10:21 p.m.
Hi,
I am trying to setup Keycloak version 2.4.0 with FreeIPA integration using the SSSD
Provider. I am following the Server Administration Guide but, I'm hitting some error.
I'm not sure if it's a bug or a configuration issue on my part.
This is the link I was following:
https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.4/top...
The difference in setup though is that I'm not using the docker image. Instead
I'm using a separate FreeIPA Master server that I have setup as a separate VM. I have
confirmed that SSSD-DBUS is working:
[root@idp ~]# dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe
/org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.GetUserGroups
string:testuser
method return time=1480625438.634684 sender=:1.26 -> destination=:1.29 serial=17
reply_serial=2
array [
string "ipausers"
]
For the SP, I setup a basic Apache setup with mod_auth_mellon using
keycloak-httpd-client-install \
--client-originate-method registration \
--keycloak-server-url https://idp.keycloak.test:8443 \
--keycloak-admin-username admin \
--keycloak-admin-password PASSWORD \
--app-name testapp \
--keycloak-realm test_realm \
--mellon-root mroot \
--mellon-protected-locations "/mroot/private" \
--force
When I try to login to the SP, it redirects as expected to the Keycloak server and waits
for a while before returning:
Internal Server Error
From the httpd access log I can see:
192.168.122.1 - - [01/Dec/2016:14:07:04 -0600] "GET /mroot/private HTTP/1.1" 303
384 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/50.0.2661.86 Safari/537.36"
192.168.122.1 - - [01/Dec/2016:14:07:04 -0600] "GET
/mroot/mellon/login?ReturnTo=http%3A%2F%2Fsp1.keycloak.test%2Fmroot%2Fprivate&IdP=https%3A%2F%2Fidp.keycloak.test%3A8443%2Fauth%2Frealms%2Ftest_realm
HTTP/1.1" 303 1320 "-" "Mozilla/5.0 (X11; Linux x86_64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36"
From the admin console, I can see what appears to be an active session
for the client.
From the Keycloak server.log I can see:
2016-12-01 14:14:31,576 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0)
ARJUNA012108: CheckedAction::check - atomic action 0:ffffc0a87abf:7c36d3eb:58406454:81e
aborting with 1 threads active!
2016-12-01 14:14:31,578 WARN
[org.hibernate.resource.transaction.backend.jta.internal.synchronization.SynchronizationCallbackCoordinatorTrackingImpl]
(Transaction Reaper Worker 0) HHH000451: Transaction afterCo
mpletion called by a background thread; delaying afterCompletion processing until the
original thread can handle it. [status=4]
2016-12-01 14:14:31,579 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0)
ARJUNA012121: TransactionReaper::doCancellations worker Thread[Transaction Reaper Worker
0,5,main] successfully canceled TX 0:f
fffc0a87abf:7c36d3eb:58406454:81e
2016-12-01 14:15:50,617 WARN [com.arjuna.ats.arjuna] (default task-25) ARJUNA012077:
Abort called on already aborted atomic action 0:ffffc0a87abf:7c36d3eb:58406454:81e
2016-12-01 14:15:50,620 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-25)
RESTEASY002025: Unknown exception while executing POST
/realms/test_realm/login-actions/authenticate: java.lang.RuntimeExc
eption: javax.transaction.RollbackException: ARJUNA016102: The transaction is not active!
Uid is 0:ffffc0a87abf:7c36d3eb:58406454:81e
Leaving out the traceback for brevity. I can send that if needed/wanted.
When I logout the session and set SSSD debug_level to 9 and restart sssd, keycloak, and
httpd (on the SP), I do see SSSD looking up the user. I can provide the SSSD logs if it
helps.
So, how do I go about troubleshooting this issue? Are there any steps missing from the
SSSD Provider doc?
Thanks,
Scott
--
Scott Poore <spoore(a)redhat.com>
Principal Quality Assurance Engineer
Red Hat, Inc.
10:35 p.m.
Can you run your example without SSSD? Isolate the problem to make sure
that its not an SP configuration issue first. As far as SSSD setup
goes, you're gonna have to talk to Bruno about that. Hopefully he chimes in.
On 12/1/16 4:21 PM, Scott Poore wrote:
Hi,
I am trying to setup Keycloak version 2.4.0 with FreeIPA integration using the SSSD
Provider. I am following the Server Administration Guide but, I'm hitting some error.
I'm not sure if it's a bug or a configuration issue on my part.
This is the link I was following:
https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.4/top...
The difference in setup though is that I'm not using the docker image. Instead
I'm using a separate FreeIPA Master server that I have setup as a separate VM. I have
confirmed that SSSD-DBUS is working:
[root@idp ~]# dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe
/org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.GetUserGroups
string:testuser
method return time=1480625438.634684 sender=:1.26 -> destination=:1.29 serial=17
reply_serial=2
array [
string "ipausers"
]
For the SP, I setup a basic Apache setup with mod_auth_mellon using
keycloak-httpd-client-install \
--client-originate-method registration \
--keycloak-server-url https://idp.keycloak.test:8443 \
--keycloak-admin-username admin \
--keycloak-admin-password PASSWORD \
--app-name testapp \
--keycloak-realm test_realm \
--mellon-root mroot \
--mellon-protected-locations "/mroot/private" \
--force
When I try to login to the SP, it redirects as expected to the Keycloak server and waits
for a while before returning:
Internal Server Error
>From the httpd access log I can see:
192.168.122.1 - - [01/Dec/2016:14:07:04 -0600] "GET /mroot/private HTTP/1.1"
303 384 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/50.0.2661.86 Safari/537.36"
192.168.122.1 - - [01/Dec/2016:14:07:04 -0600] "GET
/mroot/mellon/login?ReturnTo=http%3A%2F%2Fsp1.keycloak.test%2Fmroot%2Fprivate&IdP=https%3A%2F%2Fidp.keycloak.test%3A8443%2Fauth%2Frealms%2Ftest_realm
HTTP/1.1" 303 1320 "-" "Mozilla/5.0 (X11; Linux x86_64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36"
>From the admin console, I can see what appears to be an active session for the
client.
>From the Keycloak server.log I can see:
2016-12-01 14:14:31,576 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0)
ARJUNA012108: CheckedAction::check - atomic action 0:ffffc0a87abf:7c36d3eb:58406454:81e
aborting with 1 threads active!
2016-12-01 14:14:31,578 WARN
[org.hibernate.resource.transaction.backend.jta.internal.synchronization.SynchronizationCallbackCoordinatorTrackingImpl]
(Transaction Reaper Worker 0) HHH000451: Transaction afterCo
mpletion called by a background thread; delaying afterCompletion processing until the
original thread can handle it. [status=4]
2016-12-01 14:14:31,579 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0)
ARJUNA012121: TransactionReaper::doCancellations worker Thread[Transaction Reaper Worker
0,5,main] successfully canceled TX 0:f
fffc0a87abf:7c36d3eb:58406454:81e
2016-12-01 14:15:50,617 WARN [com.arjuna.ats.arjuna] (default task-25) ARJUNA012077:
Abort called on already aborted atomic action 0:ffffc0a87abf:7c36d3eb:58406454:81e
2016-12-01 14:15:50,620 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-25)
RESTEASY002025: Unknown exception while executing POST
/realms/test_realm/login-actions/authenticate: java.lang.RuntimeExc
eption: javax.transaction.RollbackException: ARJUNA016102: The transaction is not active!
Uid is 0:ffffc0a87abf:7c36d3eb:58406454:81e
Leaving out the traceback for brevity. I can send that if needed/wanted.
When I logout the session and set SSSD debug_level to 9 and restart sssd, keycloak, and
httpd (on the SP), I do see SSSD looking up the user. I can provide the SSSD logs if it
helps.
So, how do I go about troubleshooting this issue? Are there any steps missing from the
SSSD Provider doc?
Thanks,
Scott
2:29 a.m.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-user(a)lists.jboss.org
Sent: Thursday, December 1, 2016 3:35:31 PM
Subject: Re: [keycloak-user] Keycloak 2.4 SSSD Provider setup for FreeIPA
Can you run your example without SSSD? Isolate the problem to make sure
that its not an SP configuration issue first. As far as SSSD setup
goes, you're gonna have to talk to Bruno about that. Hopefully he chimes in.
I tried adding a user to the existing setup from the admin console and I see an error and
then I see this in the server.log:
Caused by: org.keycloak.federation.sssd.api.SSSDException: Failed to retrieve user's
attributes. Check if SSSD service is active.
