[Freeipa-users] Re: CentOS 7 ipa upgrade causes pki-tomcatd not to start CA

2018-12-29 Thread Jason Wood via FreeIPA-users
This is on all 4 systems having the issue
ipa --version
VERSION: 4.6.4, API_VERSION: 2.229

When the system was updated, ipa-server-upgrade was run, and it did complete 
successfully
2018-12-19T23:34:26Z INFO The ipa-server-upgrade command was successful

Running the command fails now, as the CA won't start, which is expected.  
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


[Freeipa-users] Re: Freeipa replica server issue

2018-12-29 Thread Sina Owolabi via FreeIPA-users
Hi

Except for the weirdness (replica or master named local-host or
localhost, which should not be), your issue looks a lot like what's
reported here:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/GTBXNF53UHCUCHQYNCCYUQWUQXEW5D2B/
You should check it out.
You should probably also rebuild your IPA domain to have reasonable
resolvable hostnames.

On Sat, Dec 29, 2018 at 7:21 PM Azim Siddiqui via FreeIPA-users wrote:
>
> Hello,
>
> Hope you are doing good.
>
> Hello All,
>
> We have a master freeipa server through which we created two more replica 
> freeipa servers. When we create a user in master server, the user was 
> automatically created into the two replica servers. Everything was working 
> fine, but now I am seeing this error for one of the replica servers, when 
> running this command
> ipa-replica-manage -v list local-host
>
> last update status: -1 Incremental update has failed and requires 
> administrator actionLDAP error: Can't contact LDAP server
>
> When I am checking the logs for /var/log/dirsrv/localhost, I can see this:
>
> [24/Dec/2018:21:27:55 +] slapi_ldap_bind - Error: could not perform 
> interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't 
> contact LDAP server)
> [24/Dec/2018:21:32:20 +] slapi_ldap_bind - Error: could not send startTLS 
> request: error -1 (Can't contact LDAP server) errno 2 (No such file or 
> directory)
> [24/Dec/2018:21:32:55 +] slapd_ldap_sasl_interactive_bind - Error: could 
> not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't 
> contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
> [24/Dec/2018:21:32:55 +] slapi_ldap_bind - Error: could not perform 
> interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't 
> contact LDAP server)
>
>
> Can you please tell me how to resolve this issue ?
> Thanks & Regards,
> Azeem


[Freeipa-users] Freeipa replica server issue

2018-12-29 Thread Azim Siddiqui via FreeIPA-users
Hello,

Hope you are doing good.

Hello All,

We have a master freeipa server through which we created two more replica
freeipa servers. When we create a user in master server, the user was
automatically created into the two replica servers. Everything was working
fine, but now I am seeing this error for one of the replica servers, when
running this command
ipa-replica-manage -v list local-host

last update status: -1 Incremental update has failed and requires
administrator actionLDAP error: Can't contact LDAP server

When I am checking the logs for /var/log/dirsrv/localhost, I can see this:

[24/Dec/2018:21:27:55 +] slapi_ldap_bind - Error: could not perform
interactive bind for id [] authentication mechanism [GSSAPI]: error -1
(Can't contact LDAP server)
[24/Dec/2018:21:32:20 +] slapi_ldap_bind - Error: could not send
startTLS request: error -1 (Can't contact LDAP server) errno 2 (No such
file or directory)
[24/Dec/2018:21:32:55 +] slapd_ldap_sasl_interactive_bind - Error:
could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1
(Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not
connected)
[24/Dec/2018:21:32:55 +] slapi_ldap_bind - Error: could not perform
interactive bind for id [] authentication mechanism [GSSAPI]: error -1
(Can't contact LDAP server)


Can you please tell me how to resolve this issue ?
Thanks & Regards,
Azeem


[Freeipa-users] Service named-pkcs11.service on replica reports error: Failed to get initial credentials (TGT) using principal 'DNS/ipa-replica.example.com' and keytab 'FILE:/etc/named.keytab' (Generi

2018-12-29 Thread 74cmonty via FreeIPA-users
Hi,

when I start service `named-pkcs11.service` on replica server I get these error 
messages:
```
Dez 29 17:33:28 ipa-replica.example.com named-pkcs11[3936]: Failed to get 
initial credentials (TGT) using principal 'DNS/ipa-replica.example.com' and 
keytab 'FILE:/etc/named.keytab' (Generic error (see e-text))
[...]
Dez 29 17:34:04 ipa-replica.example.com ipa-dnskeysyncd[3942]: ipa-dnskeysyncd: 
CRITICAL Kerberos authentication failed: Major (851968): Unspecified GSS 
failure.  Minor code may provide more information, Minor (2529638972): Generic 
error (see e-text)
Dez 29 17:34:04 ipa-replica.example.com systemd[1]: ipa-dnskeysyncd.service: 
Main process exited, code=exited, status=1/FAILURE
```

The service is starting successfully though.

