[Freeipa-users] Multiple issues (weblogin, DNS) with 4.3.1 @ Fedora 24

Petr Spacek pspacek at redhat.com
Mon May 30 11:45:40 UTC 2016


On 27.5.2016 14:28, Tomasz Torcz wrote:
> Hi,
> 
>   In my home environment I'm using a two-server FreeIPA configuration on Fedora.
> Initially installed on Fedora 19 in November 2013, it has been upgraded with every
> Fedora release. It generally works OK, but somewhat degrades during operation.
> Recently I've jumped to F24 in hope my problems will be resolved, but they weren't.
> Thus this email and plea for assistance.
> 
>   In the meantime there was a problem with expired certificates, but it was solved
> with the help of rcrit on IRC.
> 
>   I'm using freeipa-server-4.3.1-1.fc24.x86_64. One of the servers is called
> kaitain.pipebreaker.pl, the other okda.pipebreaker.pl.
> 
>   Currently I encounter the following main problems:
> 1) named is not servicing all the records from LDAP
> 2) can't login to WebUI on kaitain.pipebreaker.pl
> 3) can't login to WebUI on okda.pipebreaker.pl
> 4) pycparser.lextab/lextab.py/yacctab.py permission errors
> 
>   More details:
> -----
> ad 1) named problems
>   Recently I've added a new AAAA host entry to my zone (.pipebreaker.pl). It is
>  visible in CLI, but named doesn't resolve it:
> 
> $ ipa dnsrecord-find pipebreaker.pl microstation 
>   Record name: microstation
>   AAAA record: 2001:6a0:200:d1::2
> ----------------------------
> Number of entries returned 1
> ----------------------------
> 
> $ host microstation ; host microstation.pipebreaker.pl
> Host microstation not found: 3(NXDOMAIN)
> Host microstation.pipebreaker.pl not found: 3(NXDOMAIN)
> 
>   Entries added previously resolve fine.  I see no errors reported
>  in named-pkcs11.service logs.
>   
> -----
> 
> ad 2) can't login to webui at kaitain
>   When I open the WebUI while having a valid ticket, I'm shown my user page,
> i.e. https://kaitain.pipebreaker.pl/ipa/ui/#/e/user/details/zdzichu is opened.
>   But when I logout from WebUI and try to login as admin, I receive:
>  
>  The password or username you entered is incorrect.
>   
>   The password is certainly correct, I can use it for 'kinit admin' successfully. 
>  /var/log/httpd/error log contains:
> 
> [Fri May 27 14:17:37.104341 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28] mod_wsgi (pid=1882): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
> [Fri May 27 14:17:37.106932 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28] Traceback (most recent call last):
> [Fri May 27 14:17:37.106985 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28]   File "/usr/share/ipa/wsgi.py", line 63, in application
> [Fri May 27 14:17:37.107436 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28]     return api.Backend.wsgi_dispatch(environ, start_response)
> [Fri May 27 14:17:37.107461 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 261, in __call__
> [Fri May 27 14:17:37.107769 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28]     return self.route(environ, start_response)
> [Fri May 27 14:17:37.107786 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 273, in route
> [Fri May 27 14:17:37.107808 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28]     return app(environ, start_response)
> [Fri May 27 14:17:37.107829 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 943, in __call__
> [Fri May 27 14:17:37.107848 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28]     self.kinit(user, self.api.env.realm, password, ipa_ccache_name)
> [Fri May 27 14:17:37.107887 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 965, in kinit
> [Fri May 27 14:17:37.107918 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28]     raise CCacheError(message=unicode(e))
> [Fri May 27 14:17:37.136615 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28] CCacheError: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529639107): No credentials cache found
> 
>   What cache is it talking about?  How can I refresh it?
> 
> -----
> 
> 
> ad 3) cannot login to webui on okda
>    
>   When I go to https://okda.pipebreaker.pl/ipa/ui/ (the other server), I see a "Loading…" screen
>  for a couple of seconds, and afterwards a "Gateway timeout" message. Everything
>  seems to be running on this server:
> 
> root@okda ~$ ipactl status
> WARNING: yacc table file version is out of date
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> named Service: RUNNING
> ipa_memcached Service: RUNNING
> httpd Service: RUNNING
> ipa-custodia Service: RUNNING
> pki-tomcatd Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa-dnskeysyncd Service: RUNNING
> ipa: INFO: The ipactl command was successful
> 
>  There are no logs generated in httpd's error_log during login.
>  There are some problems in system log:
> May 27 14:25:48 okda.pipebreaker.pl server[2364]: May 27, 2016 2:25:48 PM org.apache.catalina.core.ContainerBase backgroundProcess
> May 27 14:25:48 okda.pipebreaker.pl server[2364]: WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@5ad7c518 background process
> May 27 14:25:48 okda.pipebreaker.pl server[2364]: java.lang.NullPointerException
> May 27 14:25:48 okda.pipebreaker.pl server[2364]: 	at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:109)
> May 27 14:25:48 okda.pipebreaker.pl server[2364]: 	at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1127)
> May 27 14:25:48 okda.pipebreaker.pl server[2364]: 	at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5642)
> May 27 14:25:48 okda.pipebreaker.pl server[2364]: 	at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1377)
> May 27 14:25:48 okda.pipebreaker.pl server[2364]: 	at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1381)
> May 27 14:25:48 okda.pipebreaker.pl server[2364]: 	at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1381)
> May 27 14:25:48 okda.pipebreaker.pl server[2364]: 	at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1349)
> May 27 14:25:48 okda.pipebreaker.pl server[2364]: 	at java.lang.Thread.run(Thread.java:745)
> 
>   As you can see, those logs do not contain any clue as to what is wrong.
> 
> 
> -----
> 
> ad 4) pycparser.lextab/lextab.py/yacctab.py permission errors
>   I observe the following errors in dnskeysyncd logs:
> 
> May 27 14:08:29 kaitain.pipebreaker.pl ipa-dnskeysyncd[22469]: WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13] Permission denied: 'lextab.py'
> May 27 14:08:29 kaitain.pipebreaker.pl ipa-dnskeysyncd[22469]: WARNING: yacc table file version is out of date
> May 27 14:08:29 kaitain.pipebreaker.pl ipa-dnskeysyncd[22469]: WARNING: Couldn't create 'pycparser.yacctab'. [Errno 13] Permission denied: 'yacctab.py'
> 
>   Also (related?) error during 'ipactl' invocations:
> $ ipactl status
> WARNING: yacc table file version is out of date
>
>   Warnings appear even after switching SELinux to permissive.
> 
> 
>   Please help me with resolving those problems.  What logs should I provide?
> I see no similar issues described at http://www.freeipa.org/page/Troubleshooting

Fedora 24 is broken at the moment so there is nothing you can do before it is
fixed & released.

Sorry.

-- 
Petr^2 Spacek



