Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2016-12-19 Thread Martin Basti



On 17.12.2016 19:30, Brian J. Murrell wrote:

On Fri, 2016-12-16 at 22:53 -0500, Brian J. Murrell wrote:

Hi,

After upgrading to EL 7.3 which included an upgrade of IPA from
4.2.0-15.0.1.el7.centos.19 to 4.4.0-14.el7.centos I'm getting:

22:01:00 ipa-dnskeysyncd ipa : INFO LDAP bind...
22:01:00 ipa-dnskeysyncd ipa : ERRORLogin to LDAP server

I wonder if this is related:

https://bugzilla.redhat.com/show_bug.cgi?id=1405716
SELinux is preventing /usr/bin/python2.7 from read access on the file
unix.

It has started to show up as of this IPA upgrade also.

Cheers,
b.




Hello,

could you recheck with SELinux in permissive mode?

Martin
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2016-12-19 Thread Brian J. Murrell
On Mon, 2016-12-19 at 09:42 +0100, Martin Basti wrote:
> 
> Hello,
> 
> could you recheck with SELinux in permissive mode?

Yeah, still happens even after doing:

# setenforce 0

Cheers,
b.



Re: [Freeipa-users] Replica Creation Issue

2016-12-19 Thread Christian McNamara
It seems like it is indeed not running. ipactl restart is only starting one
dirsrv. I recently learned this server is itself a replica of an earlier
server. Is it possible it was never meant to be a CA?

--
Christian McNamara

Christian McNamara
Chief Technology Officer
South Side Hackerspace: Chicago

On Thu, Dec 15, 2016 at 6:21 AM, Petr Vobornik  wrote:

> On 12/14/2016 03:27 PM, Christian McNamara wrote:
> > Hi all,
> >
> > I recently inherited a FreeIPA system that I believe is running v3.0, and I'm
> > trying to upgrade to the latest version. Following documentation, I'm trying to
> > create a replica but I'm running into problems connecting to the LDAP server.
> > Here's the output I get when trying to prepare a replica:
> >
> > $ sudo ipa-replica-prepare auth4.sshchicago.org --ip-address 172.31.31.36
> > Directory Manager (existing master) password:
> >
> > Preparing replica for auth4.sshchicago.org from auth3.sshchicago.org
> > preparation of replica failed: cannot connect to
> > u'ldaps://auth3.sshchicago.org:7390': LDAP Server Down
> > cannot connect to u'ldaps://auth3.sshchicago.org:7390': LDAP Server Down
> >   File "/usr/sbin/ipa-replica-prepare", line 529, in
> >     main()
> >
> >   File "/usr/sbin/ipa-replica-prepare", line 391, in main
> >     update_pki_admin_password(dirman_password)
> >
> >   File "/usr/sbin/ipa-replica-prepare", line 247, in update_pki_admin_password
> >     bind_pw=dirman_password
> >
> >   File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in connect
> >     conn = self.create_connection(*args, **kw)
> >
> >   File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 846, in create_connection
> >     self.handle_errors(e)
> >
> >   File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 736, in handle_errors
> >     error=u'LDAP Server Down')
> >
> >
> > It says that our LDAP server is down, but it's trying to connect using the wrong
> > port number. Our LDAP server runs on 389, not 7390, and I can't figure out how
> > to specify this to the prepare script.
> >
> > Any ideas?
> >
>
> IPA 3.0 has 2 instances of directory server. One for domain data, the second
> for PKI CA data. IPA 4.x instances have them merged.
>
> So port 7390 is ldaps for the PKI-IPA DS instance, e.g. equivalent to
> port 636 of the domain DS instance.  Similar mapping is with 7389 and 389
> ports.
>
> Therefore I'd check if PKI-IPA is running or if it is listening there.
>
> Relevant logs are in:
>   /var/log/dirsrv/slapd-PKI-IPA/errors
>
> Example  of `ipactl restart`:
>
> Shutting down dirsrv:
> DOM-189-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM...  [  OK  ]
> PKI-IPA... [  OK  ]
> Starting dirsrv:
> DOM-189-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM...  [  OK  ]
> PKI-IPA... [  OK  ]
> Restarting KDC Service
> Stopping Kerberos 5 KDC:   [  OK  ]
> Starting Kerberos 5 KDC:   [  OK  ]
> Restarting KPASSWD Service
> Stopping Kerberos 5 Admin Server:  [  OK  ]
> Starting Kerberos 5 Admin Server:  [  OK  ]
> Restarting DNS Service
> Stopping named: .  [  OK  ]
> Starting named:[  OK  ]
> Restarting MEMCACHE Service
> Stopping ipa_memcached:[  OK  ]
> Starting ipa_memcached:[  OK  ]
> Restarting HTTP Service
> Stopping httpd:[  OK  ]
> Starting httpd:[  OK  ]
> Restarting CA Service  [  OK  ]
> Starting pki-ca:   [  OK  ]
>
> --
> Petr Vobornik
>

[Freeipa-users] ipa-dnskeysyncd not starting

2016-12-19 Thread Rob Verduijn
Hello,

I'm running ipa on centos 7.3 with the latest patches applied.

It seems to run fine however the ipa-dnskeysyncd keeps failing to start and
I keep seeing this message in my logs:

