It appears your suspicion was correct.

/var/log/httpd/error_log from the new replica [10.1.132.31]:

[Thu Dec 06 08:17:17.119449 2018] [auth_gssapi:error] [pid 31454] [client 10.1.132.31:43394] Failed to unseal session data!, referer: https://ef-idm03.production.efilm.com/ipa/xml
[Thu Dec 06 08:17:17.119476 2018] [auth_gssapi:error] [pid 31454] [client 10.1.132.31:43394] NO AUTH DATA Client did not send any authentication headers, referer: https://ef-idm03.production.efilm.com/ipa/xml
[Thu Dec 06 08:17:17.131578 2018] [wsgi:error] [pid 31446] [remote 10.1.132.31:43394] mod_wsgi (pid=31446): Failed to exec Python script file '/usr/share/ipa/wsgi.py'.
[Thu Dec 06 08:17:17.131653 2018] [wsgi:error] [pid 31446] [remote 10.1.132.31:43394] mod_wsgi (pid=31446): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Thu Dec 06 08:17:17.131802 2018] [wsgi:error] [pid 31446] [remote 10.1.132.31:43394] Traceback (most recent call last):
[Thu Dec 06 08:17:17.131848 2018] [wsgi:error] [pid 31446] [remote 10.1.132.31:43394]   File "/usr/share/ipa/wsgi.py", line 26, in <module>
[Thu Dec 06 08:17:17.131855 2018] [wsgi:error] [pid 31446] [remote 10.1.132.31:43394]     from ipaplatform.paths import paths
[Thu Dec 06 08:17:17.131890 2018] [wsgi:error] [pid 31446] [remote 10.1.132.31:43394] ModuleNotFoundError: No module named 'ipaplatform'

/var/log/httpd/error_log from the first replica:

[Thu Dec 06 08:17:17.138321 2018] [:warn] [pid 14292] [client 10.1.132.31:44768] failed to set perms (3140) on file (/var/run/ipa/ccaches/gr...@production.efilm.com)!, referer: https://ef-idm01.production.efilm.com/ipa/xml
[Thu Dec 06 08:17:17.154228 2018] [:error] [pid 13610] ipa: INFO: [jsonserver_session] gr...@production.efilm.com: ping(): SUCCESS
[Thu Dec 06 08:17:17.165320 2018] [:warn] [pid 14292] [client 10.1.132.31:44768] failed to set perms (3140) on file (/var/run/ipa/ccaches/gr...@production.efilm.com)!, referer: https://ef-idm01.production.efilm.com/ipa/xml
[Thu Dec 06 08:17:17.178384 2018] [:error] [pid 13609] ipa: INFO: [jsonserver_session] gr...@production.efilm.com: command_defaults/1(u'user_add/1', params=(u'cn',), kw={u'givenname': u'Wiki', u'sn': u'User22'}, version=u'2.228'): SUCCESS
[Thu Dec 06 08:17:43.935632 2018] [:warn] [pid 14292] [client 10.1.132.31:44768] failed to set perms (3140) on file (/var/run/ipa/ccaches/gr...@production.efilm.com)!, referer: https://ef-idm01.production.efilm.com/ipa/xml
[Thu Dec 06 08:17:44.109673 2018] [:error] [pid 13610] ipa: INFO: [jsonserver_session] gr...@production.efilm.com: user_add/1(u'wikiuser22', givenname=u'Wiki', sn=u'User22', homedirectory=u'/home/wikiuser22', loginshell=u'/bin/tcsh', mail=(u'grant.jans...@efilm.com',), userpassword=u'********', gidnumber=1110, version=u'2.228'): SUCCESS

I see an indication of “NO AUTH DATA”, but I can pull a ticket on the replica:

grant@ef-idm03:~[20181206-13:59][#9]$ kinit
Password for gr...@production.efilm.com: ********
grant@ef-idm03:~[20181206-13:59][#10]$ klist
Ticket cache: KEYRING:persistent:555:555
Default principal: gr...@production.efilm.com

Valid starting       Expires              Service principal
12/06/2018 13:59:56  12/07/2018 13:59:54  krbtgt/production.efilm....@production.efilm.com
grant@ef-idm03:~[20181206-13:59][#11]$

I found a reference on the mod_wsgi as it relates to IPA.
https://pagure.io/freeipa/issue/7161

The new server is a build vs the older ones upgraded to 4.5, so perhaps I have a library tug-o-war.

original master:

grant@ef-idm01:~[20181206-14:15][#764]$ ipa --version
VERSION: 4.5.0, API_VERSION: 2.228
grant@ef-idm01:~[20181206-14:15][#765]$ rpm -qa | grep mod_wsgi
mod_wsgi-3.4-12.el7_0.x86_64
grant@ef-idm01:~[20181206-14:15][#766]$

replica:

grant@ef-idm03:~[20181206-14:15][#16]$ ipa --version
VERSION: 4.5.0, API_VERSION: 2.228
grant@ef-idm03:~[20181206-14:15][#17]$ rpm -qa | grep mod_wsgi
python36u-mod_wsgi-4.6.2-1.ius.el7.x86_64
grant@ef-idm03:~[20181206-14:15][#18]$

Do you suppose that removing python36u and installing mod_wsgi-3.4-12 would remedy this issue?

Should I manually add the dnarange to idm03?

thank you - grant

> On Dec 6, 2018, at 13:35, Rob Crittenden <rcrit...@redhat.com> wrote:
>
> Ok, so this confirms the ipa-replica-manage output. These are the
> starting values which means that this server may have never allocated a
> user (even though you added one).
>
> If you want to get to the bottom of which master added the user find the
> user_add in /var/log/httpd/error_log on one of the masters. I suspect it
> was not idm03.
>
> rob
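
Added example (not part of the original thread and not FreeIPA code): one way to carry out the check suggested in the quoted reply, parsing each master's /var/log/httpd/error_log for IPA audit records and reporting which host actually executed user_add. The host names, principal, user and log lines in SAMPLE_LOGS are constructed placeholders, and the regex assumes the record shape shown in the excerpts above.

```python
import re
from datetime import datetime

# Shape of an IPA API audit record inside Apache's error_log, as in the excerpts above:
# [timestamp] [:error] [pid N] ipa: INFO: [interface] principal: command/ver(args): RESULT
AUDIT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[[^\]]*\] \[pid \d+\] (?:\[[^\]]*\] )*"
    r"ipa: INFO: \[(?P<iface>[^\]]+)\] (?P<principal>\S+): "
    r"(?P<command>\w+)(?:/\d+)?\((?P<args>.*)\): (?P<result>\S+)\s*$"
)
FIRST_ARG_RE = re.compile(r"^u?'([^']*)'")  # first positional argument, py2 or py3 repr


def find_api_calls(logs_by_host, command):
    """Return (timestamp, host, principal, first_arg, result) for each call of `command`.

    Matching on the parsed command name skips lines that only mention it, such as
    command_defaults(u'user_add/1', ...), which a plain grep for user_add also returns.
    """
    hits = []
    for host, text in logs_by_host.items():
        for line in text.splitlines():
            m = AUDIT_RE.match(line.strip())
            if not m or m.group("command") != command:
                continue
            ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S.%f %Y")
            arg = FIRST_ARG_RE.match(m.group("args"))
            hits.append((ts, host, m.group("principal"),
                         arg.group(1) if arg else None, m.group("result")))
    return sorted(hits, key=lambda h: h[:2])  # order by time, then host


# Constructed sample input: host names, principal and user are placeholders.
SAMPLE_LOGS = {
    "idm-a.example.test": """\
[Thu Dec 06 08:17:17.154228 2018] [:error] [pid 13610] ipa: INFO: [jsonserver_session] admin@EXAMPLE.TEST: ping(): SUCCESS
[Thu Dec 06 08:17:17.178384 2018] [:error] [pid 13609] ipa: INFO: [jsonserver_session] admin@EXAMPLE.TEST: command_defaults/1(u'user_add/1', params=(u'cn',), kw={u'givenname': u'Test'}, version=u'2.228'): SUCCESS
[Thu Dec 06 08:17:44.109673 2018] [:error] [pid 13610] ipa: INFO: [jsonserver_session] admin@EXAMPLE.TEST: user_add/1(u'testuser1', givenname=u'Test', sn=u'User', version=u'2.228'): SUCCESS
""",
    "idm-b.example.test": """\
[Thu Dec 06 08:17:17.119476 2018] [auth_gssapi:error] [pid 31454] [client 192.0.2.10:43394] NO AUTH DATA Client did not send any authentication headers
[Thu Dec 06 08:17:17.131890 2018] [wsgi:error] [pid 31446] [remote 192.0.2.10:43394] ModuleNotFoundError: No module named 'ipaplatform'
""",
}

if __name__ == "__main__":
    for ts, host, principal, login, result in find_api_calls(SAMPLE_LOGS, "user_add"):
        print(f"{ts.isoformat()} {host} {principal} user_add {login} -> {result}")
```

To use it on real data, read each master's error_log into the dictionary keyed by host name; a host with no hit for the command did not execute it.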