6:34 p.m.
Recently, I was researching samba connections, and noticed that the Linux 'Domain
Users' group was displaying as the Unix GID number instead of the name. I went to
login to the admin-server express from
'https://zigzag.ccbox.com:9830/dist/download' and that page loads but when I click
on the link I get.
"
Internal Server Error
The server encountered an internal error ormisconfiguration and was unable to completeyour
request.Please contact the server administrator, [no address given] and inform them of the
time the error occurred,and anything you might have done that may havecaused the
error.More information about this error may be availablein the server error log.ADDRESS:
Apache/2.2 Server at zigzag.ccbox.com Port 9830
"
So I went over to the 389 Management Console on my Windows box and I enter cn=Directory
Manager the password and https://zigzag.ccbox.com:9830 and I get a message saying the URL
is not correct or the server is not running. For kicks and giggles I tried it with http
instead of https and it gives an error that says,"Cannot logon because of an
incorrect User ID, Incorrect password, or Directory problem.
java.io.InterruptedIOExceptio: HTTP response timeout"Which indicates to me that the
correct protocol should be https:
To further verify this I ran the following command at the Linux CLI on the server and a
server that communicates with it.
ldapsearch -H ldaps://zigzag.ccbox.com [-x] -b o=netscaperoot -D "cn=directory
manager" -W "objectclass=nsAdminConfig"
This returns 129 responses, but I don't know if they are valid or make sense. They
look like they are unique to my system.
Here is a pastbin of some error logs I noticed after I restarted the admin server with
stop-ds-admin and start-ds-admin.
#357156 • Fedora Project Pastebin
|
|
|
| | |
|
|
|
| |
#357156 • Fedora Project Pastebin
Fedora Sticky Notes is a feature-rich, yet lightweight paste utility | |
|
|
Job Cacka
1:24 p.m.
I scheduled a reboot of the system during downtime last night. At startup I again got
these messages in the error log.
[Tue Apr 19 04:05:37 2016] [crit] populate_tasks_from_server(): Unable to search
[cn=admin-serv-zigzag,cn=389 Administration Server,cn=Server
Group,cn=zigzag.ccbox.com,ou=ccbox.com,o=NetscapeRoot] for LDAPConnection
[zigzag.ccbox.com:636]
We made some changes back in October 2015, but I don't remember what they were for.
TLS maybe?In:/etc/dirsrv/admin-serv/we changed:cert8.dbconsole.confkey3.dblocal.conf
I am going to check now to see if the errors are related to those changes, if my log files
go back far enough.
Any help is appreciated.
Thanks,
Job Cacka
From: Job Cacka <cacka2it(a)yahoo.com>
To: "389-users(a)lists.fedoraproject.org"
<389-users(a)lists.fedoraproject.org>
Sent: Monday, April 18, 2016 4:34 PM
Subject: Admin-server connection
Recently, I was researching samba connections, and noticed that the Linux 'Domain
Users' group was displaying as the Unix GID number instead of the name. I went to
login to the admin-server express from
'https://zigzag.ccbox.com:9830/dist/download' and that page loads but when I click
on the link I get.
"
Internal Server Error
The server encountered an internal error ormisconfiguration and was unable to completeyour
request.Please contact the server administrator, [no address given] and inform them of the
time the error occurred,and anything you might have done that may havecaused the
error.More information about this error may be availablein the server error log.ADDRESS:
Apache/2.2 Server at zigzag.ccbox.com Port 9830
"
So I went over to the 389 Management Console on my Windows box and I enter cn=Directory
Manager the password and https://zigzag.ccbox.com:9830 and I get a message saying the URL
is not correct or the server is not running. For kicks and giggles I tried it with http
instead of https and it gives an error that says,"Cannot logon because of an
incorrect User ID, Incorrect password, or Directory problem.
java.io.InterruptedIOExceptio: HTTP response timeout"Which indicates to me that the
correct protocol should be https:
To further verify this I ran the following command at the Linux CLI on the server and a
server that communicates with it.
ldapsearch -H ldaps://zigzag.ccbox.com [-x] -b o=netscaperoot -D "cn=directory
manager" -W "objectclass=nsAdminConfig"
This returns 129 responses, but I don't know if they are valid or make sense. They
look like they are unique to my system.
Here is a pastbin of some error logs I noticed after I restarted the admin server with
stop-ds-admin and start-ds-admin.
