<div dir="ltr">I did actually use a local dse.ldif in the end, but I forgot to stop dirsrv while replacing it, so maybe the nsslapd-localhost line got updated by the running dirsrv?</div><div class="gmail_extra"> <div class="gmail_quote">On 19 August 2016 at 15:59, Petr Spacek <<a href="mailto:pspacek@redhat.com" target="_blank">pspacek@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 19.8.2016 15:26, Tiemen Ruiten wrote: > Managed to fix it: had to stop dirsrv@IPA-RDMEDIA-COM and put the server's > hostname on the line with nsslapd-localhost Uh, this is quite brutal. There might be some other server-specific options. If you can dig up older dse.ldif from the same server, I would rather restore that version. You never know what will silently break. Petr^2 Spacek <div><div class="h5"> > > Then run ipa-replica-manage re-initialize --from > <a href="http://other-master.ipa.rdmedia.com" rel="noreferrer" target="_blank">other-master.ipa.rdmedia.com</a> > > On 19 August 2016 at 12:14, Tiemen Ruiten <<a href="mailto:t.ruiten@rdmedia.com">t.ruiten@rdmedia.com</a>> wrote: > >> I see lots of messages /var/log/dirsrv/slapd-IPA-RDMEDIA-COM/errors, >> looks definitely like an issue with dirsrv. >> >> On 19 August 2016 at 11:43, Tiemen Ruiten <<a href="mailto:t.ruiten@rdmedia.com">t.ruiten@rdmedia.com</a>> wrote: >> >>> I see I didn't use the right terminology: all four of my FreeIPA servers >>> are masters. >>> >>> On 19 August 2016 at 11:36, Tiemen Ruiten <<a href="mailto:t.ruiten@rdmedia.com">t.ruiten@rdmedia.com</a>> wrote: >>> >>>> Hello, >>>> >>>> I need some help getting one of my replica's to work. Assistance would >>>> be much appreciated. >>>> >>>> After the iSCSI volumes of two replicas of were briefly unavailable, on >>>> one of them DNS and LDAP stopped working and replication seems to have >>>> stopped. The ipa service failed with a message that an upgrade was >>>> required, so I ran ipa-server-upgrade, but it failed due to an empty >>>> dse.ldif. >>>> >>>> Then I probably made a mistake by copying a dse.ldif from another >>>> replica and trying to run the upgrade. It worked more or less, but DNS >>>> still didn't work. >>>> >>>> Next I replaced it with an older backup file (from Aug 4) ran the >>>> upgrade command again and after some fiddling all services started >>>> normally, except ipa-dnskeysyncd: >>>> >>>> journalctl -u ipa-dnskeysyncd >>>> >>>> Aug 19 11:28:52 <a href="http://promethium.ipa.rdmedia.com" rel="noreferrer" target="_blank">promethium.ipa.rdmedia.com</a> systemd[1]: >>>> ipa-dnskeysyncd.service holdoff time over, scheduling restart. >>>> Aug 19 11:28:52 <a href="http://promethium.ipa.rdmedia.com" rel="noreferrer" target="_blank">promethium.ipa.rdmedia.com</a> systemd[1]: Started IPA key >>>> daemon. >>>> Aug 19 11:28:52 <a href="http://promethium.ipa.rdmedia.com" rel="noreferrer" target="_blank">promethium.ipa.rdmedia.com</a> systemd[1]: Starting IPA key >>>> daemon... >>>> Aug 19 11:28:52 <a href="http://promethium.ipa.rdmedia.com" rel="noreferrer" target="_blank">promethium.ipa.rdmedia.com</a> ipa-dnskeysyncd[3756]: ipa: >>>> WARNING: session memcached servers not running >>>> Aug 19 11:28:53 <a href="http://promethium.ipa.rdmedia.com" rel="noreferrer" target="_blank">promethium.ipa.rdmedia.com</a> ipa-dnskeysyncd[3756]: ipa >>>> : INFO LDAP bind... >>>> Aug 19 11:28:53 <a href="http://promethium.ipa.rdmedia.com" rel="noreferrer" target="_blank">promethium.ipa.rdmedia.com</a> python2[3756]: GSSAPI client >>>> step 1 >>>> Aug 19 11:28:54 <a href="http://promethium.ipa.rdmedia.com" rel="noreferrer" target="_blank">promethium.ipa.rdmedia.com</a> python2[3756]: GSSAPI client >>>> step 1 >>>> Aug 19 11:28:55 <a href="http://promethium.ipa.rdmedia.com" rel="noreferrer" target="_blank">promethium.ipa.rdmedia.com</a> ipa-dnskeysyncd[3756]: ipa >>>> : ERROR Login to LDAP server failed: {'info': 