Discussion:
[Freeipa-users] Freeipa web UI: An error has occurred (IPA Error
Andrew Krause
2017-04-17 16:31:22 UTC
Permalink
Many hosts in our web ui show a null status for “enrolled”. When you do a search that includes any of these host objects the web UI posts errors, and if you click on one of the problem hosts the same error stops anything from loading on the host page.

I’ve been trying to solve this problem on my own for quite some time and have not been successful. It’s impossible to remove the host through the web UI, and using CLI commands seems to remove the entry from IPA (host is not found with ipa host-find), but it is still visible in the UI. One thing that may be common with all of these hosts is that they were enrolled with our IPA system back while we were running version 3.0 and likely have had issues for quite some time. Multiple updates have happened since then, and all of our hosts added within the last year are working fine. I suspect there’s an issue with a path somewhere for a certificate database, but I’m unable to pinpoint what is going wrong.


I’m currently cloning 2 of my IPA servers into a private dmz to test fixes so I can try things without worry...

1. Realized we had many certificates that were expired and not renewing with “getcert list” on primary IPA server
2. Tried every document I could find on renewing the certificates but was never completely successful (on version 4.1 which is our current in production)
3. Upgraded to 4.4 and was actually able to renew all certificates listed on the main IPA server showing current below
4. After having success with #3 I was able to start the CA service without error and everything on the server seems to be working as expected
5. Have attempted many variations of removing a problem host and adding it back, but the errors in the web UI persist.

Output from "getcert list":

Number of certificates and requests being tracked: 8.
Request ID '20160901214852':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=DOMAIN.COM
subject: CN=CA Audit,O=DOMAIN.COM
expires: 2018-08-22 22:13:44 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20160901214853':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=DOMAIN.COM
subject: CN=OCSP Subsystem,O=DOMAIN.COM
expires: 2018-08-22 21:49:26 UTC
eku: id-kp-OCSPSigning
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20160901214854':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=DOMAIN.COM
subject: CN=CA Subsystem,O=DOMAIN.COM
expires: 2018-08-22 21:49:18 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20160901214855':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=DOMAIN.COM
subject: CN=Certificate Authority,O=DOMAIN.COM
expires: 2036-09-01 05:05:00 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20160901214856':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=DOMAIN.COM
subject: CN=IPA RA,O=DOMAIN.COM
expires: 2018-08-22 22:15:36 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20160901214857':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=DOMAIN.COM
subject: CN=hostname07.domain.com,O=DOMAIN.COM
expires: 2018-07-31 23:31:17 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20160901214858':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-DOMAIN-COM/pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=DOMAIN.COM
subject: CN=hostname07.domain.com,O=DOMAIN.COM
expires: 2018-08-22 23:31:28 UTC
principal name: ldap/***@DOMAIN.COM
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv DOMAIN-COM
track: yes
auto-renew: yes
Request ID '20160901214859':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=DOMAIN.COM
subject: CN=hostname07.domain.com,O=DOMAIN.COM
expires: 2018-08-22 23:31:19 UTC
principal name: HTTP/***@DOMAIN.COM
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
Output for "certutil -L -d /var/lib/pki/pki-tomcat/alias/"

Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI

Server-Cert cert-pki-ca u,u,u
Certificate Authority - DOMAIN.COM CTu,cu,u
subsystemCert cert-pki-ca u,u,u
auditSigningCert cert-pki-ca u,u,Pu
caSigningCert cert-pki-ca u,u,u
ocspSigningCert cert-pki-ca u,u,u
Output for latest selftests.log for pki-tomcatd:

0.localhost-startStop-1 - [17/Apr/2017:10:11:53 CDT] [20] [1] SelfTestSubsystem: Initializing self test plugins:
0.localhost-startStop-1 - [17/Apr/2017:10:11:53 CDT] [20] [1] SelfTestSubsystem: loading all self test plugin logger parameters
0.localhost-startStop-1 - [17/Apr/2017:10:11:53 CDT] [20] [1] SelfTestSubsystem: loading all self test plugin instances
0.localhost-startStop-1 - [17/Apr/2017:10:11:53 CDT] [20] [1] SelfTestSubsystem: loading all self test plugin instance parameters
0.localhost-startStop-1 - [17/Apr/2017:10:11:53 CDT] [20] [1] SelfTestSubsystem: loading self test plugins in on-demand order
0.localhost-startStop-1 - [17/Apr/2017:10:11:53 CDT] [20] [1] SelfTestSubsystem: loading self test plugins in startup order
0.localhost-startStop-1 - [17/Apr/2017:10:11:53 CDT] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
0.localhost-startStop-1 - [17/Apr/2017:10:11:53 CDT] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
0.localhost-startStop-1 - [17/Apr/2017:10:11:53 CDT] [20] [1] CAPresence: CA is present
0.localhost-startStop-1 - [17/Apr/2017:10:11:53 CDT] [20] [1] SystemCertsVerification: system certs verification success
0.localhost-startStop-1 - [17/Apr/2017:10:11:53 CDT] [20] [1] SelfTestSubsystem: All CRITICAL self test plugins ran SUCCESSFULLY at startup!
Any assistance would be greatly appreciated.

Andrew Krause
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info
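The first step in the post, checking `getcert list` for certificates that have expired or stopped renewing, is easy to do by eye on one server and tedious across a replica set. The following is an added example (not code from the thread, FreeIPA or certmonger) that parses the `getcert list` text format shown above and flags requests that are expired, expiring within a window, stuck, not in MONITORING, or untracked. The embedded sample is constructed in that format; its request IDs, nicknames, the `example.test` realm and the `ca-error` text are illustrative, not taken from the post.

```python
"""Audit `getcert list` output: flag expired, soon-to-expire, stuck or
untracked certmonger requests. Added example for this thread, not FreeIPA
or certmonger code; the sample below is constructed in the format the post
shows, with illustrative nicknames, dates and an example.test realm."""
import re
import subprocess
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample (not real tracking data): three requests laid out the
# way `getcert list` prints them. The second one is deliberately broken.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20160901214852':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    CA: dogtag-ipa-ca-renew-agent
    subject: CN=CA Audit,O=EXAMPLE.TEST
    expires: 2018-08-22 22:13:44 UTC
    track: yes
    auto-renew: yes
Request ID '20160901214856':
    status: CA_UNREACHABLE
    ca-error: Server at https://ipa.example.test/ipa/xml failed request, will retry.
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    CA: dogtag-ipa-ca-renew-agent
    subject: CN=IPA RA,O=EXAMPLE.TEST
    expires: 2017-03-01 00:00:00 UTC
    track: yes
    auto-renew: yes
Request ID '20160901214858':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    CA: IPA
    subject: CN=ipa.example.test,O=EXAMPLE.TEST
    expires: 2017-05-01 00:00:00 UTC
    track: yes
    auto-renew: yes
"""

RECORD_START = re.compile(r"^Request ID '([^']+)':$")
EXPIRES_FMT = "%Y-%m-%d %H:%M:%S UTC"


def parse_getcert_list(text):
    """Return one dict per tracking request, keyed by the getcert field names,
    plus derived 'nickname' and 'expires_at' (timezone-aware datetime or None)."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = RECORD_START.match(line)
        if m:
            current = {"request_id": m.group(1)}
            records.append(current)
            continue
        if current is None or ":" not in line:
            continue  # the "Number of certificates..." header, blank lines
        key, _, value = line.partition(":")  # split on the FIRST colon only
        current[key.strip()] = value.strip()
    for rec in records:
        nick = re.search(r"nickname='([^']*)'", rec.get("key pair storage", ""))
        rec["nickname"] = nick.group(1) if nick else ""
        exp = rec.get("expires")
        rec["expires_at"] = (datetime.strptime(exp, EXPIRES_FMT).replace(tzinfo=timezone.utc)
                             if exp else None)
    return records


def find_problems(records, now, warn_days=30):
    """List (request_id, nickname, reasons) for every request an admin should look at."""
    problems, horizon = [], now + timedelta(days=warn_days)
    for rec in records:
        reasons, exp = [], rec["expires_at"]
        if exp is None:
            reasons.append("no expiry recorded")
        elif exp <= now:
            reasons.append("expired")
        elif exp <= horizon:
            reasons.append("expires in %d days" % (exp - now).days)
        if rec.get("stuck") == "yes":
            reasons.append("stuck")
        if rec.get("status") != "MONITORING":
            reasons.append("status " + rec.get("status", "?"))
        if rec.get("track") != "yes":
            reasons.append("not tracked")
        if reasons:
            problems.append((rec["request_id"], rec["nickname"], reasons))
    return problems


def audit(text, now_str, warn_days=30):
    """Convenience wrapper: {request_id: reasons} for a given 'now' in getcert's time format."""
    now = datetime.strptime(now_str, EXPIRES_FMT).replace(tzinfo=timezone.utc)
    return {rid: reasons for rid, _, reasons in find_problems(parse_getcert_list(text), now, warn_days)}


if __name__ == "__main__":
    # `--live` runs the real command (needs root on an IPA server); default is the sample.
    if "--live" in sys.argv:
        text = subprocess.run(["getcert", "list"], capture_output=True, text=True, check=True).stdout
    else:
        text = SAMPLE
    for rid, reasons in audit(text, datetime.now(timezone.utc).strftime(EXPIRES_FMT)).items():
        print(rid, ", ".join(reasons))
```

Run it on every master and replica, not just the one you happen to be logged into: each server tracks its own copies of the subsystem certificates, and a renewal that succeeded on one host can still be stuck on another. A clean `expires` date only says the tracked certificate is current; whether the copy in the NSS database is the one the CA actually issued is a separate check with `certutil -L`.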
Andrew Krause
2017-04-20 17:47:52 UTC
Permalink
Sorry for the self bump but no one has any insight on this?
Post by Andrew Krause
Many hosts in our web ui show a null status for “enrolled”. When you do a search that includes any of these host objects the web UI posts errors, and if you click on one of the problem hosts the same error stops anything from loading on the host page.
I’ve been trying to solve this problem on my own for quite some time and have not been successful. It’s impossible to remove the host through the web UI and using CLI commands seem to remove the entry from IPA (host is not found with ipa host-find), but it is still visible in the UI. One thing that may be common with all of these hosts is that they were enrolled with our IPA system back while we were running version 3.0 and likely have had issues for quite some time. Multiple updates have happened since then, and all of our hosts added within the last year are working fine. I suspect there’s an issue with a path somewhere for a certificate database, but I’m unable to pinpoint what is going wrong.
I’m currently cloning 2 of my IPA servers into a private dmz to test fixes so I can try things without worry...
1. Realized we had many certificates that were expired and not renewing with “getcert list” on primary IPA server
2. Tried every document I could find on renewing the certificates but was never completely successful (on version 4.1 which is our current in production)
3. Upgraded to 4.4 and was actually able to renew all certificates listed on the main IPA server showing current below
4. After having success with #3 I was able to start the CA service without error and everything on the server seems to be working as expected
5. Have attempted many variations of removing a problem host and adding it back, but the errors in the web UI persist.
Number of certificates and requests being tracked: 8.
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=DOMAIN.COM
subject: CN=CA Audit,O=DOMAIN.COM
expires: 2018-08-22 22:13:44 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=DOMAIN.COM
subject: CN=OCSP Subsystem,O=DOMAIN.COM
expires: 2018-08-22 21:49:26 UTC
eku: id-kp-OCSPSigning
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=DOMAIN.COM
subject: CN=CA Subsystem,O=DOMAIN.COM
expires: 2018-08-22 21:49:18 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=DOMAIN.COM
subject: CN=Certificate Authority,O=DOMAIN.COM
expires: 2036-09-01 05:05:00 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
track: yes
auto-renew: yes
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=DOMAIN.COM
subject: CN=IPA RA,O=DOMAIN.COM
expires: 2018-08-22 22:15:36 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=DOMAIN.COM
subject: CN=hostname07.domain.com,O=DOMAIN.COM
expires: 2018-07-31 23:31:17 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
track: yes
auto-renew: yes
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-DOMAIN-COM/pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=DOMAIN.COM
subject: CN=hostname07.domain.com,O=DOMAIN.COM
expires: 2018-08-22 23:31:28 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv DOMAIN-COM
track: yes
auto-renew: yes
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=DOMAIN.COM
subject: CN=hostname07.domain.com,O=DOMAIN.COM
expires: 2018-08-22 23:31:19 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
post-save command: /usr/libexec/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
Output for "certutil -L -d /var/lib/pki/pki-tomcat/alias/"
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Server-Cert cert-pki-ca u,u,u
Certificate Authority - DOMAIN.COM CTu,cu,u
subsystemCert cert-pki-ca u,u,u
auditSigningCert cert-pki-ca u,u,Pu
caSigningCert cert-pki-ca u,u,u
ocspSigningCert cert-pki-ca u,u,u
0.localhost-startStop-1 - [17/Apr/2017:10:11:53 CDT] [20] [1] SelfTestSubsystem: loading all self test plugin logger parameters
0.localhost-startStop-1 - [17/Apr/2017:10:11:53 CDT] [20] [1] SelfTestSubsystem: loading all self test plugin instances
0.localhost-startStop-1 - [17/Apr/2017:10:11:53 CDT] [20] [1] SelfTestSubsystem: loading all self test plugin instance parameters
0.localhost-startStop-1 - [17/Apr/2017:10:11:53 CDT] [20] [1] SelfTestSubsystem: loading self test plugins in on-demand order
0.localhost-startStop-1 - [17/Apr/2017:10:11:53 CDT] [20] [1] SelfTestSubsystem: loading self test plugins in startup order
0.localhost-startStop-1 - [17/Apr/2017:10:11:53 CDT] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
0.localhost-startStop-1 - [17/Apr/2017:10:11:53 CDT] [20] [1] CAPresence: CA is present
0.localhost-startStop-1 - [17/Apr/2017:10:11:53 CDT] [20] [1] SystemCertsVerification: system certs verification success
0.localhost-startStop-1 - [17/Apr/2017:10:11:53 CDT] [20] [1] SelfTestSubsystem: All CRITICAL self test plugins ran SUCCESSFULLY at startup!
Any assistance would be greatly appreciated.
Andrew Krause
--
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info
Rob Crittenden
2017-04-20 18:03:33 UTC
Permalink
Post by Andrew Krause
Sorry for the self bump but no one has any insight on this?
Post by Andrew Krause
Many hosts in our web ui show a null status for “enrolled”. When you do a search that includes any of these host objects the web UI posts errors, and if you click on one of the problem hosts the same error stops anything from loading on the host page.
I’ve been trying to solve this problem on my own for quite some time and have not been successful. It’s impossible to remove the host through the web UI and using CLI commands seem to remove the entry from IPA (host is not found with ipa host-find), but it is still visible in the UI. One thing that may be common with all of these hosts is that they were enrolled with our IPA system back while we were running version 3.0 and likely have had issues for quite some time. Multiple updates have happened since then, and all of our hosts added within the last year are working fine. I suspect there’s an issue with a path somewhere for a certificate database, but I’m unable to pinpoint what is going wrong.
It should not be possible to have different views in the UI and the CLI
since they make the same backend calls. What you'd want to do, hopefully
on a semi-quiet system, is to do a host-find on the CLI and then list
all hosts in the UI and compare the logs in /var/log/httpd/error_log and
look at the LDAP queries in /var/log/dirsrv/slapd-REALM/access (this is
a buffered log so be patient).

They should be doing more or less the exact same set of queries.

Very doubtful that this has anything to do with certs. Anything on the
client would be completely separate from what is on the server.

One thing you may be seeing though is that in 3.0 a host certificate
was obtained for each client. This was dropped with 4.0, but it
wouldn't affect any visibility on the server.

rob
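The comparison Rob suggests (run the host search once from the CLI and once from the web UI, then line up the LDAP queries in the 389-ds access log) is easier with a little tooling, because each operation is logged as a request line and a separate RESULT line joined only by the `conn=`/`op=` pair. The following is an added example, not code from the thread, FreeIPA or 389-ds: it pairs requests with their results, reports every operation whose result code is non-zero, and diffs the failures between two captures. The log lines are constructed in the access-log format the later excerpt in this thread shows, with an `example.test` suffix in place of real names; the "CLI run" sample is simply a subset of the "UI run" sample.

```python
"""Pair SRCH/MOD requests with their RESULT lines in a 389-ds access log and
diff the failures between two runs (CLI `ipa host-find` versus the same
search from the web UI). Added example for this thread, not 389-ds or
FreeIPA code; the lines below are constructed in the access-log format."""
import re
import sys
from collections import OrderedDict

# Constructed UI-run sample: a host lookup, a lookup under cn=masters that
# returns err=32 (noSuchObject), a MOD, and a search under o=ipaca that
# also returns err=32.
SAMPLE_UI_RUN = """\
[26/Apr/2017:14:52:43.961326411 -0500] conn=4 op=33437 SRCH base="dc=example,dc=test" scope=2 filter="(fqdn=client.example.test)" attrs="fqdn objectClass"
[26/Apr/2017:14:52:43.961883409 -0500] conn=4 op=33437 RESULT err=0 tag=101 nentries=1 etime=0
[26/Apr/2017:14:52:43.964901338 -0500] conn=4 op=33447 SRCH base="cn=client.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test" scope=0 filter="(objectClass=*)" attrs=ALL
[26/Apr/2017:14:52:43.964982222 -0500] conn=4 op=33447 RESULT err=32 tag=101 nentries=0 etime=0
[26/Apr/2017:14:52:43.965190437 -0500] conn=4 op=33448 MOD dn="fqdn=client.example.test,cn=computers,cn=accounts,dc=example,dc=test"
[26/Apr/2017:14:52:43.971416149 -0500] conn=4 op=33448 RESULT err=0 tag=103 nentries=0 etime=0 csn=5900fab3000000040000
[26/Apr/2017:14:51:54.142433251 -0500] conn=17 op=5296 SRCH base="ou=sessions,ou=Security Domain,o=ipaca" scope=2 filter="(objectClass=securityDomainSessionEntry)" attrs="cn"
[26/Apr/2017:14:51:54.142776551 -0500] conn=17 op=5296 RESULT err=32 tag=101 nentries=0 etime=0
"""
# Constructed CLI-run sample: only the first lookup and its result.
SAMPLE_CLI_RUN = "\n".join(SAMPLE_UI_RUN.splitlines()[:2]) + "\n"

LINE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<kind>\S+)(?P<rest>.*)$')
KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')  # key=value, value quoted or bare
REQUEST_KINDS = {"SRCH", "MOD", "ADD", "DEL", "MODRDN", "BIND", "EXT", "CMP"}


def parse_access_log(text):
    """One record per (conn, op): {'conn', 'op', 'request', 'result'}.
    Lines without op= (connection open/close) and continuation lines such
    as SORT/VLV are skipped."""
    ops = OrderedDict()
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        key = (int(m["conn"]), int(m["op"]))
        fields = {k: (q if v.startswith('"') else v) for k, v, q in KV.findall(m["rest"])}
        rec = ops.setdefault(key, {"conn": key[0], "op": key[1], "request": None, "result": None})
        if m["kind"] == "RESULT":
            rec["result"] = fields
        elif m["kind"] in REQUEST_KINDS:
            rec["request"] = dict(kind=m["kind"], **fields)
    return list(ops.values())


def failed_ops(records):
    """(conn, op, kind, err, base-or-dn, filter) for every op whose RESULT err != 0."""
    out = []
    for r in records:
        req, res = r["request"], r["result"]
        if req is None or res is None:
            continue
        err = int(res.get("err", "0"))
        if err:
            out.append((r["conn"], r["op"], req["kind"], err,
                        req.get("base", req.get("dn", "")), req.get("filter", "")))
    return out


def err_summary(records):
    """Histogram of LDAP result codes, e.g. {0: 2, 32: 2}."""
    counts = {}
    for r in records:
        if r["result"] is not None:
            e = int(r["result"].get("err", "0"))
            counts[e] = counts.get(e, 0) + 1
    return counts


def compare_runs(cli_text, ui_text):
    """Failures present in one capture but not the other, keyed by
    (kind, err, base-or-dn, filter) so conn/op numbers do not matter."""
    def sig(text):
        return {(k, e, b, f) for _, _, k, e, b, f in failed_ops(parse_access_log(text))}
    cli, ui = sig(cli_text), sig(ui_text)
    return {"ui_only": ui - cli, "cli_only": cli - ui}


if __name__ == "__main__":
    # Usage: script.py [/var/log/dirsrv/slapd-REALM/access]; no argument uses the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_UI_RUN
    recs = parse_access_log(text)
    print("result codes:", err_summary(recs))
    for conn, op, kind, err, target, flt in failed_ops(recs):
        print(f"conn={conn} op={op} {kind} err={err} {target} {flt}")
```

A non-zero result code is not automatically a bug: err=32 is LDAP noSuchObject, and a lookup that probes for an entry which legitimately does not exist returns it every time. The useful signal is the diff: an operation that fails only in the UI capture, or a query the UI issues that the CLI never does, points at the code path to read next. Remember that the access log is buffered, so wait a few seconds (or compare timestamps) before concluding a query never happened.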
Andrew Krause
2017-04-26 20:06:12 UTC
Permalink
I had to let this sit for a few days, but now that I try again I can remove and re-add the host (using CLI). The web UI still presents an error though: IPA Error 4302: CertificateFormatError: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old unsupported format.


This is an error I ran into when working with renewing certs while referring to the wrong path for the certificate database (path changed with versions and I was unaware). Why this is happening in the web UI though still eludes me. The test host I removed via CLI and then added with the ipa-client-install command still does not show “Enrolled” status when I do a search for it in the UI, and the error above is displayed when this host shows up in results, or when I click on the link to the host page. Is it possible that Apache is misconfigured? I’m including my dirsrv and apache access log excerpts from when I try to load the host page. I do see some errors.

Apache:

[Wed Apr 26 14:37:15.047280 2017] [:error] [pid 7300] Bad remote server certificate: -8179
[Wed Apr 26 14:37:15.047303 2017] [:error] [pid 7300] SSL Library Error: -8179 Certificate is signed by an unknown issuer
[Wed Apr 26 14:37:15.047364 2017] [:error] [pid 7300] Re-negotiation handshake failed: Not accepted by client!?
[Wed Apr 26 14:37:15.047698 2017] [:error] [pid 7295] ipa: INFO: [xmlserver] host/***@DOMAIN.COM: cert_request(u'...', principal=u'host/***@DOMAIN.COM', add=True, version=u'2.51'): NetworkError
[Wed Apr 26 14:37:15.047856 2017] [:error] [pid 7300] Bad remote server certificate: -8179
[Wed Apr 26 14:37:15.047864 2017] [:error] [pid 7300] SSL Library Error: -8179 Certificate is signed by an unknown issuer
[Wed Apr 26 14:37:15.047869 2017] [:error] [pid 7300] SSL Library Error: -8179 Certificate is signed by an unknown issuer
[Wed Apr 26 14:37:15.048309 2017] [:error] [pid 7300] Bad remote server certificate: -8179
[Wed Apr 26 14:37:15.048317 2017] [:error] [pid 7300] SSL Library Error: -8179 Certificate is signed by an unknown issuer
[Wed Apr 26 14:37:15.235599 2017] [:warn] [pid 9708] NSSProtocol: Unknown protocol 'tlsv1.2' not supported
[Wed Apr 26 14:37:15.235637 2017] [:error] [pid 9708] Unknown cipher aes_128_sha_256
[Wed Apr 26 14:37:15.235641 2017] [:error] [pid 9708] Unknown cipher aes_256_sha_256
[Wed Apr 26 14:37:15.235644 2017] [:error] [pid 9708] Unknown cipher ecdhe_ecdsa_aes_128_gcm_sha_256
[Wed Apr 26 14:37:15.235648 2017] [:error] [pid 9708] Unknown cipher ecdhe_ecdsa_aes_256_gcm_sha_384
[Wed Apr 26 14:37:15.235652 2017] [:error] [pid 9708] Unknown cipher ecdhe_rsa_aes_128_gcm_sha_256
[Wed Apr 26 14:37:15.235655 2017] [:error] [pid 9708] Unknown cipher ecdhe_rsa_aes_256_gcm_sha_384
[Wed Apr 26 14:37:15.235658 2017] [:error] [pid 9708] Unknown cipher rsa_aes_128_gcm_sha_256
[Wed Apr 26 14:37:15.235662 2017] [:error] [pid 9708] Unknown cipher rsa_aes_256_gcm_sha_384
Dirsrv:

[26/Apr/2017:14:51:54.142433251 -0500] conn=17 op=5296 SRCH base="ou=sessions,ou=Security Domain,o=ipaca" scope=2 filter="(objectClass=securityDomainSessionEntry)" attrs="cn"
[26/Apr/2017:14:51:54.142776551 -0500] conn=17 op=5296 RESULT err=32 tag=101 nentries=0 etime=0
[26/Apr/2017:14:51:55.018498792 -0500] conn=8 op=8117 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="description"
[26/Apr/2017:14:51:55.018666292 -0500] conn=8 op=8117 RESULT err=0 tag=101 nentries=1 etime=0
[26/Apr/2017:14:52:00.146796240 -0500] conn=8 op=8119 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 filter="(certStatus=INVALID)" attrs="objectClass serialno notBefore notAfter duration extension subjectName issuerName userCertificate version algorithmId signingAlgorithmId publicKeyData"
[26/Apr/2017:14:52:00.147035479 -0500] conn=8 op=8119 SORT notBefore
[26/Apr/2017:14:52:00.147051543 -0500] conn=8 op=8119 VLV 200:0:20170426145200Z 1:0 (0)
[26/Apr/2017:14:52:00.147092417 -0500] conn=8 op=8119 RESULT err=0 tag=101 nentries=0 etime=0
[26/Apr/2017:14:52:00.147826090 -0500] conn=8 op=8120 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 filter="(certStatus=VALID)" attrs="objectClass serialno notBefore notAfter duration extension subjectName issuerName userCertificate version algorithmId signingAlgorithmId publicKeyData"
[26/Apr/2017:14:52:00.147982635 -0500] conn=8 op=8120 SORT notAfter
[26/Apr/2017:14:52:00.147991868 -0500] conn=8 op=8120 VLV 200:0:20170426145200Z 1:35 (0)
[26/Apr/2017:14:52:00.148105485 -0500] conn=8 op=8120 RESULT err=0 tag=101 nentries=1 etime=0
[26/Apr/2017:14:52:00.148933905 -0500] conn=8 op=8121 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 filter="(certStatus=REVOKED)" attrs="objectClass revokedOn serialno revInfo notAfter notBefore duration extension subjectName issuerName userCertificate version algorithmId signingAlgorithmId publicKeyData"
[26/Apr/2017:14:52:00.149043409 -0500] conn=8 op=8121 SORT notAfter
[26/Apr/2017:14:52:00.149052772 -0500] conn=8 op=8121 VLV 200:0:20170426145200Z 1:4 (0)
[26/Apr/2017:14:52:00.149160758 -0500] conn=8 op=8121 RESULT err=0 tag=101 nentries=1 etime=0
[26/Apr/2017:14:52:29.001182676 -0500] conn=19057 op=17 UNBIND
[26/Apr/2017:14:52:29.001203771 -0500] conn=19057 op=17 fd=122 closed - U1
[26/Apr/2017:14:52:43.956006475 -0500] conn=19059 fd=122 slot=122 connection from 10.11.10.6 to 10.11.10.3
[26/Apr/2017:14:52:43.956364716 -0500] conn=19059 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="* altServer namingContexts supportedControl supportedExtension supportedFeatures supportedLDAPVersion supportedSASLMechanisms domaincontrollerfunctionality defaultnamingcontext lastusn highestcommittedusn aci"
[26/Apr/2017:14:52:43.957812723 -0500] conn=19059 op=0 RESULT err=0 tag=101 nentries=1 etime=0
[26/Apr/2017:14:52:43.961326411 -0500] conn=4 op=33437 SRCH base="dc=domain,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=host/***@DOMAIN.COM)(krbPrincipalName:caseIgnoreIA5Match:=host/***@DOMAIN.COM)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[26/Apr/2017:14:52:43.961883409 -0500] conn=4 op=33437 RESULT err=0 tag=101 nentries=1 etime=0
[26/Apr/2017:14:52:43.961970819 -0500] conn=4 op=33438 SRCH base="cn=ipaConfig,cn=etc,dc=domain,dc=com" scope=0 filter="(objectClass=*)" attrs="ipaConfigString ipaKrbAuthzData ipaUserAuthType"
[26/Apr/2017:14:52:43.962039666 -0500] conn=4 op=33438 RESULT err=0 tag=101 nentries=1 etime=0
[26/Apr/2017:14:52:43.962141970 -0500] conn=4 op=33439 SRCH base="cn=DOMAIN.COM,cn=kerberos,dc=domain,dc=com" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
[26/Apr/2017:14:52:43.962369262 -0500] conn=4 op=33439 RESULT err=0 tag=101 nentries=1 etime=0
[26/Apr/2017:14:52:43.962455322 -0500] conn=4 op=33440 SRCH base="dc=domain,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/***@DOMAIN.COM)(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/***@DOMAIN.COM)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[26/Apr/2017:14:52:43.962718874 -0500] conn=4 op=33440 RESULT err=0 tag=101 nentries=1 etime=0
[26/Apr/2017:14:52:43.962817682 -0500] conn=4 op=33441 SRCH base="cn=Default Host Password Policy,cn=computers,cn=accounts,dc=domain,dc=com" scope=0 filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure krbPwdFailureCountInterval krbPwdLockoutDuration"
[26/Apr/2017:14:52:43.962896540 -0500] conn=4 op=33441 RESULT err=0 tag=101 nentries=1 etime=0
[26/Apr/2017:14:52:43.963503712 -0500] conn=4 op=33442 SRCH base="dc=domain,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=host/***@DOMAIN.COM)(krbPrincipalName:caseIgnoreIA5Match:=host/***@DOMAIN.COM)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[26/Apr/2017:14:52:43.963752103 -0500] conn=4 op=33442 RESULT err=0 tag=101 nentries=1 etime=0
[26/Apr/2017:14:52:43.963849295 -0500] conn=4 op=33443 SRCH base="cn=DOMAIN.COM,cn=kerberos,dc=domain,dc=com" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
[26/Apr/2017:14:52:43.963953657 -0500] conn=4 op=33443 RESULT err=0 tag=101 nentries=1 etime=0
[26/Apr/2017:14:52:43.964039852 -0500] conn=4 op=33444 SRCH base="dc=domain,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/***@DOMAIN.COM)(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/***@DOMAIN.COM)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[26/Apr/2017:14:52:43.964273302 -0500] conn=4 op=33444 RESULT err=0 tag=101 nentries=1 etime=0
[26/Apr/2017:14:52:43.964362345 -0500] conn=4 op=33445 SRCH base="cn=Default Host Password Policy,cn=computers,cn=accounts,dc=domain,dc=com" scope=0 filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure krbPwdFailureCountInterval krbPwdLockoutDuration"
[26/Apr/2017:14:52:43.964435619 -0500] conn=4 op=33445 RESULT err=0 tag=101 nentries=1 etime=0
[26/Apr/2017:14:52:43.964567590 -0500] conn=4 op=33446 SRCH base="fqdn=clienthost.domain2.com,cn=computers,cn=accounts,dc=domain,dc=com" scope=0 filter="(objectClass=*)" attrs="objectClass uid cn fqdn gidNumber krbPrincipalName krbCanonicalName krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbLastAdminUnlock krbTicketFlags ipaNTSecurityIdentifier ipaNTLogonScript ipaNTProfilePath ipaNTHomeDirectory ipaNTHomeDirectoryDrive"
[26/Apr/2017:14:52:43.964851835 -0500] conn=4 op=33446 RESULT err=0 tag=101 nentries=1 etime=0
[26/Apr/2017:14:52:43.964901338 -0500] conn=4 op=33447 SRCH base="cn=clienthost.domain2.com,cn=masters,cn=ipa,cn=etc,dc=domain,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[26/Apr/2017:14:52:43.964982222 -0500] conn=4 op=33447 RESULT err=32 tag=101 nentries=0 etime=0
[26/Apr/2017:14:52:43.965190437 -0500] conn=4 op=33448 MOD dn="fqdn=clienthost.domain2.com,cn=computers,cn=accounts,dc=domain,dc=com"
[26/Apr/2017:14:52:43.971416149 -0500] conn=4 op=33448 RESULT err=0 tag=103 nentries=0 etime=0 csn=5900fab3000000040000
[26/Apr/2017:14:52:43.972903894 -0500] conn=4 op=33449 SRCH base="dc=domain,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/***@DOMAIN.COM)(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/***@DOMAIN.COM)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[26/Apr/2017:14:52:43.973145956 -0500] conn=4 op=33449 RESULT err=0 tag=101 nentries=1 etime=0
[26/Apr/2017:14:52:43.973372685 -0500] conn=4 op=33450 SRCH base="dc=domain,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=ldap/***@DOMAIN.COM)(krbPrincipalName:caseIgnoreIA5Match:=ldap/***@DOMAIN.COM)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[26/Apr/2017:14:52:43.973601674 -0500] conn=4 op=33450 RESULT err=0 tag=101 nentries=1 etime=0
[26/Apr/2017:14:52:43.973695925 -0500] conn=4 op=33451 SRCH base="cn=DOMAIN.COM,cn=kerberos,dc=domain,dc=com" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
[26/Apr/2017:14:52:43.973792556 -0500] conn=4 op=33451 RESULT err=0 tag=101 nentries=1 etime=0
[26/Apr/2017:14:52:43.973887813 -0500] conn=4 op=33452 SRCH base="dc=domain,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=host/***@DOMAIN.COM))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[26/Apr/2017:14:52:43.974122262 -0500] conn=4 op=33452 RESULT err=0 tag=101 nentries=1 etime=0
[26/Apr/2017:14:52:43.974232772 -0500] conn=4 op=33453 SRCH base="cn=DOMAIN.COM,cn=kerberos,dc=domain,dc=com" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
[26/Apr/2017:14:52:43.974326465 -0500] conn=4 op=33453 RESULT err=0 tag=101 nentries=1 etime=0
[26/Apr/2017:14:52:43.974905377 -0500] conn=19059 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[26/Apr/2017:14:52:43.980786355 -0500] conn=19059 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[26/Apr/2017:14:52:43.981170143 -0500] conn=19059 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[26/Apr/2017:14:52:43.982397706 -0500] conn=19059 op=2 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[26/Apr/2017:14:52:43.982529305 -0500] conn=19059 op=3 BIND dn="" method=sasl version=3 mech=GSSAPI
[26/Apr/2017:14:52:43.983192932 -0500] conn=19059 op=3 RESULT err=0 tag=97 nentries=0 etime=0 dn="fqdn=clienthost.domain2.com,cn=computers,cn=accounts,dc=domain,dc=com"
[26/Apr/2017:14:52:43.983449296 -0500] conn=19059 op=4 SRCH base="cn=accounts,dc=domain,dc=com" scope=2 filter="(&(objectClass=ipaHost)(fqdn=clienthost.domain2.com))" attrs="objectClass cn fqdn serverHostName memberOf ipaSshPubKey ipaUniqueID"
[26/Apr/2017:14:52:43.984109232 -0500] conn=19059 op=4 RESULT err=0 tag=101 nentries=1 etime=0 notes=P pr_idx=0 pr_cookie=-1
[26/Apr/2017:14:52:43.984622970 -0500] conn=19059 op=5 SRCH base="fqdn=clienthost.domain2.com,cn=computers,cn=accounts,dc=domain,dc=com" scope=0 filter="(objectClass=*)" attrs="objectClass cn memberOf ipaUniqueID"
[26/Apr/2017:14:52:43.984955433 -0500] conn=19059 op=5 RESULT err=0 tag=101 nentries=1 etime=0 notes=P pr_idx=0 pr_cookie=-1
[26/Apr/2017:14:52:43.985234170 -0500] conn=19059 op=6 SRCH base="cn=sudo,dc=domain,dc=com" scope=2 filter="(&(objectClass=ipasudocmdgrp)(entryusn>=20038636))" attrs="objectClass ipaUniqueID cn member entryusn"
[26/Apr/2017:14:52:43.986861159 -0500] conn=19059 op=6 RESULT err=0 tag=101 nentries=0 etime=0 notes=P pr_idx=0 pr_cookie=-1
[26/Apr/2017:14:52:43.987119181 -0500] conn=19059 op=7 SRCH base="cn=sudo,dc=domain,dc=com" scope=2 filter="(&(objectClass=ipasudorule)(ipaEnabledFlag=TRUE)(|(!(memberHost=*))(hostCategory=ALL)(memberHost=fqdn=clienthost.domain2.com,cn=computers,cn=accounts,dc=domain,dc=com))(entryusn>=20038636))" attrs="objectClass cn ipaUniqueID ipaEnabledFlag ipaSudoOpt ipaSudoRunAs ipaSudoRunAsGroup memberAllowCmd memberDenyCmd memberHost memberUser sudoNotAfter sudoNotBefore sudoOrder cmdCategory hostCategory userCategory ipaSudoRunAsUserCategory ipaSudoRunAsGroupCategory ipaSudoRunAsExtUser ipaSudoRunAsExtGroup ipaSudoRunAsExtUserGroup entryusn"
[26/Apr/2017:14:52:43.987828298 -0500] conn=19059 op=7 RESULT err=0 tag=101 nentries=0 etime=0 notes=P pr_idx=0 pr_cookie=-1
[26/Apr/2017:14:56:53.754308324 -0500] conn=8 op=8122 MOD dn="cn=MasterCRL,ou=crlIssuingPoints,ou=ca,o=ipaca"
[26/Apr/2017:14:56:53.758231493 -0500] conn=8 op=8122 RESULT err=0 tag=103 nentries=0 etime=0
[26/Apr/2017:14:56:54.141384397 -0500] conn=17 op=5298 SRCH base="ou=sessions,ou=Security Domain,o=ipaca" scope=2 filter="(objectClass=securityDomainSessionEntry)" attrs="cn"
[26/Apr/2017:14:56:54.141558862 -0500] conn=17 op=5298 RESULT err=32 tag=101 nentries=0 etime=0
Post by Rob Crittenden
Post by Andrew Krause
Sorry for the self bump but no one has any insight on this?
Post by Andrew Krause
Many hosts in our web ui show a null status for “enrolled”. When you do a search that includes any of these host objects the web UI posts errors, and if you click on one of the problem hosts the same error stops anything from loading on the host page.
I’ve been trying to solve this problem on my own for quite some time and have not been successful. It’s impossible to remove the host through the web UI and using CLI commands seem to remove the entry from IPA (host is not found with ipa host-find), but it is still visible in the UI. One thing that may be common with all of these hosts is that they were enrolled with our IPA system back while we were running version 3.0 and likely have had issues for quite some time. Multiple updates have happened since then, and all of our hosts added within the last year are working fine. I suspect there’s an issue with a path somewhere for a certificate database, but I’m unable to pinpoint what is going wrong.
It should not be possible to have different views in the UI and the CLI
since they make the same backend calls. What you'd want to do, hopefully
on a semi-quiet system, is to do a host-find on the CLI and then list
all hosts in the UI and compare the logs in /var/log/httpd/error_log and
look at the LDAP queries in /var/log/dirsrv/slapd-REALM/access (this is
a buffered log so be patient).
They should be doing more or less the exact same set of queries.
Very doubtful that this has anything to do with certs. Anything on the
client would be completely separate from what is on the server.
One thing you may be seeing though is that in 3.0 clients a host
certificate was obtained for it. This was dropped with 4.0, but it
wouldn't affect any visibility on the server.
rob
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.o
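The comparison Rob describes above (CLI host-find versus UI host listing, then read the dirsrv access log) comes down to pairing each request line with its RESULT line by conn/op, spotting the ones that returned an error or ran unindexed, and diffing what two connections asked for. The script below is an added example, not code from this thread or from FreeIPA. Its sample input is a shortened copy of the access-log lines posted above plus one constructed pair (conn=19059 op=6 carrying notes=U) so the unindexed-search check has something to find; connection numbers 4 and 19059 are simply the two connections present in that sample, not a claim about which one is the CLI and which the UI.

```python
"""Pair request and RESULT lines of a 389-ds (dirsrv) access log, report the
operations that failed or ran unindexed, and diff the queries of two
connections.  Added example; not code from the thread or from FreeIPA."""
import re

# Constructed sample: shortened copies of lines posted in the thread, plus one
# constructed pair (conn=19059 op=6, notes=U) to exercise the unindexed check.
SAMPLE_LOG = """\
[26/Apr/2017:14:52:43.964567590 -0500] conn=4 op=33446 SRCH base="fqdn=clienthost.domain2.com,cn=computers,cn=accounts,dc=domain,dc=com" scope=0 filter="(objectClass=*)" attrs="objectClass cn fqdn"
[26/Apr/2017:14:52:43.964851835 -0500] conn=4 op=33446 RESULT err=0 tag=101 nentries=1 etime=0
[26/Apr/2017:14:52:43.964901338 -0500] conn=4 op=33447 SRCH base="cn=clienthost.domain2.com,cn=masters,cn=ipa,cn=etc,dc=domain,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[26/Apr/2017:14:52:43.964982222 -0500] conn=4 op=33447 RESULT err=32 tag=101 nentries=0 etime=0
[26/Apr/2017:14:52:43.965190437 -0500] conn=4 op=33448 MOD dn="fqdn=clienthost.domain2.com,cn=computers,cn=accounts,dc=domain,dc=com"
[26/Apr/2017:14:52:43.971416149 -0500] conn=4 op=33448 RESULT err=0 tag=103 nentries=0 etime=0 csn=5900fab3000000040000
[26/Apr/2017:14:52:43.982529305 -0500] conn=19059 op=3 BIND dn="" method=sasl version=3 mech=GSSAPI
[26/Apr/2017:14:52:43.983192932 -0500] conn=19059 op=3 RESULT err=0 tag=97 nentries=0 etime=0 dn="fqdn=clienthost.domain2.com,cn=computers,cn=accounts,dc=domain,dc=com"
[26/Apr/2017:14:52:43.983449296 -0500] conn=19059 op=4 SRCH base="cn=accounts,dc=domain,dc=com" scope=2 filter="(&(objectClass=ipaHost)(fqdn=clienthost.domain2.com))" attrs="objectClass cn fqdn"
[26/Apr/2017:14:52:43.984109232 -0500] conn=19059 op=4 RESULT err=0 tag=101 nentries=1 etime=0 notes=P pr_idx=0 pr_cookie=-1
[26/Apr/2017:14:52:43.985234170 -0500] conn=19059 op=6 SRCH base="cn=sudo,dc=domain,dc=com" scope=2 filter="(&(objectClass=ipasudocmdgrp)(entryusn>=20038636))" attrs="objectClass cn"
[26/Apr/2017:14:52:43.986861159 -0500] conn=19059 op=6 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
"""

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<kind>[A-Z]+)(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|[^\s,]+)')

# Standard LDAP result codes (RFC 4511) most often seen in an IPA access log.
LDAP_ERR = {0: 'success', 14: 'saslBindInProgress', 32: 'noSuchObject',
            49: 'invalidCredentials', 50: 'insufficientAccessRights',
            53: 'unwillingToPerform', 68: 'entryAlreadyExists'}


def parse_fields(rest):
    """Turn ' base="..." scope=2 filter="..."' into a dict without the quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(rest)}


def pair_operations(log_text):
    """Join each request line with its RESULT line by (conn, op), in first-seen
    order.  Lines without an op number (connection open/close) are skipped and
    requests that never got a RESULT are dropped."""
    ops = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (int(m['conn']), int(m['op']))
        rec = ops.setdefault(key, {'conn': key[0], 'op': key[1], 'kind': None,
                                   'target': '', 'filter': '', 'notes': ''})
        f = parse_fields(m['rest'])
        if m['kind'] == 'RESULT':
            rec['err'] = int(f.get('err', -1))
            rec['nentries'] = int(f.get('nentries', 0))
            rec['notes'] = f.get('notes', '')
            rec['result_dn'] = f.get('dn', '')   # on a BIND RESULT: the bound identity
        else:
            rec['kind'] = m['kind']               # SRCH, MOD, BIND, ADD, DEL, ...
            rec['target'] = f.get('base') or f.get('dn', '')
            rec['filter'] = f.get('filter', '')
    return [r for r in ops.values() if r['kind'] and 'err' in r]


def failed_operations(records):
    """RESULTs with a non-zero code.  err=14 is the intermediate round of a
    multi-step SASL/GSSAPI bind (see the three BIND ops above), not a failure."""
    return [r for r in records if r['err'] not in (0, 14)]


def unindexed_searches(records):
    """389-ds marks a search it could not serve from an index with notes=U
    (or notes=A); a common reason for a slow host listing."""
    return [r for r in records if r['kind'] == 'SRCH'
            and ('U' in r['notes'] or 'A' in r['notes'])]


def bind_identities(records):
    """conn -> DN it authenticated as, taken from the final (err=0) BIND RESULT;
    this is how to tell the CLI's connection from the web UI's."""
    return {r['conn']: r['result_dn']
            for r in records if r['kind'] == 'BIND' and r['err'] == 0}


def query_set(records, conn):
    """The (kind, base-or-dn, filter) triples issued on one connection."""
    return {(r['kind'], r['target'], r['filter'])
            for r in records if r['conn'] == conn}


def compare_connections(records, conn_a, conn_b):
    """Queries one connection issued that the other did not."""
    a, b = query_set(records, conn_a), query_set(records, conn_b)
    return sorted(a - b), sorted(b - a)


def describe(r):
    return (f"conn={r['conn']} op={r['op']} {r['kind']} {r['target'] or '-'} "
            f"-> err={r['err']} ({LDAP_ERR.get(r['err'], 'see RFC 4511')}) "
            f"nentries={r['nentries']}")


if __name__ == '__main__':
    # On a live server read the path from the reply with REALM filled in:
    #   recs = pair_operations(open('/var/log/dirsrv/slapd-REALM/access').read())
    recs = pair_operations(SAMPLE_LOG)
    print('authenticated as:', bind_identities(recs))
    for r in failed_operations(recs):
        print('FAILED   ', describe(r))
    for r in unindexed_searches(recs):
        print('UNINDEXED', describe(r), 'filter=' + r['filter'])
    only_a, only_b = compare_connections(recs, 4, 19059)
    print('only on conn 4:', *only_a, sep='\n  ')
    print('only on conn 19059:', *only_b, sep='\n  ')
```

A non-zero result is a lead, not a verdict: err=32 is LDAP noSuchObject, and in the posted log it comes from a lookup under cn=masters,cn=ipa,cn=etc, the container that holds IPA server entries, so an absent entry there for a plain client is what one would expect. The useful signal for this thread is the diff: run a host-find and a UI listing a minute apart on a quiet server, find the two connections with bind_identities, and look at what only one of them asked for.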