#357156 • Fedora Project Pastebin
|
|
|
| | |
|
|
|
| |
#357156 • Fedora Project Pastebin
Fedora Sticky Notes is a feature-rich, yet lightweight paste utility | |
|
|
Job Cacka
11:37 a.m.
Touch!
I check the error logs i mentioned before and they go back to October 4th, but they
don't indicate to me the change created the problem. My inclination is that some
change occurred that change a key. So how do I track that back?
I tested this on my 389 DS server.
ldapsearch [-x] -D "cn=directory manager" -W -b
"cn=admin-serv-zigzag,cn=389 Administration Server,cn=Server
Group,cn=zigzag.ccbox.com,ou=ccbox.com,o=NetscapeRoot"
The result was:
# search result
search: 2
result: 0 Success
# numResponses: 31
# numEntries: 30
Then I tested this:
ldapsearch -H ldaps://zigzag.ccbox.com [-x] -D "cn=directory manager" -W
"cn=admin-serv-zigzag,cn=389 Administration Server,cn=Server
Group,cn=zigzag.ccbox.com,ou=ccbox.com,o=NetscapeRoot"
The result was:
# search result
search: 2
result: 0 Success
# numResponses: 222
# numEntries: 221
Why do I get the populate error? Does the two tests above provide any indication? I also
ran these tests from another linux system and received the same results. The error I am
seeing at restarting the Admin server doesn't seem to make sense if I am searching
correctly. I think it should have the records it needs to repopulate the server.
Also, I think I found an old admin server backup that was taken before any of these
problems surfaced. Anyone have a link that would walk me through the restore process? Is
this a good idea?
slapd-zigzag_2015-05-28:
total 10308
drwx------ 4 root root 4096 Jun 11 2015 .
drwxr-x--- 347 root root 20480 Apr 20 00:13 ..
-rw------- 1 root root 49 Jun 11 2015 DBVERSION
-rw------- 1 root root 20577 Jun 11 2015 dse_index.ldif
-rw------- 1 root root 893 Jun 11 2015 dse_instance.ldif
-rw------- 1 root root 10485760 Jun 11 2015 log.0000000001
drwx------ 2 root root 4096 Jun 11 2015 NetscapeRoot
drwx------ 2 root root 4096 Jun 11 2015 userRoot
My assumption is the NetscapeRoot folder contains fix I need to take me back to before
whatever change occurred to the admin server. Is this correct?
[root: NetscapeRoot]# ls -la
total 380
drwx------ 2 root root 4096 Jun 11 2015 .
drwx------ 4 root root 4096 Jun 11 2015 ..
-rw------- 1 root root 16384 Jun 11 2015 aci.db4
-rw------- 1 root root 32768 Jun 11 2015 ancestorid.db4
-rw------- 1 root root 49152 Jun 11 2015 cn.db4
-rw------- 1 root root 49 Jun 11 2015 DBVERSION
-rw------- 1 root root 49152 Jun 11 2015 entryrdn.db4
-rw------- 1 root root 16384 Jun 11 2015 givenName.db4
-rw------- 1 root root 98304 Jun 11 2015 id2entry.db4
-rw------- 1 root root 16384 Jun 11 2015 nsuniqueid.db4
-rw------- 1 root root 16384 Jun 11 2015 numsubordinates.db4
-rw------- 1 root root 16384 Jun 11 2015 objectclass.db4
-rw------- 1 root root 16384 Jun 11 2015 parentid.db4
-rw------- 1 root root 16384 Jun 11 2015 sn.db4
-rw------- 1 root root 16384 Jun 11 2015 uid.db4
-rw------- 1 root root 16384 Jun 11 2015 uniquemember.db4
Thanks,
Job Cacka
From: Job Cacka <cacka2it(a)yahoo.com>
To: "389-users(a)lists.fedoraproject.org"
<389-users(a)lists.fedoraproject.org>
Sent: Tuesday, April 19, 2016 11:24 AM
Subject: Re: Admin-server connection
I scheduled a reboot of the system during downtime last night. At startup I again got
these messages in the error log.
[Tue Apr 19 04:05:37 2016] [crit] populate_tasks_from_server(): Unable to search
[cn=admin-serv-zigzag,cn=389 Administration Server,cn=Server
Group,cn=zigzag.ccbox.com,ou=ccbox.com,o=NetscapeRoot] for LDAPConnection
[zigzag.ccbox.com:636]
We made some changes back in October 2015, but I don't remember what they were for.
