[Freeipa-users] Periodic unable to authenticate

Troels Hansen th at casalogic.dk
Fri Jul 8 05:43:06 UTC 2016


You mean the /var/log/dirsrv/<server>/error right?

Clean except for when I do ipa backup, which actually doesn't look like it's errors, but more info.

However, sometimes, at 0:20 I have:

[07/Jul/2016:00:15:41 +0200] NSMMReplicationPlugin - replication keep alive entry <cn=repl keep alive 4,dc=casalogic,dc=lan> already exists
[07/Jul/2016:00:24:45 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired)) errno 2 (No such file or directory)
[07/Jul/2016:00:24:45 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired)) errno 2 (No such file or directory)
[07/Jul/2016:00:24:45 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[07/Jul/2016:00:24:45 +0200] NSMMReplicationPlugin - agmt="cn=meTokoda.casalogic.lan" (koda:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired))
[07/Jul/2016:00:24:48 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired)) errno 2 (No such file or directory)
[07/Jul/2016:00:24:48 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired)) errno 2 (No such file or directory)
[07/Jul/2016:00:24:48 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[07/Jul/2016:00:24:54 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired)) errno 2 (No such file or directory)
[07/Jul/2016:00:24:54 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired)) errno 2 (No such file or directory)
[07/Jul/2016:00:24:54 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[07/Jul/2016:00:25:06 +0200] NSMMReplicationPlugin - agmt="cn=meTokoda.casalogic.lan" (koda:389): Replication bind with GSSAPI auth resumed
[07/Jul/2016:01:36:52 +0200] NSMMReplicationPlugin - replication keep alive entry <cn=repl keep alive 4,dc=casalogic,dc=lan> already exists

However, that's not when I have the auth problems.

----- On Jul 7, 2016, at 9:28 PM, Rob Crittenden rcritten at redhat.com wrote:

> Troels Hansen wrote:
>> Hi, we have 2 IPA servers setup in replication.
>> All works fine, except sometimes I see unable to authenticate.
>> It goes on for like 2-5 minutes, and then everything works again. When
>> looking at the logs I see nothing, except err=53 which means incorrect
>> password, but it's NOT!
>>
>> [07/Jul/2016:19:38:19 +0200] conn=370373 TLS1.2 128-bit AES-GCM
>> [07/Jul/2016:19:38:19 +0200] conn=370373 op=0 BIND
>> dn="uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan" method=128 version=3
>> [07/Jul/2016:19:38:19 +0200] conn=370373 op=0 RESULT err=53 tag=97
>> nentries=0 etime=0
>> [07/Jul/2016:19:38:19 +0200] conn=370373 op=1 UNBIND
>> [07/Jul/2016:19:38:19 +0200] conn=370373 op=1 fd=118 closed - U1
>>
>> Anyone having any clues about where to look?
> 
> 53 is not bad password, it is unwilling to perform. The error log might
> have additional details.
> 
> rob

-- 
Kind regards

Troels Hansen 

System Consultant

Casalogic A/S 


T (+45) 70 20 10 63 

M (+45) 22 43 71 57 

Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and much more.
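An added example, not part of the original thread or of FreeIPA/389-ds: a small Python parser that pairs each BIND in a 389-ds access log with its RESULT, separates err=53 (unwillingToPerform) from err=49 (invalidCredentials), and groups the err=53 refusals into time windows that can be compared against the error log. It assumes the timestamp format quoted in the thread; the function names and the `dc=example,dc=test` entries are constructed for illustration.

```python
import re
from datetime import datetime

# LDAP result codes (RFC 4511) that matter in this thread.
LDAP_CODES = {49: "invalidCredentials", 53: "unwillingToPerform"}
LINE = re.compile(r'^\[([^\]]+)\] conn=(\d+) op=(\d+) (.*)$')

# Constructed sample (lines unwrapped); only conn=370373 mirrors the post.
SAMPLE = """\
[07/Jul/2016:19:38:19 +0200] conn=370373 op=0 BIND dn="uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan" method=128 version=3
[07/Jul/2016:19:38:19 +0200] conn=370373 op=0 RESULT err=53 tag=97 nentries=0 etime=0
[07/Jul/2016:19:39:40 +0200] conn=370380 op=0 BIND dn="uid=demo1,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
[07/Jul/2016:19:39:40 +0200] conn=370380 op=0 RESULT err=53 tag=97 nentries=0 etime=0
[07/Jul/2016:19:45:02 +0200] conn=370391 op=0 BIND dn="uid=demo2,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
[07/Jul/2016:19:45:02 +0200] conn=370391 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[07/Jul/2016:19:46:00 +0200] conn=370400 op=0 BIND dn="uid=demo1,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
[07/Jul/2016:19:46:00 +0200] conn=370400 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[07/Jul/2016:21:00:00 +0200] conn=371002 op=0 BIND dn="uid=demo1,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
[07/Jul/2016:21:00:00 +0200] conn=371002 op=0 RESULT err=53 tag=97 nentries=0 etime=0
"""

def failed_binds(text):
    """Pair each BIND with its RESULT (same conn/op); return the non-zero ones."""
    pending, out = {}, []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # lines without op=, e.g. the TLS negotiation record
        ts, conn, op, rest = m.groups()
        bind = re.match(r'BIND dn="([^"]*)"', rest)
        res = re.match(r'RESULT err=(\d+)', rest)
        if bind:
            pending[(conn, op)] = bind.group(1)
        elif res and (conn, op) in pending:
            dn, err = pending.pop((conn, op)), int(res.group(1))
            if err:
                when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
                out.append((when, dn, err, LDAP_CODES.get(err, "other")))
    return out

def outage_windows(failures, code=53, gap_seconds=120):
    """Merge failures carrying `code` into [start, end, count] windows."""
    windows = []
    for when in [f[0] for f in failures if f[2] == code]:
        if windows and (when - windows[-1][1]).total_seconds() <= gap_seconds:
            windows[-1][1], windows[-1][2] = when, windows[-1][2] + 1
        else:
            windows.append([when, when, 1])
    return windows
```

Calling `outage_windows(failed_binds(open(path).read()))` on a real access log gives the start and end of each refusal burst, which can then be matched against timestamps in `/var/log/dirsrv/<server>/error`.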



