[Freeipa-users] IPA Query Tuning and a Recovery Question

Charlie Derwent shelltoesuperstar at gmail.com
Mon Sep 16 09:21:40 UTC 2013


Hi

Update on the errors

kinit charlesd
kinit: Generic error (see e-text) while getting initial credentials
krb5kdc.log - LOOKING_UP_CLIENT: charlesd at EXAMPLE.COM for krbtg/
EXAMPLE.COM at EXAMPLE.COM, Server Error


Starting the IPA service (dirsrv in particular) gives

Failed to read data from Directory Service: Failed to get list of services
to probe status!
Configured hostname 'ipa3.example.com' doesn't match any master server in
LDAP:
No master found because of error: {'matched': dc=example,dc=com', 'desc':
'No such object'}
Shutting down


The errors log has a load of different services (schema-compat-plugin,
dna-plugin, ipalockout_preop/postop) all complaining in one way or another
about being unable to retrieve entries or no entries being set up.

Cheers,
Charlie

On Fri, Sep 13, 2013 at 2:49 PM, Rich Megginson <rmeggins at redhat.com> wrote:

>  On 09/12/2013 08:04 PM, Charlie Derwent wrote:
>
>
>
> On Mon, Sep 9, 2013 at 5:32 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>
>>  On 09/09/2013 10:20 AM, Charlie Derwent wrote:
>>
>>  Hi,
>>
>> 2 questions, some of our automation accounts are needlessly querying the
>> IPA server every time they call a command via sudo. This is generating a
>> lot of noise in our access logs. Is there any way to ensure certain system
>> accounts don't call out to the IPA server for additional groups or sudo
>> permission when completing tasks?
>>
>>
>>  What are your client platforms?  Does sssd or newer versions of sudo
>> cache?
>>
>>
>>
>> The other question is slightly more embarrassing, one of our guys saw
>> /var filling and noticed that /var/lib/dirsrv/slapd-EXAMPLE-COM/db/ had a
>> load of "log" files which looked like they weren't being tidied.
>>
>>
>>  They are automatically cleaned up.  If you have a lot of updates, it may
>> take longer.
>>
>>
>>  One stupid decision later and I'm now here asking on his behalf if
>> there is any way of restoring the database from a replica or is a complete
>> rebuild required?
>>
>>
>>  Just reinit the replica using ipa-replica-manage.
>>
>>
> I just tried to reinit the replica but I'm getting an error about failure
> to connect to LDAP server. I'm guessing that's because it's impossible for
> me to kinit on the server now given the state of the DB.
>
>
> It depends.  What error?  Can you provide the exact error message and/or
> excerpts from /var/log/dirsrv/slapd-DOMAIN-COM/errors?
>
>
>>  Second question is obviously a little bit more urgent than the first
>> but any advice is greatly appreciated.
>>
>> Thanks,
>> Charlie