How to determine when host last checked in?
by Master Blaster
In large organizations, hosts can sometimes be retired without following procedures, etc., which leaves host objects in FreeIPA for hosts that no longer exist.
Is there any way to see when a host last checked in with FreeIPA? One could then delete host objects which haven't connected in, say, 30/60/90 days.
4 years, 4 months
ipa-server-install error [37/44] initializing group membership: [error] NotFound: no such entry
by Michael Schefczyk
Dear All,
Trying to install ipa-server (4.7.1-11.module_el8.0.0+79+bbd20d7b package from @AppStream) on a new virtual CentOS Linux 8.0.1905 server within my LAN (fresh test install; the previous version on CentOS 7 did work), I persistently get the following error message when freeipa-install tries to configure the dirsrv:
[37/44]: initializing group membership
[error] NotFound: no such entry
I would very much welcome it if anyone could point me in the right direction. I find the log content (below) not very telling.
Regards,
Michael Schefczyk
2019-10-13T07:21:07Z DEBUG step duration: dirsrv __add_topology_entries 0.05 sec
2019-10-13T07:21:07Z DEBUG [37/44]: initializing group membership
2019-10-13T07:21:07Z DEBUG Starting external process
2019-10-13T07:21:07Z DEBUG args=['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmpm2nl4f4x', '-H', 'ldapi://%2fvar%2frun%2fslapd-B72-COM.socket', '-Y', 'EXTERNAL']
2019-10-13T07:21:07Z DEBUG Process finished, return code=0
2019-10-13T07:21:07Z DEBUG stdout=add objectClass:
top
extensibleObject
add cn:
IPA install
add basedn:
dc=b72,dc=com
add filter:
(objectclass=*)
add ttl:
10
adding new entry "cn=IPA install 1570951250, cn=memberof task, cn=tasks, cn=config"
modify complete
2019-10-13T07:21:07Z DEBUG stderr=ldap_initialize( ldapi://%2Fvar%2Frun%2Fslapd-B72-COM.socket/??base )
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
2019-10-13T07:21:07Z DEBUG Waiting for memberof task to complete.
2019-10-13T07:21:07Z DEBUG Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1022, in error_handler
yield
File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1514, in find_entries
raise e
File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1474, in find_entries
result = self.conn.result3(id, 0)
File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 749, in result3
resp_ctrl_classes=resp_ctrl_classes
File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 756, in result4
ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 329, in _ldap_call
reraise(exc_type, exc_value, exc_traceback)
File "/usr/lib64/python3.6/site-packages/ldap/compat.py", line 44, in reraise
raise exc_value
File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 313, in _ldap_call
result = func(*args,**kwargs)
ldap.NO_SUCH_OBJECT: {'desc': 'No such object'}
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 605, in start_creation
run_step(full_msg, method)
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 591, in run_step
method()
File "/usr/lib/python3.6/site-packages/ipaserver/install/dsinstance.py", line 712, in init_memberof
replication.wait_for_task(conn, dn)
File "/usr/lib/python3.6/site-packages/ipaserver/install/replication.py", line 171, in wait_for_task
entry = conn.get_entry(dn, attrlist)
File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1571, in get_entry
size_limit=size_limit, get_effective_rights=get_effective_rights,
File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1383, in get_entries
**kwargs)
File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1521, in find_entries
break
File "/usr/lib64/python3.6/contextlib.py", line 99, in __exit__
self.gen.throw(type, value, traceback)
File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1032, in error_handler
raise errors.NotFound(reason=arg_desc or 'no such entry')
ipalib.errors.NotFound: no such entry
2019-10-13T07:21:07Z DEBUG [error] NotFound: no such entry
2019-10-13T07:21:07Z DEBUG File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 179, in execute
return_value = self.run()
File "/usr/lib/python3.6/site-packages/ipapython/install/cli.py", line 347, in run
return cfgr.run()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 360, in run
return self.execute()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 386, in execute
for rval in self._executor():
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
exc_handler(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
step()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 655, in _configure
next(executor)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
exc_handler(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 518, in _handle_exception
self.__parent._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 515, in _handle_exception
super(ComponentBase, self)._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
step()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python3.6/site-packages/ipapython/install/common.py", line 65, in _install
for unused in self._installer(self.parent):
File "/usr/lib/python3.6/site-packages/ipaserver/install/server/__init__.py", line 550, in main
master_install(self)
File "/usr/lib/python3.6/site-packages/ipaserver/install/server/install.py", line 253, in decorated
func(installer)
File "/usr/lib/python3.6/site-packages/ipaserver/install/server/install.py", line 800, in install
setup_pkinit=not options.no_pkinit)
File "/usr/lib/python3.6/site-packages/ipaserver/install/dsinstance.py", line 345, in create_instance
self.start_creation(runtime=30)
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 605, in start_creation
run_step(full_msg, method)
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 591, in run_step
method()
File "/usr/lib/python3.6/site-packages/ipaserver/install/dsinstance.py", line 712, in init_memberof
replication.wait_for_task(conn, dn)
File "/usr/lib/python3.6/site-packages/ipaserver/install/replication.py", line 171, in wait_for_task
entry = conn.get_entry(dn, attrlist)
File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1571, in get_entry
size_limit=size_limit, get_effective_rights=get_effective_rights,
File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1383, in get_entries
**kwargs)
File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1521, in find_entries
break
File "/usr/lib64/python3.6/contextlib.py", line 99, in __exit__
self.gen.throw(type, value, traceback)
File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1032, in error_handler
raise errors.NotFound(reason=arg_desc or 'no such entry')
2019-10-13T07:21:07Z DEBUG The ipa-server-install command failed, exception: NotFound: no such entry
2019-10-13T07:21:07Z ERROR no such entry
2019-10-13T07:21:07Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
4 years, 4 months
Re: ipa-replica-install latest failure attempt:
by Rob Crittenden
Auerbach, Steven via FreeIPA-users wrote:
> Executed ipa-replica-prepare on an RHEL 6.9 server running ipa-server
> 3.0.0.1_51 (name : ipa01)
>
> Yum installed ipa-server, ipa-server-dns, bind-dyndb-ldap on the target
> Linux 7.6 server (name: ipa04)
>
> Copied the file to the target server to which ipa-server 4.6.5-11.0.1 is
> installed (ipa04)
>
> Copied the file :/usr/share/ipa/copy-schema-to-ca.py from ipa v4.6
> server to the ipa v3.0 server and executed it successfully.
>
> Edited the /etc/resolv.conf on ipa04 to include ipa01. Did not reboot.
>
> Executed ipa-replica-install --setup-dns --forwarder=8.8.8.8 --setup-ca
> /var/lib/ipa/replica-info-ipa04.fbog.local.gpg (on ipa04)
>
>
> 2019-11-16T16:23:24Z DEBUG The ipa-replica-install command failed,
> exception: NotFound: wait_for_entry timeout on
> ldap://ipa01.fbog.local:389 for
> krbprincipalname=HTTP/ipa04.fbog.local(a)FBOG.LOCAL,cn=services,cn=accounts,dc=fbog,dc=local
>
> 2019-11-16T16:23:24Z ERROR wait_for_entry timeout on
> ldap://ipa01.fbog.local:389 for
> krbprincipalname=HTTP/ipa04.fbog.local(a)FBOG.LOCAL,cn=services,cn=accounts,dc=fbog,dc=local
>
>
>
> Not sure where to go from here. Did I leave out some declaration or
> specification on the initial command?
The problem isn't in the command invocation; replication is just slow
enough for some reason that the new principal(s) weren't replicated to
the existing master.
I seem to recall a 389-ds option to mitigate this but I can't remember
it off the top of my head (or maybe it isn't applicable for a RHEL 6
master). cc'ing someone who would know.
rob
4 years, 4 months
openvpn-auth-ldap + FreeIPA - Cannot get 'RequireGroup' to work at all ! (tried everything..)
by Morgan Cox
Hi.
I have a FreeIPA server; on the server I have a group 'ovpn-users' which is designed to allow access to our OpenVPN server and to enforce OTP when connecting to the VPN.
My current setup works 'fine'; however, it is allowing any user from any group access to the VPN. As soon as I enable
RequireGroup True
I cannot log in at all.
I have tried every combination I can think of and altered the Group BaseDN; whatever I try doesn't work.
My workaround/hack to get this to work is to leave 'RequireGroup False' and change the user search filter to
SearchFilter "(uid=ovpn-%u)"
as all VPN usernames start with the prefix ovpn-
i.e.
ovpn-user1
which means when they log in to the VPN they omit the prefix ovpn- (i.e. in the above case use user1).
Can anyone help get 'RequireGroup' working?
With ldapsearch I can see the ovpn-users group's member uids using (I have omitted domain/user names)
---
# ldapsearch -Y gssapi -b cn=groups,cn=accounts,dc=xxxx,dc=xxxx '(cn=ovpn-users)'
SASL/GSSAPI authentication started
SASL username: xxxx(a)xxxx.xxxx
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=groups,cn=accounts,dc=xxxx,dc=xxxx> with scope subtree
# filter: (cn=ovpn-users)
# requesting: ALL
#
# ovpn-users, groups, accounts, xxxx.xxxx
dn: cn=ovpn-users,cn=groups,cn=accounts,dc=xxxx,dc=xxxx
member: uid=ovpn-xxxxx,cn=users,cn=accounts,dc=xxxx,dc=xxxx
member: uid=ovpn-xxxxx,cn=users,cn=accounts,dc=xxxx,dc=xxxx
member: uid=ovpn-xxxxx,cn=users,cn=accounts,dc=xxxx,dc=xxxx
memberOf: ipaUniqueID=d1fbb816-1071-11ea-ab30-063361404bd4,cn=hbac,dc=xxxx,dc=
xxxx
cn: ovpn-users
description: OpenVPN users
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: posixgroup
ipaUniqueID: e6415bdc-1071-11ea-814c-063361404bd4
gidNumber: 1928600030
# search result
search: 4
result: 0 Success
# numResponses: 2
# numEntries: 1
---
And I have tried in the config
---
<Group>
BaseDN "cn=groups,cn=accounts,dc=xxxx,dc=xxxx"
SearchFilter "(cn=ovpn-users)"
MemberAttribute member
# Add group members to a PF table (disabled)
#PFTable ips_vpn_eng
</Group>
--
I have also tried replacing the 'MemberAttribute' value with
- member
- memberUid
- memberOf
and have tried (probably over 100) different values in the Group and user BaseDN.
[1] Has anyone got RequireGroup to work?
Also I have these questions..
[2] Also: what can I do about RHEL 8 with the auth-ldap package? There is no package on RHEL/CentOS 8 and you cannot compile it as Objective-C support is removed from RHEL 8.
[3] Are there going to be changes to IPA and PAM so I can use openvpn+IPA+OTP without the need for auth-ldap?
Thanks
---
4 years, 4 months
krb5kdc segfault
by David Harvey
Hi FreeIPA users,
I've been haunted across installs by a sporadic krb5kdc segfault; the
especially fun part is that it seems to bring the service down on all of
the servers at once! Restarting it brings everything back again quite
happily.
The last and only useful krb5kdc.log entry is:
Nov 29 12:12:13 ipa1.redacted.net krb5kdc[20700](Error): worker 20705
exited with status 139
and, in terms of segfault-related output, dmesg:
[271761.231312] krb5kdc[20705]: segfault at fffffffffffffff8 ip
00007fe492d56b80 sp 00007ffc55c38c80 error 5 in ipadb.so[7fe492d4c000+19000]
I was hoping that moving from our Fedora based install to CentOS would make
this go away, but it seems to have followed us!
Any advice as to where best to seek more useful log data?
Best,
David
4 years, 4 months
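Added example (mine, not code from David's post or from FreeIPA): it decodes the dmesg "segfault at" line quoted above into the fault type and the offset inside ipadb.so, which is what addr2line or gdb can map to a function once the matching debuginfo is installed, and what stays constant across servers while ASLR changes the raw addresses. It assumes the mapping the kernel prints starts at the object's load base (first PT_LOAD); with newer separate-code layouts you would add the mapping's file offset from /proc/PID/maps, and the debuginfo path is a placeholder.

```python
import re

# Constructed from the dmesg line quoted in the post, re-joined onto one line.
DMESG_LINE = (
    "[271761.231312] krb5kdc[20705]: segfault at fffffffffffffff8 ip "
    "00007fe492d56b80 sp 00007ffc55c38c80 error 5 in ipadb.so[7fe492d4c000+19000]"
)

SEGFAULT_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) "
    r"in (?P<obj>\S+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)


def decode_segfault(line):
    """Turn an x86-64 kernel segfault report into fields you can act on."""
    m = SEGFAULT_RE.search(line)
    if m is None:
        raise ValueError("not a kernel segfault report: %r" % line)
    addr, ip, base, size = (int(m.group(k), 16) for k in ("addr", "ip", "base", "size"))
    err = int(m.group("err"))
    # The kernel prints the address unsigned; viewing it as signed exposes
    # small negative values, i.e. a read just below a NULL pointer.
    signed_addr = addr - (1 << 64) if addr >> 63 else addr
    return {
        "comm": m.group("comm"),
        "pid": int(m.group("pid")),
        "object": m.group("obj"),
        "fault_addr": signed_addr,
        # Within a page of 0 in either direction: almost certainly a NULL
        # (or NULL-relative struct field) dereference rather than wild memory.
        "near_null": -4096 < signed_addr < 4096,
        # x86 page-fault error code: bit0 = protection violation (page was
        # present), bit1 = write access, bit2 = fault raised in user mode.
        "protection_fault": bool(err & 1),
        "write": bool(err & 2),
        "user_mode": bool(err & 4),
        # ip relative to the mapping start. Assumption: the mapping begins at
        # the object's load base (classic two-PT_LOAD layout); for -z
        # separate-code builds add the mapping's file offset from /proc/<pid>/maps.
        "offset": ip - base,
        "ip_in_mapping": base <= ip < base + size,
    }


def addr2line_argv(info, debug_object):
    """argv to resolve the offset against a debuginfo copy of the object
    (debug_object is a placeholder path supplied by the caller)."""
    return ["addr2line", "-f", "-i", "-e", debug_object, "0x%x" % info["offset"]]


def is_same_crash(a, b):
    """Reports from different servers point at the same bug when they fault at
    the same offset in the same object; base and ip differ under ASLR, the
    offset does not, so this is the value to compare across the fleet."""
    return a["object"] == b["object"] and a["offset"] == b["offset"]


if __name__ == "__main__":
    info = decode_segfault(DMESG_LINE)
    print(info)
    print(" ".join(addr2line_argv(info, "/path/to/ipadb.so.debug")))
```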
Re: freeipa communication to dogtag broken after certificates expired and ipa-cert-fix run
by Fraser Tweedale
On Tue, Nov 26, 2019 at 09:46:02AM +0300, Александер Скобельцын wrote:
> Of course.
>
> dn: uid=ipara,ou=people,o=ipaca
> cn: ipara
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: cmsuser
> userCertificate:
> userstate: 1
> usertype: agentType
> sn: ipara
> uid: ipara
> description: 2;16;CN=Certificate Authority,O=TIS.RK;CN=IPA RA,O=TIS.RK
> userPassword::
> e1NTSEE1MTJ9b3dvbTJCcXZQczljaW91OFVVMkFVdWxZUVg4b2FkY0Q0a1MwaDM
> xS2FkYU0wNTcxaVFGK0M5L213M2hnMHBZNkhBVFlrclBlckJucGtPYTVRWGYzYWZta2haNnRjMVlW
>
Hi Alexander,
I just noticed what the problem (probably) is. The userCertificate
attribute is binary data. It should be represented with TWO colons
("::") after the attribute name, i.e.:
userCertificate:: MII...
Could you please update the LDAP entry and try again?
Thanks,
Fraser
4 years, 5 months
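Added example (mine, not code from either poster, FreeIPA or openvpn-auth-ldap) serving two posts in this digest: the openvpn-auth-ldap RequireGroup question and Fraser's single-versus-double-colon point. It parses LDIF as ldapsearch prints it (folded continuation lines, `::` base64 values), checks whether a user DN is listed under a group's member attribute, and shows why a DER certificate written with a single colon is stored as base64 text rather than as the certificate. The group entry and the DER header bytes are constructed sample data, and the membership check is a simplified model of the plugin's behaviour, assumed here rather than taken from its source.

```python
import base64
import re

# Constructed group entry, mirroring the ldapsearch output in the openvpn post
# (same placeholders; note the folded memberOf line, exactly as ldapsearch prints it).
GROUP_LDIF = """\
dn: cn=ovpn-users,cn=groups,cn=accounts,dc=xxxx,dc=xxxx
member: uid=ovpn-user1,cn=users,cn=accounts,dc=xxxx,dc=xxxx
member: uid=ovpn-user2,cn=users,cn=accounts,dc=xxxx,dc=xxxx
memberOf: ipaUniqueID=d1fbb816-1071-11ea-ab30-063361404bd4,cn=hbac,dc=xxxx,dc=
 xxxx
cn: ovpn-users
description: OpenVPN users
objectClass: groupofnames
objectClass: posixgroup
gidNumber: 1928600030
"""

# Constructed DER prefix (SEQUENCE, SEQUENCE, [0] version, serial): enough to
# stand in for a real certificate in the encoding check below.
DER_PREFIX = bytes.fromhex("3082035c30820244a003020102020110")


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}.

    Follows RFC 2849: a line starting with a space continues the previous
    line, and 'attr:: ...' carries a base64 value, which is returned as bytes.
    """
    entry = {}
    for line in re.sub(r"\n ", "", text).splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            entry.setdefault(name, []).append(base64.b64decode(value[1:].strip()))
        else:
            entry.setdefault(name, []).append(value.strip())
    return entry


def group_allows(group, member_attr, user_dn, uid):
    """Simplified model (an assumption, not the plugin's code) of what
    RequireGroup needs: the authenticating user must be listed under
    MemberAttribute in the group entry. FreeIPA fills 'member' with full DNs;
    it does not put bare uids into memberUid on the group, so that attribute
    finds nothing in this entry."""
    values = next((v for k, v in group.items() if k.lower() == member_attr.lower()), [])
    wanted = uid if member_attr.lower() == "memberuid" else user_dn
    return any(str(v).lower() == wanted.lower() for v in values)


def ldif_attr_line(name, value):
    """Write one attribute so an LDAP client reads it back unchanged: values
    that are not a SAFE-STRING (non-ASCII, NUL/CR/LF, or a leading space,
    colon or '<') are base64-encoded behind '::'."""
    raw = value.encode("utf-8") if isinstance(value, str) else bytes(value)
    safe = (
        all(b < 0x80 and b not in (0x00, 0x0A, 0x0D) for b in raw)
        and raw[:1] not in (b" ", b":", b"<")
    )
    if safe:
        return "%s: %s" % (name, raw.decode("ascii"))
    return "%s:: %s" % (name, base64.b64encode(raw).decode("ascii"))


def certificate_attr_check(der):
    """Contrast the two spellings from the ipara entry thread: '::' stores the
    DER bytes, while ':' stores the base64 text itself as the attribute value."""
    good_line = ldif_attr_line("userCertificate", der)
    good = parse_ldif_entry(good_line + "\n")
    bad = parse_ldif_entry("userCertificate: %s\n" % base64.b64encode(der).decode("ascii"))
    return {
        "double_colon_line": good_line,
        "double_colon_value": good["userCertificate"][0],  # bytes, equal to der
        "single_colon_value": bad["userCertificate"][0],   # str 'MIID...', not a cert
    }
```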
FreeIPA regularly fails to restart after ipa-backup
by LHEUREUX Bernard
Hi all,
I regularly face a problem where FreeIPA fails to restart just after the completion of ipa-backup; smb seems to have trouble restarting and ipa fails. If I run ipactl restart, everything restarts correctly...
That happens randomly on any server of our IPA domain.
What could I do to solve it?
Thanks for your help.
4 years, 5 months
Re: FreeIPA having problem after upgrading from Fedora 30 to 31
by Patrick Dung
Hello all,
1) Resent; I used reply instead of reply-all in the last mail.
2) I tailed the dirsrv log and performed a manual ipa-server-upgrade.
I didn't find a "connection refused" log entry in the dirsrv log.
3)
BTW, I had another IPA server that is a replica. Originally both FreeIPA
servers had the upgrade problem.
On the replica server, I tried to install jss-4.6.2-2.fc31.x86_64
(according to https://bugzilla.redhat.com/show_bug.cgi?id=1766451)
The ipa-server-upgrade ran successfully on the replica server. But there
is a problem when I access
https://replica:8443; the error message is shown below.
HTTP Status 500 – Internal Server Error
------------------------------
*Type* Exception Report
*Message* org.apache.jasper.JasperException: Unable to compile class for JSP
*Description* The server encountered an unexpected condition that prevented
it from fulfilling the request.
*Exception*
org.apache.jasper.JasperException: org.apache.jasper.JasperException:
Unable to compile class for JSP
org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:604)
org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:422)
org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:385)
org.apache.jasper.servlet.JspServlet.service(JspServlet.java:329)
javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
java.lang.reflect.Method.invoke(Method.java:498)
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
java.security.AccessController.doPrivileged(Native Method)
javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
java.security.AccessController.doPrivileged(Native Method)
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
java.lang.reflect.Method.invoke(Method.java:498)
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
java.security.AccessController.doPrivileged(Native Method)
javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
*Root Cause*
org.apache.jasper.JasperException: Unable to compile class for JSP
org.apache.jasper.JspCompilationContext.compile(JspCompilationContext.java:619)
org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:399)
org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:385)
org.apache.jasper.servlet.JspServlet.service(JspServlet.java:329)
javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
java.lang.reflect.Method.invoke(Method.java:498)
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
java.security.AccessController.doPrivileged(Native Method)
javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
java.security.AccessController.doPrivileged(Native Method)
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
java.lang.reflect.Method.invoke(Method.java:498)
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
java.security.AccessController.doPrivileged(Native Method)
javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
*Root Cause*
java.security.AccessControlException: access denied
("java.util.PropertyPermission"
"tolerateIllegalAmbiguousVarargsInvocation" "read")
java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
java.security.AccessController.checkPermission(AccessController.java:886)
java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1294)
java.lang.System.getProperty(System.java:717)
org.eclipse.jdt.internal.compiler.impl.CompilerOptions.<init>(CompilerOptions.java:513)
org.apache.jasper.compiler.JDTCompiler.generateClass(JDTCompiler.java:483)
org.apache.jasper.compiler.Compiler.compile(Compiler.java:392)
org.apache.jasper.compiler.Compiler.compile(Compiler.java:362)
org.apache.jasper.compiler.Compiler.compile(Compiler.java:346)
org.apache.jasper.JspCompilationContext.compile(JspCompilationContext.java:603)
org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:399)
org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:385)
org.apache.jasper.servlet.JspServlet.service(JspServlet.java:329)
javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
java.lang.reflect.Method.invoke(Method.java:498)
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
java.security.AccessController.doPrivileged(Native Method)
javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
java.security.AccessController.doPrivileged(Native Method)
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
java.lang.reflect.Method.invoke(Method.java:498)
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
java.security.AccessController.doPrivileged(Native Method)
javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
*Note* The full stack trace of the root cause is available in the server
logs.
4) On the main server, I tried to upgrade jss and run ipa-server-upgrade
but the error is still there. The error is the same as in the original mail a
few days ago.
Thanks,
Patrick
On Thu, Oct 31, 2019 at 12:25 PM Patrick Dung <patdung100(a)gmail.com> wrote:
> I tailed the dirsrv log and performed a manual ipa-server-upgrade.
> I didn't find a "connection refused" log entry in the dirsrv log.
>
> Thanks,
> Patrick
>
> On Thu, Oct 31, 2019 at 7:43 AM Fraser Tweedale <ftweedal(a)redhat.com>
> wrote:
>
>> Is there anything in the dirsrv log relating to the connection
>> attempt? Connection Refused could in fact be a TLS handshake error
>> (the TLS handshake also includes certificate authentication).
>>
>> Cheers,
>> Fraser
>>
>> On Wed, Oct 30, 2019 at 10:47:54PM +0800, Patrick Dung via FreeIPA-users
>> wrote:
>> > Hello Endi,
>> >
>> > The DS is up.
>> >
>> > $ ldapsearch -LLL -x -H ldaps://home.local.nonet:636 -b
>> > "cn=users,cn=accounts,dc=local,dc=nonet"
>> > dn: cn=users,cn=accounts,dc=local,dc=nonet
>> > objectClass: top
>> > objectClass: nsContainer
>> > cn: users
>> >
>> > dn: uid=admin,cn=users,cn=accounts,dc=local,dc=nonet
>> > objectClass: top
>> > objectClass: person
>> > objectClass: posixaccount
>> > objectClass: krbprincipalaux
>> > objectClass: krbticketpolicyaux
>> > objectClass: inetuser
>> > objectClass: ipaobject
>> > objectClass: ipasshuser
>> > objectClass: ipaSshGroupOfPubKeys
>> > uid: admin
>> > cn: Administrator
>> > sn: Administrator
>> > uidNumber: 700000
>> > gidNumber: 700000
>> > homeDirectory: /home/admin
>> > loginShell: /bin/bash
>> > gecos: Administrator
>> >
>> > I had include more logs as attachment.
>> >
>> > Thanks,
>> > Patrick
>> >
>> > On Wed, Oct 30, 2019 at 10:23 PM Endi Sukma Dewata <edewata(a)redhat.com>
>> > wrote:
>> >
>> > > Hi Patrick,
>> > >
>> > > I see that you included the CA debug log:
>> > >
>> > > 2019-10-30 05:03:50 [main] FINE: LdapBoundConnection: Connecting to
>> > > home.local.nonet:636 with client cert auth
>> > > 2019-10-30 05:03:50 [main] FINE:
>> ldapconn/PKISocketFactory.makeSSLSocket:
>> > > begins
>> > > 2019-10-30 05:03:50 [main] SEVERE: Unable to create socket:
>> > > java.net.ConnectException: Connection refused (Connection refused)
>> > > java.net.ConnectException: Connection refused (Connection refused)
>> > > at java.net.PlainSocketImpl.socketConnect(Native Method)
>> > > at java.net
>> > > .AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
>> > > at java.net
>> > >
>> .AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
>> > > at java.net
>> > > .AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
>> > > at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
>> > > at java.net.Socket.connect(Socket.java:607)
>> > > at java.net.Socket.connect(Socket.java:556)
>> > > at java.net.Socket.<init>(Socket.java:452)
>> > > at java.net.Socket.<init>(Socket.java:262)
>> > >
>> > > The stack trace above is incomplete so it's hard to tell exactly where
>> > > in PKI code the exception happened, but the earlier message seems to
>> > > indicate that it's trying to connect to the DS, so you need to make
>> > > sure the DS is running and accessible.
>> > >
>> > > --
>> > > Endi S. Dewata
>> > >
>> > > ----- Original Message -----
>> > > > Hi Patrick,
>> > > >
>> > > > The "javax.ws.rs.ServiceUnavailableException: Subsystem
>> unavailable"
>> > > > suggests that the CA subsystem got undeployed automatically from
>> > > > Tomcat due to an error in CA (the Tomcat itself seems to be running
>> > > > just fine).
>> > > >
>> > > > You'll need to check the CA debug log in
>> /var/log/pki/pki-tomcat/ca/*,
>> > > > hopefully it will show the actual problem. Once it's fixed, you just
>> > > > need to restart Tomcat and the CA should be redeployed
>> automatically.
>> > > >
>> > > > Also check the upgrade log in /var/log/pki/pki-server-upgrade-* to
>> see
>> > > > if there's any PKI upgrade issue.
>> > > >
>> > > > Hope this helps.
>> > > >
>> > > > --
>> > > > Endi S. Dewata
>> > > >
>> > > > ----- Original Message -----
>> > > > > Looks like it's the second problem (on pagure)
>> > > > >
>> > > > > -- Logs begin at Wed 2019-10-30 02:34:10 HKT, end at Wed
>> 2019-10-30
>> > > > > 06:28:21
>> > > > > HKT. --
>> > > > > Oct 30 03:39:43 home.local.nonet systemd[1]: Starting PKI Tomcat Server pki-tomcat...
>> > > > > Oct 30 03:39:44 home.local.nonet pki-server[57211]: ----------------------------
>> > > > > Oct 30 03:39:44 home.local.nonet pki-server[57211]: pki-tomcat instance migrated
>> > > > > Oct 30 03:39:44 home.local.nonet pki-server[57211]: ----------------------------
>> > > > > Oct 30 03:39:44 home.local.nonet systemd[1]: Started PKI Tomcat Server pki-tomcat.
>> > > > > Oct 30 03:39:44 home.local.nonet server[57330]: Java virtual machine used: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java
>> > > > > Oct 30 03:39:44 home.local.nonet server[57330]: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/lib/java/commons-daemon.jar
>> > > > > Oct 30 03:39:44 home.local.nonet server[57330]: main class used: org.apache.catalina.startup.Bootstrap
>> > > > > Oct 30 03:39:44 home.local.nonet server[57330]: flags used: -Djava.library.path=/usr/lib64/nuxwdog-jni
>> > > > > Oct 30 03:39:44 home.local.nonet server[57330]: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.manager -Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy
>> > > > > Oct 30 03:39:44 home.local.nonet server[57330]: arguments used: start
>> > > > > Oct 30 03:40:03 home.local.nonet server[57330]: WARNING: Exception processing realm [com.netscape.cms.tomcat.ProxyRealm@296c31c9] background process
>> > > > > Oct 30 03:40:03 home.local.nonet server[57330]: javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
>> > > > > Oct 30 03:40:03 home.local.nonet server[57330]: at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:142)
>> > > > > Oct 30 03:40:03 home.local.nonet server[57330]: at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1137)
>> > > > > Oct 30 03:40:03 home.local.nonet server[57330]: at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5566)
>> > > > > Oct 30 03:40:03 home.local.nonet server[57330]: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1353)
>> > > > > Oct 30 03:40:03 home.local.nonet server[57330]: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1357)
>> > > > > Oct 30 03:40:03 home.local.nonet server[57330]: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1335)
>> > > > > Oct 30 03:40:03 home.local.nonet server[57330]: at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>> > > > > Oct 30 03:40:03 home.local.nonet server[57330]: at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308)
>> > > > > Oct 30 03:40:03 home.local.nonet server[57330]: at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180)
>> > > > > Oct 30 03:40:03 home.local.nonet server[57330]: at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294)
>> > > > > Oct 30 03:40:03 home.local.nonet server[57330]: at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>> > > > > Oct 30 03:40:03 home.local.nonet server[57330]: at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>> > > > > Oct 30 03:40:03 home.local.nonet server[57330]: at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>> > > > > Oct 30 03:40:03 home.local.nonet server[57330]: at java.lang.Thread.run(Thread.java:748)
>> > > > >
>> > > > > The pki-tomcat instance is running. It outputs an error when I browse https://home.local.nonet:8443/ca , but https://home.local.nonet:8443/pki/ is ok.
>> > > > > Instance ID: pki-tomcat
>> > > > > Active: True
>> > > > > Unsecure Port: 8080
>> > > > > Secure Port: 8443
>> > > > > AJP Port: 8009
>> > > > > Tomcat Port: 8005
>> > > > >
>> > > > > CA Subsystem:
>> > > > > Type: Subordinate CA (Security Domain)
>> > > > > SD Registration URL: https://home.local.nonet:443
>> > > > > Enabled: True
>> > > > > Unsecure URL: http://home.local.nonet:8080/ca/ee/ca
>> > > > > Secure Agent URL: https://home.local.nonet:8443/ca/agent/ca
>> > > > > Secure EE URL: https://home.local.nonet:8443/ca/ee/ca
>> > > > > Secure Admin URL: https://home.local.nonet:8443/ca/services
>> > > > > PKI Console URL: https://home.local.nonet:8443/ca
>> > > > >
>> > > > > Thanks,
>> > > > > Patrick
>> > > > >
>> > > > > On Wed, Oct 30, 2019 at 5:44 AM Alex Scheel < ascheel(a)redhat.com > wrote:
>> > > > >
>> > > > > You might try checking journalctl output.
>> > > > >
>> > > > > It might be this bug: https://bugzilla.redhat.com/show_bug.cgi?id=1766451
>> > > > >
>> > > > > Otherwise, it is a perfect match for this bug: https://pagure.io/dogtagpki/issue/3111
>> > > > >
>> > > > > Which I'd also like journalctl output on, if you have any to share. :)
>> > > > >
>> > > > > I should have a Bodhi update out tonight yet for the issue in the BZ. Without more information, I'm not sure we'd know what the cause for the second issue is.
>> > > > >
>> > > > > - Alex
>> > > > >
>> > > > > ----- Original Message -----
>> > > > > > From: "Patrick Dung via FreeIPA-users" < freeipa-users(a)lists.fedorahosted.org >
>> > > > > > To: freeipa-users(a)lists.fedorahosted.org
>> > > > > > Cc: "Patrick Dung" < patdung100(a)gmail.com >
>> > > > > > Sent: Tuesday, October 29, 2019 5:29:09 PM
>> > > > > > Subject: [Freeipa-users] FreeIPA having problem after upgrading from Fedora 30 to 31
>> > > > > >
>> > > > > > Hello,
>> > > > > >
>> > > > > > I got a problem upgrading from FC30 to FC31.
>> > > > > > Before the upgrade, FreeIPA on FC30 was running fine.
>> > > > > >
>> > > > > > After the OS upgrade, IPA cannot start, and I checked that it is stuck at the CA part.
>> > > > > > I ran ipa-server-upgrade manually, but there is a problem.
>> > > > > >
>> > > > > > 2019-10-29T21:03:58Z DEBUG request GET https://home.local.nonet:8443/ca/rest/account/login
>> > > > > > 2019-10-29T21:03:58Z DEBUG request body ''
>> > > > > > 2019-10-29T21:03:58Z DEBUG response status 500
>> > > > > > 2019-10-29T21:03:58Z DEBUG response headers Content-Type: text/html;charset=utf-8
>> > > > > > Content-Language: en
>> > > > > > Content-Length: 2481
>> > > > > > Date: Tue, 29 Oct 2019 21:03:58 GMT
>> > > > > > Connection: close
>> > > > > >
>> > > > > >
>> > > > > > 2019-10-29T21:03:58Z DEBUG response body (decoded): b'<!doctype html><html lang="en"><head><title>HTTP Status 500 \xe2\x80\x93 Internal Server Error</title><style type="text/css">h1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} h2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} h3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} body {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} p {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;} a {color:black;} a.name {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 500 \xe2\x80\x93 Internal Server Error</h1><hr class="line" /><p><b>Type</b> Exception Report</p><p><b>Message</b> Subsystem unavailable</p><p><b>Description</b> The server encountered an unexpected condition that prevented it from fulfilling the request.</p><p><b>Exception</b></p><pre> javax.ws.rs.ServiceUnavailableException: Subsystem unavailable\n\tcom.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:150)\n\torg.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:515)\n\tcom.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:82)\n\torg.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)\n\torg.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678)\n\torg.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)\n\torg.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408)\n\torg.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)\n\torg.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860)\n\torg.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1589)\n\torg.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)\n\tjava.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)\n\tjava.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)\n\torg.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\n\tjava.lang.Thread.run(Thread.java:748)\n</pre><p><b>Note</b> The full stack trace of the root cause is available in the server logs.</p><hr class="line" /><h3>Apache Tomcat/9.0.26</h3></body></html>'
>> > > > > > 2019-10-29T21:03:58Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
>> > > > > > 2019-10-29T21:03:58Z DEBUG File "/usr/lib/python3.7/site-packages/ipapython/admintool.py", line 179, in execute
>> > > > > > return_value = self.run()
>> > > > > > File "/usr/lib/python3.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
>> > > > > > server.upgrade()
>> > > > > > File "/usr/lib/python3.7/site-packages/ipaserver/install/server/upgrade.py", line 2223, in upgrade
>> > > > > > upgrade_configuration()
>> > > > > > File "/usr/lib/python3.7/site-packages/ipaserver/install/server/upgrade.py", line 2093, in upgrade_configuration
>> > > > > > ca_enable_ldap_profile_subsystem(ca)
>> > > > > > File "/usr/lib/python3.7/site-packages/ipaserver/install/server/upgrade.py", line 414, in ca_enable_ldap_profile_subsystem
>> > > > > > cainstance.migrate_profiles_to_ldap()
>> > > > > > File "/usr/lib/python3.7/site-packages/ipaserver/install/cainstance.py", line 1937, in migrate_profiles_to_ldap
>> > > > > > _create_dogtag_profile(profile_id, profile_data, overwrite=False)
>> > > > > > File "/usr/lib/python3.7/site-packages/ipaserver/install/cainstance.py", line 1943, in _create_dogtag_profile
>> > > > > > with api.Backend.ra_certprofile as profile_api:
>> > > > > > File "/usr/lib/python3.7/site-packages/ipaserver/plugins/dogtag.py", line 1315, in __enter__
>> > > > > > raise errors.RemoteRetrieveError(reason=_('Failed to authenticate to CA REST API'))
>> > > > > >
>> > > > > > 2019-10-29T21:03:58Z DEBUG The ipa-server-upgrade command failed, exception: RemoteRetrieveError: Failed to authenticate to CA REST API
>> > > > > > 2019-10-29T21:03:58Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details:
>> > > > > > RemoteRetrieveError: Failed to authenticate to CA REST API
>> > > > > > 2019-10-29T21:03:58Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
>> > > > > >
>> > > > > > From /var/log/pki/pki-tomcat/ca/debug log file:
>> > > > > > 2019-10-30 05:03:50 [main] FINE: LdapAuthInfo: init()
>> > > > > > 2019-10-30 05:03:50 [main] FINE: LdapAuthInfo: init begins
>> > > > > > 2019-10-30 05:03:50 [main] FINEST: Getting internaldb.ldapauth.authtype=SslClientAuth
>> > > > > > 2019-10-30 05:03:50 [main] FINE: LdapAuthInfo: init ends
>> > > > > > 2019-10-30 05:03:50 [main] FINEST: Property internaldb.errorIfDown not found
>> > > > > > 2019-10-30 05:03:50 [main] FINEST: Getting internaldb.errorIfDown=true
>> > > > > > 2019-10-30 05:03:50 [main] FINEST: Property internaldb.doCloning not found
>> > > > > > 2019-10-30 05:03:50 [main] FINEST: Getting internaldb.doCloning=true
>> > > > > > 2019-10-30 05:03:50 [main] FINE: LdapBoundConnFactory: doCloning: true
>> > > > > > 2019-10-30 05:03:50 [main] FINE: LdapBoundConnFactory: mininum: 3
>> > > > > > 2019-10-30 05:03:50 [main] FINE: LdapBoundConnFactory: maximum: 15
>> > > > > > 2019-10-30 05:03:50 [main] FINE: LdapBoundConnFactory: host: home.local.nonet
>> > > > > > 2019-10-30 05:03:50 [main] FINE: LdapBoundConnFactory: port: 636
>> > > > > > 2019-10-30 05:03:50 [main] FINE: LdapBoundConnFactory: secure: true
>> > > > > > 2019-10-30 05:03:50 [main] FINE: LdapBoundConnFactory: authentication: 2
>> > > > > > 2019-10-30 05:03:50 [main] FINE: LdapBoundConnFactory: makeConnection(true)
>> > > > > > 2019-10-30 05:03:50 [main] FINEST: Getting internaldb.ldapauth.clientCertNickname=subsystemCert cert-pki-ca
>> > > > > > 2019-10-30 05:03:50 [main] FINEST: Property tcp.keepAlive not found
>> > > > > > 2019-10-30 05:03:50 [main] FINEST: Getting tcp.keepAlive=true
>> > > > > > 2019-10-30 05:03:50 [main] FINE: TCP Keep-Alive: true
>> > > > > > 2019-10-30 05:03:50 [main] FINE: LdapBoundConnection: Connecting to home.local.nonet:636 with client cert auth
>> > > > > > 2019-10-30 05:03:50 [main] FINE: ldapconn/PKISocketFactory.makeSSLSocket: begins
>> > > > > > 2019-10-30 05:03:50 [main] SEVERE: Unable to create socket: java.net.ConnectException: Connection refused (Connection refused)
>> > > > > > java.net.ConnectException: Connection refused (Connection refused)
>> > > > > > at java.net.PlainSocketImpl.socketConnect(Native Method)
>> > > > > > at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
>> > > > > > at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
>> > > > > > at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
>> > > > > > at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
>> > > > > > at java.net.Socket.connect(Socket.java:607)
>> > > > > > at java.net.Socket.connect(Socket.java:556)
>> > > > > > at java.net.Socket.<init>(Socket.java:452)
>> > > > > > at java.net.Socket.<init>(Socket.java:262)
>> > > > > >
>> > > > > > Some errors are logged to /var/log/messages:
>> > > > > > Oct 30 05:26:50 home server[65722]: WARNING: Exception processing realm [com.netscape.cms.tomcat.ProxyRealm@5647a92b] background process
>> > > > > > Oct 30 05:26:50 home server[65722]: javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
>> > > > > > Oct 30 05:26:50 home server[65722]: #011at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:142)
>> > > > > > Oct 30 05:26:50 home server[65722]: #011at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1137)
>> > > > > > Oct 30 05:26:50 home server[65722]: #011at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5566)
>> > > > > > Oct 30 05:26:50 home server[65722]: #011at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1353)
>> > > > > > Oct 30 05:26:50 home server[65722]: #011at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1357)
>> > > > > > Oct 30 05:26:50 home server[65722]: #011at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1335)
>> > > > > > Oct 30 05:26:50 home server[65722]: #011at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>> > > > > > Oct 30 05:26:50 home server[65722]: #011at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308)
>> > > > > > Oct 30 05:26:50 home server[65722]: #011at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180)
>> > > > > > Oct 30 05:26:50 home server[65722]: #011at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294)
>> > > > > > Oct 30 05:26:50 home server[65722]: #011at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>> > > > > > Oct 30 05:26:50 home server[65722]: #011at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>> > > > > > Oct 30 05:26:50 home server[65722]: #011at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>> > > > > > Oct 30 05:26:50 home server[65722]: #011at java.lang.Thread.run(Thread.java:748)
>> > > > > >
>> > > > > > I am able to connect to my ldap server port 636 with TLS without problems.
>> > > > > >
>> > > > > > Thanks,
>> > > > > > Patrick
>> > > > > >
>> > > > > > _______________________________________________
>> > > > > > FreeIPA-users mailing list --
>> freeipa-users(a)lists.fedorahosted.org
>> > > > > > To unsubscribe send an email to
>> > > > > > freeipa-users-leave(a)lists.fedorahosted.org
>> > > > > > Fedora Code of Conduct:
>> > > > > > https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> > > > > > List Guidelines:
>> > > https://fedoraproject.org/wiki/Mailing_list_guidelines
>> > > > > > List Archives:
>> > > > > >
>> > >
>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>> > > > > >
>> > > > >
>> > > > >
>> > > > > _______________________________________________
>> > > > > FreeIPA-users mailing list --
>> freeipa-users(a)lists.fedorahosted.org
>> > > > > To unsubscribe send an email to
>> > > freeipa-users-leave(a)lists.fedorahosted.org
>> > > > > Fedora Code of Conduct:
>> > > > > https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> > > > > List Guidelines:
>> > > https://fedoraproject.org/wiki/Mailing_list_guidelines
>> > > > > List Archives:
>> > > > >
>> > >
>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>> > > > >
>> > > > _______________________________________________
>> > > > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>> > > > To unsubscribe send an email to
>> > > freeipa-users-leave(a)lists.fedorahosted.org
>> > > > Fedora Code of Conduct:
>> > > > https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> > > > List Guidelines:
>> https://fedoraproject.org/wiki/Mailing_list_guidelines
>> > > > List Archives:
>> > > >
>> > >
>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>> > > >
>> > >
>> > >
>>
>>
>> > _______________________________________________
>> > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>> > To unsubscribe send an email to
>> freeipa-users-leave(a)lists.fedorahosted.org
>> > Fedora Code of Conduct:
>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> > List Archives:
>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>>
>>
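The three logs quoted in the thread above tell one story in three formats: the CA's debug log records a refused connection to its internal database (home.local.nonet:636, LDAPS with client-cert auth), so the CA subsystem never initialises, the journal and /var/log/messages then show Tomcat's ProxyRealm throwing ServiceUnavailableException, and ipa-server-upgrade, which calls the CA REST API, sees the HTTP 500 and fails with "Failed to authenticate to CA REST API". The following is an added triage helper, not code from the thread, FreeIPA or Dogtag: it groups wrapped and continuation lines into records for each of the three line shapes shown (ipaupgrade.log, pki-tomcat ca/debug, journald/syslog) and extracts that causal chain. The sample log lines are constructed from the records quoted above; the regexes match only those line shapes.

```python
"""Triage helper for the CA "Subsystem unavailable" chain seen in the thread.

Added example; assumes only the three log line shapes quoted in the thread.
"""
import re
from typing import Dict, List, Optional

# A line that starts a new record in one of the three formats; anything
# else is treated as a continuation (wrapped text, Java stack frames).
RECORD_START = re.compile(
    r"^(?:\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z [A-Z]+ "           # ipaupgrade.log
    r"|\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \[[^\]]+\] [A-Z]+: "   # pki-tomcat ca/debug
    r"|[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \S+ [\w.-]+\[\d+\]: )"  # journald/syslog
)
CONNECT_TO = re.compile(r"Connecting to (?P<host>[\w.-]+):(?P<port>\d+)")
LDAP_FACTORY = re.compile(r"LdapBoundConnFactory: (?P<key>host|port|secure): (?P<val>\S+)")

# Constructed sample, abridged from the records quoted in the thread.
SAMPLE_LOG = """\
2019-10-29T21:03:58Z DEBUG response status 500
2019-10-29T21:03:58Z DEBUG response body (decoded): b'<p><b>Message</b> Subsystem
unavailable</p><pre> javax.ws.rs.ServiceUnavailableException: Subsystem unavailable</pre>'
2019-10-29T21:03:58Z DEBUG The ipa-server-upgrade command failed, exception: RemoteRetrieveError: Failed to authenticate to CA REST API
2019-10-30 05:03:50 [main] FINE: LdapBoundConnFactory: host: home.local.nonet
2019-10-30 05:03:50 [main] FINE: LdapBoundConnFactory: port: 636
2019-10-30 05:03:50 [main] FINE: LdapBoundConnFactory: secure: true
2019-10-30 05:03:50 [main] FINE: LdapBoundConnection: Connecting to home.local.nonet:636 with client cert auth
2019-10-30 05:03:50 [main] SEVERE: Unable to create socket: java.net.ConnectException: Connection refused (Connection refused)
java.net.ConnectException: Connection refused (Connection refused)
        at java.net.PlainSocketImpl.socketConnect(Native Method)
Oct 30 05:26:50 home server[65722]: WARNING: Exception processing realm [com.netscape.cms.tomcat.ProxyRealm@5647a92b] background process
Oct 30 05:26:50 home server[65722]: javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
Oct 30 05:26:50 home server[65722]: #011at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:142)
"""


def group_records(lines: List[str]) -> List[str]:
    """Join continuation lines onto the record they belong to."""
    records: List[str] = []
    for line in lines:
        line = line.rstrip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] = records[-1] + "\n" + line.strip()
    return records


def triage(lines: List[str]) -> Dict[str, object]:
    """Summarise the CA failure chain found in the given log lines."""
    summary: Dict[str, object] = {
        "internal_db": None,         # host:port the CA tried to reach
        "ldap_refused": False,       # CA could not open its internal-DB connection
        "subsystem_unavailable": 0,  # records carrying ServiceUnavailableException
        "ca_rest_auth_failed": False,  # ipa-server-upgrade gave up on the CA REST API
        "root_cause": None,
    }
    factory: Dict[str, str] = {}
    for rec in group_records(lines):
        for m in LDAP_FACTORY.finditer(rec):
            factory[m.group("key")] = m.group("val")
        m = CONNECT_TO.search(rec)
        if m:
            summary["internal_db"] = f"{m.group('host')}:{m.group('port')}"
        if "Unable to create socket" in rec and "Connection refused" in rec:
            summary["ldap_refused"] = True
        if "ServiceUnavailableException" in rec:
            summary["subsystem_unavailable"] = int(summary["subsystem_unavailable"]) + 1
        if "Failed to authenticate to CA REST API" in rec:
            summary["ca_rest_auth_failed"] = True

    # Order matters: the refused internal-DB connection explains the
    # later ServiceUnavailableException and REST API failure, not vice versa.
    if summary["ldap_refused"]:
        proto = " (LDAPS)" if factory.get("secure") == "true" else ""
        summary["root_cause"] = (
            f"CA internal DB unreachable: connection to {summary['internal_db']} refused{proto}"
        )
    elif summary["subsystem_unavailable"]:
        summary["root_cause"] = "CA subsystem not initialised; check pki-tomcat ca/debug log"
    return summary


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

Run it over the concatenated real logs (ipaupgrade.log, ca/debug, journalctl output) and read `root_cause` first; the ServiceUnavailableException count and the REST-API failure are symptoms of whatever that field reports.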
4 years, 5 months
OTP implementation
by Mizuki Karasawa
Hi all,
We started looking into the OTP features provided by IPA in our facility. In our environment, the majority of our machines are located in the private network, and users access them via external-facing gateways. We want to enforce MFA on our gateway and allow users the freedom to SSH into any internal nodes using their regular password (or keys), then add HBAC rules for certain hosts/services that require MFA authentication using OTP (for example, protected web resource access, NX, etc.). In order to achieve that, it seems to me we need to turn on both 'password' and 'otp' for individual users or globally. This will then trigger 'password' for SSH and 'otp' auth for WebApps/NX and so on.
However, when I looked at the online document at https://www.freeipa.org/page/V4/OTP#Implementation , it stated "Mixing the "password" and "otp" user auth types should not be used". I wonder why "mixing" is not recommended, what the downside is if we implement it this way (in order to achieve what we're trying to do), and whether there are any better strategies in this case?
Can someone advise? Thank you in advance!
Mizuki
4 years, 5 months