TLS maybe?In:/etc/dirsrv/admin-serv/we changed:cert8.dbconsole.confkey3.dblocal.conf
I am going to check now to see if the errors are related to those changes, if my log files
go back far enough.
Any help is appreciated.
Thanks,
Job Cacka
From: Job Cacka <cacka2it(a)yahoo.com>
To: "389-users(a)lists.fedoraproject.org"
<389-users(a)lists.fedoraproject.org>
Sent: Monday, April 18, 2016 4:34 PM
Subject: Admin-server connection
Recently, I was researching samba connections, and noticed that the Linux 'Domain
Users' group was displaying as the Unix GID number instead of the name. I went to
login to the admin-server express from
'https://zigzag.ccbox.com:9830/dist/download' and that page loads but when I click
on the link I get.
"
Internal Server Error
The server encountered an internal error ormisconfiguration and was unable to completeyour
request.Please contact the server administrator, [no address given] and inform them of the
time the error occurred,and anything you might have done that may havecaused the
error.More information about this error may be availablein the server error log.ADDRESS:
Apache/2.2 Server at zigzag.ccbox.com Port 9830
"
So I went over to the 389 Management Console on my Windows box and I enter cn=Directory
Manager the password and https://zigzag.ccbox.com:9830 and I get a message saying the URL
is not correct or the server is not running. For kicks and giggles I tried it with http
instead of https and it gives an error that says,"Cannot logon because of an
incorrect User ID, Incorrect password, or Directory problem.
java.io.InterruptedIOExceptio: HTTP response timeout"Which indicates to me that the
correct protocol should be https:
To further verify this I ran the following command at the Linux CLI on the server and a
server that communicates with it.
ldapsearch -H ldaps://zigzag.ccbox.com [-x] -b o=netscaperoot -D "cn=directory
manager" -W "objectclass=nsAdminConfig"
This returns 129 responses, but I don't know if they are valid or make sense. They
look like they are unique to my system.
Here is a pastbin of some error logs I noticed after I restarted the admin server with
stop-ds-admin and start-ds-admin.
#357156 • Fedora Project Pastebin
|
|
|
| | |
|
|
|
| |
#357156 • Fedora Project Pastebin
Fedora Sticky Notes is a feature-rich, yet lightweight paste utility | |
|
|
Job Cacka
4:43 p.m.
On Wed, 2016-04-20 at 16:37 +0000, Job Cacka wrote:
Touch!
I check the error logs i mentioned before and they go back to October 4th, but
they don't indicate to me the change created the problem. My inclination is
that some change occurred that change a key. So how do I track that back?
Perhaps the server was never setup correctly to start with?
I tested this on my 389 DS server.
ldapsearch [-x] -D "cn=directory manager" -W -b
"cn=admin-serv-zigzag,cn=389
Administration Server,cn=Server
Group,cn=zigzag.ccbox.com,ou=ccbox.com,o=NetscapeRoot"
The result was:
# search result
search: 2
result: 0 Success
# numResponses: 31
# numEntries: 30
Then I tested this:
ldapsearch -H ldaps://zigzag.ccbox.com [-x] -D "cn=directory manager" -W
"cn=admin-serv-zigzag,cn=389 Administration Server,cn=Server
Group,cn=zigzag.ccbox.com,ou=ccbox.com,o=NetscapeRoot"
The result was:
# search result
search: 2
result: 0 Success
# numResponses: 222
# numEntries: 221
Why do I get the populate error? Does the two tests above provide any
indication? I also ran these tests from another linux system and received the
same results. The error I am seeing at restarting the Admin server doesn't seem
to make sense if I am searching correctly. I think it should have the records
it needs to repopulate the server.
I think that at this point, if you have a damaged netscaperoot, there is other
things going. Some kind of admin failure or mistake.
I think that it may be worth investigating backup of your userRoot, and then re-
initialise the server.
Also, I think I found an old admin server backup that was taken before any of
these problems surfaced. Anyone have a link that would walk me through the
restore process? Is this a good idea?
It's not a good idea to restore the db4 directly into NetscapeRoot unless you
really, really, know what you are doing.
It's better to have backups as db2bak or db2ldif. I highly advise that you have
scheduled tasks to take these backups for the future.
--
Sincerely,
William Brown
Software Engineer
Red Hat, Brisbane
6 p.m.
