[Freeipa-users] Preparing for domain trust breaks IPA services, RHEL 6.4 IPA 3.0

Martin Kosek mkosek at redhat.com
Thu Mar 7 09:49:12 UTC 2013


On 03/07/2013 10:26 AM, Dale Macartney wrote:
> 
> Hi all
> 
> I've been trying to document the domain trust process for the past two 
> days and I am seeing the same results no matter the configuration.
> 
> Basically I have nuked and rebuilt my environment several times and all 
> yields the same results.
> 
> Steps to reproduce
> 
> 1. Clean install of RHEL 6.4
> 2. yum install ipa-server bind bind-dyndb-ldap
> 3. ipa-server-install --setup-dns
> 4. yum install ipa-server-trust-ad
> 5. kinit admin
> 6. ipa-adtrust-install
> 
> all the above steps work perfectly, however I thought the problem was an 
> issue in running "ipa trust-add" but I have just tried "ipa host-find" and
> get the same output.
> 
> If someone is able to reproduce the issue to remove myself from the 
> equation that would be fantastic. It's either something I'm doing wrong or
> there is a bug here somewhere. (Note, no problems at all with the same 
> procedure with Fedora 18 and IPA 3.1.)
> 
> output is below from adding "debug=true" to /etc/ipa/default.conf
> 
> [root@ds01 ~]# ipa host-find
> ipa: DEBUG: importing all plugin modules in '/usr/lib/python2.6/site-packages/ipalib/plugins'...
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/config.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/group.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/host.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/idrange.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/privilege.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py'
> ipa: DEBUG: args=klist -V
> ipa: DEBUG: stdout=Kerberos 5 version 1.10.3
> 
> ipa: DEBUG: stderr=
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/role.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/service.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/trust.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/user.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py'
> ipa: DEBUG: args=keyctl search @s user ipa_session_cookie:admin@EXAMPLE.COM
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=keyctl_search: Required key not available
> 
> ipa: DEBUG: failed to find session_cookie in persistent storage for principal 'admin@EXAMPLE.COM'
> ipa: INFO: trying https://ds01.example.com/ipa/xml
> ipa: DEBUG: Created connection context.xmlclient
> ipa: DEBUG: raw: host_find(None, all=False, raw=False, version=u'2.46')
> ipa: DEBUG: host_find(None, all=False, raw=False, version=u'2.46', pkey_only=False)
> ipa: INFO: Forwarding 'host_find' to server u'https://ds01.example.com/ipa/xml'
> ipa: DEBUG: NSSConnection init ds01.example.com
> ipa: DEBUG: Connecting: 10.0.1.11:0
> ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False
> Data:
>     Version: 3 (0x2)
>     Serial Number: 10 (0xa)
>     Signature Algorithm:
>         Algorithm: PKCS #1 SHA-256 With RSA Encryption
>     Issuer: CN=Certificate Authority,O=EXAMPLE.COM
>     Validity:
>         Not Before: Wed Mar 06 14:55:15 2013 UTC
>         Not After:  Sat Mar 07 14:55:15 2015 UTC
>     Subject: CN=ds01.example.com,O=EXAMPLE.COM
>     Subject Public Key Info:
>         Public Key Algorithm:
>             Algorithm: PKCS #1 RSA Encryption
>         RSA Public Key:
>             Modulus:
>                 c0:68:63:da:ad:0a:97:9a:5c:9c:41:c7:f3:02:ef:1b:
>                 7f:8d:eb:e9:49:b0:f5:be:30:8a:1a:c5:5d:b9:77:1d:
>                 4e:50:50:76:a3:11:a7:ae:a4:92:92:ea:9b:03:b1:13:
>                 38:a1:d9:6c:80:e0:2a:75:83:ad:3a:bd:e6:3c:ae:3e:
>                 fe:22:9f:48:41:85:a9:80:35:aa:af:e6:43:4e:d0:36:
>                 b9:8a:ab:22:98:cf:14:67:7b:0b:46:0e:cd:97:a2:57:
>                 6b:fc:04:c1:59:75:91:c6:f7:0c:a9:8c:ed:3e:35:0e:
>                 06:03:99:83:78:45:0d:af:ce:db:b3:c4:a7:2f:44:0d:
>                 06:0c:8f:29:0a:9b:d6:a1:4b:55:55:33:a5:0f:6a:87:
>                 9c:64:59:7d:dc:e8:4c:13:0b:31:0e:b1:0d:52:88:db:
>                 f3:84:0c:fc:71:bd:46:49:60:29:48:d2:00:0a:6a:a2:
>                 75:fd:51:51:0b:d1:7d:8a:de:c6:96:61:71:7a:4a:d8:
>                 d7:ae:16:2f:7c:61:73:34:98:bd:dc:0a:c4:36:04:98:
>                 6b:ed:19:45:d6:94:c2:75:85:32:a1:20:06:6a:ec:ce:
>                 f2:ef:35:b1:bc:08:e5:87:87:14:02:3e:62:5e:0e:c9:
>                 a5:13:89:bd:c9:b3:fb:1e:3e:f0:e7:08:61:73:46:6f
>             Exponent: 65537 (0x10001)
>     Signed Extensions: (5)
>         Name:     Certificate Authority Key Identifier
>         Critical: False
>         Key ID:
>             ee:91:e7:1c:8b:37:ff:ce:ce:2a:5e:5b:9e:50:b2:87:
>             8c:6e:7b:fa
>         Serial Number: None
>         General Names: [0 total]
> 
>         Name:     Authority Information Access
>         Critical: False
> 
>         Name:     Certificate Key Usage
>         Critical: True
>         Usages: Digital Signature
>                 Non-Repudiation
>                 Key Encipherment
>                 Data Encipherment
> 
>         Name:     Extended Key Usage
>         Critical: False
>         Usages: TLS Web Server Authentication Certificate
>                 TLS Web Client Authentication Certificate
> 
>         Name:     Certificate Subject Key ID
>         Critical: False
>         Data:
>             b2:de:43:35:0d:ab:02:03:c7:d0:b4:cf:bb:bd:06:37:
>             79:fd:58:e6
> 
> Signature:
>     Signature Algorithm:
>         Algorithm: PKCS #1 SHA-256 With RSA Encryption
>     Signature:
>         72:dc:84:fd:65:d3:72:6b:6a:5c:b0:fb:6b:51:db:28:
>         bf:d7:69:e5:ea:ec:a0:3d:1a:b9:50:b6:82:1c:38:9b:
>         70:3c:0e:c4:ba:c7:05:92:12:b6:b5:e5:c9:b3:fc:d0:
>         30:80:f2:32:d6:c1:68:56:c1:ae:c5:b6:b3:1a:ce:04:
>         4a:fb:68:5c:25:11:a9:44:41:b8:1b:75:d5:29:2c:12:
>         5d:c8:2a:10:ab:88:ce:ee:50:dc:9c:7a:3b:62:10:97:
>         26:10:49:d7:ea:7a:3e:de:d8:c4:65:bf:e7:a1:57:77:
>         d0:35:94:13:54:1c:ec:05:e8:ba:23:6e:f3:19:c4:99:
>         73:d2:3a:56:38:e4:4b:a2:ea:d4:e4:43:64:c8:19:de:
>         91:5f:e5:85:11:7b:86:3e:ed:92:96:63:42:3c:f1:8b:
>         8b:96:10:d1:0c:4d:6c:57:ac:3d:b4:b0:03:de:45:10:
>         0c:8a:c7:c9:57:5c:8a:09:11:94:c3:f2:48:6e:1a:10:
>         ac:60:34:3d:03:0a:b6:bd:79:18:ca:67:06:d9:36:a2:
>         31:6d:a3:f6:d3:66:02:27:fc:12:b4:1f:df:b7:5d:19:
>         d2:42:11:53:39:0c:dd:32:82:98:a0:5d:26:1b:78:c5:
>         15:9e:71:53:b2:2b:fb:58:80:60:b9:4b:d6:3a:a2:e8
> Fingerprint (MD5):
>     ce:83:b5:4a:ae:27:c0:dd:f4:67:a5:53:3b:3a:2f:aa
> Fingerprint (SHA1):
>     2f:49:8e:05:18:1b:fa:6a:5f:13:4d:1a:96:7c:36:e1:
>     65:c8:bc:d3
> ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
> ipa: DEBUG: cert valid True for "CN=ds01.example.com,O=EXAMPLE.COM"
> ipa: DEBUG: handshake complete, peer = 10.0.1.11:443
> ipa: DEBUG: Caught fault 907 from server https://ds01.example.com/ipa/xml: cannot connect to u'ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket': LDAP Server Down
> ipa: DEBUG: Destroyed connection context.xmlclient
> ipa: ERROR: cannot connect to u'ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket': LDAP Server Down
> [root@ds01 ~]#
> 
> 
> Any thoughts?
> 
> Dale
> 

Hello Dale,

I did not manage to reproduce this on my RHEL-6.4 VM - I used the same steps
as you did. ipa host-find returned a proper result.

The log you sent suggests that IPA cannot connect to the Directory Server
ldapi socket. I would advise to check the following:

Is the DS running? Are there any relevant SELinux failures in
/var/log/audit/audit.log? Is there anything suspicious in
/var/log/dirsrv-EXAMPLE-COM/errors?

When on IPA server, can you bind to the Directory Server via LDAPI socket?

# ldapsearch -H ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket -D "" -x -b "" -s base

Thanks,
Martin
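The checks Martin lists above, scripted, as an added example that is not part of the thread and not FreeIPA code. It decodes the percent-encoded socket path out of the ldapi:// URL from the error, connects to that UNIX socket and sends a hand-built anonymous LDAP simple bind (the same thing the suggested ldapsearch does, without depending on openldap-clients), and classifies the outcome: no socket file, nobody listening, or a real LDAP result code. It also filters audit.log-style lines for AVC denials against the ns-slapd process. It is Python 3 rather than the Python 2.6 of the RHEL 6 host, the audit lines are constructed for the example, and on a machine without a Directory Server the result will simply be "no-socket".

```python
"""Diagnose the 'cannot connect to ldapi://...: LDAP Server Down' error.

Added example, not from the FreeIPA project or from this mailing-list
thread. SAMPLE_AUDIT lines are constructed, not real audit output.
"""
import os
import socket
from urllib.parse import unquote

# The URL quoted verbatim in the error message from the thread.
LDAPI_URL = "ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket"


def ldapi_socket_path(url):
    """ldapi:// carries the UNIX socket path percent-encoded in the host part."""
    if not url.startswith("ldapi://"):
        raise ValueError("not an ldapi URL: %r" % url)
    return unquote(url[len("ldapi://"):])


def _ber_len(n):
    """BER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _ber(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload


def anonymous_bind_request(msg_id=1):
    """LDAPMessage { messageID, BindRequest { version 3, name "", simple "" } }.

    0x60 is [APPLICATION 0] BindRequest, 0x80 the [0] simple authentication choice.
    """
    bind = _ber(0x60, _ber(0x02, b"\x03") + _ber(0x04, b"") + _ber(0x80, b""))
    return _ber(0x30, _ber(0x02, bytes([msg_id])) + bind)


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_result_code(data):
    """resultCode from a BindResponse ([APPLICATION 1] = 0x61), else None."""
    try:
        tag, msg, _ = _read_tlv(data, 0)
        if tag != 0x30:
            return None
        _, _msgid, pos = _read_tlv(msg, 0)
        tag, resp, _ = _read_tlv(msg, pos)
        if tag != 0x61:
            return None
        tag, code, _ = _read_tlv(resp, 0)
        return int.from_bytes(code, "big") if tag == 0x0A else None
    except IndexError:
        return None


def check_ldapi(path, timeout=5.0):
    """Classify the ldapi endpoint: 'no-socket', 'refused' (file present but
    ns-slapd not listening, i.e. DS down), 'bound', 'bind-failed:<code>',
    'bad-response' or 'connect-failed:<ExceptionName>' (e.g. PermissionError
    when SELinux or file modes block the caller)."""
    if not os.path.exists(path):
        return "no-socket"
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect(path)
        s.sendall(anonymous_bind_request())
        data = s.recv(4096)
    except ConnectionRefusedError:
        return "refused"
    except OSError as e:
        return "connect-failed:%s" % e.__class__.__name__
    finally:
        s.close()
    code = parse_bind_result_code(data)
    if code is None:
        return "bad-response"
    return "bound" if code == 0 else "bind-failed:%d" % code


def selinux_denials(lines, comm="ns-slapd"):
    """AVC denial records for the given process name (the DS daemon by default)."""
    needle = 'comm="%s"' % comm
    return [l for l in lines if "type=AVC" in l and "denied" in l and needle in l]


SAMPLE_AUDIT = [  # constructed sample audit.log lines
    'type=AVC msg=audit(1362650000.123:456): avc:  denied  { write } for  pid=1234 '
    'comm="ns-slapd" name="slapd-EXAMPLE-COM.socket" scontext=unconfined_u:system_r:dirsrv_t:s0 '
    'tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file',
    'type=AVC msg=audit(1362650001.001:457): avc:  denied  { read } for  pid=999 comm="httpd" tclass=file',
    'type=SYSCALL msg=audit(1362650000.123:456): arch=c000003e syscall=49 success=no comm="ns-slapd"',
]

if __name__ == "__main__":
    path = ldapi_socket_path(LDAPI_URL)
    print("socket path:", path)
    print("ldapi bind :", check_ldapi(path))
    for line in selinux_denials(SAMPLE_AUDIT):
        print("AVC denial :", line)
```

Run it as root on the IPA server (the socket is normally not world-accessible). "refused" with the socket file present means the file survived but ns-slapd is not running, which is what Martin's first question is probing; a PermissionError points at file permissions or SELinux, which is where the audit.log scan comes in.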