ipa-dnskeysyncd[25663]: ipa : INFO LDAP bind...
python2[25663]: GSSAPI client step 1
python2[25663]: GSSAPI client step 1
ns-slapd[2569]: GSSAPI server step 1
python2[25663]: GSSAPI client step 1
ns-slapd[2569]: GSSAPI server step 2
python2[25663]: GSSAPI client step 2
ns-slapd[2569]: GSSAPI server step 3
ipa-dnskeysyncd[25663]: ipa : INFO Commencing sync process
ipa-dnskeysyncd[25663]: ipa.ipapython.dnssec.keysyncer.KeySyncer: INFO
Initial LDAP dump is done, sychronizing with ODS and BIND
python2[25674]: GSSAPI client step 1
python2[25674]: GSSAPI client step 1
ns-slapd[2569]: GSSAPI server step 1
python2[25674]: GSSAPI client step 1
ns-slapd[2569]: GSSAPI server step 2
python2[25674]: GSSAPI client step 2
ns-slapd[2569]: GSSAPI server step 3
ipa-dnskeysyncd[25663]: Traceback (most recent call last):
ipa-dnskeysyncd[25663]: File "/usr/libexec/ipa/ipa-dnskeysyncd", line 110,
in 
ipa-dnskeysyncd[25663]: while ldap_connection.syncrepl_poll(all=1,
msgid=ldap_search):
ipa-dnskeysyncd[25663]: File
"/usr/lib64/python2.7/site-packages/ldap/syncrepl.py", line 405, in
syncrepl_poll
ipa-dnskeysyncd[25663]: self.syncrepl_refreshdone()
ipa-dnskeysyncd[25663]: File
"/usr/lib/python2.7/site-packages/ipapython/dnssec/keysyncer.py", line 115,
in syncrepl_refreshdone
ipa-dnskeysyncd[25663]: self.hsm_replica_sync()
ipa-dnskeysyncd[25663]: File
"/usr/lib/python2.7/site-packages/ipapython/dnssec/keysyncer.py", line 181,
in hsm_replica_sync
ipa-dnskeysyncd[25663]: ipautil.run([paths.IPA_DNSKEYSYNCD_REPLICA])
ipa-dnskeysyncd[25663]: File
"/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 494, in run
ipa-dnskeysyncd[25663]: raise CalledProcessError(p.returncode, arg_string,
str(output))
ipa-dnskeysyncd[25663]: subprocess.CalledProcessError: Command
'/usr/libexec/ipa/ipa-dnskeysync-replica' returned non-zero exit status 1
systemd[1]: ipa-dnskeysyncd.service: main process exited, code=exited,
status=1/FAILURE
systemd[1]: Unit ipa-dnskeysyncd.service entered failed state.
systemd[1]: ipa-dnskeysyncd.service failed.

for some reason the ipa-dnskeysyncd keeps crashing.
Anybody know where to start looking for this one ?

Rob Verduijn

Re: [Freeipa-users] ipa-dnskeysyncd not starting

2016-12-19 Thread Petr Spacek
On 19.12.2016 14:07, Rob Verduijn wrote:
> Hello,
> 
> I'm running ipa on centos 7.3 with the latest patches applied.
> 
> It seems to run fine however the ipa-dnskeysyncd keeps failing to start and
> I keep seeing this message in my logs:
> 
> ipa-dnskeysyncd[25663]: ipa : INFO LDAP bind...
> python2[25663]: GSSAPI client step 1
> python2[25663]: GSSAPI client step 1
> ns-slapd[2569]: GSSAPI server step 1
> python2[25663]: GSSAPI client step 1
> ns-slapd[2569]: GSSAPI server step 2
> python2[25663]: GSSAPI client step 2
> ns-slapd[2569]: GSSAPI server step 3
> ipa-dnskeysyncd[25663]: ipa : INFO Commencing sync process
> ipa-dnskeysyncd[25663]: ipa.ipapython.dnssec.keysyncer.KeySyncer: INFO
> Initial LDAP dump is done, sychronizing with ODS and BIND
> python2[25674]: GSSAPI client step 1
> python2[25674]: GSSAPI client step 1
> ns-slapd[2569]: GSSAPI server step 1
> python2[25674]: GSSAPI client step 1
> ns-slapd[2569]: GSSAPI server step 2
> python2[25674]: GSSAPI client step 2
> ns-slapd[2569]: GSSAPI server step 3
> ipa-dnskeysyncd[25663]: Traceback (most recent call last):
> ipa-dnskeysyncd[25663]: File "/usr/libexec/ipa/ipa-dnskeysyncd", line 110,
> in 
> ipa-dnskeysyncd[25663]: while ldap_connection.syncrepl_poll(all=1,
> msgid=ldap_search):
> ipa-dnskeysyncd[25663]: File
> "/usr/lib64/python2.7/site-packages/ldap/syncrepl.py", line 405, in
> syncrepl_poll
> ipa-dnskeysyncd[25663]: self.syncrepl_refreshdone()
> ipa-dnskeysyncd[25663]: File
> "/usr/lib/python2.7/site-packages/ipapython/dnssec/keysyncer.py", line 115,
> in syncrepl_refreshdone
> ipa-dnskeysyncd[25663]: self.hsm_replica_sync()
> ipa-dnskeysyncd[25663]: File
> "/usr/lib/python2.7/site-packages/ipapython/dnssec/keysyncer.py", line 181,
> in hsm_replica_sync
> ipa-dnskeysyncd[25663]: ipautil.run([paths.IPA_DNSKEYSYNCD_REPLICA])
> ipa-dnskeysyncd[25663]: File
> "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 494, in run
> ipa-dnskeysyncd[25663]: raise CalledProcessError(p.returncode, arg_string,
> str(output))
> ipa-dnskeysyncd[25663]: subprocess.CalledProcessError: Command
> '/usr/libexec/ipa/ipa-dnskeysync-replica' returned non-zero exit status 1
> systemd[1]: ipa-dnskeysyncd.service: main process exited, code=exited,
> status=1/FAILURE
> systemd[1]: Unit ipa-dnskeysyncd.service entered failed state.
> systemd[1]: ipa-dnskeysyncd.service failed.
> 
> for some reason the ipa-dnskeysyncd keeps crashing.
> Anybody know where to start looking for this one ?

Please raise the debug level so we can see something in the logs:

http://www.freeipa.org/page/Troubleshooting#ipa_command_crashes_or_returns_no_data

-- 
Petr^2 Spacek



Re: [Freeipa-users] Kerberos realm for different domain

2016-12-19 Thread Petr Spacek
On 15.12.2016 23:59, Brian Candler wrote:
>> On Sun, Dec 11, 2016 at 11:31 PM, David Kupka wrote:
>>
>>
>> yes you can do it. DNS domain and Kerberos realm are two different
>> things. It's common and AFAIK recommended to capitalize DNS domain
>> to get the realm but it's not required.
>> If you really want to have them different make sure:
>> a) anotherdomain.com is under your control,
>> b) you don't already have other Kerberos instance (FreeIPA, MIT
>> KRB5, MS AD, ...) with ANOTHERDOMAIN.COM realm deployed.
>>
>> With FreeIPA you can run
>> # ipa-server-install --domain example.com --realm ANOTHERDOMAIN.COM
>>
>> But before you do, why do you want to have the realm different
>> from the domain?
>>
>>
> 
> Question: what "domain" does the --domain option to ipa-server-install
> actually refer to?
> 
> The man page just says " Your DNS domain name". But what does it actually 
> alter?
> 
> 1. the DNS domain which holds the kerberos realm location information? I don't
> think so; I think if you are searching for realm FOO.COM you'll always look in
> the DNS under "foo.com", that's a fixed relationship.
> 
> 2. the DNS name of the IPA server itself? But if set up correctly, it already
> has an FQDN (as reported by "hostname -f"). And if you give the "--hostname"
> option, that's a FQDN not a bare hostname.
> 
> 3. the DNS zone which IPA is authoritative for? But you can run IPA without
> integrated DNS.
> 
> 4. the LDAP base DN? I guess that could be it: e.g. "--domain foo.com" puts
> everything under tree "dc=foo,dc=com"?
> 
> 5. something else?

