FreeIPA (3): common errors

1) ipa user-xxx commands fail

ipa: ERROR: did not receive Kerberos credentials

Solution: run kinit admin again.


2) ipa-client-install fails

LDAP Error: Connect error: TLS error -8054:You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.

Solution: delete /etc/ipa/ca.crt and run it again.


3) When an ordinary user logs in on the ovirt-engine web UI, the error "not authorized to perform this action" appears

Solution: the admin user must first assign a virtual machine to the ordinary user; only then can that user log in.


4) In the ovirt-engine admin portal, searching for users in a given domain when adding a user returns nothing (or an existing user cannot log in and gets "login failed")

The engine log shows:

2015-01-10 17:55:14,864 ERROR [org.ovirt.engine.core.bll.adbroker.GetRootDSE] (ajp--127.0.0.1-8702-9) Failed to query rootDSE for LDAP server ldap://test.com:389 due to test.com:389
2015-01-10 17:55:14,865 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (ajp--127.0.0.1-8702-9) Failed ldap search server ldap://test.com:389 using user user1@TEST.COM due to javax.naming.CommunicationException: test.com:389 [Root exception is java.net.UnknownHostException: test.com]. We should try the next server
2015-01-10 17:55:14,865 ERROR [org.ovirt.engine.core.bll.adbroker.LdapAuthenticateUserCommand] (ajp--127.0.0.1-8702-9) Failed authenticating user: user1 to domain test.com. Ldap Query Type is getUserByName
2015-01-10 17:55:14,866 INFO  [org.ovirt.engine.core.bll.LoginBaseCommand] (ajp--127.0.0.1-8702-9) Cant login user "user1" with authentication profile "test.com" because the authentication failed.
2015-01-10 17:55:14,878 INFO  [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-9) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User user1 failed to log in.
The cause is "Root exception is java.net.UnknownHostException: test.com": check that the engine node's DNS configuration points at the DNS server specified by ipa-server, then restart the engine.


5) ipa-client-install fails

User authorized to enroll computers: admin
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Password for admin@TEST.COM:
Joining realm failed: HTTP response code is 500, not 200

Installation failed. Rolling back changes.
IPA client is not configured on this system.
Cause: LDAP has SASL enabled, which requires DNS to reverse-resolve the ipa-client's IP address; if it cannot, the LDAP connection fails and ipa-join fails in turn.

Solution: after reinstalling the IPA server the problem disappeared. I don't know why.

In addition, according to the documentation, there are two more options:

1) Disable the LDAP SASL protocol by changing the option in ldap.conf or in the global settings. Tested: this did not work.

2) Configure reverse DNS resolution for the client in the IPA web UI; this also fixes the problem. Note that you do not edit named's zone file directly; instead you add the zone and record (into LDAP) through the IPA web UI or CLI, and named periodically (every 30 s) polls the LDAP data to update its own zone data. This method has not been tested yet.
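Items 4 and 5 above both come down to name resolution: the engine log names the host it could not resolve, and the client's IP must reverse-resolve to its FQDN before the SASL bind to LDAP inside ipa-join can succeed. The following Python is an added example, not code from the original post or from FreeIPA; it extracts the unresolvable host from engine log lines (a constructed sample copied from the excerpt above) and checks forward/reverse consistency through the system resolver.

```python
"""Forward/reverse DNS check behind items 4 and 5 (added example, not code
from the original post).  The engine log in item 4 names the host it could
not resolve ("Root exception is java.net.UnknownHostException: test.com");
item 5 needs the client's IP to reverse-resolve to its FQDN before the
SASL bind to LDAP inside ipa-join can succeed.  ENGINE_LOG is a constructed
sample copied from the excerpt above."""
import re
import socket

ENGINE_LOG = """\
2015-01-10 17:55:14,864 ERROR [org.ovirt.engine.core.bll.adbroker.GetRootDSE] (ajp--127.0.0.1-8702-9) Failed to query rootDSE for LDAP server ldap://test.com:389 due to test.com:389
2015-01-10 17:55:14,865 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (ajp--127.0.0.1-8702-9) Failed ldap search server ldap://test.com:389 using user user1@TEST.COM due to javax.naming.CommunicationException: test.com:389 [Root exception is java.net.UnknownHostException: test.com]. We should try the next server
"""

UNKNOWN_HOST = re.compile(r"java\.net\.UnknownHostException: ([\w.-]+)")

def unresolved_hosts(log_text):
    """Hosts the engine reported as unresolvable, deduplicated, in order."""
    hosts = []
    for match in UNKNOWN_HOST.finditer(log_text):
        if match.group(1) not in hosts:
            hosts.append(match.group(1))
    return hosts

def forward_ips(name):
    """IPv4 addresses NAME resolves to through the system resolver."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def reverse_name(ip):
    """Canonical name IP reverse-resolves to, or None without a PTR/hosts entry."""
    try:
        return socket.gethostbyaddr(ip)[0].lower().rstrip(".")
    except (socket.herror, socket.gaierror):
        return None

def forward_reverse_match(name, ip):
    """True when NAME -> IP and IP -> NAME both hold; this is the property the
    client host must satisfy before running ipa-client-install (item 5).
    The reverse lookup is skipped when the forward lookup already fails."""
    name = name.lower().rstrip(".")
    return ip in forward_ips(name) and reverse_name(ip) == name

if __name__ == "__main__":
    # Queries the system resolver, so run this on the engine or client host.
    for host in unresolved_hosts(ENGINE_LOG):
        print(host, "->", sorted(forward_ips(host)) or "does not resolve")
    print("localhost/127.0.0.1 consistent:", forward_reverse_match("localhost", "127.0.0.1"))
```

Run it on the engine node to see whether the host from the log resolves at all, and on a prospective client with its own FQDN and IP to confirm the PTR record exists before starting ipa-client-install.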


6) After installing ipa-server, web login shows "unknown error"

The installation reported:

Restarting the web server
Configuration of client side components failed!
ipa-client-install returned: Command '/usr/sbin/ipa-client-install --on-master --unattended --domain test.com --server ihost.test.com --realm TEST.COM --hostname ihost.test.com' returned non-zero exit status 1
kinit: Generic error (see e-text) while getting initial credentials

Restarting the IPA services gives the same error.

The httpd error log reports:

[Mon Jan 12 12:56:00 2015] [error] ipa: INFO: *** PROCESS START ***
[Mon Jan 12 12:56:00 2015] [error] ipa: INFO: *** PROCESS START ***
[Mon Jan 12 12:57:17 2015] [error] ipa: INFO: *** PROCESS START ***
[Mon Jan 12 12:57:18 2015] [error] ipa: INFO: *** PROCESS START ***
[Mon Jan 12 12:57:18 2015] [error] [client 192.168.1.200] Failed to initialize ccache for HTTP/ihost.test.com: Credentials cache permissions incorrect (-1765328190), referer: https://ihost.test.com/ipa/xml
[Mon Jan 12 12:57:18 2015] [error] [client 192.168.1.200] gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may provide more information (, ), referer: https://ihost.test.com/ipa/xml
[Mon Jan 12 12:57:29 2015] [error] ipa: INFO: *** PROCESS START ***
[Mon Jan 12 12:57:29 2015] [error] ipa: INFO: *** PROCESS START ***
[Mon Jan 12 13:01:33 2015] [error] SSL Library Error: -12271 SSL client cannot verify your certificate
[Mon Jan 12 13:01:36 2015] [error] SSL Library Error: -12271 SSL client cannot verify your certificate
[Mon Jan 12 13:01:39 2015] [error] SSL Library Error: -12271 SSL client cannot verify your certificate
[Mon Jan 12 13:01:43 2015] [error] SSL Library Error: -12271 SSL client cannot verify your certificate
[Mon Jan 12 13:04:00 2015] [error] SSL Library Error: -12271 SSL client cannot verify your certificate
[Mon Jan 12 13:04:05 2015] [error] SSL Library Error: -12271 SSL client cannot verify your certificate
[Mon Jan 12 13:04:25 2015] [error] ipa: INFO: *** PROCESS START ***
[Mon Jan 12 13:04:25 2015] [error] ipa: INFO: *** PROCESS START ***
[Mon Jan 12 13:05:43 2015] [error] SSL Library Error: -12271 SSL client cannot verify your certificate
[Mon Jan 12 13:05:45 2015] [error] SSL Library Error: -12271 SSL client cannot verify your certificate


Solution: switching to a different browser fixed it. A stale certificate left in the original browser was probably the problem. The content at https://ihost.test.com/ipa/xml is:

Please make sure that you have valid Kerberos tickets (obtainable via kinit), and that you have configured your browser correctly


In ipaserver-install.log this error appears as:

CRYPTO INIT WITH CERTDB:/tmp/tmp-YDjaN_
Crypto manager already initialized
Debug : initialize crypto Manager
INITIALIZATION ERROR: org.mozilla.jss.crypto.AlreadyInitializedException

2015-01-12T07:15:49Z DEBUG stderr=certutil: Could not find cert: TEST.COM IPA CA
: PR_FILE_NOT_FOUND_ERROR: File not found

2015-01-12T07:16:26Z DEBUG stderr=certutil: Could not find cert: TEST.COM IPA CA
: PR_FILE_NOT_FOUND_ERROR: File not found

New SSSD config will be created
Configured /etc/sssd/sssd.conf
trying https://ihost.test.com/ipa/xml
Forwarding 'env' to server u'https://ihost.test.com/ipa/xml'
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 2377, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 2363, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 2167, in install
    remote_env = api.Command['env'](server=True)['result']
  File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 435, in __call__
    ret = self.run(*args, **options)
  File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 1073, in run
    return self.forward(*args, **options)
  File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 769, in forward
    return self.Backend.xmlclient.forward(self.name, *args, **kw)
  File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 776, in forward
    raise NetworkError(uri=server, error=e.errmsg)
ipalib.errors.NetworkError: cannot connect to u'https://ihost.test.com/ipa/xml': Internal Server Error

2015-01-12T07:19:24Z INFO   File "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 614, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-server-install", line 1103, in main
    sys.exit("Configuration of client side components failed!\nipa-client-install returned: " + str(e))


The error that actually causes this problem is ipalib.errors.NetworkError: cannot connect to u'https://ihost.test.com/ipa/xml': Internal Server Error.

The two errors above it (the JSS AlreadyInitializedException and certutil's "Could not find cert") have no effect. The exact cause remains to be analysed; it was probably caused by some background services having been shut down.


7) Cannot log in to the web UI

Solution 1: log in with a password instead of Kerberos:

(1) In /etc/httpd/conf.d/ipa.conf, set the passwd option to on

(2) Run service httpd restart or ipactl restart

This method worked when logging in with Opera on Linux, but on Windows no browser worked at first; after setting the NIC's primary DNS server to the ipaserver, so that its domain name resolves, it worked. It had nothing to do with the Windows firewall.

Solution 2: log in with Kerberos

(1) Run ipa-client-install on the machine used to log in, joining it to the IPA server's domain

(2) In Firefox's about:config, set the negotiate option to the domain name

(3) Then log in. This method had problems at first: Firefox kept reporting "unknown error"; after clearing all history data and stored certificates and restarting Firefox, it worked.



