[Freeipa-users] FreeIPA 4.2.0 / Replica / Join Issue

devin at pabstatencio.com devin at pabstatencio.com
Thu Mar 3 20:12:23 UTC 2016


I am running the latest patched CentOS 7.2, with FreeIPA 4.2.0, and I have the Master node in the Data Center, then I created 3 replicas, one in the DC for High Availability, and then 2 replicas in the AWS Cloud. I'm having major issues with the replicas in the AWS Cloud. I am trying to have it so it auto-discovers the servers automatically so the failover is dynamic. I created the replicas as well to have a Certificate Authority. When I attempt to join a virtual machine in AWS to the domain it fails halfway through the process. I have attached a full debug of my ipa-client-install, hoping someone can assist me. I know prior to joining the 2 replicas in AWS I had absolutely no issues with joining servers in the DC to IDM. I built all my replicas from the Master server (rspsna-ipa01), so rspsna-ipa02, ipa01-ore, ipa02-ore were built from rspsna-ipa01.

The main part that seems to fail during the (client) join is:

Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
Starting external process
args='/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L' '-n' 'Local IPA host' '-r'
Process finished, return code=255
stdout=
stderr=certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.

Starting external process
args='/usr/bin/certutil' '-d' '/etc/pki/nssdb' '-L' '-n' 'IPA Machine Certificate - beanstalk01-ore.prod.cloud.myinc.local' '-r'
Process finished, return code=255
stdout=
stderr=certutil: Could not find cert: IPA Machine Certificate - beanstalk01-ore.prod.cloud.myinc.local
: PR_FILE_NOT_FOUND_ERROR: File not found

Starting external process
args='/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'
Process finished, return code=255
stdout=
stderr=certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.

Failed to list certificates in /etc/ipa/nssdb: Command ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit status 255
Starting external process
args='/bin/systemctl' 'start' 'certmonger.service'
Process finished, return code=0
stdout=
stderr=
Starting external process
args='/bin/systemctl' 'is-active' 'certmonger.service'
Process finished, return code=0
stdout=active

stderr=
Starting external process
args='/bin/systemctl' 'stop' 'certmonger.service'
Process finished, return code=0
stdout=
stderr=
Starting external process
args='/bin/systemctl' 'disable' 'certmonger.service'
Process finished, return code=0
stdout=
stderr=
Unenrolling client from IPA server
Starting external process
args='/usr/sbin/ipa-join' '--unenroll' '-h' 'beanstalk01-ore.prod.cloud.myinc.local' '-d'
Process finished, return code=19
stdout=
stderr=Error obtaining initial credentials: Cannot find KDC for requested realm.

Unenrolling host failed: Error obtaining initial credentials: Cannot find KDC for requested realm.

Removing Kerberos service principals from /etc/krb5.keytab
Starting external process
args='/usr/sbin/ipa-rmkeytab' '-k' '/etc/krb5.keytab' '-r' 'MYINC.LOCAL'
Process finished, return code=0
stdout=
stderr=Removing principal host/beanstalk01-ore.prod.cloud.myinc.local at MYINC.LOCAL

When I look at the slapd error log on one of the replicas I see this:

[02/Mar/2016:23:40:09 +0000] - Listening on All Interfaces port 636 for LDAPS requests
[02/Mar/2016:23:40:09 +0000] - Listening on /var/run/slapd-MYINC-LOCAL.socket for LDAPI requests
[02/Mar/2016:23:40:09 +0000] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[02/Mar/2016:23:40:09 +0000] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[02/Mar/2016:23:40:09 +0000] NSMMReplicationPlugin - agmt="cn=meTorspsna-ipa01.prod.i2x.myinc.local" (rspsna-ipa01:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[02/Mar/2016:23:40:12 +0000] NSMMReplicationPlugin - agmt="cn=meToipa02-ore.prod.cloud.myinc.local" (ipa02-ore:389): Replication bind with GSSAPI auth resumed
[02/Mar/2016:23:40:12 +0000] NSMMReplicationPlugin - agmt="cn=meTorspsna-ipa01.prod.i2x.myinc.local" (rspsna-ipa01:389): Replication bind with GSSAPI auth resumed
[03/Mar/2016:00:07:00 +0000] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
[03/Mar/2016:00:07:00 +0000] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[03/Mar/2016:00:07:00 +0000] NSMMReplicationPlugin - agmt="cn=meToipa02-ore.prod.cloud.myinc.local" (ipa02-ore:389): Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[03/Mar/2016:00:07:03 +0000] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
[03/Mar/2016:00:07:03 +0000] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[03/Mar/2016:00:07:09 +0000] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
[03/Mar/2016:00:07:09 +0000] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[03/Mar/2016:00:07:21 +0000] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
[03/Mar/2016:00:07:21 +0000] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[03/Mar/2016:00:07:45 +0000] NSMMReplicationPlugin - agmt="cn=meToipa02-ore.prod.cloud.myinc.local" (ipa02-ore:389): Replication bind with GSSAPI auth resumed
[03/Mar/2016:01:26:53 +0000] NSMMReplicationPlugin - replication keep alive entry  already exists
[03/Mar/2016:03:24:06 +0000] NSMMReplicationPlugin - replication keep alive entry  already exists
[03/Mar/2016:05:17:30 +0000] NSMMReplicationPlugin - replication keep alive entry  already exists
[03/Mar/2016:07:08:29 +0000] NSMMReplicationPlugin - replication keep alive entry  already exists
[03/Mar/2016:08:59:51 +0000] NSMMReplicationPlugin - replication keep alive entry  already exists
[03/Mar/2016:10:42:48 +0000] NSMMReplicationPlugin - replication keep alive entry  already exists
[03/Mar/2016:12:35:51 +0000] NSMMReplicationPlugin - replication keep alive entry  already exists
[03/Mar/2016:14:28:20 +0000] NSMMReplicationPlugin - replication keep alive entry  already exists
[03/Mar/2016:16:24:12 +0000] NSMMReplicationPlugin - replication keep alive entry  already exists
[03/Mar/2016:18:09:51 +0000] NSMMReplicationPlugin - replication keep alive entry  already exists
[03/Mar/2016:19:47:07 +0000] NSMMReplicationPlugin - replication keep alive entry  already exists
Thanks much.
Devin
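The two logs quoted in the post above can be triaged mechanically. The following Python is an added example, not FreeIPA code and not part of the poster's environment: it parses the ipa-client-install debug transcript into one record per external command (so the non-zero exits, here the certutil SEC_ERROR_LEGACY_DATABASE / PR_FILE_NOT_FOUND_ERROR and the ipa-join "Cannot find KDC" failures, can be listed in order) and computes the latest replication-bind state per agreement from the slapd errors log, separating "No Kerberos credentials available" (the replica has no usable ticket of its own) from "Can't contact LDAP server" (transport to the peer). It assumes the line layouts exactly as they appear in the post; the sample inputs are taken from the post's excerpts, plus one constructed trailing failure line so that one agreement ends in the failed state.

```python
"""Triage helpers for the two logs in the post (added example, not FreeIPA code).
Assumes the exact line layouts seen there: ipa-client-install -d blocks ('args=',
'Process finished, return code=N', 'stdout=', 'stderr=', multi-line stderr until a
blank line) and slapd 'NSMMReplicationPlugin - agmt=... GSSAPI auth failed|resumed'."""
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class ExternalProcess:
    args: str
    return_code: Optional[int] = None
    stdout: str = ""
    stderr: str = ""

_RC_RE = re.compile(r"^Process finished, return code=(-?\d+)")

def parse_client_install_log(text: str) -> list:
    """Return every external command the installer ran, with exit status and output."""
    procs, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        if not lines[i].startswith("args="):
            i += 1
            continue
        proc = ExternalProcess(args=lines[i][len("args="):])
        stream = None                  # stream that a continuation line belongs to
        i += 1
        while i < len(lines):
            line = lines[i]
            if line.startswith(("args=", "Starting external process")):
                break
            m = _RC_RE.match(line)
            if m:
                proc.return_code, stream = int(m.group(1)), None
            elif line.startswith("stdout="):
                stream, proc.stdout = "stdout", line[len("stdout="):]
            elif line.startswith("stderr="):
                stream, proc.stderr = "stderr", line[len("stderr="):]
            elif not line.strip():
                stream = None          # a blank line closes the current stream
            elif stream and getattr(proc, stream):
                setattr(proc, stream, getattr(proc, stream) + "\n" + line)  # continuation
            else:
                break                  # installer prose: this block is over
            i += 1
        procs.append(proc)
    return procs

def failed_processes(procs: list) -> list:
    """Non-zero exits in order; the first is usually the root cause."""
    return [p for p in procs if p.return_code not in (0, None)]

_AGMT_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] NSMMReplicationPlugin - agmt="(?P<agmt>[^"]+)" \((?P<peer>[^)]+)\): '
    r'Replication bind with GSSAPI auth (?P<state>failed|resumed)(?:: (?P<detail>.*))?$')

def classify_bind_error(detail: str) -> str:
    """Separate the two failure causes visible in the post's slapd log."""
    if "No Kerberos credentials available" in detail:
        return "no-local-credentials"  # the replica itself had no usable Kerberos ticket
    if "Can't contact LDAP server" in detail:
        return "peer-unreachable"      # transport to the peer failed, not authentication
    return "other"

def replication_status(text: str) -> dict:
    """Latest bind state per replication agreement plus a tally of failure classes."""
    status = {}
    for line in text.splitlines():
        m = _AGMT_RE.match(line)
        if not m:
            continue
        entry = status.setdefault(m["agmt"], {"peer": m["peer"], "failures": {}})
        entry["time"], entry["state"] = m["ts"], m["state"]
        if m["state"] == "failed":
            kind = classify_bind_error(m["detail"] or "")
            entry["failures"][kind] = entry["failures"].get(kind, 0) + 1
    return status

# Sample inputs taken from the post's excerpts; the last SLAPD_LOG line is constructed
# so that the ipa02-ore agreement ends in the 'failed' state.
CLIENT_LOG = """\
Starting external process
args='/usr/bin/certutil' '-d' '/etc/pki/nssdb' '-L' '-n' 'IPA Machine Certificate - beanstalk01-ore.prod.cloud.myinc.local' '-r'
Process finished, return code=255
stdout=
stderr=certutil: Could not find cert: IPA Machine Certificate - beanstalk01-ore.prod.cloud.myinc.local
: PR_FILE_NOT_FOUND_ERROR: File not found

Starting external process
args='/bin/systemctl' 'is-active' 'certmonger.service'
Process finished, return code=0
stdout=active

stderr=
Unenrolling client from IPA server
Starting external process
args='/usr/sbin/ipa-join' '--unenroll' '-h' 'beanstalk01-ore.prod.cloud.myinc.local' '-d'
Process finished, return code=19
stdout=
stderr=Error obtaining initial credentials: Cannot find KDC for requested realm.
"""
SLAPD_LOG = """\
[02/Mar/2016:23:40:09 +0000] NSMMReplicationPlugin - agmt="cn=meTorspsna-ipa01.prod.i2x.myinc.local" (rspsna-ipa01:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[02/Mar/2016:23:40:12 +0000] NSMMReplicationPlugin - agmt="cn=meTorspsna-ipa01.prod.i2x.myinc.local" (rspsna-ipa01:389): Replication bind with GSSAPI auth resumed
[03/Mar/2016:00:07:00 +0000] NSMMReplicationPlugin - agmt="cn=meToipa02-ore.prod.cloud.myinc.local" (ipa02-ore:389): Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[03/Mar/2016:00:07:45 +0000] NSMMReplicationPlugin - agmt="cn=meToipa02-ore.prod.cloud.myinc.local" (ipa02-ore:389): Replication bind with GSSAPI auth resumed
[03/Mar/2016:01:26:53 +0000] NSMMReplicationPlugin - replication keep alive entry  already exists
[03/Mar/2016:20:00:00 +0000] NSMMReplicationPlugin - agmt="cn=meToipa02-ore.prod.cloud.myinc.local" (ipa02-ore:389): Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
"""

if __name__ == "__main__":
    for p in failed_processes(parse_client_install_log(CLIENT_LOG)):
        print(f"rc={p.return_code} {p.args}\n  {p.stderr}")
    for agmt, st in replication_status(SLAPD_LOG).items():
        print(f"{agmt}: {st['state']} at {st['time']} failures={st['failures']}")
```

Run the module against a full `ipa-client-install -d` transcript and the replica's `/var/log/dirsrv/slapd-*/errors` file instead of the embedded samples: the first non-zero exit in `failed_processes` is the point the join actually broke, and an agreement whose latest state is `failed` with only `peer-unreachable` entries points at the network path between sites rather than at Kerberos.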