I had this same problem. After the most recent update I was getting Authentication Failed (48) in the tomcat debug log during the database upgrade. Rolling back 389-ds-base from 1.4.3.16-16 to 1.4.3.16-13 resolved that issue. Thank you.
On Thu, Jul 1, 2021, 1:02 PM Rob Crittenden via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Tiemen Ruiten via FreeIPA-users wrote: > > Hello, > > > > On a newly installed CentOS 8 IPA master (a few days ago), the > > pki-tomcatd@pki-tomcat service fails to start and logs LDAP > > authentication failed (48) in > > /var/log/pki/pki-tomcat/ca/debug.2021-07-01.log. See below. This > > happened after I dnf upgraded the master and replica at the same time, > > my mistake. > > Try downgrading 389-ds-base. > > rob > > > > > I've gone through the troubleshooting steps described > > here: > https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/ > > but all certificates appear to be correct. > > > > What else can I do? > > > > RPM versions: > > [root@ipa-01 ca]# rpm -qa | grep ipa > > ipa-healthcheck-0.7-3.module_el8.5.0+750+c59b186b.noarch > > python3-libipa_hbac-2.4.0-9.el8_4.1.x86_64 > > sssd-ipa-2.4.0-9.el8_4.1.x86_64 > > python3-ipalib-4.9.2-4.module_el8.4.0+846+96522ed7.noarch > > ipa-server-trust-ad-4.9.2-4.module_el8.4.0+846+96522ed7.x86_64 > > centos-logos-ipa-85.8-1.el8.noarch > > ipa-healthcheck-core-0.7-3.module_el8.5.0+750+c59b186b.noarch > > ipa-client-common-4.9.2-4.module_el8.4.0+846+96522ed7.noarch > > ipa-selinux-4.9.2-4.module_el8.4.0+846+96522ed7.noarch > > ipa-server-4.9.2-4.module_el8.4.0+846+96522ed7.x86_64 > > python3-ipaclient-4.9.2-4.module_el8.4.0+846+96522ed7.noarch > > python3-ipaserver-4.9.2-4.module_el8.4.0+846+96522ed7.noarch > > ipa-server-common-4.9.2-4.module_el8.4.0+846+96522ed7.noarch > > libipa_hbac-2.4.0-9.el8_4.1.x86_64 > > ipa-common-4.9.2-4.module_el8.4.0+846+96522ed7.noarch > > ipa-server-dns-4.9.2-4.module_el8.4.0+846+96522ed7.noarch > > ipa-client-4.9.2-4.module_el8.4.0+846+96522ed7.x86_64 > > > > > > <...> > > 2021-07-01 17:28:20 [main] INFO: CMSEngine: initializing password store > > 2021-07-01 17:28:20 [main] INFO: CMSEngine: initializing password store > > for internaldb > > 2021-07-01 17:28:20 [main] INFO: CMSEngine: initializing password store > > for replicationdb > > 2021-07-01 17:28:20 [main] INFO: CMSEngine: Java version: 1.8.0_292 > > 2021-07-01 17:28:20 [main] INFO: CMSEngine: security providers: > > 2021-07-01 17:28:20 [main] INFO: PluginRegistry: Loading plugin registry > > from /var/lib/pki/pki-tomcat/conf/ca/registry.cfg > > 2021-07-01 17:28:21 [main] SEVERE: LdapBoundConnFactory: Unable to > > connect to LDAP server: Authentication failed > > netscape.ldap.LDAPException: Authentication failed (48) > > at netscape.ldap.LDAPSaslBind.checkForSASLBindCompletion(Unknown > > Source) > > at netscape.ldap.LDAPSaslBind.bind(Unknown Source) > > at netscape.ldap.LDAPSaslBind.bind(Unknown Source) > > at netscape.ldap.LDAPConnection.authenticate(Unknown Source) > > at netscape.ldap.LDAPConnection.authenticate(Unknown Source) > > at netscape.ldap.LDAPConnection.checkClientAuth(Unknown Source) > > at netscape.ldap.LDAPConnection.connect(Unknown Source) > > at netscape.ldap.LDAPConnection.connect(Unknown Source) > > at netscape.ldap.LDAPConnection.connect(Unknown Source) > > at > > > com.netscape.cmscore.ldapconn.LdapBoundConnection.<init>(LdapBoundConnection.java:105) > > at > > > com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:284) > > at > > > com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:260) > > at > > > com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:223) > > at > > > com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:192) > > at org.dogtagpki.server.ca > .CAEngine.initDatabase(CAEngine.java:186) > > at com.netscape.cmscore.apps.CMSEngine.start(CMSEngine.java:1002) > > at > > > com.netscape.cmscore.apps.CMSEngine.contextInitialized(CMSEngine.java:1643) > > at > > > org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4685) > > at > > > org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5146) > > at > > org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183) > > at > > > org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:717) > > at > > org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:129) > > at > > > org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:150) > > at > > > org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:140) > > at java.security.AccessController.doPrivileged(Native Method) > > at > > org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:688) > > at > > org.apache.catalina.core.StandardHost.addChild(StandardHost.java:705) > > at > > > org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:631) > > at > > > org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1831) > > at > > java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) > > at java.util.concurrent.FutureTask.run(FutureTask.java:266) > > at > > > org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75) > > at > > > java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:112) > > at > > > org.apache.catalina.startup.HostConfig.deployDescriptors(HostConfig.java:526) > > at > > org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:425) > > at > > org.apache.catalina.startup.HostConfig.start(HostConfig.java:1576) > > at > > > org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:309) > > at > > > org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:123) > > at > > > org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:423) > > at > > org.apache.catalina.util.LifecycleBase.setState(LifecycleBase.java:366) > > at > > > org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:936) > > at > > > org.apache.catalina.core.StandardHost.startInternal(StandardHost.java:841) > > at > > org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183) > > at > > > org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1384) > > at > > > org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1374) > > at java.util.concurrent.FutureTask.run(FutureTask.java:266) > > at > > > org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75) > > at > > > java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:134) > > at > > > org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:909) > > at > > > org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:262) > > at > > org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183) > > at > > > org.apache.catalina.core.StandardService.startInternal(StandardService.java:421) > > at > > org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183) > > at > > > org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:930) > > at > > org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183) > > at org.apache.catalina.startup.Catalina.start(Catalina.java:633) > > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > > at > > > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > > at > > > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > > at java.lang.reflect.Method.invoke(Method.java:498) > > at > org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:343) > > at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474) > > <...> > > > > > > -- > > Tiemen Ruiten > > Infrastructure Engineer > > > > _______________________________________________ > > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org > > To unsubscribe send an email to > freeipa-users-le...@lists.fedorahosted.org > > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > > List Archives: > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org > > Do not reply to spam on the list, report it: > https://pagure.io/fedora-infrastructure > > > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org > To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org > Do not reply to spam on the list, report it: > https://pagure.io/fedora-infrastructure >
_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure