freeipa / freeipa-community-portal

[ABANDONED] FreeIPA Community Portal extension
GNU General Public License v3.0

(SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use. #47

Open mueslo opened 6 years ago

mueslo commented 6 years ago

Hey, I set everything up as described at http://freeipa-community-portal.readthedocs.io/en/latest/deploy.html#post-installation (except I installed it on the same server as FreeIPA), but when trying to register a user, the following error occurs:

Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/cherrypy/_cprequest.py", line 670, in respond
    response.body = self.handler()
  File "/usr/lib/python2.7/site-packages/cherrypy/lib/encoding.py", line 217, in __call__
    self.body = self.oldhandler(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/cherrypy/_cpdispatch.py", line 61, in __call__
    return self.callable(*self.args, **self.kwargs)
  File "/usr/lib/python2.7/site-packages/freeipa_community_portal/app.py", line 74, in POST
    errors = user.save()
  File "/usr/lib/python2.7/site-packages/freeipa_community_portal/model/user.py", line 56, in save
    self._call_api()
  File "/usr/lib/python2.7/site-packages/freeipa_community_portal/model/user.py", line 66, in _call_api
    api_connect()
  File "/usr/lib/python2.7/site-packages/freeipa_community_portal/model/__init__.py", line 47, in api_connect
    api.finalize()
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 707, in finalize
    self.__do_if_not_done('load_plugins')
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 422, in __do_if_not_done
    getattr(self, name)()
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 585, in load_plugins
    for package in self.packages:
  File "/usr/lib/python2.7/site-packages/ipalib/__init__.py", line 919, in packages
    ipaclient.remote_plugins.get_package(self),
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/__init__.py", line 118, in get_package
    plugins = schema.get_package(server_info, client)
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 543, in get_package
    schema = Schema(client)
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 387, in __init__
    fingerprint, ttl = self._fetch(client, ignore_cache=read_failed)
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 426, in _fetch
    schema = client.forward(u'schema', **kwargs)['result']
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1008, in forward
    raise NetworkError(uri=server, error=str(e))
NetworkError: cannot connect to 'https://ipa.mueslo.de/ipa/json': (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.

This is on a freshly-installed Fedora 26 VM (KVM).

$ dnf list installed | grep -E "([^i]ipa|[^a-z]nss)"
device-mapper-multipath.x86_64       0.4.9-88.fc26                      @fedora
device-mapper-multipath-libs.x86_64  0.4.9-88.fc26                      @fedora
freeipa-client.x86_64                4.4.4-4.fc26                       @updates
freeipa-client-common.noarch         4.4.4-4.fc26                       @updates
freeipa-common.noarch                4.4.4-4.fc26                       @updates
freeipa-server.x86_64                4.4.4-4.fc26                       @updates
freeipa-server-common.noarch         4.4.4-4.fc26                       @updates
libcrypt-nss.x86_64                  2.25-7.fc26                        @updates
libipa_hbac.x86_64                   1.15.3-1.fc26                      @updates
libsss_nss_idmap.x86_64              1.15.3-1.fc26                      @updates
mod_nss.x86_64                       1.0.14-3.fc26                      @fedora
python-ipaddress.noarch              1.0.16-4.fc26                      @fedora
python-nss.x86_64                    1.0.1-1.fc26                       @fedora
python2-ipaclient.noarch             4.4.4-4.fc26                       @updates
python2-ipalib.noarch                4.4.4-4.fc26                       @updates
python2-ipaserver.noarch             4.4.4-4.fc26                       @updates
python2-libipa_hbac.x86_64           1.15.3-1.fc26                      @updates
python3-iniparse.noarch              0.4-24.fc26                        @fedora
sssd-ipa.x86_64                      1.15.3-1.fc26                      @updates

$ pip freeze | grep -E "ipa|nss"
freeipa==2.0.0a0
freeipa-community-portal==0.2
ipaclient==4.4.4
ipaddress==1.0.16
ipalib==4.4.4
ipaplatform==4.4.4
ipapython==4.4.4
python-nss==1.0.1

/var/log/krb5kdc.log:

Aug 23 17:37:44 ipa krb5kdc[1847](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.1.4: NEEDED_PREAUTH: portal@MUESLO.DE for krbtgt/MUESLO.DE@MUESLO.DE, Additional pre-authentication required
Aug 23 17:37:44 ipa krb5kdc[1847](info): closing down fd 11
Aug 23 17:37:44 ipa krb5kdc[1847](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.1.4: ISSUE: authtime 1503502664, etypes {rep=18 tkt=18 ses=18}, portal@MUESLO.DE for krbtgt/MUESLO.DE@MUESLO.DE
Aug 23 17:37:44 ipa krb5kdc[1847](info): closing down fd 11
Aug 23 17:37:44 ipa krb5kdc[1847](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.1.4: ISSUE: authtime 1503502664, etypes {rep=18 tkt=18 ses=18}, portal@MUESLO.DE for HTTP/ipa.mueslo.de@MUESLO.DE
Aug 23 17:37:44 ipa krb5kdc[1847](info): closing down fd 11

/var/log/sssd/sssd_nss.log: (full of this repeating)

(Wed Aug 23 17:56:56 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Fatal]

If I take a minimal example, e.g.

#!/usr/bin/env python2
import os
from ipalib import api

# Authenticate with the portal service keytab instead of a user's ticket cache
os.environ['KRB5_CLIENT_KTNAME'] = "/etc/ipa/portal.keytab"

api.bootstrap(context='cli')
api.finalize()

# Open the RPC connection to the IPA server if this process has not done so yet
if not api.Backend.rpcclient.isconnected():
    api.Backend.rpcclient.connect()

# Create a staged (not yet active) user, as the portal does on self-registration
api.Command.stageuser_add(
    givenname=u'testy',
    sn=u'mctestface',
    uid=u'testymctest',
    mail=u'test@test.net')

Running this as apache works fine (now), not sure why the below happened.

Running this as root (with an admin ticket), works just fine. However, running this as apache leads to

  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 426, in _fetch
    schema = client.forward(u'schema', **kwargs)['result']
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 994, in forward
    return self._call_command(command, params)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 975, in _call_command
    return command(*params)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1125, in _call
    return self.__request(name, args)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1119, in __request
    raise error_class(**kw)
ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Matching credential not found (filename: /var/run/httpd/ipa/clientcaches/portal@MUESLO.DE-H40gwq))

and sometimes

  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 426, in _fetch
    schema = client.forward(u'schema', **kwargs)['result']
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1008, in forward
    raise NetworkError(uri=server, error=str(e))
ipalib.errors.NetworkError: cannot connect to 'https://ipa.mueslo.de/ipa/json': (PR_END_OF_FILE_ERROR) Encountered end of file.

Happens both with ipalib/ipaclient 4.4.4 and 4.5.3. The keytab was created via ipa-getkeytab -s ipa.mueslo.de -p portal@MUESLO.DE -k /etc/ipa/portal.keytab.
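The report contrasts the script succeeding as root with it failing as apache while pointed at /etc/ipa/portal.keytab via KRB5_CLIENT_KTNAME. A pre-flight check of the keytab file itself is the first thing to run in that situation: the file must exist, be non-empty, be owned by the account the web application runs as, and not be readable by group or others. The script below is an added example written for this page; it is not part of the community portal or of FreeIPA. It only inspects file metadata and the environment (it does not parse keytab entries), the user name `apache` and the path are assumptions for the usage call, and `demo()` exercises the check on a constructed placeholder file rather than on real key material.

```python
#!/usr/bin/env python3
"""Pre-flight check for a service keytab such as /etc/ipa/portal.keytab (added example)."""
import os
import pwd
import stat
import tempfile


def keytab_problems(path, expected_user=None):
    """Return a list of problems found with the keytab at `path`.

    An empty list means: the file exists, is a regular non-empty file, is not
    readable by group or others, and (if expected_user is given) is owned by
    that user, i.e. the account the web application actually runs as.
    """
    problems = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["keytab %s does not exist" % path]
    if not stat.S_ISREG(st.st_mode):
        problems.append("%s is not a regular file" % path)
    if st.st_size == 0:
        problems.append("%s is empty" % path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        problems.append("%s is readable by group/others (mode %04o); expected 0600"
                        % (path, mode))
    if expected_user is not None:
        try:
            uid = pwd.getpwnam(expected_user).pw_uid
        except KeyError:
            problems.append("user %s does not exist" % expected_user)
        else:
            if st.st_uid != uid:
                problems.append("%s is owned by uid %d, not by %s"
                                % (path, st.st_uid, expected_user))
    return problems


def effective_client_keytab(environ=os.environ):
    """Return the keytab named by KRB5_CLIENT_KTNAME, or None when the variable
    is unset (libkrb5 then falls back to its built-in default location)."""
    return environ.get("KRB5_CLIENT_KTNAME")


def demo():
    """Run the check against a constructed, throwaway file (not a real keytab)."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "portal.keytab")
    with open(path, "wb") as fh:
        fh.write(b"constructed placeholder, not a real keytab")
    me = pwd.getpwuid(os.getuid()).pw_name
    results = {}
    os.chmod(path, 0o644)  # too permissive: any local user could read the key
    results["world_readable"] = keytab_problems(path, expected_user=me)
    os.chmod(path, 0o600)  # what a service keytab should look like
    results["fixed"] = keytab_problems(path, expected_user=me)
    results["wrong_owner"] = keytab_problems(path, expected_user="no-such-user-example")
    results["missing"] = keytab_problems(os.path.join(tmpdir, "absent.keytab"))
    return results


if __name__ == "__main__":
    # Assumed deployment values: the portal runs under 'apache' with this keytab.
    ktname = effective_client_keytab() or "/etc/ipa/portal.keytab"
    print("keytab in use:", ktname)
    print("problems:", keytab_problems(ktname, expected_user="apache") or "none")
    for name, problems in demo().items():
        print(name, "->", problems or "ok")
```

Run it as the same account the web server uses (for example with `sudo -u apache`), since the point is to see the file the way that process sees it; a clean result from root proves nothing about apache, which is exactly the asymmetry the report describes.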