[Freeipa-users] My IPA installation doesn't work after upgrade
Morgan Marodin
morgan at marodin.it
Thu Nov 17 14:25:33 UTC 2016
Hi Florence.
Thanks for your support.
Yes, httpd is using /etc/httpd/alias as NSS DB. And seems that all
permissions and certificates are good:
*[root at mlv-ipa01 ~]# ls -l /etc/httpd/alias/total 184-r--r--r-- 1 root
root 1345 Sep 7 2015 cacert.asc-rw-rw---- 1 root apache 65536 Nov 17
11:06 cert8.db-rw-r-----. 1 root apache 65536 Sep 4 2015
cert8.db.orig-rw-------. 1 root root 4833 Sep 4 2015
install.log-rw-rw---- 1 root apache 16384 Nov 17 11:06 key3.db-rw-r-----.
1 root apache 16384 Sep 4 2015 key3.db.origlrwxrwxrwx 1 root root
24 Nov 17 10:24 libnssckbi.so -> /usr/lib64/libnssckbi.so-rw-rw---- 1 root
apache 20 Sep 7 2015 pwdfile.txt-rw-rw---- 1 root apache 16384 Sep
7 2015 secmod.db-rw-r-----. 1 root apache 16384 Sep 4 2015
secmod.db.orig*
And password validations seems ok, too:
*[root at mlv-ipa01 ~]# certutil -K -d /etc/httpd/alias/ -f
/etc/httpd/alias/pwdfile.txtcertutil: Checking token "NSS Certificate DB"
in slot "NSS User Private Key and Certificate Services"< 0> rsa
**************************************** NSS Certificate DB:Server-Cert<
1> rsa **************************************** NSS Certificate
DB:Signing-Cert< 2> rsa **************************************** NSS
Certificate DB:ipaCert*
Enabling mod-nss debug I can see these logs:
*[root at mlv-ipa01 ~]# tail -f /var/log/httpd/error_log[Thu Nov 17
15:05:10.807603 2016] [suexec:notice] [pid 10660] AH01232: suEXEC mechanism
enabled (wrapper: /usr/sbin/suexec)[Thu Nov 17 15:05:10.807958 2016]
[:warn] [pid 10660] NSSSessionCacheTimeout is deprecated. Ignoring.[Thu Nov
17 15:05:10.807991 2016] [:debug] [pid 10660] nss_engine_init.c(454): SNI:
mlv-ipa01.ipa.mydomain.com <http://mlv-ipa01.ipa.mydomain.com> ->
Server-Cert[Thu Nov 17 15:05:11.002664 2016] [:info] [pid 10660]
Configuring server for SSL protocol[Thu Nov 17 15:05:11.002817 2016]
[:debug] [pid 10660] nss_engine_init.c(770): NSSProtocol: Enabling
TLSv1.0[Thu Nov 17 15:05:11.002838 2016] [:debug] [pid 10660]
nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1[Thu Nov 17
15:05:11.002847 2016] [:debug] [pid 10660] nss_engine_init.c(780):
NSSProtocol: Enabling TLSv1.2[Thu Nov 17 15:05:11.002856 2016] [:debug]
[pid 10660] nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)[Thu
Nov 17 15:05:11.002876 2016] [:debug] [pid 10660] nss_engine_init.c(866):
NSSProtocol: [TLS 1.2] (maximum)[Thu Nov 17 15:05:11.003099 2016] [:debug]
[pid 10660] nss_engine_init.c(906): Disabling TLS Session Tickets[Thu Nov
17 15:05:11.003198 2016] [:debug] [pid 10660] nss_engine_init.c(916):
Enabling DHE key exchange[Thu Nov 17 15:05:11.003313 2016] [:debug] [pid
10660] nss_engine_init.c(1077): NSSCipherSuite: Configuring permitted SSL
ciphers
[+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha][Thu
Nov 17 15:05:11.003469 2016] [:debug] [pid 10660] nss_engine_init.c(1140):
Disable cipher: rsa_null_md5[Thu Nov 17 15:05:11.003483 2016] [:debug] [pid
10660] nss_engine_init.c(1140): Disable cipher: rsa_null_sha[Thu Nov 17
15:05:11.003491 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable
cipher: rsa_rc4_40_md5[Thu Nov 17 15:05:11.003509 2016] [:debug] [pid
10660] nss_engine_init.c(1140): Disable cipher: rsa_rc4_128_md5[Thu Nov 17
15:05:11.003632 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable
cipher: rsa_rc4_128_sha[Thu Nov 17 15:05:11.003740 2016] [:debug] [pid
10660] nss_engine_init.c(1140): Disable cipher: rsa_rc2_40_md5[Thu Nov 17
15:05:11.003747 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable
cipher: rsa_des_sha[Thu Nov 17 15:05:11.003802 2016] [:debug] [pid 10660]
nss_engine_init.c(1140): Disable cipher: rsa_3des_sha[Thu Nov 17
15:05:11.003902 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable
cipher: dhe_rsa_des_sha[Thu Nov 17 15:05:11.004001 2016] [:debug] [pid
10660] nss_engine_init.c(1140): Enable cipher: rsa_aes_128_sha[Thu Nov 17
15:05:11.004167 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Enable
cipher: rsa_aes_256_sha[Thu Nov 17 15:05:11.004180 2016] [:debug] [pid
10660] nss_engine_init.c(1140): Disable cipher: null_sha_256[Thu Nov 17
15:05:11.004191 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Enable
cipher: aes_128_sha_256[Thu Nov 17 15:05:11.004285 2016] [:debug] [pid
10660] nss_engine_init.c(1140): Enable cipher: aes_256_sha_256[Thu Nov 17
15:05:11.004352 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable
cipher: camelia_128_sha[Thu Nov 17 15:05:11.004437 2016] [:debug] [pid
