Bug 809262 - IPA Upgrade Web UI failure with internal server error
Summary: IPA Upgrade Web UI failure with internal server error
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: Rob Crittenden
Depends On:
TreeView+ depends on / blocked
Reported: 2012-04-02 21:50 UTC by Scott Poore
Modified: 2013-10-07 18:52 UTC (History)
2 users (show)

Fixed In Version: ipa-2.2.0-8.el6
Doc Type: Bug Fix
Doc Text:
No documentation needed.
Clone Of:
Last Closed: 2012-06-20 13:26:28 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2012:0819 0 normal SHIPPED_LIVE ipa bug fix and enhancement update 2012-06-19 20:34:17 UTC

Description Scott Poore 2012-04-02 21:50:04 UTC
Description of problem:

After upgrading from 2.1.3-9 in RHEL6.2 to 2.2.0-5, Web UI shows an Internal Server Error after login.  This was also seen on 2.1.3-9 -> 2.2.0-5 -> 2.2.0-7.  This appears related (at least somewhat) to bug 783592.   The SELinux httpd_manage_ipa boolean appears to be set to off after the upgrade.  Setting it to true/on fixes the problem.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.  <setup IPA server on RHEL6.2>
2.  kinit admin
3.  <install firefox and xauth if necessary>
4.  firefox https://$MASTER/ipa/ui
5.  <follow steps to configure firefox for single sign-on to IPA>

Actual results:

IPA returns an Internal Server Error in the browser.

6.  setsebool httpd_manage_ipa=on
7.  <select retry in browser>

IPA returns expected user page

Expected results:

Should not need to manually turn on the httpd_manage_ipa boolean.

Additional info:

Can check this entirely from the command line with this:

kinit admin 


echo '{"method":"user_find","params":[[],{"sizelimit":0,"pkey_only":true}]}' > $jsonfile

sessionid=$(curl -v --negotiate -u: https://$MASTER/ipa/session/login_kerberos --cacert /etc/ipa/ca.crt 2>&1 |grep ipa_session 2>&1|sed 's/^.*ipa_session=\([0-Z]*\).*$/\1/')

curl  -H "Content-Type:application/json" -H "Referer: https://$MASTER/ipa/xml" -H "Accept:application/json"  -H "Accept-Language:en" --cacert /etc/ipa/ca.crt -d  @$jsonfile -X POST -b "ipa_session=$sessionid; httponly; Path=/ipa; secure" https://$MASTER/ipa/session/json 2>&1|grep "dn.*uid="

It will return html for the user list or an Internal Server Error page depending on how httpd_manage_ipa is set.

This is what the failure looks like:

<title>500 Internal Server Error</title>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
misconfiguration and was unable to complete
your request.</p>
<p>Please contact the server administrator,
 root@localhost and inform them of the time the error occurred,
and anything you might have done that may have
caused the error.</p>
<p>More information about this error may be available
in the server error log.</p>
<address>Apache/2.2.15 (Red Hat) Server at storm.testrelm.com Port 443</address>

And we see AVCs:

# ausearch -m avc -ts 17:47
time->Mon Apr  2 17:48:01 2012
type=SYSCALL msg=audit(1333403281.476:373): arch=c000003e syscall=2 success=no exit=-13 a0=7f0ebc115310 a1=241 a2=1b6 a3=0 items=0 ppid=20402 pid=20540 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=6 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1333403281.476:373): avc:  denied  { write } for  pid=20540 comm="httpd" name="ipa_memcached" dev=dm-0 ino=394187 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:memcached_var_run_t:s0 tclass=dir

And here's the error_log traceback:

