[Freeipa-users] dns/ldap failing after temporary storage problem

Tiemen Ruiten t.ruiten at rdmedia.com
Fri Aug 19 09:36:25 UTC 2016


Hello,

I need some help getting one of my replicas to work. Assistance would be
much appreciated.

After the iSCSI volumes of two replicas were briefly unavailable, on one
of them DNS and LDAP stopped working and replication seems to have stopped.
The ipa service failed with a message that an upgrade was required, so I
ran ipa-server-upgrade, but it failed due to an empty dse.ldif.

Then I probably made a mistake by copying a dse.ldif from another replica
and trying to run the upgrade. It worked more or less, but DNS still didn't
work.

Next I replaced it with an older backup file (from Aug 4), ran the upgrade
command again and after some fiddling all services started normally, except
ipa-dnskeysyncd:

journalctl -u ipa-dnskeysyncd

Aug 19 11:28:52 promethium.ipa.rdmedia.com systemd[1]:
ipa-dnskeysyncd.service holdoff time over, scheduling restart.
Aug 19 11:28:52 promethium.ipa.rdmedia.com systemd[1]: Started IPA key
daemon.
Aug 19 11:28:52 promethium.ipa.rdmedia.com systemd[1]: Starting IPA key
daemon...
Aug 19 11:28:52 promethium.ipa.rdmedia.com ipa-dnskeysyncd[3756]: ipa:
WARNING: session memcached servers not running
Aug 19 11:28:53 promethium.ipa.rdmedia.com ipa-dnskeysyncd[3756]: ipa
  : INFO     LDAP bind...
Aug 19 11:28:53 promethium.ipa.rdmedia.com python2[3756]: GSSAPI client
step 1
Aug 19 11:28:54 promethium.ipa.rdmedia.com python2[3756]: GSSAPI client
step 1
Aug 19 11:28:55 promethium.ipa.rdmedia.com ipa-dnskeysyncd[3756]: ipa
  : ERROR    Login to LDAP server failed: {'info': 'SASL(-1): generic
failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide
more information (No key table entry found matching
ldap/praseodymium.ipa.rdmedia.com@)', 'desc': 'Invalid credentials'}
Aug 19 11:28:55 promethium.ipa.rdmedia.com ipa-dnskeysyncd[3756]: Traceback
(most recent call last):
Aug 19 11:28:55 promethium.ipa.rdmedia.com ipa-dnskeysyncd[3756]: File
"/usr/libexec/ipa/ipa-dnskeysyncd", line 92, in <module>
Aug 19 11:28:55 promethium.ipa.rdmedia.com ipa-dnskeysyncd[3756]:
ldap_connection.sasl_interactive_bind_s("", ipaldap.SASL_GSSAPI)
Aug 19 11:28:55 promethium.ipa.rdmedia.com ipa-dnskeysyncd[3756]: File
"/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 850, in
sasl_interactive_bind_s
Aug 19 11:28:55 promethium.ipa.rdmedia.com ipa-dnskeysyncd[3756]: res =
self._apply_method_s(SimpleLDAPObject.sasl_interactive_bind_s,*args,**kwargs)
Aug 19 11:28:55 promethium.ipa.rdmedia.com ipa-dnskeysyncd[3756]: File
"/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 818, in
_apply_method_s
Aug 19 11:28:55 promethium.ipa.rdmedia.com ipa-dnskeysyncd[3756]: return
func(self,*args,**kwargs)
Aug 19 11:28:55 promethium.ipa.rdmedia.com ipa-dnskeysyncd[3756]: File
"/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 229, in
sasl_interactive_bind_s
Aug 19 11:28:55 promethium.ipa.rdmedia.com ipa-dnskeysyncd[3756]: return
self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags)
Aug 19 11:28:55 promethium.ipa.rdmedia.com ipa-dnskeysyncd[3756]: File
"/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in
_ldap_call
Aug 19 11:28:55 promethium.ipa.rdmedia.com ipa-dnskeysyncd[3756]: result =
func(*args,**kwargs)
Aug 19 11:28:55 promethium.ipa.rdmedia.com ipa-dnskeysyncd[3756]:
INVALID_CREDENTIALS: {'info': 'SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure.  Minor code may provide more information (No key
table entry found matching ldap/praseodymium.ipa.rdmedia.com@)', 'desc':
'Invalid credentials'}

praseodymium.ipa.rdmedia.com is the replica I copied the dse.ldif from. DNS
and logins to the web interface on this host are still not working.

What can I do to get this replica in working order again?

-- 
Tiemen Ruiten
Systems Engineer
R&D Media