I've tried to clarify things in the man pages and on the web as well. Please have a
look at the changes and let us know if it is better or not, and preferably what
can be improved and in which way :-)

The modified deployment page is here:
http://www.freeipa.org/page/Deployment_Recommendations

Man page changes and changes in description of installer options are here:
https://github.com/freeipa/freeipa/pull/352

-- 
Petr^2 Spacek



Re: [Freeipa-users] ipa-dnskeysyncd not starting

2016-12-19 Thread Rob Verduijn
2016-12-19 15:52 GMT+01:00 Petr Spacek :

> On 19.12.2016 14:07, Rob Verduijn wrote:
> > Hello,
> >
> > I'm running ipa on centos 7.3 with the latest patches applied.
> >
> > It seems to run fine however the ipa-dnskeysyncd keeps failing to start
> and
> > I keep seeing this message in my logs:
> >
> > ipa-dnskeysyncd[25663]: ipa : INFO LDAP bind...
> > python2[25663]: GSSAPI client step 1
> > python2[25663]: GSSAPI client step 1
> > ns-slapd[2569]: GSSAPI server step 1
> > python2[25663]: GSSAPI client step 1
> > ns-slapd[2569]: GSSAPI server step 2
> > python2[25663]: GSSAPI client step 2
> > ns-slapd[2569]: GSSAPI server step 3
> > ipa-dnskeysyncd[25663]: ipa : INFO Commencing sync process
> > ipa-dnskeysyncd[25663]: ipa.ipapython.dnssec.keysyncer.KeySyncer: INFO
> > Initial LDAP dump is done, sychronizing with ODS and BIND
> > python2[25674]: GSSAPI client step 1
> > python2[25674]: GSSAPI client step 1
> > ns-slapd[2569]: GSSAPI server step 1
> > python2[25674]: GSSAPI client step 1
> > ns-slapd[2569]: GSSAPI server step 2
> > python2[25674]: GSSAPI client step 2
> > ns-slapd[2569]: GSSAPI server step 3
> > ipa-dnskeysyncd[25663]: Traceback (most recent call last):
> > ipa-dnskeysyncd[25663]: File "/usr/libexec/ipa/ipa-dnskeysyncd", line
> 110,
> > in 
> > ipa-dnskeysyncd[25663]: while ldap_connection.syncrepl_poll(all=1,
> > msgid=ldap_search):
> > ipa-dnskeysyncd[25663]: File
> > "/usr/lib64/python2.7/site-packages/ldap/syncrepl.py", line 405, in
> > syncrepl_poll
> > ipa-dnskeysyncd[25663]: self.syncrepl_refreshdone()
> > ipa-dnskeysyncd[25663]: File
> > "/usr/lib/python2.7/site-packages/ipapython/dnssec/keysyncer.py", line
> 115,
> > in syncrepl_refreshdone
> > ipa-dnskeysyncd[25663]: self.hsm_replica_sync()
> > ipa-dnskeysyncd[25663]: File
> > "/usr/lib/python2.7/site-packages/ipapython/dnssec/keysyncer.py", line
> 181,
> > in hsm_replica_sync
> > ipa-dnskeysyncd[25663]: ipautil.run([paths.IPA_DNSKEYSYNCD_REPLICA])
> > ipa-dnskeysyncd[25663]: File
> > "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 494, in
> run
> > ipa-dnskeysyncd[25663]: raise CalledProcessError(p.returncode,
> arg_string,
> > str(output))
> > ipa-dnskeysyncd[25663]: subprocess.CalledProcessError: Command
> > '/usr/libexec/ipa/ipa-dnskeysync-replica' returned non-zero exit status
> 1
> > systemd[1]: ipa-dnskeysyncd.service: main process exited, code=exited,
> > status=1/FAILURE
> > systemd[1]: Unit ipa-dnskeysyncd.service entered failed state.
> > systemd[1]: ipa-dnskeysyncd.service failed.
> >
> > for some reason the ipa-dnskeysyncd keeps crashing.
> > Anybody know where to start looking for this one ?
>
> Please raise the debug level so we can see something in the logs:
>
> http://www.freeipa.org/page/Troubleshooting#ipa_command_crashes_or_returns_no_data
>
> --
> Petr^2 Spacek
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>

Hello,

The file /etc/ipa/ipa.conf or the file /etc/ipa/server.conf do not exist on
my system.
How to set debugging in this case ?

Rob

Re: [Freeipa-users] ipa-dnskeysyncd not starting

2016-12-19 Thread Rob Verduijn
2016-12-19 16:07 GMT+01:00 Rob Verduijn :

