[Freeipa-users] Replication Update in progress : FALSE LDAP ERROR

Rich Megginson rmeggins at redhat.com
Fri May 15 00:06:41 UTC 2015


On 05/14/2015 05:43 PM, nathan at nathanpeters.com wrote:
>> On 05/14/2015 04:58 AM, nathan at nathanpeters.com wrote:
>>> I have tried to set up synchronization between a FreeIPA domain and an AD
>>> domain.  The certificates are in the right place.
>>>
>>> [root@ipadc1 ~]# ipa-replica-manage connect --winsync \
>>>     --binddn "cn=sync user,cn=Users,dc=datacenter,dc=addomain,dc=net" \
>>>     --bindpw secretpassword --passsync secretpassword \
>>>     --cacert /etc/openldap/cacerts/addc1-datacenter.cer \
>>>     addc1.datacenter.addomain.net -v
>>> Directory Manager password:
>>>
>>> Added CA certificate /etc/openldap/cacerts/addc1-datacenter.cer to certificate database for ipadc1.ipadomain.net
>>> ipa: INFO: AD Suffix is: DC=datacenter,DC=addomain,DC=net
>>> The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=ipadomain,dc=net
>>> Windows PassSync system account exists, not resetting password
>>> ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
>>> ipa: INFO: Replication Update in progress: FALSE: status: -11  - LDAP error: Connect error: start: 0: end: 0
>>> ipa: INFO: Agreement is ready, starting replication . . .
>>> Starting replication, please wait until this has completed.
>>>
>>> [ipadc1.ipadomain.net] reports: Update failed! Status: [-11  - LDAP error: Connect error]
>>>
>>> Failed to start replication
>>>
>>>
>>> This is the system journal while the failure is happening
>>>
>>> May 14 02:50:39 ipadc1.ipadomain.net systemd[1]: Stopping 389 Directory Server IPADOMAIN-NET....
>>> May 14 02:50:41 ipadc1.ipadomain.net named-pkcs11[5594]: LDAP error: Can't contact LDAP server: ldap_sync_poll() failed
>>> May 14 02:50:41 ipadc1.ipadomain.net named-pkcs11[5594]: ldap_syncrepl will reconnect in 60 seconds
>>> May 14 02:50:41 ipadc1.ipadomain.net ipa-dnskeysyncd[3163]: ipa         : ERROR    syncrepl_poll: LDAP error ({'desc': "Can't contact LDAP server"})
>>> May 14 02:50:41 ipadc1.ipadomain.net ipa-dnskeysyncd[3163]: Traceback (most recent call last):
>>> May 14 02:50:41 ipadc1.ipadomain.net ipa-dnskeysyncd[3163]: File "/usr/libexec/ipa/ipa-dnskeysyncd", line 106, in <module>
>>> May 14 02:50:41 ipadc1.ipadomain.net ipa-dnskeysyncd[3163]: while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search):
>>> May 14 02:50:41 ipadc1.ipadomain.net ipa-dnskeysyncd[3163]: File "/usr/lib64/python2.7/site-packages/ldap/syncrepl.py", line 349, in syncrepl_poll
>>> May 14 02:50:41 ipadc1.ipadomain.net ipa-dnskeysyncd[3163]: add_intermediates=1, add_ctrls=1, all = 0
>>> May 14 02:50:41 ipadc1.ipadomain.net ipa-dnskeysyncd[3163]: File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 483, in result4
>>> May 14 02:50:41 ipadc1.ipadomain.net ipa-dnskeysyncd[3163]: ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
>>> May 14 02:50:41 ipadc1.ipadomain.net ipa-dnskeysyncd[3163]: File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 106, in _ldap_call
>>> May 14 02:50:41 ipadc1.ipadomain.net ipa-dnskeysyncd[3163]: result = func(*args,**kwargs)
>>> May 14 02:50:41 ipadc1.ipadomain.net ipa-dnskeysyncd[3163]: SERVER_DOWN: {'desc': "Can't contact LDAP server"}
>>> May 14 02:50:41 ipadc1.ipadomain.net systemd[1]: ipa-dnskeysyncd.service: main process exited, code=exited, status=1/FAILURE
>>> May 14 02:50:41 ipadc1.ipadomain.net systemd[1]: Unit ipa-dnskeysyncd.service entered failed state.
>>> May 14 02:50:41 ipadc1.ipadomain.net systemd[1]: Stopped 389 Directory Server IPADOMAIN-NET..
>>> May 14 02:50:41 ipadc1.ipadomain.net systemd[1]: Starting 389 Directory Server IPADOMAIN-NET....
>>> May 14 02:50:41 ipadc1.ipadomain.net systemd[1]: Started 389 Directory Server IPADOMAIN-NET..
>>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
>>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: Configured NSS Ciphers
>>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert:         TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
>>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert:         TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
>>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert:         TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
>>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert:         TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
>>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert:         TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
>>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert:         TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled
>>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert:         TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled
>>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert:         TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
>>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert:         TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
>>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert:         TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
>>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert:         TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
>>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert:         TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
>>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert:         TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
>>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert:         TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled
>>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert:         TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
>>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert:         TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
>>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert:         TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
>>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert:         TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
>>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert:         TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled
>>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert:         TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled
>>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert:         TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: enabled
>>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert:         TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled
>>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert:         TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled
>>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert:         TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
>>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert:         TLS_RSA_WITH_AES_128_CBC_SHA: enabled
>>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert:         TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
>>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert:         TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
>>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert:         TLS_RSA_WITH_AES_256_CBC_SHA: enabled
>>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert:         TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
>>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert:         TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
>>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert:         TLS_RSA_WITH_SEED_CBC_SHA: enabled
>>> May 14 02:51:41 ipadc1.ipadomain.net named-pkcs11[5594]: connection to the LDAP server was lost
>>> May 14 02:51:41 ipadc1.ipadomain.net named-pkcs11[5594]: GSSAPI client step 1
>>> May 14 02:51:41 ipadc1.ipadomain.net named-pkcs11[5594]: GSSAPI client step 1
>>> May 14 02:51:41 ipadc1.ipadomain.net ns-slapd[3269]: GSSAPI server step 1
>>> May 14 02:51:41 ipadc1.ipadomain.net named-pkcs11[5594]: GSSAPI client step 1
>>> May 14 02:51:41 ipadc1.ipadomain.net ns-slapd[3269]: GSSAPI server step 2
>>> May 14 02:51:41 ipadc1.ipadomain.net named-pkcs11[5594]: GSSAPI client step 2
>>> May 14 02:51:41 ipadc1.ipadomain.net ns-slapd[3269]: GSSAPI server step 3
>>> May 14 02:51:41 ipadc1.ipadomain.net named-pkcs11[5594]: successfully reconnected to LDAP server
>>> May 14 02:51:41 ipadc1.ipadomain.net named-pkcs11[5594]: LDAP instance 'ipa' is being synchronized, please ignore message 'all zones loaded'
>>> May 14 02:51:41 ipadc1.ipadomain.net named-pkcs11[5594]: LDAP error: Can't contact LDAP server: while modifying(replace) entry 'idnsname=ipadomain.net.,cn=dns,dc=ipadomain,dc=net'
>>> May 14 02:51:41 ipadc1.ipadomain.net named-pkcs11[5594]: retrying LDAP operation (modifying(replace)) on entry 'idnsname=ipadomain.net.,cn=dns,dc=ipadomain,dc=net'
>>> May 14 02:51:41 ipadc1.ipadomain.net named-pkcs11[5594]: LDAP error: Can't contact LDAP server: connection error
>>> May 14 02:51:41 ipadc1.ipadomain.net named-pkcs11[5594]: GSSAPI client step 1
>>> May 14 02:51:41 ipadc1.ipadomain.net named-pkcs11[5594]: GSSAPI client step 1
>>> May 14 02:51:41 ipadc1.ipadomain.net systemd[1]: ipa-dnskeysyncd.service holdoff time over, scheduling restart.
>>> May 14 02:51:41 ipadc1.ipadomain.net systemd[1]: Stopping IPA key daemon...
>>> May 14 02:51:41 ipadc1.ipadomain.net systemd[1]: Starting IPA key daemon...
>>> May 14 02:51:41 ipadc1.ipadomain.net systemd[1]: Started IPA key daemon.
>>> May 14 02:51:42 ipadc1.ipadomain.net ns-slapd[3269]: GSSAPI server step 1
>>> May 14 02:51:42 ipadc1.ipadomain.net named-pkcs11[5594]: GSSAPI client step 1
>>> May 14 02:51:42 ipadc1.ipadomain.net ns-slapd[3269]: GSSAPI server step 2
>>> May 14 02:51:42 ipadc1.ipadomain.net named-pkcs11[5594]: GSSAPI client step 2
>>> May 14 02:51:42 ipadc1.ipadomain.net ns-slapd[3269]: GSSAPI server step 3
>>> May 14 02:51:42 ipadc1.ipadomain.net named-pkcs11[5594]: successfully reconnected to LDAP server
>>> May 14 02:51:42 ipadc1.ipadomain.net named-pkcs11[5594]: zone 19.21.10.in-addr.arpa/IN: loaded serial 1431571902
>>> May 14 02:51:42 ipadc1.ipadomain.net named-pkcs11[5594]: zone ipadomain.net/IN: loaded serial 1431571901
>>> May 14 02:51:42 ipadc1.ipadomain.net named-pkcs11[5594]: 2 master zones from LDAP instance 'ipa' loaded (2 zones defined, 0 inactive, 0 failed to load)
>>> May 14 02:51:42 ipadc1.ipadomain.net sssd_be[5782]: GSSAPI client step 1
>>> May 14 02:51:42 ipadc1.ipadomain.net sssd_be[5782]: GSSAPI client step 1
>>> May 14 02:51:42 ipadc1.ipadomain.net ns-slapd[3269]: GSSAPI server step 1
>>> May 14 02:51:42 ipadc1.ipadomain.net sssd_be[5782]: GSSAPI client step 1
>>> May 14 02:51:42 ipadc1.ipadomain.net ns-slapd[3269]: GSSAPI server step 2
>>> May 14 02:51:42 ipadc1.ipadomain.net sssd_be[5782]: GSSAPI client step 2
>>> May 14 02:51:42 ipadc1.ipadomain.net ns-slapd[3269]: GSSAPI server step 3
>>> May 14 02:51:43 ipadc1.ipadomain.net ipa-dnskeysyncd[3318]: ipa         : INFO     LDAP bind...
>> CCing Alexander. I wonder if it is related to
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1215010
>>
>> If your AD has the MS update mentioned in the bug and has a CA cert with
>> SHA-512 signing, then you may be hitting this bug.
>>
> I have done some more testing and created a 2008r2 DC to try to set up
> synchronization with.  This also failed with the same types of error
> messages.  I find it really strange that I get errors looking up DNS zones
> in my logs when this is happening.  They appear to be looking for the root
> zone above my AD zone.
>
> [root@ipadc1 cacerts]# ipa-replica-manage connect --winsync \
>     --binddn "cn=ad sync,cn=Users,dc=test,dc=mycompany,dc=net" \
>     --bindpw supersecretpassword --passsync supersecretpassword \
>     --cacert /etc/openldap/cacerts/addc2-test.cer \
>     addc2.test.mycompany.net -v
> Directory Manager password:
>
> Added CA certificate /etc/openldap/cacerts/addc2-test.cer to certificate database for ipadc1.ipadomain.net
> ipa: INFO: AD Suffix is: DC=test,DC=mycompany,DC=net
> The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=ipadomain,dc=net
> Windows PassSync system account exists, not resetting password
> ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
> ipa: INFO: Replication Update in progress: FALSE: status: -11  - LDAP error: Connect error: start: 0: end: 0
> ipa: INFO: Agreement is ready, starting replication . . .
> Starting replication, please wait until this has completed.
>
> [ipadc1.ipadomain.net] reports: Update failed! Status: [-11  - LDAP error: Connect error]

Have you tried using ldapsearch to verify the connection?

# LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-DOMAIN-COM ldapsearch -xLLL -ZZ \
    -h addc2.test.mycompany.net \
    -D "cn=ad sync,cn=Users,dc=test,dc=mycompany,dc=net" -w "supersecretpassword" \
    -s base -b "cn=Users,dc=test,dc=mycompany,dc=net" "objectclass=*"

and/or

# LDAPTLS_CACERT=/etc/openldap/cacerts/addc2-test.cer ldapsearch -xLLL -ZZ \
    -h addc2.test.mycompany.net \
    -D "cn=ad sync,cn=Users,dc=test,dc=mycompany,dc=net" -w "supersecretpassword" \
    -s base -b "cn=Users,dc=test,dc=mycompany,dc=net" "objectclass=*"


>
> Failed to start replication
> [root@ipadc1 cacerts]#
>
>
> May 14 23:35:18 ipadc1.ipadomain.net systemd[1]: Stopping 389 Directory Server IPADOMAIN-NET....
> May 14 23:35:19 ipadc1.ipadomain.net systemd[1]: Stopped 389 Directory Server IPADOMAIN-NET..
> May 14 23:35:19 ipadc1.ipadomain.net systemd[1]: Starting 389 Directory Server IPADOMAIN-NET....
> May 14 23:35:19 ipadc1.ipadomain.net systemd[1]: Started 389 Directory Server IPADOMAIN-NET..
> May 14 23:35:19 ipadc1.ipadomain.net ns-slapd[4938]: [14/May/2015:23:35:19 +0000] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
> May 14 23:35:19 ipadc1.ipadomain.net ns-slapd[4938]: [14/May/2015:23:35:19 +0000] - SSL alert: Configured NSS Ciphers
> May 14 23:35:19 ipadc1.ipadomain.net ns-slapd[4938]: [14/May/2015:23:35:19 +0000] - SSL alert:         TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
> May 14 23:35:19 ipadc1.ipadomain.net ns-slapd[4938]: [14/May/2015:23:35:19 +0000] - SSL alert:         TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
> May 14 23:35:19 ipadc1.ipadomain.net ns-slapd[4938]: [14/May/2015:23:35:19 +0000] - SSL alert:         TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
> May 14 23:35:19 ipadc1.ipadomain.net ns-slapd[4938]: [14/May/2015:23:35:19 +0000] - SSL alert:         TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
> May 14 23:35:19 ipadc1.ipadomain.net ns-slapd[4938]: [14/May/2015:23:35:19 +0000] - SSL alert:         TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
> May 14 23:35:19 ipadc1.ipadomain.net ns-slapd[4938]: [14/May/2015:23:35:19 +0000] - SSL alert:         TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled
> May 14 23:35:19 ipadc1.ipadomain.net ns-slapd[4938]: [14/May/2015:23:35:19 +0000] - SSL alert:         TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled
> May 14 23:35:19 ipadc1.ipadomain.net ns-slapd[4938]: [14/May/2015:23:35:19 +0000] - SSL alert:         TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
> May 14 23:35:19 ipadc1.ipadomain.net ns-slapd[4938]: [14/May/2015:23:35:19 +0000] - SSL alert:         TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
> May 14 23:35:19 ipadc1.ipadomain.net ns-slapd[4938]: [14/May/2015:23:35:19 +0000] - SSL alert:         TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
> May 14 23:35:19 ipadc1.ipadomain.net ns-slapd[4938]: [14/May/2015:23:35:19 +0000] - SSL alert:         TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
> May 14 23:35:19 ipadc1.ipadomain.net ns-slapd[4938]: [14/May/2015:23:35:19 +0000] - SSL alert:         TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
> May 14 23:35:20 ipadc1.ipadomain.net ns-slapd[4938]: [14/May/2015:23:35:20 +0000] - SSL alert:         TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
> May 14 23:35:20 ipadc1.ipadomain.net ns-slapd[4938]: [14/May/2015:23:35:20 +0000] - SSL alert:         TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled
> May 14 23:35:20 ipadc1.ipadomain.net ns-slapd[4938]: [14/May/2015:23:35:20 +0000] - SSL alert:         TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
> May 14 23:35:20 ipadc1.ipadomain.net ns-slapd[4938]: [14/May/2015:23:35:20 +0000] - SSL alert:         TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
> May 14 23:35:20 ipadc1.ipadomain.net ns-slapd[4938]: [14/May/2015:23:35:20 +0000] - SSL alert:         TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
> May 14 23:35:20 ipadc1.ipadomain.net ns-slapd[4938]: [14/May/2015:23:35:20 +0000] - SSL alert:         TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
> May 14 23:35:20 ipadc1.ipadomain.net ns-slapd[4938]: [14/May/2015:23:35:20 +0000] - SSL alert:         TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled
> May 14 23:35:20 ipadc1.ipadomain.net ns-slapd[4938]: [14/May/2015:23:35:20 +0000] - SSL alert:         TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled
> May 14 23:35:20 ipadc1.ipadomain.net ns-slapd[4938]: [14/May/2015:23:35:20 +0000] - SSL alert:         TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: enabled
> May 14 23:35:20 ipadc1.ipadomain.net ns-slapd[4938]: [14/May/2015:23:35:20 +0000] - SSL alert:         TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled
> May 14 23:35:20 ipadc1.ipadomain.net ns-slapd[4938]: [14/May/2015:23:35:20 +0000] - SSL alert:         TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled
> May 14 23:35:20 ipadc1.ipadomain.net ns-slapd[4938]: [14/May/2015:23:35:20 +0000] - SSL alert:         TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
> May 14 23:35:20 ipadc1.ipadomain.net ns-slapd[4938]: [14/May/2015:23:35:20 +0000] - SSL alert:         TLS_RSA_WITH_AES_128_CBC_SHA: enabled
> May 14 23:35:20 ipadc1.ipadomain.net ns-slapd[4938]: [14/May/2015:23:35:20 +0000] - SSL alert:         TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
> May 14 23:35:20 ipadc1.ipadomain.net ns-slapd[4938]: [14/May/2015:23:35:20 +0000] - SSL alert:         TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
> May 14 23:35:20 ipadc1.ipadomain.net ns-slapd[4938]: [14/May/2015:23:35:20 +0000] - SSL alert:         TLS_RSA_WITH_AES_256_CBC_SHA: enabled
> May 14 23:35:20 ipadc1.ipadomain.net ns-slapd[4938]: [14/May/2015:23:35:20 +0000] - SSL alert:         TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
> May 14 23:35:20 ipadc1.ipadomain.net ns-slapd[4938]: [14/May/2015:23:35:20 +0000] - SSL alert:         TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
> May 14 23:35:20 ipadc1.ipadomain.net ns-slapd[4938]: [14/May/2015:23:35:20 +0000] - SSL alert:         TLS_RSA_WITH_SEED_CBC_SHA: enabled
> May 14 23:35:56 ipadc1.ipadomain.net named-pkcs11[5594]: connection to the LDAP server was lost
> May 14 23:35:56 ipadc1.ipadomain.net named-pkcs11[5594]: GSSAPI client step 1
> May 14 23:35:56 ipadc1.ipadomain.net named-pkcs11[5594]: GSSAPI client step 1
> May 14 23:35:56 ipadc1.ipadomain.net ns-slapd[4939]: GSSAPI server step 1
> May 14 23:35:56 ipadc1.ipadomain.net named-pkcs11[5594]: GSSAPI client step 1
> May 14 23:35:56 ipadc1.ipadomain.net ns-slapd[4939]: GSSAPI server step 2
> May 14 23:35:56 ipadc1.ipadomain.net named-pkcs11[5594]: GSSAPI client step 2
> May 14 23:35:56 ipadc1.ipadomain.net ns-slapd[4939]: GSSAPI server step 3
> May 14 23:35:57 ipadc1.ipadomain.net named-pkcs11[5594]: successfully reconnected to LDAP server
> May 14 23:35:57 ipadc1.ipadomain.net named-pkcs11[5594]: LDAP instance 'ipa' is being synchronized, please ignore message 'all zones loaded'
> May 14 23:35:57 ipadc1.ipadomain.net named-pkcs11[5594]: LDAP error: Can't contact LDAP server: while modifying(replace) entry 'idnsname=ipadomain.net.,cn=dns,dc=ipadomain,dc=net'
> May 14 23:35:57 ipadc1.ipadomain.net named-pkcs11[5594]: retrying LDAP operation (modifying(replace)) on entry 'idnsname=ipadomain.net.,cn=dns,dc=ipadomain,dc=net'
> May 14 23:35:57 ipadc1.ipadomain.net named-pkcs11[5594]: LDAP error: Can't contact LDAP server: connection error
> May 14 23:35:57 ipadc1.ipadomain.net named-pkcs11[5594]: GSSAPI client step 1
> May 14 23:35:57 ipadc1.ipadomain.net named-pkcs11[5594]: GSSAPI client step 1
> May 14 23:35:57 ipadc1.ipadomain.net ns-slapd[4939]: GSSAPI server step 1
> May 14 23:35:57 ipadc1.ipadomain.net named-pkcs11[5594]: GSSAPI client step 1
> May 14 23:35:57 ipadc1.ipadomain.net ns-slapd[4939]: GSSAPI server step 2
> May 14 23:35:57 ipadc1.ipadomain.net named-pkcs11[5594]: GSSAPI client step 2
> May 14 23:35:57 ipadc1.ipadomain.net ns-slapd[4939]: GSSAPI server step 3
> May 14 23:35:57 ipadc1.ipadomain.net named-pkcs11[5594]: successfully reconnected to LDAP server
> May 14 23:35:57 ipadc1.ipadomain.net systemd[1]: ipa-dnskeysyncd.service holdoff time over, scheduling restart.
> May 14 23:35:57 ipadc1.ipadomain.net systemd[1]: Stopping IPA key daemon...
> May 14 23:35:57 ipadc1.ipadomain.net systemd[1]: Starting IPA key daemon...
> May 14 23:35:57 ipadc1.ipadomain.net systemd[1]: Started IPA key daemon.
> May 14 23:35:57 ipadc1.ipadomain.net named-pkcs11[5594]: zone 19.21.10.in-addr.arpa/IN: loaded serial 1431646557
> May 14 23:35:57 ipadc1.ipadomain.net named-pkcs11[5594]: zone ipadomain.net/IN: loaded serial 1431646557
> May 14 23:35:57 ipadc1.ipadomain.net named-pkcs11[5594]: 2 master zones from LDAP instance 'ipa' loaded (2 zones defined, 0 inactive, 0 failed to load)
> May 14 23:35:57 ipadc1.ipadomain.net sssd_be[5782]: GSSAPI client step 1
> May 14 23:35:57 ipadc1.ipadomain.net sssd_be[5782]: GSSAPI client step 1
> May 14 23:35:57 ipadc1.ipadomain.net ns-slapd[4939]: GSSAPI server step 1
> May 14 23:35:57 ipadc1.ipadomain.net sssd_be[5782]: GSSAPI client step 1
> May 14 23:35:57 ipadc1.ipadomain.net ns-slapd[4939]: GSSAPI server step 2
> May 14 23:35:57 ipadc1.ipadomain.net sssd_be[5782]: GSSAPI client step 2
> May 14 23:35:57 ipadc1.ipadomain.net ns-slapd[4939]: GSSAPI server step 3
> May 14 23:35:58 ipadc1.ipadomain.net ipa-dnskeysyncd[4988]: ipa         : INFO     LDAP bind...
> May 14 23:35:58 ipadc1.ipadomain.net python[4988]: GSSAPI client step 1
> May 14 23:35:58 ipadc1.ipadomain.net python[4988]: GSSAPI client step 1
> May 14 23:35:58 ipadc1.ipadomain.net ns-slapd[4939]: GSSAPI server step 1
> May 14 23:35:58 ipadc1.ipadomain.net python[4988]: GSSAPI client step 1
> May 14 23:35:58 ipadc1.ipadomain.net ns-slapd[4939]: GSSAPI server step 2
> May 14 23:35:58 ipadc1.ipadomain.net python[4988]: GSSAPI client step 2
> May 14 23:35:58 ipadc1.ipadomain.net ns-slapd[4939]: GSSAPI server step 3
> May 14 23:35:58 ipadc1.ipadomain.net ipa-dnskeysyncd[4988]: ipa         : INFO     Commencing sync process
> May 14 23:36:08 ipadc1.ipadomain.net named-pkcs11[5594]: validating @0x7fbd5d6dcdf0: . NS: got insecure response; parent indicates it should be secure
> May 14 23:36:08 ipadc1.ipadomain.net named-pkcs11[5594]: validating @0x7fbd5c6af300: . DNSKEY: got insecure response; parent indicates it should be secure
> May 14 23:36:08 ipadc1.ipadomain.net named-pkcs11[5594]: error (insecurity proof failed) resolving './NS/IN': 10.21.19.41#53
> May 14 23:36:08 ipadc1.ipadomain.net named-pkcs11[5594]: error (insecurity proof failed) resolving './DNSKEY/IN': 10.21.19.41#53
> May 14 23:36:08 ipadc1.ipadomain.net named-pkcs11[5594]: error (network unreachable) resolving './NS/IN': 2001:503:c27::2:30#53
> May 14 23:36:08 ipadc1.ipadomain.net named-pkcs11[5594]: error (network unreachable) resolving './DNSKEY/IN': 2001:503:c27::2:30#53
> May 14 23:36:08 ipadc1.ipadomain.net named-pkcs11[5594]: error (network unreachable) resolving 'mycompany.net/DS/IN': 2001:500:2d::d#53
> May 14 23:36:08 ipadc1.ipadomain.net named-pkcs11[5594]: error (network unreachable) resolving 'mycompany.net/DS/IN': 2001:500:1::803f:235#53
> May 14 23:36:08 ipadc1.ipadomain.net named-pkcs11[5594]: error (network unreachable) resolving 'mycompany.net/DS/IN': 2001:dc3::35#53
> May 14 23:36:08 ipadc1.ipadomain.net named-pkcs11[5594]: error (network unreachable) resolving 'mycompany.net/DS/IN': 2001:503:231d::2:30#53
> May 14 23:36:08 ipadc1.ipadomain.net named-pkcs11[5594]: validating @0x7fbd5d6dc160: net DNSKEY: got insecure response; parent indicates it should be secure
> May 14 23:36:08 ipadc1.ipadomain.net named-pkcs11[5594]: error (insecurity proof failed) resolving 'net/DNSKEY/IN': 10.21.19.41#53
>
>
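The ldapsearch checks above exercise StartTLS on port 389. What follows is an added example (mine, not code from the thread or from FreeIPA) that takes the same idea one step further and splits the agreement's outbound connection into the three stages that a bare "status: -11 - LDAP error: Connect error" collapses: TCP connect to the DC, a TLS handshake verified against the exported AD CA file with hostname checking on, then an LDAP simple bind as the sync user with the BindResponse decoded. Assumptions: Python 3 standard library only (no python-ldap), LDAPS on port 636 (the port is a parameter; the script does no StartTLS, so 389 will not work with it), and a CA file in PEM form. The BindRequest/BindResponse BER encoding follows RFC 4511 and is hand-rolled so the encoder and decoder can be tested without a DC; the RESULT_NAMES subset is my choice, and the host, DN and password in the usage line below are the ones from the thread.

```python
#!/usr/bin/env python3
"""Added example: probe an AD DC over LDAPS the way a sync agreement must,
one stage at a time (TCP, TLS verified against a CA file, LDAP simple bind).
Standard library only; BindRequest/BindResponse are hand-encoded BER (RFC 4511)."""
import socket
import ssl
import sys

# RFC 4511 resultCode values a bind is likely to return (subset, my selection).
RESULT_NAMES = {0: "success", 7: "authMethodNotSupported", 8: "strongerAuthRequired",
                13: "confidentialityRequired", 32: "noSuchObject",
                49: "invalidCredentials", 53: "unwillingToPerform"}

def ber_len(n):
    """BER length octets: short form below 128, long form (0x80|k, then k bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(tag, value):
    """INTEGER/ENUMERATED body, two's complement, minimal length."""
    return ber(tag, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))

def bind_request(msgid, binddn, password):
    """LDAPMessage{ messageID, BindRequest [APPLICATION 0]{ version 3, name, simple [0] } }."""
    op = ber(0x60, ber_int(0x02, 3) + ber(0x04, binddn.encode()) + ber(0x80, password.encode()))
    return ber(0x30, ber_int(0x02, msgid) + op)

def _tlv(buf, pos=0):
    """Split one TLV at pos: returns (tag, value bytes, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def parse_bind_response(data):
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse message."""
    tag, msg, _ = _tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage (tag 0x%02x)" % tag)
    _, mid, pos = _tlv(msg)
    tag, op, _ = _tlv(msg, pos)
    if tag != 0x61:  # BindResponse is [APPLICATION 1]
        raise ValueError("expected BindResponse, got tag 0x%02x" % tag)
    _, code, pos = _tlv(op)           # resultCode ENUMERATED
    _, _matched, pos = _tlv(op, pos)  # matchedDN
    _, diag, _ = _tlv(op, pos)        # diagnosticMessage
    return (int.from_bytes(mid, "big", signed=True), int.from_bytes(code, "big"),
            diag.decode("utf-8", "replace"))

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-message")
        buf += chunk
    return buf

def recv_message(sock):
    """Read exactly one BER TLV: the header announces how much follows."""
    head = _recv_exact(sock, 2)
    if head[1] & 0x80:
        head += _recv_exact(sock, head[1] & 0x7F)
        ln = int.from_bytes(head[2:], "big")
    else:
        ln = head[1]
    return head + _recv_exact(sock, ln)

def probe_ldaps(host, binddn, password, cafile, port=636, timeout=10):
    """TCP -> TLS (chain + hostname verified against cafile) -> simple bind.
    Returns a list of findings; the stage that fails ends the list with its error."""
    try:
        ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED, check_hostname on
    except (OSError, ssl.SSLError) as e:
        return ["cannot load CA file %s (must be PEM): %s" % (cafile, e)]
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as e:
        return ["TCP connect to %s:%d failed: %s" % (host, port, e)]
    findings = []
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            findings.append("TLS ok: %s, DC cert subject %s" % (tls.version(), tls.getpeercert().get("subject")))
            tls.sendall(bind_request(1, binddn, password))
            _, code, diag = parse_bind_response(recv_message(tls))
            findings.append("bind resultCode %d (%s) %s" % (code, RESULT_NAMES.get(code, "?"), diag))
    except ssl.SSLError as e:
        findings.append("TLS handshake failed (untrusted/wrong CA, name mismatch, or no LDAPS on the DC): %s" % e)
    except (OSError, ValueError) as e:
        findings.append("LDAP exchange failed: %s" % e)
    finally:
        raw.close()
    return findings

if __name__ == "__main__":
    if len(sys.argv) != 5:
        sys.exit("usage: %s DC_HOST BIND_DN PASSWORD CA_FILE.pem" % sys.argv[0])
    print("\n".join(probe_ldaps(sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4])))
```

Run it from the IPA server as `python3 ldaps_probe.py addc2.test.mycompany.net "cn=ad sync,cn=Users,dc=test,dc=mycompany,dc=net" supersecretpassword /etc/openldap/cacerts/addc2-test.pem`. If the `.cer` exported from AD is DER, convert it first with `openssl x509 -inform der -in addc2-test.cer -out addc2-test.pem`; the script reports a CA-load error rather than a misleading handshake failure if you skip that. A handshake failure against the same CA file points at the TLS side (CA not the issuer of the DC's certificate, missing intermediate, or a certificate subject/SAN that does not match the host name given to ipa-replica-manage) rather than at credentials; a successful handshake followed by resultCode 49 means the transport is fine and the bind DN or password is wrong.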



