On 08/08/2017 02:03 PM, Gustavo Berman via FreeIPA-users wrote:
Pavel,
Thanks for the help, that solved the problem. Now I can access the web ui.
I'm glad that it works again.
The upgrade took place yesterday and it was a release upgrade from
rhel 7.3 (last update was last week) to rhel 7.4 (so we had a lot of
package updates):
Thank you for info. I have one additional question: What was the first
y-version of RHEL 7 you used?
ID | Command line | Date and time | Action(s) |
Altered
-------------------------------------------------------------------------------
35 | update | 2017-08-07 09:07 | E, I, O, U
| 470 EE
Acording to yum history info, this are the ipa packages that where
updated:
Obsoleted ipa-admintools-4.4.0-14.el7_3.7.noarch @rhel7
Updated ipa-client-4.4.0-14.el7_3.7.x86_64 @rhel7
Obsoleting ipa-client-4.5.0-21.el7.x86_64 @rhel7
Updated ipa-client-common-4.4.0-14.el7_3.7.noarch @rhel7
Update 4.5.0-21.el7.noarch @rhel7
Updated ipa-common-4.4.0-14.el7_3.7.noarch @rhel7
Update 4.5.0-21.el7.noarch @rhel7
Updated ipa-python-compat-4.4.0-14.el7_3.7.noarch @rhel7
Update 4.5.0-21.el7.noarch @rhel7
Updated ipa-server-4.4.0-14.el7_3.7.x86_64 @rhel7
Update 4.5.0-21.el7.x86_64 @rhel7
Updated ipa-server-common-4.4.0-14.el7_3.7.noarch @rhel7
Update 4.5.0-21.el7.noarch @rhel7
Updated ipa-server-dns-4.4.0-14.el7_3.7.noarch @rhel7
Update 4.5.0-21.el7.noarch @rhel7
Updated libipa_hbac-1.14.0-43.el7_3.18.x86_64 @rhel7
Update 1.15.2-50.el7.x86_64 @rhel7
Updated python-libipa_hbac-1.14.0-43.el7_3.18.x86_64 @rhel7
Update 1.15.2-50.el7.x86_64 @rhel7
Updated python2-ipaclient-4.4.0-14.el7_3.7.noarch @rhel7
Update 4.5.0-21.el7.noarch @rhel7
Updated python2-ipalib-4.4.0-14.el7_3.7.noarch @rhel7
Update 4.5.0-21.el7.noarch @rhel7
Updated python2-ipaserver-4.4.0-14.el7_3.7.noarch @rhel7
Update 4.5.0-21.el7.noarch @rhel7
Updated sssd-ipa-1.14.0-43.el7_3.18.x86_64 @rhel7
Update 1.15.2-50.el7.x86_64 @rhel7
Again, thanks for the help!
Kind regards
On Tue, Aug 8, 2017 at 5:51 AM, Pavel Vomacka <pvoma...@redhat.com
<mailto:pvoma...@redhat.com>> wrote:
On 08/07/2017 07:01 PM, Gustavo Berman via FreeIPA-users wrote:
Hello Pavel
On Mon, Aug 7, 2017 at 12:40 PM, Pavel Vomacka
<pvoma...@redhat.com <mailto:pvoma...@redhat.com>> wrote:
Hello Gustavo,
From what I can see, the issue would be PROTOCOL ERROR in
whoami command. Could you please check whether all services
running? Please run
# ipactl status
and post the output.
# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
And please could you send me the /etc/named.conf? Especially
everything after
dyndb "ipa"
line is interesting for us.
This is from /etc/named.conf
options {
// turns on IPv6 for port 53, IPv4 is on by default for
all ifaces
listen-on-v6 {any;};
// Put files that named is allowed to write in the data/
directory:
directory "/var/named"; // the default
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";
forward only;
forwarders {
10.73.2.100;
10.73.2.102;
10.73.2.101;
};
// Any host is permitted to issue recursive queries
allow-recursion { any; };
tkey-gssapi-keytab "/etc/named.keytab";
pid-file "/run/named/named.pid";
dnssec-enable yes;
dnssec-validation no;
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
};
/* If you want to enable debugging, eg. using the 'rndc trace'
command,
* By default, SELinux policy does not allow named to modify the
/var/named directory,
* so put the default debug log file in data/ :
*/
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
print-time yes;
};
};
zone "." IN {
type hint;
file "named.ca <http://named.ca>";
};
include "/etc/named.rfc1912.zones";
dyndb "ipa" "/usr/lib64/bind/ldap.so" {
uri "ldapi://%2fvar%2frun%2fslapd-FISICA-CABIB.socket";
base "cn=dns, dc=fisica,dc=cabib";
fake_mname "ipaserver.fisica.cabib.";
auth_method "sasl";
sasl_mech "GSSAPI";
sasl_user "DNS/ipaserver.fisica.cabib";
server_id "ipaserver.fisica.cabib";
};
include "/etc/named.root.key";
key "rndc-key" {
algorithm hmac-md5;
secret "#########################";
};
Thank you for the configuration. It looks good.
Another thing that might be incorrect is that the whoami plugin is
not loaded. Please check whether you have following line:
dn: cn=whoami,cn=plugins,cn=config
in the /etc/dirsrv/slapd-IPASERVER-FISICA-CABIB/dse.ldif
If not please add there following lines (between double quotes and
without them):
"
dn: cn=whoami,cn=plugins,cn=config
cn: whoami
nsslapd-plugin-depends-on-type: database
nsslapd-pluginDescription: whoami extended operation plugin
nsslapd-pluginEnabled: on
nsslapd-pluginId: whoami-plugin
nsslapd-pluginInitfunc: whoami_init
nsslapd-pluginPath: libwhoami-plugin
nsslapd-pluginType: extendedop
nsslapd-pluginVendor: 389 Project
nsslapd-pluginVersion: 1.3.5.18
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
"
and change the nsslapd-pluginVersion value to the same as other
plugins have.
Then you will probably need to restart ipa service or at least
dirsrv.
Did that help?
Could you please tell us more about upgrade? Especially from which
version did you upgrade to 4.5 and which OS do you use? Which
version of IPA did you have when you started using IPA?
--
Gustavo Berman
Sysadmin - Gerencia de Física - Centro Atómico Bariloche - CNEA
_______________________________________________
FreeIPA-users mailing list --freeipa-users@lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org>
To unsubscribe send an email tofreeipa-users-le...@lists.fedorahosted.org
<mailto:freeipa-users-le...@lists.fedorahosted.org>
--
Pavel^3 Vomacka
--
Gustavo Berman
Sysadmin - Gerencia de Física - Centro Atómico Bariloche - CNEA
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
--
Pavel^3 Vomacka
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
