[Freeipa-users] FreeIPA web UI Freezing up

Rich Megginson rmeggins at redhat.com
Mon Jun 8 19:15:50 UTC 2015


On 06/08/2015 01:09 PM, nathan at nathanpeters.com wrote:
>> [root at dc1 ~]# ldapsearch -xLLL -D "cn=directory manager" -W -b cn=config
>> objectclass=nsDSWindowsReplicationAgreement
>> Enter LDAP Password:
>> dn: cn=meToofficedc2.office.addomain.net,cn=replica,cn=dc\3Dipadomain
>>   \2Cdc\3Dnet,cn=mapping tree,cn=config
>> nsds7WindowsReplicaSubtree: OU=Staff,DC=office,DC=addomain,DC=net
>> nsds7DirectoryReplicaSubtree: cn=users,cn=accounts,dc=ipadomain,dc=net
>> cn: meToofficedc2.office.addomain.net
>> nsds7NewWinGroupSyncEnabled: false
>> objectClass: nsDSWindowsReplicationAgreement
>> objectClass: top
>> nsDS5ReplicaTransportInfo: TLS
>> description: me to officedc2.office.addomain.net
>> nsDS5ReplicaRoot: dc=ipadomain,dc=net
>> nsDS5ReplicaHost: officedc2.office.addomain.net
>> nsds5replicaTimeout: 120
>> nsDS5ReplicaBindDN: cn=freeipa syncuser,ou=Service
>> Account,dc=office,dc=addomain,dc=net
>> nsds7NewWinUserSyncEnabled: true
>> nsDS5ReplicaPort: 389
>> nsds7WindowsDomain: ipadomain.net
>> nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof
>> idnssoaserial
>>    entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
>> nsDS5ReplicaBindMethod: simple
>> nsDS5ReplicaCredentials:
>> {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG
>>   RERBNEJDUmtOelUzTTJJNVlpMDBaV1EyTTJRMQ0KWXkwNU0yTm1aV05sTVMxbU5qRXpaak5oTlFBQ
>>   0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQ2k0N0NxRGZFd2JIdm
>>   I0MFVFZVI3MA==}gWI9NIB8lbt9tmNszzbBFCAe4Vs/e0sMyn5+NZPJg9E=
>> nsds7DirsyncCookie::
>> TVNEUwMAAAC1t/mKGaLQAQAAAAAAAAAAYAEAAKlEoQAAAAAAAAAAAAAAA
>>   ACpRKEAAAAAAMUjuImqVZhBkOkdt24C0IsBAAAAAAAAAA4AAAAAAAAAY4GwFkVcvEmMMExrVon4d6
>>   13PwAAAAAADGzFNzznrESIxHzA74fbs9WwMAAAAAAAOnFoO5OE2E27lR/g4EcjQTLbIwAAAAAAuEm
>>   PWjYok0qGS0HM/+TDmK7FgAMAAAAA6PTFXvAdnkaJSIkZT1lS+zVCIgAAAAAA4qTQaC46/Ua4KXgP
>>   /ixNcRvjVAAAAAAAWowbgYD1akibZ+sCul5C4ZxlLQAAAAAAxSO4iapVmEGQ6R23bgLQi6lEoQAAA
>>   AAAogC6jFcyFUmhBp4B7FkaBRklnQEAAAAAyhKMxsP0uUKGEnG2lsyA8eTUwgYAAAAA4n8Xx1bAlU
>>   mBUl3zhlZ9WBngDAAAAAAA71vM2ebFEkCJkBaLjB4CGU+4CQMAAAAAGfO+4ndZCkaVKnwZNlNsf90
>>   NDAAAAAAAgD6n+M2bcUGkOwo5gPLx7IOjAwAAAAAA
>> nsds50ruv: {replicageneration} 553fe9bb000000040000
>> nsds50ruv: {replica 4 ldap://dc1.ipadomain.net:389} 553fe9c9
>>   000000040000 5575dff8000000040000
>> nsds50ruv: {replica 3 ldap://dc2.ipadomain.net:389} 553fe9c
>>   4000000030000 557244db001700030000
>> nsruvReplicaLastModified: {replica 4 ldap://dc1.ipadomain.ne
>>   t:389} 5575df5e
>> nsruvReplicaLastModified: {replica 3 ldap://dc1.ipadomain.n
>>   et:389} 00000000
>> nsds5replicareapactive: 0
>> nsds5replicaLastUpdateStart: 20150608183216Z
>> nsds5replicaLastUpdateEnd: 20150608183216Z
>> nsds5replicaChangesSentSinceStartup:: NDozMC8wIA==
>> nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded
>> nsds5replicaUpdateInProgress: FALSE
>> nsds5replicaLastInitStart: 0
>> nsds5replicaLastInitEnd: 0
>>
>> =====================================================
>> hmmm, problem still exists and not sure how to fix it
>> =====================================================
>>
>>
> This is also really strange, when I run an ipactl restart I get the
> following weird stuff in my log.  messages about ACL targets not existing

Not sure about this.

> and a strange kerberos error where the host can't find it's own keytab or
> ldap service record?

See below.

>
> [08/Jun/2015:19:04:06 +0000] - 389-Directory/1.3.3.8 B2015.040.128
> starting up
> [08/Jun/2015:19:04:06 +0000] - WARNING -- Minimum cache size is 512000 --
> rounding up
> [08/Jun/2015:19:04:06 +0000] - WARNING -- Minimum cache size is 512000 --
> rounding up
> [08/Jun/2015:19:04:06 +0000] - WARNING -- Minimum cache size is 512000 --
> rounding up
> [08/Jun/2015:19:04:06 +0000] - WARNING -- Minimum cache size is 512000 --
> rounding up
> [08/Jun/2015:19:04:06 +0000] - WARNING -- Minimum cache size is 512000 --
> rounding up
> [08/Jun/2015:19:04:06 +0000] - WARNING -- Minimum cache size is 512000 --
> rounding up
> [08/Jun/2015:19:04:06 +0000] - WARNING: userRoot: entry cache size 512000B
> is less than db size 12500992B; We recommend to increase the entry cache
> size nsslapd-cachememsize.
> [08/Jun/2015:19:04:06 +0000] - WARNING: ipaca: entry cache size 512000B is
> less than db size 1343488B; We recommend to increase the entry cache size
> nsslapd-cachememsize.
> [08/Jun/2015:19:04:06 +0000] - WARNING: changelog: entry cache size
> 512000B is less than db size 45654016B; We recommend to increase the entry
> cache size nsslapd-cachememsize.
> [08/Jun/2015:19:04:06 +0000] - resizing db cache size: 400000 -> 320000
> [08/Jun/2015:19:04:06 +0000] schema-compat-plugin - warning: no entries
> set up under cn=computers, cn=compat,dc=ipadomain,dc=net
> [08/Jun/2015:19:04:08 +0000] NSACLPlugin - The ACL target
> cn=groups,cn=compat,dc=ipadomain,dc=net does not exist
> [08/Jun/2015:19:04:08 +0000] NSACLPlugin - The ACL target
> cn=computers,cn=compat,dc=ipadomain,dc=net does not exist
> [08/Jun/2015:19:04:08 +0000] NSACLPlugin - The ACL target
> cn=ng,cn=compat,dc=ipadomain,dc=net does not exist
> [08/Jun/2015:19:04:08 +0000] NSACLPlugin - The ACL target
> ou=sudoers,dc=ipadomain,dc=net does not exist
> [08/Jun/2015:19:04:08 +0000] NSACLPlugin - The ACL target
> cn=users,cn=compat,dc=ipadomain,dc=net does not exist
> [08/Jun/2015:19:04:08 +0000] NSACLPlugin - The ACL target cn=casigningcert
> cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=ipadomain,dc=net does not exist
> [08/Jun/2015:19:04:08 +0000] NSACLPlugin - The ACL target cn=casigningcert
> cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=ipadomain,dc=net does not exist
> [08/Jun/2015:19:04:08 +0000] NSACLPlugin - The ACL target cn=automember
> rebuild membership,cn=tasks,cn=config does not exist
> [08/Jun/2015:19:04:08 +0000] - Skipping CoS Definition cn=Password
> Policy,cn=accounts,dc=ipadomain,dc=net--no CoS Templates found, which
> should be added before the CoS Definition.
> [08/Jun/2015:19:04:08 +0000] set_krb5_creds - Could not get initial
> credentials for principal [ldap/dc1.ipadomain.net at IPADOMAIN.NET] in keytab
> [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
> [08/Jun/2015:19:04:08 +0000] slapd_ldap_sasl_interactive_bind - Error:
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2
> (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
> failure.  Minor code may provide more information (No Kerberos credentials
> available)) errno 0 (Success)
> [08/Jun/2015:19:04:08 +0000] - Skipping CoS Definition cn=Password
> Policy,cn=accounts,dc=ipadomain,dc=net--no CoS Templates found, which
> should be added before the CoS Definition.
> [08/Jun/2015:19:04:08 +0000] slapi_ldap_bind - Error: could not perform
> interactive bind for id [] authentication mechanism [GSSAPI]: error -2
> (Local error)
> [08/Jun/2015:19:04:08 +0000] NSMMReplicationPlugin -
> agmt="cn=meTodc2.ipadomain.net" (dc2:389): Replication bind with GSSAPI
> auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure:
> GSSAPI Error: Unspecified GSS failure.  Minor code may provide more
> information (No Kerberos credentials available))
> [08/Jun/2015:19:04:08 +0000] - slapd started.  Listening on All Interfaces
> port 389 for LDAP requests
> [08/Jun/2015:19:04:08 +0000] - Listening on All Interfaces port 636 for
> LDAPS requests
> [08/Jun/2015:19:04:08 +0000] - Listening on
> /var/run/slapd-IPADOMAIN-NET.socket for LDAPI requests
> [08/Jun/2015:19:04:38 +0000] slapd_ldap_sasl_interactive_bind - Error:
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2
> (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
> failure.  Minor code may provide more information (Cannot contact any KDC
> for realm 'IPADOMAIN.NET')) errno 115 (Operation now in progress)
> [08/Jun/2015:19:04:38 +0000] slapi_ldap_bind - Error: could not perform
> interactive bind for id [] authentication mechanism [GSSAPI]: error -2
> (Local error)
> [08/Jun/2015:19:04:39 +0000] NSMMReplicationPlugin -
> agmt="cn=meTodc2.ipadomain.net" (dc2:389): Replication bind with GSSAPI
> auth resumed

This last line means "everything is ok now - I can use the keytab". The
problem is that dirsrv starts very early, before kerberos is available.
Replication keeps trying until kerberos is available.  I admit the
errors look scary, but as long as you see the

"Replication bind with GSSAPI auth resumed"

message, everything is fine.

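The rule Rich gives is easy to misread in a long errors log: the startup-time GSSAPI bind failures are harmless only if a later "auth resumed" line appears for the same replication agreement. The script below is an added example, not code from the thread, from FreeIPA or from 389-ds. It reads a 389-ds errors log and reports, per agreement, whether the bind recovered and how long the gap was. The embedded log excerpt is constructed from the lines quoted above; the dc3 agreement in it is invented to show an agreement that never recovers.

```python
import re
from datetime import datetime

# Constructed sample of a 389-ds errors log at dirsrv startup. Lines are modelled
# on the ones quoted in the thread; the "dc3" agreement is invented to show an
# agreement whose GSSAPI bind never recovers.
SAMPLE_LOG = """\
[08/Jun/2015:19:04:06 +0000] - 389-Directory/1.3.3.8 B2015.040.128 starting up
[08/Jun/2015:19:04:08 +0000] set_krb5_creds - Could not get initial credentials for principal [ldap/dc1.ipadomain.net@IPADOMAIN.NET] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[08/Jun/2015:19:04:08 +0000] NSMMReplicationPlugin - agmt="cn=meTodc2.ipadomain.net" (dc2:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No Kerberos credentials available))
[08/Jun/2015:19:04:08 +0000] NSMMReplicationPlugin - agmt="cn=meTodc3.ipadomain.net" (dc3:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No Kerberos credentials available))
[08/Jun/2015:19:04:08 +0000] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[08/Jun/2015:19:04:38 +0000] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Cannot contact any KDC for realm 'IPADOMAIN.NET')) errno 115 (Operation now in progress)
[08/Jun/2015:19:04:39 +0000] NSMMReplicationPlugin - agmt="cn=meTodc2.ipadomain.net" (dc2:389): Replication bind with GSSAPI auth resumed
"""

# One regex for the two NSMMReplicationPlugin lines that matter: the GSSAPI bind
# failure and the "auth resumed" line that clears it for the same agreement.
BIND_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] NSMMReplicationPlugin - '
    r'agmt="(?P<agmt>[^"]+)" \((?P<peer>[^)]+)\): '
    r'Replication bind with GSSAPI auth (?P<state>failed|resumed)'
)
# Innermost parenthesised text at the end of a failure line, e.g.
# "(No Kerberos credentials available))" -> the GSSAPI minor-code reason.
REASON_RE = re.compile(r'\(([^()]+)\)\)\s*$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def gssapi_bind_status(log_text):
    """Track each replication agreement's GSSAPI bind state through the log.

    Returns {agreement_cn: {"peer", "failures", "reasons", "first_failed",
    "resumed", "ok"}}. "ok" reflects the last event seen for that agreement,
    so a failure logged after a resume flips it back to False.
    """
    status = {}
    for line in log_text.splitlines():
        m = BIND_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        entry = status.setdefault(m["agmt"], {
            "peer": m["peer"], "failures": 0, "reasons": [],
            "first_failed": None, "resumed": None, "ok": True,
        })
        if m["state"] == "failed":
            entry["failures"] += 1
            entry["ok"] = False
            if entry["first_failed"] is None:
                entry["first_failed"] = ts
            r = REASON_RE.search(line)
            if r and r.group(1) not in entry["reasons"]:
                entry["reasons"].append(r.group(1))
        else:
            entry["resumed"] = ts
            entry["ok"] = True
    return status


def recovery_seconds(entry):
    """Seconds from the first failed bind to the resume, or None if not recovered."""
    if entry["first_failed"] is None or entry["resumed"] is None:
        return None
    return int((entry["resumed"] - entry["first_failed"]).total_seconds())


def report(status):
    """Human-readable verdict per agreement; unrecovered ones need a real look."""
    lines = []
    for agmt, e in sorted(status.items()):
        if e["ok"]:
            secs = recovery_seconds(e)
            how = (f"recovered after {secs}s" if secs is not None
                   else "resumed (no failure seen in this log)")
            lines.append(f"OK    {agmt} ({e['peer']}): {how}, {e['failures']} failure(s)")
        else:
            why = "; ".join(e["reasons"]) or "unknown reason"
            lines.append(f"ALERT {agmt} ({e['peer']}): still failing after "
                         f"{e['failures']} attempt(s): {why}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(gssapi_bind_status(SAMPLE_LOG))))
```

The parser keys only on the NSMMReplicationPlugin lines, because those carry the per-agreement state; the set_krb5_creds and "Cannot contact any KDC" lines explain the cause (dirsrv is up before the KDC) but are not the verdict. Run it against the real file, for example /var/log/dirsrv/slapd-IPADOMAIN-NET/errors, and only an ALERT line is worth investigating.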