>
>
>
> 2016-12-19 15:52 GMT+01:00 Petr Spacek :
>
>> On 19.12.2016 14:07, Rob Verduijn wrote:
>> > Hello,
>> >
>> > I'm running ipa on centos 7.3 with the latest patches applied.
>> >
>> > It seems to run fine however the ipa-dnskeysyncd keeps failing to start
>> and
>> > I keep seeing this message in my logs:
>> >
>> > ipa-dnskeysyncd[25663]: ipa : INFO LDAP bind...
>> > python2[25663]: GSSAPI client step 1
>> > python2[25663]: GSSAPI client step 1
>> > ns-slapd[2569]: GSSAPI server step 1
>> > python2[25663]: GSSAPI client step 1
>> > ns-slapd[2569]: GSSAPI server step 2
>> > python2[25663]: GSSAPI client step 2
>> > ns-slapd[2569]: GSSAPI server step 3
>> > ipa-dnskeysyncd[25663]: ipa : INFO Commencing sync process
>> > ipa-dnskeysyncd[25663]: ipa.ipapython.dnssec.keysyncer.KeySyncer: INFO
>> > Initial LDAP dump is done, sychronizing with ODS and BIND
>> > python2[25674]: GSSAPI client step 1
>> > python2[25674]: GSSAPI client step 1
>> > ns-slapd[2569]: GSSAPI server step 1
>> > python2[25674]: GSSAPI client step 1
>> > ns-slapd[2569]: GSSAPI server step 2
>> > python2[25674]: GSSAPI client step 2
>> > ns-slapd[2569]: GSSAPI server step 3
>> > ipa-dnskeysyncd[25663]: Traceback (most recent call last):
>> > ipa-dnskeysyncd[25663]: File "/usr/libexec/ipa/ipa-dnskeysyncd", line
>> 110,
>> > in 
>> > ipa-dnskeysyncd[25663]: while ldap_connection.syncrepl_poll(all=1,
>> > msgid=ldap_search):
>> > ipa-dnskeysyncd[25663]: File
>> > "/usr/lib64/python2.7/site-packages/ldap/syncrepl.py", line 405, in
>> > syncrepl_poll
>> > ipa-dnskeysyncd[25663]: self.syncrepl_refreshdone()
>> > ipa-dnskeysyncd[25663]: File
>> > "/usr/lib/python2.7/site-packages/ipapython/dnssec/keysyncer.py", line
>> 115,
>> > in syncrepl_refreshdone
>> > ipa-dnskeysyncd[25663]: self.hsm_replica_sync()
>> > ipa-dnskeysyncd[25663]: File
>> > "/usr/lib/python2.7/site-packages/ipapython/dnssec/keysyncer.py", line
>> 181,
>> > in hsm_replica_sync
>> > ipa-dnskeysyncd[25663]: ipautil.run([paths.IPA_DNSKEYSYNCD_REPLICA])
>> > ipa-dnskeysyncd[25663]: File
>> > "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 494, in
>> run
>> > ipa-dnskeysyncd[25663]: raise CalledProcessError(p.returncode,
>> arg_string,
>> > str(output))
>> > ipa-dnskeysyncd[25663]: subprocess.CalledProcessError: Command
>> > '/usr/libexec/ipa/ipa-dnskeysync-replica' returned non-zero exit
>> status 1
>> > systemd[1]: ipa-dnskeysyncd.service: main process exited, code=exited,
>> > status=1/FAILURE
>> > systemd[1]: Unit ipa-dnskeysyncd.service entered failed state.
>> > systemd[1]: ipa-dnskeysyncd.service failed.
>> >
>> > for some reason the ipa-dnskeysyncd keeps crashing.
>> > Anybody know where to start looking for this one ?
>>
>> Please raise the debug level so we can see something in the logs:
>>
>> http://www.freeipa.org/page/Troubleshooting#ipa_command_crashes_or_returns_no_data
>>
>> --
>> Petr^2 Spacek
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>
> Hello,
>
> The file /etc/ipa/ipa.conf or the file /etc/ipa/server.conf do not exist
> on my system.
> How to set debugging in this case ?
>
> Rob
>

I've set the debug level in /etc/ipa/default.conf

now I get this output
 systemd[1]: ipa-dnskeysyncd.service: main process exited, code=exited,
status=1/FAILURE
 systemd[1]: Unit ipa-dnskeysyncd.service entered failed state.
 systemd[1]: ipa-dnskeysyncd.service failed.
 systemd[1]: ipa-dnskeysyncd.service holdoff time over, scheduling restart.
 systemd[1]: Started IPA key daemon.
 systemd[1]: Starting IPA key daemon...
 ipa-dnskeysyncd[30568]: ipa : INFO LDAP bind...
 python2[30568]: GSSAPI client step 1
 python2[30568]: GSSAPI client step 1
 ns-slapd[26744]: GSSAPI server step 1
 python2[30568]: GSSAPI client step 1
 ns-slapd[26744]: GSSAPI server step 2
 python2[30568]: GSSAPI client step 2
 ns-slapd[26744]: GSSAPI server step 3
 ipa-dnskeysyncd[30568]: ipa : INFO Commencing sync process
 ipa-dnskeysyncd[30568]: ipa.ipapython.dnssec.keysyncer.KeySyncer: INFO
Initial LDAP dump is done, sychronizing with ODS and BIND
 python2[30579]: GSSAPI client step 1
 python2[30579]: GSSAPI client step 1
 ns-slapd[26744]: GSSAPI server step 1
 python2[30579]: GSSAPI client step 1
 ns-slapd[26744]: GSSAPI server step 2
 python2[30579]: GSSAPI client step 2
 ns-slapd[26744]: GSSAPI server step 3
 python2[30579]: ObjectStore.cpp(59): Failed to enumerate object store in
/var/lib/softhsm/tokens/
 python2[30579]: SoftHSM.cpp(476): Could not load the object store
 ipa-dnskeysyncd[30568]: Traceback (most recent call last):
 ipa-dnskeysyncd[30568]: File "/usr/libexec/ipa/ipa-dnskeysyncd", line 110,
in 
 ipa-dnskeysyncd[30568]: while ldap_connection.syncrepl_poll(all=1,
msgid=ldap_search):
 ipa-dnskeysyncd[30568]: File
"/usr/lib64/python2.7/site-package

Re: [Freeipa-users] ipa-dnskeysyncd not starting

2016-12-19 Thread Martin Basti



On 19.12.2016 16:27, Rob Verduijn wrote:



2016-12-19 16:07 GMT+01:00 Rob Verduijn:





2016-12-19 15:52 GMT+01:00 Petr Spacek <pspa...@redhat.com>:

