Re: [Freeipa-users] Change Password problems (Unsupported Version)
On 28/09/2011, at 12:27 AM, Nalin Dahyabhai wrote:
>
>> Additionally, it seems some users can reset their passwords, but the error
>> still appears in the logs, and on the client software:
>>
>> Sep 27 15:08:52 ipa1 kpasswd[2630]: Unsupported version
>> Sep 27 15:09:23 ipa1 kpasswd[2633]: Unsupported version
>> Sep 27 15:09:54 ipa1 kpasswd[2637]: Password change succeeded
>
> Are the users who can change their passwords using different client
> software (specifically, versions of Kerberos, which supplies the kpasswd
> command) compared to the users who can't?

The only difference I know about is that the users who CAN change their passwords have not got an expired password (so they can log in and use kpasswd from the shell), whereas those who CANNOT change their password need to reset it before logging in (i.e., they get the 'your password has expired, reset it now' prompt, etc.).

I updated the Kerberos libraries/tools on the CentOS 6.0 box using the Continuous Release repository, and then edited the LDAP configuration to get around https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=713525, and users can now reset their passwords on that box during login and on the shell (kpasswd). I'm not sure which of these actually fixed the problem (if any). I'll continue to keep an eye on it for now.

It may be as you say, a version difference, although I'm unaware of any large differences in versions between the machines. Is Kerberos very sensitive to version changes?

> If you can get a packet capture of a client request, we can examine the
> first few bytes to check what's triggering the failure.

tcpdump says it's a V5 packet. I have captured the entire login/reset failure and can email it to you directly if you wish.

Thanks,
Raal

ZettaServe Disclaimer: This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately if you have received this email by mistake and delete this email from your system. Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. ZettaServe Pty Ltd accepts no liability for any damage caused by any virus transmitted by this email.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Certificate error when modifying/deleting a host
After talking with the PKI developer that is fixing this, I found out that one other file needs to be modified:

/var/lib/pki-ca/conf/CS.cfg

    http.port=8080
    https.port=8443

On 09/27/2011 07:55 PM, Adam Young wrote:
> Siggi,
>
> This is my comment in the ticket: https://fedorahosted.org/freeipa/ticket/1889
>
> We are working on a tool in the PKI project that will perform these steps in an automated fashion. There are three files that need to be addressed.
>
> On the Tomcat side, the files are in the Tomcat instance managed by IPA in /var/lib/pki-ca.
>
> The first is /var/lib/pki-ca/conf/server.xml
>
> It needs the addition:
>
> +
>
> You can place it around line 281, above the comment for the line
>
> name="Catalina" defaultHost="localhost">
>
> Second is: /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml
>
> For each of the filter entries it needs the code addition below:
>
> proxy_port
> 443
> +
> + proxy_port
> + 443
> +
> active
> true
>
> The third change is creating a symlink to /etc/pki-ca/proxy.conf in the directory /etc/httpd/conf.d
Re: [Freeipa-users] Certificate error when modifying/deleting a host
Siggi,

This is my comment in the ticket: https://fedorahosted.org/freeipa/ticket/1889

We are working on a tool in the PKI project that will perform these steps in an automated fashion. There are three files that need to be addressed.

On the Tomcat side, the files are in the Tomcat instance managed by IPA in /var/lib/pki-ca.

The first is /var/lib/pki-ca/conf/server.xml

It needs the addition:

+

You can place it around line 281, above the comment for the line

name="Catalina" defaultHost="localhost">

Second is: /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml

For each of the filter entries it needs the code addition below:

proxy_port
443
+
+ proxy_port
+ 443
+
active
true

The third change is creating a symlink to /etc/pki-ca/proxy.conf in the directory /etc/httpd/conf.d
Re: [Freeipa-users] Certificate error when modifying/deleting a host
On 09/27/2011 04:22 PM, Sigbjorn Lie wrote:
> On 09/27/2011 09:54 PM, Sigbjorn Lie wrote:
> > On 09/27/2011 12:34 AM, Dmitri Pal wrote:
> > > On 09/25/2011 05:49 PM, Sigbjorn Lie wrote:
> > > > Hi,
> > > >
> > > > I have a host that refuses to be modified or deleted. I get the same error from the webui and the cli. I am using F15, FreeIPA 2.1.1 + all updates from the updates repository. I cannot find any error in any log. I have tried to reboot my ipa servers. All services seem to be running and have no issues.
> > > >
> > > > The error message I receive is:
> > > > * Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)
> > > >
> > > > I have looked in the Dogtag Certificate Manager, and I can see the certificate. It's still valid, and holds the same serial number as what is displayed using ipa host-show .
> > > >
> > > > Any suggestions?
> > >
> > > Can you please send the sanitized apache logs?
> >
> > These are the apache log lines that correspond to # ipa host-disable . I have no config files in my /etc/httpd/conf.d/ directory that contain any reference to the /ca directory. Also /var/www/html/ca does not exist.
> >
> > I notice that the freeipa-server-2.1.1-1.fc15.x86_64 rpm lists a file /etc/httpd/conf.d/ipa-pki-proxy.conf. However this file does not exist on any of my 3 IPA servers.
> >
> > Should that file contain an alias and proxy rules for /ca/ ?
> >
> > error_log:
> > [Tue Sep 27 21:44:01 2011] [error] ipa: INFO: ad...@ix.test.com: ping(): SUCCESS
> > [Tue Sep 27 21:44:02 2011] [error] ipa: INFO: sslget 'https://ipasrv01.ix.TEST.com:443/ca/agent/ca/displayBySerial'
> > [Tue Sep 27 21:44:02 2011] [error] [client 192.168.210.20] File does not exist: /var/www/html/ca
> > [Tue Sep 27 21:44:02 2011] [error] ipa: INFO: ad...@ix.test.com: host_disable(u'bck01.ix.TEST.com'): CertificateOperationError
> > [Tue Sep 27 21:44:08 2011] [error] ipa: INFO: ad...@ix.test.com: ping(): SUCCESS
> > [Tue Sep 27 21:44:09 2011] [error] ipa: INFO: sslget 'https://ipasrv01.ix.TEST.com:443/ca/agent/ca/displayBySerial'
> > [Tue Sep 27 21:44:09 2011] [error] [client 192.168.210.20] File does not exist: /var/www/html/ca
> > [Tue Sep 27 21:44:09 2011] [error] ipa: INFO: ad...@ix.test.com: cert_show(u'268369923'): CertificateOperationError
> >
> > access_log:
> > 192.168.210.20 - ad...@ix.test.com [27/Sep/2011:21:44:00 +0200] "POST /ipa/xml HTTP/1.1" 200 259
> > 192.168.210.20 - - [27/Sep/2011:21:44:02 +0200] "POST /ca/agent/ca/displayBySerial HTTP/1.1" 404 314
> > 192.168.210.20 - ad...@ix.test.com [27/Sep/2011:21:44:01 +0200] "POST /ipa/xml HTTP/1.1" 200 360
> > 192.168.210.20 - ad...@ix.test.com [27/Sep/2011:21:44:07 +0200] "POST /ipa/xml HTTP/1.1" 200 259
> > 192.168.210.20 - - [27/Sep/2011:21:44:09 +0200] "POST /ca/agent/ca/displayBySerial HTTP/1.1" 404 314
> > 192.168.210.20 - ad...@ix.test.com [27/Sep/2011:21:44:08 +0200] "POST /ipa/xml HTTP/1.1" 200 360
>
> I found the missing file in /usr/share/ipa/ipa-pki-proxy.conf. I copied this file into /etc/httpd/conf.d/ipa-pki-proxy.conf. The port numbers seemed incorrect. They were pointing at ajp://localhost:9447/, which is a port that's not responding to anything. "netstat -nat" agrees...nothing there.
>
> "/etc/init.d/pki-cad status" seems to indicate that the correct port is 9443? I changed to port number 9443 in the ipa-pki-proxy.conf file, and restarted httpd. And attempted to disable the host:
>
> # ipa host-disable bck01.ix.test.com
> ipa: ERROR: Certificate format error: [Errno -8192] (SEC_ERROR_IO) An I/O error occurred during security authorization.
>
> Using Firefox to access https://ipasrv01.ix.test.com:9443/ca/agent/ca yields:
>
> Secure Connection Failed
> An error occurred during a connection to ipasrv01.ix.test.com:9443.
> SSL peer cannot verify your certificate.
> (Error code: ssl_error_bad_cert_alert)
>
> Am I heading in the incorrect direction here? Or does the pki-cad service have some cert issues?

9447 was likely the right value. I think the problem is with the Proxy configuration.

We are working on a script to upgrade a non-proxied PKI (Dogtag) to a proxied version, but the ports set in the config file need to match the ports that the pki-ca web app is using. I'm assuming from what you said above that you can talk to Dogtag directly on port 9443, but that the proxy is not set correctly for the HTTPD to AJP communication.

Have your server.xml and web.xml files in the PKI configuration been modified to listen to AJP? It should be something like:

    redirectPort="[PKI_AJP_REDIRECT_PORT]" />

in the server.xml file. The AJP port has to match what the file in /etc/httpd/conf.d/proxy.conf says. 9443 is, I think, the HTTPS port in your case, not the AJP port. AJP should be 9447.

We (Ade Lee) is working in a script to upgrade an existing Dogtag instance to use
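Adam's point is that the port in the httpd proxy file must be the AJP connector port that pki-ca's Tomcat actually exposes, not its HTTPS port. As an added example, not code from FreeIPA or Dogtag, the script below cross-checks the two files; the server.xml and proxy.conf fragments it runs on are constructed stand-ins for the real files, using the port numbers from this thread.

```python
"""Check that the AJP port httpd proxies /ca/ to is the AJP connector pki-ca exposes."""
import re
import socket
import xml.etree.ElementTree as ET

# Constructed fragment in the shape of /var/lib/pki-ca/conf/server.xml
# (assumed layout; the port numbers mirror the ones discussed in the thread).
SAMPLE_SERVER_XML = """<Server port="9701" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="9180" protocol="HTTP/1.1" redirectPort="9443" />
    <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true" />
    <Connector port="9447" protocol="AJP/1.3" redirectPort="9444" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

# Constructed fragment in the style of /etc/httpd/conf.d/ipa-pki-proxy.conf,
# pointed at the HTTPS port, i.e. the mistaken edit described in the thread.
SAMPLE_PROXY_CONF = """ProxyRequests Off
ProxyPassMatch ^/ca/ee/(.*)$ ajp://localhost:9443/ca/ee/$1
ProxyPassMatch ^/ca/agent/(.*)$ ajp://localhost:9443/ca/agent/$1
"""


def connector_ports(server_xml: str) -> dict:
    """Return {'ajp': [...], 'https': [...]} from the Tomcat <Connector> elements."""
    root = ET.fromstring(server_xml)
    ajp, https = set(), set()
    for c in root.iter("Connector"):
        port = int(c.get("port", "0"))
        if c.get("protocol", "").upper().startswith("AJP"):
            ajp.add(port)
        elif c.get("SSLEnabled", "").lower() == "true":
            https.add(port)
    return {"ajp": sorted(ajp), "https": sorted(https)}


def proxied_ajp_ports(proxy_conf: str) -> list:
    """Ports named in ajp://host:port/ targets of the httpd proxy rules."""
    return sorted({int(p) for p in re.findall(r"ajp://[^\s:/]+:(\d+)", proxy_conf)})


def check_proxy_ports(server_xml: str, proxy_conf: str) -> dict:
    """Compare what httpd proxies to against what Tomcat listens on."""
    tomcat = connector_ports(server_xml)
    httpd = proxied_ajp_ports(proxy_conf)
    findings = []
    if not tomcat["ajp"]:
        findings.append("server.xml declares no AJP/1.3 connector; the httpd proxy has nothing to talk to")
    for port in httpd:
        if port in tomcat["ajp"]:
            continue
        if port in tomcat["https"]:
            # AJP framing sent to a TLS listener fails at the handshake, which the
            # IPA client surfaces as an NSS I/O error rather than a clear message.
            findings.append(f"httpd proxies to {port}, which is Tomcat's HTTPS connector, not AJP (AJP is on {tomcat['ajp']})")
        else:
            findings.append(f"httpd proxies to {port}, which no Tomcat connector uses (AJP is on {tomcat['ajp']})")
    return {"tomcat_ajp": tomcat["ajp"], "httpd_ajp": httpd, "findings": findings}


def port_is_listening(port: int, host: str = "localhost", timeout: float = 0.5) -> bool:
    """The netstat check from the thread, done as a connect test against the local port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    result = check_proxy_ports(SAMPLE_SERVER_XML, SAMPLE_PROXY_CONF)
    for line in result["findings"] or ["proxy and connector ports agree"]:
        print(line)
    for port in result["tomcat_ajp"]:
        print(f"AJP port {port} listening locally: {port_is_listening(port)}")
```

On a real server, read the two files from the paths named in the thread and pass their contents in place of the constructed samples.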
Re: [Freeipa-users] Certificate error when modifying/deleting a host
On 09/27/2011 10:46 PM, Simo Sorce wrote:
> On Tue, 2011-09-27 at 22:22 +0200, Sigbjorn Lie wrote:
> > On 09/27/2011 09:54 PM, Sigbjorn Lie wrote:
> > > On 09/27/2011 12:34 AM, Dmitri Pal wrote:
> > > > On 09/25/2011 05:49 PM, Sigbjorn Lie wrote:
> > > > > Hi,
> > > > >
> > > > > I have a host that refuses to be modified or deleted. I get the same error from the webui and the cli. I am using F15, FreeIPA 2.1.1 + all updates from the updates repository. I cannot find any error in any log. I have tried to reboot my ipa servers. All services seem to be running and have no issues.
> > > > >
> > > > > The error message I receive is:
> > > > > * Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)
> > > > >
> > > > > I have looked in the Dogtag Certificate Manager, and I can see the certificate. It's still valid, and holds the same serial number as what is displayed using ipa host-show.
> > > > >
> > > > > Any suggestions?
> > > >
> > > > Can you please send the sanitized apache logs?
> > >
> > > These are the apache log lines that correspond to # ipa host-disable . I have no config files in my /etc/httpd/conf.d/ directory that contain any reference to the /ca directory. Also /var/www/html/ca does not exist.
> > >
> > > I notice that the freeipa-server-2.1.1-1.fc15.x86_64 rpm lists a file /etc/httpd/conf.d/ipa-pki-proxy.conf. However this file does not exist on any of my 3 IPA servers.
> > >
> > > Should that file contain an alias and proxy rules for /ca/ ?
> > >
> > > error_log:
> > > [Tue Sep 27 21:44:01 2011] [error] ipa: INFO: ad...@ix.test.com: ping(): SUCCESS
> > > [Tue Sep 27 21:44:02 2011] [error] ipa: INFO: sslget 'https://ipasrv01.ix.TEST.com:443/ca/agent/ca/displayBySerial'
> > > [Tue Sep 27 21:44:02 2011] [error] [client 192.168.210.20] File does not exist: /var/www/html/ca
> > > [Tue Sep 27 21:44:02 2011] [error] ipa: INFO: ad...@ix.test.com: host_disable(u'bck01.ix.TEST.com'): CertificateOperationError
> > > [Tue Sep 27 21:44:08 2011] [error] ipa: INFO: ad...@ix.test.com: ping(): SUCCESS
> > > [Tue Sep 27 21:44:09 2011] [error] ipa: INFO: sslget 'https://ipasrv01.ix.TEST.com:443/ca/agent/ca/displayBySerial'
> > > [Tue Sep 27 21:44:09 2011] [error] [client 192.168.210.20] File does not exist: /var/www/html/ca
> > > [Tue Sep 27 21:44:09 2011] [error] ipa: INFO: ad...@ix.test.com: cert_show(u'268369923'): CertificateOperationError
> > >
> > > access_log:
> > > 192.168.210.20 - ad...@ix.test.com [27/Sep/2011:21:44:00 +0200] "POST /ipa/xml HTTP/1.1" 200 259
> > > 192.168.210.20 - - [27/Sep/2011:21:44:02 +0200] "POST /ca/agent/ca/displayBySerial HTTP/1.1" 404 314
> > > 192.168.210.20 - ad...@ix.test.com [27/Sep/2011:21:44:01 +0200] "POST /ipa/xml HTTP/1.1" 200 360
> > > 192.168.210.20 - ad...@ix.test.com [27/Sep/2011:21:44:07 +0200] "POST /ipa/xml HTTP/1.1" 200 259
> > > 192.168.210.20 - - [27/Sep/2011:21:44:09 +0200] "POST /ca/agent/ca/displayBySerial HTTP/1.1" 404 314
> > > 192.168.210.20 - ad...@ix.test.com [27/Sep/2011:21:44:08 +0200] "POST /ipa/xml HTTP/1.1" 200 360
> >
> > I found the missing file in /usr/share/ipa/ipa-pki-proxy.conf. I copied this file into /etc/httpd/conf.d/ipa-pki-proxy.conf. The port numbers seemed incorrect. They were pointing at ajp://localhost:9447/, which is a port that's not responding to anything. "netstat -nat" agrees...nothing there.
> >
> > "/etc/init.d/pki-cad status" seems to indicate that the correct port is 9443? I changed to port number 9443 in the ipa-pki-proxy.conf file, and restarted httpd. And attempted to disable the host:
> >
> > # ipa host-disable bck01.ix.test.com
> > ipa: ERROR: Certificate format error: [Errno -8192] (SEC_ERROR_IO) An I/O error occurred during security authorization.
> >
> > Using Firefox to access https://ipasrv01.ix.test.com:9443/ca/agent/ca yields:
> >
> > Secure Connection Failed
> > An error occurred during a connection to ipasrv01.ix.test.com:9443.
> > SSL peer cannot verify your certificate.
> > (Error code: ssl_error_bad_cert_alert)
> >
> > Am I heading in the incorrect direction here? Or does the pki-cad service have some cert issues?
>
> In order for the proxy conf to work you need to have a version of dogtag that properly supports it.
>
> What version of dogtag are you running ? (pki-* packages)
>
> Simo.

pki-setup-9.0.12-1.fc15.noarch
pki-util-9.0.12-1.fc15.noarch
pki-silent-9.0.12-1.fc15.noarch
pki-symkey-9.0.12-1.fc15.x86_64
pki-selinux-9.0.12-1.fc15.noarch
pki-java-tools-9.0.12-1.fc15.noarch
pki-ca-9.0.12-1.fc15.noarch
pki-native-tools-9.0.12-1.fc15.x86_64
pki-common-9.0.12-1.fc15.noarch
Re: [Freeipa-users] Certificate error when modifying/deleting a host
On Tue, 2011-09-27 at 22:22 +0200, Sigbjorn Lie wrote:
> On 09/27/2011 09:54 PM, Sigbjorn Lie wrote:
> > On 09/27/2011 12:34 AM, Dmitri Pal wrote:
> > > On 09/25/2011 05:49 PM, Sigbjorn Lie wrote:
> > > > Hi,
> > > >
> > > > I have a host that refuses to be modified or deleted. I get the
> > > > same error from the webui and the cli. I am using F15, FreeIPA
> > > > 2.1.1 + all updates from the updates repository. I cannot find
> > > > any error in any log. I have tried to reboot my ipa servers. All
> > > > services seem to be running and have no issues.
> > > >
> > > > The error message I receive is:
> > > > * Certificate operation cannot be completed: Unable to
> > > > communicate with CMS (Not Found)
> > > >
> > > > I have looked in the Dogtag Certificate Manager, and I can see
> > > > the certificate. It's still valid, and holds the same serial
> > > > number as what is displayed using ipa host-show .
> > > >
> > > > Any suggestions?
> > >
> > > Can you please send the sanitized apache logs?
> >
> > These are the apache log lines that correspond to # ipa host-disable
> > . I have no config files in
> > my /etc/httpd/conf.d/ directory that contain any reference to
> > the /ca directory. Also /var/www/html/ca does not exist.
> >
> > I notice that the freeipa-server-2.1.1-1.fc15.x86_64 rpm lists a
> > file /etc/httpd/conf.d/ipa-pki-proxy.conf. However this file does
> > not exist on any of my 3 IPA servers.
> >
> > Should that file contain an alias and proxy rules for /ca/ ?
> >
> > error_log:
> > [Tue Sep 27 21:44:01 2011] [error] ipa: INFO: ad...@ix.test.com: ping(): SUCCESS
> > [Tue Sep 27 21:44:02 2011] [error] ipa: INFO: sslget 'https://ipasrv01.ix.TEST.com:443/ca/agent/ca/displayBySerial'
> > [Tue Sep 27 21:44:02 2011] [error] [client 192.168.210.20] File does not exist: /var/www/html/ca
> > [Tue Sep 27 21:44:02 2011] [error] ipa: INFO: ad...@ix.test.com: host_disable(u'bck01.ix.TEST.com'): CertificateOperationError
> > [Tue Sep 27 21:44:08 2011] [error] ipa: INFO: ad...@ix.test.com: ping(): SUCCESS
> > [Tue Sep 27 21:44:09 2011] [error] ipa: INFO: sslget 'https://ipasrv01.ix.TEST.com:443/ca/agent/ca/displayBySerial'
> > [Tue Sep 27 21:44:09 2011] [error] [client 192.168.210.20] File does not exist: /var/www/html/ca
> > [Tue Sep 27 21:44:09 2011] [error] ipa: INFO: ad...@ix.test.com: cert_show(u'268369923'): CertificateOperationError
> >
> > access_log:
> > 192.168.210.20 - ad...@ix.test.com [27/Sep/2011:21:44:00 +0200] "POST /ipa/xml HTTP/1.1" 200 259
> > 192.168.210.20 - - [27/Sep/2011:21:44:02 +0200] "POST /ca/agent/ca/displayBySerial HTTP/1.1" 404 314
> > 192.168.210.20 - ad...@ix.test.com [27/Sep/2011:21:44:01 +0200] "POST /ipa/xml HTTP/1.1" 200 360
> > 192.168.210.20 - ad...@ix.test.com [27/Sep/2011:21:44:07 +0200] "POST /ipa/xml HTTP/1.1" 200 259
> > 192.168.210.20 - - [27/Sep/2011:21:44:09 +0200] "POST /ca/agent/ca/displayBySerial HTTP/1.1" 404 314
> > 192.168.210.20 - ad...@ix.test.com [27/Sep/2011:21:44:08 +0200] "POST /ipa/xml HTTP/1.1" 200 360
>
> I found the missing file in /usr/share/ipa/ipa-pki-proxy.conf. I
> copied this file into /etc/httpd/conf.d/ipa-pki-proxy.conf. The port
> numbers seemed incorrect. They were pointing at
> ajp://localhost:9447/, which is a port that's not responding to
> anything. "netstat -nat" agrees...nothing there.
>
> "/etc/init.d/pki-cad status" seems to indicate that the correct port is
> 9443? I changed to port number 9443 in the ipa-pki-proxy.conf file,
> and restarted httpd. And attempted to disable the host:
>
> # ipa host-disable bck01.ix.test.com
> ipa: ERROR: Certificate format error: [Errno -8192] (SEC_ERROR_IO) An
> I/O error occurred during security authorization.
>
> Using Firefox to access https://ipasrv01.ix.test.com:9443/ca/agent/ca
> yields:
>
> Secure Connection Failed
> An error occurred during a connection to ipasrv01.ix.test.com:9443.
> SSL peer cannot verify your certificate.
> (Error code: ssl_error_bad_cert_alert)
>
> Am I heading in the incorrect direction here? Or does the pki-cad
> service have some cert issues?

In order for the proxy conf to work you need to have a version of dogtag that properly supports it.

What version of dogtag are you running ? (pki-* packages)

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Certificate error when modifying/deleting a host
On 09/27/2011 09:54 PM, Sigbjorn Lie wrote:
> On 09/27/2011 12:34 AM, Dmitri Pal wrote:
> > On 09/25/2011 05:49 PM, Sigbjorn Lie wrote:
> > > Hi,
> > >
> > > I have a host that refuses to be modified or deleted. I get the same error from the webui and the cli. I am using F15, FreeIPA 2.1.1 + all updates from the updates repository. I cannot find any error in any log. I have tried to reboot my ipa servers. All services seem to be running and have no issues.
> > >
> > > The error message I receive is:
> > > * Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)
> > >
> > > I have looked in the Dogtag Certificate Manager, and I can see the certificate. It's still valid, and holds the same serial number as what is displayed using ipa host-show .
> > >
> > > Any suggestions?
> >
> > Can you please send the sanitized apache logs?
>
> These are the apache log lines that correspond to # ipa host-disable . I have no config files in my /etc/httpd/conf.d/ directory that contain any reference to the /ca directory. Also /var/www/html/ca does not exist.
>
> I notice that the freeipa-server-2.1.1-1.fc15.x86_64 rpm lists a file /etc/httpd/conf.d/ipa-pki-proxy.conf. However this file does not exist on any of my 3 IPA servers.
>
> Should that file contain an alias and proxy rules for /ca/ ?
>
> error_log:
> [Tue Sep 27 21:44:01 2011] [error] ipa: INFO: ad...@ix.test.com: ping(): SUCCESS
> [Tue Sep 27 21:44:02 2011] [error] ipa: INFO: sslget 'https://ipasrv01.ix.TEST.com:443/ca/agent/ca/displayBySerial'
> [Tue Sep 27 21:44:02 2011] [error] [client 192.168.210.20] File does not exist: /var/www/html/ca
> [Tue Sep 27 21:44:02 2011] [error] ipa: INFO: ad...@ix.test.com: host_disable(u'bck01.ix.TEST.com'): CertificateOperationError
> [Tue Sep 27 21:44:08 2011] [error] ipa: INFO: ad...@ix.test.com: ping(): SUCCESS
> [Tue Sep 27 21:44:09 2011] [error] ipa: INFO: sslget 'https://ipasrv01.ix.TEST.com:443/ca/agent/ca/displayBySerial'
> [Tue Sep 27 21:44:09 2011] [error] [client 192.168.210.20] File does not exist: /var/www/html/ca
> [Tue Sep 27 21:44:09 2011] [error] ipa: INFO: ad...@ix.test.com: cert_show(u'268369923'): CertificateOperationError
>
> access_log:
> 192.168.210.20 - ad...@ix.test.com [27/Sep/2011:21:44:00 +0200] "POST /ipa/xml HTTP/1.1" 200 259
> 192.168.210.20 - - [27/Sep/2011:21:44:02 +0200] "POST /ca/agent/ca/displayBySerial HTTP/1.1" 404 314
> 192.168.210.20 - ad...@ix.test.com [27/Sep/2011:21:44:01 +0200] "POST /ipa/xml HTTP/1.1" 200 360
> 192.168.210.20 - ad...@ix.test.com [27/Sep/2011:21:44:07 +0200] "POST /ipa/xml HTTP/1.1" 200 259
> 192.168.210.20 - - [27/Sep/2011:21:44:09 +0200] "POST /ca/agent/ca/displayBySerial HTTP/1.1" 404 314
> 192.168.210.20 - ad...@ix.test.com [27/Sep/2011:21:44:08 +0200] "POST /ipa/xml HTTP/1.1" 200 360

I found the missing file in /usr/share/ipa/ipa-pki-proxy.conf. I copied this file into /etc/httpd/conf.d/ipa-pki-proxy.conf. The port numbers seemed incorrect. They were pointing at ajp://localhost:9447/, which is a port that's not responding to anything. "netstat -nat" agrees...nothing there.

"/etc/init.d/pki-cad status" seems to indicate that the correct port is 9443? I changed to port number 9443 in the ipa-pki-proxy.conf file, and restarted httpd. And attempted to disable the host:

# ipa host-disable bck01.ix.test.com
ipa: ERROR: Certificate format error: [Errno -8192] (SEC_ERROR_IO) An I/O error occurred during security authorization.

Using Firefox to access https://ipasrv01.ix.test.com:9443/ca/agent/ca yields:

Secure Connection Failed
An error occurred during a connection to ipasrv01.ix.test.com:9443.
SSL peer cannot verify your certificate.
(Error code: ssl_error_bad_cert_alert)

Am I heading in the incorrect direction here? Or does the pki-cad service have some cert issues?
Re: [Freeipa-users] Certificate error when modifying/deleting a host
On 09/27/2011 12:34 AM, Dmitri Pal wrote:
> On 09/25/2011 05:49 PM, Sigbjorn Lie wrote:
> > Hi,
> >
> > I have a host that refuses to be modified or deleted. I get the same error from the webui and the cli. I am using F15, FreeIPA 2.1.1 + all updates from the updates repository. I cannot find any error in any log. I have tried to reboot my ipa servers. All services seem to be running and have no issues.
> >
> > The error message I receive is:
> > * Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)
> >
> > I have looked in the Dogtag Certificate Manager, and I can see the certificate. It's still valid, and holds the same serial number as what is displayed using ipa host-show .
> >
> > Any suggestions?
>
> Can you please send the sanitized apache logs?

These are the apache log lines that correspond to # ipa host-disable . I have no config files in my /etc/httpd/conf.d/ directory that contain any reference to the /ca directory. Also /var/www/html/ca does not exist.

I notice that the freeipa-server-2.1.1-1.fc15.x86_64 rpm lists a file /etc/httpd/conf.d/ipa-pki-proxy.conf. However this file does not exist on any of my 3 IPA servers.

Should that file contain an alias and proxy rules for /ca/ ?

error_log:
[Tue Sep 27 21:44:01 2011] [error] ipa: INFO: ad...@ix.test.com: ping(): SUCCESS
[Tue Sep 27 21:44:02 2011] [error] ipa: INFO: sslget 'https://ipasrv01.ix.TEST.com:443/ca/agent/ca/displayBySerial'
[Tue Sep 27 21:44:02 2011] [error] [client 192.168.210.20] File does not exist: /var/www/html/ca
[Tue Sep 27 21:44:02 2011] [error] ipa: INFO: ad...@ix.test.com: host_disable(u'bck01.ix.TEST.com'): CertificateOperationError
[Tue Sep 27 21:44:08 2011] [error] ipa: INFO: ad...@ix.test.com: ping(): SUCCESS
[Tue Sep 27 21:44:09 2011] [error] ipa: INFO: sslget 'https://ipasrv01.ix.TEST.com:443/ca/agent/ca/displayBySerial'
[Tue Sep 27 21:44:09 2011] [error] [client 192.168.210.20] File does not exist: /var/www/html/ca
[Tue Sep 27 21:44:09 2011] [error] ipa: INFO: ad...@ix.test.com: cert_show(u'268369923'): CertificateOperationError

access_log:
192.168.210.20 - ad...@ix.test.com [27/Sep/2011:21:44:00 +0200] "POST /ipa/xml HTTP/1.1" 200 259
192.168.210.20 - - [27/Sep/2011:21:44:02 +0200] "POST /ca/agent/ca/displayBySerial HTTP/1.1" 404 314
192.168.210.20 - ad...@ix.test.com [27/Sep/2011:21:44:01 +0200] "POST /ipa/xml HTTP/1.1" 200 360
192.168.210.20 - ad...@ix.test.com [27/Sep/2011:21:44:07 +0200] "POST /ipa/xml HTTP/1.1" 200 259
192.168.210.20 - - [27/Sep/2011:21:44:09 +0200] "POST /ca/agent/ca/displayBySerial HTTP/1.1" 404 314
192.168.210.20 - ad...@ix.test.com [27/Sep/2011:21:44:08 +0200] "POST /ipa/xml HTTP/1.1" 200 360
Re: [Freeipa-users] Change Password problems (Unsupported Version)
On Tue, Sep 27, 2011 at 03:24:24PM +0800, Goff, Raal wrote:
> My IPA 2.0 master-slave setup has been working fine up until this week when
> users started getting problems updating their password due to expiry. Users
> get the following error when using kpasswd to update their passwords:
>
> kinit: krb5_get_init_creds: Unable to reach any changepw server in realm
> EXAMPLE.COM
>
> The only error I seem to find in the logs is unhelpful:
>
> Sep 27 15:16:12 ipa1 kpasswd[2689]: Unsupported version
> Sep 27 15:16:43 ipa1 kpasswd[2692]: Unsupported version

Those correlate - the ipa_kpasswd daemon logs these messages when it sees a password-change request with an internal version number that doesn't match the version of the protocol that it handles. The client gets no reply, and because it's connectionless, it assumes that it was not able to contact a server.

> Additionally, it seems some users can reset their passwords, but the error
> still appears in the logs, and on the client software:
>
> Sep 27 15:08:52 ipa1 kpasswd[2630]: Unsupported version
> Sep 27 15:09:23 ipa1 kpasswd[2633]: Unsupported version
> Sep 27 15:09:54 ipa1 kpasswd[2637]: Password change succeeded

Are the users who can change their passwords using different client software (specifically, versions of Kerberos, which supplies the kpasswd command) compared to the users who can't?

If you can get a packet capture of a client request, we can examine the first few bytes to check what's triggering the failure.

HTH,

Nalin
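The version Nalin refers to is carried in the first bytes of every kpasswd request, which is why a capture is enough to tell which protocol version a failing client is speaking. The decoder below is an added example, not code from FreeIPA or MIT Kerberos: it reads the RFC 3244 framing of a UDP datagram and flags a version outside the two the RFC defines. The datagrams it runs on are constructed placeholders, and treating exactly those two versions as supported is an assumption about the server, not a statement of what any ipa_kpasswd build accepts.

```python
"""Decode the leading bytes of a Kerberos change-password (kpasswd) request."""
import struct

# Protocol versions defined for this framing: 0x0001 is the classic
# change-password protocol, 0xff80 the set-password extension (RFC 3244).
# Which of these a particular ipa_kpasswd build handles is an assumption here.
KNOWN_VERSIONS = {
    0x0001: "change-password (kpasswd)",
    0xFF80: "set-password (RFC 3244)",
}

HEADER = struct.Struct("!HHH")  # message length, version, AP-REQ length


def parse_kpasswd_header(datagram: bytes) -> dict:
    """Return the header fields of a UDP kpasswd request plus any framing problems.

    Over UDP the datagram starts directly with the 2-byte message length;
    a TCP stream would carry an extra 4-byte length prefix before this.
    """
    if len(datagram) < HEADER.size:
        raise ValueError("datagram too short to hold a kpasswd header")
    msg_len, version, ap_req_len = HEADER.unpack_from(datagram)
    problems = []
    if msg_len != len(datagram):
        problems.append(f"length field {msg_len} != datagram size {len(datagram)}")
    if version not in KNOWN_VERSIONS:
        # This is the case a server reports as "Unsupported version" and then
        # drops without replying, so the client sees an unreachable server.
        problems.append(f"version 0x{version:04x} is not a known kpasswd version")
    if HEADER.size + ap_req_len >= len(datagram):
        problems.append("AP-REQ length leaves no room for the KRB-PRIV part")
    return {
        "msg_len": msg_len,
        "version": version,
        "version_name": KNOWN_VERSIONS.get(version, "unsupported"),
        "ap_req_len": ap_req_len,
        "problems": problems,
    }


def build_request(version: int, ap_req: bytes, krb_priv: bytes) -> bytes:
    """Frame a request the way a client does. Used only to construct samples;
    the AP-REQ and KRB-PRIV bodies below are placeholder bytes, not real ASN.1."""
    body = struct.pack("!HH", version, len(ap_req)) + ap_req + krb_priv
    return struct.pack("!H", 2 + len(body)) + body


# Constructed samples (not captures from the thread).
GOOD_REQUEST = build_request(0x0001, b"\x6e\x04AP..", b"\x75\x04PRIV")
ODD_VERSION_REQUEST = build_request(0x0002, b"\x6e\x04AP..", b"\x75\x04PRIV")


def diagnose(datagram: bytes) -> str:
    """One-line verdict suitable for eyeballing a capture."""
    h = parse_kpasswd_header(datagram)
    if h["problems"]:
        return f"version 0x{h['version']:04x}: " + "; ".join(h["problems"])
    return (f"version 0x{h['version']:04x} ({h['version_name']}), "
            f"AP-REQ {h['ap_req_len']} bytes: looks well-formed")


if __name__ == "__main__":
    for label, pkt in (("good", GOOD_REQUEST), ("odd-version", ODD_VERSION_REQUEST)):
        print(f"{label}: {diagnose(pkt)}")
```

To use it on a real capture, feed parse_kpasswd_header the UDP payload of the client's request to port 464.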
Re: [Freeipa-users] Change Password problems (Unsupported Version)
On 09/27/2011 03:24 AM, Goff, Raal wrote:
> Hi,
>
> My IPA 2.0 master-slave setup has been working fine up until this week when
> users started getting problems updating their password due to expiry. Users
> get the following error when using kpasswd to update their passwords:
>
> kinit: krb5_get_init_creds: Unable to reach any changepw server in realm
> EXAMPLE.COM
>
> The only error I seem to find in the logs is unhelpful:
>
> Sep 27 15:16:12 ipa1 kpasswd[2689]: Unsupported version
> Sep 27 15:16:43 ipa1 kpasswd[2692]: Unsupported version
>
> Additionally, it seems some users can reset their passwords, but the error
> still appears in the logs, and on the client software:
>
> Sep 27 15:08:52 ipa1 kpasswd[2630]: Unsupported version
> Sep 27 15:09:23 ipa1 kpasswd[2633]: Unsupported version
> Sep 27 15:09:54 ipa1 kpasswd[2637]: Password change succeeded
>
> It looks like 'Unsupported version' is a reference to 'krb5_kdb_bad_version:
> Unsupported version in database entry' in the kerberos software, but I can't
> find any more information regarding it.
>
> Has anyone come across this before? Is there any way to recover from it?

Is there anything related to KRB4 around? Can it be that your client is KRB4?

> Regards,
>
> -R

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
[Freeipa-users] Change Password problems (Unsupported Version)
Hi,

My IPA 2.0 master-slave setup has been working fine up until this week when users started getting problems updating their password due to expiry. Users get the following error when using kpasswd to update their passwords:

kinit: krb5_get_init_creds: Unable to reach any changepw server in realm EXAMPLE.COM

The only error I seem to find in the logs is unhelpful:

Sep 27 15:16:12 ipa1 kpasswd[2689]: Unsupported version
Sep 27 15:16:43 ipa1 kpasswd[2692]: Unsupported version

Additionally, it seems some users can reset their passwords, but the error still appears in the logs, and on the client software:

Sep 27 15:08:52 ipa1 kpasswd[2630]: Unsupported version
Sep 27 15:09:23 ipa1 kpasswd[2633]: Unsupported version
Sep 27 15:09:54 ipa1 kpasswd[2637]: Password change succeeded

It looks like 'Unsupported version' is a reference to 'krb5_kdb_bad_version: Unsupported version in database entry' in the kerberos software, but I can't find any more information regarding it.

Has anyone come across this before? Is there any way to recover from it?

Regards,

-R