Hey guys,
I set up my very first FreeIPA installation and I'm currently dealing with an issue I hope you can help me with. I'm running FreeIPA version 4.7.1 on CentOS 8. I installed about 3 weeks ago, had been working fine up until a few days ago (after a restart).
I'm encountering several symptoms:
The WebUI won't let me log in anymore ("Login failed due to an unknown reason.") This was the first error I noticed... since it only happened for users not already logged in, I suspected wrong password entries. After a server restart everyone got locked out though.
Other post-restart commands that are not working any more:
certutil -L
certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database.
ipa ERROR: cannot connect to 'https://ipa.**.**/ipa/json': [Errno 111] Connection refused
ipa-getkeytab -p HTTP/*@*.* -s ipa.*.* -k /var/lib/ipa/gssproxy/http.keytab
Failed to load translations
SASL Bind failed Local error (-2) SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)!
Failed to bind to server!
Retrying with pre-4.0 keytab retrieval method...
SASL Bind failed Local error (-2) SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)!
Failed to bind to server!
Failed to get keytab
(works with binddn though)
kinit, klist and other kerberos/ldap logins are working fine!
Logfiles: /var/log/httpd/error_log
[Thu Nov 14 16:38:43.894373 2019] [wsgi:error] [pid 22560:tid 140303294011136] [remote *.*.*.*:*] ipa: INFO: [jsonserver_i18n_messages] UNKNOWN: i18n_messages(version='2.230'): SUCCESS
[Thu Nov 14 16:38:44.013990 2019] [:warn] [pid 24265:tid 140302572558080] [client *.*.*.*:*] KRB5CCNAME file (/run/ipa/ccaches/*@*.*) lookup failed!, referer: https://ipa.*.*/ipa/ui/
[Thu Nov 14 16:38:44.036125 2019] [:warn] [pid 24265:tid 140301800822528] [client *.*.*.*:*] KRB5CCNAME file (/run/ipa/ccaches/*@*.*) lookup failed!, referer: https://ipa.*.*/ipa/ui/
[Thu Nov 14 16:38:57.098920 2019] [wsgi:error] [pid 22560:tid 140303294011136] [remote *.*.*.*:*] ipa: INFO: 401 Unauthorized: HTTPConnectionPool(host='ipa.*.*', port=80): Max retries exceeded with url: /ipa/session/cookie (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f9ae9039f60>: Failed to establish a new connection: [Errno 111] Connection refused',))
/var/log/krb5kdc.log
Nov 14 17:14:34 ipa.*.* krb5kdc[22498](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 127.0.0.1: NEEDED_PREAUTH: WELLKNOWN/ANONYMOUS@*.* for krbtgt/*.*@*.*, Additional pre-authentication required
Nov 14 17:14:34 ipa.*.* krb5kdc[22498](info): closing down fd 12
Nov 14 17:14:34 ipa.*.* krb5kdc[22502](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 127.0.0.1: ISSUE: authtime 1573748074, etypes {rep=18 tkt=18 ses=18}, WELLKNOWN/ANONYMOUS@*.* for krbtgt/*.*@*.*
Nov 14 17:14:34 ipa.*.* krb5kdc[22502](info): closing down fd 12
Nov 14 17:14:34 ipa.*.* krb5kdc[22506](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 127.0.0.1: NEEDED_PREAUTH: *@*.* for krbtgt/*.*@*.*, Additional pre-authentication required
Nov 14 17:14:34 ipa.*.* krb5kdc[22506](info): closing down fd 12
Nov 14 17:14:34 ipa.*.* krb5kdc[22506](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 127.0.0.1: ISSUE: authtime 1573748074, etypes {rep=18 tkt=18 ses=18}, *@*.* for krbtgt/*.*@*.*
Nov 14 17:14:34 ipa.*.* krb5kdc[22506](info): closing down fd 12
Nov 14 17:14:34 ipa.*.* krb5kdc[22507](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 127.0.0.1: ISSUE: authtime 1573748074, etypes {rep=18 tkt=18 ses=18}, *@*.* for HTTP/ipa.*.*@*.*
Nov 14 17:14:34 ipa.eagleeye-film.de krb5kdc[22507](info): closing down fd 12
I'm suspecting some GSSAPI/certificate error... /run/ipa/ccaches is empty and all non-http authorizations seem to work. I have been working on a samba configuration for the same server; I have a feeling that some of my experiments (ipa-adtrust-install, authconfig, chmod on keytab, net sam provision) messed with the rest of the system... I tried to backtrack/revert as much as I could, but nothing helped so far. I also think the first WebUI errors occurred before already.
I'd be so happy if anyone could help! So far I've been able to find solutions for every issue, but this seems to be a tough one. Thanks!
-Tristan
Tristan Weis via FreeIPA-users wrote:
> Other post-restart commands that are not working any more:
> certutil -L
> certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database.
This is a red herring. certutil without a -d assumes ~/.netscape as the database location (yes, that Netscape).
> ipa ERROR: cannot connect to 'https://ipa.**.**/ipa/json': [Errno 111] Connection refused
Suggests the web server isn't up at all.
What does ipactl status say?
> ipa-getkeytab -p HTTP/*@*.* -s ipa.*.* -k /var/lib/ipa/gssproxy/http.keytab
> Failed to load translations
> SASL Bind failed Local error (-2) SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)!
> Failed to bind to server!
> Retrying with pre-4.0 keytab retrieval method...
> SASL Bind failed Local error (-2) SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)!
> Failed to bind to server!
> Failed to get keytab
> (works with binddn though)
Are you just trying random commands?
> kinit, klist and other kerberos/ldap logins are working fine!
Based on above I'm guessing you didn't kinit first. I wouldn't use ipa-getkeytab as a troubleshooting tool though.
> Logfiles: /var/log/httpd/error_log
> [Thu Nov 14 16:38:43.894373 2019] [wsgi:error] [pid 22560:tid 140303294011136] [remote *.*.*.*:*] ipa: INFO: [jsonserver_i18n_messages] UNKNOWN: i18n_messages(version='2.230'): SUCCESS
> [Thu Nov 14 16:38:44.013990 2019] [:warn] [pid 24265:tid 140302572558080] [client *.*.*.*:*] KRB5CCNAME file (/run/ipa/ccaches/*@*.*) lookup failed!, referer: https://ipa.*.*/ipa/ui/
> [Thu Nov 14 16:38:44.036125 2019] [:warn] [pid 24265:tid 140301800822528] [client *.*.*.*:*] KRB5CCNAME file (/run/ipa/ccaches/*@*.*) lookup failed!, referer: https://ipa.*.*/ipa/ui/
> [Thu Nov 14 16:38:57.098920 2019] [wsgi:error] [pid 22560:tid 140303294011136] [remote *.*.*.*:*] ipa: INFO: 401 Unauthorized: HTTPConnectionPool(host='ipa.*.*', port=80): Max retries exceeded with url: /ipa/session/cookie (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f9ae9039f60>: Failed to establish a new connection: [Errno 111] Connection refused',))
Not a lot of context. Knowing what services are running is more important at this point.
> I'm suspecting some GSSAPI/certificate error... /run/ipa/ccaches is empty and all non-http authorizations seem to work. I have been working on a samba configuration for the same server; I have a feeling that some of my experiments (ipa-adtrust-install, authconfig, chmod on keytab, net sam provision) messed with the rest of the system... I tried to backtrack/revert as much as I could, but nothing helped so far. I also think the first WebUI errors occurred before already.
Doesn't sound cert related and you said the KDC is working.
RHEL 8 uses authselect, not authconfig, but that probably wouldn't affect the web server.
rob
Hey Rob, thank you so much for your help!
I just checked certutil... it works with the added -d database location. Upon trying to create a new certificate for HTTP, ipa-getcert list gives me:
Request ID '20191115101517':
    status: CA_UNREACHABLE
    ca-error: Server at https://ipa.*.*/ipa/xml failed request, will retry: -504 (HTTP POST to URL 'https://ipa.*.*/ipa/xml' failed. libcurl failed even to execute the HTTP transaction, explaining: Failed to connect to ipa.*.* port 443: Connection refused).
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/nssdb',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/nssdb/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/nssdb',nickname='Server-Cert'
    CA: IPA
    issuer:
    subject:
    expires: unknown
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Output of ipactl status:
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
smb Service: RUNNING
winbind Service: RUNNING
ipa-otpd Service: RUNNING
And to answer:
> Are you just trying random commands?
Those are outputs I collected during all my attempts to fix it. Also I tried various (afaik) non-destructive commands to see what works and what doesn't to hopefully close in on what's wrong.
> Based on above I'm guessing you didn't kinit first.
Always made sure to have active Kerberos credentials! Definitely used kinit first.
> Knowing what services are running is more important at this point.
Here's the output of systemctl status for the relevant processes:

gssproxy
gssproxy.service - GSSAPI Proxy Daemon
   Loaded: loaded (/usr/lib/systemd/system/gssproxy.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2019-11-15 11:41:16 CET; 7s ago
  Process: 2656 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
  Process: 20319 ExecStart=/usr/sbin/gssproxy -D (code=exited, status=0/SUCCESS)
 Main PID: 20320 (gssproxy)
    Tasks: 6 (limit: 52428)
   Memory: 1.6M
   CGroup: /system.slice/gssproxy.service
           └─20320 /usr/sbin/gssproxy -D
ipa
ipa.service - Identity, Policy, Audit
   Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled; vendor preset: disabled)
   Active: active (exited) since Thu 2019-11-14 15:10:30 CET; 20h ago
  Process: 11849 ExecStart=/usr/sbin/ipactl start (code=exited, status=0/SUCCESS)
 Main PID: 11849 (code=exited, status=0/SUCCESS)

Nov 14 15:10:30 ipa.*.* ipactl[11849]: Starting Directory Service
Nov 14 15:10:30 ipa.*.* ipactl[11849]: Starting krb5kdc Service
Nov 14 15:10:30 ipa.*.* ipactl[11849]: Starting kadmin Service
Nov 14 15:10:30 ipa.*.* ipactl[11849]: Starting httpd Service
Nov 14 15:10:30 ipa.*.* ipactl[11849]: Starting ipa-custodia Service
Nov 14 15:10:30 ipa.*.* ipactl[11849]: Starting pki-tomcatd Service
Nov 14 15:10:30 ipa.*.* ipactl[11849]: Starting smb Service
Nov 14 15:10:30 ipa.*.* ipactl[11849]: Starting winbind Service
Nov 14 15:10:30 ipa.*.* ipactl[11849]: Starting ipa-otpd Service
Nov 14 15:10:30 ipa.*.* systemd[1]: Started Identity, Policy, Audit.
httpd
httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/httpd.service.d
           └─ipa.conf
           /usr/lib/systemd/system/httpd.service.d
           └─php-fpm.conf
   Active: active (running) since Fri 2019-11-15 11:38:13 CET; 7min ago
     Docs: man:httpd.service(8)
  Process: 19582 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy (code=exited, status=0/SUCCESS)
 Main PID: 19587 (httpd)
   Status: "Total requests: 2; Idle/Busy workers 100/0;Requests/sec: 0.00437; Bytes served/sec: 16 B/se>
    Tasks: 330 (limit: 52428)
   Memory: 386.6M
   CGroup: /system.slice/httpd.service
           ├─19587 /usr/sbin/httpd -DFOREGROUND
           ├─19592 /usr/sbin/httpd -DFOREGROUND
           ├─19593 (wsgi:kdcproxy) -DFOREGROUND
           ├─19594 (wsgi:kdcproxy) -DFOREGROUND
           ├─19595 (wsgi:ipa) -DFOREGROUND
           ├─19596 (wsgi:ipa) -DFOREGROUND
           ├─19597 (wsgi:ipa) -DFOREGROUND
           ├─19598 (wsgi:ipa) -DFOREGROUND
           ├─19599 /usr/sbin/httpd -DFOREGROUND
           ├─19601 /usr/sbin/httpd -DFOREGROUND
           ├─19602 /usr/sbin/httpd -DFOREGROUND
           └─19935 /usr/sbin/httpd -DFOREGROUND

Nov 15 11:38:12 ipa.*.* systemd[1]: Starting The Apache HTTP Server...
Nov 15 11:38:13 ipa.*.* ipa-httpd-kdcproxy[19582]: ipa: INFO: KDC proxy enabled
Nov 15 11:38:13 ipa.*.* ipa-httpd-kdcproxy[19582]: ipa-httpd-kdcproxy: INFO KDC proxy e>
Nov 15 11:38:13 ipa.*.* httpd[19587]: AH00558: httpd: Could not reliably determine the serv>
Nov 15 11:38:13 ipa.*.* httpd[19587]: Server configured, listening on: 192.168.178.101 port>
Nov 15 11:38:13 ipa.*.* systemd[1]: Started The Apache HTTP Server.

Nov 15 11:41:15 ipa.*.* systemd[1]: Starting GSSAPI Proxy Daemon...
Nov 15 11:41:16 ipa.*.* systemd[1]: Started GSSAPI Proxy Daemon.
The whole systemctl status
UNIT                               LOAD   ACTIVE SUB     DESCRIPTION
proc-sys-fs-binfmt_misc.automount  loaded active running Arbitrary Executable File Formats File System Au>
init.scope                         loaded active running System and Service Manager
session-1015.scope                 loaded active running Session 1015 of user eelocal
session-37.scope                   loaded active running Session 37 of user eelocal
atd.service                        loaded active running Job spooling tools
auditd.service                     loaded active running Security Auditing Service
certmonger.service                 loaded active running Certificate monitoring and PKI enrollment
chronyd.service                    loaded active running NTP client/server
crond.service                      loaded active running Command Scheduler
dbus.service                       loaded active running D-Bus System Message Bus
dirsrv@EAGLEEYE-FILM-DE.service    loaded active running 389 Directory Server EAGLEEYE-FILM-DE.
firewalld.service                  loaded active running firewalld - dynamic firewall daemon
getty@tty1.service                 loaded active running Getty on tty1
gssproxy.service                   loaded active running GSSAPI Proxy Daemon
httpd.service                      loaded active running The Apache HTTP Server
ipa-custodia.service               loaded active running IPA Custodia Service
irqbalance.service                 loaded active running irqbalance daemon
kadmin.service                     loaded active running Kerberos 5 Password-changing and Administration
krb5kdc.service                    loaded active running Kerberos 5 KDC
libstoragemgmt.service             loaded active running libstoragemgmt plug-in server daemon
mcelog.service                     loaded active running Machine Check Exception Logging Daemon
multipathd.service                 loaded active running Device-Mapper Multipath Device Controller
mysqld.service                     loaded active running MySQL 8.0 database server
NetworkManager.service             loaded active running Network Manager
nfs-idmapd.service                 loaded active running NFSv4 ID-name mapping service
nfs-mountd.service                 loaded active running NFS Mount Daemon
nginx.service                      loaded active running The nginx HTTP and reverse proxy server
nmb.service                        loaded active running Samba NMB Daemon
oddjobd.service                    loaded active running privileged operations for unprivileged applicati>
php-fpm.service                    loaded active running The PHP FastCGI Process Manager
pki-tomcatd@pki-tomcat.service     loaded active running PKI Tomcat Server pki-tomcat
polkit.service                     loaded active running Authorization Manager
postfix.service                    loaded active running Postfix Mail Transport Agent
postgresql.service                 loaded active running PostgreSQL database server
redis.service                      loaded active running Redis persistent key-value database
rngd.service                       loaded active running Hardware RNG Entropy Gatherer Daemon
rpc-gssd.service                   loaded active running RPC security service for NFS client and server
rpc-statd.service                  loaded active running NFS status monitor for NFSv2/3 locking.
rpcbind.service                    loaded active running RPC Bind
rsyslog.service                    loaded active running System Logging Service
smartd.service                     loaded active running Self Monitoring and Reporting Technology (SMART)>
smb.service                        loaded active running Samba SMB Daemon
sshd.service                       loaded active running OpenSSH server daemon
sssd.service                       loaded active running System Security Services Daemon
systemd-journald.service           loaded active running Journal Service
systemd-logind.service             loaded active running Login Service
systemd-udevd.service              loaded active running udev Kernel Device Manager
tuned.service                      loaded active running Dynamic System Tuning Daemon
user@1000.service                  loaded active running User Manager for UID 1000
winbind.service                    loaded active running Samba Winbind Daemon
zou-events.service                 loaded active running Gunicorn instance to serve the Zou Events API
zou-jobs.service                   loaded active running RQ Job queue to run asynchronous job from Zou
zou.service                        loaded active running Gunicorn instance to serve the Zou API
dbus.socket                        loaded active running D-Bus System Message Bus Socket
multipathd.socket                  loaded active running multipathd control socket
rpcbind.socket                     loaded active running RPCbind Server Activation Socket
systemd-journald-dev-log.socket    loaded active running Journal Socket (/dev/log)
systemd-journald.socket            loaded active running Journal Socket
systemd-udevd-control.socket       loaded active running udev Control Socket
systemd-udevd-kernel.socket        loaded active running udev Kernel Socket
There are no degraded services. Everything seems to be running fine. Nginx is listening on a different network interface than apache; had no problems with that setup before. Tried with nginx disabled as well, no difference. Tried disabling the firewall; problem persists. SELinux is set to 'permissive'.
> Doesn't sound cert related and you said the KDC is working.
It seems to ONLY affect authorization via HTTP (preauth?). Apache itself is running without any other errors. I can access the FreeIPA WebUI from any browser. ONLY when I try to log in does it produce an error. Before the server restart, all browsers with login cookies for the WebUI were still logged in and could operate the WebUI; only the 'Authentication' tab already gave me an HTTP error while trying to list certificates.
I hope that's enough info for a good overview.
All the best and thanks, Tristan
Tristan Weis via FreeIPA-users wrote:
> Hey Rob, thank you so much for your help!
> I just checked certutil... it works with the added -d database location. Upon trying to create a new certificate for HTTP, ipa-getcert list gives me:
> Request ID '20191115101517':
>     status: CA_UNREACHABLE
>     ca-error: Server at https://ipa.*.*/ipa/xml failed request, will retry: -504 (HTTP POST to URL 'https://ipa.*.*/ipa/xml' failed. libcurl failed even to execute the HTTP transaction, explaining: Failed to connect to ipa.*.* port 443: Connection refused).
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/httpd/nssdb',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/nssdb/pwdfile.txt'
>     certificate: type=NSSDB,location='/etc/httpd/nssdb',nickname='Server-Cert'
>     CA: IPA
>     issuer:
>     subject:
>     expires: unknown
>     pre-save command:
>     post-save command:
>     track: yes
>     auto-renew: yes
Apache doesn't seem to be listening on port 443.
VirtualHost configuration:
*:443                  ipa.example.test (/etc/httpd/conf.d/ssl.conf:56)
For RHEL/CentOS 7 you'll see nss.conf instead of ssl.conf.
This is not the way to get a new certificate for an IPA service. You are quite likely to break something further doing this if per chance it were successful.
rob
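A small check for the condition Rob points at (Apache not listening on 443, so certmonger, the ipa CLI and the WebUI login all get "Connection refused"), added here as an example and not code from the thread or from the FreeIPA project. It assumes Apache 2.4's httpd -S dump format and ss -ltn output; the sample strings are constructed to mimic both.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a FreeIPA server's Apache
# both declares a port-443 VirtualHost and actually has a socket bound there.
# Assumes Apache 2.4 `httpd -S` output and iproute2 `ss -ltn` output.

# Constructed sample of a healthy `httpd -S` dump (443 vhost present, as in
# Rob's reply) and of a broken one (only the plain-HTTP vhost configured).
SAMPLE_HTTPD_OK='VirtualHost configuration:
*:443                  ipa.example.test (/etc/httpd/conf.d/ssl.conf:56)
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"'
SAMPLE_HTTPD_BAD='VirtualHost configuration:
*:80                   ipa.example.test (/etc/httpd/conf.d/ipa.conf:12)
ServerRoot: "/etc/httpd"'

# Constructed sample of `ss -ltn` output with and without a 443 listener.
SAMPLE_SS_OK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:443       0.0.0.0:*
LISTEN 0      128          0.0.0.0:80        0.0.0.0:*'
SAMPLE_SS_BAD='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:80        0.0.0.0:*'

# has_https_vhost DUMP: succeed if the httpd -S dump declares a vhost bound
# to port 443 on any address ("*:443", "192.0.2.1:443", ...).
has_https_vhost() {
    printf '%s\n' "$1" | grep -Eq '^[^[:space:]]*:443[[:space:]]'
}

# listening_on_443 SSOUT: succeed if some socket in the ss -ltn output is in
# LISTEN state on local port 443 (IPv4 or IPv6).
listening_on_443() {
    printf '%s\n' "$1" | grep -Eq '^LISTEN[[:space:]].*:443[[:space:]]'
}

# diagnose DUMP SSOUT: print a verdict; return 0 when both checks pass,
# 1 when no 443 vhost is configured, 2 when it is configured but not bound.
diagnose() {
    if ! has_https_vhost "$1"; then
        echo "no :443 VirtualHost: check /etc/httpd/conf.d/ssl.conf (nss.conf on EL7)"
        return 1
    fi
    if ! listening_on_443 "$2"; then
        echo ":443 vhost configured but nothing bound: check /var/log/httpd/error_log"
        return 2
    fi
    echo "HTTPS listener present"
    return 0
}

# Live use on the IPA server itself:
#   diagnose "$(httpd -S 2>&1)" "$(ss -ltn)"
```

Run against the live dumps, a return of 1 means the TLS vhost never made it into the active config, which is the state Rob describes; 2 means the config is there but httpd failed to bind.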