10660] nss_engine_init.c(1140): Disable cipher: rsa_des_56_sha[Thu Nov 17
15:05:11.004509 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable
cipher: rsa_rc4_56_sha[Thu Nov 17 15:05:11.004606 2016] [:debug] [pid
10660] nss_engine_init.c(1140): Disable cipher: camelia_256_sha[Thu Nov 17
15:05:11.004668 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Enable
cipher: rsa_aes_128_gcm_sha_256[Thu Nov 17 15:05:11.004724 2016] [:debug]
[pid 10660] nss_engine_init.c(1140): Enable cipher:
rsa_aes_256_gcm_sha_384[Thu Nov 17 15:05:11.004806 2016] [:debug] [pid
10660] nss_engine_init.c(1140): Disable cipher: fips_3des_sha[Thu Nov 17
15:05:11.004881 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable
cipher: fips_des_sha[Thu Nov 17 15:05:11.004956 2016] [:debug] [pid 10660]
nss_engine_init.c(1140): Disable cipher: dhe_rsa_3des_sha[Thu Nov 17
15:05:11.005027 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable
cipher: dhe_rsa_aes_128_sha[Thu Nov 17 15:05:11.005106 2016] [:debug] [pid
10660] nss_engine_init.c(1140): Disable cipher: dhe_rsa_aes_256_sha[Thu Nov
17 15:05:11.005173 2016] [:debug] [pid 10660] nss_engine_init.c(1140):
Disable cipher: dhe_rsa_camellia_128_sha[Thu Nov 17 15:05:11.005238 2016]
[:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher:
dhe_rsa_camellia_256_sha[Thu Nov 17 15:05:11.005309 2016] [:debug] [pid
10660] nss_engine_init.c(1140): Disable cipher: dhe_rsa_aes_128_sha256[Thu
Nov 17 15:05:11.005380 2016] [:debug] [pid 10660] nss_engine_init.c(1140):
Disable cipher: dhe_rsa_aes_256_sha256[Thu Nov 17 15:05:11.005452 2016]
[:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher:
dhe_rsa_aes_128_gcm_sha_256[Thu Nov 17 15:05:11.005524 2016] [:debug] [pid
10660] nss_engine_init.c(1140): Disable cipher:
dhe_rsa_aes_256_gcm_sha_384[Thu Nov 17 15:05:11.005596 2016] [:debug] [pid
10660] nss_engine_init.c(1140): Disable cipher: ecdh_ecdsa_null_sha[Thu Nov
17 15:05:11.005655 2016] [:debug] [pid 10660] nss_engine_init.c(1140):
Disable cipher: ecdh_ecdsa_rc4_128_sha[Thu Nov 17 15:05:11.005698 2016]
[:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher:
ecdh_ecdsa_3des_sha[Thu Nov 17 15:05:11.005814 2016] [:debug] [pid 10660]
nss_engine_init.c(1140): Disable cipher: ecdh_ecdsa_aes_128_sha[Thu Nov 17
15:05:11.005859 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable
cipher: ecdh_ecdsa_aes_256_sha[Thu Nov 17 15:05:11.005904 2016] [:debug]
[pid 10660] nss_engine_init.c(1140): Disable cipher:
ecdhe_ecdsa_null_sha[Thu Nov 17 15:05:11.005948 2016] [:debug] [pid 10660]
nss_engine_init.c(1140): Disable cipher: ecdhe_ecdsa_rc4_128_sha[Thu Nov 17
15:05:11.005993 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable
cipher: ecdhe_ecdsa_3des_sha[Thu Nov 17 15:05:11.006037 2016] [:debug] [pid
10660] nss_engine_init.c(1140): Enable cipher: ecdhe_ecdsa_aes_128_sha[Thu
Nov 17 15:05:11.006081 2016] [:debug] [pid 10660] nss_engine_init.c(1140):
Enable cipher: ecdhe_ecdsa_aes_256_sha[Thu Nov 17 15:05:11.006124 2016]
[:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher:
ecdh_rsa_null_sha[Thu Nov 17 15:05:11.006181 2016] [:debug] [pid 10660]
nss_engine_init.c(1140): Disable cipher: ecdh_rsa_128_sha[Thu Nov 17
15:05:11.006223 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable
cipher: ecdh_rsa_3des_sha[Thu Nov 17 15:05:11.006261 2016] [:debug] [pid
10660] nss_engine_init.c(1140): Disable cipher: ecdh_rsa_aes_128_sha[Thu
Nov 17 15:05:11.006304 2016] [:debug] [pid 10660] nss_engine_init.c(1140):
Disable cipher: ecdh_rsa_aes_256_sha[Thu Nov 17 15:05:11.006348 2016]
[:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher:
ecdhe_rsa_null[Thu Nov 17 15:05:11.006391 2016] [:debug] [pid 10660]
nss_engine_init.c(1140): Disable cipher: ecdhe_rsa_rc4_128_sha[Thu Nov 17
15:05:11.006428 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable
cipher: ecdhe_rsa_3des_sha[Thu Nov 17 15:05:11.006466 2016] [:debug] [pid
10660] nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_sha[Thu
Nov 17 15:05:11.006503 2016] [:debug] [pid 10660] nss_engine_init.c(1140):
Enable cipher: ecdhe_rsa_aes_256_sha[Thu Nov 17 15:05:11.006541 2016]
[:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher:
ecdh_anon_null_sha[Thu Nov 17 15:05:11.006580 2016] [:debug] [pid 10660]
nss_engine_init.c(1140): Disable cipher: ecdh_anon_rc4_128sha[Thu Nov 17
15:05:11.006622 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable
cipher: ecdh_anon_3des_sha[Thu Nov 17 15:05:11.006649 2016] [:debug] [pid
10660] nss_engine_init.c(1140): Disable cipher: ecdh_anon_aes_128_sha[Thu
