[Freeipa-users] Web UI unavailable after 4.4 upgrade - 400 error
Pete Fuller
2017-05-08 16:59:20 UTC
I ran the 4.4 upgrade yesterday on a group of CentOS 7 servers that are IPA replicas for my North American datacenters. All seem to have the same issue that I am now unable to connect to the web UI, with the following error in the browser:


Bad Request

Your browser sent a request that this server could not understand.
Additionally, a 400 Bad Request error was encountered while trying to use an ErrorDocument to handle the request.



The maddening thing is I can’t find any reference in the apache logs to what is generating the error and why a direct request to the UI would error.

As far as I can tell IPA is otherwise working. Logins seem to work, sudo rules are working, DNS is working.

[***@lb3 httpd]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING

I can see one file in the httpd/conf.d directory that was changed - nss.conf. I attempted reverting and that did not work.

Has anyone run upon this error?

Thanks
Rob Crittenden
2017-05-08 17:20:07 UTC
Post by Pete Fuller
I ran the 4.4 upgrade yesterday on a group of Centos7 servers that are
IPA replicas for my North American datacenters. All seem to have the
same issue that I am now unable to connect to the web UI, with the
following error in the browser…
Bad Request
Your browser sent a request that this server could not understand.
Additionally, a 400 Bad Request error was encountered while trying to
use an ErrorDocument to handle the request.
The maddening thing is I can’t find any reference in the apache logs to
what is generating the error and why a direct request to the UI would
error.
As far as I can tell IPA is otherwise working. Logins seem to work,
sudo rules are working, DNS is working.
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
I can see one file in the httpd/conf.d directory that was changed -
nss.conf. I attempted reverting and that did not work.
Has anyone run upon this error?
Does the ipa command-line tool work?

What are you seeing in the Apache error log?

rob
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info
Rob Crittenden
2017-05-08 17:43:53 UTC
Post by Pete Fuller
IPA command line seems to work. Have been able to use ipa user-find
and ipa cert-find. Can also sudo and kinit from other machines as IPA user.
Another clue here, looks like even when querying with the ipa cli tools,
I’m getting 400 errors in the access logs. The top one is obviously a
browser request. The next 4 were following a cli call to ipa user-find.
That request does respond back with users, so not sure what is failing
there. The 192.168.0.95 IP is the local ip of the IPA server itself.
192.168.51.20 - - [08/May/2017:10:31:46 -0700] "GET / HTTP/1.1" 400 347
"-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:53.0)
Gecko/20100101 Firefox/53.0"
192.168.0.95 - - [08/May/2017:10:32:40 -0700] "POST /ipa/json HTTP/1.1"
400 347
192.168.0.95 - - [08/May/2017:10:32:43 -0700] "POST /ipa/json HTTP/1.1"
400 347
192.168.0.95 - - [08/May/2017:10:33:01 -0700] "POST /ipa/json HTTP/1.1"
400 347
192.168.0.95 - - [08/May/2017:10:33:10 -0700] "POST /ipa/json HTTP/1.1"
400 347
Note that client activity (login, sudo, etc) does not go through Apache.
Only the IPA API does (so web UI and cli).

Still need to see the error log.

rob
Pete Fuller
2017-05-08 17:49:28 UTC
http error log has nothing. This is with http restart and a failed request for web ui. The request has no error. Is there a different log that I am overlooking that might have more information?


[Mon May 08 10:46:14.842162 2017] [:warn] [pid 25471] NSSSessionCacheTimeout is deprecated. Ignoring.
[Mon May 08 10:46:15.136803 2017] [auth_digest:notice] [pid 25471] AH01757: generating secret for digest authentication ...
[Mon May 08 10:46:15.137403 2017] [lbmethod_heartbeat:notice] [pid 25471] AH02282: No slotmem from mod_heartmonitor
[Mon May 08 10:46:15.137422 2017] [:warn] [pid 25471] NSSSessionCacheTimeout is deprecated. Ignoring.
[Mon May 08 10:46:15.145343 2017] [mpm_prefork:notice] [pid 25471] AH00163: Apache/2.4.6 (CentOS) mod_auth_gssapi/1.4.0 mod_auth_kerb/5.4 mod_nss/1.0.14 NSS/3.21 Basic ECC mod_wsgi/3.4 Python/2.7.5 configured -- resuming normal operations
[Mon May 08 10:46:15.145378 2017] [core:notice] [pid 25471] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Mon May 08 10:46:18.234880 2017] [:error] [pid 25476] ipa: INFO: *** PROCESS START ***
[Mon May 08 10:46:18.431700 2017] [:error] [pid 25475] ipa: INFO: *** PROCESS START **
Rob Crittenden
2017-05-08 17:57:42 UTC
Post by Pete Fuller
http error log has nothing. This is with http restart and a failed
request for web ui. The request has no error. Is there a different log
that I am overlooking that might have more information?
No.

Create /etc/ipa/server.conf with these contents:

[global]
debug = True

Restart Apache.

Try with a browser and see what gets logged, if anything.

I'd also try with the cli to compare. With the client you can add -vvv
to get a lot more client-side logging: ipa -vvv user-show admin

rob
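
When comparing the browser with the cli, the -vvv output also shows which server each request went to and what that server answered, which matters because the client can move on to another replica after a failure. The following is an added example, not part of the original thread or FreeIPA's own code: it parses a transcript in the line format that `ipa -vvv` prints on this page (`ipa: INFO: trying ...`, `reply: 'HTTP/1.1 ...'`); the hostnames and the sample transcript are constructed.

```python
import re
from collections import namedtuple

# One entry per server the client tried, with every HTTP status it got back.
Attempt = namedtuple("Attempt", "url statuses")

TRYING_RE = re.compile(r"^ipa: INFO: trying (https?://\S+)")
# The HTTP debug output prints the status line as a repr,
# e.g.  reply: 'HTTP/1.1 400 Bad Request\r\n'
REPLY_RE = re.compile(r"^reply: u?'HTTP/\d\.\d (\d{3})")

# Constructed sample transcript; hostnames are placeholders.
SAMPLE = r"""
ipa: INFO: trying https://ipa-a.example.test/ipa/json
send: u'POST /ipa/json HTTP/1.1\r\nHost: ipa-a.example.test\r\n...'
reply: 'HTTP/1.1 400 Bad Request\r\n'
header: Content-Length: 347
header: Connection: close
ipa: INFO: trying https://ipa-b.example.test/ipa/json
send: u'POST /ipa/json HTTP/1.1\r\nHost: ipa-b.example.test\r\n...'
reply: 'HTTP/1.1 200 OK\r\n'
header: Content-Type: application/json
"""


def parse_attempts(transcript):
    """Return the servers tried, in order, with the statuses each returned."""
    attempts = []
    for raw in transcript.splitlines():
        line = raw.strip()
        m = TRYING_RE.match(line)
        if m:
            attempts.append(Attempt(m.group(1), []))
            continue
        m = REPLY_RE.match(line)
        if m and attempts:
            # A reply belongs to the most recent "trying" line.
            attempts[-1].statuses.append(int(m.group(1)))
    return attempts


def summarize(attempts):
    """Report which server answered and whether that hid a failing one."""
    def served(attempt):
        return any(200 <= s < 300 for s in attempt.statuses)

    answered_by = next((a.url for a in attempts if served(a)), None)
    rejected = [(a.url, a.statuses)
                for a in attempts if a.statuses and not served(a)]
    # Failover: a result came back, but not from the first server tried.
    failover = answered_by is not None and answered_by != attempts[0].url
    return {"answered_by": answered_by,
            "rejected": rejected,
            "failover": failover}


if __name__ == "__main__":
    report = summarize(parse_attempts(SAMPLE))
    for url, statuses in report["rejected"]:
        print("rejected by %s: %s" % (url, statuses))
    print("answered by: %s" % report["answered_by"])
    if report["failover"]:
        print("the command succeeded only after falling back to another server")
```
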
Pete Fuller
2017-05-08 18:16:07 UTC
From the cli - it looks like the answers I’m getting are actually coming from one of my non-upgraded servers. The window for those servers is later tonight. The request gets denied on the localhost it seems.

(Lb3 is the local server. Ipa11 is an offsite server that has not been upgraded)

[***@lb3 ~]$ ipa -vvv user-show admin
ipa: INFO: trying https://lb3.sac.3si/ipa/json
ipa: INFO: Request: {
"id": 0,
"method": "ping",
"params": [
[],
{}
]
}
send: u'POST /ipa/json HTTP/1.1\r\nHost: lb3.sac.3si\r\nAccept-Encoding: gzip\r\nAccept-Language: en-us\r\nReferer: https://lb3.sac.3si/ipa/xml\r\nAuthorization: negotiate YIICRwYJKoZIhvcSAQICAQBuggI2MIICMqADAgEFoQMCAQ6iBwMFACAAAACjggFMYYIBSDCCAUSgAwIBBaEJGwdTQUMuM1NJoh4wHKADAgEDoRUwExsESFRUUBsLbGIzLnNhYy4zc2mjggEQMIIBDKADAgESoQMCAQKigf8Egfw9Y4DEIZmX3gITIPK11rvcTf0HhPKGCAEsHKQCUTxQp1eXXl8b5vDJ/0eN6aKq23jlNcQAA4OmHLj87I/uJc4EtcXIBmFIisPr5rEIf/6haUtALoL0OJKBIbITpWDB+2IwXobDHA2/IS6TUsZx2yAseJdL4z+q6H0NfuPh3dvFmlYkY6YavX/ZG98J8IrcIqolX5YDCWBqncHZolZXbfhVCLuO9q++F+dzv6OlKLkVg0g3RTd6qkpZvy+6UyhctDbpWXB2J3oN5kkb9tqsZnG7Z/1mOUqiBVaEYKkm0jEKOVm8b1uIDeLF3vMIWli6hCnwGxW47JseV+EjGsekgcwwgcmgAwIBEqKBwQSBvgcl6IIwRu2/C0xB8WFgRQ3VfBdFwL4HtdnyOPCIx8eIHfcL6yyVvUJDMWXF9Pn7K6oDHGzKSFCVJilubuywBIhWBa/fbElFVcNfho6kGjrGZZuXGM25y28xenEFSoN6PKjl81N92gjlRdLo1QZ4YkxO9Re278sCJ8QwVb9jj7lZsJoVlut+lF0LVfgJ9AIzgmtGBBeyTNVPAcLwIDAlM7zSxTYwlOsEV8SFyrA0RSr90HrELQpotUYVeL6CgGo=\r\nUser-Agent: xmlrpclib.py/1.0.1 (by www.pythonware.com)\r\nContent-Type: application/json\r\nContent-Length: 47\r\n\r\n{"params": [[], {}], "method": "ping", "id": 0}'
reply: 'HTTP/1.1 400 Bad Request\r\n'
header: Date: Mon, 08 May 2017 18:04:19 GMT
header: Server: Apache/2.4.6 (CentOS) mod_auth_gssapi/1.4.0 mod_auth_kerb/5.4 mod_nss/1.0.14 NSS/3.21 Basic ECC mod_wsgi/3.4 Python/2.7.5
header: Content-Length: 347
header: Connection: close
header: Content-Type: text/html; charset=iso-8859-1
ipa: INFO: trying https://ipa11.be.3si/ipa/json
ipa: INFO: Request: {
"id": 0,
"method": "ping",
"params": [
[],
{}
]
}



Not seeing much in the http logs

[Mon May 08 10:59:12.855952 2017] [mpm_prefork:notice] [pid 25471] AH00170: caught SIGWINCH, shutting down gracefully
[Mon May 08 10:59:14.776824 2017] [suexec:notice] [pid 26007] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Mon May 08 10:59:14.777094 2017] [:warn] [pid 26007] NSSSessionCacheTimeout is deprecated. Ignoring.
[Mon May 08 10:59:15.044478 2017] [auth_digest:notice] [pid 26007] AH01757: generating secret for digest authentication ...
[Mon May 08 10:59:15.045068 2017] [lbmethod_heartbeat:notice] [pid 26007] AH02282: No slotmem from mod_heartmonitor
[Mon May 08 10:59:15.045085 2017] [:warn] [pid 26007] NSSSessionCacheTimeout is deprecated. Ignoring.
[Mon May 08 10:59:15.053163 2017] [mpm_prefork:notice] [pid 26007] AH00163: Apache/2.4.6 (CentOS) mod_auth_gssapi/1.4.0 mod_auth_kerb/5.4 mod_nss/1.0.14 NSS/3.21 Basic ECC mod_wsgi/3.4 Python/2.7.5 configured -- resuming normal operations
[Mon May 08 10:59:15.053200 2017] [core:notice] [pid 26007] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Mon May 08 10:59:15.321418 2017] [:error] [pid 26014] ipa: DEBUG: importing all plugin modules in ipaserver.plugins...
[Mon May 08 10:59:15.322362 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.aci
[Mon May 08 10:59:15.345957 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.automember
[Mon May 08 10:59:15.364950 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.automount
[Mon May 08 10:59:15.370011 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.baseldap
[Mon May 08 10:59:15.370124 2017] [:error] [pid 26014] ipa: DEBUG: ipaserver.plugins.baseldap is not a valid plugin module
[Mon May 08 10:59:15.370198 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.baseuser
[Mon May 08 10:59:15.404084 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.batch
[Mon May 08 10:59:15.404901 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.ca
[Mon May 08 10:59:15.451277 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.caacl
[Mon May 08 10:59:15.451621 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.cert
[Mon May 08 10:59:15.451817 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.certprofile
[Mon May 08 10:59:15.451978 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.config
[Mon May 08 10:59:15.462890 2017] [:error] [pid 26013] ipa: DEBUG: importing all plugin modules in ipaserver.plugins...
[Mon May 08 10:59:15.463836 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.aci
[Mon May 08 10:59:15.471193 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.delegation
[Mon May 08 10:59:15.473733 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.dns
[Mon May 08 10:59:15.487747 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.automember
[Mon May 08 10:59:15.545605 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.automount
[Mon May 08 10:59:15.551746 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.baseldap
[Mon May 08 10:59:15.551868 2017] [:error] [pid 26013] ipa: DEBUG: ipaserver.plugins.baseldap is not a valid plugin module
[Mon May 08 10:59:15.551933 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.baseuser
[Mon May 08 10:59:15.585986 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.batch
[Mon May 08 10:59:15.586780 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.ca
[Mon May 08 10:59:15.618924 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.caacl
[Mon May 08 10:59:15.619251 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.cert
[Mon May 08 10:59:15.619444 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.certprofile
[Mon May 08 10:59:15.619593 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.config
[Mon May 08 10:59:15.628108 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.delegation
[Mon May 08 10:59:15.630461 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.dns
[Mon May 08 10:59:15.638060 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.dnsserver
[Mon May 08 10:59:15.639672 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.dogtag
[Mon May 08 10:59:15.702799 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.domainlevel
[Mon May 08 10:59:15.704065 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.group
[Mon May 08 10:59:15.734874 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.hbac
[Mon May 08 10:59:15.735067 2017] [:error] [pid 26014] ipa: DEBUG: ipaserver.plugins.hbac is not a valid plugin module
[Mon May 08 10:59:15.735130 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.hbacrule
[Mon May 08 10:59:15.735438 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.hbacsvc
[Mon May 08 10:59:15.736517 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.hbacsvcgroup
[Mon May 08 10:59:15.739023 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.hbactest
[Mon May 08 10:59:15.741672 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.host
[Mon May 08 10:59:15.753983 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.hostgroup
[Mon May 08 10:59:15.754187 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.idrange
[Mon May 08 10:59:15.757489 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.idviews
[Mon May 08 10:59:15.757839 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.internal
[Mon May 08 10:59:15.761469 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.join
[Mon May 08 10:59:15.762598 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.krbtpolicy
[Mon May 08 10:59:15.763800 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.ldap2
[Mon May 08 10:59:15.764794 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.location
[Mon May 08 10:59:15.766411 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.migration
[Mon May 08 10:59:15.770396 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.dnsserver
[Mon May 08 10:59:15.771955 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.dogtag
[Mon May 08 10:59:15.775364 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.misc
[Mon May 08 10:59:15.776219 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.netgroup
[Mon May 08 10:59:15.776408 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.otp
[Mon May 08 10:59:15.776572 2017] [:error] [pid 26014] ipa: DEBUG: ipaserver.plugins.otp is not a valid plugin module
[Mon May 08 10:59:15.776635 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.otpconfig
[Mon May 08 10:59:15.777846 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.otptoken
[Mon May 08 10:59:15.783145 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.passwd
[Mon May 08 10:59:15.784323 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.permission
[Mon May 08 10:59:15.791777 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.ping
[Mon May 08 10:59:15.792052 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.pkinit
[Mon May 08 10:59:15.792211 2017] [:error] [pid 26014] ipa: DEBUG: ipaserver.plugins.pkinit is not a valid plugin module
[Mon May 08 10:59:15.792278 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.privilege
[Mon May 08 10:59:15.792476 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.pwpolicy
[Mon May 08 10:59:15.794119 2017] [:error] [pid 26014] ipa: DEBUG: Starting external process
[Mon May 08 10:59:15.794199 2017] [:error] [pid 26014] ipa: DEBUG: args=klist -V
[Mon May 08 10:59:15.799162 2017] [:error] [pid 26014] ipa: DEBUG: Process finished, return code=0
[Mon May 08 10:59:15.799259 2017] [:error] [pid 26014] ipa: DEBUG: stdout=Kerberos 5 version 1.14.1
[Mon May 08 10:59:15.799265 2017] [:error] [pid 26014]
[Mon May 08 10:59:15.799321 2017] [:error] [pid 26014] ipa: DEBUG: stderr=
[Mon May 08 10:59:15.802573 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.rabase
[Mon May 08 10:59:15.802689 2017] [:error] [pid 26014] ipa: DEBUG: ipaserver.plugins.rabase is not a valid plugin module
[Mon May 08 10:59:15.802750 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.radiusproxy
[Mon May 08 10:59:15.805507 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.realmdomains
[Mon May 08 10:59:15.809372 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.role
[Mon May 08 10:59:15.810962 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.schema
[Mon May 08 10:59:15.837359 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.domainlevel
[Mon May 08 10:59:15.838697 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.group
[Mon May 08 10:59:15.845807 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.selfservice
[Mon May 08 10:59:15.847834 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.selinuxusermap
[Mon May 08 10:59:15.848073 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.server
[Mon May 08 10:59:15.869002 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.hbac
[Mon May 08 10:59:15.869202 2017] [:error] [pid 26013] ipa: DEBUG: ipaserver.plugins.hbac is not a valid plugin module
[Mon May 08 10:59:15.869281 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.hbacrule
[Mon May 08 10:59:15.869568 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.hbacsvc
[Mon May 08 10:59:15.870643 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.hbacsvcgroup
[Mon May 08 10:59:15.873201 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.hbactest
[Mon May 08 10:59:15.875843 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.host
[Mon May 08 10:59:15.888407 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.hostgroup
[Mon May 08 10:59:15.888593 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.idrange
[Mon May 08 10:59:15.891897 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.idviews
[Mon May 08 10:59:15.892257 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.internal
[Mon May 08 10:59:15.895872 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.join
[Mon May 08 10:59:15.897012 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.krbtpolicy
[Mon May 08 10:59:15.898211 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.ldap2
[Mon May 08 10:59:15.899184 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.location
[Mon May 08 10:59:15.900768 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.migration
[Mon May 08 10:59:15.909770 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.misc
[Mon May 08 10:59:15.910620 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.netgroup
[Mon May 08 10:59:15.910806 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.otp
[Mon May 08 10:59:15.910969 2017] [:error] [pid 26013] ipa: DEBUG: ipaserver.plugins.otp is not a valid plugin module
[Mon May 08 10:59:15.911032 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.otpconfig
[Mon May 08 10:59:15.912261 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.otptoken
[Mon May 08 10:59:15.917579 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.passwd
[Mon May 08 10:59:15.918743 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.permission
[Mon May 08 10:59:15.926286 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.ping
[Mon May 08 10:59:15.926569 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.pkinit
[Mon May 08 10:59:15.926719 2017] [:error] [pid 26013] ipa: DEBUG: ipaserver.plugins.pkinit is not a valid plugin module
[Mon May 08 10:59:15.926783 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.privilege
[Mon May 08 10:59:15.926983 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.pwpolicy
[Mon May 08 10:59:15.928679 2017] [:error] [pid 26013] ipa: DEBUG: Starting external process
[Mon May 08 10:59:15.928750 2017] [:error] [pid 26013] ipa: DEBUG: args=klist -V
[Mon May 08 10:59:15.933325 2017] [:error] [pid 26013] ipa: DEBUG: Process finished, return code=0
[Mon May 08 10:59:15.933413 2017] [:error] [pid 26013] ipa: DEBUG: stdout=Kerberos 5 version 1.14.1
[Mon May 08 10:59:15.933418 2017] [:error] [pid 26013]
[Mon May 08 10:59:15.933474 2017] [:error] [pid 26013] ipa: DEBUG: stderr=
[Mon May 08 10:59:15.936616 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.rabase
[Mon May 08 10:59:15.936729 2017] [:error] [pid 26013] ipa: DEBUG: ipaserver.plugins.rabase is not a valid plugin module
[Mon May 08 10:59:15.936790 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.radiusproxy
[Mon May 08 10:59:15.939491 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.realmdomains
[Mon May 08 10:59:15.943097 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.role
[Mon May 08 10:59:15.944624 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.schema
[Mon May 08 10:59:15.978072 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.selfservice
[Mon May 08 10:59:15.980171 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.selinuxusermap
[Mon May 08 10:59:15.980410 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.server
[Mon May 08 10:59:16.249070 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.serverrole
[Mon May 08 10:59:16.250937 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.serverroles
[Mon May 08 10:59:16.251262 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.service
[Mon May 08 10:59:16.251595 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.servicedelegation
[Mon May 08 10:59:16.254904 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.session
[Mon May 08 10:59:16.256507 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.stageuser
[Mon May 08 10:59:16.258356 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.sudo
[Mon May 08 10:59:16.258539 2017] [:error] [pid 26014] ipa: DEBUG: ipaserver.plugins.sudo is not a valid plugin module
[Mon May 08 10:59:16.258602 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.sudocmd
[Mon May 08 10:59:16.259726 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.sudocmdgroup
[Mon May 08 10:59:16.261571 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.sudorule
[Mon May 08 10:59:16.269844 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.topology
[Mon May 08 10:59:16.274894 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.trust
[Mon May 08 10:59:16.286224 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.user
[Mon May 08 10:59:16.286572 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.vault
[Mon May 08 10:59:16.296978 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.virtual
[Mon May 08 10:59:16.297081 2017] [:error] [pid 26014] ipa: DEBUG: ipaserver.plugins.virtual is not a valid plugin module
[Mon May 08 10:59:16.297150 2017] [:error] [pid 26014] ipa: DEBUG: importing plugin module ipaserver.plugins.xmlserver
[Mon May 08 10:59:16.364668 2017] [:error] [pid 26014] ipa: DEBUG: SessionAuthManager.register: name=xmlserver_session_139942843997200
[Mon May 08 10:59:16.365568 2017] [:error] [pid 26014] ipa: DEBUG: SessionAuthManager.register: name=jsonserver_session_139942844019152
[Mon May 08 10:59:16.382070 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.serverrole
[Mon May 08 10:59:16.383939 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.serverroles
[Mon May 08 10:59:16.384270 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.service
[Mon May 08 10:59:16.384597 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.servicedelegation
[Mon May 08 10:59:16.387879 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.session
[Mon May 08 10:59:16.389506 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.stageuser
[Mon May 08 10:59:16.391398 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.sudo
[Mon May 08 10:59:16.391582 2017] [:error] [pid 26013] ipa: DEBUG: ipaserver.plugins.sudo is not a valid plugin module
[Mon May 08 10:59:16.391644 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.sudocmd
[Mon May 08 10:59:16.392779 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.sudocmdgroup
[Mon May 08 10:59:16.394587 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.sudorule
[Mon May 08 10:59:16.402782 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.topology
[Mon May 08 10:59:16.407910 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.trust
[Mon May 08 10:59:16.419428 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.user
[Mon May 08 10:59:16.419772 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.vault
[Mon May 08 10:59:16.430208 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.virtual
[Mon May 08 10:59:16.430311 2017] [:error] [pid 26013] ipa: DEBUG: ipaserver.plugins.virtual is not a valid plugin module
[Mon May 08 10:59:16.430372 2017] [:error] [pid 26013] ipa: DEBUG: importing plugin module ipaserver.plugins.xmlserver
[Mon May 08 10:59:16.451416 2017] [:error] [pid 26014] ipa: DEBUG: Mounting ipaserver.rpcserver.login_password() at '/session/login_password'
[Mon May 08 10:59:16.451555 2017] [:error] [pid 26014] ipa: DEBUG: session_auth_duration: 0:20:00
[Mon May 08 10:59:16.497682 2017] [:error] [pid 26013] ipa: DEBUG: SessionAuthManager.register: name=xmlserver_session_139942843997200
[Mon May 08 10:59:16.498514 2017] [:error] [pid 26013] ipa: DEBUG: SessionAuthManager.register: name=jsonserver_session_139942844019152
[Mon May 08 10:59:16.582967 2017] [:error] [pid 26013] ipa: DEBUG: Mounting ipaserver.rpcserver.login_password() at '/session/login_password'
[Mon May 08 10:59:16.583114 2017] [:error] [pid 26013] ipa: DEBUG: session_auth_duration: 0:20:00
[Mon May 08 10:59:17.103275 2017] [:error] [pid 26014] ipa: DEBUG: Mounting ipaserver.rpcserver.sync_token() at '/session/sync_token'
[Mon May 08 10:59:17.148714 2017] [:error] [pid 26014] ipa: DEBUG: Mounting ipaserver.rpcserver.change_password() at '/session/change_password'
[Mon May 08 10:59:17.234845 2017] [:error] [pid 26013] ipa: DEBUG: Mounting ipaserver.rpcserver.sync_token() at '/session/sync_token'
[Mon May 08 10:59:17.280518 2017] [:error] [pid 26013] ipa: DEBUG: Mounting ipaserver.rpcserver.change_password() at '/session/change_password'
[Mon May 08 10:59:17.397722 2017] [:error] [pid 26014] ipa: DEBUG: Mounting ipaserver.rpcserver.xmlserver_session() at '/session/xml'
[Mon May 08 10:59:17.397862 2017] [:error] [pid 26014] ipa: DEBUG: session_auth_duration: 0:20:00
[Mon May 08 10:59:17.397953 2017] [:error] [pid 26014] ipa: DEBUG: session_auth_duration: 0:20:00
[Mon May 08 10:59:17.504097 2017] [:error] [pid 26014] ipa: DEBUG: Mounting ipaserver.rpcserver.login_kerberos() at '/session/login_kerberos'
[Mon May 08 10:59:17.504234 2017] [:error] [pid 26014] ipa: DEBUG: session_auth_duration: 0:20:00
[Mon May 08 10:59:17.531236 2017] [:error] [pid 26013] ipa: DEBUG: Mounting ipaserver.rpcserver.xmlserver_session() at '/session/xml'
[Mon May 08 10:59:17.531357 2017] [:error] [pid 26013] ipa: DEBUG: session_auth_duration: 0:20:00
[Mon May 08 10:59:17.531447 2017] [:error] [pid 26013] ipa: DEBUG: session_auth_duration: 0:20:00
[Mon May 08 10:59:17.602015 2017] [:error] [pid 26014] ipa: DEBUG: Mounting ipaserver.rpcserver.login_x509() at '/session/login_x509'
[Mon May 08 10:59:17.602158 2017] [:error] [pid 26014] ipa: DEBUG: session_auth_duration: 0:20:00
[Mon May 08 10:59:17.638029 2017] [:error] [pid 26013] ipa: DEBUG: Mounting ipaserver.rpcserver.login_kerberos() at '/session/login_kerberos'
[Mon May 08 10:59:17.638166 2017] [:error] [pid 26013] ipa: DEBUG: session_auth_duration: 0:20:00
[Mon May 08 10:59:17.665313 2017] [:error] [pid 26014] ipa: DEBUG: Mounting ipaserver.rpcserver.xmlserver() at '/xml'
[Mon May 08 10:59:17.665430 2017] [:error] [pid 26014] ipa: DEBUG: session_auth_duration: 0:20:00
[Mon May 08 10:59:17.736510 2017] [:error] [pid 26013] ipa: DEBUG: Mounting ipaserver.rpcserver.login_x509() at '/session/login_x509'
[Mon May 08 10:59:17.736656 2017] [:error] [pid 26013] ipa: DEBUG: session_auth_duration: 0:20:00
[Mon May 08 10:59:17.737976 2017] [:error] [pid 26014] ipa: DEBUG: Mounting ipaserver.rpcserver.jsonserver_session() at '/session/json'
[Mon May 08 10:59:17.738089 2017] [:error] [pid 26014] ipa: DEBUG: session_auth_duration: 0:20:00
[Mon May 08 10:59:17.799767 2017] [:error] [pid 26013] ipa: DEBUG: Mounting ipaserver.rpcserver.xmlserver() at '/xml'
[Mon May 08 10:59:17.799902 2017] [:error] [pid 26013] ipa: DEBUG: session_auth_duration: 0:20:00
[Mon May 08 10:59:17.800287 2017] [:error] [pid 26014] ipa: DEBUG: Mounting ipaserver.rpcserver.jsonserver_kerb() at '/json'
[Mon May 08 10:59:17.800404 2017] [:error] [pid 26014] ipa: DEBUG: session_auth_duration: 0:20:00
[Mon May 08 10:59:17.872938 2017] [:error] [pid 26013] ipa: DEBUG: Mounting ipaserver.rpcserver.jsonserver_session() at '/session/json'
[Mon May 08 10:59:17.873074 2017] [:error] [pid 26013] ipa: DEBUG: session_auth_duration: 0:20:00
[Mon May 08 10:59:17.935616 2017] [:error] [pid 26013] ipa: DEBUG: Mounting ipaserver.rpcserver.jsonserver_kerb() at '/json'
[Mon May 08 10:59:17.935746 2017] [:error] [pid 26013] ipa: DEBUG: session_auth_duration: 0:20:00
[Mon May 08 10:59:18.179768 2017] [:error] [pid 26014] ipa: INFO: *** PROCESS START ***
[Mon May 08 10:59:18.313005 2017] [:error] [pid 26013] ipa: INFO: *** PROCESS START ***
Post by Rob Crittenden
Post by Pete Fuller
http error log has nothing. This is with http restart and a failed
request for web ui. The request has no error. Is there a different log
that I am overlooking that might have more information?
No.
[global]
debug = True
Restart Apache.
Try with a browser and see what gets logged, if anything.
I'd also try with the cli to compare. With the client you can add -vvv
to get a lot more client-side logging: ipa -vvv user-show admin
rob
Post by Pete Fuller
[Mon May 08 10:46:14.842162 2017] [:warn] [pid 25471]
NSSSessionCacheTimeout is deprecated. Ignoring.
[Mon May 08 10:46:15.136803 2017] [auth_digest:notice] [pid 25471]
AH01757: generating secret for digest authentication ...
[Mon May 08 10:46:15.137403 2017] [lbmethod_heartbeat:notice] [pid
25471] AH02282: No slotmem from mod_heartmonitor
[Mon May 08 10:46:15.137422 2017] [:warn] [pid 25471]
NSSSessionCacheTimeout is deprecated. Ignoring.
[Mon May 08 10:46:15.145343 2017] [mpm_prefork:notice] [pid 25471]
AH00163: Apache/2.4.6 (CentOS) mod_auth_gssapi/1.4.0 mod_auth_kerb/5.4
mod_nss/1.0.14 NSS/3.21 Basic ECC mod_wsgi/3.4 Python/2.7.5 configured
-- resuming normal operations
Command line: '/usr/sbin/httpd -D FOREGROUND'
[Mon May 08 10:46:18.234880 2017] [:error] [pid 25476] ipa: INFO: *** PROCESS START ***
[Mon May 08 10:46:18.431700 2017] [:error] [pid 25475] ipa: INFO: *** PROCESS START **
Post by Rob Crittenden
IPA command line seems to work. Have been able to use ipa user-find
and ipa cert-find. Can also sudo and kinit from other machines as IPA user.
Another clue here, looks like even when querying with the ipa cli tools,
I’m getting 400 errors in the access logs. The top one is obviously a
browser request. The next 4 were following a cli call to ipa user-find.
That request does respond back with users, so not sure what is failing
there. The 192.168.0.95 IP is the local ip of the IPA server itself.
192.168.51.20 - - [08/May/2017:10:31:46 -0700] "GET / HTTP/1.1" 400 347
"-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:53.0)
Gecko/20100101 Firefox/53.0"
192.168.0.95 - - [08/May/2017:10:32:40 -0700] "POST /ipa/json HTTP/1.1"
400 347
192.168.0.95 - - [08/May/2017:10:32:43 -0700] "POST /ipa/json HTTP/1.1"
400 347
192.168.0.95 - - [08/May/2017:10:33:01 -0700] "POST /ipa/json HTTP/1.1"
400 347
192.168.0.95 - - [08/May/2017:10:33:10 -0700] "POST /ipa/json HTTP/1.1"
400 347
Note that client activity (login, sudo, etc) does not go through Apache.
Only the IPA API does (so web UI and cli).
Still need to see the error log.
rob
Post by Rob Crittenden
Post by Pete Fuller
I ran the 4.4 upgrade yesterday on a group of Centos7 servers that are
IPA replicas for my North American datacenters. All seem to have the
same issue that I am now unable to connect to the web UI, with the
following error in the browser

Bad Request
Your browser sent a request that this server could not understand.
Additionally, a 400 Bad Request error was encountered while trying to
use an ErrorDocument to handle the request.
The maddening thing is I can’t find any reference in the apache logs to
what is generating the error and why a direct request to the UI would
error.
As far as I can tell IPA is otherwise working. Logins seem to work,
sudo rules are working, DNS is working.
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
I can see one file in the httpd/conf.d directory that was changed -
nss.conf. I attempted reverting and that did not work.
Has anyone run upon this error?
Does the ipa command-line tool work?
What are you seeing in the Apache error log?
rob
Rob Crittenden
2017-05-09 18:18:03 UTC
Permalink
From the cli - it looks like the answers I’m getting are actually coming
from one of my non-upgraded servers. The window for those servers is
later tonight. The request gets denied on the localhost it seems.
(Lb3 is the local server. Ipa11 is offsite server that has not been upgraded)
It is getting a 400 from lb3 so falling back to ipa11.

I'm not sure why Apache is throwing the 400. It sure seems like it is
failing before it gets to IPA though given that nothing is logged. You
can try setting LogLevel debug in /etc/httpd/conf.d/nss.conf and
restarting to get additional debug logging out of Apache, that might
provide some insight.

Or you can diff the working and non-working ipa* conf files in
/etc/httpd/conf.d.

rob
ipa: INFO: trying https://lb3.sac.3si/ipa/json
ipa: INFO: Request: {
"id": 0,
"method": "ping",
"params": [
[],
{}
]
}
https://lb3.sac.3si/ipa/xml\r\nAuthorization: negotiate
xmlrpclib.py/1.0.1 (by www.pythonware.com
application/json\r\nContent-Length: 47\r\n\r\n{"params": [[], {}],
"method": "ping", "id": 0}'
reply: 'HTTP/1.1 400 Bad Request\r\n'
header: Date: Mon, 08 May 2017 18:04:19 GMT
header: Server: Apache/2.4.6 (CentOS) mod_auth_gssapi/1.4.0
mod_auth_kerb/5.4 mod_nss/1.0.14 NSS/3.21 Basic ECC mod_wsgi/3.4
Python/2.7.5
header: Content-Length: 347
header: Connection: close
header: Content-Type: text/html; charset=iso-8859-1
ipa: INFO: trying https://ipa11.be.3si/ipa/json
ipa: INFO: Request: {
"id": 0,
"method": "ping",
"params": [
[],
{}
]
}
Not seeing much in the http logs
[Mon May 08 10:59:12.855952 2017] [mpm_prefork:notice] [pid 25471]
AH00170: caught SIGWINCH, shutting down gracefully
suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Mon May 08 10:59:14.777094 2017] [:warn] [pid 26007]
NSSSessionCacheTimeout is deprecated. Ignoring.
[Mon May 08 10:59:15.044478 2017] [auth_digest:notice] [pid 26007]
AH01757: generating secret for digest authentication ...
[Mon May 08 10:59:15.045068 2017] [lbmethod_heartbeat:notice] [pid
26007] AH02282: No slotmem from mod_heartmonitor
[Mon May 08 10:59:15.045085 2017] [:warn] [pid 26007]
NSSSessionCacheTimeout is deprecated. Ignoring.
[Mon May 08 10:59:15.053163 2017] [mpm_prefork:notice] [pid 26007]
AH00163: Apache/2.4.6 (CentOS) mod_auth_gssapi/1.4.0 mod_auth_kerb/5.4
mod_nss/1.0.14 NSS/3.21 Basic ECC mod_wsgi/3.4 Python/2.7.5 configured
-- resuming normal operations
Command line: '/usr/sbin/httpd -D FOREGROUND'
[Mon May 08 10:59:18.179768 2017] [:error] [pid 26014] ipa: INFO: *** PROCESS START ***
[Mon May 08 10:59:18.313005 2017] [:error] [pid 26013] ipa: INFO: *** PROCESS START ***
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.or
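Rob's suggestion above to diff the working and non-working ipa* conf files in /etc/httpd/conf.d, sketched as an added example that is not part of the original thread. It assumes each server's conf.d has been copied into a local directory; the function names are hypothetical and every file content is a constructed sample, not real FreeIPA configuration.

```shell
#!/bin/sh
# Added example: compare Apache conf.d copies from a working and a failing server.
# Function names are hypothetical; sample file contents are constructed.

# Print only the effective directives of one Apache config file: join
# backslash-continued lines, trim and collapse whitespace, drop blank lines and
# comment lines (Apache treats '#' as a comment only at the start of a line).
normalize_conf() {
    awk '
        { line = buf $0; buf = "" }
        line ~ /\\$/ { sub(/\\$/, " ", line); buf = line; next }
        {
            gsub(/^[ \t]+|[ \t]+$/, "", line)
            gsub(/[ \t]+/, " ", line)
            if (line == "" || line ~ /^#/) next
            print line
        }
    ' "$1"
}

# List the names of ipa*.conf and nss.conf found in any of the given directories.
list_conf_names() {
    for d in "$@"; do
        for f in "$d"/ipa*.conf "$d"/nss.conf; do
            if [ -f "$f" ]; then basename "$f"; fi
        done
    done | sort -u
}

# Diff normalized directives file by file. Prints a unified diff for each
# differing file and a summary line; returns 0 if nothing differs, 1 otherwise.
compare_conf_dirs() {
    good=$1; bad=$2; changed=0
    tmp=$(mktemp -d) || return 2
    for name in $(list_conf_names "$good" "$bad"); do
        # A file missing on one side is compared against an empty file.
        if [ -f "$good/$name" ]; then normalize_conf "$good/$name"; fi > "$tmp/good"
        if [ -f "$bad/$name" ]; then normalize_conf "$bad/$name"; fi > "$tmp/bad"
        if ! diff -u "$tmp/good" "$tmp/bad" > "$tmp/out"; then
            changed=$((changed + 1))
            echo "== $name"
            sed '1,2d' "$tmp/out"   # drop the header lines naming the temp files
        fi
    done
    rm -rf "$tmp"
    echo "$changed file(s) differ"
    [ "$changed" -eq 0 ]
}

# Constructed sample directories: "good" stands for the server that still
# answers, "bad" for the one returning 400.
make_sample_dirs() {
    mkdir -p "$1/good" "$1/bad"
    printf '%s\n' '# constructed sample' 'KeepAlive On' 'Timeout 60' > "$1/good/ipa.conf"
    printf '%s\n' 'KeepAlive   On' '# Timeout 60' 'Timeout 120' > "$1/bad/ipa.conf"
    # Differs only in whitespace and comments, so it must not be reported.
    printf '%s\n' 'NSSEngine on' 'NSSSessionCacheTimeout 100' > "$1/good/nss.conf"
    printf '%s\n' '  NSSEngine on' '' '# LogLevel debug' 'NSSSessionCacheTimeout 100' > "$1/bad/nss.conf"
    # Present on one side only.
    printf '%s\n' 'RewriteEngine on' > "$1/good/ipa-rewrite.conf"
}

root=$(mktemp -d)
make_sample_dirs "$root"
compare_conf_dirs "$root/good" "$root/bad" || true
rm -rf "$root"
```

Normalizing first keeps comment-only and whitespace-only edits out of the diff, so what remains are directives that actually changed or files that exist on only one server.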
Per Qvindesland
2017-05-08 17:24:41 UTC
Permalink
Tried with another browser? 400 normally means an issue with cookies or cache.

Sent from my Commodore 64
Pete Fuller
2017-05-08 17:36:59 UTC
Permalink
That was my first thought too. Tried with different browsers, in incognito, etc.
Post by Per Qvindesland
Tried with another browser? 400 normally means an issue with cookies or cache.
Sent from my Commodore 64