I can't delete the sssd provider though because of this bug:
https://issues.jboss.org/browse/KEYCLOAK-3902
I started over fresh without the SSSD Provider setup. It does appear that I'm not
able to even authenticate as a user created from the admin console.
I've bumped logging up to info on both Keycloak and httpd on the SP but, I still
don't see much there. Any suggestion on where to go from here?
Thanks,
Scott
On 12/1/16 4:21 PM, Scott Poore wrote:
> Hi,
>
> I am trying to setup Keycloak version 2.4.0 with FreeIPA integration using
> the SSSD Provider. I am following the Server Administration Guide but,
> I'm hitting some error. I'm not sure if it's a bug or a configuration
> issue on my part.
>
> This is the link I was following:
>
>
https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.4/top...
>
> The difference in setup though is that I'm not using the docker image.
> Instead I'm using a separate FreeIPA Master server that I have setup as a
> separate VM. I have confirmed that SSSD-DBUS is working:
>
> [root@idp ~]# dbus-send --print-reply --system
> --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe
> org.freedesktop.sssd.infopipe.GetUserGroups string:testuser
> method return time=1480625438.634684 sender=:1.26 -> destination=:1.29
> serial=17 reply_serial=2
> array [
> string "ipausers"
> ]
>
> For the SP, I setup a basic Apache setup with mod_auth_mellon using
>
> keycloak-httpd-client-install \
> --client-originate-method registration \
> --keycloak-server-url https://idp.keycloak.test:8443 \
> --keycloak-admin-username admin \
> --keycloak-admin-password PASSWORD \
> --app-name testapp \
> --keycloak-realm test_realm \
> --mellon-root mroot \
> --mellon-protected-locations "/mroot/private" \
> --force
>
> When I try to login to the SP, it redirects as expected to the Keycloak
> server and waits for a while before returning:
>
> Internal Server Error
>
> >From the httpd access log I can see:
>
>
> 192.168.122.1 - - [01/Dec/2016:14:07:04 -0600] "GET /mroot/private
> HTTP/1.1" 303 384 "-" "Mozilla/5.0 (X11; Linux x86_64)
AppleWebKit/537.36
> (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36"
> 192.168.122.1 - - [01/Dec/2016:14:07:04 -0600] "GET
>
/mroot/mellon/login?ReturnTo=http%3A%2F%2Fsp1.keycloak.test%2Fmroot%2Fprivate&IdP=https%3A%2F%2Fidp.keycloak.test%3A8443%2Fauth%2Frealms%2Ftest_realm
> HTTP/1.1" 303 1320 "-" "Mozilla/5.0 (X11; Linux x86_64)
AppleWebKit/537.36
> (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36"
>
> >From the admin console, I can see what appears to be an active session for
> >the client.
>
> >From the Keycloak server.log I can see:
>
> 2016-12-01 14:14:31,576 WARN [com.arjuna.ats.arjuna] (Transaction Reaper
> Worker 0) ARJUNA012108: CheckedAction::check - atomic action
> 0:ffffc0a87abf:7c36d3eb:58406454:81e aborting with 1 threads active!
> 2016-12-01 14:14:31,578 WARN
>
[org.hibernate.resource.transaction.backend.jta.internal.synchronization.SynchronizationCallbackCoordinatorTrackingImpl]
> (Transaction Reaper Worker 0) HHH000451: Transaction afterCo
> mpletion called by a background thread; delaying afterCompletion processing
> until the original thread can handle it. [status=4]
> 2016-12-01 14:14:31,579 WARN [com.arjuna.ats.arjuna] (Transaction Reaper
> Worker 0) ARJUNA012121: TransactionReaper::doCancellations worker
> Thread[Transaction Reaper Worker 0,5,main] successfully canceled TX 0:f
> fffc0a87abf:7c36d3eb:58406454:81e
> 2016-12-01 14:15:50,617 WARN [com.arjuna.ats.arjuna] (default task-25)
> ARJUNA012077: Abort called on already aborted atomic action
> 0:ffffc0a87abf:7c36d3eb:58406454:81e
> 2016-12-01 14:15:50,620 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n]
> (default task-25) RESTEASY002025: Unknown exception while executing POST
> /realms/test_realm/login-actions/authenticate: java.lang.RuntimeExc
> eption: javax.transaction.RollbackException: ARJUNA016102: The transaction
> is not active! Uid is 0:ffffc0a87abf:7c36d3eb:58406454:81e
>
> Leaving out the traceback for brevity. I can send that if needed/wanted.
>
>
> When I logout the session and set SSSD debug_level to 9 and restart sssd,
> keycloak, and httpd (on the SP), I do see SSSD looking up the user. I can
> provide the SSSD logs if it helps.
>
>
> So, how do I go about troubleshooting this issue? Are there any steps
> missing from the SSSD Provider doc?
>
> Thanks,
> Scott
>
>
>
>
>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
8:41 a.m.
Hi Scott, sorry for the late response.
From what I noticed, dbus-send works for you right? But I feel like
the
user running Keycloak process does not have access to
/etc/sssd/sssd.conf, or is not the same running dbus-send. Is that true?
If yes, check if user running Keycloak is listed into sssd.conf 'allowed_uids'
section. I saw that you managed to run dbus-send, but worth to ask.
Is the user running dbus-send, the same starting Keycloak server process?
I included a very simple check to make sure that Windows users don't see the SSSD
Federation provider listed — If the user running Keycloak does not have
reading rights over /etc/sssd.
For troubleshooting some of these issues (because from time to time, I
mess up with my environment), I have this docker image[1].
Speaking about KEYCLOAK-3902, I already fixed it. I will just include
the integration tests to reproduce this scenario.
[1] -
https://github.com/keycloak/keycloak-test-docker-images/tree/master/keycl...
On 2016-12-01, Scott Poore wrote:
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: keycloak-user(a)lists.jboss.org
> Sent: Thursday, December 1, 2016 3:35:31 PM
> Subject: Re: [keycloak-user] Keycloak 2.4 SSSD Provider setup for FreeIPA
>
> Can you run your example without SSSD? Isolate the problem to make sure
> that its not an SP configuration issue first. As far as SSSD setup
> goes, you're gonna have to talk to Bruno about that. Hopefully he chimes in.
I tried adding a user to the existing setup from the admin console and I see an error and
then I see this in the server.log:
Caused by: org.keycloak.federation.sssd.api.SSSDException: Failed to retrieve user's
attributes. Check if SSSD service is active.
I can't delete the sssd provider though because of this bug:
https://issues.jboss.org/browse/KEYCLOAK-3902
I started over fresh without the SSSD Provider setup. It does appear that I'm not
able to even authenticate as a user created from the admin console.
I've bumped logging up to info on both Keycloak and httpd on the SP but, I still
don't see much there. Any suggestion on where to go from here?
Thanks,
Scott
>
>
> On 12/1/16 4:21 PM, Scott Poore wrote:
> > Hi,
> >
> > I am trying to setup Keycloak version 2.4.0 with FreeIPA integration using
> > the SSSD Provider. I am following the Server Administration Guide but,
> > I'm hitting some error. I'm not sure if it's a bug or a
configuration
> > issue on my part.
> >
> > This is the link I was following:
> >
> >
https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.4/top...
> >
> > The difference in setup though is that I'm not using the docker image.
> > Instead I'm using a separate FreeIPA Master server that I have setup as a
> > separate VM. I have confirmed that SSSD-DBUS is working:
> >
> > [root@idp ~]# dbus-send --print-reply --system
> > --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe
> > org.freedesktop.sssd.infopipe.GetUserGroups string:testuser
> > method return time=1480625438.634684 sender=:1.26 -> destination=:1.29
> > serial=17 reply_serial=2
> > array [
> > string "ipausers"
> > ]
> >
> > For the SP, I setup a basic Apache setup with mod_auth_mellon using
> >
> > keycloak-httpd-client-install \
> > --client-originate-method registration \
> > --keycloak-server-url https://idp.keycloak.test:8443 \
> > --keycloak-admin-username admin \
> > --keycloak-admin-password PASSWORD \
> > --app-name testapp \
> > --keycloak-realm test_realm \
> > --mellon-root mroot \
> > --mellon-protected-locations "/mroot/private" \
> > --force
> >
> > When I try to login to the SP, it redirects as expected to the Keycloak
> > server and waits for a while before returning:
> >
> > Internal Server Error
> >
> > >From the httpd access log I can see:
> >
> >
> > 192.168.122.1 - - [01/Dec/2016:14:07:04 -0600] "GET /mroot/private
> > HTTP/1.1" 303 384 "-" "Mozilla/5.0 (X11; Linux x86_64)
AppleWebKit/537.36
> > (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36"
> > 192.168.122.1 - - [01/Dec/2016:14:07:04 -0600] "GET
> >
/mroot/mellon/login?ReturnTo=http%3A%2F%2Fsp1.keycloak.test%2Fmroot%2Fprivate&IdP=https%3A%2F%2Fidp.keycloak.test%3A8443%2Fauth%2Frealms%2Ftest_realm
> > HTTP/1.1" 303 1320 "-" "Mozilla/5.0 (X11; Linux x86_64)
AppleWebKit/537.36
> > (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36"
> >
> > >From the admin console, I can see what appears to be an active session for
> > >the client.
> >
> > >From the Keycloak server.log I can see:
> >
> > 2016-12-01 14:14:31,576 WARN [com.arjuna.ats.arjuna] (Transaction Reaper
> > Worker 0) ARJUNA012108: CheckedAction::check - atomic action
> > 0:ffffc0a87abf:7c36d3eb:58406454:81e aborting with 1 threads active!
> > 2016-12-01 14:14:31,578 WARN
> >
[org.hibernate.resource.transaction.backend.jta.internal.synchronization.SynchronizationCallbackCoordinatorTrackingImpl]
> > (Transaction Reaper Worker 0) HHH000451: Transaction afterCo
> > mpletion called by a background thread; delaying afterCompletion processing
> > until the original thread can handle it. [status=4]
> > 2016-12-01 14:14:31,579 WARN [com.arjuna.ats.arjuna] (Transaction Reaper
> > Worker 0) ARJUNA012121: TransactionReaper::doCancellations worker
> > Thread[Transaction Reaper Worker 0,5,main] successfully canceled TX 0:f
> > fffc0a87abf:7c36d3eb:58406454:81e
> > 2016-12-01 14:15:50,617 WARN [com.arjuna.ats.arjuna] (default task-25)
> > ARJUNA012077: Abort called on already aborted atomic action
> > 0:ffffc0a87abf:7c36d3eb:58406454:81e
> > 2016-12-01 14:15:50,620 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n]
> > (default task-25) RESTEASY002025: Unknown exception while executing POST
> > /realms/test_realm/login-actions/authenticate: java.lang.RuntimeExc
> > eption: javax.transaction.RollbackException: ARJUNA016102: The transaction
> > is not active! Uid is 0:ffffc0a87abf:7c36d3eb:58406454:81e
> >
> > Leaving out the traceback for brevity. I can send that if needed/wanted.
> >
> >
> > When I logout the session and set SSSD debug_level to 9 and restart sssd,
> > keycloak, and httpd (on the SP), I do see SSSD looking up the user. I can
> > provide the SSSD logs if it helps.
> >
> >
> > So, how do I go about troubleshooting this issue? Are there any steps
> > missing from the SSSD Provider doc?
> >
> > Thanks,
> > Scott
> >
> >
> >
> >
> >
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
abstractj
PGP: 0x84DC9914
7:11 p.m.
----- Original Message -----
From: "Bruno Oliveira" <bruno(a)abstractj.org>
To: "Scott Poore" <spoore(a)redhat.com>
Cc: "Bill Burke" <bburke(a)redhat.com>, keycloak-user(a)lists.jboss.org
Sent: Friday, December 2, 2016 1:41:48 AM
Subject: Re: [keycloak-user] Keycloak 2.4 SSSD Provider setup for FreeIPA
Hi Scott, sorry for the late response.
From what I noticed, dbus-send works for you right? But I feel like the
user running Keycloak process does not have access to
/etc/sssd/sssd.conf, or is not the same running dbus-send. Is that true?
Yes, that's one problem. I was running keycloak as keycloak user but dbus-send as
root. I also found where I had the wrong ownership on a java keystore file for running
https.
If yes, check if user running Keycloak is listed into sssd.conf
'allowed_uids'
section. I saw that you managed to run dbus-send, but worth to ask.
Is the user running dbus-send, the same starting Keycloak server process?
That I was fixing. I just wasn't testing dbus-send as keycloak user.
I included a very simple check to make sure that Windows users don't see the
SSSD
Federation provider listed — If the user running Keycloak does not have
reading rights over /etc/sssd.
By default /etc/sssd is 700 so no one but root can read that. Should I just be running
keycloak as root? (FYI, that's what I'm trying now).
For troubleshooting some of these issues (because from time to time, I
mess up with my environment), I have this docker image[1].
Speaking about KEYCLOAK-3902, I already fixed it. I will just include
the integration tests to reproduce this scenario.
I saw that it was at least scheduled to be fixed. Wasn't sure if the fix was
complete.
So, what about my last issue where I cannot seem to authenticate as a normal user I
created in the realm from the Keycloak admin console?
FYI, I'm trying to set this up on Fedora 24 if that makes any difference.
[root@idp ~]# rpm -q java-1.8.0-openjdk
java-1.8.0-openjdk-1.8.0.111-3.b16.fc24.x86_64
[root@sp1 ~]# rpm -q httpd mod_auth_mellon
httpd-2.4.23-4.fc24.x86_64
mod_auth_mellon-0.12.0-2.fc24.x86_64
I also re-installed the client manually using mellon_create_metadata.sh and importing the
metadata file from the admin console. I see the same thing so I don't think
keycloak-httpd-client-install set up anything in a way to cause this.
It looks like it takes almost 12 minutes for something to time out when I try accessing
the SP from my browser.
started: 11:53:55 by the clock on my desktop
ended: ~12:05:42 by the clock on my desktop
Not sure if that helps at all but, thought I'd actually document it in case it does
help.
When it does finally time out is when I see the "Internal Server Error". And
the location bar is pointing to the keycloak and does not seem to have been redirected
back to the SP.
Does any of that sound familar?
Thanks,
Scott
[1] -
https://github.com/keycloak/keycloak-test-docker-images/tree/master/keycl...
On 2016-12-01, Scott Poore wrote:
>
>
> ----- Original Message -----
> > From: "Bill Burke" <bburke(a)redhat.com>
> > To: keycloak-user(a)lists.jboss.org
> > Sent: Thursday, December 1, 2016 3:35:31 PM
> > Subject: Re: [keycloak-user] Keycloak 2.4 SSSD Provider setup for FreeIPA
> >
> > Can you run your example without SSSD? Isolate the problem to make sure
> > that its not an SP configuration issue first. As far as SSSD setup
> > goes, you're gonna have to talk to Bruno about that. Hopefully he chimes
> > in.
>
> I tried adding a user to the existing setup from the admin console and I
> see an error and then I see this in the server.log:
>
> Caused by: org.keycloak.federation.sssd.api.SSSDException: Failed to
> retrieve user's attributes. Check if SSSD service is active.
>
> I can't delete the sssd provider though because of this bug:
>
> https://issues.jboss.org/browse/KEYCLOAK-3902
>
> I started over fresh without the SSSD Provider setup. It does appear that
> I'm not able to even authenticate as a user created from the admin
> console.
>
> I've bumped logging up to info on both Keycloak and httpd on the SP but, I
> still don't see much there. Any suggestion on where to go from here?
>
> Thanks,
> Scott
>
>
> >
> >
> > On 12/1/16 4:21 PM, Scott Poore wrote:
> > > Hi,
> > >
> > > I am trying to setup Keycloak version 2.4.0 with FreeIPA integration
> > > using
> > > the SSSD Provider. I am following the Server Administration Guide but,
> > > I'm hitting some error. I'm not sure if it's a bug or a
configuration
> > > issue on my part.
> > >
> > > This is the link I was following:
> > >
> > >
https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.4/top...
> > >
> > > The difference in setup though is that I'm not using the docker
image.
