[Freeipa-users] Replication woes

Simo Sorce simo at redhat.com
Mon Aug 19 18:02:54 UTC 2013


On Mon, 2013-08-19 at 13:51 -0400, Bret Wortman wrote:
> So, any idea how to fix the Kerberos problem?
> 

If your server is trying to get a tgt for ldap/localhost it probably
means your /etc/hosts file is broken and has a line like this:

1.2.3.4 localhost my.real.name

When GSSAPI tries to resolve my.real.name it gets back that 'localhost'
is the canonical name, so it tries to get a TGT with that name and it
fails.

If /etc/hosts is fine, then the DNS server may be returning an IP address
that later resolves to localhost again.

To unbreak it, make sure that if you have your fully qualified name
in /etc/hosts it is on its own line, pointing at the right IP
address, and that the FQDN is the first name on the line,
eg:

this is ok:
1.2.3.4 server.full.name server

this is not:
1.2.3.4 server server.full.name

Simo.
> 
> Bret Wortman
> 
> 
> http://damascusgrp.com/
> 
> http://about.me/wortmanbret
> 
> 
> 
> On Mon, Aug 19, 2013 at 12:19 PM, Bret Wortman
> <bret.wortman at damascusgrp.com> wrote:
>         ...and I got the web UI, authentication and sudo back via:
>         
>         # ipactl stop
>         # ipactl start
>         
>         Not sure why that worked, but it did. I was grasping at
>         straws, honestly.
>         
>         
>         
>         
>         On Mon, Aug 19, 2013 at 12:18 PM, Bret Wortman
>         <bret.wortman at damascusgrp.com> wrote:
>                 Digging further, I think this log entry might be the
>                 problem between the two servers that aren't talking:
>                 
>                 slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id[] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server ldap/localhost at SPX.NET not found in Kerberos database)) errno 2 (No such file or directory)
>                 
>                 Did I build something incorrectly when that server was
>                 set up originally?
>                 
>                 
>                 
>                 
>                 On Mon, Aug 19, 2013 at 12:02 PM, Bret Wortman
>                 <bret.wortman at damascusgrp.com> wrote:
>                         I ran it on a good master, against a bad one.
>                         As in, I ran this command on my master IPA node:
>                         
>                         # ipa-replica-manage del --force bad1.foo.net --cleanup
>                         
>                         Was that wrong? I was trying to delete the bad
>                         replica from the master, so I figured the
>                         command needed to be run on the master. But
>                         again, my master is now in a state where it's
>                         not resolving DNS, user logins, or sudo at the
>                         very least.
>                         
>                         Oh, and I checked the node that it was
>                         complaining about earlier. The network
>                         connection to it is the pits, but it's there.
>                         And it resolves.
>                         
>                         
>                         
>                         On Mon, Aug 19, 2013 at 11:58 AM, Rob
>                         Crittenden <rcritten at redhat.com> wrote:
>                                 Rob Crittenden wrote:
>                                         Bret Wortman wrote:
>                                                 Well, my master ground to a halt and wasn't
>                                                 responding. I rebooted the system and now I
>                                                 can't access the web UI or ssh to the master
>                                                 either. I have console access but that's it.
>                                                 
>                                                 The services all say they're running, but the
>                                                 web UI gives an "Unknown Error" dialog and ssh
>                                                 fails with "ssh_exchange_identification:
>                                                 Connection closed by remote host" whenever I
>                                                 try to ssh to ipamaster. I think something has
>                                                 gone really wrong inside my master. Any ideas?
>                                                 Even after the reboot, --cleanup isn't helping
>                                                 and just hangs.
>                                                 
>                                                 The logfiles end (as of the time I ^C'd the
>                                                 process) with:
>                                                 
>                                                 NSMMReplicationPlugin - agmt="cn=meTogood3.spx.net" (good3:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cannot determine realm for numeric host address))
>                                                 NSMMReplicationPlugin - CleanAllRUV Task: Replica not online (agmt="cn=meTogood3.foo.net" (good3:389))
>                                                 NSMMReplicationPlugin - CleanAllRUV Task: Not all replicas online, retrying in 160 seconds...,
>                                                 
>                                                 So it looks like it's having trouble talking
>                                                 with one of my replicas and is doggedly trying
>                                                 to get the job done. Any idea how to get the
>                                                 master back working again while I troubleshoot
>                                                 this connectivity issue?
>                                         
>                                         That suggests a DNS problem, and it might explain
>                                         ssh as well depending on your configuration.
>                                 
>                                 To be clear, you ran --cleanup against one of the
>                                 bad masters, not a good one, right?
>                                 
>                                 rob
>                         
>                         
>                 
>                 
>         
>         
> 
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Simo Sorce * Red Hat, Inc * New York
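Added example, not code from this thread or from FreeIPA: a small checker for the /etc/hosts shapes Simo describes. For a given FQDN it reports every hosts-file line naming it where the FQDN is not the first (canonical) name, where it shares a line with localhost, or where it maps to a loopback address. It also wraps the system resolver's canonical-name lookup (getaddrinfo with AI_CANONNAME), which is the lookup that feeds the ldap/<name> principal in the error above. The host names and addresses in the sample files are constructed.

```python
# Added example: check /etc/hosts for the mis-ordered or localhost-aliased
# lines that make GSSAPI canonicalize a server name to "localhost".
# Host names and addresses below are made-up sample data.
import socket

LOCALHOST_NAMES = {"localhost", "localhost.localdomain",
                   "localhost4", "localhost6"}


def parse_hosts(text):
    """Yield (address, [names...]) for each non-blank, non-comment line.

    The first name after the address is what getaddrinfo(AI_CANONNAME)
    reports as the canonical name when /etc/hosts answers the lookup."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        yield fields[0], fields[1:]


def check_hosts(text, fqdn):
    """Return a list of problems for `fqdn` in the given hosts-file text.

    An empty list means every line naming the FQDN puts it first and does
    not alias it to localhost, i.e. the layout the message calls "ok"."""
    problems = []
    for addr, names in parse_hosts(text):
        if fqdn not in names:
            continue
        if names[0] != fqdn:
            problems.append(
                f"{addr}: '{names[0]}' is the canonical name on this line, "
                f"so '{fqdn}' canonicalizes to it and GSSAPI would ask the "
                f"KDC for ldap/{names[0]}")
        shared = LOCALHOST_NAMES.intersection(names)
        if shared:
            problems.append(
                f"{addr}: '{fqdn}' shares a line with {sorted(shared)}; "
                "keep localhost on its own 127.0.0.1 / ::1 line")
        if addr.startswith("127.") or addr == "::1":
            problems.append(f"{addr}: '{fqdn}' maps to a loopback address")
    return problems


def resolver_canonical_name(host):
    """Ask the system resolver (hosts file, then DNS, in nsswitch.conf
    order) for the canonical name of `host`. This needs a live resolver,
    so the offline checks below do not exercise it."""
    infos = socket.getaddrinfo(host, None, flags=socket.AI_CANONNAME)
    return infos[0][3]


# Constructed sample hosts files mirroring the two shapes in the message.
GOOD_HOSTS = """\
127.0.0.1   localhost localhost.localdomain
::1         localhost6
1.2.3.4     server.full.name server   # FQDN first, short alias after it
"""

SWAPPED_HOSTS = """\
1.2.3.4     server server.full.name   # short name first: canonical is 'server'
"""

LOCALHOST_ALIAS_HOSTS = """\
1.2.3.4     localhost my.real.name    # FQDN aliased to localhost
"""

if __name__ == "__main__":
    for label, text, name in (("good", GOOD_HOSTS, "server.full.name"),
                              ("swapped", SWAPPED_HOSTS, "server.full.name"),
                              ("localhost-alias", LOCALHOST_ALIAS_HOSTS,
                               "my.real.name")):
        print(label + ":", check_hosts(text, name) or "ok")
```

Run it on the real file with `check_hosts(open("/etc/hosts").read(), socket.getfqdn())`, then compare `resolver_canonical_name(socket.getfqdn())` with the FQDN itself; if they differ, that is the name the Kerberos library will put in the service principal. Note that a clean /etc/hosts does not rule out the second case in the message, a DNS record whose address maps back to localhost, since MIT Kerberos also consults reverse DNS by default (the `rdns` setting in krb5.conf's [libdefaults] controls this).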
