Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use. #47

Open
mueslo opened this issue Aug 11, 2017 · 0 comments
Open

(SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use. #47

mueslo opened this issue Aug 11, 2017 · 0 comments

Comments

@mueslo
Copy link

mueslo commented Aug 11, 2017
edited
Loading

Hey, I set everything up as described at http://freeipa-community-portal.readthedocs.io/en/latest/deploy.html#post-installation (except I installed it on the same server as FreeIPA), but when trying to register a user, the following error occurs:

Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/cherrypy/_cprequest.py", line 670, in respond
    response.body = self.handler()
  File "/usr/lib/python2.7/site-packages/cherrypy/lib/encoding.py", line 217, in __call__
    self.body = self.oldhandler(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/cherrypy/_cpdispatch.py", line 61, in __call__
    return self.callable(*self.args, **self.kwargs)
  File "/usr/lib/python2.7/site-packages/freeipa_community_portal/app.py", line 74, in POST
    errors = user.save()
  File "/usr/lib/python2.7/site-packages/freeipa_community_portal/model/user.py", line 56, in save
    self._call_api()
  File "/usr/lib/python2.7/site-packages/freeipa_community_portal/model/user.py", line 66, in _call_api
    api_connect()
  File "/usr/lib/python2.7/site-packages/freeipa_community_portal/model/__init__.py", line 47, in api_connect
    api.finalize()
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 707, in finalize
    self.__do_if_not_done('load_plugins')
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 422, in __do_if_not_done
    getattr(self, name)()
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 585, in load_plugins
    for package in self.packages:
  File "/usr/lib/python2.7/site-packages/ipalib/__init__.py", line 919, in packages
    ipaclient.remote_plugins.get_package(self),
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/__init__.py", line 118, in get_package
    plugins = schema.get_package(server_info, client)
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 543, in get_package
    schema = Schema(client)
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 387, in __init__
    fingerprint, ttl = self._fetch(client, ignore_cache=read_failed)
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 426, in _fetch
    schema = client.forward(u'schema', **kwargs)['result']
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1008, in forward
    raise NetworkError(uri=server, error=str(e))
NetworkError: cannot connect to 'https://ipa.mueslo.de/ipa/json': (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.

This is on a freshly-installed Fedora 26 VM (KVM).

$ dnf list installed | grep -E "([^i]ipa|[^a-z]nss)"
device-mapper-multipath.x86_64       0.4.9-88.fc26                      @fedora
device-mapper-multipath-libs.x86_64  0.4.9-88.fc26                      @fedora
freeipa-client.x86_64                4.4.4-4.fc26                       @updates
freeipa-client-common.noarch         4.4.4-4.fc26                       @updates
freeipa-common.noarch                4.4.4-4.fc26                       @updates
freeipa-server.x86_64                4.4.4-4.fc26                       @updates
freeipa-server-common.noarch         4.4.4-4.fc26                       @updates
libcrypt-nss.x86_64                  2.25-7.fc26                        @updates
libipa_hbac.x86_64                   1.15.3-1.fc26                      @updates
libsss_nss_idmap.x86_64              1.15.3-1.fc26                      @updates
mod_nss.x86_64                       1.0.14-3.fc26                      @fedora
python-ipaddress.noarch              1.0.16-4.fc26                      @fedora
python-nss.x86_64                    1.0.1-1.fc26                       @fedora
python2-ipaclient.noarch             4.4.4-4.fc26                       @updates
python2-ipalib.noarch                4.4.4-4.fc26                       @updates
python2-ipaserver.noarch             4.4.4-4.fc26                       @updates
python2-libipa_hbac.x86_64           1.15.3-1.fc26                      @updates
python3-iniparse.noarch              0.4-24.fc26                        @fedora
sssd-ipa.x86_64                      1.15.3-1.fc26                      @updates

$  pip freeze | grep -E "ipa|nss"
freeipa==2.0.0a0
freeipa-community-portal==0.2
ipaclient==4.4.4
ipaddress==1.0.16
ipalib==4.4.4
ipaplatform==4.4.4
ipapython==4.4.4
python-nss==1.0.1

/var/log/krb5kdc.log:

Aug 23 17:37:44 ipa krb5kdc[1847](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.1.4: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
Aug 23 17:37:44 ipa krb5kdc[1847](info): closing down fd 11
Aug 23 17:37:44 ipa krb5kdc[1847](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.1.4: ISSUE: authtime 1503502664, etypes {rep=18 tkt=18 ses=18}, [email protected] for krbtgt/[email protected]
Aug 23 17:37:44 ipa krb5kdc[1847](info): closing down fd 11
Aug 23 17:37:44 ipa krb5kdc[1847](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.1.4: ISSUE: authtime 1503502664, etypes {rep=18 tkt=18 ses=18}, [email protected] for HTTP/[email protected]
Aug 23 17:37:44 ipa krb5kdc[1847](info): closing down fd 11

/var/log/sssd/sssd_nss.log: (full of this repeating)
(Wed Aug 23 17:56:56 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Fatal]

If I take a minimal example, e.g.

#!/usr/bin/env python2
import os
from ipalib import api

os.environ['KRB5_CLIENT_KTNAME'] = "/etc/ipa/portal.keytab"

api.bootstrap(context='cli')
api.finalize()

if not api.Backend.rpcclient.isconnected():
    api.Backend.rpcclient.connect()

api.Command.stageuser_add(
    givenname=u'testy',
    sn=u'mctestface',
    uid=u'testymctest',
    mail=u'[email protected]')

Running this as apache works fine (now), not sure why the below happened.

Running this as root (with an admin ticket), works just fine. However, running this as apache leads to

  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 426, in _fetch
    schema = client.forward(u'schema', **kwargs)['result']
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 994, in forward
    return self._call_command(command, params)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 975, in _call_command
    return command(*params)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1125, in _call
    return self.__request(name, args)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1119, in __request
    raise error_class(**kw)
ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Matching credential not found (filename: /var/run/httpd/ipa/clientcaches/[email protected]))

and sometimes

  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 426, in _fetch
    schema = client.forward(u'schema', **kwargs)['result']
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1008, in forward
    raise NetworkError(uri=server, error=str(e))
ipalib.errors.NetworkError: cannot connect to 'https://ipa.mueslo.de/ipa/json': (PR_END_OF_FILE_ERROR) Encountered end of file.

Happens both with ipalib/ipaclient 4.4.4 and 4.5.3. The keytab was created via ipa-getkeytab -s ipa.mueslo.de -p [email protected] -k /etc/ipa/portal.keytab.
@mueslo mueslo changed the title https://ipa.mueslo.de/ipa/json (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use. @mueslo Attach files by dragging & dropping, , or pasting from the clipboard. Styling with Markdown is supported Aug 11, 2017
@mueslo mueslo changed the title (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use. @mueslo Attach files by dragging & dropping, , or pasting from the clipboard. Styling with Markdown is supported (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use. Aug 11, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@mueslo