When installing a replica from a current master branch, the following series of tracebacks can be seen in certmonger journal output:
Mar 13 16:11:45 replica1.ipa.test systemd[1]: Started Certificate monitoring and PKI enrollment.
Mar 13 16:12:03 replica1.ipa.test dogtag-ipa-ca-renew-agent-submit[7890]: Traceback (most recent call last):
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 550, in <module>
    sys.exit(main())
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 520, in main
    api.Backend.ldap2.connect()
  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 205, in create_connection
    principal = krb_utils.get_principal(ccache_name=ccache)
  File "/usr/lib/python2.7/site-packages/ipalib/krb_utils.py", line 171, in get_principal
    raise errors.CCacheError(message=unicode(e))
CCacheError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639053): No Kerberos credentials available (default cach
Mar 13 16:12:03 replica1.ipa.test dogtag-ipa-ca-renew-agent-submit[7887]: Traceback (most recent call last):
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 550, in <module>
    sys.exit(main())
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 520, in main
    api.Backend.ldap2.connect()
  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 205, in create_connection
    principal = krb_utils.get_principal(ccache_name=ccache)
  File "/usr/lib/python2.7/site-packages/ipalib/krb_utils.py", line 171, in get_principal
    raise errors.CCacheError(message=unicode(e))
CCacheError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639053): No Kerberos credentials available (default cach
Mar 13 16:12:03 replica1.ipa.test dogtag-ipa-ca-renew-agent-submit[7889]: Traceback (most recent call last):
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 550, in <module>
    sys.exit(main())
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 520, in main
    api.Backend.ldap2.connect()
  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 205, in create_connection
    principal = krb_utils.get_principal(ccache_name=ccache)
  File "/usr/lib/python2.7/site-packages/ipalib/krb_utils.py", line 171, in get_principal
    raise errors.CCacheError(message=unicode(e))
CCacheError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639053): No Kerberos credentials available (default cach
Mar 13 16:12:03 replica1.ipa.test dogtag-ipa-ca-renew-agent-submit[7888]: Traceback (most recent call last):
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 550, in <module>
    sys.exit(main())
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 520, in main
    api.Backend.ldap2.connect()
  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 205, in create_connection
    principal = krb_utils.get_principal(ccache_name=ccache)
  File "/usr/lib/python2.7/site-packages/ipalib/krb_utils.py", line 171, in get_principal
    raise errors.CCacheError(message=unicode(e))
CCacheError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639053): No Kerberos credentials available (default cach
Mar 13 16:12:03 replica1.ipa.test dogtag-ipa-ca-renew-agent-submit[7894]: Traceback (most recent call last):
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 550, in <module>
    sys.exit(main())
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 520, in main
    api.Backend.ldap2.connect()
  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 205, in create_connection
    principal = krb_utils.get_principal(ccache_name=ccache)
  File "/usr/lib/python2.7/site-packages/ipalib/krb_utils.py", line 171, in get_principal
    raise errors.CCacheError(message=unicode(e))
CCacheError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639053): No Kerberos credentials available (default cach
Mar 13 16:12:03 replica1.ipa.test dogtag-ipa-ca-renew-agent-submit[7893]: Traceback (most recent call last):
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 550, in <module>
    sys.exit(main())
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 520, in main
    api.Backend.ldap2.connect()
  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 205, in create_connection
    principal = krb_utils.get_principal(ccache_name=ccache)
It may be that these messages are actually harmless since in the end the certificate requests are successfully resolved, but it may be more helpful to catch these exceptions and log them as soft errors.
Relevant software versions.
[root@replica1 ~]# rpm -q freeipa-server gssproxy
freeipa-server-4.4.90.dev201703131430+git5758f8a-0.fc25.x86_64
gssproxy-0.7.0-1.fc25.x86_64
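A triage helper for journal output like the excerpt above, added here as an example and not part of the original report or of FreeIPA's code: it groups the helper's tracebacks by exception, GSS major/minor codes and innermost function, so a burst of identical failures reads as one finding. The function names and the shortened sample are constructed for illustration.

```python
import re
from collections import defaultdict

# Syslog-style prefix that opens every journal record: time, host, unit[pid].
PREFIX = re.compile(r"(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) ([\w.-]+)\[(\d+)\]: ")
FRAME = re.compile(r'File "([^"]+)", line (\d+), in (\S+)')
EXC = re.compile(r"\b(\w+(?:Error|Exception)): ")
GSS = re.compile(r"Major \((\d+)\).*?Minor \((\d+)\)", re.S)

def parse_records(text):
    """Split journal text (line-broken or run together) into records."""
    marks = list(PREFIX.finditer(text))
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        yield {"unit": m.group(3), "pid": int(m.group(4)),
               "msg": text[m.end():end].strip()}

def summarize_tracebacks(text):
    """Group traceback records by failure signature: {signature: [pids]}."""
    groups = defaultdict(list)
    for rec in parse_records(text):
        if "Traceback (most recent call last):" not in rec["msg"]:
            continue
        frames = FRAME.findall(rec["msg"])
        exc = EXC.search(rec["msg"])
        gss = GSS.search(rec["msg"])
        signature = (
            rec["unit"],
            exc.group(1) if exc else "<truncated>",  # cut before exception line
            tuple(map(int, gss.groups())) if gss else None,  # (major, minor)
            frames[-1][2] if frames else None,  # innermost function
        )
        groups[signature].append(rec["pid"])
    return dict(groups)

# Constructed sample in the shape of the excerpt above (frames shortened).
TB = ('Mar 13 16:12:03 replica1.ipa.test dogtag-ipa-ca-renew-agent-submit[%d]: '
      'Traceback (most recent call last): '
      'File "/usr/lib/python2.7/site-packages/ipalib/krb_utils.py", line 171, '
      'in get_principal raise errors.CCacheError(message=unicode(e)) ')
ERR = ('CCacheError: Major (851968): Unspecified GSS failure. Minor code may '
       'provide more information, Minor (2529639053): No Kerberos credentials '
       'available (default cach ')
SAMPLE = ('Mar 13 16:11:45 replica1.ipa.test systemd[1]: Started Certificate '
          'monitoring and PKI enrollment. ' + TB % 7890 + ERR + TB % 7887 + ERR
          + TB % 7893)
if __name__ == "__main__":
    for sig, pids in summarize_tracebacks(SAMPLE).items():
        print(len(pids), "x", sig, pids)
```

Records cut off before their exception line, like the last one in the excerpt, are kept under a separate `<truncated>` signature rather than being merged into the complete ones.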
Metadata Update from @jcholast: - Issue assigned to jcholast
Metadata Update from @pvoborni: - Issue priority set to: 1 - Issue set to the milestone: FreeIPA 4.5.1 - Issue tagged with: regression
Metadata Update from @pvoborni: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1435611
Issue linked to bug 1435611
master:
a6a89e2 renew agent, restart scripts: connect to LDAP after kinit
ipa-4-5:
3a3cd01 dsinstance: reconnect ldap2 after DS is restarted by certmonger
Metadata Update from @mbabinsk: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Metadata Update from @stlaz: - Issue status updated to: Open (was: Closed)
https://pagure.io/freeipa/c/181cb94e744c380a823b94d0d5ca088ab3dcca1c breaks server installation with external CA, fix is in https://github.com/freeipa/freeipa/pull/719
Metadata Update from @stlaz: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/719
ipa-4-5:
Metadata Update from @jcholast: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)