Nov 17 15:05:11.006682 2016] [:debug] [pid 10660] nss_engine_init.c(1140):
Disable cipher: ecdh_anon_aes_256_sha[Thu Nov 17 15:05:11.006725 2016]
[:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher:
ecdhe_ecdsa_aes_128_sha_256[Thu Nov 17 15:05:11.006730 2016] [:debug] [pid
10660] nss_engine_init.c(1140): Disable cipher:
ecdhe_rsa_aes_128_sha_256[Thu Nov 17 15:05:11.006734 2016] [:debug] [pid
10660] nss_engine_init.c(1140): Enable cipher:
ecdhe_ecdsa_aes_128_gcm_sha_256[Thu Nov 17 15:05:11.006737 2016] [:debug]
[pid 10660] nss_engine_init.c(1140): Disable cipher:
ecdhe_ecdsa_aes_256_sha_384[Thu Nov 17 15:05:11.006740 2016] [:debug] [pid
10660] nss_engine_init.c(1140): Disable cipher:
ecdhe_rsa_aes_256_sha_384[Thu Nov 17 15:05:11.006743 2016] [:debug] [pid
10660] nss_engine_init.c(1140): Enable cipher:
ecdhe_ecdsa_aes_256_gcm_sha_384[Thu Nov 17 15:05:11.006746 2016] [:debug]
[pid 10660] nss_engine_init.c(1140): Enable cipher:
ecdhe_rsa_aes_256_gcm_sha_384[Thu Nov 17 15:05:11.006749 2016] [:debug]
[pid 10660] nss_engine_init.c(1140): Enable cipher:
ecdhe_rsa_aes_128_gcm_sha_256[Thu Nov 17 15:05:11.006759 2016] [:info] [pid
10660] Using nickname Server-Cert.[Thu Nov 17 15:05:11.006771 2016]
[:error] [pid 10660] Certificate not found: 'Server-Cert'[root at mlv-ipa01
~]# tail -f /var/log/messagesNov 17 15:05:04 mlv-ipa01 systemd[1]: Starting
Identity, Policy, Audit...Nov 17 15:05:07 mlv-ipa01 ipactl: Existing
service file detected!Nov 17 15:05:07 mlv-ipa01 ipactl: Assuming stale,
cleaning and proceedingNov 17 15:05:07 mlv-ipa01 systemd[1]: Starting 389
Directory Server IPA-MYDOMAIN-COM....Nov 17 15:05:07 mlv-ipa01 ns-slapd:
[17/Nov/2016:15:05:07.799208210 +0100] SSL alert: Sending pin request to
SVRCore. You may need to run systemd-tty-ask-password-agent to provide the
password.Nov 17 15:05:07 mlv-ipa01 ns-slapd:
[17/Nov/2016:15:05:07.803853873 +0100] SSL alert: Security Initialization:
Enabling default cipher set.Nov 17 15:05:07 mlv-ipa01 ns-slapd:
[17/Nov/2016:15:05:07.805145890 +0100] SSL alert: Configured NSS CiphersNov
17 15:05:07 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:07.806316182 +0100] SSL
alert: #011TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabledNov 17 15:05:07
mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:07.807723387 +0100] SSL alert:
#011TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabledNov 17 15:05:07 mlv-ipa01
ns-slapd: [17/Nov/2016:15:05:07.808923825 +0100] SSL alert:
#011TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabledNov 17 15:05:07
mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:07.810155882 +0100] SSL alert:
#011TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabledNov 17 15:05:07 mlv-ipa01
ns-slapd: [17/Nov/2016:15:05:07.811325853 +0100] SSL alert:
#011TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabledNov 17 15:05:07 mlv-ipa01
ns-slapd: [17/Nov/2016:15:05:07.812784224 +0100] SSL alert:
#011TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabledNov 17 15:05:07 mlv-ipa01
ns-slapd: [17/Nov/2016:15:05:07.813976726 +0100] SSL alert:
#011TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabledNov 17 15:05:07 mlv-ipa01
ns-slapd: [17/Nov/2016:15:05:07.815120447 +0100] SSL alert:
#011TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabledNov 17 15:05:07 mlv-ipa01
ns-slapd: [17/Nov/2016:15:05:07.816327755 +0100] SSL alert:
#011TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabledNov 17 15:05:07 mlv-ipa01
ns-slapd: [17/Nov/2016:15:05:07.817977411 +0100] SSL alert:
#011TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabledNov 17 15:05:07 mlv-ipa01
ns-slapd: [17/Nov/2016:15:05:07.819254448 +0100] SSL alert:
#011TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabledNov 17 15:05:07 mlv-ipa01
ns-slapd: [17/Nov/2016:15:05:07.820464679 +0100] SSL alert:
#011TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabledNov 17 15:05:07 mlv-ipa01
ns-slapd: [17/Nov/2016:15:05:07.821632382 +0100] SSL alert:
#011TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabledNov 17 15:05:07 mlv-ipa01
ns-slapd: [17/Nov/2016:15:05:07.822786869 +0100] SSL alert:
#011TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabledNov 17 15:05:07 mlv-ipa01
ns-slapd: [17/Nov/2016:15:05:07.823971028 +0100] SSL alert:
#011TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabledNov 17 15:05:07 mlv-ipa01
ns-slapd: [17/Nov/2016:15:05:07.825053303 +0100] SSL alert:
#011TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabledNov 17 15:05:07 mlv-ipa01