This was setup 10-2013 and the 'Domain users' group used to populate at the samba
client. The error I am seeing in the error log is relatively new, within the last 6
months.
Looking at my cron.daily directory it says my backups are generated using the built-in
db2bak.pl perl script.
It looks like this is stored in:
/usr/lib64/dirsrv/slapd-zigzag/
and there is a file called bak2db.pl as well. It is dated oct-4-2013 and the 389-base
version is 1.2.11.15-22.el6_4
Are these scripts changed much per 389-ds version? If I look up the information at home
tonight will it be the same
We rebooted Feb 18th and just prior to that we used the IDEALX scripts to create a
samba/unix user. Those scripts now return:
Can't call method "get_value" on an undefined value at
/usr/sbin/smbldap-useradd line 271.
I suppose I could trace back the script and see if that leads anywhere.
thanks,
Job cacka
6:31 p.m.
The Idealx config file /usr/local/etc/smbldap-tools/smbldap.conf shows this:
# Master LDAP server: needed for write operations
# Ex: masterLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
masterLDAP="zigzag.ccbox.com"
# Master LDAP port
# If not defined, parameter is set to "389"
masterPort="389"
# Use TLS for LDAP
# If set to 1, this option will use start_tls for connection
# (you should also used the port 389)
# If not defined, parameter is set to "1"
ldapTLS="1"
So that looks like it means it is doing TLS over 389 instead of ldaps://
Can I use ldapsearch to simulate that connection?
5:44 p.m.
Can I use the procedure in this link:
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10...
to successfully restore the NetscapeRoot? and is that the admin-serv?
Thanks,
Job Cacka
12:14 p.m.
Today I attempted to restore the dirsrv-admin to a previous version.
I used this Documentation, "4.3.4. Restoring a Single Database" from
Redhat's web site.
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9....
I stopped the dirsrv-admin with:
# service dirsrv-admin stop
Shutting down dirsrv-admin:
[ OK ]
I ran the following from the location of the script:
# ./bak2db /var/lib/dirsrv/slapd-zigzag/bak/2013_10_14_14_14_13/ -n NetscapeRoot
[02/May/2016:09:59:38 -0700] 389-Directory/1.2.11.15 - debug level: backend (524288)
[02/May/2016:09:59:38 -0700] - Unable to import the database because it is being used by
another slapd process.
[02/May/2016:09:59:38 -0700] - Shutting down due to possible conflicts with other slapd
processes
and since it looked like it failed I restarted the server with:
#service dirsrv-admin start
What did I do wrong?
Isn't NetscapeRoot the dirsrv-admin data?
Should I plan on doing this after hours when I can stop both servers?
If this is the dirsrv-admin then how do I restore it?
If it is not the correct procedure then what is?
Thanks,
Job Cacka
12:26 p.m.
On 05/02/2016 01:14 PM, Job Cacka wrote:
Today I attempted to restore the dirsrv-admin to a previous version.
I used this Documentation, "4.3.4. Restoring a Single Database" from
Redhat's web site.
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9....
I stopped the dirsrv-admin with:
# service dirsrv-admin stop
Shutting down dirsrv-admin:
[ OK ]
You must stop
the Directory Server, not the HTTP Admin server(dirsrv-admin)
I ran the following from the location of the script:
# ./bak2db /var/lib/dirsrv/slapd-zigzag/bak/2013_10_14_14_14_13/ -n NetscapeRoot
[02/May/2016:09:59:38 -0700] 389-Directory/1.2.11.15 - debug level: backend (524288)
[02/May/2016:09:59:38 -0700] - Unable to import the database because it is being used by
another slapd process.
[02/May/2016:09:59:38 -0700] - Shutting down due to possible conflicts with other slapd
processes
The directory is not stopped, so the bak2db is aborted. To stop the
directory server use:
# stop-dirsrv
or
# service dirsrv stop
and since it looked like it failed I restarted the server with:
#service dirsrv-admin start
What did I do wrong?
Isn't NetscapeRoot the dirsrv-admin data?
No, dirsrv-admin is the HTTP
administration server. The netscaperoot
data is stored in the directory server instance.
Should I plan on doing this after hours when I can stop both servers?
That is
probably best, but the restore should be a quick process.
If this is the dirsrv-admin then how do I restore it?
If it is not the correct procedure then what is?
Your restore process looks okay,
you just didn't stop the DS before
attempting it.