The full log is available here: http://freetexthost.com/e53jnsslf1

What's causing this error?


[Freeipa-users] Service named-pkcs11.service on master fails: Process 3946 (named-pkcs11) of user 25 dumped core

2018-12-29 Thread 74cmonty via FreeIPA-users
Hi,
starting service `named-pkcs11.service` fails with a core dump:
```
Dez 29 17:32:25 ipa-master.example.com systemd-coredump[2901]: Process 2895 (named-pkcs11) of user 25 dumped core.

Stack trace of thread 2897:
#0  0x7f2b386c753f raise (libc.so.6)
#1  0x7f2b386b1895 abort (libc.so.6)
#2  0x7f2b386b1769 __assert_fail_base.cold.0 (libc.so.6)
#3  0x7f2b386bf9f6 __assert_fail (libc.so.6)
#4  0x7f2b38fb8c95 n/a (libkrb5.so.3)
#5  0x7f2b38fb96ef n/a (libkrb5.so.3)
#6  0x7f2b38fc2d0c n/a (libkrb5.so.3)
#7  0x7f2b38fbc8b3 n/a (libkrb5.so.3)
#8  0x7f2b38fbb9dd krb5_cc_select (libkrb5.so.3)
#9  0x7f2b3909b959 n/a (libgssapi_krb5.so.2)
#10 0x7f2b390a4a82 n/a (libgssapi_krb5.so.2)
#11 0x7f2b390a5b06 n/a (libgssapi_krb5.so.2)
#12 0x7f2b3908f0bb gss_init_sec_context (libgssapi_krb5.so.2)
#13 0x7f2b34824667 gssapi_client_mech_step (libgssapiv2.so)
#14 0x7f2b34907471 sasl_client_step (libsasl2.so.3)
#15 0x7f2b349075fa sasl_client_start (libsasl2.so.3)
#16 0x7f2b3494624b ldap_int_sasl_bind (libldap-2.4.so.2)
#17 0x7f2b349498ec ldap_sasl_interactive_bind (libldap-2.4.so.2)
#18 0x7f2b34949b0a ldap_sasl_interactive_bind_s (libldap-2.4.so.2)
#19 0x7f2b34992c6f ldap_connect (ldap.so)
#20 0x7f2b3499fa90 new_ldap_instance (ldap.so)
#21 0x7f2b34990292 dyndb_init (ldap.so)
#22 0x7f2b3943f75a dns_dyndb_load (libdns-pkcs11.so.1102)
#23 0x5612e6a46718 n/a (named-pkcs11)
#24 0x5612e6a53ed3 n/a (named-pkcs11)
#25 0x5612e6a54f47 n/a (named-pkcs11)
#26 0x7f2b3938d899 n/a (libisc-pkcs11.so.169)
#27 0x7f2b38bd458e start_thread (libpthread.so.0)
#28 0x7f2b3878c6a3 __clone (libc.so.6)

Stack trace of thread 2898:
#0  0x7f2b38bdaa8a pthread_cond_timedwait@@GLIBC_2.3.2 (libpthread.so.0)
#1  0x7f2b393ad2b0 isc_condition_waituntil (libisc-pkcs11.so.169)
#2  0x7f2b39394683 n/a (libisc-pkcs11.so.169)
#3  0x7f2b38bd458e start_thread (libpthread.so.0)
#4  0x7f2b3878c6a3 __clone (libc.so.6)

Stack trace of thread 2899:
#0  0x7f2b3878c9d7 epoll_wait (libc.so.6)
#1  0x7f2b393a501c n/a (libisc-pkcs11.so.169)
```

[Freeipa-users] Re: CentOS 7 ipa upgrade causes pki-tomcatd not to start CA

2018-12-29 Thread Grant Janssen via FreeIPA-users
I recently performed this on my servers.
what does “ipa --version” show?
after the yum update, did you run “ipa-server-upgrade”?

- grant