Sorry Martin, I rebooted the IdM server:

[root@lead sssd]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful

I checked DNS and it is OK; I can log in from any host. Unfortunately, when trying to run any ipa command:

[root@lead ~]# ipa service-find lead.bioinf.local
ipa: ERROR: cert validation failed for "[email protected],CN=lead.bioinf.local,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=--" ((SEC_ERROR_CA_CERT_INVALID) Issuer certificate is invalid.)
ipa: ERROR: cannot connect to 'https://lead.bioinf.local/ipa/json': (SEC_ERROR_CA_CERT_INVALID) Issuer certificate is invalid.

Does anybody have an idea on where and what to check next?

Thx,
Seli

On Tue, May 31, 2016 at 8:33 AM, Martin Kosek <[email protected]> wrote:
> Hello Seli,
>
> Please reply to the mailing list directly so that others can benefit from the
> thread as well.
>
> Thanks,
> Martin
>
> On 05/30/2016 06:17 PM, seli irithyl wrote:
> > Freeipa version : 4.2.0-15.0.1.el7.centos.6.1
> > FF: 45.1.1
> > Could this problem be related to mod_ssl and mod_nss for httpd ?
> > Looking at the logs, it seems there are lots of problems; here are some parts that
> > look strange to me (and are probably unrelated) :
> >
> > 1 sssd:
> >
> > 1.1 krb5_child.log
> > (Mon May 30 17:18:05 2016) [[sssd[krb5_child[32832]]]] [unpack_buffer] (0x0100): cmd [249] uid [1713400053] gid [1713400053] validate [true] enterprise principal [false] offline [false] UPN [[email protected]]
> > (Mon May 30 17:18:05 2016) [[sssd[krb5_child[32832]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/[email protected]]
> > (Mon May 30 17:18:05 2016) [[sssd[krb5_child[32832]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
> > (Mon May 30 17:18:05 2016) [[sssd[krb5_child[32832]]]] [become_user] (0x0200): Trying to become user [1713400053][1713400053].
> > (Mon May 30 17:18:05 2016) [[sssd[krb5_child[32832]]]] [set_lifetime_options] (0x0100): SSSD_KRB5_RENEWABLE_LIFETIME is set to [7d]
> > (Mon May 30 17:18:05 2016) [[sssd[krb5_child[32832]]]] [set_lifetime_options] (0x0100): SSSD_KRB5_LIFETIME is set to [1d]
> > (Mon May 30 17:18:05 2016) [[sssd[krb5_child[32832]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
> > (Mon May 30 17:18:05 2016) [[sssd[krb5_child[32832]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts.
> > (Mon May 30 17:18:05 2016) [[sssd[krb5_child[32832]]]] [k5c_send_data] (0x0200): Received error code 0
> >
> > 1.2 sssd_bioinf.local.log
> > (Mon May 30 17:16:01 2016) [sssd[be[bioinf.local]]] [check_ccache_files] (0x0200): Failed to check ccache file [KEYRING:persistent:1713400031].
> > (Mon May 30 17:16:01 2016) [sssd[be[bioinf.local]]] [check_ccache_files] (0x0200): Failed to check ccache file [KEYRING:persistent:1713400053].
> > ...
> > (Mon May 30 17:16:01 2016) [sssd[be[bioinf.local]]] [check_and_export_options] (0x0100): No KDC explicitly configured, using defaults.
> > (Mon May 30 17:16:01 2016) [sssd[be[bioinf.local]]] [check_and_export_options] (0x0100): No kpasswd server explicitly configured, using the KDC or defaults.
> > (Mon May 30 17:16:01 2016) [sssd[be[bioinf.local]]] [parse_krb5_map_user] (0x0200): Warning: krb5_map_user is empty!
> > (Mon May 30 17:16:01 2016) [sssd[be[bioinf.local]]] [load_backend_module] (0x0200): no module name found in confdb, using [ipa].
> > (Mon May 30 17:16:01 2016) [sssd[be[bioinf.local]]] [common_parse_search_base] (0x0100): Search base added: [SUDO][ou=SUDOers,dc=bioinf,dc=local][SUBTREE][]
> > (Mon May 30 17:16:01 2016) [sssd[be[bioinf.local]]] [check_ipv4_addr] (0x0200): Loopback IPv4 address 127.0.0.1
> > (Mon May 30 17:16:01 2016) [sssd[be[bioinf.local]]] [check_ipv6_addr] (0x0200): Loopback IPv6 address ::1
> > (Mon May 30 17:16:01 2016) [sssd[be[bioinf.local]]] [load_backend_module] (0x0200): no module name found in confdb, using [ipa].
> > (Mon May 30 17:16:01 2016) [sssd[be[bioinf.local]]] [common_parse_search_base] (0x0100): Search base added: [AUTOFS][cn=default,cn=automount,dc=bioinf,dc=local][SUBTREE][]
> > (Mon May 30 17:16:01 2016) [sssd[be[bioinf.local]]] [load_backend_module] (0x0200): no module name found in confdb, using [ipa].
> > ...
> > (Mon May 30 17:16:11 2016) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> > (Mon May 30 17:16:11 2016) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> > (Mon May 30 17:16:11 2016) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> > ...
> > (Mon May 30 17:16:11 2016) [sssd[be[bioinf.local]]] [sdap_process_group_send] (0x0040): No Members. Done!
> > (Mon May 30 17:16:11 2016) [sssd[be[bioinf.local]]] [sdap_process_group_send] (0x0040): No Members. Done!
> > (Mon May 30 17:16:11 2016) [sssd[be[bioinf.local]]] [sdap_process_group_send] (0x0040): No Members. Done!
> > ...
> >
> > 1.3 sssd_nss.log
> > (Mon May 30 17:18:07 2016) [sssd[nss]] [calc_flat_name] (0x0080): Flat name requested but domain has noflat name set, falling back to domain name
> > (Mon May 30 17:20:01 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
