[Freeipa-users] FreeIPA web UI Freezing up

Nathan Peters nathan at nathanpeters.com
Fri Jun 5 23:52:32 UTC 2015


I had originally set this up with AD trust but when we found out that our 
alternative UPNs were not supported we switched to ad sync.  I removed the 
trust relationship from the webui by deleting all trusts showing in the ui.

I then set it up for sync.

Do I need to remove the trust from the command line as well?  Does deleting 
a trust in the web ui not remove *all* settings related to that trust?

-----Original Message----- 
From: Alexander Bokovoy
Sent: Friday, June 05, 2015 2:50 PM
To: nathan at nathanpeters.com
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] FreeIPA web UI Freezing up

On Fri, 05 Jun 2015, nathan at nathanpeters.com wrote:
>I have noticed that happen a couple times in the last few days.  FreeIPA
>server 4.1.3 on CentOS 7 with a sync relationship to a Windows server
>2008R2 domain controller.
>
>The web ui will stop working and just show a blank page.
>
>When I try to do a ipactl status the command just freezes and does nothing.
>
>In the example I paste below, there was 5 minutes between when I entered
>the command and when I did ctrl-c after getting tired of waiting for
>nothing to happen.
>After the ipactl command failed to work at all, I decided to restart the
>httpd service manually, and then saw a whole pile of strange errors around
>failing to bind to ldap server and generic kerberos errors.
>
>Rebooting the server seems to work for 24 hours or so until things go
>wonky again.
>
>[username at dc1 ~]$ sudo su -
>Last login: Fri Jun  5 16:05:55 UTC 2015 on pts/0
>[root at dc1 ~]# ipactl status
>^CCancelled.
>[root at dc1 ~]# ipactl restart
>^CCancelled.
>[root at dc1 ~]# ipactl restart
>^CCancelled.
>[root at dc1 ~]# systemctl restart httpd
>[root at dc1 ~]#
>
>
>Jun 05 21:02:32 dc1.mydomain.net systemd[1]: Stopping The Apache HTTP
>Server...
>Jun 05 21:03:01 dc1.mydomain.net winbindd[2171]: GSSAPI client step 1
>Jun 05 21:03:01 dc1.mydomain.net winbindd[2171]: GSSAPI client step 1
>Jun 05 21:03:19 dc1.mydomain.net systemd[1]: Created slice user-0.slice.
>Jun 05 21:03:19 dc1.mydomain.net systemd[1]: Starting Session 161 of user
>root.
>Jun 05 21:03:19 dc1.mydomain.net systemd-logind[604]: New session 161 of
>user root.
>Jun 05 21:03:19 dc1.mydomain.net systemd[1]: Started Session 161 of user
>root.
>Jun 05 21:03:19 dc1.mydomain.net login[614]: pam_unix(login:session):
>session opened for user root by LOGIN(uid=0)
>Jun 05 21:03:19 dc1.mydomain.net login[614]: ROOT LOGIN ON tty1
>Jun 05 21:03:22 dc1.mydomain.net winbindd[2171]: [2015/06/05
>21:03:22.932855,  0] ipa_sam.c:4144(bind_callback_cleanup)
>Jun 05 21:03:22 dc1.mydomain.net winbindd[2171]: kerberos error:
>code=-1765328324, message=Generic error (see e-text)
>Jun 05 21:03:22 dc1.mydomain.net winbindd[2171]: GSSAPI client step 1
>Jun 05 21:03:22 dc1.mydomain.net winbindd[2171]: GSSAPI client step 1
>Jun 05 21:03:43 dc1.mydomain.net winbindd[2171]: [2015/06/05
>21:03:43.935800,  0] ipa_sam.c:4144(bind_callback_cleanup)
>Jun 05 21:03:43 dc1.mydomain.net winbindd[2171]: kerberos error:
>code=-1765328324, message=Generic error (see e-text)
>Jun 05 21:03:46 dc1.mydomain.net smbd[2208]: GSSAPI client step 1
>Jun 05 21:03:46 dc1.mydomain.net smbd[2208]: GSSAPI client step 1
>Jun 05 21:04:02 dc1.mydomain.net systemd[1]: httpd.service stopping timed
>out. Killing.
>Jun 05 21:04:02 dc1.mydomain.net systemd[1]: httpd.service: main process
>exited, code=killed, status=9/KILL
>Jun 05 21:04:02 dc1.mydomain.net systemd[1]: Unit httpd.service entered
>failed state.
>Jun 05 21:04:02 dc1.mydomain.net systemd[1]: Starting The Apache HTTP
>Server...
>Jun 05 21:04:02 dc1.mydomain.net systemd[1]: Started The Apache HTTP 
>Server.
>Jun 05 21:04:07 dc1.mydomain.net smbd[2208]: [2015/06/05 21:04:07.152666,
>0] ipa_sam.c:4144(bind_callback_cleanup)
>Jun 05 21:04:07 dc1.mydomain.net smbd[2208]: kerberos error:
>code=-1765328324, message=Generic error (see e-text)
>Jun 05 21:04:07 dc1.mydomain.net smbd[2208]: [2015/06/05 21:04:07.152995,
>0] ../source3/lib/smbldap.c:998(smbldap_connect_system)
>Jun 05 21:04:07 dc1.mydomain.net smbd[2208]: failed to bind to server
>ldapi://%2fvar%2frun%2fslapd-MYDOMAIN-NET.socket with dn="[Anonymous
>bind]" Error: Local error
>Jun 05 21:04:07 dc1.mydomain.net smbd[2208]: (unknown)
>Jun 05 21:04:07 dc1.mydomain.net smbd[2208]: [2015/06/05 21:04:07.153407,
>0]
>../source3/rpc_server/netlogon/srv_netlog_nt.c:975(_netr_ServerAuthenticate3)
>Jun 05 21:04:07 dc1.mydomain.net smbd[2208]: _netr_ServerAuthenticate3:
>failed to get machine password for account office.mydomain.net.:
>NT_STATUS_NONE_MAPPED
>Jun 05 21:08:02 dc1.mydomain.net winbindd[2171]: GSSAPI client step 1
>Jun 05 21:08:02 dc1.mydomain.net winbindd[2171]: GSSAPI client step 1
>Jun 05 21:08:23 dc1.mydomain.net winbindd[2171]: [2015/06/05
>21:08:23.034001,  0] ipa_sam.c:4144(bind_callback_cleanup)
>Jun 05 21:08:23 dc1.mydomain.net winbindd[2171]: kerberos error:
>code=-1765328324, message=Generic error (see e-text)
>Jun 05 21:08:23 dc1.mydomain.net winbindd[2171]: GSSAPI client step 1
>Jun 05 21:08:23 dc1.mydomain.net winbindd[2171]: GSSAPI client step 1
>
>I also got this error from the web ui after restarting httpd:
>
>Runtime error
>
>Web UI got in unrecoverable state during "metadata" phase
You said you have a winsync relationship but the log output above talks
about Samba being unable to connect to IPA LDAP and that looks like you
did run ipa-adtrust-install on this server. Am I right? It looks like
you are also using this smbd setup to join non-Linux machines
(office.mydomain.net is one of them?)

Do you see anything like SID filtering in /var/log/krb5kdc.log?

If so, do you see anywhere in the logs that the krb5kdc process has crashed?

-- 
/ Alexander Bokovoy 
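
An added example, not part of either message: one way to summarise the journal excerpt quoted above by daemon and failure class, which shows that the failures come from the Samba daemons (smbd, winbindd) binding to the directory over ldapi. The sample lines are taken from the thread with the mail line-wrapping undone; the rule names and the `triage` function are hypothetical.

```python
import re
from collections import Counter

# Base of the MIT krb5 com_err table; code - base gives the RFC 4120 error number.
KRB5_TABLE_BASE = -1765328384

# Constructed sample: journal lines from the thread, re-joined onto single lines.
SAMPLE = """\
Jun 05 21:03:01 dc1.mydomain.net winbindd[2171]: GSSAPI client step 1
Jun 05 21:03:22 dc1.mydomain.net winbindd[2171]: [2015/06/05 21:03:22.932855,  0] ipa_sam.c:4144(bind_callback_cleanup)
Jun 05 21:03:22 dc1.mydomain.net winbindd[2171]: kerberos error: code=-1765328324, message=Generic error (see e-text)
Jun 05 21:04:02 dc1.mydomain.net systemd[1]: httpd.service stopping timed out. Killing.
Jun 05 21:04:07 dc1.mydomain.net smbd[2208]: [2015/06/05 21:04:07.152666,  0] ipa_sam.c:4144(bind_callback_cleanup)
Jun 05 21:04:07 dc1.mydomain.net smbd[2208]: kerberos error: code=-1765328324, message=Generic error (see e-text)
Jun 05 21:04:07 dc1.mydomain.net smbd[2208]: failed to bind to server ldapi://%2fvar%2frun%2fslapd-MYDOMAIN-NET.socket with dn="[Anonymous bind]" Error: Local error
Jun 05 21:04:07 dc1.mydomain.net smbd[2208]: _netr_ServerAuthenticate3: failed to get machine password for account office.mydomain.net.: NT_STATUS_NONE_MAPPED
"""

LINE = re.compile(r"^\w{3} \d{2} [\d:]{8} \S+ (?P<proc>[\w.-]+)\[\d+\]: (?P<msg>.*)$")
RULES = [  # hypothetical failure classes, matched against the message part only
    ("ipa_sam_bind_cleanup", re.compile(r"ipa_sam\.c:\d+\(bind_callback_cleanup\)")),
    ("kerberos_error", re.compile(r"kerberos error: code=(-?\d+)")),
    ("ldapi_bind_failed", re.compile(r"failed to bind to server ldapi://")),
    ("machine_password_lookup_failed", re.compile(r"failed to get machine password")),
]

def triage(text):
    """Return (Counter keyed by (process, failure class), set of RFC 4120 error numbers)."""
    counts, krb_errors = Counter(), set()
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # continuation of a wrapped line, or not a journal line
        for name, rx in RULES:
            hit = rx.search(m["msg"])
            if hit:
                counts[(m["proc"], name)] += 1
                if name == "kerberos_error":  # 60 is KRB_ERR_GENERIC
                    krb_errors.add(int(hit.group(1)) - KRB5_TABLE_BASE)
    return counts, krb_errors

if __name__ == "__main__":
    counts, krb_errors = triage(SAMPLE)
    for (proc, name), n in sorted(counts.items()):
        print(f"{proc:10} {name:32} {n}")
    print("RFC 4120 error numbers:", sorted(krb_errors))
```

Feeding it the unwrapped output of `journalctl` for the affected period gives the same per-daemon breakdown for the full log.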