ns-slapd: [17/Nov/2016:15:05:07.826194181 +0100] SSL alert:
#011TLS_RSA_WITH_AES_256_GCM_SHA384: enabledNov 17 15:05:07 mlv-ipa01
ns-slapd: [17/Nov/2016:15:05:07.827825315 +0100] SSL alert:
#011TLS_RSA_WITH_AES_256_CBC_SHA: enabledNov 17 15:05:07 mlv-ipa01
ns-slapd: [17/Nov/2016:15:05:07.829462992 +0100] SSL alert:
#011TLS_RSA_WITH_AES_256_CBC_SHA256: enabledNov 17 15:05:07 mlv-ipa01
ns-slapd: [17/Nov/2016:15:05:07.830793383 +0100] SSL alert:
#011TLS_RSA_WITH_AES_128_GCM_SHA256: enabledNov 17 15:05:07 mlv-ipa01
ns-slapd: [17/Nov/2016:15:05:07.832242224 +0100] SSL alert:
#011TLS_RSA_WITH_AES_128_CBC_SHA: enabledNov 17 15:05:07 mlv-ipa01
ns-slapd: [17/Nov/2016:15:05:07.833873583 +0100] SSL alert:
#011TLS_RSA_WITH_AES_128_CBC_SHA256: enabledNov 17 15:05:07 mlv-ipa01
ns-slapd: [17/Nov/2016:15:05:07.885093482 +0100] SSL Initialization -
Configured SSL version range: min: TLS1.0, max: TLS1.2Nov 17 15:05:07
mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:07.886826410 +0100]
389-Directory/1.3.5.10 <http://1.3.5.10> B2016.309.1527 starting upNov 17
15:05:07 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:07.924968051 +0100]
default_mr_indexer_create: warning - plugin [caseIgnoreIA5Match] does not
handle caseExactIA5MatchNov 17 15:05:07 mlv-ipa01 ns-slapd:
[17/Nov/2016:15:05:07.960936427 +0100] WARNING: changelog: entry cache size
2097152 B is less than db size 15654912 B; We recommend to increase the
entry cache size nsslapd-cachememsize.Nov 17 15:05:08 mlv-ipa01 ns-slapd:
[17/Nov/2016:15:05:08.051517901 +0100] schema-compat-plugin - scheduled
schema-compat-plugin tree scan in about 5 seconds after the server
startup!Nov 17 15:05:08 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.088107275
+0100] NSACLPlugin - The ACL target
cn=groups,cn=compat,dc=ipa,dc=mydomain,dc=com does not existNov 17 15:05:08
mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.089975405 +0100] NSACLPlugin -
The ACL target cn=computers,cn=compat,dc=ipa,dc=mydomain,dc=com does not
existNov 17 15:05:08 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.091605059
+0100] NSACLPlugin - The ACL target
cn=ng,cn=compat,dc=ipa,dc=mydomain,dc=com does not existNov 17 15:05:08
mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.093396173 +0100] NSACLPlugin -
The ACL target ou=sudoers,dc=ipa,dc=mydomain,dc=com does not existNov 17
15:05:08 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.095072910 +0100]
NSACLPlugin - The ACL target cn=users,cn=compat,dc=ipa,dc=mydomain,dc=com
does not existNov 17 15:05:08 mlv-ipa01 ns-slapd:
[17/Nov/2016:15:05:08.097647403 +0100] NSACLPlugin - The ACL target
cn=vaults,cn=kra,dc=ipa,dc=mydomain,dc=com does not existNov 17 15:05:08
mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.099159503 +0100] NSACLPlugin -
The ACL target cn=vaults,cn=kra,dc=ipa,dc=mydomain,dc=com does not existNov
17 15:05:08 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.100703471 +0100]
NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=ipa,dc=mydomain,dc=com
does not existNov 17 15:05:08 mlv-ipa01 ns-slapd:
[17/Nov/2016:15:05:08.102286938 +0100] NSACLPlugin - The ACL target
cn=vaults,cn=kra,dc=ipa,dc=mydomain,dc=com does not existNov 17 15:05:08
mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.103852482 +0100] NSACLPlugin -
The ACL target cn=vaults,cn=kra,dc=ipa,dc=mydomain,dc=com does not existNov
17 15:05:08 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.105586463 +0100]
NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=ipa,dc=mydomain,dc=com
does not existNov 17 15:05:08 mlv-ipa01 ns-slapd:
[17/Nov/2016:15:05:08.107026360 +0100] NSACLPlugin - The ACL target
cn=vaults,cn=kra,dc=ipa,dc=mydomain,dc=com does not existNov 17 15:05:08
mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.108476210 +0100] NSACLPlugin -
The ACL target cn=vaults,cn=kra,dc=ipa,dc=mydomain,dc=com does not existNov
17 15:05:08 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.110187640 +0100]
NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=ipa,dc=mydomain,dc=com
does not existNov 17 15:05:08 mlv-ipa01 ns-slapd:
[17/Nov/2016:15:05:08.111655019 +0100] NSACLPlugin - The ACL target
cn=vaults,cn=kra,dc=ipa,dc=mydomain,dc=com does not existNov 17 15:05:08
mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.113841889 +0100] NSACLPlugin -
The ACL target cn=vaults,cn=kra,dc=ipa,dc=mydomain,dc=com does not existNov
17 15:05:08 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.133500119 +0100]
NSACLPlugin - The ACL target cn=casigningcert
cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=com does not
existNov 17 15:05:08 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.135098802
+0100] NSACLPlugin - The ACL target cn=casigningcert
cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=com does not
existNov 17 15:05:08 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.363531779
+0100] NSACLPlugin - The ACL target cn=automember rebuild
membership,cn=tasks,cn=config does not existNov 17 15:05:08 mlv-ipa01
ns-slapd: [17/Nov/2016:15:05:08.373037600 +0100] Skipping CoS Definition
cn=Password Policy,cn=accounts,dc=ipa,dc=mydomain,dc=com--no CoS Templates
found, which should be added before the CoS Definition.Nov 17 15:05:08
mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.412160395 +0100] set_krb5_creds -
Could not get initial credentials for principal
[ldap/mlv-ipa01.ipa.mydomain.com at IPA.MYDOMAIN.COM
<mlv-ipa01.ipa.mydomain.com at IPA.MYDOMAIN.COM>] in keytab
[FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for
requested realm)Nov 17 15:05:08 mlv-ipa01 ns-slapd:
[17/Nov/2016:15:05:08.417620890 +0100] schema-compat-plugin -
schema-compat-plugin tree scan will start in about 5 seconds!Nov 17
15:05:08 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.430081973 +0100] slapd
started. Listening on All Interfaces port 389 for LDAP requestsNov 17
15:05:08 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.431273848 +0100]
Listening on All Interfaces port 636 for LDAPS requestsNov 17 15:05:08
mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.432861124 +0100] Listening on
/var/run/slapd-IPA-MYDOMAIN-COM.socket for LDAPI requestsNov 17 15:05:08
mlv-ipa01 systemd[1]: Started 389 Directory Server IPA-MYDOMAIN-COM..Nov 17
15:05:09 mlv-ipa01 systemd[1]: Starting Kerberos 5 KDC...Nov 17 15:05:09
mlv-ipa01 systemd[1]: Started Kerberos 5 KDC.Nov 17 15:05:09 mlv-ipa01
systemd[1]: Starting Kerberos 5 Password-changing and Administration...Nov
17 15:05:09 mlv-ipa01 systemd[1]: Started Kerberos 5 Password-changing and
Administration.Nov 17 15:05:09 mlv-ipa01 systemd[1]: Starting Generate rndc
key for BIND (DNS)...Nov 17 15:05:09 mlv-ipa01 systemd[1]: Started Generate
rndc key for BIND (DNS).Nov 17 15:05:09 mlv-ipa01 systemd[1]: Starting
Berkeley Internet Name Domain (DNS) with native PKCS#11...Nov 17 15:05:09
mlv-ipa01 bash: zone localhost.localdomain/IN: loaded serial 0Nov 17
15:05:09 mlv-ipa01 bash: zone localhost/IN: loaded serial 0Nov 17 15:05:09
mlv-ipa01 bash: zone
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN:
loaded serial 0Nov 17 15:05:09 mlv-ipa01 bash: zone
1.0.0.127.in-addr.arpa/IN: loaded serial 0Nov 17 15:05:09 mlv-ipa01 bash:
zone 0.in-addr.arpa/IN: loaded serial 0Nov 17 15:05:09 mlv-ipa01
named-pkcs11[10634]: starting BIND 9.9.4-RedHat-9.9.4-38.el7_3 -u namedNov
17 15:05:09 mlv-ipa01 named-pkcs11[10634]: built with
'--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu'
'--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr'
'--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin'
'--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include'
'--libdir=/usr/lib64' '--libexecdir=/usr/libexec'
'--sharedstatedir=/var/lib' '--mandir=/usr/share/man'
'--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var'
'--enable-threads' '--with-geoip' '--enable-ipv6' '--enable-filter-aaaa'
'--enable-rrl' '--with-pic' '--disable-static'
'--disable-openssl-version-check' '--enable-exportlib'
'--with-export-libdir=/usr/lib64' '--with-export-includedir=/usr/include'
'--includedir=/usr/include/bind9' '--enable-native-pkcs11'
'--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so' '--with-dlopen=yes'
'--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes'
'--with-dlz-filesystem=yes' '--with-dlz-bdb=yes' '--with-gssapi=yes'
'--disable-isc-spnego' '--enable-fixed-rrset'
'--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets'
'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu'
'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
-fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches
-m64 -mtune=generic' 'LDFLAGS=-Wl,-z,relro ' 'CPPFLAGS= -DDIG_SIGCHASE'Nov
17 15:05:09 mlv-ipa01 named-pkcs11[10634]:
----------------------------------------------------Nov 17 15:05:09
mlv-ipa01 named-pkcs11[10634]: BIND 9 is maintained by Internet Systems
Consortium,Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: Inc. (ISC), a
non-profit 501(c)(3) public-benefitNov 17 15:05:09 mlv-ipa01
named-pkcs11[10634]: corporation. Support and training for BIND 9 areNov
