[Freeipa-users] backing up and starting over...

Robert Story rstory at tislabs.com
Thu Dec 22 13:29:15 UTC 2016 

On Thu, 22 Dec 2016 13:02:18 +0100 Martin wrote:
MB> On 22.12.2016 09:25, Florence Blanc-Renaud wrote:
MB> > On 12/21/2016 10:26 PM, Robert Story wrote:  
MB> >> I'm running a small instance of freeipa on CentOS 7 in our lab, for 
MB> >> about 20
MB> >> machines. Since CentOS 7.3 came out and upgraded from 4.2 to 4.4, things
MB> >> have gotten flaky. e.g. clicking on a user get the spinning 'Working'
MB> >> dialog and can take 3-5 minutes to load the page. But often it will die
MB> >> with 'internal error'.  
MB> 
MB> Could you check in /var/log/httpd/error_log what is it?
MB> Does cli work well? ipa user-find

Yes, cli works, and ldap mostly works, but not always. GUI works
occasionally.

Here's one:


mod_wsgi (pid=6358): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
Traceback (most recent call last):
  File "/usr/share/ipa/wsgi.py", line 49, in application
    return api.Backend.wsgi_dispatch(environ, start_response)
  File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 262, in __call__
    return self.route(environ, start_response)
  File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 274, in route
    return app(environ, start_response)
  File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 833, in __call__
    self.create_context(ccache=ipa_ccache_name)
  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 123, in create_context
    self.Backend.ldap2.connect(ccache=ccache)
  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 205, in create_connection
    client_controls=clientctrls)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1108, in gssapi_bind
    '', auth_tokens, server_controls, client_controls)
  File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
    self.gen.throw(type, value, traceback)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1007, in error_handler
    raise errors.DatabaseError(desc=desc, info=info)
DatabaseError: Server is unwilling to perform: Too many failed logins.

and this:

ipa: INFO: 401 Unauthorized: kinit: Clients credentials have been revoked while getting initial credentials

and

ipa: ERROR: non-public: IOError: request data read error
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 358, in wsgi_execute
    data = read_input(environ)
  File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 195, in read_input
    return environ['wsgi.input'].read(length)
IOError: request data read error
rstory at EXAMPLE: None: IOError

and

AH00163: Apache/2.4.6 (CentOS) mod_auth_gssapi/1.4.0 mod_nss/1.0.14 NSS/3.21 Basic ECC mod_wsgi/3.4 Python/2.7.5 configured -- resuming normal operations
AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
ipa: INFO: *** PROCESS START ***
ipa: INFO: *** PROCESS START ***
ipa: INFO: 401 Unauthorized: kinit: Cannot contact any KDC for realm 'EXAMPLE' while getting initial credentials
[pid 3714]
ipa: INFO: 401 Unauthorized: kinit: Cannot contact any KDC for realm 'EXAMPLE' while getting initial credentials
[pid 3715]
ipa: ERROR: release_ipa_ccache: ccache_name (FILE:/var/run/ipa_memcached/krbcc_3714) != KRB5CCNAME environment variable (/var/run/httpd/ipa/krbcache/krb5ccache)
ipa: INFO: 401 Unauthorized: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Cannot contact any KDC for realm 'EXAMPLE')
mod_wsgi (pid=3714): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
Traceback (most recent call last):
  File "/usr/share/ipa/wsgi.py", line 49, in application
    return api.Backend.wsgi_dispatch(environ, start_response)
  File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 262, in __call__
    return self.route(environ, start_response)
  File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 274, in route
    return app(environ, start_response)
  File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 978, in __call__
    self.kinit(user, self.api.env.realm, password, ipa_ccache_name)
  File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 1010, in kinit
    raise CCacheError(message=unicode(e))
CCacheError: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529639068): Cannot contact any KDC for realm 'EXAMPLE'
AH00170: caught SIGWINCH, shutting down gracefully

and

Script timed out before returning headers: wsgi.py, referer: https://auth-1.example/ipa/ui/
Script timed out before returning headers: wsgi.py, referer: https://auth-1.example/ipa/ui/
Script timed out before returning headers: wsgi.py, referer: https://auth-1.example/ipa/ui/

and

SSL Library Error: -12195 Peer does not recognize and trust the CA that issued your certificate




Robert

-- 
Senior Software Engineer @ Parsons
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20161222/52bb7fca/attachment.sig>

More information about the Freeipa-users mailing list