On 19.12.2016 14:07, Rob Verduijn wrote:
> Hello,
>
> I'm running ipa on centos 7.3 with the latest patches applied.
>
> It seems to run fine however the ipa-dnskeysyncd keeps
failing to start and
> I keep seeing this message in my logs:
>
> ipa-dnskeysyncd[25663]: ipa : INFO LDAP bind...
> python2[25663]: GSSAPI client step 1
> python2[25663]: GSSAPI client step 1
> ns-slapd[2569]: GSSAPI server step 1
> python2[25663]: GSSAPI client step 1
> ns-slapd[2569]: GSSAPI server step 2
> python2[25663]: GSSAPI client step 2
> ns-slapd[2569]: GSSAPI server step 3
> ipa-dnskeysyncd[25663]: ipa : INFO Commencing
sync process
> ipa-dnskeysyncd[25663]:
ipa.ipapython.dnssec.keysyncer.KeySyncer: INFO
> Initial LDAP dump is done, sychronizing with ODS and BIND
> python2[25674]: GSSAPI client step 1
> python2[25674]: GSSAPI client step 1
> ns-slapd[2569]: GSSAPI server step 1
> python2[25674]: GSSAPI client step 1
> ns-slapd[2569]: GSSAPI server step 2
> python2[25674]: GSSAPI client step 2
> ns-slapd[2569]: GSSAPI server step 3
> ipa-dnskeysyncd[25663]: Traceback (most recent call last):
> ipa-dnskeysyncd[25663]: File
"/usr/libexec/ipa/ipa-dnskeysyncd", line 110,
> in 
> ipa-dnskeysyncd[25663]: while
ldap_connection.syncrepl_poll(all=1,
> msgid=ldap_search):
> ipa-dnskeysyncd[25663]: File
> "/usr/lib64/python2.7/site-packages/ldap/syncrepl.py", line
405, in
> syncrepl_poll
> ipa-dnskeysyncd[25663]: self.syncrepl_refreshdone()
> ipa-dnskeysyncd[25663]: File
>
"/usr/lib/python2.7/site-packages/ipapython/dnssec/keysyncer.py",
line 115,
> in syncrepl_refreshdone
> ipa-dnskeysyncd[25663]: self.hsm_replica_sync()
> ipa-dnskeysyncd[25663]: File
>
"/usr/lib/python2.7/site-packages/ipapython/dnssec/keysyncer.py",
line 181,
> in hsm_replica_sync
> ipa-dnskeysyncd[25663]:
ipautil.run([paths.IPA_DNSKEYSYNCD_REPLICA])
> ipa-dnskeysyncd[25663]: File
> "/usr/lib/python2.7/site-packages/ipapython/ipautil.py",
line 494, in run
> ipa-dnskeysyncd[25663]: raise
CalledProcessError(p.returncode, arg_string,
> str(output))
> ipa-dnskeysyncd[25663]: subprocess.CalledProcessError: Command
> '/usr/libexec/ipa/ipa-dnskeysync-replica' returned non-zero
exit status 1
> systemd[1]: ipa-dnskeysyncd.service: main process exited,
code=exited,
> status=1/FAILURE
> systemd[1]: Unit ipa-dnskeysyncd.service entered failed state.
> systemd[1]: ipa-dnskeysyncd.service failed.
>
> for some reason the ipa-dnskeysyncd keeps crashing.
> Anybody know where to start looking for this one ?

Please raise the debug level so we can see something in the logs:


http://www.freeipa.org/page/Troubleshooting#ipa_command_crashes_or_returns_no_data



--
Petr^2 Spacek

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users

Go to http://freeipa.org for more info on the project


Hello,

The file /etc/ipa/ipa.conf or the file /etc/ipa/server.conf do not
exist on my system.
How to set debugging in this case ?

Rob


I've set the debug level in /etc/ipa/default.conf

now I get this output
 systemd[1]: ipa-dnskeysyncd.service: main process exited, 
code=exited, status=1/FAILURE

 systemd[1]: Unit ipa-dnskeysyncd.service entered failed state.
 systemd[1]: ipa-dnskeysyncd.service failed.
 systemd[1]: ipa-dnskeysyncd.service holdoff time over, scheduling 
restart.

 systemd[1]: Started IPA key daemon.
 systemd[1]: Starting IPA key daemon...
 ipa-dnskeysyncd[30568]: ipa : INFO LDAP bind...
 python2[30568]: GSSAPI client step 1
 python2[30568]: GSSAPI client step 1
 ns-slapd[26744]: GSSAPI server step 1
 python2[30568]: GSSAPI client step 1
 ns-slapd[26744]: GSSAPI server step 2
 python2[30568]: GSSAPI client step 2
 ns-slapd[26744]: GSSAPI server step 3
 ipa-dnskeysyncd[30568]: ipa : INFO Commencing sync process
 ipa-dnskeysyncd[30568]: ipa.ipapython.dnssec.keysyncer.KeySyncer: 
INFO Initial LDAP dump is done, sychronizing with ODS and BIND

 python2[30579]: GSSAPI client step 1
 pyt

Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2016-12-19 Thread Martin Basti



On 19.12.2016 13:19, Brian J. Murrell wrote:

On Mon, 2016-12-19 at 09:42 +0100, Martin Basti wrote:

Hello,

could you recheck with SELinux in permissive mode?

Yeah, still happens even after doing:

# setenforce 0

Cheers,
b.


could you please kinit as service?


kinit -kt /etc/ipa/dnssec/ipa-dnskeysyncd.keytab ipa-dnskeysyncd/$(hostname)


Martin



Re: [Freeipa-users] ipa-dnskeysyncd not starting

2016-12-19 Thread Rob Verduijn
2016-12-19 17:06 GMT+01:00 Martin Basti :