> > > Instead I'm using a separate FreeIPA Master server that I have setup
as
> > > a
> > > separate VM. I have confirmed that SSSD-DBUS is working:
> > >
> > > [root@idp ~]# dbus-send --print-reply --system
> > > --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe
> > > org.freedesktop.sssd.infopipe.GetUserGroups string:testuser
> > > method return time=1480625438.634684 sender=:1.26 -> destination=:1.29
> > > serial=17 reply_serial=2
> > > array [
> > > string "ipausers"
> > > ]
> > >
> > > For the SP, I setup a basic Apache setup with mod_auth_mellon using
> > >
> > > keycloak-httpd-client-install \
> > > --client-originate-method registration \
> > > --keycloak-server-url https://idp.keycloak.test:8443 \
> > > --keycloak-admin-username admin \
> > > --keycloak-admin-password PASSWORD \
> > > --app-name testapp \
> > > --keycloak-realm test_realm \
> > > --mellon-root mroot \
> > > --mellon-protected-locations "/mroot/private" \
> > > --force
> > >
> > > When I try to login to the SP, it redirects as expected to the Keycloak
> > > server and waits for a while before returning:
> > >
> > > Internal Server Error
> > >
> > > >From the httpd access log I can see:
> > >
> > >
> > > 192.168.122.1 - - [01/Dec/2016:14:07:04 -0600] "GET /mroot/private
> > > HTTP/1.1" 303 384 "-" "Mozilla/5.0 (X11; Linux
x86_64)
> > > AppleWebKit/537.36
> > > (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36"
> > > 192.168.122.1 - - [01/Dec/2016:14:07:04 -0600] "GET
> > >
/mroot/mellon/login?ReturnTo=http%3A%2F%2Fsp1.keycloak.test%2Fmroot%2Fprivate&IdP=https%3A%2F%2Fidp.keycloak.test%3A8443%2Fauth%2Frealms%2Ftest_realm
> > > HTTP/1.1" 303 1320 "-" "Mozilla/5.0 (X11; Linux
x86_64)
> > > AppleWebKit/537.36
> > > (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36"
> > >
> > > >From the admin console, I can see what appears to be an active
session
> > > >for
> > > >the client.
> > >
> > > >From the Keycloak server.log I can see:
> > >
> > > 2016-12-01 14:14:31,576 WARN [com.arjuna.ats.arjuna] (Transaction
> > > Reaper
> > > Worker 0) ARJUNA012108: CheckedAction::check - atomic action
> > > 0:ffffc0a87abf:7c36d3eb:58406454:81e aborting with 1 threads active!
> > > 2016-12-01 14:14:31,578 WARN
> > >
[org.hibernate.resource.transaction.backend.jta.internal.synchronization.SynchronizationCallbackCoordinatorTrackingImpl]
> > > (Transaction Reaper Worker 0) HHH000451: Transaction afterCo
> > > mpletion called by a background thread; delaying afterCompletion
> > > processing
> > > until the original thread can handle it. [status=4]
> > > 2016-12-01 14:14:31,579 WARN [com.arjuna.ats.arjuna] (Transaction
> > > Reaper
> > > Worker 0) ARJUNA012121: TransactionReaper::doCancellations worker
> > > Thread[Transaction Reaper Worker 0,5,main] successfully canceled TX 0:f
> > > fffc0a87abf:7c36d3eb:58406454:81e
> > > 2016-12-01 14:15:50,617 WARN [com.arjuna.ats.arjuna] (default task-25)
> > > ARJUNA012077: Abort called on already aborted atomic action
> > > 0:ffffc0a87abf:7c36d3eb:58406454:81e
> > > 2016-12-01 14:15:50,620 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n]
> > > (default task-25) RESTEASY002025: Unknown exception while executing
> > > POST
> > > /realms/test_realm/login-actions/authenticate: java.lang.RuntimeExc
> > > eption: javax.transaction.RollbackException: ARJUNA016102: The
> > > transaction
> > > is not active! Uid is 0:ffffc0a87abf:7c36d3eb:58406454:81e
> > >
> > > Leaving out the traceback for brevity. I can send that if
> > > needed/wanted.
> > >
> > >
> > > When I logout the session and set SSSD debug_level to 9 and restart
> > > sssd,
> > > keycloak, and httpd (on the SP), I do see SSSD looking up the user. I
> > > can
> > > provide the SSSD logs if it helps.
> > >
> > >
> > > So, how do I go about troubleshooting this issue? Are there any steps
> > > missing from the SSSD Provider doc?
> > >
> > > Thanks,
> > > Scott
> > >
> > >
> > >
> > >
> > >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
--
abstractj
PGP: 0x84DC9914
7:37 p.m.
On 2016-12-02, Scott Poore wrote:
----- Original Message -----
> From: "Bruno Oliveira" <bruno(a)abstractj.org>
> To: "Scott Poore" <spoore(a)redhat.com>
> Cc: "Bill Burke" <bburke(a)redhat.com>, keycloak-user(a)lists.jboss.org
> Sent: Friday, December 2, 2016 1:41:48 AM
> Subject: Re: [keycloak-user] Keycloak 2.4 SSSD Provider setup for FreeIPA
>
> Hi Scott, sorry for the late response.
>
> From what I noticed, dbus-send works for you right? But I feel like the
> user running Keycloak process does not have access to
> /etc/sssd/sssd.conf, or is not the same running dbus-send. Is that true?
Yes, that's one problem. I was running keycloak as keycloak user but dbus-send as
root. I also found where I had the wrong ownership on a java keystore file for running
https.
>
> If yes, check if user running Keycloak is listed into sssd.conf
> 'allowed_uids'
> section. I saw that you managed to run dbus-send, but worth to ask.
> Is the user running dbus-send, the same starting Keycloak server process?
That I was fixing. I just wasn't testing dbus-send as keycloak user.
>
> I included a very simple check to make sure that Windows users don't see the
> SSSD
> Federation provider listed — If the user running Keycloak does not have
> reading rights over /etc/sssd.
By default /etc/sssd is 700 so no one but root can read that. Should I just be running
keycloak as root? (FYI, that's what I'm trying now).
Do what for now, or add reading permissions to this folder to isolate
the problem.
>
> For troubleshooting some of these issues (because from time to time, I
> mess up with my environment), I have this docker image[1].
>
> Speaking about KEYCLOAK-3902, I already fixed it. I will just include
> the integration tests to reproduce this scenario.
I saw that it was at least scheduled to be fixed. Wasn't sure if the fix was
complete.
So, what about my last issue where I cannot seem to authenticate as a normal user I
created in the realm from the Keycloak admin console?
What you have at your logs? Have you installed jna and libunix RPMs?
FYI, I'm trying to set this up on Fedora 24 if that makes any difference.
[root@idp ~]# rpm -q java-1.8.0-openjdk
java-1.8.0-openjdk-1.8.0.111-3.b16.fc24.x86_64
[root@sp1 ~]# rpm -q httpd mod_auth_mellon
httpd-2.4.23-4.fc24.x86_64
mod_auth_mellon-0.12.0-2.fc24.x86_64
I also re-installed the client manually using mellon_create_metadata.sh and importing the
metadata file from the admin console. I see the same thing so I don't think
keycloak-httpd-client-install set up anything in a way to cause this.
It looks like it takes almost 12 minutes for something to time out when I try accessing
the SP from my browser.
started: 11:53:55 by the clock on my desktop
ended: ~12:05:42 by the clock on my desktop
Not sure if that helps at all but, thought I'd actually document it in case it does
help.
When it does finally time out is when I see the "Internal Server Error". And
the location bar is pointing to the keycloak and does not seem to have been redirected
back to the SP.
Does any of that sound familar?
Thanks,
Scott
>
> [1] -
>
https://github.com/keycloak/keycloak-test-docker-images/tree/master/keycl...
>
> On 2016-12-01, Scott Poore wrote:
> >
> >
> > ----- Original Message -----
> > > From: "Bill Burke" <bburke(a)redhat.com>
> > > To: keycloak-user(a)lists.jboss.org
> > > Sent: Thursday, December 1, 2016 3:35:31 PM
> > > Subject: Re: [keycloak-user] Keycloak 2.4 SSSD Provider setup for FreeIPA
> > >
> > > Can you run your example without SSSD? Isolate the problem to make sure
> > > that its not an SP configuration issue first. As far as SSSD setup
> > > goes, you're gonna have to talk to Bruno about that. Hopefully he
chimes
> > > in.
> >
> > I tried adding a user to the existing setup from the admin console and I
> > see an error and then I see this in the server.log:
> >
> > Caused by: org.keycloak.federation.sssd.api.SSSDException: Failed to
> > retrieve user's attributes. Check if SSSD service is active.
> >
> > I can't delete the sssd provider though because of this bug:
> >
> > https://issues.jboss.org/browse/KEYCLOAK-3902
> >
> > I started over fresh without the SSSD Provider setup. It does appear that
> > I'm not able to even authenticate as a user created from the admin
> > console.
> >
> > I've bumped logging up to info on both Keycloak and httpd on the SP but, I
> > still don't see much there. Any suggestion on where to go from here?
