Hey, I set everything up as described at http://freeipa-community-portal.readthedocs.io/en/latest/deploy.html#post-installation (except I installed it on the same server as FreeIPA), but when trying to register a user, the following error occurs:
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/cherrypy/_cprequest.py", line 670, in respond
response.body = self.handler()
File "/usr/lib/python2.7/site-packages/cherrypy/lib/encoding.py", line 217, in __call__
self.body = self.oldhandler(*args, **kwargs)
File "/usr/lib/python2.7/site-packages/cherrypy/_cpdispatch.py", line 61, in __call__
return self.callable(*self.args, **self.kwargs)
File "/usr/lib/python2.7/site-packages/freeipa_community_portal/app.py", line 74, in POST
errors = user.save()
File "/usr/lib/python2.7/site-packages/freeipa_community_portal/model/user.py", line 56, in save
self._call_api()
File "/usr/lib/python2.7/site-packages/freeipa_community_portal/model/user.py", line 66, in _call_api
api_connect()
File "/usr/lib/python2.7/site-packages/freeipa_community_portal/model/__init__.py", line 47, in api_connect
api.finalize()
File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 707, in finalize
self.__do_if_not_done('load_plugins')
File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 422, in __do_if_not_done
getattr(self, name)()
File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 585, in load_plugins
for package in self.packages:
File "/usr/lib/python2.7/site-packages/ipalib/__init__.py", line 919, in packages
ipaclient.remote_plugins.get_package(self),
File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/__init__.py", line 118, in get_package
plugins = schema.get_package(server_info, client)
File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 543, in get_package
schema = Schema(client)
File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 387, in __init__
fingerprint, ttl = self._fetch(client, ignore_cache=read_failed)
File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 426, in _fetch
schema = client.forward(u'schema', **kwargs)['result']
File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1008, in forward
raise NetworkError(uri=server, error=str(e))
NetworkError: cannot connect to 'https://ipa.mueslo.de/ipa/json': (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.
This is on a freshly-installed Fedora 26 VM (KVM).
$ dnf list installed | grep -E "([^i]ipa|[^a-z]nss)"
device-mapper-multipath.x86_64 0.4.9-88.fc26 @fedora
device-mapper-multipath-libs.x86_64 0.4.9-88.fc26 @fedora
freeipa-client.x86_64 4.4.4-4.fc26 @updates
freeipa-client-common.noarch 4.4.4-4.fc26 @updates
freeipa-common.noarch 4.4.4-4.fc26 @updates
freeipa-server.x86_64 4.4.4-4.fc26 @updates
freeipa-server-common.noarch 4.4.4-4.fc26 @updates
libcrypt-nss.x86_64 2.25-7.fc26 @updates
libipa_hbac.x86_64 1.15.3-1.fc26 @updates
libsss_nss_idmap.x86_64 1.15.3-1.fc26 @updates
mod_nss.x86_64 1.0.14-3.fc26 @fedora
python-ipaddress.noarch 1.0.16-4.fc26 @fedora
python-nss.x86_64 1.0.1-1.fc26 @fedora
python2-ipaclient.noarch 4.4.4-4.fc26 @updates
python2-ipalib.noarch 4.4.4-4.fc26 @updates
python2-ipaserver.noarch 4.4.4-4.fc26 @updates
python2-libipa_hbac.x86_64 1.15.3-1.fc26 @updates
python3-iniparse.noarch 0.4-24.fc26 @fedora
sssd-ipa.x86_64 1.15.3-1.fc26 @updates
$ pip freeze | grep -E "ipa|nss"
freeipa==2.0.0a0
freeipa-community-portal==0.2
ipaclient==4.4.4
ipaddress==1.0.16
ipalib==4.4.4
ipaplatform==4.4.4
ipapython==4.4.4
python-nss==1.0.1
/var/log/krb5kdc.log:
Aug 23 17:37:44 ipa krb5kdc[1847](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.1.4: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
Aug 23 17:37:44 ipa krb5kdc[1847](info): closing down fd 11
Aug 23 17:37:44 ipa krb5kdc[1847](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.1.4: ISSUE: authtime 1503502664, etypes {rep=18 tkt=18 ses=18}, [email protected] for krbtgt/[email protected]
Aug 23 17:37:44 ipa krb5kdc[1847](info): closing down fd 11
Aug 23 17:37:44 ipa krb5kdc[1847](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.1.4: ISSUE: authtime 1503502664, etypes {rep=18 tkt=18 ses=18}, [email protected] for HTTP/[email protected]
Aug 23 17:37:44 ipa krb5kdc[1847](info): closing down fd 11
/var/log/sssd/sssd_nss.log: (full of this repeating)
(Wed Aug 23 17:56:56 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Fatal]
If I take a minimal example, e.g.
#!/usr/bin/env python2
import os
from ipalib import api

# Authenticate with the portal's service keytab rather than a user's ticket cache
os.environ['KRB5_CLIENT_KTNAME'] = "/etc/ipa/portal.keytab"

api.bootstrap(context='cli')
api.finalize()
if not api.Backend.rpcclient.isconnected():
    api.Backend.rpcclient.connect()

# Create a stage user through the JSON-RPC API
api.Command.stageuser_add(
    givenname=u'testy',
    sn=u'mctestface',
    uid=u'testymctest',
    mail=u'[email protected]')
Running this as apache works fine (now); not sure why the below happened.
Running this as root (with an admin ticket) works just fine. However, running this as apache leads to
File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 426, in _fetch
schema = client.forward(u'schema', **kwargs)['result']
File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 994, in forward
return self._call_command(command, params)
File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 975, in _call_command
return command(*params)
File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1125, in _call
return self.__request(name, args)
File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1119, in __request
raise error_class(**kw)
ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Matching credential not found (filename: /var/run/httpd/ipa/clientcaches/[email protected]))
and sometimes
File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 426, in _fetch
schema = client.forward(u'schema', **kwargs)['result']
File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1008, in forward
raise NetworkError(uri=server, error=str(e))
ipalib.errors.NetworkError: cannot connect to 'https://ipa.mueslo.de/ipa/json': (PR_END_OF_FILE_ERROR) Encountered end of file.
Happens both with ipalib/ipaclient 4.4.4 and 4.5.3. The keytab was created via ipa-getkeytab -s ipa.mueslo.de -p [email protected] -k /etc/ipa/portal.keytab.
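The krb5kdc.log excerpt above shows the chain a healthy keytab login produces (AS_REQ NEEDED_PREAUTH, then AS_REQ ISSUE for krbtgt, then TGS_REQ ISSUE for HTTP/ipa...), which is why the later NSS and ACIError failures point below the Kerberos layer. The following parser, an added example that is not part of the original issue, checks that chain for a given principal in KDC log lines of that format; the sample log and the principals portal@EXAMPLE.TEST and HTTP/ipa.example.test@EXAMPLE.TEST are constructed placeholders.

```python
import re

# Matches the AS_REQ/TGS_REQ lines of krb5kdc.log; "closing down fd" lines are skipped.
KDC_LINE = re.compile(
    r'krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) \(.*?\) (?P<ip>\S+): '
    r'(?P<status>[A-Z_]+): (?:.*?, )?(?P<client>\S+) for (?P<service>[^,\s]+)')


def parse_kdc_log(text):
    """Return one dict per request line with keys req, ip, status, client, service."""
    events = []
    for line in text.splitlines():
        m = KDC_LINE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def ticket_chain(events, client, service):
    """Report whether `client` got a TGT and then a ticket for `service`, plus any KDC failures."""
    tgt = any(e['req'] == 'AS_REQ' and e['status'] == 'ISSUE'
              and e['client'] == client and e['service'].startswith('krbtgt/')
              for e in events)
    svc = any(e['req'] == 'TGS_REQ' and e['status'] == 'ISSUE'
              and e['client'] == client and e['service'] == service
              for e in events)
    # NEEDED_PREAUTH is the normal first round trip, not a failure.
    failures = [e['status'] for e in events
                if e['client'] == client and e['status'] not in ('ISSUE', 'NEEDED_PREAUTH')]
    return {'tgt': tgt, 'service_ticket': svc, 'failures': failures}


# Constructed sample in the same layout as the log excerpt above; principals are placeholders.
SAMPLE_LOG = """\
Aug 23 17:37:44 ipa krb5kdc[1847](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.1.4: NEEDED_PREAUTH: portal@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Aug 23 17:37:44 ipa krb5kdc[1847](info): closing down fd 11
Aug 23 17:37:44 ipa krb5kdc[1847](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.1.4: ISSUE: authtime 1503502664, etypes {rep=18 tkt=18 ses=18}, portal@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Aug 23 17:37:44 ipa krb5kdc[1847](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.1.4: ISSUE: authtime 1503502664, etypes {rep=18 tkt=18 ses=18}, portal@EXAMPLE.TEST for HTTP/ipa.example.test@EXAMPLE.TEST
Aug 23 17:40:02 ipa krb5kdc[1847](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.1.4: PREAUTH_FAILED: other@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Preauthentication failed
"""

if __name__ == '__main__':
    ev = parse_kdc_log(SAMPLE_LOG)
    print(ticket_chain(ev, 'portal@EXAMPLE.TEST', 'HTTP/ipa.example.test@EXAMPLE.TEST'))
```

If both flags come back True with no failures for the portal principal, the keytab and KDC side are working and the remaining suspects are the HTTPS client (NSS) and the apache user's credential cache directory.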