Recently, I was researching Samba connections and noticed that the Linux 'Domain Users' group was displaying as the Unix GID number instead of the name. I went to log in to the admin-server express from 'https://zigzag.ccbox.com:9830/dist/download'; that page loads, but when I click on the link I get:

"Internal Server Error. The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator, [no address given] and inform them of the time the error occurred, and anything you might have done that may have caused the error. More information about this error may be available in the server error log. ADDRESS: Apache/2.2 Server at zigzag.ccbox.com Port 9830"

So I went over to the 389 Management Console on my Windows box, entered cn=Directory Manager, the password and https://zigzag.ccbox.com:9830, and I get a message saying the URL is not correct or the server is not running. For kicks and giggles I tried it with http instead of https, and it gives an error that says, "Cannot logon because of an incorrect User ID, Incorrect password, or Directory problem. java.io.InterruptedIOException: HTTP response timeout", which indicates to me that the correct protocol should be https. To further verify this I ran the following command at the Linux CLI on the server and on a server that communicates with it:

ldapsearch -H ldaps://zigzag.ccbox.com [-x] -b o=netscaperoot -D "cn=directory manager" -W "objectclass=nsAdminConfig"

This returns 129 responses, but I don't know if they are valid or make sense. They look like they are unique to my system.

Here is a pastebin of some error logs I noticed after I restarted the admin server with stop-ds-admin and start-ds-admin: #357156 • Fedora Project Pastebin
Job Cacka
I scheduled a reboot of the system during downtime last night. At startup I again got these messages in the error log.
[Tue Apr 19 04:05:37 2016] [crit] populate_tasks_from_server(): Unable to search [cn=admin-serv-zigzag,cn=389 Administration Server,cn=Server Group,cn=zigzag.ccbox.com,ou=ccbox.com,o=NetscapeRoot] for LDAPConnection [zigzag.ccbox.com:636]
We made some changes back in October 2015, but I don't remember what they were for. TLS maybe? In /etc/dirsrv/admin-serv/ we changed: cert8.db, console.conf, key3.db, local.conf. I am going to check now to see if the errors are related to those changes, if my log files go back far enough. Any help is appreciated.
Thanks, Job Cacka
From: Job Cacka cacka2it@yahoo.com
To: "389-users@lists.fedoraproject.org" 389-users@lists.fedoraproject.org
Sent: Monday, April 18, 2016 4:34 PM
Subject: Admin-server connection
Touché! I checked the error logs I mentioned before, and they go back to October 4th, but they don't indicate to me that the change created the problem. My inclination is that some change occurred that changed a key. So how do I track that back?
I tested this on my 389 DS server:

ldapsearch [-x] -D "cn=directory manager" -W -b "cn=admin-serv-zigzag,cn=389 Administration Server,cn=Server Group,cn=zigzag.ccbox.com,ou=ccbox.com,o=NetscapeRoot"

The result was:

# search result
search: 2
result: 0 Success

# numResponses: 31
# numEntries: 30

Then I tested this:

ldapsearch -H ldaps://zigzag.ccbox.com [-x] -D "cn=directory manager" -W "cn=admin-serv-zigzag,cn=389 Administration Server,cn=Server Group,cn=zigzag.ccbox.com,ou=ccbox.com,o=NetscapeRoot"

The result was:

# search result
search: 2
result: 0 Success

# numResponses: 222
# numEntries: 221
Why do I get the populate error? Do the two tests above provide any indication? I also ran these tests from another Linux system and received the same results. The error I am seeing when restarting the Admin server doesn't seem to make sense if I am searching correctly. I think it should have the records it needs to repopulate the server.
Also, I think I found an old admin server backup that was taken before any of these problems surfaced. Anyone have a link that would walk me through the restore process? Is this a good idea?
slapd-zigzag_2015-05-28:
total 10308
drwx------   4 root root     4096 Jun 11  2015 .
drwxr-x--- 347 root root    20480 Apr 20 00:13 ..
-rw-------   1 root root       49 Jun 11  2015 DBVERSION
-rw-------   1 root root    20577 Jun 11  2015 dse_index.ldif
-rw-------   1 root root      893 Jun 11  2015 dse_instance.ldif
-rw-------   1 root root 10485760 Jun 11  2015 log.0000000001
drwx------   2 root root     4096 Jun 11  2015 NetscapeRoot
drwx------   2 root root     4096 Jun 11  2015 userRoot
My assumption is the NetscapeRoot folder contains the fix I need to take me back to before whatever change occurred to the admin server. Is this correct?

[root: NetscapeRoot]# ls -la
total 380
drwx------ 2 root root  4096 Jun 11  2015 .
drwx------ 4 root root  4096 Jun 11  2015 ..
-rw------- 1 root root 16384 Jun 11  2015 aci.db4
-rw------- 1 root root 32768 Jun 11  2015 ancestorid.db4
-rw------- 1 root root 49152 Jun 11  2015 cn.db4
-rw------- 1 root root    49 Jun 11  2015 DBVERSION
-rw------- 1 root root 49152 Jun 11  2015 entryrdn.db4
-rw------- 1 root root 16384 Jun 11  2015 givenName.db4
-rw------- 1 root root 98304 Jun 11  2015 id2entry.db4
-rw------- 1 root root 16384 Jun 11  2015 nsuniqueid.db4
-rw------- 1 root root 16384 Jun 11  2015 numsubordinates.db4
-rw------- 1 root root 16384 Jun 11  2015 objectclass.db4
-rw------- 1 root root 16384 Jun 11  2015 parentid.db4
-rw------- 1 root root 16384 Jun 11  2015 sn.db4
-rw------- 1 root root 16384 Jun 11  2015 uid.db4
-rw------- 1 root root 16384 Jun 11  2015 uniquemember.db4
Thanks, Job Cacka
From: Job Cacka cacka2it@yahoo.com
To: "389-users@lists.fedoraproject.org" 389-users@lists.fedoraproject.org
Sent: Tuesday, April 19, 2016 11:24 AM
Subject: Re: Admin-server connection
On Wed, 2016-04-20 at 16:37 +0000, Job Cacka wrote:
Touché! I checked the error logs I mentioned before, and they go back to October 4th, but they don't indicate to me that the change created the problem. My inclination is that some change occurred that changed a key. So how do I track that back?
Perhaps the server was never setup correctly to start with?
I tested this on my 389 DS server:

ldapsearch [-x] -D "cn=directory manager" -W -b "cn=admin-serv-zigzag,cn=389 Administration Server,cn=Server Group,cn=zigzag.ccbox.com,ou=ccbox.com,o=NetscapeRoot"

The result was:

# search result
search: 2
result: 0 Success

# numResponses: 31
# numEntries: 30

Then I tested this:

ldapsearch -H ldaps://zigzag.ccbox.com [-x] -D "cn=directory manager" -W "cn=admin-serv-zigzag,cn=389 Administration Server,cn=Server Group,cn=zigzag.ccbox.com,ou=ccbox.com,o=NetscapeRoot"

The result was:

# search result
search: 2
result: 0 Success

# numResponses: 222
# numEntries: 221
Why do I get the populate error? Do the two tests above provide any indication? I also ran these tests from another Linux system and received the same results. The error I am seeing when restarting the Admin server doesn't seem to make sense if I am searching correctly. I think it should have the records it needs to repopulate the server.
I think that at this point, if you have a damaged netscaperoot, there are other things going on. Some kind of admin failure or mistake.
I think that it may be worth investigating a backup of your userRoot, and then re-initialise the server.
Also, I think I found an old admin server backup that was taken before any of these problems surfaced. Anyone have a link that would walk me through the restore process? Is this a good idea?
It's not a good idea to restore the db4 directly into NetscapeRoot unless you really, really, know what you are doing.
It's better to have backups as db2bak or db2ldif. I highly advise that you have scheduled tasks to take these backups for the future.
This was set up 10-2013 and the 'Domain users' group used to populate at the Samba client. The error I am seeing in the error log is relatively new, within the last 6 months.
Looking at my cron.daily directory it says my backups are generated using the built-in db2bak.pl perl script.
It looks like this is stored in /usr/lib64/dirsrv/slapd-zigzag/, and there is a file called bak2db.pl as well. It is dated Oct 4, 2013, and the 389-base version is 1.2.11.15-22.el6_4.
Are these scripts changed much per 389-ds version? If I look up the information at home tonight, will it be the same?
We rebooted Feb 18th and just prior to that we used the IDEALX scripts to create a samba/unix user. Those scripts now return:
Can't call method "get_value" on an undefined value at /usr/sbin/smbldap-useradd line 271.
I suppose I could trace back the script and see if that leads anywhere.
Thanks, Job Cacka
The Idealx config file /usr/local/etc/smbldap-tools/smbldap.conf shows this:
# Master LDAP server: needed for write operations
# Ex: masterLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
masterLDAP="zigzag.ccbox.com"

# Master LDAP port
# If not defined, parameter is set to "389"
masterPort="389"

# Use TLS for LDAP
# If set to 1, this option will use start_tls for connection
# (you should also used the port 389)
# If not defined, parameter is set to "1"
ldapTLS="1"

So that looks like it means it is doing TLS over 389 instead of ldaps://. Can I use ldapsearch to simulate that connection?
Can I use the procedure in this link: https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/ht... to successfully restore the NetscapeRoot? And is that the admin-serv?
Thanks, Job Cacka
Today I attempted to restore the dirsrv-admin to a previous version.
I used this documentation, "4.3.4. Restoring a Single Database", from Red Hat's web site.
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/h...
I stopped the dirsrv-admin with:

# service dirsrv-admin stop
Shutting down dirsrv-admin: [ OK ]

I ran the following from the location of the script:

# ./bak2db /var/lib/dirsrv/slapd-zigzag/bak/2013_10_14_14_14_13/ -n NetscapeRoot
[02/May/2016:09:59:38 -0700] 389-Directory/1.2.11.15 - debug level: backend (524288)
[02/May/2016:09:59:38 -0700] - Unable to import the database because it is being used by another slapd process.
[02/May/2016:09:59:38 -0700] - Shutting down due to possible conflicts with other slapd processes

and since it looked like it failed, I restarted the server with:

# service dirsrv-admin start
What did I do wrong? Isn't NetscapeRoot the dirsrv-admin data?
Should I plan on doing this after hours when I can stop both servers?
If this is the dirsrv-admin then how do I restore it? If it is not the correct procedure then what is?
Thanks, Job Cacka
On 05/02/2016 01:14 PM, Job Cacka wrote:
Today I attempted to restore the dirsrv-admin to a previous version.
I used this documentation, "4.3.4. Restoring a Single Database", from Red Hat's web site.
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/h...
I stopped the dirsrv-admin with:

# service dirsrv-admin stop
Shutting down dirsrv-admin: [ OK ]

You must stop the Directory Server, not the HTTP Admin server (dirsrv-admin).

I ran the following from the location of the script:

# ./bak2db /var/lib/dirsrv/slapd-zigzag/bak/2013_10_14_14_14_13/ -n NetscapeRoot
[02/May/2016:09:59:38 -0700] 389-Directory/1.2.11.15 - debug level: backend (524288)
[02/May/2016:09:59:38 -0700] - Unable to import the database because it is being used by another slapd process.
[02/May/2016:09:59:38 -0700] - Shutting down due to possible conflicts with other slapd processes
The directory is not stopped, so the bak2db is aborted. To stop the directory server use:
# stop-dirsrv
or
# service dirsrv stop
and since it looked like it failed, I restarted the server with:

# service dirsrv-admin start
What did I do wrong? Isn't NetscapeRoot the dirsrv-admin data?
No, dirsrv-admin is the HTTP administration server. The netscaperoot data is stored in the directory server instance.
Should I plan on doing this after hours when I can stop both servers?
That is probably best, but the restore should be a quick process.
If this is the dirsrv-admin then how do I restore it? If it is not the correct procedure then what is?
Your restore process looks okay, you just didn't stop the DS before attempting it.
Mark
Thanks, Job Cacka
-- 389-users mailing list 389-users@lists.fedoraproject.org http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org
Thanks for the quick reply Mark.
Perhaps I do not understand the layout of 389 DS correctly.
Should there be a separate backup of the dirsrv-admin data?
I think I may have changed a setting in the 389-ds console that took effect after one of the reboots we had this winter/spring.
My hope was to restore that back to an earlier backup. My understanding was that those settings are in NetscapeRoot. Am I confusing two different things? Where should I look for a dirsrv-admin backup? What script creates it?
Thanks, Job
On 05/02/2016 01:44 PM, Job Cacka wrote:
Thanks for the quick reply Mark.
Perhaps I do not understand the layout of 389 DS correctly.
Should there be a separate backup of the dirsrv-admin data?
No - there is no backup functionality for the HTTP admin server.
I think I may have changed a setting in the 389-ds console that took effect after one of the reboots we had this winter/spring.
My hope was to restore that back to an earlier backup. My understanding was that those settings are in NetscapeRoot. Am I confusing two different things? Where should I look for a dirsrv-admin backup? What script creates it?
There are config files for the admin server: /etc/dirsrv/admin-serv but these are not backed up. "netscaperoot" just contains the information needed by the console to access/manage your Directory Servers.
Note - if you are using the console on Windows and trying to use SSL, you NEED to use the latest console version for windows (v1.1.15).
You can verify your version of the console by running this command on the windows system:
389-console -D 9
then look for: "389-Management-Console/1.1."
Regards, Mark
Thanks, Job
"There are config files for the admin server: /etc/dirsrv/admin-serv"
That directory has many files that have changed recently. It looks like I have two "backup" directories in there. One is labeled 10-21-15 and the other is 10-7-2013 from the original installation. So I could stop the dirsrv-admin, copy the files back into this directory, restart it and it should take me back to the beginning. Is that correct?
I will be adding this directory to my backup routine. Should the dirsrv-admin be off to back it up?
"You can verify your version of the console by running this command on the windows system: 389-console -D 9 then look for: "389-Management-Console/1.1." "
Interesting. I downloaded the windows version of the console last week and it said: 389-Console-1.1.15-i386.msi
When I run this it tells me: 389-Management-Console/1.1.14 B2015.147.2124
I looked at this directory location and only two config files have changed since "go live". When I ran a diff against the originals in the backup file, it contains differences that turn on SSL and other related settings. There are some anomalies, though: some parameters are in quotes and some are not.
Thanks, Job
Can someone look at their /etc/dirsrv/admin-serv/local.conf and tell me what is set on:

configuration.encryption.nsSSL2Ciphers: -des,-rc2export,-rc4export,-desede3,-rc4,-rc2
configuration.encryption.nsSSL3Ciphers: +rsa_rc2_40_md5,+rsa_rc4_128_md5,+rsa_3des_sha,+rsa_rc4_40_md5,-rsa_null_sha,+fips_des_sha,+fips_3des_sha,+rsa_des_sha,-rsa_null_md5,+rsa_aes_128_sha,+rsa_aes_256_sha,+rsa_des_56_sha,+rsa_rc4_56_sha

Also, in /etc/dirsrv/admin-serv, should the setting be NSSEngine "on" or NSSEngine on, or does it matter?

In that same file, what do you have set for NSSCipherSuite?
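As an added example (not code from the thread or from the 389 project), a small Python audit of the two cipher preference strings quoted above: it parses the '+'/'-' prefixed lists from local.conf, flags the enabled ciphers that are NULL, export-grade/40/56-bit, RC2/RC4, single DES or MD5-based (that classification is our own assumption; 3DES and AES are left as acceptable here), and rebuilds the string with those switched off.

```python
import re

# Constructed sample: the two lines quoted in the thread, as they appear in
# /etc/dirsrv/admin-serv/local.conf ('+' = enabled, '-' = disabled).
SAMPLE_LOCAL_CONF = """\
configuration.encryption.nsSSL2Ciphers: -des,-rc2export,-rc4export,-desede3,-rc4,-rc2
configuration.encryption.nsSSL3Ciphers: +rsa_rc2_40_md5,+rsa_rc4_128_md5,+rsa_3des_sha,+rsa_rc4_40_md5,-rsa_null_sha,+fips_des_sha,+fips_3des_sha,+rsa_des_sha,-rsa_null_md5,+rsa_aes_128_sha,+rsa_aes_256_sha,+rsa_des_56_sha,+rsa_rc4_56_sha
"""

PREF_LINE = re.compile(r"^configuration\.encryption\.(nsSSL\dCiphers):\s*(.*)$")


def parse_cipher_prefs(text):
    """Map each *Ciphers key to an ordered list of (cipher_name, enabled)."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line.strip())
        if not m:
            continue
        entries = []
        for item in m.group(2).split(","):
            item = item.strip()
            if item:
                entries.append((item.lstrip("+-"), item.startswith("+")))
        prefs[m.group(1)] = entries
    return prefs


def weakness_reasons(name):
    """Why a cipher is weak; empty means acceptable for this audit (our own
    assumption: 3DES and AES pass; NULL, export/40/56-bit, RC2/RC4, single
    DES and MD5 fail)."""
    n = name.lower()
    reasons = []
    if "null" in n:
        reasons.append("no encryption")
    if "export" in n or "_40_" in n or "_56_" in n:
        reasons.append("export-grade or short key")
    if "rc4" in n or "rc2" in n:
        reasons.append("RC4/RC2")
    if re.search(r"(?<!3)des(?!ede)", n):  # 'des' but not '3des'/'desede3'
        reasons.append("single DES")
    if "md5" in n:
        reasons.append("MD5 MAC")
    return reasons


def enabled_weak_ciphers(prefs):
    """[(key, cipher, reasons)] for each enabled cipher that is weak."""
    return [(key, name, weakness_reasons(name))
            for key, entries in prefs.items()
            for name, enabled in entries
            if enabled and weakness_reasons(name)]


def hardened_pref_string(entries):
    """Rebuild the preference string with every weak cipher switched to '-'."""
    return ",".join(("+" if on and not weakness_reasons(name) else "-") + name
                    for name, on in entries)


if __name__ == "__main__":
    prefs = parse_cipher_prefs(SAMPLE_LOCAL_CONF)
    for key, name, reasons in enabled_weak_ciphers(prefs):
        print(f"{key}: {name} is enabled but weak ({', '.join(reasons)})")
    print("hardened nsSSL3Ciphers:", hardened_pref_string(prefs["nsSSL3Ciphers"]))
```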
I reinstalled the 389 Windows Management Console. I also reran the command:
certutil -A -d "C:\Users\<useracct>\.389-console" -n "CA Certificate" -t CT,, -i cacert.asc -a
from the administrative command line within the "C:\Program Files (x86)\389 Management Console" directory. This system has another certutil that was getting in the way.
This allowed me to connect with the "cn=Directory Manager" userdn and the "https://zigzag.ccbox.com:9830" URL.
However when I go to the samba server I still see where it is not translating the LDAP Group ID of 513 into the name "Domain Users". While I was in the console I verified the Group still exists, and I think it exists in the correct place.
I think that PAM handles this, but please correct me if I am wrong.