> >
> > Thanks,
> > Scott
> >
> >
> > >
> > >
> > > On 12/1/16 4:21 PM, Scott Poore wrote:
> > > > Hi,
> > > >
> > > > I am trying to setup Keycloak version 2.4.0 with FreeIPA integration
> > > > using
> > > > the SSSD Provider. I am following the Server Administration Guide
but,
> > > > I'm hitting some error. I'm not sure if it's a bug or a
configuration
> > > > issue on my part.
> > > >
> > > > This is the link I was following:
> > > >
> > > >
https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.4/top...
> > > >
> > > > The difference in setup though is that I'm not using the docker
image.
> > > > Instead I'm using a separate FreeIPA Master server that I have
setup as
> > > > a
> > > > separate VM. I have confirmed that SSSD-DBUS is working:
> > > >
> > > > [root@idp ~]# dbus-send --print-reply --system
> > > > --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe
> > > > org.freedesktop.sssd.infopipe.GetUserGroups string:testuser
> > > > method return time=1480625438.634684 sender=:1.26 ->
destination=:1.29
> > > > serial=17 reply_serial=2
> > > > array [
> > > > string "ipausers"
> > > > ]
> > > >
> > > > For the SP, I setup a basic Apache setup with mod_auth_mellon using
> > > >
> > > > keycloak-httpd-client-install \
> > > > --client-originate-method registration \
> > > > --keycloak-server-url https://idp.keycloak.test:8443 \
> > > > --keycloak-admin-username admin \
> > > > --keycloak-admin-password PASSWORD \
> > > > --app-name testapp \
> > > > --keycloak-realm test_realm \
> > > > --mellon-root mroot \
> > > > --mellon-protected-locations "/mroot/private" \
> > > > --force
> > > >
> > > > When I try to login to the SP, it redirects as expected to the
Keycloak
> > > > server and waits for a while before returning:
> > > >
> > > > Internal Server Error
> > > >
> > > > >From the httpd access log I can see:
> > > >
> > > >
> > > > 192.168.122.1 - - [01/Dec/2016:14:07:04 -0600] "GET
/mroot/private
> > > > HTTP/1.1" 303 384 "-" "Mozilla/5.0 (X11; Linux
x86_64)
> > > > AppleWebKit/537.36
> > > > (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36"
> > > > 192.168.122.1 - - [01/Dec/2016:14:07:04 -0600] "GET
> > > >
/mroot/mellon/login?ReturnTo=http%3A%2F%2Fsp1.keycloak.test%2Fmroot%2Fprivate&IdP=https%3A%2F%2Fidp.keycloak.test%3A8443%2Fauth%2Frealms%2Ftest_realm
> > > > HTTP/1.1" 303 1320 "-" "Mozilla/5.0 (X11; Linux
x86_64)
> > > > AppleWebKit/537.36
> > > > (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36"
> > > >
> > > > >From the admin console, I can see what appears to be an active
session
> > > > >for
> > > > >the client.
> > > >
> > > > >From the Keycloak server.log I can see:
> > > >
> > > > 2016-12-01 14:14:31,576 WARN [com.arjuna.ats.arjuna] (Transaction
> > > > Reaper
> > > > Worker 0) ARJUNA012108: CheckedAction::check - atomic action
> > > > 0:ffffc0a87abf:7c36d3eb:58406454:81e aborting with 1 threads active!
> > > > 2016-12-01 14:14:31,578 WARN
> > > >
[org.hibernate.resource.transaction.backend.jta.internal.synchronization.SynchronizationCallbackCoordinatorTrackingImpl]
> > > > (Transaction Reaper Worker 0) HHH000451: Transaction afterCo
> > > > mpletion called by a background thread; delaying afterCompletion
> > > > processing
> > > > until the original thread can handle it. [status=4]
> > > > 2016-12-01 14:14:31,579 WARN [com.arjuna.ats.arjuna] (Transaction
> > > > Reaper
> > > > Worker 0) ARJUNA012121: TransactionReaper::doCancellations worker
> > > > Thread[Transaction Reaper Worker 0,5,main] successfully canceled TX
0:f
> > > > fffc0a87abf:7c36d3eb:58406454:81e
> > > > 2016-12-01 14:15:50,617 WARN [com.arjuna.ats.arjuna] (default
task-25)
> > > > ARJUNA012077: Abort called on already aborted atomic action
> > > > 0:ffffc0a87abf:7c36d3eb:58406454:81e
> > > > 2016-12-01 14:15:50,620 ERROR
[org.jboss.resteasy.resteasy_jaxrs.i18n]
> > > > (default task-25) RESTEASY002025: Unknown exception while executing
> > > > POST
> > > > /realms/test_realm/login-actions/authenticate: java.lang.RuntimeExc
> > > > eption: javax.transaction.RollbackException: ARJUNA016102: The
> > > > transaction
> > > > is not active! Uid is 0:ffffc0a87abf:7c36d3eb:58406454:81e
> > > >
> > > > Leaving out the traceback for brevity. I can send that if
> > > > needed/wanted.
> > > >
> > > >
> > > > When I logout the session and set SSSD debug_level to 9 and restart
> > > > sssd,
> > > > keycloak, and httpd (on the SP), I do see SSSD looking up the user.
I
> > > > can
> > > > provide the SSSD logs if it helps.
> > > >
> > > >
> > > > So, how do I go about troubleshooting this issue? Are there any
steps
> > > > missing from the SSSD Provider doc?
> > > >
> > > > Thanks,
> > > > Scott
> > > >
> > > >
> > > >
> > > >
> > > >
> > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user(a)lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
>
> abstractj
> PGP: 0x84DC9914
>
--
abstractj
PGP: 0x84DC9914
8:37 p.m.
----- Original Message -----
From: "Bruno Oliveira" <bruno(a)abstractj.org>
To: "Scott Poore" <spoore(a)redhat.com>
Cc: "Bill Burke" <bburke(a)redhat.com>, keycloak-user(a)lists.jboss.org
Sent: Friday, December 2, 2016 12:37:32 PM
Subject: Re: [keycloak-user] Keycloak 2.4 SSSD Provider setup for FreeIPA
On 2016-12-02, Scott Poore wrote:
>
>
> ----- Original Message -----
> > From: "Bruno Oliveira" <bruno(a)abstractj.org>
> > To: "Scott Poore" <spoore(a)redhat.com>
> > Cc: "Bill Burke" <bburke(a)redhat.com>,
keycloak-user(a)lists.jboss.org
> > Sent: Friday, December 2, 2016 1:41:48 AM
> > Subject: Re: [keycloak-user] Keycloak 2.4 SSSD Provider setup for FreeIPA
> >
> > Hi Scott, sorry for the late response.
> >
> > From what I noticed, dbus-send works for you right? But I feel like the
> > user running Keycloak process does not have access to
> > /etc/sssd/sssd.conf, or is not the same running dbus-send. Is that true?
>
> Yes, that's one problem. I was running keycloak as keycloak user but
> dbus-send as root. I also found where I had the wrong ownership on a java
> keystore file for running https.
>
> >
> > If yes, check if user running Keycloak is listed into sssd.conf
> > 'allowed_uids'
> > section. I saw that you managed to run dbus-send, but worth to ask.
> > Is the user running dbus-send, the same starting Keycloak server process?
>
> That I was fixing. I just wasn't testing dbus-send as keycloak user.
>
> >
> > I included a very simple check to make sure that Windows users don't see
> > the
> > SSSD
> > Federation provider listed — If the user running Keycloak does not have
> > reading rights over /etc/sssd.
>
> By default /etc/sssd is 700 so no one but root can read that. Should I
> just be running keycloak as root? (FYI, that's what I'm trying now).
Do what for now, or add reading permissions to this folder to isolate
the problem.
>
> >
> > For troubleshooting some of these issues (because from time to time, I
> > mess up with my environment), I have this docker image[1].
> >
> > Speaking about KEYCLOAK-3902, I already fixed it. I will just include
> > the integration tests to reproduce this scenario.
>
> I saw that it was at least scheduled to be fixed. Wasn't sure if the fix
> was complete.
>
> So, what about my last issue where I cannot seem to authenticate as a
> normal user I created in the realm from the Keycloak admin console?
What you have at your logs? Have you installed jna and libunix RPMs?
I opened a ticket to post logs too. I wasn't sure if you wanted those posted to the
mailing list.
https://issues.jboss.org/browse/KEYCLOAK-4019
In the ticket I also tried to post detailed description of my setup in the "Steps to
Reproduce". Maybe that will show what I was doing wrong.
