[Freeipa-users] pki-tomcatd fails to start

Jeff Goddard jgoddard at emerlyn.com
Fri Jan 6 13:41:57 UTC 2017


My environment is FreeIPA 4.4; CentOS 7.3. This system was upgraded as of
yesterday afternoon. I'm unable to start pki-tomcat. The debug log shows
this entry:

Internal Database Error encountered: Could not connect to LDAP server host id-management-1.internal.emerlyn.com port 636 Error netscape.ldap.LDAPException: Authentication failed (48)
        at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:676)
        at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1169)
        at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1075)
        at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571)
        at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
        at com.netscape.certsrv.apps.CMS.start(CMS.java:1616)
        at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
        at javax.servlet.GenericServlet.init(GenericServlet.java:158)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
        at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270)
        at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195)
        at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085)
        at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318)
        at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
        at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
        at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
        at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)


I'm able to get a Kerberos ticket using kinit, but an LDAP search gives this
error:

ldapsearch -h id-manaement-1.internal.emerlyn.com -x -b "cn=CAcert,cn=ipa,cn=etc,dc=internal,dc=emerlyn,dc=com"
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Adding the -d1 debugging tag results in:

ldap_create
ldap_url_parse_ext(ldap://id-manaement-1.internal.emerlyn.com)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP id-manaement-1.internal.emerlyn.com:389
ldap_connect_to_host: getaddrinfo failed: Name or service not known
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

I'm able to resolve the hostname via nslookup and /etc/hosts has the
correct mapping entry.

I'm kind of lost at this point and could use some help.

Thanks in advance.



Jeff