[Freeipa-users] ipa host-del

george he george_he7 at yahoo.com
Wed Sep 5 13:41:40 UTC 2012


There are some like these:

type=AVC msg=audit(1346710042.243:56): avc:  denied  { execute } for  pid=4243 comm="gdm" name="arch" dev=dm-0 ino=786829 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1346710042.243:57): avc:  denied  { execute } for  pid=4243 comm="gdm" name="arch" dev=dm-0 ino=786829 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file


and some others like these:
type=AVC msg=audit(1346838993.154:2567): avc:  denied  { search } for  pid=17155 comm="java" name="gridengine" dev=dm-0 ino=391879 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1346838993.154:2568): avc:  denied  { search } for  pid=17155 comm="java" name="gridengine" dev=dm-0 ino=391879 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir


And yes, I did yum update recently.
Where else should I look?
Thanks,
George



>________________________________
> From: Rob Crittenden <rcritten at redhat.com>
>To: george he <george_he7 at yahoo.com> 
>Cc: Ade Lee <alee at redhat.com>; "freeipa-users at redhat.com" <freeipa-users at redhat.com> 
>Sent: Wednesday, September 5, 2012 8:40 AM
>Subject: Re: [Freeipa-users] ipa host-del
> 
>george he wrote:
>> here are the new errors:
>> # rm /var/log/pki-ca/*
>> # service dirsrv restart
>> # service pki-cad restart
>> # grep -i error /var/log/pki-ca/*
>> /var/log/pki-ca/catalina.2012-09-05.log:WARNING: Error while removing
>> context [/ca]
>> /var/log/pki-ca/catalina.2012-09-05.log:SEVERE: Error initializing
>> socket factory
>> /var/log/pki-ca/catalina.2012-09-05.log:java.lang.ClassNotFoundException: Error
>> loading SSL Implementation
>> org.apache.tomcat.util.net.jss.JSSImplementation
>> :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
>> /var/log/pki-ca/catalina.2012-09-05.log:LifecycleException:  Protocol
>> handler initialization failed: java.lang.ClassNotFoundException: Error
>> loading SSL Implementation
>> org.apache.tomcat.util.net.jss.JSSImplementation
>> :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
>> /var/log/pki-ca/catalina.2012-09-05.log:SEVERE: Error deploying web
>> application directory ca
>> /var/log/pki-ca/catalina.out:SEVERE: Error initializing socket factory
>> /var/log/pki-ca/catalina.out:java.lang.ClassNotFoundException: Error
>> loading SSL Implementation
>> org.apache.tomcat.util.net.jss.JSSImplementation
>> :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
>> /var/log/pki-ca/catalina.out:LifecycleException:  Protocol handler
>> initialization failed: java.lang.ClassNotFoundException: Error loading
>> SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation
>> :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
>> /var/log/pki-ca/catalina.out:SEVERE: Error deploying web application
>> directory ca
>> /var/log/pki-ca/catalina.out:SEVERE: Error initializing socket factory
>> /var/log/pki-ca/catalina.out:java.lang.ClassNotFoundException: Error
>> loading SSL Implementation
>> org.apache.tomcat.util.net.jss.JSSImplementation
>> :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
>> /var/log/pki-ca/catalina.out:LifecycleException:  Protocol handler
>> initialization failed: java.lang.ClassNotFoundException: Error loading
>> SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation
>> :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
>
>Hmm. Is there any additional information in the debug log? Any AVCs in 
>/var/log/audit/audit.log?
>
>Have you updated any packages recently? I'm not sure why dogtag would be 
>throwing this exception.
>
>rob
>
>>
>>     ------------------------------------------------------------------------
>>     *From:* Rob Crittenden <rcritten at redhat.com>
>>     *To:* george he <george_he7 at yahoo.com>
>>     *Cc:* John Dennis <jdennis at redhat.com>; "freeipa-users at redhat.com"
>>     <freeipa-users at redhat.com>
>>     *Sent:* Tuesday, September 4, 2012 9:49 PM
>>     *Subject:* Re: [Freeipa-users] ipa host-del
>>
>>     george he wrote:
>>      > both of the commands "service dirsrv restart" and "service pki-cad
>>      > restart" reported:
>>      > stopping ... OK
>>      > starting ... OK
>>      > but host-del still has the same error.
>>      > More suggestions?
>>
>>     Check the logs again. The service starting does not mean it kept
>>     running.
>>
>>     rob
>>
>>      > Thanks,
>>      > George
>>      >
>>      >
>>     ------------------------------------------------------------------------
>>      >    *From:* Rob Crittenden <rcritten at redhat.com>
>>      >    *To:* george he <george_he7 at yahoo.com>
>>      >    *Cc:* John Dennis <jdennis at redhat.com>; "freeipa-users at redhat.com"
>>      >    <freeipa-users at redhat.com>
>>      >    *Sent:* Tuesday, September 4, 2012 4:20 PM
>>      >    *Subject:* Re: [Freeipa-users] ipa host-del
>>      >
>>      >    george he wrote:
>>      >      > I'm running centos 6.3
>>      >      > # uname -r
>>      >      > 2.6.32-279.5.2.el6.x86_64
>>      >     >
>>      >      > pki-ca: unrecognized service
>>      >      >
>>      >      > There are tons of errors in /var/log/pki-ca/*, some of
>>     them are:
>>      >      > /var/log/pki-ca/system:11605.main - [30/Aug/2012:16:34:56 EDT]
>>      >    [3] [3]
>>      >      > Cannot build CA chain. Error
>>     java.security.cert.CertificateException:
>>      >      > Certificate is not a PKCS #11 certificate
>>      >      > /var/log/pki-ca/system:11605.main - [30/Aug/2012:16:34:56 EDT]
>>      >    [13] [3]
>>      >      > authz instance DirAclAuthz initialization failed and skipped,
>>      >      > error=Property internaldb.ldapconn.port missing value
>>      >      > /var/log/pki-ca/system:11605.http-9445-1 -
>>     [30/Aug/2012:16:35:01 EDT]
>>      >      > [3] [3] Cannot build CA chain. Error
>>      >      > java.security.cert.CertificateException: Certificate is not a
>>      >    PKCS #11
>>      >      > certificate
>>      >      > /var/log/pki-ca/system:11605.http-9445-1 -
>>     [30/Aug/2012:16:35:10 EDT]
>>      >      > [3] [3] CASigningUnit: Object certificate not found. Error
>>      >      > org.mozilla.jss.crypto.ObjectNotFoundException
>>      >      > /var/log/pki-ca/system:3281.main - [31/Aug/2012:17:54:28
>>     EDT] [8]
>>      >    [3] In
>>      >      > Ldap (bound) connection pool to host
>>     cushing.psych.yale.edu port
>>      >    7389,
>>      >      > Cannot connect to LDAP server. Error:
>>     netscape.ldap.LDAPException:
>>      >      > failed to connect to server
>>     ldap://cushing.psych.yale.edu:7389 (91)
>>      > >
>>      >      > /var/log/pki-ca/catalina.2012-09-03.log:SEVERE: Error
>>     initializing
>>      >      > socket factory
>>      >      >
>>      >
>>     /var/log/pki-ca/catalina.2012-09-03.log:java.lang.ClassNotFoundException:
>>      >    Error
>>      >      > loading SSL Implementation
>>      >      > org.apache.tomcat.util.net.jss.JSSImplementation
>>      >      > :java.lang.ClassNotFoundException:
>>     org.mozilla.jss.ssl.SSLSocket
>>      >      >
>>     /var/log/pki-ca/catalina.2012-09-03.log:LifecycleException:  Protocol
>>      >      > handler initialization failed:
>>     java.lang.ClassNotFoundException:
>>      >    Error
>>      >      > loading SSL Implementation
>>      >      > org.apache.tomcat.util.net.jss.JSSImplementation
>>      >      > :java.lang.ClassNotFoundException:
>>     org.mozilla.jss.ssl.SSLSocket
>>      >      > /var/log/pki-ca/catalina.2012-09-03.log:SEVERE: Error
>>     deploying web
>>      >      > application directory ca
>>      >
>>      >    The problem looks to be that the dogtag 389-ds instance is not
>>     started.
>>      >    I'd try: service dirsrv restart PKI-IPA
>>      >
>>      >    Then service pki-cad restart
>>      >
>>      >    rob
>>      >
>>      >
>>      >
>>      >
>>
>>
>>
>
>
>
>
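An added example, not part of the original thread: one way to answer the "Any AVCs in /var/log/audit/audit.log?" question is to parse the denial records and group them by source domain, so denials against the CA process (`pki_ca_t`) stand apart from those of other domains such as `xdm_t`. The sample input is the four AVC lines quoted in the message above; the function names are hypothetical.

```python
import re
from collections import Counter

# The four AVC records quoted in the message above, embedded so this runs offline.
SAMPLE = """\
type=AVC msg=audit(1346710042.243:56): avc:  denied  { execute } for  pid=4243 comm="gdm" name="arch" dev=dm-0 ino=786829 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1346710042.243:57): avc:  denied  { execute } for  pid=4243 comm="gdm" name="arch" dev=dm-0 ino=786829 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1346838993.154:2567): avc:  denied  { search } for  pid=17155 comm="java" name="gridengine" dev=dm-0 ino=391879 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1346838993.154:2568): avc:  denied  { search } for  pid=17155 comm="java" name="gridengine" dev=dm-0 ino=391879 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): '
    r'avc:\s+denied\s+\{ (?P<perms>[^}]*)\} for\s+(?P<rest>.*)')

def selinux_type(context):
    """Return the type field of a user:role:type:level context, or ''."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else ""

def parse_avc(line):
    """Parse one AVC denial line into a dict, or None if it is not one."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": float(m["ts"]), "serial": int(m["serial"]),
           "perms": tuple(m["perms"].split())}
    # Remaining fields are key=value pairs; values may be double-quoted.
    for key, value in re.findall(r'(\w+)=("[^"]*"|\S+)', m["rest"]):
        rec[key] = value.strip('"')
    rec["source_type"] = selinux_type(rec.get("scontext", ""))
    rec["target_type"] = selinux_type(rec.get("tcontext", ""))
    return rec

def summarize(text):
    """Count denials per (source type, comm, perms, target type, class, name)."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, text.splitlines())):
        counts[(rec["source_type"], rec.get("comm", ""), rec["perms"],
                rec["target_type"], rec.get("tclass", ""), rec.get("name", ""))] += 1
    return counts

def denials_for_domain(text, domain):
    """Keep only the denial groups whose source domain matches."""
    return {k: n for k, n in summarize(text).items() if k[0] == domain}

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).items():
        print(n, *key)
```

On a live system the same functions can be fed the contents of /var/log/audit/audit.log in place of `SAMPLE`.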