17 15:05:09 mlv-ipa01 named-pkcs11[10634]: available at
https://www.isc.org/support <https://www.isc.org/support>Nov 17 15:05:09
mlv-ipa01 named-pkcs11[10634]:
----------------------------------------------------Nov 17 15:05:09
mlv-ipa01 named-pkcs11[10634]: adjusted limit on open files from 4096 to
1048576Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: found 8 CPUs, using 8
worker threadsNov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: using 8 UDP
listeners per interfaceNov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: using
up to 4096 socketsNov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: loading
configuration from '/etc/named.conf'Nov 17 15:05:09 mlv-ipa01
named-pkcs11[10634]: reading built-in trusted keys from file
'/etc/named.iscdlv.key'Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]:
initializing GeoIP Country (IPv4) (type 1) DBNov 17 15:05:09 mlv-ipa01
named-pkcs11[10634]: GEO-106FREE 20160607 Build 1 Copyright (c) 2016
MaxMindNov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: initializing GeoIP
Country (IPv6) (type 12) DBNov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]:
GEO-106FREE 20160607 Build 1 CopyNov 17 15:05:09 mlv-ipa01
named-pkcs11[10634]: GeoIP City (IPv4) (type 2) DB not availableNov 17
15:05:09 mlv-ipa01 named-pkcs11[10634]: GeoIP City (IPv4) (type 6) DB not
availableNov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: GeoIP City (IPv6)
(type 30) DB not availableNov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]:
GeoIP City (IPv6) (type 31) DB not availableNov 17 15:05:09 mlv-ipa01
named-pkcs11[10634]: GeoIP Region (type 3) DB not availableNov 17 15:05:09
mlv-ipa01 named-pkcs11[10634]: GeoIP Region (type 7) DB not availableNov 17
15:05:09 mlv-ipa01 named-pkcs11[10634]: GeoIP ISP (type 4) DB not
availableNov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: GeoIP Org (type 5)
DB not availableNov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: GeoIP AS
(type 9) DB not availableNov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]:
GeoIP Domain (type 11) DB not availableNov 17 15:05:09 mlv-ipa01
named-pkcs11[10634]: GeoIP NetSpeed (type 10) DB not availableNov 17
15:05:09 mlv-ipa01 named-pkcs11[10634]: using default UDP/IPv4 port range:
[1024, 65535]Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: using default
UDP/IPv6 port range: [1024, 65535]Nov 17 15:05:09 mlv-ipa01
named-pkcs11[10634]: listening on IPv6 interfaces, port 53Nov 17 15:05:09
mlv-ipa01 named-pkcs11[10634]: listening on IPv4 interface lo,
127.0.0.1#53Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: listening on
IPv4 interface eth0, 192.168.0.65#53Nov 17 15:05:09 mlv-ipa01
named-pkcs11[10634]: generating session key for dynamic DNSNov 17 15:05:09
mlv-ipa01 named-pkcs11[10634]: sizing zone task pool based on 6 zonesNov 17
15:05:09 mlv-ipa01 named-pkcs11[10634]: set up managed keys zone for view
_default, file '/var/named/dynamic/managed-keys.bind'Nov 17 15:05:09
mlv-ipa01 named-pkcs11[10634]: bind-dyndb-ldap version 10.0 compiled at
16:25:21 Nov 4 2016, compiler 4.8.5 20150623 (Red Hat 4.8.5-11)Nov 17
15:05:09 mlv-ipa01 named-pkcs11[10634]: option 'serial_autoincrement' is
not supported, ignoringNov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]:
automatic empty zone: 10.IN-ADDR.ARPA...Nov 17 15:05:09 mlv-ipa01
named-pkcs11[10634]: command channel listening on 127.0.0.1#953Nov 17
15:05:09 mlv-ipa01 named-pkcs11[10634]: command channel listening on
::1#953Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: managed-keys-zone:
loaded serial 10165Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: ignoring
inherited 'forward first;' for zone '.' - did you want 'forward only;' to
override automatic empty zone '10.IN-ADDR.ARPA'?...Nov 17 15:05:09
mlv-ipa01 named-pkcs11[10634]: zone ipa.mydomain.com/IN
<http://ipa.mydomain.com/IN>: loaded serial 1479391509Nov 17 15:05:09
mlv-ipa01 named-pkcs11[10634]: zone ipa.mydomain.com/IN
<http://ipa.mydomain.com/IN>: sending notifies (serial 1479391509)Nov 17
15:05:09 mlv-ipa01 named-pkcs11[10634]: 1 master zones from LDAP instance
'ipa' loaded (1 zones defined, 0 inactive, 0 failed to load)Nov 17 15:05:10
mlv-ipa01 ipa-httpd-kdcproxy: ipa : INFO KDC proxy enabledNov
17 15:05:11 mlv-ipa01 systemd[1]: httpd.service: main process exited,
code=exited, status=1/FAILURENov 17 15:05:11 mlv-ipa01 kill: kill: cannot
find process ""Nov 17 15:05:11 mlv-ipa01 systemd[1]: httpd.service: control
process exited, code=exited status=1Nov 17 15:05:11 mlv-ipa01 systemd[1]:
