Pavel, Thanks for the help, that solved the problem. Now I can access the web ui. The upgrade took place yesterday and it was a release upgrade from rhel 7.3 (last update was last week) to rhel 7.4 (so we had a lot of package updates):
ID | Command line | Date and time    | Action(s)  | Altered
-------------------------------------------------------------------------------
35 | update       | 2017-08-07 09:07 | E, I, O, U | 470 EE

According to yum history info, these are the ipa packages that were updated:

    Obsoleted   ipa-admintools-4.4.0-14.el7_3.7.noarch @rhel7
    Updated     ipa-client-4.4.0-14.el7_3.7.x86_64 @rhel7
    Obsoleting  ipa-client-4.5.0-21.el7.x86_64 @rhel7
    Updated     ipa-client-common-4.4.0-14.el7_3.7.noarch @rhel7
    Update      4.5.0-21.el7.noarch @rhel7
    Updated     ipa-common-4.4.0-14.el7_3.7.noarch @rhel7
    Update      4.5.0-21.el7.noarch @rhel7
    Updated     ipa-python-compat-4.4.0-14.el7_3.7.noarch @rhel7
    Update      4.5.0-21.el7.noarch @rhel7
    Updated     ipa-server-4.4.0-14.el7_3.7.x86_64 @rhel7
    Update      4.5.0-21.el7.x86_64 @rhel7
    Updated     ipa-server-common-4.4.0-14.el7_3.7.noarch @rhel7
    Update      4.5.0-21.el7.noarch @rhel7
    Updated     ipa-server-dns-4.4.0-14.el7_3.7.noarch @rhel7
    Update      4.5.0-21.el7.noarch @rhel7
    Updated     libipa_hbac-1.14.0-43.el7_3.18.x86_64 @rhel7
    Update      1.15.2-50.el7.x86_64 @rhel7
    Updated     python-libipa_hbac-1.14.0-43.el7_3.18.x86_64 @rhel7
    Update      1.15.2-50.el7.x86_64 @rhel7
    Updated     python2-ipaclient-4.4.0-14.el7_3.7.noarch @rhel7
    Update      4.5.0-21.el7.noarch @rhel7
    Updated     python2-ipalib-4.4.0-14.el7_3.7.noarch @rhel7
    Update      4.5.0-21.el7.noarch @rhel7
    Updated     python2-ipaserver-4.4.0-14.el7_3.7.noarch @rhel7
    Update      4.5.0-21.el7.noarch @rhel7
    Updated     sssd-ipa-1.14.0-43.el7_3.18.x86_64 @rhel7
    Update      1.15.2-50.el7.x86_64 @rhel7

Again, thanks for the help! Kind regards
On Tue, Aug 8, 2017 at 5:51 AM, Pavel Vomacka pvomacka@redhat.com wrote:
On 08/07/2017 07:01 PM, Gustavo Berman via FreeIPA-users wrote:
Hello Pavel
On Mon, Aug 7, 2017 at 12:40 PM, Pavel Vomacka pvomacka@redhat.com wrote:
Hello Gustavo,

From what I can see, the issue would be PROTOCOL ERROR in whoami command. Could you please check whether all services are running? Please run

    # ipactl status

and post the output.
    # ipactl status
    Directory Service: RUNNING
    krb5kdc Service: RUNNING
    kadmin Service: RUNNING
    named Service: RUNNING
    httpd Service: RUNNING
    ipa-custodia Service: RUNNING
    pki-tomcatd Service: RUNNING
    ipa-otpd Service: RUNNING
    ipa-dnskeysyncd Service: RUNNING
    ipa: INFO: The ipactl command was successful

And please could you send me the /etc/named.conf? Especially everything after dyndb "ipa" line is interesting for us.
This is from /etc/named.conf
    options {
        // turns on IPv6 for port 53, IPv4 is on by default for all ifaces
        listen-on-v6 {any;};

        // Put files that named is allowed to write in the data/ directory:
        directory "/var/named"; // the default
        dump-file "data/cache_dump.db";
        statistics-file "data/named_stats.txt";
        memstatistics-file "data/named_mem_stats.txt";

        forward only;
        forwarders { 10.73.2.100; 10.73.2.102; 10.73.2.101; };

        // Any host is permitted to issue recursive queries
        allow-recursion { any; };

        tkey-gssapi-keytab "/etc/named.keytab";
        pid-file "/run/named/named.pid";

        dnssec-enable yes;
        dnssec-validation no;

        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
    };

    /* If you want to enable debugging, eg. using the 'rndc trace' command,
     * By default, SELinux policy does not allow named to modify the /var/named directory,
     * so put the default debug log file in data/ :
     */
    logging {
        channel default_debug {
            file "data/named.run";
            severity dynamic;
            print-time yes;
        };
    };

    zone "." IN {
        type hint;
        file "named.ca";
    };

    include "/etc/named.rfc1912.zones";

    dyndb "ipa" "/usr/lib64/bind/ldap.so" {
        uri "ldapi://%2fvar%2frun%2fslapd-FISICA-CABIB.socket";
        base "cn=dns, dc=fisica,dc=cabib";
        fake_mname "ipaserver.fisica.cabib.";
        auth_method "sasl";
        sasl_mech "GSSAPI";
        sasl_user "DNS/ipaserver.fisica.cabib";
        server_id "ipaserver.fisica.cabib";
    };

    include "/etc/named.root.key";

    key "rndc-key" {
        algorithm hmac-md5;
        secret "#########################";
    };

Thank you for the configuration. It looks good.
Another thing that might be incorrect is that the whoami plugin is not loaded. Please check whether you have the following line:

    dn: cn=whoami,cn=plugins,cn=config

in the /etc/dirsrv/slapd-IPASERVER-FISICA-CABIB/dse.ldif

If not, please add the following lines there (between double quotes and without them):

"
dn: cn=whoami,cn=plugins,cn=config
cn: whoami
nsslapd-plugin-depends-on-type: database
nsslapd-pluginDescription: whoami extended operation plugin
nsslapd-pluginEnabled: on
nsslapd-pluginId: whoami-plugin
nsslapd-pluginInitfunc: whoami_init
nsslapd-pluginPath: libwhoami-plugin
nsslapd-pluginType: extendedop
nsslapd-pluginVendor: 389 Project
nsslapd-pluginVersion: 1.3.5.18
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
"

and change the nsslapd-pluginVersion value to the same as other plugins have.
Then you will probably need to restart ipa service or at least dirsrv.
Did that help?
Could you please tell us more about upgrade? Especially from which version did you upgrade to 4.5 and which OS do you use? Which version of IPA did you have when you started using IPA?
-- Gustavo Berman Sysadmin - Gerencia de Física - Centro Atómico Bariloche - CNEA
-- Pavel^3 Vomacka
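
The dse.ldif check described in the thread (is the whoami plugin entry present, is it enabled, and does its nsslapd-pluginVersion match the other plugins?) can be scripted. This is an added example, not code from the thread or from the FreeIPA or 389 projects; the function names, the output keywords and the sample entries (including the version 1.3.6.1) are constructed for illustration.

```shell
# Added example: reads a 389-ds dse.ldif on stdin and reports on the whoami
# plugin entry: missing | disabled | version-mismatch:<have>:<expected> | ok
whoami_status() {
    awk '
        # Unfold LDIF: a line starting with one space continues the previous one.
        /^ / { buf = buf substr($0, 2); next }
        { if (NR > 1) parse(buf); buf = $0 }
        END {
            if (NR > 0) parse(buf); flush()
            # Expected version = the one most other plugin entries carry.
            for (v in count) if (count[v] > best) { best = count[v]; expected = v }
            if (!found) print "missing"
            else if (on != "on") print "disabled"
            else if (expected != "" && have != expected) print "version-mismatch:" have ":" expected
            else print "ok"
        }
        function parse(line,   i, key, val) {
            if (line == "") { flush(); return }      # blank line ends an entry
            i = index(line, ":"); if (i == 0) return
            key = tolower(substr(line, 1, i - 1))    # attribute names ignore case
            val = substr(line, i + 1); sub(/^[ \t]+/, "", val)
            if (key == "dn") dn = val
            else if (key == "nsslapd-pluginversion") ver = val
            else if (key == "nsslapd-pluginenabled") enabled = tolower(val)
        }
        function flush(   d) {
            d = tolower(dn); gsub(/[ \t]*,[ \t]*/, ",", d)
            if (d == "cn=whoami,cn=plugins,cn=config") { found = 1; have = ver; on = enabled }
            else if (ver != "") count[ver]++
            dn = ver = enabled = ""
        }
    '
}
# Constructed sample input; 1.3.6.1 is a made-up version for the other plugins.
sample_ldif() {
    cat <<'EOF'
dn: cn=7-bit check,cn=plugins,cn=config
nsslapd-pluginVersion: 1.3.6.1

dn: cn=ACL Plugin,cn=plugins,cn=config
nsslapd-pluginVersion: 1.3.6.1

dn: cn=whoami,cn=plugins,
 cn=config
nsslapd-pluginEnabled: on
nsslapd-pluginVersion: 1.3.5.18
EOF
}
sample_ldif | whoami_status
```

On a server, feed it the instance file instead of the sample, for example `whoami_status < /etc/dirsrv/slapd-IPASERVER-FISICA-CABIB/dse.ldif`. Edit dse.ldif only while dirsrv is stopped, because the running server writes its in-memory configuration back to that file.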