I have not yet installed the jna or libunix RPMs in my current setup. My previous setup
had them before I tried starting over to try to cut out all SSSD Provider related possible
issues. So, I'm trying now with a clean install without using the SSSD Provider.
But, it is still an ipa client so sssd was running. Do I still need jna and libunix
installed if I'm not using SSSD?
Should I also change the subject of the email to better reflect my current issue? Or
we'll get back the SSSD in this thread when my other issue is resolved?
Thanks for all the help.
Scott
>
> FYI, I'm trying to set this up on Fedora 24 if that makes any difference.
>
> [root@idp ~]# rpm -q java-1.8.0-openjdk
> java-1.8.0-openjdk-1.8.0.111-3.b16.fc24.x86_64
>
> [root@sp1 ~]# rpm -q httpd mod_auth_mellon
> httpd-2.4.23-4.fc24.x86_64
> mod_auth_mellon-0.12.0-2.fc24.x86_64
>
>
> I also re-installed the client manually using mellon_create_metadata.sh and
> importing the metadata file from the admin console. I see the same thing
> so I don't think keycloak-httpd-client-install set up anything in a way to
> cause this.
>
> It looks like it takes almost 12 minutes for something to time out when I
> try accessing the SP from my browser.
>
> started: 11:53:55 by the clock on my desktop
> ended: ~12:05:42 by the clock on my desktop
>
> Not sure if that helps at all but, thought I'd actually document it in case
> it does help.
>
> When it does finally time out is when I see the "Internal Server Error".
> And the location bar is pointing to the keycloak and does not seem to
> have been redirected back to the SP.
>
> Does any of that sound familar?
>
> Thanks,
> Scott
>
> >
> > [1] -
> >
https://github.com/keycloak/keycloak-test-docker-images/tree/master/keycl...
> >
> > On 2016-12-01, Scott Poore wrote:
> > >
> > >
> > > ----- Original Message -----
> > > > From: "Bill Burke" <bburke(a)redhat.com>
> > > > To: keycloak-user(a)lists.jboss.org
> > > > Sent: Thursday, December 1, 2016 3:35:31 PM
> > > > Subject: Re: [keycloak-user] Keycloak 2.4 SSSD Provider setup for
> > > > FreeIPA
> > > >
> > > > Can you run your example without SSSD? Isolate the problem to make
> > > > sure
> > > > that its not an SP configuration issue first. As far as SSSD setup
> > > > goes, you're gonna have to talk to Bruno about that. Hopefully
he
> > > > chimes
> > > > in.
> > >
> > > I tried adding a user to the existing setup from the admin console and
> > > I
> > > see an error and then I see this in the server.log:
> > >
> > > Caused by: org.keycloak.federation.sssd.api.SSSDException: Failed to
> > > retrieve user's attributes. Check if SSSD service is active.
> > >
> > > I can't delete the sssd provider though because of this bug:
> > >
> > > https://issues.jboss.org/browse/KEYCLOAK-3902
> > >
> > > I started over fresh without the SSSD Provider setup. It does appear
> > > that
> > > I'm not able to even authenticate as a user created from the admin
> > > console.
> > >
> > > I've bumped logging up to info on both Keycloak and httpd on the SP
> > > but, I
> > > still don't see much there. Any suggestion on where to go from here?
> > >
> > > Thanks,
> > > Scott
> > >
> > >
> > > >
> > > >
> > > > On 12/1/16 4:21 PM, Scott Poore wrote:
> > > > > Hi,
> > > > >
> > > > > I am trying to setup Keycloak version 2.4.0 with FreeIPA
> > > > > integration
> > > > > using
> > > > > the SSSD Provider. I am following the Server Administration
Guide
> > > > > but,
> > > > > I'm hitting some error. I'm not sure if it's a bug
or a
> > > > > configuration
> > > > > issue on my part.
> > > > >
> > > > > This is the link I was following:
> > > > >
> > > > >
https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.4/top...
> > > > >
> > > > > The difference in setup though is that I'm not using the
docker
> > > > > image.
> > > > > Instead I'm using a separate FreeIPA Master server that I
have
> > > > > setup as
> > > > > a
> > > > > separate VM. I have confirmed that SSSD-DBUS is working:
> > > > >
> > > > > [root@idp ~]# dbus-send --print-reply --system
> > > > > --dest=org.freedesktop.sssd.infopipe
/org/freedesktop/sssd/infopipe
> > > > > org.freedesktop.sssd.infopipe.GetUserGroups string:testuser
> > > > > method return time=1480625438.634684 sender=:1.26 ->
> > > > > destination=:1.29
> > > > > serial=17 reply_serial=2
> > > > > array [
> > > > > string "ipausers"
> > > > > ]
> > > > >
> > > > > For the SP, I setup a basic Apache setup with mod_auth_mellon
using
> > > > >
> > > > > keycloak-httpd-client-install \
> > > > > --client-originate-method registration \
> > > > > --keycloak-server-url https://idp.keycloak.test:8443 \
> > > > > --keycloak-admin-username admin \
> > > > > --keycloak-admin-password PASSWORD \
> > > > > --app-name testapp \
> > > > > --keycloak-realm test_realm \
> > > > > --mellon-root mroot \
> > > > > --mellon-protected-locations "/mroot/private" \
> > > > > --force
> > > > >
> > > > > When I try to login to the SP, it redirects as expected to the
> > > > > Keycloak
> > > > > server and waits for a while before returning:
> > > > >
> > > > > Internal Server Error
> > > > >
> > > > > >From the httpd access log I can see:
> > > > >
> > > > >
> > > > > 192.168.122.1 - - [01/Dec/2016:14:07:04 -0600] "GET
/mroot/private
> > > > > HTTP/1.1" 303 384 "-" "Mozilla/5.0 (X11;
Linux x86_64)
> > > > > AppleWebKit/537.36
> > > > > (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36"
> > > > > 192.168.122.1 - - [01/Dec/2016:14:07:04 -0600] "GET
> > > > >
/mroot/mellon/login?ReturnTo=http%3A%2F%2Fsp1.keycloak.test%2Fmroot%2Fprivate&IdP=https%3A%2F%2Fidp.keycloak.test%3A8443%2Fauth%2Frealms%2Ftest_realm
> > > > > HTTP/1.1" 303 1320 "-" "Mozilla/5.0 (X11;
Linux x86_64)
> > > > > AppleWebKit/537.36
> > > > > (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36"
> > > > >
> > > > > >From the admin console, I can see what appears to be an
active
> > > > > >session
> > > > > >for
> > > > > >the client.
> > > > >
> > > > > >From the Keycloak server.log I can see:
> > > > >
> > > > > 2016-12-01 14:14:31,576 WARN [com.arjuna.ats.arjuna]
(Transaction
> > > > > Reaper
> > > > > Worker 0) ARJUNA012108: CheckedAction::check - atomic action
> > > > > 0:ffffc0a87abf:7c36d3eb:58406454:81e aborting with 1 threads
> > > > > active!
> > > > > 2016-12-01 14:14:31,578 WARN
> > > > >
[org.hibernate.resource.transaction.backend.jta.internal.synchronization.SynchronizationCallbackCoordinatorTrackingImpl]
> > > > > (Transaction Reaper Worker 0) HHH000451: Transaction afterCo
> > > > > mpletion called by a background thread; delaying
afterCompletion
> > > > > processing
> > > > > until the original thread can handle it. [status=4]
> > > > > 2016-12-01 14:14:31,579 WARN [com.arjuna.ats.arjuna]
(Transaction
> > > > > Reaper
> > > > > Worker 0) ARJUNA012121: TransactionReaper::doCancellations
worker
> > > > > Thread[Transaction Reaper Worker 0,5,main] successfully canceled
TX
> > > > > 0:f
> > > > > fffc0a87abf:7c36d3eb:58406454:81e
> > > > > 2016-12-01 14:15:50,617 WARN [com.arjuna.ats.arjuna] (default
> > > > > task-25)
> > > > > ARJUNA012077: Abort called on already aborted atomic action
> > > > > 0:ffffc0a87abf:7c36d3eb:58406454:81e
> > > > > 2016-12-01 14:15:50,620 ERROR
> > > > > [org.jboss.resteasy.resteasy_jaxrs.i18n]
> > > > > (default task-25) RESTEASY002025: Unknown exception while
executing
> > > > > POST
> > > > > /realms/test_realm/login-actions/authenticate:
java.lang.RuntimeExc
> > > > > eption: javax.transaction.RollbackException: ARJUNA016102: The
> > > > > transaction
> > > > > is not active! Uid is 0:ffffc0a87abf:7c36d3eb:58406454:81e
> > > > >
> > > > > Leaving out the traceback for brevity. I can send that if
> > > > > needed/wanted.
