Hello,
I have just installed the new FreeIPA on Ubuntu 18.04 and I am trying to log in as admin in the web UI, but I am not able to do so. I was looking for any kind of logs, but I don't seem to find a way to debug the problem. Any suggestion where to start looking?
Regards Peter
Start at the beginning:
- Is the install running? (ipactl status)
- Is apache listening (ss -l or netstat -l or systemctl status apache2/httpd/apache/whateverthenameis)
- Is the firewall letting you in?
- What does /var/log/apache2 or /var/log/httpd or whatever it's configured to log to say?
John
The service is up and running. I am able to access it via CLI. Apache is also running. There is not yet a firewall installed on the server. This is what I can now see in the Apache access and error logs:
==> apache2/error.log <==
[Thu Jun 20 17:35:14.632329 2019] [wsgi:error] [pid 13793:tid 139866363823872] [remote 79.119.170.85:50987] mod_wsgi (pid=13793): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Thu Jun 20 17:35:14.632554 2019] [wsgi:error] [pid 13793:tid 139866363823872] [remote 79.119.170.85:50987] Traceback (most recent call last):
[Thu Jun 20 17:35:14.632698 2019] [wsgi:error] [pid 13793:tid 139866363823872] [remote 79.119.170.85:50987] File "/usr/share/ipa/wsgi.py", line 57, in application
[Thu Jun 20 17:35:14.632874 2019] [wsgi:error] [pid 13793:tid 139866363823872] [remote 79.119.170.85:50987] return api.Backend.wsgi_dispatch(environ, start_response)
[Thu Jun 20 17:35:14.632944 2019] [wsgi:error] [pid 13793:tid 139866363823872] [remote 79.119.170.85:50987] File "/usr/lib/python2.7/dist-packages/ipaserver/rpcserver.py", line 265, in __call__
[Thu Jun 20 17:35:14.632984 2019] [wsgi:error] [pid 13793:tid 139866363823872] [remote 79.119.170.85:50987] return self.route(environ, start_response)
[Thu Jun 20 17:35:14.633004 2019] [wsgi:error] [pid 13793:tid 139866363823872] [remote 79.119.170.85:50987] File "/usr/lib/python2.7/dist-packages/ipaserver/rpcserver.py", line 277, in route
[Thu Jun 20 17:35:14.633056 2019] [wsgi:error] [pid 13793:tid 139866363823872] [remote 79.119.170.85:50987] return app(environ, start_response)
[Thu Jun 20 17:35:14.633092 2019] [wsgi:error] [pid 13793:tid 139866363823872] [remote 79.119.170.85:50987] File "/usr/lib/python2.7/dist-packages/ipaserver/rpcserver.py", line 935, in __call__
[Thu Jun 20 17:35:14.633135 2019] [wsgi:error] [pid 13793:tid 139866363823872] [remote 79.119.170.85:50987] self.kinit(user_principal, password, ipa_ccache_name)
[Thu Jun 20 17:35:14.633157 2019] [wsgi:error] [pid 13793:tid 139866363823872] [remote 79.119.170.85:50987] File "/usr/lib/python2.7/dist-packages/ipaserver/rpcserver.py", line 971, in kinit
[Thu Jun 20 17:35:14.633191 2019] [wsgi:error] [pid 13793:tid 139866363823872] [remote 79.119.170.85:50987] pkinit_anchors=[paths.KDC_CERT, paths.KDC_CA_BUNDLE_PEM],
[Thu Jun 20 17:35:14.633214 2019] [wsgi:error] [pid 13793:tid 139866363823872] [remote 79.119.170.85:50987] File "/usr/lib/python2.7/dist-packages/ipalib/install/kinit.py", line 125, in kinit_armor
[Thu Jun 20 17:35:14.633294 2019] [wsgi:error] [pid 13793:tid 139866363823872] [remote 79.119.170.85:50987] run(args, env=env, raiseonerr=True, capture_error=True)
[Thu Jun 20 17:35:14.633330 2019] [wsgi:error] [pid 13793:tid 139866363823872] [remote 79.119.170.85:50987] File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 572, in run
[Thu Jun 20 17:35:14.633375 2019] [wsgi:error] [pid 13793:tid 139866363823872] [remote 79.119.170.85:50987] p.returncode, arg_string, output_log, error_log
[Thu Jun 20 17:35:14.633554 2019] [wsgi:error] [pid 13793:tid 139866363823872] [remote 79.119.170.85:50987] CalledProcessError: CalledProcessError(Command ['/usr/bin/kinit', '-n', '-c', '/var/run/ipa/ccaches/armor_13793', '-X', 'X509_anchors=FILE:/var/lib/krb5kdc/kdc.crt', '-X', 'X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem'] returned non-zero exit status 1: "kinit: Pre-authentication failed: Cannot open file '/var/lib/krb5kdc/kdc.crt': Permission denied while getting initial credentials\n")
==> apache2/access.log <==
79.119.170.85 - - [20/Jun/2019:17:35:14 -0400] "POST /ipa/session/login_password HTTP/1.1" 500 1221 "https://ipadev.redcapcloud.com/ipa/ui/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:52.0) Gecko/20100101 Firefox/52.0 SeaMonkey/2.49.4"
So does that file exist and is it readable? What is confusing is on Debian-based systems it looks like that should be /var/lib/iap/certs/kdc.crt.
I'd suggest looking closely at /var/log/ipaserver-install.log and /var/log/ipaclient-install.log to be sure that both were successful. If not then you have a partial install and will likely continue to run into issues like this.
rob
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
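Added example, not part of the thread and not FreeIPA code: the "does that file exist and is it readable?" question asked above, answered per path component, because "Permission denied" on open can come from a parent directory that lacks the search bit as well as from the file itself. The function name and the `<wsgi-account>` placeholder are assumptions; the thread does not say which account the WSGI process runs as.

```shell
#!/bin/sh
# Added example (not from the thread). Needs GNU coreutils `stat -c`.
# Decides from owner/group/other mode bits only; ACLs, AppArmor/SELinux and
# root's override are not modelled. Run as root so every component is visible.
#
# first_blocked_component ABS_PATH ACCOUNT
#   prints the first component ACCOUNT cannot search (directories) or read
#   (final file). Exit status: 0 = path usable, 1 = blocked, 2 = missing.
first_blocked_component() (
    target=$1; user=$2
    # Groups of the account; empty if the account is unknown ("other" class).
    groups=" $(id -Gn "$user" 2>/dev/null || true) "
    cur=; rest=${target#/}
    while [ -n "$rest" ]; do
        comp=${rest%%/*}; cur="$cur/$comp"
        case $rest in
            */*) rest=${rest#*/}; need=1 ;;   # directory: search (x) bit
            *)   rest=;           need=4 ;;   # last component: read (r) bit
        esac
        [ -e "$cur" ] || { echo "$cur missing"; exit 2; }
        set -- $(stat -c '%a %U %G' "$cur")   # $1=mode $2=owner $3=group
        bits=$((0$1))                         # octal mode, e.g. 0700
        if [ "$2" = "$user" ]; then
            class=$((bits >> 6))              # owner bits
        else
            case $groups in
                *" $3 "*) class=$((bits >> 3)) ;;  # group bits
                *)        class=$bits ;;           # other bits
            esac
        fi
        [ $((class & need)) -ne 0 ] || { echo "$cur mode=$1 owner=$2:$3"; exit 1; }
    done
    exit 0
)

# Usage with the two anchors from the traceback; <wsgi-account> is a
# placeholder for the account the IPA WSGI process runs as on your host:
#   first_blocked_component /var/lib/krb5kdc/kdc.crt <wsgi-account>
#   first_blocked_component /var/lib/ipa-client/pki/kdc-ca-bundle.pem <wsgi-account>
```
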
Well, the Web UI is one part of the IPA server. To debug IPA you might want to look at the SSSD.conf debug_level (https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/htm...).
Can you elaborate what you see when trying to log in? If you see the web interface then the firewall and apache stuff should be good. If you put in the credentials in the web login form then that's another thing. Is the CLI access working on a separate IPA client? Since you're on Ubuntu, I'd recommend temp disabling selinux via `setenforce 0` or something and then restarting the services. I say that to confirm that selinux isn't blocking the processing of files due to context being a little different on debian-based Ubuntu than redhat-based Fedora. That and its HTTP context mixing up with SSSD context.
freeipa-users@lists.fedorahosted.org