>
>
> On 19.12.2016 16:27, Rob Verduijn wrote:
>
>
>
> 2016-12-19 16:07 GMT+01:00 Rob Verduijn :
>
>>
>>
>>
>> 2016-12-19 15:52 GMT+01:00 Petr Spacek :
>>
>>> On 19.12.2016 14:07, Rob Verduijn wrote:
>>> > Hello,
>>> >
>>> > I'm running ipa on centos 7.3 with the latest patches applied.
>>> >
>>> > It seems to run fine however the ipa-dnskeysyncd keeps failing to start
>>> and
>>> > I keep seeing this message in my logs:
>>> >
>>> > ipa-dnskeysyncd[25663]: ipa : INFO LDAP bind...
>>> > python2[25663]: GSSAPI client step 1
>>> > python2[25663]: GSSAPI client step 1
>>> > ns-slapd[2569]: GSSAPI server step 1
>>> > python2[25663]: GSSAPI client step 1
>>> > ns-slapd[2569]: GSSAPI server step 2
>>> > python2[25663]: GSSAPI client step 2
>>> > ns-slapd[2569]: GSSAPI server step 3
>>> > ipa-dnskeysyncd[25663]: ipa : INFO Commencing sync process
>>> > ipa-dnskeysyncd[25663]: ipa.ipapython.dnssec.keysyncer.KeySyncer: INFO
>>> > Initial LDAP dump is done, sychronizing with ODS and BIND
>>> > python2[25674]: GSSAPI client step 1
>>> > python2[25674]: GSSAPI client step 1
>>> > ns-slapd[2569]: GSSAPI server step 1
>>> > python2[25674]: GSSAPI client step 1
>>> > ns-slapd[2569]: GSSAPI server step 2
>>> > python2[25674]: GSSAPI client step 2
>>> > ns-slapd[2569]: GSSAPI server step 3
>>> > ipa-dnskeysyncd[25663]: Traceback (most recent call last):
>>> > ipa-dnskeysyncd[25663]: File "/usr/libexec/ipa/ipa-dnskeysyncd", line
>>> 110,
>>> > in 
>>> > ipa-dnskeysyncd[25663]: while ldap_connection.syncrepl_poll(all=1,
>>> > msgid=ldap_search):
>>> > ipa-dnskeysyncd[25663]: File
>>> > "/usr/lib64/python2.7/site-packages/ldap/syncrepl.py", line 405, in
>>> > syncrepl_poll
>>> > ipa-dnskeysyncd[25663]: self.syncrepl_refreshdone()
>>> > ipa-dnskeysyncd[25663]: File
>>> > "/usr/lib/python2.7/site-packages/ipapython/dnssec/keysyncer.py",
>>> line 115,
>>> > in syncrepl_refreshdone
>>> > ipa-dnskeysyncd[25663]: self.hsm_replica_sync()
>>> > ipa-dnskeysyncd[25663]: File
>>> > "/usr/lib/python2.7/site-packages/ipapython/dnssec/keysyncer.py",
>>> line 181,
>>> > in hsm_replica_sync
>>> > ipa-dnskeysyncd[25663]: ipautil.run([paths.IPA_DNSKEYSYNCD_REPLICA])
>>> > ipa-dnskeysyncd[25663]: File
>>> > "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 494, in
>>> run
>>> > ipa-dnskeysyncd[25663]: raise CalledProcessError(p.returncode,
>>> arg_string,
>>> > str(output))
>>> > ipa-dnskeysyncd[25663]: subprocess.CalledProcessError: Command
>>> > '/usr/libexec/ipa/ipa-dnskeysync-replica' returned non-zero exit
>>> status 1
>>> > systemd[1]: ipa-dnskeysyncd.service: main process exited, code=exited,
>>> > status=1/FAILURE
>>> > systemd[1]: Unit ipa-dnskeysyncd.service entered failed state.
>>> > systemd[1]: ipa-dnskeysyncd.service failed.
>>> >
>>> > for some reason the ipa-dnskeysyncd keeps crashing.
>>> > Anybody know where to start looking for this one ?
>>>
>>> Please raise the debug level so we can see something in the logs:
>>>
>>> http://www.freeipa.org/page/Troubleshooting#ipa_command_crashes_or_returns_no_data
>>>
>>> --
>>> Petr^2 Spacek
>>>
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project
>>>
>>
>> Hello,
>>
>> The file /etc/ipa/ipa.conf or the file /etc/ipa/server.conf do not exist
>> on my system.
>> How to set debugging in this case ?
>>
>> Rob
>>
>
> I've set the debug level in /etc/ipa/default.conf
>
> now I get this output
>  systemd[1]: ipa-dnskeysyncd.service: main process exited, code=exited,
> status=1/FAILURE
>  systemd[1]: Unit ipa-dnskeysyncd.service entered failed state.
>  systemd[1]: ipa-dnskeysyncd.service failed.
>  systemd[1]: ipa-dnskeysyncd.service holdoff time over, scheduling restart.
>  systemd[1]: Started IPA key daemon.
>  systemd[1]: Starting IPA key daemon...
>  ipa-dnskeysyncd[30568]: ipa : INFO LDAP bind...
>  python2[30568]: GSSAPI client step 1
>  python2[30568]: GSSAPI client step 1
>  ns-slapd[26744]: GSSAPI server step 1
>  python2[30568]: GSSAPI client step 1
>  ns-slapd[26744]: GSSAPI server step 2
>  python2[30568]: GSSAPI client step 2
>  ns-slapd[26744]: GSSAPI server step 3
>  ipa-dnskeysyncd[30568]: ipa : INFO Commencing sync process
>  ipa-dnskeysyncd[30568]: ipa.ipapython.dnssec.keysyncer.KeySyncer:
> INFO Initial LDAP dump is done, sychronizing with ODS and BIND
>  python2[30579]: GSSAPI client step 1
>  python2[30579]: GSSAPI client step 1
>  ns-slapd[26744]: GSSAPI server step 1
>  python2[30579]: GSSAPI client step 1
>  ns-slapd[26744]: GSSAPI server step 2
>  python2[30579]: GSSAPI client step 2
>  ns-slapd[26744]: GSSAPI server step 3
>  python2[30579]: ObjectStore.cpp(59): Failed to enumerate object store in
> /var/lib/softhsm/tokens/
>  python2[30579]: SoftHSM.cpp(476): Could not load the object store
>  ipa-dnskeysyncd[30568]: Traceback

Re: [Freeipa-users] ipa-dnskeysyncd not starting

2016-12-19 Thread Martin Basti



On 19.12.2016 17:51, Rob Verduijn wrote:
2016-12-19 17:06 GMT+01:00 Martin Basti:




On 19.12.2016 16:27, Rob Verduijn wrote:



2016-12-19 16:07 GMT+01:00 Rob Verduijn <rob.verdu...@gmail.com>:




2016-12-19 15:52 GMT+01:00 Petr Spacek <pspa...@redhat.com>:

