#4736 kinit not working after data restored online from full or data backup.
Closed: Duplicate None Opened 9 years ago by ksiddiqu.

See the following error message:

"kinit: Generic error (see e-text) while getting initial credentials"

An AVC denial is also seen; please have a look at the snip from audit.log below.

Console output
===============
[root@dhcp207-1 ~]# ipa-backup 
Preparing backup on dhcp207-1.testrelm.test
Stopping IPA services
Backing up ipaca in TESTRELM-TEST to LDIF
Backing up userRoot in TESTRELM-TEST to LDIF
Backing up TESTRELM-TEST
Backing up files
Backed up to /var/lib/ipa/backup/ipa-full-2014-11-18-17-52-18
Starting IPA service
The ipa-backup command was successful
[root@dhcp207-1 ~]# echo xxxxxxxx|kinit admin
Password for admin@TESTRELM.TEST: 
[root@dhcp207-1 ~]# ipa user-del testuser1
------------------------
Deleted user "testuser1"
------------------------
[root@dhcp207-1 ~]# ipa-restore --data --online -p xxxxxxxx /var/lib/ipa/backup/ipa-full-2014-11-18-17-52-18/
Preparing restore from /var/lib/ipa/backup/ipa-full-2014-11-18-17-52-18/ on dhcp207-1.testrelm.test
Restoring data will overwrite existing live data. Continue to restore? [no]: yes
Each master will individually need to be re-initialized or
re-created from this one. The replication agreements on
masters running IPA 3.1 or earlier will need to be manually
re-enabled. See the man page for details.
Disabling all replication.
Starting Directory Server
Restoring from userRoot in TESTRELM-TEST
Waiting for LDIF to finish
Restoring from ipaca in TESTRELM-TEST
Waiting for LDIF to finish
The ipa-restore command was successful
[root@dhcp207-1 ~]# kdestroy -A
[root@dhcp207-1 ~]# sudo -u apache kdestroy
[root@dhcp207-1 ~]# echo xxxxxxxx|kinit admin
kinit: Generic error (see e-text) while getting initial credentials
[root@dhcp207-1 ~]#

==> /var/log/krb5kdc.log <==
Nov 18 17:57:32 dhcp207-1.testrelm.test krb5kdc[15907](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.65.207.1: LOOKING_UP_CLIENT: admin@TESTRELM.TEST for krbtgt/TESTRELM.TEST@TESTRELM.TEST, Server error
Nov 18 17:57:40 dhcp207-1.testrelm.test krb5kdc[15907](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.65.207.1: LOOKING_UP_CLIENT: host/dhcp207-1.testrelm.test@TESTRELM.TEST for krbtgt/TESTRELM.TEST@TESTRELM.TEST, Server error
Nov 18 17:57:41 dhcp207-1.testrelm.test krb5kdc[15907](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.65.207.1: LOOKING_UP_CLIENT: host/dhcp207-1.testrelm.test@TESTRELM.TEST for krbtgt/TESTRELM.TEST@TESTRELM.TEST, Server error

snip from audit.log
===================
[root@dhcp207-1 backup]# tail -f /var/log/audit/audit.log 
type=AVC msg=audit(1416320289.169:1685): avc:  denied  { open } for  pid=30607 comm="ns-slapd" path="/tmp/tmpMv04xDipa/ipa/TESTRELM-TEST-userRoot.ldif" dev="dm-1" ino=17857594 scontext=system_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1416320289.169:1685): arch=c000003e syscall=2 success=no exit=-13 a0=7f3b04001600 a1=0 a2=0 a3=7f3af63f99d0 items=0 ppid=1 pid=30607 auid=4294967295 uid=996 gid=994 euid=996 suid=996 fsuid=996 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=system_u:system_r:dirsrv_t:s0 key=(null)
type=AVC msg=audit(1416320298.353:1686): avc:  denied  { open } for  pid=30663 comm="ns-slapd" path="/tmp/tmpMv04xDipa/ipa/TESTRELM-TEST-ipaca.ldif" dev="dm-1" ino=17857592 scontext=system_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1416320298.353:1686): arch=c000003e syscall=2 success=no exit=-13 a0=7f3b200ba970 a1=0 a2=0 a3=7f3b3b6a0039 items=0 ppid=1 pid=30663 auid=4294967295 uid=996 gid=994 euid=996 suid=996 fsuid=996 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=system_u:system_r:dirsrv_t:s0 key=(null)

[root@dhcp207-1 backup]# cat /var/log/audit/audit.log |audit2allow 
#============= dirsrv_t ==============
allow dirsrv_t user_tmp_t:file open;
[root@dhcp207-1 backup]#

On restarting the ipa service after ipa-restore, saw the following in /var/log/message/:
===============================================================================
Nov 18 17:59:40 dhcp207-1 ipactl: Failed to read data from service file: Failed to get list of services to probe status!
Nov 18 17:59:40 dhcp207-1 ipactl: Configured hostname 'dhcp207-1.testrelm.test' does not match any master server in LDAP:
Nov 18 17:59:40 dhcp207-1 ipactl: No master found because of error: no such entry
Nov 18 17:59:40 dhcp207-1 ipactl: Shutting down
Nov 18 17:59:40 dhcp207-1 systemd: Stopping 389 Directory Server TESTRELM-TEST....
Nov 18 17:59:41 dhcp207-1 systemd: Stopped 389 Directory Server TESTRELM-TEST..
Nov 18 17:59:41 dhcp207-1 ipactl: Starting Directory Service
Nov 18 17:59:41 dhcp207-1 systemd: ipa.service: main process exited, code=exited, status=1/FAILURE
Nov 18 17:59:41 dhcp207-1 systemd: Failed to start Identity, Policy, Audit.
Nov 18 17:59:41 dhcp207-1 systemd: Unit ipa.service entered failed state.

Duplicate of #4712

  • kinit fails because sssd doesn't provide the user.
  • sssd doesn't provide the user because the directory server is down.
  • The directory server is down because of the mentioned AVC denial:

    [18/Nov/2014:16:00:33 +0100] - import ipaca: Could not open LDIF file "/tmp/tmpp0hqQVipa/ipa/IDM-LAB-ENG-BRQ-REDHAT-COM-ipaca.ldif", errno 13 (Permission denied)
    [18/Nov/2014:16:00:33 +0100] - import ipaca: Thread monitoring returned: -23

    [18/Nov/2014:16:00:33 +0100] - import ipaca: Aborting all Import threads...
    [18/Nov/2014:16:00:44 +0100] - import ipaca: Import threads aborted.
    [18/Nov/2014:16:00:44 +0100] - import ipaca: Closing files...
    [18/Nov/2014:16:00:44 +0100] - import ipaca: Import failed.
    [18/Nov/2014:16:02:09 +0100] - slapd shutting down - signaling operation threads - op stack size 6 max work q size 1 max work q stack size 1
    [18/Nov/2014:16:02:09 +0100] - slapd shutting down - closing down internal subsystems and plugins
    [18/Nov/2014:16:02:09 +0100] - Waiting for 4 database threads to stop
    [18/Nov/2014:16:02:09 +0100] - All database threads now stopped
    [18/Nov/2014:16:02:09 +0100] - slapd shutting down - freed 1 work q stack objects - freed 6 op stack objects
    [18/Nov/2014:16:02:09 +0100] - slapd stopped.

    time->Fri Nov 7 15:25:44 2014
    type=AVC msg=audit(1415370344.228:131): avc: denied { create } for pid=2207 comm="cp" name="CS.cfg.bak.20141107152544" scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file permissive=0


    time->Tue Nov 18 16:00:24 2014
    type=AVC msg=audit(1416322824.149:3949): avc: denied { open } for pid=16975 comm="ns-slapd" path="/tmp/tmpp0hqQVipa/ipa/IDM-LAB-ENG-BRQ-REDHAT-COM-userRoot.ldif" dev="tmpfs" ino=2709303 scontext=system_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0
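The causal chain above can be checked mechanically from the audit log. The script below is an added example for this ticket, not code from the ticket or from FreeIPA: it parses `type=AVC` records, groups them into the same `allow` form that `audit2allow` printed above, and separately flags denials where a confined daemon (here `ns-slapd` in `dirsrv_t`) was refused a file carrying a generic temp type such as `user_tmp_t`. That pattern is the diagnostic point of this bug: the LDIF was created by the restore tooling under the caller's context, so the right fix is to hand the file to the daemon with a label it may read, not to add the `allow dirsrv_t user_tmp_t:file open;` rule. The sample log text is constructed from the records quoted in this ticket, and `SHARED_TMP_TYPES` is this example's own heuristic list.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC records quoted in this ticket, plus one
# SYSCALL record to show that non-AVC lines are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1416320289.169:1685): avc:  denied  { open } for  pid=30607 comm="ns-slapd" path="/tmp/tmpMv04xDipa/ipa/TESTRELM-TEST-userRoot.ldif" dev="dm-1" ino=17857594 scontext=system_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1416320289.169:1685): arch=c000003e syscall=2 success=no exit=-13 comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=system_u:system_r:dirsrv_t:s0 key=(null)
type=AVC msg=audit(1416320298.353:1686): avc:  denied  { open } for  pid=30663 comm="ns-slapd" path="/tmp/tmpMv04xDipa/ipa/TESTRELM-TEST-ipaca.ldif" dev="dm-1" ino=17857592 scontext=system_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1415370344.228:131): avc: denied { create } for pid=2207 comm="cp" name="CS.cfg.bak.20141107152544" scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file permissive=0
"""

# Matches the fixed prefix of an AVC denial; the remainder is key=value pairs.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+"
    r"\{ (?P<perms>[^}]*)\} for\s+(?P<rest>.*)$"
)
# key=value or key="quoted value"
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Generic temp-file types. A confined daemon being refused a file of one of
# these types is, as a heuristic assumed by this example, a sign that a tool
# created the file under the caller's context instead of a type the daemon's
# policy allows it to read.
SHARED_TMP_TYPES = {"user_tmp_t", "tmp_t"}


def parse_avc(line):
    """Parse one audit.log line; return a dict for AVC denials, else None."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "perms": tuple(sorted(m.group("perms").split())),
        "comm": fields.get("comm"),
        # file denials carry path= when the inode exists, name= on create
        "path": fields.get("path") or fields.get("name"),
        # context is user:role:type:level; the type is what policy keys on
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }


def parse_log(text):
    """All AVC denial records in the given audit log text, in file order."""
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]


def summarize(records):
    """Collapse denials into audit2allow-style rule lines, one per
    (source type, target type, object class), with permissions merged."""
    rules = defaultdict(set)
    for r in records:
        rules[(r["stype"], r["ttype"], r["tclass"])].update(r["perms"])
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        p = " ".join(sorted(perms))
        if len(perms) > 1:
            p = "{ %s }" % p
        out.append("allow %s %s:%s %s;" % (stype, ttype, tclass, p))
    return out


def mislabeled_tmp_files(records):
    """Paths a confined domain was refused because they carry a generic
    temp type: candidates for relabeling or for creating them elsewhere."""
    return sorted({r["path"] for r in records if r["ttype"] in SHARED_TMP_TYPES})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_AUDIT_LOG)
    print("%d AVC denials" % len(recs))
    for rule in summarize(recs):
        print("would-be policy rule:", rule)
    for path in mislabeled_tmp_files(recs):
        print("mislabeled temp file handed to a confined daemon:", path)
```

Run it against a real log with `parse_log(open("/var/log/audit/audit.log").read())`. When `mislabeled_tmp_files` returns anything for a daemon domain, look at how the producing tool created the file before reaching for the generated `allow` rule: the rule would let the daemon read every user's temp files, which is a far wider grant than the restore needs.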

Metadata Update from @ksiddiqu:
- Issue assigned to someone
- Issue set to the milestone: 0.0 NEEDS_TRIAGE