> > (Mon May 30 17:20:01 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
> > (Mon May 30 17:20:01 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
> > (Mon May 30 17:20:01 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
> > (Mon May 30 17:20:01 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
> > (Mon May 30 17:20:01 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [root] from [<ALL>]
> > (Mon May 30 17:20:01 2016) [sssd[nss]] [nss_cmd_initgroups_search] (0x0080): No matching domain found for [root], fail!
> > (Mon May 30 17:20:01 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
> > (Mon May 30 17:20:01 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [root] from [<ALL>]
> > (Mon May 30 17:20:01 2016) [sssd[nss]] [nss_cmd_initgroups_search] (0x0080): No matching domain found for [root], fail!
> > (Mon May 30 17:20:01 2016) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
> > (Mon May 30 17:20:01 2016) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
> >
> > 2 pki : catalina.2016-05-30.log
> > May 30, 2016 2:18:10 PM org.apache.coyote.AbstractProtocol init
> > SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-bio-8443"]
> > java.net.BindException: Could not bind to address: (-5982) Local Network address is in use. <null>:8443
> >     at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:411)
> >     at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:640)
> >     at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:434)
> >     at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
> >     at org.apache.catalina.connector.Connector.initInternal(Connector.java:978)
> >     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
> >     at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
> >     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
> >     at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:813)
> >     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
> >     at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
> >     at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
> >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >     at java.lang.reflect.Method.invoke(Method.java:497)
> >     at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
> >     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)
> > Caused by: java.net.BindException: Could not bind to address: (-5982) Local Network address is in use.
> >     at org.mozilla.jss.ssl.SocketBase.socketBind(Native Method)
> >     at org.mozilla.jss.ssl.SSLServerSocket.<init>(SSLServerSocket.java:159)
> >     at org.apache.tomcat.util.net.jss.JSSSocketFactory.createSocket(JSSSocketFactory.java:937)
> >     at org.apache.tomcat.util.net.jss.JSSSocketFactory.createSocket(JSSSocketFactory.java:929)
> >     at org.apache.tomcat.util.net.jss.JSSSocketFactory.createSocket(JSSSocketFactory.java:924)
> >     at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:398)
> >     ... 17 more
> > May 30, 2016 2:18:10 PM org.apache.catalina.core.StandardService initInternal
> > SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8443]]
> > org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]]
> >     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106)
> >     at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
> >     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
> >     at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:813)
> >     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
> >     at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
> >     at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
> >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >     at java.lang.reflect.Method.invoke(Method.java:497)
> >     at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
> >     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)
> > Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
> >     at org.apache.catalina.connector.Connector.initInternal(Connector.java:980)
> >     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
> >     ... 12 more
> > Caused by: java.net.BindException: Could not bind to address: (-5982) Local Network address is in use. <null>:8443
> >     at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:411)
> >     at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:640)
> >     at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:434)
> >     at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
> >     at org.apache.catalina.connector.Connector.initInternal(Connector.java:978)
> >     ... 13 more
> > Caused by: java.net.BindException: Could not bind to address: (-5982) Local Network address is in use.
> >     at org.mozilla.jss.ssl.SocketBase.socketBind(Native Method)
> >     at org.mozilla.jss.ssl.SSLServerSocket.<init>(SSLServerSocket.java:159)
> >     at org.apache.tomcat.util.net.jss.JSSSocketFactory.createSocket(JSSSocketFactory.java:937)
