[Freeipa-devel] LDAP errors in the dirsrv logs during replica preparation

Ludwig Krispenz lkrispen at redhat.com
Mon Jun 22 09:28:05 UTC 2015


Hi Oleg,

don't know if it is relevant for the current problem, but maybe you 
should address this warning:

Configuring DNS (named)
   [1/9]: generating rndc key file
WARNING: Your system is running out of entropy, you may experience long 
delays

Ludwig


On 06/22/2015 11:01 AM, Oleg Fayans wrote:
> Here is the session transcript, together with the directory server 
> logs from master
>
> On 06/22/2015 10:57 AM, Oleg Fayans wrote:
>> Hi Petr, team,
>>
>> I was able to reproduce it today with sequential installation.
>> Again: one of three replicas caught this issue. Hostnames were other 
>> than those on Friday, all three vm's from the same template.
>>
>> On 06/19/2015 05:10 PM, Petr Vobornik wrote:
>>> On 06/19/2015 04:27 PM, Oleg Fayans wrote:
>>>> Hi everybody,
>>>>
>>>> While preparing the replica files on the latest IPA master I've 
>>>> noticed
>>>> the following error messages in the dirsrv error log:
>>>>
>>>> [19/Jun/2015:15:26:10 +0200] NSMMReplicationPlugin -
>>>> agmt="cn=masterAgreement1-vm-244.idm.lab.eng.brq.redhat.com-pki-tomcat" 
>>>>
>>>> (vm-244:389): Replication bind with SIMPLE auth failed: LDAP error -1
>>>> (Can't contact LDAP server) ()
>>>
>>> Probably a leftover CA replication agreement with some removed 
>>> master. Can be removed with ipa-csreplica-manage del --force.
>>>
>>>> [19/Jun/2015:15:26:10 +0200] - Entry "uid=admin,ou=people,o=ipaca" --
>>>> attribute "krbExtraData" not allowed
>>>> [19/Jun/2015:15:26:13 +0200] slapi_ldap_bind - Error: could not send
>>>> startTLS request: error -1 (Can't contact LDAP server) errno 0 
>>>> (Success)
>>>>
>>>> Though the stdout of the replica preparation reports success, when I
>>>> later use the resulting gpg file to actually set up a replica, the setup
>>>> process fails with the following output:
>>>>
>>>> Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
>>>>    [1/8]: adding sasl mappings to the directory
>>>>    [2/8]: configuring KDC
>>>>    [3/8]: creating a keytab for the directory
>>>>    [4/8]: creating a keytab for the machine
>>>>    [5/8]: adding the password extension to the directory
>>>>    [6/8]: enable GSSAPI for replication
>>>>    [error] RuntimeError: One of the ldap service principals is 
>>>> missing.
>>>> Replication agreement cannot be converted.
>>>> Replication error message: Unable to acquire replicaLDAP error: No 
>>>> such
>>>> object
>>>> Your system may be partly configured.
>>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>>
>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR One of the
>>>> ldap service principals is missing. Replication agreement cannot be
>>>> converted.
>>>> Replication error message: Unable to acquire replicaLDAP error: No 
>>>> such
>>>> object
>>>>
>>>> The corresponding part of the ipareplica-install.log is attached
>>>>
>>>> I've encountered this already twice. The strangest part is that I
>>>> prepared 3 replicas simultaneously: 2 of them installed 
>>>> successfully and
>>>> one - failed. All three replicas were launched from the same 
>>>> vm-template
>>>>
>>>
>>> Could this be the cause? It would be safer to run it sequentially.
>>
>
>
>
