Hi All,
I have been carrying out some routine maintenance on our IPA installation and following a reboot I am seeing a number of errors in the 389 logs.
I am struggling to understand whether any of these errors and warnings are anything I should be concerned about and how I might go about rectifying the situation.
The server works as a replica pair and I haven't noticed any obvious problems as both instances appear to be working fine. The only symptom of a potential issue is that during reboot of either node the authentications slow down dramatically, taking around a minute to log in to the system even if it is the slave node being rebooted. Again I am not clear if this is expected.
Any pointers would be greatly appreciated - the content of the error log (dirsrv/slapd-MYDOMAIN-NET/errors) is shown below. I've highlighted in red all the parts that concern me.
Thanks,
Callum
*[11/Dec/2017:10:54:45.845493685 +0000] - WARN - Security Initialization - SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password.*
[11/Dec/2017:10:54:45.860198563 +0000] - INFO - Security Initialization - SSL info: Enabling default cipher set.
[11/Dec/2017:10:54:45.860608642 +0000] - INFO - Security Initialization - SSL info: Configured NSS Ciphers
[11/Dec/2017:10:54:45.860924167 +0000] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled
[11/Dec/2017:10:54:45.861315831 +0000] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
[11/Dec/2017:10:54:45.861553800 +0000] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
[11/Dec/2017:10:54:45.861794809 +0000] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[11/Dec/2017:10:54:45.861975495 +0000] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
[11/Dec/2017:10:54:45.862167830 +0000] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled
[11/Dec/2017:10:54:45.862330320 +0000] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
[11/Dec/2017:10:54:45.862505120 +0000] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[11/Dec/2017:10:54:45.862671264 +0000] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[11/Dec/2017:10:54:45.862887543 +0000] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
[11/Dec/2017:10:54:45.863101461 +0000] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled
[11/Dec/2017:10:54:45.863338463 +0000] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
[11/Dec/2017:10:54:45.863544421 +0000] - INFO - Security Initialization - SSL info: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
[11/Dec/2017:10:54:45.863791975 +0000] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
[11/Dec/2017:10:54:45.864025763 +0000] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[11/Dec/2017:10:54:45.864224082 +0000] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[11/Dec/2017:10:54:45.864439879 +0000] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
[11/Dec/2017:10:54:45.864648577 +0000] - INFO - Security Initialization - SSL info: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
[11/Dec/2017:10:54:45.864878026 +0000] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[11/Dec/2017:10:54:45.865089112 +0000] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_256_GCM_SHA384: enabled
[11/Dec/2017:10:54:45.865325308 +0000] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_256_CBC_SHA: enabled
[11/Dec/2017:10:54:45.865519848 +0000] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
[11/Dec/2017:10:54:45.865726729 +0000] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
[11/Dec/2017:10:54:45.866530550 +0000] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_128_CBC_SHA: enabled
[11/Dec/2017:10:54:45.866759925 +0000] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
[11/Dec/2017:10:54:45.867094660 +0000] - INFO - Security Initialization - SSL info: TLS_AES_128_GCM_SHA256: enabled
[11/Dec/2017:10:54:45.867324109 +0000] - INFO - Security Initialization - SSL info: TLS_CHACHA20_POLY1305_SHA256: enabled
[11/Dec/2017:10:54:45.867541305 +0000] - INFO - Security Initialization - SSL info: TLS_AES_256_GCM_SHA384: enabled
[11/Dec/2017:10:54:45.882208253 +0000] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.2, max: TLS1.2
[11/Dec/2017:10:54:45.883120151 +0000] - INFO - main - 389-Directory/1.3.6.1 B2017.334.195 starting up
[11/Dec/2017:10:54:45.906595731 +0000] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
[11/Dec/2017:10:54:45.930996951 +0000] - WARN - default_mr_indexer_create - Plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match
[11/Dec/2017:10:54:45.936518595 +0000] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
[11/Dec/2017:10:54:45.964436646 +0000] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
[11/Dec/2017:10:54:45.991766644 +0000] - NOTICE - ldbm_back_start - found 65758072k physical memory
[11/Dec/2017:10:54:45.992114756 +0000] - NOTICE - ldbm_back_start - found 64274224k available
[11/Dec/2017:10:54:45.992292511 +0000] - NOTICE - ldbm_back_start - cache autosizing: db cache: 524288k
[11/Dec/2017:10:54:45.992457300 +0000] - NOTICE - ldbm_back_start - cache autosizing: userRoot entry cache (3 total): 2031616k
[11/Dec/2017:10:54:46.034980655 +0000] - NOTICE - ldbm_back_start - cache autosizing: ipaca entry cache (3 total): 2031616k
[11/Dec/2017:10:54:46.061542601 +0000] - NOTICE - ldbm_back_start - cache autosizing: changelog entry cache (3 total): 2031616k
[11/Dec/2017:10:54:46.089160984 +0000] - NOTICE - ldbm_back_start - total cache size: 6809452544 B;
*[11/Dec/2017:10:54:46.649231467 +0000] - ERR - schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!*
*[11/Dec/2017:10:54:46.683853691 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=groups,cn=compat,dc=mydomain,dc=net does not exist*
*[11/Dec/2017:10:54:46.684455331 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=computers,cn=compat,dc=mydomain,dc=net does not exist*
*[11/Dec/2017:10:54:46.684843652 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=ng,cn=compat,dc=mydomain,dc=net does not exist*
*[11/Dec/2017:10:54:46.685517004 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target ou=sudoers,dc=mydomain,dc=net does not exist*
*[11/Dec/2017:10:54:46.685862356 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=users,cn=compat,dc=mydomain,dc=net does not exist*
*[11/Dec/2017:10:54:46.686187616 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=mydomain,dc=net does not exist*
*[11/Dec/2017:10:54:46.686501554 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=mydomain,dc=net does not exist*
*[11/Dec/2017:10:54:46.686847159 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=mydomain,dc=net does not exist*
*[11/Dec/2017:10:54:46.687297649 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=mydomain,dc=net does not exist*
*[11/Dec/2017:10:54:46.687692409 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=mydomain,dc=net does not exist*
*[11/Dec/2017:10:54:46.688148374 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=mydomain,dc=net does not exist*
*[11/Dec/2017:10:54:46.688610518 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=mydomain,dc=net does not exist*
*[11/Dec/2017:10:54:46.689053107 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=mydomain,dc=net does not exist*
*[11/Dec/2017:10:54:46.689563126 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=mydomain,dc=net does not exist*
*[11/Dec/2017:10:54:46.689956461 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=mydomain,dc=net does not exist*
*[11/Dec/2017:10:54:46.690253805 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=mydomain,dc=net does not exist*
*[11/Dec/2017:10:54:46.700212505 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=ad,cn=etc,dc=mydomain,dc=net does not exist*
*[11/Dec/2017:10:54:46.703349114 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=mydomain,dc=net does not exist*
*[11/Dec/2017:10:54:46.703741088 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=mydomain,dc=net does not exist*
*[11/Dec/2017:10:54:46.856737703 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist*
*[11/Dec/2017:10:54:46.864338548 +0000] - ERR - cos-plugin - cos_dn_defs_cb - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=mydomain,dc=net--no CoS Templates found, which should be added before the CoS Definition.*
*[11/Dec/2017:10:54:46.940988881 +0000] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/ipa1.mydomain.net@mydomain.NET] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)*
*[11/Dec/2017:10:54:46.943069140 +0000] - ERR - slapi_ldap_bind - Error: could not bind id [cn=Replication Manager cloneAgreement1-ipa2.mydomain.net-pki-tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object)*
*[11/Dec/2017:10:54:46.944217190 +0000] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=masterAgreement1-ipa2.mydomain.net-pki-tomcat" (ipa2:389) - Replication bind with SIMPLE auth failed: LDAP error 32 (No such object) ()*
[11/Dec/2017:10:54:46.963313439 +0000] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
[11/Dec/2017:10:54:46.975375127 +0000] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
[11/Dec/2017:10:54:46.975614879 +0000] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests
[11/Dec/2017:10:54:46.975772722 +0000] - INFO - slapd_daemon - Listening on /var/run/slapd-mydomain-NET.socket for LDAPI requests
[11/Dec/2017:10:54:49.992127949 +0000] - ERR - slapi_ldap_bind - Error: could not bind id [cn=Replication Manager cloneAgreement1-ipa2.mydomain.net-pki-tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object)
[11/Dec/2017:10:54:52.001683823 +0000] - ERR - schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=mydomain,dc=net
[11/Dec/2017:10:54:52.001931063 +0000] - ERR - schema-compat-plugin - Finished plugin initialization.
*[11/Dec/2017:10:54:56.518870614 +0000] - ERR - slapi_ldap_bind - Error: could not bind id [cn=Replication Manager cloneAgreement1-ipa2.mydomain.net-pki-tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object)*
[11/Dec/2017:10:55:08.126286757 +0000] - ERR - slapi_ldap_bind - Error: could not bind id [cn=Replication Manager cloneAgreement1-ipa2.mydomain.net-pki-tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object)
[11/Dec/2017:10:55:31.564224049 +0000] - ERR - slapi_ldap_bind - Error: could not bind id [cn=Replication Manager cloneAgreement1-ipa2.mydomain.net-pki-tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object)
[11/Dec/2017:10:56:19.947049662 +0000] - ERR - slapi_ldap_bind - Error: could not bind id [cn=Replication Manager cloneAgreement1-ipa2.mydomain.net-pki-tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object)
[11/Dec/2017:10:57:55.276619160 +0000] - ERR - slapi_ldap_bind - Error: could not bind id [cn=Replication Manager cloneAgreement1-ipa2.mydomain.net-pki-tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object)
[11/Dec/2017:11:01:08.288705049 +0000] - ERR - slapi_ldap_bind - Error: could not bind id [cn=Replication Manager cloneAgreement1-ipa2.mydomain.net-pki-tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object)
[11/Dec/2017:11:06:08.333891976 +0000] - ERR - slapi_ldap_bind - Error: could not bind id [cn=Replication Manager cloneAgreement1-ipa2.mydomain.net-pki-tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object)
[11/Dec/2017:11:11:08.066222421 +0000] - ERR - slapi_ldap_bind - Error: could not bind id [cn=Replication Manager cloneAgreement1-ipa2.mydomain.net-pki-tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object)
freeipa-users@lists.fedorahosted.org
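
Added example, not part of the original post: a Python triage of the errors-log format shown above that groups ERR/WARN entries by subsystem and message, with repeat counts and the gaps between repeats, so messages logged once at startup can be told apart from ones that keep recurring. The names `parse`, `summarize` and `SAMPLE` are illustrative; `SAMPLE` reuses a few entries from the log in the post.

```python
import re
from datetime import datetime

# Start of an entry: "[DD/Mon/YYYY:HH:MM:SS.nanoseconds +ZZZZ] - "
STAMP = re.compile(r"\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2})\.\d+ [+-]\d{4}\] - ")

_BIND = ("ERR - slapi_ldap_bind - Error: could not bind id [cn=Replication Manager "
         "cloneAgreement1-ipa2.mydomain.net-pki-tomcat,ou=csusers,cn=config] "
         "authentication mechanism [SIMPLE]: error 32 (No such object)")
_ACL = ("ERR - NSACLPlugin - acl_parse - The ACL target "
        "cn=vaults,cn=kra,dc=mydomain,dc=net does not exist")
# Entries taken from the post's log, run together and '*'-marked as they appear there.
SAMPLE = (
    "*[11/Dec/2017:10:54:46.686187616 +0000] - " + _ACL + "* "
    "*[11/Dec/2017:10:54:46.686501554 +0000] - " + _ACL + "* "
    "[11/Dec/2017:10:54:46.975614879 +0000] - INFO - slapd_daemon - "
    "Listening on All Interfaces port 636 for LDAPS requests "
    "[11/Dec/2017:10:54:49.992127949 +0000] - " + _BIND + " "
    "*[11/Dec/2017:10:54:56.518870614 +0000] - " + _BIND + "* "
    "[11/Dec/2017:10:55:08.126286757 +0000] - " + _BIND
)

def parse(text):
    """Yield (when, severity, subsystem, message) per entry, even when entries
    are run together on one line or wrapped in '*' highlight markers."""
    marks = list(STAMP.finditer(text))
    for m, nxt in zip(marks, marks[1:] + [None]):
        body = text[m.end(): nxt.start() if nxt else len(text)]
        parts = " ".join(body.split()).strip("* ").split(" - ", 2)
        if len(parts) == 3:
            # Whole seconds, zone offset ignored: enough to compare one file's entries.
            yield (datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S"), *parts)

def summarize(text, levels=("ERR", "WARN")):
    """Group entries by (severity, subsystem, message), in first-seen order."""
    groups = {}
    for when, sev, sub, msg in parse(text):
        if sev in levels:
            groups.setdefault((sev, sub, msg), []).append(when)
    return [{"severity": k[0], "subsystem": k[1], "message": k[2],
             "count": len(v), "first": v[0], "last": v[-1],
             "gaps": [int((b - a).total_seconds()) for a, b in zip(v, v[1:])]}
            for k, v in groups.items()]

if __name__ == "__main__":
    for g in summarize(SAMPLE):
        print(g["count"], g["severity"], g["subsystem"], g["gaps"], g["message"][:60])
```

To run it against a live instance, pass the contents of the errors file named in the post (dirsrv/slapd-MYDOMAIN-NET/errors) to `summarize`.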