[Freeipa-users] Multiple issues (weblogin, DNS) with 4.3.1

Tomasz Torcz tomek at pipebreaker.pl
Fri May 27 12:28:48 UTC 2016


  In my home environment I'm using a two-server FreeIPA configuration on Fedora.
Initially installed on Fedora 19 in November 2013, it has been upgraded with every
Fedora release. It generally works OK, but somewhat degrades during operation.
Recently I've jumped to F24 in the hope my problems would be resolved, but they weren't.
Thus this email and plea for assistance.

  In the meantime there was a problem with expired certificates, but it was solved
with the help of rcrit on IRC.

  I'm using freeipa-server-4.3.1-1.fc24.x86_64. One of the servers is called
kaitain.pipebreaker.pl, the other okda.pipebreaker.pl.

  Currently I encounter the following main problems:
1) named is not servicing all the records from LDAP
2) can't login to WebUI on kaitain.pipebreaker.pl
3) can't login to WebUI on okda.pipebreaker.pl
4) pycparser.lextab/lextab.py/yacctab.py permission errors

  More details:
ad 1) named problems
  Recently I've added a new AAAA host entry to my zone (.pipebreaker.pl). It is
 visible in the CLI, but named doesn't resolve it:

$ ipa dnsrecord-find pipebreaker.pl microstation 
  Record name: microstation
  AAAA record: 2001:6a0:200:d1::2
Number of entries returned 1

$ host microstation ; host microstation.pipebreaker.pl
Host microstation not found: 3(NXDOMAIN)
Host microstation.pipebreaker.pl not found: 3(NXDOMAIN)

  Entries added previously resolve fine.  I see no errors reported
 in named-pkcs11.service logs.

ad 2) can't login to webui at kaitain
  When I open the WebUI while having a valid ticket, I'm shown my user page,
i.e. https://kaitain.pipebreaker.pl/ipa/ui/#/e/user/details/zdzichu is opened.
  But when I logout from WebUI and try to login as admin, I receive:
 The password or username you entered is incorrect.
  The password is certainly correct, I can use it for 'kinit admin' successfully. 
 /var/log/httpd/error log contains:

[Fri May 27 14:17:37.104341 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28] mod_wsgi (pid=1882): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Fri May 27 14:17:37.106932 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28] Traceback (most recent call last):
[Fri May 27 14:17:37.106985 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28]   File "/usr/share/ipa/wsgi.py", line 63, in application
[Fri May 27 14:17:37.107436 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28]     return api.Backend.wsgi_dispatch(environ, start_response)
[Fri May 27 14:17:37.107461 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 261, in __call__
[Fri May 27 14:17:37.107769 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28]     return self.route(environ, start_response)
[Fri May 27 14:17:37.107786 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 273, in route
[Fri May 27 14:17:37.107808 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28]     return app(environ, start_response)
[Fri May 27 14:17:37.107829 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 943, in __call__
[Fri May 27 14:17:37.107848 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28]     self.kinit(user, self.api.env.realm, password, ipa_ccache_name)
[Fri May 27 14:17:37.107887 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 965, in kinit
[Fri May 27 14:17:37.107918 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28]     raise CCacheError(message=unicode(e))
[Fri May 27 14:17:37.136615 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28] CCacheError: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529639107): No credentials cache found

  What cache is it talking about?  How can I refresh it?


ad 3) cannot login to webui on okda
  When I go to https://okda.pipebreaker.pl/ipa/ui/ (the other server), I see a "Loading…" screen
 for a couple of seconds, and afterwards a "Gateway timeout" message. Everything
 seems to be running on this server:

root@okda ~$ ipactl status
WARNING: yacc table file version is out of date
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

 There are no logs generated in httpd's error_log during login.
 There are some problems in system log:
May 27 14:25:48 okda.pipebreaker.pl server[2364]: May 27, 2016 2:25:48 PM org.apache.catalina.core.ContainerBase backgroundProcess
May 27 14:25:48 okda.pipebreaker.pl server[2364]: WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@5ad7c518 background process
May 27 14:25:48 okda.pipebreaker.pl server[2364]: java.lang.NullPointerException
May 27 14:25:48 okda.pipebreaker.pl server[2364]: 	at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:109)
May 27 14:25:48 okda.pipebreaker.pl server[2364]: 	at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1127)
May 27 14:25:48 okda.pipebreaker.pl server[2364]: 	at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5642)
May 27 14:25:48 okda.pipebreaker.pl server[2364]: 	at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1377)
May 27 14:25:48 okda.pipebreaker.pl server[2364]: 	at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1381)
May 27 14:25:48 okda.pipebreaker.pl server[2364]: 	at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1381)
May 27 14:25:48 okda.pipebreaker.pl server[2364]: 	at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1349)
May 27 14:25:48 okda.pipebreaker.pl server[2364]: 	at java.lang.Thread.run(Thread.java:745)

  As you can see, those logs do not contain any clue as to what is wrong.


ad 4) pycparser.lextab/lextab.py/yacctab.py permission errors
  I observe the following errors in dnskeysyncd logs:

May 27 14:08:29 kaitain.pipebreaker.pl ipa-dnskeysyncd[22469]: WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13] Permission denied: 'lextab.py'
May 27 14:08:29 kaitain.pipebreaker.pl ipa-dnskeysyncd[22469]: WARNING: yacc table file version is out of date
May 27 14:08:29 kaitain.pipebreaker.pl ipa-dnskeysyncd[22469]: WARNING: Couldn't create 'pycparser.yacctab'. [Errno 13] Permission denied: 'yacctab.py'

  Also a (related?) error during 'ipactl' invocations:
$ ipactl status
WARNING: yacc table file version is out of date

  Warnings appear even after switching SELinux to permissive.

  Please help me with resolving those problems.  What logs should I provide?
I see no similar issues described at http://www.freeipa.org/page/Troubleshooting

Tomasz Torcz              ,,If you try to upissue this patchset I shall be seeking
xmpp: zdzichubg at chrome.pl   an IP-routable hand grenade.'' -- Andrew Morton (LKML)
