[Freeipa-users] Latest FreeIPA update causing problems

Rich Megginson rmeggins at redhat.com
Thu Feb 16 19:24:57 UTC 2012


On 02/16/2012 10:40 AM, Dan Scott wrote:
> Hi,
>
> On Thu, Feb 16, 2012 at 11:56, Rich Megginson<rmeggins at redhat.com>  wrote:
>> On 02/16/2012 09:12 AM, Dan Scott wrote:
>>> Hi,
>>>
>>> On Thu, Feb 16, 2012 at 10:37, Rich Megginson<rmeggins at redhat.com>    wrote:
>>>> On 02/16/2012 08:26 AM, Dan Scott wrote:
>>>>> Hi,
>>>>>
>>>>> I have recently upgraded one of my FreeIPA servers (Fedora 16) with
>>>>> the latest package versions:
>>>>>
>>>>> Feb 15 14:10:19 Updated: libselinux-2.1.6-6.fc16.x86_64
>>>>> Feb 15 14:10:20 Updated: krb5-libs-1.9.2-6.fc16.x86_64
>>>>> Feb 15 14:10:21 Updated: systemd-37-13.fc16.x86_64
>>>>> Feb 15 14:10:22 Updated: systemd-units-37-13.fc16.x86_64
>>>>> Feb 15 14:10:22 Updated: device-mapper-libs-1.02.65-6.fc16.x86_64
>>>>> Feb 15 14:10:22 Updated: device-mapper-1.02.65-6.fc16.x86_64
>>>>> Feb 15 14:10:23 Updated: rpm-4.9.1.2-5.fc16.x86_64
>>>>> Feb 15 14:10:24 Updated: rpm-libs-4.9.1.2-5.fc16.x86_64
>>>>> Feb 15 14:10:24 Updated: device-mapper-event-libs-1.02.65-6.fc16.x86_64
>>>>> Feb 15 14:10:26 Updated: freeipa-python-2.1.4-5.fc16.x86_64
>>>>> Feb 15 14:10:26 Updated: systemd-sysv-37-13.fc16.x86_64
>>>>> Feb 15 14:10:27 Updated: krb5-server-1.9.2-6.fc16.x86_64
>>>>> Feb 15 14:10:27 Updated: krb5-server-ldap-1.9.2-6.fc16.x86_64
>>>>> Feb 15 14:10:27 Updated: device-mapper-event-1.02.65-6.fc16.x86_64
>>>>> Feb 15 14:10:28 Updated: lvm2-libs-2.02.86-6.fc16.x86_64
>>>>> Feb 15 14:10:28 Updated: rpm-build-libs-4.9.1.2-5.fc16.x86_64
>>>>> Feb 15 14:10:28 Updated: mod_auth_kerb-5.4-8.fc16.x86_64
>>>>> Feb 15 14:10:28 Updated: 389-ds-base-libs-1.2.10-0.10.rc1.fc16.x86_64
>>>>> Feb 15 14:10:30 Updated: 389-ds-base-1.2.10-0.10.rc1.fc16.x86_64
>>>>> Feb 15 14:10:31 Updated: krb5-pkinit-openssl-1.9.2-6.fc16.x86_64
>>>>> Feb 15 14:10:31 Updated: krb5-workstation-1.9.2-6.fc16.x86_64
>>>>> Feb 15 14:10:31 Updated: freeipa-client-2.1.4-5.fc16.x86_64
>>>>> Feb 15 14:10:31 Updated: freeipa-admintools-2.1.4-5.fc16.x86_64
>>>>> Feb 15 14:11:47 Updated: freeipa-server-2.1.4-5.fc16.x86_64
>>>>> Feb 15 14:15:19 Updated: freeipa-server-selinux-2.1.4-5.fc16.x86_64
>>>>> Feb 15 14:15:19 Updated: rpm-python-4.9.1.2-5.fc16.x86_64
>>>>> Feb 15 14:15:20 Updated: lvm2-2.02.86-6.fc16.x86_64
>>>>> Feb 15 14:15:20 Updated: libselinux-python-2.1.6-6.fc16.x86_64
>>>>> Feb 15 14:15:20 Updated: libselinux-utils-2.1.6-6.fc16.x86_64
>>>>> Feb 15 14:15:21 Updated: alsa-lib-1.0.25-1.fc16.x86_64
>>>>> Feb 15 14:15:30 Installed: kernel-3.2.6-3.fc16.x86_64
>>>>>
>>>>> I am having major problems with freeipa services (I replaced my real
>>>>> domain with example.com):
>>>>>
>>>>> [root at fileserver3 ~]# ipactl status
>>>>> Directory Service: STOPPED
>>>>> Unknown error when retrieving list of services from LDAP: [Errno 111]
>>>>> Connection refused
>>>>> [root at fileserver3 ~]# ipactl start
>>>>> Starting Directory Service
>>>>> Failed to read data from Directory Service: Failed to get list of
>>>>> services to probe status!
>>>>> Configured hostname 'fileserver3.example.com' does not match any
>>>>> master server in LDAP:
>>>>> No master found because of error: {'matched': 'dc=example,dc=com',
>>>>> 'desc': 'No such object'}
>>>>> Shutting down
>>>>> [root at fileserver3 ~]#
>>>>>
>>>>> None of the IPA processes will start. The dirsrv error log shows:
>>>>>
>>>>> [16/Feb/2012:10:20:23 -0500] - 389-Directory/1.2.10.rc1 B2012.035.328
>>>>> starting up
>>>>> [16/Feb/2012:10:20:23 -0500] schema-compat-plugin - warning: no
>>>>> entries set up under cn=groups, cn=compat,dc=example,dc=com
>>>>> [16/Feb/2012:10:20:23 -0500] schema-compat-plugin - warning: no
>>>>> entries set up under cn=ng, cn=compat,dc=example,dc=com
>>>>> [16/Feb/2012:10:20:23 -0500] schema-compat-plugin - warning: no
>>>>> entries set up under ou=sudoers,dc=example,dc=com
>>>>> [16/Feb/2012:10:20:23 -0500] schema-compat-plugin - warning: no
>>>>> entries set up under cn=users, cn=compat,dc=example,dc=com
>>>>> [16/Feb/2012:10:20:23 -0500] dna-plugin - dna_parse_config_entry:
>>>>> Unable to locate shared configuration entry
>>>>> (cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=example,dc=com)
>>>>> [16/Feb/2012:10:20:23 -0500] dna-plugin - dna_parse_config_entry:
>>>>> Invalid config entry [cn=posix ids,cn=distributed numeric assignment
>>>>> plugin,cn=plugins,cn=config] skipped
>>>>> [16/Feb/2012:10:20:23 -0500] - slapd started.  Listening on All
>>>>> Interfaces port 389 for LDAP requests
>>>>> [16/Feb/2012:10:20:23 -0500] - Listening on All Interfaces port 636
>>>>> for LDAPS requests
>>>>> [16/Feb/2012:10:20:23 -0500] - Listening on
>>>>> /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests
>>>>> [16/Feb/2012:10:20:23 -0500] - slapd shutting down - signaling operation
>>>>> threads
>>>>> [16/Feb/2012:10:20:23 -0500] - slapd shutting down - closing down
>>>>> internal subsystems and plugins
>>>>> [16/Feb/2012:10:20:24 -0500] - Waiting for 4 database threads to stop
>>>>> [16/Feb/2012:10:20:24 -0500] - All database threads now stopped
>>>>> [16/Feb/2012:10:20:24 -0500] - slapd stopped.
>>>>>
>>>>> Can someone help?
>>>> start your directory server - systemctl start dirsrv.target
>>>> do a search for the dna entries:
>>>> ldapsearch -xLLL -D "cn=directory manager" -W -s one -b "cn=dna,cn=ipa,cn=etc,dc=example,dc=com"
>>>>
>>>> and
>>>> ldapsearch -xLLL -D "cn=directory manager" -W -s one -b "cn=distributed numeric assignment plugin,cn=plugins,cn=config"
>>> Results:
>>>
>>> [root at fileserver3 ~]# ldapsearch -xLLL -D "cn=directory manager" -W -s
>>> one -b "cn=dna,cn=ipa,cn=etc,dc=example,dc=com"
>>> Enter LDAP Password:
>>> No such object (32)
>>> Matched DN: dc=example,dc=com
>>> [root at fileserver3 ~]# ldapsearch -xLLL -D "cn=directory manager" -W -s
>>> one -b "cn=distributed numeric assignment plugin,cn=plugins,cn=config"
>>> Enter LDAP Password:
>>> dn: cn=Posix IDs,cn=Distributed Numeric Assignment
>>> Plugin,cn=plugins,cn=config
>>> objectClass: top
>>> objectClass: extensibleObject
>>> cn: Posix IDs
>>> dnatype: uidNumber
>>> dnatype: gidNumber
>>> dnanextvalue: 1101
>>> dnamaxvalue: 1100
>>> dnamagicregen: 999
>>> dnafilter: (|(objectclass=posixAccount)(objectClass=posixGroup))
>>> dnascope: dc=example,dc=com
>>> dnathreshold: 500
>>> dnasharedcfgdn: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=example,dc=com
>>>
>>> It looks like all my data is missing.... do I need to re-initialize
>>> the replication?
>> Is this your master or a replica?
>> You can look at the database directly with
>> dbscan -f /var/lib/dirsrv/slapd-DOMAIN/db/userRoot/id2entry.db4
>> you can also export it to ldif with
>> /var/lib/dirsrv/scripts-DOMAIN/db2ldif -n userRoot -a /var/lib/dirsrv/slapd-DOMAIN/ldif/mydb.ldif
> It's a replica. Luckily the master hasn't been updated yet. I have
> another replica running Fedora 15 which seems OK as well.
>
> The dbscan command looks good, I think. I can see an entry for "rdn:
> uid=djscott".
>
> I ran the export, and got:
>
> Exported ldif file: /var/lib/dirsrv/slapd-DOMAIN/ldif/mydb.ldif
> ldiffile: /var/lib/dirsrv/slapd-DOMAIN/ldif/mydb.ldif
> [16/Feb/2012:12:37:40 -0500] - export userRoot: Processed 437 entries (100%).
> [16/Feb/2012:12:37:40 -0500] - All database threads now stopped
>
> The ldif file looks good, thanks. Nice to know that the data is all
> still there. Any ideas why it's not showing up when I query LDAP?
So you do see an entry for cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=example,dc=com
in your dbscan output and in the mydb.ldif file?
The dbscan output should contain an entry ID and a parent entry ID - this will
be a one, two, or three digit integer.
Try the following, where X is the entry ID, and Y is the parent entry ID:
dbscan -k X -f /var/lib/dirsrv/slapd-DOMAIN/db/userRoot/entryrdn.db4
dbscan -k Y -f /var/lib/dirsrv/slapd-DOMAIN/db/userRoot/entryrdn.db4
dbscan -k PX -f /var/lib/dirsrv/slapd-DOMAIN/db/userRoot/entryrdn.db4
dbscan -k CY -f /var/lib/dirsrv/slapd-DOMAIN/db/userRoot/entryrdn.db4
> Dan
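
The check asked for above (is the shared DNA entry, and every container above it, really in the exported mydb.ldif?) can be done mechanically. This is an added example, not code from the thread or from 389-ds/FreeIPA; the function names are hypothetical and the sample LDIF is constructed. It unfolds wrapped LDIF lines, normalizes DNs, and lists every DN on the path from the target up to the suffix that the export does not contain.

```python
import base64
import re

# Constructed sample standing in for mydb.ldif: the cn=ipa container is
# missing, one DN is folded across two lines, one has a space after a comma.
SAMPLE_LDIF = """\
dn: dc=example,dc=com
objectClass: top

dn: cn=etc,dc=example,dc=com
objectClass: top

dn: cn=dna, cn=ipa,cn=etc,dc=example,dc=com
objectClass: top

dn: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=exa
 mple,dc=com
objectClass: top
"""

def split_rdns(dn):
    # Split on unescaped commas; trim and lowercase each RDN (a simplification
    # that treats every attribute value as case-insensitive).
    return [r.strip().lower() for r in re.split(r"(?<!\\),", dn)]

def read_dns(ldif_text):
    # RFC 2849 folding: a line starting with one space continues the previous.
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    dns = set()
    for line in lines:
        if line[:4].lower() == "dn::":      # base64-encoded DN
            value = base64.b64decode(line[4:].strip()).decode("utf-8")
        elif line[:3].lower() == "dn:":
            value = line[3:]
        else:
            continue
        dns.add(",".join(split_rdns(value)))
    return dns

def missing_on_path(ldif_text, dn, suffix):
    # Walk from the target DN up to the suffix; list every DN not exported.
    present = read_dns(ldif_text)
    rdns, depth = split_rdns(dn), len(split_rdns(suffix))
    path = [",".join(rdns[i:]) for i in range(len(rdns) - depth + 1)]
    return [p for p in path if p not in present]

if __name__ == "__main__":
    target = "cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=example,dc=com"
    print(missing_on_path(SAMPLE_LDIF, target, "dc=example,dc=com"))
```

An empty result means the whole chain is in the export, which narrows the problem to the indexes rather than the entry data.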



