[Freeipa-users] dns/ldap failing after temporary storage problem

Tiemen Ruiten t.ruiten at rdmedia.com
Fri Aug 19 14:13:27 UTC 2016


I did actually use a local dse.ldif in the end, but I forgot to stop dirsrv
while replacing it, so maybe the nsslapd-localhost line got updated by the
running dirsrv?

On 19 August 2016 at 15:59, Petr Spacek <pspacek at redhat.com> wrote:

> On 19.8.2016 15:26, Tiemen Ruiten wrote:
> > Managed to fix it: had to stop dirsrv@IPA-RDMEDIA-COM and put the server's
> > hostname on the line with nsslapd-localhost
>
> Uh, this is quite brutal. There might be some other server-specific options.
>
> If you can dig up an older dse.ldif from the same server, I would rather
> restore that version. You never know what will silently break.
>
> Petr^2 Spacek
>
> >
> > Then run ipa-replica-manage re-initialize --from other-master.ipa.rdmedia.com
> >
> > On 19 August 2016 at 12:14, Tiemen Ruiten <t.ruiten at rdmedia.com> wrote:
> >
> >> I see lots of messages in /var/log/dirsrv/slapd-IPA-RDMEDIA-COM/errors,
> >> looks definitely like an issue with dirsrv.
> >>
> >> On 19 August 2016 at 11:43, Tiemen Ruiten <t.ruiten at rdmedia.com> wrote:
> >>
> >>> I see I didn't use the right terminology: all four of my FreeIPA servers
> >>> are masters.
> >>>
> >>> On 19 August 2016 at 11:36, Tiemen Ruiten <t.ruiten at rdmedia.com> wrote:
> >>>
> >>>> Hello,
> >>>>
> >>>> I need some help getting one of my replicas to work. Assistance would
> >>>> be much appreciated.
> >>>>
> >>>> After the iSCSI volumes of two replicas were briefly unavailable, on
> >>>> one of them DNS and LDAP stopped working and replication seems to have
> >>>> stopped. The ipa service failed with a message that an upgrade was
> >>>> required, so I ran ipa-server-upgrade, but it failed due to an empty
> >>>> dse.ldif.
> >>>>
> >>>> Then I probably made a mistake by copying a dse.ldif from another
> >>>> replica and trying to run the upgrade. It worked more or less, but DNS
> >>>> still didn't work.
> >>>>
> >>>> Next I replaced it with an older backup file (from Aug 4), ran the
> >>>> upgrade command again and after some fiddling all services started
> >>>> normally, except ipa-dnskeysyncd:
> >>>>
> >>>> journalctl -u ipa-dnskeysyncd
> >>>>
> >>>> Aug 19 11:28:52 promethium.ipa.rdmedia.com systemd[1]: ipa-dnskeysyncd.service holdoff time over, scheduling restart.
> >>>> Aug 19 11:28:52 promethium.ipa.rdmedia.com systemd[1]: Started IPA key daemon.
> >>>> Aug 19 11:28:52 promethium.ipa.rdmedia.com systemd[1]: Starting IPA key daemon...
> >>>> Aug 19 11:28:52 promethium.ipa.rdmedia.com ipa-dnskeysyncd[3756]: ipa: WARNING: session memcached servers not running
> >>>> Aug 19 11:28:53 promethium.ipa.rdmedia.com ipa-dnskeysyncd[3756]: ipa       : INFO     LDAP bind...
> >>>> Aug 19 11:28:53 promethium.ipa.rdmedia.com python2[3756]: GSSAPI client step 1
> >>>> Aug 19 11:28:54 promethium.ipa.rdmedia.com python2[3756]: GSSAPI client step 1
> >>>> Aug 19 11:28:55 promethium.ipa.rdmedia.com ipa-dnskeysyncd[3756]: ipa       : ERROR    Login to LDAP server failed: {'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No key table entry found matching ldap/praseodymium.ipa.rdmedia.com@)', 'desc': 'Invalid credentials'}
> >>>> Aug 19 11:28:55 promethium.ipa.rdmedia.com ipa-dnskeysyncd[3756]: Traceback (most recent call last):
> >>>> Aug 19 11:28:55 promethium.ipa.rdmedia.com ipa-dnskeysyncd[3756]: File "/usr/libexec/ipa/ipa-dnskeysyncd", line 92, in <module>
> >>>> Aug 19 11:28:55 promethium.ipa.rdmedia.com ipa-dnskeysyncd[3756]: ldap_connection.sasl_interactive_bind_s("", ipaldap.SASL_GSSAPI)
> >>>> Aug 19 11:28:55 promethium.ipa.rdmedia.com ipa-dnskeysyncd[3756]: File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 850, in sasl_interactive_bind_s
> >>>> Aug 19 11:28:55 promethium.ipa.rdmedia.com ipa-dnskeysyncd[3756]: res = self._apply_method_s(SimpleLDAPObject.sasl_interactive_bind_s,*args,**kwargs)
> >>>> Aug 19 11:28:55 promethium.ipa.rdmedia.com ipa-dnskeysyncd[3756]: File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 818, in _apply_method_s
> >>>> Aug 19 11:28:55 promethium.ipa.rdmedia.com ipa-dnskeysyncd[3756]: return func(self,*args,**kwargs)
> >>>> Aug 19 11:28:55 promethium.ipa.rdmedia.com ipa-dnskeysyncd[3756]: File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 229, in sasl_interactive_bind_s
> >>>> Aug 19 11:28:55 promethium.ipa.rdmedia.com ipa-dnskeysyncd[3756]: return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags)
> >>>> Aug 19 11:28:55 promethium.ipa.rdmedia.com ipa-dnskeysyncd[3756]: File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in _ldap_call
> >>>> Aug 19 11:28:55 promethium.ipa.rdmedia.com ipa-dnskeysyncd[3756]: result = func(*args,**kwargs)
> >>>> Aug 19 11:28:55 promethium.ipa.rdmedia.com ipa-dnskeysyncd[3756]: INVALID_CREDENTIALS: {'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No key table entry found matching ldap/praseodymium.ipa.rdmedia.com@)', 'desc': 'Invalid credentials'}
> >>>>
> >>>> praseodymium.ipa.rdmedia.com is the replica I copied the dse.ldif from.
> >>>> DNS and logins to the web interface on this host are still not working.
> >>>>
> >>>> What can I do to get this replica in working order again?
>



-- 
Tiemen Ruiten
Systems Engineer
R&D Media
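
An added example, not part of the thread and not FreeIPA or 389-ds code: a small audit that lists every value in a dse.ldif naming a host other than the local one, which is how a file copied from another replica ends up requesting `ldap/praseodymium...` from promethium's keytab. The sample fragment is constructed, the function names are hypothetical, and skipping entries that carry `nsDS5ReplicaHost` assumes replication agreements legitimately name their peers.

```python
import base64
import re

LOCAL = "promethium.ipa.rdmedia.com"
OTHER = "praseodymium.ipa.rdmedia.com"
# Constructed sample, not the poster's file: a dse.ldif fragment copied from OTHER onto LOCAL.
SAMPLE_DSE = f"""\
dn: cn=config
nsslapd-localhost: {OTHER}
nsslapd-port: 389

dn: cn=folded,cn=config
description: value folded across lines praseodymium.ipa.rd
 media.com

dn: cn=encoded,cn=config
description:: {base64.b64encode(OTHER.encode()).decode()}

dn: cn=meTo{OTHER},cn=replica,cn=config
nsDS5ReplicaHost: {OTHER}
"""

def parse_ldif(text):
    """Return [(dn, [(attr, value), ...])], unfolding continuations and decoding base64."""
    entries = []
    for block in re.split(r"\n\s*\n", re.sub(r"\r?\n ", "", text).strip()):
        attrs = []
        for line in block.splitlines():
            attr, sep, rest = line.partition(":")
            if line.startswith("#") or not sep:
                continue
            if rest.startswith(":"):  # "attr:: <base64>"
                rest = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            attrs.append((attr.lower(), rest.strip()))
        if attrs and attrs[0][0] == "dn":
            entries.append((attrs[0][1], attrs[1:]))
    return entries

def foreign_host_refs(text, local_fqdn, domain):
    """List (dn, attr, host) where a value names a host in `domain` other than local_fqdn."""
    host_re = re.compile(r"[a-z0-9-]+\." + re.escape(domain), re.I)
    hits = []
    for dn, attrs in parse_ldif(text):
        if any(a == "nsds5replicahost" for a, _ in attrs):
            continue  # assumption: replication agreements name peers by design
        for attr, value in attrs:
            hits += [(dn, attr, h.lower()) for h in host_re.findall(value)
                     if h.lower() != local_fqdn.lower()]
    return hits
```

Run it against a copy of the file while dirsrv is stopped; an empty result for the local FQDN means no leftover references to the donor host outside replication agreements.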