[Mon Apr 02 17:48:01 2012] [error] [client] mod_wsgi (pid=20422): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Mon Apr 02 17:48:01 2012] [error] [client] Traceback (most recent call last):
[Mon Apr 02 17:48:01 2012] [error] [client]   File "/usr/share/ipa/wsgi.py", line 49, in application
[Mon Apr 02 17:48:01 2012] [error] [client]     return api.Backend.wsgi_dispatch(environ, s
[Mon Apr 02 17:48:01 2012] [error] [client]   File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 229, in __call__
[Mon Apr 02 17:48:01 2012] [error] [client]     return self.route(environ, start_response)
[Mon Apr 02 17:48:01 2012] [error] [client]   File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 241, in route
[Mon Apr 02 17:48:01 2012] [error] [client]     return app(environ, start_response)
[Mon Apr 02 17:48:01 2012] [error] [client]   File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 792, in __call__
[Mon Apr 02 17:48:01 2012] [error] [client]     ipa_ccache_name = bind_ipa_ccache(ccache_data)
[Mon Apr 02 17:48:01 2012] [error] [client]   File "/usr/lib/python2.6/site-packages/ipalib/session.py", line 1228, in bind_ipa_ccache
[Mon Apr 02 17:48:01 2012] [error] [client]     dst = open(name, 'w')
[Mon Apr 02 17:48:01 2012] [error] [client] IOError: [Errno 13] Permission denied: '/var/run/ipa_memcached/krbcc_20422'

Comment 2 Martin Kosek 2012-04-03 07:54:18 UTC
This SELinux boolean is set only for new installs. We need to set it for upgraded installs as well. I will open a ticket.

Comment 3 Martin Kosek 2012-04-03 07:54:50 UTC
Upstream ticket:

Comment 4 Rob Crittenden 2012-04-04 15:30:17 UTC
Fixed upstream

master: 17a0738d2d352f9c3d73167b3fb22cd566fd98d4

ipa-2-2: 56196b28085b346b86b43662a1ba7fdaf7a2454b

Comment 6 Scott Poore 2012-04-09 19:03:10 UTC

Version :: ipa-server-2.2.0-8.el6.x86_64

Automated Test Results ::

Beaker job results not yet available but, manual run of automated test is:

# upgrade_bz_809262 

:: [   LOG    ] :: upgrade_bz_809262: IPA Upgrade Web UI failure with internal server error

:: [13:59:45] ::  Machine in recipe is MASTER
:: [13:59:45] ::  Checking SELinux Boolean httpd_manage_ipa
:: [   PASS   ] :: SELinux Boolean httpd_manage_ipa is enabled
:: [13:59:46] ::  Checking Web UI
:: [13:59:46] ::  Prepare json query in file
:: [13:59:46] ::  Getting Session ID with:  curl -v --negotiate -u: https://spoore-dvm1.testrelm.com/ipa/session/login_kerberos --cacert /etc/ipa/ca.crt
:: [   PASS   ] :: Running 'curl  -H "Content-Type:application/json" -H "Referer: https://spoore-dvm1.testrelm.com/ipa/xml" -H "Accept:application/json"  -H "Accept-Language:en" --cacert /etc/ipa/ca.crt -d  @/tmp/jsoninput -X POST -b "ipa_session=871822b06caf17d6e3b5c75df1144dd7; httponly; Path=/ipa; secure" https://spoore-dvm1.testrelm.com/ipa/session/json > /tmp/errormsg.out 2>&1'
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
120   776    0   776    0    69    543     48 --:--:--  0:00:01 --:--:--   513
    "error": null, 
    "id": null, 
    "principal": "admin@TESTRELM.COM", 
    "result": {
        "count": 3, 
        "result": [
                "dn": "uid=admin,cn=users,cn=accounts,dc=testrelm,dc=com", 
                "uid": [
                "dn": "uid=jack,cn=users,cn=accounts,dc=testrelm,dc=com", 
                "uid": [
                "dn": "uid=jill,cn=users,cn=accounts,dc=testrelm,dc=com", 
                "uid": [
        "summary": "3 users matched", 
        "truncated": false
    "version": "2.1.90.rc1"
}:: [   PASS   ] :: Running 'cat /tmp/errormsg.out'
:: [13:59:48] ::  Checking /tmp/errormsg.out for "Internal Server Error"
:: [13:59:48] ::  Internal Server Error Not Found
:: [   PASS   ] :: BZ 809262 not found...WebUI did not return Internal Server 
result_server not set, assuming developer mode.
Setting to state upgrade_bz_809262.36
:: [   PASS   ] :: Running 'rhts-sync-set -s 'upgrade_bz_809262.36' -m'


Comment 8 Martin Kosek 2012-04-25 11:22:05 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    New Contents:
No documentation needed.

Comment 10 errata-xmlrpc 2012-06-20 13:26:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.