> >     at org.apache.tomcat.util.net.jss.JSSSocketFactory.createSocket(JSSSocketFactory.java:929)
> >     at org.apache.tomcat.util.net.jss.JSSSocketFactory.createSocket(JSSSocketFactory.java:924)
> >     at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:398)
> >     ... 17 more
> >
> > 3. dirsrv
> > [26/May/2016:12:14:10 +0200] - WARNING: userRoot: entry cache size 512000B is less than db size 1163264B; We recommend to increase the entry cache size nsslapd-cachememsize.
> > [26/May/2016:12:14:10 +0200] - WARNING: ipaca: entry cache size 512000B is less than db size 1015808B; We recommend to increase the entry cache size nsslapd-cachememsize.
> > [26/May/2016:12:14:10 +0200] - WARNING: changelog: entry cache size 512000B is less than db size 10100736B; We recommend to increase the entry cache size nsslapd-cachememsize.
> > [26/May/2016:12:14:10 +0200] schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!
> > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target cn=dns,dc=bioinf,dc=local does not exist
> > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target cn=dns,dc=bioinf,dc=local does not exist
> > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target cn=keys,cn=sec,cn=dns,dc=bioinf,dc=local does not exist
> > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target cn=dns,dc=bioinf,dc=local does not exist
> > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target cn=dns,dc=bioinf,dc=local does not exist
> > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target cn=groups,cn=compat,dc=bioinf,dc=local does not exist
> > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target cn=computers,cn=compat,dc=bioinf,dc=local does not exist
> > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target cn=ng,cn=compat,dc=bioinf,dc=local does not exist
> > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target ou=sudoers,dc=bioinf,dc=local does not exist
> > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target cn=users,cn=compat,dc=bioinf,dc=local does not exist
> > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=bioinf,dc=local does not exist
> > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=bioinf,dc=local does not exist
> > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=bioinf,dc=local does not exist
> > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=bioinf,dc=local does not exist
> > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=bioinf,dc=local does not exist
> > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=bioinf,dc=local does not exist
> > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=bioinf,dc=local does not exist
> > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=bioinf,dc=local does not exist
> > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=bioinf,dc=local does not exist
> > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=bioinf,dc=local does not exist
> > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=bioinf,dc=local does not exist
> > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target cn=ad,cn=etc,dc=bioinf,dc=local does not exist
> > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=bioinf,dc=local does not exist
> > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=bioinf,dc=local does not exist
> > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
> > [26/May/2016:12:14:10 +0200] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=bioinf,dc=local--no CoS Templates found, which should be added before the CoS Definition.
> > [26/May/2016:12:14:10 +0200] schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
> > [26/May/2016:12:14:10 +0200] - slapd started. Listening on All Interfaces port 389 for LDAP requests
> > [26/May/2016:12:14:10 +0200] - Listening on All Interfaces port 636 for LDAPS requests
> > [26/May/2016:12:14:10 +0200] - Listening on /var/run/slapd-BIOINF-LOCAL.socket for LDAPI requests
> > [26/May/2016:12:14:15 +0200] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=bioinf,dc=local
> > [26/May/2016:12:14:15 +0200] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=bioinf,dc=local
> > [26/May/2016:12:14:15 +0200] schema-compat-plugin - Finished plugin initialization.
> >
> >
> > On Mon, May 30, 2016 at 4:46 PM, Martin Kosek <[email protected]
> > <mailto:[email protected]>> wrote:
> >
> >     On 05/30/2016 04:36 PM, Martin Basti wrote:
> >     >
> >     >
> >     > On 30.05.2016 14:20, seli irithyl wrote:
> >     >> Hi,
> >     >>
> >     >> Since the last update, I'm unable to log in to the web UI with FF (e.g. blank page).
> >     >> Any idea where to look?
> >     >>
> >     >> Best regards,
> >     >>
> >     >> Seli
> >     >>
> >     > Hello,
> >     >
> >     > Can you provide the version of FreeIPA and Firefox? Does it work from a different
> >     > browser? Does it work from private mode?
> >
> >     + does [CTRL]+F5 help? Does the advice in
> >     http://www.freeipa.org/page/Troubleshooting#Web_UI
> >     help?
> >
> >
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