Failed to start The Apache HTTP Server.Nov 17 15:05:11 mlv-ipa01
systemd[1]: Unit httpd.service entered failed state.Nov 17 15:05:11
mlv-ipa01 systemd[1]: httpd.service failed.Nov 17 15:05:11 mlv-ipa01
systemctl[10657]: Job for httpd.service failed because the control process
exited with error code. See "systemctl status httpd.service" and
"journalctl -xe" for details.Nov 17 15:05:11 mlv-ipa01 ipactl: Failed to
start httpd ServiceNov 17 15:05:11 mlv-ipa01 ipactl: Shutting downNov 17
15:05:11 mlv-ipa01 systemd[1]: Stopping Kerberos 5 KDC...Nov 17 15:05:11
mlv-ipa01 systemd[1]: Stopped Kerberos 5 KDC.Nov 17 15:05:11 mlv-ipa01
systemd[1]: Stopping Kerberos 5 Password-changing and Administration...Nov
17 15:05:11 mlv-ipa01 systemd[1]: kadmin.service: main process exited,
code=exited, status=2/INVALIDARGUMENTNov 17 15:05:11 mlv-ipa01 systemd[1]:
Stopped Kerberos 5 Password-changing and Administration.Nov 17 15:05:11
mlv-ipa01 systemd[1]: Unit kadmin.service entered failed state.Nov 17
15:05:11 mlv-ipa01 systemd[1]: kadmin.service failed.Nov 17 15:05:11
mlv-ipa01 systemd[1]: Stopping Berkeley Internet Name Domain (DNS) with
native PKCS#11...Nov 17 15:05:11 mlv-ipa01 named-pkcs11[10634]: received
control channel command 'stop'Nov 17 15:05:11 mlv-ipa01
named-pkcs11[10634]: shutting down: flushing changesNov 17 15:05:11
mlv-ipa01 named-pkcs11[10634]: stopping command channel on 127.0.0.1#953Nov
17 15:05:11 mlv-ipa01 named-pkcs11[10634]: stopping command channel on
::1#953Nov 17 15:05:11 mlv-ipa01 named-pkcs11[10634]: zone
ipa.mydomain.com/IN <http://ipa.mydomain.com/IN>: shutting downNov 17
15:05:11 mlv-ipa01 named-pkcs11[10634]: no longer listening on ::#53Nov 17
15:05:11 mlv-ipa01 named-pkcs11[10634]: no longer listening on
127.0.0.1#53Nov 17 15:05:11 mlv-ipa01 named-pkcs11[10634]: no longer
listening on 192.168.0.65#53Nov 17 15:05:11 mlv-ipa01 named-pkcs11[10634]:
exitingNov 17 15:05:11 mlv-ipa01 systemd[1]: Stopped Berkeley Internet Name
Domain (DNS) with native PKCS#11.Nov 17 15:05:11 mlv-ipa01 systemd[1]:
Stopping IPA memcached daemon, increases IPA server performance...Nov 17
15:05:11 mlv-ipa01 systemd[1]: Stopped IPA memcached daemon, increases IPA
server performance.Nov 17 15:05:11 mlv-ipa01 systemctl[10685]: Warning:
httpd.service changed on disk. Run 'systemctl daemon-reload' to reload
units.Nov 17 15:05:11 mlv-ipa01 systemd[1]: Stopping 389 Directory Server
IPA-MYDOMAIN-COM....Nov 17 15:05:11 mlv-ipa01 ns-slapd:
[17/Nov/2016:15:05:11.357603144 +0100] slapd shutting down - signaling
operation threads - op stack size 1 max work q size 1 max work q stack size
1Nov 17 15:05:11 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:11.359785218 +0100]
slapd shutting down - waiting for 25 threads to terminateNov 17 15:05:11
mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:11.361826680 +0100] slapd shutting
down - closing down internal subsystems and pluginsNov 17 15:05:13
mlv-ipa01 ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may
provide more information (No Kerberos credentials available (default cache:
/tmp/krb5cc_996))Nov 17 15:05:13 mlv-ipa01 ns-slapd:
[17/Nov/2016:15:05:13.811837199 +0100] Waiting for 4 database threads to
stopNov 17 15:05:14 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:14.000534924
+0100] All database threads now stoppedNov 17 15:05:14 mlv-ipa01 ns-slapd:
[17/Nov/2016:15:05:14.015405431 +0100] slapd shutting down - freed 1 work q
stack objects - freed 1 op stack objectsNov 17 15:05:14 mlv-ipa01 ns-slapd:
[17/Nov/2016:15:05:14.437288197 +0100] slapd stopped.Nov 17 15:05:14
mlv-ipa01 systemd[1]: Stopped 389 Directory Server IPA-MYDOMAIN-COM..Nov 17
15:05:14 mlv-ipa01 ipactl: Hint: You can use --ignore-service-failure
option for forced start in case that a non-critical service failedNov 17
15:05:14 mlv-ipa01 ipactl: Aborting ipactlNov 17 15:05:14 mlv-ipa01 ipactl:
Starting Directory ServiceNov 17 15:05:14 mlv-ipa01 ipactl: Starting
krb5kdc ServiceNov 17 15:05:14 mlv-ipa01 ipactl: Starting kadmin ServiceNov
17 15:05:14 mlv-ipa01 ipactl: Starting named ServiceNov 17 15:05:14
mlv-ipa01 ipactl: Starting ipa_memcached ServiceNov 17 15:05:14 mlv-ipa01
ipactl: Starting httpd ServiceNov 17 15:05:14 mlv-ipa01 systemd[1]:
ipa.service: main process exited, code=exited, status=1/FAILURENov 17
15:05:14 mlv-ipa01 systemd[1]: Failed to start Identity, Policy, Audit.Nov
17 15:05:14 mlv-ipa01 systemd[1]: Unit ipa.service entered failed state.Nov
17 15:05:14 mlv-ipa01 systemd[1]: ipa.service failed*.