On 19.12.2016 14:07, Rob Verduijn wrote:
> Hello,
>
> I'm running ipa on centos 7.3 with the latest patches
applied.
>
> It seems to run fine however the ipa-dnskeysyncd keeps
failing to start and
> I keep seeing this message in my logs:
>
> ipa-dnskeysyncd[25663]: ipa : INFO LDAP bind...
> python2[25663]: GSSAPI client step 1
> python2[25663]: GSSAPI client step 1
> ns-slapd[2569]: GSSAPI server step 1
> python2[25663]: GSSAPI client step 1
> ns-slapd[2569]: GSSAPI server step 2
> python2[25663]: GSSAPI client step 2
> ns-slapd[2569]: GSSAPI server step 3
> ipa-dnskeysyncd[25663]: ipa : INFO  Commencing
sync process
> ipa-dnskeysyncd[25663]:
ipa.ipapython.dnssec.keysyncer.KeySyncer: INFO
> Initial LDAP dump is done, sychronizing with ODS and BIND
> python2[25674]: GSSAPI client step 1
> python2[25674]: GSSAPI client step 1
> ns-slapd[2569]: GSSAPI server step 1
> python2[25674]: GSSAPI client step 1
> ns-slapd[2569]: GSSAPI server step 2
> python2[25674]: GSSAPI client step 2
> ns-slapd[2569]: GSSAPI server step 3
> ipa-dnskeysyncd[25663]: Traceback (most recent call last):
> ipa-dnskeysyncd[25663]: File
"/usr/libexec/ipa/ipa-dnskeysyncd", line 110,
> in 
> ipa-dnskeysyncd[25663]: while
ldap_connection.syncrepl_poll(all=1,
> msgid=ldap_search):
> ipa-dnskeysyncd[25663]: File
> "/usr/lib64/python2.7/site-packages/ldap/syncrepl.py",
line 405, in
> syncrepl_poll
> ipa-dnskeysyncd[25663]: self.syncrepl_refreshdone()
> ipa-dnskeysyncd[25663]: File
>
"/usr/lib/python2.7/site-packages/ipapython/dnssec/keysyncer.py",
line 115,
> in syncrepl_refreshdone
> ipa-dnskeysyncd[25663]: self.hsm_replica_sync()
> ipa-dnskeysyncd[25663]: File
>
"/usr/lib/python2.7/site-packages/ipapython/dnssec/keysyncer.py",
line 181,
> in hsm_replica_sync
> ipa-dnskeysyncd[25663]:
ipautil.run([paths.IPA_DNSKEYSYNCD_REPLICA])
> ipa-dnskeysyncd[25663]: File
>
"/usr/lib/python2.7/site-packages/ipapython/ipautil.py",
line 494, in run
> ipa-dnskeysyncd[25663]: raise
CalledProcessError(p.returncode, arg_string,
> str(output))
> ipa-dnskeysyncd[25663]: subprocess.CalledProcessError:
Command
> '/usr/libexec/ipa/ipa-dnskeysync-replica' returned
non-zero exit status 1
> systemd[1]: ipa-dnskeysyncd.service: main process
exited, code=exited,
> status=1/FAILURE
> systemd[1]: Unit ipa-dnskeysyncd.service entered failed
state.
> systemd[1]: ipa-dnskeysyncd.service failed.
>
> for some reason the ipa-dnskeysyncd keeops crashing.
> Anybody know where to start looking for this one ?

Please raise the debug level so we can see something in the logs:

http://www.freeipa.org/page/Troubleshooting#ipa_command_crashes_or_returns_no_data



--
Petr^2 Spacek



Hello,

The file /etc/ipa/ipa.conf or the file /etc/ipa/server.conf do not exist on my system.
How to set debugging in this case?

Rob


I've set the debug level in /etc/ipa/default.conf

now I get this output
 systemd[1]: ipa-dnskeysyncd.service: main process exited, code=exited, status=1/FAILURE
 systemd[1]: Unit ipa-dnskeysyncd.service entered failed state.
 systemd[1]: ipa-dnskeysyncd.service failed.
 systemd[1]: ipa-dnskeysyncd.service holdoff time over, scheduling restart.
 systemd[1]: Started IPA key daemon.
 systemd[1]: Starting IPA key daemon...
 ipa-dnskeysync

Re: [Freeipa-users] Valid Sender ? - Re: ipa-otpd: timeout from kerberos when talking to an external 'slow' RADIUS server

2016-12-19 Thread Jochen Hein
Alexander Bokovoy  writes:

> On Sun, 18 Dec 2016, Jochen Hein wrote:
> Ok. It would probably make sense to file a ticket to FreeIPA tracker to
> get these changes in FreeIPA 4.5.

I'm now fighting against my privacyidea server, but if I can test
something more and am sure about the needed changes I'll file a ticket.

Jochen

-- 
The only problem with troubleshooting is that the trouble shoots back.



Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2016-12-19 Thread Brian J. Murrell
On Mon, 2016-12-19 at 17:26 +0100, Martin Basti wrote:
> 
> On 19.12.2016 13:19, Brian J. Murrell wrote:
> > On Mon, 2016-12-19 at 09:42 +0100, Martin Basti wrote:
> > > Hello,
> > > 
> > > could you recheck with SElinux in permissive mode?
> > 
> > Yeah, still happens even after doing:
> > 
> > # setenforce 0
> > 
> > Cheers,
> > b.
> 
> could you please kinit as service?
> 
> 
> kinit -kt /etc/ipa/dnssec/ipa-dnskeysyncd.keytab ipa-dnskeysyncd/$(hostname)

# kinit -kt /etc/ipa/dnssec/ipa-dnskeysyncd.keytab ipa-dnskeysyncd/server.example.com
# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: ipa-dnskeysyncd/server.example@example.com

Valid starting     Expires            Service principal
19/12/16 15:20:20  20/12/16 15:20:20  krbtgt/example@example.com

Seems to have worked.  FWIW, I was not asked for any password.

Cheers,
b.



Re: [Freeipa-users] ipa-dnskeysyncd not starting

2016-12-19 Thread Rob Verduijn
2016-12-19 18:53 GMT+01:00 Martin Basti:

