[Freeipa-users] Replica Server's ipactl does not control named after reinstallation

Sina Owolabi notify.sina at gmail.com
Sat Jan 10 22:47:49 UTC 2015


Yes, I've had this installed more than three years, and I upgrade from time
to time, not frequently because I don't want to break anything. I just did
an upgrade to the latest RHEL version about a week ago, when the replica
started acting up. Directory services would hang indefinitely, and nothing
else would function. So I took it down and reinstalled ipa and resynced.
Is there a fix I can apply?
On Jan 10, 2015 10:42 PM, "Dmitri Pal" <dpal at redhat.com> wrote:

> On 01/10/2015 04:41 AM, Sina Owolabi wrote:
>
>> I've run ipa-dns-install after the fact now, and named is set up.
>> Strange, it used to work without me having to do this manually
>> (whenever I needed to take down a replica).
>> However when I ran dnsconfig-mod on the new replica, I get:
>>
>>   ipa dnsconfig-mod
>> ipa: ERROR: cert validation failed for
>> "CN=services01.mydom.com,O=MYDOM.COM" ((SEC_ERROR_UNTRUSTED_ISSUER)
>> Peer's certificate issuer has been marked as not trusted by the user.)
>> ipa: ERROR: cert validation failed for
>> "CN=services.mydom.com,O=MYDOM.COM" ((SEC_ERROR_UNTRUSTED_ISSUER)
>> Peer's certificate issuer has been marked as not trusted by the user.)
>> ipa: ERROR: cannot connect to Gettext('any of the configured servers',
>> domain='ipa', localedir=None): https://services01.mydom.com/ipa/xml,
>> https://services.mydom.com/ipa/xml
>>
>
> Can it be that your certs have expired and were not properly renewed?
> How long have you been running this setup?
> More than two years?
> Have you been upgrading since early versions?
>
>
>
>> On Sat, Jan 10, 2015 at 10:22 AM, Sina Owolabi <notify.sina at gmail.com>
>> wrote:
>>
>>> I did run it with --setup-dns.
>>>
>>> [root at services01 ~]# ipa-replica-install --setup-dns
>>> --forwarder=8.8.8.8 --forwarder=8.8.4.4
>>> replica-info-services01.mydom.com.gpg
>>>
>>> How can I fix this, please?
>>>
>>> On Fri, Jan 9, 2015 at 8:33 PM, Rob Crittenden <rcritten at redhat.com>
>>> wrote:
>>>
>>>> Sina Owolabi wrote:
>>>>
>>>>> Hi List,
>>>>>
>>>>> I've seen this happen on two occasions now, in two different
>>>>> environments, one with RHEL 6.6 and the other with RHEL 6.3.
>>>>>
>>>>> I have issues with a replica server, I delete the replication
>>>>> agreement, remove the server from ipa dns, run ipa-server-install
>>>>> --uninstall -U.
>>>>> Reboot the server, create new replication settings from the existing
>>>>> master, and restore the replica.
>>>>> Running ipactl status, I see:
>>>>>
>>>>>   ipactl status
>>>>> Directory Service: RUNNING
>>>>> KDC Service: RUNNING
>>>>> KPASSWD Service: RUNNING
>>>>> MEMCACHE Service: RUNNING
>>>>> HTTP Service: RUNNING
>>>>>
>>>>> No DNS service listed. Named is not running.
>>>>>
>>>>> ipactl restart
>>>>> Restarting Directory Service
>>>>> Shutting down dirsrv:
>>>>>      MYDOM-COM...                                    [  OK  ]
>>>>> Starting dirsrv:
>>>>>      MYDOM-COM...                                    [  OK  ]
>>>>> Restarting KDC Service
>>>>> Stopping Kerberos 5 KDC:                                   [  OK  ]
>>>>> Starting Kerberos 5 KDC:                                   [  OK  ]
>>>>> Restarting KPASSWD Service
>>>>> Stopping Kerberos 5 Admin Server:                          [  OK  ]
>>>>> Starting Kerberos 5 Admin Server:                          [  OK  ]
>>>>> Restarting MEMCACHE Service
>>>>> Stopping ipa_memcached:                                    [  OK  ]
>>>>> Starting ipa_memcached:                                    [  OK  ]
>>>>> Restarting HTTP Service
>>>>> Stopping httpd:                                            [  OK  ]
>>>>> Starting httpd:                                            [  OK  ]
>>>>>
>>>>> Checking on named:
>>>>>   service named status
>>>>> rndc: connect failed: 127.0.0.1#953: connection refused
>>>>> named is stopped
>>>>> # service named start
>>>>> Starting named:                                            [  OK  ]
>>>>> # service named status
>>>>> version: 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1
>>>>> CPUs found: 2
>>>>> worker threads: 2
>>>>> number of zones: 19
>>>>> debug level: 0
>>>>> xfers running: 0
>>>>> xfers deferred: 0
>>>>> soa queries in progress: 0
>>>>> query logging is OFF
>>>>> recursive clients: 0/0/1000
>>>>> tcp clients: 0/100
>>>>> server is up and running
>>>>> named (pid  25017) is running...
>>>>>
>>>>> But it does not resolve. Please, what is happening and how can I fix
>>>>> this?
>>>>> I don't know what logs to provide, but please let me know what is
>>>>> necessary and I'll make them available.
>>>>>
>>>> Bind is an optional service. You can either configure it at the time you
>>>> install replica using the --setup-dns option or afterward using
>>>> ipa-dns-install.
>>>>
>>>> rob
>>>>
>>>>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project
>
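Added example, not part of the thread above: a small Python check that parses the output of `ipactl status` and reports which services are missing or not RUNNING, given how the replica was installed. This is the check that would have flagged the missing "DNS Service" line in the first post before anyone went looking at named by hand. The list of core and optional service names is an assumption about RHEL 6 era IPA output (it is not taken from the IPA source), and the sample status text is the one quoted in the thread.

```python
import re

# Services ipactl reports on a RHEL 6 era IPA server. ASSUMPTION: this list is
# written from the status output quoted in the thread plus the usual optional
# roles; it is not derived from IPA's own service definitions.
CORE_SERVICES = (
    "Directory Service",
    "KDC Service",
    "KPASSWD Service",
    "MEMCACHE Service",
    "HTTP Service",
)
# Optional roles only appear when that role was set up on this host
# (--setup-dns / ipa-dns-install for DNS, --setup-ca for the CA).
OPTIONAL_SERVICES = {"dns": "DNS Service", "ca": "CA Service"}

# Matches lines such as "Directory Service: RUNNING" or "DNS Service: STOPPED".
STATUS_RE = re.compile(r"^(?P<name>[\w ]+ Service): (?P<state>[A-Z]+)$")


def parse_ipactl_status(text):
    """Return {service name: state} for every status line in `ipactl status` output."""
    services = {}
    for raw in text.splitlines():
        m = STATUS_RE.match(raw.strip())
        if m:
            services[m.group("name")] = m.group("state")
    return services


def check_replica(text, setup_dns=False, setup_ca=False):
    """Compare ipactl output with the roles this replica is supposed to run.

    Returns (missing, not_running): services expected but absent from the
    output (ipactl does not know about them, as with named in the thread), and
    services present but in a state other than RUNNING.
    """
    seen = parse_ipactl_status(text)
    expected = list(CORE_SERVICES)
    if setup_dns:
        expected.append(OPTIONAL_SERVICES["dns"])
    if setup_ca:
        expected.append(OPTIONAL_SERVICES["ca"])
    missing = [name for name in expected if name not in seen]
    not_running = [name for name, state in seen.items() if state != "RUNNING"]
    return missing, not_running


# Status output as quoted in the first message of the thread.
SAMPLE_STATUS = """\
  ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
"""

if __name__ == "__main__":
    missing, not_running = check_replica(SAMPLE_STATUS, setup_dns=True)
    for name in missing:
        print("%s not managed by ipactl; was the role installed?" % name)
    for name in not_running:
        print("%s is not RUNNING" % name)
```

Run it against `ipactl status` piped into a file on the replica; a service listed under "missing" is one ipactl is not managing at all, which for DNS means named was never configured on that host and needs ipa-dns-install (or a reinstall with --setup-dns) rather than a plain `service named start`.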