I have 6 servers set up as FreeIPA replicas.
5 are working great, no problems.
They are all running ipa-server-3.0.0-26.el6_4.4.x86_64
However, the same one will randomly stop working. By stop working I mean the 
following:
(domain name and ips have been redacted)

I cannot kinit as any user on that machine:
[root@badserver ~]# kinit admin
kinit: Generic error (see e-text) while getting initial credentials

I cannot connect on 389 or 636 to that server:

 telnet badserver 636

telnet: Unable to connect to remote host: Connection refused

slapd is running and listening on port 389 according to netstat:
[root@badserver ~]# netstat -lpn | grep 389
tcp        0      0 :::7389                     :::*                        LISTEN      16419/ns-slapd

But nothing is returned for port 636.


In the /var/log/slapd-PKI* or slapd-<DOMAIN> error files, the last error is 
from over a week ago; actually, the last entry, period, is from then.

[18/Sep/2013:01:09:34 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (KDC returned error string: PROCESS_TGS)) errno 2 (No such file or directory)


/var/log/krb5kdc.log shows:
Sep 30 12:22:24 badserver krb5kdc[32063](info): AS_REQ (4 etypes {18 17 16 23}) <ip>: LOOKING_UP_CLIENT: ad...@example.com for krbtgt/example....@example.com, Server error

A service ipa restart ALWAYS fixes it.
I added debug=true to /etc/ipa/default.conf, but I do not see anything that is 
helpful.
The only things listed in default.conf are things related to "importing plugin 
module"


Any guidance/advice/docs to read would be greatly appreciated! The fact that it 
seems to be so random and the other 5 ipa servers are working great makes it 
even more frustrating!

Thanks!


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