> On 19.12.2016 17:51, Rob Verduijn wrote:
>
> 2016-12-19 17:06 GMT+01:00 Martin Basti:
>
>> On 19.12.2016 16:27, Rob Verduijn wrote:
>>
>> 2016-12-19 16:07 GMT+01:00 Rob Verduijn:
>>
>>> 2016-12-19 15:52 GMT+01:00 Petr Spacek:
>>>
>>>> On 19.12.2016 14:07, Rob Verduijn wrote:
>>>> > Hello,
>>>> >
>>>> > I'm running ipa on centos 7.3 with the latest patches applied.
>>>> >
>>>> > It seems to run fine however the ipa-dnskeysyncd keeps failing to start and
>>>> > I keep seeing this message in my logs:
>>>> >
>>>> > ipa-dnskeysyncd[25663]: ipa : INFO LDAP bind...
>>>> > python2[25663]: GSSAPI client step 1
>>>> > python2[25663]: GSSAPI client step 1
>>>> > ns-slapd[2569]: GSSAPI server step 1
>>>> > python2[25663]: GSSAPI client step 1
>>>> > ns-slapd[2569]: GSSAPI server step 2
>>>> > python2[25663]: GSSAPI client step 2
>>>> > ns-slapd[2569]: GSSAPI server step 3
>>>> > ipa-dnskeysyncd[25663]: ipa : INFO Commencing sync process
>>>> > ipa-dnskeysyncd[25663]: ipa.ipapython.dnssec.keysyncer.KeySyncer: INFO Initial LDAP dump is done, sychronizing with ODS and BIND
>>>> > python2[25674]: GSSAPI client step 1
>>>> > python2[25674]: GSSAPI client step 1
>>>> > ns-slapd[2569]: GSSAPI server step 1
>>>> > python2[25674]: GSSAPI client step 1
>>>> > ns-slapd[2569]: GSSAPI server step 2
>>>> > python2[25674]: GSSAPI client step 2
>>>> > ns-slapd[2569]: GSSAPI server step 3
>>>> > ipa-dnskeysyncd[25663]: Traceback (most recent call last):
>>>> > ipa-dnskeysyncd[25663]: File "/usr/libexec/ipa/ipa-dnskeysyncd", line 110, in <module>
>>>> > ipa-dnskeysyncd[25663]: while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search):
>>>> > ipa-dnskeysyncd[25663]: File "/usr/lib64/python2.7/site-packages/ldap/syncrepl.py", line 405, in syncrepl_poll
>>>> > ipa-dnskeysyncd[25663]: self.syncrepl_refreshdone()
>>>> > ipa-dnskeysyncd[25663]: File "/usr/lib/python2.7/site-packages/ipapython/dnssec/keysyncer.py", line 115, in syncrepl_refreshdone
>>>> > ipa-dnskeysyncd[25663]: self.hsm_replica_sync()
>>>> > ipa-dnskeysyncd[25663]: File "/usr/lib/python2.7/site-packages/ipapython/dnssec/keysyncer.py", line 181, in hsm_replica_sync
>>>> > ipa-dnskeysyncd[25663]: ipautil.run([paths.IPA_DNSKEYSYNCD_REPLICA])
>>>> > ipa-dnskeysyncd[25663]: File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 494, in run
>>>> > ipa-dnskeysyncd[25663]: raise CalledProcessError(p.returncode, arg_string, str(output))
>>>> > ipa-dnskeysyncd[25663]: subprocess.CalledProcessError: Command '/usr/libexec/ipa/ipa-dnskeysync-replica' returned non-zero exit status 1
>>>> > systemd[1]: ipa-dnskeysyncd.service: main process exited, code=exited, status=1/FAILURE
>>>> > systemd[1]: Unit ipa-dnskeysyncd.service entered failed state.
>>>> > systemd[1]: ipa-dnskeysyncd.service failed.
>>>> >
>>>> > for some reason the ipa-dnskeysyncd keeps crashing.
>>>> > Anybody know where to start looking for this one?
>>>>
>>>> Please raise the debug level so we can see something in the logs:
>>>>
>>>> http://www.freeipa.org/page/Troubleshooting#ipa_command_crashes_or_returns_no_data
>>>>
>>>> --
>>>> Petr^2 Spacek


>>>
>>> Hello,
>>>
>>> The file /etc/ipa/ipa.conf or the file /etc/ipa/server.conf do not exist
>>> on my system.
>>> How to set debugging in this case?
>>>
>>> Rob
>>>
>>
>> I've set the debug level in /etc/ipa/default.conf
>>
>> now I get this output
>>  systemd[1]: ipa-dnskeysyncd.service: main process exited, code=exited,
>> status=1/FAILURE
>>  systemd[1]: Unit ipa-dnskeysyncd.service entered failed state.
>>  systemd[1]: ipa-dnskeysyncd.service failed.
>>  systemd[1]: ipa-dnskeysyncd.service holdoff time over, scheduling
>> restart.
>>  systemd[1]: Started IPA key daemon.
>>  systemd[1]: Starting IPA key daemon...
>>  ipa-dnskeysyncd[30568]: ipa : INFO LDAP bind...
>>  python2[30568]: GSSAPI client step 1
>>  python2[30568]: GSSAPI client step 1
>>  ns-slapd[26744]: GSSAPI server step 1
>>  python2[30568]: GSSAPI client step 1
>>  ns-slapd[26744]: GSSAPI server step 2
>>  python2[30568]: GSSAPI client step 2
>>  ns-slapd[26744]: GSSAPI server step 3
>>  ipa-dnskeysyncd[30568]: ipa : INFO Commencing sync process
>>  ipa-dnskeysyncd[30568]: ipa.ipapython.dnssec.keysyncer.KeySyncer:
>> INFO Initial LDAP dump is done, sychronizing with ODS and BIND
>>  python2[30579]: GSSAPI client step 1
>>  python2[30579]: GSSAPI client step 1
>>  ns-slapd[26744]: GSSAPI server step 1
>>  python2[30579]: GSSAPI client step 1
>>  ns-slapd[26744]: GSSAPI server step 2
>>  python2[30579]: GSSAPI client step 2
>>  ns-slapd[26744]

[Freeipa-users] DNS reverse zone is not managed by this server

2016-12-19 Thread Maciej Drobniuch
Hi All!

I get the following message while adding a new hostname.

"The host was added but the DNS update failed with: DNS reverse zone
in-addr.arpa. for IP address 10.0.0.165 is not managed by this server"

The reverse zone is configured and working.
When I am manually adding the PTR record to the reverse zone - all OK

While adding a new host, the A record is being created but the PTR fails
with the message above.

Reinstalling centos+IPA worked once but I had to reinstall again because of
problems with Kerberos (probably dependencies).

Not sure what is the root cause of the issue.

VERSION: 4.4.0, API_VERSION: 2.213

CENTOS7 Linux freeipa1 3.10.0-229.el7.x86_64 #1 SMP Fri Mar 6 11:36:42 UTC
2015 x86_64 x86_64 x86_64 GNU/Linux

Any help appreciated!
-- 
Best regards

Maciej Drobniuch
Network Security Engineer
Collective-sense LLC