> > > > >
> > > > >
> > > > > When I logout the session and set SSSD debug_level to 9 and
restart
> > > > > sssd,
> > > > > keycloak, and httpd (on the SP), I do see SSSD looking up the
user.
> > > > > I
> > > > > can
> > > > > provide the SSSD logs if it helps.
> > > > >
> > > > >
> > > > > So, how do I go about troubleshooting this issue? Are there
any
> > > > > steps
> > > > > missing from the SSSD Provider doc?
> > > > >
> > > > > Thanks,
> > > > > Scott
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > >
> > > > _______________________________________________
> > > > keycloak-user mailing list
> > > > keycloak-user(a)lists.jboss.org
> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user(a)lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> > --
> >
> > abstractj
> > PGP: 0x84DC9914
> >
--
abstractj
PGP: 0x84DC9914
12:08 p.m.
On 2016-12-02, Scott Poore wrote:
----- Original Message -----
> From: "Bruno Oliveira" <bruno(a)abstractj.org>
> To: "Scott Poore" <spoore(a)redhat.com>
> Cc: "Bill Burke" <bburke(a)redhat.com>, keycloak-user(a)lists.jboss.org
> Sent: Friday, December 2, 2016 12:37:32 PM
> Subject: Re: [keycloak-user] Keycloak 2.4 SSSD Provider setup for FreeIPA
>
> On 2016-12-02, Scott Poore wrote:
> >
> >
> > ----- Original Message -----
> > > From: "Bruno Oliveira" <bruno(a)abstractj.org>
> > > To: "Scott Poore" <spoore(a)redhat.com>
> > > Cc: "Bill Burke" <bburke(a)redhat.com>,
keycloak-user(a)lists.jboss.org
> > > Sent: Friday, December 2, 2016 1:41:48 AM
> > > Subject: Re: [keycloak-user] Keycloak 2.4 SSSD Provider setup for FreeIPA
> > >
> > > Hi Scott, sorry for the late response.
> > >
> > > From what I noticed, dbus-send works for you right? But I feel like the
> > > user running Keycloak process does not have access to
> > > /etc/sssd/sssd.conf, or is not the same running dbus-send. Is that true?
> >
> > Yes, that's one problem. I was running keycloak as keycloak user but
> > dbus-send as root. I also found where I had the wrong ownership on a java
> > keystore file for running https.
> >
> > >
> > > If yes, check if user running Keycloak is listed into sssd.conf
> > > 'allowed_uids'
> > > section. I saw that you managed to run dbus-send, but worth to ask.
> > > Is the user running dbus-send, the same starting Keycloak server process?
> >
> > That I was fixing. I just wasn't testing dbus-send as keycloak user.
> >
> > >
> > > I included a very simple check to make sure that Windows users don't
see
> > > the
> > > SSSD
> > > Federation provider listed — If the user running Keycloak does not have
> > > reading rights over /etc/sssd.
> >
> > By default /etc/sssd is 700 so no one but root can read that. Should I
> > just be running keycloak as root? (FYI, that's what I'm trying now).
>
> Do what for now, or add reading permissions to this folder to isolate
> the problem.
>
> >
> > >
> > > For troubleshooting some of these issues (because from time to time, I
> > > mess up with my environment), I have this docker image[1].
> > >
> > > Speaking about KEYCLOAK-3902, I already fixed it. I will just include
> > > the integration tests to reproduce this scenario.
> >
> > I saw that it was at least scheduled to be fixed. Wasn't sure if the fix
> > was complete.
> >
> > So, what about my last issue where I cannot seem to authenticate as a
> > normal user I created in the realm from the Keycloak admin console?
>
> What you have at your logs? Have you installed jna and libunix RPMs?
I opened a ticket to post logs too. I wasn't sure if you wanted those posted to the
mailing list.
https://issues.jboss.org/browse/KEYCLOAK-4019
In the ticket I also tried to post detailed description of my setup in the "Steps to
Reproduce". Maybe that will show what I was doing wrong.
I have not yet installed the jna or libunix RPMs in my current setup. My previous setup
had them before I tried starting over to try to cut out all SSSD Provider related possible
issues. So, I'm trying now with a clean install without using the SSSD Provider.
But, it is still an ipa client so sssd was running. Do I still need jna and libunix
installed if I'm not using SSSD?
You only need JNA and libunix if you would like to enable SSSD
Federation provider, other than that, ignore it.
Should I also change the subject of the email to better reflect my current issue? Or
we'll get back the SSSD in this thread when my other issue is resolved?
I can be wrong. But looking at the description of your issue, it seems
like more related with SAML2 setup, than SSSD federation provider setup.
Thanks for all the help.
Scott
>
> >
> > FYI, I'm trying to set this up on Fedora 24 if that makes any difference.
> >
> > [root@idp ~]# rpm -q java-1.8.0-openjdk
> > java-1.8.0-openjdk-1.8.0.111-3.b16.fc24.x86_64
> >
> > [root@sp1 ~]# rpm -q httpd mod_auth_mellon
> > httpd-2.4.23-4.fc24.x86_64
> > mod_auth_mellon-0.12.0-2.fc24.x86_64
> >
> >
> > I also re-installed the client manually using mellon_create_metadata.sh and
> > importing the metadata file from the admin console. I see the same thing
> > so I don't think keycloak-httpd-client-install set up anything in a way to
> > cause this.
> >
> > It looks like it takes almost 12 minutes for something to time out when I
> > try accessing the SP from my browser.
> >
> > started: 11:53:55 by the clock on my desktop
> > ended: ~12:05:42 by the clock on my desktop
> >
> > Not sure if that helps at all but, thought I'd actually document it in
case
> > it does help.
> >
> > When it does finally time out is when I see the "Internal Server
Error".
> > And the location bar is pointing to the keycloak and does not seem to
> > have been redirected back to the SP.
> >
> > Does any of that sound familar?
> >
> > Thanks,
> > Scott
> >
> > >
> > > [1] -
> > >
https://github.com/keycloak/keycloak-test-docker-images/tree/master/keycl...
> > >
> > > On 2016-12-01, Scott Poore wrote:
> > > >
> > > >
> > > > ----- Original Message -----
> > > > > From: "Bill Burke" <bburke(a)redhat.com>
> > > > > To: keycloak-user(a)lists.jboss.org
> > > > > Sent: Thursday, December 1, 2016 3:35:31 PM
> > > > > Subject: Re: [keycloak-user] Keycloak 2.4 SSSD Provider setup
for
> > > > > FreeIPA
> > > > >
> > > > > Can you run your example without SSSD? Isolate the problem to
make
> > > > > sure
> > > > > that its not an SP configuration issue first. As far as SSSD
setup
> > > > > goes, you're gonna have to talk to Bruno about that.
Hopefully he
> > > > > chimes
> > > > > in.
> > > >
> > > > I tried adding a user to the existing setup from the admin console
and
> > > > I
> > > > see an error and then I see this in the server.log:
> > > >
> > > > Caused by: org.keycloak.federation.sssd.api.SSSDException: Failed to
> > > > retrieve user's attributes. Check if SSSD service is active.
> > > >
> > > > I can't delete the sssd provider though because of this bug:
> > > >
> > > > https://issues.jboss.org/browse/KEYCLOAK-3902
> > > >
> > > > I started over fresh without the SSSD Provider setup. It does
appear
> > > > that
> > > > I'm not able to even authenticate as a user created from the
admin
> > > > console.
> > > >
> > > > I've bumped logging up to info on both Keycloak and httpd on the
SP
> > > > but, I
> > > > still don't see much there. Any suggestion on where to go from
here?
> > > >
> > > > Thanks,
> > > > Scott
> > > >
> > > >
> > > > >
> > > > >
> > > > > On 12/1/16 4:21 PM, Scott Poore wrote:
> > > > > > Hi,
> > > > > >
> > > > > > I am trying to setup Keycloak version 2.4.0 with FreeIPA
> > > > > > integration
> > > > > > using
> > > > > > the SSSD Provider. I am following the Server
Administration Guide
> > > > > > but,
> > > > > > I'm hitting some error. I'm not sure if it's a
bug or a
> > > > > > configuration
> > > > > > issue on my part.
> > > > > >
> > > > > > This is the link I was following:
> > > > > >
> > > > > >
https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.4/top...
