[Freeipa-users] ipa-ods-exporter failed ?

Petr Spacek pspacek at redhat.com
Thu Jul 7 07:14:35 UTC 2016 

On 23.6.2016 15:27, Günther J. Niederwimmer wrote:
> Hello Martin,
> 
> Am Donnerstag, 23. Juni 2016, 15:02:18 CEST schrieb Martin Basti:
>> On 20.06.2016 18:48, Günther J. Niederwimmer wrote:
>>> Hello,
>>>
>>> Am Montag, 20. Juni 2016, 09:54:11 CEST schrieb Petr Spacek:
>>>> On 18.6.2016 15:03, Günther J. Niederwimmer wrote:
>>>>> hello,
>>>>>
>>>>> Am Freitag, 17. Juni 2016, 23:05:32 CEST schrieb Martin Basti:
>>>>>> On 17.06.2016 18:29, Günther J. Niederwimmer wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> Am Freitag, 17. Juni 2016, 14:13:55 CEST schrieb Martin Basti:
>>>>>>>> On 17.06.2016 12:54, Günther J. Niederwimmer wrote:
>>>>>>>>> Hello List,
>>>>>>>>>
>>>>>>>>> Am Freitag, 17. Juni 2016, 07:51:45 CEST schrieb Petr Spacek:
>>>>>>>>>> On 16.6.2016 21:51, Lukas Slebodnik wrote:
>>>>>>>>>>> On (16/06/16 11:54), Günther J. Niederwimmer wrote:
>>>>>>>>>>>> Hello
>>>>>>>>>>>>
>>>>>>>>>>>> on my system the ods-exporter i mean have a problem.
>>>>>>>>>>>>
>>>>>>>>>>>> I have this in the logs
>>>>>>>>>>>> CentOS 7.(2) ipa 4.3.1
>>>>>>>>>>>>
>>>>>>>>>>>> Jun 16 11:38:28 ipa ipa-ods-exporter: raise
>>>>>>>>>>>> errors.ACIError(info=info)
>>>>>>>>>>>> Jun 16 11:38:28 ipa ipa-ods-exporter: ipalib.errors.ACIError:
>>>>>>>>>>>> Insufficient
>>>>>>>>>>>> access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
>>>>>>>>>>>> failure.
>>>>>>>>>>>> Minor code may provide more information (Ticket expired)
>>>>>>>>>>>>
>>>>>>>>>>>                                              ^^^^^^^^^^^^^^
>>>>>>>>>>>                       
>>>>>>>>>>>                       Here seems to be a reason why it failed.
>>>>>>>>>>>                       But I can't help you more.
>>>>>>>>>>
>>>>>>>>>> Lukas is right. Interesting, this should never happen :-)
>>>>>>>>>
>>>>>>>>> this have I also found ;-)
>>>>>>>>>
>>>>>>>>>> Please enable debugging using procedure
>>>>>>>>>> http://www.freeipa.org/page/Troubleshooting#ipa_command_crashes_or_
>>>>>>>>>> re
>>>>>>>>>> tu
>>>>>>>>>> rn
>>>>>>>>>> s_n o_data and check logs after next ipa-ods-exporter restart.
>>>>>>>>>> Thank you!
>>>>>>>>>
>>>>>>>>> OK,
>>>>>>>>>
>>>>>>>>> I attache the messages log?
>>>>>>>>>
>>>>>>>>> I mean this is a problem with my DNS ?
>>>>>>>>
>>>>>>>> Hello,
>>>>>>>> can you check kerberos status of ipa-ods-exporter service in webUI?
>>>>>>>>
>>>>>>>> identity/services/ipa-ods-exported/<hostname>
>>>>>>>> There should be kerberos status in right top corner in details view
>>>>>>>
>>>>>>> I have a
>>>>>>> identity/services/ipa-ods-exporter/..
>>>>>>>
>>>>>>> with a "Kerberos Key Present, Service Provisioned"
>>>>>>>
>>>>>>> but no Certificate ?
>>>>>>
>>>>>> Can you try,
>>>>>>
>>>>>> # kinit -kt /etc/ipa/dnssec/ipa-ods-exporter.keytab
>>>>>> ipa-ods-exporter/$(hostname)
>>>>>
>>>>> OK
>>>>> I can do a "kinit -kt /etc/ipa/dnssec/ipa-ods-exporter.keytab ipa-ods-
>>>>> exporter/$(hostname)"
>>>>>
>>>>> written on one line!! is this OK.
>>>>>
>>>>>> and do ldapsearch
>>>>>> # ldapsearch -Y GSSAPI
>>>>>
>>>>> and also ldapsearch is OK
>>>>>
>>>>>> It should show us if keytab is okay
>>>>>
>>>>> But the Error is present :-(.
>>>>
>>>> We need to see precise error. Please copy&paste it into the e-mail.
>>>
>>> that is it.
>>>
>>> Jun 20 18:44:36 ipa systemd: ipa-ods-exporter.service failed.
>>>
>>>> It would be awesome if you could follow general rules for bug reporting:
>>>> http://www.chiark.greenend.org.uk/~sgtatham/bugs-de.html
>>>>
>>>> Besides other things it would allow us to help you in shorter time.
>>>>
>>>> Have a nice day!
>>
>> This is weird, It looks like your kerberos keytab is valid, but I have
>> no idea why you are getting ticket expired messages. It should just
>> kinit again.
>>
>> Can you please remove this ccache file?
>> /var/opendnssec/tmp/ipa-ods-exporter.ccache
> 
> OK now i make a ipactl stop remove the ccache file and start ipa again.
> 
> to start the ods-exporte I have to wait a long time 1-2 min. ;-)
> 
> I send you the log without debug when you like this with debug tell me. 
> Jun 23 14:57:56 ipa ipa-ods-exporter: Traceback (most recent call last):
> Jun 23 14:57:56 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods-
> exporter", line 656, in <module>
> Jun 23 14:57:56 ipa ipa-ods-exporter: ldap.gssapi_bind()
> Jun 23 14:57:56 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/
> ipapython/ipaldap.py", line 1085, in gssapi_bind
> Jun 23 14:57:56 ipa ipa-ods-exporter: '', auth_tokens, server_controls, 
> client_controls)
> Jun 23 14:57:56 ipa ipa-ods-exporter: File "/usr/lib64/python2.7/
> contextlib.py", line 35, in __exit__
> Jun 23 14:57:56 ipa ipa-ods-exporter: self.gen.throw(type, value, traceback)
> Jun 23 14:57:56 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/
> ipapython/ipaldap.py", line 992, in error_handler
> Jun 23 14:57:56 ipa ipa-ods-exporter: raise errors.ACIError(info=info)
> Jun 23 14:57:56 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient 
> access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  
> Minor code may provide more information (Ticket expired)
> Jun 23 14:57:56 ipa systemd: ipa-ods-exporter.service: main process exited, 
> code=exited, status=1/FAILURE
> Jun 23 14:57:56 ipa systemd: Unit ipa-ods-exporter.service entered failed 
> state.
> Jun 23 14:57:56 ipa systemd: ipa-ods-exporter.service failed.

This is really weird, I have no idea what happened. We can try a big hammer:
Rename file /etc/ipa/dnssec/ipa-ods-exporter.keytab to e.g.
/etc/ipa/dnssec/ipa-ods-exporter.keytab.SUSPECT

and re-run ipa-dns-install with the same options as you used for the first
time. It should re-create the keytab and all other things.

I hope it will help.

-- 
Petr^2 Spacek

More information about the Freeipa-users mailing list