[Freeipa-users] IPA Query Tuning and a Recovery Question
Rich Megginson
rmeggins at redhat.com
Mon Sep 16 13:44:27 UTC 2013
On 09/16/2013 03:21 AM, Charlie Derwent wrote:
> Hi
> Update on the errors
> kinit charlesd
> kinit: Generic error (see e-text) while getting initial credentials
> krb5kdc.log - LOOKING_UP_CLIENT: charlesd at EXAMPLE.COM
> <mailto:charlesd at EXAMPLE.COM> for krbtg/EXAMPLE.COM at EXAMPLE.COM
> <mailto:EXAMPLE.COM at EXAMPLE.COM>, Server Error
> Starting the IPA service (dirsrv in particular) gives
> Failed to read data from Directory Service: Failed to get list of
> services to probe status!
> Configured hostname 'ipa3.example.com <http://ipa3.example.com>'
> doesn't match any master server in LDAP:
> No master found because of error: {'matched': dc=example,dc=com',
> 'desc': 'No such object'}
> Shutting down
> The errors log has a load of different services schema-compat-plugin.
> dna-plugin, ipalockout_preop/postop all complaining in one way or
> another about being unable to retrieve entries or no entries being set up.
I think you'll have to use the workaround where you change replication
to use simple bind in order to initialize the consumer, then switch back
to sasl/gssapi.
Simo/Rob - which ticket was this? Does freeipa.org have the workaround?
>
> Cheers,
> Charlie
> On Fri, Sep 13, 2013 at 2:49 PM, Rich Megginson <rmeggins at redhat.com
> <mailto:rmeggins at redhat.com>> wrote:
>
> On 09/12/2013 08:04 PM, Charlie Derwent wrote:
>>
>>
>> On Mon, Sep 9, 2013 at 5:32 PM, Rich Megginson
>> <rmeggins at redhat.com <mailto:rmeggins at redhat.com>> wrote:
>>
>> On 09/09/2013 10:20 AM, Charlie Derwent wrote:
>>> Hi,
>>> 2 questions, some of our automation accounts are needlessly
>>> querying the IPA server every time they call a command via
>>> sudo. This is generating a lot of noise in our access logs.
>>> Is there any way to ensure certain system accounts don't
>>> call out to the IPA server for additional groups or sudo
>>> permission when completing tasks?
>>
>> What are your client platforms? Does sssd or newer versions
>> of sudo cache?
>>
>>
>>> The other question is slightly more embarrassing, one of our
>>> guys saw /var filling and noticed that
>>> /var/lib/dirsrv/slapd-EXAMPLE-COM/db/ had a load of "log"
>>> files which looked like they weren't being tidied.
>>
>> They are automatically cleaned up. If you have a lot of
>> updates, it may take longer.
>>
>>
>>> One stupid decision later and I'm now here asking on his
>>> behalf if there is anyway of restoring the database from a
>>> replica or is a complete rebuild required?
>>
>> Just reinit the replica using ipa-replica-manage.
>>
>> I just tried to reinit the replica but I'm getting an error about
>> failure to connect to LDAP server I'm guessing that's because
>> it's impossible for me to kinit on the server now given the state
>> of the DB.
>
> It depends. What error? Can you provide the exact error message
> and/or excerpts from /var/log/dirsrv/slapd-DOMAIN-COM/errors?
>
>
>>> Second question is obviously a little bit more urgent than
>>> the first but any advice is greatly appreciated.
>>> Thanks,
>>> Charlie
>>>
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130916/81cef848/attachment.htm>
More information about the Freeipa-users
mailing list