.056944, 2, pid=9121, effective(0, 0), real(0, 0),
> > class=auth] ../source3/auth/auth.c:315(auth_check_ntlm_password)
> > check_ntlm_password: Authentication for user [jgoddard] -> [jgoddard]
> > FAILED with error NT_STATUS_NO_SUCH_USER
> > [2016/03/18 10:20:21.056972, 2]
> > ../auth/gensec/spnego.c:746(gensec_spnego_server_negTokenTarg)
> > SPNEGO login failed: NT_STATUS_NO_SUCH_USER
> > [2016/03/18 10:20:21.057837, 3]
> > ../source3/smbd/server_exit.c:249(exit_server_common)
> > Server exit (NT_STATUS_CONNECTION_RESET)
> >
> > When trying to authenticate to my share.
> >
> > The search from the samba server: ldapsearch -LLL -x -h
> > *id-management-1.internal.emerlyn.com*
> > uid=jgoddard
> > does not return a value for sambaSAMAccount either. Can anyone provide me
> > a pointer or documentation on where I'm going wrong?
> >
> > Thanks,
> >
> > Jeff

From randym at chem.byu.edu Fri Mar 18 20:21:02 2016
From: randym at chem.byu.edu (Randy Morgan)
Date: Fri, 18 Mar 2016 14:21:02 -0600
Subject: [Freeipa-users] Directory Search Question
Message-ID: <56EC632E.1060807@chem.byu.edu>

We have a FreeIPA Version 4.2 production installation that seems to have a limitation we cannot figure out how to overcome. Users cannot search, from the gui, for a specific user.
The only users who can perform a search for a specific user are full-admins, everyone else the search option does not respond, meaning that if you click on the magnifying glass, nothing happens. We have a large number of groups, and they are managed by the group owner, who needs to be able to do a user search. This appears to be a permissions issue, but we are not sure what we need to change to make it so that we can assign search capability to specific user groups. Any help would be greatly appreciated.

Randy

--
Randy Morgan
CSR
Department of Chemistry and Biochemistry
Brigham Young University
801-422-4100

From harri at afaics.de Sat Mar 19 09:38:08 2016
From: harri at afaics.de (Harald Dunkel)
Date: Sat, 19 Mar 2016 10:38:08 +0100
Subject: [Freeipa-users] sssd.service start operation timed out
In-Reply-To: <20160316134302.GB18853@mail.corp.redhat.com>
References: <56E84969.3090603@afaics.de> <20160315182155.GH25240@hendrix.redhat.com> <56E86CEE.4090302@afaics.de> <20160316083024.GI25240@hendrix.redhat.com> <56E96000.6000001@afaics.de> <20160316134302.GB18853@mail.corp.redhat.com>
Message-ID: <56ED1E00.8020208@afaics.de>

On 03/16/16 14:43, Lukas Slebodnik wrote:
> On (16/03/16 14:30), Harald Dunkel wrote:
>> (Wed Mar 16 13:25:05 2016) [sssd] [sbus_add_watch] (0x2000): 0xb3e070/0xb3dda0 (14), R/- (enabled)
>> (Wed Mar 16 13:25:05 2016) [sssd] [get_ping_config] (0x0100): Time between service pings for [example.com]: [10]
>> (Wed Mar 16 13:25:05 2016) [sssd] [get_ping_config] (0x0100): Time between SIGTERM and SIGKILL for [example.com]: [60]
>> (Wed Mar 16 13:25:05 2016) [sssd] [start_service] (0x0100): Queueing service example.com for startup
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ sssd should spawn child processes here.
>> (Wed Mar 16 13:25:06 2016) [sssd] [monitor_quit_signal] (0x2000): Received shutdown command
> ^^^^^^^^^^^^^^^^^^^^^^^^^ After a second, sssd got signal for shutdown.
>> (Wed Mar 16 13:25:08 2016) [sssd] [monitor_quit_signal] (0x0040): Monitor received Terminated: terminating children
> ^^^^^^^^^^ SIGTERM
>> (Wed Mar 16 13:25:08 2016) [sssd] [monitor_quit] (0x0040): Returned with: 0
>> (Wed Mar 16 13:25:08 2016) [sssd] [monitor_quit] (0x0020): Terminating [example.com][474]
>> (Wed Mar 16 13:25:08 2016) [sssd] [monitor_quit] (0x0020): Child [example.com] terminated with a signal
>> (Wed Mar 16 13:25:08 2016) [sssd] [monitor_cleanup] (0x0010): Error removing pidfile! (2 [No such file or directory])
>> (Wed Mar 16 13:25:08 2016) [sssd] [sbus_remove_watch] (0x2000): 0xb3e070/0xb3dda0
>>
>
> It does not look like problem in sssd.
>

Are you sure? Then why doesn't it "spawn child processes here"?

I would guess the SIGTERM was either sent by systemd or sssd's startup script? Since freeipa doesn't work with anything else but systemd it's a little bit cheap now to say "not my problem", is it?

Regards
Harri

From lslebodn at redhat.com Sat Mar 19 09:59:44 2016
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Sat, 19 Mar 2016 10:59:44 +0100
Subject: [Freeipa-users] sssd.service start operation timed out
In-Reply-To: <56ED1E00.8020208@afaics.de>
References: <56E84969.3090603@afaics.de> <20160315182155.GH25240@hendrix.redhat.com> <56E86CEE.4090302@afaics.de> <20160316083024.GI25240@hendrix.redhat.com> <56E96000.6000001@afaics.de> <20160316134302.GB18853@mail.corp.redhat.com> <56ED1E00.8020208@afaics.de>
Message-ID: <20160319095943.GA18225@mail.corp.redhat.com>

On (19/03/16 10:38), Harald Dunkel wrote:
>On 03/16/16 14:43, Lukas Slebodnik wrote:
>> On (16/03/16 14:30), Harald Dunkel wrote:
>>> (Wed Mar 16 13:25:05 2016) [sssd] [sbus_add_watch] (0x2000): 0xb3e070/0xb3dda0 (14), R/- (enabled)
>>> (Wed Mar 16 13:25:05 2016) [sssd] [get_ping_config] (0x0100): Time between service pings for [example.com]: [10]
>>> (Wed Mar 16 13:25:05 2016) [sssd] [get_ping_config] (0x0100): Time between SIGTERM and SIGKILL for [example.com]: [60]
>>> (Wed Mar 16 13:25:05 2016) [sssd] [start_service] (0x0100): Queueing service example.com for startup
>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ sssd should spawn child processes here.
>>> (Wed Mar 16 13:25:06 2016) [sssd] [monitor_quit_signal] (0x2000): Received shutdown command
>> ^^^^^^^^^^^^^^^^^^^^^^^^^ After a second, sssd got signal for shutdown.
>>> (Wed Mar 16 13:25:08 2016) [sssd] [monitor_quit_signal] (0x0040): Monitor received Terminated: terminating children
>> ^^^^^^^^^^ SIGTERM
>>> (Wed Mar 16 13:25:08 2016) [sssd] [monitor_quit] (0x0040): Returned with: 0
>>> (Wed Mar 16 13:25:08 2016) [sssd] [monitor_quit] (0x0020): Terminating [example.com][474]
>>> (Wed Mar 16 13:25:08 2016) [sssd] [monitor_quit] (0x0020): Child [example.com] terminated with a signal
>>> (Wed Mar 16 13:25:08 2016) [sssd] [monitor_cleanup] (0x0010): Error removing pidfile! (2 [No such file or directory])
>>> (Wed Mar 16 13:25:08 2016) [sssd] [sbus_remove_watch] (0x2000): 0xb3e070/0xb3dda0
>>>
>>
>> It does not look like problem in sssd.
>>
>
>Are you sure? Then why doesn't it "spawn child processes here"?
>
Logs are from main process. If the main process get a signal for shutdown then it cannot continue with "spawning child processes". sssd has to shutdown.

>I would guess the SIGTERM was either sent by systemd or sssd's
>startup script?
What do you mean by sssd's startup script?
You either have systemd or upstart/sysv and you should know which initsystem do you use.
sssd does not send SIGTERM to itself therefore signal had to be sent from somewhere else. So it's not a problem of sssd.

>Since freeipa doesn't work with anything else
>but systemd it's a little bit cheap now to say "not my problem",
>is it?
>
"freeipa-server" doesn't work with anything else but systemd. and freeipa-client just configure sssd and few other services. But sssd itself can run without systemd.

LS

From pgb205 at yahoo.com Sat Mar 19 21:58:56 2016
From: pgb205 at yahoo.com (pgb205)
Date: Sat, 19 Mar 2016 21:58:56 +0000 (UTC)
Subject: [Freeipa-users] Unable to authenticate
References: <1163824813.1321602.1458424736851.JavaMail.yahoo.ref@mail.yahoo.com>
Message-ID: <1163824813.1321602.1458424736851.JavaMail.yahoo@mail.yahoo.com>

I have enabled debugging with debug_level = 7 in sssd.conf
Receive following error messages:
Marking server 'ipa-server' as 'name resolved'
[be_resolve_server_process] (0x0200): Found address for server ipa-server
[get_port_status] (0x1000): Port status of port 389 for server 'ipa-server' is 'not working'

telnet ipa-server 389 works so it's not a problem with name resolution or ports being blocked
in krb5.conf i do have entries for ipa-server as well.

The logs also claim that the server is offline, but that of course is not the root cause. Are there any other things that I'm missing? Or what would you suggest as next troubleshooting step?

thanks

From harri at afaics.de Sun Mar 20 12:00:55 2016
From: harri at afaics.de (Harald Dunkel)
Date: Sun, 20 Mar 2016 13:00:55 +0100
Subject: [Freeipa-users] sssd.service start operation timed out
In-Reply-To: <20160319095943.GA18225@mail.corp.redhat.com>
References: <56E84969.3090603@afaics.de> <20160315182155.GH25240@hendrix.redhat.com> <56E86CEE.4090302@afaics.de> <20160316083024.GI25240@hendrix.redhat.com> <56E96000.6000001@afaics.de> <20160316134302.GB18853@mail.corp.redhat.com> <56ED1E00.8020208@afaics.de> <20160319095943.GA18225@mail.corp.redhat.com>
Message-ID: <56EE90F7.5060205@afaics.de>

Hi Lukas,

On 03/19/16 10:59, Lukas Slebodnik wrote:
> On (19/03/16 10:38), Harald Dunkel wrote:
>
>> Since freeipa doesn't work with anything else but systemd it's a little bit cheap now to say "not my problem", is it?
>>
> "freeipa-server" doesn't work with anything else but systemd. and freeipa-client just configure sssd and few other services.
>

Without systemd:

root at lxc31:~# ipa-client-install
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 2790, in
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 2771, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 2006, in install
    ipaclient.ntpconf.check_timedate_services()
  File "/usr/lib/python2.7/dist-packages/ipaclient/ntpconf.py", line 183, in check_timedate_services
    if instance.is_enabled() or instance.is_running():
  File "/usr/lib/python2.7/dist-packages/ipaplatform/base/services.py", line 321, in is_enabled
    self.service_instance(instance_name)])
  File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 321, in run
    preexec_fn=preexec_fn)
  File "/usr/lib/python2.7/subprocess.py", line 710, in __init__
    errread, errwrite)
  File "/usr/lib/python2.7/subprocess.py", line 1335, in _execute_child
    raise child_exception
OSError: [Errno 2] No such file or directory

Of course I understand that writing portable software is a difficult task, but is this restriction really necessary, if ipa client support is about "just configure sssd and a few other services"? Currently I have to install systemd to make ipa-client-install work, and later I can move back to sysvinit to support HA services.

You have to admit that this is weird.

Regards
Harri

From lslebodn at redhat.com Mon Mar 21 08:22:12 2016
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Mon, 21 Mar 2016 09:22:12 +0100
Subject: [Freeipa-users] sssd.service start operation timed out
In-Reply-To: <56EE90F7.5060205@afaics.de>
References: <56E84969.3090603@afaics.de> <20160315182155.GH25240@hendrix.redhat.com> <56E86CEE.4090302@afaics.de> <20160316083024.GI25240@hendrix.redhat.com> <56E96000.6000001@afaics.de> <20160316134302.GB18853@mail.corp.redhat.com> <56ED1E00.8020208@afaics.de> <20160319095943.GA18225@mail.corp.redhat.com> <56EE90F7.5060205@afaics.de>
Message-ID: <20160321082212.GA5897@mail.corp.redhat.com>

On (20/03/16 13:00), Harald Dunkel wrote:
>Hi Lukas,
>
>On 03/19/16 10:59, Lukas Slebodnik wrote:
>> On (19/03/16 10:38), Harald Dunkel wrote:
>>
>>> Since freeipa doesn't work with anything else but systemd it's a little bit cheap now to say "not my problem", is it?
>>>
>> "freeipa-server" doesn't work with anything else but systemd. and freeipa-client just configure sssd and few other services.
>>
>
>Without systemd:
>
>root at lxc31:~# ipa-client-install
>Traceback (most recent call last):
>  File "/usr/sbin/ipa-client-install", line 2790, in
>    sys.exit(main())
>  File "/usr/sbin/ipa-client-install", line 2771, in main
>    rval = install(options, env, fstore, statestore)
>  File "/usr/sbin/ipa-client-install", line 2006, in install
>    ipaclient.ntpconf.check_timedate_services()
>  File "/usr/lib/python2.7/dist-packages/ipaclient/ntpconf.py", line 183, in check_timedate_services
>    if instance.is_enabled() or instance.is_running():
>  File "/usr/lib/python2.7/dist-packages/ipaplatform/base/services.py", line 321, in is_enabled
>    self.service_instance(instance_name)])
>  File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 321, in run
>    preexec_fn=preexec_fn)
>  File "/usr/lib/python2.7/subprocess.py", line 710, in __init__
>    errread, errwrite)
>  File "/usr/lib/python2.7/subprocess.py", line 1335, in _execute_child
>    raise child_exception
>OSError: [Errno 2] No such file or directory
>
>
>Of course I understand that writing portable software is a
>difficult task, but is this restriction really necessary, if
>ipa client support is about "just configure sssd and a few
>other services"? Currently I have to install systemd to make
>ipa-client-install work, and later I can move back to sysvinit
>to support HA services.
>
But it's not problem of sssd. And it's not related to your issue with LXC containers.
It's problem of ipa-client-install

Feel free to send patches which make freeipa-client more portable
http://www.freeipa.org/page/Contribute/Code

LS

From mkosek at redhat.com Mon Mar 21 08:26:30 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 21 Mar 2016 09:26:30 +0100
Subject: [Freeipa-users] Directory Search Question
In-Reply-To: <56EC632E.1060807@chem.byu.edu>
References: <56EC632E.1060807@chem.byu.edu>
Message-ID: <56EFB036.7050503@redhat.com>

On 03/18/2016 09:21 PM, Randy Morgan wrote:
> We have a FreeIPA Version 4.2 production installation that seems to have a
> limitation we cannot figure out how to overcome. Users cannot search, from the
> gui, for a specific user. The only users who can perform a search for a
> specific user are full-admins, everyone else the search option does not
> respond, meaning that if you click on the magnifying glass, nothing happens.
> We have a large number of groups, and they are managed by the group owner, who
> needs to be able to do a user search. This appears to be a permissions issue,
> but we are not sure what we need to change to make it so that we can assign
> search capability to specific user groups. Any help would be greatly appreciated.

Hello Randy,

What permissions have you defined to allow your group admins to administer the groups? On my RHEL-7.2 machine, I tried setting up delegation like that:

# kinit admin
Password for admin at RHEL72:
# ipa group-add lab
# ipa permission-add --type group --right write --filter "(cn=lab)" --attrs member can_manage_lab
# ipa user-add --first Lab --last Admin labadmin
# ipa passwd labadmin
# ipa role-add labadmin
# ipa privilege-add labadmin
# ipa role-add-member labadmin --users labadmin
# ipa role-add-privilege labadmin --privilege labadmin
# ipa privilege-add-permission labadmin --permissions labadmin
# ipa privilege-add-permission labadmin --permissions can_manage_lab
# ipa user-show labadmin
...
Roles: labadmin # ipa user-add --first Lab --last User labuser1 # ipa user-add --first Lab --last User labuser2 # kinit labadmin Password for labadmin at RHEL72: Password expired. You must change it now. Enter new password: Enter it again: # ipa group-add-member lab --users labuser1 Group name: lab GID: 632400001 Member users: labuser1 ------------------------- Number of members added 1 ------------------------- When I tried to achieve similar with labadmin on https://ipa.rhel72/ipa/ui/#/e/group/member_user/lab it worked for me as well and I was able to manage lab group members in the UI. HTH, Martin From lslebodn at redhat.com Mon Mar 21 08:32:09 2016 From: lslebodn at redhat.com (Lukas Slebodnik) Date: Mon, 21 Mar 2016 09:32:09 +0100 Subject: [Freeipa-users] Unable to authenticate In-Reply-To: <1163824813.1321602.1458424736851.JavaMail.yahoo@mail.yahoo.com> References: <1163824813.1321602.1458424736851.JavaMail.yahoo.ref@mail.yahoo.com> <1163824813.1321602.1458424736851.JavaMail.yahoo@mail.yahoo.com> Message-ID: <20160321083209.GB5897@mail.corp.redhat.com> On (19/03/16 21:58), pgb205 wrote: >I have enabled debugging withdebug_level = 7 in sssd.conf >Receive following error messages:Marking server 'ipa-server' as 'name resolved'[be_resolve_server_process] (0x0200): Found address for server ipa-server >[get_port_status] (0x1000): Port status of port 389 for server 'ipa-server' is 'not working' > It would be good to find a reason why port 389 for server 'ipa-server' is 'not working'. Try to follow instructions from wiki https://fedorahosted.org/sssd/wiki/Troubleshooting LS From harvero at gmail.com Mon Mar 21 15:05:29 2016 From: harvero at gmail.com (Bob) Date: Mon, 21 Mar 2016 11:05:29 -0400 Subject: [Freeipa-users] Tracking Login Times Message-ID: We currently have 18 master ODSEE servers that we use to provide authentication services to both Redhat, SuSE, and Solaris systems. We are looking to add IPA servers to environment. 
We have a requirement to track time of last authentication. With ODSEE, time of last authentication tracking is enabled with this: *dsconf set-server-prop pwd-keep-last-auth-time-enabled:on* Looking at the Redhat DS 9 documentation, I see an account policy plug-in: cn=Account Policy Plugin,cn=plugins,cn=config Looking the freeipa.org pages on the server plugins, I do not see the account policy plugin listed. http://www.freeipa.org/page/Directory_Server Looking in the directory DT of a "VERSION: 4.2.0, API_VERSION: 2.156" installed on Redhat 7, I do see the account policy plugin in the config tree. Is the use of this account policy plugin supported with IPA? Should it work? Thanks, Bob Harvey From rcritten at redhat.com Mon Mar 21 15:22:14 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 21 Mar 2016 11:22:14 -0400 Subject: [Freeipa-users] Tracking Login Times In-Reply-To: References: Message-ID: <56F011A6.4040801@redhat.com> Bob wrote: > We currently have 18 master ODSEE servers that we use to provide authentication services to both Redhat, SuSE, and Solaris systems. We are looking to add IPA servers to > environment. > > We have a requirement to track time of last authentication. With ODSEE, time of last authentication tracking is enabled with this: > > *dsconf set-server-prop pwd-keep-last-auth-time-enabled:on* > > > Looking at the Redhat DS 9 documentation, I see an account policy plug-in: > > > cn=Account Policy Plugin,cn=plugins,cn=config > > Looking thefreeipa.org pages on the server plugins, I do not see the account policy plugin listed. > http://www.freeipa.org/page/Directory_Server > > Looking in the directory DT of a "VERSION: 4.2.0, API_VERSION: 2.156" installed on Redhat 7, I do see the account policy plugin in the config tree. > > > Is the use of this account policy plugin supported with IPA? Should it work? IPA has its own password policy.
You can get last successful authentication via krbLastSuccessfulAuth Don't let the attribute name mislead you, it is updated on every authentication. Also note that this is per-IPA master. It is not replicated. rob From pvoborni at redhat.com Mon Mar 21 15:28:27 2016 From: pvoborni at redhat.com (Petr Vobornik) Date: Mon, 21 Mar 2016 16:28:27 +0100 Subject: [Freeipa-users] Announcing FreeIPA 4.2.4 Message-ID: <56F0131B.4050209@redhat.com> The FreeIPA team would like to announce FreeIPA v4.2.4 bug fixing release! It can be downloaded from http://www.freeipa.org/page/Downloads. The builds are available for Fedora 23. https://bodhi.fedoraproject.org/updates/freeipa-4.2.4-1.fc23 This release notes are also available on http://www.freeipa.org/page/Releases/4.2.4 == Highlights in 4.2.4 == FreeIPA 4.2.4 is a bugfix release to improve upgrade experience from FreeIPA 4.1 for Fedora 23. === Bug fixes === * Fixed issue in installation of server with external CA where second step of installation "forgot" options from previous step which could lead, e.g., to DNS server not being installed. #5556 * Fixed issue in ipa-adtrust-install when a dash character was used in NetBIOS name * Fixed issue with migration from old self-sign IPA(e.g. CentOS 6) and upgrading it to a server with CA #5611, #5598, #5602, #5595, #5636, #4492, #5506 * Fixed issue with bind not starting after update due to wrong file permissions. #5520 * Fixed issue in installation of server without CA when certmonger was not running. #5519 * Fixed issue in upgrade of NIS maps. #5507 * Fixed issue in handling of empty cookies. It prevented users from log in to Web UI using forms-based authentication. #5709 * Fixed issue with installation of KRA on a replica. #5346 * Fixed issue with DNSSEC key purging not being handled properly #5334 * Fixed issue in replica installation after update of master from previous version where certificate profiles and CA ACL were not properly added. 
#5269 * Fixed issue in installation of replica with external CA, when multiple certificates with the same nickname were provided. #5117 * Fixed issue after upgrade of sidgen and extdom plugins which prevented from generation of Security Identifiers(SIDs). As a result, all AD trust created after the upgrade did not work while advertising that the trust was established correctly. #5665 * Fixed issue with starting FreeIPA after upgrade which happened when FreeIPA server was turned off. #5655 * Fixed internal error during an upgrade from FreeIPA 4.0 to 4.2 which prevented the upgrade process from upgrading forward zones properly. #5472 * Fixed issue with missing "System: Read Replication Agreements" ACI on new replicas. #5631 * Fixed issue on Web UI password reset page where user was not notified when he entered invalid password #5567 === Enhancements === * ipa-replica-prepare and ipa-replica-install no longer fails if PTR record is not resolvable #5686 == Upgrading == Upgrade instructions are available on upgrade page. == Feedback == Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa channel on Freenode. == Detailed Changelog since 4.2.3 == === Abhijeet Kasurde (2) === * Fixed small typo in stage-user documentation * Fixed login error message box in LoginScreen page === Alexander Bokovoy (1) === * slapi-nis: update configuration to allow external members of IPA groups === Christian Heimes (1) === * Require Dogtag 10.2.6-13 to fix KRA uninstall === David Kupka (5) === * ipa-cacert-renew: Fix connection to ldap. * ipa-otptoken-import: Fix connection to ldap. * test: Temporarily increase timeout in vault test. * installer: Propagate option values from components instead of copying them. * installer: Fix logic of reading option values from cache. 
=== Fraser Tweedale (5) === * TLS and Dogtag HTTPS request logging improvements * Avoid race condition caused by profile delete and recreate * Do not erroneously reinit NSS in Dogtag interface * Add profiles and default CA ACL on migration * Do not decode HTTP reason phrase from Dogtag === Gabe Alford (2) === * Incomplete ports for IPA AD Trust * Check if IPA is configured before attempting a winsync migration === Jan Cholasta (9) === * install: fix command line option validation * install: export KRA agent PEM file in ipa-kra-install * cert renewal: make renewal of ipaCert atomic * client install: do not corrupt OpenSSH config with Match sections * ipalib: assume version 2.0 when skip_version_check is enabled * cert renewal: import all external CA certs on IPA CA cert renewal * CA install: explicitly set dogtag_version to 10 * replica install: validate DS and HTTP server certificates * certdb: never use the -r option of certutil === Lenka Doudova (2) === * Adding descriptive IDs to stageuser tests * Tests: Fix tests for (stage)user plugin === Martin Babinsky (13) === * fix error reporting when installer option is supplied with invalid choice * suppress errors arising from adding existing LDAP entries during KRA install * update idrange tests to reflect disabled modification of local ID ranges * disconnect ldap2 backend after adding default CA ACL profiles * do not disconnect when using existing connection to check default CA ACLs * fix error message assertion in negative forced client reenrollment tests * prevent crash of CA-less server upgrade due to absent certmonger * use FFI call to rpmvercmp function for version comparison * fix standalone installation of externally signed CA on IPA master * always start certmonger during IPA server configuration upgrade * upgrade: unconditional import of certificate profiles into LDAP * CI tests: use old schema when testing hostmask-based sudo rules * use LDAPS during standalone CA/KRA subsystem deployment === Martin Bašti
(27) === * fix caching in get_ipa_config * upgrade: fix migration of old dns forward zones * Fix upgrade of forwardzones when zone is in realmdomains * ipa-getkeytab: do not return error when translations cannot be loaded * KRA: do not stop certmonger during standalone uninstall * ipa-kra-install: allow to install first KRA on replica * Modify error message to install first instance of KRA * Fix version comparison * DNS: fix file permissions * Explicitly call chmod on newly created directories * Fix: replace mkdir with chmod * FIX: ipa_kdb_principals: add missing break statement * Allow to used mixed case for sysrestore * Upgrade: Fix upgrade of NIS Server configuration * Tests: DNS replace 192.0.2.0/24 with 198.18.0.0/15 range * make lint: use config file and plugin for pylint * Disable new pylint checks * upgrade: fix config of sidgen and extdom plugins * trusts: use ipaNTTrustPartner attribute to detect trust entries * Warn user if trust is broken * fix upgrade: wait for proper DS socket after DS restart * Pylint: add missing attributes of errors to definitions * fix permission: Read Replication Agreements * Make PTR records check optional for IPA installation * Fix connections to DS during installation * pylint: supress false positive no-member errors * Fix broken trust warnings === Milan Kubik (1) === * Applied tier0 and tier1 marks on unit tests and xmlrpc tests === Milan Kubík (1) === * ipatests: Fix missed module import in ipaserver tests === Petr Voborník (3) === * advise: configure TLS in redhat_nss_pam_ldapd and redhat_nss_ldap plugins * cookie parser: do not fail on cookie with empty value * fix incorrect name of ipa-winsync-migrate command in help === Petr Špaček (12) === * Makefile: disable parallel build * DNSSEC: Improve error reporting from ipa-ods-exporter * DNSSEC: Make sure that current state in OpenDNSSEC matches key state in LDAP * DNSSEC: Make sure that current key state in LDAP matches key state in BIND * DNSSEC: remove obsolete TODO note *
DNSSEC: add debug mode to ldapkeydb.py * DNSSEC: logging improvements in ipa-ods-exporter * DNSSEC: remove keys purged by OpenDNSSEC from master HSM from LDAP * DNSSEC: ipa-dnskeysyncd: Skip zones with old DNSSEC metadata in LDAP * DNSSEC: ipa-ods-exporter: add ldap-cleanup command * DNSSEC: ipa-dnskeysyncd: call ods-signer ldap-cleanup on zone removal * DNSSEC: Log debug messages at log level DEBUG === Simo Sorce (2) === * Return default TL_DATA is krbExtraData is missing * Insure the admin_conn is disconnected on stop === Sumit Bose (4) === * ipasam: fix wrong usage of talloc_new() * ipasam: use more restrictive search filter for group lookup * ipasam: fix a use-after-free issue * ipa-kdb: map_groups() consider all results === Tomáš Babej (4) === * tests: Fix incorrect uninstall method invocation * tests: Add hostmask detection for sudo rules validating on hostmask * ipa-adtrust-install: Allow dash in the NETBIOS name * spec: Bump required sssd version to 1.13.3-5 -- Petr Vobornik From peljasz at yahoo.co.uk Mon Mar 21 16:30:16 2016 From: peljasz at yahoo.co.uk (lejeczek) Date: Mon, 21 Mar 2016 16:30:16 +0000 Subject: [Freeipa-users] can migrate-ds be safely re-run if it failed... In-Reply-To: <56E844B7.5050607@redhat.com> References: <56E6EDE1.6060103@yahoo.co.uk> <56E6EFA6.2050203@redhat.com> <56E7D4B8.80707@yahoo.co.uk> <56E8114F.9000304@redhat.com> <56E82DD2.4080501@yahoo.co.uk> <56E830D6.4030106@redhat.com> <56E83D3C.4070405@yahoo.co.uk> <56E844B7.5050607@redhat.com> Message-ID: <56F02198.7070608@yahoo.co.uk> On 15/03/16 17:21, Rob Crittenden wrote: > lejeczek wrote: >> On 15/03/16 15:57, Rob Crittenden wrote: >>> lejeczek wrote: >>>> On 15/03/16 13:42, Rob Crittenden wrote: >>>>> lejeczek wrote: >>>>>> On 14/03/16 17:06, Rob Crittenden wrote: >>>>>>> lejeczek wrote: >>>>>>>> with...
>>>>>>>> >>>>>>>> ipa: ERROR: group LDAP search did not return any >>>>>>>> result (search >>>>>>>> base: >>>>>>>> ou=groups,dc=ccnr,dc=biotechnology, objectclass: >>>>>>>> groupofuniquenames, >>>>>>>> groupofnames) >>>>>>>> >>>>>>>> I see users went in but later I realized that >>>>>>>> current samba's ou was >>>>>>>> "group" not groups. >>>>>>>> Can I just re-run migrations? >>>>>>> Yes. It will skip over anything that already exists >>>>>>> in IPA. >>>>>> thanks Rob, may I ask why process by defaults looks >>>>>> up only >>>>>> objectclass: >>>>>> groupofuniquenames, groupofnames? >>>>> It is conservative but this is why it can be overridden. >>>>> >>>>>> Is there a reason it skips ldap+samba typical >>>>>> posixGroup & >>>>>> sambaGroupMapping? >>>>> We haven't had many (any?) reports of migrating from >>>>> ldap+samba. >>>>> >>>>>> Lastly, is there a way to preserve account >>>>>> locked/disabled status for >>>>>> posix/samba? >>>>> I don't know how it is stored but as long as the >>>>> schema is available in >>>>> IPA then the values should be preserved on migration >>>>> unless the >>>>> attributes are associated with a blacklisted objectclass. >>>>> >>>>> rob >>>> I don't think it works, I guess it matters how ipa >>>> tools map these >>>> attributes, I'm particularly looking at: >>>> ipa user-show >>>> ... Account disabled: False >>>> sambaAcctFlags gets migrated over, but shadow locked >>>> users.... I wonder >>>> how this works. >>>> If I had posix !passwd in my ldap userdb then it's not >>>> reflected in IPA, >>>> unless "Account disabled" is for something else. >>> >>> IPA/389-ds uses nsAccountLock to lock accounts. >> and in my case it could not work for I had (anybody sane >> would too) >> hashed pass in ldap userdb, am I right? > > What won't work? Migrated user passwords will work just fine. > >> If one has hundreds of user s/he thinks, o! it'd be great >> to keep that >> account enabled/disabled status - would there be a way >> around it? 
> > IPA isn't designed to be an LDAP backend for Samba so > there isn't a lot of direct integration with the schema. > You could write a plugin to keep the two attributes in sync. how does one write a plugin? Where should I begin in terms of docs, howtos? thanks. L. > > For those already migrated it should be pretty easy to > write an LDAP search to find them and then for each user > call ipa user-disable > > rob > From harvero at gmail.com Mon Mar 21 17:47:44 2016 From: harvero at gmail.com (Bob) Date: Mon, 21 Mar 2016 13:47:44 -0400 Subject: [Freeipa-users] Tracking Login Times In-Reply-To: <56F011A6.4040801@redhat.com> References: <56F011A6.4040801@redhat.com> Message-ID: If each IPA server tracks time of last auth independently, then one ipa server might disable an inactive account. But that account might be active on another servers. In a fail over case where the server that that account normally uses is down, the user would not have a usable account. Is it possible to use the account policy plugin? Or is there a way to track time of last auth that is replicated. I need to have accounts that have been inactive for 90 days automatically disabled. On Mon, Mar 21, 2016 at 11:22 AM, Rob Crittenden wrote: > Bob wrote: > >> We currently have 18 master ODSEE servers that we use to provide >> authentication services to both Redhat, SuSE, and Solaris systems. We are >> looking to add IPA servers to >> environment. >> >> We have a requirement to track time of last authentication. With ODSEE, >> time of last authentication tracking is enabled with this: >> >> *dsconf set-server-prop pwd-keep-last-auth-time-enabled:on* >> >> >> Looking at the Redhat DS 9 documentation, I see an account policy plug-in: >> >> >> cn=Account Policy Plugin,cn=plugins,cn=config >> >> Looking thefreeipa.org pages on the server >> plugins, I do not see the account policy plugin listed. 
>> http://www.freeipa.org/page/Directory_Server >> >> Looking in the directory DT of a "VERSION: 4.2.0, API_VERSION: 2.156" >> installed on Redhat 7, I do see the account policy plugin in the config >> tree. >> >> >> Is the use of this account policy plugin supported with IPA? Should it >> work? >> > > IPA has its own password policy. You can get last successful > authentication via krbLastSuccessfulAuth > > Don't let the attribute name mislead you, it is updated on every > authentication. > > Also note that this is per-IPA master. It is not replicated. > > rob > > From rcritten at redhat.com Mon Mar 21 17:56:27 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 21 Mar 2016 13:56:27 -0400 Subject: [Freeipa-users] Tracking Login Times In-Reply-To: References: <56F011A6.4040801@redhat.com> Message-ID: <56F035CB.2090506@redhat.com> Bob wrote: > If each IPA server tracks time of last auth independently, then one ipa > server might disable an inactive account. But that account might be > active on another servers. In a fail over case where the server that > that account normally uses is down, the user would not have a usable > account. > > Is it possible to use the account policy plugin? Or is there a way to > track time of last auth that is replicated. I need to have accounts > that have been inactive for 90 days automatically disabled. You can't use the account policy plugin but it isn't aware of Kerberos so it would miss potentially a lot of authentications. You could modify replication agreements to not ignore this attribute but you potentially create a replication "storm", particularly early morning when everyone logs in at the same time. In any case IPA password policy doesn't currently handle inactivity. There is a ticket open: https://fedorahosted.org/freeipa/ticket/4975 (with a potential short-term workaround).
rob > > On Mon, Mar 21, 2016 at 11:22 AM, Rob Crittenden > wrote: > > Bob wrote: > > We currently have 18 master ODSEE servers that we use to provide > authentication services to both Redhat, SuSE, and Solaris > systems. We are looking to add IPA servers to > environment. > > We have a requirement to track time of last authentication. > With ODSEE, time of last authentication tracking is enabled with > this: > > *dsconf set-server-prop pwd-keep-last-auth-time-enabled:on* > > > Looking at the Redhat DS 9 documentation, I see an account > policy plug-in: > > > cn=Account Policy Plugin,cn=plugins,cn=config > > Looking thefreeipa.org > pages on the server plugins, I do not see > the account policy plugin listed. > http://www.freeipa.org/page/Directory_Server > > Looking in the directory DT of a "VERSION: 4.2.0, API_VERSION: > 2.156" installed on Redhat 7, I do see the account policy plugin > in the config tree. > > > Is the use of this account policy plugin supported with IPA? > Should it work? > > > IPA has its own password policy. You can get last successful > authentication via krbLastSuccessfulAuth > > Don't let the attribute name mislead you, it is updated on every > authentication. > > Also note that this is per-IPA master. It is not replicated. > > rob > > > > From foley at ru.is Mon Mar 21 18:27:52 2016 From: foley at ru.is (Joseph Timothy Foley) Date: Mon, 21 Mar 2016 18:27:52 +0000 Subject: [Freeipa-users] Renewing an externally signed HTTP/LDAP certificate Message-ID: Hi there. I setup an IPA4.2.0 on RHEL7 service for our CS department on ipa.cs.ru.is(temporarily down) and ipa2.cs.ru.is I used StartSSL to sign our certificate for HTTP and LDAP usage because I didn't want our users to deal with the internal CA nor could we get the CA certificate signed. Problem is, I can't find any information on how to get the new certificates installed on the running IPA server. They expire in 2 days, so I'm running out of time. Any help would be greatly appreciated. 
I can only find information on how to setup these certificates on a brand new IPA or replicant. There isn't any obvious information on how to put updated certificates into a running instance. Thanks in advance. Joe -- Dr. Joseph T. Foley Assistant Professor, Reykjavik University +354-599-6569 From foley at ru.is Mon Mar 21 19:27:06 2016 From: foley at ru.is (Joseph Timothy Foley) Date: Mon, 21 Mar 2016 19:27:06 +0000 Subject: [Freeipa-users] Renewing an externally signed HTTP/LDAP certificate In-Reply-To: Message-ID: I just discovered that the certificate on ipa2.cs.ru.is is good to August, so I have a little bit of breathing room. That said, the ipa.cs.ru.is certificate will expire on March 23, so I need to update it. -- Dr. Joseph T. Foley Assistant Professor, Reykjavik University +354-599-6569 On 3/21/16 6:27 PM, "Joseph Timothy Foley" wrote: >Hi there. >I setup an IPA4.2.0 on RHEL7 service for our CS department on >ipa.cs.ru.is(temporarily down) and ipa2.cs.ru.is >I used StartSSL to sign our certificate for HTTP and LDAP usage because I >didn't want our users to deal with the internal CA nor could we get the CA >certificate signed. Problem is, I can't find any information on how to >get the new certificates installed on the running IPA server. They expire >in 2 days, so I'm running out of time. Any help would be greatly >appreciated. > >I can only find information on how to setup these certificates on a brand >new IPA or replicant. There isn't any obvious information on how to put >updated certificates into a running instance. > >Thanks in advance. > >Joe >-- >Dr. Joseph T. 
Foley Assistant Professor, Reykjavik >University +354-599-6569 > > > > >-- >Manage your subscription for the Freeipa-users mailing list: >https://www.redhat.com/mailman/listinfo/freeipa-users >Go to http://freeipa.org for more info on the project From rcritten at redhat.com Mon Mar 21 19:47:21 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 21 Mar 2016 15:47:21 -0400 Subject: [Freeipa-users] Renewing an externally signed HTTP/LDAP certificate In-Reply-To: References: Message-ID: <56F04FC9.6@redhat.com> Joseph Timothy Foley wrote: > I just discovered that the certificate on ipa2.cs.ru.is is good to August, > so I have a little bit of breathing room. That said, the ipa.cs.ru.is > certificate will expire on March 23, so I need to update it. The process to get a new cert is pretty much the same as you obtained the original assuming you kept the original CSR. You'd re-submit that to StartSSL and they will provide a new certificate in PEM format. Add that to the relevant database via: # certutil -A -n "Server-Cert" -d /path/to/db -t u,u,u -a -i /path/to/cert.pem I can't give much more specific information without knowing if you are, for example, using the same cert/key for both 389-ds and Apache. rob > -- > Dr. Joseph T. Foley Assistant Professor, Reykjavik > University +354-599-6569 > > > > On 3/21/16 6:27 PM, "Joseph Timothy Foley" wrote: > >> Hi there. >> I setup an IPA4.2.0 on RHEL7 service for our CS department on >> ipa.cs.ru.is(temporarily down) and ipa2.cs.ru.is >> I used StartSSL to sign our certificate for HTTP and LDAP usage because I >> didn't want our users to deal with the internal CA nor could we get the CA >> certificate signed. Problem is, I can't find any information on how to >> get the new certificates installed on the running IPA server. They expire >> in 2 days, so I'm running out of time. Any help would be greatly >> appreciated. >> >> I can only find information on how to setup these certificates on a brand >> new IPA or replicant.
There isn't any obvious information on how to put >> updated certificates into a running instance. >> >> Thanks in advance. >> >> Joe >> -- >> Dr. Joseph T. Foley Assistant Professor, Reykjavik >> University +354-599-6569 >> >> >> >> > > From ftweedal at redhat.com Tue Mar 22 04:55:01 2016 From: ftweedal at redhat.com (Fraser Tweedale) Date: Tue, 22 Mar 2016 14:55:01 +1000 Subject: [Freeipa-users] Certificate profiles and CA ACLs for service principals In-Reply-To: <56535c6e3ec310a6639f4616b1a396f5@earsdown.com> References: <56535c6e3ec310a6639f4616b1a396f5@earsdown.com> Message-ID: <20160322045501.GU18277@dhcp-40-8.bne.redhat.com> On Fri, Mar 18, 2016 at 08:12:44PM +1100, earsdown wrote: > Hi all, > > Firstly, a big thank you to everyone who works on the FreeIPA project - you > guys are my heroes. > > Let's talk about the new Certificate Profile and CA ACL feature and some use > cases that should be possible but I'm struggling to implement. Hopefully I'm > just missing something obvious, and if not, perhaps someone here can suggest > a workaround. I'll do my best to keep this as brief and concise as possible, > and I'm grateful for any help given. > > Some background: > > Our environment is composed of AWS EC2 instances running CentOS 7 (7.2.1511 > + ipa-server-4.2.0-15, fully patched afaik). > Our instances acquire three certificates during creation, which is achieved > via user-data/cloud-init. The first certificate is linked to service > principal puppet/$HOSTNAME, the second is linked to HTTP/$HOSTNAME, and the > third is the default NSS-based certificate linked to the host principal (via > ipa-client-install --request-cert). > We want our long-lived EC2 instances to acquire certificates using the > standard caIPAserviceCert profile.
Examples would be database servers, > puppetmasters, etc. > We use EC2 spot instances via auto-scaling groups heavily - these are our > short-lived instances. For example, application servers, etc. > We want our short-lived instances to acquire certificates with a really > short validity (like 3 days). Read on to find out why. > > Our applications login to their respective postgresql databases using mutual > SSL auth (i.e. IPA CA issued certificates). Sadly, postgresql has to be > restarted every time the CRL is updated (see section 17.9.2 of postgresql > doc). If the CRL expires, postgres stops authenticating clients via SSL. > This means we're forced to either turn off CRL checking in postgres entirely > or have really long CRL validity times - we're going to go with the latter. > It also means application servers will need to be issued with short-lived > certificates (and must not have access to the caIPAserviceCert profile) > because we can't realistically restart our production database servers every > time an application server's certificate gets revoked. > > The use case: > > 1. Suppose we have a hostgroup called "database_servers" and a host called > "db01" that is a member. > 3. Modify the default CA ACL "hosts_services_caIPAserviceCert" to restrict > access to the "database_servers" hostgroup only (i.e. no services or users > allowed). > 4. Attempt to request a certificate (via ipa-getcert) from the "db01" server > (which is in the "database_servers" hostgroup). The request should be linked > (via -K) to a service principal like postgres/$HOSTNAME (service to be > created beforehand). > 5. This currently fails with CA_REJECTED ca-error: Server at > https://ipa.example.com/ipa/xml denied our request, giving up: 2100 (RPC > failed at server. Insufficient access: Principal > 'postgres/db01.example.com at EXAMPLE.COM' is not permitted to use CA '.' with > profile 'caIPAserviceCert' for certificate issuance.). > > Is this the intended behaviour? 
If so, is there any way to avoid having to > add each and every individual service principal directly to the CA ACL? > After all, we have hostgroups to avoid the mess of adding individual hosts, > right? Well... each host would have several service principals...and we > don't seem to have a way of grouping them. > > Thanks in advance, > > ~earsdown > Hi, This is expected behaviour. The CA ACLs control which profiles may be used with which subject principals, which in your use case is a service principal. Adding the host or hostgroup to the CA ACL does not apply to service principals, even though the hostname may be the same. For grouping services, FreeIPA currently does not have a "group" object for service principals. So at the moment, either every applicable service must be added to the ACL, or you can allow all services with the command: 'ipa caacl-mod --servicecat=all'. I hope that explains the situation clearly. Let me know your follow-up questions! To my fellow FreeIPA developers: are service groups a sensible RFE? Is there a reason why they have not been implemented? Cheers, Fraser From abokovoy at redhat.com Tue Mar 22 05:05:04 2016 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 22 Mar 2016 07:05:04 +0200 Subject: [Freeipa-users] Certificate profiles and CA ACLs for service principals In-Reply-To: <20160322045501.GU18277@dhcp-40-8.bne.redhat.com> References: <56535c6e3ec310a6639f4616b1a396f5@earsdown.com> <20160322045501.GU18277@dhcp-40-8.bne.redhat.com> Message-ID: <20160322050504.GE4492@redhat.com> On Tue, 22 Mar 2016, Fraser Tweedale wrote: >On Fri, Mar 18, 2016 at 08:12:44PM +1100, earsdown wrote: >> Hi all, >> >> Firstly, a big thank you to everyone who works on the FreeIPA project - you >> guys are my heroes. >> >> Let's talk about the new Certificate Profile and CA ACL feature and some use >> cases that should be possible but I'm struggling to implement. 
Hopefully I'm >> just missing something obvious, and if not, perhaps someone here can suggest >> a workaround. I'll do my best to keep this as brief and concise as possible, >> and I'm grateful for any help given. >> >> Some background: >> >> Our environment is composed of AWS EC2 instances running CentOS 7 (7.2.1511 >> + ipa-server-4.2.0-15, fully patched afaik). >> Our instances acquire three certificates during creation, which is achieved >> via user-data/cloud-init. The first certificate is linked to service >> principal puppet/$HOSTNAME, the second is linked to HTTP/$HOSTNAME, and the >> third is the default NSS-based certificate linked to the host principal (via >> ipa-client-install --request-cert). >> We want our long-lived EC2 instances to acquire certificates using the >> standard caIPAserviceCert profile. Examples would be database servers, >> puppetmasters, etc. >> We use EC2 spot instances via auto-scaling groups heavily - these are our >> short-lived instances. For example, application servers, etc. >> We want our short-lived instances to acquire certificates with a really >> short validity (like 3 days). Read on to find out why. >> >> Our applications login to their respective postgresql databases using mutual >> SSL auth (i.e. IPA CA issued certificates). Sadly, postgresql has to be >> restarted every time the CRL is updated (see section 17.9.2 of postgresql >> doc). If the CRL expires, postgres stops authenticating clients via SSL. >> This means we're forced to either turn off CRL checking in postgres entirely >> or have really long CRL validity times - we're going to go with the latter. >> It also means application servers will need to be issued with short-lived >> certificates (and must not have access to the caIPAserviceCert profile) >> because we can't realistically restart our production database servers every >> time an application server's certificate gets revoked. >> >> The use case: >> >> 1. 
Suppose we have a hostgroup called "database_servers" and a host called >> "db01" that is a member. >> 3. Modify the default CA ACL "hosts_services_caIPAserviceCert" to restrict >> access to the "database_servers" hostgroup only (i.e. no services or users >> allowed). >> 4. Attempt to request a certificate (via ipa-getcert) from the "db01" server >> (which is in the "database_servers" hostgroup). The request should be linked >> (via -K) to a service principal like postgres/$HOSTNAME (service to be >> created beforehand). >> 5. This currently fails with CA_REJECTED ca-error: Server at >> https://ipa.example.com/ipa/xml denied our request, giving up: 2100 (RPC >> failed at server. Insufficient access: Principal >> 'postgres/db01.example.com at EXAMPLE.COM' is not permitted to use CA '.' with >> profile 'caIPAserviceCert' for certificate issuance.). >> >> Is this the intended behaviour? If so, is there any way to avoid having to >> add each and every individual service principal directly to the CA ACL? >> After all, we have hostgroups to avoid the mess of adding individual hosts, >> right? Well... each host would have several service principals...and we >> don't seem to have a way of grouping them. >> >> Thanks in advance, >> >> ~earsdown >> >Hi, > >This is expected behaviour. The CA ACLs control which profiles may >be used with which subject principals, which in your use case is a >service principal. Adding the host or hostgroup to the CA ACL does >not apply to service principals, even though the hostname may be the >same. > >For grouping services, FreeIPA currently does not have a "group" >object for service principals. So at the moment, either every >applicable service must be added to the ACL, or you can allow all >services with the command: 'ipa caacl-mod --servicecat=all'. > >I hope that explains the situation clearly. Let me know your >follow-up questions! > >To my fellow FreeIPA developers: are service groups a sensible RFE? 
>Is there a reason why they have not been implemented? I don't think you need to group services this way. For managing services, and this means being able to issue certificates/keytabs for them, we have hosts. By default a host that a service belongs to is capable to modify userCertificate attribute of the service already, so I would expect it to be able to issue certificates with subject principal corresponding to the service. If CAACL would follow the same logic by allowing hosts that manage services to issue certificates with subject principals corresponding to these services, that should be enough because, after all, these host objects already have write permissions and can upload whatever certificates they like to the service objects. -- / Alexander Bokovoy From foley at ru.is Tue Mar 22 08:56:44 2016 From: foley at ru.is (Joseph Timothy Foley) Date: Tue, 22 Mar 2016 08:56:44 +0000 Subject: [Freeipa-users] Renewing an externally signed HTTP/LDAP certificate In-Reply-To: <56F04FC9.6@redhat.com> References: <56F04FC9.6@redhat.com> Message-ID: <1458637003.15613.5.camel@stress.hir.is> Hi Rob. To add to this mess, I seem to have somehow confused the LDAP certificate configuration in the process of setting up a replicant (ipa.cs.ru.is) with my new StartSSL (personal) certificate. The previous certificate was a corporate Level2 certificate. Trying to use the old certificate (which expires tomorrow) doesn't seem to put it back in working order. 
This is what I did to make the pkcs file:

cp ipa.cs.ru.is.crt ipa.cs.ru.is-bundle.crt
cat certs/ca-bundle.crt >> ipa.cs.ru.is-bundle.crt
(the ca-bundle is the root_bundle.crt they now send you in a zip file)

openssl pkcs12 -export -in ipa.cs.ru.is-bundle.crt -inkey private/ipa.cs.ru.is.key -out ipa.cs.ru.is.p12 -name ipa.cs.ru.is

ipa-replica-prepare --http-cert-file ipa.cs.ru.is.p12 --http-pin XXXXX --dirsrv-cert-file ipa.cs.ru.is.p12 --dirsrv-pin XXXXX ipa.cs.ru.is

Then copied it to ipa.cs.ru.is and ran
ipa-replica-install --mkhomedir replica-info-ipa.cs.ru.is.gpg

Everything looks fine until:
  [24/38]: setting up initial replication
Starting replication, please wait until this has completed.

[ipa2.cs.ru.is] reports: Update failed! Status: [-11 - LDAP error: Connect error]

  [error] RuntimeError: Failed to start replication
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR Failed to start replication

Looking at the setup log in /var/log/ipareplica-install.log:

2016-03-22T08:49:22Z DEBUG retrieving schema for SchemaCache url=ldap://ipa2.cs.ru.is:389 conn=
2016-03-22T08:49:23Z DEBUG Successfully updated nsDS5ReplicaId.
2016-03-22T08:49:23Z DEBUG flushing ldaps://ipa.cs.ru.is:636 from SchemaCache 2016-03-22T08:49:23Z DEBUG retrieving schema for SchemaCache url=ldaps://ipa.cs.ru.is:636 conn= 2016-03-22T08:49:24Z DEBUG Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation run_step(full_msg, method) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step method() File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 377, in __setup_replica r_bindpw=self.dm_password) File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 1014, in setup_replication raise RuntimeError("Failed to start replication") RuntimeError: Failed to start replication 2016-03-22T08:49:24Z DEBUG [error] RuntimeError: Failed to start replication 2016-03-22T08:49:24Z DEBUG Destroyed connection context.ldap2_102284432 2016-03-22T08:49:24Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute return_value = self.run() File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 311, in run cfgr.run() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 281, in run self.execute() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 303, in execute for nothing in self._executor(): File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, in __runner self._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception util.raise_exc_info(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, in __runner step() File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from raise_exc_info(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from value = 
gen.send(prev_value) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 524, in _configure executor.next() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, in __runner self._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in _handle_exception self.__parent._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception util.raise_exc_info(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 418, in _handle_exception super(ComponentBase, self)._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception util.raise_exc_info(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, in __runner step() File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from raise_exc_info(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install for nothing in self._installer(self.parent): File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 879, in main install(self) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 295, in decorated func(installer) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 566, in install ds = install_replica_ds(config) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 77, in install_replica_ds ca_file=config.dir + "/ca.crt", File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 364, in create_replica self.start_creation(runtime=60) File 
"/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation run_step(full_msg, method) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step method() File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 377, in __setup_replica r_bindpw=self.dm_password) File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 1014, in setup_replication raise RuntimeError("Failed to start replication") 2016-03-22T08:49:24Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: Failed to start replication 2016-03-22T08:49:24Z ERROR Failed to start replication On Mon, 2016-03-21 at 15:47 -0400, Rob Crittenden wrote: > Joseph Timothy Foley wrote: > > I just discovered that the certificate on ipa2.cs.ru.is is good to August, > > so I have a little bit of breathing room. That said, the ipa.cs.ru.is > > certificate will expire on March 23, so I need to update it. > > The process to get a new cert is pretty much the same as you obtained > the original assuming you kept the original CSR. You'd re-submit that to > StartSSL and they will provide a new certificate in PEM format. > > Add that to the relevant database via: > > # certutil -A -n "Server-Cert" -d /path/to/db -t u,u,u -a -i /path/to > cert.pem > > I can't give much more specific information without knowing if you are, > for example, using the came cert/key for both 389-ds and Apache. > > rob > > > -- > > Dr. Joseph T. Foley Assistant Professor, Reykjavik > > University +354-599-6569 > > > > > > > > On 3/21/16 6:27 PM, "Joseph Timothy Foley" wrote: > > > >> Hi there. > >> I setup an IPA4.2.0 on RHEL7 service for our CS department on > >> ipa.cs.ru.is(temporarily down) and ipa2.cs.ru.is > >> I used StartSSL to sign our certificate for HTTP and LDAP usage because I > >> didn't want our users to deal with the internal CA nor could we get the CA > >> certificate signed. 
Problem is, I can't find any information on how to
> >> get the new certificates installed on the running IPA server. They expire
> >> in 2 days, so I'm running out of time. Any help would be greatly
> >> appreciated.
> >>
> >> I can only find information on how to setup these certificates on a brand
> >> new IPA or replicant. There isn't any obvious information on how to put
> >> updated certificates into a running instance.
> >>
> >> Thanks in advance.
> >>
> >> Joe
> >> --
> >> Dr. Joseph T. Foley Assistant Professor, Reykjavik
> >> University +354-599-6569
> >>
> >>
> >>
> >>
> >> --
> >> Manage your subscription for the Freeipa-users mailing list:
> >> https://www.redhat.com/mailman/listinfo/freeipa-users
> >> Go to http://freeipa.org for more info on the project
> >
>
>

--
Dr. Joseph T. Foley
Assistant Professor, Dept. of Science & Engineering, Reykjavik University
Menntavegur 1, Nauthólsvík | 101 Reykjavík | Iceland | Phone: +354-599-6569 | Fax +354-599-6201 | www.ru.is

From mkosek at redhat.com Tue Mar 22 08:59:58 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 22 Mar 2016 09:59:58 +0100
Subject: [Freeipa-users] Certificate profiles and CA ACLs for service principals
In-Reply-To: <20160322045501.GU18277@dhcp-40-8.bne.redhat.com>
References: <56535c6e3ec310a6639f4616b1a396f5@earsdown.com> <20160322045501.GU18277@dhcp-40-8.bne.redhat.com>
Message-ID: <56F1098E.2070403@redhat.com>

On 03/22/2016 05:55 AM, Fraser Tweedale wrote:
> On Fri, Mar 18, 2016 at 08:12:44PM +1100, earsdown wrote:
...
> To my fellow FreeIPA developers: are service groups a sensible RFE?
> Is there a reason why they have not been implemented?

It *is* sensible RFE and it was actually already filed!

https://fedorahosted.org/freeipa/ticket/5277

Please feel free to add yourself to CC to receive updates or even help us with
implementation.
Thanks,
Martin

From th at casalogic.dk Tue Mar 22 08:59:05 2016
From: th at casalogic.dk (Troels Hansen)
Date: Tue, 22 Mar 2016 09:59:05 +0100 (CET)
Subject: [Freeipa-users] Error in IPA webinterface then DNS name contains \032 ()
Message-ID: <586012520.2164439.1458637145609.JavaMail.zimbra@casalogic.dk>

I have noticed a bug in the IPA webinterface, under DNS Zones -> and clicking
on a zone that contains a DNS record containing space (\032)

Currently, I get: "LIFX\032Bulb: DNS resource record not found"

However, after clicking OK, it displays the rest of the records.

It's in no way a pretty DNS record, but still working.
The reason for it being there is that I have enabled ddns updates from our DHCP
server, and it works without any problems, except this crappy WIFI light bulb.

The DNS record is in the IPA database:

Record name: LIFX\032Bulb
A record: 192.168.20.252
TXT record: "009143ca16c9890339c7ec33825e0da5ce"

I can dig it:
# dig "LIFX Bulb.casalogic.lan" A
..........
;; ANSWER SECTION:
LIFX\032Bulb.casalogic.lan. 1800 IN A 192.168.20.252

However, something goes wrong in the web interface.

I'm running IPA 4.2.0

--

Kind regards

Troels Hansen

System consultant

Casalogic A/S

T (+45) 70 20 10 63
M (+45) 22 43 71 57

Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and much more.
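Added example (not part of the original message and not FreeIPA code): in the record name above, `\032` is the RFC 1035 presentation-format escape for the decimal octet 32, a space, so the name typed to dig with a literal space and the `LIFX\032Bulb.casalogic.lan.` in the answer are the same wire name. The sketch decodes and re-encodes such names and uses Python's `shlex` as a stand-in for POSIX shell word splitting to show what a program receives when the backslash is left unquoted; the function names, the set of characters escaped on output, and the two constructed command lines are assumptions of the example.

```python
"""Added example: DNS presentation-format escapes (RFC 1035, section 5.1)."""
import shlex

DIGITS = "0123456789"
# Characters escaped with a backslash on output. This set is an assumption of
# the example (a common master-file convention), not taken from the thread.
SPECIAL = b'"().;\\@$'


def name_to_labels(name):
    """Split a presentation-format name into raw wire labels (bytes)."""
    if name == ".":
        return []
    labels, current, i = [], bytearray(), 0
    while i < len(name):
        ch = name[i]
        if ch == ".":                       # an unescaped dot ends the label
            if not current:
                raise ValueError("empty label in %r" % name)
            labels.append(bytes(current))
            current = bytearray()
            i += 1
        elif ch == "\\":
            ddd = name[i + 1:i + 4]
            if len(ddd) == 3 and all(c in DIGITS for c in ddd):
                value = int(ddd)            # three DECIMAL digits, not octal
                if value > 255:
                    raise ValueError("escape \\%s is not an octet" % ddd)
                current.append(value)
                i += 4
            elif i + 1 < len(name) and name[i + 1] not in DIGITS:
                current += name[i + 1].encode("ascii")   # "\X" is literal X
                i += 2
            else:
                raise ValueError("malformed escape in %r" % name)
        else:
            current += ch.encode("ascii")   # a literal space is a valid octet
            i += 1
    if current:
        labels.append(bytes(current))
    for label in labels:
        if len(label) > 63:
            raise ValueError("label longer than 63 octets")
    return labels


def labels_to_name(labels):
    """Render raw labels as an absolute presentation-format name."""
    out = []
    for label in labels:
        text = ""
        for octet in label:
            if octet in SPECIAL:
                text += "\\" + chr(octet)
            elif 0x21 <= octet <= 0x7E:
                text += chr(octet)
            else:                           # space, control and 8-bit octets
                text += "\\%03d" % octet
        out.append(text)
    return ".".join(out) + "."


def argv_after_shell(command_line):
    """Words a program receives, with shlex standing in for POSIX sh parsing."""
    return shlex.split(command_line, posix=True)


if __name__ == "__main__":
    commands = (
        r'dig "LIFX Bulb.casalogic.lan" A',      # as typed in the message above
        r"dig 'LIFX\032Bulb.casalogic.lan' A",   # constructed: escape kept by quotes
        r"dig LIFX\032Bulb.casalogic.lan A",     # constructed: backslash unquoted
    )
    for cmd in commands:
        qname = argv_after_shell(cmd)[1]
        wire = name_to_labels(qname)
        print("%-40s argv=%r first label=%r" % (cmd, qname, wire[0]))
```

The first two command lines reach the program as names whose first label is the nine octets `LIFX Bulb`; the third loses its backslash in the shell and names a different record, `LIFX032Bulb`.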
From pvoborni at redhat.com Tue Mar 22 09:42:33 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Tue, 22 Mar 2016 10:42:33 +0100
Subject: [Freeipa-users] Error in IPA webinterface then DNS name contains \032 ()
In-Reply-To: <586012520.2164439.1458637145609.JavaMail.zimbra@casalogic.dk>
References: <586012520.2164439.1458637145609.JavaMail.zimbra@casalogic.dk>
Message-ID: <56F11389.3060004@redhat.com>

On 03/22/2016 09:59 AM, Troels Hansen wrote:
> I have noticed a bug in the IPA webinterface, under DNS Zones -> and clicking
> on a zone that contains a DNS record containing space (\032)
>
> Currently, I get: "LIFX\032Bulb: DNS resource record not found"
>
> However, after clicking OK, it displays the rest of the records.
>
> It's in no way a pretty DNS record, but still working.
> The reason for it being there is that I have enabled ddns updates from our DHCP
> server, and it works without any problems, except this crappy WIFI light bulb.
>
> The DNS record is in the IPA database:
>
> Record name: LIFX\032Bulb
> A record: 192.168.20.252
> TXT record: "009143ca16c9890339c7ec33825e0da5ce"
>
> I can dig it:
> # dig "LIFX Bulb.casalogic.lan" A
> ..........
> ;; ANSWER SECTION:
> LIFX\032Bulb.casalogic.lan. 1800 IN A 192.168.20.252
>
> However, something goes wrong in the web interface.
>
> I'm running IPA 4.2.0
>
> --
>
> Kind regards
>
> *Troels Hansen*

Tried it to reproduce on 4.3 development branch. It works for me in Web UI.

But I get the error in CLI:

$ ipa dnsrecord-find my.zone.test.
... other records ...
Record name: LIFX\032Bulb
A record: 10.34.58.132
TXT record: 009143ca16c9890339c7ec33825e0da5ce

$ ipa dnsrecord-show my.zone.test. LIFX\032Bulb
ipa: ERROR: LIFX032Bulb: DNS resource record not found

$ ipa dnsrecord-show my.zone.test. "LIFX Bulb"
Record name: LIFX\032Bulb
A record: 10.34.58.132
TXT record: 009143ca16c9890339c7ec33825e0da5ce

web ui uses API command:
{"method":"dnsrecord_show","params":[["my.zone.test.","LIFX\\032Bulb"],{"all":true,"rights":true,"structured":true,"version":"2.163"}]}

Could you check what is yours?
1. open developer tool in browser (usually F12)
2. Network tab
3. Refresh the page, look at new request to ipa/session/json
4. examine "Request Payload"
some old example in FF:
https://pvoborni.fedorapeople.org/images/devtools.png

I would say that there weren't any changes in 4.2 -> 4.3 in this area.
So not sure why the behavior in your case is opposite.

Anyway it suggests minor encoding issue.
--
Petr Vobornik

From ftweedal at redhat.com Tue Mar 22 09:50:11 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Tue, 22 Mar 2016 19:50:11 +1000
Subject: [Freeipa-users] Certificate profiles and CA ACLs for service principals
In-Reply-To: <56F1098E.2070403@redhat.com>
References: <56535c6e3ec310a6639f4616b1a396f5@earsdown.com> <20160322045501.GU18277@dhcp-40-8.bne.redhat.com> <56F1098E.2070403@redhat.com>
Message-ID: <20160322095011.GY18277@dhcp-40-8.bne.redhat.com>

On Tue, Mar 22, 2016 at 09:59:58AM +0100, Martin Kosek wrote:
> On 03/22/2016 05:55 AM, Fraser Tweedale wrote:
> > On Fri, Mar 18, 2016 at 08:12:44PM +1100, earsdown wrote:
> ...
> > To my fellow FreeIPA developers: are service groups a sensible RFE?
> > Is there a reason why they have not been implemented?
>
> It *is* sensible RFE and it was actually already filed!
>
> https://fedorahosted.org/freeipa/ticket/5277
>
> Please feel free to add yourself to CC to receive updates or even help us with
> implementation.
>
> Thanks,
> Martin
>
Good to know...
I've added myself to Cc and also filed an RFE for enhancing CA ACLs with service groups once #5277 is implemented: https://fedorahosted.org/freeipa/ticket/5753 Cheers, Fraser From th at casalogic.dk Tue Mar 22 10:21:34 2016 From: th at casalogic.dk (Troels Hansen) Date: Tue, 22 Mar 2016 11:21:34 +0100 (CET) Subject: [Freeipa-users] Error in IPA webinterface then DNS name contains \032 () In-Reply-To: <56F11389.3060004@redhat.com> References: <586012520.2164439.1458637145609.JavaMail.zimbra@casalogic.dk> <56F11389.3060004@redhat.com> Message-ID: <1635679211.2165881.1458642094395.JavaMail.zimbra@casalogic.dk> > > web ui uses API command: > {"method":"dnsrecord_show","params":[["my.zone.test.","LIFX\\032Bulb"],{"all":true,"rights":true,"structured":true,"version":"2.163"}]} > > Could you check what is yours? > 1. open developer tool in browser (usually F12) > 2. Network tab > 3. Refresh the page, look at new request to ipa/session/json > 4. examine "Request Payload" > some old example in FF: > https://pvoborni.fedorapeople.org/images/devtools.png Mine seems to show the exact same thing: {"method":"dnsrecord_show","params":[["casalogic.lan.","LIFX\\032Bulb"],{"all":true}]} My version reports {"version":"2.156"}]} Tried FF and Chrome, but same result in both. However: # ipa dnsrecord-show casalogic.lan. LIFX\032Bulb ipa: ERROR: LIFX032Bulb: DNS resource record not found # ipa dnsrecord-show casalogic.lan. "LIFX Bulb" ipa: ERROR: LIFX\032Bulb: DNS resource record not found But: # ipa dnsrecord-find casalogic.lan ...... Record name: LIFX\032Bulb A record: 192.168.20.252 TXT record: "009143ca16c9890339c7ec33825e0da5ce" ..... # ipa --version VERSION: 4.2.0, API_VERSION: 2.156 > I would say that there weren't any changes in 4.2 -> 4.3 it this area. > So not sure why the behavior in your case is opposite. > > Anyway it suggests minor encoding issue. 
> -- > Petr Vobornik -- Med venlig hilsen Troels Hansen Systemkonsulent Casalogic A/S T (+45) 70 20 10 63 M (+45) 22 43 71 57 Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos og meget mere. From pspacek at redhat.com Tue Mar 22 11:34:56 2016 From: pspacek at redhat.com (Petr Spacek) Date: Tue, 22 Mar 2016 12:34:56 +0100 Subject: [Freeipa-users] Error in IPA webinterface then DNS name contains \032 () In-Reply-To: <1635679211.2165881.1458642094395.JavaMail.zimbra@casalogic.dk> References: <586012520.2164439.1458637145609.JavaMail.zimbra@casalogic.dk> <56F11389.3060004@redhat.com> <1635679211.2165881.1458642094395.JavaMail.zimbra@casalogic.dk> Message-ID: <56F12DE0.3060506@redhat.com> On 22.3.2016 11:21, Troels Hansen wrote: >> >> web ui uses API command: >> {"method":"dnsrecord_show","params":[["my.zone.test.","LIFX\\032Bulb"],{"all":true,"rights":true,"structured":true,"version":"2.163"}]} >> >> Could you check what is yours? >> 1. open developer tool in browser (usually F12) >> 2. Network tab >> 3. Refresh the page, look at new request to ipa/session/json >> 4. examine "Request Payload" >> some old example in FF: >> https://pvoborni.fedorapeople.org/images/devtools.png > > > Mine seems to show the exact same thing: > > > {"method":"dnsrecord_show","params":[["casalogic.lan.","LIFX\\032Bulb"],{"all":true}]} > > > My version reports {"version":"2.156"}]} > > Tried FF and Chrome, but same result in both. > > However: > > # ipa dnsrecord-show casalogic.lan. LIFX\032Bulb > ipa: ERROR: LIFX032Bulb: DNS resource record not found > # ipa dnsrecord-show casalogic.lan. "LIFX Bulb" > ipa: ERROR: LIFX\032Bulb: DNS resource record not found Have you tried # ipa dnsrecord-show casalogic.lan. 'LIFX\032Bulb' ? I suspect that Bash is playing escaping game with you. Petr^2 Spacek > > But: > # ipa dnsrecord-find casalogic.lan > ...... > Record name: LIFX\032Bulb > A record: 192.168.20.252 > TXT record: "009143ca16c9890339c7ec33825e0da5ce" > ..... 
> > # ipa --version > VERSION: 4.2.0, API_VERSION: 2.156 > > > >> I would say that there weren't any changes in 4.2 -> 4.3 it this area. >> So not sure why the behavior in your case is opposite. >> >> Anyway it suggests minor encoding issue. >> -- >> Petr Vobornik > -- Petr^2 Spacek From th at casalogic.dk Tue Mar 22 12:04:55 2016 From: th at casalogic.dk (Troels Hansen) Date: Tue, 22 Mar 2016 13:04:55 +0100 (CET) Subject: [Freeipa-users] Error in IPA webinterface then DNS name contains \032 () In-Reply-To: <56F12DE0.3060506@redhat.com> References: <586012520.2164439.1458637145609.JavaMail.zimbra@casalogic.dk> <56F11389.3060004@redhat.com> <1635679211.2165881.1458642094395.JavaMail.zimbra@casalogic.dk> <56F12DE0.3060506@redhat.com> Message-ID: <1051863791.2167803.1458648295595.JavaMail.zimbra@casalogic.dk> ----- On Mar 22, 2016, at 12:34 PM, Petr Spacek pspacek at redhat.com wrote: > > Have you tried > # ipa dnsrecord-show casalogic.lan. 'LIFX\032Bulb' > ? > > I suspect that Bash is playing escaping game with you. > Same result...... ipa dnsrecord-show casalogic.lan. 'LIFX\032Bulb' ipa: ERROR: LIFX\032Bulb: DNS resource record not found From sbose at redhat.com Tue Mar 22 12:25:15 2016 From: sbose at redhat.com (Sumit Bose) Date: Tue, 22 Mar 2016 13:25:15 +0100 Subject: [Freeipa-users] Lock screen when Smart Card is removed. In-Reply-To: References: <_1ZpdFsXKWmdSYRSYk8Xc0Aor5jcUaVJofpJ1Wy9L8SxyPeFTZrMhA@cipher.nrlssc.navy.mil> <20160311083222.GF3059@p.redhat.com> Message-ID: <20160322122515.GA8004@p.redhat.com> On Fri, Mar 18, 2016 at 10:53:08AM -0500, Michael Rainey (Contractor) wrote: > Hi Sumit, > > It has been a week and I am following up with you on the lock screen issue. > Have you had any progress? If so, I am hoping implementing the fix will be > quick and easy. Thank you for your patience. Please find a test build for RHEL/CentOS 7.2 at https://koji.fedoraproject.org/koji/taskinfo?taskID=13412048 . 
Besides the updated version of SSSD you should replace
/etc/pam.d/smartcard-auth with

======== /etc/pam.d/smartcard-auth =========
auth        required      pam_env.so
auth        sufficient    pam_sss.so allow_missing_name
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
===========================================

and /etc/dconf/db/distro.d/10-authconfig

===== /etc/dconf/db/distro.d/10-authconfig =====
[org/gnome/login-screen]
enable-fingerprint-authentication=false

[org/gnome/settings-daemon/peripherals/smartcard]
removal-action='lock-screen'
===============================================

and /etc/dconf/db/distro.d/locks/10-authconfig-locks

====== /etc/dconf/db/distro.d/locks/10-authconfig-locks ===
/org/gnome/login-screen/enable-fingerprint-authentication
/org/gnome/settings-daemon/peripherals/smartcard
===========================================================

and call 'dconf update' to get the new setting loaded. Finally it might
be a good idea to restart gdm to make sure the new setting and PAM
configuration is really active although I would expect that gdm is able
to pick up the changes at run-time.

Any feedback, good or bad, is welcome.

bye,
Sumit

>
> Thanks,
>
> *Michael Rainey*
>
> On 03/11/2016 02:32 AM, Sumit Bose wrote:
> >On Thu, Mar 10, 2016 at 01:36:15PM -0600, Michael Rainey (Contractor) wrote:
> >>Greetings,
> >>
> >>I have been adding systems to my new domain and utilizing the smart card
> >>login feature. To date the smart card login feature is working very well.
> >>However, my group has been trying to implement locking the screen when the > >>smart card is removed, but have not been successful at making it work. Does > >>anyone have any suggestions as to what it would take to enable locking the > >>screen when the smart card is removed. > >This requires a better integration with gdm which is currently WIP > >(https://fedorahosted.org/sssd/ticket/2941). If you don't mind please > >ping me in about a week about this again, then I might have done some > >more testing. > > > >bye, > >Sumit > > > >>Thank you in advance. > >>-- > >>*Michael Rainey* > >>-- > >>Manage your subscription for the Freeipa-users mailing list: > >>https://www.redhat.com/mailman/listinfo/freeipa-users > >>Go to http://freeipa.org for more info on the project > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project From a.fedora at earsdown.com Tue Mar 22 11:57:37 2016 From: a.fedora at earsdown.com (earsdown) Date: Tue, 22 Mar 2016 22:57:37 +1100 Subject: [Freeipa-users] Certificate profiles and CA ACLs for service principals In-Reply-To: <20160322095011.GY18277@dhcp-40-8.bne.redhat.com> References: <56535c6e3ec310a6639f4616b1a396f5@earsdown.com> <20160322045501.GU18277@dhcp-40-8.bne.redhat.com> <56F1098E.2070403@redhat.com> <20160322095011.GY18277@dhcp-40-8.bne.redhat.com> Message-ID: Hi Fraser, Martin and Alexander, Thanks for looking into this! For what it's worth, I think for this particular use case, I'm leaning more towards Alexander when he said: > I don't think you need to group services this way. For managing > services, and this means being able to issue certificates/keytabs for > them, we have hosts. 
By default a host that a service belongs to is > capable to modify userCertificate attribute of the service already, so > I > would expect it to be able to issue certificates with subject principal > corresponding to the service. > If CAACL would follow the same logic by allowing hosts that manage > services to issue certificates with subject principals corresponding to > these services, that should be enough because, after all, these host > objects already have write permissions and can upload whatever > certificates they like to the service objects. > -- > / Alexander Bokovoy Personally, I was very surprised when I discovered that, even though a host principal may manage a service principal, it is currently unable to request a certificate for that service principal if the service principal doesn't have specific access to the certificate profile, even though the host principal may have access to the same certificate profile. In my mind the CA ACL should be evaluated against the identity of the requestor, not the issuee. As long as the requestor is allowed to request on behalf of the issuee (achieved via the managedby attribute), then it should work. Now, if I used the credentials of the service principal directly (say, with a service keytab) to make the request (supposing the service principal wasn't listed in the CA ACL), then denying the request would be the expected behaviour (imo of course). Okay, so even though Alexander's suggestion might be more intuitive, implementing service groups might be more feasible from a technical standpoint, and I'm fairly sure this use case would also be solved by implementing service groups. But, it would be painful without automember regexp rules, so please don't forget this :D Cheers! On 2016-03-22 20:50, Fraser Tweedale wrote: > On Tue, Mar 22, 2016 at 09:59:58AM +0100, Martin Kosek wrote: >> On 03/22/2016 05:55 AM, Fraser Tweedale wrote: >> > On Fri, Mar 18, 2016 at 08:12:44PM +1100, earsdown wrote: >> ... 
>> > To my fellow FreeIPA developers: are service groups a sensible RFE? >> > Is there a reason why they have not been implemented? >> >> It *is* sensible RFE and it was actually already filed! >> >> https://fedorahosted.org/freeipa/ticket/5277 >> >> Please feel free to add yourself to CC to receive updates or even help >> us with >> implementation. >> >> Thanks, >> Martin >> > Good to know... I've added myself to Cc and also filed an RFE for > enhancing CA ACLs with service groups once #5277 is implemented: > https://fedorahosted.org/freeipa/ticket/5753 > > Cheers, > Fraser From rcritten at redhat.com Tue Mar 22 13:44:55 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 22 Mar 2016 09:44:55 -0400 Subject: [Freeipa-users] Renewing an externally signed HTTP/LDAP certificate In-Reply-To: <1458637003.15613.5.camel@stress.hir.is> References: <56F04FC9.6@redhat.com> <1458637003.15613.5.camel@stress.hir.is> Message-ID: <56F14C57.8020607@redhat.com> Joseph Timothy Foley wrote: > Hi Rob. > > To add to this mess, I seem to have somehow confused the LDAP > certificate configuration in the process of setting up a replicant > (ipa.cs.ru.is) with my new StartSSL (personal) certificate. The > previous certificate was a corporate Level2 certificate. Trying to use > the old certificate (which expires tomorrow) doesn't seem to put it back > in working order. I thought you just needed to update the certificate. Why are you creating a new replica? My own StartSSL Server cert expires in a month and I just renewed it this morning. They have a new subordinate CA, that might be part of the problem (both sides need to trust it). I'd look in the access log of the remote 389-ds server to see what error it threw (and the local one too I suppose). But really, you should be able to replace the certs using certutil, not re-install the whole thing. 
rob > This is what I did to make the pkcs file: > > cp ipa.cs.ru.is.crt ipa.cs.ru.is-bundle.crt > cat certs/ca-bundle.crt >> ipa.cs.ru.is-bundle.crt (the ca-bundle is > the root_bundle.crt they now send you in a zip file) > > openssl pkcs12 -export -in ipa.cs.ru.is-bundle.crt -inkey > private/ipa.cs.ru.is.key -out ipa.cs.ru.is.p12 -name ipa.cs.ru.is > > ipa-replica-prepare --http-cert-file ipa.cs.ru.is.p12 --http-pin XXXXX > --dirsrv-cert-file ipa.cs.ru.is.p12 --dirsrv-pin XXXXX ipa.cs.ru.is > > Then copied it to ipa.cs.ru.is and ran > ipa-replica-install --mkhomedir replica-info-ipa.cs.ru.is.gpg > > Everything looks fine until: > [24/38]: setting up initial replication > Starting replication, please wait until this has completed. > > [ipa2.cs.ru.is] reports: Update failed! Status: [-11 - LDAP error: > Connect error] > > [error] RuntimeError: Failed to start replication > Your system may be partly configured. > Run /usr/sbin/ipa-server-install --uninstall to clean up. > > ipa.ipapython.install.cli.install_tool(Replica): ERROR Failed to > start replication > > > Looking at the setup log in /var/log/ipareplica-install.log: > > 2016-03-22T08:49:22Z DEBUG retrieving schema for SchemaCache > url=ldap://ipa2.cs.ru.is:389 conn= instan\ > ce at 0x8cfc908> > 2016-03-22T08:49:23Z DEBUG Successfully updated nsDS5ReplicaId. 
> 2016-03-22T08:49:23Z DEBUG flushing ldaps://ipa.cs.ru.is:636 from > SchemaCache > 2016-03-22T08:49:23Z DEBUG retrieving schema for SchemaCache > url=ldaps://ipa.cs.ru.is:636 conn= instan\ > ce at 0x8a01830> > 2016-03-22T08:49:24Z DEBUG Traceback (most recent call last): > File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", > line 418, in start_creation > run_step(full_msg, method) > File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", > line 408, in run_step > method() > File > "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line > 377, in __setup_replica > r_bindpw=self.dm_password) > File > "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", > line 1014, in setup_replication > raise RuntimeError("Failed to start replication") > RuntimeError: Failed to start replication > > 2016-03-22T08:49:24Z DEBUG [error] RuntimeError: Failed to start > replication > 2016-03-22T08:49:24Z DEBUG Destroyed connection context.ldap2_102284432 > 2016-03-22T08:49:24Z DEBUG File > "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in > execute > return_value = self.run() > File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line > 311, in run > cfgr.run() > File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", > line 281, in run > self.execute() > File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", > line 303, in execute > for nothing in self._executor(): > File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", > line 343, in __runner > self._handle_exception(exc_info) > File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", > line 365, in _handle_exception > util.raise_exc_info(exc_info) > File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", > line 333, in __runner > step() > File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", > line 87, in run_generator_with_yield_from > raise_exc_info(exc_info) > 
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", > line 65, in run_generator_with_yield_from > value = gen.send(prev_value) > File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", > line 524, in _configure > executor.next() > File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", > line 343, in __runner > self._handle_exception(exc_info) > File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", > line 421, in _handle_exception > self.__parent._handle_exception(exc_info) > File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", > line 365, in _handle_exception > util.raise_exc_info(exc_info) > File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", > line 418, in _handle_exception > super(ComponentBase, self)._handle_exception(exc_info) > File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", > line 365, in _handle_exception > util.raise_exc_info(exc_info) > File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", > line 333, in __runner > step() > File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", > line 87, in run_generator_with_yield_from > raise_exc_info(exc_info) > File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", > line 65, in run_generator_with_yield_from > value = gen.send(prev_value) > File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", > line 63, in _install > for nothing in self._installer(self.parent): > File > "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 879, in main > install(self) > File > "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 295, in decorated > func(installer) > File > "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 566, in install > ds = install_replica_ds(config) > > File > "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 77, in install_replica_ds > 
ca_file=config.dir + "/ca.crt", > File > "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line > 364, in create_replica > self.start_creation(runtime=60) > File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", > line 418, in start_creation > run_step(full_msg, method) > File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", > line 408, in run_step > method() > File > "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line > 377, in __setup_replica > r_bindpw=self.dm_password) > File > "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", > line 1014, in setup_replication > raise RuntimeError("Failed to start replication") > > 2016-03-22T08:49:24Z DEBUG The ipa-replica-install command failed, > exception: RuntimeError: Failed to start replication > 2016-03-22T08:49:24Z ERROR Failed to start replication > > On Mon, 2016-03-21 at 15:47 -0400, Rob Crittenden wrote: >> Joseph Timothy Foley wrote: >>> I just discovered that the certificate on ipa2.cs.ru.is is good to August, >>> so I have a little bit of breathing room. That said, the ipa.cs.ru.is >>> certificate will expire on March 23, so I need to update it. >> >> The process to get a new cert is pretty much the same as you obtained >> the original assuming you kept the original CSR. You'd re-submit that to >> StartSSL and they will provide a new certificate in PEM format. >> >> Add that to the relevant database via: >> >> # certutil -A -n "Server-Cert" -d /path/to/db -t u,u,u -a -i /path/to >> cert.pem >> >> I can't give much more specific information without knowing if you are, >> for example, using the same cert/key for both 389-ds and Apache. >> >> rob >> >>> -- >>> Dr. Joseph T. Foley Assistant Professor, Reykjavik >>> University +354-599-6569 >>> >>> >>> >>> On 3/21/16 6:27 PM, "Joseph Timothy Foley" wrote: >>> >>>> Hi there.
>>>> I setup an IPA4.2.0 on RHEL7 service for our CS department on >>>> ipa.cs.ru.is(temporarily down) and ipa2.cs.ru.is >>>> I used StartSSL to sign our certificate for HTTP and LDAP usage because I >>>> didn't want our users to deal with the internal CA nor could we get the CA >>>> certificate signed. Problem is, I can't find any information on how to >>>> get the new certificates installed on the running IPA server. They expire >>>> in 2 days, so I'm running out of time. Any help would be greatly >>>> appreciated. >>>> >>>> I can only find information on how to setup these certificates on a brand >>>> new IPA or replicant. There isn't any obvious information on how to put >>>> updated certificates into a running instance. >>>> >>>> Thanks in advance. >>>> >>>> Joe >>>> -- >>>> Dr. Joseph T. Foley Assistant Professor, Reykjavik >>>> University +354-599-6569 >>>> >>>> >>>> >>>> >>>> -- >>>> Manage your subscription for the Freeipa-users mailing list: >>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>> Go to http://freeipa.org for more info on the project >>> >>> >> >

From brad.bendy at gmail.com Tue Mar 22 17:06:56 2016 From: brad.bendy at gmail.com (Brad Bendy) Date: Tue, 22 Mar 2016 10:06:56 -0700 Subject: [Freeipa-users] sudo with OTP In-Reply-To: References: <20160314144954.GY3059@p.redhat.com> Message-ID:

I'm having some issues applying these patches with dependencies. But on a side note, this needs to be applied to the client machines as well as the IPA server itself, correct?

Thanks

On Mon, Mar 14, 2016 at 8:54 AM, Brad Bendy wrote: > I see that now, thanks for the link. I'll give those patches a whirl. > > On Mon, Mar 14, 2016 at 7:49 AM, Sumit Bose wrote: >> On Mon, Mar 14, 2016 at 07:28:01AM -0700, Brad Bendy wrote: >>> Hi, >>> >>> I have OTP setup and working just fine for logging into any servers, >>> when attempting to run any command with sudo I get a "First factor:" >>> prompt, I have entered my normal password but it fails.
This only >>> happens when OTP is on, with OTP off sudo works like you would think. >> >> This is a known issue, please see >> https://bugzilla.redhat.com/show_bug.cgi?id=1276868 for details. In case >> you use CentOS/RHEL7 you can find a test build at >> http://koji.fedoraproject.org/koji/taskinfo?taskID=13343842 . >> >> bye, >> Sumit >>> >>> The logs on the machine I'm trying to sudo show: >>> >>> Mar 14 08:23:13 ipatest audit: USER_AUTH pid=12495 uid=1818600003 >>> auid=1818600003 ses=8 >>> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 >>> msg='op=PAM:authentication grantors=? acct="myusername" >>> exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=failed' >>> >>> Mar 14 08:23:13 ipatest audit: USER_CMD pid=12495 uid=1818600003 >>> auid=1818600003 ses=8 >>> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 >>> msg='cwd="/" cmd="su" terminal=pts/0 res=failed' >>> >>> Which is not being much help at all, on the IPA server itself I'm >>> seeing nothing in the log when I run sudo, I do though when I login as >>> my normal user. >>> >>> Google appears to have zero results on this, any clues what else I can >>> check? Seems odd to me! >>> >>> Thanks >>> >>> -- >>> Manage your subscription for the Freeipa-users mailing list: >>> https://www.redhat.com/mailman/listinfo/freeipa-users >>> Go to http://freeipa.org for more info on the project >> >> -- >> Manage your subscription for the Freeipa-users mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-users >> Go to http://freeipa.org for more info on the project

From jbaird at follett.com Tue Mar 22 18:49:43 2016 From: jbaird at follett.com (Baird, Josh) Date: Tue, 22 Mar 2016 18:49:43 +0000 Subject: [Freeipa-users] Samba Integration with AD Trust Message-ID:

Hi all,

I'm attempting to integrate Samba 4.2.3 with IPA 4.2 (RHEL7). I have a kerberos trust established between IPA and AD.
I have followed the instructions on the wiki [1], but had some questions and problems specifically related to share permissions:

I'm having trouble with shares where I need to grant access to a specific AD user/group. I have tried this and other variations with no success:

[shared]
path = /home/shared
writable = yes
browsable = yes
valid users = testsamba at ad.domain.lan

I have also tried:

valid users = ad\testsamba
vaild users= @ad\testsamba
valid users= @testsamba at ad.domain.lan

What is the proper way to allow specific AD groups access to the Samba share? I also tried nesting an external group in a POSIX group with no success. Should I be using something other than 'valid users'?

[1] http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

Thanks,

Josh

From jstephen at redhat.com Tue Mar 22 19:09:50 2016 From: jstephen at redhat.com (Justin Stephenson) Date: Tue, 22 Mar 2016 15:09:50 -0400 Subject: [Freeipa-users] Samba Integration with AD Trust In-Reply-To: References: Message-ID: <56F1987E.2080400@redhat.com>

I have used the following successfully in the past:

[shared]
path = /home/shared
valid users = @ad_admins
read only = No
guest ok = Yes

This requires the sssd-libwbclient rpm which may be installed already as a dependency.

-Justin

On 03/22/2016 02:49 PM, Baird, Josh wrote: > Hi all, > > I'm attempting to integrate Samba 4.2.3 with IPA 4.2 (RHEL7). I have a kerberos trust established between IPA and AD. I have followed the instructions on the wiki [1], but had some questions and problems specifically related to share permissions: > > I'm having trouble with shares where I need to grant access to a specific AD user/group.
I have tried this and other variations with no success: > > [shared] > path = /home/shared > writable = yes > browsable = yes > valid users = testsamba at ad.domain.lan > > I have also tried: > > valid users = ad\testsamba > vaild users= @ad\testsamba > valid users= @testsamba at ad.domain.lan > > > What is the proper way to allow specific AD groups access to the Samba share? I also tried nesting an external group in a POSIX group with no success. Should I be using something other than 'valid users'? > > [1] http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA > > Thanks, > > Josh > From ftweedal at redhat.com Tue Mar 22 22:48:36 2016 From: ftweedal at redhat.com (Fraser Tweedale) Date: Wed, 23 Mar 2016 08:48:36 +1000 Subject: [Freeipa-users] Certificate profiles and CA ACLs for service principals In-Reply-To: References: <56535c6e3ec310a6639f4616b1a396f5@earsdown.com> <20160322045501.GU18277@dhcp-40-8.bne.redhat.com> <56F1098E.2070403@redhat.com> <20160322095011.GY18277@dhcp-40-8.bne.redhat.com> Message-ID: <20160322224835.GZ18277@dhcp-40-8.bne.redhat.com> On Tue, Mar 22, 2016 at 10:57:37PM +1100, earsdown wrote: > Hi Fraser, Martin and Alexander, > > Thanks for looking into this! For what it's worth, I think for this > particular use case, I'm leaning more towards Alexander when he said: > > >I don't think you need to group services this way. For managing > >services, and this means being able to issue certificates/keytabs for > >them, we have hosts. By default a host that a service belongs to is > >capable to modify userCertificate attribute of the service already, so I > >would expect it to be able to issue certificates with subject principal > >corresponding to the service. 
> > >If CAACL would follow the same logic by allowing hosts that manage > >services to issue certificates with subject principals corresponding to > >these services, that should be enough because, after all, these host > >objects already have write permissions and can upload whatever > >certificates they like to the service objects. > >-- > >/ Alexander Bokovoy > > Personally, I was very surprised when I discovered that, even though a host > principal may manage a service principal, it is currently unable to request > a certificate for that service principal if the service principal doesn't > have specific access to the certificate profile, even though the host > principal may have access to the same certificate profile. In my mind the CA > ACL should be evaluated against the identity of the requestor, not the > issuee. As long as the requestor is allowed to request on behalf of the > issuee (achieved via the managedby attribute), then it should work. Now, if > I used the credentials of the service principal directly (say, with a > service keytab) to make the request (supposing the service principal wasn't > listed in the CA ACL), then denying the request would be the expected > behaviour (imo of course). > > Okay, so even though Alexander's suggestion might be more intuitive, > implementing service groups might be more feasible from a technical > standpoint, and I'm fairly sure this use case would also be solved by > implementing service groups. But, it would be painful without automember > regexp rules, so please don't forget this :D > > Cheers! > The CA ACLs solve a different part of the authorisation puzzle for certificates: what profiles (or, in the future, (sub-)CAs) may be used to issue certs to a given subject is a different question from which entities can request certificates on behalf of the subject. 
Profiles which are allowed for a host principal (representing physical or virtual machines) are not necessarily the same profiles that should be used for service principals. This is why CA ACLs must be executed against the issuee principal. It is best to implement service groups then support them in CA ACLs. Final note: directory ACIs allow hosts to request certificates for services they manage. The overall authorisation for cert issuance depends on *both* the directory ACIs and CA ACLs. Cheers, Fraser > On 2016-03-22 20:50, Fraser Tweedale wrote: > >On Tue, Mar 22, 2016 at 09:59:58AM +0100, Martin Kosek wrote: > >>On 03/22/2016 05:55 AM, Fraser Tweedale wrote: > >>> On Fri, Mar 18, 2016 at 08:12:44PM +1100, earsdown wrote: > >>... > >>> To my fellow FreeIPA developers: are service groups a sensible RFE? > >>> Is there a reason why they have not been implemented? > >> > >>It *is* sensible RFE and it was actually already filed! > >> > >>https://fedorahosted.org/freeipa/ticket/5277 > >> > >>Please feel free to add yourself to CC to receive updates or even help > >>us with > >>implementation. > >> > >>Thanks, > >>Martin > >> > >Good to know... I've added myself to Cc and also filed an RFE for > >enhancing CA ACLs with service groups once #5277 is implemented: > >https://fedorahosted.org/freeipa/ticket/5753 > > > >Cheers, > >Fraser > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project From foley at ru.is Wed Mar 23 01:17:05 2016 From: foley at ru.is (Joseph Timothy Foley) Date: Wed, 23 Mar 2016 01:17:05 +0000 Subject: [Freeipa-users] Renewing an externally signed HTTP/LDAP certificate In-Reply-To: <56F14C57.8020607@redhat.com> Message-ID: Hi Rob. You are right that I should be able to just update it on our second server. 
What happened was I was trying to see if the certificate would work on the install process since I couldn't figure out the renewal. This did not work, which is why I just sent out an update of my new LDAP error. If I understand you correctly, I somehow need to add the new trust chain to both sides. How would I go about doing that? Joe -- Dr. Joseph T. Foley Assistant Professor, Reykjavik University +354-599-6569 On 3/22/16 1:44 PM, "Rob Crittenden" wrote: >Joseph Timothy Foley wrote: >> Hi Rob. >> >> To add to this mess, I seem to have somehow confused the LDAP >> certificate configuration in the process of setting up a replicant >> (ipa.cs.ru.is) with my new StartSSL (personal) certificate. The >> previous certificate was a corporate Level2 certificate. Trying to use >> the old certificate (which expires tomorrow) doesn't seem to put it back >> in working order. > >I thought you just needed to update the certificate. Why are you >creating a new replica? > >My own StartSSL Server cert expires in a month and I just renewed it >this morning. They have a new subordinate CA, that might be part of the >problem (both sides need to trust it). I'd look in the access log of the >remote 389-ds server to see what error it threw (and the local one too I >suppose). > >But really, you should be able to replace the certs using certutil, not >re-install the whole thing. 
> >rob > > >> This is what I did to make the pkcs file: >> >> cp ipa.cs.ru.is.crt ipa.cs.ru.is-bundle.crt >> cat certs/ca-bundle.crt >> ipa.cs.ru.is-bundle.crt (the ca-bundle is >> the root_bundle.crt they now send you in a zip file) >> >> openssl pkcs12 -export -in ipa.cs.ru.is-bundle.crt -inkey >> private/ipa.cs.ru.is.key -out ipa.cs.ru.is.p12 -name ipa.cs.ru.is >> >> ipa-replica-prepare --http-cert-file ipa.cs.ru.is.p12 --http-pin XXXXX >> --dirsrv-cert-file ipa.cs.ru.is.p12 --dirsrv-pin XXXXX ipa.cs.ru.is >> >> Then copied it to ipa.cs.ru.is and ran >> ipa-replica-install --mkhomedir replica-info-ipa.cs.ru.is.gpg >> >> Everything looks fine until: >> [24/38]: setting up initial replication >> Starting replication, please wait until this has completed. >> >> [ipa2.cs.ru.is] reports: Update failed! Status: [-11 - LDAP error: >> Connect error] >> >> [error] RuntimeError: Failed to start replication >> Your system may be partly configured. >> Run /usr/sbin/ipa-server-install --uninstall to clean up. >> >> ipa.ipapython.install.cli.install_tool(Replica): ERROR Failed to >> start replication >> >> >> Looking at the setup log in /var/log/ipareplica-install.log: >> >> 2016-03-22T08:49:22Z DEBUG retrieving schema for SchemaCache >> url=ldap://ipa2.cs.ru.is:389 conn=> instan\ >> ce at 0x8cfc908> >> 2016-03-22T08:49:23Z DEBUG Successfully updated nsDS5ReplicaId. 
>> 2016-03-22T08:49:23Z DEBUG flushing ldaps://ipa.cs.ru.is:636 from >> SchemaCache >> 2016-03-22T08:49:23Z DEBUG retrieving schema for SchemaCache >> url=ldaps://ipa.cs.ru.is:636 conn=> instan\ >> ce at 0x8a01830> >> 2016-03-22T08:49:24Z DEBUG Traceback (most recent call last): >> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >> line 418, in start_creation >> run_step(full_msg, method) >> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >> line 408, in run_step >> method() >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line >> 377, in __setup_replica >> r_bindpw=self.dm_password) >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", >> line 1014, in setup_replication >> raise RuntimeError("Failed to start replication") >> RuntimeError: Failed to start replication >> >> 2016-03-22T08:49:24Z DEBUG [error] RuntimeError: Failed to start >> replication >> 2016-03-22T08:49:24Z DEBUG Destroyed connection context.ldap2_102284432 >> 2016-03-22T08:49:24Z DEBUG File >> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in >> execute >> return_value = self.run() >> File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", >>line >> 311, in run >> cfgr.run() >> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 281, in run >> self.execute() >> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 303, in execute >> for nothing in self._executor(): >> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 343, in __runner >> self._handle_exception(exc_info) >> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 365, in _handle_exception >> util.raise_exc_info(exc_info) >> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 333, in __runner >> step() >> File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", >> line 87, in 
run_generator_with_yield_from >> raise_exc_info(exc_info) >> File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", >> line 65, in run_generator_with_yield_from >> value = gen.send(prev_value) >> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 524, in _configure >> executor.next() >> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 343, in __runner >> self._handle_exception(exc_info) >> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 421, in _handle_exception >> self.__parent._handle_exception(exc_info) >> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 365, in _handle_exception >> util.raise_exc_info(exc_info) >> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 418, in _handle_exception >> super(ComponentBase, self)._handle_exception(exc_info) >> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 365, in _handle_exception >> util.raise_exc_info(exc_info) >> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 333, in __runner >> step() >> File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", >> line 87, in run_generator_with_yield_from >> raise_exc_info(exc_info) >> File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", >> line 65, in run_generator_with_yield_from >> value = gen.send(prev_value) >> File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", >> line 63, in _install >> for nothing in self._installer(self.parent): >> File >> >>"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall >>.py", line 879, in main >> install(self) >> File >> >>"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall >>.py", line 295, in decorated >> func(installer) >> File >> >>"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall >>.py", line 566, in install >> ds = install_replica_ds(config) >> >> 
File >> >>"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall >>.py", line 77, in install_replica_ds >> ca_file=config.dir + "/ca.crt", >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line >> 364, in create_replica >> self.start_creation(runtime=60) >> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >> line 418, in start_creation >> run_step(full_msg, method) >> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >> line 408, in run_step >> method() >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line >> 377, in __setup_replica >> r_bindpw=self.dm_password) >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", >> line 1014, in setup_replication >> raise RuntimeError("Failed to start replication") >> >> 2016-03-22T08:49:24Z DEBUG The ipa-replica-install command failed, >> exception: RuntimeError: Failed to start replication >> 2016-03-22T08:49:24Z ERROR Failed to start replication >> >> On Mon, 2016-03-21 at 15:47 -0400, Rob Crittenden wrote: >>> Joseph Timothy Foley wrote: >>>> I just discovered that the certificate on ipa2.cs.ru.is is good to >>>>August, >>>> so I have a little bit of breathing room. That said, the ipa.cs.ru.is >>>> certificate will expire on March 23, so I need to update it. >>> >>> The process to get a new cert is pretty much the same as you obtained >>> the original assuming you kept the original CSR. You'd re-submit that >>>to >>> StartSSL and they will provide a new certificate in PEM format. >>> >>> Add that to the relevant database via: >>> >>> # certutil -A -n "Server-Cert" -d /path/to/db -t u,u,u -a -i /path/to >>> cert.pem >>> >>> I can't give much more specific information without knowing if you are, >>> for example, using the same cert/key for both 389-ds and Apache. >>> >>> rob >>> >>>> -- >>>> Dr. Joseph T.
Foley Assistant Professor, Reykjavik >>>> University +354-599-6569 >>>> >>>> >>>> >>>> On 3/21/16 6:27 PM, "Joseph Timothy Foley" wrote: >>>> >>>>> Hi there. >>>>> I setup an IPA4.2.0 on RHEL7 service for our CS department on >>>>> ipa.cs.ru.is(temporarily down) and ipa2.cs.ru.is >>>>> I used StartSSL to sign our certificate for HTTP and LDAP usage >>>>>because I >>>>> didn't want our users to deal with the internal CA nor could we get >>>>>the CA >>>>> certificate signed. Problem is, I can't find any information on how >>>>>to >>>>> get the new certificates installed on the running IPA server. They >>>>>expire >>>>> in 2 days, so I'm running out of time. Any help would be greatly >>>>> appreciated. >>>>> >>>>> I can only find information on how to setup these certificates on a >>>>>brand >>>>> new IPA or replicant. There isn't any obvious information on how to >>>>>put >>>>> updated certificates into a running instance. >>>>> >>>>> Thanks in advance. >>>>> >>>>> Joe >>>>> -- >>>>> Dr. Joseph T. Foley Assistant Professor, Reykjavik >>>>> University +354-599-6569 >>>>> >>>>> >>>>> >>>>> >>>>> -- >>>>> Manage your subscription for the Freeipa-users mailing list: >>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>> Go to http://freeipa.org for more info on the project >>>> >>>> >>> >> > From stacy.redmond at blueshieldca.com Wed Mar 23 01:44:13 2016 From: stacy.redmond at blueshieldca.com (Redmond, Stacy) Date: Wed, 23 Mar 2016 01:44:13 +0000 Subject: [Freeipa-users] Removing the requirement to add domain to users login Message-ID: <5434D6A65FEF2B428D5CC8D77FA7DA715576317A@wexc201p.bsc.bscal.com> I have been tasked with setting up an IPA AD trust. I have my ipa server setup, the trust is setup, and appears to be working for the most part. I have two problems. I would like for users to login with userid only. 
Right now I can only login using userid at ad_domain I am hoping there is some way to just have it search that domain as well as the default ipa domain I will add my other problem, but am willing to send a second email to the group if needed. When I login to my linux client and type id, I see lots of groups but they don't all match the member of list I pull using an ldap search of AD. IPA Server: RHEL 7.2 ipa 4.2 Client: RHEL 7.2

From Lachlan.Simpson at petermac.org Wed Mar 23 01:56:34 2016 From: Lachlan.Simpson at petermac.org (Simpson Lachlan) Date: Wed, 23 Mar 2016 01:56:34 +0000 Subject: [Freeipa-users] Removing the requirement to add domain to users login In-Reply-To: <5434D6A65FEF2B428D5CC8D77FA7DA715576317A@wexc201p.bsc.bscal.com> References: <5434D6A65FEF2B428D5CC8D77FA7DA715576317A@wexc201p.bsc.bscal.com> Message-ID: <0137003026EBE54FBEC540C5600C03C4350BB4@PMC-EXMBX02.petermac.org.au>

Stacy

With regard to your first problem, IIRC you can have it default to a single domain - it doesn't matter which. Users from the other domain, will need to login via the user at my.other.domain.com

I had exactly this problem. If you want to change it, it's the default_domain_suffix option.

Cheers
L.

From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Redmond, Stacy Sent: Wednesday, 23 March 2016 12:44 PM To: freeipa-users at redhat.com Subject: [Freeipa-users] Removing the requirement to add domain to users login

I have been tasked with setting up an IPA AD trust. I have my ipa server setup, the trust is setup, and appears to be working for the most part. I have two problems. I would like for users to login with userid only.
Right now I can only login using userid at ad_domain I am hoping there is some way to just have it search that domain as well as the default ipa domain I will add my other problem, but am willing to send a second email to the group if needed. When I login to my linux client and type id, I see lots of groups but they don't all match the member of list I pull using an ldap search of AD. IPA Server: RHEL 7.2 ipa 4.2 Client: RHEL 7.2

From rcritten at redhat.com Wed Mar 23 02:48:36 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 22 Mar 2016 22:48:36 -0400 Subject: [Freeipa-users] Renewing an externally signed HTTP/LDAP certificate In-Reply-To: References: Message-ID: <56F20404.50805@redhat.com>

Joseph Timothy Foley wrote: > Hi Rob. > You are right that I should be able to just update it on our second > server. What happened was I was trying to see if the certificate would > work on the install process since I couldn't figure out the renewal. > This did not work, which is why I just sent out an update of my new LDAP > error. > If I understand you correctly, I somehow need to add the new trust chain > to both sides. How would I go about doing that?
The cert I just got from StartSSL came as a zip file containing a bunch of zip files. One was something like ApacheSomething.zip which contained two PEM files: the intermediate CA and the server cert.

Using 389-ds as an example, you'd do something like this to add the new server certificate:

# certutil -A -n Server-Cert -d /etc/dirsrv/slapd-REALM -t u,u,u -a -i /path/to/2_my.domain.crt

To add the intermediate CA:

# certutil -A -n "StartCom Class 1 DV Server CA" -d /etc/dirsrv/slapd-REALM -t CT,CT, -a -i /path/to/1_root_bundle.crt

The nickname may vary. This is the subject of the intermediate that issued my cert as an example. You can do something like:

# openssl x509 -text -in /path/to/1_root_bundle.crt |grep Subject

And use that as inspiration for the nickname. It just needs to be a unique string, but using something relevant is often helpful (e.g. you can use foo but will you know what that is next year).

Verify that the updated cert works:

# certutil -V -u V -d /etc/dirsrv/slapd-REALM -n Server-Cert
certutil: certificate is valid

Restart the dirsrv process to pick up the new cert.

rob

>
> Joe
> --
> Dr. Joseph T. Foley Assistant Professor, Reykjavik
> University +354-599-6569
>
> On 3/22/16 1:44 PM, "Rob Crittenden" wrote:
>
>> Joseph Timothy Foley wrote:
>>> Hi Rob.
>>>
>>> To add to this mess, I seem to have somehow confused the LDAP
>>> certificate configuration in the process of setting up a replicant
>>> (ipa.cs.ru.is) with my new StartSSL (personal) certificate. The
>>> previous certificate was a corporate Level2 certificate. Trying to use
>>> the old certificate (which expires tomorrow) doesn't seem to put it back
>>> in working order.
>>
>> I thought you just needed to update the certificate. Why are you
>> creating a new replica?
>>
>> My own StartSSL Server cert expires in a month and I just renewed it
>> this morning. They have a new subordinate CA, that might be part of the
>> problem (both sides need to trust it). I'd look in the access log of the
>> remote 389-ds server to see what error it threw (and the local one too I
>> suppose).
>>
>> But really, you should be able to replace the certs using certutil, not
>> re-install the whole thing.
>>
>> rob
>>
>>> This is what I did to make the pkcs file:
>>>
>>> cp ipa.cs.ru.is.crt ipa.cs.ru.is-bundle.crt
>>> cat certs/ca-bundle.crt >> ipa.cs.ru.is-bundle.crt (the ca-bundle is
>>> the root_bundle.crt they now send you in a zip file)
>>>
>>> openssl pkcs12 -export -in ipa.cs.ru.is-bundle.crt -inkey
>>> private/ipa.cs.ru.is.key -out ipa.cs.ru.is.p12 -name ipa.cs.ru.is
>>>
>>> ipa-replica-prepare --http-cert-file ipa.cs.ru.is.p12 --http-pin XXXXX
>>> --dirsrv-cert-file ipa.cs.ru.is.p12 --dirsrv-pin XXXXX ipa.cs.ru.is
>>>
>>> Then copied it to ipa.cs.ru.is and ran
>>> ipa-replica-install --mkhomedir replica-info-ipa.cs.ru.is.gpg
>>>
>>> Everything looks fine until:
>>> [24/38]: setting up initial replication
>>> Starting replication, please wait until this has completed.
>>>
>>> [ipa2.cs.ru.is] reports: Update failed! Status: [-11 - LDAP error:
>>> Connect error]
>>>
>>> [error] RuntimeError: Failed to start replication
>>> Your system may be partly configured.
>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>
>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR Failed to
>>> start replication
>>>
>>>
>>> Looking at the setup log in /var/log/ipareplica-install.log:
>>>
>>> 2016-03-22T08:49:22Z DEBUG retrieving schema for SchemaCache
>>> url=ldap://ipa2.cs.ru.is:389 conn=>> instan\
>>> ce at 0x8cfc908>
>>> 2016-03-22T08:49:23Z DEBUG Successfully updated nsDS5ReplicaId.
>>> 2016-03-22T08:49:23Z DEBUG flushing ldaps://ipa.cs.ru.is:636 from >>> SchemaCache >>> 2016-03-22T08:49:23Z DEBUG retrieving schema for SchemaCache >>> url=ldaps://ipa.cs.ru.is:636 conn=>> instan\ >>> ce at 0x8a01830> >>> 2016-03-22T08:49:24Z DEBUG Traceback (most recent call last): >>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >>> line 418, in start_creation >>> run_step(full_msg, method) >>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >>> line 408, in run_step >>> method() >>> File >>> "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line >>> 377, in __setup_replica >>> r_bindpw=self.dm_password) >>> File >>> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", >>> line 1014, in setup_replication >>> raise RuntimeError("Failed to start replication") >>> RuntimeError: Failed to start replication >>> >>> 2016-03-22T08:49:24Z DEBUG [error] RuntimeError: Failed to start >>> replication >>> 2016-03-22T08:49:24Z DEBUG Destroyed connection context.ldap2_102284432 >>> 2016-03-22T08:49:24Z DEBUG File >>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in >>> execute >>> return_value = self.run() >>> File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", >>> line >>> 311, in run >>> cfgr.run() >>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>> line 281, in run >>> self.execute() >>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>> line 303, in execute >>> for nothing in self._executor(): >>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>> line 343, in __runner >>> self._handle_exception(exc_info) >>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>> line 365, in _handle_exception >>> util.raise_exc_info(exc_info) >>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>> line 333, in __runner >>> step() >>> File 
"/usr/lib/python2.7/site-packages/ipapython/install/util.py", >>> line 87, in run_generator_with_yield_from >>> raise_exc_info(exc_info) >>> File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", >>> line 65, in run_generator_with_yield_from >>> value = gen.send(prev_value) >>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>> line 524, in _configure >>> executor.next() >>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>> line 343, in __runner >>> self._handle_exception(exc_info) >>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>> line 421, in _handle_exception >>> self.__parent._handle_exception(exc_info) >>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>> line 365, in _handle_exception >>> util.raise_exc_info(exc_info) >>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>> line 418, in _handle_exception >>> super(ComponentBase, self)._handle_exception(exc_info) >>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>> line 365, in _handle_exception >>> util.raise_exc_info(exc_info) >>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>> line 333, in __runner >>> step() >>> File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", >>> line 87, in run_generator_with_yield_from >>> raise_exc_info(exc_info) >>> File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", >>> line 65, in run_generator_with_yield_from >>> value = gen.send(prev_value) >>> File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", >>> line 63, in _install >>> for nothing in self._installer(self.parent): >>> File >>> >>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall >>> .py", line 879, in main >>> install(self) >>> File >>> >>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall >>> .py", line 295, in decorated >>> func(installer) >>> File >>> >>> 
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall >>> .py", line 566, in install >>> ds = install_replica_ds(config) >>> >>> File >>> >>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall >>> .py", line 77, in install_replica_ds >>> ca_file=config.dir + "/ca.crt", >>> File >>> "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line >>> 364, in create_replica >>> self.start_creation(runtime=60) >>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >>> line 418, in start_creation >>> run_step(full_msg, method) >>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >>> line 408, in run_step >>> method() >>> File >>> "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line >>> 377, in __setup_replica >>> r_bindpw=self.dm_password) >>> File >>> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", >>> line 1014, in setup_replication >>> raise RuntimeError("Failed to start replication") >>> >>> 2016-03-22T08:49:24Z DEBUG The ipa-replica-install command failed, >>> exception: RuntimeError: Failed to start replication >>> 2016-03-22T08:49:24Z ERROR Failed to start replication >>> >>> On Mon, 2016-03-21 at 15:47 -0400, Rob Crittenden wrote: >>>> Joseph Timothy Foley wrote: >>>>> I just discovered that the certificate on ipa2.cs.ru.is is good to >>>>> August, >>>>> so I have a little bit of breathing room. That said, the ipa.cs.ru.is >>>>> certificate will expire on March 23, so I need to update it. >>>> >>>> The process to get a new cert is pretty much the same as you obtained >>>> the original assuming you kept the original CSR. You'd re-submit that >>>> to >>>> StartSSL and they will provide a new certificate in PEM format. 
>>>> >>>> Add that to the relevant database via: >>>> >>>> # certutil -A -n "Server-Cert" -d /path/to/db -t u,u,u -a -i /path/to >>>> cert.pem >>>> >>>> I can't give much more specific information without knowing if you are, >>>> for example, using the came cert/key for both 389-ds and Apache. >>>> >>>> rob >>>> >>>>> -- >>>>> Dr. Joseph T. Foley Assistant Professor, Reykjavik >>>>> University +354-599-6569 >>>>> >>>>> >>>>> >>>>> On 3/21/16 6:27 PM, "Joseph Timothy Foley" wrote: >>>>> >>>>>> Hi there. >>>>>> I setup an IPA4.2.0 on RHEL7 service for our CS department on >>>>>> ipa.cs.ru.is(temporarily down) and ipa2.cs.ru.is >>>>>> I used StartSSL to sign our certificate for HTTP and LDAP usage >>>>>> because I >>>>>> didn't want our users to deal with the internal CA nor could we get >>>>>> the CA >>>>>> certificate signed. Problem is, I can't find any information on how >>>>>> to >>>>>> get the new certificates installed on the running IPA server. They >>>>>> expire >>>>>> in 2 days, so I'm running out of time. Any help would be greatly >>>>>> appreciated. >>>>>> >>>>>> I can only find information on how to setup these certificates on a >>>>>> brand >>>>>> new IPA or replicant. There isn't any obvious information on how to >>>>>> put >>>>>> updated certificates into a running instance. >>>>>> >>>>>> Thanks in advance. >>>>>> >>>>>> Joe >>>>>> -- >>>>>> Dr. Joseph T. 
Foley Assistant Professor, Reykjavik
>>>>>> University +354-599-6569
>>>>>>

From lslebodn at redhat.com Wed Mar 23 07:09:02 2016
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Wed, 23 Mar 2016 08:09:02 +0100
Subject: [Freeipa-users] sudo with OTP
In-Reply-To:
References: <20160314144954.GY3059@p.redhat.com>
Message-ID: <20160323070901.GC2241@mail.corp.redhat.com>

On (22/03/16 10:06), Brad Bendy wrote:
>I'm having some issues applying these patches with dependencies. But on
>a side note, this needs to be applied to the client machines as well
>the IPA server itself, correct?
>
I pushed related sudo patches to fedora yesterday. They are in updates-testing ATM.

If you want to test packages on el6 or el7, then backported versions of fedora packages are available in our sssd group copr repo.
https://copr.fedorainfracloud.org/coprs/g/sssd/sssd-1-13/

Please report any bugs here or to sssd-users.

LS

From sbose at redhat.com Wed Mar 23 08:37:38 2016
From: sbose at redhat.com (Sumit Bose)
Date: Wed, 23 Mar 2016 09:37:38 +0100
Subject: [Freeipa-users] Removing the requirement to add domain to users login
In-Reply-To: <5434D6A65FEF2B428D5CC8D77FA7DA715576317A@wexc201p.bsc.bscal.com>
References: <5434D6A65FEF2B428D5CC8D77FA7DA715576317A@wexc201p.bsc.bscal.com>
Message-ID: <20160323083738.GA18816@p.redhat.com>

On Wed, Mar 23, 2016 at 01:44:13AM +0000, Redmond, Stacy wrote:
> I have been tasked with setting up an IPA AD trust. I have my ipa server setup, the trust is setup, and appears to be working for the most part. I have two problems. I would like for users to login with userid only. Right now I can only login using userid at ad_domain I am hoping there is some way to just have it search that domain as well as the default ipa domain
>
> I will add my other problem, but am willing to send a second email to the group if needed. When I login to my linux client and type id, I see lots of groups but they don't all match the member of list I pull using an ldap search of AD.

This is expected because the list in the user entry is not complete. E.g. it is possible to create nested groups in AD and the memberships due to group nesting are not seen in the LDAP entry. Cross-domain group memberships are not covered here as well.

HTH

bye,
Sumit

>
> IPA Server: RHEL 7.2 ipa 4.2
> Client: RHEL 7.2

From pspacek at redhat.com Wed Mar 23 09:37:08 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 23 Mar 2016 10:37:08 +0100
Subject: [Freeipa-users] Error in IPA webinterface then DNS name contains \032 ()
In-Reply-To: <1051863791.2167803.1458648295595.JavaMail.zimbra@casalogic.dk>
References: <586012520.2164439.1458637145609.JavaMail.zimbra@casalogic.dk> <56F11389.3060004@redhat.com> <1635679211.2165881.1458642094395.JavaMail.zimbra@casalogic.dk> <56F12DE0.3060506@redhat.com> <1051863791.2167803.1458648295595.JavaMail.zimbra@casalogic.dk>
Message-ID: <56F263C4.302@redhat.com>

On 22.3.2016 13:04, Troels Hansen wrote:
> ----- On Mar 22, 2016, at 12:34 PM, Petr Spacek pspacek at redhat.com wrote:
>
>>
>> Have you tried
>> # ipa dnsrecord-show casalogic.lan. 'LIFX\032Bulb'
>> ?
>>
>> I suspect that Bash is playing escaping game with you.
>>
>
> Same result......
>
> ipa dnsrecord-show casalogic.lan. 'LIFX\032Bulb'
> ipa: ERROR: LIFX\032Bulb: DNS resource record not found

Interesting, I'm curious how the data in LDAP look like.
Please run ldapsearch command similar to this:

$ ldapsearch -Y GSSAPI -b 'cn=dns,dc=example,dc=com' '(idnsName=*LIFX*)'

Do not forget to change 'dc=example,dc=com' to match your realm name.

Thank you.

--
Petr^2 Spacek

From th at casalogic.dk Wed Mar 23 09:44:48 2016
From: th at casalogic.dk (Troels Hansen)
Date: Wed, 23 Mar 2016 10:44:48 +0100 (CET)
Subject: [Freeipa-users] Error in IPA webinterface then DNS name contains \032 ()
In-Reply-To: <56F263C4.302@redhat.com>
References: <586012520.2164439.1458637145609.JavaMail.zimbra@casalogic.dk> <56F11389.3060004@redhat.com> <1635679211.2165881.1458642094395.JavaMail.zimbra@casalogic.dk> <56F12DE0.3060506@redhat.com> <1051863791.2167803.1458648295595.JavaMail.zimbra@casalogic.dk> <56F263C4.302@redhat.com>
Message-ID: <666049762.2179067.1458726288349.JavaMail.zimbra@casalogic.dk>

----- On Mar 23, 2016, at 10:37 AM, Petr Spacek pspacek at redhat.com wrote:
>
> Interesting, I'm curious how the data in LDAP look like.
>
> Please run ldapsearch command similar to this:
>
> $ ldapsearch -Y GSSAPI -b 'cn=dns,dc=example,dc=com' '(idnsName=*LIFX*)'
>

# LIFX Bulb, casalogic.lan, dns, casalogic.lan
dn: idnsName=LIFX Bulb,idnsname=casalogic.lan,cn=dns,dc=casalogic,dc=lan
dNSTTL: 1800
tXTRecord: "009143ca16c9890339c7ec33825e0da5ce"
aRecord: 192.168.20.252
objectClass: idnsRecord
objectClass: top
idnsName: LIFX Bulb

From th at casalogic.dk Wed Mar 23 09:50:19 2016
From: th at casalogic.dk (Troels Hansen)
Date: Wed, 23 Mar 2016 10:50:19 +0100 (CET)
Subject: [Freeipa-users] Error in IPA webinterface then DNS name contains \032 ()
In-Reply-To: <666049762.2179067.1458726288349.JavaMail.zimbra@casalogic.dk>
References: <586012520.2164439.1458637145609.JavaMail.zimbra@casalogic.dk> <56F11389.3060004@redhat.com> <1635679211.2165881.1458642094395.JavaMail.zimbra@casalogic.dk> <56F12DE0.3060506@redhat.com> <1051863791.2167803.1458648295595.JavaMail.zimbra@casalogic.dk> <56F263C4.302@redhat.com> <666049762.2179067.1458726288349.JavaMail.zimbra@casalogic.dk>
Message-ID: <342463316.2179400.1458726619298.JavaMail.zimbra@casalogic.dk>

>
> # LIFX Bulb, casalogic.lan, dns, casalogic.lan
> dn: idnsName=LIFX Bulb,idnsname=casalogic.lan,cn=dns,dc=casalogic,dc=lan
> dNSTTL: 1800
> tXTRecord: "009143ca16c9890339c7ec33825e0da5ce"
> aRecord: 192.168.20.252
> objectClass: idnsRecord
> objectClass: top
> idnsName: LIFX Bulb

Which actually starts to make sense.

# ipa dnsrecord-show casalogic.lan. 'LIFX Bulb'
ipa: ERROR: LIFX\032Bulb: DNS resource record not found

So..... dhcp inserts the DNS record in LDAP with space, and IPA converts to \032 on querying.....

From pspacek at redhat.com Wed Mar 23 10:24:10 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 23 Mar 2016 11:24:10 +0100
Subject: [Freeipa-users] Error in IPA webinterface then DNS name contains \032 ()
In-Reply-To: <342463316.2179400.1458726619298.JavaMail.zimbra@casalogic.dk>
References: <586012520.2164439.1458637145609.JavaMail.zimbra@casalogic.dk> <56F11389.3060004@redhat.com> <1635679211.2165881.1458642094395.JavaMail.zimbra@casalogic.dk> <56F12DE0.3060506@redhat.com> <1051863791.2167803.1458648295595.JavaMail.zimbra@casalogic.dk> <56F263C4.302@redhat.com> <666049762.2179067.1458726288349.JavaMail.zimbra@casalogic.dk> <342463316.2179400.1458726619298.JavaMail.zimbra@casalogic.dk>
Message-ID: <56F26ECA.6030206@redhat.com>

On 23.3.2016 10:50, Troels Hansen wrote:
>
>>
>> # LIFX Bulb, casalogic.lan, dns, casalogic.lan
>> dn: idnsName=LIFX Bulb,idnsname=casalogic.lan,cn=dns,dc=casalogic,dc=lan
>> dNSTTL: 1800
>> tXTRecord: "009143ca16c9890339c7ec33825e0da5ce"
>> aRecord: 192.168.20.252
>> objectClass: idnsRecord
>> objectClass: top
>> idnsName: LIFX Bulb
>
> Which actually starts to make sense.
>
> # ipa dnsrecord-show casalogic.lan. 'LIFX Bulb'
> ipa: ERROR: LIFX\032Bulb: DNS resource record not found
>
> So..... dhcp inserts the DNS record in LDAP with space, and IPA converts to \032 on querying.....
Oh yes, this problem is caused by
https://fedorahosted.org/freeipa/ticket/3972
aka
https://fedorahosted.org/bind-dyndb-ldap/ticket/12
aka
https://fedorahosted.org/389/ticket/47564

FreeIPA is using string manipulations for DNS data but DNS data are generally not strings, so weird things happen (sometimes).

Did you find a way to modify the record using CLI? (e.g. using space instead of \032)?

--
Petr^2 Spacek

From mkosek at redhat.com Wed Mar 23 11:35:45 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 23 Mar 2016 12:35:45 +0100
Subject: [Freeipa-users] Tracking Login Times
In-Reply-To: <56F035CB.2090506@redhat.com>
References: <56F011A6.4040801@redhat.com> <56F035CB.2090506@redhat.com>
Message-ID: <56F27F91.2050300@redhat.com>

On 03/21/2016 06:56 PM, Rob Crittenden wrote:
> Bob wrote:
>> If each IPA server tracks time of last auth independently, then one ipa
>> server might disable an inactive account. But that account might be
>> active on another servers. In a fail over case where the server that
>> that account normally uses is down, the user would not have a usable
>> account.
>>
>> Is it possible to use the account policy plugin? Or is there a way to
>> track time of last auth that is replicated. I need to have accounts
>> that have been inactive for 90 days automatically disabled.
>
> You can't use the account policy plugin but it isn't aware of Kerberos so it
> would miss potentially a lot of authentications.
>
> You could modify replication agreements to not ignore this attribute but you
> potentially create a replication "storm", particularly early morning when
> everyone logs in at the same time.
>
> In any case IPA password policy doesn't currently handle inactivity. There is a
> ticket open: https://fedorahosted.org/freeipa/ticket/4975 (with a potential
> short-term workaround).
JFTR, this is the ticket with failed login replication RFE:
https://fedorahosted.org/freeipa/ticket/3700

Martin

From stsimb at forthnet.gr Wed Mar 23 11:54:51 2016
From: stsimb at forthnet.gr (Sotiris Tsimbonis)
Date: Wed, 23 Mar 2016 13:54:51 +0200
Subject: [Freeipa-users] Problem migrating from openldap using groups in a group
Message-ID: <56F2840B.3060508@forthnet.gr>

Hi all,

I'm trying to migrate into freeipa some users and groups from an old
ldap server I've inherited. But migrate-ds fails to import groups inside
usergroups, it believes they are users and imports them wrongly..

trying to migrate with command:
ipa migrate-ds --bind-dn="cn=root,dc=staff,dc=forthnet" \
 --base-dn="ou=Forthnet,dc=staff,dc=forthnet" \
 --user-container=ou=users \
 --group-container=ou=groups \
 --group-objectclass=posixgroup \
 --schema=RFC2307 \
 ldap://devldap01.forthnet.prv:389

(version is ipa-server-4.2.0-15.0.1.el7.centos.6.x86_64)

here is part of the ldif from devldap01
---------------------------------------
dn: cn=security-tech,ou=groups,ou=Forthnet,dc=staff,dc=forthnet
cn: security-tech
objectClass: posixGroup
structuralObjectClass: posixGroup
entryUUID: 5723476e-bad4-102c-8fe3-0bb2ba42f62f
creatorsName: cn=root,dc=staff,dc=forthnet
createTimestamp: 20080520162000Z
memberUid: dimitria
gidNumber: 1730
entryCSN: 20100107135233Z#000000#00#000000
modifiersName: cn=root,dc=staff,dc=forthnet
modifyTimestamp: 20100107135233Z

dn: cn=abusewg,ou=groups,ou=Forthnet,dc=staff,dc=forthnet
cn: abusewg
objectClass: posixGroup
structuralObjectClass: posixGroup
entryUUID: f90113dc-bad3-102c-8d13-0bb2ba42f62f
creatorsName: cn=root,dc=staff,dc=forthnet
createTimestamp: 20080520161722Z
memberUid: ccha
memberUid: dzer
memberUid: gmouz
memberUid: isek
memberUid: kavaklis
memberUid: nasl
memberUid: pmav
memberUid: stsimb
memberUid: cn=security-tech,ou=groups,ou=Forthnet,dc=staff,dc=forthnet
gidNumber: 1010
entryCSN: 20151203143609Z#000000#00#000000
modifiersName: cn=root,dc=staff,dc=forthnet
modifyTimestamp: 20151203143609Z
--------------------------------------------------------------------

migrate-ds completes with no failures.

The usergroup "security-tech" is correctly imported in freeipa, it
contains user "dimitria" who is also imported correctly.

But usergroup "abusewg" contains 9 users and reports an error
"user not found:
cn=security-tech,ou=groups,ou=Forthnet,dc=staff,dc=forthnet".

I would expect it to migrate the "security-tech" as a usergroup, not as
a user.

Any suggestions please?

Thanks,
Sot.

From abokovoy at redhat.com Wed Mar 23 12:27:13 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 23 Mar 2016 14:27:13 +0200
Subject: [Freeipa-users] Problem migrating from openldap using groups in a group
In-Reply-To: <56F2840B.3060508@forthnet.gr>
References: <56F2840B.3060508@forthnet.gr>
Message-ID: <20160323122713.GL4492@redhat.com>

On Wed, 23 Mar 2016, Sotiris Tsimbonis wrote:
>Hi all,
>
>I'm trying to migrate into freeipa some users and groups from an old
>ldap server I've inherited. But migrate-ds fails to import groups inside
>usergroups, it believes they are users and imports them wrongly..
>
>trying to migrate with command:
>ipa migrate-ds --bind-dn="cn=root,dc=staff,dc=forthnet" \
> --base-dn="ou=Forthnet,dc=staff,dc=forthnet" \
> --user-container=ou=users \
> --group-container=ou=groups \
> --group-objectclass=posixgroup \
> --schema=RFC2307 \
> ldap://devldap01.forthnet.prv:389
>
>(version is ipa-server-4.2.0-15.0.1.el7.centos.6.x86_64)
>
>here is part of the ldif from devldap01
>---------------------------------------
>dn: cn=security-tech,ou=groups,ou=Forthnet,dc=staff,dc=forthnet
>cn: security-tech
>objectClass: posixGroup
>structuralObjectClass: posixGroup
>entryUUID: 5723476e-bad4-102c-8fe3-0bb2ba42f62f
>creatorsName: cn=root,dc=staff,dc=forthnet
>createTimestamp: 20080520162000Z
>memberUid: dimitria
>gidNumber: 1730
>entryCSN: 20100107135233Z#000000#00#000000
>modifiersName: cn=root,dc=staff,dc=forthnet
>modifyTimestamp: 20100107135233Z
>
>dn: cn=abusewg,ou=groups,ou=Forthnet,dc=staff,dc=forthnet
>cn: abusewg
>objectClass: posixGroup
>structuralObjectClass: posixGroup
>entryUUID: f90113dc-bad3-102c-8d13-0bb2ba42f62f
>creatorsName: cn=root,dc=staff,dc=forthnet
>createTimestamp: 20080520161722Z
>memberUid: ccha
>memberUid: dzer
>memberUid: gmouz
>memberUid: isek
>memberUid: kavaklis
>memberUid: nasl
>memberUid: pmav
>memberUid: stsimb
>memberUid: cn=security-tech,ou=groups,ou=Forthnet,dc=staff,dc=forthnet
>gidNumber: 1010
>entryCSN: 20151203143609Z#000000#00#000000
>modifiersName: cn=root,dc=staff,dc=forthnet
>modifyTimestamp: 20151203143609Z
>--------------------------------------------------------------------
>
>migrate-ds completes with no failures.
>
>The usergroup "security-tech" is correctly imported in freeipa, it
>contains user "dimitria" who is also imported correctly.
>
>But usergroup "abusewg" contains 9 users and reports an error
>"user not found:
>cn=security-tech,ou=groups,ou=Forthnet,dc=staff,dc=forthnet".
>
>I would expect it to migrate the "security-tech" as a usergroup, not as
>a user.
migrate-ds did everything right because memberUid attribute in RFC2307 schema is the uid of a user, not a group. RFC2307 schema does not allow to have nested groups.

memberUid syntax is

    ( nisSchema.1.12 NAME 'memberUid'
      EQUALITY caseExactIA5Match
      SUBSTRINGS caseExactIA5SubstringsMatch
      SYNTAX 'IA5String' )

i.e. this is IA5String, not a DN.

This doesn't help you much because your LDAP server use was already violating RFC2307 so I'd suggest to fix these violations and group membership manually.
--
/ Alexander Bokovoy

From jbaird at follett.com Wed Mar 23 13:10:47 2016
From: jbaird at follett.com (Baird, Josh)
Date: Wed, 23 Mar 2016 13:10:47 +0000
Subject: [Freeipa-users] Samba Integration with AD Trust
In-Reply-To:
References:
Message-ID:

Justin,

@ad_admins is an AD group, correct (not a POSIX group), correct? I still cannot get this working. Home directory shares are working fine.

(apologies for the broken threading - I don't think I received your message for some reason)

Thanks,

Josh

> -----Original Message-----
From: Justin Stephenson
To: "Baird, Josh" , "'freeipa-users redhat com'"
Subject: Re: [Freeipa-users] Samba Integration with AD Trust
Date: Tue, 22 Mar 2016 15:09:50 -0400

I have used the following successfully in the past:

[shared]
path = /home/shared
valid users = @ad_admins
read only = No
guest ok = Yes

This requires the sssd-libwbclient rpm which may be installed already as a dependency.

-Justin

> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-
> bounces at redhat.com] On Behalf Of Baird, Josh
> Sent: Tuesday, March 22, 2016 2:50 PM
> To: 'freeipa-users at redhat.com'
> Subject: [Freeipa-users] Samba Integration with AD Trust
>
> Hi all,
>
> I'm attempting to integrate Samba 4.2.3 with IPA 4.2 (RHEL7). I have a
> kerberos trust established between IPA and AD. I have followed the
> instructions on the wiki [1], but had some questions and problems specifically
> related to share permissions:
>
> I'm having trouble with shares where I need to grant access to a specific AD
> user/group. I have tried this and other variations with no success:
>
> [shared]
> path = /home/shared
> writable = yes
> browsable = yes
> valid users = testsamba at ad.domain.lan
>
> I have also tried:
>
> valid users = ad\testsamba
> vaild users= @ad\testsamba
> valid users= @testsamba at ad.domain.lan
>
>
> What is the proper way to allow specific AD groups access to the Samba
> share? I also tried nesting an external group in a POSIX group with no
> success. Should I be using something other than 'valid users'?
>
> [1] http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>
> Thanks,
>
> Josh

From jbaird at follett.com Wed Mar 23 13:23:07 2016
From: jbaird at follett.com (Baird, Josh)
Date: Wed, 23 Mar 2016 13:23:07 +0000
Subject: [Freeipa-users] Samba Integration with AD Trust
In-Reply-To:
References:
Message-ID:

Actually - it looks like this is working. I think I had something cached on the Windows client that I was testing from.

Thanks for the help.

> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-
> bounces at redhat.com] On Behalf Of Baird, Josh
> Sent: Wednesday, March 23, 2016 9:11 AM
> To: 'freeipa-users at redhat.com'
> Subject: Re: [Freeipa-users] Samba Integration with AD Trust
>
> Justin,
>
> @ad_admins is an AD group, correct (not a POSIX group), correct? I still
> cannot get this working. Home directory shares are working fine.
>
> (apologies for the broken threading - I don't think I received your message
> for some reason)
>
> Thanks,
>
> Josh
>
>
> > -----Original Message-----
> From: Justin Stephenson
> To: "Baird, Josh" , "'freeipa-users redhat com'"
> Subject: Re: [Freeipa-users] Samba Integration with AD Trust
> Date: Tue, 22 Mar 2016 15:09:50 -0400
> I have used the following successfully in the past:
>
> [shared]
> path = /home/shared
> valid users = @ad_admins
> read only = No
> guest ok = Yes
>
> This requires the sssd-libwbclient rpm which may be installed already as a
> dependency.
>
> -Justin
>
> > -----Original Message-----
> > From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-
> > bounces at redhat.com] On Behalf Of Baird, Josh
> > Sent: Tuesday, March 22, 2016 2:50 PM
> > To: 'freeipa-users at redhat.com'
> > Subject: [Freeipa-users] Samba Integration with AD Trust
> >
> > Hi all,
> >
> > I'm attempting to integrate Samba 4.2.3 with IPA 4.2 (RHEL7). I have
> > a kerberos trust established between IPA and AD. I have followed the
> > instructions on the wiki [1], but had some questions and problems
> > specifically related to share permissions:
> >
> > I'm having trouble with shares where I need to grant access to a
> > specific AD user/group. I have tried this and other variations with no success:
> >
> > [shared]
> > path = /home/shared
> > writable = yes
> > browsable = yes
> > valid users = testsamba at ad.domain.lan
> >
> > I have also tried:
> >
> > valid users = ad\testsamba
> > vaild users= @ad\testsamba
> > valid users= @testsamba at ad.domain.lan
> >
> >
> > What is the proper way to allow specific AD groups access to the Samba
> > share? I also tried nesting an external group in a POSIX group with
> > no success. Should I be using something other than 'valid users'?
> >
> > [1] http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
> >
> > Thanks,
> >
> > Josh

From a.fedora at earsdown.com Wed Mar 23 05:37:43 2016
From: a.fedora at earsdown.com (a.fedora at earsdown.com)
Date: Wed, 23 Mar 2016 16:37:43 +1100
Subject: [Freeipa-users] Certificate profiles and CA ACLs for service principals
In-Reply-To: <20160322224835.GZ18277@dhcp-40-8.bne.redhat.com>
References: <56535c6e3ec310a6639f4616b1a396f5@earsdown.com> <20160322045501.GU18277@dhcp-40-8.bne.redhat.com> <56F1098E.2070403@redhat.com> <20160322095011.GY18277@dhcp-40-8.bne.redhat.com> <20160322224835.GZ18277@dhcp-40-8.bne.redhat.com>
Message-ID: <6305470E-ABD6-4614-8DA5-481E78103A7C@earsdown.com>

Some excellent points, and thank you for being open to having the conversation - I know you don't have to, and it is appreciated.

> Profiles which are allowed for a host principal (representing
> physical or virtual machines) are not necessarily the same profiles
> that should be used for service principals. This is why CA ACLs
> must be executed against the issuee principal.

Certmonger uses the host credential (from the host keytab) to make all requests on behalf of all service principals of a given machine, right? So if that machine is compromised then so too are all keys/certificates issued to that machine. If I think a machine is more likely to become compromised, I'd want to lock down the Certificate Profiles available to that whole machine. Even if I end up using different profiles for different services on the same machine, I'm still forced to trust certmonger to use the right profile for each request. So, even with future sub-CAs (this excites me btw), I'm just not sure I understand the security benefit of evaluating CA ACLs against the subject/issuee of the request, when (as you say) directory ACIs are already doing this.

Let's look at this from another angle. Suppose I obtain a service keytab for my unprivileged web application (say HTTP/myapp01.example.com), which is needed to authenticate web clients via kerberos/gssapi. The app also needs x509 certificates for TLS, which is handled by certmonger. Given the current approach of CA ACLs, it would be possible for my unprivileged web-app (if it were to become compromised) to use its service keytab to request certificates from IPA directly, which is undesirable, but I'd have no way of stopping it.

I'm even more curious about how I'd explain and justify this behaviour to clients. It's confusing, you know?

Cheers

> On 23 Mar 2016, at 09:48, Fraser Tweedale wrote:
>
>> On Tue, Mar 22, 2016 at 10:57:37PM +1100, earsdown wrote:
>> Hi Fraser, Martin and Alexander,
>>
>> Thanks for looking into this! For what it's worth, I think for this
>> particular use case, I'm leaning more towards Alexander when he said:
>>
>>> I don't think you need to group services this way. For managing
>>> services, and this means being able to issue certificates/keytabs for
>>> them, we have hosts. By default a host that a service belongs to is
>>> capable to modify userCertificate attribute of the service already, so I
>>> would expect it to be able to issue certificates with subject principal
>>> corresponding to the service.
>> >>> If CAACL would follow the same logic by allowing hosts that manage >>> services to issue certificates with subject principals corresponding to >>> these services, that should be enough because, after all, these host >>> objects already have write permissions and can upload whatever >>> certificates they like to the service objects. >>> -- >>> / Alexander Bokovoy >> >> Personally, I was very surprised when I discovered that, even though a host >> principal may manage a service principal, it is currently unable to request >> a certificate for that service principal if the service principal doesn't >> have specific access to the certificate profile, even though the host >> principal may have access to the same certificate profile. In my mind the CA >> ACL should be evaluated against the identity of the requestor, not the >> issuee. As long as the requestor is allowed to request on behalf of the >> issuee (achieved via the managedby attribute), then it should work. Now, if >> I used the credentials of the service principal directly (say, with a >> service keytab) to make the request (supposing the service principal wasn't >> listed in the CA ACL), then denying the request would be the expected >> behaviour (imo of course). >> >> Okay, so even though Alexander's suggestion might be more intuitive, >> implementing service groups might be more feasible from a technical >> standpoint, and I'm fairly sure this use case would also be solved by >> implementing service groups. But, it would be painful without automember >> regexp rules, so please don't forget this :D >> >> Cheers! > The CA ACLs solve a different part of the authorisation puzzle for > certificates: what profiles (or, in the future, (sub-)CAs) may be > used to issue certs to a given subject is a different question from > which entities can request certificates on behalf of the subject. 
> Profiles which are allowed for a host principal (representing > physical or virtual machines) are not necessarily the same profiles > that should be used for service principals. This is why CA ACLs > must be executed against the issuee principal. > > It is best to implement service groups then support them in CA ACLs. > > Final note: directory ACIs allow hosts to request certificates for > services they manage. The overall authorisation for cert issuance > depends on *both* the directory ACIs and CA ACLs. > > Cheers, > Fraser > >>> On 2016-03-22 20:50, Fraser Tweedale wrote: >>>> On Tue, Mar 22, 2016 at 09:59:58AM +0100, Martin Kosek wrote: >>>>> On 03/22/2016 05:55 AM, Fraser Tweedale wrote: >>>>> On Fri, Mar 18, 2016 at 08:12:44PM +1100, earsdown wrote: >>>> ... >>>>> To my fellow FreeIPA developers: are service groups a sensible RFE? >>>>> Is there a reason why they have not been implemented? >>>> >>>> It *is* sensible RFE and it was actually already filed! >>>> >>>> https://fedorahosted.org/freeipa/ticket/5277 >>>> >>>> Please feel free to add yourself to CC to receive updates or even help >>>> us with >>>> implementation. >>>> >>>> Thanks, >>>> Martin >>> Good to know... I've added myself to Cc and also filed an RFE for >>> enhancing CA ACLs with service groups once #5277 is implemented: >>> https://fedorahosted.org/freeipa/ticket/5753 >>> >>> Cheers, >>> Fraser >> >> -- >> Manage your subscription for the Freeipa-users mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-users >> Go to http://freeipa.org for more info on the project -------------- next part -------------- An HTML attachment was scrubbed... 
From samuel.joseph.james at gmail.com Wed Mar 23 14:50:13 2016
From: samuel.joseph.james at gmail.com (Sam James)
Date: Wed, 23 Mar 2016 14:50:13 +0000
Subject: [Freeipa-users] PKI Authentication Issues
Message-ID:

Hello everyone,

I've been banging my head against the wall for a few days now trying to resolve an issue with PKI and I'm hoping I might get some help. First some context.

About a week ago I was alerted that all of our replicas were offline due to pki-tomcatd not starting. Further investigation determined that all of the pki certs had expired two days earlier. I turned back time and successfully updated the certs and certmonger updated the rest of the replicas.

Now I'm seeing the following symptoms:
1. Searching certificates via the web UI will display certificate info.
2. Attempting to view certificate details results in an "IPA Error 4301: CertificateOperationError" the exception being "Invalid Credential.".
3. Issuing the ipa cert-show command results in the same "Invalid Credential." exception.
4. PKI debug log shows: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=IPA RA,O=DOMAIN.COM] authentication failure
5. PKI system log shows: Cannot authenticate agent with certificate Serial 0x123456789 Subject DN CN=IPA RA,O=DOMAIN.COM. Error: User not found.

In trolling this list I've done the following things troubleshooting:

1. Ensured the certs being monitored by certmonger are correct.
2. Ensured the certs in the http and pki-tomcat NSS databases are as expected.
3. Ensured the uid=ipara,ou=people,o=ipaca object has the correct description and cert (it had the wrong serialnumber in the description but I've updated that).
4. Ensured the CS.cfg has the correct certs (it did).

Any suggestions or assistance would be appreciated.

Thanks!
Sam
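The check this thread turns on, as an added example that is not part of any poster's message: it converts the hex serial from the PKI system log line to decimal and compares it, together with the issuer and subject DNs, against the `description` value of `uid=ipara,ou=people,o=ipaca`. Assumptions: the `2;<decimal serial>;<issuer DN>;<subject DN>` layout is taken from the entry posted later in this thread, the function names are made up for the example, and the sample strings are constructed from values quoted in the thread.

```python
import re

# Constructed sample: the PKI system log line and issuer DN quoted in this thread.
LOG_LINE = ("Cannot authenticate agent with certificate Serial 0x123456789 "
            "Subject DN CN=IPA RA,O=DOMAIN.COM. Error: User not found.")
ISSUER_DN = "CN=Certificate Authority,O=DOMAIN.COM"

_LOG_RE = re.compile(r"certificate Serial (0x[0-9A-Fa-f]+) Subject DN (.+?)\. Error:")


def parse_log_line(line):
    """Return (serial as int, subject DN) from a 'Cannot authenticate agent' line."""
    m = _LOG_RE.search(line)
    if m is None:
        raise ValueError("not a 'Cannot authenticate agent' log line")
    return int(m.group(1), 16), m.group(2)


def expected_description(serial, issuer_dn, subject_dn):
    """Build the value in the layout of the posted entry (assumed layout, see lead-in)."""
    return "2;%d;%s;%s" % (serial, issuer_dn, subject_dn)


def _squash(dn):
    # Drop whitespace around DN separators so "CN=a, O=b" and "CN=a,O=b" compare equal.
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip())


def _serial_hint(got, serial):
    # Explain why a stored serial field is not the plain decimal string we expect.
    text = got.strip().lower()
    try:
        value = int(text, 16) if text.startswith("0x") else int(text, 10)
    except ValueError:
        return "not a number"
    if value != serial:
        return "serial of a different certificate"
    if text.startswith("0x"):
        return "right certificate, but written in hex; the posted entry uses decimal"
    return "same number, but not the plain decimal string"


def check_description(stored, serial, issuer_dn, subject_dn):
    """Compare a stored description with the certificate named in the log.

    Returns a list of (field, stored value, expected value, hint); an empty
    list means the stored string is exactly what the certificate would give.
    """
    parts = stored.split(";", 3)
    if len(parts) != 4:
        return [("description", stored,
                 expected_description(serial, issuer_dn, subject_dn),
                 "expected four ';'-separated fields")]
    expected = ("2", str(serial), issuer_dn, subject_dn)
    problems = []
    for field, got, want in zip(("version", "serial", "issuer", "subject"),
                                parts, expected):
        if got == want:
            continue
        if field == "serial":
            hint = _serial_hint(got, serial)
        elif _squash(got) == _squash(want):
            hint = "differs only in whitespace"
        else:
            hint = "different value"
        problems.append((field, got, want, hint))
    return problems


if __name__ == "__main__":
    serial, subject = parse_log_line(LOG_LINE)
    print("expected:", expected_description(serial, ISSUER_DN, subject))
    # Constructed stored values: a stale serial, then the string as it
    # appears once mail line-wrapping has left spaces in it.
    for stored in ("2;7;%s;%s" % (ISSUER_DN, subject),
                   "2;4886718345;%s; CN=IPA RA, O=DOMAIN.COM" % ISSUER_DN):
        for problem in check_description(stored, serial, ISSUER_DN, subject):
            print(problem)
```

The stored value would come from an `ldapsearch` on the ipara entry; the whitespace hint matters because a value copied out of folded LDIF or a wrapped e-mail can pick up spaces that are not in the directory.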
URL: From pvoborni at redhat.com Wed Mar 23 16:31:20 2016 From: pvoborni at redhat.com (Petr Vobornik) Date: Wed, 23 Mar 2016 17:31:20 +0100 Subject: [Freeipa-users] PKI Authentication Issues In-Reply-To: References: Message-ID: <56F2C4D8.5080000@redhat.com> On 03/23/2016 03:50 PM, Sam James wrote: > Hello everyone, > > I've been banging my head against the wall for a few days now trying to resolve > an issue with PKI and I'm hoping I might get some help. First some context. > > About a week ago I was alerted that all of our replicas were offline due to > pki-tomcatd not starting. Futher investigation determined that all of the pki > certs had expired two days earlier. I turned back time and successfully updated > the certs and certmonger updated the rest of the replicas. > > Now I'm seeing the following symptoms: > 1. Searching certificates via the web UI will display certificate info. > 2. Attemping to view certificate details results in an "IPA Error 4301: > CertificateOperationError" the exception being "Invalid Credential.". > 3. Issuing the ipa cert-show command results in the same "Invalid Credential." > exception. > 4. PKI debug log shows: SignedAuditEventFactory: create() > message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=IPA > RA,O=DOMAIN.COM ] authentication failure > 5. PKI system log shows: Cannot authenticate agent with certificate Serial > 0x123456789 Subject DN CN=IPA RA,O=DOMAIN.COM . Error: User > not found. PKI has some build-in accounts which uses certificates for authentication. It matches a user by a certificate. The error above means that it cannot find any user for cert with serial no 0x123456789 So the possible cause is the user you checked (uid=ipara,ou=people,o=ipaca) has still old cert. I.e. you've updated description, but is the cert correct? > > In trolling this list I've done the following things troubleshooting: > > 1. 
Ensured the certs being monitored by certmonger are correct.
> 2. Ensured the certs in the http and pki-tomcat NSS databases are as expected.
> 3. Ensured the uid=ipara,ou=people,o=ipaca object has the correct description
> and cert (it had the wrong serialnumber in the description but I've updated that).
> 4. Ensured the CS.cfg has the correct certs (it did).
>
> Any suggestions or assistance would be appreciated.
>
> Thanks!
> Sam
>
--
Petr Vobornik

From ghyde at chem.byu.edu Wed Mar 23 16:52:12 2016
From: ghyde at chem.byu.edu (Garrett Hyde)
Date: Wed, 23 Mar 2016 10:52:12 -0600
Subject: [Freeipa-users] Can't Search For Users
Message-ID:

I'm currently running ipa-server version 4.2.0, release 15.el7_2.6 on a RHEL 7.2 server. When a user **not** in the "admins" group tries searching for a user, they receive "No entries." In the WebUI, this happens on the "Active users" page or when trying to add a user to a group, role, etc. It also happens when a user uses the CLI (e.g., `ipa user-find ...`).

I've tried adding a user to all of the available roles listed under "Role Based Access Control", but they still can't search for users. Currently, only users in the "admins" group can search for users.

Is there a permission or privilege I'm missing? How can I grant users the ability to search for other users?

--
Garrett Hyde

From michael.rainey.ctr at nrlssc.navy.mil Wed Mar 23 17:25:50 2016
From: michael.rainey.ctr at nrlssc.navy.mil (Michael Rainey (Contractor))
Date: Wed, 23 Mar 2016 12:25:50 -0500
Subject: [Freeipa-users] Lock screen when Smart Card is removed.
In-Reply-To: <20160322122515.GA8004@p.redhat.com>
References: <_1ZpdFsXKWmdSYRSYk8Xc0Aor5jcUaVJofpJ1Wy9L8SxyPeFTZrMhA@cipher.nrlssc.navy.mil> <20160311083222.GF3059@p.redhat.com> <20160322122515.GA8004@p.redhat.com>
Message-ID: <-YIZNLHHf8ydVU_RF0f2cn1BBvA73J1jc1HheNmGkRJC_cDS7NeFbw@cipher.nrlssc.navy.mil>

Hi Sumit,

I've been trying to download the rpm via the Koji client and have been unable to locate the package. Are there any extra steps I need to complete before I can find the package, such as creating an account in the Fedora Build System? Performing a general search for SSSD only returns a list of packages from Fedora Projects and nothing from the EL repo.

Thanks,

*Michael Rainey*
NRL 7320
Computer Support Group
Building 1009, Room C156
Stennis Space Center, MS 39529

On 03/22/2016 07:25 AM, Sumit Bose wrote:
> On Fri, Mar 18, 2016 at 10:53:08AM -0500, Michael Rainey (Contractor) wrote:
>> Hi Sumit,
>>
>> It has been a week and I am following up with you on the lock screen issue.
>> Have you had any progress? If so, I am hoping implementing the fix will be
>> quick and easy.
> Thank you for your patience. Please find a test build for RHEL/CentOS
> 7.2 at https://koji.fedoraproject.org/koji/taskinfo?taskID=13412048 .
>
> Besides the updated version of SSSD you should replace
> /etc/pam.d/smartcard-auth with
>
> ======== /etc/pam.d/smartcard-auth =========
> auth required pam_env.so
> auth sufficient pam_sss.so allow_missing_name
> auth required pam_deny.so
>
> account required pam_unix.so
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 1000 quiet
> account [default=bad success=ok user_unknown=ignore] pam_sss.so
> account required pam_permit.so
>
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> -session optional pam_systemd.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session optional pam_sss.so
> ===========================================
>
> and /etc/dconf/db/distro.d/10-authconfig
>
> ===== /etc/dconf/db/distro.d/10-authconfig =====
> [org/gnome/login-screen]
> enable-fingerprint-authentication=false
>
> [org/gnome/settings-daemon/peripherals/smartcard]
> removal-action='lock-screen'
> ===============================================
>
> and /etc/dconf/db/distro.d/locks/10-authconfig-locks
>
> ====== /etc/dconf/db/distro.d/locks/10-authconfig-locks ===
> /org/gnome/login-screen/enable-fingerprint-authentication
> /org/gnome/settings-daemon/peripherals/smartcard
> ===========================================================
>
> and call 'dconf update' to get the new setting loaded. Finally it might
> be a good idea to restart gdm to make sure the new setting and PAM
> configuration is really active although I would expect that gdm is able
> to pick up the changes at run-time.
>
> Any feedback, good or bad, is welcome.
>
> bye,
> Sumit
>
>> Thanks,
>>
>> *Michael Rainey*
>>
>> On 03/11/2016 02:32 AM, Sumit Bose wrote:
>>> On Thu, Mar 10, 2016 at 01:36:15PM -0600, Michael Rainey (Contractor) wrote:
>>>> Greetings,
>>>>
>>>> I have been adding systems to my new domain and utilizing the smart card
>>>> login feature.
To date the smart card login feature is working very well. >>>> However, my group has been trying to implement locking the screen when the >>>> smart card is removed, but have not been successful at making it work. Does >>>> anyone have any suggestions as to what it would take to enable locking the >>>> screen when the smart card is removed. >>> This requires a better integration with gdm which is currently WIP >>> (https://fedorahosted.org/sssd/ticket/2941). If you don't mind please >>> ping me in about a week about this again, then I might have done some >>> more testing. >>> >>> bye, >>> Sumit >>> >>>> Thank you in advance. >>>> -- >>>> *Michael Rainey* >>>> -- >>>> Manage your subscription for the Freeipa-users mailing list: >>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>> Go to http://freeipa.org for more info on the project >> -- >> Manage your subscription for the Freeipa-users mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-users >> Go to http://freeipa.org for more info on the project -------------- next part -------------- An HTML attachment was scrubbed... URL: From samuel.joseph.james at gmail.com Wed Mar 23 18:00:15 2016 From: samuel.joseph.james at gmail.com (Sam James) Date: Wed, 23 Mar 2016 18:00:15 +0000 Subject: [Freeipa-users] PKI Authentication Issues In-Reply-To: <56F2C4D8.5080000@redhat.com> References: <56F2C4D8.5080000@redhat.com> Message-ID: Yes the cert is correct. The userCertificate field matches the output of "certutil -L -d /etc/httpd/alias/ -n ipaCert -a" with the header and footer removed, and the serial number matches as well albeit in decimal instead of hex. 
# ipara, people, ipaca dn: uid=ipara,ou=people,o=ipaca description: 2;4886718345;CN=Certificate Authority,O=DOMAIN.COM; CN=IPA RA, O=DOMAIN.COM userCertificate:: userstate: 1 uid: ipara sn: ipara usertype: agentType objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: cmsuser cn: ipara On Wed, Mar 23, 2016 at 4:31 PM, Petr Vobornik wrote: > On 03/23/2016 03:50 PM, Sam James wrote: > >> Hello everyone, >> >> I've been banging my head against the wall for a few days now trying to >> resolve >> an issue with PKI and I'm hoping I might get some help. First some >> context. >> >> About a week ago I was alerted that all of our replicas were offline due >> to >> pki-tomcatd not starting. Futher investigation determined that all of >> the pki >> certs had expired two days earlier. I turned back time and successfully >> updated >> the certs and certmonger updated the rest of the replicas. >> >> Now I'm seeing the following symptoms: >> 1. Searching certificates via the web UI will display certificate info. >> 2. Attemping to view certificate details results in an "IPA Error 4301: >> CertificateOperationError" the exception being "Invalid Credential.". >> 3. Issuing the ipa cert-show command results in the same "Invalid >> Credential." >> exception. >> 4. PKI debug log shows: SignedAuditEventFactory: create() >> >> message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=IPA >> RA,O=DOMAIN.COM ] authentication failure >> 5. PKI system log shows: Cannot authenticate agent with certificate >> Serial >> 0x123456789 Subject DN CN=IPA RA,O=DOMAIN.COM . >> Error: User >> not found. >> > > PKI has some build-in accounts which uses certificates for authentication. > It matches a user by a certificate. 
The error above means that it cannot > find any user for cert with serial no 0x123456789 > > So the possible cause is the user you checked > (uid=ipara,ou=people,o=ipaca) has still old cert. I.e. you've updated > description, but is the cert correct? > > > >> In trolling this list I've done the following things troubleshooting: >> >> 1. Ensured the certs being monitored by certmonger are correct. >> 2. Ensured the certs in the http and pki-tomcat NSS databases are as >> expected. >> 3. Ensured the uid=ipara,ou=people,o=ipaca object has the correct >> description >> and cert (it had the wrong serialnumber in the description but i've >> updated that). >> 4. Ensured the CS.cfg has the correct certs (it did). >> >> Any suggestions or assistance would be apprecitated. >> >> Thanks! >> Sam >> >> -- > Petr Vobornik > -------------- next part -------------- An HTML attachment was scrubbed... URL: From Daryl.Fonseca-Holt at umanitoba.ca Wed Mar 23 21:23:52 2016 From: Daryl.Fonseca-Holt at umanitoba.ca (Daryl Fonseca-Holt) Date: Wed, 23 Mar 2016 16:23:52 -0500 (CDT) Subject: [Freeipa-users] ipa-replica-install IPA startup timing issue In-Reply-To: <56F2AFF5.5020007@umanitoba.ca> References: <56E1F0E4.9080605@umanitoba.ca> <56E28490.6030406@redhat.com> <56E6C57D.3010203@umanitoba.ca> <56E6C8CA.6020800@redhat.com> <56E714FB.10603@umanitoba.ca> <56E97AC0.7060106@redhat.com> <56F26473.3090705@redhat.com> <56F2AFF5.5020007@umanitoba.ca> Message-ID: Forgot to CC the ML. Sorry. -- Daryl Fonseca-Holt IST/CNS/Unix Server Team University of Manitoba 204.480.1079 On Wed, 23 Mar 2016, Daryl Fonseca-Holt wrote: > Hi Thierry, > > I have not filed a support request with RedHat for two reasons. First, it > seems that the NIS priming may not be a problem in the post 4.2.0 release. > Second, I am able to work around the problem by modifying the code where it > uses the number of krb5kdc daemons to start thus alleviating the crush of 64 > daemons starting. 
As suggested by Alexander I'm patching > ipaserver/install/krbinstance.py. > > # diff -c ipaserver/install/krbinstance.py.df > ipaserver/install/krbinstance.py > *** ipaserver/install/krbinstance.py.df 2015-06-18 07:54:49.000000000 > -0500 > --- ipaserver/install/krbinstance.py 2016-03-22 13:37:16.056210609 -0500 > *************** > *** 355,360 **** > --- 355,362 ---- > > MIN_KRB5KDC_WITH_WORKERS = "1.9" > cpus = os.sysconf('SC_NPROCESSORS_ONLN') > + #XXX > + cpus = 1 > workers = False > (stdout, stderr, rc) = ipautil.run(['klist', '-V'], > raiseonerr=False) > if rc == 0: > > > With this patch the constant in /etc/sysconfig/krb5kdc is lower. After the > ipa-replica-install completes I will increase this manually to the original > value. > > This has allowed the building phase of the project to continue. > > Thanks, Daryl > > On 03/23/16 04:40, thierry bordaz wrote: >> Hi Daryl, >> >> Me again... :-) >> As a follow up of this issue I would like to know if you already open a >> case to RH support ? >> >> Also, have you identified a workaround to make ipa-replica-install >> successful or are you still suffering from this issue ? >> >> best regards >> thierry >> >> On 03/16/2016 04:24 PM, thierry bordaz wrote: >>> Hello Daryl, >>> >>> I can reproduce locally the slow DS startup (due to slapi-nis >>> priming). In fact the version I was using had not the slapi-nis >>> fix to differ the priming. >>> >>> I failed to reproduce the intensive load on DS when krb5kdc startup. >>> Looking at yours logs, we can see that krb5kdc startup triggers a >>> set of requests during 3s up to 8s. 
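Review bot: In the ipaserver/install/krbinstance.py hunk above, the added `cpus = 1` directly below `cpus = os.sysconf('SC_NPROCESSORS_ONLN')` throws the detected value away on every host, and the `#XXX` marker does not say why the override is there or that it is meant to be temporary. If this is to live beyond a one-off local workaround, cap the detected value instead of replacing it, or take the override from an installer option, and replace `#XXX` with a comment naming the startup-load problem it works around; as written, the worker count in /etc/sysconfig/krb5kdc has to be raised by hand after each install.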
The logs are looking like >>> (note the etime can go up to 2s): >>> >>> [10/Mar/2016:14:20:35 -0600] conn=40 fd=87 slot=87 connection >>> from local to /var/run/slapd-UOFMT1.socket >>> [10/Mar/2016:14:20:36 -0600] conn=40 AUTOBIND dn="cn=Directory >>> Manager" >>> [10/Mar/2016:14:20:36 -0600] conn=40 op=0 BIND dn="cn=Directory >>> Manager" method=sasl version=3 mech=EXTERNAL >>> [10/Mar/2016:14:20:36 -0600] conn=40 op=0 RESULT err=0 tag=97 >>> nentries=0 *etime=1* dn="cn=Directory Manager" >>> [10/Mar/2016:14:20:36 -0600] conn=40 op=1 SRCH >>> base="cn=UOFMT1,cn=kerberos,dc=uofmt1" scope=0 >>> filter="(objectClass=*)" attrs=ALL >>> [10/Mar/2016:14:20:36 -0600] conn=40 op=1 RESULT err=0 tag=101 >>> nentries=1 etime=0 >>> [10/Mar/2016:14:20:36 -0600] conn=40 op=2 SRCH >>> base="cn=ipaConfig,cn=etc,dc=uofmt1" scope=0 >>> filter="(objectClass=*)" attrs="ipaConfigString ipaKrbAuthzData >>> ipaUserAuthType" >>> [10/Mar/2016:14:20:36 -0600] conn=40 op=2 RESULT err=0 tag=101 >>> nentries=1 etime=0 >>> [10/Mar/2016:14:20:36 -0600] conn=40 op=3 SRCH base="dc=uofmt1" >>> scope=2 filter="(objectClass=ipaNTDomainAttrs)" >>> attrs="ipaNTFlatName ipaNTFallbackPrimaryGroup >>> ipaNTSecurityIdentifier" >>> [10/Mar/2016:14:20:37 -0600] conn=40 op=3 RESULT err=0 tag=101 >>> nentries=0 *etime=1* >>> [10/Mar/2016:14:20:37 -0600] conn=40 op=4 SRCH >>> base="cn=UOFMT1,cn=kerberos,dc=uofmt1" scope=0 >>> filter="(krbMKey=*)" attrs="krbMKey" >>> [10/Mar/2016:14:20:37 -0600] conn=40 op=4 RESULT err=0 tag=101 >>> nentries=1 etime=0 >>> [10/Mar/2016:14:20:37 -0600] conn=40 op=5 SRCH base="dc=uofmt1" >>> scope=2 >>> filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=K/M at UOFMT1))" >>> attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias >>> krbUPEnabled krbPrincipalKey krbTicketPolicyReference >>> krbPrincipalExpiration krbPasswordExpiration >>> krbPwdPolicyReference krbPrincipalType krbPwdHistory >>> krbLastPwdChange krbPrincipalAliases 
krbLastSuccessfulAuth >>> krbLastFailedAuth krbLoginFailedCount krbExtraData >>> krbLastAdminUnlock krbObjectReferences krbTicketFlags >>> krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory >>> ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass" >>> [10/Mar/2016:14:20:38 -0600] conn=40 op=5 RESULT err=0 tag=101 >>> nentries=1 *etime=1* >>> [10/Mar/2016:14:20:39 -0600] conn=40 op=6 UNBIND >>> [10/Mar/2016:14:20:39 -0600] conn=40 op=6 fd=87 closed - U1 >>> >>> >>> I think the request op=3 (SRCH base="dc=uofmt1" scope=2 >>> filter="(objectClass=ipaNTDomainAttrs)") is slow also because of >>> slapi-nis. In fact it is indexed and returns 0 entry. So only >>> plugins can create this high etime. >>> An improvement in slapi-nis makes its search callback noop when >>> it comes from krb and I am running this improvement. >>> >>> In conclusion I think both slow DS startup and KRB5 startup are >>> fixed in RHEL 7. >>> >>> thanks >>> theirry >>> >>> >>> On 03/14/2016 08:46 PM, Daryl Fonseca-Holt wrote: >>>> Hello Thierry, >>>> >>>> Attached is the pstacks from only the final DS restart. I don't think >>>> they will show the whole picture. >>>> >>>> According to the debug log /var/log/ipareplica-install.log (attached) the >>>> start of the krb5kdc.service (19:13:16Z) is successful, but the krb5kdc >>>> log (attach) shows it is unable to fetch the master K/M at 14:31:31CDT >>>> (-5hour offset). This is when the install log shows kadmind failing. >>>> >>>> In my experience with the master observing top there are two intense >>>> times for ns-slapd-. The first when it start, of course, and >>>> the second when krb5kdc starts. I assume this is because krb5kdc must get >>>> it's configuration and data from the same DS. krb5kdc fails but the >>>> ipareplica-install script isn't aware of it. Finally kadmin.service tries >>>> to access krb5kdc and finds that it is dead. 
>>>> >>>> Please note these logs are with Schema Compatability and NIS plugins >>>> turned off per the other e-mail from Alexander. >>>> >>>> I've noticed on a running master I can prevent this type of failure by >>>> manually starting dirsrv (systemctl start dirsrv@.service), >>>> watch top until all threads of ns-slapd have settled, then systemctl >>>> start krb5kdc.service, again watching top until ns-slapd threads have >>>> settled down before systemctl start kadmin.service. This kind of manual >>>> intervention is is not possible when running the ipareplica-install >>>> script. >>>> >>>> I will look into introducing a delay at the completion of the dirsrv and >>>> krb5kdc systemd units and see if I can accommodate ipareplica-install. >>>> Just as an experiment for now. I need to advance the project into High >>>> Availability testing but cannot do so without a functioning replica. >>>> >>>> Regards, Daryl >>>> >>>> On 03/14/16 09:20, thierry bordaz wrote: >>>>> Hi Daryl, >>>>> >>>>> Thanks for all the data. I will look at the pstacks. A first look shows >>>>> that you capture import, bind... so may be a complete >>>>> ipa-replica-install session. >>>>> I will try to retrieve the specific startup time to see what was going >>>>> on at that time. >>>>> If you have the time to monitor only startup, it will help me shrinking >>>>> the set of pstacks. >>>>> Startup of DS last > 1min. If you may start DS and as soon as the >>>>> ns-slapd process is launched, do regular pstacks. Then when you are able >>>>> to send a simple ldapsearch (ldapsearch -x -b "" -s base), you may stop >>>>> taking pstacks. >>>>> >>>>> thanks >>>>> thierry >>>>> >>>>> On 03/14/2016 03:06 PM, Daryl Fonseca-Holt wrote: >>>>>> Hi Thierry, >>>>>> >>>>>> I moved the old logs into a subdirectory called try1. I did the >>>>>> recommended ipa-server-install --uninstall. Tried the replica install >>>>>> again. Failed during kadmind start like the previous time. 
>>>>>> >>>>>> The log from ipa-replica-install (with -d) is at >>>>>> http://home.cc.umanitoba.ca/~fonsecah/ipa/ipareplica-install.log >>>>>> The console script (mostly the same as the log but with my entries) is >>>>>> at >>>>>> http://home.cc.umanitoba.ca/~fonsecah/ipa/ipa-replica-install.console >>>>>> The 5 second pstacks are at >>>>>> http://home.cc.umanitoba.ca/~fonsecah/ipa/slapd-pstacks.console >>>>>> >>>>>> Thanks, Daryl >>>>>> >>>>>> >>>>>> On 03/11/16 02:40, thierry bordaz wrote: >>>>>>> Hello Deryl, >>>>>>> >>>>>>> My understanding is that ns-slapd is first slow to startup. >>>>>>> Then when krb5kdc is starting it may load ns-slapd. >>>>>>> >>>>>>> We identified krb5kdc may be impacted by the number of users >>>>>>> accounts. >>>>>>> From the ns-slapd errors log it is not clear why it is so >>>>>>> slow to start. >>>>>>> >>>>>>> Would you provide the ns-slapd access logs from that period. >>>>>>> Also in order to know where ns-slapd is spending time, it >>>>>>> would really help if you can get regular (each 5s) pstacks >>>>>>> (with 389-ds-debuginfo), during DS startup and then later >>>>>>> during krb5kdc startup. >>>>>>> >>>>>>> best regards >>>>>>> thierry >>>>>>> >>>>>>> >>>>>>> On 03/10/2016 11:10 PM, Daryl Fonseca-Holt wrote: >>>>>>>> Environment: >>>>>>>> RHEL 7.2 >>>>>>>> IPA 4.2.0-15 >>>>>>>> nss 3.19.1-19 >>>>>>>> 389-ds-base 1.3.4.0-26 >>>>>>>> sssd 1.13.0-40 >>>>>>>> >>>>>>>> >>>>>>>> I've encountered this problem in IPA 3.0.0 but hoped it was addressed >>>>>>>> in 4.2.0. >>>>>>>> >>>>>>>> Trying to set up a replica of a master with 150,000+ user accounts, >>>>>>>> NIS and Schema Compatability enabled on the master. >>>>>>>> >>>>>>>> During ipa-replica-install it attempts to start IPA. dirsrv starts, >>>>>>>> krb5kdc starts, but then kadmind fails because krb5kdc has gone >>>>>>>> missing. >>>>>>>> >>>>>>>> This happens during restart of IPA in version 3.0.0 too. 
There it can >>>>>>>> be overcome by manually starting each component of IPA _but_ waiting >>>>>>>> until ns-slapd- has settled down (as seen from top) before >>>>>>>> starting krb5kdc. I also think that the startup of krb5kdc loads the >>>>>>>> LDAP instance quite a bit. >>>>>>>> >>>>>>>> There is a problem in the startup logic where dirsrv is so busy that >>>>>>>> even though krb5kdc successfully starts and allows the kadmin to >>>>>>>> begin kdb5kdc is not really able to do its duties. >>>>>>>> >>>>>>>> I'm reporting this since there must be some way to delay the start of >>>>>>>> krb5kdc and then kadmind until ns-slapd- is really open for >>>>>>>> business. >>>>>>>> >>>>>>>> # systemctl status krb5kdc.service >>>>>>>> ? krb5kdc.service - Kerberos 5 KDC >>>>>>>> Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; >>>>>>>> vendor preset: disabled) >>>>>>>> Active: inactive (dead) >>>>>>>> >>>>>>>> Mar 10 14:19:13 jutta.cc.umanitoba.ca systemd[1]: Stopped Kerberos 5 >>>>>>>> KDC. >>>>>>>> Mar 10 14:20:36 jutta.cc.umanitoba.ca systemd[1]: Starting Kerberos 5 >>>>>>>> KDC... >>>>>>>> Mar 10 14:20:39 jutta.cc.umanitoba.ca systemd[1]: Started Kerberos 5 >>>>>>>> KDC. >>>>>>>> >>>>>>>> # systemctl status krb5kdc.service >>>>>>>> ? krb5kdc.service - Kerberos 5 KDC >>>>>>>> Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; >>>>>>>> vendor preset: disabled) >>>>>>>> Active: inactive (dead) >>>>>>>> >>>>>>>> Mar 10 14:19:13 jutta.cc.umanitoba.ca systemd[1]: Stopped Kerberos 5 >>>>>>>> KDC. >>>>>>>> Mar 10 14:20:36 jutta.cc.umanitoba.ca systemd[1]: Starting Kerberos 5 >>>>>>>> KDC... >>>>>>>> Mar 10 14:20:39 jutta.cc.umanitoba.ca systemd[1]: Started Kerberos 5 >>>>>>>> KDC. >>>>>>>> >>>>>>>> journalctl -xe was stale by the time I got to it so I've attached >>>>>>>> /var/log/messages instead. 
>>>>>>>>
>>>>>>>> The log from ipa-replica-install (with -d) is at
>>>>>>>> http://home.cc.umanitoba.ca/~fonsecah/ipa/ipareplica-install.log
>>>>>>>> The console script (mostly the same as the log but with my entries)
>>>>>>>> is at
>>>>>>>> http://home.cc.umanitoba.ca/~fonsecah/ipa/ipa-replica-install.console
>>>>>>>> The /var/log/dirsrv/ns-slapd- access log is at
>>>>>>>> http://home.cc.umanitoba.ca/~fonsecah/ipa/access
>>>>>>>>
>>>>>>>> Regards, Daryl
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>> --
>>>>>> --
>>>>>> Daryl Fonseca-Holt
>>>>>> IST/CNS/Unix Server Team
>>>>>> University of Manitoba
>>>>>> 204.480.1079
>>>>>
>>>>
>>>> --
>>>> --
>>>> Daryl Fonseca-Holt
>>>> IST/CNS/Unix Server Team
>>>> University of Manitoba
>>>> 204.480.1079
>>>
>>>
>>>
>>
>
> --
> --
> Daryl Fonseca-Holt
> IST/CNS/Unix Server Team
> University of Manitoba
> 204.480.1079
>
>

From brad.bendy at gmail.com Wed Mar 23 21:41:52 2016
From: brad.bendy at gmail.com (Brad Bendy)
Date: Wed, 23 Mar 2016 14:41:52 -0700
Subject: [Freeipa-users] sudo with OTP
In-Reply-To: <20160323070901.GC2241@mail.corp.redhat.com>
References: <20160314144954.GY3059@p.redhat.com> <20160323070901.GC2241@mail.corp.redhat.com>
Message-ID:

I will upgrade a few machines and test this out, I just got done
making a script for RADIUS to handle OTP, I didn't see this e-mail
till now!

If Password + RADIUS are turned on for the user it looks like it's
still doing the first factor prompt, if I don't enable the password
option then a LDAP (have not tested Kerberos yet) lookup will fail,
haven't dug in to see if the account is disabled or what is causing
that. Does that sound correct though? My idea was to have FreeIPA
proxy to RADIUS and let RADIUS do the LDAP/Kerberos+OTP and then auth
that way, I take it that's not going to work?

Thanks

On Wed, Mar 23, 2016 at 12:09 AM, Lukas Slebodnik wrote:
> On (22/03/16 10:06), Brad Bendy wrote:
>>I'm having some issues applying these patches with dependencies. But on
>>a side note, this needs to be applied to the client machines as well
>>the IPA server itself, correct?
>>
> I pushed related sudo patches to fedora yesterday.
> They are in updates-testing ATM.
>
> If you want to test packages on el6 or el7
> Then backported version of fedora packages are available in
> our sssd group copr repo.
> https://copr.fedorainfracloud.org/coprs/g/sssd/sssd-1-13/
>
> Please report any bugs here or to sssd-users.
>
> LS

From brad.bendy at gmail.com Wed Mar 23 21:55:21 2016
From: brad.bendy at gmail.com (Brad Bendy)
Date: Wed, 23 Mar 2016 14:55:21 -0700
Subject: [Freeipa-users] sudo with OTP
In-Reply-To:
References: <20160314144954.GY3059@p.redhat.com> <20160323070901.GC2241@mail.corp.redhat.com>
Message-ID:

Ignore what I said earlier :)

The issue is when I run sudo the lookup appears to still be wanting
OTP (even though RADIUS is the only box checked for that user), no
matter what I enter it won't go past that first prompt, the request
never makes it over to my RADIUS server at all. Standard logins work
just fine but soon as you try to sudo it wants the "first factor" but
request never makes it to the RADIUS server. I'm going to play around
with some settings, but am I missing something or is there no way to
forward the sudo request to the same RADIUS server as well?

Thanks

On Wed, Mar 23, 2016 at 2:41 PM, Brad Bendy wrote:
> I will upgrade a few machines and test this out, I just got done
> making a script for RADIUS to handle OTP, I didn't see this e-mail
> till now!
>
> If Password + RADIUS are turned on for the user it looks like it's
> still doing the first factor prompt, if I don't enable the password
> option then a LDAP (have not tested Kerberos yet) lookup will fail,
> haven't dug in to see if the account is disabled or what is causing
> that. Does that sound correct though? My idea was to have FreeIPA
> proxy to RADIUS and let RADIUS do the LDAP/Kerberos+OTP and then auth
> that way, I take it that's not going to work?
>
> Thanks
>
>
> On Wed, Mar 23, 2016 at 12:09 AM, Lukas Slebodnik wrote:
>> On (22/03/16 10:06), Brad Bendy wrote:
>>>I'm having some issues applying these patches with dependencies. But on
>>>a side note, this needs to be applied to the client machines as well
>>>the IPA server itself, correct?
>>>
>> I pushed related sudo patches to fedora yesterday.
>> They are in updates-testing ATM.
>>
>> If you want to test packages on el6 or el7
>> Then backported version of fedora packages are available in
>> our sssd group copr repo.
>> https://copr.fedorainfracloud.org/coprs/g/sssd/sssd-1-13/
>>
>> Please report any bugs here or to sssd-users.
>>
>> LS

From brad.bendy at gmail.com Wed Mar 23 22:20:07 2016
From: brad.bendy at gmail.com (Brad Bendy)
Date: Wed, 23 Mar 2016 15:20:07 -0700
Subject: [Freeipa-users] sudo with OTP
In-Reply-To:
References: <20160314144954.GY3059@p.redhat.com> <20160323070901.GC2241@mail.corp.redhat.com>
Message-ID:

Just updated to the testing on F23 and sudo does work, but it prompts
for a single password and the single user password works, OTP is not
needed or prompted. I still need OTP when I login as my user just not
on sudo, is that the correct behavior and if so can that be changed to
always require OTP?

Thanks

On Wed, Mar 23, 2016 at 2:55 PM, Brad Bendy wrote:
> Ignore what I said earlier :)
>
> The issue is when I run sudo the lookup appears to still be wanting
> OTP (even though RADIUS is the only box checked for that user), no
> matter what I enter it won't go past that first prompt, the request
> never makes it over to my RADIUS server at all. Standard logins work
> just fine but soon as you try to sudo it wants the "first factor" but
> request never makes it to the RADIUS server. I'm going to play around
> with some settings, but am I missing something or is there no way to
> forward the sudo request to the same RADIUS server as well?
>
> Thanks
>
>
> On Wed, Mar 23, 2016 at 2:41 PM, Brad Bendy wrote:
>> I will upgrade a few machines and test this out, I just got done
>> making a script for RADIUS to handle OTP, I didn't see this e-mail
>> till now!
>>
>> If Password + RADIUS are turned on for the user it looks like it's
>> still doing the first factor prompt, if I don't enable the password
>> option then a LDAP (have not tested Kerberos yet) lookup will fail,
>> haven't dug in to see if the account is disabled or what is causing
>> that. Does that sound correct though? My idea was to have FreeIPA
>> proxy to RADIUS and let RADIUS do the LDAP/Kerberos+OTP and then auth
>> that way, I take it that's not going to work?
>>
>> Thanks
>>
>>
>> On Wed, Mar 23, 2016 at 12:09 AM, Lukas Slebodnik wrote:
>>> On (22/03/16 10:06), Brad Bendy wrote:
>>>>I'm having some issues applying these patches with dependencies. But on
>>>>a side note, this needs to be applied to the client machines as well
>>>>the IPA server itself, correct?
>>>>
>>> I pushed related sudo patches to fedora yesterday.
>>> They are in updates-testing ATM.
>>>
>>> If you want to test packages on el6 or el7
>>> Then backported version of fedora packages are available in
>>> our sssd group copr repo.
>>> https://copr.fedorainfracloud.org/coprs/g/sssd/sssd-1-13/
>>>
>>> Please report any bugs here or to sssd-users.
>>>
>>> LS

From ftweedal at redhat.com Thu Mar 24 00:56:31 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Thu, 24 Mar 2016 10:56:31 +1000
Subject: [Freeipa-users] Certificate profiles and CA ACLs for service principals
In-Reply-To: <6305470E-ABD6-4614-8DA5-481E78103A7C@earsdown.com>
References: <56535c6e3ec310a6639f4616b1a396f5@earsdown.com> <20160322045501.GU18277@dhcp-40-8.bne.redhat.com> <56F1098E.2070403@redhat.com> <20160322095011.GY18277@dhcp-40-8.bne.redhat.com> <20160322224835.GZ18277@dhcp-40-8.bne.redhat.com> <6305470E-ABD6-4614-8DA5-481E78103A7C@earsdown.com>
Message-ID: <20160324005631.GG18277@dhcp-40-8.bne.redhat.com>

On Wed, Mar 23, 2016 at 04:37:43PM +1100, a.fedora at earsdown.com wrote:
> Some excellent points, and thank you for being open to having the
> conversation - I know you don't have to, and it is appreciated.
>
> > Profiles which are allowed for a host principal (representing
> > physical or virtual machines) are not necessarily the same
> > profiles that should be used for service principals. This is
> > why CA ACLs must be executed against the issuee principal.
> >
> Certmonger uses the host credential (from the host keytab) to make
> all requests on behalf of all service principals of a given
> machine, right?
>
That's correct.

> So if that machine is compromised then so too are
> all keys/certificates issued to that machine. If I think a machine
> is more likely to become compromised, I'd want to lock down the
> Certificate Profiles available to that whole machine.
>
Protecting keys is a separate issue from the CA being able to answer
the question "can I issue certs to principal P using profile X?".

> Even if I
> end up using different profiles for different services on the same
> machine, I'm still forced to trust certmonger to use the right
> profile for each request.
>
CA ACLs are stored and evaluated on the IPA server. If Certmonger
uses the "wrong profile for a request", the worst that will happen
is CA ACL enforcement will deny the request. I do not see how any
special trust resides in Certmonger in this scenario.

> So, even with future sub-CAs (this excites me btw), I'm just not
> sure I understand the security benefit of evaluating CA ACLs
> against the subject/issuee of the request, when (as you say)
> directory ACIs are already doing this.
>
Directory ACIs govern which principals can request a certificate on
behalf of a subject principal. CA ACLs govern which profile(s) are
valid for such a request. These are quite different things, and
both are important. (I'm glad you're excited about sub-CA support;
I am too!)

> Let's look at this from another angle. Suppose I obtain a service
> keytab for my unprivileged web application (say
> HTTP/myapp01.example.com), which is needed to authenticate web
> clients via kerberos/gssapi. The app also needs x509 certificates
> for TLS, which is handled by certmonger. Given the current
> approach of CA ACLs, it would be possible for my unprivileged
> web-app (if it were to become compromised) to use its service
> keytab to request certificates from IPA directly, which is
> undesirable, but I'd have no way of stopping it.
>
The same is true for rogue user or host credentials. The scope is
even bigger for compromised host credentials, since a host principal
can request certificates both for itself and for any services it
manages.

> I'm even more curious about how I'd explain and justify this
> behaviour to clients. It's confusing, you know?
>
I am open to any ideas about how to explain this more clearly. The
best approach I can think of is to explain that CA ACLs are about
answering, "what kinds of certificate can the CA issue to subject
principal 'P'?", and emphasising that that is a very different
question from, "who can request a certificate on behalf of subject
principal 'P'?".
Thanks,
Fraser

> Cheers
>
> > On 23 Mar 2016, at 09:48, Fraser Tweedale
> > wrote:
> >
> >> On Tue, Mar 22, 2016 at 10:57:37PM +1100, earsdown wrote: Hi
> >> Fraser, Martin and Alexander,
> >>
> >> Thanks for looking into this! For what it's worth, I think for
> >> this particular use case, I'm leaning more towards Alexander
> >> when he said:
> >>
> >>> I don't think you need to group services this way. For
> >>> managing services, and this means being able to issue
> >>> certificates/keytabs for them, we have hosts. By default a
> >>> host that a service belongs to is capable to modify
> >>> userCertificate attribute of the service already, so I would
> >>> expect it to be able to issue certificates with subject
> >>> principal corresponding to the service.
> >>
> >>> If CAACL would follow the same logic by allowing hosts that
> >>> manage services to issue certificates with subject principals
> >>> corresponding to these services, that should be enough
> >>> because, after all, these host objects already have write
> >>> permissions and can upload whatever certificates they like to
> >>> the service objects. -- / Alexander Bokovoy
> >>
> >> Personally, I was very surprised when I discovered that, even
> >> though a host principal may manage a service principal, it is
> >> currently unable to request a certificate for that service
> >> principal if the service principal doesn't have specific access
> >> to the certificate profile, even though the host principal may
> >> have access to the same certificate profile. In my mind the CA
> >> ACL should be evaluated against the identity of the requestor,
> >> not the issuee. As long as the requestor is allowed to request
> >> on behalf of the issuee (achieved via the managedby attribute),
> >> then it should work. Now, if I used the credentials of the
> >> service principal directly (say, with a service keytab) to make
> >> the request (supposing the service principal wasn't listed in
> >> the CA ACL), then denying the request would be the expected
> >> behaviour (imo of course).
> >>
> >> Okay, so even though Alexander's suggestion might be more
> >> intuitive, implementing service groups might be more feasible
> >> from a technical standpoint, and I'm fairly sure this use case
> >> would also be solved by implementing service groups. But, it
> >> would be painful without automember regexp rules, so please
> >> don't forget this :D
> >>
> >> Cheers!
> > The CA ACLs solve a different part of the authorisation puzzle
> > for certificates: what profiles (or, in the future, (sub-)CAs)
> > may be used to issue certs to a given subject is a different
> > question from which entities can request certificates on behalf
> > of the subject. Profiles which are allowed for a host principal
> > (representing physical or virtual machines) are not necessarily
> > the same profiles that should be used for service principals.
> > This is why CA ACLs must be executed against the issuee
> > principal.
> >
> > It is best to implement service groups then support them in CA
> > ACLs.
> >
> > Final note: directory ACIs allow hosts to request certificates
> > for services they manage. The overall authorisation for cert
> > issuance depends on *both* the directory ACIs and CA ACLs.
> >
> > Cheers, Fraser
> >
> >>> On 2016-03-22 20:50, Fraser Tweedale wrote:
> >>>> On Tue, Mar 22, 2016 at 09:59:58AM +0100, Martin Kosek wrote:
> >>>>> On 03/22/2016 05:55 AM, Fraser Tweedale wrote: On Fri, Mar
> >>>>> 18, 2016 at 08:12:44PM +1100, earsdown wrote:
> >>>> ...
> >>>>> To my fellow FreeIPA developers: are service groups a
> >>>>> sensible RFE? Is there a reason why they have not been
> >>>>> implemented?
> >>>>
> >>>> It *is* sensible RFE and it was actually already filed!
> >>>>
> >>>> https://fedorahosted.org/freeipa/ticket/5277
> >>>>
> >>>> Please feel free to add yourself to CC to receive updates or
> >>>> even help us with implementation.
> >>>>
> >>>> Thanks, Martin
> >>> Good to know... I've added myself to Cc and also filed an RFE
> >>> for enhancing CA ACLs with service groups once #5277 is
> >>> implemented: https://fedorahosted.org/freeipa/ticket/5753
> >>>
> >>> Cheers, Fraser
> >>
> >> -- Manage your subscription for the Freeipa-users mailing list:
> >> https://www.redhat.com/mailman/listinfo/freeipa-users Go to
> >> http://freeipa.org for more info on the project
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From pspacek at redhat.com Thu Mar 24 07:16:33 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 24 Mar 2016 08:16:33 +0100
Subject: [Freeipa-users] Can't Search For Users
In-Reply-To:
References:
Message-ID: <56F39451.5070908@redhat.com>

On 23.3.2016 17:52, Garrett Hyde wrote:
> I'm currently running ipa-server version 4.2.0, release 15.el7_2.6 on a
> RHEL 7.2 server.
>
> When a user **not** in the "admins" group tries searching for a user, they
> receive "No entries." In the WebUI, this happens on the "Active users" page
> or when trying to add a user to a group, role, etc. It also happens when a
> user uses the CLI (e.g., `ipa user-find ...`). I've tried adding a user to
> all of the available roles listed under "Role Based Access Control", but
> they still can't search for users.
>
> Currently, only users in the "admins" group can search for users. Is there
> a permission or privilege I'm missing? How can I grant users the ability to
> search for other users?

I suspect that you are hitting this bug:
https://fedorahosted.org/freeipa/ticket/5168

It is in our queue, stay tuned.
--
Petr^2 Spacek

From sbose at redhat.com Thu Mar 24 10:09:16 2016
From: sbose at redhat.com (Sumit Bose)
Date: Thu, 24 Mar 2016 11:09:16 +0100
Subject: [Freeipa-users] Lock screen when Smart Card is removed.
In-Reply-To: <-YIZNLHHf8ydVU_RF0f2cn1BBvA73J1jc1HheNmGkRJC_cDS7NeFbw@cipher.nrlssc.navy.mil>
References: <_1ZpdFsXKWmdSYRSYk8Xc0Aor5jcUaVJofpJ1Wy9L8SxyPeFTZrMhA@cipher.nrlssc.navy.mil> <20160311083222.GF3059@p.redhat.com> <20160322122515.GA8004@p.redhat.com> <-YIZNLHHf8ydVU_RF0f2cn1BBvA73J1jc1HheNmGkRJC_cDS7NeFbw@cipher.nrlssc.navy.mil>
Message-ID: <20160324100916.GG18816@p.redhat.com>

On Wed, Mar 23, 2016 at 12:25:50PM -0500, Michael Rainey (Contractor) wrote:
> Hi Sumit,
>
> I've been trying to download the rpm via the Koji client and have been unable to
> locate package. Are there any extra steps I need to complete before I can
> find the package, such as, create an account in Fedora Build System.
> Performing a general search for SSSD only returns a list of packages from
> Fedora Projects and nothing from the EL repo.

The link I sent is the meta link for the different supported platforms
(x86_64, ppc64 and ppc64le). If you select the link for x86_64 you
should be able to see download links for the x86_64 packages.

Nevertheless I created a new build
http://koji.fedoraproject.org/koji/taskinfo?taskID=13446490 to fix some
issue with the package version number in the previous build. The x86_64
packages can be found at
http://koji.fedoraproject.org/koji/taskinfo?taskID=13446491 .
To make the download easy you can try the following command:

curl http://koji.fedoraproject.org/koji/taskinfo?taskID=13446491 | grep -o '"https://.*.rpm"' | xargs -n 1 curl -L -O

HTH

bye,
Sumit

>
> Thanks,
>
> *Michael Rainey*
> NRL 7320
> Computer Support Group
> Building 1009, Room C156
> Stennis Space Center, MS 39529
> On 03/22/2016 07:25 AM, Sumit Bose wrote:
> >On Fri, Mar 18, 2016 at 10:53:08AM -0500, Michael Rainey (Contractor) wrote:
> >>Hi Sumit,
> >>
> >>It has been a week and I am following up with you on the lock screen issue.
> >>Have you had any progress? If so, I am hoping implementing the fix will be
> >>quick and easy.
> >Thank you for your patience. Please find a test build for RHEL/CentOS
> >7.2 at https://koji.fedoraproject.org/koji/taskinfo?taskID=13412048 .
> >
> >Besides the updated version of SSSD you should replace
> >/etc/pam.d/smartcard-auth with
> >
> >======== /etc/pam.d/smartcard-auth =========
> >auth required pam_env.so
> >auth sufficient pam_sss.so allow_missing_name
> >auth required pam_deny.so
> >
> >account required pam_unix.so
> >account sufficient pam_localuser.so
> >account sufficient pam_succeed_if.so uid < 1000 quiet
> >account [default=bad success=ok user_unknown=ignore] pam_sss.so
> >account required pam_permit.so
> >
> >
> >session optional pam_keyinit.so revoke
> >session required pam_limits.so
> >-session optional pam_systemd.so
> >session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> >session required pam_unix.so
> >session optional pam_sss.so
> >===========================================
> >
> >and /etc/dconf/db/distro.d/10-authconfig
> >
> >===== /etc/dconf/db/distro.d/10-authconfig =====
> >[org/gnome/login-screen]
> >enable-fingerprint-authentication=false
> >
> >[org/gnome/settings-daemon/peripherals/smartcard]
> >removal-action='lock-screen'
> >===============================================
> >
> >and /etc/dconf/db/distro.d/locks/10-authconfig-locks
> >
> >====== /etc/dconf/db/distro.d/locks/10-authconfig-locks ===
> >/org/gnome/login-screen/enable-fingerprint-authentication
> >/org/gnome/settings-daemon/peripherals/smartcard
> >===========================================================
> >
> >and call 'dconf update' to get the new setting loaded. Finally it might
> >be a good idea to restart gdm to make sure the new setting and PAM
> >configuration is really active although I would expect that gdm is able
> >to pick up the changes at run-time.
> >
> >Any feedback, good or bad, is welcome.
> >
> >bye,
> >Sumit
> >
> >>Thanks,
> >>
> >>*Michael Rainey*
> >>
> >>On 03/11/2016 02:32 AM, Sumit Bose wrote:
> >>>On Thu, Mar 10, 2016 at 01:36:15PM -0600, Michael Rainey (Contractor) wrote:
> >>>>Greetings,
> >>>>
> >>>>I have been adding systems to my new domain and utilizing the smart card
> >>>>login feature. To date the smart card login feature is working very well.
> >>>>However, my group has been trying to implement locking the screen when the
> >>>>smart card is removed, but have not been successful at making it work. Does
> >>>>anyone have any suggestions as to what it would take to enable locking the
> >>>>screen when the smart card is removed.
> >>>This requires a better integration with gdm which is currently WIP
> >>>(https://fedorahosted.org/sssd/ticket/2941). If you don't mind please
> >>>ping me in about a week about this again, then I might have done some
> >>>more testing.
> >>>
> >>>bye,
> >>>Sumit
> >>>
> >>>>Thank you in advance.
> >>>>--
> >>>>*Michael Rainey*
> >>>>--
> >>>>Manage your subscription for the Freeipa-users mailing list:
> >>>>https://www.redhat.com/mailman/listinfo/freeipa-users
> >>>>Go to http://freeipa.org for more info on the project
> >>--
> >>Manage your subscription for the Freeipa-users mailing list:
> >>https://www.redhat.com/mailman/listinfo/freeipa-users
> >>Go to http://freeipa.org for more info on the project
>

From Dennis.Ott at mckesson.com Thu Mar 24 15:29:45 2016
From: Dennis.Ott at mckesson.com (Ott, Dennis)
Date: Thu, 24 Mar 2016 15:29:45 +0000
Subject: [Freeipa-users] 7.x replica install from 6.x master fails
Message-ID:

I am trying to migrate from OS 6.x / IPA 3.0 to OS 7.x / IPA 4.x.
After working through and solving a few issues, my current efforts
fail when setting up the replica CA.

If I set up a new, pristine master on OS 6.7, I am able to create an
OS 7.x replica without any problem. However, if I try to create a
replica from my two year old test lab instance (production will be
another matter for the future) it fails. The test lab master was
created a couple of years ago on OS 6.3 / IPA 2.x and has been
upgraded to the latest versions in the 6.x chain. It is old enough to
have had all the certificates renewed, but I believe I have worked
through all the issues related to that.

Below is what I believe are the useful portions of the pertinent
logs. I've not been able to find anything online that speaks to the
errors I am seeing.

Thanks for your help.

/var/log/ipareplica-install.log

2016-03-23T21:55:11Z DEBUG Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
2016-03-23T21:55:11Z DEBUG [1/23]: creating certificate server user
2016-03-23T21:55:11Z DEBUG group pkiuser exists
2016-03-23T21:55:11Z DEBUG user pkiuser exists
2016-03-23T21:55:11Z DEBUG duration: 0 seconds
2016-03-23T21:55:11Z DEBUG [2/23]: configuring certificate server instance
2016-03-23T21:55:11Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2016-03-23T21:55:11Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2016-03-23T21:55:11Z DEBUG Contents of pkispawn configuration file (/tmp/tmpGQ59ZC):
[CA]
pki_security_domain_name = IPA
pki_enable_proxy = True
pki_restart_configured_instance = False
pki_backup_keys = True
pki_backup_password = XXXXXXXX
pki_profiles_in_ldap = True
pki_client_database_dir = /tmp/tmp-g0CKZ3
pki_client_database_password = XXXXXXXX
pki_client_database_purge = False
pki_client_pkcs12_password = XXXXXXXX
pki_admin_name = admin
pki_admin_uid = admin
pki_admin_email = root@localhost
pki_admin_password = XXXXXXXX
pki_admin_nickname = ipa-ca-agent
pki_admin_subject_dn = cn=ipa-ca-agent,O=EXAMPLE.COM
pki_client_admin_cert_p12 = /root/ca-agent.p12
pki_ds_ldap_port = 389
pki_ds_password = XXXXXXXX
pki_ds_base_dn = o=ipaca
pki_ds_database = ipaca
pki_subsystem_subject_dn = cn=CA Subsystem,O=EXAMPLE.COM
pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O=EXAMPLE.COM
pki_ssl_server_subject_dn = cn=pt-idm-vm01.example.com,O=EXAMPLE.COM
pki_audit_signing_subject_dn = cn=CA Audit,O=EXAMPLE.COM
pki_ca_signing_subject_dn = cn=Certificate Authority,O=EXAMPLE.COM
pki_subsystem_nickname = subsystemCert cert-pki-ca
pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca
pki_ssl_server_nickname = Server-Cert cert-pki-ca
pki_audit_signing_nickname = auditSigningCert cert-pki-ca
pki_ca_signing_nickname = caSigningCert cert-pki-ca
pki_ca_signing_key_algorithm = SHA256withRSA
pki_security_domain_hostname = ptipa1.example.com
pki_security_domain_https_port = 443
pki_security_domain_user = admin
pki_security_domain_password = XXXXXXXX
pki_clone = True
pki_clone_pkcs12_path = /tmp/ca.p12
pki_clone_pkcs12_password = XXXXXXXX
pki_clone_replication_security = TLS
pki_clone_replication_master_port = 7389
pki_clone_replication_clone_port = 389
pki_clone_replicate_schema = False
pki_clone_uri = https://ptipa1.example.com:443
2016-03-23T21:55:11Z DEBUG Starting external process
2016-03-23T21:55:11Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpGQ59ZC'
2016-03-23T21:56:51Z DEBUG Process finished, return code=1
2016-03-23T21:56:51Z DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20160323175511.log
Loading deployment configuration from /tmp/tmpGQ59ZC.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Installation failed.
2016-03-23T21:56:51Z DEBUG stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
  InsecureRequestWarning)
pkispawn : WARNING ....... unable to validate security domain user/password through REST interface. Interface not available
pkispawn : ERROR ....... Exception from Java Configuration Servlet: 500 Server Error: Internal Server Error
pkispawn : ERROR ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error while updating security domain: java.io.IOException: 2"}
2016-03-23T21:56:51Z CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpGQ59ZC'' returned non-zero exit status 1
2016-03-23T21:56:51Z CRITICAL See the installation logs and the following files/directories for more information:
2016-03-23T21:56:51Z CRITICAL /var/log/pki-ca-install.log
2016-03-23T21:56:51Z CRITICAL /var/log/pki/pki-tomcat
2016-03-23T21:56:51Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 620, in __spawn_instance
    DogtagInstance.spawn_instance(self, cfg_file)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 201, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 465, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.
2016-03-23T21:56:51Z DEBUG [error] RuntimeError: CA configuration failed.
2016-03-23T21:56:51Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 311, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 281, in run
    self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 303, in execute
    for nothing in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
    raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 524, in _configure
    executor.next()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 418, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
    raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 879, in main
    install(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 295, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 584, in install
    ca.install(False, config, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 106, in install
    install_step_0(standalone, replica_config, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 130, in install_step_0
    ra_p12=getattr(options, 'ra_p12', None))
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1543, in install_replica_ca
    subject_base=config.subject_base)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 486, in configure_instance
    self.start_creation(runtime=210)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 620, in __spawn_instance
    DogtagInstance.spawn_instance(self, cfg_file)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 201, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 465, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
2016-03-23T21:56:51Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: CA configuration failed.
2016-03-23T21:56:51Z ERROR CA configuration failed.

/var/log/pki/pki-ca-spawn..log

2016-03-23 17:55:12 pkispawn : INFO ....... rm -f /etc/pki/pki-tomcat/ca/noise
2016-03-23 17:55:12 pkispawn : INFO ....... rm -f /etc/pki/pki-tomcat/pfile
2016-03-23 17:55:12 pkispawn : INFO ....... ln -s /lib/systemd/system/pki-tomcatd@.service /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd@pki-tomcat.service
2016-03-23 17:55:12 pkispawn : DEBUG ........... chown -h 17:17 /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd@pki-tomcat.service
2016-03-23 17:55:12 pkispawn : INFO ... configuring 'pki.server.deployment.scriptlets.configuration'
2016-03-23 17:55:12 pkispawn : INFO ....... mkdir -p /root/.dogtag/pki-tomcat/ca
2016-03-23 17:55:12 pkispawn : DEBUG ........... chmod 755 /root/.dogtag/pki-tomcat/ca
2016-03-23 17:55:12 pkispawn : DEBUG ........... chown 0:0 /root/.dogtag/pki-tomcat/ca
2016-03-23 17:55:12 pkispawn : INFO ....... generating '/root/.dogtag/pki-tomcat/ca/password.conf'
2016-03-23 17:55:12 pkispawn : INFO ....... modifying '/root/.dogtag/pki-tomcat/ca/password.conf'
2016-03-23 17:55:12 pkispawn : DEBUG ........... chmod 660 /root/.dogtag/pki-tomcat/ca/password.conf
2016-03-23 17:55:12 pkispawn : DEBUG ........... chown 0:0 /root/.dogtag/pki-tomcat/ca/password.conf
2016-03-23 17:55:12 pkispawn : INFO ....... generating '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf'
2016-03-23 17:55:12 pkispawn : INFO ....... modifying '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf'
2016-03-23 17:55:12 pkispawn : DEBUG ........... chmod 660 /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
2016-03-23 17:55:12 pkispawn : DEBUG ........... chown 17:17 /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
2016-03-23 17:55:12 pkispawn : INFO ....... executing 'certutil -N -d /tmp/tmp-g0CKZ3 -f /root/.dogtag/pki-tomcat/ca/password.conf'
2016-03-23 17:55:12 pkispawn : INFO ....... executing 'systemctl daemon-reload'
2016-03-23 17:55:12 pkispawn : INFO ....... executing 'systemctl start pki-tomcatd@pki-tomcat.service'
2016-03-23 17:55:12 pkispawn : DEBUG ........... No connection - server may still be down
2016-03-23 17:55:12 pkispawn : DEBUG ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
2016-03-23 17:55:13 pkispawn : DEBUG ........... No connection - server may still be down
2016-03-23 17:55:13 pkispawn : DEBUG ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
2016-03-23 17:55:24 pkispawn : DEBUG ........... 0CArunning10.2.5-6.el7
2016-03-23 17:55:25 pkispawn : INFO ....... constructing PKI configuration data.
2016-03-23 17:55:25 pkispawn : INFO ....... configuring PKI configuration data.
2016-03-23 17:56:51 pkispawn : ERROR ....... Exception from Java Configuration Servlet: 500 Server Error: Internal Server Error
2016-03-23 17:56:51 pkispawn : ERROR ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error while updating security domain: java.io.IOException: 2"}
2016-03-23 17:56:51 pkispawn : DEBUG ....... Error Type: ParseError
2016-03-23 17:56:51 pkispawn : DEBUG ....... Error Message: not well-formed (invalid token): line 1, column 0
2016-03-23 17:56:51 pkispawn : DEBUG .......   File "/usr/sbin/pkispawn", line 597, in main
    rv = instance.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 116, in spawn
    json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line 3906, in configure_pki_data
    root = ET.fromstring(e.response.text)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1300, in XML
    parser.feed(text)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1642, in feed
    self._raiseerror(v)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1506, in _raiseerror
    raise err

/var/log/pki/pki-tomcat/ca/debug

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: password ok: store in memory cache
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init ends
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: init: before makeConnection errorIfDown is false
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: makeConnection: errorIfDown false
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Established LDAP connection using basic authentication to host pt-idm-vm01.example.com port 389 as cn=Directory Manager
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: initializing with mininum 3 and maximum 15 connections to host pt-idm-vm01.example.com port 389, secure connection, false, authentication type 1
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: increasing minimum connections by 3
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new total available connections 3
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new number of connections 3
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: In LdapBoundConnFactory::getConn()
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: masterConn is connected: true
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: conn is connected true
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: mNumConns now 2
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS:
param=preop.internaldb.manager_ldif [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif file = /usr/share/pki/server/conf/manager.ldif [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif file copy to /var/lib/pki/pki-tomcat/ca/conf/manager.ldif [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): LDAP Errors in importing /var/lib/pki/pki-tomcat/ca/conf/manager.ldif [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LDAPUtil:importLDIF: exception in adding entry ou=csusers,cn=config:netscape.ldap.LDAPException: error result (68) [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LDAPUtil:importLDIF: exception in modifying entry o=ipaca:netscape.ldap.LDAPException: error result (20) [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: populateVLVIndexes(): start [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Creating LdapBoundConnFactor(ConfigurationUtils) [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapBoundConnFactory: init [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapBoundConnFactory:doCloning true [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init() [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init begins [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: prompt is internaldb [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: try getting from memory cache [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: got password from memory [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: password found for prompt. 
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: password ok: store in memory cache [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init ends [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: init: before makeConnection errorIfDown is false [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: makeConnection: errorIfDown false [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Established LDAP connection using basic authentication to host pt-idm-vm01.example.com port 389 as cn=Directory Manager [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: initializing with mininum 3 and maximum 15 connections to host pt-idm-vm01.example.com port 389, secure connection, false, authentication type 1 [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: increasing minimum connections by 3 [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new total available connections 3 [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new number of connections 3 [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: In LdapBoundConnFactory::getConn() [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: masterConn is connected: true [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: conn is connected true [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: mNumConns now 2 [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS: param=preop.internaldb.post_ldif [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif file = /usr/share/pki/ca/conf/vlv.ldif [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif file copy to /var/lib/pki/pki-tomcat/ca/conf/vlv.ldif [23/Mar/2016:17:56:46][http-bio-8443-exec-3]: importLDIFS(): ldif file = /usr/share/pki/ca/conf/vlvtasks.ldif [23/Mar/2016:17:56:46][http-bio-8443-exec-3]: importLDIFS(): ldif file copy to /var/lib/pki/pki-tomcat/ca/conf/vlvtasks.ldif [23/Mar/2016:17:56:46][http-bio-8443-exec-3]: Checking wait_dn cn=index1160589769, cn=index, cn=tasks, cn=config [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: Found data for 'sslserver' 
[23/Mar/2016:17:56:48][http-bio-8443-exec-3]: SystemConfigService:processCerts(): san_server_cert not found for tag sslserver [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: caType is local [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: caType is remote (revised) [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: NamePanel: updateConfig() for certTag sslserver [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: updateConfig() done [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: remote CA [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertRequestPanel: got public key [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertRequestPanel: got private key [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: NamePanel: For this Cloned CA, always use its Master CA to generate the 'sslserver' certificate to avoid any changes which may have been made to the X500Name directory string encoding order. [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: ConfigurationUtils: injectSAN=false [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertUtil createRemoteCert: content requestor_name=CA-pt-idm-vm01.example.com-8443&profileId=caInternalAuthServerCert&cert_request_type=pkcs10&cert_request=MIICmzCCAYxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxrD6JPIBR7AA%3D&xmlOutput=true&sessionID=-4495713718673639316 [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: CertUtil createRemoteCert: status=0 [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: CertUtil createRemoteCert: 
MIIDxTCCAq2gxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxTDuSAWm2v7 [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: ConfigurationUtils: handleCertRequest() begins [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCertRequest: tag=sslserver [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: privKeyID=29c021f3ccfafb1049bd33ce00e9b4ba35f2c1e7 [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCertRequest: created cert request [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Processing 'sslserver' certificate: [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): for cert tag 'sslserver' using cert type 'remote' [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): process remote...import cert [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: deleteCert: nickname=Server-Cert cert-pki-ca [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: deleteCert: cert deleted successfully [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): certchains length=2 [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): import certificate successfully, certTag=sslserver [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Processed 'sslserver' certificate. [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === BackupKeyCert Panel/SavePKCS12 Panel === [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: backupKeys(): start [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === Admin Panel === [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === Done Panel === [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Updating existing security domain [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: isSDHostDomainMaster(): Getting domain.xml from CA... 
[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: getDomainXML start [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: getDomainXML: status=0 [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: getDomainXML: domainInfo=IPAptipa1.example.com44344344344380FALSEpki-cadTRUE100000 [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: Cloning a domain master [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML start hostname=ptipa1.example.com port=443 [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateSecurityDomain: failed to update security domain using admin port 443: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId. [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateSecurityDomain: now trying agent port with client auth [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML start hostname=ptipa1.example.com port=443 [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateDomainXML() nickname=subsystemCert cert-pki-ca [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML: status=1 [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: Error while updating security domain: java.io.IOException: 2 [23/Mar/2016:23:44:52][http-bio-8080-exec-1]: according to ccMode, authorization for servlet: caProfileList is LDAP based, not XML {1}, use default authz mgr: {2}. /var/log/pki/pki-tomcat/ca/system 0.localhost-startStop-1 - [23/Mar/2016:17:55:24 EDT] [3] [3] Cannot build CA chain. 
Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
0.localhost-startStop-1 - [23/Mar/2016:17:55:24 EDT] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value

Dennis M Ott
Infrastructure Administrator
Infrastructure and Security Operations
McKesson Corporation
McKesson Pharmacy Systems and Automation
www.mckesson.com

From aalam at paperlesspost.com Thu Mar 24 16:21:09 2016
From: aalam at paperlesspost.com (Ash Alam)
Date: Thu, 24 Mar 2016 12:21:09 -0400
Subject: [Freeipa-users] Freeipa Sudo / sudoers.d / nopasswd
Message-ID:

Hello

I am looking for some guidance on how to properly do sudo with Freeipa. I have read up on what I need to do but I can't seem to get it to work correctly. Now with sudoers.d I can accomplish this fairly quickly.

Example:

%dev ALL=(ALL) NOPASSWD:/usr/bin/chef-client

What I have configured in Freeipa Sudo Rules:

Sudo Option: !authenticate
Who: dev (group)
Access this host: testing (group)
Run Commands: set of commands that are defined.

Now when I apply this, it still does not work as it asks for a password for the user and then fails. I am hoping to allow a group to only run certain commands without requiring a password.

Thank You

From brad.bendy at gmail.com Thu Mar 24 16:59:10 2016
From: brad.bendy at gmail.com (Brad Bendy)
Date: Thu, 24 Mar 2016 09:59:10 -0700
Subject: [Freeipa-users] Freeipa Sudo / sudoers.d / nopasswd
In-Reply-To:
References:
Message-ID:

What's your config look like in the GUI? Long as you assign the users to the group and everything it should work. Your sssd.conf file shows sudo in there as well?

On Thu, Mar 24, 2016 at 9:21 AM, Ash Alam wrote:
> Hello
>
> I am looking for some guidance on how to properly do sudo with Freeipa. I
> have read up on what i need to do but i cant seem to get to work correctly.
> Now with sudoers.d i can accomplish this fairly quickly.
>
> Example:
>
> %dev ALL=(ALL) NOPASSWD:/usr/bin/chef-client
>
> What i have configured in Freeipa Sudo Rules:
>
> Sudo Option: !authenticate
> Who: dev (group)
> Access this host: testing (group)
> Run Commands: set of commands that are defined.
>
> Now when i apply this, it still does not work as it asks for a password for
> the user and then fails. I am hoping to allow a group to only run certain
> commands without requiring password.
>
> Thank You

From jhrozek at redhat.com Thu Mar 24 17:01:34 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 24 Mar 2016 18:01:34 +0100
Subject: [Freeipa-users] Freeipa Sudo / sudoers.d / nopasswd
In-Reply-To:
References:
Message-ID: <72377F1D-5607-4FC6-A0ED-3841100D8340@redhat.com>

> On 24 Mar 2016, at 17:21, Ash Alam wrote:
>
> Hello
>
> I am looking for some guidance on how to properly do sudo with Freeipa. I have read up on what i need to do but i cant seem to get to work correctly. Now with sudoers.d i can accomplish this fairly quickly.
>
> Example:
>
> %dev ALL=(ALL) NOPASSWD:/usr/bin/chef-client
>
> What i have configured in Freeipa Sudo Rules:
>
> Sudo Option: !authenticate
> Who: dev (group)
> Access this host: testing (group)
> Run Commands: set of commands that are defined.
>
> Now when i apply this, it still does not work as it asks for a password for the user and then fails. I am hoping to allow a group to only run certain commands without requiring password.
>

You should first find out why sudo fails completely.
We have this guide that should help you:
https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO

About asking for passwords -- defining a special sudo rule called 'defaults' and then adding '!authenticate' should help:

Add a special Sudo rule for default Sudo server configuration:
    ipa sudorule-add defaults

Set a default Sudo option:
    ipa sudorule-add-option defaults --sudooption '!authenticate'

From aalam at paperlesspost.com Thu Mar 24 18:50:02 2016
From: aalam at paperlesspost.com (Ash Alam)
Date: Thu, 24 Mar 2016 14:50:02 -0400
Subject: [Freeipa-users] Freeipa Sudo / sudoers.d / nopasswd
In-Reply-To: <72377F1D-5607-4FC6-A0ED-3841100D8340@redhat.com>
References: <72377F1D-5607-4FC6-A0ED-3841100D8340@redhat.com>
Message-ID:

Based on (How to troubleshoot Sudo)

- Maybe I misspoke when I said it fails completely. Rather it keeps asking for the user's password, which it does not accept.
- I do not have sudo in sssd.conf
- I do not have sudoers: sss defined in nsswitch.conf
- Per Fedora/Freeipa doc (Defining Sudo), it's not immediately clear if these need to be defined
- If this is the case then adding them might resolve my issues.
- For the special sudo rule(s), is there any way to track it via the GUI? I am trying to keep track of all the configs so it's not a black hole for the next person.
- This is what it looks like on the web gui
[image: Inline image 1]

- This is what a client's sssd.conf looks like

[domain/xxxxx]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = pp
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = xxxxxx
chpass_provider = ipa
ipa_server = _srv_, xxxxx
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, pam, ssh
config_file_version = 2

domains = XXXXX
[nss]
homedir_substring = /home

[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]

On Thu, Mar 24, 2016 at 1:01 PM, Jakub Hrozek wrote:

>
> > On 24 Mar 2016, at 17:21, Ash Alam wrote:
> >
> > Hello
> >
> > I am looking for some guidance on how to properly do sudo with Freeipa. I have read up on what i need to do but i cant seem to get to work correctly. Now with sudoers.d i can accomplish this fairly quickly.
> >
> > Example:
> >
> > %dev ALL=(ALL) NOPASSWD:/usr/bin/chef-client
> >
> > What i have configured in Freeipa Sudo Rules:
> >
> > Sudo Option: !authenticate
> > Who: dev (group)
> > Access this host: testing (group)
> > Run Commands: set of commands that are defined.
> >
> > Now when i apply this, it still does not work as it asks for a password for the user and then fails. I am hoping to allow a group to only run certain commands without requiring password.
> >
>
> You should first find out why sudo fails completely. We have this guide
> that should help you:
> https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
>
> About asking for passwords -- defining a special sudo rule called
> 'defaults' and then adding '!authenticate' should help:
> Add a special Sudo rule for default Sudo server configuration:
> ipa sudorule-add defaults
>
> Set a default Sudo option:
> ipa sudorule-add-option defaults --sudooption '!authenticate'

From rcritten at redhat.com Thu Mar 24 19:04:02 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 24 Mar 2016 15:04:02 -0400
Subject: [Freeipa-users] Freeipa Sudo / sudoers.d / nopasswd
In-Reply-To:
References: <72377F1D-5607-4FC6-A0ED-3841100D8340@redhat.com>
Message-ID: <56F43A22.2060608@redhat.com>

Ash Alam wrote:
> Based on (How to troubleshoot Sudo)
>
> - Maybe i miss spoke when i said it fails completely. Rather it keeps
> asking for the users password which it does not accept.
> - I do not have sudo in sssd.conf
> - I do not have sudoers: sss defined in nsswitch.conf
> - Per Fedora/Freeipa doc (Defining Sudo), its not immediately clear if
> these needs to be defined
> - If this is the case then adding them might resolve my issues.
> - for the special sudo rule(s). is there any way to track it via the
> gui? I am trying to keep track of all the configs so its not a blackhole
> for the next person.

It would help to know the release of Fedora you're using, the rpm version of ipa-client and sssd.

If you are using Fedora freeipa docs they are extremely old, at best F-18. Use the RHEL docs.

rob

>
> - This is what it looks like on the web gui
> Inline image 1
>
>
> - This is what a clients sssd.conf looks like
> [domain/xxxxx]
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = pp
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = xxxxxx
> chpass_provider = ipa
> ipa_server = _srv_, xxxxx
> ldap_tls_cacert = /etc/ipa/ca.crt
> [sssd]
> services = nss, pam, ssh
> config_file_version = 2
>
> domains = XXXXX
> [nss]
> homedir_substring = /home
>
> [pam]
> [sudo]
> [autofs]
> [ssh]
> [pac]
> [ifp]
>
> On Thu, Mar 24, 2016 at 1:01 PM, Jakub Hrozek wrote:
>
>
> > On 24 Mar 2016, at 17:21, Ash Alam wrote:
> >
> > Hello
> >
> > I am looking for some guidance on how to properly do sudo with Freeipa. I have read up on what i need to do but i cant seem to get to work correctly. Now with sudoers.d i can accomplish this fairly quickly.
> >
> > Example:
> >
> > %dev ALL=(ALL) NOPASSWD:/usr/bin/chef-client
> >
> > What i have configured in Freeipa Sudo Rules:
> >
> > Sudo Option: !authenticate
> > Who: dev (group)
> > Access this host: testing (group)
> > Run Commands: set of commands that are defined.
> >
> > Now when i apply this, it still does not work as it asks for a password for the user and then fails. I am hoping to allow a group to only run certain commands without requiring password.
> >
>
> You should first find out why sudo fails completely. We have this
> guide that should help you:
> https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
>
> About asking for passwords -- defining a special sudo rule called
> 'defaults' and then adding '!authenticate' should help:
> Add a special Sudo rule for default Sudo server configuration:
> ipa sudorule-add defaults
>
> Set a default Sudo option:
> ipa sudorule-add-option defaults --sudooption '!authenticate'
>

From jeffrey.armstrong at gasoc.com Thu Mar 24 19:14:56 2016
From: jeffrey.armstrong at gasoc.com (Armstrong, Jeffrey)
Date: Thu, 24 Mar 2016 19:14:56 +0000
Subject: [Freeipa-users] IPA command to batch create users.
Message-ID: <3DAC7A5927B8594195EA704FB41255B06588F5E6@Supernatural2.gafoc.com>

Hello,

I would like to find out if I can create a large number of users in IPA at one time. If so, what is the command to do that.

Jeff

From natxo.asenjo at gmail.com Thu Mar 24 19:44:30 2016
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Thu, 24 Mar 2016 20:44:30 +0100
Subject: [Freeipa-users] IPA command to batch create users.
In-Reply-To: <3DAC7A5927B8594195EA704FB41255B06588F5E6@Supernatural2.gafoc.com>
References: <3DAC7A5927B8594195EA704FB41255B06588F5E6@Supernatural2.gafoc.com>
Message-ID:

hi,

On Thu, Mar 24, 2016 at 8:14 PM, Armstrong, Jeffrey <jeffrey.armstrong at gasoc.com> wrote:

> Hello,
>
> I would like to find out if I can create a large number of users in IPA at
> one time. If so, what is the command to do that.
>

you can use ipa user-add command in a bash loop, or read the user names from a file, feeding that file to ipa user-add.

--
--
Groeten,
natxo

From rcritten at redhat.com Thu Mar 24 20:00:17 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 24 Mar 2016 16:00:17 -0400
Subject: [Freeipa-users] IPA command to batch create users.
In-Reply-To:
References: <3DAC7A5927B8594195EA704FB41255B06588F5E6@Supernatural2.gafoc.com>
Message-ID: <56F44751.1060805@redhat.com>

Natxo Asenjo wrote:
>
> hi,
>
> On Thu, Mar 24, 2016 at 8:14 PM, Armstrong, Jeffrey wrote:
>
> Hello,
>
> I would like to find out if I can create a large number of users in
> IPA at one time. If so, what is the command to do that.
>
>
> you can use ipa user-add command in a bash loop, or read the user names
> from a file, feeding that file to ipa user-add.

There is also a batch command which is used by the UI to send multiple commands at once. This saves on some roundtrip time.

Here is some semi-python, grossly simplified

    # Sketch only: 'output_from_etc_passwd' stands for the lines read from
    # /etc/passwd, api is an initialized ipalib API object, and first/last
    # (given name and surname) still have to be set for each user.
    batch = []
    for line in 'output_from_etc_passwd':
        (login, passwd, uid, gid, gecos, dir, shell) = line.split(':')
        batch.append(dict(method='user_add',
                          params=([login],
                                  dict(gidnumber=int(gid), uidnumber=int(uid),
                                       gecos=gecos.strip(), homedir=dir,
                                       shell=shell, givenname=first, sn=last,
                                       noprivate=u'true',
                                       addattr='userPassword={crypt}%s' % passwd))))
    results = api.Command['batch'](batch)['results']

You probably don't want too many requests at once, say 50 or 100 might be nice.
The results will be a list of all the outputs from the various commands.

rob

From aalam at paperlesspost.com Thu Mar 24 20:22:06 2016
From: aalam at paperlesspost.com (Ash Alam)
Date: Thu, 24 Mar 2016 16:22:06 -0400
Subject: [Freeipa-users] Freeipa Sudo / sudoers.d / nopasswd
In-Reply-To: <56F43A22.2060608@redhat.com>
References: <72377F1D-5607-4FC6-A0ED-3841100D8340@redhat.com> <56F43A22.2060608@redhat.com>
Message-ID:

I should clarify. I was just following the fedora/ipa docs. My Ipa servers are Centos 7.2 and Ipa 4.2. Clients are Centos 6.6 and 3.0.0

$ rpm -q sssd ipa-client
sssd-1.11.6-30.el6_6.3.x86_64
ipa-client-3.0.0-42.el6.centos.x86_64

On Thu, Mar 24, 2016 at 3:04 PM, Rob Crittenden wrote:

> Ash Alam wrote:
>
>> Based on (How to troubleshoot Sudo)
>>
>> - Maybe i miss spoke when i said it fails completely. Rather it keeps
>> asking for the users password which it does not accept.
>> - I do not have sudo in sssd.conf
>> - I do not have sudoers: sss defined in nsswitch.conf
>> - Per Fedora/Freeipa doc (Defining Sudo), its not immediately clear if
>> these needs to be defined
>> - If this is the case then adding them might resolve my issues.
>> - for the special sudo rule(s). is there any way to track it via the
>> gui? I am trying to keep track of all the configs so its not a blackhole
>> for the next person.
>>
>
> It would help to know the release of Fedora you're using, the rpm version
> of ipa-client and sssd.
>
> If you are using Fedora freeipa docs they are extremely old, at best F-18.
> Use the RHEL docs.
>
> rob
>
>
>> - This is what it looks like on the web gui
>> Inline image 1
>>
>>
>> - This is what a clients sssd.conf looks like
>> [domain/xxxxx]
>>
>> cache_credentials = True
>> krb5_store_password_if_offline = True
>> ipa_domain = pp
>> id_provider = ipa
>> auth_provider = ipa
>> access_provider = ipa
>> ipa_hostname = xxxxxx
>> chpass_provider = ipa
>> ipa_server = _srv_, xxxxx
>> ldap_tls_cacert = /etc/ipa/ca.crt
>> [sssd]
>> services = nss, pam, ssh
>> config_file_version = 2
>>
>> domains = XXXXX
>> [nss]
>> homedir_substring = /home
>>
>> [pam]
>> [sudo]
>> [autofs]
>> [ssh]
>> [pac]
>> [ifp]
>>
>> On Thu, Mar 24, 2016 at 1:01 PM, Jakub Hrozek wrote:
>>
>>
>> > On 24 Mar 2016, at 17:21, Ash Alam wrote:
>> >
>> > Hello
>> >
>> > I am looking for some guidance on how to properly do sudo with Freeipa. I have read up on what i need to do but i cant seem to get to work correctly. Now with sudoers.d i can accomplish this fairly quickly.
>> >
>> > Example:
>> >
>> > %dev ALL=(ALL) NOPASSWD:/usr/bin/chef-client
>> >
>> > What i have configured in Freeipa Sudo Rules:
>> >
>> > Sudo Option: !authenticate
>> > Who: dev (group)
>> > Access this host: testing (group)
>> > Run Commands: set of commands that are defined.
>> >
>> > Now when i apply this, it still does not work as it asks for a password for the user and then fails. I am hoping to allow a group to only run certain commands without requiring password.
>> >
>>
>> You should first find out why sudo fails completely. We have this
>> guide that should help you:
>> https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
>>
>> About asking for passwords -- defining a special sudo rule called
>> 'defaults' and then adding '!authenticate' should help:
>> Add a special Sudo rule for default Sudo server configuration:
>> ipa sudorule-add defaults
>>
>> Set a default Sudo option:
>> ipa sudorule-add-option defaults --sudooption '!authenticate'
>>
>

From michael.rainey.ctr at nrlssc.navy.mil Thu Mar 24 20:48:34 2016
From: michael.rainey.ctr at nrlssc.navy.mil (Michael Rainey (Contractor))
Date: Thu, 24 Mar 2016 15:48:34 -0500
Subject: [Freeipa-users] Lock screen when Smart Card is removed.
In-Reply-To: <20160324100916.GG18816@p.redhat.com>
References: <_1ZpdFsXKWmdSYRSYk8Xc0Aor5jcUaVJofpJ1Wy9L8SxyPeFTZrMhA@cipher.nrlssc.navy.mil> <20160311083222.GF3059@p.redhat.com> <20160322122515.GA8004@p.redhat.com> <-YIZNLHHf8ydVU_RF0f2cn1BBvA73J1jc1HheNmGkRJC_cDS7NeFbw@cipher.nrlssc.navy.mil> <20160324100916.GG18816@p.redhat.com>
Message-ID:

Hi Sumit,

Your test packages and configuration changes are working very well. I see no issues with the two machines on which the fixes were applied. The two systems are running Scientific Linux 7.2 and Centos 7.2. I will continue to perform more tests to see if there are any issues.

I do have another question to ask you in the meantime. The question was asked, "How long would it take for these changes to make their way into the current repos?" Do you think it will take a few weeks, or will we need to wait for the next point release? We are just trying to determine how to proceed in rolling out the packages.

Thanks again,

*Michael Rainey*

On 03/24/2016 05:09 AM, Sumit Bose wrote:
> On Wed, Mar 23, 2016 at 12:25:50PM -0500, Michael Rainey (Contractor) wrote:
>> Hi Sumit,
>>
>> I've trying to download the rpm via the Koji client and have been unable to
>> locate package. Are there any extra steps I need to complete before I can
>> find the package, such as, create an account in Fedora Build System.
>> Performing a general search for SSSD only returns a list of packages from
>> Fedora Projects and nothing from the EL repo.
> The link I sent is the meta link for the different supported platforms
> (x86_64, pcc64 and pcc64le). If you select the link for x86_64 you
> should be able to see download links for the x86_64 packages.
>
> Nevertheless I created a new build
> http://koji.fedoraproject.org/koji/taskinfo?taskID=13446490 to fix some
> issue with the package version number in the previous build. The x86_64
> packages can be found at
> http://koji.fedoraproject.org/koji/taskinfo?taskID=13446491 . To make
> the download easy you can try the following command:
>
> curl http://koji.fedoraproject.org/koji/taskinfo?taskID=13446491 | grep -o '"https://.*.rpm"' | xargs -n 1 curl -L -O
>
> HTH
>
> bye,
> Sumit
>
>> Thanks,
>>
>> *Michael Rainey*
>> NRL 7320
>> Computer Support Group
>> Building 1009, Room C156
>> Stennis Space Center, MS 39529
>> On 03/22/2016 07:25 AM, Sumit Bose wrote:
>>> On Fri, Mar 18, 2016 at 10:53:08AM -0500, Michael Rainey (Contractor) wrote:
>>>> Hi Sumit,
>>>>
>>>> It has been a week and I am following up with you on the lock screen issue.
>>>> Have you had any progress? If so, I am hoping implementing the fix will be
>>>> quick and easy.
>>> Thank you for your patience. Please find a test build for RHEL/CentOS
>>> 7.2 at https://koji.fedoraproject.org/koji/taskinfo?taskID=13412048 .
>>>
>>> Besides the updated version of SSSD you should replace
>>> /etc/pam.d/smartcard-auth with
>>>
>>> ======== /etc/pam.d/smartcard-auth =========
>>> auth required pam_env.so
>>> auth sufficient pam_sss.so allow_missing_name
>>> auth required pam_deny.so
>>>
>>> account required pam_unix.so
>>> account sufficient pam_localuser.so
>>> account sufficient pam_succeed_if.so uid < 1000 quiet
>>> account [default=bad success=ok user_unknown=ignore] pam_sss.so
>>> account required pam_permit.so
>>>
>>>
>>> session optional pam_keyinit.so revoke
>>> session required pam_limits.so
>>> -session optional pam_systemd.so
>>> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
>>> session required pam_unix.so
>>> session optional pam_sss.so
>>> ===========================================
>>>
>>> and /etc/dconf/db/distro.d/10-authconfig
>>>
>>> ===== /etc/dconf/db/distro.d/10-authconfig =====
>>> [org/gnome/login-screen]
>>> enable-fingerprint-authentication=false
>>>
>>> [org/gnome/settings-daemon/peripherals/smartcard]
>>> removal-action='lock-screen'
>>> ===============================================
>>>
>>> and /etc/dconf/db/distro.d/locks/10-authconfig-locks
>>>
>>> ====== /etc/dconf/db/distro.d/locks/10-authconfig-locks ===
>>> /org/gnome/login-screen/enable-fingerprint-authentication
>>> /org/gnome/settings-daemon/peripherals/smartcard
>>> ===========================================================
>>>
>>> and call 'dconf update' to get the new setting loaded. Finally it might
>>> be a good idea to restart gdm to make sure the new setting and PAM
>>> configuration is really active although I would expect that gdm is able
>>> to pick up the changes at run-time.
>>>
>>> Any feedback, good or bad, is welcome.
>>>
>>> bye,
>>> Sumit
>>>
>>>> Thanks,
>>>>
>>>> *Michael Rainey*
>>>>
>>>> On 03/11/2016 02:32 AM, Sumit Bose wrote:
>>>>> On Thu, Mar 10, 2016 at 01:36:15PM -0600, Michael Rainey (Contractor) wrote:
>>>>>> Greetings,
>>>>>>
>>>>>> I have been adding systems to my new domain and utilizing the smart card
>>>>>> login feature. To date the smart card login feature is working very well.
>>>>>> However, my group has been trying to implement locking the screen when the
>>>>>> smart card is removed, but have not been successful at making it work. Does
>>>>>> anyone have any suggestions as to what it would take to enable locking the
>>>>>> screen when the smart card is removed.
>>>>> This requires a better integration with gdm which is currently WIP
>>>>> (https://fedorahosted.org/sssd/ticket/2941). If you don't mind please
>>>>> ping me in about a week about this again, then I might have done some
>>>>> more testing.
>>>>>
>>>>> bye,
>>>>> Sumit
>>>>>
>>>>>> Thank you in advance.
>>>>>> --
>>>>>> *Michael Rainey*
>>>>>> --
>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>> Go to http://freeipa.org for more info on the project
>>>> --
>>>> Manage your subscription for the Freeipa-users mailing list:
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> Go to http://freeipa.org for more info on the project

From christophe.trefois at uni.lu Thu Mar 24 20:51:14 2016
From: christophe.trefois at uni.lu (Christophe TREFOIS)
Date: Thu, 24 Mar 2016 20:51:14 +0000
Subject: [Freeipa-users] Freeipa Sudo / sudoers.d / nopasswd
In-Reply-To:
References: <72377F1D-5607-4FC6-A0ED-3841100D8340@redhat.com>
Message-ID: <2EBB29CB9A8F494FB5253F6AF2E6A1981D6C0893@hoshi.uni.lux>

Hi,

Are you not missing "sudo" in [sssd] and did you restart the services on the machine?
We found quite a significant cache, which sometimes lead to asking passwords.

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sssd-ldap-sudo.html

You might even have to delete /var/lib/sss/db/ contents and restart sssd.

Best,

From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Ash Alam
Sent: Thursday, 24 March 2016 19:50
To: Jakub Hrozek
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Freeipa Sudo / sudoers.d / nopasswd

Based on (How to troubleshoot Sudo)

- Maybe i misspoke when i said it fails completely. Rather it keeps asking for the users password which it does not accept.
- I do not have sudo in sssd.conf
- I do not have sudoers: sss defined in nsswitch.conf
- Per Fedora/Freeipa doc (Defining Sudo), it's not immediately clear if these needs to be defined
- If this is the case then adding them might resolve my issues.
- for the special sudo rule(s). is there any way to track it via the gui? I am trying to keep track of all the configs so it's not a blackhole for the next person.
- This is what it looks like on the web gui
[Inline image 1]
- This is what a clients sssd.conf looks like

[domain/xxxxx]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = pp
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = xxxxxx
chpass_provider = ipa
ipa_server = _srv_, xxxxx
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = XXXXX

[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

On Thu, Mar 24, 2016 at 1:01 PM, Jakub Hrozek wrote:

> On 24 Mar 2016, at 17:21, Ash Alam wrote:
>
> Hello
>
> I am looking for some guidance on how to properly do sudo with Freeipa. I have read up on what i need to do but i cant seem to get to work correctly. Now with sudoers.d i can accomplish this fairly quickly.
>
> Example:
>
> %dev ALL=(ALL) NOPASSWD:/usr/bin/chef-client
>
> What i have configured in Freeipa Sudo Rules:
>
> Sudo Option: !authenticate
> Who: dev (group)
> Access this host: testing (group)
> Run Commands: set of commands that are defined.
>
> Now when i apply this, it still does not work as it asks for a password for the user and then fails. I am hoping to allow a group to only run certain commands without requiring password.
>

You should first find out why sudo fails completely. We have this guide that should help you:
https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO

About asking for passwords -- defining a special sudo rule called 'defaults' and then adding '!authenticate' should help:

Add a special Sudo rule for default Sudo server configuration:
ipa sudorule-add defaults

Set a default Sudo option:
ipa sudorule-add-option defaults --sudooption '!authenticate'

From pvoborni at redhat.com Thu Mar 24 21:23:17 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 24 Mar 2016 22:23:17 +0100
Subject: [Freeipa-users] Announcing FreeIPA 4.3.1
Message-ID: <56F45AC5.3050807@redhat.com>

The FreeIPA team would like to announce FreeIPA v4.3.1 bug fixing release!

It can be downloaded from http://www.freeipa.org/page/Downloads. The builds are available for Fedora 24 and rawhide. Builds for Fedora 23 are available in the official COPR repository. Experimental builds for CentOS 7 will be available in the official FreeIPA CentOS7 COPR repository shortly after Easter Holidays.

This announcement with links to Trac tickets is available on http://www.freeipa.org/page/Releases/4.3.1 .

Fedora 24 update: https://bodhi.fedoraproject.org/updates/freeipa-4.3.1-1.fc24

== Highlights in 4.3.1 ==

=== Enhancements ===
* FreeIPA Apache instance has an updated mod_nss cipher suite to only allow secure ciphers #5589
* [[Directory Server]] is configured with "default" cipher suite instead of "+all" #5684
* topology graph user experience was improved. Graph is enlarged to fill all available space. It can be moved and zoomed so that it handles bigger topologies better. #5502, #5649, #5647
* MS-PAC extension was made optional for users #2579, currently without UI #5752
* added option to disable preauth for service principal names. Configurable via ipaconfigstring value "KDC:Disable Default Preauth for SPNs" in server config. #3860
* improved behavior of DNA plugin in complex FreeIPA environments where replicas are not all interconnected so that directory server is able to lookup ranges on other servers once a range is exhausted #4026
* 3des and rc4 enctypes are no longer used on new installations of FreeIPA server #4740
* `ipa-replica-manage clean-dangling-ruv` subcommand was added to help with cases with dangling RUVs, especially the ones related to CA suffix #5411
* deprecated keytab_set extended operation was removed from ipasam module #5495
* an option was added to Web UI to allow to specify GID number in user adder dialog
* improved warning message on uninstallation of replica notifying that admin might be removing the last CA, KRA or DNSSec master #5544
* FreeIPA python packages were made independent on architecture(noarch) #5596
* AD users are now shown as members of IPA groups when external group is added to IPA group #4403

=== Bug fixes ===
* fixed bug where `ipa-cacert-manage install` failed on intermediate CA certs #5612
* fixed bug where ipa-server-install didn't stop on error and subsequently reported incorrect root cause #2539
* fixed bug where ipa-ca-install hang on creating a temporary CA admin during replica promotion #5412
* fixed issue with vault-archive command sometimes not working #5538
* fixed regression in Web UI where required indicator '*' was missing on Global Password Policy page, priority field #5553
* fixed regression in reverse zone creation/handling on domain level 0 in ipa-replica-prepare by adding --auto-reverse and --allow-zone-overlap options #5563
* fixed bug where DNS zone overlap check caused failure of ipa-dns-install #5564
* fixed upgrade bug which prevents installation of replicas from masters updated to 4.3.0 #5575
* fixed rare bug in connection handling which can cause a crash of KDC #5577
* fixed regression in updating DNS entries in `ipa-csreplica-manage del` #5583
* fixed not displaying suffixes in IPA servers table in Web UI #5609
* fixed deadlock in directory server between slapi-nis/memberof when a topology segment was added/removed #5637
* fixed issue where ipa-adtrust-install sometimes created incorrect SRV records #5663

== Upgrading ==
Upgrade instructions are available on upgrade page.

== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa channel on Freenode.

== Detailed Changelog since 4.3.0 ==

=== Abhijeet Kasurde (1) ===
* Fixed login error message box in LoginScreen page

=== Alexander Bokovoy (1) ===
* slapi-nis: update configuration to allow external members of IPA groups

=== Christian Heimes (3) ===
* Require Dogtag 10.2.6-13 to fix KRA uninstall
* Modernize mod_nss's cipher suites
* Move user/group constants for PKI and DS into ipaplatform

=== David Kupka (19) ===
* installer: Propagate option values from components instead of copying them.
* installer: Fix logic of reading option values from cache.
* ipa-dns-install: Do not check for zone overlap when DNS installed.
* ipa-replica-prepare: Add '--auto-reverse' and '--allow-zone-overlap' options
* installer: Change reverse zones question to better reflect reality.
* Fix: Use unattended parameter instead of options.unattended
* CI: Add '2-connected' topology generator.
* CI: Add simple replication test in 2-connected topology.
* CI: Add test for 2-connected topology generator.
* CI: Fix pep8 errors in 2-connected topology generator
* CI: add empty topology test for 2-connected topology generator
* CI: Add double circle topology.
* CI: Add replication test utilizing double-circle topology.
* CI: Add test for double-circle topology generator.
* CI: Make double circle topology python3 compatible
* upgrade: Match whole pre/post command not just basename.
* dsinstance: add start_tracking_certificates method
* httpinstance: add start_tracking_certificates method
* Look up HTTPD_USER's UID and GID during installation.

=== Filip Skola (3) ===
* Refactor test_user_plugin, use UserTracker for tests
* Refactor test_replace
* Refactor test_attr

=== Fraser Tweedale (1) ===
* Do not decode HTTP reason phrase from Dogtag

=== Jan Cholasta (13) ===
* ipalib: assume version 2.0 when skip_version_check is enabled
* ipapython: remove default_encoding_utf8
* ipapython: port p11helper C code to Python
* ipapython: use python-cryptography instead of libcrypto in p11helper
* spec file: package python-ipalib as noarch
* cert renewal: import all external CA certs on IPA CA cert renewal
* replica install: validate DS and HTTP server certificates
* replica promotion: fix AVC denials in remote connection check
* test_ipagetkeytab: fix missing import
* cacert install: fix trust chain validation
* client: stop using /etc/pki/nssdb
* certdb: never use the -r option of certutil
* daemons: remove unused erroneous _ipap11helper import

=== Ludwig Krispenz (1) ===
* prevent moving of topology entries out of managed scope by modrdn operations

=== Lukáš Slebodník (1) ===
* IPA-SAM: Fix build with samba 4.4

=== Martin Babinsky (21) ===
* raise more descriptive Backend connection-related exceptions
* prevent crash of CA-less server upgrade due to absent certmonger
* use FFI call to rpmvercmp function for version comparison
* tests for package version comparison
* fix Py3 incompatible exception instantiation in replica install code
* ipa-csreplica-manage: remove extraneous ldap2 connection
* IPA upgrade: move replication ACIs to the mapping tree entry
* uninstallation: more robust check for master removal from topology
* correctly set LDAP bind related attributes when setting up replication
* disable RA plugins when promoting a replica from CA-less master
* fix standalone installation of externally signed CA on IPA master
* reset ldap.conf to point to newly installer replica after promotion
* always start certmonger during IPA server configuration upgrade
* upgrade: unconditional import of certificate profiles into LDAP
* CI tests: use old schema when testing hostmask-based sudo rules
* use LDAPS during standalone CA/KRA subsystem deployment
* test_cert_plugin: use only first part of the hostname to construct short name
* only search for Kerberos SRV records when autodiscovery was requested
* spec: add conflict with bind-chroot to freeipa-server-dns
* spec: require python-cryptography newer than 0.9
* otptoken-add: improve the robustness of QR code printing

=== Martin Bašti (36) ===
* Fix DNS tests: dns-resolve returns warning
* Fix version comparison
* Fix: replace mkdir with chmod
* Allow to used mixed case for sysrestore
* Upgrade: Fix upgrade of NIS Server configuration
* DNSSEC test: fix adding zones with --skip-overlap-check
* DNSSEC CI: add missing ldns-utils dependency
* CI test: fix regression in task.install_kra
* Warn about potential loss of CA, KRA, DNSSEC during uninstall
* Fix: uninstall does not stop named-pkcs11 and ipa-ods-exporter
* Exclude o=ipaca subtree from Retro Changelog (syncrepl)
* Fix DNSSEC test: add glue record
* DNSSEC CI: fix zone delegations
* make lint: use config file and plugin for pylint
* Disable new pylint checks
* Py3: do not use dict.iteritems()
* upgrade: fix config of sidgen and extdom plugins
* trusts: use ipaNTTrustPartner attribute to detect trust entries
* Warn user if trust is broken
* fix upgrade: wait for proper DS socket after DS restart
* Revert "test: Temporarily increase timeout in vault test."
* Pylint: add missing attributes of errors to definitions
* fix permission: Read Replication Agreements
* Make PTR records check optional for IPA installation
* Fix connections to DS during installation
* pylint: supress false positive no-member errors
* CI: allow customized DS install test to work with domain levels
* fix suspicious except statements
* Configure 389ds with "default" cipher suite
* krb5conf: use 'true' instead of 'yes' for forwardable option
* stageuser-activate: Normalize manager value
* Remove redundant parameters from CS.cfg in dogtaginstance
* Fix broken trust warnings
* spec: Add missing dependencies to python*-ipalib package
* SPEC: do not run upgrade when ipa server is not installed
* Fix stageuser-activate - managers test

=== Michael Simacek (1) ===
* Fix bytes/string handling in rpc

=== Milan Kubík (6) ===
* ipatests: Roll back the forwarder config after a test case
* ipatests: Fix configuration problems in dns tests
* ipatests: Make the A record for hosts in topology conditional
* ipatests: fix the install of external ca
* ipatests: Add missing certificate profile fixture
* ipatests: extend permission plugin test with new expected output

=== Oleg Fayans (17) ===
* CI tests: Enabled automatic creation of reverse zone during master installation
* CI tests: Added domain realm as a parameter to master installation in integration tests
* Fixed install_ca and install_kra under domain level 0
* fixed an issue with master installation not creating reverse zone
* Enabled recreation of test directory in apply_common_fixes function
* Updated connect/disconnect replica to work with both domainlevels
* Removed --ip-address option from replica installation
* Removed messing around with resolv.conf
* Integration tests for replica promotion feature
* Enabled setting domain level explicitly in test class
* Removed a constantly failing call to prepare_host
* Made apply_common_fixes call at replica installation independent on domain_level
* Workaround for ticket 5627
* Added copyright info to replica promotion tests
* rewrite a misprocessed teardown_method method as a custom decorator
* Reverted changes in mh fixture causing some tests to fail
* Fixed a bug with prepare_host failing upon existing ipatests folder

=== Pavel Vomacka (4) ===
* Add pan and zoom functionality to the topology graph
* Nodes stay fixed after initial animation.
* Add field for group id in user add dialog
* Resize topology graph canvas according to window size

=== Petr Viktorin (23) ===
* Use explicit truncating division
* Don't index exceptions directly
* Use print_function future definition wherever print() is used
* Alias "unicode" to "str" under Python 3
* Avoid builtins that were removed in Python 3
* dnsutil: Rename __nonzero__ to __bool__
* Remove deprecated contrib/RHEL4
* make-lint: Allow running pylint --py3k to detect Python3 issues
* Split ipa-client/ into ipaclient/ (Python library) and client/ (C, scripts)
* test_parameters: Ignore specific error message
* ipaldap, ldapupdate: Encoding fixes for Python 3
* ipautil.run, kernel_keyring: Encoding fixes for Python 3
* tests: Use absolute imports
* ipautil: Use mode 'w+' in write_tmp_file
* test_util: str/bytes check fixes for Python 3
* p11helper: Port to Python 3
* cli: Don't encode/decode for stdin/stdout on Python 3
* Package python3-ipaclient
* migration.py: Remove stray get_ipa_basedn import
* Move get_ipa_basedn from ipautil to ipadiscovery
* ipadiscovery: Decode to unicode in ipacheckldap(), get_ipa_basedn()
* ipapython.sysrestore: Use str methods instead of functions from the string module
* ipalib.x809: Accept bytes for make_pem

=== Petr Voborník (11) ===
* webui: add examples to network address validator error message
* webui: pwpolicy cospriority field was marked as required
* spec: do not require arch specific ipalib package from noarch packages
* webui: dislay server suffixes in server search page
* stop installer when setup-ds.pl fail
* webui: remove moot error from webui build
* webui: use API call ca_is_enabled instead of enable_ra env variable.
* advise: configure TLS in redhat_nss_pam_ldapd and redhat_nss_ldap plugins
* cookie parser: do not fail on cookie with empty value
* fix incorrect name of ipa-winsync-migrate command in help
* Become IPA 4.3.1

=== Petr Špaček (15) ===
* DNSSEC: Improve error reporting from ipa-ods-exporter
* DNSSEC: Make sure that current state in OpenDNSSEC matches key state in LDAP
* DNSSEC: Make sure that current key state in LDAP matches key state in BIND
* DNSSEC: remove obsolete TODO note
* DNSSEC: add debug mode to ldapkeydb.py
* DNSSEC: logging improvements in ipa-ods-exporter
* DNSSEC: remove keys purged by OpenDNSSEC from master HSM from LDAP
* DNSSEC: ipa-dnskeysyncd: Skip zones with old DNSSEC metadata in LDAP
* DNSSEC: ipa-ods-exporter: add ldap-cleanup command
* DNSSEC: ipa-dnskeysyncd: call ods-signer ldap-cleanup on zone removal
* DNSSEC: Log debug messages at log level DEBUG
* Fix --auto-reverse option in --unattended mode.
* Fix dns_is_enabled() API command to throw exceptions as appropriate
* Fix DNS zone overlap check to allow ipa-replica-install to work
* Fix ipa-adtrust-install to always generate SRV records with FQDNs

=== Simo Sorce (6) ===
* Use only AES enctypes by default
* Always verify we have a valid ldap context.
* Improve keytab code to select the right principal.
* Convert ipa-sam to use the new getkeytab control
* Allow admins to disable preauth for SPNs.
* Allow to specify Kerberos authz data type per user

=== Stanislav Laznicka (4) ===
* Listing and cleaning RUV extended for CA suffix
* Automatically detect and remove dangling RUVs
* Cosmetic changes to the code
* Fixes minor issues

=== Sumit Bose (1) ===
* ipa-kdb: map_groups() consider all results

=== Thierry Bordaz (2) ===
* configure DNA plugin shared config entries to allow connection with GSSAPI
* DS deadlock when memberof scopes topology plugin updates

=== Timo Aaltonen (6) ===
* Use HTTPD_USER in dogtaginstance.py
* Move freeipa certmonger helpers to libexecdir.
* ipa_restore: Import only FQDN from ipalib.constants
* ipaplatform: Move remaining user/group constants to ipaplatform.constants.
* Use ODS_USER/ODS_GROUP in opendnssec_conf.template
* Fix kdc.conf.template to use ipaplatform.paths.

=== Tomáš Babej (4) ===
* py3: Remove py3 incompatible exception handling
* ipa-adtrust-install: Allow dash in the NETBIOS name
* spec: Bump required sssd version to 1.13.3-5
* adtrustinstance: Make sure smb.conf exists

--
Petr Vobornik

From john.1209 at yahoo.com Thu Mar 24 23:41:30 2016
From: john.1209 at yahoo.com (John Williams)
Date: Thu, 24 Mar 2016 23:41:30 +0000 (UTC)
Subject: [Freeipa-users] IPA sporadic behavior
References: <2134722981.4993761.1458862890562.JavaMail.yahoo.ref@mail.yahoo.com>
Message-ID: <2134722981.4993761.1458862890562.JavaMail.yahoo@mail.yahoo.com>

I've got some sporadic behavior on my IPA instance and I'm hoping someone can help me resolve the issue. The problem is that many times my clients cannot authenticate to the respective hosts. First, my environment. Some details:

ipa2 - centos 6.3 - ipa server 3.0.0
ipa3 - centos 7.1 - ipa server 4.1.0

We had a FreeIPA server host ipa1 that died some time ago. I do not have any details on that host.

Again, the problem is that clients cannot authenticate very frequently.

Here are some examples of the problems I am having:
I client can login to the console of a CentOS 6.7 host, but cannot SSH into it.
One user can login to a host, but another user cannot.

Some diagnostics information:

Services running on IPA servers:

[root at ipa2 ~]# ps -ef | grep krb
root 6007 5936 0 19:21 pts/5 00:00:00 grep krb
root 22339 1 0 Feb06 ? 00:00:00 /usr/sbin/krb5kdc -r AAA -P /var/run/krb5kdc.pid -w 2
root 22344 22339 0 Feb06 ? 00:42:56 /usr/sbin/krb5kdc -r AAA -P /var/run/krb5kdc.pid -w 2
root 22345 22339 0 Feb06 ? 00:42:50 /usr/sbin/krb5kdc -r AAA -P /var/run/krb5kdc.pid -w 2

[root at ipa3 ~]# ps -ef | grep krb
root 2513 1 0 2015 ? 00:00:00 /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 2
root 2514 2513 0 2015 ? 00:01:20 /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 2
root 2515 2513 0 2015 ? 00:01:18 /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 2
root 5702 5609 0 19:20 pts/1 00:00:00 grep --color=auto krb

slapd is running on both servers:

[root at ipa3 ~]# ps -ef | grep slapd
dirsrv 2464 1 0 2015 ? 09:39:37 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-IDEF -i /var/run/dirsrv/slapd-IDEF.pid -w /var/run/dirsrv/slapd-IDEF.startpid
root 5707 5609 0 19:25 pts/1 00:00:00 grep --color=auto slapd
[root at ipa3 ~]#

[root at ipa2 ~]# ps -ef | grep slapd
root 6024 5936 0 19:26 pts/5 00:00:00 grep slapd
dirsrv 22137 1 3 Feb06 ? 1-20:48:55 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-AAA -i /var/run/dirsrv/slapd-AAA .pid -w /var/run/dirsrv/slapd-AAA .startpid
pkisrv 22209 1 0 Feb06 ? 00:44:54 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-PKI-IPA -i /var/run/dirsrv/slapd-PKI-IPA.pid -w /var/run/dirsrv/slapd-PKI-IPA.startpid
[root at ipa2 ~]#

System time is synchronized across all hosts.

For DNS, I have the following entries:

[root at sharedone ~]# dig ipa.BBB.AAA +short
192.168.120.253
[root at sharedone ~]# dig ipa2.BBB.AAA +short
192.168.120.253
[root at sharedone ~]# dig ipa3.BBB.AAA +short
192.168.120.139
[root at sharedone ~]#

Now the ipa.AAA.AAA server does not exist anymore because it died. But if I remove that DNS entry everything stops working and no one can authenticate, versus the sporadic issues we are having.

If you need more details or specific information, please let me know. I'm at a loss as to what causes this behavior.

Thanks,
JT

From tgeier at accertify.com Sat Mar 26 03:26:39 2016
From: tgeier at accertify.com (Timothy Geier)
Date: Sat, 26 Mar 2016 03:26:39 +0000
Subject: [Freeipa-users] IPA 4.2: pki-tomcatd in terrible shape
In-Reply-To:
References: <56B86DE0.4070909@redhat.com> <7F0EB8FC-8F2F-49D1-A124-562B5B0A55A2@accertify.com> <56B9AA53.1000400@redhat.com> <56BAFC6E.6030605@redhat.com> <56BE04AD.2020700@redhat.com> <1455951442.25282.2.camel@accertify.com> <56CB277F.2000309@redhat.com> <56CC3300.9060608@redhat.com>
Message-ID: <661F440B-58F9-4982-9AF8-A915F8C50918@accertify.com>

On Feb 28, 2016, at 2:15 AM, Timothy Geier wrote:

On Feb 23, 2016, at 4:22 AM, Ludwig Krispenz wrote:

On 02/22/2016 11:51 PM, Timothy Geier wrote:

What's the established procedure to start a 389 instance without any replication agreements enabled? The only thing that seemed close on google (http://directory.fedoraproject.org/docs/389ds/howto/howto-fix-and-reset-time-skew.html) seems risky and couldn't be done trivially in a production environment.

no, this is about how to get out of problems when replication could no longer synchronize its csn time generation, either by too many accumulated time drifts or playing with system time, hope you don't have to go thru this.

Enabling disabling a replication agreement can be done by setting the configuration parameter:
look for replication agreements (entries with objectclass=nsDS5ReplicationAgreement) and set
nsds5ReplicaEnabled: off

you can do this with an ldapmodify when the server is running or by editing /etc/dirsrv/slapd-/dse.ldif when the server is stopped

Thanks for the procedure..the good news is this worked quite well in making sure that 389 didn't crash immediately after startup. The bad news is that the certificates still didn't renew due to

Server at "http://master_server:8080/ca/ee/ca/profileSubmit" replied: Profile caServerCert Not Found

which was the same error in getcert list I saw that one time 389 didn't crash right away. At least now this can be further troubleshooted without worrying about 389.

To follow up on this issue, we haven't been able to get any further since last month due to the missing caServerCert profile..the configuration files /usr/share/pki/ca/profiles/ca/caServerCert.cfg and /var/lib/pki/pki-tomcat/ca/profiles/ca/caServerCert.cfg are present and are identical. The pki-ca package passes rpm -V as well. Are there any other troubleshooting steps we can take?

From martin at stefany.eu Sun Mar 27 19:14:47 2016
From: martin at stefany.eu (Martin Štefany)
Date: Sun, 27 Mar 2016 21:14:47 +0200
Subject: [Freeipa-users] DNS SubjectAltName missing in provisioned certificates
Message-ID: <1459106087.18839.25.camel@stefany.eu>

Hello,

I seem to be having some issues with IPA CA feature not generating certificates with DNS SubjectAltNames.
I'm sure this worked very well under CentOS 7.1 / IPA 4.0, but now under CentOS 7.2 / IPA 4.2 something's different. Here are the original steps which worked fine for my first use case :: $ ipa dnsrecord-add example.com mail --a-ip=172.17.100.25 $ ipa host-add mail.example.com $ ipa service-add?smtp/mail.example.com $ ipa service-add?smtp/mail1.example.com $?ipa service-add-host?smtp/mail.example.com --hosts=mail1.example.com $ ipa-getcert request -k /etc/pki/tls/private/postfix.key \ ? ? ? ? ? ? ? ? ? ? ? -f /etc/pki/tls/certs/postfix.pem???\ ? ? ? ? ? ? ? ? ? ? ? -N CN=mail1.example.com,O=EXAMPLE.COM \ ? ? ? ? ? ? ? ? ? ? ? -D mail1.example.com -D mail.example.com \ ? ? ? ? ? ? ? ? ? ? ? -K smtp/mail1.example.com (and repeat for every next member of the cluster...) After this, I would get certificate with something like :: $ sudo ipa-getcert list Number of certificates and requests being tracked: 3. Request ID '20150419153933': status: MONITORING stuck: no key pair storage: type=FILE,location='/etc/pki/tls/private/postfix.key' certificate: type=FILE,location='/etc/pki/tls/certs/postfix.pem' CA: IPA issuer: CN=Certificate Authority,O=EXAMPLE.COM subject: CN=mail1.example.com,O=EXAMPLE.COM expires: 2017-04-19 15:39:35 UTC dns: mail1.example.com,mail.example.com principal name: smtp/mail1.example.com at EXAMPLE.COM key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command:? post-save command:? track: yes auto-renew: yes with Subject line in form of: 'CN=,O=EXAMPLE.COM' and 'dns' info line present. Suddenly, in the current setup, after upgrade from 4.0 to 4.2, I'm getting this :: $ ipa dnsrecord-add example.com w3 --a-ip=172.17.17.80 --a-create- reverse $ ipa host-add?w3.example.com $ ipa service-add?HTTP/w3.example.com $ ipa service-add HTTP/http1.example.com $ ipa service-add-host?HTTP/w3.example.com --hosts=http1.example.com $ ipa-getcert request -k /etc/pki/tls/private/httpd.key \ ? ? ? ? ? 
? ? ? ? ? ? -f /etc/pki/tls/certs/httpd.pem???\ ? ? ? ? ? ? ? ? ? ? ? -N CN=http1.example.com,O=EXAMPLE.COM \ ? ? ? ? ? ? ? ? ? ? ? -D http1.example.com -D w3.example.com \ ? ? ? ? ? ? ? ? ? ? ? -K HTTP/http1.example.com $ sudo ipa-getcert list Number of certificates and requests being tracked: 3. Request ID '20160327095125': status: MONITORING stuck: no key pair storage: type=FILE,location='/etc/pki/tls/private/http.key' certificate: type=FILE,location='/etc/pki/tls/certs/http.pem' CA: IPA issuer: CN=Certificate Authority,O=EXAMPLE.COM subject: CN=http1.example.com,OU=pki-ipa,O=IPA expires: 2018-03-28 09:51:27 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command:? post-save command:? track: yes auto-renew: yes Where's the 'CN=,OU=pki-ipa,O=IPA' coming from instead of 'CN=,O=EXAMPLE.COM' and why are DNS SubjectAltNames missing? To be clear, if I don't do :: $ ipa service-add-host?HTTP/w3.example.com --hosts=http1.example.com then certificate is just not issued with 'REJECTED', but once this is done properly in described steps, DNS SANs are not happening. I've tried ipa-getcert from both CentOS 7.2 and Fedora 23, but only against my current IPA 4.2 on CentOS 7.2. For the actual certificates :: $ sudo openssl x509 -in /etc/pki/tls/certs/postfix.pem -noout -text Certificate: ????Data: ????????Version: 3 (0x2) ????????Serial Number: 15 (0xf) ????Signature Algorithm: sha256WithRSAEncryption ????????Issuer: O=EXAMPLE.COM, CN=Certificate Authority ????????Validity ????????????Not Before: Apr 19 15:39:35 2015 GMT ????????????Not After : Apr 19 15:39:35 2017 GMT ????????Subject: O=EXAMPLE.COM, CN=mail1.example.com ????????Subject Public Key Info: ????????????Public Key Algorithm: rsaEncryption ????????????????Public-Key: (2048 bit) ????????????????Modulus: ? ? ? ? ? ? ? ? ? ? 
[cut] ????????????????Exponent: 65537 (0x10001) ????????X509v3 extensions: ????????????X509v3 Authority Key Identifier:? ????????????????keyid:[cut] ????????????Authority Information Access:? ????????????????OCSP - URI:http://ipa-ca.example.com/ca/ocsp ????????????X509v3 Key Usage: critical ????????????????Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment ????????????X509v3 Extended Key Usage:? ????????????????TLS Web Server Authentication, TLS Web Client Authentication ????????????X509v3 CRL Distribution Points:? ????????????????Full Name: ??????????????????URI:http://ipa-ca.example.com/ipa/crl/MasterCRL.bin ????????????????CRL Issuer: ??????????????????DirName: O = ipaca, CN = Certificate Authority ????????????X509v3 Subject Key Identifier:? ????????????????[cut] ????????????X509v3 Subject Alternative Name:? ????????????????DNS:mail1.example.com, DNS:mail.example.com, othername:, othername: ????Signature Algorithm: sha256WithRSAEncryption ? ? ? ? ?[cut] vs. $ sudo openssl x509 -in /etc/pki/tls/certs/http.pem -text -noout Certificate: ????Data: ????????Version: 3 (0x2) ????????Serial Number: 71 (0x47) ????Signature Algorithm: sha256WithRSAEncryption ????????Issuer: O=EXAMPLE.COM, CN=Certificate Authority ????????Validity ????????????Not Before: Mar 27 09:51:27 2016 GMT ????????????Not After : Mar 28 09:51:27 2018 GMT ????????Subject: O=IPA, OU=pki-ipa, CN=http1.example.com ????????Subject Public Key Info: ????????????Public Key Algorithm: rsaEncryption ????????????????Public-Key: (2048 bit) ????????????????Modulus: ? ? ? ? ? ? ? ? ? ? [cut] ????????????????Exponent: 65537 (0x10001) ????????X509v3 extensions: ????????????X509v3 Authority Key Identifier:? ????????????????keyid:[cut] ????????????Authority Information Access:? 
                OCSP - URI:http://idmc1.example.com:80/ca/ocsp
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
    Signature Algorithm: sha256WithRSAEncryption
         [cut]

so even reference to CRL is missing here, but OCSP is present.

Sorry if this is duplicate, but from what I was able to find, DNS SubjectAltNames are reported working since CentOS 7.1, and I think I'm consistent with http://www.freeipa.org/page/PKI, unless I miss something obvious here.

For new features like certificate profiles and ACLs, I haven't changed any defaults as far as I know as there was no need for that.

Thank you for any support in advance! And Happy Easter!

Martin

From rcritten at redhat.com Mon Mar 28 13:15:43 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 28 Mar 2016 09:15:43 -0400
Subject: [Freeipa-users] IPA sporadic behavior
In-Reply-To: <2134722981.4993761.1458862890562.JavaMail.yahoo@mail.yahoo.com>
References: <2134722981.4993761.1458862890562.JavaMail.yahoo.ref@mail.yahoo.com> <2134722981.4993761.1458862890562.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <56F92E7F.60807@redhat.com>

John Williams wrote:
> I've got some sporadic behavior on my IPA instance and I'm hoping
> someone can help me resolve the issue. The problem is that many times
> my clients cannot authenticate to the respective hosts. First, my
> environment. Some details:
>
> ipa2 - centos 6.3 - ipa server 3.0.0
> ipa3 - centos 7.1 - ipa server 4.1.0
>
> We had a FreeIPA server host ipa1 that died some time ago. I do not
> have any details on that host.
> > Again, the problem is that clients cannot authenticate very frequently. > > Here are some examples of the problems I am having: > I client can login to the console of a CentOS 6.7 host, but cannot > SSH into it. > One user can login to a host, but another user cannot. > > Some diagnostics information: > > Services running on IPA servers: > > [root at ipa2 ~]# ps -ef | grep krb > root 6007 5936 0 19:21 pts/5 00:00:00 grep krb > root 22339 1 0 Feb06 ? 00:00:00 /usr/sbin/krb5kdc -r AAA > -P /var/run/krb5kdc.pid -w 2 > root 22344 22339 0 Feb06 ? 00:42:56 /usr/sbin/krb5kdc -r AAA > -P /var/run/krb5kdc.pid -w 2 > root 22345 22339 0 Feb06 ? 00:42:50 /usr/sbin/krb5kdc -r AAA > -P /var/run/krb5kdc.pid -w 2 > > [root at ipa3 ~]# ps -ef | grep krb > root 2513 1 0 2015 ? 00:00:00 /usr/sbin/krb5kdc -P > /var/run/krb5kdc.pid -w 2 > root 2514 2513 0 2015 ? 00:01:20 /usr/sbin/krb5kdc -P > /var/run/krb5kdc.pid -w 2 > root 2515 2513 0 2015 ? 00:01:18 /usr/sbin/krb5kdc -P > /var/run/krb5kdc.pid -w 2 > root 5702 5609 0 19:20 pts/1 00:00:00 grep --color=auto krb > > slapd is running on both servers: > > [root at ipa3 ~]# ps -ef | grep slapd > dirsrv 2464 1 0 2015 ? 09:39:37 /usr/sbin/ns-slapd -D > /etc/dirsrv/slapd-IDEF -i /var/run/dirsrv/slapd-IDEF.pid -w > /var/run/dirsrv/slapd-IDEF.startpid > root 5707 5609 0 19:25 pts/1 00:00:00 grep --color=auto slapd > [root at ipa3 ~]# > > > [root at ipa2 ~]# ps -ef | grep slapd > root 6024 5936 0 19:26 pts/5 00:00:00 grep slapd > dirsrv 22137 1 3 Feb06 ? 1-20:48:55 /usr/sbin/ns-slapd -D > /etc/dirsrv/slapd-AAA -i /var/run/dirsrv/slapd-AAA .pid -w > /var/run/dirsrv/slapd-AAA .startpid > pkisrv 22209 1 0 Feb06 ? 00:44:54 /usr/sbin/ns-slapd -D > /etc/dirsrv/slapd-PKI-IPA -i /var/run/dirsrv/slapd-PKI-IPA.pid -w > /var/run/dirsrv/slapd-PKI-IPA.startpid > [root at ipa2 ~]# > > System time is synchronized across all hosts. 

Check this https://fedorahosted.org/sssd/wiki/Troubleshooting

>
> For DNS, I have the following entries:
>
> [root at sharedone ~]# dig ipa.BBB.AAA +short
> 192.168.120.253
> [root at sharedone ~]# dig ipa2.BBB.AAA +short
> 192.168.120.253
> [root at sharedone ~]# dig ipa3.BBB.AAA +short
> 192.168.120.139
> [root at sharedone ~]#
>
> Now the ipa.AAA.AAA server does not exist anymore because it died. But
> if I remove that DNS entry everything stops working and no one can
> authenticate, versus the sporadic issues we are having.
>
> If you need more details or specific information, please let me know.
> I'm at a loss as to what causes this behavior.

You probably need to remove old SRV records for this host.

I assume you are working on switching the 3.0 host also to 4.x?

rob

From rcritten at redhat.com Mon Mar 28 15:00:33 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 28 Mar 2016 11:00:33 -0400
Subject: [Freeipa-users] IPA 4.2: pki-tomcatd in terrible shape
In-Reply-To: <661F440B-58F9-4982-9AF8-A915F8C50918@accertify.com>
References: <56B86DE0.4070909@redhat.com> <7F0EB8FC-8F2F-49D1-A124-562B5B0A55A2@accertify.com> <56B9AA53.1000400@redhat.com> <56BAFC6E.6030605@redhat.com> <56BE04AD.2020700@redhat.com> <1455951442.25282.2.camel@accertify.com> <56CB277F.2000309@redhat.com> <56CC3300.9060608@redhat.com> <661F440B-58F9-4982-9AF8-A915F8C50918@accertify.com>
Message-ID: <56F94711.6020005@redhat.com>

Timothy Geier wrote:
>
>> On Feb 28, 2016, at 2:15 AM, Timothy Geier wrote:
>>
>>
>>> On Feb 23, 2016, at 4:22 AM, Ludwig Krispenz wrote:
>>>
>>>
>>> On 02/22/2016 11:51 PM, Timothy Geier wrote:
>>>>
>>>> What's the established procedure to start a 389 instance without any
>>>> replication agreements enabled? The only thing that seemed close on
>>>> google
>>>> (http://directory.fedoraproject.org/docs/389ds/howto/howto-fix-and-reset-time-skew.html)
>>>> seems risky and couldn't be done
>>>> trivially in a production environment.
>>> no, this is about how to get out of problems when replication could
>>> no longer synchronize its csn time generation, either by too many
>>> accumulate time drifts or playing with system time, hope you don't
>>> have to go thru this.
>>>
>>> Enabling disabling a replication agreement can be done by setting the
>>> configuration parameter:
>>>
>>> look for replication agreements (entries with
>>> objectclass=nsDS5ReplicationAgreement) and set
>>> nsds5ReplicaEnabled: off
>>>
>>> you can do this with an ldapmodify when the server is running or by
>>> editing /etc/dirsrv/slapd-/dse.ldif when the server is stopped
>>
>> Thanks for the procedure..the good news is this worked quite well in
>> making sure that 389 didn't crash immediately after startup. The bad
>> news is that the certificates still didn't renew due to
>>
>> Server at "http://master_server:8080/ca/ee/ca/profileSubmit"
>> replied: Profile caServerCert Not Found
>>
>> which was the same error in getcert list I saw that one time 389
>> didn't crash right away. At least now this can be further
>> troubleshooted without worrying about 389.
>>
>>
>
> To follow up on this issue, we haven't been able to get any further
> since last month due to the missing caServerCert profile..the
> configuration files /usr/share/pki/ca/profiles/ca/caServerCert.cfg
> and /var/lib/pki/pki-tomcat/ca/profiles/ca/caServerCert.cfg are present
> and are identical. The pki-ca package
> passes rpm -V as well. Are there any other troubleshooting steps we
> can take?

Maybe Endi or Ade have some ideas why the CA isn't recognizing the profile.

rob

From edewata at redhat.com Mon Mar 28 15:55:06 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 28 Mar 2016 10:55:06 -0500
Subject: [Freeipa-users] IPA 4.2: pki-tomcatd in terrible shape
In-Reply-To: <56F94711.6020005@redhat.com>
References: <56B86DE0.4070909@redhat.com> <7F0EB8FC-8F2F-49D1-A124-562B5B0A55A2@accertify.com> <56B9AA53.1000400@redhat.com> <56BAFC6E.6030605@redhat.com> <56BE04AD.2020700@redhat.com> <1455951442.25282.2.camel@accertify.com> <56CB277F.2000309@redhat.com> <56CC3300.9060608@redhat.com> <661F440B-58F9-4982-9AF8-A915F8C50918@accertify.com> <56F94711.6020005@redhat.com>
Message-ID: <56F953DA.9010402@redhat.com>

On 3/28/2016 10:00 AM, Rob Crittenden wrote:
> Timothy Geier wrote:
>>> Thanks for the procedure..the good news is this worked quite well in
>>> making sure that 389 didn't crash immediately after startup. The bad
>>> news is that the certificates still didn't renew due to
>>>
>>> Server at "http://master_server:8080/ca/ee/ca/profileSubmit"
>>>
>>> replied: Profile caServerCert Not Found
>>>
>>> which was the same error in getcert list I saw that one time 389
>>> didn't crash right away. At least now this can be further
>>> troubleshooted without worrying about 389.
>>>
>>>
>>
>> To follow up on this issue, we haven't been able to get any further
>> since last month due to the missing caServerCert profile..the
>> configuration files /usr/share/pki/ca/profiles/ca/caServerCert.cfg
>> and /var/lib/pki/pki-tomcat/ca/profiles/ca/caServerCert.cfg are present
>> and are identical. The pki-ca package
>> passes rpm -V as well. Are there any other troubleshooting steps we
>> can take?
>
> Maybe Endi or Ade have some ideas why the CA isn't recognizing the profile.
>
> rob
>

Fraser, is it possible the profile is missing from LDAP?

Timothy, could you provide us with the CA debug logs (/var/log/pki/pki-tomcat/ca/debug) and CA configuration file (/var/lib/pki/pki-tomcat/ca/conf/CS.cfg)?

Thanks!

--
Endi S.
Dewata

From tscherf at redhat.com Mon Mar 28 17:53:35 2016
From: tscherf at redhat.com (Thorsten Scherf)
Date: Mon, 28 Mar 2016 19:53:35 +0200
Subject: [Freeipa-users] IPA 4.2: pki-tomcatd in terrible shape
In-Reply-To: <661F440B-58F9-4982-9AF8-A915F8C50918@accertify.com>
References: <56BAFC6E.6030605@redhat.com> <56BE04AD.2020700@redhat.com> <1455951442.25282.2.camel@accertify.com> <56CB277F.2000309@redhat.com> <56CC3300.9060608@redhat.com> <661F440B-58F9-4982-9AF8-A915F8C50918@accertify.com>
Message-ID: <20160328175335.GA14509@kermit.tuxgeek.de>

On [Sat, 26.03.2016 03:26], Timothy Geier wrote:
> To follow up on this issue, we haven't been able to get any further since
> last month due to the missing caServerCert profile..the configuration
> files /usr/share/pki/ca/profiles/ca/caServerCert.cfg
> and /var/lib/pki/pki-tomcat/ca/profiles/ca/caServerCert.cfg are present
> and are identical. The pki-ca package
> passes rpm -V as well. Are there any other troubleshooting steps we can
> take?

Can you please check if the profile is available in the LDAP trees:

# ldapsearch -LLLx -D "cn=Directory Manager" -W -b cn=certprofiles,cn=ca,$suffix
# ldapsearch -LLLx -D "cn=Directory Manager" -W -b ou=certificateProfiles,ou=ca,o=ipaca

If this is the case, please check if the profile is accessible by the host:

# kinit -kt /etc/krb5.keytab; klist; ipa certprofile-show caIPAserviceCert

I either suspect that the profiles have not been properly migrated to the LDAP tree or that some ACIs are missing to allow access to the profiles.

Cheers,
Thorsten

From tgeier at accertify.com Mon Mar 28 18:18:57 2016
From: tgeier at accertify.com (Timothy Geier)
Date: Mon, 28 Mar 2016 18:18:57 +0000
Subject: [Freeipa-users] IPA 4.2: pki-tomcatd in terrible shape
In-Reply-To: <20160328175335.GA14509@kermit.tuxgeek.de>
References: <56BAFC6E.6030605@redhat.com> <56BE04AD.2020700@redhat.com> <1455951442.25282.2.camel@accertify.com> <56CB277F.2000309@redhat.com> <56CC3300.9060608@redhat.com> <661F440B-58F9-4982-9AF8-A915F8C50918@accertify.com> <20160328175335.GA14509@kermit.tuxgeek.de>
Message-ID: <1C9A066C-9AE2-490A-87B7-91BE3C9DE217@accertify.com>

> On Mar 28, 2016, at 12:53 PM, Thorsten Scherf wrote:
>
> On [Sat, 26.03.2016 03:26], Timothy Geier wrote:
>> To follow up on this issue, we haven't been able to get any further since
>> last month due to the missing caServerCert profile..the configuration
>> files /usr/share/pki/ca/profiles/ca/caServerCert.cfg
>> and /var/lib/pki/pki-tomcat/ca/profiles/ca/caServerCert.cfg are present
>> and are identical. The pki-ca package
>> passes rpm -V as well. Are there any other troubleshooting steps we can
>> take?
>
> Can you please check if the profile is available in the LDAP trees:
>
> # ldapsearch -LLLx -D "cn=Directory Manager" -W -b cn=certprofiles,cn=ca,$suffix

dn: cn=certprofiles,cn=ca,$suffix
objectClass: nsContainer
objectClass: top
cn: certprofiles

> # ldapsearch -LLLx -D "cn=Directory Manager" -W -b ou=certificateProfiles,ou=ca,o=ipaca

dn: ou=certificateProfiles,ou=ca,o=ipaca
objectClass: top
objectClass: organizationalUnit
ou: certificateProfiles

>
> If this is the case, please check if the profile is accessible by the
> host:
>
> # kinit -kt /etc/krb5.keytab; klist; ipa certprofile-show caIPAserviceCert
>

ipa: ERROR: caIPAserviceCert: Certificate Profile not found

> I either suspect that the profiles have not been properly migrated to
> the LDAP tree or that some ACIs are missing to allow access to the
> profiles.
>

I suspect you're right..I ran these same commands on a reference system and there was
a lot more output in the ldapsearches and the ipa certprofile-show command came back with
  Profile ID: caIPAserviceCert
  Profile description: Standard profile for network services
  Store issued certificates: TRUE

Thanks,

> Cheers,
> Thorsten

From ftweedal at redhat.com Tue Mar 29 00:01:48 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Tue, 29 Mar 2016 10:01:48 +1000
Subject: [Freeipa-users] IPA 4.2: pki-tomcatd in terrible shape
In-Reply-To: <56F953DA.9010402@redhat.com>
References: <56BE04AD.2020700@redhat.com> <1455951442.25282.2.camel@accertify.com> <56CB277F.2000309@redhat.com> <56CC3300.9060608@redhat.com> <661F440B-58F9-4982-9AF8-A915F8C50918@accertify.com> <56F94711.6020005@redhat.com> <56F953DA.9010402@redhat.com>
Message-ID: <20160329000148.GO18277@dhcp-40-8.bne.redhat.com>

On Mon, Mar 28, 2016 at 10:55:06AM -0500, Endi Sukma Dewata wrote:
> On 3/28/2016 10:00 AM, Rob Crittenden wrote:
> >Timothy Geier wrote:
> >>>Thanks for the procedure..the good news is this worked quite
> >>>well in making sure that 389 didn't crash immediately after
> >>>startup. The bad news is that the certificates still didn't
> >>>renew due to
> >>>
> >>>Server at "http://master_server:8080/ca/ee/ca/profileSubmit"
> >>>
> >>>replied: Profile caServerCert Not Found
> >>>
> >>>which was the same error in getcert list I saw that one time
> >>>389 didn't crash right away.
> >>>At least now this can be further
> >>>troubleshooted without worrying about 389.
> >>>
> >>>
> >>
> >>To follow up on this issue, we haven't been able to get any
> >>further since last month due to the missing caServerCert
> >>profile..the configuration files
> >>/usr/share/pki/ca/profiles/ca/caServerCert.cfg and
> >>/var/lib/pki/pki-tomcat/ca/profiles/ca/caServerCert.cfg are
> >>present and are identical. The pki-ca package passes rpm -V as
> >>well. Are there any other troubleshooting steps we can take?
> >
> >Maybe Endi or Ade have some ideas why the CA isn't recognizing
> >the profile.
> >
> >rob
> >
>
> Fraser, is it possible the profile is missing from LDAP?
>

There is a ticket for a situation where migration of profiles to LDAP does not occur:
https://bugzilla.redhat.com/show_bug.cgi?id=1300252

See also upstream ticket:
https://fedorahosted.org/freeipa/ticket/5682

The fix is awaiting release for RHEL.

A possible workaround is to modify /var/lib/pki/pki-tomcat/ca/conf/CS.cfg, replacing the value:

    com.netscape.cmscore.profile.LDAPProfileSubsystem

with:

    com.netscape.cmscore.profile.ProfileSubsystem

Then running `ipa-server-upgrade`. The upgrade program should observe that LDAP-based profiles are not enabled, re-enable the LDAPProfileSubsystem and import all file-based profiles into the database.

If you are able to try this procedure, let me know how it goes.

Cheers,
Fraser

> Timothy, could you provide us with the CA debug logs
> (/var/log/pki/pki-tomcat/ca/debug) and CA configuration file
> (/var/lib/pki/pki-tomcat/ca/conf/CS.cfg)?
>
> Thanks!
>
> --
> Endi S.
> Dewata

From tscherf at redhat.com Tue Mar 29 07:00:20 2016
From: tscherf at redhat.com (Thorsten Scherf)
Date: Tue, 29 Mar 2016 09:00:20 +0200
Subject: [Freeipa-users] IPA 4.2: pki-tomcatd in terrible shape
In-Reply-To: <1C9A066C-9AE2-490A-87B7-91BE3C9DE217@accertify.com>
References: <56BE04AD.2020700@redhat.com> <1455951442.25282.2.camel@accertify.com> <56CB277F.2000309@redhat.com> <56CC3300.9060608@redhat.com> <661F440B-58F9-4982-9AF8-A915F8C50918@accertify.com> <20160328175335.GA14509@kermit.tuxgeek.de> <1C9A066C-9AE2-490A-87B7-91BE3C9DE217@accertify.com>
Message-ID: <20160329070020.GA9499@kermit.tuxgeek.de>

On [Mon, 28.03.2016 18:18], Timothy Geier wrote:
>
>> On Mar 28, 2016, at 12:53 PM, Thorsten Scherf wrote:
>>
>> On [Sat, 26.03.2016 03:26], Timothy Geier wrote:
>>> To follow up on this issue, we haven't been able to get any further since
>>> last month due to the missing caServerCert profile..the configuration
>>> files /usr/share/pki/ca/profiles/ca/caServerCert.cfg
>>> and /var/lib/pki/pki-tomcat/ca/profiles/ca/caServerCert.cfg are present
>>> and are identical. The pki-ca package
>>> passes rpm -V as well. Are there any other troubleshooting steps we can
>>> take?
>>
>> Can you please check if the profile is available in the LDAP trees:
>>
>> # ldapsearch -LLLx -D "cn=Directory Manager" -W -b cn=certprofiles,cn=ca,$suffix
>
>dn: cn=certprofiles,cn=ca,$suffix
>objectClass: nsContainer
>objectClass: top
>cn: certprofiles
>
>> # ldapsearch -LLLx -D "cn=Directory Manager" -W -b ou=certificateProfiles,ou=ca,o=ipaca
>
>dn: ou=certificateProfiles,ou=ca,o=ipaca
>objectClass: top
>objectClass: organizationalUnit
>ou: certificateProfiles
>
>>
>> If this is the case, please check if the profile is accessible by the
>> host:
>>
>> # kinit -kt /etc/krb5.keytab; klist; ipa certprofile-show caIPAserviceCert
>>
>
>ipa: ERROR: caIPAserviceCert: Certificate Profile not found
>
>> I either suspect that the profiles have not been properly migrated to
>> the LDAP tree or that some ACIs are missing to allow access to the
>> profiles.
>>
>
>I suspect you're right..I ran these same commands on a reference system and there was
>a lot more output in the ldapsearches and the ipa certprofile-show command came back with
> Profile ID: caIPAserviceCert
> Profile description: Standard profile for network services
> Store issued certificates: TRUE

Yes, this is a known issue which has been fixed in the most recent FreeIPA releases 4.2.4 and 4.3.1. I would recommend to upgrade your system to one of those releases. If this is not feasible, I can send you instructions how to fix the issue manually.

Cheers,
Thorsten

From Shahzad.Malik at m5networks.com.au Tue Mar 29 07:07:49 2016
From: Shahzad.Malik at m5networks.com.au (Shahzad Malik)
Date: Tue, 29 Mar 2016 18:07:49 +1100
Subject: [Freeipa-users] IPA users central Home Directories
Message-ID:

Hi

I have recently configured IPA master and replica server. I am trying to configure IPA users central home directories which means when a user authenticates through IPA on any client, will have same home directory. To achieve this goal, I have configured a NFS server, joined and configured nfs with IPA.
I have Rhel 7 and CentOS 7 clients. Rhel clients are working as expected, when IPA users are authenticated on Rhel clients they can get home directory from nfs server. df -h shows any entry of nfs user home directory mounted.

When a client is Centos 7, users are able to authenticate from IPA and can login but can't get home directory from NFS server. I can manually mount a dir with nfs server which verifies communication is working between centos client and nfs. All necessary ports are open and centos configurations are pretty much same as Rhel clients. I even disabled selinux, but no luck. Has anyone experienced same issue?

Another question: At the moment, there is single nfs server which is single point of failure, what best method I can use for HA of user home directories?

Many Thanks

Regards,
Shez

From peljasz at yahoo.co.uk Tue Mar 29 09:12:36 2016
From: peljasz at yahoo.co.uk (lejeczek)
Date: Tue, 29 Mar 2016 10:12:36 +0100
Subject: [Freeipa-users] can migrate-ds be safely re-run if it failed...
In-Reply-To: <20160315143634.GF4492@redhat.com>
References: <56E6EDE1.6060103@yahoo.co.uk> <56E6EFA6.2050203@redhat.com> <56E7D4B8.80707@yahoo.co.uk> <56E8114F.9000304@redhat.com> <56E818B6.4040200@yahoo.co.uk> <20160315143634.GF4492@redhat.com>
Message-ID: <56FA4704.3010601@yahoo.co.uk>

On 15/03/16 14:36, Alexander Bokovoy wrote:
> On Tue, 15 Mar 2016, lejeczek wrote:
>> On 15/03/16 13:42, Rob Crittenden wrote:
>>> lejeczek wrote:
>>>> On 14/03/16 17:06, Rob Crittenden wrote:
>>>>> lejeczek wrote:
>>>>>> with...
>>>>>>
>>>>>> ipa: ERROR: group LDAP search did not return any
>>>>>> result (search base:
>>>>>> ou=groups,dc=ccnr,dc=biotechnology, objectclass:
>>>>>> groupofuniquenames,
>>>>>> groupofnames)
>>>>>>
>>>>>> I see users went in but later I realized that current
>>>>>> samba's ou was
>>>>>> "group" not groups.
>>>>>> Can I just re-run migrations?
>>>>> Yes. It will skip over anything that already exists in
>>>>> IPA.
>>>> thanks Rob, may I ask why process by defaults looks up >>>> only objectclass: >>>> groupofuniquenames, groupofnames? >>> It is conservative but this is why it can be overridden. >>> >>>> Is there a reason it skips ldap+samba typical posixGroup & >>>> sambaGroupMapping? >>> We haven't had many (any?) reports of migrating from >>> ldap+samba. >>> >>>> Lastly, is there a way to preserve account >>>> locked/disabled status for >>>> posix/samba? >>> I don't know how it is stored but as long as the schema >>> is available in >>> IPA then the values should be preserved on migration >>> unless the >>> attributes are associated with a blacklisted objectclass. >>> >>> rob >>> >> last - this must most FAQ people wonder - can IPA's 389 >> backend be used in the same/similar fashion samba uses >> ldap? skipping all the kerberos bits? (samba & IPA on the >> same one box) > For Samba and IPA on the same box, this is configured > properly with > ipa-adtrust-install. when I started I thought to make this samba<=>ipa chatter more constructive I should do ... so I wound up with samba(@openldap) having/using the same DN as IPA has in 389. Will it work to do ipa-addtrust-install on that one box with samba+ipa ? many thanks L. > > It uses ipasam PASSDB module instead of ldapsam. This > module knows IPA > LDAP schema and is capable to do more than ldapsam, but > effectively you > can use resulting Samba setup in the same way as you do > with ldapsam. > > The configuration is: > > 1. Install ipa-server-trust-ad (freeipa-server-trust-ad on > Fedora) > 2. Run ipa-adtrust-install to configure both IPA and Samba. > 3. Use 'net conf' tool to manage shares. > 4. Use POSIX ACLs to set up access rights on the file > system. See > https://www.redhat.com/archives/freeipa-users/2013-April/msg00270.html > > for inspiration. 
>

From abokovoy at redhat.com Tue Mar 29 09:37:19 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 29 Mar 2016 12:37:19 +0300
Subject: [Freeipa-users] can migrate-ds be safely re-run if it failed...
In-Reply-To: <56FA4704.3010601@yahoo.co.uk>
References: <56E6EDE1.6060103@yahoo.co.uk> <56E6EFA6.2050203@redhat.com> <56E7D4B8.80707@yahoo.co.uk> <56E8114F.9000304@redhat.com> <56E818B6.4040200@yahoo.co.uk> <20160315143634.GF4492@redhat.com> <56FA4704.3010601@yahoo.co.uk>
Message-ID: <20160329093719.GH27275@redhat.com>

On Tue, 29 Mar 2016, lejeczek wrote:
>>>last - this must most FAQ people wonder - can IPA's 389 backend be
>>>used in the same/similar fashion samba uses ldap? skipping all the
>>>kerberos bits? (samba & IPA on the same one box)
>>For Samba and IPA on the same box, this is configured properly with
>>ipa-adtrust-install.
>when I started I thought to make this samba<=>ipa chatter more
>constructive I should do ... so I wound up with samba(@openldap)
>having/using the same DN as IPA has in 389.
>Will it work to do ipa-addtrust-install on that one box with samba+ipa
>?

Can you please re-phrase your question? What "it"? What "would work"?

I've said several times that on IPA master all you need to run is ipa-adtrust-install and then use 'net conf addshare/delshare/setparm' to configure specific shares, and use POSIX ACLs in your file system to define access rules.

See https://www.redhat.com/archives/freeipa-users/2013-April/msg00270.html for a demo

--
/ Alexander Bokovoy

From pvoborni at redhat.com Tue Mar 29 10:42:55 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Tue, 29 Mar 2016 12:42:55 +0200
Subject: [Freeipa-users] 7.x replica install from 6.x master fails
In-Reply-To:
References:
Message-ID: <56FA5C2F.3070200@redhat.com>

On 03/24/2016 04:29 PM, Ott, Dennis wrote:
> I am trying to migrate from OS 6.x / IPA 3.0 to OS 7.x / IPA 4.x.
> After working
> through and solving a few issues, my current efforts fail when setting up the
> replica CA.
>
> If I set up a new, pristine master on OS 6.7, I am able to create an OS 7.x
> replica without any problem. However, if I try to create a replica from my two
> year old test lab instance (production will be another matter for the future) it
> fails. The test lab master was created a couple of years ago on OS 6.3 / IPA 2.x
> and has been upgraded to the latest versions in the 6.x chain. It is old enough
> to have had all the certificates renewed, but I believe I have worked through
> all the issues related to that.
>
> Below is what I believe are the useful portions of the pertinent logs. I've not
> been able to find anything online that speaks to the errors I am seeing
>
> Thanks for your help.

Hello Dennis,

what are the exact versions of pki-ca and ipa-server on the 6.x master and 7.x replica?

What kind of CA installation does the old 6.x master install have? Is standard installation with CA or does it also use external CA?

I assume it is not self-sign (very old unsupported type, which could be converted in 7.x as CA-less).

>
> /var/log/ipareplica-install.log
>
> 2016-03-23T21:55:11Z DEBUG Configuring certificate server (pki-tomcatd).
> Estimated time: 3 minutes 30 seconds > > 2016-03-23T21:55:11Z DEBUG [1/23]: creating certificate server user > > 2016-03-23T21:55:11Z DEBUG group pkiuser exists > > 2016-03-23T21:55:11Z DEBUG user pkiuser exists > > 2016-03-23T21:55:11Z DEBUG duration: 0 seconds > > 2016-03-23T21:55:11Z DEBUG [2/23]: configuring certificate server instance > > 2016-03-23T21:55:11Z DEBUG Loading StateFile from > '/var/lib/ipa/sysrestore/sysrestore.state' > > 2016-03-23T21:55:11Z DEBUG Saving StateFile to > '/var/lib/ipa/sysrestore/sysrestore.state' > > 2016-03-23T21:55:11Z DEBUG Contents of pkispawn configuration file (/tmp/tmpGQ59ZC): > > [CA] > > pki_security_domain_name = IPA > > pki_enable_proxy = True > > pki_restart_configured_instance = False > > pki_backup_keys = True > > pki_backup_password = XXXXXXXX > > pki_profiles_in_ldap = True > > pki_client_database_dir = /tmp/tmp-g0CKZ3 > > pki_client_database_password = XXXXXXXX > > pki_client_database_purge = False > > pki_client_pkcs12_password = XXXXXXXX > > pki_admin_name = admin > > pki_admin_uid = admin > > pki_admin_email = root at localhost > > pki_admin_password = XXXXXXXX > > pki_admin_nickname = ipa-ca-agent > > pki_admin_subject_dn = cn=ipa-ca-agent,O=EXAMPLE.COM > > pki_client_admin_cert_p12 = /root/ca-agent.p12 > > pki_ds_ldap_port = 389 > > pki_ds_password = XXXXXXXX > > pki_ds_base_dn = o=ipaca > > pki_ds_database = ipaca > > pki_subsystem_subject_dn = cn=CA Subsystem,O=EXAMPLE.COM > > pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O=EXAMPLE.COM > > pki_ssl_server_subject_dn = cn=pt-idm-vm01.example.com,O=EXAMPLE.COM > > pki_audit_signing_subject_dn = cn=CA Audit,O=EXAMPLE.COM > > pki_ca_signing_subject_dn = cn=Certificate Authority,O=EXAMPLE.COM > > pki_subsystem_nickname = subsystemCert cert-pki-ca > > pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca > > pki_ssl_server_nickname = Server-Cert cert-pki-ca > > pki_audit_signing_nickname = auditSigningCert cert-pki-ca > > pki_ca_signing_nickname = 
caSigningCert cert-pki-ca > > pki_ca_signing_key_algorithm = SHA256withRSA > > pki_security_domain_hostname = ptipa1.example.com > > pki_security_domain_https_port = 443 > > pki_security_domain_user = admin > > pki_security_domain_password = XXXXXXXX > > pki_clone = True > > pki_clone_pkcs12_path = /tmp/ca.p12 > > pki_clone_pkcs12_password = XXXXXXXX > > pki_clone_replication_security = TLS > > pki_clone_replication_master_port = 7389 > > pki_clone_replication_clone_port = 389 > > pki_clone_replicate_schema = False > > pki_clone_uri = https://ptipa1.example.com:443 > > 2016-03-23T21:55:11Z DEBUG Starting external process > > 2016-03-23T21:55:11Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpGQ59ZC' > > 2016-03-23T21:56:51Z DEBUG Process finished, return code=1 > > 2016-03-23T21:56:51Z DEBUG stdout=Log file: > /var/log/pki/pki-ca-spawn.20160323175511.log > > Loading deployment configuration from /tmp/tmpGQ59ZC. > > Installing CA into /var/lib/pki/pki-tomcat. > > Storing deployment configuration into > /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg. > > Installation failed. > > 2016-03-23T21:56:51Z DEBUG > stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: > InsecureRequestWarning: Unverified HTTPS request is being made. Adding > certificate verification is strongly advised. See: > https://urllib3.readthedocs.org/en/latest/security.html > > InsecureRequestWarning) > > pkispawn : WARNING ....... unable to validate security domain user/password > through REST interface. Interface not available > > pkispawn : ERROR ....... Exception from Java Configuration Servlet: 500 > Server Error: Internal Server Error > > pkispawn : ERROR ....... 
ParseError: not well-formed (invalid token): line > 1, column 0: > {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error > while updating security domain: java.io.IOException: 2"} > > 2016-03-23T21:56:51Z CRITICAL Failed to configure CA instance: Command > ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpGQ59ZC'' returned non-zero exit > status 1 > > 2016-03-23T21:56:51Z CRITICAL See the installation logs and the following > files/directories for more information: > > 2016-03-23T21:56:51Z CRITICAL /var/log/pki-ca-install.log > > 2016-03-23T21:56:51Z CRITICAL /var/log/pki/pki-tomcat > > 2016-03-23T21:56:51Z DEBUG Traceback (most recent call last): > > File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line > 418, in start_creation > > run_step(full_msg, method) > > File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line > 408, in run_step > > method() > > File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line > 620, in __spawn_instance > > DogtagInstance.spawn_instance(self, cfg_file) > > File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", > line 201, in spawn_instance > > self.handle_setup_error(e) > > File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", > line 465, in handle_setup_error > > raise RuntimeError("%s configuration failed." % self.subsystem) > > RuntimeError: CA configuration failed. > > 2016-03-23T21:56:51Z DEBUG [error] RuntimeError: CA configuration failed. 
> > 2016-03-23T21:56:51Z DEBUG File > "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute > > return_value = self.run() > > File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 311, > in run > > cfgr.run() > > File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 281, > in run > > self.execute() > > File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 303, > in execute > > for nothing in self._executor(): > > File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, > in __runner > > self._handle_exception(exc_info) > > File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, > in _handle_exception > > util.raise_exc_info(exc_info) > > File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, > in __runner > > step() > > File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, > in run_generator_with_yield_from > > raise_exc_info(exc_info) > > File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, > in run_generator_with_yield_from > > value = gen.send(prev_value) > > File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 524, > in _configure > > executor.next() > > File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, > in __runner > > self._handle_exception(exc_info) > > File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, > in _handle_exception > > self.__parent._handle_exception(exc_info) > > File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, > in _handle_exception > > util.raise_exc_info(exc_info) > > File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 418, > in _handle_exception > > super(ComponentBase, self)._handle_exception(exc_info) > > File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, > in _handle_exception > > util.raise_exc_info(exc_info) > 
> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, > in __runner > > step() > > File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, > in run_generator_with_yield_from > > raise_exc_info(exc_info) > > File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, > in run_generator_with_yield_from > > value = gen.send(prev_value) > > File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, > in _install > > for nothing in self._installer(self.parent): > > File > "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", > line 879, in main > > install(self) > > File > "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", > line 295, in decorated > > func(installer) > > File > "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", > line 584, in install > > ca.install(False, config, options) > > File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 106, in > install > > install_step_0(standalone, replica_config, options) > > File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 130, in > install_step_0 > > ra_p12=getattr(options, 'ra_p12', None)) > > File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line > 1543, in install_replica_ca > > subject_base=config.subject_base) > > File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line > 486, in configure_instance > > self.start_creation(runtime=210) > > File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line > 418, in start_creation > > run_step(full_msg, method) > > File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line > 408, in run_step > > method() > > File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line > 620, in __spawn_instance > > DogtagInstance.spawn_instance(self, cfg_file) > > File 
"/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", > line 201, in spawn_instance > > self.handle_setup_error(e) > > File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", > line 465, in handle_setup_error > > raise RuntimeError("%s configuration failed." % self.subsystem) > > 2016-03-23T21:56:51Z DEBUG The ipa-replica-install command failed, exception: > RuntimeError: CA configuration failed. > > 2016-03-23T21:56:51Z ERROR CA configuration failed. > > /var/log/pki/pki-ca-spawn..log > > 2016-03-23 17:55:12 pkispawn : INFO ....... rm -f > /etc/pki/pki-tomcat/ca/noise > > 2016-03-23 17:55:12 pkispawn : INFO ....... rm -f /etc/pki/pki-tomcat/pfile > > 2016-03-23 17:55:12 pkispawn : INFO ....... ln -s > /lib/systemd/system/pki-tomcatd at .service > /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd at pki-tomcat.service > > 2016-03-23 17:55:12 pkispawn : DEBUG ........... chown -h 17:17 > /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd at pki-tomcat.service > > 2016-03-23 17:55:12 pkispawn : INFO ... configuring > 'pki.server.deployment.scriptlets.configuration' > > 2016-03-23 17:55:12 pkispawn : INFO ....... mkdir -p > /root/.dogtag/pki-tomcat/ca > > 2016-03-23 17:55:12 pkispawn : DEBUG ........... chmod 755 > /root/.dogtag/pki-tomcat/ca > > 2016-03-23 17:55:12 pkispawn : DEBUG ........... chown 0:0 > /root/.dogtag/pki-tomcat/ca > > 2016-03-23 17:55:12 pkispawn : INFO ....... generating > '/root/.dogtag/pki-tomcat/ca/password.conf' > > 2016-03-23 17:55:12 pkispawn : INFO ....... modifying > '/root/.dogtag/pki-tomcat/ca/password.conf' > > 2016-03-23 17:55:12 pkispawn : DEBUG ........... chmod 660 > /root/.dogtag/pki-tomcat/ca/password.conf > > 2016-03-23 17:55:12 pkispawn : DEBUG ........... chown 0:0 > /root/.dogtag/pki-tomcat/ca/password.conf > > 2016-03-23 17:55:12 pkispawn : INFO ....... generating > '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf' > > 2016-03-23 17:55:12 pkispawn : INFO ....... 
modifying > '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf' > > 2016-03-23 17:55:12 pkispawn : DEBUG ........... chmod 660 > /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf > > 2016-03-23 17:55:12 pkispawn : DEBUG ........... chown 17:17 > /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf > > 2016-03-23 17:55:12 pkispawn : INFO ....... executing 'certutil -N -d > /tmp/tmp-g0CKZ3 -f /root/.dogtag/pki-tomcat/ca/password.conf' > > 2016-03-23 17:55:12 pkispawn : INFO ....... executing 'systemctl > daemon-reload' > > 2016-03-23 17:55:12 pkispawn : INFO ....... executing 'systemctl start > pki-tomcatd at pki-tomcat.service' > > 2016-03-23 17:55:12 pkispawn : DEBUG ........... No connection - server > may still be down > > 2016-03-23 17:55:12 pkispawn : DEBUG ........... No connection - exception > thrown: ('Connection aborted.', error(111, 'Connection refused')) > > 2016-03-23 17:55:13 pkispawn : DEBUG ........... No connection - server > may still be down > > 2016-03-23 17:55:13 pkispawn : DEBUG ........... No connection - exception > thrown: ('Connection aborted.', error(111, 'Connection refused')) > > 2016-03-23 17:55:24 pkispawn : DEBUG ........... encoding="UTF-8" > standalone="no"?>0CArunning10.2.5-6.el7 > > 2016-03-23 17:55:25 pkispawn : INFO ....... constructing PKI > configuration data. > > 2016-03-23 17:55:25 pkispawn : INFO ....... configuring PKI configuration > data. > > 2016-03-23 17:56:51 pkispawn : ERROR ....... Exception from Java > Configuration Servlet: 500 Server Error: Internal Server Error > > 2016-03-23 17:56:51 pkispawn : ERROR ....... ParseError: not well-formed > (invalid token): line 1, column 0: > {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error > while updating security domain: java.io.IOException: 2"} > > 2016-03-23 17:56:51 pkispawn : DEBUG ....... Error Type: ParseError > > 2016-03-23 17:56:51 pkispawn : DEBUG ....... 
Error Message: not > well-formed (invalid token): line 1, column 0 > > 2016-03-23 17:56:51 pkispawn : DEBUG ....... File "/usr/sbin/pkispawn", > line 597, in main > > rv = instance.spawn(deployer) > > File > "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", > line 116, in spawn > > json.dumps(data, cls=pki.encoder.CustomTypeEncoder)) > > File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", > line 3906, in configure_pki_data > > root = ET.fromstring(e.response.text) > > File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1300, in XML > > parser.feed(text) > > File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1642, in feed > > self._raiseerror(v) > > File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1506, in _raiseerror > > raise err > > /var/log/pki/pki-tomcat/ca/debug > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: password ok: store > in memory cache > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init ends > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: init: before makeConnection > errorIfDown is false > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: makeConnection: errorIfDown false > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Established LDAP connection using > basic authentication to host pt-idm-vm01.example.com port 389 as cn=Directory > Manager > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: initializing with mininum 3 and > maximum 15 connections to host pt-idm-vm01.example.com port 389, secure > connection, false, authentication type 1 > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: increasing minimum connections by 3 > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new total available connections 3 > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new number of connections 3 > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: In LdapBoundConnFactory::getConn() > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: masterConn is 
connected: true > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: conn is connected true > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: mNumConns now 2 > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS: > param=preop.internaldb.manager_ldif > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif file = > /usr/share/pki/server/conf/manager.ldif > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif file copy to > /var/lib/pki/pki-tomcat/ca/conf/manager.ldif > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): LDAP Errors in > importing /var/lib/pki/pki-tomcat/ca/conf/manager.ldif > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LDAPUtil:importLDIF: exception in > adding entry ou=csusers,cn=config:netscape.ldap.LDAPException: error result (68) > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LDAPUtil:importLDIF: exception in > modifying entry o=ipaca:netscape.ldap.LDAPException: error result (20) > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: populateVLVIndexes(): start > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Creating > LdapBoundConnFactor(ConfigurationUtils) > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapBoundConnFactory: init > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapBoundConnFactory:doCloning true > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init() > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init begins > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: prompt is > internaldb > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: try getting > from memory cache > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: got password > from memory > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: password found > for prompt. 
> > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: password ok: store > in memory cache > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init ends > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: init: before makeConnection > errorIfDown is false > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: makeConnection: errorIfDown false > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Established LDAP connection using > basic authentication to host pt-idm-vm01.example.com port 389 as cn=Directory > Manager > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: initializing with mininum 3 and > maximum 15 connections to host pt-idm-vm01.example.com port 389, secure > connection, false, authentication type 1 > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: increasing minimum connections by 3 > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new total available connections 3 > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new number of connections 3 > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: In LdapBoundConnFactory::getConn() > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: masterConn is connected: true > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: conn is connected true > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: mNumConns now 2 > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS: > param=preop.internaldb.post_ldif > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif file = > /usr/share/pki/ca/conf/vlv.ldif > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif file copy to > /var/lib/pki/pki-tomcat/ca/conf/vlv.ldif > > [23/Mar/2016:17:56:46][http-bio-8443-exec-3]: importLDIFS(): ldif file = > /usr/share/pki/ca/conf/vlvtasks.ldif > > [23/Mar/2016:17:56:46][http-bio-8443-exec-3]: importLDIFS(): ldif file copy to > /var/lib/pki/pki-tomcat/ca/conf/vlvtasks.ldif > > [23/Mar/2016:17:56:46][http-bio-8443-exec-3]: Checking wait_dn > cn=index1160589769, cn=index, cn=tasks, 
cn=config > > [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: Found data for 'sslserver' > > [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: > SystemConfigService:processCerts(): san_server_cert not found for tag sslserver > > [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: caType is local > > [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: caType is remote (revised) > > [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: NamePanel: updateConfig() for > certTag sslserver > > [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: updateConfig() done > > [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: remote CA > > [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertRequestPanel: got public key > > [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertRequestPanel: got private key > > [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: NamePanel: For this Cloned CA, > always use its Master CA to generate the 'sslserver' certificate to avoid any > changes which may have been made to the X500Name directory string encoding order. 
> > [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: ConfigurationUtils: injectSAN=false > > [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertUtil createRemoteCert: content > requestor_name=CA-pt-idm-vm01.example.com-8443&profileId=caInternalAuthServerCert&cert_request_type=pkcs10&cert_request=MIICmzCCAYxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxrD6JPIBR7AA%3D&xmlOutput=true&sessionID=-4495713718673639316 > > [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: CertUtil createRemoteCert: status=0 > > [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: CertUtil createRemoteCert: > MIIDxTCCAq2gxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxTDuSAWm2v7 > > [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: ConfigurationUtils: > handleCertRequest() begins > > [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCertRequest: tag=sslserver > > [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: > privKeyID=29c021f3ccfafb1049bd33ce00e9b4ba35f2c1e7 > > [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCertRequest: created cert > request > > [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Processing 'sslserver' certificate: > > [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): for cert tag > 'sslserver' using cert type 'remote' > > [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): process > 
remote...import cert > > [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: deleteCert: nickname=Server-Cert > cert-pki-ca > > [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: deleteCert: cert deleted successfully > > [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): certchains length=2 > > [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): import certificate > successfully, certTag=sslserver > > [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Processed 'sslserver' certificate. > > [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === BackupKeyCert Panel/SavePKCS12 > Panel === > > [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: backupKeys(): start > > [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === Admin Panel === > > [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === Done Panel === > > [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Updating existing security domain > > [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: isSDHostDomainMaster(): Getting > domain.xml from CA... > > [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: getDomainXML start > > [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: getDomainXML: status=0 > > [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: getDomainXML: domainInfo= version="1.0" encoding="UTF-8" > standalone="no"?>IPAptipa1.example.com44344344344380FALSEpki-cadTRUE100000 > > [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: Cloning a domain master > > [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML > start hostname=ptipa1.example.com port=443 > > [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateSecurityDomain: failed to > update security domain using admin port 443: org.xml.sax.SAXParseException; > lineNumber: 1; columnNumber: 50; White spaces are required between publicId and > systemId. 
> > [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateSecurityDomain: now trying > agent port with client auth > > [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML > start hostname=ptipa1.example.com port=443 > > [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateDomainXML() > nickname=subsystemCert cert-pki-ca > > [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML: > status=1 > > [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: Error while updating security > domain: java.io.IOException: 2 > > [23/Mar/2016:23:44:52][http-bio-8080-exec-1]: according to ccMode, authorization > for servlet: caProfileList is LDAP based, not XML {1}, use default authz mgr: {2}. > > /var/log/pki/pki-tomcat/ca/system > > 0.localhost-startStop-1 - [23/Mar/2016:17:55:24 EDT] [3] [3] Cannot build CA > chain. Error java.security.cert.CertificateException: Certificate is not a PKCS > #11 certificate > > 0.localhost-startStop-1 - [23/Mar/2016:17:55:24 EDT] [13] [3] authz instance > DirAclAuthz initialization failed and skipped, error=Property > internaldb.ldapconn.port missing value
>
> *Dennis M Ott*
> Infrastructure Administrator
> Infrastructure and Security Operations
>
> *McKesson Corporation
> McKesson Pharmacy Systems and Automation*
> www.mckesson.com
>
>
>
--
Petr Vobornik

From Adam.Bishop at jisc.ac.uk Tue Mar 29 13:29:02 2016
From: Adam.Bishop at jisc.ac.uk (Adam Bishop)
Date: Tue, 29 Mar 2016 13:29:02 +0000
Subject: [Freeipa-users] Unable to join FreeIPA client to server
Message-ID:

Client is running ipa-client-3.0.0-47.el6.centos.1.x86_64 on CentOS 6
Servers are running ipa-server-4.2.0-15.0.1.el7.centos.6.x86_64 on CentOS 7

When I try to join the CentOS 6 client to the CentOS 7 servers, ipa-client-install is unable to access /ipa/xml, throwing the following error:

...
Connecting: [2001:630:1:177::98]:0
Failed to set TLS range to tls1.0, tls1.2
Could not connect socket to [2001:630:1:177::98]:443, error: (SSL_ERROR_INVALID_VERSION_RANGE) SSL version range is not valid.
...

The full log follows, but I don't see anything interesting or unusual, other than HTTPS connections are established OK earlier in the installation process.

I could use a bit of help resolving this - full client debug follows. Both systems are running nss 3.19.1 which *should* support TLS1.2, so I'm unsure where to start fixing this.

Thanks,

Adam Bishop
gpg: 0x6609D460
jisc.ac.uk

---

Starting IPA discovery with domain=example.org, servers=None, hostname=rms1.example.org Search for LDAP SRV record in example.org Search DNS for SRV record of _ldap._tcp.example.org. DNS record found: DNSResult::name:_ldap._tcp.example.org.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:atl-ipa-001.example.org.} DNS record found: DNSResult::name:_ldap._tcp.example.org.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:swi-ipa-001.example.org.} [Kerberos realm search] Search DNS for TXT record of _kerberos.example.org. DNS record found: DNSResult::name:_kerberos.example.org.,type:16,class:1,rdata={data:example.org} Search DNS for SRV record of _kerberos._udp.example.org.
DNS record found: DNSResult::name:_kerberos._udp.example.org.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:swi-ipa-001.example.org.} DNS record found: DNSResult::name:_kerberos._udp.example.org.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:atl-ipa-001.example.org.} [LDAP server check] Verifying that atl-ipa-001.example.org (realm example.org) is an IPA server Init LDAP connection with: ldap://atl-ipa-001.example.org:389 Search LDAP server for IPA base DN Check if naming context 'dc=example,dc=org' is for IPA Naming context 'dc=example,dc=org' is a valid IPA context Search for (objectClass=krbRealmContainer) in dc=example,dc=org (sub) Found: cn=example.org,cn=kerberos,dc=example,dc=org Discovery result: Success; server=atl-ipa-001.example.org, domain=example.org, kdc=swi-ipa-001.example.org,atl-ipa-001.example.org, basedn=dc=example,dc=org Validated servers: atl-ipa-001.example.org will use discovered domain: example.org Start searching for LDAP SRV record in "example.org" (Validating DNS Discovery) and its sub-domains Search DNS for SRV record of _ldap._tcp.example.org. DNS record found: DNSResult::name:_ldap._tcp.example.org.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:swi-ipa-001.example.org.} DNS record found: DNSResult::name:_ldap._tcp.example.org.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:atl-ipa-001.example.org.} DNS validated, enabling discovery will use discovered server: atl-ipa-001.example.org Discovery was successful! 
will use discovered realm: example.org will use discovered basedn: dc=example,dc=org Hostname: rms1.example.org Hostname source: Machine's FQDN Realm: example.org Realm source: Discovered from LDAP DNS records in atl-ipa-001.example.org DNS Domain: example.org DNS Domain source: Discovered LDAP SRV records from example.org IPA Server: atl-ipa-001.example.org IPA Server source: Discovered from LDAP DNS records in atl-ipa-001.example.org BaseDN: dc=example,dc=org BaseDN source: From IPA server ldap://atl-ipa-001.example.org:389 Continue to configure the system with these values? [no]: yes args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r example.org stdout= stderr=realm not found User authorized to enroll computers: admin will use principal provided as option: admin Synchronizing time with KDC... Search DNS for SRV record of _ntp._udp.example.org. No DNS record found args=/usr/sbin/ntpdate -U ntp -s -b -v atl-ipa-001.example.org stdout= stderr= args=/usr/sbin/ntpdate -U ntp -s -b -v atl-ipa-001.example.org stdout= stderr= args=/usr/sbin/ntpdate -U ntp -s -b -v atl-ipa-001.example.org stdout= stderr= Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened. 
Writing Kerberos configuration to /tmp/tmpX2eUdM: #File modified by ipa-client-install includedir /var/lib/sss/pubconf/krb5.include.d/ [libdefaults] default_realm = example.org dns_lookup_realm = false dns_lookup_kdc = false rdns = false ticket_lifetime = 24h forwardable = yes udp_preference_limit = 0 [realms] example.org = { kdc = atl-ipa-001.example.org:88 master_kdc = atl-ipa-001.example.org:88 admin_server = atl-ipa-001.example.org:749 default_domain = example.org pkinit_anchors = FILE:/etc/ipa/ca.crt } [domain_realm] .example.org = example.org example.org = example.org .example.org = example.org example.org = example.org Password for admin at example.org: args=kinit admin at example.org stdout=Password for admin at example.org: stderr= trying to retrieve CA cert via LDAP from ldap://atl-ipa-001.example.org Existing CA cert and Retrieved CA cert are identical args=/usr/sbin/ipa-join -s atl-ipa-001.example.org -b dc=example,dc=org -d stdout= stderr=XML-RPC CALL: \r\n \r\n join\r\n \r\n \r\n rms1.example.org\r\n \r\n \r\n nsosversion\r\n 2.6.32-358.23.2.el6.x86_64\r\n nshardwareplatform\r\n x86_64\r\n \r\n \r\n \r\n * About to connect() to atl-ipa-001.example.org port 443 (#0) * Trying 2001:630:1:177::98... 
* Connected to atl-ipa-001.example.org (2001:630:1:177::98) port 443 (#0) * Initializing NSS with certpath: sql:/etc/pki/nssdb * CAfile: /etc/ipa/ca.crt CApath: none * SSL connection using TLS_RSA_WITH_AES_256_CBC_SHA * Server certificate: * subject: CN=atl-ipa-001.example.org,O=example.org * start date: Sep 23 16:55:31 2014 GMT * expire date: Sep 23 16:55:31 2016 GMT * common name: atl-ipa-001.example.org * issuer: CN=Certificate Authority,O=example.org > POST /ipa/xml HTTP/1.1 Host: atl-ipa-001.example.org Accept: */* Content-Type: text/xml User-Agent: ipa-join/3.0.0 Referer: https://atl-ipa-001.example.org/ipa/xml X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1 Content-Length: 476 < HTTP/1.1 401 Unauthorized < Date: Tue, 29 Mar 2016 13:05:17 GMT < Server: Apache/2.4.6 (CentOS) mod_auth_gssapi/1.3.1 mod_auth_kerb/5.4 mod_nss/2.4.6 NSS/3.19.1 Basic ECC mod_wsgi/3.4 Python/2.7.5 < WWW-Authenticate: Negotiate < Last-Modified: Thu, 10 Mar 2016 12:37:22 GMT < Accept-Ranges: bytes < Content-Length: 1474 < Content-Type: text/html; charset=UTF-8 < * Ignoring the response-body * Connection #0 to host atl-ipa-001.example.org left intact * Issue another request to this URL: 'https://atl-ipa-001.example.org:443/ipa/xml' * Re-using existing connection! 
(#0) with host atl-ipa-001.example.org * Connected to atl-ipa-001.example.org (2001:630:1:177::98) port 443 (#0) * Server auth using GSS-Negotiate with user '' > POST /ipa/xml HTTP/1.1 Authorization: Negotiate Host: atl-ipa-001.example.org Accept: */* Content-Type: text/xml User-Agent: ipa-join/3.0.0 Referer: https://atl-ipa-001.example.org/ipa/xml X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1 Content-Length: 476 < HTTP/1.1 200 Success < Date: Tue, 29 Mar 2016 13:05:17 GMT < Server: Apache/2.4.6 (CentOS) mod_auth_gssapi/1.3.1 mod_auth_kerb/5.4 mod_nss/2.4.6 NSS/3.19.1 Basic ECC mod_wsgi/3.4 Python/2.7.5 * Added cookie ipa_session="d92ff3c8a2e52ba19450e4d607b495b2" for domain atl-ipa-001.example.org, path /ipa, expire 1459257920 < Set-Cookie: ipa_session=d92ff3c8a2e52ba19450e4d607b495b2; Domain=atl-ipa-001.example.org; Path=/ipa; Expires=Tue, 29 Mar 2016 13:25:20 GMT; Secure; HttpOnly < Vary: Accept-Encoding < Content-Length: 2763 < Content-Type: text/xml; charset=utf-8 < * Expire cleared * Connection #0 to host atl-ipa-001.example.org left intact XML-RPC RESPONSE: \n \n \n \n \n fqdn=rms1.example.org,cn=computers,cn=accounts,dc=example,dc=org\n \n \n dn\n fqdn=rms1.example.org,cn=computers,cn=accounts,dc=example,dc=org\n \n \n ipacertificatesubjectbase\n \n O=example.org\n \n \n \n krbextradata\n \n \n AAIre/pWaG9zdC9ybXMxLmRldi5qYS5uZXRAVklSVC5KQS5ORVQA\n \n \n \n \n cn\n \n rms1.example.org\n \n \n \n objectclass\n \n ipaSshGroupOfPubKeys\n ipaobject\n ieee802device\n nshost\n top\n ipaservice\n pkiuser\n ipahost\n krbprincipal\n krbprincipalaux\n ipasshhost\n \n \n \n ipakrbokasdelegate\n 0\n \n \n fqdn\n \n rms1.example.org\n \n \n \n managing_host\n \n rms1.example.org\n \n \n \n has_keytab\n 0\n \n \n has_password\n 0\n \n \n ipauniqueid\n \n 76cdb40e-f5ad-11e5-a8ad-005056b12d16\n \n \n \n krbprincipalname\n \n host/rms1.example.org at example.org\n \n \n \n managedby_host\n \n rms1.example.org\n \n
\n \n serverhostname\n \n rms1\n \n \n \n enrolledby_user\n \n admin\n \n \n \n ipakrbrequirespreauth\n 1\n \n \n \n \n \n \n Keytab successfully retrieved and stored in: /etc/krb5.keytab Certificate subject base is: O=example.org Enrolled in IPA realm example.org args=kdestroy stdout= stderr= Attempting to get host TGT... args=/usr/bin/kinit -k -t /etc/krb5.keytab host/rms1.example.org at example.org stdout= stderr= Attempt 1/5 succeeded. Backing up system configuration file '/etc/ipa/default.conf' -> Not backing up - '/etc/ipa/default.conf' doesn't exist Created /etc/ipa/default.conf importing all plugin modules in '/usr/lib/python2.6/site-packages/ipalib/plugins'... importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/config.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/group.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/host.py' importing plugin module 
'/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/idrange.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/privilege.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py' args=klist -V stdout=Kerberos 5 version 1.10.3 stderr= importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/role.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/service.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/trust.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/user.py' importing plugin module 
'/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py' Backing up system configuration file '/etc/sssd/sssd.conf' -> Not backing up - '/etc/sssd/sssd.conf' doesn't exist New SSSD config will be created Backing up system configuration file '/etc/nsswitch.conf' Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index' Configured sudoers in /etc/nsswitch.conf Configured /etc/sssd/sssd.conf args=/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt stdout= stderr= Backing up system configuration file '/etc/krb5.conf' Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index' Writing Kerberos configuration to /etc/krb5.conf: #File modified by ipa-client-install includedir /var/lib/sss/pubconf/krb5.include.d/ [libdefaults] default_realm = example.org dns_lookup_realm = false dns_lookup_kdc = false rdns = false ticket_lifetime = 24h forwardable = yes udp_preference_limit = 0 [realms] example.org = { kdc = atl-ipa-001.example.org:88 master_kdc = atl-ipa-001.example.org:88 admin_server = atl-ipa-001.example.org:749 default_domain = example.org pkinit_anchors = FILE:/etc/ipa/ca.crt } [domain_realm] .example.org = example.org example.org = example.org .example.org = example.org example.org = example.org Configured /etc/krb5.conf for IPA realm example.org args=keyctl search @s user ipa_session_cookie:host/rms1.example.org at example.org stdout= stderr=keyctl_search: Required key not available args=keyctl search @s user ipa_session_cookie:host/rms1.example.org at example.org stdout= stderr=keyctl_search: Required key not available failed to find session_cookie in persistent storage for principal 'host/rms1.example.org at example.org' trying https://atl-ipa-001.example.org/ipa/xml NSSConnection init atl-ipa-001.example.org Connecting: [2001:630:1:177::98]:0 Failed to set TLS range to tls1.0, tls1.2 Could not connect socket to 
[2001:630:1:177::98]:443, error: (SSL_ERROR_INVALID_VERSION_RANGE) SSL version range is not valid. Try to continue with next family... Connecting: 193.63.72.98:0 Failed to set TLS range to tls1.0, tls1.2 Could not connect socket to 193.63.72.98:443, error: (SSL_ERROR_INVALID_VERSION_RANGE) SSL version range is not valid. Try to continue with next family... Connection to https://atl-ipa-001.example.org/ipa/xml failed with NSPRError() argument 1 must be string or None, not int trying https://swi-ipa-001.example.org/ipa/xml NSSConnection init swi-ipa-001.example.org Connection to https://swi-ipa-001.example.org/ipa/xml failed with (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use. Cannot connect to the server due to generic error: cannot connect to Gettext('any of the configured servers', domain='ipa', localedir=None): https://atl-ipa-001.example.org/ipa/xml, https://swi-ipa-001.example.org/ipa/xml Installation failed. Force set so not rolling back changes. Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc?s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800. From Adam.Bishop at jisc.ac.uk Tue Mar 29 14:42:37 2016 From: Adam.Bishop at jisc.ac.uk (Adam Bishop) Date: Tue, 29 Mar 2016 14:42:37 +0000 Subject: [Freeipa-users] Unable to join FreeIPA client to server In-Reply-To: References: Message-ID: <25DE3B98-88EA-49C0-A0E6-E37094C1C94A@jisc.ac.uk> On 29 Mar 2016, at 14:29, Adam Bishop wrote: > I could use a bit of help resolving this - full client debug follows. 
Both systems are running nss 3.19.1 which *should* support TLS1.2., so I'm unsure where to start fixing this. Turns out to be a little easier to solve than I thought; the CentOS 6 client was running an older version of NSS than I thought it was. ipa-client-3.0.0-47.el6.centos.1.x86_64 defaults to requiring tls1.2 , but does not depend on a version of NSS that actually supports tls1.2. Manually installing an updated version of NSS has resolved the problem. Regards, Adam Bishop gpg: 0x6609D460 jisc.ac.uk From junkmafia89 at gmail.com Tue Mar 29 14:51:04 2016 From: junkmafia89 at gmail.com (Master P.) Date: Tue, 29 Mar 2016 08:51:04 -0600 Subject: [Freeipa-users] freeipa unsecured ports & MITM Message-ID: Hello, I am using FreeIPA on the cloud and am worried about MITM attacks. I'm assuming all network traffic can be easily read and possibly manipulated by an attacker. When following https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/installing-ipa.html, some of the listed ports for FreeIPA (80 and 389) are unencrypted ports. Should this be a concern or does FreeIPA only use those ports to send non-sensitive information. If I disable just the unencrypted ports on my clients will everything still work? I don't understand Kerberos much so the same question applies to its ports as well (88 and 464).
I am also using FreeIPA for DNS but it looks like DNSSEC is not enabled by default, does this mean an attacker hijacking the DNS connections can get into my system? Thanks, Alex From peljasz at yahoo.co.uk Tue Mar 29 14:53:46 2016 From: peljasz at yahoo.co.uk (lejeczek) Date: Tue, 29 Mar 2016 15:53:46 +0100 Subject: [Freeipa-users] rollback a migration? Message-ID: <56FA96FA.8090608@yahoo.co.uk> hi everybody looking at docs/mans - I don't suppose there in ipa user tool set is a clean way/mechanism to roll back "migrate-ds" ? many thanks L. From rcritten at redhat.com Tue Mar 29 15:18:21 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 29 Mar 2016 11:18:21 -0400 Subject: [Freeipa-users] rollback a migration? In-Reply-To: <56FA96FA.8090608@yahoo.co.uk> References: <56FA96FA.8090608@yahoo.co.uk> Message-ID: <56FA9CBD.5000305@redhat.com> lejeczek wrote: > hi everybody > > looking at docs/mans - I don't suppose there in ipa user tool set is a > clean way/mechanism to roll back "migrate-ds" ? No, it would need to be done manually. rob From simo at redhat.com Tue Mar 29 15:31:25 2016 From: simo at redhat.com (Simo Sorce) Date: Tue, 29 Mar 2016 11:31:25 -0400 Subject: [Freeipa-users] freeipa unsecured ports & MITM In-Reply-To: References: Message-ID: <1459265485.7463.10.camel@redhat.com> On Tue, 2016-03-29 at 08:51 -0600, Master P. wrote: > Hello, > > I am using FreeIPA on the cloud and am worried about MITM attacks. I'm > assuming all network traffic can be easily read and possibly manipulated by > an attacker. > > When following > https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/installing-ipa.html, > some of the listed ports for FreeIPA (80 and 389) are unencrypted ports. The only thing port 80 does is redirect to 443.
Port 389 is the only used LDAP port and clients will use the STARTTLS command to transition to a TLS-encrypted connection or use GSSAPI and confidentiality to encrypt the traffic. > Should this be a concern or does FreeIPA only use those ports to send > non-sensitive information. If I disable just the unencrypted ports on my > clients will everything still work? > > I don't understand Kerberos much so the same question applies to its ports > as well (88 and 464). The Kerberos protocol was conceived and built to be able to run on a non-trusted network; all communication is secured. > I am also using FreeIPA for DNS but it looks like DNSSEC is not enabled by > default, does this mean an attacker hijacking the DNS connections can get > into my system? You should define what "get into" means. A DNS server w/o DNSSEC is pretty much what you have in the wild, almost no client yet uses DNSSEC validation, for any of the internet activity you see people doing every day. DNSSEC can give you extra protection but lack of it is not necessarily a concern unless you have evidence you need it for specific DNS records. HTH, Simo. -- Simo Sorce * Red Hat, Inc * New York From abokovoy at redhat.com Tue Mar 29 15:48:12 2016 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 29 Mar 2016 18:48:12 +0300 Subject: [Freeipa-users] freeipa unsecured ports & MITM In-Reply-To: <1459265485.7463.10.camel@redhat.com> References: <1459265485.7463.10.camel@redhat.com> Message-ID: <20160329154812.GK27275@redhat.com> On Tue, 29 Mar 2016, Simo Sorce wrote: >On Tue, 2016-03-29 at 08:51 -0600, Master P. wrote: >> Hello, >> >> I am using FreeIPA on the cloud and am worried about MITM attacks. I'm >> assuming all network traffic can be easily read and possibly manipulated by >> an attacker. >> >> When following >> https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/installing-ipa.html, >> some of the listed ports for FreeIPA (80 and 389) are unencrypted ports.
> >The only thing port 80 does is redirect to 443. There is also a CA certificate access on port 80 in case LDAP-based access didn't work. >Port 389 is the only use LDAP port and clients will use the STARTTLS >command to transition to to a TLS encrypted connection or use GSSAPI and >confidentiality to encrypt the traffic. Also, any LDAP BIND with password will be refused without STARTTLS command. -- / Alexander Bokovoy From junkmafia89 at gmail.com Tue Mar 29 15:53:34 2016 From: junkmafia89 at gmail.com (Master P.) Date: Tue, 29 Mar 2016 09:53:34 -0600 Subject: [Freeipa-users] freeipa unsecured ports & MITM In-Reply-To: <20160329154812.GK27275@redhat.com> References: <1459265485.7463.10.camel@redhat.com> <20160329154812.GK27275@redhat.com> Message-ID: Thanks for the quick responses, you have both answered everything I was looking for! On Tue, Mar 29, 2016 at 9:48 AM, Alexander Bokovoy wrote: > On Tue, 29 Mar 2016, Simo Sorce wrote: > >> On Tue, 2016-03-29 at 08:51 -0600, Master P. wrote: >> >>> Hello, >>> >>> I am using FreeIPA on the cloud and am worried about MITM attacks. I'm >>> assuming all network traffic can be easily read and possibly manipulated >>> by >>> an attacker. >>> >>> When following >>> >>> https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/installing-ipa.html >>> , >>> some of the listed ports for FreeIPA (80 and 389) are unencrypted ports. >>> >> >> The only thing port 80 does is redirect to 443. >> > There is also a CA certificate access on port 80 in case LDAP-based > access didn't work. > > Port 389 is the only use LDAP port and clients will use the STARTTLS >> command to transition to to a TLS encrypted connection or use GSSAPI and >> confidentiality to encrypt the traffic. >> > Also, any LDAP BIND with password will be refused without STARTTLS > command. > > -- > / Alexander Bokovoy >
From marc.boorshtein at tremolosecurity.com Tue Mar 29 19:02:58 2016 From: marc.boorshtein at tremolosecurity.com (Marc Boorshtein) Date: Tue, 29 Mar 2016 15:02:58 -0400 Subject: [Freeipa-users] Request for Feedback - Managing FreeIPA accounts with OpenUnison Message-ID: FreeIPAers, We've built an open source integration "provisioning target" that works with the JSON web service to provision users and roles inside of FreeIPA/RH IdM. We also have a prototype of SSO into the IPAWeb console using constrained delegation (both thanks to the help received on this list). We put together a demo of the capability by deploying FreeIPA to manage RHEL servers running on Azure. We also integrated Cockpit and Graylog into the POC as well. I'd really appreciate feedback on the integration. Especially on the use cases and other features you think would add value to the integration (and of course any place you think we went terribly wrong!). Here's a link to the demo: https://vimeo.com/160002916 The white-paper that details how we deployed everything: https://www.tremolosecurity.com/wiki/#!azure.md and of course the source code: OpenUnison - https://github.com/TremoloSecurity/OpenUnison FreeIPA Provisioning Target - https://github.com/TremoloSecurity/Unison-FreeIPA S4U2Self LastMile - https://github.com/TremoloSecurity/Unison-LastMile-Kerberos Again, any feedback on the integration would be greatly appreciated!
Thanks Marc Boorshtein CTO Tremolo Security marc.boorshtein at tremolosecurity.com Twitter - @mlbiam / @tremolosecurity From tgeier at accertify.com Tue Mar 29 20:53:50 2016 From: tgeier at accertify.com (Timothy Geier) Date: Tue, 29 Mar 2016 20:53:50 +0000 Subject: [Freeipa-users] IPA 4.2: pki-tomcatd in terrible shape In-Reply-To: <20160329070020.GA9499@kermit.tuxgeek.de> References: <56BE04AD.2020700@redhat.com> <1455951442.25282.2.camel@accertify.com> <56CB277F.2000309@redhat.com> <56CC3300.9060608@redhat.com> <661F440B-58F9-4982-9AF8-A915F8C50918@accertify.com> <20160328175335.GA14509@kermit.tuxgeek.de> <1C9A066C-9AE2-490A-87B7-91BE3C9DE217@accertify.com> <20160329070020.GA9499@kermit.tuxgeek.de> Message-ID: > On Mar 29, 2016, at 2:00 AM, Thorsten Scherf wrote: > > On [Mon, 28.03.2016 18:18], Timothy Geier wrote: >> >>> On Mar 28, 2016, at 12:53 PM, Thorsten Scherf wrote: >>> >>> On [Sat, 26.03.2016 03:26], Timothy Geier wrote: >>>> To follow up on this issue, we haven?t been able to get any further since >>>> last month due to the missing caServerCert profile..the configuration >>>> files /usr/share/pki/ca/profiles/ca/caServerCert.cfg >>>> and /var/lib/pki/pki-tomcat/ca/profiles/ca/caServerCert.cfg are present >>>> and are identical. The pki-ca package >>>> passes rpm -V as well. Are there any other troubleshooting steps we can >>>> take? 
>>> >>> Can you please check if the profile is available in the LDAP trees: >>> >>> # ldapsearch -LLLx -D "cn=Directory Manager" -W -b cn=certprofiles,cn=ca,$suffix >> >> dn: cn=certprofiles,cn=ca,$suffix >> objectClass: nsContainer >> objectClass: top >> cn: certprofiles >> >>> # ldapsearch -LLLx -D "cn=Directory Manager" -W -b ou=certificateProfiles,ou=ca,o=ipaca >> >> dn: ou=certificateProfiles,ou=ca,o=ipaca >> objectClass: top >> objectClass: organizationalUnit >> ou: certificateProfiles >> >>> >>> If this is the case, please check if the profile is accessable by the >>> host: >>> >>> # kinit -kt /etc/krb5.keytab; klist; ipa certprofile-show caIPAserviceCert >>> >> >> ipa: ERROR: caIPAserviceCert: Certificate Profile not found >> >>> I either suspect that the profiles have not been properly migrated to >>> the LDAP tree or that some ACIs are missing to allow access to the >>> profiles. >>> >> >> I suspect you?re right..I ran these same commands on a reference system and there was >> a lot more output in the ldapsearches and the ipa certprofile-show command came back with >> Profile ID: caIPAserviceCert >> Profile description: Standard profile for network services >> Store issued certificates: TRUE > > Yes, this is a known issue which has been fixed in the most recent > FreeIPA releases 4.2.4 and 4.3.1. > I would recommend to upgrade your system to one of those releases. If this is not feasible, I can send you instructions how to fix the issue manually. > It?s currently at 4.2.0-15.el7.centos.3..would the update 4.2.0-15.0.1.el7.centos.6 have the fix backported? Also, should com.netscape.cmscore.profile be changed in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg beforehand? Thanks, > Cheers, > Thorsten > "This message and any attachments may contain confidential information. If you have received this message in error, any use or distribution is prohibited. 
Please notify us by reply e-mail if you have mistakenly received this message, and immediately and permanently delete it and any attachments. Thank you." From prasun.gera at gmail.com Wed Mar 30 07:07:12 2016 From: prasun.gera at gmail.com (Prasun Gera) Date: Wed, 30 Mar 2016 03:07:12 -0400 Subject: [Freeipa-users] IPA users central Home Directories In-Reply-To: References: Message-ID: NFS and ipa are sort of orthogonal unless you mix nfsv4 with kerberos. If you aren't using kerberos, and don't need kerberos, then the nfs home setup is pretty straightforward. ipa just controls authentication. If you have a simple enough environment, you can just add your nfs mounts in the fstab of clients. If you have something more complex, you can use autofs too, but that will involve using sssd as the automount provider. There is an ipa automount setup command which does that configuration. All of this should also work with nfsv4 and kerberos too, but that just adds another variable to the mix for debugging. HA for home directories: There are a lot of file systems with different properties. That is again pretty orthogonal to ipa. On Tue, Mar 29, 2016 at 3:07 AM, Shahzad Malik < Shahzad.Malik at m5networks.com.au> wrote: > Hi > > > I have recently configured IPA master and replica server. I am trying to > configure IPA users central home directories which means when a user > authenticate through IPA on any client, will have same home directory. To > achieve this goal, I have configured a NFS server, joined and configured > nfs with IPA. > > I have Rhel 7 and CentOS 7 clients. Rhel clients are working as expected, > when IPA users are authenticated on Rhel clients they can get home > directory from nfs server. df -h shows any entry of nfs user home directory > mounted. > > When a client is Centos 7, users are able to authenticated from IPA and > can login but can't get home directory from NFS server. 
I can manually > mount a dir with nfs server which verifies communication is working between > centos client and nfs. > > All neccesary ports are open and centos configurations are pretty much > same as Rhel clients. I even disabled selinux, but no luck. Has anyone > experienced same issue? > > Another question: At the moment, there is single nfs serve which is single > point of failure, what best method I can use for HA of user home > directories? > > Many Thanks > > > Regards, > > > Shez > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > -------------- next part -------------- An HTML attachment was scrubbed... URL: From tscherf at redhat.com Wed Mar 30 10:42:31 2016 From: tscherf at redhat.com (Thorsten Scherf) Date: Wed, 30 Mar 2016 12:42:31 +0200 Subject: [Freeipa-users] IPA 4.2: pki-tomcatd in terrible shape In-Reply-To: References: <1455951442.25282.2.camel@accertify.com> <56CB277F.2000309@redhat.com> <56CC3300.9060608@redhat.com> <661F440B-58F9-4982-9AF8-A915F8C50918@accertify.com> <20160328175335.GA14509@kermit.tuxgeek.de> <1C9A066C-9AE2-490A-87B7-91BE3C9DE217@accertify.com> <20160329070020.GA9499@kermit.tuxgeek.de> Message-ID: <20160330104231.GA10056@kermit.tuxgeek.de> On [Tue, 29.03.2016 20:53], Timothy Geier wrote: > >> On Mar 29, 2016, at 2:00 AM, Thorsten Scherf wrote: >> >> On [Mon, 28.03.2016 18:18], Timothy Geier wrote: >>> >>>> On Mar 28, 2016, at 12:53 PM, Thorsten Scherf wrote: >>>> >>>> On [Sat, 26.03.2016 03:26], Timothy Geier wrote: >>>>> To follow up on this issue, we haven?t been able to get any further since >>>>> last month due to the missing caServerCert profile..the configuration >>>>> files /usr/share/pki/ca/profiles/ca/caServerCert.cfg >>>>> and /var/lib/pki/pki-tomcat/ca/profiles/ca/caServerCert.cfg are present >>>>> and are identical. The pki-ca package >>>>> passes rpm -V as well. 
Are there any other troubleshooting steps we can >>>>> take? >>>> >>>> Can you please check if the profile is available in the LDAP trees: >>>> >>>> # ldapsearch -LLLx -D "cn=Directory Manager" -W -b cn=certprofiles,cn=ca,$suffix >>> >>> dn: cn=certprofiles,cn=ca,$suffix >>> objectClass: nsContainer >>> objectClass: top >>> cn: certprofiles >>> >>>> # ldapsearch -LLLx -D "cn=Directory Manager" -W -b ou=certificateProfiles,ou=ca,o=ipaca >>> >>> dn: ou=certificateProfiles,ou=ca,o=ipaca >>> objectClass: top >>> objectClass: organizationalUnit >>> ou: certificateProfiles >>> >>>> >>>> If this is the case, please check if the profile is accessable by the >>>> host: >>>> >>>> # kinit -kt /etc/krb5.keytab; klist; ipa certprofile-show caIPAserviceCert >>>> >>> >>> ipa: ERROR: caIPAserviceCert: Certificate Profile not found >>> >>>> I either suspect that the profiles have not been properly migrated to >>>> the LDAP tree or that some ACIs are missing to allow access to the >>>> profiles. >>>> >>> >>> I suspect you?re right..I ran these same commands on a reference system and there was >>> a lot more output in the ldapsearches and the ipa certprofile-show command came back with >>> Profile ID: caIPAserviceCert >>> Profile description: Standard profile for network services >>> Store issued certificates: TRUE >> >> Yes, this is a known issue which has been fixed in the most recent >> FreeIPA releases 4.2.4 and 4.3.1. >> I would recommend to upgrade your system to one of those releases. If this is not feasible, I can send you instructions how to fix the issue manually. >> > >It?s currently at 4.2.0-15.el7.centos.3..would the update 4.2.0-15.0.1.el7.centos.6 have the fix backported? The CentOS and Red Hat updates won't be released before May. The FreeIPA updates are already available: http://www.freeipa.org/page/Releases/4.2.4 http://www.freeipa.org/page/Releases/4.3.1 >Also, should com.netscape.cmscore.profile be changed in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg beforehand? 
This is only necessary if you want to fix it manually. You don't need to change it when you apply the updated packages. Cheers, Thorsten > >Thanks, > >> Cheers, >> Thorsten >> From mkosek at redhat.com Wed Mar 30 12:00:06 2016 From: mkosek at redhat.com (Martin Kosek) Date: Wed, 30 Mar 2016 14:00:06 +0200 Subject: [Freeipa-users] Unable to join FreeIPA client to server In-Reply-To: <25DE3B98-88EA-49C0-A0E6-E37094C1C94A@jisc.ac.uk> References: <25DE3B98-88EA-49C0-A0E6-E37094C1C94A@jisc.ac.uk> Message-ID: <56FBBFC6.3010902@redhat.com> On 03/29/2016 04:42 PM, Adam Bishop wrote: > On 29 Mar 2016, at 14:29, Adam Bishop wrote: >> I could use a bit of help resolving this - full client debug follows. Both systems are running nss 3.19.1 which *should* support TLS1.2., so I'm unsure where to start fixing this. > > Turns out to be a little easier to solve than I thought; the CentOS 6 client was running an older version of NSS than I thought it was. > > ipa-client-3.0.0-47.el6.centos.1.x86_64 defaults to requiring tls1.2 , but does not depend on a version of NSS that actually supports tls1.2. I do not think it *requires* TLS 1.2, rather allows the said range - from TLS 1.0 to 1.2. This is the bug where the change was made: https://bugzilla.redhat.com/show_bug.cgi?id=1154687 If an NSS Requires was not bumped properly (IIRC, we bumped just python-nss Requires), it sounds as a bug. Bugzilla welcome!
Thanks, Martin From jgoddard at emerlyn.com Wed Mar 30 19:09:25 2016 From: jgoddard at emerlyn.com (Jeff Goddard) Date: Wed, 30 Mar 2016 15:09:25 -0400 Subject: [Freeipa-users] DNA plugin undo instructions Message-ID: I followed the same instructions and have the same problem described in this thread: https://www.redhat.com/archives/freeipa-users/2010-June/msg00024.html What I don't find is instructions on how to make changes to my existing dna plugin configuration and how to change the configuration so that dna assigns a consistent sambaGroupType value. I see this: http://www.freeipa.org/page/FreeIPAv2:DNA_plugin_default_configuration but it's deprecated so I don't want to keep shooting my feet :) Can anyone point me in the right direction? Server:Centos7, Freeipa:4.2 Thanks, Jeff From wgraboyes at cenic.org Wed Mar 30 19:48:52 2016 From: wgraboyes at cenic.org (William Graboyes) Date: Wed, 30 Mar 2016 12:48:52 -0700 Subject: [Freeipa-users] 2FA Host based? Message-ID: <56FC2DA4.6090109@cenic.org> Hi All, I have done some searching around, and I am wondering if there is a way to require OTP for certain hosts, and not for others. Example: Let's say that I want foo.example.com to force using 2FA because it is an entry point into the network. However bar.example.com is only used internally, and should not need 2FA authentication. Is there a way to do this with OTP/2FA implementation, or is it only on a user by user basis? Thanks, Bill G. From rcritten at redhat.com Wed Mar 30 19:57:12 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 30 Mar 2016 15:57:12 -0400 Subject: [Freeipa-users] 2FA Host based?
In-Reply-To: <56FC2DA4.6090109@cenic.org> References: <56FC2DA4.6090109@cenic.org> Message-ID: <56FC2F98.7080408@redhat.com> William Graboyes wrote: > Hi All, > > I have done some searching around, and I am wondering if there is a way > to require OTP for certain hosts, and not for others. > > Example: > > Lets say that I want foo.example.com to force using 2FA because it is an > entry point into the network. However bar.example.com is only used > internally, and should not need 2FA authentication. > > Is there a way to do this with OTP/2FA implementation, or is it only on > a user by user basis? Not yet, see https://fedorahosted.org/freeipa/ticket/4875 rob From ftweedal at redhat.com Thu Mar 31 07:41:57 2016 From: ftweedal at redhat.com (Fraser Tweedale) Date: Thu, 31 Mar 2016 17:41:57 +1000 Subject: [Freeipa-users] DNS SubjectAltName missing in provisioned certificates In-Reply-To: <1459106087.18839.25.camel@stefany.eu> References: <1459106087.18839.25.camel@stefany.eu> Message-ID: <20160331074157.GA18277@dhcp-40-8.bne.redhat.com> On Sun, Mar 27, 2016 at 09:14:47PM +0200, Martin ?tefany wrote: > Hello, > > I seem to be having some issues with IPA CA feature not generating > certificates with DNS SubjectAltNames. > > I'm sure this worked very well under CentOS 7.1 / IPA 4.0, but now under > CentOS 7.2 / IPA 4.2 something's different. > > Here are the original steps which worked fine for my first use case :: > > $ ipa dnsrecord-add example.com mail --a-ip=172.17.100.25 > $ ipa host-add mail.example.com > $ ipa service-add?smtp/mail.example.com > $ ipa service-add?smtp/mail1.example.com > $?ipa service-add-host?smtp/mail.example.com --hosts=mail1.example.com > $ ipa-getcert request -k /etc/pki/tls/private/postfix.key \ > ? ? ? ? ? ? ? ? ? ? ? -f /etc/pki/tls/certs/postfix.pem???\ > ? ? ? ? ? ? ? ? ? ? ? -N CN=mail1.example.com,O=EXAMPLE.COM \ > ? ? ? ? ? ? ? ? ? ? ? -D mail1.example.com -D mail.example.com \ > ? ? ? ? ? ? ? ? ? ? ? 
-K smtp/mail1.example.com > (and repeat for every next member of the cluster...) > > After this, I would get certificate with something like :: > $ sudo ipa-getcert list > Number of certificates and requests being tracked: 3. > Request ID '20150419153933': > status: MONITORING > stuck: no > key pair storage: > type=FILE,location='/etc/pki/tls/private/postfix.key' > certificate: type=FILE,location='/etc/pki/tls/certs/postfix.pem' > CA: IPA > issuer: CN=Certificate Authority,O=EXAMPLE.COM > subject: CN=mail1.example.com,O=EXAMPLE.COM > expires: 2017-04-19 15:39:35 UTC > dns: mail1.example.com,mail.example.com > principal name: smtp/mail1.example.com at EXAMPLE.COM > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command:? > post-save command:? > track: yes > auto-renew: yes > > with Subject line in form of: 'CN=,O=EXAMPLE.COM' and 'dns' > info line present. > > Suddenly, in the current setup, after upgrade from 4.0 to 4.2, I'm > getting this :: > > $ ipa dnsrecord-add example.com w3 --a-ip=172.17.17.80 --a-create- > reverse > $ ipa host-add?w3.example.com > $ ipa service-add?HTTP/w3.example.com > $ ipa service-add HTTP/http1.example.com > $ ipa service-add-host?HTTP/w3.example.com --hosts=http1.example.com > $ ipa-getcert request -k /etc/pki/tls/private/httpd.key \ > ? ? ? ? ? ? ? ? ? ? ? -f /etc/pki/tls/certs/httpd.pem???\ > ? ? ? ? ? ? ? ? ? ? ? -N CN=http1.example.com,O=EXAMPLE.COM \ > ? ? ? ? ? ? ? ? ? ? ? -D http1.example.com -D w3.example.com \ > ? ? ? ? ? ? ? ? ? ? ? -K HTTP/http1.example.com > $ sudo ipa-getcert list > Number of certificates and requests being tracked: 3. 
> Request ID '20160327095125': > status: MONITORING > stuck: no > key pair storage: > type=FILE,location='/etc/pki/tls/private/http.key' > certificate: type=FILE,location='/etc/pki/tls/certs/http.pem' > CA: IPA > issuer: CN=Certificate Authority,O=EXAMPLE.COM > subject: CN=http1.example.com,OU=pki-ipa,O=IPA > expires: 2018-03-28 09:51:27 UTC > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command:? > post-save command:? > track: yes > auto-renew: yes > > Where's the 'CN=,OU=pki-ipa,O=IPA' coming from instead of > 'CN=,O=EXAMPLE.COM' and why are DNS SubjectAltNames missing? > > To be clear, if I don't do :: > $ ipa service-add-host?HTTP/w3.example.com --hosts=http1.example.com > > then certificate is just not issued with 'REJECTED', but once this is > done properly in described steps, DNS SANs are not happening. > > I've tried ipa-getcert from both CentOS 7.2 and Fedora 23, but only > against my current IPA 4.2 on CentOS 7.2. > > For the actual certificates :: > $ sudo openssl x509 -in /etc/pki/tls/certs/postfix.pem -noout -text > Certificate: > ????Data: > ????????Version: 3 (0x2) > ????????Serial Number: 15 (0xf) > ????Signature Algorithm: sha256WithRSAEncryption > ????????Issuer: O=EXAMPLE.COM, CN=Certificate Authority > ????????Validity > ????????????Not Before: Apr 19 15:39:35 2015 GMT > ????????????Not After : Apr 19 15:39:35 2017 GMT > ????????Subject: O=EXAMPLE.COM, CN=mail1.example.com > ????????Subject Public Key Info: > ????????????Public Key Algorithm: rsaEncryption > ????????????????Public-Key: (2048 bit) > ????????????????Modulus: > ? ? ? ? ? ? ? ? ? ? [cut] > ????????????????Exponent: 65537 (0x10001) > ????????X509v3 extensions: > ????????????X509v3 Authority Key Identifier:? > ????????????????keyid:[cut] > > ????????????Authority Information Access:? 
> ????????????????OCSP - URI:http://ipa-ca.example.com/ca/ocsp > > ????????????X509v3 Key Usage: critical > ????????????????Digital Signature, Non Repudiation, Key Encipherment, > Data Encipherment > ????????????X509v3 Extended Key Usage:? > ????????????????TLS Web Server Authentication, TLS Web Client > Authentication > ????????????X509v3 CRL Distribution Points:? > > ????????????????Full Name: > ??????????????????URI:http://ipa-ca.example.com/ipa/crl/MasterCRL.bin > ????????????????CRL Issuer: > ??????????????????DirName: O = ipaca, CN = Certificate Authority > > ????????????X509v3 Subject Key Identifier:? > ????????????????[cut] > ????????????X509v3 Subject Alternative Name:? > ????????????????DNS:mail1.example.com, DNS:mail.example.com, > othername:, othername: > ????Signature Algorithm: sha256WithRSAEncryption > ? ? ? ? ?[cut] > > vs. > > $ sudo openssl x509 -in /etc/pki/tls/certs/http.pem -text -noout > Certificate: > ????Data: > ????????Version: 3 (0x2) > ????????Serial Number: 71 (0x47) > ????Signature Algorithm: sha256WithRSAEncryption > ????????Issuer: O=EXAMPLE.COM, CN=Certificate Authority > ????????Validity > ????????????Not Before: Mar 27 09:51:27 2016 GMT > ????????????Not After : Mar 28 09:51:27 2018 GMT > ????????Subject: O=IPA, OU=pki-ipa, CN=http1.example.com > ????????Subject Public Key Info: > ????????????Public Key Algorithm: rsaEncryption > ????????????????Public-Key: (2048 bit) > ????????????????Modulus: > ? ? ? ? ? ? ? ? ? ? [cut] > ????????????????Exponent: 65537 (0x10001) > ????????X509v3 extensions: > ????????????X509v3 Authority Key Identifier:? > ????????????????keyid:[cut] > > ????????????Authority Information Access:? > ????????????????OCSP - URI:http://idmc1.example.com:80/ca/ocsp > > ????????????X509v3 Key Usage: critical > ????????????????Digital Signature, Non Repudiation, Key Encipherment, > Data Encipherment > ????????????X509v3 Extended Key Usage:? 
> ????????????????TLS Web Server Authentication, TLS Web Client > Authentication > ????Signature Algorithm: sha256WithRSAEncryption > ? ? ? ? ?[cut] > > so even reference to CRL is missing here, but OCSP is present. > > > Sorry if this is duplicate, but from what I was able to find, DNS > SubjectAltNames are reported working since CentOS 7.1, and I think I'm > consistent with?http://www.freeipa.org/page/PKI, unless I miss something > obvious here. > > For new features like certificate profiles and ACLs, I haven't changed > any defaults as far as I know as there was no need for that. > > > Thank you for any support in advance! And Happy Easter! > > Martin Hi Martin, Thanks for the detailed info. Could you please provide the Dogtag configuration for the default profile, `caIPAserviceCert'? ipa certprofile-show --out caIPAserviceCert.cfg caIPAserviceCert (Then provide the contents of caIPAserviceCert.cfg) Could you also provide the contents of file `/etc/pki/pki-tomcat/ca/CS.cfg'? Regards, Fraser From peljasz at yahoo.co.uk Thu Mar 31 08:40:01 2016 From: peljasz at yahoo.co.uk (lejeczek) Date: Thu, 31 Mar 2016 09:40:01 +0100 Subject: [Freeipa-users] control (auth) over part(s) of a forest/domain Message-ID: <56FCE261.50203@yahoo.co.uk> hi everybody I'm still new to this complex concept of cross-trust & domains, I wonder... Would having own OU inside a win domain be any good in terms of controlling/allowing access to IPA boxes? Or... probably best would be if I put it this way - if you want to plug yourself in, with your IPA domain, into a win AD (you could only have the authority over your own OU) and you have a bunch of people you look after (whose accounts exist already in AD) and they all (almost) use poor windows and they need to use your IPA linuxes (mostly samba but not only) then... how do you go about it? for your thoughts & advices many thanks L. 
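For the "DNS SubjectAltName missing in provisioned certificates" thread, an added example (not code from any poster, FreeIPA or certmonger): a Python check that parses `ipa-getcert list` output and flags tracked certificates whose subject or DNS SANs differ from what was requested. The sample output is constructed from the listings quoted in the thread; `REQUESTED`, the expected organisation argument and the function names are assumptions of this example.

```python
import re

# Constructed sample, modelled on the two `ipa-getcert list` entries quoted in
# the thread: one issued as requested, one issued with the wrong subject/SANs.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20150419153933':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=FILE,location='/etc/pki/tls/certs/postfix.pem'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.COM
\tsubject: CN=mail1.example.com,O=EXAMPLE.COM
\texpires: 2017-04-19 15:39:35 UTC
\tdns: mail1.example.com,mail.example.com
\ttrack: yes
Request ID '20160327095125':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=FILE,location='/etc/pki/tls/certs/http.pem'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.COM
\tsubject: CN=http1.example.com,OU=pki-ipa,O=IPA
\texpires: 2018-03-28 09:51:27 UTC
\ttrack: yes
"""

# Assumption: the DNS names passed with -D at request time, keyed by subject CN.
REQUESTED = {
    "mail1.example.com": {"mail1.example.com", "mail.example.com"},
    "http1.example.com": {"http1.example.com", "w3.example.com"},
}

REQUEST_RE = re.compile(r"^Request ID '([^']+)':\s*$")


def parse_getcert_list(text):
    """Return one dict per tracked request, keyed by the field names shown."""
    requests, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        match = REQUEST_RE.match(line)
        if match:
            current = {"id": match.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            # Split on the first colon only, so timestamps stay intact.
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return requests


def parse_dn(dn):
    """Naive DN split; assumes no escaped commas, as in the DNs shown here."""
    attrs = {}
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        if value:
            attrs.setdefault(attr.strip().upper(), []).append(value.strip())
    return attrs


def audit(requests, expected_org, requested_dns):
    """Map request ID -> list of deviations from the requested certificate."""
    findings = {}
    for req in requests:
        problems = []
        subject = parse_dn(req.get("subject", ""))
        cn = (subject.get("CN") or [""])[0]
        orgs = subject.get("O", [])
        if orgs != [expected_org]:
            problems.append("subject O is %s, expected %s"
                            % ("/".join(orgs) or "absent", expected_org))
        extra = sorted(set(subject) - {"CN", "O"})
        if extra:
            problems.append("unexpected subject attributes: " + ",".join(extra))
        issued = {n.strip() for n in req.get("dns", "").split(",") if n.strip()}
        missing = sorted(set(requested_dns.get(cn, ())) - issued)
        if missing:
            problems.append("missing DNS SANs: " + ",".join(missing))
        if problems:
            findings[req["id"]] = problems
    return findings


if __name__ == "__main__":
    for req_id, problems in audit(parse_getcert_list(SAMPLE),
                                  "EXAMPLE.COM", REQUESTED).items():
        print(req_id, "; ".join(problems))
```

Both requests report `status: MONITORING`, so the tracking status alone does not reveal a certificate issued without the requested names.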
From ftweedal at redhat.com Thu Mar 31 09:56:59 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Thu, 31 Mar 2016 19:56:59 +1000
Subject: [Freeipa-users] DNS SubjectAltName missing in provisioned certificates - private files
In-Reply-To: <20160331074920.BD9214120ED@idmc1.stefany.eu>
References: <20160331074920.BD9214120ED@idmc1.stefany.eu>
Message-ID: <20160331095658.GB18277@dhcp-40-8.bne.redhat.com>

On Thu, Mar 31, 2016 at 09:49:20AM +0200, Martin Štefany wrote:
> Hello Fraser,
>
> here are the files for real, thank you for help.
>
> Martin
>
Thanks Martin,

So what appears to have happened is somehow the default profile
`caIPAserviceCert`, which is shipped with Dogtag, was imported into
LDAP instead of the version shipped with IPA. I do not know how
this might have occurred - it will help to know the history of your
installation e.g. was it a fresh install, upgrade from a Centos/RHEL
7.1, migration (ipa-replica-install) of an earlier version, etc.

In any case, how to resolve? You can import a corrected version of
the profile. I have attached an example config, but you should
check it to make sure it is what you want; in particular check the
following values:

    policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, O=EXAMPLE.COM
    policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://ipa-ca.example.com/ca/ocsp
    policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://ipa-ca.example.com/ipa/crl/MasterCRL.bin
    policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=CN=Certificate Authority,o=ipaca

You can update the profile with the new profile data by executing:

    ipa certprofile-mod caIPAserviceCert --file=/path/to/caIPAserviceCert.cfg

Hopefully this fixes the issue.

A fallback suggestion: if the above command fails, and if `ipa
certprofile-find` shows no objects, then you may be able to resolve
the issue by setting, in `/etc/pki/pki-tomcat/ca/CS.cfg`:

    subsystem.1.class=com.netscape.cmscore.profile.ProfileSubsystem

and then running `ipa-server-upgrade` manually.

I am on PTO tomorrow but look forward to learning on Monday how you
fared. Others may be able to help in the meantime.

Cheers,
Fraser
-------------- next part --------------
profileId=caIPAserviceCert
classId=caEnrollImpl
desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
visible=false
enable=true
enableBy=admin
auth.instance_id=raCertAuth
name=IPA-RA Agent-Authenticated Server Certificate Enrollment
input.list=i1,i2
input.i1.class_id=certReqInputImpl
input.i2.class_id=submitterInfoInputImpl
output.list=o1
output.o1.class_id=certOutputImpl
policyset.list=serverCertSet
policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.serverCertSet.1.constraint.name=Subject Name Constraint
policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
policyset.serverCertSet.1.constraint.params.accept=true
policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
policyset.serverCertSet.1.default.name=Subject Name Default
policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, O=EXAMPLE.COM
policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
policyset.serverCertSet.2.constraint.name=Validity Constraint
policyset.serverCertSet.2.constraint.params.range=740
policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
policyset.serverCertSet.2.constraint.params.notAfterCheck=false
policyset.serverCertSet.2.default.class_id=validityDefaultImpl
policyset.serverCertSet.2.default.name=Validity Default
policyset.serverCertSet.2.default.params.range=731
policyset.serverCertSet.2.default.params.startTime=0
policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
policyset.serverCertSet.3.constraint.name=Key Constraint
policyset.serverCertSet.3.constraint.params.keyType=RSA
policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
policyset.serverCertSet.3.default.name=Key Default
policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
policyset.serverCertSet.4.constraint.name=No Constraint
policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
policyset.serverCertSet.4.default.name=Authority Key Identifier Default
policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
policyset.serverCertSet.5.constraint.name=No Constraint
policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
policyset.serverCertSet.5.default.name=AIA Extension Default
policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://ipa-ca.example.com/ca/ocsp
policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
policyset.serverCertSet.6.default.name=Key Usage Default
policyset.serverCertSet.6.default.params.keyUsageCritical=true
policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
policyset.serverCertSet.7.constraint.name=No Constraint
policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
policyset.serverCertSet.8.constraint.name=No Constraint
policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
policyset.serverCertSet.8.default.name=Signing Alg
policyset.serverCertSet.8.default.params.signingAlg=-
policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
policyset.serverCertSet.9.constraint.name=No Constraint
policyset.serverCertSet.9.default.class_id=crlDistributionPointsExtDefaultImpl
policyset.serverCertSet.9.default.name=CRL Distribution Points Extension Default
policyset.serverCertSet.9.default.params.crlDistPointsCritical=false
policyset.serverCertSet.9.default.params.crlDistPointsNum=1
policyset.serverCertSet.9.default.params.crlDistPointsEnable_0=true
policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=CN=Certificate Authority,o=ipaca
policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName
policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://ipa-ca.example.com/ipa/crl/MasterCRL.bin
policyset.serverCertSet.9.default.params.crlDistPointsPointType_0=URIName
policyset.serverCertSet.9.default.params.crlDistPointsReasons_0=
policyset.serverCertSet.10.constraint.class_id=noConstraintImpl
policyset.serverCertSet.10.constraint.name=No Constraint
policyset.serverCertSet.10.default.class_id=subjectKeyIdentifierExtDefaultImpl
policyset.serverCertSet.10.default.name=Subject Key Identifier Extension Default
policyset.serverCertSet.10.default.params.critical=false
policyset.serverCertSet.11.constraint.class_id=noConstraintImpl
policyset.serverCertSet.11.constraint.name=No Constraint
policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.11.default.name=User Supplied Extension Default
policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17

From martin at stefany.eu Thu Mar 31 11:51:27 2016
From: martin at stefany.eu (martin at stefany.eu)
Date: Thu, 31 Mar 2016 13:51:27 +0200
Subject: [Freeipa-users] DNS SubjectAltName missing in provisioned certificates - private files
In-Reply-To: <20160331095658.GB18277@dhcp-40-8.bne.redhat.com>
References: <20160331074920.BD9214120ED@idmc1.stefany.eu> <20160331095658.GB18277@dhcp-40-8.bne.redhat.com>
Message-ID: <968ddc96c5080e5f43975a123baad7df@stefany.eu>

On 2016-03-31 11:56, Fraser Tweedale wrote:
> On Thu, Mar 31, 2016 at 09:49:20AM +0200, Martin Štefany wrote:
>> Hello Fraser,
>>
>> here are the files for real, thank you for help.
>>
>> Martin
>>
> Thanks Martin,
>
> So what appears to have happened is somehow the default profile
> `caIPAserviceCert`, which is shipped with Dogtag, was imported into
> LDAP instead of the version shipped with IPA. I do not know how
> this might have occurred - it will help to know the history of your
> installation e.g. was it a fresh install, upgrade from a Centos/RHEL
> 7.1, migration (ipa-replica-install) of an earlier version, etc.
>
> In any case, how to resolve? You can import a corrected version of
> the profile. I have attached an example config, but you should
> check it to make sure it is what you want; in particular check the
> following values:
>
>
> policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$,
> O=EXAMPLE.COM
>
>
> policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://ipa-ca.example.com/ca/ocsp
>
>
> policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://ipa-ca.example.com/ipa/crl/MasterCRL.bin
>
>
> policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=CN=Certificate
> Authority,o=ipaca
>
> You can update the profile with the new profile data by executing:
>
> ipa certprofile-mod caIPAserviceCert
> --file=/path/to/caIPAserviceCert.cfg
>
> Hopefully this fixes the issue.
>
> A fallback suggestion: if the above command fails, and if `ipa
> certprofile-find` shows no objects, then you may be able to resolve
> the issue by setting, in `/etc/pki/pki-tomcat/ca/CS.cfg`:
>
> subsystem.1.class=com.netscape.cmscore.profile.ProfileSubsystem
>
> and then running `ipa-server-upgrade` manually.
>
> I am on PTO tomorrow but look forward to learning on Monday how you
> fared. Others may be able to help in the meantime.
>
> Cheers,
> Fraser

Hello Fraser,

yes, that solves the issue. 'ipa certprofile-mod caIPAserviceCert
--file=/path/to/caIPAserviceCert.cfg' was successful, and newly issued
certificate is with correct attributes as before.

# ipa-getcert request -k /etc/pki/tls/private/http.key -f /etc/pki/tls/certs/http.pem -N CN=$(hostname -f) -D $(hostname -f) -D www.example.com -K HTTP/$(hostname -f)
# ipa-getcert list
Number of certificates and requests being tracked: 1.
Request ID '20160331113029':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/etc/pki/tls/private/http.key'
        certificate: type=FILE,location='/etc/pki/tls/certs/http.pem'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=http2.example.com,O=EXAMPLE.COM
        expires: 2018-04-01 11:30:33 UTC
        dns: http2.example.com,www.example.com
        principal name: HTTP/http2.example.com at EXAMPLE.COM
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

Great job!

The history would be:
- idmc1 was installed first on CentOS 7.1 as IPA 4.0
- replica file was created from this idmc1 and replica was provisioned
  as idmc2 again on CentOS 7.1 as IPA 4.0
- upon release of CentOS 7.2, idmc2 was "yum" upgraded to CentOS 7.2 /
  FreeIPA 4.2, everything was OK, so
- idmc1 was "yum" upgraded to CentOS 7.2 / FreeIPA 4.2
- time flies...
- recently I've created another replica file from idmc1 for idmc3 and
  replica idmc3 was provisioned on fresh CentOS 7.2 / IPA 4.2, and this
  might have been the moment when something got broken. :(
- http1, http2, etc. were provisioned only after idmc3 was deployed

Thank you for the steps! I will also mail you ipa-server install/upgrade
logs from all three systems in separate mail, if you don't mind, to try
to see what exactly happened.

btw, after I executed 'ipa certprofile-mod caIPAserviceCert
--file=/path/to/caIPAserviceCert.cfg', certmonger stopped to see/track
all 'CN=*,OU=pki-ipa,O=IPA' certificates and reported 'Number of
certificates and requests being tracked: 0.', but I was going to
re-provision the certificates anyway.

Enjoy your longer weekend!

Regards,
Martin

From craig.mcniel at pearson.com Thu Mar 31 14:09:23 2016
From: craig.mcniel at pearson.com (McNiel, Craig)
Date: Thu, 31 Mar 2016 09:09:23 -0500
Subject: [Freeipa-users] Install/promote new CA old one corrupted before backups
Message-ID:

I was installing a 7 host IPA with ipa01 being the CA and the others
being replicas of this node. This was to be the production installation
of IPA and the admins/users started using it prior to the installation
being completed and before I had snapshots/backup created of the
servers. The ipa01 host disk was corrupted so I no longer have a CA just
the other 6 nodes.

How can I install/promote or otherwise recreate the CA?

I have looked online for instructions but, I run into issues almost
immediately with the accuracy for the version I'm using in the
documentation as many of the files it indicates need updates don't even
exist.

Thanks

ipa-python-4.2.0-15.el7.centos.3.x86_64
ipa-admintools-4.2.0-15.el7.centos.3.x86_64
ipa-server-dns-4.2.0-15.el7.centos.3.x86_64
sssd-ipa-1.13.0-40.el7_2.1.x86_64
ipa-server-4.2.0-15.el7.centos.3.x86_64
libipa_hbac-1.13.0-40.el7_2.1.x86_64
ipa-client-4.2.0-15.el7.centos.3.x86_64
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From Dennis.Ott at mckesson.com Thu Mar 31 19:07:40 2016
From: Dennis.Ott at mckesson.com (Ott, Dennis)
Date: Thu, 31 Mar 2016 19:07:40 +0000
Subject: [Freeipa-users] 7.x replica install from 6.x master fails
In-Reply-To: <56FA5C2F.3070200@redhat.com>
References: <56FA5C2F.3070200@redhat.com>
Message-ID:

Petr,

Original 6.x master installed at:

ipa-server-2.1.3-9
pki-ca-9.0.3-20

At the time the migration was attempted, the 6.x master had been updated to:

ipa-server-3.0.0-47
pki-ca-9.0.3-45

The 7.x replica install has been attempted using a variety of versions.
The log excerpts at the beginning of this email were from an
installation attempt using:

ipa-server-4.2.0-15.0.1
pki-ca-10.2.5-6

It's a standard CA installation. This line is from
/var/log/ipaserverinstall.log showing selfsign as False:

2013-09-04T18:41:20Z DEBUG /usr/sbin/ipa-server-install was invoked with options: {'zone_refresh': 0, 'reverse_zone': None, 'realm_name': None, 'create_sshfp': True, 'conf_sshd': False, 'conf_ntp': False, 'subject': None, 'no_forwarders': False, 'persistent_search': True, 'ui_redirect': True, 'domain_name': None, 'idmax': 0, 'hbac_allow': True, 'no_reverse': False, 'dirsrv_pkcs12': None, 'unattended': False, 'selfsign': False, 'trust_sshfp': False, 'external_ca_file': None, 'no_host_dns': False, 'http_pkcs12': None, 'zone_notif': False, 'forwarders': None, 'idstart': 900000000, 'external_ca': False, 'ip_address': None, 'conf_ssh': False, 'serial_autoincrement': True, 'zonemgr': None, 'setup_dns': False, 'host_name': None, 'debug': False, 'external_cert_file': None, 'uninstall': False}
2013-09-04T18:41:20Z DEBUG missing options might be asked for interactively later

-----Original Message-----
From: Petr Vobornik [mailto:pvoborni at redhat.com]
Sent: Tuesday, March 29, 2016 6:43 AM
To: Ott, Dennis; Freeipa-users at redhat.com
Subject: Re: [Freeipa-users] 7.x replica install from 6.x master fails

On 03/24/2016 04:29 PM, Ott, Dennis wrote:
> I am trying to migrate from OS 6.x / IPA 3.0 to OS 7.x / IPA 4.x.
> After working through and solving a few issues, my current efforts
> fail when setting up the replica CA.
>
> If I set up a new, pristine master on OS 6.7, I am able to create an
> OS 7.x replica without any problem. However, if I try to create a
> replica from my two year old test lab instance (production will be
> another matter for the future) it fails. The test lab master was
> created a couple of years ago on OS 6.3 / IPA 2.x and has been
> upgraded to the latest versions in the 6.x chain. It is old enough to
> have had all the certificates renewed, but I believe I have worked through all the issues related to that.
>
> Below is what I believe are the useful portions of the pertinent logs.
> I've not been able to find anything online that speaks to the errors I
> am seeing
>
> Thanks for your help.

Hello Dennis,

what are the exact versions of pki-ca and ipa-server on the 6.x master
and 7.x replica?

What kind of CA installation does the old 6.x master install have? Is
standard installation with CA or does it also use external CA?

I assume it is not self-sign (very old unsupported type, which could be
converted in 7.x as CA-less).

>
> /var/log/ipareplica-install.log
>
> 2016-03-23T21:55:11Z DEBUG Configuring certificate server (pki-tomcatd).
> Estimated time: 3 minutes 30 seconds > > 2016-03-23T21:55:11Z DEBUG [1/23]: creating certificate server user > > 2016-03-23T21:55:11Z DEBUG group pkiuser exists > > 2016-03-23T21:55:11Z DEBUG user pkiuser exists > > 2016-03-23T21:55:11Z DEBUG duration: 0 seconds > > 2016-03-23T21:55:11Z DEBUG [2/23]: configuring certificate server instance > > 2016-03-23T21:55:11Z DEBUG Loading StateFile from > '/var/lib/ipa/sysrestore/sysrestore.state' > > 2016-03-23T21:55:11Z DEBUG Saving StateFile to > '/var/lib/ipa/sysrestore/sysrestore.state' > > 2016-03-23T21:55:11Z DEBUG Contents of pkispawn configuration file (/tmp/tmpGQ59ZC): > > [CA] > > pki_security_domain_name = IPA > > pki_enable_proxy = True > > pki_restart_configured_instance = False > > pki_backup_keys = True > > pki_backup_password = XXXXXXXX > > pki_profiles_in_ldap = True > > pki_client_database_dir = /tmp/tmp-g0CKZ3 > > pki_client_database_password = XXXXXXXX > > pki_client_database_purge = False > > pki_client_pkcs12_password = XXXXXXXX > > pki_admin_name = admin > > pki_admin_uid = admin > > pki_admin_email = root at localhost > > pki_admin_password = XXXXXXXX > > pki_admin_nickname = ipa-ca-agent > > pki_admin_subject_dn = cn=ipa-ca-agent,O=EXAMPLE.COM > > pki_client_admin_cert_p12 = /root/ca-agent.p12 > > pki_ds_ldap_port = 389 > > pki_ds_password = XXXXXXXX > > pki_ds_base_dn = o=ipaca > > pki_ds_database = ipaca > > pki_subsystem_subject_dn = cn=CA Subsystem,O=EXAMPLE.COM > > pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O=EXAMPLE.COM > > pki_ssl_server_subject_dn = cn=pt-idm-vm01.example.com,O=EXAMPLE.COM > > pki_audit_signing_subject_dn = cn=CA Audit,O=EXAMPLE.COM > > pki_ca_signing_subject_dn = cn=Certificate Authority,O=EXAMPLE.COM > > pki_subsystem_nickname = subsystemCert cert-pki-ca > > pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca > > pki_ssl_server_nickname = Server-Cert cert-pki-ca > > pki_audit_signing_nickname = auditSigningCert cert-pki-ca > > pki_ca_signing_nickname = 
caSigningCert cert-pki-ca > > pki_ca_signing_key_algorithm = SHA256withRSA > > pki_security_domain_hostname = ptipa1.example.com > > pki_security_domain_https_port = 443 > > pki_security_domain_user = admin > > pki_security_domain_password = XXXXXXXX > > pki_clone = True > > pki_clone_pkcs12_path = /tmp/ca.p12 > > pki_clone_pkcs12_password = XXXXXXXX > > pki_clone_replication_security = TLS > > pki_clone_replication_master_port = 7389 > > pki_clone_replication_clone_port = 389 > > pki_clone_replicate_schema = False > > pki_clone_uri = > http://cp.mcafee.com/d/k-Kr6zqb3VEVjouhuodCQkkQnCkTTQjqaaqbParza9ISrdG > Sa_iBosKrKVXMGgog82KA1N1BeTyH93t5m7hOoHH3b8GOxvQd8e89K8CPpISr9PCJhbcmD > 9rkuYf21_YLxIbve9Ew3di5oMAld41EYmcR8lz2gazW1fpYKqfzqaabyr1I5-Aq83iSbN_ > VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh0VMuq85tFfUCy1Tp7QdK8CQPrNKVJ > USyrh > > 2016-03-23T21:55:11Z DEBUG Starting external process > > 2016-03-23T21:55:11Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpGQ59ZC' > > 2016-03-23T21:56:51Z DEBUG Process finished, return code=1 > > 2016-03-23T21:56:51Z DEBUG stdout=Log file: > /var/log/pki/pki-ca-spawn.20160323175511.log > > Loading deployment configuration from /tmp/tmpGQ59ZC. > > Installing CA into /var/lib/pki/pki-tomcat. > > Storing deployment configuration into > /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg. > > Installation failed. > > 2016-03-23T21:56:51Z DEBUG > stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: > InsecureRequestWarning: Unverified HTTPS request is being made. Adding > certificate verification is strongly advised. See: > http://cp.mcafee.com/d/5fHCNAi6hESyM-qekS7AnC3pJ55d5VBdZZ4SyyCyYOCUOyr > dCPqJyLQFm7bCXKuYaA6420HF0sgpjJUGOgThlxQsCaWMOOaIEnZ3i3y2ry9ISrdCOsVHk > iP6UDDO8cZ7ZgCjZ2JGs01PUovI_FfavpKcFBK1NIbve9Ew3di5oMAld41EYmcR8lz2gaz > W1fpYKqfzqaabyr1I5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh0 > VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh > > InsecureRequestWarning) > > pkispawn : WARNING ....... 
unable to validate security domain user/password > through REST interface. Interface not available > > pkispawn : ERROR ....... Exception from Java Configuration Servlet: 500 > Server Error: Internal Server Error > > pkispawn : ERROR ....... ParseError: not well-formed (invalid token): line > 1, column 0: > {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base. > PKIException","Code":500,"Message":"Error > while updating security domain: java.io.IOException: 2"} > > 2016-03-23T21:56:51Z CRITICAL Failed to configure CA instance: Command > ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpGQ59ZC'' returned > non-zero exit status 1 > > 2016-03-23T21:56:51Z CRITICAL See the installation logs and the > following files/directories for more information: > > 2016-03-23T21:56:51Z CRITICAL /var/log/pki-ca-install.log > > 2016-03-23T21:56:51Z CRITICAL /var/log/pki/pki-tomcat > > 2016-03-23T21:56:51Z DEBUG Traceback (most recent call last): > > File > "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line > 418, in start_creation > > run_step(full_msg, method) > > File > "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line > 408, in run_step > > method() > > File > "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", > line 620, in __spawn_instance > > DogtagInstance.spawn_instance(self, cfg_file) > > File > "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py" > , > line 201, in spawn_instance > > self.handle_setup_error(e) > > File > "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py" > , > line 465, in handle_setup_error > > raise RuntimeError("%s configuration failed." % self.subsystem) > > RuntimeError: CA configuration failed. > > 2016-03-23T21:56:51Z DEBUG [error] RuntimeError: CA configuration failed. 
> > 2016-03-23T21:56:51Z DEBUG File > "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, > in execute > > return_value = self.run() > > File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", > line 311, in run > > cfgr.run() > > File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", > line 281, in run > > self.execute() > > File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", > line 303, in execute > > for nothing in self._executor(): > > File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", > line 343, in __runner > > self._handle_exception(exc_info) > > File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", > line 365, in _handle_exception > > util.raise_exc_info(exc_info) > > File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", > line 333, in __runner > > step() > > File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", > line 87, in run_generator_with_yield_from > > raise_exc_info(exc_info) > > File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", > line 65, in run_generator_with_yield_from > > value = gen.send(prev_value) > > File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", > line 524, in _configure > > executor.next() > > File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", > line 343, in __runner > > self._handle_exception(exc_info) > > File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", > line 421, in _handle_exception > > self.__parent._handle_exception(exc_info) > > File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", > line 365, in _handle_exception > > util.raise_exc_info(exc_info) > > File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", > line 418, in _handle_exception > > super(ComponentBase, self)._handle_exception(exc_info) > > File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", > line 365, in _handle_exception > > util.raise_exc_info(exc_info) 
> > File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", > line 333, in __runner > > step() > > File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", > line 87, in run_generator_with_yield_from > > raise_exc_info(exc_info) > > File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", > line 65, in run_generator_with_yield_from > > value = gen.send(prev_value) > > File > "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line > 63, in _install > > for nothing in self._installer(self.parent): > > File > "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainst > all.py", > line 879, in main > > install(self) > > File > "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainst > all.py", > line 295, in decorated > > func(installer) > > File > "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainst > all.py", > line 584, in install > > ca.install(False, config, options) > > File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", > line 106, in install > > install_step_0(standalone, replica_config, options) > > File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", > line 130, in > install_step_0 > > ra_p12=getattr(options, 'ra_p12', None)) > > File > "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", > line 1543, in install_replica_ca > > subject_base=config.subject_base) > > File > "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", > line 486, in configure_instance > > self.start_creation(runtime=210) > > File > "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line > 418, in start_creation > > run_step(full_msg, method) > > File > "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line > 408, in run_step > > method() > > File > "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", > line 620, in __spawn_instance > > DogtagInstance.spawn_instance(self, cfg_file) > > File > 
"/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py" > , > line 201, in spawn_instance > > self.handle_setup_error(e) > > File > "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py" > , > line 465, in handle_setup_error > > raise RuntimeError("%s configuration failed." % self.subsystem) > > 2016-03-23T21:56:51Z DEBUG The ipa-replica-install command failed, exception: > RuntimeError: CA configuration failed. > > 2016-03-23T21:56:51Z ERROR CA configuration failed. > > /var/log/pki/pki-ca-spawn..log > > 2016-03-23 17:55:12 pkispawn : INFO ....... rm -f > /etc/pki/pki-tomcat/ca/noise > > 2016-03-23 17:55:12 pkispawn : INFO ....... rm -f /etc/pki/pki-tomcat/pfile > > 2016-03-23 17:55:12 pkispawn : INFO ....... ln -s > /lib/systemd/system/pki-tomcatd at .service > /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd at pki-tomcat.se > rvice > > 2016-03-23 17:55:12 pkispawn : DEBUG ........... chown -h 17:17 > /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd at pki-tomcat.se > rvice > > 2016-03-23 17:55:12 pkispawn : INFO ... configuring > 'pki.server.deployment.scriptlets.configuration' > > 2016-03-23 17:55:12 pkispawn : INFO ....... mkdir -p > /root/.dogtag/pki-tomcat/ca > > 2016-03-23 17:55:12 pkispawn : DEBUG ........... chmod 755 > /root/.dogtag/pki-tomcat/ca > > 2016-03-23 17:55:12 pkispawn : DEBUG ........... chown 0:0 > /root/.dogtag/pki-tomcat/ca > > 2016-03-23 17:55:12 pkispawn : INFO ....... generating > '/root/.dogtag/pki-tomcat/ca/password.conf' > > 2016-03-23 17:55:12 pkispawn : INFO ....... modifying > '/root/.dogtag/pki-tomcat/ca/password.conf' > > 2016-03-23 17:55:12 pkispawn : DEBUG ........... chmod 660 > /root/.dogtag/pki-tomcat/ca/password.conf > > 2016-03-23 17:55:12 pkispawn : DEBUG ........... chown 0:0 > /root/.dogtag/pki-tomcat/ca/password.conf > > 2016-03-23 17:55:12 pkispawn : INFO ....... 
generating > '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf' > > 2016-03-23 17:55:12 pkispawn : INFO ....... modifying > '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf' > > 2016-03-23 17:55:12 pkispawn : DEBUG ........... chmod 660 > /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf > > 2016-03-23 17:55:12 pkispawn : DEBUG ........... chown 17:17 > /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf > > 2016-03-23 17:55:12 pkispawn : INFO ....... executing 'certutil -N -d > /tmp/tmp-g0CKZ3 -f /root/.dogtag/pki-tomcat/ca/password.conf' > > 2016-03-23 17:55:12 pkispawn : INFO ....... executing 'systemctl > daemon-reload' > > 2016-03-23 17:55:12 pkispawn : INFO ....... executing 'systemctl start > pki-tomcatd at pki-tomcat.service' > > 2016-03-23 17:55:12 pkispawn : DEBUG ........... No connection - server > may still be down > > 2016-03-23 17:55:12 pkispawn : DEBUG ........... No connection - exception > thrown: ('Connection aborted.', error(111, 'Connection refused')) > > 2016-03-23 17:55:13 pkispawn : DEBUG ........... No connection - server > may still be down > > 2016-03-23 17:55:13 pkispawn : DEBUG ........... No connection - exception > thrown: ('Connection aborted.', error(111, 'Connection refused')) > > 2016-03-23 17:55:24 pkispawn : DEBUG ........... encoding="UTF-8" > standalone="no"?>0CAr > unning10.2.5-6.el7 > > 2016-03-23 17:55:25 pkispawn : INFO ....... constructing PKI > configuration data. > > 2016-03-23 17:55:25 pkispawn : INFO ....... configuring PKI configuration > data. > > 2016-03-23 17:56:51 pkispawn : ERROR ....... Exception from Java > Configuration Servlet: 500 Server Error: Internal Server Error > > 2016-03-23 17:56:51 pkispawn : ERROR ....... ParseError: not well-formed > (invalid token): line 1, column 0: > {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base. > PKIException","Code":500,"Message":"Error > while updating security domain: java.io.IOException: 2"} > > 2016-03-23 17:56:51 pkispawn : DEBUG ....... 
Error Type: ParseError > > 2016-03-23 17:56:51 pkispawn : DEBUG ....... Error Message: not > well-formed (invalid token): line 1, column 0 > > 2016-03-23 17:56:51 pkispawn : DEBUG ....... File "/usr/sbin/pkispawn", > line 597, in main > > rv = instance.spawn(deployer) > > File > "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/con > figuration.py", > line 116, in spawn > > json.dumps(data, cls=pki.encoder.CustomTypeEncoder)) > > File > "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", > line 3906, in configure_pki_data > > root = ET.fromstring(e.response.text) > > File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1300, > in XML > > parser.feed(text) > > File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1642, > in feed > > self._raiseerror(v) > > File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1506, > in _raiseerror > > raise err > > /var/log/pki/pki-tomcat/ca/debug > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: password > ok: store in memory cache > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init ends > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: init: before > makeConnection errorIfDown is false > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: makeConnection: > errorIfDown false > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Established LDAP > connection using basic authentication to host pt-idm-vm01.example.com > port 389 as cn=Directory Manager > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: initializing with > mininum 3 and maximum 15 connections to host pt-idm-vm01.example.com > port 389, secure connection, false, authentication type 1 > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: increasing minimum > connections by 3 > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new total available > connections 3 > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new number of > connections 3 > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: In > 
LdapBoundConnFactory::getConn() > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: masterConn is connected: > true > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: conn is > connected true > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: mNumConns now 2 > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS: > param=preop.internaldb.manager_ldif > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif file > = /usr/share/pki/server/conf/manager.ldif > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif file > copy to /var/lib/pki/pki-tomcat/ca/conf/manager.ldif > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): LDAP > Errors in importing /var/lib/pki/pki-tomcat/ca/conf/manager.ldif > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LDAPUtil:importLDIF: > exception in adding entry > ou=csusers,cn=config:netscape.ldap.LDAPException: error result (68) > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LDAPUtil:importLDIF: > exception in modifying entry o=ipaca:netscape.ldap.LDAPException: > error result (20) > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: populateVLVIndexes(): > start > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Creating > LdapBoundConnFactor(ConfigurationUtils) > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapBoundConnFactory: > init > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: > LdapBoundConnFactory:doCloning true > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init() > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init > begins > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: > prompt is internaldb > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: try > getting from memory cache > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: got > password from memory > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: > password found for prompt. 
> > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: password > ok: store in memory cache > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init ends > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: init: before > makeConnection errorIfDown is false > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: makeConnection: > errorIfDown false > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Established LDAP > connection using basic authentication to host pt-idm-vm01.example.com > port 389 as cn=Directory Manager > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: initializing with > mininum 3 and maximum 15 connections to host pt-idm-vm01.example.com > port 389, secure connection, false, authentication type 1 > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: increasing minimum > connections by 3 > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new total available > connections 3 > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new number of > connections 3 > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: In > LdapBoundConnFactory::getConn() > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: masterConn is connected: > true > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: conn is > connected true > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: mNumConns now 2 > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS: > param=preop.internaldb.post_ldif > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif file > = /usr/share/pki/ca/conf/vlv.ldif > > [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif file > copy to /var/lib/pki/pki-tomcat/ca/conf/vlv.ldif > > [23/Mar/2016:17:56:46][http-bio-8443-exec-3]: importLDIFS(): ldif file > = /usr/share/pki/ca/conf/vlvtasks.ldif > > [23/Mar/2016:17:56:46][http-bio-8443-exec-3]: importLDIFS(): ldif file > copy to /var/lib/pki/pki-tomcat/ca/conf/vlvtasks.ldif > > [23/Mar/2016:17:56:46][http-bio-8443-exec-3]: Checking wait_dn > cn=index1160589769, cn=index, 
cn=tasks, cn=config > > [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: Found data for 'sslserver' > > [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: > SystemConfigService:processCerts(): san_server_cert not found for tag > sslserver > > [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: caType is > local > > [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: caType is > remote (revised) > > [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: NamePanel: > updateConfig() for certTag sslserver > > [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: updateConfig() done > > [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: remote CA > > [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertRequestPanel: got > public key > > [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertRequestPanel: got > private key > > [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: NamePanel: For this > Cloned CA, always use its Master CA to generate the 'sslserver' > certificate to avoid any changes which may have been made to the X500Name directory string encoding order. 
> > [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: ConfigurationUtils: > injectSAN=false > > [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertUtil > createRemoteCert: content > requestor_name=CA-pt-idm-vm01.example.com-8443&profileId=caInternalAut > hServerCert&cert_request_type=pkcs10&cert_request=MIICmzCCAYxxxxxxxxxx > xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx > xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx > xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx > xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx > xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx > xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxrD6JPIBR7AA%3D&xmlOutput=true&s > essionID=-4495713718673639316 > > [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: CertUtil > createRemoteCert: status=0 > > [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: CertUtil createRemoteCert: > MIIDxTCCAq2gxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx > xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx > xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx > xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx > xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx > xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxTDuSAWm2v7 > > [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: ConfigurationUtils: > handleCertRequest() begins > > [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCertRequest: > tag=sslserver > > [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: > privKeyID=29c021f3ccfafb1049bd33ce00e9b4ba35f2c1e7 > > [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCertRequest: > created cert request > > [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Processing 'sslserver' certificate: > > [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): for cert > tag 'sslserver' using cert type 'remote' > > 
[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): process > remote...import cert > > [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: deleteCert: > nickname=Server-Cert cert-pki-ca > > [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: deleteCert: cert deleted > successfully > > [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): > certchains length=2 > > [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): import > certificate successfully, certTag=sslserver > > [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Processed 'sslserver' certificate. > > [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === BackupKeyCert > Panel/SavePKCS12 Panel === > > [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: backupKeys(): start > > [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === Admin Panel === > > [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === Done Panel === > > [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Updating existing > security domain > > [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: isSDHostDomainMaster(): > Getting domain.xml from CA... > > [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: getDomainXML start > > [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: getDomainXML: status=0 > > [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: getDomainXML: > domainInfo= standalone="no"?>IPAptipa1. > example.com443443 cureAgentPort>443 hPort>44380 e>FALSEpki-cadTR > UE1 PList>0 Count>00 Count>0 PSList>0 > > [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: Cloning a domain master > > [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase > updateDomainXML start hostname=ptipa1.example.com port=443 > > [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateSecurityDomain: > failed to update security domain using admin port 443: > org.xml.sax.SAXParseException; > lineNumber: 1; columnNumber: 50; White spaces are required between > publicId and systemId.
> > [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateSecurityDomain: > now trying agent port with client auth > > [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase > updateDomainXML start hostname=ptipa1.example.com port=443 > > [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateDomainXML() > nickname=subsystemCert cert-pki-ca > > [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML: > status=1 > > [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: Error while updating > security > domain: java.io.IOException: 2 > > [23/Mar/2016:23:44:52][http-bio-8080-exec-1]: according to ccMode, > authorization for servlet: caProfileList is LDAP based, not XML {1}, use default authz mgr: {2}. > > /var/log/pki/pki-tomcat/ca/system > > 0.localhost-startStop-1 - [23/Mar/2016:17:55:24 EDT] [3] [3] Cannot > build CA chain. Error java.security.cert.CertificateException: > Certificate is not a PKCS > #11 certificate > > 0.localhost-startStop-1 - [23/Mar/2016:17:55:24 EDT] [13] [3] authz > instance DirAclAuthz initialization failed and skipped, error=Property > internaldb.ldapconn.port missing value > > *Dennis M Ott* > Infrastructure Administrator > Infrastructure and Security Operations > > *McKesson Corporation > McKesson Pharmacy Systems and Automation* www.mckesson.com > > > > -- Petr Vobornik

From michael at sykosoft.com Thu Mar 31 22:22:05 2016
From: michael at sykosoft.com (Michael S. Moody)
Date: Thu, 31 Mar 2016 18:22:05 -0400
Subject: [Freeipa-users] FreeIPA Deployment Proposal (request for recommendations)
Message-ID:

Hello FreeIPA Devs/Mailing List,

We use FreeIPA to great success in several places, but we want to roll it out for us. Thus, we want to ask about best practices for the type of deployment we're planning. First, FreeIPA is truly awesome, and the glue that holds all these pieces together is really a phenomenal achievement.

We want to set up our FreeIPA deployment according to best practices.
As it stands today, we want to implement FreeIPA to take over the authentication duties and DNS duties of an infrastructure which we are in the process of rebuilding from scratch, so we're not worried about retroactively making things work on older systems. This is an important point for us, basically consider that we're doing everything from scratch, and re-basing off of CentOS 7. (Apologies in advance for the wall-of-text).

Who we are:

We are a Managed Services Provider with multiple clients, and manage our clients' systems end-to-end. This enables us to have full control over the infrastructure.

Topology:

We currently have 3 (where we'll place FreeIPA at least) datacenter facilities in the USA, and are bringing a 4th DC online in the EU shortly. These datacenters are protected via enterprise-grade hardware firewalls, and we have VPNs across the DCs to allow our various infrastructure pieces to communicate on internal subnets vs across the public WAN. Additionally, we advertise our own IP addresses via BGP. We also have (bind-based) DNS in each DC, but primarily for external purposes.

Private:
US-EAST: 172.29.0.0/19
US-WEST: 172.29.32.0/19
US-SOUTH: 172.29.64.0/19
EU-WEST: 172.29.96.0/19

Public:
US-EAST: 1.1.1.0/24
US-WEST: 1.1.2.0/24
US-SOUTH: 1.1.3.0/24
EU-WEST: 1.1.4.0/24

Goals:

1. We want to have centralized authentication for our entire infrastructure.
2. We want the authentication to be highly available (FreeIPA replicas)
3. We want to have a drastically improved DNS system that handles both external (domain names) and internal (systems).
4. We want that DNS system to also be highly available (FreeIPA replicas with bind-ldap as the backend seems to be the best way)
5. We want to use our own SSL certificates if at all possible (wildcard certificates, letsencrypt, etc)
6. We would like to be multi-tenant with domains/realms/whatever so that CLIENT1 can have their authentication of their systems centralized through our FreeIPA. Similar for CLIENT2, CLIENT3, etc. The clients don't care, so how this is set up is up to us/best practices.
7. As part of the multi-tenancy, we don't want all users to be able to see all users. To be more clear, we want to have 1 FreeIPA infrastructure that can use our domain (let's call it GREATMSP.COM), and have systems for CLIENT1 as part of CLIENT1.GREATMSP.COM or whatever the best way is. We also want where if they login to FreeIPA, they'll only see their users/systems.
8. If we use GREATMSP.COM as the domain, we of course want to still have all of our normal DNS records (MX, NS, etc, etc). We're perfectly good with (and prefer) using the more robust FreeIPA as nameservers for our root domain name.
9. We would like users to be able to self manage (FreeIPA web ui)
10. We plan to have at least 2 x FreeIPA servers in each DC, with the more likely scenario being 4 x in each DC.
11. We want to use DNSSEC wherever possible. Because security.
12. Ideally, can we use the FreeIPA servers as NTP servers?

Questions:

1. What services/ports can we safely expose to the outside world, and what services/ports NEED to be exposed to the outside world for this to work effectively with systems in multiple DCs?
2. As part of the above, should authentication only be done across the VPN?
3. Can we safely use our main domain name (GREATMSP.COM) as the domain for FreeIPA? As part of this, we have say, TICKETING.GREATMSP.COM (a web app which will remain the same), and for systems, we might have SSH01.US-EAST.PRODUCTION.GREATMSP.COM (or perhaps SSH01.DC.US-EAST.PRODUCTION.GREATMSP.COM for the internal, and SSH01.US-EAST.PRODUCTION.GREATMSP.COM for the external).
4. Can we use this as a more generalized DNS system for other customer domains as opposed to our current bind system? If so, is it as simple as registering all of the FreeIPA servers (replicas) as NS servers with the registrar?
5. Since we want to be effectively multi-tenant, can we make it so that all authentication from the CLIENT1 infrastructure uses external addresses vs us needing to open holes into our FreeIPA infrastructure via VPN? How safe is/can this be?
6. We see some notes about CA-Less being somewhat broken. Is this true?

(Things we don't really need/want to do):

1. Have each Client have their own SSL certs (complete non issue)

Things we don't know we don't know:

1. Robustness?
2. Security?
3. Performance?
4. Anything else we haven't thought of?

Any help you can provide would be wonderful. We have attached a proposed diagram of what we're thinking of trying to accomplish.

Thanks in advance,
Michael

-------------- next part --------------
A non-text attachment was scrubbed...
Name: FreeIPA Proposal.png
Type: image/png
Size: 1794929 bytes
Desc: not available