FreeIPA and AIX - sudoers_base
by Ronald Wimmer
We managed to integrate AIX IPA clients successfully some time ago. sudo
was also working fine. A few weeks ago sudo stopped working.
The /etc/ldap.conf on our AIX clients contains the following line:
sudoers_base cn=users,cn=compat,ou=sudoers,dc=linux,dc=mydomain,dc=at
If we try to look that up with an LDAP browser we do not even find an OU
named "sudoers". Did the LDAP structure change in the recent past? What
should the sudoers_base line contain?
Cheers,
Ronald
2 days, 22 hours
dns suddenly not happy with DNSSEC
by lejeczek
Hi guys.
That is on the first master, which was happy for a short while and
then suddenly:
...
29-May-2023 12:38:23.597 info: client @0x7f6484005538
127.0.0.1#43235 (onet.pl): query failed (broken trust chain)
for onet.pl/IN/A at ../../../lib/ns/query.c:7355
29-May-2023 12:39:08.518 info: client @0x7f64b0080088
127.0.0.1#48441 (onet.pl): query failed (broken trust chain)
for onet.pl/IN/A at ../../../lib/ns/query.c:7355
and that is for any and every query,
with given forwarders or with no forwarders.
Time is in sync, the network works, everything else seems good
too... and the second master/replica does not complain.
What might the issue be (besides the obvious)?
many thanks, L.
3 days, 13 hours
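The two named log lines above can be checked mechanically. The Python script below is an added example written for this digest, not code from the original post or from BIND/FreeIPA. It parses lines in the format shown, counts "broken trust chain" failures per queried name, and turns the symptom described in the post (every query fails, on one master only) into a simple heuristic: when validation fails for several unrelated names, the resolver's own validation setup (trust anchors, clock, what the forwarders return) is the first suspect rather than one zone's signatures. The sample lines are constructed: the post's two entries, unwrapped, plus two made-up ones.

```python
import re
from collections import Counter

# One named "query failed" entry per line (mail wrapping removed).
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d+) \w+: client @0x[0-9a-f]+ "
    r"(?P<client>\S+?)#\d+ \((?P<qname>[^)]+)\): query failed "
    r"\((?P<reason>[^)]+)\) for (?P<name>\S+)/(?P<qclass>\w+)/(?P<qtype>\w+)"
)

# Constructed sample: the post's two lines plus two invented entries.
SAMPLE_LOG = """\
29-May-2023 12:38:23.597 info: client @0x7f6484005538 127.0.0.1#43235 (onet.pl): query failed (broken trust chain) for onet.pl/IN/A at ../../../lib/ns/query.c:7355
29-May-2023 12:39:08.518 info: client @0x7f64b0080088 127.0.0.1#48441 (onet.pl): query failed (broken trust chain) for onet.pl/IN/A at ../../../lib/ns/query.c:7355
29-May-2023 12:39:10.001 info: client @0x7f64b0080088 127.0.0.1#48442 (example.org): query failed (broken trust chain) for example.org/IN/AAAA at ../../../lib/ns/query.c:7355
29-May-2023 12:39:12.120 info: client @0x7f64b0080099 127.0.0.1#48443 (example.org): query failed (SERVFAIL) for example.org/IN/A at ../../../lib/ns/query.c:7355
"""


def parse_failures(text):
    """Return one dict per 'query failed' line; lines in other formats are skipped."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found.append(m.groupdict())
    return found


def trust_chain_report(text):
    """Count 'broken trust chain' failures per queried name, plus other failure reasons."""
    per_name = Counter()
    other_reasons = Counter()
    for f in parse_failures(text):
        if f["reason"] == "broken trust chain":
            per_name[f["name"]] += 1
        else:
            other_reasons[f["reason"]] += 1
    return {
        "per_name": dict(per_name),
        "distinct_names": len(per_name),
        "other_reasons": dict(other_reasons),
    }


def points_at_local_validator(report, min_names=2):
    """Heuristic drawn from the post's symptom ('any & every query' fails, on one
    server only): trust-chain failures across several unrelated names point at this
    resolver's own validation path (trust anchors, clock, forwarder answers) rather
    than at a single zone's signatures, which would fail on the other replica too."""
    return report["distinct_names"] >= min_names


if __name__ == "__main__":
    rep = trust_chain_report(SAMPLE_LOG)
    print(rep)
    print("local validator suspect:", points_at_local_validator(rep))
```

Feed it the named log of the complaining master and compare the per-name counts with the quiet replica; a long list of distinct names on one side and none on the other is the signal the heuristic looks for.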
New DNS Record - Create Reverse Option Fails
by Jeff Hochberg
Hello,
I have an odd issue that just cropped up... I've been using FreeIPA for the past two or three months. I'm using it both for user/group membership as well as for internal DNS.
Any time I try to add an A record with the "Create reverse" option checked, I see the "waiting" message for about 30 seconds, then I get an error message that the reverse record could not be created.
Here's an example:
Forward Lookup Zone:
company.com
Reverse Lookup Zones:
10.16.172.in-addr.arpa.
100.16.172.in-addr.arpa.
101.16.172.in-addr.arpa.
11.16.172.in-addr.arpa.
12.16.172.in-addr.arpa.
Let's say I go to add an A record for "test-record" in the company.com forward lookup zone:
A -> 172.16.100.123
I see the "Waiting" message for roughly 30 seconds, followed by this error message:
"Cannot create reverse record for "172.16.100.123": No answers could be found in the specified lifetime for DNS reverse zone 123.100.16.172.in-addr.arpa."
It looks like FreeIPA is appending 123 to the zone name (123.100.16.172.in-addr.arpa.) when it should be trying to create the PTR record in 100.16.172.in-addr.arpa.
This only happens with some of the Reverse Lookup Zones - it doesn't occur consistently across all zones.
For example, I just tried creating a second entry for "test-record2" in company.com:
A -> 172.16.10.124 (PTR should be in 10.16.172.in-addr.arpa.)
Both the A record and PTR record get created successfully.
Does anyone happen to have any thoughts as to why this may be happening?
I've been considering deleting the 100.16.172.in-addr.arpa. zone and recreating it, but I have a few dozen records and would prefer to not have to create them again.
Thanks in advance!
4 days, 7 hours
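For the reverse-zone selection described above, here is an added worked example (my code, not FreeIPA's) of the longest-suffix match that should pick 100.16.172.in-addr.arpa. for 172.16.100.123. The name quoted in the error message, 123.100.16.172.in-addr.arpa., is simply the address's complete reverse-pointer name; the functions below derive it with the standard library, match it against the zone list from the post on label boundaries only, and return the chosen zone plus the relative PTR name. The zone list is copied from the post; the hostnames in the usage are assumed.

```python
import ipaddress

# Reverse zones as listed in the post (copied here so the example runs stand-alone).
REVERSE_ZONES = [
    "10.16.172.in-addr.arpa.",
    "100.16.172.in-addr.arpa.",
    "101.16.172.in-addr.arpa.",
    "11.16.172.in-addr.arpa.",
    "12.16.172.in-addr.arpa.",
]


def reverse_name(ip: str) -> str:
    """Full reverse-pointer name for an address, with trailing dot.

    172.16.100.123 -> 123.100.16.172.in-addr.arpa.  This is the name that
    appears in the error message quoted in the post. Works for IPv6 as well
    (ip6.arpa), since ipaddress builds the nibble form.
    """
    return ipaddress.ip_address(ip).reverse_pointer + "."


def _normalize(zone: str) -> str:
    """Lower-case and make sure the zone name is absolute (trailing dot)."""
    z = zone.lower()
    return z if z.endswith(".") else z + "."


def find_reverse_zone(ip: str, zones):
    """Pick the zone that should hold the PTR for `ip`.

    Matching is done on label boundaries (so 10.16.172.in-addr.arpa. never
    matches 5.110.16.172.in-addr.arpa.) and the longest matching zone wins,
    because it is the most specific delegation. Returns (zone, relative_name)
    or (None, None) when no listed zone covers the address.
    """
    ptr = reverse_name(ip)
    best = None
    for zone in zones:
        z = _normalize(zone)
        if ptr == z or ptr.endswith("." + z):
            if best is None or len(z) > len(best):
                best = z
    if best is None:
        return None, None
    relative = "@" if ptr == best else ptr[: -(len(best) + 1)]
    return best, relative


def plan_ptr(ip: str, hostname: str, zones):
    """Describe the PTR record that a 'Create reverse' option should produce."""
    zone, rel = find_reverse_zone(ip, zones)
    if zone is None:
        return {"ok": False, "reason": "no reverse zone covers %s (%s)" % (ip, reverse_name(ip))}
    target = hostname if hostname.endswith(".") else hostname + "."
    return {"ok": True, "zone": zone, "name": rel, "target": target}


if __name__ == "__main__":
    # Assumed hostnames; the addresses are the two from the post.
    print(plan_ptr("172.16.100.123", "test-record.company.com", REVERSE_ZONES))
    print(plan_ptr("172.16.10.124", "test-record2.company.com", REVERSE_ZONES))
```

The label-boundary check is the part worth keeping: a plain string suffix match would let 10.16.172.in-addr.arpa. claim addresses in 172.16.110.0/24, and a /16 zone added later would silently shadow the /24 zones unless the longest match is preferred.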
ldap_sasl_interactive_bind_s: Inappropriate authentication (48) - help debugging
by Radoslaw Kujawa
Hello list.
I am trying to understand a reason for certificate-based authentication
failure to one of my directory servers.
I have 3 IPA replicas running on CentOS 7. After running yum update on
one of the nodes, PKI Tomcat failed to start. That system had not been
updated for the last year or so, so the problem might have existed earlier
and was merely triggered by the update.
At first I suspected the contents of /etc/pki/tomcat were wrong; however,
that does not seem to be the case.
Trying to understand the issue, I decided to try to replicate the
authentication process "by hand":
I've set:
LDAPTLS_CACERTDIR="/etc/pki/pki-tomcat/alias"
LDAPTLS_CERT="NSS Certificate DB:subsystemCert cert-pki-ca"
However:
${NODE1}# ldapsearch -H ldaps://${NODE1}:636 -b "" -s base -Y EXTERNAL
-Q -LLL dn namingcontexts
ldap_sasl_interactive_bind_s: Inappropriate authentication (48)
additional info: missing client certificate
Interestingly, I _can_ authenticate this way to the other two nodes
(from the same node where authentication to a local dir server does not
work):
${NODE1}# ldapsearch -H ldaps://${NODE2}:636 -b "" -s base -Y EXTERNAL
-Q -LLL dn namingcontexts
dn:
namingcontexts: cn=changelog
namingcontexts: dc=infra,dc=linker,dc=shop
namingcontexts: o=ipaca
I don't understand what "missing client certificate" means in this
case; after all, the client configuration is identical, I am merely changing
the server to which I connect.
I've investigated the contents of /tmp/openldap-tlsmc*/*/*pem and it
seems to be correct (and the same on all nodes) when I use ldapsearch -Y
EXTERNAL.
${NODE1}# openssl x509 -in /tmp/openldap-tlsmc-alias--*/cert.pem -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 228 (0xe4)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=xxx CN=Certificate Authority
Validity
Not Before: Jul 12 08:49:04 2022 GMT
Not After : Jul 1 08:49:04 2024 GMT
Subject: O=xxx, CN=CA Subsystem
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
...
I suspected that maybe replication is somehow messed up, but it seems to
be working:
${NODE1}# ipa-replica-manage list `hostname` -v
${NODE2}: replica
last update status: Error (0) Replica acquired successfully:
Incremental update succeeded
last update ended: 2023-05-30 14:21:10+00:00
${NODE3}: replica
last update status: Error (0) Replica acquired successfully:
Incremental update succeeded
last update ended: 2023-05-30 14:21:10+00:00
As I understand it, the cert-pki-ca certificate and private key are shared
between the nodes and can be used to authenticate to any of the directory
servers?
What can possibly be different in directory servers between these nodes,
which results in certificate authentication failing to one server, and
succeeding to another?
Any hints would be appreciated.
Best regards,
Radoslaw
4 days, 14 hours
Need some advice on current Replica Best Practices (LDAP only, no AD)
by Chris Cowan
I work for a large corporation where we would like to switch from OpenLDAP (with Krb5) to Red Hat IdM. I'll call it xyz.com.
The IAM system we are refactoring was set up more than a decade ago, and is based on OpenLDAP. We had a primary or master server in one location, with multiple RO replicas, geographically distributed. The user and group spaces were flat, from an LDAP OU and Kerberos 5 perspective. There was only a single realm. DNS was not used for Kerberos, with krb5.conf files managed so clients are pushed to the closest KDC.
After the system was running, the CIO implemented a corporate SSO using an Enterprise Directory (which is also OpenLDAP or some other 389 descendant). There are isolated pockets of AD, and nothing in the TLD. So, AD is not really used at the Enterprise level.
I'm exploring the replication options using the following assumptions.
- Not using AD, only OpenLDAP, RHDS, or some 389 variant.
- There will be a minimum of 3 but eventually 7 locations with an IdM server deployed. Each location uses a unique subdomain under xyz.com
- We allocate uids and gids starting at 100K. We still want it to be flat.
- We would like to use a Pass Through Agent (PTA) to our Enterprise Directory, for this block of users, if possible, for the LDAP binding.
- We would like to have a single Kerberos realm for all of these locations.
- There is no expectation that the LDAP and Kerberos passwords will be synced.
I've seen some conversations in the mailing list archives, but nothing recent. Hopefully, someone can give me some pointers or websites which discuss replication/deployment scenarios.
--
Chris
4 days, 19 hours
repl conflict which is not there - ?
by lejeczek
Hi guys.
This is what 'ipa-healthcheck' complains of:
{
"source": "ipahealthcheck.ds.replication",
"check": "ReplicationCheck",
"result": "WARNING",
"uuid": "720d7af6-5a11-486f-a610-f6f06ec4d9e2",
"when": "20230526202306Z",
"duration": "0.054683",
"kw": {
"key": "DSREPLLE0002",
"items": [
"Replication",
"Conflict Entries"
],
"msg": "There were 1 conflict entries found under the replication suffix \"o=ipaca\"."
}
},
and the old trick finds no culprit:
-> $ ldapsearch -LLL -H ldaps://$(hostname) -Y GSSAPI -D
'cn=Directory Manager' -b 'o=ipaca'
'(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))'
nsds5ReplConflict
SASL/GSSAPI authentication started
SASL username: admin@MINE.PRIV
SASL SSF: 256
SASL data security layer installed.
where is it hiding?
many thanks, L.
4 days, 20 hours
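An added example (my code, not ipa-healthcheck's and not from the post) that reads the JSON list ipa-healthcheck prints, keeps only results at WARNING or above, and pulls the replication suffix out of the DSREPLLE0002 message so the follow-up conflict search is run under the suffix the check actually named. The sample output is constructed: the first entry reproduces the warning quoted above, the second is a made-up passing check with placeholder names.

```python
import json
import re

# Result levels as ipa-healthcheck reports them, lowest to highest.
SEVERITY = {"SUCCESS": 0, "WARNING": 1, "ERROR": 2, "CRITICAL": 3}

# Constructed sample: entry one copies the post's warning, entry two is an
# invented passing check (placeholder source/check names) for the filter to drop.
SAMPLE_OUTPUT = json.dumps([
    {
        "source": "ipahealthcheck.ds.replication",
        "check": "ReplicationCheck",
        "result": "WARNING",
        "uuid": "720d7af6-5a11-486f-a610-f6f06ec4d9e2",
        "when": "20230526202306Z",
        "duration": "0.054683",
        "kw": {
            "key": "DSREPLLE0002",
            "items": ["Replication", "Conflict Entries"],
            "msg": "There were 1 conflict entries found under the replication suffix \"o=ipaca\".",
        },
    },
    {
        "source": "ipahealthcheck.example.placeholder",
        "check": "ConstructedOkCheck",
        "result": "SUCCESS",
        "uuid": "00000000-0000-0000-0000-000000000001",
        "when": "20230526202307Z",
        "duration": "0.001000",
        "kw": {},
    },
])

SUFFIX_RE = re.compile(r'replication suffix "([^"]+)"')


def load_results(text):
    """Parse the JSON list; anything that is not a list is a different output type."""
    data = json.loads(text)
    if not isinstance(data, list):
        raise ValueError("expected a JSON list of check results")
    return data


def findings(text, min_result="WARNING"):
    """Flatten results at or above `min_result` into (source, check, result, key, msg)."""
    floor = SEVERITY[min_result]
    out = []
    for r in load_results(text):
        # An unknown result string is treated as the highest level so it is never dropped.
        level = SEVERITY.get(r.get("result"), SEVERITY["CRITICAL"])
        if level < floor:
            continue
        kw = r.get("kw") or {}
        out.append({
            "source": r.get("source"),
            "check": r.get("check"),
            "result": r.get("result"),
            "key": kw.get("key"),
            "msg": kw.get("msg", ""),
        })
    return out


def conflict_suffixes(text):
    """Suffixes named by DSREPLLE0002 (conflict entries) findings."""
    suffixes = set()
    for f in findings(text):
        if f["key"] != "DSREPLLE0002":
            continue
        m = SUFFIX_RE.search(f["msg"])
        if m:
            suffixes.add(m.group(1))
    return sorted(suffixes)


if __name__ == "__main__":
    for f in findings(SAMPLE_OUTPUT):
        print(f["result"], f["source"], f["check"], f["key"], f["msg"])
    print("search for conflicts under:", conflict_suffixes(SAMPLE_OUTPUT))
```

Run it over the file you saved ipa-healthcheck's output to; the only strings it relies on (the result levels, the DSREPLLE0002 key and the "replication suffix" wording) are the ones visible in the post.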
Can't add CA to replica - invalid 'cn': must be
by Nicholas Cross
We are in the process of adding a new CA replica.
We install in the following fashion:
1. ipa-replica-install
2. ipa-dns-install
3. ipa-ca-install
All goes well until step 3, ipa-ca-install, where we get the error:
2023-05-22T16:51:30Z ERROR ERROR: Remote master check failed with following error message(s):
invalid 'cn': must be "ipa011.ad.company.fm"
If we do --skip-conn-check (not recommended) at step 3 we get a complete install, but it does not allow kinit to work on that server.
Any thoughts on how to diagnose and/or fix?
Thanks
Nick.
1 week, 1 day
container IPA fine but only until host's reboot
by lejeczek
Hi guys.
I've a replica in a container which deploys and works seemingly
okay; a container reboot is not detrimental to IPA, yet a host
reboot seems to break LDAP.
Both container and host are up-to-date CentOS 9; it's a
rootful container.
So far (several times, and it reproduces each time) I can
remove the "broken" container, re-create it anew, it works, then the
host reboots and ... a bummer.
Anybody seen this or similar issues? Log snippets:
-> $ ipactl restart
Starting Directory Service
Failed to start Directory Service:
CalledProcessError(Command ['/bin/systemctl', 'start',
'dirsrv@MINE-PRIV.service'] returned non-zero exit status 1)
Starting 389 Directory Server MINE-PRIV....
dirsrv@MINE-PRIV.service: ProtectHostname=yes is configured,
but UTS namespace setup is prohibited (container manager?),
ignoring namespace setup.
dirsrv@MINE-PRIV.service: ProtectHostname=yes is configured,
but UTS namespace setup is prohibited (container manager?),
ignoring namespace setup.
dirsrv@MINE-PRIV.service: ProtectHostname=yes is configured,
but UTS namespace setup is prohibited (container manager?),
ignoring namespace setup.
[25/May/2023:20:38:08.747319489 +0000] - CRIT - Security
Initialization - warn_if_no_cert_file - Certificate DB file
cert8.db nor cert9.db exists in
[/etc/dirsrv/slapd-MINE-PRIV] - SSL initialization will
likely fail
[25/May/2023:20:38:08.752730373 +0000] - CRIT - Security
Initialization - warn_if_no_key_file - Key DB file key3.db
nor key4.db exists in [/etc/dirsrv/slapd-MINE-PRIV] - SSL
initialization will likely fail
[25/May/2023:20:38:08.768566520 +0000] - ERR - Security
Initialization - SSL failure: NSS initialization failed
(Netscape Portable Runtime error -8174 - security library:
bad database.): certdir: /etc/dirsrv/slapd-MINE-PRIV
[25/May/2023:20:38:08.770531395 +0000] - ERR -
force_to_disable_security - ERROR: NSS Initialization
Failed. Disabling NSS.
[25/May/2023:20:38:08.772440575 +0000] - ERR -
set_workingdir - detach: failed to chdir to
/var/log/dirsrv/slapd-MINE-PRIV
[25/May/2023:20:38:08.774326540 +0000] - ERR -
set_workingdir - detach: set workingdir failed with "Working
directory "/" is not writeable."
[25/May/2023:20:38:08.776402306 +0000] - INFO - main -
389-Directory/2.2.4 B2022.347.0000 starting up
[25/May/2023:20:38:08.778279795 +0000] - INFO - main -
Setting the maximum file descriptor limit to: 1024
[25/May/2023:20:38:08.780257034 +0000] - ERR -
fedse_create_startOK - Cannot copy DSE file
"/etc/dirsrv/slapd-MINE-PRIV/dse.ldif" to
"/etc/dirsrv/slapd-MINE-PRIV/dse.ldif.startOK" OS error 13
(Permission denied)
[25/May/2023:20:38:08.782222230 +0000] - ERR -
dse_write_file_nolock - Cannot open temporary DSE file
"/etc/dirsrv/slapd-MINE-PRIV/dse.ldif.tmp" for update: OS
error 13 (Permission denied)
[25/May/2023:20:38:08.787607325 +0000] - ERR - PBKDF2_SHA256
- Unable to generate algorithm ID.
[25/May/2023:20:38:08.789526243 +0000] - ERR - PBKDF2_SHA256
- Could not generate pbkdf2_sha256_hash!
[25/May/2023:20:38:08.791436584 +0000] - ERR - PBKDF2_SHA256
- Unable to generate algorithm ID.
[25/May/2023:20:38:08.793404806 +0000] - ERR - PBKDF2_SHA256
- Could not generate pbkdf2_sha256_hash!
[25/May/2023:20:38:08.795305449 +0000] - ERR - PBKDF2_SHA256
- Unable to generate algorithm ID.
[25/May/2023:20:38:08.797253522 +0000] - ERR - PBKDF2_SHA256
- Could not generate pbkdf2_sha256_hash!
[25/May/2023:20:38:08.799164114 +0000] - ERR - PBKDF2_SHA256
- Unable to generate algorithm ID.
[25/May/2023:20:38:08.801065298 +0000] - ERR - PBKDF2_SHA256
- Could not generate pbkdf2_sha256_hash!
[25/May/2023:20:38:08.803027158 +0000] - ERR - PBKDF2_SHA256
- Unable to generate algorithm ID.
[25/May/2023:20:38:08.804938281 +0000] - ERR - PBKDF2_SHA256
- Could not generate pbkdf2_sha256_hash!
[25/May/2023:20:38:08.806866727 +0000] - ERR - PBKDF2_SHA256
- Unable to generate algorithm ID.
[25/May/2023:20:38:08.808871438 +0000] - ERR - PBKDF2_SHA256
- Could not generate pbkdf2_sha256_hash!
[25/May/2023:20:38:08.810796257 +0000] - ERR - PBKDF2_SHA256
- Unable to generate algorithm ID.
[25/May/2023:20:38:08.812761433 +0000] - ERR - PBKDF2_SHA256
- Could not generate pbkdf2_sha256_hash!
[25/May/2023:20:38:08.814675903 +0000] - ERR - PBKDF2_SHA256
- Unable to generate algorithm ID.
[25/May/2023:20:38:08.816595692 +0000] - ERR - PBKDF2_SHA256
- Could not generate pbkdf2_sha256_hash!
[25/May/2023:20:38:08.818568974 +0000] - INFO -
PBKDF2_SHA256 - Based on CPU performance, chose 12000 rounds
[25/May/2023:20:38:08.822101547 +0000] - INFO -
ldbm_instance_config_cachememsize_set - force a minimal
value 512000
[25/May/2023:20:38:08.824226177 +0000] - INFO -
ldbm_instance_config_set - instance: userRoot attr aci
[25/May/2023:20:38:08.826218264 +0000] - INFO -
ldbm_instance_config_set - instance: userRoot attr
nsslapd-cachesize
[25/May/2023:20:38:08.828147422 +0000] - INFO -
ldbm_instance_config_set - instance: userRoot attr
nsslapd-cachememsize
[25/May/2023:20:38:08.830689678 +0000] - INFO -
ldbm_instance_config_set - instance: userRoot attr
nsslapd-readonly
[25/May/2023:20:38:08.832725468 +0000] - INFO -
ldbm_instance_config_set - instance: userRoot attr
nsslapd-require-index
[25/May/2023:20:38:08.834666098 +0000] - INFO -
ldbm_instance_config_set - instance: userRoot attr
nsslapd-require-internalop-index
[25/May/2023:20:38:08.836658115 +0000] - INFO -
ldbm_instance_config_set - instance: userRoot attr
nsslapd-dncachememsize
[25/May/2023:20:38:08.838859671 +0000] - INFO -
ldbm_instance_config_set - instance: userRoot attr
nsslapd-directory
[25/May/2023:20:38:08.843583015 +0000] - INFO -
ldbm_instance_config_cachememsize_set - force a minimal
value 512000
[25/May/2023:20:38:08.845746619 +0000] - INFO -
ldbm_instance_config_set - instance: ipaca attr
nsslapd-cachesize
[25/May/2023:20:38:08.847696185 +0000] - INFO -
ldbm_instance_config_set - instance: ipaca attr
nsslapd-cachememsize
[25/May/2023:20:38:08.850034512 +0000] - INFO -
ldbm_instance_config_set - instance: ipaca attr nsslapd-readonly
[25/May/2023:20:38:08.852052299 +0000] - INFO -
ldbm_instance_config_set - instance: ipaca attr
nsslapd-require-index
[25/May/2023:20:38:08.854005963 +0000] - INFO -
ldbm_instance_config_set - instance: ipaca attr
nsslapd-require-internalop-index
[25/May/2023:20:38:08.855960008 +0000] - INFO -
ldbm_instance_config_set - instance: ipaca attr
nsslapd-dncachememsize
[25/May/2023:20:38:08.858087924 +0000] - INFO -
ldbm_instance_config_set - instance: ipaca attr
nsslapd-directory
[25/May/2023:20:38:08.862288731 +0000] - INFO -
ldbm_instance_config_cachememsize_set - force a minimal
value 512000
[25/May/2023:20:38:08.864482192 +0000] - INFO -
ldbm_instance_config_set - instance: changelog attr
nsslapd-cachesize
[25/May/2023:20:38:08.866449653 +0000] - INFO -
ldbm_instance_config_set - instance: changelog attr
nsslapd-cachememsize
[25/May/2023:20:38:08.868618397 +0000] - INFO -
ldbm_instance_config_set - instance: changelog attr
nsslapd-readonly
[25/May/2023:20:38:08.870625282 +0000] - INFO -
ldbm_instance_config_set - instance: changelog attr
nsslapd-require-index
[25/May/2023:20:38:08.872589927 +0000] - INFO -
ldbm_instance_config_set - instance: changelog attr
nsslapd-require-internalop-index
[25/May/2023:20:38:08.874549833 +0000] - INFO -
ldbm_instance_config_set - instance: changelog attr
nsslapd-dncachememsize
[25/May/2023:20:38:08.876699000 +0000] - INFO -
ldbm_instance_config_set - instance: changelog attr
nsslapd-directory
[25/May/2023:20:38:08.880669548 +0000] - NOTICE -
bdb_start_autotune - found 32506232k physical memory
[25/May/2023:20:38:08.882702473 +0000] - NOTICE -
bdb_start_autotune - found 28174216k available
[25/May/2023:20:38:08.884678500 +0000] - NOTICE -
bdb_start_autotune - cache autosizing: db cache: 1572864k
[25/May/2023:20:38:08.886641071 +0000] - NOTICE -
bdb_start_autotune - cache autosizing: userRoot entry cache
(3 total): 2031616k
[25/May/2023:20:38:08.889062407 +0000] - NOTICE -
bdb_start_autotune - cache autosizing: userRoot dn cache (3
total): 262144k
[25/May/2023:20:38:08.891234948 +0000] - NOTICE -
bdb_start_autotune - cache autosizing: ipaca entry cache (3
total): 2031616k
[25/May/2023:20:38:08.893482262 +0000] - NOTICE -
bdb_start_autotune - cache autosizing: ipaca dn cache (3
total): 262144k
[25/May/2023:20:38:08.895602163 +0000] - NOTICE -
bdb_start_autotune - cache autosizing: changelog entry cache
(3 total): 2031616k
[25/May/2023:20:38:08.897693539 +0000] - NOTICE -
bdb_start_autotune - cache autosizing: changelog dn cache (3
total): 262144k
[25/May/2023:20:38:08.899736183 +0000] - NOTICE -
bdb_start_autotune - total cache size: 8657043456 B;
[25/May/2023:20:38:08.901810216 +0000] - ERR -
bdb_version_write - Could not open file
"/var/lib/dirsrv/slapd-MINE-PRIV/db/DBVERSION" for writing
Netscape Portable Runtime -5966 (Access Denied.)
[25/May/2023:20:38:08.903797254 +0000] - ERR - mkdir_p -
/var/lib/dirsrv: error -5943 (Cannot create or rename a
filename that already exists.)
[25/May/2023:20:38:08.905887528 +0000] - CRIT - bdb_start -
Can't start because the database directory
"/var/lib/dirsrv/slapd-MINE-PRIV/db" either doesn't exist,
or is not accessible
[25/May/2023:20:38:08.907883443 +0000] - ERR -
ldbm_back_start - Failed to init database, err=-1 Unexpected
dbimpl error code
[25/May/2023:20:38:08.909873536 +0000] - ERR -
plugin_dependency_startall - Failed to start database plugin
ldbm database
[25/May/2023:20:38:08.912185504 +0000] - ERR -
schema-compat-plugin - scheduled schema-compat-plugin tree
scan in about 5 seconds after the server startup!
[25/May/2023:20:38:08.914588354 +0000] - CRIT -
dblayer_setup - dblayer_init failed
[25/May/2023:20:38:08.916582074 +0000] - ERR -
ldbm_back_start - Failed to setup dblayer
[25/May/2023:20:38:08.918659775 +0000] - ERR -
plugin_dependency_startall - Failed to start database plugin
ldbm database
[25/May/2023:20:38:08.920651491 +0000] - ERR -
plugin_dependency_startall - Failed to resolve plugin
dependencies
[25/May/2023:20:38:08.922769498 +0000] - ERR -
plugin_dependency_startall - betxnpreoperation plugin 7-bit
check is not started
[25/May/2023:20:38:08.924779700 +0000] - ERR -
plugin_dependency_startall - preoperation plugin Account
Usability Plugin is not started
[25/May/2023:20:38:08.926780244 +0000] - ERR -
plugin_dependency_startall - accesscontrol plugin ACL Plugin
is not started
[25/May/2023:20:38:08.928838868 +0000] - ERR -
plugin_dependency_startall - preoperation plugin ACL
preoperation is not started
[25/May/2023:20:38:08.930855532 +0000] - ERR -
plugin_dependency_startall - betxnpreoperation plugin Auto
Membership Plugin is not started
[25/May/2023:20:38:08.932879861 +0000] - ERR -
plugin_dependency_startall - preoperation plugin caacl name
uniqueness is not started
[25/May/2023:20:38:08.934954846 +0000] - ERR -
plugin_dependency_startall - preoperation plugin certificate
store issuer/serial uniqueness is not started
[25/May/2023:20:38:08.936969697 +0000] - ERR -
plugin_dependency_startall - preoperation plugin certificate
store subject uniqueness is not started
[25/May/2023:20:38:08.939096711 +0000] - ERR -
plugin_dependency_startall - object plugin Class of Service
is not started
[25/May/2023:20:38:08.941113295 +0000] - ERR -
plugin_dependency_startall - object plugin Content
Synchronization is not started
[25/May/2023:20:38:08.943127434 +0000] - ERR -
plugin_dependency_startall - preoperation plugin deref is
not started
[25/May/2023:20:38:08.945181109 +0000] - ERR -
plugin_dependency_startall - bepreoperation plugin
Distributed Numeric Assignment Plugin is not started
[25/May/2023:20:38:08.947196180 +0000] - ERR -
plugin_dependency_startall - preoperation plugin IPA DNS is
not started
[25/May/2023:20:38:08.949205500 +0000] - ERR -
plugin_dependency_startall - object plugin IPA Graceperiod
is not started
[25/May/2023:20:38:08.951276348 +0000] - ERR -
plugin_dependency_startall - object plugin IPA Lockout is
not started
[25/May/2023:20:38:08.953303542 +0000] - ERR -
plugin_dependency_startall - betxnpostoperation plugin IPA
MODRDN is not started
[25/May/2023:20:38:08.955319695 +0000] - ERR -
plugin_dependency_startall - preoperation plugin IPA OTP
Counter is not started
[25/May/2023:20:38:08.957401373 +0000] - ERR -
plugin_dependency_startall - preoperation plugin IPA OTP
Last Token is not started
[25/May/2023:20:38:08.959428697 +0000] - ERR -
plugin_dependency_startall - preoperation plugin IPA
Range-Check is not started
[25/May/2023:20:38:08.961479948 +0000] - ERR -
plugin_dependency_startall - postoperation plugin IPA SIDGEN
is not started
[25/May/2023:20:38:08.963520437 +0000] - ERR -
plugin_dependency_startall - object plugin IPA Topology
Configuration is not started
[25/May/2023:20:38:08.965548823 +0000] - ERR -
plugin_dependency_startall - preoperation plugin IPA UUID is
not started
[25/May/2023:20:38:08.967588822 +0000] - ERR -
plugin_dependency_startall - preoperation plugin IPA Version
Replication is not started
[25/May/2023:20:38:08.969640553 +0000] - ERR -
plugin_dependency_startall - preoperation plugin ipa-winsync
is not started
[25/May/2023:20:38:08.971679109 +0000] - ERR -
plugin_dependency_startall - extendedop plugin
ipa_enrollment_extop is not started
[25/May/2023:20:38:08.973720600 +0000] - ERR -
plugin_dependency_startall - extendedop plugin
ipa_extdom_extop is not started
[25/May/2023:20:38:08.975765037 +0000] - ERR -
plugin_dependency_startall - extendedop plugin ipa_pwd_extop
is not started
[25/May/2023:20:38:08.977817560 +0000] - ERR -
plugin_dependency_startall - preoperation plugin
ipaSubordinateIdEntry ipaOwner uniqueness is not started
[25/May/2023:20:38:08.979867658 +0000] - ERR -
plugin_dependency_startall - preoperation plugin ipaUniqueID
uniqueness is not started
[25/May/2023:20:38:08.981913688 +0000] - ERR -
plugin_dependency_startall - preoperation plugin
krbCanonicalName uniqueness is not started
[25/May/2023:20:38:08.983974386 +0000] - ERR -
plugin_dependency_startall - preoperation plugin
krbPrincipalName uniqueness is not started
[25/May/2023:20:38:08.986051896 +0000] - ERR -
plugin_dependency_startall - database plugin ldbm database
is not started
[25/May/2023:20:38:08.988109989 +0000] - ERR -
plugin_dependency_startall - betxnpreoperation plugin Linked
Attributes is not started
[25/May/2023:20:38:08.990170186 +0000] - ERR -
plugin_dependency_startall - betxnpreoperation plugin
Managed Entries is not started
[25/May/2023:20:38:08.992227157 +0000] - ERR -
plugin_dependency_startall - betxnpostoperation plugin
MemberOf Plugin is not started
[25/May/2023:20:38:08.994270532 +0000] - ERR -
plugin_dependency_startall - object plugin Multisupplier
Replication Plugin is not started
[25/May/2023:20:38:08.996345598 +0000] - ERR -
plugin_dependency_startall - preoperation plugin netgroup
uniqueness is not started
[25/May/2023:20:38:08.998405354 +0000] - ERR -
plugin_dependency_startall - betxnpostoperation plugin
referential integrity postoperation is not started
[25/May/2023:20:38:09.000484848 +0000] - ERR -
plugin_dependency_startall - object plugin Retro Changelog
Plugin is not started
[25/May/2023:20:38:09.002615038 +0000] - ERR -
plugin_dependency_startall - object plugin Roles Plugin is
not started
[25/May/2023:20:38:09.004668452 +0000] - ERR -
plugin_dependency_startall - preoperation plugin sudorule
name uniqueness is not started
[25/May/2023:20:38:09.006728329 +0000] - ERR -
plugin_dependency_startall - preoperation plugin uid
uniqueness is not started
[25/May/2023:20:38:09.008808835 +0000] - ERR -
plugin_dependency_startall - object plugin USN is not started
[25/May/2023:20:38:09.010895272 +0000] - ERR -
plugin_dependency_startall - object plugin Views is not started
[25/May/2023:20:38:09.012962683 +0000] - ERR -
plugin_dependency_startall - extendedop plugin whoami is not
started
dirsrv@MINE-PRIV.service: Main process exited, code=exited,
status=1/FAILURE
dirsrv@MINE-PRIV.service: Failed with result 'exit-code'.
Failed to start 389 Directory Server MINE-PRIV..
1 week, 1 day
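The dirsrv log above is long but has a pattern: after the two NSS warnings, every CRIT and ERR line up to the plugin cascade is a file or directory the server could not read or write. The Python below is an added example (my code, not 389-ds or FreeIPA code) that parses the errors-log line format, sorts lines into the two symptom classes present in the post (NSS certificate/key database missing or bad; filesystem permission failures), and lists the instance directories named in those lines, which are the ones whose ownership and labels to compare before and after the host reboot. The sample entries are single-line copies of lines from the post.

```python
import re
from collections import Counter

# 389-ds errors log: "[timestamp] - LEVEL - component - message"
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] - (?P<level>[A-Z]+) - (?P<rest>.*)$")
PATH_RE = re.compile(r"/[A-Za-z0-9_./-]+")
INSTANCE_DIR_RE = re.compile(r"^(/(?:etc|var/lib|var/log)/dirsrv/slapd-[^/]+)")

# Symptom classes keyed on message fragments taken from the post's log.
CAUSES = {
    "filesystem permissions": re.compile(
        r"Permission denied|Access Denied|not writeable|not accessible|failed to chdir"),
    "nss database": re.compile(
        r"cert8\.db nor cert9\.db|key3\.db nor key4\.db|NSS initialization failed|bad database"),
}

# Constructed sample: lines from the post with the mail wrapping removed.
SAMPLE_LOG = """\
[25/May/2023:20:38:08.747319489 +0000] - CRIT - Security Initialization - warn_if_no_cert_file - Certificate DB file cert8.db nor cert9.db exists in [/etc/dirsrv/slapd-MINE-PRIV] - SSL initialization will likely fail
[25/May/2023:20:38:08.768566520 +0000] - ERR - Security Initialization - SSL failure: NSS initialization failed (Netscape Portable Runtime error -8174 - security library: bad database.): certdir: /etc/dirsrv/slapd-MINE-PRIV
[25/May/2023:20:38:08.772440575 +0000] - ERR - set_workingdir - detach: failed to chdir to /var/log/dirsrv/slapd-MINE-PRIV
[25/May/2023:20:38:08.774326540 +0000] - ERR - set_workingdir - detach: set workingdir failed with "Working directory "/" is not writeable."
[25/May/2023:20:38:08.780257034 +0000] - ERR - fedse_create_startOK - Cannot copy DSE file "/etc/dirsrv/slapd-MINE-PRIV/dse.ldif" to "/etc/dirsrv/slapd-MINE-PRIV/dse.ldif.startOK" OS error 13 (Permission denied)
[25/May/2023:20:38:08.776402306 +0000] - INFO - main - 389-Directory/2.2.4 B2022.347.0000 starting up
[25/May/2023:20:38:08.901810216 +0000] - ERR - bdb_version_write - Could not open file "/var/lib/dirsrv/slapd-MINE-PRIV/db/DBVERSION" for writing Netscape Portable Runtime -5966 (Access Denied.)
[25/May/2023:20:38:08.905887528 +0000] - CRIT - bdb_start - Can't start because the database directory "/var/lib/dirsrv/slapd-MINE-PRIV/db" either doesn't exist, or is not accessible
[25/May/2023:20:38:09.008808835 +0000] - ERR - plugin_dependency_startall - object plugin USN is not started
"""


def parse_errors_log(text):
    """One dict per log line; the systemd lines that precede the log are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        component, _, message = m.group("rest").partition(" - ")
        entries.append({"ts": m.group("ts"), "level": m.group("level"),
                        "component": component, "message": message})
    return entries


def triage(text):
    """Count levels, tally each symptom class, collect the paths it names, keep the first CRIT."""
    entries = parse_errors_log(text)
    levels = Counter(e["level"] for e in entries)
    hits = Counter()
    paths = {name: set() for name in CAUSES}
    for e in entries:
        for name, pattern in CAUSES.items():
            if pattern.search(e["message"]):
                hits[name] += 1
                paths[name].update(PATH_RE.findall(e["message"]))
    first_crit = next((e for e in entries if e["level"] == "CRIT"), None)
    return {"levels": dict(levels), "hits": dict(hits),
            "paths": {k: sorted(v) for k, v in paths.items()}, "first_crit": first_crit}


def instance_dirs(report):
    """Reduce the flagged paths to the per-instance directories to inspect."""
    dirs = set()
    for plist in report["paths"].values():
        for p in plist:
            m = INSTANCE_DIR_RE.match(p)
            if m:
                dirs.add(m.group(1))
    return sorted(dirs)


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    print(rep["levels"], rep["hits"])
    print("first CRIT:", rep["first_crit"]["component"], "-", rep["first_crit"]["message"])
    print("check ownership/labels of:", instance_dirs(rep))
```

The plugin "is not started" lines are deliberately left unclassified: they are fallout from the database failing to open, not a cause, and a triage that counts them as findings buries the two lines that matter.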
Fwd: Problem with replica installation 4.10.1
by Jakub Werwiński
I tried with the --skip-conncheck option; however, I get the same error (-11)
every time. The firewall was disabled and also tested.
Error on the replica in /var/log/dirsrv/slapd-MY.DOMAIN.COM/error:
[25/May/2023:15:18:45.460057564 +0200] - ERR - NSMMReplicationPlugin - update_consumer_schema - [S] Schema agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389) must not be overwritten (set replication log for additional info)
[25/May/2023:15:18:46.104681271 +0200] - INFO - NSMMReplicationPlugin - repl5_tot_run - Beginning total update of replica "agmt="cn=meTofreeipa-mydomain.com" (freeipa-replica:389)".
[25/May/2023:15:18:58.638287655 +0200] - ERR - NSMMReplicationPlugin - repl5_tot_log_operation_failure - agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389): Received error -1 (Can't contact LDAP server): for total update operation
[25/May/2023:15:18:58.640550244 +0200] - ERR - NSMMReplicationPlugin - release_replica - agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389): Unable to send endReplication extended operation (Can't contact LDAP server)
[25/May/2023:15:18:58.642048003 +0200] - ERR - NSMMReplicationPlugin - repl5_tot_run - Total update failed for replica "agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389)", error (-11)
[25/May/2023:15:18:58.659305226 +0200] - INFO - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389): Replication bind with GSSAPI auth resumed
[25/May/2023:15:18:59.607038328 +0200] - WARN - NSMMReplicationPlugin - repl5_inc_run - agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[25/May/2023:15:19:02.995509460 +0200] - WARN - NSMMReplicationPlugin - repl5_inc_run - agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
On Thu, 25 May 2023 at 09:46, Florence Blanc-Renaud <flo(a)redhat.com> wrote:
> Hi,
>
> replica installation failures are often related to either a wrong DNS
> configuration or firewall preventing the communication.
> Did you run ipa-replica-installation with or without the option
> --skip-conncheck? Without the option you may have some hints if the issue
> is related to the firewall.
> You can find more info in Host name and DNS requirements for IdM [1] and
> Opening the ports required by IdM [2].
>
> The timestamp for replica installation is 2023-05-24T*10:15:04Z* but the
> master logs don't match (24/May/2023:*11:47:29.382502138 +0200*).
> Difficult to draw any conclusion with that, do you have the master logs
> from the same time?
>
> flo
>
> [1]
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/...
> [2]
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/...
>
>
> On Wed, May 24, 2023 at 12:34 PM Jakub Werwiński via FreeIPA-users <
> freeipa-users(a)lists.fedorahosted.org> wrote:
>
>> Hi, I have a problem with FreeIPA replica installation; log:
>>
>> Starting replication, please wait until this has completed.
>> Update in progress, 12 seconds elapsed
>> [ldap://freeipa.mydomain.com:389] reports: Update failed! Status: [Error
>> (-11) connection error: Unknown connection error (-11) - Total update
>> aborted]
>>
>> [error] RuntimeError: Failed to start replication
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>> Failed to start replication
>> The ipa-replica-install command failed. See
>> /var/log/ipareplica-install.log for more information
>>
>>
>>
>> ---------------------------------------- var/log/ipareplica-install.log
>> -------------------------------------------------------
>>
>> 2023-05-24T10:14:50Z DEBUG Waiting up to 300 seconds for replication
>> (ldapi://%2Frun%2Fslapd-MY-DOMAIN.COM.socket) cn=meTofreeipa.mydomain.com,cn=replica,cn=dc\=xxx-poland\,dc\=com\,dc\=pl,cn=mapping
>> tree,cn=config (objectclass=*)
>> 2023-05-24T10:14:50Z DEBUG Entry found [LDAPEntry(ipapython.dn.DN('cn=
>> meTofreeipa.mydomain.com,cn=replica,cn=dc\=xxx-com\,dc\=com\,dc\=pl,cn=mapping
>> tree,cn=config'), {'objectClass': [b'nsds5replicationagreement', b'top'],
>> 'cn': [b'meTofreeipa.mydomain.com'], 'nsDS5ReplicaHost': [b'
>> freeipa.mydomain.com'], 'nsDS5ReplicaPort': [b'389'],
>> 'nsds5replicaTimeout': [b'120'], 'nsDS5ReplicaRoot':
>> [b'dc=mydomain,dc=com,dc=pl'], 'description': [b'me to
>> freeipa.mydomain.com'], 'nsDS5ReplicatedAttributeList':
>> [b'(objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn
>> krblastsuccessfulauth krblastfailedauth krbloginfailedcount
>> passwordgraceusertime'], 'nsDS5ReplicaTransportInfo': [b'LDAP'],
>> 'nsDS5ReplicaBindMethod': [b'SASL/GSSAPI'], 'nsds5ReplicaStripAttrs':
>> [b'modifiersName modifyTimestamp internalModifiersName
>> internalModifyTimestamp'], 'nsDS5ReplicatedAttributeListTotal':
>> [b'(objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth
>> krblastfailedauth krbloginfailedcount passwordgraceusertime'],
>> 'nsds5replicareapactive': [b'0'], 'nsds5replicaLastUpdateStart':
>> [b'19700101000000Z'], 'nsds5replicaLastUpdateEnd': [b'19700101000000Z'],
>> 'nsds5replicaChangesSentSinceStartup': [b''],
>> 'nsds5replicaLastUpdateStatus': [b'Error (0) No replication sessions
>> started since server startup'], 'nsds5replicaLastUpdateStatusJSON':
>> [b'{"state": "green", "ldap_rc": "0", "ldap_rc_text": "success", "repl_rc":
>> "0", "repl_rc_text": "replica acquired", "date": "2023-05-24T10:14:50Z",
>> "message": "Error (0) No replication sessions started since server
>> startup"}'], 'nsds5replicaUpdateInProgress': [b'FALSE'],
>> 'nsds5replicaLastInitStart': [b'19700101000000Z'],
>> 'nsds5replicaLastInitEnd': [b'19700101000000Z']})]
>> 2023-05-24T10:15:04Z DEBUG Traceback (most recent call last):
>> File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py",
>> line 686, in start_creation
>> run_step(full_msg, method)
>> File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py",
>> line 672, in run_step
>> method()
>> File
>> "/usr/lib/python3.9/site-packages/ipaserver/install/dsinstance.py", line
>> 430, in __setup_replica
>> repl.setup_promote_replication(
>> File
>> "/usr/lib/python3.9/site-packages/ipaserver/install/replication.py", line
>> 1930, in setup_promote_replication
>> raise RuntimeError("Failed to start replication")
>> RuntimeError: Failed to start replication
>>
>> 2023-05-24T10:15:04Z DEBUG [error] RuntimeError: Failed to start
>> replication
>> 2023-05-24T10:15:04Z DEBUG Destroyed connection
>> context.ldap2_140645096151696
>> 2023-05-24T10:15:04Z DEBUG Backing up system configuration file
>> '/etc/ipa/default.conf'
>> 2023-05-24T10:15:04Z DEBUG Saving Index File to
>> '/var/lib/ipa/sysrestore/sysrestore.index'
>> 2023-05-24T10:15:04Z DEBUG Writing configuration file
>> /etc/ipa/default.conf
>> 2023-05-24T10:15:04Z DEBUG [global]
>> basedn = dc=mydomain,dc=com,dc=pl
>> host = freeipa-replica.mydomain.com
>> realm = My.REALM.COM
>> domain = mydomain.com
>> xmlrpc_uri = https://freeipa-replica.mydomain.com/ipa/xml
>> ldap_uri = ldapi://%2Frun%2Fslapd-MY-DOMAIN-COM.socket
>> mode = production
>> enable_ra = True
>> ra_plugin = dogtag
>> dogtag_version = 10
>> ca_host = freeipa.mydomain.com
>>
>>
>>
>> 2023-05-24T10:15:04Z DEBUG File
>> "/usr/lib/python3.9/site-packages/ipapython/admintool.py", line 180, in
>> execute
>> return_value = self.run()
>> File "/usr/lib/python3.9/site-packages/ipapython/install/cli.py", line
>> 344, in run
>> return cfgr.run()
>> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
>> 360, in run
>> return self.execute()
>> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
>> 386, in execute
>> for rval in self._executor():
>> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
>> 431, in __runner
>> exc_handler(exc_info)
>> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
>> 460, in _handle_execute_exception
>> self._handle_exception(exc_info)
>> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
>> 450, in _handle_exception
>> six.reraise(*exc_info)
>> File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
>> raise value
>> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
>> 421, in __runner
>> step()
>> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
>> 418, in <lambda>
>> step = lambda: next(self.__gen)
>> File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line
>> 81, in run_generator_with_yield_from
>> six.reraise(*exc_info)
>> File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
>> raise value
>> File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line
>> 59, in run_generator_with_yield_from
>> value = gen.send(prev_value)
>> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
>> 655, in _configure
>> next(executor)
>> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
>> 431, in __runner
>> exc_handler(exc_info)
>> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
>> 460, in _handle_execute_exception
>> self._handle_exception(exc_info)
>> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
>> 518, in _handle_exception
>> self.__parent._handle_exception(exc_info)
>> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
>> 450, in _handle_exception
>> six.reraise(*exc_info)
>> File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
>> raise value
>> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
>> 515, in _handle_exception
>> super(ComponentBase, self)._handle_exception(exc_info)
>> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
>> 450, in _handle_exception
>> six.reraise(*exc_info)
>> File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
>> raise value
>> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
>> 421, in __runner
>> step()
>> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
>> 418, in <lambda>
>> step = lambda: next(self.__gen)
>> File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line
>> 81, in run_generator_with_yield_from
>> six.reraise(*exc_info)
>> File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
>> raise value
>> File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line
>> 59, in run_generator_with_yield_from
>> value = gen.send(prev_value)
>> File "/usr/lib/python3.9/site-packages/ipapython/install/common.py",
>> line 65, in _install
>> for unused in self._installer(self.parent):
>> File
>> "/usr/lib/python3.9/site-packages/ipaserver/install/server/__init__.py",
>> line 599, in main
>> replica_install(self)
>> File
>> "/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py",
>> line 401, in decorated
>> func(installer)
>> File
>> "/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py",
>> line 1267, in install
>> ds = install_replica_ds(config, options, ca_enabled,
>> File
>> "/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py",
>> line 100, in install_replica_ds
>> ds.create_replica(
>> File
>> "/usr/lib/python3.9/site-packages/ipaserver/install/dsinstance.py", line
>> 398, in create_replica
>> self.start_creation(runtime=30)
>> File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py",
>> line 686, in start_creation
>> run_step(full_msg, method)
>> File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py",
>> line 672, in run_step
>> method()
>> File
>> "/usr/lib/python3.9/site-packages/ipaserver/install/dsinstance.py", line
>> 430, in __setup_replica
>> repl.setup_promote_replication(
>> File
>> "/usr/lib/python3.9/site-packages/ipaserver/install/replication.py", line
>> 1930, in setup_promote_replication
>> raise RuntimeError("Failed to start replication")
>>
>> 2023-05-24T10:15:04Z DEBUG The ipa-replica-install command failed,
>> exception: RuntimeError: Failed to start replication
>> 2023-05-24T10:15:04Z ERROR Failed to start replication
>> 2023-05-24T10:15:04Z ERROR The ipa-replica-install command failed. See
>> /var/log/ipareplica-install.log for more information
>>
>> ---------------------------------------- master: /var/log/dirsrv/slapd-MY-DOMAIN.COM/error -------------------------------------------------------
>>
>> [24/May/2023:11:47:02.653622389 +0200] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389) - Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()
>> [24/May/2023:11:47:08.700315039 +0200] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389) - Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
>> [24/May/2023:11:47:16.774918557 +0200] - INFO - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389): Replication bind with GSSAPI auth resumed
>> [24/May/2023:11:47:17.035351907 +0200] - INFO - NSMMReplicationPlugin - repl5_tot_run - Beginning total update of replica "agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389)".
>> [24/May/2023:11:47:29.357889007 +0200] - ERR - NSMMReplicationPlugin - repl5_tot_log_operation_failure - agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389): Received error -1 (Can't contact LDAP server): for total update operation
>> [24/May/2023:11:47:29.361891385 +0200] - ERR - NSMMReplicationPlugin - release_replica - agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389): Unable to send endReplication extended operation (Can't contact LDAP server)
>> [24/May/2023:11:47:29.363050079 +0200] - ERR - NSMMReplicationPlugin - repl5_tot_run - Total update failed for replica "agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389)", error (-11)
>> [24/May/2023:11:47:29.382502138 +0200] - INFO - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389): Replication bind with GSSAPI auth resumed
>>
>>
>> ---------------------------------------- About system
>> -------------------------------------------------------
>> Master and Replica:
>> OS: Rocky Linux 9.2
>> IPA: 4.10.1
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>> To unsubscribe send an email to
>> freeipa-users-leave(a)lists.fedorahosted.org
>> Fedora Code of Conduct:
>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>> Do not reply to spam, report it:
>> https://pagure.io/fedora-infrastructure/new_issue
>>
>
1 week, 1 day
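The master-side dirsrv log quoted above is the part of that thread worth reading mechanically: it shows the GSSAPI bind to the new replica failing first with LDAP rc 49, then with rc -1, a total update starting once the bind "resumed", and the total update dying on rc -1 again. The following parser is an added example, not part of the thread and not FreeIPA or 389-ds code. SAMPLE_LOG is a constructed copy of the quoted excerpt with the wrapped lines rejoined; the hostnames are the placeholders from the post. The two hints in RC_HINT are the general LDAP meaning of those codes (49 is the server's invalidCredentials result, -1 is the client library's "can't contact LDAP server") and are not claims the thread makes about this particular failure.

```python
"""Parse 389-ds replication-plugin log lines and summarise them per agreement.

Added example, not FreeIPA/389-ds code. SAMPLE_LOG is a constructed copy of the
master's error-log excerpt quoted in the thread (wrapped lines rejoined).
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

SAMPLE_LOG = """\
[24/May/2023:11:47:02.653622389 +0200] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389) - Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()
[24/May/2023:11:47:08.700315039 +0200] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389) - Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[24/May/2023:11:47:16.774918557 +0200] - INFO - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389): Replication bind with GSSAPI auth resumed
[24/May/2023:11:47:17.035351907 +0200] - INFO - NSMMReplicationPlugin - repl5_tot_run - Beginning total update of replica "agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389)".
[24/May/2023:11:47:29.357889007 +0200] - ERR - NSMMReplicationPlugin - repl5_tot_log_operation_failure - agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389): Received error -1 (Can't contact LDAP server): for total update operation
[24/May/2023:11:47:29.361891385 +0200] - ERR - NSMMReplicationPlugin - release_replica - agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389): Unable to send endReplication extended operation (Can't contact LDAP server)
[24/May/2023:11:47:29.363050079 +0200] - ERR - NSMMReplicationPlugin - repl5_tot_run - Total update failed for replica "agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389)", error (-11)
[24/May/2023:11:47:29.382502138 +0200] - INFO - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389): Replication bind with GSSAPI auth resumed
"""

# One entry: [timestamp] - LEVEL - plugin - function - message
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] - (?P<level>[A-Z]+) - (?P<plugin>\w+) - (?P<func>\w+) - (?P<rest>.*)$')
# agmt="cn=<name>" (<peer host>:<port>) as NSMMReplicationPlugin prints it
AGMT_RE = re.compile(r'agmt="cn=(?P<agmt>[^"]+)" \((?P<host>[^:()]+):(?P<port>\d+)\)')
# matches "LDAP error 49 (...)", "Received error -1 (...)" and "error (-11)"
RC_RE = re.compile(r'error \(?(?P<rc>-?\d+)\)?')

# General LDAP meaning of the two codes in the excerpt; other codes (e.g. the
# plugin's own -11 from repl5_tot_run) are deliberately left unmapped.
RC_HINT = {
    49: "invalidCredentials: the replica rejected the GSSAPI bind (check the "
        "master's Kerberos ticket/keytab, the ldap/<replica> principal, clock skew)",
    -1: "can't contact LDAP server: the master never reached the replica's LDAP "
        "port (check dirsrv on the replica, firewall rules, name resolution)",
}


@dataclass
class ReplEvent:
    ts: datetime
    func: str
    agmt: Optional[str]     # agreement name without the leading "cn="
    peer: Optional[str]     # "host:port" of the remote side
    kind: str               # coarse classification, see _classify()
    rc: Optional[int]       # error code carried by the message, if any


def _parse_ts(raw: str) -> datetime:
    # 389-ds prints nanoseconds; strptime's %f accepts at most six digits.
    base, _, rest = raw.partition(".")
    frac, _, tz = rest.partition(" ")
    return datetime.strptime(f"{base}.{frac[:6]} {tz}", "%d/%b/%Y:%H:%M:%S.%f %z")


def _classify(func: str, rest: str) -> str:
    if func == "bind_and_check_pwp":
        return "bind_failed" if "failed" in rest else "bind_resumed"
    if func == "repl5_tot_run":
        return "total_update_failed" if "failed" in rest else "total_update_started"
    if func == "repl5_tot_log_operation_failure":
        return "total_update_op_error"
    if func == "release_replica":
        return "release_failed"
    return "other"


def parse_log(text: str) -> list:
    """Return ReplEvents for NSMMReplicationPlugin lines; everything else is skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["plugin"] != "NSMMReplicationPlugin":
            continue
        a = AGMT_RE.search(m["rest"])
        rc = RC_RE.search(m["rest"])
        events.append(ReplEvent(
            ts=_parse_ts(m["ts"]), func=m["func"],
            agmt=a["agmt"] if a else None,
            peer=f'{a["host"]}:{a["port"]}' if a else None,
            kind=_classify(m["func"], m["rest"]),
            rc=int(rc["rc"]) if rc else None))
    return events


def summarize(events: list) -> dict:
    """Per agreement: peer, time span, bind failures, total-update outcome, codes, hints."""
    out = {}
    for ev in events:
        if ev.agmt is None:
            continue
        s = out.setdefault(ev.agmt, {
            "peer": ev.peer, "first": ev.ts, "last": ev.ts, "bind_failures": 0,
            "total_update_failed": False, "error_codes": [], "hints": []})
        s["last"] = ev.ts
        if ev.kind == "bind_failed":
            s["bind_failures"] += 1
        if ev.kind == "total_update_failed":
            s["total_update_failed"] = True
        if ev.rc is not None:
            s["error_codes"].append(ev.rc)
            hint = RC_HINT.get(ev.rc)
            if hint and hint not in s["hints"]:
                s["hints"].append(hint)
    return out
```

Run it over the real file with `summarize(parse_log(open("/var/log/dirsrv/slapd-INSTANCE/errors").read()))`; the useful output is the ordered error_codes list per agreement, which tells you whether the bind ever succeeded before the total update was attempted and which side dropped the connection.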
'del' removes replica/tion but keeps all DNS record in - ?
by lejeczek
Hi guys.
With a forceful removal of a replica with
'ipa-replica-manage', such replica/tion gets removed, but all
DNS records (of which 'ipa-healthcheck' complains) remain
intact.
Is that normal & expected?
many thanks, L.
1 week, 2 days
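A check for the situation described in this post: which records in the IPA-managed zones still point at a replica that has been removed. This is an added example, not from the post and not FreeIPA's own tooling. The record set is constructed and assumes the removed replica had registered the entries an IPA replica with the DNS role commonly has (its own A record, SRV targets, an NS at the zone apex, an ipa-ca A record with its address, and a PTR in the reverse zone); names and addresses are placeholders. The function only lists candidates and builds the matching `ipa dnsrecord-del` commands as strings, so the list can be reviewed before anything is deleted.

```python
"""Find DNS records that still reference a removed IPA replica.

Added example, not FreeIPA code. SAMPLE_RECORDS is constructed, modelled on
what `ipa dnsrecord-find` lists for a zone; names and IPs are placeholders.
"""
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Record:
    zone: str    # e.g. "mydomain.com." or "2.0.192.in-addr.arpa."
    name: str    # owner name relative to the zone, "@" for the apex
    rtype: str   # A, AAAA, SRV, NS, PTR, CNAME
    rdata: str   # value as the CLI prints it


SAMPLE_RECORDS = [
    Record("mydomain.com.", "@", "NS", "freeipa.mydomain.com."),
    Record("mydomain.com.", "@", "NS", "freeipa-replica.mydomain.com."),
    Record("mydomain.com.", "freeipa", "A", "192.0.2.10"),
    Record("mydomain.com.", "freeipa-replica", "A", "192.0.2.11"),
    Record("mydomain.com.", "ipa-ca", "A", "192.0.2.10"),
    Record("mydomain.com.", "ipa-ca", "A", "192.0.2.11"),
    Record("mydomain.com.", "_ldap._tcp", "SRV", "0 100 389 freeipa.mydomain.com."),
    Record("mydomain.com.", "_ldap._tcp", "SRV", "0 100 389 freeipa-replica.mydomain.com."),
    Record("mydomain.com.", "_kerberos._udp", "SRV", "0 100 88 freeipa-replica.mydomain.com."),
    Record("mydomain.com.", "www", "A", "192.0.2.50"),
    Record("2.0.192.in-addr.arpa.", "10", "PTR", "freeipa.mydomain.com."),
    Record("2.0.192.in-addr.arpa.", "11", "PTR", "freeipa-replica.mydomain.com."),
]

# CLI option that removes one value of the given type from a record set
DEL_FLAG = {"A": "--a-rec", "AAAA": "--aaaa-rec", "SRV": "--srv-rec",
            "NS": "--ns-rec", "PTR": "--ptr-rec", "CNAME": "--cname-rec"}


def _fqdn(name: str, zone: str) -> str:
    return zone if name == "@" else f"{name}.{zone}"


def _norm(fqdn: str) -> str:
    return fqdn.rstrip(".").lower() + "."


def _is_ip(value: str) -> bool:
    try:
        ip_address(value)
        return True
    except ValueError:
        return False


def find_stale(records: list, removed_fqdn: str, removed_ips: list) -> list:
    """Records owned by the removed host, carrying its address, or targeting it."""
    removed_fqdn = _norm(removed_fqdn)
    removed_addrs = {ip_address(ip) for ip in removed_ips}
    stale = []
    for r in records:
        if r.rtype in ("A", "AAAA"):
            owner_match = _norm(_fqdn(r.name, r.zone)) == removed_fqdn
            addr_match = _is_ip(r.rdata) and ip_address(r.rdata) in removed_addrs
            if owner_match or addr_match:
                stale.append(r)
        elif r.rtype in ("SRV", "NS", "PTR", "CNAME"):
            # the target is the last field (SRV has priority/weight/port first)
            if _norm(r.rdata.split()[-1]) == removed_fqdn:
                stale.append(r)
    return stale


def deletion_commands(stale: list) -> list:
    """One `ipa dnsrecord-del` per stale value, for review before running."""
    return [f'ipa dnsrecord-del {r.zone} {r.name} {DEL_FLAG[r.rtype]}="{r.rdata}"'
            for r in stale]
```

Feed it the output of `ipa dnsrecord-find ZONE --all` for each zone (including the reverse zones) and the removed host's FQDN and addresses; records that match only on the address, such as the ipa-ca entry, are the ones a purely name-based search misses.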