Mark
Thanks,
Job Cacka
--
389-users mailing list
389-users(a)lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org
12:44 p.m.
Thanks for the quick reply Mark.
Perhaps I do not understand the layout of 389 DS correctly.
Should there be a separate backup of the dirsrv-admin data?
I think I may have changed a setting in the 389-ds console that took affect after one of
the reboots we had this winter/spring.
My hope was to restore that back to an earlier backup. My understanding was that those
settings are in NetscapeRoot. Am I confusing two different things? Where should I look
for a dirsrv-admin backup? What script creates it?
Thanks,
Job
1:03 p.m.
On 05/02/2016 01:44 PM, Job Cacka wrote:
Thanks for the quick reply Mark.
Perhaps I do not understand the layout of 389 DS correctly.
Should there be a separate backup of the dirsrv-admin data?
No - there is no backup
functionality for the HTTP admin server.
I think I may have changed a setting in the 389-ds console that took affect after one of
the reboots we had this winter/spring.
My hope was to restore that back to an earlier backup. My understanding was that those
settings are in NetscapeRoot. Am I confusing two different things? Where should I look
for a dirsrv-admin backup? What script creates it?
There are config files for the
admin server: /etc/dirsrv/admin-serv but
these are not backed up. "netscaperoot" just contains the information
needed by the console to access/manage your Directory Servers.
Note - if you are using the console on Windows and trying to use SSL,
you NEED to use the latest console version for windows (v1.1.15).
You can verify your version of the console by running this command on
the windows system:
389-console -D 9
then look for:**"389-Management-Console/1.1."
Regards,
Mark
Thanks,
Job
--
389-users mailing list
389-users(a)lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org
5:13 p.m.
"There are config files for the admin server: /etc/dirsrv/admin-serv"
That directory has many files that have changed recently. It looks like I have two
"backup" directories in there. One is labeled 10-21-15 and the other is
10-7-2013 from the original installation. So I could stop the dirsrv-admin, copy the files
back into this directory, restart it and it should take me back to the beginning. Is that
correct?
I will be adding this directory to my backup routine. Should the dirsrv-admin be off to
back it up?
"You can verify your version of the console by running this command on the windows
system: 389-console -D 9 then look for:**"389-Management-Console/1.1." "
Interesting.
I downloaded the windows version of the console last week and it said:
389-Console-1.1.15-i386.msi
When I run this it tells me:
389-Management-Console/1.1.14 B2015.147.2124
6:06 p.m.
I looked at this directory location and only two config files are changed since "go
live". When I ran a diff against the originals in the backup file it contains
differences that turn on SSL and other related settings. There are some anomalies though
some parameters are in quotes and some are not.
Thanks,
Job
9:48 a.m.
Can someone look at their /etc/dirsrv/admin-serv/local.conf and tell me what is set on:
configuration.encryption.nsSSL2Ciphers: -des,-rc2export,-rc4export,-desede3,-rc4,-rc2
configuration.encryption.nsSSL3Ciphers:
+rsa_rc2_40_md5,+rsa_rc4_128_md5,+rsa_3des_sha,+rsa_rc4_40_md5,-rsa_null_sha,+fips_des_sha,+fips_3des_sha,+rsa_des_sha,-rsa_null_md5,+rsa_aes_128_sha,+rsa_aes_256_sha,+rsa_des_56_sha,+rsa_rc4_56_sha
also in /etc/dirsrv/admin-serv should the setting be:
NSSEngine "on"
or
NSSEngine on
or does it matter?
in that same file what do you have set for:
NSSCipherSuite
3:53 p.m.
I reinstalled the 389 Windows Management Console. I also reran the command:
certutil -A -d "C:\Users\<useracct>\.389-console" -n "CA
Certificate" -t CT,, -i cacert.asc -a
from the administrative command line within the "C:\Program Files (x86)\389
Management Console" directory. This system has another certutil that was getting in
the way.
This allowed me to connect with the "cn=Directory Manager" userdn and the
"https://zigzag.ccbox.com:9830" URL
However when I go to the samba server I still see where it is not translating the LDAP
Group ID of 513 into the name "Domain Users".
While I was in the console I verified the Group still exists, and I think it exists in the
correct place.
I think that PAM handles this, but please correct me if I am wrong.
1830
days inactive
1845
days old
389-users@lists.fedoraproject.org
14 comments
3 participants
participants (3)
-
Job Cacka -
Mark Reynolds -
William Brown