[Freeipa-users] Re: Ad user password authentication doesn't work

2019-03-06 Thread Patrick Irish via FreeIPA-users
I tried to reply earlier but the reply was rejected because of length.  Here is 
the complete log https://pastebin.com/c34RJZB2 . Let me know what else I can 
get you.
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


[Freeipa-users] Re: freeipa client on Ubuntu SSH fails

2019-03-06 Thread Alex Georgopoulos via FreeIPA-users
We have 16.04 working here.  We had to make changes to the following files:
/etc/nsswitch.conf
/etc/ipa/default.conf
/etc/krb5.conf
/etc/ldap/ldap.conf
/etc/sssd/sssd.conf
/usr/share/pam-configs/mkhomedir

If I had to guess, I'd say your nsswitch.conf is probably the issue.  Here is 
what ours looks like:
#---
passwd: compat sss
group:  compat sss
shadow: compat

hosts:  files dns
networks:   files

protocols:  db files
services:   db sss files
ethers: db files
rpc:db files

netgroup:   sss
sudoers:sss files
#---
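The nsswitch.conf above is the substance of this answer: each database line lists the sources consulted in order, and a box whose passwd and group lines never reach sss cannot resolve IPA users no matter what sssd.conf says, while `ipa user-show` (which talks to the server's HTTPS API rather than through NSS) keeps working. The script below is an added example, not part of the post above and not FreeIPA project code. It parses an nsswitch.conf and reports which databases an IPA client relies on lack sss, and flags passwd/group lines where sss is consulted before the local sources. The set of required databases is an assumption taken from the poster's working file plus automount; both sample files are constructed.

```python
"""Check an nsswitch.conf for SSSD (sss) coverage on a FreeIPA client.

Added example for this thread; not code from the post above or from
FreeIPA.  REQUIRED_SSS is an assumption: the databases the poster's
working 16.04 file routes through sss (passwd, group, netgroup, sudoers)
plus automount, which clients using IPA-managed automount maps also need.
"""

REQUIRED_SSS = ("passwd", "group", "netgroup", "sudoers", "automount")
# Databases where a local source must come before sss, so that root and
# other local accounts are resolved locally before the directory is asked.
ORDER_CHECK = ("passwd", "group")
LOCAL_SOURCES = ("files", "compat")


def parse_nsswitch(text):
    """Return {database: [source, ...]} from nsswitch.conf text.

    Comments and blank lines are skipped; action specifiers such as
    [NOTFOUND=return] are dropped because only the source order matters here.
    """
    dbs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, _, rest = line.partition(":")
        dbs[name.strip()] = [tok for tok in rest.split() if not tok.startswith("[")]
    return dbs


def check_nsswitch(text, required=REQUIRED_SSS):
    """Return a list of problems; an empty list means the file passes."""
    dbs = parse_nsswitch(text)
    problems = []
    for db in required:
        sources = dbs.get(db)
        if sources is None:
            problems.append(f"{db}: not configured at all")
        elif "sss" not in sources:
            problems.append(f"{db}: sss missing (sources: {' '.join(sources)})")
    for db in ORDER_CHECK:
        sources = dbs.get(db, [])
        if "sss" in sources:
            local = [i for i, s in enumerate(sources) if s in LOCAL_SOURCES]
            if local and min(local) > sources.index("sss"):
                problems.append(f"{db}: sss is consulted before files/compat; "
                                "local accounts should resolve first")
    return problems


# Constructed sample: the poster's working file with an automount line added.
WORKING_CONF = """\
passwd: compat sss
group:  compat sss
shadow: compat
hosts:  files dns
netgroup:   sss
sudoers:sss files
automount:  files sss
"""

# Constructed sample of a stock Ubuntu file that ipa-client-install has not
# touched: passwd and group never reach sssd, so SSH logins for IPA users fail
# even though `ipa user-show` (which talks to the server over HTTPS) works.
STOCK_CONF = """\
passwd:         compat
group:          compat
shadow:         compat
hosts:          files dns
netgroup:       nis
"""

if __name__ == "__main__":
    for label, conf in (("working", WORKING_CONF), ("stock", STOCK_CONF)):
        print(label, check_nsswitch(conf) or "OK")
```

Run it against the client's real file with `check_nsswitch(open("/etc/nsswitch.conf").read())`; an empty list means the NSS side is fine and the problem is elsewhere (sssd.conf, PAM, or the host's keytab).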


[Freeipa-users] sss_ssh_authorizedkeys returns nothing on client

2019-03-06 Thread Charles Ulrich via FreeIPA-users
Hello, good people of FreeIPA-users,

Short version:

I've run into an issue where SSH public key authentication doesn't work on 
the FreeIPA client. When I run `sss_ssh_authorizedkeys ` 
on the client, there is a brief hang (10-15 seconds, maybe?) and then it 
returns nothing. The same command run on the FreeIPA server does, however, 
correctly return the user's public key.

Long version:

The server is FreeIPA 4.6.4 on CentOS 7 (all packages up to date) with a 
one-way trust to active directory. The client is the ipa-server package version 
4.7.0 on Ubuntu 18.04. I added a user to the "Default Trust View" override and 
pasted in the public key.

The AD trust and client configuration seem to be working for the most part 
since I can log into the client with my AD username and password. It's just SSH 
public key authentication that doesn't work. As mentioned above, the 
`sss_ssh_authorizedkeys` command runs successfully on the server but not on the 
client.

From the client logs, it looks like the client is having trouble communicating 
with the server somehow. I don't see anything that looks like errors in the 
server logs. A sanitized version of the client logs at debug_level 4 is here: 
https://paste.fedoraproject.org/paste/y3nyxeb13wZMzaQNemhCNQ The sssd.conf from 
the client is here: 
https://paste.fedoraproject.org/paste/SK3qx0EcF19ggtrmssYZnw I can provide more 
detailed logs to individuals.

I double-checked the firewalls on both the client and server and it looks to me 
like all the necessary ports are open on both sides.

I have done a bunch of Googling and reading of documentation but nothing so far 
has led me in the right direction. This is something that *was* working just 
fine on a test deployment a few weeks ago. As far as I can tell, everything is 
set up the same. Is there any other information I can provide?

Thanks,
Charles


[Freeipa-users] Re: Squid proxy digest authentication

2019-03-06 Thread Edward Valley via FreeIPA-users
Ok. I'll finish some work I'm involved with right now and I'll be back. Thanks Rob.

10:59, March 5, 2019, "Rob Crittenden via FreeIPA-users":
> Edward Valley via FreeIPA-users wrote:
>> So that's the way to go. Let me read some code and I'll be back with a
>> proposal. Is that ok or should I take it to another place? Thanks for
>> your time Rob.
>
> Using this list is fine for now. If you file a PR the discussion will
> move there.
>
> rob
>
>> 11:29, March 4, 2019, "Rob Crittenden via FreeIPA-users":
>>> Edward Valley wrote:
>>>> Thank you Rob. By extending ipa-pwd-extop are you suggesting that I
>>>> modify it (of course by submitting patches) or that I use it as the
>>>> base for a new plugin? Is the latter possible without interference?
>>>> Sorry if it's a silly question, right now I really don't know anything
>>>> about 389-ds plugin architecture.
>>>
>>> It would probably be far easier to update the existing plugin, you'd
>>> just want to do a lot of due diligence about memory handling, variable
>>> re-use, etc (coverity and clang can be very helpful).
>>>
>>> rob
>>>
>>>> 10:58, March 4, 2019, "Rob Crittenden via FreeIPA-users":
>>>>> Edward Valley via FreeIPA-users wrote:
>>>>>> You're right, that's one of the options I've considered and tested,
>>>>>> but going that way I need to set up several things, use a PAC file
>>>>>> in order for Firefox and Chrome to work, take into account mobile
>>>>>> versions too, configure browsers to trust the proxy's certificate,
>>>>>> optionally install a client certificate in browsers (which Firefox
>>>>>> for Android can't do) and have the proxy verify it, among other
>>>>>> things that would require a PKI infrastructure that I'm not willing
>>>>>> to deploy (for now). Trust me, I went through all of this, and it is
>>>>>> secure enough, but it has a few pitfalls that right now (without
>>>>>> coding) there is no way to solve. But, don't you think Kerberos
>>>>>> authentication is a simpler and secure enough approach?
>>>>>>
>>>>>> For now, I'm just trying to migrate to FreeIPA (because it fits my
>>>>>> needs and I think it's a better and tightly integrated solution) an
>>>>>> existing OpenLDAP backend, which already has the required hashes and
>>>>>> an automated way of generating them every time users change their
>>>>>> passwords. Thank you very much for your time.
>>>>>
>>>>> To do this you'd need to write a 389-ds plugin to intercept the
>>>>> password change and write out the hash. You could probably extend the
>>>>> ipa-pwd-extop plugin to do this as we do something similar to keep
>>>>> the userPassword and kerberos credentials in sync.
>>>>>
>>>>> You just need to be sensitive to security issues here. Passwords are
>>>>> available in the clear only in this plugin so any mistake could
>>>>> potentially expose them.
>>>>>
>>>>> rob
>>>>>
>>>>>> 09:48, March 4, 2019, "Alexander Bokovoy via FreeIPA-users":
>>>>>>> On Mon, 04 Mar 2019, Edward Valley via FreeIPA-users wrote:
>>>>>>>> Thanks for your answer. Doing it the way you propose, squid uses
>>>>>>>> basic authentication, which exposes user names and passwords in
>>>>>>>> the network because of the simple base64 encoding.
>>>>>>>
>>>>>>> Just set up your clients to use HTTPS proxy connection in the
>>>>>>> browser.
>>>>>>> https://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connection
>>>>>>> talks about it. Both Chrome-based browsers and Firefox do work just
>>>>>>> fine with HTTPS connection to the proxy for years now.
>>>>>>>
>>>>>>> --
>>>>>>> / Alexander Bokovoy
>>>>>>> Sr. Principal Software Engineer
>>>>>>> Security / Identity Management Engineering
>>>>>>> Red Hat Limited, Finland
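The hash Edward needs to keep in step with password changes is the HTTP Digest HA1 (RFC 2617: MD5 of user:realm:password), and Rob's warning applies to it directly: HA1 is all the proxy needs to verify a user, so a file of HA1 values is password-equivalent for that realm and has to be protected like the passwords themselves. The following is an added example, not code from Squid, 389-ds or the FreeIPA ipa-pwd-extop plugin. It computes HA1 the way a password-change hook would have to, stores it in an htdigest-style user:realm:HA1 file, runs one Digest challenge/response round from the proxy's side using only the stored hash, and, for contrast, decodes a Basic header to show what Alexander's HTTPS-to-proxy advice protects. The user, realm and nonces are the RFC 2617 worked example; that Squid's digest file helper consumes this file format is an assumption.

```python
"""HTTP Digest authentication from a stored HA1, as a Squid digest helper uses it.

Added example for this thread; not code from Squid, 389-ds or FreeIPA.
digest_ha1() is the one step that needs the clear-text password and so the
only step that belongs in a password-change hook; everything after it works
from the stored hash, which is why the hash is password-equivalent.
The user:realm:HA1 file format is htdigest's; its use by Squid's helper is
assumed.  Names, realm and nonces are the RFC 2617 section 3.5 example.
"""
import base64
import hashlib
import hmac


def _md5_hex(*parts):
    return hashlib.md5(":".join(parts).encode()).hexdigest()


def digest_ha1(username, realm, password):
    """RFC 2617 HA1 = MD5(user:realm:password)."""
    return _md5_hex(username, realm, password)


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2),
    with HA2 = MD5(method:uri)."""
    ha2 = _md5_hex(method, uri)
    return _md5_hex(ha1, nonce, nc, cnonce, qop, ha2)


def load_htdigest(text):
    """Parse user:realm:HA1 lines into {(user, realm): ha1}."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, realm, ha1 = line.split(":", 2)
        table[(user, realm)] = ha1
    return table


def verify_digest(table, username, realm, method, uri, nonce, nc, cnonce, response):
    """Proxy-side check: needs only the stored HA1, never the password.
    Constant-time comparison avoids leaking how many leading bytes matched."""
    ha1 = table.get((username, realm))
    if ha1 is None:
        return False
    expected = digest_response(ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)


def basic_credentials(header_value):
    """Decode a Proxy-Authorization: Basic header.  Base64 is an encoding,
    not encryption: anyone on the path to a plaintext proxy reads this."""
    scheme, _, blob = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(blob).decode().partition(":")
    return user, password


# Constructed htdigest file, as the password-change hook would maintain it.
REALM = "testrealm@host.com"
HTDIGEST = "Mufasa:%s:%s\n" % (REALM, digest_ha1("Mufasa", REALM, "Circle Of Life"))


def demo():
    """One challenge/response round; returns (client response, proxy verdict)."""
    table = load_htdigest(HTDIGEST)
    nonce, nc, cnonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"
    # Client side: the browser has the password and derives HA1 itself.
    client_ha1 = digest_ha1("Mufasa", REALM, "Circle Of Life")
    resp = digest_response(client_ha1, "GET", "/dir/index.html", nonce, nc, cnonce)
    # Proxy side: only the htdigest table is available.
    ok = verify_digest(table, "Mufasa", REALM, "GET", "/dir/index.html",
                       nonce, nc, cnonce, resp)
    return resp, ok


if __name__ == "__main__":
    print(demo())
    print(basic_credentials("Basic " + base64.b64encode(b"alice:s3cret").decode()))
```

Two consequences follow for the plugin design: the HA1 file must be written with the same care as a shadow file (owner and mode restricted to the helper), and because Digest is bound to MD5 by the RFC, moving the browser-to-proxy leg onto TLS as Alexander suggests is what actually protects the exchange; the hash only keeps the clear-text password off the wire.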

[Freeipa-users] freeipa client on Ubuntu SSH fails

2019-03-06 Thread Will Kay via FreeIPA-users
Hi all,

Issue:
We have FreeIPA servers set up and tests are good with CentOS 7.6 clients.  We are 
trying to test Ubuntu 16.04 and 18.04 clients.  After running 
ipa-client-install, we can't SSH into the Ubuntu machines with IPA user accounts.  If 
we log in as root, `ipa user-show xxx` looks fine on the Ubuntu machines.  Where should 
we start looking from here?

Background:
One FreeIPA 4.6.4 master and two replicas set up on CentOS 7.6.1810.  All seems 
to work fine.   The `ipa user-show xxx` test works across the replicas.  I also 
have two CentOS clients installed.  SSH login and sudo command group tests are 
good.  We are very happy with the test results so far.  We just need to move on 
to client tests with Ubuntu 16.04, 18.04 and RH7.

thanks
Wil


[Freeipa-users] Re: pki-tomcatd no longer working

2019-03-06 Thread Sina Owolabi via FreeIPA-users
Ah.. the server has SELinux disabled.
Curious why it's not recreating its log directories after a restart.

On Wed, Mar 6, 2019 at 4:33 PM Rob Crittenden  wrote:
>
> Sina Owolabi via FreeIPA-users wrote:
> > Hi Rob
> >
> > Sorry I missed the full question:
> > What are the contents of /var/log/pki/pki-tomcat/ca ?
> >
> > Could it be that the CA can't write its own logs? What does the latest
> > catalina log show in the parent directory?
> >
> > /var/log/pki/pki-tomcat/ca was empty until I created
> > /var/log/pki/pki-tomcat/ca/logs and
> > /var/log/pki/pki-tomcat/ca/debug directories.
> > I don't think the ca would have trouble writing its logs, the structure
> > is all owned by pkiuser:
> > drwxrwx---. 4 pkiuser pkiuser 4096 Nov 14 08:23 /var/log/pki/pki-tomcat/ca
> >
> > Now that I think about it, I do remember some issues with runaway logs
> > filling up /var/log, and
> > I deleted some directories, and recreated them, but I don't think
> > pki-tomcat suffered then.
>
> Hard to know. If the process was already running at the time things may
> have appeared ok until it was restarted.
>
> debug is a log file, not a directory.
>
> My 4.4.4 install contains the following in /var/log/pki:
>
> drwxr-xr-x. 3 root root 21 Mar 30  2017 ./server
> drwxrwx---. 3 pkiuser pkiuser 12288 Mar  6 01:22 ./pki-tomcat
> drwxrwx---. 4 pkiuser pkiuser 4096 Feb  7 11:27 ./pki-tomcat/ca
> drwxrwx---. 2 pkiuser pkiuser 86 Dec  4 11:00 ./pki-tomcat/ca/archive
> drwxrwx---. 2 pkiuser pkiuser 84 Feb  7 11:27 ./pki-tomcat/ca/signedAudit
>
> Be sure to run restorecon -R on /var/log/pki to ensure the SELinux
> contexts are correct.
>
> rob
>
> >
> > On Tue, Mar 5, 2019 at 11:46 PM Sina Owolabi  wrote:
> >>
> >> Hi Rob
> >>
> >> Today's catalina log file writes:
> >>
> >> WARNING: Exception processing realm
> >> com.netscape.cms.tomcat.ProxyRealm@2bfea12f background process
> >> javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
> >> at 
> >> com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
> >> at 
> >> org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
> >> at 
> >> org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
> >> at 
> >> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
> >> at 
> >> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
> >> at 
> >> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
> >> at 
> >> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
> >> at java.lang.Thread.run(Thread.java:748)
> >>
> >> Mar 05, 2019 11:44:19 PM org.apache.catalina.core.ContainerBase
> >> backgroundProcess
> >> WARNING: Exception processing realm
> >> com.netscape.cms.tomcat.ProxyRealm@2bfea12f background process
> >> javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
> >> at 
> >> com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
> >> at 
> >> org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
> >> at 
> >> org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
> >> at 
> >> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
> >> at 
> >> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
> >> at 
> >> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
> >> at 
> >> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
> >> at java.lang.Thread.run(Thread.java:748)
> >>
> >> Mar 05, 2019 11:44:29 PM org.apache.catalina.core.ContainerBase
> >> backgroundProcess
> >> WARNING: Exception processing realm
> >> com.netscape.cms.tomcat.ProxyRealm@2bfea12f background process
> >> javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
> >> at 
> >> com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
> >> at 
> >> org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
> >> at 
> >> org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
> >> at 
> >> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
> >> at 
> >> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
> >> at 
> >> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
> >> at 
> >> 

[Freeipa-users] Re: replace ipa-server and relink clients on same realm

2019-03-06 Thread François Cami via FreeIPA-users
On Wed, Mar 6, 2019 at 5:52 PM Rob van Halteren via FreeIPA-users
 wrote:
>
> thanks for the response
>
> dig SRV _ldap._tcp.ipa_domain ran from a ipa-client
> ; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> SRV _ldap._tcp.ipa_domain

Can you please re-run that after replacing ipa_domain with your domain?

> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 45128
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;_ldap._tcp.ipa_domain. IN  SRV
>
> ;; AUTHORITY SECTION:
> .   10800   IN  SOA a.root-servers.net. 
> nstld.verisign-grs.com. 2019030600 1800 900 604800 86400
>
> ;; Query time: 16 msec
> ;; SERVER: 192.168.xxx.xx5#53(192.168.xxx.xx5)
> ;; WHEN: wo mrt 06 17:40:44 CET 2019
> ;; MSG SIZE  rcvd: 125
>
> 192.168.xxx.xx5 is the new ipa-master
>
> yes automount and homedirs will work when the old replica is offline, at 
> least for some hours.
> I need to check if they still do next day.

I'm asking because Firefox does not typically need DNS to start, but
having no read/write access to home would disrupt it.

We might need to know more about your setup and especially what
features of FreeIPA did you depend on for this infrastructure.

>


[Freeipa-users] Re: replace ipa-server and relink clients on same realm

2019-03-06 Thread Rob van Halteren via FreeIPA-users
thanks for the response

dig SRV _ldap._tcp.ipa_domain ran from a ipa-client
; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> SRV _ldap._tcp.ipa_domain
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 45128
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_ldap._tcp.ipa_domain. IN  SRV

;; AUTHORITY SECTION:
.   10800   IN  SOA a.root-servers.net. 
nstld.verisign-grs.com. 2019030600 1800 900 604800 86400

;; Query time: 16 msec
;; SERVER: 192.168.xxx.xx5#53(192.168.xxx.xx5)
;; WHEN: wo mrt 06 17:40:44 CET 2019
;; MSG SIZE  rcvd: 125

192.168.xxx.xx5 is the new ipa-master

yes automount and homedirs will work when the old replica is offline, at least 
for some hours.
I need to check if they still do next day.




[Freeipa-users] Re: replace ipa-server and relink clients on same realm

2019-03-06 Thread François Cami via FreeIPA-users
On Wed, Mar 6, 2019 at 5:35 PM Rob van Halteren via FreeIPA-users
 wrote:
>
> I had to replace the IPA-server due to loss of CA
>
> Original setup was that all clients were connected to a replica-server v3.0 
> on centos 6 that hosted the domain and realm OURDOMAIN.EXAMPLE
>
> I configured a new IPA-master v4.6.4 on centos 7 with the same domain,realm, 
> and id-range and reconnected all clients to the new master.
> I used ipa-client-install --uninstall , cleared /var/lib/sss/db/*, and ran 
> ipa-client-install
>
> All clients now login from the new ipa-master. All works fine as long as I 
> leave the old replica-server online. As soon as I turn it off, my clients 
> start to suffer problems after a couple of hours or the next day that
> cause several applications to stall when opening, e.g. the Firefox browser will not 
> start any more. DNS is online and resolves requests.

What does the following say:
dig SRV _ldap._tcp.ipa_domain

when both old and new instances are online?

> When I then start the old replica again all function restore almost 
> immediately as it comes online.

Is /home an NFS share mounted on these clients?

> Does someone have any idea what could be happening?
>
>
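The SRV query François asks for matters because FreeIPA clients (SSSD and the Kerberos libraries) discover servers through DNS records such as _ldap._tcp.<domain> and _kerberos._udp.<domain>; a replica that has been switched off but is still advertised there keeps being handed to clients, which fits the symptom of everything recovering the moment the old box comes back. The NXDOMAIN answer Rob posted is what dig returns when the placeholder ipa_domain is queried literally, so it says nothing yet. The following is an added example, not code from the thread or from FreeIPA: it parses dig SRV output, orders the targets the way a resolver client does (lowest priority first, then highest weight), and flags targets that are being retired. The NXDOMAIN sample is the one posted above; the successful answer and both hostnames are constructed.

```python
"""Parse `dig SRV` output and show which IPA servers clients will be sent to.

Added example for this thread; not code from the posts or from FreeIPA.
The NXDOMAIN sample is the dig output posted in the thread (the placeholder
ipa_domain was queried literally).  The NOERROR sample and the hostnames in
it are constructed.
"""
import re

STATUS_RE = re.compile(r"status: (\w+)")
# Answer-section lines look like:
#   _ldap._tcp.example.test. 86400 IN SRV 0 100 389 ipa1.example.test.
SRV_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)


def parse_dig_srv(output):
    """Return (status, records).  Records are dicts sorted as a client
    orders them: lowest priority first, then highest weight."""
    status = None
    records = []
    in_answer = False
    for line in output.splitlines():
        if "HEADER" in line:
            m = STATUS_RE.search(line)
            if m:
                status = m.group(1)
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
            continue
        if line.startswith(";;"):
            in_answer = False
            continue
        if in_answer:
            m = SRV_RE.match(line)
            if m:
                rec = {k: (int(v) if v.isdigit() else v) for k, v in m.groupdict().items()}
                rec["target"] = rec["target"].rstrip(".")
                records.append(rec)
    records.sort(key=lambda r: (r["prio"], -r["weight"]))
    return status, records


def stale_servers(records, decommissioned):
    """Targets still advertised although they are being retired."""
    retired = {h.rstrip(".").lower() for h in decommissioned}
    return [r["target"] for r in records if r["target"].lower() in retired]


def diagnose(output, decommissioned=()):
    """One-line verdict on a dig SRV answer."""
    status, records = parse_dig_srv(output)
    if status == "NXDOMAIN":
        return "NXDOMAIN: the queried name does not exist; check the domain in the query"
    if not records:
        return f"{status}: no SRV records; clients cannot discover IPA servers via DNS"
    stale = stale_servers(records, decommissioned)
    if stale:
        return "stale SRV targets still advertised: " + ", ".join(stale)
    return "ok: " + ", ".join(f"{r['target']}:{r['port']}" for r in records)


# The answer posted in the thread (placeholder queried literally).
POSTED_NXDOMAIN = """\
; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> SRV _ldap._tcp.ipa_domain
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 45128
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;_ldap._tcp.ipa_domain. IN  SRV

;; AUTHORITY SECTION:
.   10800   IN  SOA a.root-servers.net. nstld.verisign-grs.com. 2019030600 1800 900 604800 86400
"""

# Constructed answer for a real domain where the retired replica is still listed.
CONSTRUCTED_OK = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;_ldap._tcp.example.test.  IN  SRV

;; ANSWER SECTION:
_ldap._tcp.example.test. 86400 IN SRV 0 100 389 old-replica.example.test.
_ldap._tcp.example.test. 86400 IN SRV 0 100 389 new-master.example.test.

;; Query time: 1 msec
"""

if __name__ == "__main__":
    print(diagnose(POSTED_NXDOMAIN))
    print(diagnose(CONSTRUCTED_OK, ["old-replica.example.test"]))
```

Feed it the real output (`dig SRV _ldap._tcp.$(hostname -d)` from a client, and the same for _kerberos._udp) with the old replica's name in the decommissioned list; a "stale" verdict means the DNS side still has to be cleaned up before the old server can be switched off for good.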


[Freeipa-users] replace ipa-server and relink clients on same realm

2019-03-06 Thread Rob van Halteren via FreeIPA-users
I had to replace the IPA-server due to loss of CA

Original setup was that all clients were connected to a replica-server v3.0 on 
centos 6 that hosted the domain and realm OURDOMAIN.EXAMPLE

I configured a new IPA-master v4.6.4 on centos 7 with the same domain,realm, 
and id-range and reconnected all clients to the new master.
I used ipa-client-install --uninstall , cleared /var/lib/sss/db/*, and ran 
ipa-client-install

All clients now login from the new ipa-master. All works fine as long as I leave 
the old replica-server online. As soon as I turn it off, my clients start to 
suffer problems after a couple of hours or the next day that
cause several applications to stall when opening, e.g. the Firefox browser will not 
start any more. DNS is online and resolves requests.
When I then start the old replica again all functions restore almost immediately 
as it comes online.

Does someone have any idea what could be happening?



[Freeipa-users] Re: pki-tomcatd no longer working

2019-03-06 Thread Rob Crittenden via FreeIPA-users
Sina Owolabi via FreeIPA-users wrote:
> Hi Rob
> 
> Sorry I missed the full question:
> What are the contents of /var/log/pki/pki-tomcat/ca ?
> 
> Could it be that the CA can't write its own logs? What does the latest
> catalina log show in the parent directory?
> 
> /var/log/pki/pki-tomcat/ca was empty until I created
> /var/log/pki/pki-tomcat/ca/logs and
> /var/log/pki/pki-tomcat/ca/debug directories.
> I don't think the ca would have trouble writing its logs, the structure
> is all owned by pkiuser:
> drwxrwx---. 4 pkiuser pkiuser 4096 Nov 14 08:23 /var/log/pki/pki-tomcat/ca
> 
> Now that I think about it, I do remember some issues with runaway logs
> filling up /var/log, and
> I deleted some directories, and recreated them, but I don't think
> pki-tomcat suffered then.

Hard to know. If the process was already running at the time things may
have appeared ok until it was restarted.

debug is a log file, not a directory.

My 4.4.4 install contains the following in /var/log/pki:

drwxr-xr-x. 3 root root 21 Mar 30  2017 ./server
drwxrwx---. 3 pkiuser pkiuser 12288 Mar  6 01:22 ./pki-tomcat
drwxrwx---. 4 pkiuser pkiuser 4096 Feb  7 11:27 ./pki-tomcat/ca
drwxrwx---. 2 pkiuser pkiuser 86 Dec  4 11:00 ./pki-tomcat/ca/archive
drwxrwx---. 2 pkiuser pkiuser 84 Feb  7 11:27 ./pki-tomcat/ca/signedAudit

Be sure to run restorecon -R on /var/log/pki to ensure the SELinux
contexts are correct.

rob

> 
> On Tue, Mar 5, 2019 at 11:46 PM Sina Owolabi  wrote:
>>
>> Hi Rob
>>
>> Today's catalina log file writes:
>>
>> WARNING: Exception processing realm
>> com.netscape.cms.tomcat.ProxyRealm@2bfea12f background process
>> javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
>> at 
>> com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
>> at 
>> org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
>> at 
>> org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
>> at 
>> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
>> at 
>> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
>> at 
>> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
>> at 
>> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
>> at java.lang.Thread.run(Thread.java:748)
>>
>> Mar 05, 2019 11:44:19 PM org.apache.catalina.core.ContainerBase
>> backgroundProcess
>> WARNING: Exception processing realm
>> com.netscape.cms.tomcat.ProxyRealm@2bfea12f background process
>> javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
>> at 
>> com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
>> at 
>> org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
>> at 
>> org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
>> at 
>> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
>> at 
>> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
>> at 
>> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
>> at 
>> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
>> at java.lang.Thread.run(Thread.java:748)
>>
>> Mar 05, 2019 11:44:29 PM org.apache.catalina.core.ContainerBase
>> backgroundProcess
>> WARNING: Exception processing realm
>> com.netscape.cms.tomcat.ProxyRealm@2bfea12f background process
>> javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
>> at 
>> com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
>> at 
>> org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
>> at 
>> org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
>> at 
>> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
>> at 
>> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
>> at 
>> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
>> at 
>> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
>> at java.lang.Thread.run(Thread.java:748)
>>
>> Mar 05, 2019 11:44:39 PM org.apache.catalina.core.ContainerBase
>> backgroundProcess
>> WARNING: Exception processing realm
>> com.netscape.cms.tomcat.ProxyRealm@2bfea12f background process
>> javax.ws.rs.ServiceUnavailableException: 

[Freeipa-users] Re: Lost IPA master Left with replica only

2019-03-06 Thread Rob van Halteren via FreeIPA-users

Thanks for the hint.

I got stuck during the search for the needed files in 
/var/lib/pki-ca/conf/CS.cfg on the master.
In the CS.cfg file the related ca.crl items do not exist, and 
ca.listenToCloneModifications=true.
This would imply that it's not the CA master. 

Unfortunately it is the CA master.
Apart from this, I also was not able to install a CA on the replica with 
ipa-ca-install.

I abandoned the effort to promote this replica and decided to install a new 
ipa-server.

This leads to other problems for which I will open a new thread.


Regards,

Rob.

