Re: [Freeipa-users] ipa host-del

2012-09-05 Thread george he
here are the new errors:
# rm /var/log/pki-ca/*
# service dirsrv restart
# service pki-cad restart
# grep -i error /var/log/pki-ca/*
/var/log/pki-ca/catalina.2012-09-05.log:WARNING: Error while removing context 
[/ca]
/var/log/pki-ca/catalina.2012-09-05.log:SEVERE: Error initializing socket 
factory
/var/log/pki-ca/catalina.2012-09-05.log:java.lang.ClassNotFoundException: Error 
loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation 
:java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
/var/log/pki-ca/catalina.2012-09-05.log:LifecycleException:  Protocol handler 
initialization failed: java.lang.ClassNotFoundException: Error loading SSL 
Implementation org.apache.tomcat.util.net.jss.JSSImplementation 
:java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
/var/log/pki-ca/catalina.2012-09-05.log:SEVERE: Error deploying web application 
directory ca
/var/log/pki-ca/catalina.out:SEVERE: Error initializing socket factory
/var/log/pki-ca/catalina.out:java.lang.ClassNotFoundException: Error loading 
SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation 
:java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
/var/log/pki-ca/catalina.out:LifecycleException:  Protocol handler 
initialization failed: java.lang.ClassNotFoundException: Error loading SSL 
Implementation org.apache.tomcat.util.net.jss.JSSImplementation 
:java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
/var/log/pki-ca/catalina.out:SEVERE: Error deploying web application directory 
ca
/var/log/pki-ca/catalina.out:SEVERE: Error initializing socket factory
/var/log/pki-ca/catalina.out:java.lang.ClassNotFoundException: Error loading 
SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation 
:java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
/var/log/pki-ca/catalina.out:LifecycleException:  Protocol handler 
initialization failed: java.lang.ClassNotFoundException: Error loading SSL 
Implementation org.apache.tomcat.util.net.jss.JSSImplementation 
:java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket




>
> From: Rob Crittenden 
>To: george he  
>Cc: John Dennis ; "freeipa-users@redhat.com" 
> 
>Sent: Tuesday, September 4, 2012 9:49 PM
>Subject: Re: [Freeipa-users] ipa host-del
> 
>george he wrote:
>> both of the commands "service dirsrv restart" and "service pki-cad
>> restart" reported:
>> stopping ... OK
>> starting ... OK
>> but host-del still has the same error.
>> More suggestions?
>
>Check the logs again. The service starting does not mean it kept running.
>
>rob
>
>> Thanks,
>> George
>>
>>     
>>     *From:* Rob Crittenden 
>>     *To:* george he 
>>     *Cc:* John Dennis ; "freeipa-users@redhat.com"
>>     
>>     *Sent:* Tuesday, September 4, 2012 4:20 PM
>>     *Subject:* Re: [Freeipa-users] ipa host-del
>>
>>     george he wrote:
>>      > I'm running centos 6.3
>>      > # uname -r
>>      > 2.6.32-279.5.2.el6.x86_64
>>      >
>>      > pki-ca: unrecognized service
>>      >
>>      > There are tons of errors in /var/log/pki-ca/*, some of them are:
>>      > /var/log/pki-ca/system:11605.main - [30/Aug/2012:16:34:56 EDT]
>>     [3] [3]
>>      > Cannot build CA chain. Error java.security.cert.CertificateException:
>>      > Certificate is not a PKCS #11 certificate
>>      > /var/log/pki-ca/system:11605.main - [30/Aug/2012:16:34:56 EDT]
>>     [13] [3]
>>      > authz instance DirAclAuthz initialization failed and skipped,
>>      > error=Property internaldb.ldapconn.port missing value
>>      > /var/log/pki-ca/system:11605.http-9445-1 - [30/Aug/2012:16:35:01 EDT]
>>      > [3] [3] Cannot build CA chain. Error
>>      > java.security.cert.CertificateException: Certificate is not a
>>     PKCS #11
>>      > certificate
>>      > /var/log/pki-ca/system:11605.http-9445-1 - [30/Aug/2012:16:35:10 EDT]
>>      > [3] [3] CASigningUnit: Object certificate not found. Error
>>      > org.mozilla.jss.crypto.ObjectNotFoundException
>>      > /var/log/pki-ca/system:3281.main - [31/Aug/2012:17:54:28 EDT] [8]
>>     [3] In
>>      > Ldap (bound) connection pool to host cushing.psych.yale.edu port
>>     7389,
>>      > Cannot connect to LDAP server. Error: netscape.ldap.LDAPException:
>>      > failed to connect to server ldap://cushing.psych.yale.edu:7389 (91)
>>      >
>>      > /var/log/pki-ca/catalina.2012-09-03.log:SEVERE: Error initializing
>>      > socket factory
>>      >
>>     /var/log/pki-ca/catalina.2012-09-03.log:java.lang.ClassNotFoundException:
>>     Error
>>      > loading SSL Implementation
>>      > org.apache.tomcat.util.net.jss.JSSImplementation
>>      > :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
>>      > /var/log/pki-ca/catalina.2012-09-03.log:LifecycleException:  Protocol
>>      > handler initialization failed: java.lang.ClassNotFoundException:
>>     Error
>>      > loading SSL Implementation

[Freeipa-users] RHEV-M + service accounts in IPA

2012-09-05 Thread Dale Macartney

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Afternoon all

I have a demo lab set up with RHEV 3.0 and IPA running on RHEL 6.3 (
ipa-server-2.2-16)

I have an api script that handles all my deployments and I am trying to
set up a role account for my script to run within a jenkins environment.

I have created an ldap sysaccount, however that doesn't appear in the
RHEV users list when I do a search. So it's clear it's looking for
specific IPA users.

Is there a way (or on the roadmap), to create service/role accounts in
IPA where the password doesn't expire?

I'm trying to avoid scenarios like this

https://access.redhat.com/knowledge/solutions/67562

Any comments / suggestions are welcome

Thanks everyone

Dale


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] RHEV-M + service accounts in IPA

2012-09-05 Thread Rob Crittenden

Dale Macartney wrote:


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Afternoon all

I have a demo lab set up with RHEV 3.0 and IPA running on RHEL 6.3 (
ipa-server-2.2-16)

I have an api script that handles all my deployments and I am trying to
set up a role account for my script to run within a jenkins environment.

I have created an ldap sysaccount, however that doesn't appear in the
RHEV users list when I do a search. So it's clear it's looking for
specific IPA users.

Is there a way (or on the roadmap), to create service/role accounts in
IPA where the password doesn't expire?

I'm trying to avoid scenarios like this

https://access.redhat.com/knowledge/solutions/67562

Any comments / suggestions are welcome

Thanks everyone

Dale



A work-around is to set krbpasswordexpiration of the user somewhere far 
in the future to prevent expiration.


We have a ticket open on this, 
https://fedorahosted.org/freeipa/ticket/2111, currently targeted for IPA 
3.3.


rob



Re: [Freeipa-users] ipa host-del

2012-09-05 Thread Rob Crittenden

george he wrote:

here are the new errors:
# rm /var/log/pki-ca/*
# service dirsrv restart
# service pki-cad restart
# grep -i error /var/log/pki-ca/*
/var/log/pki-ca/catalina.2012-09-05.log:WARNING: Error while removing
context [/ca]
/var/log/pki-ca/catalina.2012-09-05.log:SEVERE: Error initializing
socket factory
/var/log/pki-ca/catalina.2012-09-05.log:java.lang.ClassNotFoundException: Error
loading SSL Implementation
org.apache.tomcat.util.net.jss.JSSImplementation
:java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
/var/log/pki-ca/catalina.2012-09-05.log:LifecycleException:  Protocol
handler initialization failed: java.lang.ClassNotFoundException: Error
loading SSL Implementation
org.apache.tomcat.util.net.jss.JSSImplementation
:java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
/var/log/pki-ca/catalina.2012-09-05.log:SEVERE: Error deploying web
application directory ca
/var/log/pki-ca/catalina.out:SEVERE: Error initializing socket factory
/var/log/pki-ca/catalina.out:java.lang.ClassNotFoundException: Error
loading SSL Implementation
org.apache.tomcat.util.net.jss.JSSImplementation
:java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
/var/log/pki-ca/catalina.out:LifecycleException:  Protocol handler
initialization failed: java.lang.ClassNotFoundException: Error loading
SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation
:java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
/var/log/pki-ca/catalina.out:SEVERE: Error deploying web application
directory ca
/var/log/pki-ca/catalina.out:SEVERE: Error initializing socket factory
/var/log/pki-ca/catalina.out:java.lang.ClassNotFoundException: Error
loading SSL Implementation
org.apache.tomcat.util.net.jss.JSSImplementation
:java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
/var/log/pki-ca/catalina.out:LifecycleException:  Protocol handler
initialization failed: java.lang.ClassNotFoundException: Error loading
SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation
:java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket


Hmm. Is there any additional information in the debug log? Any AVCs in 
/var/log/audit/audit.log?


Have you updated any packages recently? I'm not sure why dogtag would be 
throwing this exception.


rob




*From:* Rob Crittenden 
*To:* george he 
*Cc:* John Dennis ; "freeipa-users@redhat.com"

*Sent:* Tuesday, September 4, 2012 9:49 PM
*Subject:* Re: [Freeipa-users] ipa host-del

george he wrote:
 > both of the commands "service dirsrv restart" and "service pki-cad
 > restart" reported:
 > stopping ... OK
 > starting ... OK
 > but host-del still has the same error.
 > More suggestions?

Check the logs again. The service starting does not mean it kept
running.

rob

 > Thanks,
 > George
 >
 >

 >*From:* Rob Crittenden mailto:rcrit...@redhat.com>>
 >*To:* george he mailto:george_...@yahoo.com>>
 >*Cc:* John Dennis mailto:jden...@redhat.com>>; "freeipa-users@redhat.com
"
 >mailto:freeipa-users@redhat.com>>
 >*Sent:* Tuesday, September 4, 2012 4:20 PM
 >*Subject:* Re: [Freeipa-users] ipa host-del
 >
 >george he wrote:
 >  > I'm running centos 6.3
 >  > # uname -r
 >  > 2.6.32-279.5.2.el6.x86_64
 > >
 >  > pki-ca: unrecognized service
 >  >
 >  > There are tons of errors in /var/log/pki-ca/*, some of
them are:
 >  > /var/log/pki-ca/system:11605.main - [30/Aug/2012:16:34:56 EDT]
 >[3] [3]
 >  > Cannot build CA chain. Error
java.security.cert.CertificateException:
 >  > Certificate is not a PKCS #11 certificate
 >  > /var/log/pki-ca/system:11605.main - [30/Aug/2012:16:34:56 EDT]
 >[13] [3]
 >  > authz instance DirAclAuthz initialization failed and skipped,
 >  > error=Property internaldb.ldapconn.port missing value
 >  > /var/log/pki-ca/system:11605.http-9445-1 -
[30/Aug/2012:16:35:01 EDT]
 >  > [3] [3] Cannot build CA chain. Error
 >  > java.security.cert.CertificateException: Certificate is not a
 >PKCS #11
 >  > certificate
 >  > /var/log/pki-ca/system:11605.http-9445-1 -
[30/Aug/2012:16:35:10 EDT]
 >  > [3] [3] CASigningUnit: Object certificate not found. Error
 >  > org.mozilla.jss.crypto.ObjectNotFoundException
 >  > /var/log/pki-ca/system:3281.main - [31/Aug/2012:17:54:28
EDT] [8]
 >[3] In
 >  > Ldap (bound) connection pool to host
cushing.psych.yale.edu port
 >7389,
 >  > Cannot connect to LDAP server. Error:
netscape.ldap.LDAPException:
 >  > failed to connect to

Re: [Freeipa-users] ipa host-del

2012-09-05 Thread george he
There are something like these:

type=AVC msg=audit(1346710042.243:56): avc:  denied  { execute } for  pid=4243 
comm="gdm" name="arch" dev=dm-0 ino=786829 
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1346710042.243:57): avc:  denied  { execute } for  pid=4243 
comm="gdm" name="arch" dev=dm-0 ino=786829 
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file


and some others like these:
type=AVC msg=audit(1346838993.154:2567): avc:  denied  { search } for  
pid=17155 comm="java" name="gridengine" dev=dm-0 ino=391879 
scontext=unconfined_u:system_r:pki_ca_t:s0 
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1346838993.154:2568): avc:  denied  { search } for  
pid=17155 comm="java" name="gridengine" dev=dm-0 ino=391879 
scontext=unconfined_u:system_r:pki_ca_t:s0 
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir


And yes, I did yum update recently.
Where else should I look?
Thanks,
George



>
> From: Rob Crittenden 
>To: george he  
>Cc: Ade Lee ; "freeipa-users@redhat.com" 
> 
>Sent: Wednesday, September 5, 2012 8:40 AM
>Subject: Re: [Freeipa-users] ipa host-del
> 
>george he wrote:
>> here are the new errors:
>> # rm /var/log/pki-ca/*
>> # service dirsrv restart
>> # service pki-cad restart
>> # grep -i error /var/log/pki-ca/*
>> /var/log/pki-ca/catalina.2012-09-05.log:WARNING: Error while removing
>> context [/ca]
>> /var/log/pki-ca/catalina.2012-09-05.log:SEVERE: Error initializing
>> socket factory
>> /var/log/pki-ca/catalina.2012-09-05.log:java.lang.ClassNotFoundException: 
>> Error
>> loading SSL Implementation
>> org.apache.tomcat.util.net.jss.JSSImplementation
>> :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
>> /var/log/pki-ca/catalina.2012-09-05.log:LifecycleException:  Protocol
>> handler initialization failed: java.lang.ClassNotFoundException: Error
>> loading SSL Implementation
>> org.apache.tomcat.util.net.jss.JSSImplementation
>> :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
>> /var/log/pki-ca/catalina.2012-09-05.log:SEVERE: Error deploying web
>> application directory ca
>> /var/log/pki-ca/catalina.out:SEVERE: Error initializing socket factory
>> /var/log/pki-ca/catalina.out:java.lang.ClassNotFoundException: Error
>> loading SSL Implementation
>> org.apache.tomcat.util.net.jss.JSSImplementation
>> :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
>> /var/log/pki-ca/catalina.out:LifecycleException:  Protocol handler
>> initialization failed: java.lang.ClassNotFoundException: Error loading
>> SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation
>> :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
>> /var/log/pki-ca/catalina.out:SEVERE: Error deploying web application
>> directory ca
>> /var/log/pki-ca/catalina.out:SEVERE: Error initializing socket factory
>> /var/log/pki-ca/catalina.out:java.lang.ClassNotFoundException: Error
>> loading SSL Implementation
>> org.apache.tomcat.util.net.jss.JSSImplementation
>> :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
>> /var/log/pki-ca/catalina.out:LifecycleException:  Protocol handler
>> initialization failed: java.lang.ClassNotFoundException: Error loading
>> SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation
>> :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
>
>Hmm. Is there any additional information in the debug log? Any AVCs in 
>/var/log/audit/audit.log?
>
>Have you updated any packages recently? I'm not sure why dogtag would be 
>throwing this exception.
>
>rob
>
>>
>>     
>>     *From:* Rob Crittenden 
>>     *To:* george he 
>>     *Cc:* John Dennis ; "freeipa-users@redhat.com"
>>     
>>     *Sent:* Tuesday, September 4, 2012 9:49 PM
>>     *Subject:* Re: [Freeipa-users] ipa host-del
>>
>>     george he wrote:
>>      > both of the commands "service dirsrv restart" and "service pki-cad
>>      > restart" reported:
>>      > stopping ... OK
>>      > starting ... OK
>>      > but host-del still has the same error.
>>      > More suggestions?
>>
>>     Check the logs again. The service starting does not mean it kept
>>     running.
>>
>>     rob
>>
>>      > Thanks,
>>      > George
>>      >
>>      >
>>     
>>      >    *From:* Rob Crittenden >     >
>>      >    *To:* george he >     >
>>      >    *Cc:* John Dennis >     >; "freeipa-users@redhat.com
>>     "
>>      >    mailto:freeipa-users@redhat.com>>
>>      >    *Sent:* Tuesday, September 4, 2012 4:20 PM
>>      >    *Subject:* Re: [Freeipa-users] ipa host-del
>>      >
>>      >    george he wrot
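An added example, not from the thread or the FreeIPA project: a small Python triage of audit.log lines of the kind posted above. It parses each AVC record, keeps only denials whose source domain is pki_ca_t (the CA's Tomcat process), collapses repeats, and counts everything else per source domain so the gdm/xdm_t denials show up as unrelated noise instead of being mixed in. The sample lines are constructed from the ones in the post (the SYSCALL record is added to show non-AVC lines are skipped); the function names are mine. The separate home_dir_targets() check reflects my reading of the pki_ca_t record: a confined daemon being denied search on a user_home_t directory called gridengine points at something in the daemon's environment or configuration reaching into a home directory, which is worth finding before anyone loosens policy for it.

```python
import re
from collections import Counter

# Constructed sample, modelled on the AVC lines posted in the thread (it is not
# the poster's audit.log). The SYSCALL record shows that non-AVC lines are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1346710042.243:56): avc:  denied  { execute } for  pid=4243 comm="gdm" name="arch" dev=dm-0 ino=786829 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1346838993.154:2567): avc:  denied  { search } for  pid=17155 comm="java" name="gridengine" dev=dm-0 ino=391879 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1346838993.154:2568): avc:  denied  { search } for  pid=17155 comm="java" name="gridengine" dev=dm-0 ino=391879 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1346838993.154:2568): arch=c000003e syscall=4 success=no exit=-13 comm="java"
"""

AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<decision>denied|granted)\s+\{ (?P<perms>[^}]*?) \} for\s+(?P<rest>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one audit line. Returns a dict for AVC records, None for anything else."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    rec['ts'] = float(m.group('ts'))
    rec['serial'] = int(m.group('serial'))
    rec['decision'] = m.group('decision')
    rec['perms'] = m.group('perms').split()
    # A context is user:role:type[:range]; the type is the third component.
    rec['sdomain'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec


def triage(log_text, domain):
    """Separate denials raised by processes in `domain` from everything else.

    Denials for the domain are collapsed on (permissions, comm, object name,
    object class, target type) and counted, so the two identical pki_ca_t
    records become one entry with count 2. Other denials are summarised per
    source domain so the noise (here gdm in xdm_t) stays visible but apart.
    """
    relevant = Counter()
    unrelated = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['decision'] != 'denied':
            continue
        if rec['sdomain'] == domain:
            key = (' '.join(rec['perms']), rec.get('comm'), rec.get('name'),
                   rec['tclass'], rec['ttype'])
            relevant[key] += 1
        else:
            unrelated[rec['sdomain']] += 1
    return {'relevant': dict(relevant), 'unrelated': dict(unrelated)}


def home_dir_targets(triage_result):
    """Denials whose target is labelled user_home_t. A confined daemon reaching
    into a home directory is usually a path or environment problem on the
    daemon's side, not a reason to loosen the policy."""
    return {k: n for k, n in triage_result['relevant'].items() if k[4] == 'user_home_t'}


if __name__ == '__main__':
    result = triage(SAMPLE_AUDIT_LOG, 'pki_ca_t')
    for key, n in result['relevant'].items():
        print('%dx pki_ca_t denied {%s} comm=%s name=%s tclass=%s target=%s' % ((n,) + key))
    print('other domains:', result['unrelated'])
    print('home-directory targets:', home_dir_targets(result))
```

Run it against a real file with `triage(open('/var/log/audit/audit.log').read(), 'pki_ca_t')`; the per-domain counts in `unrelated` are a quick way to confirm whether the CA's own denials are the only ones that matter for the problem at hand.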

Re: [Freeipa-users] RHEV-M + service accounts in IPA

2012-09-05 Thread Dale Macartney

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


On 05/09/12 13:39, Rob Crittenden wrote:
> Dale Macartney wrote:
>>
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA1
>>
>> Afternoon all
>>
>> I have a demo lab set up with RHEV 3.0 and IPA running on RHEL 6.3 (
>> ipa-server-2.2-16)
>>
>> I have an api script that handles all my deployments and I am trying to
>> set up a role account for my script to run within a jenkins environment.
>>
>> I have created an ldap sysaccount, however that doesn't appear in the
>> RHEV users list when I do a search. So it's clear it's looking for
>> specific IPA users.
>>
>> Is there a way (or on the roadmap), to create service/role accounts in
>> IPA where the password doesn't expire?
>>
>> I'm trying to avoid scenarios like this
>>
>> https://access.redhat.com/knowledge/solutions/67562
>>
>> Any comments / suggestions are welcome
>>
>> Thanks everyone
>>
>> Dale
>>
>
> A work-around is to set krbpasswordexpiration of the user somewhere
far in the future to prevent expiration.
That'll work. Do I need to do anything fancy though? I tried running
the below on a new user called rhev-build but it keeps erroring out. I
know I have a current TGT otherwise I wouldn't be able to add the user
in the first place.

[root@ds01 ~]# ipa user-mod rhev-build
--setattr=krbPasswordExpiration=20131231011529Z
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
'krbPasswordExpiration' attribute of entry
'uid=rhev-build,cn=users,cn=accounts,dc=example,dc=com'.
[root@ds01 ~]#

>
> We have a ticket open on this,
https://fedorahosted.org/freeipa/ticket/2111, currently targeted for IPA
3.3.
Good to know it's on its way. This is a demo lab so setting a long
password expiry addresses my needs.
>
> rob




Re: [Freeipa-users] ipa host-del

2012-09-05 Thread Ade Lee
The logs seem to show that the CA cannot find JSS.

What versions of the following are on your system?
pki-ca, pki-common, jss, nss, tomcat6, tomcat, java

Is this a system that was working and now fails to work?  Or is this a
new instance?

Ade
On Wed, 2012-09-05 at 06:41 -0700, george he wrote:
> There are something like these:
> 
> type=AVC msg=audit(1346710042.243:56): avc:  denied  { execute } for
> pid=4243 comm="gdm" name="arch" dev=dm-0 ino=786829
> scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
> tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
> type=AVC msg=audit(1346710042.243:57): avc:  denied  { execute } for
> pid=4243 comm="gdm" name="arch" dev=dm-0 ino=786829
> scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
> tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
> 
> 
> 
> and some others like these:
> type=AVC msg=audit(1346838993.154:2567): avc:  denied  { search } for
> pid=17155 comm="java" name="gridengine" dev=dm-0 ino=391879
> scontext=unconfined_u:system_r:pki_ca_t:s0
> tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
> type=AVC msg=audit(1346838993.154:2568): avc:  denied  { search } for
> pid=17155 comm="java" name="gridengine" dev=dm-0 ino=391879
> scontext=unconfined_u:system_r:pki_ca_t:s0
> tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
> 
> 
> 
> And yes, I did yum update recently.
> Where else should I look?
> Thanks,
> George
> 
> 
> __
> From: Rob Crittenden 
> To: george he  
> Cc: Ade Lee ; "freeipa-users@redhat.com"
>  
> Sent: Wednesday, September 5, 2012 8:40 AM
> Subject: Re: [Freeipa-users] ipa host-del
> 
> 
> george he wrote:
> > here are the new errors:
> > # rm /var/log/pki-ca/*
> > # service dirsrv restart
> > # service pki-cad restart
> > # grep -i error /var/log/pki-ca/*
> > /var/log/pki-ca/catalina.2012-09-05.log:WARNING: Error while
> removing
> > context [/ca]
> > /var/log/pki-ca/catalina.2012-09-05.log:SEVERE: Error
> initializing
> > socket factory
> > 
> /var/log/pki-ca/catalina.2012-09-05.log:java.lang.ClassNotFoundException: 
> Error
> > loading SSL Implementation
> > org.apache.tomcat.util.net.jss.JSSImplementation
> > :java.lang.ClassNotFoundException:
> org.mozilla.jss.ssl.SSLSocket
> > /var/log/pki-ca/catalina.2012-09-05.log:LifecycleException:
> Protocol
> > handler initialization failed:
> java.lang.ClassNotFoundException: Error
> > loading SSL Implementation
> > org.apache.tomcat.util.net.jss.JSSImplementation
> > :java.lang.ClassNotFoundException:
> org.mozilla.jss.ssl.SSLSocket
> > /var/log/pki-ca/catalina.2012-09-05.log:SEVERE: Error
> deploying web
> > application directory ca
> > /var/log/pki-ca/catalina.out:SEVERE: Error initializing
> socket factory
> > /var/log/pki-ca/catalina.out:java.lang.ClassNotFoundException: Error
> > loading SSL Implementation
> > org.apache.tomcat.util.net.jss.JSSImplementation
> > :java.lang.ClassNotFoundException:
> org.mozilla.jss.ssl.SSLSocket
> > /var/log/pki-ca/catalina.out:LifecycleException:  Protocol
> handler
> > initialization failed: java.lang.ClassNotFoundException:
> Error loading
> > SSL Implementation
> org.apache.tomcat.util.net.jss.JSSImplementation
> > :java.lang.ClassNotFoundException:
> org.mozilla.jss.ssl.SSLSocket
> > /var/log/pki-ca/catalina.out:SEVERE: Error deploying web
> application
> > directory ca
> > /var/log/pki-ca/catalina.out:SEVERE: Error initializing
> socket factory
> > /var/log/pki-ca/catalina.out:java.lang.ClassNotFoundException: Error
> > loading SSL Implementation
> > org.apache.tomcat.util.net.jss.JSSImplementation
> > :java.lang.ClassNotFoundException:
> org.mozilla.jss.ssl.SSLSocket
> > /var/log/pki-ca/catalina.out:LifecycleException:  Protocol
> handler
> > initialization failed: java.lang.ClassNotFoundException:
> Error loading
> > SSL Implementation
> org.apache.tomcat.util.net.jss.JSSImplementation
> > :java.lang.ClassNotFoundException:
> org.mozilla.jss.ssl.SSLSocket
> 
> Hmm. Is there any additional information in the debug log? Any
> AVCs in 
> /var/log/audit/audit.log?
> 
> Have you updated any packages recently? I'm not sure why
> dogtag would be 
> throwing this exception.
> 
> rob
> 
> >
> >
> 
> 
> >*From:* Rob Critt

Re: [Freeipa-users] RHEV-M + service accounts in IPA

2012-09-05 Thread Rob Crittenden

Dale Macartney wrote:


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


On 05/09/12 13:39, Rob Crittenden wrote:

Dale Macartney wrote:


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Afternoon all

I have a demo lab set up with RHEV 3.0 and IPA running on RHEL 6.3 (
ipa-server-2.2-16)

I have an api script that handles all my deployments and I am trying to
set up a role account for my script to run within a jenkins environment.

I have created an ldap sysaccount, however that doesn't appear in the
RHEV users list when I do a search. So it's clear it's looking for
specific IPA users.

Is there a way (or on the roadmap), to create service/role accounts in
IPA where the password doesn't expire?

I'm trying to avoid scenarios like this

https://access.redhat.com/knowledge/solutions/67562

Any comments / suggestions are welcome

Thanks everyone

Dale



A work-around is to set krbpasswordexpiration of the user somewhere

far in the future to prevent expiration.
That'll work. Do I need to do anything fancy though? I tried running
the below on a new user called rhev-build but it keeps erroring out. I
know I have a current TGT otherwise I wouldn't be able to add the user
in the first place.

[root@ds01 ~]# ipa user-mod rhev-build
--setattr=krbPasswordExpiration=20131231011529Z
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
'krbPasswordExpiration' attribute of entry
'uid=rhev-build,cn=users,cn=accounts,dc=example,dc=com'.
[root@ds01 ~]#


We don't let admins muck with the expiration date. Please file an RFE 
ticket if you'd like that capability.


You'll have to resort to ldapmodify:

$ ldapmodify -x -D 'cn=directory manager' -W
Enter LDAP Password:
dn: uid=tuser1,cn=users,cn=accounts,dc=example,dc=com
changetype: modify
replace: krbPasswordExpiration
krbPasswordExpiration: 20131231011529Z

modifying entry "uid=tuser1,cn=users,cn=accounts,dc=example,dc=com"

You might want to consider 2037 as the year. 2014 will be here before 
you know it.


rob





We have a ticket open on this,

https://fedorahosted.org/freeipa/ticket/2111, currently targeted for IPA
3.3.
Good to know it's on its way. This is a demo lab so setting a long
password expiry addresses my needs.


rob





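An added example, not from Rob's post or the FreeIPA project: a small Python helper that builds the ldapmodify input shown above for a given account and expiry date, and refuses dates past 2038-01-19T03:14:07Z. That is the upper bound of a signed 32-bit Kerberos timestamp, and my assumption is that this is why 2037 rather than some later year is suggested; the thread itself only gives the year. The account name rhev-build and the base DN dc=example,dc=com come from the thread, the function names are mine. Two caveats a practitioner would want: writing as cn=directory manager deliberately bypasses the IPA access controls that stopped the ipa user-mod call, so the change should be recorded somewhere, and the uid is RFC 4514-escaped before it is placed in the DN so an unusual account name cannot produce a malformed or different DN.

```python
from datetime import datetime, timezone

# Upper bound of a signed 32-bit Kerberos timestamp (krb5_timestamp), i.e.
# 2038-01-19T03:14:07Z. That this is the reason for the "2037" advice is this
# example's assumption, not something the thread states.
KRB5_TIMESTAMP_MAX = 2**31 - 1


def generalized_time(dt):
    """Render an aware datetime as the LDAP GeneralizedTime IPA stores,
    e.g. 20131231011529Z."""
    return dt.astimezone(timezone.utc).strftime('%Y%m%d%H%M%SZ')


def parse_generalized_time(s):
    """Inverse of generalized_time(), for checking what the entry holds now."""
    return datetime.strptime(s, '%Y%m%d%H%M%SZ').replace(tzinfo=timezone.utc)


def fits_krb5_timestamp(dt):
    """True if the instant is representable as a signed 32-bit Kerberos timestamp."""
    return 0 <= int(dt.astimezone(timezone.utc).timestamp()) <= KRB5_TIMESTAMP_MAX


def escape_rdn_value(value):
    """Escape an RDN attribute value per RFC 4514, so a uid containing ',' or
    '+' cannot split or extend the DN."""
    out = ''.join('\\' + c if c in '\\,+"<>;=' else c for c in value)
    if value[:1] in ('#', ' '):
        out = '\\' + out
    if value.endswith(' '):
        out = out[:-1] + '\\ '
    return out.replace('\x00', '\\00')


def expiry_ldif(uid, base_dn, expiry):
    """Build the ldapmodify input that sets krbPasswordExpiration on an IPA user.

    Refuses an expiry past the 32-bit Kerberos limit: a value the KDC cannot
    represent is worse than one that merely needs renewing in 2037.
    """
    if not fits_krb5_timestamp(expiry):
        raise ValueError('%s does not fit a 32-bit Kerberos timestamp; use 2037 or earlier'
                         % generalized_time(expiry))
    dn = 'uid=%s,cn=users,cn=accounts,%s' % (escape_rdn_value(uid), base_dn)
    return ('dn: %s\n'
            'changetype: modify\n'
            'replace: krbPasswordExpiration\n'
            'krbPasswordExpiration: %s\n' % (dn, generalized_time(expiry)))


if __name__ == '__main__':
    # Pipe the output into: ldapmodify -x -D 'cn=directory manager' -W
    print(expiry_ldif('rhev-build', 'dc=example,dc=com',
                      datetime(2037, 12, 31, 23, 59, 59, tzinfo=timezone.utc)))
```

Generating the LDIF separately from applying it keeps the Directory Manager password out of the script; the operator still types it at the ldapmodify prompt, exactly as in Rob's session above.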


Re: [Freeipa-users] ipa host-del

2012-09-05 Thread george he
This is a newly installed system. It does most of the things, but I just cannot 
del the host that I have uninstalled ipa-client, which prevents me from 
re-installing ipa-client.
Here are the versions:

pki-ca.noarch              9.0.3-24.el6
pki-common.noarch          9.0.3-24.el6
jss.x86_64                 4.2.6-22.el6
nss.x86_64                 3.13.5-1.el6_3
tomcat6.noarch             6.0.24-45.el6
java-1.5.0-gcj.x86_64      1.5.0.0-29.1.el6
java-1.6.0-openjdk.x86_64  1:1.6.0.0-1.48.1.11.3.el6_2
java_cup.x86_64            1:0.10k-5.el6
Thanks for your help.
George



>
> From: Ade Lee 
>To: george he  
>Cc: Rob Crittenden ; "freeipa-users@redhat.com" 
> 
>Sent: Wednesday, September 5, 2012 10:46 AM
>Subject: Re: [Freeipa-users] ipa host-del
> 
>The logs seem to show that the CA cannot find JSS.
>
>What versions of the following are on your system?
>pki-ca, pki-common, jss, nss, tomcat6, tomcat, java
>
>Is this a system that was working and now fails to work?  Or is this a
>new instance?
>
>Ade
>On Wed, 2012-09-05 at 06:41 -0700, george he wrote:
>> There are something like these:
>> 
>> type=AVC msg=audit(1346710042.243:56): avc:  denied  { execute } for
>> pid=4243 comm="gdm" name="arch" dev=dm-0 ino=786829
>> scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
>> tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
>> type=AVC msg=audit(1346710042.243:57): avc:  denied  { execute } for
>> pid=4243 comm="gdm" name="arch" dev=dm-0 ino=786829
>> scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
>> tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
>> 
>> 
>> 
>> and some others like these:
>> type=AVC msg=audit(1346838993.154:2567): avc:  denied  { search } for
>> pid=17155 comm="java" name="gridengine" dev=dm-0 ino=391879
>> scontext=unconfined_u:system_r:pki_ca_t:s0
>> tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
>> type=AVC msg=audit(1346838993.154:2568): avc:  denied  { search } for
>> pid=17155 comm="java" name="gridengine" dev=dm-0 ino=391879
>> scontext=unconfined_u:system_r:pki_ca_t:s0
>> tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
>> 
>> 
>> 
>> And yes, I did yum update recently.
>> Where else should I look?
>> Thanks,
>> George
>> 
>>        
>>         __
>>         From: Rob Crittenden 
>>         To: george he  
>>         Cc: Ade Lee ; "freeipa-users@redhat.com"
>>          
>>         Sent: Wednesday, September 5, 2012 8:40 AM
>>         Subject: Re: [Freeipa-users] ipa host-del
>>        
>>        
>>         george he wrote:
>>         > here are the new errors:
>>         > # rm /var/log/pki-ca/*
>>         > # service dirsrv restart
>>         > # service pki-cad restart
>>         > # grep -i error /var/log/pki-ca/*
>>         > /var/log/pki-ca/catalina.2012-09-05.log:WARNING: Error while
>>         removing
>>         > context [/ca]
>>         > /var/log/pki-ca/catalina.2012-09-05.log:SEVERE: Error
>>         initializing
>>         > socket factory
>>         > 
>>/var/log/pki-ca/catalina.2012-09-05.log:java.lang.ClassNotFoundException: 
>>Error
>>         > loading SSL Implementation
>>         > org.apache.tomcat.util.net.jss.JSSImplementation
>>         > :java.lang.ClassNotFoundException:
>>         org.mozilla.jss.ssl.SSLSocket
>>         > /var/log/pki-ca/catalina.2012-09-05.log:LifecycleException:
>>         Protocol
>>         > handler initialization failed:
>>         java.lang.ClassNotFoundException: Error
>>         > loading SSL Implementation
>>         > org.apache.tomcat.util.net.jss.JSSImplementation
>>         > :java.lang.ClassNotFoundException:
>>         org.mozilla.jss.ssl.SSLSocket
>>         > /var/log/pki-ca/catalina.2012-09-05.log:SEVERE: Error
>>         deploying web
>>         > application directory ca
>>         > /var/log/pki-ca/catalina.out:SEVERE: Error initializing
>>         socket factory
>>         > /var/log/pki-ca/catalina.out:java.lang.ClassNotFoundException: 
>>Error
>>         > loading SSL Implementation
>>         > org.apache.tomcat.util.net.jss.JSSImplementation
>>         > :java.lang.ClassNotFoundException:
>>         org.mozilla.jss.ssl.SSLSocket
>>         > /var/log/pki-ca/catalina.out:LifecycleException:  Protocol
>>         handler
>>         > initialization failed: java.lang.ClassNotFoundException:
>>         Error loading
>>         > SSL Implementation
>>         org.apache.tomcat.util.net.jss.JSSImplementation
>>         > :java.lang.ClassNotFoundException:
>>         org.mozilla.jss.ssl.SSLSocket
>>         > /var/log/pki-ca/catalina.out:SEVERE: Error deploying web
>>         application
>>         > directory ca
>>         > /var/log/pki-ca/catalina.out:SEVERE: Error initializing
>>         socket factory
>>         > /var/log/pki-ca/catalina.out:java.lang.ClassNotFoundException: 
>>Error
>>         > loading SSL Implementation
>>         > org.apache.tomcat.u

Re: [Freeipa-users] ipa host-del

2012-09-05 Thread Ade Lee
weird.  Can you try putting selinux in permissive mode, and then
restarting ipa?

On Wed, 2012-09-05 at 08:21 -0700, george he wrote:
> This is a newly installed system. It does most of the things, but I
> just cannot del the host that I have uninstalled ipa-client, which
> prevents me from re-installing ipa-client.
> Here are the versions:
> 
> pki-ca.noarch              9.0.3-24.el6
> pki-common.noarch          9.0.3-24.el6
> jss.x86_64                 4.2.6-22.el6
> nss.x86_64                 3.13.5-1.el6_3
> tomcat6.noarch             6.0.24-45.el6
> java-1.5.0-gcj.x86_64      1.5.0.0-29.1.el6
> java-1.6.0-openjdk.x86_64  1:1.6.0.0-1.48.1.11.3.el6_2
> java_cup.x86_64            1:0.10k-5.el6
> Thanks for your help.
> George
> 
> 
> __
> From: Ade Lee 
> To: george he  
> Cc: Rob Crittenden ;
> "freeipa-users@redhat.com"  
> Sent: Wednesday, September 5, 2012 10:46 AM
> Subject: Re: [Freeipa-users] ipa host-del
> 
> 
> The logs seem to show that the CA cannot find JSS.
> 
> What versions of the following are on your system?
> pki-ca, pki-common, jss, nss, tomcat6, tomcat, java
> 
> Is this a system that was working and now fails to work?  Or
> is this a
> new instance?
> 
> Ade
> On Wed, 2012-09-05 at 06:41 -0700, george he wrote:
> > There are something like these:
> > 
> > type=AVC msg=audit(1346710042.243:56): avc:  denied
> { execute } for
> > pid=4243 comm="gdm" name="arch" dev=dm-0 ino=786829
> > scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
> > tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
> > type=AVC msg=audit(1346710042.243:57): avc:  denied
> { execute } for
> > pid=4243 comm="gdm" name="arch" dev=dm-0 ino=786829
> > scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
> > tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
> > 
> > 
> > 
> > and some others like these:
> > type=AVC msg=audit(1346838993.154:2567): avc:  denied
> { search } for
> > pid=17155 comm="java" name="gridengine" dev=dm-0 ino=391879
> > scontext=unconfined_u:system_r:pki_ca_t:s0
> > tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
> > type=AVC msg=audit(1346838993.154:2568): avc:  denied
> { search } for
> > pid=17155 comm="java" name="gridengine" dev=dm-0 ino=391879
> > scontext=unconfined_u:system_r:pki_ca_t:s0
> > tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
> > 
> > 
> > 
> > And yes, I did yum update recently.
> > Where else should I look?
> > Thanks,
> > George
> > 
> >
> >
> __
> >From: Rob Crittenden 
> >To: george he  
> >Cc: Ade Lee ;
> "freeipa-users@redhat.com"
> > 
> >Sent: Wednesday, September 5, 2012 8:40 AM
> >Subject: Re: [Freeipa-users] ipa host-del
> >
> >
> >george he wrote:
> >> here are the new errors:
> >> # rm /var/log/pki-ca/*
> >> # service dirsrv restart
> >> # service pki-cad restart
> >> # grep -i error /var/log/pki-ca/*
> >> /var/log/pki-ca/catalina.2012-09-05.log:WARNING:
> Error while
> >removing
> >> context [/ca]
> >> /var/log/pki-ca/catalina.2012-09-05.log:SEVERE:
> Error
> >initializing
> >> socket factory
> >
> > 
> /var/log/pki-ca/catalina.2012-09-05.log:java.lang.ClassNotFoundException: 
> Error
> >> loading SSL Implementation
> >> org.apache.tomcat.util.net.jss.JSSImplementation
> >> :java.lang.ClassNotFoundException:
> >org.mozilla.jss.ssl.SSLSocket
> >
> > /var/log/pki-ca/catalina.2012-09-05.log:LifecycleException:
> >Protocol
> >> handler initialization failed:
> >java.lang.ClassNotFoundException: Error
> >> loading SSL Implementation
> >> org.apache.tomcat.util.net.jss.JSSImplementation
> >> :java.lang.ClassNotFoundException:
> >org.mozilla.jss.ssl.SSLSocket
> >> /var/log/pki-ca/catalina.2012-09-05.log:SEVERE:
> Error
> >deploying web
> >> application directory ca
> >> /var/log/pki-ca/catalina.out:SEVERE: Error

Re: [Freeipa-users] ipa host-del

2012-09-05 Thread John Dennis

On 09/05/2012 10:46 AM, Ade Lee wrote:

The logs seem to show that the CA cannot find JSS.

What versions of the following are on your system?
pki-ca, pki-common, jss, nss, tomcat6, tomcat, java

Is this a system that was working and now fails to work?  Or is this a
new instance?


Let's verify the link to the jss4.jar is in place. Note this is an 
x86_64 system, Mathew did make some adjustments to where native (i.e. 
arch specific) jars are located. I think it moved from /usr/lib/java to 
/usr/lib64/java. pki-create would have been modified to set up links to 
them on a new install but it's possible the links weren't updated on an 
existing install. Not sure, guessing at the moment but I think it's 
worth pursuing.


Please do this, it will list all the jars which should be visible to the 
CA tomcat instance, the jss4.jar should have a link under 
/var/lib/pki-ca/common/lib.


sudo ls -l /var/lib/pki-ca/common/lib /var/lib/pki-ca/webapps/ca/WEB-INF/lib

We want to verify none of the symbolic links listed above are dangling 
(point to a non-existent file). Pay particular attention to 
/var/lib/pki-ca/common/lib/jss4.jar, does it point to an existing file 
that's a valid jar? If not can you locate jss4.jar? Is it now under 
/var/lib64/java? If so adjust the symbolic link under 
/var/lib/pki-ca/common/lib to point to it. Do things work now after 
restarting?


John


--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
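The check John describes above, scripted, as an added example that is not code from this thread or from the pki-ca/FreeIPA packages: it walks the jar directories the CA tomcat instance sees, reports symlinks that dangle, reports link targets that are not real jars (a jar is a zip archive, so its first two bytes are "PK"), and provides a helper that repoints a dangling link at whichever candidate directory actually holds a file of that name. The instance directories are the ones from John's ls command; the candidate directories /usr/lib64/java and /usr/lib/java are the locations he guesses at, so confirm where the jars really live (for example with rpm -ql jss) before relinking.

```shell
#!/bin/sh
# Added example, not from the thread or the pki-ca packages.
# Flags dangling jar symlinks and link targets that are not zip archives,
# and repoints a dangling link at a directory that really holds the jar.

# check_jar_links DIR...  -> one report line per jar, returns 1 if any is bad
check_jar_links() {
    rc=0
    for dir in "$@"; do
        for f in "$dir"/*.jar; do
            # an unmatched glob leaves the literal pattern behind; skip it
            [ -e "$f" ] || [ -L "$f" ] || continue
            if [ -L "$f" ] && [ ! -e "$f" ]; then
                # the failure mode in the thread: link present, target gone
                echo "DANGLING  $f -> $(readlink "$f")"
                rc=1
                continue
            fi
            # a valid jar starts with the zip local-file-header magic "PK"
            if [ "$(head -c 2 "$f")" != "PK" ]; then
                echo "NOT-A-JAR $f"
                rc=1
                continue
            fi
            echo "OK        $f"
        done
    done
    return "$rc"
}

# relink_jar LINK CANDIDATE_DIR...  -> repoint LINK at the first candidate
# directory holding a regular file of the same name; returns 1 if none does.
# Candidate directories are an assumption; verify them with rpm -ql first.
relink_jar() {
    link=$1
    shift
    name=$(basename "$link")
    for cand in "$@"; do
        if [ -f "$cand/$name" ]; then
            ln -sfn "$cand/$name" "$link"
            echo "RELINKED  $link -> $cand/$name"
            return 0
        fi
    done
    echo "NO-CANDIDATE for $name in: $*" >&2
    return 1
}

# Typical use on the box from the thread (runs only when directories are given):
#   sh check_jar_links.sh /var/lib/pki-ca/common/lib /var/lib/pki-ca/webapps/ca/WEB-INF/lib
# then, after sourcing this file, for each DANGLING line:
#   relink_jar /var/lib/pki-ca/common/lib/jss4.jar /usr/lib64/java /usr/lib/java
if [ "$#" -gt 0 ]; then
    check_jar_links "$@"
fi
```

The magic-byte test matters because a link can resolve to an existing file that is still useless to tomcat (an empty placeholder, a leftover from a half-finished upgrade), which `ls -l` alone will not show. After relinking, restart the CA (service pki-cad restart) and grep the catalina logs again for ClassNotFoundException before retrying host-del.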


[Freeipa-users] netapp filer AD + ipa: possible?

2012-09-05 Thread Natxo Asenjo
hi,

the subject says it all, I guess.

I know from another thread that with nexanta it is possible using
nsswitch.conf, but I was wondering if someone (Siggi :-) ? )  has (had) this
setup working.

--
Groeten,
natxo

Re: [Freeipa-users] ipa host-del

2012-09-05 Thread george he
Thanks a lot. It's deleted now!
The .jar thing (i.e. jss4.jar, osutil.jar, and symkey.jar) was pointing to 
/usr/lib/..., but when I was struggling, I read on the web there was a post 
saying they should point to /usr/lib64/..., so I changed them. The weird thing 
is I THINK they were pointing to existing files, but now they are not. 

So I changed the links one more time to make them point to /usr/lib/..., 
restarted ipa, and host-del worked.
Thanks again, guys.
George




>
> From: John Dennis 
>To: a...@redhat.com 
>Cc: george he ; "freeipa-users@redhat.com" 
> 
>Sent: Wednesday, September 5, 2012 2:04 PM
>Subject: Re: [Freeipa-users] ipa host-del
> 
>On 09/05/2012 10:46 AM, Ade Lee wrote:
>> The logs seem to show that the CA cannot find JSS.
>> 
>> What versions of the following are on your system?
>> pki-ca, pki-common, jss, nss, tomcat6, tomcat, java
>> 
>> Is this a system that was working and now fails to work?  Or is this a
>> new instance?
>
>Let's verify the link to the jss4.jar is in place. Note this is an x86_64 
>system, Mathew did make some adjustments to where native (i.e. arch specific) 
>jars are located. I think it moved from /usr/lib/java to /usr/lib64/java. 
>pki-create would have been modified to set up links to them on a new install 
>but it's possible the links weren't updated on an existing install. Not sure, 
>guessing at the moment but I think it's worth pursuing.
>
>Please do this, it will list all the jars which should be visible to the CA 
>tomcat instance, the jss4.jar should have a link under 
>/var/lib/pki-ca/common/lib.
>
>sudo ls -l /var/lib/pki-ca/common/lib /var/lib/pki-ca/webapps/ca/WEB-INF/lib
>
>We want to verify none of the symbolic links listed above are dangling (point 
>to a non-existent file). Pay particular attention to 
>/var/lib/pki-ca/common/lib/jss4.jar, does it point to an existing file that's 
>a valid jar? If not can you locate jss4.jar? Is it now under /var/lib64/java? 
>If so adjust the symbolic link under /var/lib/pki-ca/common/lib to point to 
>it. Do things work now after restarting?
>
>John
>
>
>-- John Dennis 
>
>Looking to carve out IT costs?
>www.redhat.com/carveoutcosts/
>
>

Re: [Freeipa-users] ipa host-del

2012-09-05 Thread Rob Crittenden

george he wrote:

Thanks a lot. It's deleted now!
The .jar thing (i.e. jss4.jar, osutil.jar, and symkey.jar) was pointing
to /usr/lib/..., but when I was struggling, I read on the web there was
a post saying they should point to /usr/lib64/..., so I changed them.
The weird thing is I THINK they were pointing to existing files, but now
they are not.
So I changed the links one more time to make them point to
/usr/lib/..., restarted ipa, and host-del worked.


Glad it's working.

I just wanted to follow up on this though. The host-del failure was just 
one symptom of the problem. Eventually you'd have hit a harder wall, 
such as not being able to prepare a new replica.


regards

rob



Re: [Freeipa-users] ipa host-del

2012-09-05 Thread John Dennis

On 09/05/2012 02:40 PM, george he wrote:

Thanks a lot. It's deleted now!
The .jar thing (i.e. jss4.jar, osutil.jar, and symkey.jar) was pointing
to /usr/lib/..., but when I was struggling, I read on the web there was
a post saying they should point to /usr/lib64/..., so I changed them.
The weird thing is I THINK they were pointing to existing files, but now
they are not.
So I changed the links one more time to make them point to
/usr/lib/..., restarted ipa, and host-del worked.
Thanks again, guys.
George


Glad it's working. Obviously we would like to know how you got into this 
situation and perhaps open a bug. But unfortunately since you've 
manually changed links it's hard to know if the logic used to update an 
existing system is robust or not. I recall when the issue of where to 
locate native jars on 64bit came up there was a fair amount of back and 
forth over where things would be installed and which links to introduce. 
Unfortunately I do not recall the final resolution, it might be that the 
tomcat instances were supposed to continue to point to /usr/lib/java and 
links would be set up there to point to the 64bit version. In any event 
I don't think we can file a bug at this point, but perhaps we need to 
pay attention and see if anyone else gets bitten by this.


John




*From:* John Dennis 
*To:* a...@redhat.com
*Cc:* george he ; "freeipa-users@redhat.com"

*Sent:* Wednesday, September 5, 2012 2:04 PM
*Subject:* Re: [Freeipa-users] ipa host-del

On 09/05/2012 10:46 AM, Ade Lee wrote:
 > The logs seem to show that the CA cannot find JSS.
 >
 > What versions of the following are on your system?
 > pki-ca, pki-common, jss, nss, tomcat6, tomcat, java
 >
 > Is this a system that was working and now fails to work?  Or is
this a
 > new instance?

Let's verify the link to the jss4.jar is in place. Note this is an
x86_64 system, Mathew did make some adjustments to where native
(i.e. arch specific) jars are located. I think it moved from
/usr/lib/java to /usr/lib64/java. pki-create would have been
modified to set up links to them on a new install but it's possible
the links weren't updated on an existing install. Not sure, guessing
at the moment but I think it's worth pursuing.

Please do this, it will list all the jars which should be visible to
the CA tomcat instance, the jss4.jar should have a link under
/var/lib/pki-ca/common/lib.

sudo ls -l /var/lib/pki-ca/common/lib
/var/lib/pki-ca/webapps/ca/WEB-INF/lib

We want to verify none of the symbolic links listed above are
dangling (point to a non-existent file). Pay particular attention to
/var/lib/pki-ca/common/lib/jss4.jar, does it point to an existing
file that's a valid jar? If not can you locate jss4.jar? Is it now
under /var/lib64/java? If so adjust the symbolic link under
/var/lib/pki-ca/common/lib to point to it. Do things work now after
restarting?

John


-- John Dennis <mailto:jden...@redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



Re: [Freeipa-users] openindiana ldap client

2012-09-05 Thread Natxo Asenjo
On Sun, Sep 2, 2012 at 9:57 PM, Natxo Asenjo  wrote:

> On Sun, Sep 2, 2012 at 9:20 PM, Sigbjorn Lie  wrote:
>
>>
>>  Thanks for your tips. I think there might just be something broken with
>> the ldap/client service in openindiana. This DUAProfile thing is really
>> nice to use
>>
>>
>> Agreed, it sounds like a bug in OpenIndiana.
>>
>> That's odd. A service becomes temporarily disabled usually when a service
>> it depends on cannot start due to failed dependencies or fails to start. On
>> the SPARC platform you can boot with "boot -v" to get a verbose startup.
>> Adding "-v" to the $kernel line in GRUB manually at startup will display a
>> verbose startup on the X86 platform. Be aware, it will get really verbose.
>>
>> ok, I'll give that a try, thanks.
>
>
>> Are you using a static IP or DHCP?
>>
>
> dhcp so far, just testing. I'll try with a fixed ip. This should just work
> with dhcp too, obviously.
>

following up, using a fixed ip address 'fixed' the problem :)

no dhcp workstations with openindiana until this is 'fixed' then.

-- 
natxo

Re: [Freeipa-users] ipa host-del

2012-09-05 Thread Simo Sorce
On Wed, 2012-09-05 at 15:41 -0400, John Dennis wrote:
> On 09/05/2012 02:40 PM, george he wrote:
> > Thanks a lot. It's deleted now!
> > The .jar thing (i.e. jss4.jar, osutil.jar, and symkey.jar) was pointing
> > to /usr/lib/..., but when I was struggling, I read on the web there was
> > a post saying they should point to /usr/lib64/..., so I changed them.
> > The weird thing is I THINK they were pointing to existing files, but now
> > they are not.
> > So I changed the links one more time to make them point to
> > /usr/lib/..., restarted ipa, and host-del worked.
> > Thanks again, guys.
> > George
> 
> Glad it's working. Obviously we would like to know how you got into this 
> situation and perhaps open a bug. But unfortunately since you've 
> manually changed links it's hard to know if the logic used to update an 
> existing system is robust or not. I recall when the issue of where to 
> locate native jars on 64bit came up there was a fair amount of back and 
> forth over where things would be installed and which links to introduce. 
> Unfortunately I do not recall the final resolution, it might be that the 
> tomcat instances were supposed to continue to point to /usr/lib/java and 
> links would be set up there to point to the 64bit version. In any event 
> I don't think we can file a bug at this point, but perhaps we need to 
> pay attention and see if anyone else gets bitten by this.

I just recently had to fix this for my 'stable' install too, it seems like
we need to do better on upgrades going forward.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] ipa host-del

2012-09-05 Thread Alexander Bokovoy
I did fix this for Fedora with the F16 release in the past -- in 
/usr/libexec/freeipa-systemd-update in Fedora packages there is an elaborate 
code to handle these updates of the symlinks.
Perhaps we need to extract that part and add to RHEL6? (RHEL6 does not use 
systemd but the code for jss upgrade is the same).
-- 
/ Alexander Bokovoy

- Original Message -
> From: "george he" 
> To: "John Dennis" , a...@redhat.com
> Cc: freeipa-users@redhat.com
> Sent: Wednesday, September 5, 2012 9:40:10 PM
> Subject: Re: [Freeipa-users] ipa host-del
> 
> Thanks a lot. It's deleted now!
> The .jar thing (i.e. jss4.jar, osutil.jar, and symkey.jar) was
> pointing to /usr/lib/..., but when I was struggling, I read on the
> web there was a post saying they should point to /usr/lib64/..., so
> I changed them. The weird thing is I THINK they were pointing to
> existing files, but now they are not.
> 
> So I changed the links one more time to make them point to
> /usr/lib/..., restarted ipa, and host-del worked.
> Thanks again, guys.
> George
> 
> From: John Dennis 
> To: a...@redhat.com
> Cc: george he ; "freeipa-users@redhat.com"
> 
> Sent: Wednesday, September 5, 2012 2:04 PM
> Subject: Re: [Freeipa-users] ipa host-del
> 
> On 09/05/2012 10:46 AM, Ade Lee wrote:
> 
> Let's verify the link to the jss4.jar is in place. Note this is an
> x86_64 system, Mathew did make some adjustments to where native
> (i.e. arch specific) jars are located. I think it moved from
> /usr/lib/java to /usr/lib64/java. pki-create would have been
> modified to set up links to them on a new install but it's possible
> the links weren't updated on an existing install. Not sure, guessing
> at the moment but I think it's worth pursuing.
> 
> Please do this, it will list all the jars which should be visible to
> the CA tomcat instance, the jss4.jar should have a link under
> /var/lib/pki-ca/common/lib.
> 
> sudo ls -l /var/lib/pki-ca/common/lib
> /var/lib/pki-ca/webapps/ca/WEB-INF/lib
> 
> We want to verify none of the symbolic links listed above are
> dangling (point to a non-existent file). Pay particular attention to
> /var/lib/pki-ca/common/lib/jss4.jar, does it point to an existing
> file that's a valid jar? If not can you locate jss4.jar? Is it now
> under /var/lib64/java? If so adjust the symbolic link under
> /var/lib/pki-ca/common/lib to point to it. Do things work now after
> restarting?
> 
> John
> 
