[Freeipa-users] ipa-replica-manage list fail on server 2

Rich Megginson rmeggins at redhat.com
Wed Jul 9 14:20:21 UTC 2014


On 07/08/2014 09:02 PM, barrykfl at gmail.com wrote:
> Some errors I found:
>
>
> server1.abc.com:636 (/etc/dirsrv/slapd-abc-COM)
>
> [29/Jun/2014:02:00:56 +0800] - 389-Directory/1.2.11.25 B2013.325.1951 starting up
> [29/Jun/2014:02:00:56 +0800] attrcrypt - attrcrypt_unwrap_key: failed 
> to unwrap key for cipher AES
> [29/Jun/2014:02:00:56 +0800] attrcrypt - attrcrypt_cipher_init: 
> symmetric key failed to unwrap with the private key; Cert might have 
> been renewed since the key is wrapped.  To recover the encrypted 
> contents, keep the wrapped symmetric key value.
> [29/Jun/2014:02:00:56 +0800] attrcrypt - attrcrypt_unwrap_key: failed 
> to unwrap key for cipher 3DES
> [29/Jun/2014:02:00:56 +0800] attrcrypt - attrcrypt_cipher_init: 
> symmetric key failed to unwrap with the private key; Cert might have 
> been renewed since the key is wrapped.  To recover the encrypted 
> contents, keep the wrapped symmetric key value.
> [29/Jun/2014:02:00:56 +0800] attrcrypt - All prepared ciphers are not 
> available. Please disable attribute encryption.
> [29/Jun/2014:02:00:56 +0800] schema-compat-plugin - warning: no 
> entries set up under cn=computers, cn=compat,dc=abc,dc=com
> [29/Jun/2014:02:00:57 +0800] schema-compat-plugin - warning: no 
> entries set up under cn=ng, cn=compat,dc=abc,dc=com
> [29/Jun/2014:02:00:57 +0800] schema-compat-plugin - warning: no 
> entries set up under ou=sudoers,dc=abc,dc=com
> [29/Jun/2014:02:00:57 +0800] - Skipping CoS Definition cn=Password 
> Policy,cn=accounts,dc=abc,dc=com--no CoS Templates found, which should 
> be added before the CoS Definition.
> [29/Jun/2014:02:00:57 +0800] set_krb5_creds - Could not get initial 
> credentials for principal [ldap/server1.abc.com@abc.COM] in keytab 
> [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for 
> requested realm)
> [29/Jun/2014:02:00:58 +0800] - Skipping CoS Definition cn=Password 
> Policy,cn=accounts,dc=abc,dc=com--no CoS Templates found, which should 
> be added before the CoS Definition.
> [29/Jun/2014:02:00:58 +0800] slapd_ldap_sasl_interactive_bind - Error: 
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 
> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified 
> GSS failure.  Minor code may provide more information (Credentials 
> cache file '/tmp/krb5cc_492' not found)) errno 0 (Success)
> [29/Jun/2014:02:00:58 +0800] slapi_ldap_bind - Error: could not 
> perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> [29/Jun/2014:02:00:58 +0800] NSMMReplicationPlugin - 
> agmt="cn=meToserver2.abc.com" 
> (server2:389): Replication bind with GSSAPI auth failed: LDAP error -2 
> (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified 
> GSS failure.  Minor code may provide more information (Credentials 
> cache file '/tmp/krb5cc_492' not found))
> [29/Jun/2014:02:00:58 +0800] - slapd started.  Listening on All 
> Interfaces port 389 for LDAP requests
> [29/Jun/2014:02:00:58 +0800] - Listening on All Interfaces port 636 
> for LDAPS requests
>
>
> 389-Directory/1.2.11.15 B2013.240.174
> server2.abc.com:636 (/etc/dirsrv/slapd-abc-COM)
>
> [30/Jun/2014:12:51:31 +0800] slapd_ldap_sasl_interactive_bind - Error: 
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 
> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified 
> GSS failure.  Minor code may provide more information (Ticket 
> expired)) errno 0 (Success)
> [30/Jun/2014:12:51:31 +0800] slapd_ldap_sasl_interactive_bind - Error: 
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 
> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified 
> GSS failure.  Minor code may provide more information (Ticket 
> expired)) errno 0 (Success)
> [30/Jun/2014:12:51:31 +0800] slapi_ldap_bind - Error: could not 
> perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> [30/Jun/2014:12:51:31 +0800] NSMMReplicationPlugin - 
> agmt="cn=meToserver1.abc.com" 
> (server1:389): Replication bind with GSSAPI auth failed: LDAP error -2 
> (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified 
> GSS failure.  Minor code may provide more information (Ticket expired))
> [30/Jun/2014:12:51:34 +0800] slapd_ldap_sasl_interactive_bind - Error: 
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 
> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified 
> GSS failure.  Minor code may provide more information (Ticket 
> expired)) errno 0 (Success)
> [30/Jun/2014:12:51:35 +0800] slapd_ldap_sasl_interactive_bind - Error: 
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 
> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified 
> GSS failure.  Minor code may provide more information (Ticket 
> expired)) errno 0 (Success)
> [30/Jun/2014:12:51:35 +0800] slapi_ldap_bind - Error: could not 
> perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> [30/Jun/2014:12:51:40 +0800] slapd_ldap_sasl_interactive_bind - Error: 
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 
> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified 
> GSS failure.  Minor code may provide more information (Ticket 
> expired)) errno 0 (Success)
> [30/Jun/2014:12:51:40 +0800] slapd_ldap_sasl_interactive_bind - Error: 
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 
> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified 
> GSS failure.  Minor code may provide more information (Ticket 
> expired)) errno 0 (Success)
> [30/Jun/2014:12:51:40 +0800] slapi_ldap_bind - Error: could not 
> perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> [30/Jun/2014:12:51:52 +0800] NSMMReplicationPlugin - 
> agmt="cn=meToserver1.abc.com" 
> (server1:389): Replication bind with GSSAPI auth resumed
>

You are using an older version of 389.  The version on server2 is older 
than the version on server1.  Can you upgrade and see if that fixes your 
problems?  Even if it doesn't fix your problems, it will be much easier 
for us to support.

>
> 2014-07-09 10:55 GMT+08:00 <barrykfl at gmail.com>:
>
>     FYI..
>     160: [04/Jul/2014:12:35:30 +0800] conn=936207 fd=73 slot=73
>     connection from 192.168.156.89 to 192.168.156.89
>     163: [04/Jul/2014:12:35:30 +0800] conn=936207 op=-1 fd=73 closed - B1
>
>     There is nothing about binding, but I'm unsure how to fix it.
>
>
>
>
>     2014-07-09 2:01 GMT+08:00 Rich Megginson <rmeggins at redhat.com>:
>
>         On 07/08/2014 02:16 AM, barrykfl at gmail.com wrote:
>>         Resent as size limit.
>>
>>
>>         Here you are: server1's access log seems to show one side broken.
>>
>>         The problem is how to make it replicate again.
>>
>>         At server 1
>>
>>         it is ok  master server1 master server2
>>
>>
>>         The other side, server 2, contains 2 IP replication.
>>
>>         ipa-replica-manage list shows "Can't contact LDAP server".
>>
>>         I don't know why, but the problematic server is server 2, not server 1.
>>
>>         log of server2
>>         [08/Jul/2014:16:02:40 +0800] conn=3299731 fd=69 slot=69
>>         connection from 192.168.15.89 (server1) to 192.168.15.88 (server2)
>>         [08/Jul/2014:16:02:40 +0800] conn=3299731 op=-1 fd=69 closed - B1
>>         [08/Jul/2014:16:02:40 +0800] conn=3299732 fd=69 slot=69
>>         connection from 192.168.15.89 to 192.168.15.88
>>         [08/Jul/2014:16:02:40 +0800] conn=3299732 op=-1 fd=69 closed - B1
>>         [08/Jul/2014:16:02:41 +0800] conn=3299733 fd=69 slot=69
>>         connection from 192.168.15.89 to 192.168.15.88
>>         [08/Jul/2014:16:02:41 +0800] conn=3299733 op=-1 fd=69 closed - B1
>
>         You never answered my question below.  "Are you sure that this
>         connection is a replication session?  Can you post all of the
>         operations from the access log from conn=936207?"
>
>         In the future, please avoid spamming the list with large log
>         files.  In general, it's better to provide excerpts from the
>         log files showing the problem, paste them to fpaste.org, and
>         post the link to the mailing list.
>         If for some reason you need to post a large file, please use a
>         file sharing service and post the link to the file.
>
>         Can you take a look at your errors log from server 1 and
>         server 2 and see if there are any relevant errors?
>
>         If I had to guess, I would say that there is some sort of
>         network error between server 1 and server 2 that causes the
>         excessive closed - B1. Perhaps there will be more information
>         in the errors log.
>
>
>>
>>
>>
>>         2014-07-07 22:21 GMT+08:00 Rich Megginson <rmeggins at redhat.com>:
>>
>>             On 07/04/2014 03:28 AM, barrykfl at gmail.com wrote:
>>>             Found something strange: server 1 replicates to
>>>             itself rather than to server2.
>>>
>>>             Server1 access log > Wrong
>>>             [04/Jul/2014:12:35:30 +0800] conn=936207 fd=73 slot=73
>>>             connection from 192.168.15.89 (server1) to
>>>             192.168.15.89 (server1)
>>
>>             Are you sure that this connection is a replication
>>             session?  Can you post all of the operations from the
>>             access log from conn=936207?
>>
>>
>>>
>>>
>>>             Server 2 access log > OK
>>>             [04/Jul/2014:12:35:30 +0800] conn=936208 fd=74 slot=74
>>>             connection from 192.168.15.89 (server2) to 192.168.15.88
>>>             (server2)
>>>
>>>
>>>             2014-07-04 9:25 GMT+08:00 <barrykfl at gmail.com>:
>>>
>>>                 Just sure now one side of the flow is broken: if you update
>>>                 server1, it 100% works and server2 will be updated.
>>>                 But if you update server2 there is a chance of non-sync, e.g.
>>>                 it creates a username in server1 with a POSIX group > ok,
>>>                 but in server2 it only created the POSIX group and no
>>>                 username/attribute. It occurred several times. I have
>>>                 to use the command line group del ...etc. to force delete
>>>                 them and recreate them.
>>>
>>>                 Result below:
>>>
>>>                 server2.abc.com: replica
>>>                   last init status: None
>>>                   last init ended: None
>>>                   last update status: 0 Replica acquired
>>>                 successfully: Incremental update succeeded
>>>                   last update ended: 2014-07-04 00:33:18+00:00
>>>
>>>                 Directory Manager password:
>>>
>>>                 server1.abc.com: replica
>>>                   last init status: 0 Total update succeeded
>>>                   last init ended: 2014-06-20 10:07:02+00:00
>>>                   last update status: 0 Replica acquired
>>>                 successfully: Incremental update succeeded
>>>                   last update ended: 2014-07-04 01:14:19+00:00
>>>
>>>
>>>
>>>                 [root@(LIVE)server2 ~]$  ipactl status
>>>                 Directory Service: RUNNING
>>>                 KDC Service: RUNNING
>>>                 KPASSWD Service: RUNNING
>>>                 MEMCACHE Service: RUNNING
>>>                 HTTP Service: RUNNING
>>>
>>>
>>>                 2014-07-04 1:34 GMT+08:00 Rob Crittenden <rcritten at redhat.com>:
>>>
>>>                     barrykfl at gmail.com wrote:
>>>                     > Yes they are running. Server 1 can sync to
>>>                     server2 but there is an error at server 2
>>>                     > like this.
>>>
>>>                     How do you know server 1 is syncing with server 2?
>>>
>>>                     On server 1 I'd run:
>>>
>>>                     ipa-replica-manage list -v `hostname`
>>>
>>>                     This will show the replication status.
>>>
>>>                     And what does ipactl status show on server 2?
>>>
>>>                     rob
>>>
>>>                     >
>>>                     > On 2014/7/3 10:14 PM, "Rob Crittenden"
>>>                     <rcritten at redhat.com> wrote:
>>>                     >
>>>                     > Please keep replies on the list.
>>>                     >
>>>                     > barrykfl at gmail.com wrote:
>>>                     >     > I saw the error below and the error log; is
>>>                     >     > it related?
>>>                     >     >
>>>                     >     > [29/Jun/2014:02:00:58 +0800] slapd_ldap_sasl_interactive_bind - Error:
>>>                     >     > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
>>>                     >     > -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
>>>                     >     > GSS failure.  Minor code may provide more information (Credentials cache
>>>                     >     > file '/tmp/krb5cc_492' not found)) errno 0 (Success)
>>>                     >     > [29/Jun/2014:02:00:58 +0800] slapi_ldap_bind - Error: could not perform
>>>                     >     > interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>>>                     >
>>>                     >     I believe this is fairly normal on a new
>>>                     >     startup. It has to start somewhere. The
>>>                     >     expired ticket errors below are unexpected
>>>                     >     since there are so many of them. Is your KDC
>>>                     >     running?
>>>                     >
>>>                     >     ipactl status
>>>                     >
>>>                     >     rob
>>>                     >
>>>                     >     >
>>>                     >     >
>>>                     >     > 2014-07-02 14:15 GMT+08:00 <barrykfl at gmail.com>:
>>>                     >     >
>>>                     >     >
>>>                     >     >     This is the error log I found at 2.abc.com
>>>                     >     >
>>>                     >     > [30/Jun/2014:12:51:31 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired)) errno 0 (Success)
>>>                     >     > [30/Jun/2014:12:51:31 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired)) errno 0 (Success)
>>>                     >     > [30/Jun/2014:12:51:31 +0800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>>>                     >     > [30/Jun/2014:12:51:31 +0800] NSMMReplicationPlugin - agmt="cn=meTo1.abc.com" (central:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired))
>>>                     >     > [30/Jun/2014:12:51:34 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired)) errno 0 (Success)
>>>                     >     > [30/Jun/2014:12:51:35 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired)) errno 0 (Success)
>>>                     >     > [30/Jun/2014:12:51:35 +0800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>>>                     >     > [30/Jun/2014:12:51:40 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired)) errno 0 (Success)
>>>                     >     > [30/Jun/2014:12:51:40 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired)) errno 0 (Success)
>>>                     >     > [30/Jun/2014:12:51:40 +0800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>>>                     >     >
>>>                     >     >
>>>                     >     >         2014-07-02 12:32 GMT+08:00 <barrykfl at gmail.com>:
>>>                     > >
>>>                     >     >         Yes, on node 1 it is happening;
>>>                     >     >         only node2 fails to connect.
>>>                     >     >
>>>                     >     > ipa-replica-manage list 2.abc.com
>>>                     >     > Directory Manager password:
>>>                     >     >
>>>                     >     > 1.abc.com: replica
>>>                     > >
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     > 2014-06-30 20:59 GMT+08:00 Rob Crittenden <rcritten at redhat.com>:
>>>                     > >
>>>                     >     > Barry wrote:
>>>                     >     > > Hi:
>>>                     >     > >
>>>                     >     > > Server 1 and Server 2 were a master-master
>>>                     >     > > cluster originally, but server 2
>>>                     >     > > fails to connect to server1.
>>>                     >     > >
>>>                     >     > > ipa-replica-manage list shows "Can't
>>>                     >     > > contact LDAP server".
>>>                     >     > >
>>>                     >     > > But on server1 it is ok: master
>>>                     >     > > server1, master server2.
>>>                     >     > >
>>>                     >     > > It seems that if I update on server 1
>>>                     >     > > then it syncs to server2 with no problem,
>>>                     >     > > but sometimes if I modify in server2 it
>>>                     >     > > fails to update server1.
>>>                     >     > >
>>>                     >     > > Any idea how to rebuild the mutual relationship?
>>>                     >     >
>>>                     >     > The first step is to diagnose what is
>>>                     >     > wrong. I've already suggested a few things,
>>>                     >     >
>>>                     >     > https://www.redhat.com/archives/freeipa-users/2014-June/msg00105.html
>>>                     >     >
>>>                     >     > rob
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >     >
>>>                     >
>>>
>>>
>>>
>>>
>>>
>>
>>
>
>
>
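
As an added example (not code from anyone in this thread), here is a small Python parser for the two 389-ds errors-log excerpts quoted above. It pulls out the records that matter for the diagnosis Rob asks for: the attrcrypt key-unwrap failures, the KDC-unreachable error from set_krb5_creds, and each replication agreement's GSSAPI bind failures and resumptions, with the Kerberos minor-code reason extracted, and it flags whether a bind failure happened right after "starting up" (the case Rob calls fairly normal) or later (the repeated "Ticket expired" case he calls unexpected). The sample logs are reconstructed from the excerpts quoted above, reflowed to one record per line with the mail-client link residue removed; the 60-second startup window is this example's own assumption, not a 389-ds setting.

```python
"""Classify 389 Directory Server errors-log records that bear on FreeIPA
replication health.  Added example for this thread; SERVER1_LOG and
SERVER2_LOG are reconstructed from the quoted excerpts (one record per line).
The 60-second startup grace window is an assumption of this example."""
import re
from datetime import datetime, timedelta

SERVER1_LOG = """\
[29/Jun/2014:02:00:56 +0800] - 389-Directory/1.2.11.25 B2013.325.1951 starting up
[29/Jun/2014:02:00:56 +0800] attrcrypt - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
[29/Jun/2014:02:00:56 +0800] attrcrypt - attrcrypt_unwrap_key: failed to unwrap key for cipher 3DES
[29/Jun/2014:02:00:57 +0800] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.abc.com@abc.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[29/Jun/2014:02:00:58 +0800] NSMMReplicationPlugin - agmt="cn=meToserver2.abc.com" (server2:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_492' not found))
[29/Jun/2014:02:00:58 +0800] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
"""

SERVER2_LOG = """\
[30/Jun/2014:12:51:31 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired)) errno 0 (Success)
[30/Jun/2014:12:51:31 +0800] NSMMReplicationPlugin - agmt="cn=meToserver1.abc.com" (server1:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired))
[30/Jun/2014:12:51:52 +0800] NSMMReplicationPlugin - agmt="cn=meToserver1.abc.com" (server1:389): Replication bind with GSSAPI auth resumed
"""

# "[dd/Mon/yyyy:HH:MM:SS +zzzz] message" is the 389-ds errors-log record format.
RECORD_RE = re.compile(r"^\[(?P<ts>\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\] (?P<msg>.*)$")
AGMT_RE = re.compile(r'agmt="(?P<agmt>[^"]+)" \((?P<host>[^:]+):(?P<port>\d+)\): '
                     r"Replication bind with GSSAPI auth (?P<state>failed|resumed)")
# The innermost parenthesis after this phrase carries the Kerberos minor-code text.
MINOR_RE = re.compile(r"Minor code may provide more information \((?P<reason>[^()]*)\)")
CIPHER_RE = re.compile(r"failed to unwrap key for cipher (?P<cipher>\S+)")


def parse_errors_log(text):
    """Return [(datetime, message), ...].  Lines without a timestamp prefix are
    treated as continuations of the previous record, so wrapped pastes like the
    ones in this thread still parse."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
            records.append([ts, m.group("msg")])
        elif records and line.strip():
            records[-1][1] += " " + line.strip()
    return [tuple(r) for r in records]


def analyse(records, startup_grace=timedelta(seconds=60)):
    """Summarise attrcrypt, KDC and per-agreement replication bind state."""
    report = {"attrcrypt_ciphers": [], "kdc_unreachable": 0, "agreements": {}}
    last_startup = None
    for ts, msg in records:
        if msg.endswith("starting up"):
            last_startup = ts
            continue
        c = CIPHER_RE.search(msg)
        if c:
            report["attrcrypt_ciphers"].append(c.group("cipher"))
            continue
        if msg.startswith("set_krb5_creds") and "Cannot contact any KDC" in msg:
            report["kdc_unreachable"] += 1
            continue
        a = AGMT_RE.search(msg)
        if not a:
            continue
        agmt = report["agreements"].setdefault(a.group("agmt"), {
            "peer": f"{a.group('host')}:{a.group('port')}", "failures": 0,
            "last_state": None, "last_failure_reason": None, "startup_transient": False})
        agmt["last_state"] = a.group("state")
        if a.group("state") == "failed":
            agmt["failures"] += 1
            r = MINOR_RE.search(msg)
            agmt["last_failure_reason"] = r.group("reason") if r else None
            # A failure within the grace window after "starting up" is expected:
            # the server has not obtained its own ldap/ TGT yet (assumed window).
            agmt["startup_transient"] = (last_startup is not None
                                         and ts - last_startup <= startup_grace)
    return report


def summarize(report):
    """Render the report as one human-readable line per finding."""
    lines = []
    if report["attrcrypt_ciphers"]:
        lines.append("attrcrypt: could not unwrap keys for " + ", ".join(report["attrcrypt_ciphers"]))
    if report["kdc_unreachable"]:
        lines.append(f"KDC unreachable when acquiring ldap/ credentials: {report['kdc_unreachable']} time(s)")
    for name, a in report["agreements"].items():
        when = "right after startup" if a["startup_transient"] else "not at startup"
        lines.append(f"{name} -> {a['peer']}: {a['last_state']}, {a['failures']} bind failure(s), "
                     f"last reason: {a['last_failure_reason']} ({when})")
    return lines


if __name__ == "__main__":
    for label, log in (("server1", SERVER1_LOG), ("server2", SERVER2_LOG)):
        print(f"== {label}")
        for line in summarize(analyse(parse_errors_log(log))):
            print("  " + line)
```

Run against a real /var/log/dirsrv/slapd-*/errors by reading the file into parse_errors_log; an agreement whose last state is "failed" with a non-startup reason is the one to chase with ipa-replica-manage list -v and ipactl status on the peer.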


