> On 20 Jul 2015, at 17:58, Petr Vobornik <pvobo...@redhat.com> wrote:
>
> On 07/20/2015 05:17 PM, Alexander Bokovoy wrote:
>> On Mon, 20 Jul 2015, Alexandre Ellert wrote:
>>>
>>>> Can you please show output from
>>>> fgrep -r 'dc' /etc/dirsrv/slapd-INSTANCE/schema
>>>
>>> # fgrep -r 'dc' /etc/dirsrv/slapd-NUMEEZY-FR/schema
>>
>> This is original 'dc' definition:
>>> /etc/dirsrv/slapd-NUMEEZY-FR/schema/00core.ldif:attributeTypes: (
>>> 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>>
>> This is the offending one:
>>> /etc/dirsrv/slapd-NUMEEZY-FR/schema/99user.ldif:attributeTypes: (
>>> 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D
>>
>>> In 00core.ldif, I have:
>>> attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc'
>>> 'domaincomponent' )
>>> EQUALITY caseIgnoreIA5Match
>>> SUBSTR caseIgnoreIA5SubstringsMatch
>>> SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
>>> SINGLE-VALUE
>>> X-ORIGIN 'RFC 4519'
>>> X-DEPRECATED 'domaincomponent' )
>> If you look into 99user.ldif, you'll see the wrong definition there.
>>
>> 99user.ldif accumulates definitions coming from replication or updates.
>> You can check other IPA masters, do they have 'dc' attribute defined in
>> a wrong way?
>>
>>> As far as I remember, the only modification I made was to disable
>>> read-only access without authentication. I don't need any other
>>> special customization.
>> Something brought the wrong definition into your IPA masters.
>> Maybe someone tried to add support for some old application?
>>
>
> Probably caused by migration from 6.6 to 7.x. See
> https://bugzilla.redhat.com/show_bug.cgi?id=1220788 Usually it doesn't cause
> any issue but looks scary.
I confirm this was a migration from CentOS 6.6 to 7.1. Everything else worked just fine following the Red Hat migration procedure (https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html).

> I'd try to isolate entries from DS, CA, maybe also krb5kdc logs around the
> time the following CA error happened (could be new start).
>
> [30/Jun/2015:10:02:14][localhost-startStop-1]: CMS:Caught EBaseException
> Internal Database Error encountered: Could not connect to LDAP server host
> ipa.mydomain.org

I restarted IPA:

/var/log/pki/pki-tomcat/ca/debug:
[20/Jul/2015:18:12:17][localhost-startStop-1]: CMS:Caught EBaseException

/var/log/krb5kdc.log:
otp: Loaded
Jul 20 18:11:47 inf-ipa-2.numeezy.fr krb5kdc[16635](Error): preauth pkinit failed to initialize: No realms configured correctly for pkinit support
Jul 20 18:11:47 inf-ipa-2.numeezy.fr krb5kdc[16635](info): setting up network...
Jul 20 18:11:47 inf-ipa-2.numeezy.fr krb5kdc[16635](info): listening on fd 8: udp 0.0.0.0.88 (pktinfo)
krb5kdc: setsockopt(9,IPV6_V6ONLY,1) worked
krb5kdc: Invalid argument - Cannot request packet info for udp socket address :: port 88
Jul 20 18:11:47 inf-ipa-2.numeezy.fr krb5kdc[16635](info): skipping unrecognized local address family 17
Jul 20 18:11:47 inf-ipa-2.numeezy.fr krb5kdc[16635](info): skipping unrecognized local address family 17
krb5kdc: setsockopt(9,IPV6_V6ONLY,1) worked
Jul 20 18:11:47 inf-ipa-2.numeezy.fr krb5kdc[16635](info): listening on fd 9: udp fe80::250:56ff:fe93:357e%ens160.88
krb5kdc: setsockopt(10,IPV6_V6ONLY,1) worked
Jul 20 18:11:47 inf-ipa-2.numeezy.fr krb5kdc[16635](info): listening on fd 11: tcp 0.0.0.0.88
Jul 20 18:11:47 inf-ipa-2.numeezy.fr krb5kdc[16635](info): listening on fd 10: tcp ::.88
Jul 20 18:11:47 inf-ipa-2.numeezy.fr krb5kdc[16635](info): set up 4 sockets
Jul 20 18:11:47 inf-ipa-2.numeezy.fr krb5kdc[16636](info): commencing operation
Jul 20 18:11:48 inf-ipa-2.numeezy.fr krb5kdc[16636](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 37.59.203.176: NEEDED_PREAUTH: host/inf-ipa-2.numeezy...@numeezy.fr for krbtgt/numeezy...@numeezy.fr, Additional pre-authentication required
Jul 20 18:11:48 inf-ipa-2.numeezy.fr krb5kdc[16636](info): closing down fd 12
Jul 20 18:11:48 inf-ipa-2.numeezy.fr krb5kdc[16636](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 37.59.203.176: ISSUE: authtime 1437408708, etypes {rep=18 tkt=18 ses=18}, host/inf-ipa-2.numeezy...@numeezy.fr for krbtgt/numeezy...@numeezy.fr
Jul 20 18:11:48 inf-ipa-2.numeezy.fr krb5kdc[16636](info): closing down fd 12
Jul 20 18:11:48 inf-ipa-2.numeezy.fr krb5kdc[16636](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 37.59.203.176: ISSUE: authtime 1437408708, etypes {rep=18 tkt=18 ses=18}, host/inf-ipa-2.numeezy...@numeezy.fr for ldap/inf-ipa-2.numeezy...@numeezy.fr
Jul 20 18:11:48 inf-ipa-2.numeezy.fr krb5kdc[16636](info): closing down fd 12
Jul 20 18:11:48 inf-ipa-2.numeezy.fr krb5kdc[16636](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 37.59.203.176: NEEDED_PREAUTH: DNS/inf-ipa-2.numeezy...@numeezy.fr for krbtgt/numeezy...@numeezy.fr, Additional pre-authentication required
Jul 20 18:11:48 inf-ipa-2.numeezy.fr krb5kdc[16636](info): closing down fd 12
Jul 20 18:11:48 inf-ipa-2.numeezy.fr krb5kdc[16636](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 37.59.203.176: ISSUE: authtime 1437408708, etypes {rep=18 tkt=18 ses=18}, DNS/inf-ipa-2.numeezy...@numeezy.fr for krbtgt/numeezy...@numeezy.fr
Jul 20 18:11:48 inf-ipa-2.numeezy.fr krb5kdc[16636](info): closing down fd 12
Jul 20 18:11:48 inf-ipa-2.numeezy.fr krb5kdc[16636](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 37.59.203.176: ISSUE: authtime 1437408708, etypes {rep=18 tkt=18 ses=18}, DNS/inf-ipa-2.numeezy...@numeezy.fr for ldap/inf-ipa-2.numeezy...@numeezy.fr
Jul 20 18:11:48 inf-ipa-2.numeezy.fr krb5kdc[16636](info): closing down fd 12
Jul 20 18:11:49 inf-ipa-2.numeezy.fr krb5kdc[16636](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 37.59.203.176: NEEDED_PREAUTH: ldap/inf-ipa-2.numeezy...@numeezy.fr for krbtgt/numeezy...@numeezy.fr, Additional pre-authentication required
Jul 20 18:11:49 inf-ipa-2.numeezy.fr krb5kdc[16636](info): closing down fd 12
Jul 20 18:11:49 inf-ipa-2.numeezy.fr krb5kdc[16636](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 37.59.203.176: ISSUE: authtime 1437408709, etypes {rep=18 tkt=18 ses=18}, ldap/inf-ipa-2.numeezy...@numeezy.fr for krbtgt/numeezy...@numeezy.fr
Jul 20 18:11:49 inf-ipa-2.numeezy.fr krb5kdc[16636](info): closing down fd 12
Jul 20 18:11:49 inf-ipa-2.numeezy.fr krb5kdc[16636](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 37.59.203.176: ISSUE: authtime 1437408709, etypes {rep=18 tkt=18 ses=18}, ldap/inf-ipa-2.numeezy...@numeezy.fr for ldap/inf-ipa.numeezy...@numeezy.fr
Jul 20 18:11:49 inf-ipa-2.numeezy.fr krb5kdc[16636](info): closing down fd 12
Jul 20 18:13:00 inf-ipa-2.numeezy.fr krb5kdc[16636](info): TGS_REQ (4 etypes {18 17 16 23}) 188.165.154.171: ISSUE: authtime 1437408779, etypes {rep=18 tkt=18 ses=18}, host/mut-web-2.numeezy...@numeezy.fr for ldap/inf-ipa.numeezy...@numeezy.fr
Jul 20 18:17:02 inf-ipa-2.numeezy.fr krb5kdc[16636](info): TGS_REQ (4 etypes {18 17 16 23}) 37.59.203.170: ISSUE: authtime 1437409022, etypes {rep=18 tkt=18 ses=18}, host/ded-web-8.numeezy...@numeezy.fr for ldap/inf-ipa.numeezy...@numeezy.fr
Jul 20 18:17:05 inf-ipa-2.numeezy.fr krb5kdc[16636](info): preauth (encrypted_timestamp) verify failure: Decrypt integrity check failed
Jul 20 18:17:05 inf-ipa-2.numeezy.fr krb5kdc[16636](info): AS_REQ (4 etypes {18 17 16 23}) 188.165.154.171: PREAUTH_FAILED: ad...@numeezy.fr for krbtgt/numeezy...@numeezy.fr, Decrypt integrity check failed

Thanks for your investigation.
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
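The thread's suggestion is to grep each master's schema directory for 'dc' and compare 99user.ldif against 00core.ldif by eye. The script below automates that comparison for every attribute type, not just 'dc'. It is an example added here, not code from the thread or from the FreeIPA or 389-ds projects: it unfolds each *.ldif file in a 389-ds schema directory (LDIF continuation lines start with a space), parses every attributeTypes definition, and reports OIDs that appear in more than one file with a different NAME, SYNTAX, EQUALITY, SUBSTR or SINGLE-VALUE. The embedded sample schema is constructed: the 00core.ldif entry mirrors the RFC 4519 definition quoted above, while the 99user.ldif entry is an invented stand-in for a conflicting definition, since the thread shows only a truncated fragment of the real one. The directory path is taken from the command line and is assumed to follow the /etc/dirsrv/slapd-INSTANCE/schema layout the thread uses.

```python
import glob
import os
import re
import sys
from collections import defaultdict

# One unfolded line of the form: attributeTypes: ( <oid> <body> )
ATTR_RE = re.compile(r"^attributeTypes:\s*\(\s*(?P<oid>[0-9.]+)\s*(?P<body>.*)\)\s*$", re.I)
# Fields compared when deciding whether two definitions of the same OID agree.
FIELDS = ("names", "syntax", "equality", "substr", "single_value")

# Constructed sample: 00core.ldif mirrors the RFC 4519 'dc' definition, 99user.ldif carries an
# invented conflicting one (different syntax, matching rules, no SINGLE-VALUE). 'cn' is identical
# in both files and must not be reported.
SAMPLE_SCHEMA = {
    "00core.ldif": """dn: cn=schema
attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
  EQUALITY caseIgnoreIA5Match
  SUBSTR caseIgnoreIA5SubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
  SINGLE-VALUE
  X-ORIGIN 'RFC 4519'
  X-DEPRECATED 'domaincomponent' )
attributeTypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name X-ORIGIN 'RFC 4519' )
""",
    "99user.ldif": """dn: cn=schema
attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
  DESC 'constructed stand-in for a conflicting definition'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  X-ORIGIN 'user defined' )
attributeTypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name X-ORIGIN 'RFC 4519' )
""",
}


def unfold_ldif(text):
    """Join LDIF continuation lines: a line starting with a space continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def _keyword(body, kw):
    """Value following keyword kw: a parenthesised quoted list, one quoted string, or a bare token."""
    m = re.search(rf"(?<![\w-]){kw}\s+(\(\s*(?:'[^']*'\s*)+\)|'[^']*'|\S+)", body)
    return m.group(1) if m else None


def parse_attribute_type(line):
    """Parse one attributeTypes definition into the fields used by the conflict check."""
    m = ATTR_RE.match(line)
    if not m:
        return None
    body = m.group("body")
    name = _keyword(body, "NAME")
    return {
        "oid": m.group("oid"),
        "names": tuple(sorted(re.findall(r"'([^']*)'", name))) if name else (),
        "syntax": _keyword(body, "SYNTAX"),
        "equality": _keyword(body, "EQUALITY"),
        "substr": _keyword(body, "SUBSTR"),
        "single_value": re.search(r"(?<![\w-])SINGLE-VALUE(?![\w-])", body) is not None,
    }


def find_schema_conflicts(schema_files):
    """schema_files maps file name -> LDIF text. Returns {oid: [(file, parsed), ...]} for each
    OID defined in more than one file whose definitions do not agree on FIELDS."""
    by_oid = defaultdict(list)
    for fname in sorted(schema_files):
        for line in unfold_ldif(schema_files[fname]):
            parsed = parse_attribute_type(line)
            if parsed:
                by_oid[parsed["oid"]].append((fname, parsed))
    return {oid: defs for oid, defs in by_oid.items()
            if len(defs) > 1 and len({tuple(p[f] for f in FIELDS) for _, p in defs}) > 1}


def differing_fields(defs):
    """Names of the compared fields on which the given definitions disagree."""
    return [f for f in FIELDS if len({p[f] for _, p in defs}) > 1]


def load_schema_dir(path):
    """Read every *.ldif file in a 389-ds schema directory such as /etc/dirsrv/slapd-INSTANCE/schema."""
    files = {}
    for full in glob.glob(os.path.join(path, "*.ldif")):
        with open(full, encoding="utf-8", errors="replace") as fh:
            files[os.path.basename(full)] = fh.read()
    return files


def report(schema_files):
    """Print one block per conflicting OID and return the conflicts for further processing."""
    conflicts = find_schema_conflicts(schema_files)
    for oid, defs in sorted(conflicts.items()):
        print(f"{oid} ({', '.join(defs[0][1]['names'])}) defined differently in: "
              + ", ".join(f for f, _ in defs))
        for field in differing_fields(defs):
            print(f"  {field}: " + " | ".join(f"{f}={p[field]!r}" for f, p in defs))
    return conflicts


if __name__ == "__main__":
    # With a directory argument check a real instance, otherwise run on the constructed sample.
    report(load_schema_dir(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SCHEMA)
```

Run it on every master (for example `python3 schema_conflicts.py /etc/dirsrv/slapd-NUMEEZY-FR/schema`) and compare the outputs: because 99user.ldif is populated through replication, a definition that is wrong on one master is usually wrong on all of them, and an OID that only shows up on some masters points at where the bad definition originated. The check compares only the fields that change matching and storage behaviour; DESC and X-ORIGIN differences are deliberately ignored so that harmless annotation differences do not drown the real conflict.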