[Freeipa-devel] LDAP errors in the dirsrv logs during replica preparation

Petr Vobornik pvoborni at redhat.com
Mon Jun 22 12:21:01 UTC 2015


On 06/22/2015 11:28 AM, Ludwig Krispenz wrote:
> Hi Oleg,
>
> don't know if it is relevant for the current problem, but maybe you
> should address this warning:
>
> Configuring DNS (named)
>    [1/9]: generating rndc key file
> WARNING: Your system is running out of entropy, you may experience long
> delays

This is easy to solve (on VMs) with:
   dnf install rng-tools
   systemctl start rngd.service

>
> Ludwig
>
>
> On 06/22/2015 11:01 AM, Oleg Fayans wrote:
>> Here is the session transcript, together with the directory server
>> logs from master
>>
>> On 06/22/2015 10:57 AM, Oleg Fayans wrote:
>>> Hi Petr, team,
>>>
>>> I was able to reproduce it today with sequential installation.
>>> Again: one of three replicas caught this issue. Hostnames were other
>>> than those on Friday, all three VMs from the same template.
>>>
>>> On 06/19/2015 05:10 PM, Petr Vobornik wrote:
>>>> On 06/19/2015 04:27 PM, Oleg Fayans wrote:
>>>>> Hi everybody,
>>>>>
>>>>> While preparing the replica files on the latest IPA master I've
>>>>> noticed
>>>>> the following error messages in the dirsrv error log:
>>>>>
>>>>> [19/Jun/2015:15:26:10 +0200] NSMMReplicationPlugin -
>>>>> agmt="cn=masterAgreement1-vm-244.idm.lab.eng.brq.redhat.com-pki-tomcat"
>>>>>
>>>>> (vm-244:389): Replication bind with SIMPLE auth failed: LDAP error -1
>>>>> (Can't contact LDAP server) ()
>>>>
>>>> Probably a leftover CA replication agreement with some removed
>>>> master. Can be removed with ipa-csreplica-manage del --force.
>>>>
>>>>> [19/Jun/2015:15:26:10 +0200] - Entry "uid=admin,ou=people,o=ipaca" --
>>>>> attribute "krbExtraData" not allowed
>>>>> [19/Jun/2015:15:26:13 +0200] slapi_ldap_bind - Error: could not send
>>>>> startTLS request: error -1 (Can't contact LDAP server) errno 0
>>>>> (Success)
>>>>>
>>>>> Though the stdout of the replica preparation reports success, when I
>>>>> later use the resulting gpg file to actually setup a replica the setup
>>>>> process fails with the following output:
>>>>>
>>>>> Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
>>>>>    [1/8]: adding sasl mappings to the directory
>>>>>    [2/8]: configuring KDC
>>>>>    [3/8]: creating a keytab for the directory
>>>>>    [4/8]: creating a keytab for the machine
>>>>>    [5/8]: adding the password extension to the directory
>>>>>    [6/8]: enable GSSAPI for replication
>>>>>    [error] RuntimeError: One of the ldap service principals is
>>>>> missing.
>>>>> Replication agreement cannot be converted.
>>>>> Replication error message: Unable to acquire replicaLDAP error: No
>>>>> such
>>>>> object
>>>>> Your system may be partly configured.
>>>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>>>
>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR One of the
>>>>> ldap service principals is missing. Replication agreement cannot be
>>>>> converted.
>>>>> Replication error message: Unable to acquire replicaLDAP error: No
>>>>> such
>>>>> object
>>>>>
>>>>> The corresponding part of the ipareplica-install.log is attached
>>>>>
>>>>> I've encountered this already twice. The strangest part is that I
>>>>> prepared 3 replicas simultaneously: 2 of them installed
>>>>> successfully and
>>>>> one - failed. All three replicas were launched from the same
>>>>> vm-template
>>>>>
>>>>
>>>> Could this be the cause? It would be safer to run it sequentially.
>>>
>>
>>
>>
>
>
>
>


-- 
Petr Vobornik
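
An added example, not part of the original thread and not FreeIPA or 389-ds code: a small parser that groups the "Replication bind ... failed" entries from a dirsrv error log by agreement, so that agreements whose peer was never reachable (the "leftover agreement" case suggested above) stand out before anything is deleted. It assumes each log entry sits on one line, as in the real log file rather than the wrapped quote; the sample hostnames and agreement names are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the dirsrv error-log layout quoted in the thread,
# one entry per line; hostnames and agreement names are made up.
SAMPLE_LOG = """\
[19/Jun/2015:15:26:10 +0200] NSMMReplicationPlugin - agmt="cn=masterAgreement1-replica9.example.test-pki-tomcat" (replica9:389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ()
[19/Jun/2015:15:26:13 +0200] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[19/Jun/2015:15:31:10 +0200] NSMMReplicationPlugin - agmt="cn=masterAgreement1-replica9.example.test-pki-tomcat" (replica9:389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ()
[19/Jun/2015:15:31:40 +0200] NSMMReplicationPlugin - agmt="cn=meToreplica2.example.test" (replica2:389): Replication bind with SIMPLE auth failed: LDAP error 49 (Invalid credentials) ()
"""

BIND_FAIL = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+NSMMReplicationPlugin\s+-\s+'
    r'agmt="(?P<agmt>[^"]+)"\s+\((?P<peer>[^)]+)\):\s+'
    r'Replication bind with (?P<mech>\S+) auth failed:\s+'
    r'LDAP error (?P<code>-?\d+) \((?P<text>[^)]*)\)'
)

def failing_agreements(log_text):
    """Group replication bind failures by agreement name."""
    summary = defaultdict(lambda: {"peer": None, "count": 0, "codes": set(),
                                   "first": None, "last": None})
    for line in log_text.splitlines():
        m = BIND_FAIL.match(line)
        if m is None:
            continue  # other plugins, schema warnings, startTLS errors, ...
        entry = summary[m["agmt"]]
        entry["peer"] = m["peer"]
        entry["count"] += 1
        entry["codes"].add(int(m["code"]))
        entry["first"] = entry["first"] or m["ts"]
        entry["last"] = m["ts"]
    return dict(summary)

def never_reachable(summary):
    """Agreements whose every failure was LDAP error -1 (can't contact server).

    These are only candidates for a leftover agreement: confirm the peer was
    really removed from the topology before deleting anything.
    """
    return sorted(a for a, e in summary.items() if e["codes"] == {-1})

if __name__ == "__main__":
    report = failing_agreements(SAMPLE_LOG)
    for agmt in never_reachable(report):
        e = report[agmt]
        print(f"{agmt} peer={e['peer']} failures={e['count']} "
              f"first={e['first']} last={e['last']}")
```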