[Freeipa-users] Failed to start pki-tomcatd Service

Alexandre Ellert ellertalexandre at gmail.com
Mon Jul 20 16:59:45 UTC 2015


> On 20 Jul 2015, at 17:58, Petr Vobornik <pvoborni at redhat.com> wrote:
> 
> On 07/20/2015 05:17 PM, Alexander Bokovoy wrote:
>> On Mon, 20 Jul 2015, Alexandre Ellert wrote:
>>> 
>>>> Can you please show output from
>>>> fgrep -r 'dc' /etc/dirsrv/slapd-INSTANCE/schema
>>> 
>>> # fgrep -r 'dc' /etc/dirsrv/slapd-NUMEEZY-FR/schema
>> 
>> This is original 'dc' definition:
>>> /etc/dirsrv/slapd-NUMEEZY-FR/schema/00core.ldif:attributeTypes: (
>>> 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>> 
>> This is the offending one:
>>> /etc/dirsrv/slapd-NUMEEZY-FR/schema/99user.ldif:attributeTypes: (
>>> 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D
>> 
>>> In 00core.ldif, I have :
>>> attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc'
>>> 'domaincomponent' )
>>> EQUALITY caseIgnoreIA5Match
>>> SUBSTR caseIgnoreIA5SubstringsMatch
>>> SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
>>> SINGLE-VALUE
>>> X-ORIGIN 'RFC 4519'
>>> X-DEPRECATED 'domaincomponent' )
>> If you look into 99user.ldif, you'll see the wrong definition there.
>> 
>> 99user.ldif accumulates definitions coming from replication or updates.
>> You can check other IPA masters, do they have 'dc' attribute defined in
>> a wrong way?
>> 
>>> As far as I remember, the only modification I made was to disable
>>> read-only access without authentication.  I don’t need any other
>>> special customization.
>> Something brought the wrong definition into your IPA masters.
>> May be someone tried to add support for some old application?
>> 
> 
> Probably caused by migration from 6.6 to 7.x. See https://bugzilla.redhat.com/show_bug.cgi?id=1220788 Usually it doesn't cause any issue but looks scary.

I confirm this was a migration from CentOS 6.6 to 7.1. Everything else worked just fine following the Red Hat migration procedure (https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html)

> 
> I'd try to isolate entries from DS, CA, maybe also krb5kdc logs around the time the following CA error happened (could be new start).
> 
> [30/Jun/2015:10:02:14][localhost-startStop-1]: CMS:Caught EBaseException
> Internal Database Error encountered: Could not connect to LDAP server host ipa.mydomain.org

I restarted IPA:

/var/log/pki/pki-tomcat/ca/debug:
[20/Jul/2015:18:12:17][localhost-startStop-1]: CMS:Caught EBaseException

/var/log/krb5kdc.log:
otp: Loaded
Jul 20 18:11:47 inf-ipa-2.numeezy.fr krb5kdc[16635](Error): preauth pkinit failed to initialize: No realms configured correctly for pkinit support
Jul 20 18:11:47 inf-ipa-2.numeezy.fr krb5kdc[16635](info): setting up network...
Jul 20 18:11:47 inf-ipa-2.numeezy.fr krb5kdc[16635](info): listening on fd 8: udp 0.0.0.0.88 (pktinfo)
krb5kdc: setsockopt(9,IPV6_V6ONLY,1) worked
krb5kdc: Invalid argument - Cannot request packet info for udp socket address :: port 88
Jul 20 18:11:47 inf-ipa-2.numeezy.fr krb5kdc[16635](info): skipping unrecognized local address family 17
Jul 20 18:11:47 inf-ipa-2.numeezy.fr krb5kdc[16635](info): skipping unrecognized local address family 17
krb5kdc: setsockopt(9,IPV6_V6ONLY,1) worked
Jul 20 18:11:47 inf-ipa-2.numeezy.fr krb5kdc[16635](info): listening on fd 9: udp fe80::250:56ff:fe93:357e%ens160.88
krb5kdc: setsockopt(10,IPV6_V6ONLY,1) worked
Jul 20 18:11:47 inf-ipa-2.numeezy.fr krb5kdc[16635](info): listening on fd 11: tcp 0.0.0.0.88
Jul 20 18:11:47 inf-ipa-2.numeezy.fr krb5kdc[16635](info): listening on fd 10: tcp ::.88
Jul 20 18:11:47 inf-ipa-2.numeezy.fr krb5kdc[16635](info): set up 4 sockets
Jul 20 18:11:47 inf-ipa-2.numeezy.fr krb5kdc[16636](info): commencing operation
Jul 20 18:11:48 inf-ipa-2.numeezy.fr krb5kdc[16636](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 37.59.203.176: NEEDED_PREAUTH: host/inf-ipa-2.numeezy.fr@NUMEEZY.FR for krbtgt/NUMEEZY.FR@NUMEEZY.FR, Additional pre-authentication required
Jul 20 18:11:48 inf-ipa-2.numeezy.fr krb5kdc[16636](info): closing down fd 12
Jul 20 18:11:48 inf-ipa-2.numeezy.fr krb5kdc[16636](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 37.59.203.176: ISSUE: authtime 1437408708, etypes {rep=18 tkt=18 ses=18}, host/inf-ipa-2.numeezy.fr@NUMEEZY.FR for krbtgt/NUMEEZY.FR@NUMEEZY.FR
Jul 20 18:11:48 inf-ipa-2.numeezy.fr krb5kdc[16636](info): closing down fd 12
Jul 20 18:11:48 inf-ipa-2.numeezy.fr krb5kdc[16636](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 37.59.203.176: ISSUE: authtime 1437408708, etypes {rep=18 tkt=18 ses=18}, host/inf-ipa-2.numeezy.fr@NUMEEZY.FR for ldap/inf-ipa-2.numeezy.fr@NUMEEZY.FR
Jul 20 18:11:48 inf-ipa-2.numeezy.fr krb5kdc[16636](info): closing down fd 12
Jul 20 18:11:48 inf-ipa-2.numeezy.fr krb5kdc[16636](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 37.59.203.176: NEEDED_PREAUTH: DNS/inf-ipa-2.numeezy.fr@NUMEEZY.FR for krbtgt/NUMEEZY.FR@NUMEEZY.FR, Additional pre-authentication required
Jul 20 18:11:48 inf-ipa-2.numeezy.fr krb5kdc[16636](info): closing down fd 12
Jul 20 18:11:48 inf-ipa-2.numeezy.fr krb5kdc[16636](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 37.59.203.176: ISSUE: authtime 1437408708, etypes {rep=18 tkt=18 ses=18}, DNS/inf-ipa-2.numeezy.fr@NUMEEZY.FR for krbtgt/NUMEEZY.FR@NUMEEZY.FR
Jul 20 18:11:48 inf-ipa-2.numeezy.fr krb5kdc[16636](info): closing down fd 12
Jul 20 18:11:48 inf-ipa-2.numeezy.fr krb5kdc[16636](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 37.59.203.176: ISSUE: authtime 1437408708, etypes {rep=18 tkt=18 ses=18}, DNS/inf-ipa-2.numeezy.fr@NUMEEZY.FR for ldap/inf-ipa-2.numeezy.fr@NUMEEZY.FR
Jul 20 18:11:48 inf-ipa-2.numeezy.fr krb5kdc[16636](info): closing down fd 12
Jul 20 18:11:49 inf-ipa-2.numeezy.fr krb5kdc[16636](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 37.59.203.176: NEEDED_PREAUTH: ldap/inf-ipa-2.numeezy.fr@NUMEEZY.FR for krbtgt/NUMEEZY.FR@NUMEEZY.FR, Additional pre-authentication required
Jul 20 18:11:49 inf-ipa-2.numeezy.fr krb5kdc[16636](info): closing down fd 12
Jul 20 18:11:49 inf-ipa-2.numeezy.fr krb5kdc[16636](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 37.59.203.176: ISSUE: authtime 1437408709, etypes {rep=18 tkt=18 ses=18}, ldap/inf-ipa-2.numeezy.fr@NUMEEZY.FR for krbtgt/NUMEEZY.FR@NUMEEZY.FR
Jul 20 18:11:49 inf-ipa-2.numeezy.fr krb5kdc[16636](info): closing down fd 12
Jul 20 18:11:49 inf-ipa-2.numeezy.fr krb5kdc[16636](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 37.59.203.176: ISSUE: authtime 1437408709, etypes {rep=18 tkt=18 ses=18}, ldap/inf-ipa-2.numeezy.fr@NUMEEZY.FR for ldap/inf-ipa.numeezy.fr@NUMEEZY.FR
Jul 20 18:11:49 inf-ipa-2.numeezy.fr krb5kdc[16636](info): closing down fd 12
Jul 20 18:13:00 inf-ipa-2.numeezy.fr krb5kdc[16636](info): TGS_REQ (4 etypes {18 17 16 23}) 188.165.154.171: ISSUE: authtime 1437408779, etypes {rep=18 tkt=18 ses=18}, host/mut-web-2.numeezy.fr@NUMEEZY.FR for ldap/inf-ipa.numeezy.fr@NUMEEZY.FR
Jul 20 18:17:02 inf-ipa-2.numeezy.fr krb5kdc[16636](info): TGS_REQ (4 etypes {18 17 16 23}) 37.59.203.170: ISSUE: authtime 1437409022, etypes {rep=18 tkt=18 ses=18}, host/ded-web-8.numeezy.fr@NUMEEZY.FR for ldap/inf-ipa.numeezy.fr@NUMEEZY.FR
Jul 20 18:17:05 inf-ipa-2.numeezy.fr krb5kdc[16636](info): preauth (encrypted_timestamp) verify failure: Decrypt integrity check failed
Jul 20 18:17:05 inf-ipa-2.numeezy.fr krb5kdc[16636](info): AS_REQ (4 etypes {18 17 16 23}) 188.165.154.171: PREAUTH_FAILED: admin@NUMEEZY.FR for krbtgt/NUMEEZY.FR@NUMEEZY.FR, Decrypt integrity check failed

Thanks for your investigation.


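The check suggested earlier in the thread (compare the 'dc' definition in 00core.ldif with the copy that 99user.ldif has accumulated, then repeat the comparison on every IPA master) can be scripted rather than eyeballed with fgrep. The script below is an added example and is not code from this thread, from FreeIPA or from 389-ds. It unfolds LDIF continuation lines, indexes every attributeTypes/objectClasses definition by OID, and reports any OID that is defined in more than one schema file or with differing text, plus any NAME that is bound to two different OIDs. The two schema snippets embedded in it are constructed to mimic the situation in the thread (the same OID 0.9.2342.19200300.100.1.25 for 'dc' in both 00core.ldif and 99user.ldif, with a differing body); they are not the real file contents, and the schema directory path taken from the command line is an assumption.

```python
"""Report attribute/objectClass definitions that appear more than once across
389-ds schema files (e.g. /etc/dirsrv/slapd-INSTANCE/schema/*.ldif)."""
import re
import sys
from collections import defaultdict
from pathlib import Path

# Constructed sample schema files (NOT the real contents of the instance in the thread).
# Both files define OID 0.9.2342.19200300.100.1.25 ('dc'), with different bodies.
SAMPLE_SCHEMA = {
    "00core.ldif": (
        "dn: cn=schema\n"
        "attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )\n"
        "  EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch\n"
        "  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'RFC 4519'\n"
        "  X-DEPRECATED 'domaincomponent' )\n"
        "attributeTypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name X-ORIGIN 'RFC 4519' )\n"
    ),
    "99user.ldif": (
        "dn: cn=schema\n"
        "attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )\n"
        "  EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26\n"
        "  SINGLE-VALUE X-ORIGIN 'user defined' )\n"
        "attributeTypes: ( 1.2.3.4.5.6.7.8.9.1 NAME 'exampleLegacyId'\n"
        "  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )\n"
    ),
}

# "( <oid> NAME 'x'" or "( <oid> NAME ( 'x' 'y' )" at the start of a definition.
OID_RE = re.compile(r"^\(\s*([0-9.]+)\s+NAME\s+(\(\s*(?:'[^']*'\s*)+\)|'[^']*')", re.I)
KINDS = ("attributeTypes", "objectClasses")


def unfold_ldif(text):
    """Join LDIF continuation lines: a line starting with one space continues the previous one."""
    records = []
    for line in text.splitlines():
        if line.startswith(" ") and records:
            records[-1] += line[1:]
        else:
            records.append(line)
    return records


def parse_schema(text):
    """Return [(kind, oid, names, definition)] for each attributeTypes:/objectClasses: record."""
    out = []
    for rec in unfold_ldif(text):
        for kind in KINDS:
            prefix = kind.lower() + ":"
            if not rec.lower().startswith(prefix):
                continue
            definition = " ".join(rec[len(prefix):].split())  # normalise whitespace
            m = OID_RE.match(definition)
            if m:
                names = tuple(n.lower() for n in re.findall(r"'([^']*)'", m.group(2)))
                out.append((kind, m.group(1), names, definition))
    return out


def find_conflicts(files):
    """files: {filename: ldif text}. Return {oid: [(file, kind, names, definition), ...]}
    for every OID defined in more than one file or with more than one distinct body."""
    by_oid = defaultdict(list)
    for fname, text in files.items():
        for kind, oid, names, definition in parse_schema(text):
            by_oid[oid].append((fname, kind, names, definition))
    return {oid: defs for oid, defs in by_oid.items()
            if len({d[0] for d in defs}) > 1 or len({d[3] for d in defs}) > 1}


def find_name_clashes(files):
    """Return {name: {oid, ...}} for every NAME bound to more than one OID."""
    by_name = defaultdict(set)
    for text in files.values():
        for _kind, oid, names, _definition in parse_schema(text):
            for name in names:
                by_name[name].add(oid)
    return {name: oids for name, oids in by_name.items() if len(oids) > 1}


def load_schema_dir(path):
    """Read every *.ldif in a 389-ds schema directory into {filename: text}."""
    return {p.name: p.read_text(errors="replace") for p in sorted(Path(path).glob("*.ldif"))}


if __name__ == "__main__":
    # Usage (assumed): python3 schema_conflicts.py /etc/dirsrv/slapd-INSTANCE/schema
    files = load_schema_dir(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SCHEMA
    for oid, defs in find_conflicts(files).items():
        print(f"OID {oid} is defined {len(defs)} times:")
        for fname, kind, names, definition in defs:
            print(f"  {fname}: {kind} {'/'.join(names)}: {definition}")
    for name, oids in find_name_clashes(files).items():
        print(f"NAME '{name}' maps to several OIDs: {', '.join(sorted(oids))}")
```

Run it on each master (the thread's advice) and diff the output between hosts: because 99user.ldif is populated by replicated and update-driven schema changes, a definition that shows up there on one master and not on the others tells you where the stray definition entered the topology.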