[Freeipa-users] Asking for help with crashed freeIPA istance

Daniel Schimpfoessl daniel at schimpfoessl.com
Mon Jan 16 00:47:13 UTC 2017 

Anything else I should look for?

2017-01-11 22:33 GMT-06:00 Daniel Schimpfoessl <daniel at schimpfoessl.com>:

> Flo,
>
> these are all the errors found:
> grep 'RESULT err=' access | perl -pe 's/.*(RESULT\s+err=\d+).*/$1/g' |
> sort -n | uniq -c | sort -n
>       2 RESULT err=6
>      95 RESULT err=32
>     200 RESULT err=14
>    2105 RESULT err=0
>
>
> 2017-01-05 8:10 GMT-06:00 Florence Blanc-Renaud <flo at redhat.com>:
>
>> On 01/04/2017 07:24 PM, Daniel Schimpfoessl wrote:
>>
>>> From the logs:
>>> /var/log/dirsrv/slapd-DOMAIN-COM/errors
>>> ... a few warnings about cache size, NSACLPLugin and schema-compat-plugin
>>> [04/Jan/2017:12:14:21.392642021 -0600] slapd started.  Listening on All
>>> Interfaces port 389 for LDAP requests
>>>
>>> /var/log/dirsrv/slapd-DOMAIN-COM/access
>>> ... lots of entries, not sure what to look for some lines contain RESULT
>>> with err!=0
>>> [04/Jan/2017:12:18:01.753400307 -0600] conn=5 op=243 RESULT err=32
>>> tag=101 nentries=0 etime=0
>>> [04/Jan/2017:12:18:01.786928085 -0600] conn=44 op=1 RESULT err=14 tag=97
>>> nentries=0 etime=0, SASL bind in progress
>>>
>>> Hi Daniel,
>>
>> are there any RESULT err=48 that could correspond to the error seen on
>> pki logs?
>>
>> Flo
>>
>> /var/log/dirsrv/slapd-DOMAIN-COM/errors
>>> [04/Jan/2017:12:19:25.566022098 -0600] slapd shutting down - signaling
>>> operation threads - op stack size 5 max work q size 2 max work q stack
>>> size 2
>>> [04/Jan/2017:12:19:25.572566622 -0600] slapd shutting down - closing
>>> down internal subsystems and plugins
>>>
>>>
>>> 2017-01-04 8:38 GMT-06:00 Daniel Schimpfoessl <daniel at schimpfoessl.com
>>> <mailto:daniel at schimpfoessl.com>>:
>>>
>>>     Do you have a list of all log files involved in IPA?
>>>     Would be good to consolidate them into ELK for analysis.
>>>
>>>     2017-01-04 2:48 GMT-06:00 Florence Blanc-Renaud <flo at redhat.com
>>>     <mailto:flo at redhat.com>>:
>>>
>>>
>>>         On 01/02/2017 07:24 PM, Daniel Schimpfoessl wrote:
>>>
>>>             Thanks for your reply.
>>>
>>>             This was the initial error I asked for help a while ago and
>>>             did not get
>>>             resolved. Further digging showed the recent errors.
>>>             The service was running (using ipactl start --force) and
>>>             only after a
>>>             restart I am getting a stack trace for two primary messages:
>>>
>>>             Could not connect to LDAP server host wwgwho01.webwim.com
>>>             <http://wwgwho01.webwim.com>
>>>             <http://wwgwho01.webwim.com> port 636 Error
>>>             netscape.ldap.LDAPException:
>>>             Authentication failed (48)
>>>             ...
>>>
>>>             Internal Database Error encountered: Could not connect to
>>>             LDAP server
>>>             host wwgwho01.webwim.com <http://wwgwho01.webwim.com>
>>>             <http://wwgwho01.webwim.com> port 636 Error
>>>             netscape.ldap.LDAPException: Authentication failed (48)
>>>             ...
>>>
>>>             and finally:
>>>             [02/Jan/2017:12:20:34][localhost-startStop-1]:
>>>             CMSEngine.shutdown()
>>>
>>>
>>>             2017-01-02 3:45 GMT-06:00 Florence Blanc-Renaud
>>>             <flo at redhat.com <mailto:flo at redhat.com>
>>>             <mailto:flo at redhat.com <mailto:flo at redhat.com>>>:
>>>
>>>                 systemctl start pki-tomcatd at pki-tomcat.service
>>>
>>>
>>>
>>>         Hi Daniel,
>>>
>>>         the next step would be to understand the root cause of this
>>>         "Authentication failed (48)" error. Note the exact time of this
>>>         log and look for a corresponding log in the LDAP server logs
>>>         (/var/log/dirsrv/slapd-DOMAIN-COM/access), probably a failing
>>>         BIND with err=48. This may help diagnose the issue (if we can
>>>         see which certificate is used for the bind or if there is a
>>>         specific error message).
>>>
>>>         For the record, a successful bind over SSL would produce this
>>>         type of log where we can see the certificate subject and the
>>>         user mapped to this certificate:
>>>         [...] conn=47 fd=84 slot=84 SSL connection from 10.34.58.150 to
>>>         10.34.58.150
>>>         [...] conn=47 TLS1.2 128-bit AES; client CN=CA
>>>         Subsystem,O=DOMAIN.COM <http://DOMAIN.COM>; issuer
>>>         CN=Certificate Authority,O=DOMAIN.COM <http://DOMAIN.COM>
>>>         [...] conn=47 TLS1.2 client bound as
>>> uid=pkidbuser,ou=people,o=ipaca
>>>         [...] conn=47 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
>>>         [...] conn=47 op=0 RESULT err=0 tag=97 nentries=0 etime=0
>>>         dn="uid=pkidbuser,ou=people,o=ipaca"
>>>
>>>         Flo
>>>
>>>
>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20170115/90b185a1/attachment.htm>

More information about the Freeipa-users mailing list