Hi,

I just had the same issue as Gustavo with the webui after upgrading from 7.3 to 
7.4, and came across this thread. Adding the whoami plugin to dse.ldif solved 
the issue.

Thanks.


Regards,
Siggi


> On 9 Aug 2017, at 17:15, Pavel Vomacka via FreeIPA-users 
> <freeipa-users@lists.fedorahosted.org> wrote:
> 
> 
> 
> On 08/08/2017 02:03 PM, Gustavo Berman via FreeIPA-users wrote:
>> Pavel,
>> Thanks for the help, that solved the problem. Now I can access the web ui.
> I'm glad that it works again.
>> The upgrade took place yesterday and it was a release upgrade from rhel 7.3 
>> (last update was last week) to rhel 7.4 (so we had a lot of package updates):
>> 
> Thank you for the info. I have one additional question: What was the first 
> y-version of RHEL 7 you used? 
> 
>> ID     | Command line             | Date and time    | Action(s)      | Altered
>> -------------------------------------------------------------------------------
>>     35 | update                   | 2017-08-07 09:07 | E, I, O, U     |  470 EE
>> 
>> 
>> According to yum history info, these are the ipa packages that were updated:
>>     Obsoleted   ipa-admintools-4.4.0-14.el7_3.7.noarch @rhel7
>>     Updated     ipa-client-4.4.0-14.el7_3.7.x86_64 @rhel7
>>     Obsoleting  ipa-client-4.5.0-21.el7.x86_64 @rhel7
>>     Updated     ipa-client-common-4.4.0-14.el7_3.7.noarch @rhel7
>>     Update                        4.5.0-21.el7.noarch @rhel7
>>     Updated     ipa-common-4.4.0-14.el7_3.7.noarch @rhel7
>>     Update                 4.5.0-21.el7.noarch @rhel7
>>     Updated     ipa-python-compat-4.4.0-14.el7_3.7.noarch @rhel7
>>     Update                        4.5.0-21.el7.noarch @rhel7
>>     Updated     ipa-server-4.4.0-14.el7_3.7.x86_64 @rhel7
>>     Update                 4.5.0-21.el7.x86_64 @rhel7
>>     Updated     ipa-server-common-4.4.0-14.el7_3.7.noarch @rhel7
>>     Update                        4.5.0-21.el7.noarch @rhel7
>>     Updated     ipa-server-dns-4.4.0-14.el7_3.7.noarch @rhel7
>>     Update                     4.5.0-21.el7.noarch @rhel7
>>     Updated     libipa_hbac-1.14.0-43.el7_3.18.x86_64 @rhel7
>>     Update                  1.15.2-50.el7.x86_64 @rhel7
>>     Updated     python-libipa_hbac-1.14.0-43.el7_3.18.x86_64 @rhel7
>>     Update                         1.15.2-50.el7.x86_64 @rhel7
>>     Updated     python2-ipaclient-4.4.0-14.el7_3.7.noarch @rhel7
>>     Update                        4.5.0-21.el7.noarch @rhel7
>>     Updated     python2-ipalib-4.4.0-14.el7_3.7.noarch @rhel7
>>     Update                     4.5.0-21.el7.noarch @rhel7
>>     Updated     python2-ipaserver-4.4.0-14.el7_3.7.noarch @rhel7
>>     Update                        4.5.0-21.el7.noarch @rhel7
>>     Updated     sssd-ipa-1.14.0-43.el7_3.18.x86_64 @rhel7
>>     Update               1.15.2-50.el7.x86_64 @rhel7
>> 
>> 
>> Again, thanks for the help!
>> Kind regards
>> 
>> 
>> On Tue, Aug 8, 2017 at 5:51 AM, Pavel Vomacka <pvoma...@redhat.com> wrote:
>> 
>> 
>> 
>> On 08/07/2017 07:01 PM, Gustavo Berman via FreeIPA-users wrote:
>>> Hello Pavel
>>> 
>>> On Mon, Aug 7, 2017 at 12:40 PM, Pavel Vomacka <pvoma...@redhat.com> wrote:
>>> 
>>> Hello Gustavo,
>>> 
>>> From what I can see, the issue would be PROTOCOL ERROR in the whoami command. 
>>> Could you please check whether all services are running? Please run 
>>> # ipactl status
>>> 
>>> and post the output. 
>>> 
>>> 
>>> # ipactl status
>>> Directory Service: RUNNING
>>> krb5kdc Service: RUNNING
>>> kadmin Service: RUNNING
>>> named Service: RUNNING
>>> httpd Service: RUNNING
>>> ipa-custodia Service: RUNNING
>>> pki-tomcatd Service: RUNNING
>>> ipa-otpd Service: RUNNING
>>> ipa-dnskeysyncd Service: RUNNING
>>> ipa: INFO: The ipactl command was successful
>>> 
>>> 
>>>  
>>> And please could you send me the /etc/named.conf? Especially everything 
>>> after 
>>>  dyndb "ipa"  
>>> line is interesting for us. 
>>> 
>>> This is from /etc/named.conf 
>>> 
>>> options {
>>>         // turns on IPv6 for port 53, IPv4 is on by default for all ifaces
>>>         listen-on-v6 {any;};
>>> 
>>>         // Put files that named is allowed to write in the data/ directory:
>>>         directory "/var/named"; // the default
>>>         dump-file               "data/cache_dump.db";
>>>         statistics-file         "data/named_stats.txt";
>>>         memstatistics-file      "data/named_mem_stats.txt";
>>> 
>>>         forward only;
>>>         forwarders {
>>>                 10.73.2.100;
>>>                 10.73.2.102;
>>>                 10.73.2.101;
>>>         };
>>> 
>>>         // Any host is permitted to issue recursive queries
>>>         allow-recursion { any; };
>>> 
>>>         tkey-gssapi-keytab "/etc/named.keytab";
>>>         pid-file "/run/named/named.pid";
>>>         dnssec-enable yes;
>>>         dnssec-validation no;
>>>         bindkeys-file "/etc/named.iscdlv.key";
>>>         managed-keys-directory "/var/named/dynamic";
>>> };
>>> 
>>> /* If you want to enable debugging, eg. using the 'rndc trace' command,
>>>  * By default, SELinux policy does not allow named to modify the /var/named directory,
>>>  * so put the default debug log file in data/ :
>>>  */
>>> logging {
>>>         channel default_debug {
>>>                 file "data/named.run";
>>>                 severity dynamic;
>>>                 print-time yes;
>>>         };
>>> };
>>> 
>>> zone "." IN {
>>>         type hint;
>>>         file "named.ca";
>>> };
>>> 
>>> include "/etc/named.rfc1912.zones";
>>> 
>>> dyndb "ipa" "/usr/lib64/bind/ldap.so" {
>>>         uri "ldapi://%2fvar%2frun%2fslapd-FISICA-CABIB.socket";
>>>         base "cn=dns, dc=fisica,dc=cabib";
>>>         fake_mname "ipaserver.fisica.cabib.";
>>>         auth_method "sasl";
>>>         sasl_mech "GSSAPI";
>>>         sasl_user "DNS/ipaserver.fisica.cabib";
>>>         server_id "ipaserver.fisica.cabib";
>>> };
>>> include "/etc/named.root.key";
>>> 
>>> key "rndc-key" {
>>>         algorithm hmac-md5;
>>>         secret "#########################";
>>> };
>>>  
>>> 
>> Thank you for the configuration. It looks good.
>> 
>> Another thing that might be incorrect is that the whoami plugin is not 
>> loaded. Please check whether you have the following line: 
>> dn: cn=whoami,cn=plugins,cn=config
>> 
>> in the /etc/dirsrv/slapd-IPASERVER-FISICA-CABIB/dse.ldif
>> 
>> If not, please add the following lines there (between double quotes and without 
>> them):
>> 
>> "
>> dn: cn=whoami,cn=plugins,cn=config
>> cn: whoami
>> nsslapd-plugin-depends-on-type: database
>> nsslapd-pluginDescription: whoami extended operation plugin
>> nsslapd-pluginEnabled: on
>> nsslapd-pluginId: whoami-plugin
>> nsslapd-pluginInitfunc: whoami_init
>> nsslapd-pluginPath: libwhoami-plugin
>> nsslapd-pluginType: extendedop
>> nsslapd-pluginVendor: 389 Project
>> nsslapd-pluginVersion: 1.3.5.18
>> objectClass: top
>> objectClass: nsSlapdPlugin
>> objectClass: extensibleObject
>> "
>> 
>> and change the nsslapd-pluginVersion value to the same as other plugins have.
>> 
>> Then you will probably need to restart the ipa service or at least dirsrv. 
>> 
>> Did that help? 
>> 
>> Could you please tell us more about the upgrade? Especially from which version 
>> did you upgrade to 4.5 and which OS do you use? Which version of IPA did you 
>> have when you started using IPA? 
>>> 
>>> -- 
>>> Gustavo Berman
>>> Sysadmin - Gerencia de Física - Centro Atómico Bariloche - CNEA
>>> 
>>> 
>>> _______________________________________________
>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org 
>>> <mailto:freeipa-users@lists.fedorahosted.org>
>>> To unsubscribe send an email to freeipa-users-le...@lists..fedorahosted.org 
>>> <mailto:freeipa-users-le...@lists.fedorahosted.org>
>> 
>> -- 
>> Pavel^3 Vomacka
>> 
>> 
>> 
>> -- 
>> Gustavo Berman
>> Sysadmin - Gerencia de Física - Centro Atómico Bariloche - CNEA
>> 
>> 
> 
> -- 
> Pavel^3 Vomacka

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
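
The check and fix described in the quoted thread, as an added example that is not part of any poster's message: it looks for the whoami plugin entry in a `dse.ldif` and, if it is missing, prints the stanza from the thread with `nsslapd-pluginVersion` set to the value most other plugins in that file use. The function names and the sample data (including version `1.3.6.1`) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and sample values are constructed.
WHOAMI_DN='cn=whoami,cn=plugins,cn=config'

# Succeeds if the whoami plugin entry exists (DN match is case-insensitive).
has_whoami_plugin() {
    grep -qi "^dn: *${WHOAMI_DN}\$" "$1"
}

# Most common nsslapd-pluginVersion in the file (heuristic for "same as other plugins").
common_plugin_version() {
    awk 'tolower($1) == "nsslapd-pluginversion:" { n[$2]++ }
         END { for (v in n) if (n[v] > max) { max = n[v]; best = v }
               print best }' "$1"
}

# Prints the stanza to add; prints nothing if the entry is already present.
whoami_stanza() {
    has_whoami_plugin "$1" && return 0
    ver=$(common_plugin_version "$1")
    [ -n "$ver" ] || { echo "no plugin version found in $1" >&2; return 2; }
    cat <<EOF
dn: cn=whoami,cn=plugins,cn=config
cn: whoami
nsslapd-plugin-depends-on-type: database
nsslapd-pluginDescription: whoami extended operation plugin
nsslapd-pluginEnabled: on
nsslapd-pluginId: whoami-plugin
nsslapd-pluginInitfunc: whoami_init
nsslapd-pluginPath: libwhoami-plugin
nsslapd-pluginType: extendedop
nsslapd-pluginVendor: 389 Project
nsslapd-pluginVersion: $ver
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
EOF
}

# Constructed sample: two plugin entries, no whoami entry.
sample_dse() {
    printf '%s\n' 'dn: cn=7-bit check,cn=plugins,cn=config' \
        'nsslapd-pluginVersion: 1.3.6.1' '' \
        'dn: cn=ACL Plugin,cn=plugins,cn=config' \
        'nsslapd-pluginVersion: 1.3.6.1'
}
```

On a real server, call `whoami_stanza` with the instance's `dse.ldif` path. The directory server rewrites `dse.ldif` when it shuts down, so stop dirsrv before editing the file and start it again afterwards.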