[Freeipa-users] FreeIPA web UI Freezing up

nathan at nathanpeters.com nathan at nathanpeters.com
Mon Jun 8 19:09:12 UTC 2015

> [root at dc1 ~]# ldapsearch -xLLL -D "cn=directory manager" -W -b cn=config
> objectclass=nsDSWindowsReplicationAgreement
> Enter LDAP Password:
> dn: cn=meToofficedc2.office.addomain.net,cn=replica,cn=dc\3Dipadomain
>  \2Cdc\3Dnet,cn=mapping tree,cn=config
> nsds7WindowsReplicaSubtree: OU=Staff,DC=office,DC=addomain,DC=net
> nsds7DirectoryReplicaSubtree: cn=users,cn=accounts,dc=ipadomain,dc=net
> cn: meToofficedc2.office.addomain.net
> nsds7NewWinGroupSyncEnabled: false
> objectClass: nsDSWindowsReplicationAgreement
> objectClass: top
> nsDS5ReplicaTransportInfo: TLS
> description: me to officedc2.office.addomain.net
> nsDS5ReplicaRoot: dc=ipadomain,dc=net
> nsDS5ReplicaHost: officedc2.office.addomain.net
> nsds5replicaTimeout: 120
> nsDS5ReplicaBindDN: cn=freeipa syncuser,ou=Service
> Account,dc=office,dc=addomain,dc=net
> nsds7NewWinUserSyncEnabled: true
> nsDS5ReplicaPort: 389
> nsds7WindowsDomain: ipadomain.net
> nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof
> idnssoaserial
>   entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
> nsDS5ReplicaBindMethod: simple
> nsDS5ReplicaCredentials:
>  I0MFVFZVI3MA==}gWI9NIB8lbt9tmNszzbBFCAe4Vs/e0sMyn5+NZPJg9E=
> nsds7DirsyncCookie::
>  /ixNcRvjVAAAAAAAWowbgYD1akibZ+sCul5C4ZxlLQAAAAAAxSO4iapVmEGQ6R23bgLQi6lEoQAAA
>  AAAogC6jFcyFUmhBp4B7FkaBRklnQEAAAAAyhKMxsP0uUKGEnG2lsyA8eTUwgYAAAAA4n8Xx1bAlU
> nsds50ruv: {replicageneration} 553fe9bb000000040000
> nsds50ruv: {replica 4 ldap://dc1.ipadomain.net:389} 553fe9c9
>  000000040000 5575dff8000000040000
> nsds50ruv: {replica 3 ldap://dc2.ipadomain.net:389} 553fe9c
>  4000000030000 557244db001700030000
> nsruvReplicaLastModified: {replica 4 ldap://dc1.ipadomain.ne
>  t:389} 5575df5e
> nsruvReplicaLastModified: {replica 3 ldap://dc1.ipadomain.n
>  et:389} 00000000
> nsds5replicareapactive: 0
> nsds5replicaLastUpdateStart: 20150608183216Z
> nsds5replicaLastUpdateEnd: 20150608183216Z
> nsds5replicaChangesSentSinceStartup:: NDozMC8wIA==
> nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental
> upd
>  ate succeeded
> nsds5replicaUpdateInProgress: FALSE
> nsds5replicaLastInitStart: 0
> nsds5replicaLastInitEnd: 0
> =====================================================
> hmmm, problem still exists and not sure how to fix it
> =====================================================

This is also really strange: when I run an ipactl restart I get the
following weird stuff in my log.  Messages about ACL targets not existing
and a strange Kerberos error where the host can't find its own keytab or
LDAP service record?

[08/Jun/2015:19:04:06 +0000] - 389-Directory/ B2015.040.128
starting up
[08/Jun/2015:19:04:06 +0000] - WARNING -- Minimum cache size is 512000 --
rounding up
[08/Jun/2015:19:04:06 +0000] - WARNING -- Minimum cache size is 512000 --
rounding up
[08/Jun/2015:19:04:06 +0000] - WARNING -- Minimum cache size is 512000 --
rounding up
[08/Jun/2015:19:04:06 +0000] - WARNING -- Minimum cache size is 512000 --
rounding up
[08/Jun/2015:19:04:06 +0000] - WARNING -- Minimum cache size is 512000 --
rounding up
[08/Jun/2015:19:04:06 +0000] - WARNING -- Minimum cache size is 512000 --
rounding up
[08/Jun/2015:19:04:06 +0000] - WARNING: userRoot: entry cache size 512000B
is less than db size 12500992B; We recommend to increase the entry cache
size nsslapd-cachememsize.
[08/Jun/2015:19:04:06 +0000] - WARNING: ipaca: entry cache size 512000B is
less than db size 1343488B; We recommend to increase the entry cache size
[08/Jun/2015:19:04:06 +0000] - WARNING: changelog: entry cache size
512000B is less than db size 45654016B; We recommend to increase the entry
cache size nsslapd-cachememsize.
[08/Jun/2015:19:04:06 +0000] - resizing db cache size: 400000 -> 320000
[08/Jun/2015:19:04:06 +0000] schema-compat-plugin - warning: no entries
set up under cn=computers, cn=compat,dc=ipadomain,dc=net
[08/Jun/2015:19:04:08 +0000] NSACLPlugin - The ACL target
cn=groups,cn=compat,dc=ipadomain,dc=net does not exist
[08/Jun/2015:19:04:08 +0000] NSACLPlugin - The ACL target
cn=computers,cn=compat,dc=ipadomain,dc=net does not exist
[08/Jun/2015:19:04:08 +0000] NSACLPlugin - The ACL target
cn=ng,cn=compat,dc=ipadomain,dc=net does not exist
[08/Jun/2015:19:04:08 +0000] NSACLPlugin - The ACL target
ou=sudoers,dc=ipadomain,dc=net does not exist
[08/Jun/2015:19:04:08 +0000] NSACLPlugin - The ACL target
cn=users,cn=compat,dc=ipadomain,dc=net does not exist
[08/Jun/2015:19:04:08 +0000] NSACLPlugin - The ACL target cn=casigningcert
cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=ipadomain,dc=net does not exist
[08/Jun/2015:19:04:08 +0000] NSACLPlugin - The ACL target cn=casigningcert
cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=ipadomain,dc=net does not exist
[08/Jun/2015:19:04:08 +0000] NSACLPlugin - The ACL target cn=automember
rebuild membership,cn=tasks,cn=config does not exist
[08/Jun/2015:19:04:08 +0000] - Skipping CoS Definition cn=Password
Policy,cn=accounts,dc=ipadomain,dc=net--no CoS Templates found, which
should be added before the CoS Definition.
[08/Jun/2015:19:04:08 +0000] set_krb5_creds - Could not get initial
credentials for principal [ldap/dc1.ipadomain.net at IPADOMAIN.NET] in keytab
[FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[08/Jun/2015:19:04:08 +0000] slapd_ldap_sasl_interactive_bind - Error:
could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2
(Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
failure.  Minor code may provide more information (No Kerberos credentials
available)) errno 0 (Success)
[08/Jun/2015:19:04:08 +0000] - Skipping CoS Definition cn=Password
Policy,cn=accounts,dc=ipadomain,dc=net--no CoS Templates found, which
should be added before the CoS Definition.
[08/Jun/2015:19:04:08 +0000] slapi_ldap_bind - Error: could not perform
interactive bind for id [] authentication mechanism [GSSAPI]: error -2
(Local error)
[08/Jun/2015:19:04:08 +0000] NSMMReplicationPlugin -
agmt="cn=meTodc2.ipadomain.net" (dc2:389): Replication bind with GSSAPI
auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure:
GSSAPI Error: Unspecified GSS failure.  Minor code may provide more
information (No Kerberos credentials available))
[08/Jun/2015:19:04:08 +0000] - slapd started.  Listening on All Interfaces
port 389 for LDAP requests
[08/Jun/2015:19:04:08 +0000] - Listening on All Interfaces port 636 for
LDAPS requests
[08/Jun/2015:19:04:08 +0000] - Listening on
/var/run/slapd-IPADOMAIN-NET.socket for LDAPI requests
[08/Jun/2015:19:04:38 +0000] slapd_ldap_sasl_interactive_bind - Error:
could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2
(Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
failure.  Minor code may provide more information (Cannot contact any KDC
for realm 'IPADOMAIN.NET')) errno 115 (Operation now in progress)
[08/Jun/2015:19:04:38 +0000] slapi_ldap_bind - Error: could not perform
interactive bind for id [] authentication mechanism [GSSAPI]: error -2
(Local error)
[08/Jun/2015:19:04:39 +0000] NSMMReplicationPlugin -
agmt="cn=meTodc2.ipadomain.net" (dc2:389): Replication bind with GSSAPI
auth resumed
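
The error log above records the replication agreement's GSSAPI bind failing at 19:04:08 and resuming at 19:04:39. The following Python script is an added example, not part of the original post: it rejoins the mail-wrapped log records and measures that gap per agreement. The function names `unwrap` and `gssapi_gaps` are hypothetical, and the sample is constructed from lines in the log above.

```python
import re
from datetime import datetime

# Constructed sample: records copied from the log above, still hard-wrapped.
SAMPLE = """\
[08/Jun/2015:19:04:08 +0000] set_krb5_creds - Could not get initial
credentials for principal [ldap/dc1.ipadomain.net at IPADOMAIN.NET] in keytab
[FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[08/Jun/2015:19:04:08 +0000] NSMMReplicationPlugin -
agmt="cn=meTodc2.ipadomain.net" (dc2:389): Replication bind with GSSAPI
auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure:
GSSAPI Error: Unspecified GSS failure.  Minor code may provide more
information (No Kerberos credentials available))
[08/Jun/2015:19:04:39 +0000] NSMMReplicationPlugin -
agmt="cn=meTodc2.ipadomain.net" (dc2:389): Replication bind with GSSAPI
auth resumed
"""

STAMP = re.compile(r"^\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\] ")
AGMT = re.compile(r'agmt="([^"]+)".*Replication bind with GSSAPI auth (failed|resumed)')

def unwrap(text):
    """Rejoin hard-wrapped records; a new record starts at a [timestamp] line."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def gssapi_gaps(text):
    """Map agreement -> seconds from first 'failed' to 'resumed' (None if never resumed)."""
    failed_at, gaps = {}, {}
    for rec in unwrap(text):
        m, a = STAMP.match(rec), AGMT.search(rec)
        if not (m and a):
            continue  # not a replication-agreement GSSAPI record
        when = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
        name, state = a.groups()
        if state == "failed":
            failed_at.setdefault(name, when)  # keep the earliest failure
            gaps[name] = None
        elif name in failed_at:
            gaps[name] = (when - failed_at.pop(name)).total_seconds()
    return gaps

if __name__ == "__main__":
    print(gssapi_gaps(SAMPLE))
```

An agreement that maps to `None` never logged "auth resumed" in the inspected window and is the one to look at first.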