Do you think there is a kerberos problem?
Please let me know, thanks.
Bye, Morgan
2016-11-17 14:39 GMT+01:00 Florence Blanc-Renaud <flo at redhat.com>:
> On 11/17/2016 12:09 PM, Morgan Marodin wrote:
>
>> Hello.
>>
>> This morning I've tried to upgrade my IPA server, but the upgrade
>> failed, and now the service doesn't start! :(
>>
>> If I try lo launch the upgrade manually this is the output:
>> /[root at mlv-ipa01 download]# ipa-server-upgrade
>>
>> Upgrading IPA:
>> [1/8]: saving configuration
>> [2/8]: disabling listeners
>> [3/8]: enabling DS global lock
>> [4/8]: starting directory server
>> [5/8]: updating schema
>> [6/8]: upgrading server
>> [7/8]: stopping directory server
>> [8/8]: restoring configuration
>> Done.
>> Update complete
>> Upgrading IPA services
>> Upgrading the configuration of the IPA services
>> [Verifying that root certificate is published]
>> [Migrate CRL publish directory]
>> CRL tree already moved
>> [Verifying that CA proxy configuration is correct]
>> [Verifying that KDC configuration is using ipa-kdb backend]
>> [Fix DS schema file syntax]
>> Syntax already fixed
>> [Removing RA cert from DS NSS database]
>> RA cert already removed
>> [Enable sidgen and extdom plugins by default]
>> [Updating HTTPD service IPA configuration]
>> [Updating mod_nss protocol versions]
>> Protocol versions already updated
>> [Updating mod_nss cipher suite]
>> [Fixing trust flags in /etc/httpd/alias]
>> Trust flags already processed
>> [Exporting KRA agent PEM file]
>> KRA is not enabled
>> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run
>> command ipa-server-upgrade manually.
>> Unexpected error - see /var/log/ipaupgrade.log for details:
>> CalledProcessError: Command '/bin/systemctl start httpd.service'
>> returned non-zero exit status 1
>> The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for
>> more information/
>>
>> These are error logs of Apache:
>> /[Thu Nov 17 11:48:45.498510 2016] [suexec:notice] [pid 5664] AH01232:
>> suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
>> [Thu Nov 17 11:48:45.499220 2016] [:warn] [pid 5664]
>> NSSSessionCacheTimeout is deprecated. Ignoring.
>> [Thu Nov 17 11:48:45.830910 2016] [:error] [pid 5664] Certificate not
>> found: 'Server-Cert'/
>>
>> The problem seems to be the /Server-Cert /that could not be found.
>> But if I try to execute the certutil command manually I can see it:/
>> [root at mlv-ipa01 log]# certutil -L -d /etc/httpd/alias/
>> Certificate Nickname Trust
>> Attributes
>>
>> SSL,S/MIME,JAR/XPI
>> Signing-Cert u,u,u
>> ipaCert u,u,u
>> Server-Cert Pu,u,u
>> IPA.MYDOMAIN.COM <http://IPA.MYDOMAIN.COM> IPA
>> CA CT,C,C/
>>
>> Could you help me?
>> What could I try to do to restart my service?
>>
>> Hi,
>
> I would first make sure that httpd is using /etc/httpd/alias as NSS DB
> (check the directive NSSCertificateDatabase in /etc/httpd/conf.d/nss.conf).
> Then it may be a file permission issue: the NSS DB should belong to
> root:apache (the relevant files are cert8.db, key3.db and secmod.db).
> You should also find a pwdfile.txt in the same directory, containing the
> NSS DB password. Check that the password is valid using
> certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt
> (if the command succeeds then the password in pwdfile is OK).
>
> You can also enable mod-nss debug in /etc/httpd/conf/nss.conf by setting
> "LogLevel debug", and check the output in /var/log/httpd/error_log.
>
> HTH,
> Flo.
>
>> Thanks, Morgan
>>
>>
>>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20161117/c9dcffe7/attachment.htm>
More information about the Freeipa-users
mailing list