> > > > > >
> > > > > > The difference in setup though is that I'm not using
the docker
> > > > > > image.
> > > > > > Instead I'm using a separate FreeIPA Master server that
I have
> > > > > > setup as
> > > > > > a
> > > > > > separate VM. I have confirmed that SSSD-DBUS is working:
> > > > > >
> > > > > > [root@idp ~]# dbus-send --print-reply --system
> > > > > > --dest=org.freedesktop.sssd.infopipe
/org/freedesktop/sssd/infopipe
> > > > > > org.freedesktop.sssd.infopipe.GetUserGroups
string:testuser
> > > > > > method return time=1480625438.634684 sender=:1.26 ->
> > > > > > destination=:1.29
> > > > > > serial=17 reply_serial=2
> > > > > > array [
> > > > > > string "ipausers"
> > > > > > ]
> > > > > >
> > > > > > For the SP, I setup a basic Apache setup with
mod_auth_mellon using
> > > > > >
> > > > > > keycloak-httpd-client-install \
> > > > > > --client-originate-method registration \
> > > > > > --keycloak-server-url https://idp.keycloak.test:8443
\
> > > > > > --keycloak-admin-username admin \
> > > > > > --keycloak-admin-password PASSWORD \
> > > > > > --app-name testapp \
> > > > > > --keycloak-realm test_realm \
> > > > > > --mellon-root mroot \
> > > > > > --mellon-protected-locations
"/mroot/private" \
> > > > > > --force
> > > > > >
> > > > > > When I try to login to the SP, it redirects as expected to
the
> > > > > > Keycloak
> > > > > > server and waits for a while before returning:
> > > > > >
> > > > > > Internal Server Error
> > > > > >
> > > > > > >From the httpd access log I can see:
> > > > > >
> > > > > >
> > > > > > 192.168.122.1 - - [01/Dec/2016:14:07:04 -0600] "GET
/mroot/private
> > > > > > HTTP/1.1" 303 384 "-" "Mozilla/5.0
(X11; Linux x86_64)
> > > > > > AppleWebKit/537.36
> > > > > > (KHTML, like Gecko) Chrome/50.0.2661.86
Safari/537.36"
> > > > > > 192.168.122.1 - - [01/Dec/2016:14:07:04 -0600] "GET
> > > > > >
/mroot/mellon/login?ReturnTo=http%3A%2F%2Fsp1.keycloak.test%2Fmroot%2Fprivate&IdP=https%3A%2F%2Fidp.keycloak.test%3A8443%2Fauth%2Frealms%2Ftest_realm
> > > > > > HTTP/1.1" 303 1320 "-" "Mozilla/5.0
(X11; Linux x86_64)
> > > > > > AppleWebKit/537.36
> > > > > > (KHTML, like Gecko) Chrome/50.0.2661.86
Safari/537.36"
> > > > > >
> > > > > > >From the admin console, I can see what appears to be an
active
> > > > > > >session
> > > > > > >for
> > > > > > >the client.
> > > > > >
> > > > > > >From the Keycloak server.log I can see:
> > > > > >
> > > > > > 2016-12-01 14:14:31,576 WARN [com.arjuna.ats.arjuna]
(Transaction
> > > > > > Reaper
> > > > > > Worker 0) ARJUNA012108: CheckedAction::check - atomic
action
> > > > > > 0:ffffc0a87abf:7c36d3eb:58406454:81e aborting with 1
threads
> > > > > > active!
> > > > > > 2016-12-01 14:14:31,578 WARN
> > > > > >
[org.hibernate.resource.transaction.backend.jta.internal.synchronization.SynchronizationCallbackCoordinatorTrackingImpl]
> > > > > > (Transaction Reaper Worker 0) HHH000451: Transaction
afterCo
> > > > > > mpletion called by a background thread; delaying
afterCompletion
> > > > > > processing
> > > > > > until the original thread can handle it. [status=4]
> > > > > > 2016-12-01 14:14:31,579 WARN [com.arjuna.ats.arjuna]
(Transaction
> > > > > > Reaper
> > > > > > Worker 0) ARJUNA012121: TransactionReaper::doCancellations
worker
> > > > > > Thread[Transaction Reaper Worker 0,5,main] successfully
canceled TX
> > > > > > 0:f
> > > > > > fffc0a87abf:7c36d3eb:58406454:81e
> > > > > > 2016-12-01 14:15:50,617 WARN [com.arjuna.ats.arjuna]
(default
> > > > > > task-25)
> > > > > > ARJUNA012077: Abort called on already aborted atomic
action
> > > > > > 0:ffffc0a87abf:7c36d3eb:58406454:81e
> > > > > > 2016-12-01 14:15:50,620 ERROR
> > > > > > [org.jboss.resteasy.resteasy_jaxrs.i18n]
> > > > > > (default task-25) RESTEASY002025: Unknown exception while
executing
> > > > > > POST
> > > > > > /realms/test_realm/login-actions/authenticate:
java.lang.RuntimeExc
> > > > > > eption: javax.transaction.RollbackException: ARJUNA016102:
The
> > > > > > transaction
> > > > > > is not active! Uid is 0:ffffc0a87abf:7c36d3eb:58406454:81e
> > > > > >
> > > > > > Leaving out the traceback for brevity. I can send that if
> > > > > > needed/wanted.
> > > > > >
> > > > > >
> > > > > > When I logout the session and set SSSD debug_level to 9 and
restart
> > > > > > sssd,
> > > > > > keycloak, and httpd (on the SP), I do see SSSD looking up
the user.
> > > > > > I
> > > > > > can
> > > > > > provide the SSSD logs if it helps.
> > > > > >
> > > > > >
> > > > > > So, how do I go about troubleshooting this issue? Are
there any
> > > > > > steps
> > > > > > missing from the SSSD Provider doc?
> > > > > >
> > > > > > Thanks,
> > > > > > Scott
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > > _______________________________________________
> > > > > keycloak-user mailing list
> > > > > keycloak-user(a)lists.jboss.org
> > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > > >
> > > > _______________________________________________
> > > > keycloak-user mailing list
> > > > keycloak-user(a)lists.jboss.org
> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >
> > > --
> > >
> > > abstractj
> > > PGP: 0x84DC9914
> > >
>
> --
>
> abstractj
> PGP: 0x84DC9914
>
--
abstractj
PGP: 0x84DC9914
2:42 p.m.
New subject: Keycloak 2.4 SAML2 login issue
----- Original Message -----
From: "Bruno Oliveira" <bruno(a)abstractj.org>
To: "Scott Poore" <spoore(a)redhat.com>
Cc: "Bill Burke" <bburke(a)redhat.com>, keycloak-user(a)lists.jboss.org
Sent: Monday, December 5, 2016 5:08:14 AM
Subject: Re: [keycloak-user] Keycloak 2.4 SSSD Provider setup for FreeIPA
On 2016-12-02, Scott Poore wrote:
...
> > From: "Bruno Oliveira"
<bruno(a)abstractj.org>
...
> > On 2016-12-02, Scott Poore wrote:
...
> > > So, what about my last issue where I cannot seem to
authenticate as a
> > > normal user I created in the realm from the Keycloak admin console?
> >
> > What you have at your logs? Have you installed jna and libunix RPMs?
>
> I opened a ticket to post logs too. I wasn't sure if you wanted those
> posted to the mailing list.
>
> https://issues.jboss.org/browse/KEYCLOAK-4019
>
> In the ticket I also tried to post detailed description of my setup in the
> "Steps to Reproduce". Maybe that will show what I was doing wrong.
>
> I have not yet installed the jna or libunix RPMs in my current setup. My
> previous setup had them before I tried starting over to try to cut out all
> SSSD Provider related possible issues. So, I'm trying now with a clean
> install without using the SSSD Provider. But, it is still an ipa client
> so sssd was running. Do I still need jna and libunix installed if I'm not
> using SSSD?
You only need JNA and libunix if you would like to enable SSSD
Federation provider, other than that, ignore it.
>
> Should I also change the subject of the email to better reflect my current
> issue? Or we'll get back the SSSD in this thread when my other issue is
> resolved?
I can be wrong. But looking at the description of your issue, it seems
like more related with SAML2 setup, than SSSD federation provider setup.
Ok, I changed the subject to try to better match the issue.
Are you able to tell from my logs I posted to the ticket why is the login timing out?
Thanks,
Scott
2707
days inactive
2711
days old
8 comments
3 participants
participants (3)
-
Bill Burke -
Bruno Oliveira -
Scott Poore