Dude. You rock :-) That was it!! All the entries were the wrong way round (not sure how I missed that ... time for a visit to the optometrist's)

Beer is in the mail! And thanks to all @redhat for an excellent piece of software and for all the help today!

On Wed, Apr 1, 2015 at 4:40 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> Traiano Welcome wrote:
>> Hi Dmitri
>>
>> This is a freshly generated DS log (sanitized: XYZ = realm):
>>
>>
>> 389-Directory/1.3.1.6 B2014.160.2139
>> lolpr-xyz-mstr.xyz.local:636 (/etc/dirsrv/slapd-XYZ-LOCAL)
>>
>> [01/Apr/2015:15:19:01 +0300] - 389-Directory/1.3.1.6 B2014.160.2139 starting
>> up
>> [01/Apr/2015:15:19:01 +0300] schema-compat-plugin - warning: no
>> entries set up under cn=computers, cn=compat,dc=xyz,dc=local
>> [01/Apr/2015:15:19:02 +0300] - Skipping CoS Definition cn=Password
>> Policy,cn=accounts,dc=xyz,dc=local--no CoS Templates found, which
>> should be added before the CoS Definition.
>> [01/Apr/2015:15:19:02 +0300] NSMMReplicationPlugin - CleanAllRUV Task:
>> cleanAllRUV task found, resuming the cleaning of rid(6)...
>> [01/Apr/2015:15:19:02 +0300] slapi_ldap_bind - Error: could not send
>> startTLS request: error -1 (Can't contact LDAP server) errno 0
>> (Success)
>> [01/Apr/2015:15:19:02 +0300] NSMMReplicationPlugin -
>> agmt="cn=masterAgreement1-lolospr-xyz-slve.xyz.local-pki-tomcat"
>> (lolospr-xyz-slve:389): Replication bind with SIMPLE auth failed: LDAP
>> error -1 (Can't contact LDAP server) ()
>> [01/Apr/2015:15:19:02 +0300] set_krb5_creds - Could not get initial
>> credentials for principal [ldap/lolpr-xyz-mstr@] in keytab
>> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
>> [01/Apr/2015:15:19:02 +0300] set_krb5_creds - Could not get initial
>> credentials for principal [ldap/lolpr-xyz-mstr@] in keytab
>> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
>> [01/Apr/2015:15:19:02 +0300] - Skipping CoS Definition cn=Password
>> Policy,cn=accounts,dc=xyz,dc=local--no CoS Templates found, which
>> should be added before the CoS Definition.
>> [01/Apr/2015:15:19:02 +0300] set_krb5_creds - Could not get initial
>> credentials for principal [ldap/lolpr-xyz-mstr@] in keytab
>> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
>> [01/Apr/2015:15:19:02 +0300] slapd_ldap_sasl_interactive_bind - Error:
>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
>> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
>> GSS failure. Minor code may provide more information (No Kerberos
>> credentials available)) errno 2 (No such file or directory)
>> [01/Apr/2015:15:19:02 +0300] slapi_ldap_bind - Error: could not
>> perform interactive bind for id [] authentication mechanism [GSSAPI]:
>> error -2 (Local error)
>> [01/Apr/2015:15:19:02 +0300] NSMMReplicationPlugin -
>> agmt="cn=meTololard-xyz-slve.xyz.local" (lolard-xyz-slve:389):
>> Replication bind with GSSAPI auth failed: LDAP error -2 (Local error)
>> (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
>> Minor code may provide more information (No Kerberos credentials
>> available))
>> [01/Apr/2015:15:19:02 +0300] set_krb5_creds - Could not get initial
>> credentials for principal [ldap/lolpr-xyz-mstr@] in keytab
>> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
>> [01/Apr/2015:15:19:02 +0300] slapd_ldap_sasl_interactive_bind - Error:
>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
>> -1 (Can't contact LDAP server) ((null)) errno 0 (Success)
>> [01/Apr/2015:15:19:02 +0300] slapi_ldap_bind - Error: could not
>> perform interactive bind for id [] authentication mechanism [GSSAPI]:
>> error -1 (Can't contact LDAP server)
>> [01/Apr/2015:15:19:02 +0300] NSMMReplicationPlugin -
>> agmt="cn=meTololospr-xyz-slve.xyz.local" (lolospr-xyz-slve:389):
>> Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact
>> LDAP server) ()
>> [01/Apr/2015:15:19:02 +0300] - slapd started. Listening on All
>> Interfaces port 389 for LDAP requests
>> [01/Apr/2015:15:19:02 +0300] - Listening on All Interfaces port 636
>> for LDAPS requests
>> [01/Apr/2015:15:19:02 +0300] - Listening on
>> /var/run/slapd-XYZ-LOCAL.socket for LDAPI requests
>> [01/Apr/2015:15:19:02 +0300] set_krb5_creds - Could not get initial
>> credentials for principal [ldap/lolpr-xyz-mstr@] in keytab
>> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
>> [01/Apr/2015:15:19:02 +0300] slapd_ldap_sasl_interactive_bind - Error:
>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
>> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
>> GSS failure. Minor code may provide more information (No Kerberos
>> credentials available)) errno 0 (Success)
>> [01/Apr/2015:15:19:02 +0300] slapi_ldap_bind - Error: could not
>> perform interactive bind for id [] authentication mechanism [GSSAPI]:
>> error -2 (Local error)
>> [01/Apr/2015:15:19:02 +0300] NSMMReplicationPlugin -
>> agmt="cn=meTololpr-xyz-slve.xyz.local" (lolpr-xyz-slve:389):
>> Replication bind with GSSAPI auth failed: LDAP error -2 (Local error)
>> (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
>> Minor code may provide more information (No Kerberos credentials
>> available))
>> [01/Apr/2015:15:19:02 +0300] slapd_ldap_sasl_interactive_bind - Error:
>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
>> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
>> GSS failure. Minor code may provide more information (No Kerberos
>> credentials available)) errno 0 (Success)
>> [01/Apr/2015:15:19:02 +0300] slapi_ldap_bind - Error: could not
>> perform interactive bind for id [] authentication mechanism [GSSAPI]:
>> error -2 (Local error)
>> [01/Apr/2015:15:19:02 +0300] NSMMReplicationPlugin -
>> agmt="cn=meToukpr-xyz-slve.xyz.local" (ukpr-xyz-slve:389): Replication
>> bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1):
>> generic failure: GSSAPI Error: Unspecified GSS failure. Minor code
>> may provide more information (No Kerberos credentials available))
>> [01/Apr/2015:15:19:02 +0300] slapd_ldap_sasl_interactive_bind - Error:
>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
>> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
>> GSS failure. Minor code may provide more information (No Kerberos
>> credentials available))
>> [01/Apr/2015:15:19:04 +0300] - slapd shutting down - signaling operation
>> threads
>> [01/Apr/2015:15:19:04 +0300] - slapd shutting down - closing down
>> internal subsystems and plugins
>> [01/Apr/2015:15:19:05 +0300] NSMMReplicationPlugin - CleanAllRUV Task:
>> Cleaning rid (6)...
>> [01/Apr/2015:15:19:05 +0300] NSMMReplicationPlugin - CleanAllRUV Task:
>> Waiting to process all the updates from the deleted replica...
>> [01/Apr/2015:15:19:05 +0300] NSMMReplicationPlugin - CleanAllRUV Task:
>> Waiting for all the replicas to be online...
>> [01/Apr/2015:15:19:05 +0300] NSMMReplicationPlugin - CleanAllRUV Task:
>> Server shutting down. Process will resume at server startup
>> [01/Apr/2015:15:19:05 +0300] - Waiting for 4 database threads to stop
>> [01/Apr/2015:15:19:05 +0300] - All database threads now stopped
>> [01/Apr/2015:15:19:05 +0300] - slapd stopped.
>
> At least some of this noise is expected. When 389-ds starts it has no
> ccache, logs about it, then goes about getting one. At the same time
> replication agreements are starting and if the credentials haven't been
> obtained yet, those fail as well. It all (usually) ends up syncing back
> up within a few seconds.
>
> Do you have an entry for this machine in /etc/hosts? If so, is the FQDN
> first? If not it should be.
>
> rob
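
An added example, not part of the original thread: a check for the /etc/hosts ordering asked about above, flagging entries whose first (canonical) name is a short name rather than the FQDN. The sample file content and its IP addresses are constructed, and the function names are illustrative.

```python
import ipaddress

# Constructed sample /etc/hosts content (IP addresses are made up; host names
# follow the sanitized names in the log above).
SAMPLE_HOSTS = """\
127.0.0.1   localhost localhost.localdomain
# IPA master: short name listed before the FQDN
10.0.0.11   lolpr-xyz-mstr lolpr-xyz-mstr.xyz.local
10.0.0.12   lolospr-xyz-slve.xyz.local lolospr-xyz-slve   # FQDN first
10.0.0.13   lolard-xyz-slve
"""


def parse_hosts(text):
    """Yield (line_number, ip, [names]) for each usable hosts entry."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split columns
        if len(fields) < 2:
            continue  # blank, comment-only, or address without a name
        try:
            # Strip an IPv6 zone id (fe80::1%eth0) before parsing.
            ip = ipaddress.ip_address(fields[0].split("%", 1)[0])
        except ValueError:
            continue  # first column is not an address
        yield lineno, ip, fields[1:]


def check_fqdn_first(text):
    """Return findings for entries whose first (canonical) name is not an FQDN."""
    findings = []
    for lineno, ip, names in parse_hosts(text):
        if ip.is_loopback:
            continue  # localhost entries are conventionally short-name first
        first = names[0]
        if "." in first:
            continue  # canonical name is already fully qualified
        prefix = first.lower() + "."
        fqdns = [n for n in names[1:] if n.lower().startswith(prefix)]
        if fqdns:
            advice = f"move {fqdns[0]} before {first}"
        else:
            advice = "no FQDN listed for this host"
        findings.append((lineno, str(ip), first, advice))
    return findings


if __name__ == "__main__":
    for lineno, ip, name, advice in check_fqdn_first(SAMPLE_HOSTS):
        print(f"line {lineno}: {ip} canonical name '{name}': {advice}")
```

To check a real host, pass the contents of /etc/hosts to `check_fqdn_first` instead of the sample string.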