<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 09/16/2013 03:21 AM, Charlie Derwent
wrote:<br>
</div>
<blockquote
cite="mid:CA+W6xevNRKTqF=xSwsYAGjM1KVhd2+m7tZP2=R1TMaFWg4taZw@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>Hi </div>
<div> </div>
<div>Update on the errors</div>
<div> </div>
<div>kinit charlesd </div>
<div>kinit: Generic error (see e-text) while getting initial
credentials</div>
<div>krb5kdc.log - LOOKING_UP_CLIENT: <a moz-do-not-send="true"
href="mailto:charlesd@EXAMPLE.COM">charlesd@EXAMPLE.COM</a>
for krbtg/<a moz-do-not-send="true"
href="mailto:EXAMPLE.COM@EXAMPLE.COM">EXAMPLE.COM@EXAMPLE.COM</a>,
Server Error</div>
<div> </div>
<div> </div>
<div>Starting the IPA service (dirsrv in particular) gives</div>
<div> </div>
<div>Failed to read data from Directory Service: Failed to get
list of services to probe status!</div>
<div>Configured hostname '<a moz-do-not-send="true"
href="http://ipa3.example.com">ipa3.example.com</a>' doesn't
match any master server in LDAP:</div>
<div>No master found because of error: {'matched':
dc=example,dc=com', 'desc': 'No such object'}</div>
<div>Shutting down</div>
<div> </div>
<div> </div>
<div>The errors log has a load of different services
(schema-compat-plugin, dna-plugin, ipalockout_preop/postop) all
complaining in one way or another about being unable to
retrieve entries or no entries being set up.</div>
</div>
</blockquote>
<br>
I think you'll have to use the workaround where you change
replication to use simple bind in order to initialize the consumer,
then switch back to sasl/gssapi.<br>
<br>
Simo/Rob - which ticket was this? Does freeipa.org have the
workaround?<br>
<br>
<blockquote
cite="mid:CA+W6xevNRKTqF=xSwsYAGjM1KVhd2+m7tZP2=R1TMaFWg4taZw@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra"><br>
Cheers,</div>
<div class="gmail_extra">Charlie<br>
</div>
<div class="gmail_extra"> </div>
<div class="gmail_quote">On Fri, Sep 13, 2013 at 2:49 PM, Rich
Megginson <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>&gt;</span>
wrote:<br>
<blockquote style="margin:0px 0px 0px
0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid"
class="gmail_quote">
<div text="#000000" bgcolor="#FFFFFF">
<div class="im">
<div>On 09/12/2013 08:04 PM, Charlie Derwent wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Mon, Sep 9, 2013 at
5:32 PM, Rich Megginson <span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:rmeggins@redhat.com"
target="_blank">rmeggins@redhat.com</a>&gt;</span>
wrote:<br>
<blockquote style="margin:0px 0px 0px
0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid"
class="gmail_quote">
<div text="#000000" bgcolor="#FFFFFF">
<div>
<div>On 09/09/2013 10:20 AM, Charlie
Derwent wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>Hi,</div>
<div> </div>
<div>2 questions, some of our
automation accounts are needlessly
querying the IPA server every time
they call a command via sudo. This
is generating a lot of noise in our
access logs. Is there any way to
ensure certain system accounts don't
call out to the IPA server for
additional groups or sudo permission
when completing tasks?</div>
</div>
</blockquote>
<br>
</div>
What are your client platforms? Does sssd
or newer versions of sudo cache?
<div><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div> </div>
<div>The other question is slightly
more embarrassing, one of our guys
saw /var filling and noticed that
/var/lib/dirsrv/slapd-EXAMPLE-COM/db/
had a load of "log" files which
looked like they weren't being
tidied. </div>
</div>
</blockquote>
<br>
</div>
They are automatically cleaned up. If you
have a lot of updates, it may take longer.
<div><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div>One stupid decision later and I'm
now here asking on his behalf if
there is any way of restoring the
database from a replica or is a
complete rebuild required?</div>
</div>
</blockquote>
<br>
</div>
Just reinit the replica using
ipa-replica-manage.<br>
<br>
</div>
</blockquote>
<div>I just tried to reinit the replica but I'm
getting an error about failure to connect to
LDAP server. I'm guessing that's because it's
impossible for me to kinit on the server now
given the state of the DB.</div>
</div>
</div>
</div>
</blockquote>
<br>
</div>
It depends. What error? Can you provide the exact error
message and/or excerpts from
/var/log/dirsrv/slapd-DOMAIN-COM/errors?
<div class="im"><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote style="margin:0px 0px 0px
0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid"
class="gmail_quote">
<div text="#000000" bgcolor="#FFFFFF">
<blockquote type="cite">
<div>
<div dir="ltr">
<div>Second question is obviously a
little bit more urgent than the
first but any advice is greatly
appreciated.</div>
<div> </div>
<div>Thanks,</div>
<div>Charlie</div>
</div>
</div>
<pre>_______________________________________________
Freeipa-users mailing list
<a moz-do-not-send="true" href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a>
<a moz-do-not-send="true" href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
<br>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
<br>
</div>
</div>
</blockquote>
</div>
<div class="gmail_extra"><br>
</div>
</div>
</blockquote>
<br>
</body>
</html>