zabbix for monitoring FreeIPA server?
by Tony Brian Albers
Hi guys,
Anyone got this working?
And if so, how did you do it?
I know I can monitor the components separately, but if you know of
anything that can do it easier I'd be happy to know about it.
/tony
--
Tony Albers
Systems administrator, IT-development
Royal Danish Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
Tel: +45 2566 2383 / +45 8946 2316
4 years, 6 months
ipa-getkeytab: PrincipalName not found
by Harald Dunkel
Hi folks,
maybe I missed something, but shouldn't admin have sufficient
privileges to run
# ipa-client-install --hostname stretch1.vs.example.de --no-ssh --no-sshd --no-nisdomain --no-sudo --no-ntp --no-dns-sshfp
# reboot
:
:
# kinit admin
# ipa-getkeytab -s ipa1.example.de -p HTTP/stretch1.vs.example.de -k /etc/apache2/apache2.keytab
?
ipa-getkeytab failed with
Failed to parse result: PrincipalName not found.
I would have expected it to create the principal on the fly.
"admin" was created at freeipa install time on the first server,
AFAIR. It is a member of the "admins" and "trust admins" groups.
I am concerned that I corrupted something. Every helpful comment
is highly appreciated.
Harri
4 years, 7 months
FreeIPA AD Trust with Samba4 ... is it possible?
by D Anderson
Hello all,
I am confused by some of the conflicting documentation about whether this is possible or not. Almost all of the documentation/working examples seem to use an actual Windows Domain Controller. Specifically the part on DNS, as the Samba4 internal DNS server has several known limitations.
https://wiki.samba.org/index.php/Samba_Internal_DNS_Back_End#Limitations
>The internal DNS does not support:
>zone transfers
https://wiki.samba.org/index.php/DNS_Administration#Administering_DNS_on_...
>Conditional forwarders are not implemented yet
I THINK I got DNS actually working, but had to use a solution like here
https://www.redhat.com/archives/freeipa-users/2012-October/msg00194.html
Although Petr says to stay away from forwarders in IPA
Is it better to attempt AD as a subdomain of IPA (which I'm currently doing), or IPA as a subdomain of AD?
On both the samba4 and freeipa machines I can currently dig SRV records for both domains, but when I attempt ipa add-trust, I see in the httpd error logs
>[Fri Aug 10 11:58:43.122526 2018] [:error] [pid 6169] ipa: ERROR: Attempt to solve forest trust topology conflicts
>[Fri Aug 10 11:58:43.125865 2018] [:error] [pid 6169] ipa: ERROR: non-public: NTSTATUSError: (-1073741601, 'The specified domain did not exist.')
Which leads me to believe that no, DNS is not working correctly (I have all firewall/iptables off and selinux off).
I can give more concrete examples, but before I get lost in the weeds I wanted to know the broad consensus: is it even possible, or are there known bad issues with Samba AD?
Like here https://www.freeipa.org/page/IPAv3_AD_trust#Samba , it says
>In order to get properly working MIT krb5-based Samba4 build one have to use --without-ad-dc --with-system-mitkrb5 options when configuring WAF top level build.
Which confuses me ... how do I get an AD trust if I'm setting up Samba without AD abilities??
Yet here https://www.freeipa.org/page/Windows_authentication_against_FreeIPA
It recommends
a. If you have an AD (Microsoft), use it
b. If you don't have a Microsoft AD, set up Samba4
>but it can be configured to trust FreeIPA
Does anyone know of a complete A..Z example of how to do that? (what options were used to configure Samba and Freeipa, etc)
Thanks
4 years, 8 months
ipa-replica-manage --force replica.server fails
by Ralph Crongeyer
Hi List,
I have a master server that had a replica installed. The replica has been
uninstalled. When I try to run "ipa-replica-manage del --force
replica.server" it fails with:
invalid 'PKINIT enabled server': all masters must have IPA master role
enabled
How can I delete this replica?
Thanks,
Ralph
4 years, 8 months
nfsidmap/nss_getpwnam fails to resolve users with IPA/NFSv4+krb5
by Robert Sturrock
Hi All.
We have IPA set up in an AD trust to support our Linux fleet. I’m running into a problem trying to get Ubuntu (16.04) clients to resolve names/ids on an NFS-mounted filesystem from an NFS server using NFSv4/krb5. Files and directories show up as ‘nobody’ or an incorrect numerical ID when listed with ‘ls’. RHEL7 clients seem to be working fine with a very similar configuration (as far as I can tell).
The particulars are:
- AD forest has domains ‘localdomain’ and ‘student.localdomain’ (my user identity is ‘user@localdomain’)
- IPA domain is ‘ipa.localdomain’
- The NFS server (RHEL7) and clients (Ubu16.04, RHEL7) are both enrolled to IPA (with ‘Domain=ipa.localdomain’ in /etc/idmapd.conf).
I have mounted the NFS volume on the clients with a simple:
mount -t nfs4 nfs-server.ipa.localdomain:/export /mnt
Listing my directory as myself (‘rns@localdomain’) on the Ubuntu client, I see:
$ ls -ld rns
drwx------ 18 nobody 4294967294 4096 Oct 25 15:18 rns
.. with these corresponding nfsidmap messages:
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: key: 0x2c254c26 type: uid value: rns@localdomain(a)ipa.localdomain timeout 600
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: nfs4_name_to_uid: calling nsswitch->name_to_uid
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: nss_getpwnam: name 'rns@localdomain(a)ipa.localdomain' domain 'ipa.localdomain': resulting localname '(null)'
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: nss_getpwnam: name 'rns@localdomain(a)ipa.localdomain' does not map into domain 'ipa.localdomain'
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: nfs4_name_to_uid: nsswitch->name_to_uid returned -22
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: nfs4_name_to_uid: final return value is -22
.. whereas on the RHEL7 client, I see:
$ ls -ld rns
drwx------. 18 rns@localdomain rns@localdomain 4096 Oct 25 15:18 rns
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30590]: key: 0xf113fd2 type: uid value: rns@localdomain(a)ipa.localdomain timeout 600
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30590]: nfs4_name_to_uid: calling nsswitch->name_to_uid
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30590]: nss_getpwnam: name 'rns@localdomain(a)ipa.localdomain' domain 'ipa.localdomain': resulting localname 'rns@localdomain'
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30590]: nfs4_name_to_uid: nsswitch->name_to_uid returned 0
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30590]: nfs4_name_to_uid: final return value is 0
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30592]: key: 0x2125a5d2 type: gid value: rns@localdomain(a)ipa.localdomain timeout 600
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30592]: nfs4_name_to_gid: calling nsswitch->name_to_gid
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30592]: nfs4_name_to_gid: nsswitch->name_to_gid returned 0
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30592]: nfs4_name_to_gid: final return value is 0
Why does the Ubuntu client's nfsidmap think that my identity doesn’t map into ‘ipa.localdomain’ and therefore (presumably) returns the error code ‘-22’?
(My identity resolves ok from the shell, using ‘id rns@localdomain’ and I can login and use local filesystems without issue).
The idmapd.conf looks like this:
[General]
Verbosity = 4
Pipefs-Directory = /run/rpc_pipefs
Domain = ipa.localdomain
Local-Realms = LOCALDOMAIN, STUDENT.LOCALDOMAIN, IPA.LOCALDOMAIN
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
[Translation]
Method = nsswitch
Any pointers appreciated!
Regards,
Robert.
4 years, 8 months
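As an added illustration for the nfsidmap thread above (not code from the post, nor libnfsidmap's own), the Python below reproduces the domain-stripping step that precedes the getpwnam() lookup and runs it over the two 'resulting localname' log lines; it assumes the archive's '(a)' stands for '@'. Whether a given libnfsidmap release cuts the name at the first or at the last '@' is something to verify against that release's source, so the cut point is a parameter here and the example only shows that the two choices reproduce the two outcomes seen.

```python
"""Domain stripping as nfsidmap's nsswitch method does it before getpwnam().

Added illustration; not the post's code and not libnfsidmap's own source.
"""
import re
from typing import List, Optional, Tuple

# Assumption: the archive renders '@' as '(a)', so the name nfsidmap received
# is the AD-style user 'rns@localdomain' with the IPA idmap Domain appended.
NFS_NAME = "rns@localdomain@ipa.localdomain"
IDMAP_DOMAIN = "ipa.localdomain"   # 'Domain =' from the idmapd.conf in the post


def strip_domain(nfs_name: str, domain: str, split_at: str = "last") -> Optional[str]:
    """Return the local name for an NFSv4 'user@domain' string.

    Returns None when the domain part is not the configured Domain, which is
    the "does not map into domain" case that nfsidmap logs as '(null)' / -22.
    split_at selects whether the name is cut at the "first" or "last" '@';
    which one a given libnfsidmap release uses is an assumption to verify.
    """
    idx = nfs_name.find("@") if split_at == "first" else nfs_name.rfind("@")
    if idx < 0:
        return None                      # no domain part at all
    user, name_domain = nfs_name[:idx], nfs_name[idx + 1:]
    if name_domain.lower() != domain.lower():
        return None                      # mismatch: localname '(null)'
    return user


NSS_RE = re.compile(
    r"nss_getpwnam: name '([^']+)' domain '([^']+)': resulting localname '([^']+)'"
)


def parse_nss_results(log_lines: List[str]) -> List[Tuple[str, str, Optional[str]]]:
    """Extract (name, domain, localname) from nfsidmap 'resulting localname'
    lines, restoring the archive's '(a)' to '@'; '(null)' becomes None."""
    out = []
    for line in log_lines:
        m = NSS_RE.search(line.replace("(a)", "@"))
        if m:
            name, domain, local = m.groups()
            out.append((name, domain, None if local == "(null)" else local))
    return out


# Constructed copies of the two 'resulting localname' lines quoted in the post.
UBUNTU_LINE = ("Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: "
               "nss_getpwnam: name 'rns@localdomain(a)ipa.localdomain' domain "
               "'ipa.localdomain': resulting localname '(null)'")
RHEL_LINE = ("Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30590]: "
             "nss_getpwnam: name 'rns@localdomain(a)ipa.localdomain' domain "
             "'ipa.localdomain': resulting localname 'rns@localdomain'")


if __name__ == "__main__":
    for split in ("first", "last"):
        print(f"cut at {split} '@':", strip_domain(NFS_NAME, IDMAP_DOMAIN, split))
    for name, domain, local in parse_nss_results([UBUNTU_LINE, RHEL_LINE]):
        print(f"{name} in {domain} -> {local}")
```

Cutting at the first '@' leaves the domain part as 'localdomain@ipa.localdomain', which never equals the configured Domain, so every trusted-domain user falls back to nobody/4294967294 exactly as the Ubuntu listing shows.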
external ocsp ?
by veer Schlansky
My company's PIV/AD credential is user(a)example.com. We set up our IPA
credential as user(a)linux.example.com
example.com and linux.example.com are completely separated domains/realms,
no trust or interaction whatsoever.
I took the user and CA certs on the PIV card and put them into ipa. I was
able to authenticate to ipa webui with my PIV card.
My question is does ipa do online certificate status protocol check for the
user(a)example.com cert? Any way to verify that?
Thanks.
4 years, 9 months
de/selecting AD's users
by lejeczek
hi guys
I wonder, and hope you guys could tell me, if it's possible in IPA, when
there is a one-way trust established between AD & IPA, to allow only
certain accounts to log in & access IPA's resources?
An ideal scenario I'm looking for is where all users from AD are
initially disallowed to log in & access the IPA domain, and then an admin can
allow such users on a per-user or per-group basis.
Is something like that a "built-in" IPA feature?
many thanks, L.
4 years, 10 months
Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
by lune voo
Hello !
I contact you because I have a random problem with my 3.0.0.47 FreeIPA
server.
Sometimes, suddenly, I cannot use the REST API anymore and I get the
following errors when I try things like ipa user-show <myuser> :
Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified
GSS failure. Minor code may provide more information (Ticket expired)]
traceback : <traceback object at 0x3b917a0>
The kinit works fine, klist also.
My ticket is valid until the day after so no problem from there.
The datetime is the same between the IPA server and the IPA client.
When I check the httpd logs on the IPA server, as long as this error lasts,
I don't see any logs at all.
For example, today, the problem occurred at 12:06:39 and in the HTTPD error
logs :
[Wed Oct 31 12:05:23 2018] [error] ipa: INFO: aPrincipal@MYREALM:
user_show(u'anotherPincipal', rights=False, all=True, raw=False,
version=u'2.49', no_members=False): SUCCESS
[Wed Oct 31 12:07:23 2018] [error] ipa: INFO: aPrincipal@MYREALM:
user_find(u'PrincipalPattern_', sizelimit=1000, whoami=False, all=False,
raw=False, version=u'2.49', no_members=False, pkey_only=False): SUCCESS
There is nothing in the dirsrv error logs at this time or around this time.
Nothing in the PKI CA logs either.
When I check the logs in cli.log, I find these kinds of lines :
2018-10-31T12:06:39Z 1933 MainThread ipa.ipalib.rpc.xmlclient
INFO trying https://<IPA-MASTER>/ipa/xml
2018-10-31T12:06:39Z 1933 MainThread ipa.ipalib.rpc.xmlclient
INFO Forwarding 'user_show' to server u'https://<IPA-MASTER>/ipa/xml'
2018-10-31T12:06:39Z 1947 MainThread ipa.ipalib.rpc.xmlclient
INFO trying https://<IPA-MASTER>/ipa/xml
2018-10-31T12:06:39Z 1947 MainThread ipa.ipalib.rpc.xmlclient
INFO Forwarding 'user_show' to server u'https://<IPA-MASTER>/ipa/xml'
2018-10-31T12:06:40Z 1961 MainThread ipa.ipalib.rpc.xmlclient
INFO trying https://<IPA-MASTER>/ipa/xml
2018-10-31T12:06:40Z 1961 MainThread ipa.ipalib.rpc.xmlclient
INFO Forwarding 'user_show' to server u'https://<IPA-MASTER>/ipa/xml'
2018-10-31T12:06:40Z 1975 MainThread ipa.ipalib.rpc.xmlclient
INFO trying https://<IPA-MASTER>/ipa/xml
2018-10-31T12:06:40Z 1975 MainThread ipa.ipalib.rpc.xmlclient
INFO Forwarding 'user_show' to server u'https://<IPA-MASTER>/ipa/xml'
2018-10-31T12:07:27Z 2159 MainThread ipa INFO The ipactl
command was successful
2018-10-31T12:07:27Z 2160 MainThread ipa INFO The ipactl
command was successful
I cannot see anything special in the krb5kdc.log either for this time. The
only lines corresponding to the IP of the client are the following :
Oct 31 12:06:24 <IPA-MASTER> krb5kdc[137188](info): AS_REQ (4 etypes {18 17
16 23}) <IP CLIENT>: NEEDED_PREAUTH: <MYUSER>@<MYREALM> for
krbtgt/<MYREALM>@<MYREALM>, Additional pre-authentication required
Oct 31 12:06:24 <IPA-MASTER> krb5kdc[137188](info): AS_REQ (4 etypes {18 17
16 23}) <IP CLIENT>: NEEDED_PREAUTH: <MYUSER>@<MYREALM> for
krbtgt/<MYREALM>@<MYREALM>, Additional pre-authentication required
Oct 31 12:06:24 <IPA-MASTER> krb5kdc[137188](info): closing down fd 10
Oct 31 12:06:24 <IPA-MASTER> krb5kdc[137188](info): closing down fd 10
Oct 31 12:06:24 <IPA-MASTER> krb5kdc[137181](info): AS_REQ (4 etypes {18 17
16 23}) <IP CLIENT>: ISSUE: authtime 1540983984, etypes {rep=18 tkt=18
ses=18}, <MYUSER>@<MYREALM> for krbtgt/<MYREALM>@<MYREALM>
Oct 31 12:06:24 <IPA-MASTER> krb5kdc[137181](info): AS_REQ (4 etypes {18 17
16 23}) <IP CLIENT>: ISSUE: authtime 1540983984, etypes {rep=18 tkt=18
ses=18}, <MYUSER>@<MYREALM> for krbtgt/<MYREALM>@<MYREALM>
Oct 31 12:06:24 <IPA-MASTER> krb5kdc[137181](info): closing down fd 10
Oct 31 12:06:24 <IPA-MASTER> krb5kdc[137181](info): closing down fd 10
We are multiple users connecting to the same server with SSH and using root.
But each one of us uses a different KRB5CCNAME to take a kerberos ticket.
(we take different tickets, me for example I take an admin ticket, a
colleague takes another principal's ticket).
I tried using ipa user-show with the -d flag : ipa -d user-show
<myuser> and I compared the result between one which failed and one which
was successful.
The difference came at this step :
When it failed :
ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
ipa: DEBUG: cert valid True for "CN=<IPA-MASTER>,O=<MYREALM>"
ipa: DEBUG: handshake complete, peer = <IP>:443
ipa: DEBUG: Protocol: TLS1.2
ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_128_CBC_SHA
ipa: DEBUG: Caught fault 2100 from server
https://<IPA-MASTER>/ipa/session/xml: Insufficient access: SASL(-1):
generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may
provide more information (Ticket expired)
ipa: DEBUG: Destroyed connection context.xmlclient
ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI
Error: Unspecified GSS failure. Minor code may provide more information
(Ticket expired)
When it succeeds :
ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
ipa: DEBUG: cert valid True for "CN=<IPA-MASTER>,O=<MYREALM>"
ipa: DEBUG: handshake complete, peer = <IP>:<PORT>
ipa: DEBUG: Protocol: TLS1.2
ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_128_CBC_SHA
ipa: DEBUG: received Set-Cookie
'ipa_session=385454761d74afed915a24124ba5ef25; Domain=<IPA-MASTER>;
Path=/ipa; Expires=Wed, 31 Oct 2018 15:57:45 GMT; Secure; HttpOnly'
ipa: DEBUG: storing cookie 'ipa_session=385454761d74afed915a24124ba5ef25;
Domain=<IPA-MASTER>; Path=/ipa; Expires=Wed, 31 Oct 2018 15:57:45 GMT;
Secure; HttpOnly' for principal <myPrincipal>@<MYREALM>
ipa: DEBUG: args=keyctl search @s user
ipa_session_cookie:<myPrincipal>@<MYREALM>
ipa: DEBUG: stdout=485338998
ipa: DEBUG: stderr=
ipa: DEBUG: args=keyctl search @s user
ipa_session_cookie:<myPrincipal>@<MYREALM>
ipa: DEBUG: stdout=485338998
ipa: DEBUG: stderr=
ipa: DEBUG: args=keyctl pupdate 485338998
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Destroyed connection context.xmlclient
So when it works, it sets a session cookie ?
Some information about FreeIPA and cookies :
https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/
Could you help me please ?
As a note, I found a workaround for that. I need to destroy my ticket with
kdestroy and then disconnect from the server.
Then when I connect back to the server, I take a kerberos ticket and I can
use the REST API.
This problem is really strange, thank you in advance for your help guys.
Lune
4 years, 11 months
replica unable to communicate
by Andrew Meyer
I need some help with this. I am working with FreeIPA running on CentOS 7.4, version 4.5.0-22. I have 2 servers in my AWS VPC and 2 servers at my local office.
For some reason I am not seeing replication happen (over ldaps?) from 1 server in my local office to the two servers up there.
AWS servers:
[centos@freeipa03 ~]$ sudo ipa-replica-manage list -v freeipa01.stl1.gatewayblend.net
freeipa03.east.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-03-21 02:25:31+00:00
freeipa04.east.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-03-21 02:25:31+00:00
freeipa03.stl1.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-03-21 02:30:31+00:00
[centos@freeipa03 ~]$ sudo ipa-replica-manage list -v freeipa03.stl1.gatewayblend.net
freeipa03.east.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)
  last update ended: 1970-01-01 00:00:00+00:00
freeipa04.east.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)
  last update ended: 1970-01-01 00:00:00+00:00
freeipa01.stl1.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)
  last update ended: 1970-01-01 00:00:00+00:00
[centos@freeipa03 ~]$
[root@freeipa04 log]# ipa-replica-manage list -v freeipa03.stl1.gatewayblend.net
freeipa03.east.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)
  last update ended: 1970-01-01 00:00:00+00:00
freeipa04.east.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)
  last update ended: 1970-01-01 00:00:00+00:00
freeipa01.stl1.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)
  last update ended: 1970-01-01 00:00:00+00:00
[root@freeipa04 log]# ipa-replica-manage list -v freeipa01.stl1.gatewayblend.net
freeipa03.east.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-03-21 02:25:31+00:00
freeipa04.east.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-03-21 02:25:31+00:00
freeipa03.stl1.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-03-21 02:30:31+00:00
[root@freeipa04 log]#
Local office: server 1
[gatewayblend@freeipa01 ~]$ sudo ipa-replica-manage list -v freeipa04.east.gatewayblend.net
freeipa01.stl1.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-03-21 13:24:41+00:00
freeipa03.stl1.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-03-21 13:24:32+00:00
freeipa03.east.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)
  last update ended: 1970-01-01 00:00:00+00:00
[gatewayblend@freeipa01 ~]$ sudo ipa-replica-manage list -v freeipa03.east.gatewayblend.net
freeipa01.stl1.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-03-21 13:30:53+00:00
freeipa03.stl1.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-03-21 13:30:53+00:00
freeipa04.east.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)
  last update ended: 1970-01-01 00:00:00+00:00
[gatewayblend@freeipa01 ~]$
[gatewayblend@freeipa03 ~]$ sudo ipa-replica-manage list -v freeipa04.east.gatewayblend.net
freeipa01.stl1.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-03-21 02:08:00+00:00
freeipa03.stl1.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-03-21 02:07:54+00:00
freeipa03.east.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)
  last update ended: 1970-01-01 00:00:00+00:00
[gatewayblend@freeipa03 ~]$ sudo vim /etc/resolv.conf
[gatewayblend@freeipa03 ~]$ sudo ipa-replica-manage list -v freeipa03.east.gatewayblend.net
freeipa01.stl1.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-03-21 02:40:35+00:00
freeipa03.stl1.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-03-21 02:40:35+00:00
freeipa04.east.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)
  last update ended: 1970-01-01 00:00:00+00:00
[gatewayblend@freeipa03 ~]$
The topologysegment shows we have 2-way connectivity all the way around:
[root@freeipa04 log]# ipa topologysegment-find --all
Suffix name: domain
------------------
6 segments matched
------------------
  dn: cn=freeipa01.stl1.gatewayblend.net-to-freeipa03.stl1.gatewayblend.net,cn=domain,cn=topology,cn=ipa,cn=etc,dc=gatewayblend,dc=net
  Segment name: freeipa01.stl1.gatewayblend.net-to-freeipa03.stl1.gatewayblend.net
  Left node: freeipa01.stl1.gatewayblend.net
  Right node: freeipa03.stl1.gatewayblend.net
  Connectivity: both
  iparepltoposegmentstatus: autogen
  objectclass: iparepltoposegment, top

  dn: cn=freeipa01.stl1.gatewayblend.net-to-freeipa04.east.gatewayblend.net,cn=domain,cn=topology,cn=ipa,cn=etc,dc=gatewayblend,dc=net
  Segment name: freeipa01.stl1.gatewayblend.net-to-freeipa04.east.gatewayblend.net
  Left node: freeipa01.stl1.gatewayblend.net
  Right node: freeipa04.east.gatewayblend.net
  Connectivity: both
  objectclass: iparepltoposegment, top

  dn: cn=freeipa03.east.gatewayblend.net-to-freeipa01.stl1.gatewayblend.net,cn=domain,cn=topology,cn=ipa,cn=etc,dc=gatewayblend,dc=net
  Segment name: freeipa03.east.gatewayblend.net-to-freeipa01.stl1.gatewayblend.net
  Left node: freeipa03.east.gatewayblend.net
  Right node: freeipa01.stl1.gatewayblend.net
  Connectivity: both
  objectclass: iparepltoposegment, top

  dn: cn=freeipa03.east.gatewayblend.net-to-freeipa04.east.gatewayblend.net,cn=domain,cn=topology,cn=ipa,cn=etc,dc=gatewayblend,dc=net
  Segment name: freeipa03.east.gatewayblend.net-to-freeipa04.east.gatewayblend.net
  Left node: freeipa03.east.gatewayblend.net
  Right node: freeipa04.east.gatewayblend.net
  Connectivity: both
  iparepltoposegmentstatus: autogen
  objectclass: iparepltoposegment, top

  dn: cn=freeipa03.stl1.gatewayblend.net-to-freeipa03.east.gatewayblend.net,cn=domain,cn=topology,cn=ipa,cn=etc,dc=gatewayblend,dc=net
  Segment name: freeipa03.stl1.gatewayblend.net-to-freeipa03.east.gatewayblend.net
  Left node: freeipa03.stl1.gatewayblend.net
  Right node: freeipa03.east.gatewayblend.net
  Connectivity: both
  objectclass: iparepltoposegment, top

  dn: cn=freeipa03.stl1.gatewayblend.net-to-freeipa04.east.gatewayblend.net,cn=domain,cn=topology,cn=ipa,cn=etc,dc=gatewayblend,dc=net
  Segment name: freeipa03.stl1.gatewayblend.net-to-freeipa04.east.gatewayblend.net
  Left node: freeipa03.stl1.gatewayblend.net
  Right node: freeipa04.east.gatewayblend.net
  Connectivity: both
  objectclass: iparepltoposegment, top
----------------------------
Number of entries returned 6
----------------------------
[root@freeipa04 log]#
When I add a user everything gets synced. When I add a DNS entry it gets synced all the way around.
Is the error I'm getting a false positive? It seems like it is.
This is the error I'm getting in /var/log/messages. However, I think this pertains to DNSSEC and can be ignored, correct?
Mar 21 13:35:25 freeipa01 systemd: ipa-dnskeysyncd.service: main process exited, code=exited, status=1/FAILURE
Mar 21 13:35:25 freeipa01 systemd: Unit ipa-dnskeysyncd.service entered failed state.
Mar 21 13:35:25 freeipa01 systemd: ipa-dnskeysyncd.service failed.
Mar 21 13:36:25 freeipa01 systemd: ipa-dnskeysyncd.service holdoff time over, scheduling restart.
Mar 21 13:36:25 freeipa01 systemd: Started IPA key daemon.
Mar 21 13:36:25 freeipa01 systemd: Starting IPA key daemon...
Mar 21 13:36:28 freeipa01 ipa-dnskeysyncd: ipa : INFO LDAP bind...
Mar 21 13:36:28 freeipa01 ipa-dnskeysyncd: ipa : INFO Commencing sync process
Mar 21 13:36:29 freeipa01 ipa-dnskeysyncd: ipa.ipaserver.dnssec.keysyncer.KeySyncer: INFO Initial LDAP dump is done, sychronizing with ODS and BIND
Mar 21 13:36:32 freeipa01 ipa-dnskeysyncd: Traceback (most recent call last):
Mar 21 13:36:32 freeipa01 ipa-dnskeysyncd: File "/usr/libexec/ipa/ipa-dnskeysyncd", line 114, in <module>
Mar 21 13:36:32 freeipa01 ipa-dnskeysyncd: while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search):
Mar 21 13:36:32 freeipa01 ipa-dnskeysyncd: File "/usr/lib64/python2.7/site-packages/ldap/syncrepl.py", line 405, in syncrepl_poll
Mar 21 13:36:32 freeipa01 ipa-dnskeysyncd: self.syncrepl_refreshdone()
Mar 21 13:36:32 freeipa01 ipa-dnskeysyncd: File "/usr/lib/python2.7/site-packages/ipaserver/dnssec/keysyncer.py", line 115, in syncrepl_refreshdone
Mar 21 13:36:32 freeipa01 ipa-dnskeysyncd: self.hsm_replica_sync()
Mar 21 13:36:32 freeipa01 ipa-dnskeysyncd: File "/usr/lib/python2.7/site-packages/ipaserver/dnssec/keysyncer.py", line 181, in hsm_replica_sync
Mar 21 13:36:32 freeipa01 ipa-dnskeysyncd: ipautil.run([paths.IPA_DNSKEYSYNCD_REPLICA])
Mar 21 13:36:32 freeipa01 ipa-dnskeysyncd: File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 512, in run
Mar 21 13:36:32 freeipa01 ipa-dnskeysyncd: raise CalledProcessError(p.returncode, arg_string, str(output))
Mar 21 13:36:32 freeipa01 ipa-dnskeysyncd: subprocess.CalledProcessError: Command '/usr/libexec/ipa/ipa-dnskeysync-replica' returned non-zero exit status 1
Mar 21 13:36:33 freeipa01 systemd: ipa-dnskeysyncd.service: main process exited, code=exited, status=1/FAILURE
Mar 21 13:36:33 freeipa01 systemd: Unit ipa-dnskeysyncd.service entered failed state.
Mar 21 13:36:33 freeipa01 systemd: ipa-dnskeysyncd.service failed.
Mar 21 13:37:33 freeipa01 systemd: ipa-dnskeysyncd.service holdoff time over, scheduling restart.
Mar 21 13:37:33 freeipa01 systemd: Started IPA key daemon.
Mar 21 13:37:33 freeipa01 systemd: Starting IPA key daemon...
Mar 21 13:37:36 freeipa01 ipa-dnskeysyncd: ipa : INFO LDAP bind...
Mar 21 13:37:36 freeipa01 ipa-dnskeysyncd: ipa : INFO Commencing sync process
Mar 21 13:37:36 freeipa01 ipa-dnskeysyncd: ipa.ipaserver.dnssec.keysyncer.KeySyncer: INFO Initial LDAP dump is done, sychronizing with ODS and BIND
Mar 21 13:37:40 freeipa01 ipa-dnskeysyncd: Traceback (most recent call last):
Mar 21 13:37:40 freeipa01 ipa-dnskeysyncd: File "/usr/libexec/ipa/ipa-dnskeysyncd", line 114, in <module>
Mar 21 13:37:40 freeipa01 ipa-dnskeysyncd: while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search):
Mar 21 13:37:40 freeipa01 ipa-dnskeysyncd: File "/usr/lib64/python2.7/site-packages/ldap/syncrepl.py", line 405, in syncrepl_poll
Mar 21 13:37:40 freeipa01 ipa-dnskeysyncd: self.syncrepl_refreshdone()
Mar 21 13:37:40 freeipa01 ipa-dnskeysyncd: File "/usr/lib/python2.7/site-packages/ipaserver/dnssec/keysyncer.py", line 115, in syncrepl_refreshdone
Mar 21 13:37:40 freeipa01 ipa-dnskeysyncd: self.hsm_replica_sync()
Mar 21 13:37:40 freeipa01 ipa-dnskeysyncd: File "/usr/lib/python2.7/site-packages/ipaserver/dnssec/keysyncer.py", line 181, in hsm_replica_sync
Mar 21 13:37:40 freeipa01 ipa-dnskeysyncd: ipautil.run([paths.IPA_DNSKEYSYNCD_REPLICA])
Mar 21 13:37:40 freeipa01 ipa-dnskeysyncd: File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 512, in run
Mar 21 13:37:40 freeipa01 ipa-dnskeysyncd: raise CalledProcessError(p.returncode, arg_string, str(output))
Mar 21 13:37:40 freeipa01 ipa-dnskeysyncd: subprocess.CalledProcessError: Command '/usr/libexec/ipa/ipa-dnskeysync-replica' returned non-zero exit status 1
Mar 21 13:37:40 freeipa01 systemd: ipa-dnskeysyncd.service: main process exited, code=exited, status=1/FAILURE
Mar 21 13:37:40 freeipa01 systemd: Unit ipa-dnskeysyncd.service entered failed state.
Mar 21 13:37:40 freeipa01 systemd: ipa-dnskeysyncd.service failed.
[gatewayblend@freeipa01 ~]$
I'm not sure what the issue is.
Any help is appreciated.
Thank you,
Andrew Meyer
5 years
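As an added example for the replication thread above (not the poster's code and not part of FreeIPA), the Python below parses `ipa-replica-manage list -v` output into per-agreement records and flags the ones that are really failing; the sample input is constructed in the tool's layout with the hostnames from the post. The point it makes is that "Error (0) Replica acquired successfully" is the success code, so only a non-zero code such as the "Error (-1) Problem connecting to replica" lines, or an update that has never finished (epoch timestamp), counts as a broken agreement.

```python
"""Parse `ipa-replica-manage list -v <server>` output and flag failing agreements.

Added example; not the poster's code and not FreeIPA's own.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the tool's output layout, using hostnames from the thread.
SAMPLE = """\
freeipa03.east.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-03-21 02:25:31+00:00
freeipa04.east.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)
  last update ended: 1970-01-01 00:00:00+00:00
"""

STATUS_RE = re.compile(r"^Error \((-?\d+)\)\s*(.*)$")
EPOCH = "1970-01-01 00:00:00+00:00"   # printed when an update has never completed


@dataclass
class Agreement:
    replica: str
    code: int
    message: str
    last_update_ended: str

    @property
    def healthy(self) -> bool:
        # Code 0 is success despite the "Error" prefix; the epoch timestamp
        # means no incremental update has ever finished on this agreement.
        return self.code == 0 and self.last_update_ended != EPOCH


def parse_replica_list(text: str) -> List[Agreement]:
    """Turn the list -v text into Agreement records, one per '<host>: replica' block."""
    blocks = []
    current = None
    for line in text.splitlines():
        if not line.startswith(" ") and line.rstrip().endswith(": replica"):
            current = {"replica": line.split(":")[0].strip()}
            blocks.append(current)
            continue
        if current is None:
            continue                                  # text before the first block
        key, _, value = line.strip().partition(": ")
        current[key] = value
    result = []
    for b in blocks:
        status = b.get("last update status", "")
        m = STATUS_RE.match(status)
        code, message = (int(m.group(1)), m.group(2)) if m else (-999, status)
        result.append(Agreement(b["replica"], code, message, b.get("last update ended", "")))
    return result


def failing_agreements(text: str) -> List[str]:
    """Names of replicas whose agreement is not healthy, in output order."""
    return [a.replica for a in parse_replica_list(text) if not a.healthy]


if __name__ == "__main__":
    for a in parse_replica_list(SAMPLE):
        state = "OK" if a.healthy else "FAILING"
        print(f"{a.replica}: {state} (code {a.code}: {a.message})")
```

Run the parser over the output captured on each server in turn; an agreement that reports Error (-1) from one side while the topology segment says "Connectivity: both" points at the transport (LDAP reachability or DNS) between that pair, not at the topology.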