[Freeipa-users] Freeipa web UI: An error has occurred (IPA Error 4302: CertificateFormatError)

Andrew Krause andrew.krause at breakthroughfuel.com
Wed Apr 26 20:06:12 UTC 2017


I had to let this sit for a few days, but now that I try again I can remove and re-add the host (using CLI).  The web UI still presents an error though: "IPA Error 4302: CertificateFormatError. Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old unsupported format."


This is an error I ran into when working with renewing certs while referring to the wrong path for the certificate database (path changed with versions and I was unaware).  Why this is happening in the web UI though still eludes me.  The test host I removed via CLI and then added with the ipa-client-install command still does not show “Enrolled” status when I do a search for it in the UI, and the error above is displayed when this host shows up in results, or when I click on the link to the host page.  Is it possible that Apache is misconfigured?  I’m including my dirsrv and apache access log excerpts from when I try to load the host page.  I do see some errors.

Apache:

[Wed Apr 26 14:37:15.047280 2017] [:error] [pid 7300] Bad remote server certificate: -8179
[Wed Apr 26 14:37:15.047303 2017] [:error] [pid 7300] SSL Library Error: -8179 Certificate is signed by an unknown issuer
[Wed Apr 26 14:37:15.047364 2017] [:error] [pid 7300] Re-negotiation handshake failed: Not accepted by client!?
[Wed Apr 26 14:37:15.047698 2017] [:error] [pid 7295] ipa: INFO: [xmlserver] host/clienthost.domain2.com at DOMAIN.COM: cert_request(u'...', principal=u'host/clienthost.domain2.com at DOMAIN.COM', add=True, version=u'2.51'): NetworkError
[Wed Apr 26 14:37:15.047856 2017] [:error] [pid 7300] Bad remote server certificate: -8179
[Wed Apr 26 14:37:15.047864 2017] [:error] [pid 7300] SSL Library Error: -8179 Certificate is signed by an unknown issuer
[Wed Apr 26 14:37:15.047869 2017] [:error] [pid 7300] SSL Library Error: -8179 Certificate is signed by an unknown issuer
[Wed Apr 26 14:37:15.048309 2017] [:error] [pid 7300] Bad remote server certificate: -8179
[Wed Apr 26 14:37:15.048317 2017] [:error] [pid 7300] SSL Library Error: -8179 Certificate is signed by an unknown issuer
[Wed Apr 26 14:37:15.235599 2017] [:warn] [pid 9708] NSSProtocol:  Unknown protocol 'tlsv1.2' not supported
[Wed Apr 26 14:37:15.235637 2017] [:error] [pid 9708] Unknown cipher aes_128_sha_256
[Wed Apr 26 14:37:15.235641 2017] [:error] [pid 9708] Unknown cipher aes_256_sha_256
[Wed Apr 26 14:37:15.235644 2017] [:error] [pid 9708] Unknown cipher ecdhe_ecdsa_aes_128_gcm_sha_256
[Wed Apr 26 14:37:15.235648 2017] [:error] [pid 9708] Unknown cipher ecdhe_ecdsa_aes_256_gcm_sha_384
[Wed Apr 26 14:37:15.235652 2017] [:error] [pid 9708] Unknown cipher ecdhe_rsa_aes_128_gcm_sha_256
[Wed Apr 26 14:37:15.235655 2017] [:error] [pid 9708] Unknown cipher ecdhe_rsa_aes_256_gcm_sha_384
[Wed Apr 26 14:37:15.235658 2017] [:error] [pid 9708] Unknown cipher rsa_aes_128_gcm_sha_256
[Wed Apr 26 14:37:15.235662 2017] [:error] [pid 9708] Unknown cipher rsa_aes_256_gcm_sha_384

Dirsrv:

[26/Apr/2017:14:51:54.142433251 -0500] conn=17 op=5296 SRCH base="ou=sessions,ou=Security Domain,o=ipaca" scope=2 filter="(objectClass=securityDomainSessionEntry)" attrs="cn"
[26/Apr/2017:14:51:54.142776551 -0500] conn=17 op=5296 RESULT err=32 tag=101 nentries=0 etime=0
[26/Apr/2017:14:51:55.018498792 -0500] conn=8 op=8117 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="description"
[26/Apr/2017:14:51:55.018666292 -0500] conn=8 op=8117 RESULT err=0 tag=101 nentries=1 etime=0
[26/Apr/2017:14:52:00.146796240 -0500] conn=8 op=8119 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 filter="(certStatus=INVALID)" attrs="objectClass serialno notBefore notAfter duration extension subjectName issuerName userCertificate version algorithmId signingAlgorithmId publicKeyData"
[26/Apr/2017:14:52:00.147035479 -0500] conn=8 op=8119 SORT notBefore
[26/Apr/2017:14:52:00.147051543 -0500] conn=8 op=8119 VLV 200:0:20170426145200Z 1:0 (0)
[26/Apr/2017:14:52:00.147092417 -0500] conn=8 op=8119 RESULT err=0 tag=101 nentries=0 etime=0
[26/Apr/2017:14:52:00.147826090 -0500] conn=8 op=8120 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 filter="(certStatus=VALID)" attrs="objectClass serialno notBefore notAfter duration extension subjectName issuerName userCertificate version algorithmId signingAlgorithmId publicKeyData"
[26/Apr/2017:14:52:00.147982635 -0500] conn=8 op=8120 SORT notAfter
[26/Apr/2017:14:52:00.147991868 -0500] conn=8 op=8120 VLV 200:0:20170426145200Z 1:35 (0)
[26/Apr/2017:14:52:00.148105485 -0500] conn=8 op=8120 RESULT err=0 tag=101 nentries=1 etime=0
[26/Apr/2017:14:52:00.148933905 -0500] conn=8 op=8121 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 filter="(certStatus=REVOKED)" attrs="objectClass revokedOn serialno revInfo notAfter notBefore duration extension subjectName issuerName userCertificate version algorithmId signingAlgorithmId publicKeyData"
[26/Apr/2017:14:52:00.149043409 -0500] conn=8 op=8121 SORT notAfter
[26/Apr/2017:14:52:00.149052772 -0500] conn=8 op=8121 VLV 200:0:20170426145200Z 1:4 (0)
[26/Apr/2017:14:52:00.149160758 -0500] conn=8 op=8121 RESULT err=0 tag=101 nentries=1 etime=0
[26/Apr/2017:14:52:29.001182676 -0500] conn=19057 op=17 UNBIND
[26/Apr/2017:14:52:29.001203771 -0500] conn=19057 op=17 fd=122 closed - U1
[26/Apr/2017:14:52:43.956006475 -0500] conn=19059 fd=122 slot=122 connection from 10.11.10.6 to 10.11.10.3
[26/Apr/2017:14:52:43.956364716 -0500] conn=19059 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="* altServer namingContexts supportedControl supportedExtension supportedFeatures supportedLDAPVersion supportedSASLMechanisms domaincontrollerfunctionality defaultnamingcontext lastusn highestcommittedusn aci"
[26/Apr/2017:14:52:43.957812723 -0500] conn=19059 op=0 RESULT err=0 tag=101 nentries=1 etime=0
[26/Apr/2017:14:52:43.961326411 -0500] conn=4 op=33437 SRCH base="dc=domain,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=host/clienthost.domain2.com at DOMAIN.COM)(krbPrincipalName:caseIgnoreIA5Match:=host/clienthost.domain2.com at DOMAIN.COM)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[26/Apr/2017:14:52:43.961883409 -0500] conn=4 op=33437 RESULT err=0 tag=101 nentries=1 etime=0
[26/Apr/2017:14:52:43.961970819 -0500] conn=4 op=33438 SRCH base="cn=ipaConfig,cn=etc,dc=domain,dc=com" scope=0 filter="(objectClass=*)" attrs="ipaConfigString ipaKrbAuthzData ipaUserAuthType"
[26/Apr/2017:14:52:43.962039666 -0500] conn=4 op=33438 RESULT err=0 tag=101 nentries=1 etime=0
[26/Apr/2017:14:52:43.962141970 -0500] conn=4 op=33439 SRCH base="cn=DOMAIN.COM,cn=kerberos,dc=domain,dc=com" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
[26/Apr/2017:14:52:43.962369262 -0500] conn=4 op=33439 RESULT err=0 tag=101 nentries=1 etime=0
[26/Apr/2017:14:52:43.962455322 -0500] conn=4 op=33440 SRCH base="dc=domain,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/DOMAIN.COM at DOMAIN.COM)(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/DOMAIN.COM at DOMAIN.COM)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[26/Apr/2017:14:52:43.962718874 -0500] conn=4 op=33440 RESULT err=0 tag=101 nentries=1 etime=0
[26/Apr/2017:14:52:43.962817682 -0500] conn=4 op=33441 SRCH base="cn=Default Host Password Policy,cn=computers,cn=accounts,dc=domain,dc=com" scope=0 filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure krbPwdFailureCountInterval krbPwdLockoutDuration"
[26/Apr/2017:14:52:43.962896540 -0500] conn=4 op=33441 RESULT err=0 tag=101 nentries=1 etime=0
[26/Apr/2017:14:52:43.963503712 -0500] conn=4 op=33442 SRCH base="dc=domain,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=host/clienthost.domain2.com at DOMAIN.COM)(krbPrincipalName:caseIgnoreIA5Match:=host/clienthost.domain2.com at DOMAIN.COM)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[26/Apr/2017:14:52:43.963752103 -0500] conn=4 op=33442 RESULT err=0 tag=101 nentries=1 etime=0
[26/Apr/2017:14:52:43.963849295 -0500] conn=4 op=33443 SRCH base="cn=DOMAIN.COM,cn=kerberos,dc=domain,dc=com" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
[26/Apr/2017:14:52:43.963953657 -0500] conn=4 op=33443 RESULT err=0 tag=101 nentries=1 etime=0
[26/Apr/2017:14:52:43.964039852 -0500] conn=4 op=33444 SRCH base="dc=domain,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/DOMAIN.COM at DOMAIN.COM)(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/DOMAIN.COM at DOMAIN.COM)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[26/Apr/2017:14:52:43.964273302 -0500] conn=4 op=33444 RESULT err=0 tag=101 nentries=1 etime=0
[26/Apr/2017:14:52:43.964362345 -0500] conn=4 op=33445 SRCH base="cn=Default Host Password Policy,cn=computers,cn=accounts,dc=domain,dc=com" scope=0 filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure krbPwdFailureCountInterval krbPwdLockoutDuration"
[26/Apr/2017:14:52:43.964435619 -0500] conn=4 op=33445 RESULT err=0 tag=101 nentries=1 etime=0
[26/Apr/2017:14:52:43.964567590 -0500] conn=4 op=33446 SRCH base="fqdn=clienthost.domain2.com,cn=computers,cn=accounts,dc=domain,dc=com" scope=0 filter="(objectClass=*)" attrs="objectClass uid cn fqdn gidNumber krbPrincipalName krbCanonicalName krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbLastAdminUnlock krbTicketFlags ipaNTSecurityIdentifier ipaNTLogonScript ipaNTProfilePath ipaNTHomeDirectory ipaNTHomeDirectoryDrive"
[26/Apr/2017:14:52:43.964851835 -0500] conn=4 op=33446 RESULT err=0 tag=101 nentries=1 etime=0
[26/Apr/2017:14:52:43.964901338 -0500] conn=4 op=33447 SRCH base="cn=clienthost.domain2.com,cn=masters,cn=ipa,cn=etc,dc=domain,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[26/Apr/2017:14:52:43.964982222 -0500] conn=4 op=33447 RESULT err=32 tag=101 nentries=0 etime=0
[26/Apr/2017:14:52:43.965190437 -0500] conn=4 op=33448 MOD dn="fqdn=clienthost.domain2.com,cn=computers,cn=accounts,dc=domain,dc=com"
[26/Apr/2017:14:52:43.971416149 -0500] conn=4 op=33448 RESULT err=0 tag=103 nentries=0 etime=0 csn=5900fab3000000040000
[26/Apr/2017:14:52:43.972903894 -0500] conn=4 op=33449 SRCH base="dc=domain,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/DOMAIN.COM at DOMAIN.COM)(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/DOMAIN.COM at DOMAIN.COM)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[26/Apr/2017:14:52:43.973145956 -0500] conn=4 op=33449 RESULT err=0 tag=101 nentries=1 etime=0
[26/Apr/2017:14:52:43.973372685 -0500] conn=4 op=33450 SRCH base="dc=domain,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=ldap/ipahost.domain.com at DOMAIN.COM)(krbPrincipalName:caseIgnoreIA5Match:=ldap/ipahost.domain.com at DOMAIN.COM)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[26/Apr/2017:14:52:43.973601674 -0500] conn=4 op=33450 RESULT err=0 tag=101 nentries=1 etime=0
[26/Apr/2017:14:52:43.973695925 -0500] conn=4 op=33451 SRCH base="cn=DOMAIN.COM,cn=kerberos,dc=domain,dc=com" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
[26/Apr/2017:14:52:43.973792556 -0500] conn=4 op=33451 RESULT err=0 tag=101 nentries=1 etime=0
[26/Apr/2017:14:52:43.973887813 -0500] conn=4 op=33452 SRCH base="dc=domain,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=host/clienthost.domain2.com at DOMAIN.COM))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[26/Apr/2017:14:52:43.974122262 -0500] conn=4 op=33452 RESULT err=0 tag=101 nentries=1 etime=0
[26/Apr/2017:14:52:43.974232772 -0500] conn=4 op=33453 SRCH base="cn=DOMAIN.COM,cn=kerberos,dc=domain,dc=com" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
[26/Apr/2017:14:52:43.974326465 -0500] conn=4 op=33453 RESULT err=0 tag=101 nentries=1 etime=0
[26/Apr/2017:14:52:43.974905377 -0500] conn=19059 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[26/Apr/2017:14:52:43.980786355 -0500] conn=19059 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[26/Apr/2017:14:52:43.981170143 -0500] conn=19059 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[26/Apr/2017:14:52:43.982397706 -0500] conn=19059 op=2 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[26/Apr/2017:14:52:43.982529305 -0500] conn=19059 op=3 BIND dn="" method=sasl version=3 mech=GSSAPI
[26/Apr/2017:14:52:43.983192932 -0500] conn=19059 op=3 RESULT err=0 tag=97 nentries=0 etime=0 dn="fqdn=clienthost.domain2.com,cn=computers,cn=accounts,dc=domain,dc=com"
[26/Apr/2017:14:52:43.983449296 -0500] conn=19059 op=4 SRCH base="cn=accounts,dc=domain,dc=com" scope=2 filter="(&(objectClass=ipaHost)(fqdn=clienthost.domain2.com))" attrs="objectClass cn fqdn serverHostName memberOf ipaSshPubKey ipaUniqueID"
[26/Apr/2017:14:52:43.984109232 -0500] conn=19059 op=4 RESULT err=0 tag=101 nentries=1 etime=0 notes=P pr_idx=0 pr_cookie=-1
[26/Apr/2017:14:52:43.984622970 -0500] conn=19059 op=5 SRCH base="fqdn=clienthost.domain2.com,cn=computers,cn=accounts,dc=domain,dc=com" scope=0 filter="(objectClass=*)" attrs="objectClass cn memberOf ipaUniqueID"
[26/Apr/2017:14:52:43.984955433 -0500] conn=19059 op=5 RESULT err=0 tag=101 nentries=1 etime=0 notes=P pr_idx=0 pr_cookie=-1
[26/Apr/2017:14:52:43.985234170 -0500] conn=19059 op=6 SRCH base="cn=sudo,dc=domain,dc=com" scope=2 filter="(&(objectClass=ipasudocmdgrp)(entryusn>=20038636))" attrs="objectClass ipaUniqueID cn member entryusn"
[26/Apr/2017:14:52:43.986861159 -0500] conn=19059 op=6 RESULT err=0 tag=101 nentries=0 etime=0 notes=P pr_idx=0 pr_cookie=-1
[26/Apr/2017:14:52:43.987119181 -0500] conn=19059 op=7 SRCH base="cn=sudo,dc=domain,dc=com" scope=2 filter="(&(objectClass=ipasudorule)(ipaEnabledFlag=TRUE)(|(!(memberHost=*))(hostCategory=ALL)(memberHost=fqdn=clienthost.domain2.com,cn=computers,cn=accounts,dc=domain,dc=com))(entryusn>=20038636))" attrs="objectClass cn ipaUniqueID ipaEnabledFlag ipaSudoOpt ipaSudoRunAs ipaSudoRunAsGroup memberAllowCmd memberDenyCmd memberHost memberUser sudoNotAfter sudoNotBefore sudoOrder cmdCategory hostCategory userCategory ipaSudoRunAsUserCategory ipaSudoRunAsGroupCategory ipaSudoRunAsExtUser ipaSudoRunAsExtGroup ipaSudoRunAsExtUserGroup entryusn"
[26/Apr/2017:14:52:43.987828298 -0500] conn=19059 op=7 RESULT err=0 tag=101 nentries=0 etime=0 notes=P pr_idx=0 pr_cookie=-1
[26/Apr/2017:14:56:53.754308324 -0500] conn=8 op=8122 MOD dn="cn=MasterCRL,ou=crlIssuingPoints,ou=ca,o=ipaca"
[26/Apr/2017:14:56:53.758231493 -0500] conn=8 op=8122 RESULT err=0 tag=103 nentries=0 etime=0
[26/Apr/2017:14:56:54.141384397 -0500] conn=17 op=5298 SRCH base="ou=sessions,ou=Security Domain,o=ipaca" scope=2 filter="(objectClass=securityDomainSessionEntry)" attrs="cn"
[26/Apr/2017:14:56:54.141558862 -0500] conn=17 op=5298 RESULT err=32 tag=101 nentries=0 etime=0

> On Apr 20, 2017, at 1:03 PM, Rob Crittenden <rcritten at redhat.com> wrote:
> 
> Andrew Krause wrote:
>> Sorry for the self bump but no one has any insight on this?
>> 
>> 
>>> On Apr 17, 2017, at 11:31 AM, Andrew Krause <andrew.krause at breakthroughfuel.com> wrote:
>>> 
>>> Many hosts in our web UI show a null status for “enrolled”.  When you do a search that includes any of these host objects the web UI posts errors, and if you click on one of the problem hosts the same error stops anything from loading on the host page.  
>>> 
>>> I’ve been trying to solve this problem on my own for quite some time and have not been successful.  It’s impossible to remove the host through the web UI, and using CLI commands seems to remove the entry from IPA (host is not found with ipa host-find), but it is still visible in the UI.  One thing that may be common with all of these hosts is that they were enrolled with our IPA system back while we were running version 3.0 and likely have had issues for quite some time.  Multiple updates have happened since then, and all of our hosts added within the last year are working fine.  I suspect there’s an issue with a path somewhere for a certificate database, but I’m unable to pinpoint what is going wrong.  
> 
> It should not be possible to have different views in the UI and the CLI
> since they make the same backend calls. What you'd want to do, hopefully
> on a semi-quiet system, is to do a host-find on the CLI and then list
> all hosts in the UI and compare the logs in /var/log/httpd/error_log and
> look at the LDAP queries in /var/log/dirsrv/slapd-REALM/access (this is
> a buffered log so be patient).
> 
> They should be doing more or less the exact same set of queries.
> 
> Very doubtful that this has anything to do with certs. Anything on the
> client would be completely separate from what is on the server.
> 
> One thing you may be seeing though is that in 3.0 clients a host
> certificate was obtained for it. This was dropped with 4.0, but it
> wouldn't affect any visibility on the server.
> 
> rob
> 
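Rob's suggestion is to run the same host lookup from the CLI and the UI and compare the LDAP operations in the dirsrv access log alongside /var/log/httpd/error_log. Doing that by eye across thousands of conn/op lines is tedious, so below is an added example (written for this page, not code from the thread or from FreeIPA) that pairs each request line in a 389-ds access log with its RESULT line by (conn, op), lists the operations whose LDAP result code is non-zero (err=32 is noSuchObject; err=14 is saslBindInProgress and is not a failure), and tallies the NSS error codes mod_nss wrote to the httpd error_log. The sample input is taken from the log excerpts posted above; the set of request verbs it recognizes and the log paths in the usage note are assumptions.

```python
"""Correlate 389-ds access-log requests with their RESULT lines and summarize
mod_nss errors from the httpd error_log. Added example, not FreeIPA code."""
import re
from collections import OrderedDict

# One record per logged operation: "[timestamp] conn=N op=M <rest>".
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<rest>.*)$')
RESULT_RE = re.compile(r'^RESULT err=(?P<err>\d+) tag=(?P<tag>\d+) nentries=(?P<n>\d+)')
TARGET_RE = re.compile(r'(?:base|dn)="(?P<target>[^"]*)"')
# mod_nss lines look like "[pid 7300] SSL Library Error: -8179 <text>" or
# "[pid 7300] Bad remote server certificate: -8179".
NSS_RE = re.compile(r'\] (?:SSL Library Error|Bad remote server certificate): (?P<code>-\d+)(?: (?P<msg>.*))?$')

# Request verbs we pair with a RESULT (assumed list; SORT/VLV/UNBIND lines are skipped).
REQUEST_VERBS = {'SRCH', 'MOD', 'ADD', 'DEL', 'MODRDN', 'BIND', 'CMP', 'EXT', 'ABANDON'}

# LDAP result codes from RFC 4511 that show up most often in these logs.
LDAP_RESULT_NAMES = {
    0: 'success', 14: 'saslBindInProgress', 32: 'noSuchObject',
    49: 'invalidCredentials', 50: 'insufficientAccessRights',
    53: 'unwillingToPerform', 68: 'entryAlreadyExists',
}

# Sample lines taken from the access log and error_log excerpts in the post above.
SAMPLE_ACCESS_LOG = """\
[26/Apr/2017:14:51:54.142433251 -0500] conn=17 op=5296 SRCH base="ou=sessions,ou=Security Domain,o=ipaca" scope=2 filter="(objectClass=securityDomainSessionEntry)" attrs="cn"
[26/Apr/2017:14:51:54.142776551 -0500] conn=17 op=5296 RESULT err=32 tag=101 nentries=0 etime=0
[26/Apr/2017:14:52:43.964901338 -0500] conn=4 op=33447 SRCH base="cn=clienthost.domain2.com,cn=masters,cn=ipa,cn=etc,dc=domain,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[26/Apr/2017:14:52:43.964982222 -0500] conn=4 op=33447 RESULT err=32 tag=101 nentries=0 etime=0
[26/Apr/2017:14:52:43.965190437 -0500] conn=4 op=33448 MOD dn="fqdn=clienthost.domain2.com,cn=computers,cn=accounts,dc=domain,dc=com"
[26/Apr/2017:14:52:43.971416149 -0500] conn=4 op=33448 RESULT err=0 tag=103 nentries=0 etime=0 csn=5900fab3000000040000
[26/Apr/2017:14:52:43.974905377 -0500] conn=19059 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[26/Apr/2017:14:52:43.980786355 -0500] conn=19059 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
"""

SAMPLE_ERROR_LOG = """\
[Wed Apr 26 14:37:15.047280 2017] [:error] [pid 7300] Bad remote server certificate: -8179
[Wed Apr 26 14:37:15.047303 2017] [:error] [pid 7300] SSL Library Error: -8179 Certificate is signed by an unknown issuer
[Wed Apr 26 14:37:15.047364 2017] [:error] [pid 7300] Re-negotiation handshake failed: Not accepted by client!?
[Wed Apr 26 14:37:15.235599 2017] [:warn] [pid 9708] NSSProtocol:  Unknown protocol 'tlsv1.2' not supported
"""


def describe(err):
    """Human-readable name for an LDAP result code."""
    return LDAP_RESULT_NAMES.get(err, 'ldapResult %d' % err)


def pair_operations(access_log):
    """Join each request line with its RESULT line using the (conn, op) key.

    Returns records in RESULT order with verb, target DN/base, err and nentries.
    A RESULT with no matching request in the excerpt gets verb '?'.
    """
    pending = OrderedDict()
    records = []
    for line in access_log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (int(m['conn']), int(m['op']))
        rest = m['rest']
        result = RESULT_RE.match(rest)
        if result:
            req = pending.pop(key, {'verb': '?', 'target': ''})
            records.append({
                'ts': m['ts'], 'conn': key[0], 'op': key[1],
                'verb': req['verb'], 'target': req['target'],
                'err': int(result['err']), 'nentries': int(result['n']),
            })
        else:
            verb = rest.split(' ', 1)[0]
            if verb in REQUEST_VERBS:
                t = TARGET_RE.search(rest)
                pending[key] = {'verb': verb, 'target': t['target'] if t else ''}
    return records


def failed_operations(access_log, ignore=(0, 14)):
    """Operations whose result code is neither success nor SASL-bind-in-progress."""
    return [r for r in pair_operations(access_log) if r['err'] not in ignore]


def nss_errors(error_log):
    """Count mod_nss error codes, keeping the first descriptive text seen per code."""
    seen = {}
    for line in error_log.splitlines():
        m = NSS_RE.search(line)
        if not m:
            continue
        entry = seen.setdefault(int(m['code']), {'count': 0, 'message': ''})
        entry['count'] += 1
        if m['msg'] and not entry['message']:
            entry['message'] = m['msg'].strip()
    return seen


if __name__ == '__main__':
    for r in failed_operations(SAMPLE_ACCESS_LOG):
        print('%s conn=%d op=%d %s %s -> err=%d (%s)' % (
            r['ts'], r['conn'], r['op'], r['verb'], r['target'], r['err'], describe(r['err'])))
    for code, e in sorted(nss_errors(SAMPLE_ERROR_LOG).items()):
        print('NSS %d x%d %s' % (code, e['count'], e['message']))
```

To run it against a live server, read /var/log/dirsrv/slapd-REALM/access (buffered, as Rob notes) and /var/log/httpd/error_log into the two functions instead of the embedded samples, once with the CLI host-find and once with the UI host listing, and diff the two lists of failed operations; the (conn, op) pairing is what lets you tell which base DN a given err=32 belongs to when thousands of lines interleave.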