'SASL(-1): generic >>>> failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide >>>> more information (No key table entry found matching >>>> ldap/praseodymium.ipa.rdmedia.com@)', 'desc': 'Invalid credentials'} >>>> Aug 19 11:28:55 <a href="http://promethium.ipa.rdmedia.com" rel="noreferrer" target="_blank">promethium.ipa.rdmedia.com</a> ipa-dnskeysyncd[3756]: >>>> Traceback (most recent call last): >>>> Aug 19 11:28:55 <a href="http://promethium.ipa.rdmedia.com" rel="noreferrer" target="_blank">promethium.ipa.rdmedia.com</a> ipa-dnskeysyncd[3756]: File >>>> "/usr/libexec/ipa/ipa-dnskeysyncd", line 92, in <module> >>>> Aug 19 11:28:55 <a href="http://promethium.ipa.rdmedia.com" rel="noreferrer" target="_blank">promethium.ipa.rdmedia.com</a> ipa-dnskeysyncd[3756]: >>>> ldap_connection.sasl_interactive_bind_s("", ipaldap.SASL_GSSAPI) >>>> Aug 19 11:28:55 <a href="http://promethium.ipa.rdmedia.com" rel="noreferrer" target="_blank">promethium.ipa.rdmedia.com</a> ipa-dnskeysyncd[3756]: File >>>> "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 850, in >>>> sasl_interactive_bind_s >>>> Aug 19 11:28:55 <a href="http://promethium.ipa.rdmedia.com" rel="noreferrer" target="_blank">promethium.ipa.rdmedia.com</a> ipa-dnskeysyncd[3756]: res = >>>> self._apply_method_s(SimpleLDAPObject.sasl_interactive_bind_ >>>> s,*args,**kwargs) >>>> Aug 19 11:28:55 <a href="http://promethium.ipa.rdmedia.com" rel="noreferrer" target="_blank">promethium.ipa.rdmedia.com</a> ipa-dnskeysyncd[3756]: File >>>> "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 818, in >>>> _apply_method_s >>>> Aug 19 11:28:55 <a href="http://promethium.ipa.rdmedia.com" rel="noreferrer" target="_blank">promethium.ipa.rdmedia.com</a> ipa-dnskeysyncd[3756]: >>>> return func(self,*args,**kwargs) >>>> Aug 19 11:28:55 <a href="http://promethium.ipa.rdmedia.com" rel="noreferrer" target="_blank">promethium.ipa.rdmedia.com</a> ipa-dnskeysyncd[3756]: File >>>> "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 229, in >>>> sasl_interactive_bind_s >>>> Aug 19 11:28:55 <a href="http://promethium.ipa.rdmedia.com" rel="noreferrer" target="_blank">promethium.ipa.rdmedia.com</a> ipa-dnskeysyncd[3756]: >>>> return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,Req >>>> uestControlTuples(serverctrls),RequestControlTuples(clientct >>>> rls),sasl_flags) >>>> Aug 19 11:28:55 <a href="http://promethium.ipa.rdmedia.com" rel="noreferrer" target="_blank">promethium.ipa.rdmedia.com</a> ipa-dnskeysyncd[3756]: File >>>> "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in >>>> _ldap_call >>>> Aug 19 11:28:55 <a href="http://promethium.ipa.rdmedia.com" rel="noreferrer" target="_blank">promethium.ipa.rdmedia.com</a> ipa-dnskeysyncd[3756]: >>>> result = func(*args,**kwargs) >>>> Aug 19 11:28:55 <a href="http://promethium.ipa.rdmedia.com" rel="noreferrer" target="_blank">promethium.ipa.rdmedia.com</a> ipa-dnskeysyncd[3756]: >>>> INVALID_CREDENTIALS: {'info': 'SASL(-1): generic failure: GSSAPI Error: >>>> Unspecified GSS failure. Minor code may provide more information (No key >>>> table entry found matching ldap/praseodymium.ipa.rdmedia.com@)', >>>> 'desc': 'Invalid credentials'} >>>> >>>> <a href="http://praseodymium.ipa.rdmedia.com" rel="noreferrer" target="_blank">praseodymium.ipa.rdmedia.com</a> is the replica I copied the dse.ldif from. >>>> DNS and logins to the webinterface on this host are still not working. >>>> >>>> What can I do to get this replica in working order again? -- </div></div>Manage your subscription for the Freeipa-users mailing list: <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> Go to <a href="http://freeipa.org" rel="noreferrer" target="_blank">http://freeipa.org</a> for more info on the project </blockquote></div> <div> </div>-- <div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">Tiemen Ruiten Systems Engineer R&D Media </div></div> </div>