The IPA Server hostname must not resolve to localhost (127.0.0.1)
by Peter Bittner
Hi there,
I'm trying to set up an all-in-one infrastructure system (using Vagrant), which includes FreeIPA, libvirt, The Foreman, and some other software. The idea is that I (locally) bootstrap such a system, which then helps users create their definitive infrastructure management setup.
Naturally, this entails that FreeIPA is installed on localhost. This, however, doesn't seem to work: the `ipa-server-install` script aborts and issues the following error message:
The IPA Server hostname must not resolve to localhost (127.0.0.1). A routable IP address must be used. [...]
Is there any way to make a local install happen? Or what do I have to do instead?
Any thoughts and ideas highly appreciated,
Peter
6 years
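The installer's complaint above is a resolution check: the server's own name must map to a routable address, not to loopback. The script below is an added example (not FreeIPA's installer code and not the poster's) that reimplements that rule so it can be run on a host before `ipa-server-install` is attempted; `classify_addresses`, `resolve` and `check_ipa_hostname` are names chosen here, and the resolver is injectable so the logic can be exercised with constructed answers.

```python
"""Pre-flight check behind the installer error quoted above.

Added example for this post; it is not FreeIPA's installer code and not the
poster's. It reimplements the rule the message states: the server's hostname
must resolve to a routable address, not to loopback, before installation.
Run it on the future IPA host: python3 ipa_hostname_check.py [fqdn]
"""
import ipaddress
import socket
import sys


def classify_addresses(addresses):
    """Split resolved addresses into (routable, rejected).

    Loopback (127.0.0.0/8, ::1), link-local and unspecified addresses are
    rejected; everything else, private ranges included, counts as routable.
    """
    routable, rejected = [], []
    for text in addresses:
        addr = ipaddress.ip_address(text)
        if addr.is_loopback or addr.is_link_local or addr.is_unspecified:
            rejected.append(text)
        else:
            routable.append(text)
    return routable, rejected


def resolve(hostname):
    """Resolve hostname with the system resolver (/etc/hosts, then DNS) and
    return a sorted, de-duplicated list of address strings."""
    infos = socket.getaddrinfo(hostname, None)
    # drop an IPv6 scope id such as fe80::1%eth0 so ipaddress can parse it
    return sorted({info[4][0].split("%")[0] for info in infos})


def check_ipa_hostname(hostname, resolver=resolve):
    """Return (ok, message). The resolver is injectable so the logic can be
    exercised offline with constructed answers."""
    try:
        addresses = resolver(hostname)
    except socket.gaierror as exc:
        return False, "%s does not resolve: %s" % (hostname, exc)
    if not addresses:
        return False, "%s does not resolve to any address" % hostname
    routable, rejected = classify_addresses(addresses)
    if not routable:
        return False, ("%s resolves only to %s; a routable address is required"
                       % (hostname, ", ".join(rejected)))
    return True, "%s resolves to %s" % (hostname, ", ".join(routable))


if __name__ == "__main__":
    name = sys.argv[1] if len(sys.argv) > 1 else socket.getfqdn()
    ok, message = check_ipa_hostname(name)
    print(("OK: " if ok else "FAIL: ") + message)
    sys.exit(0 if ok else 1)
```

The script exits non-zero when the name only maps to loopback, so a provisioning step can gate on it; in a Vagrant box the usual cause of a failure here is an /etc/hosts entry that maps the VM's own hostname to 127.0.0.1.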
FreeIPA/Samba on Fedora 27 results on "anonymous bind"
by x 31978
Hi everybody,
First of all, thank you for providing all that helpful support on this list, it's amazing!
I have a couple of servers running on CentOS, with FreeIPA as the authentication source and Samba for sharing files with some Windows machines. The configuration is the same as described in the post https://bgstack15.wordpress.com/2017/05/10/samba-share-with-freeipa-auth/
Versions are the latest as of today: CentOS 7.4.1708 up to date, FreeIPA 4.5.0, SSSD 1.15.2 and Samba 4.6.2. Everything is working flawlessly.
These days I'm trying the same config on Fedora 27 (on both sides: ipa and samba). Versions are the latest: Fedora 27 up to date, FreeIPA 4.6.2, SSSD 1.16.1 and Samba 4.7.6...
... and I can't get it to work.
[root@sambaserver ~]# systemctl start smb
[root@sambaserver ~]# systemctl status smb
● smb.service - Samba SMB Daemon
Loaded: loaded (/usr/lib/systemd/system/smb.service; enabled; vendor
preset: disabled)
Active: active (running) since Thu 2018-03-22 10:54:42 CET; 20s ago
Main PID: 656 (smbd)
Status: "smbd: ready to serve connections..."
Tasks: 3 (limit: 4915)
CGroup: /system.slice/smb.service
├─656 /usr/sbin/smbd --foreground --no-process-group
├─832 /usr/sbin/smbd --foreground --no-process-group
└─833 /usr/sbin/smbd --foreground --no-process-group
mar 22 10:54:41 sambaserver.ipaserverdomain smbd[656]: [2018/03/22
10:54:41.603487, 0] ../source3/lib/smbldap.c:1046(smbldap_connect_system)
mar 22 10:54:41 sambaserver.ipaserverdomain smbd[656]: failed to bind to
server ldaps://ipaserver.ipaserverdomain with dn="[Anonymous bind]" Error:
Local error
mar 22 10:54:41 sambaserver.ipaserverdomain smbd[656]: (unknown)
mar 22 10:54:42 sambaserver.ipaserverdomain smbd[656]: GSSAPI client step 1
mar 22 10:54:42 sambaserver.ipaserverdomain smbd[656]: GSSAPI client step 1
mar 22 10:54:42 sambaserver.ipaserverdomain smbd[656]: GSSAPI client step 1
mar 22 10:54:42 sambaserver.ipaserverdomain smbd[656]: GSSAPI client step 2
mar 22 10:54:42 sambaserver.ipaserverdomain systemd[1]: Started Samba SMB
Daemon.
mar 22 10:54:42 sambaserver.ipaserverdomain smbd[656]: [2018/03/22
10:54:42.999414, 0] ../lib/util/become_daemon.c:124(daemon_ready)
mar 22 10:54:42 sambaserver.ipaserverdomain smbd[656]: STATUS=daemon
'smbd' finished starting up and ready to serve connections
[root@sambaserver ~]# cat /var/log/samba/log.smbd
.../...
[2018/03/22 10:54:19.827292, 2]
../source3/lib/smbldap.c:841(smbldap_open_connection)
smbldap_open_connection: connection opened
[2018/03/22 10:54:19.843503, 2]
../source3/lib/smbldap.c:1046(smbldap_connect_system)
failed to bind to server ldaps://ipaserver.ipaserverdomain with
dn="[Anonymous bind]" Error: Can't contact LDAP server
TLS error -8023:A PKCS #11 module returned CKR_DEVICE_ERROR,
indicating that a problem has occurred with the token or slot.
[2018/03/22 10:54:19.843558, 1]
../source3/lib/smbldap.c:1259(get_cached_ldap_connect)
Connection to LDAP server failed for the 16 try!
[2018/03/22 10:54:20.845647, 3]
../source3/smbd/server_exit.c:244(exit_server_common)
Server exit (termination signal)
[2018/03/22 10:54:41.463285, 3]
../source3/param/loadparm.c:3862(lp_load_ex)
lp_load_ex: refreshing parameters
[2018/03/22 10:54:41.470801, 3]
../source3/param/loadparm.c:549(init_globals)
Initialising global parameters
[2018/03/22 10:54:41.470868, 3]
../source3/param/loadparm.c:2776(lp_do_section)
Processing section "[global]"
[2018/03/22 10:54:41.470980, 2]
../source3/param/loadparm.c:2793(lp_do_section)
Processing section "[aplicacions]"
[2018/03/22 10:54:41.471043, 2]
../source3/param/loadparm.c:2793(lp_do_section)
Processing section "[compartit]"
[2018/03/22 10:54:41.471099, 2]
../source3/param/loadparm.c:2793(lp_do_section)
Processing section "[escaner]"
[2018/03/22 10:54:41.471153, 2]
../source3/param/loadparm.c:2793(lp_do_section)
Processing section "[usuaris]"
[2018/03/22 10:54:41.471202, 2]
../source3/param/loadparm.c:2793(lp_do_section)
Processing section "[wpkg]"
[2018/03/22 10:54:41.471288, 3]
../source3/param/loadparm.c:1611(lp_add_ipc)
adding IPC service
[2018/03/22 10:54:41.482042, 3] ../source3/smbd/server.c:1822(main)
loaded services
[2018/03/22 10:54:41.535960, 1]
../source3/profile/profile.c:51(set_profile_level)
INFO: Profiling turned OFF from pid 656
[2018/03/22 10:54:41.535998, 3] ../source3/smbd/server.c:1842(main)
Standard input is not a socket, assuming -D option
[2018/03/22 10:54:41.536011, 3] ../source3/smbd/server.c:1854(main)
Becoming a daemon.
[2018/03/22 10:54:41.536379, 2]
../source3/passdb/pdb_interface.c:161(make_pdb_method_name)
No builtin backend found, trying to load plugin
[2018/03/22 10:54:41.582725, 3]
../lib/util/modules.c:167(load_module_absolute_path)
load_module_absolute_path: Module '/usr/lib64/samba/pdb/ipaserversam.so'
loaded
[2018/03/22 10:54:41.590445, 2]
../source3/lib/smbldap.c:841(smbldap_open_connection)
smbldap_open_connection: connection opened
[2018/03/22 10:54:41.603262, 0] ipaserver_sam.c:4245(bind_callback_cleanup)
kerberos error: code=-1765328230, message=Cannot find KDC for realm
"ipaserverdomain"
[2018/03/22 10:54:41.603487, 0]
../source3/lib/smbldap.c:1046(smbldap_connect_system)
failed to bind to server ldaps://ipaserver.ipaserverdomain with
dn="[Anonymous bind]" Error: Local error
(unknown)
[2018/03/22 10:54:41.603539, 1]
../source3/lib/smbldap.c:1259(get_cached_ldap_connect)
Connection to LDAP server failed for the 1 try!
[2018/03/22 10:54:42.604598, 2]
../source3/lib/smbldap.c:841(smbldap_open_connection)
smbldap_open_connection: connection opened
[2018/03/22 10:54:42.742964, 3]
../source3/lib/smbldap.c:1063(smbldap_connect_system)
ldap_connect_system: successful connection to the LDAP server
[2018/03/22 10:54:42.750197, 1] ipaserver_sam.c:4724(pdb_init_ipaserversam)
pdb_init_ipaserversam: support for pdb_enum_upn_suffixes enabled for
domain ipaserverdomain
[2018/03/22 10:54:42.856428, 3]
../source3/lib/util_procid.c:54(pid_to_procid)
pid_to_procid: messaging_dgm_get_unique failed: El fitxer o directori no
existeix
[2018/03/22 10:54:42.976566, 3]
../source3/rpc_server/svcctl/srv_svcctl_reg.c:565(svcctl_init_winreg)
Initialise the svcctl registry keys if needed.
[2018/03/22 10:54:42.998031, 3]
../source3/rpc_server/eventlog/srv_eventlog_reg.c:59(eventlog_init_winreg)
Initialise the eventlog registry keys if needed.
[2018/03/22 10:54:42.999414, 0]
../lib/util/become_daemon.c:124(daemon_ready)
STATUS=daemon 'smbd' finished starting up and ready to serve connections
[2018/03/22 10:54:43.007591, 2]
../source3/smbd/server.c:1395(smbd_parent_loop)
waiting for connections
That's driving me mad. Everything is working well: ipaserver, ipaclient, dns, kerberos, kinit, tickets, users, resolution, keytabs, etc. I can't figure out why Samba cannot find the KDC and then tries to contact the LDAPS server with "Anonymous bind" when the dedicated keytab explicitly grants these permissions. Commands like kinit <user> and kinit -kt <keytab> <principal> are working as expected.
On CentOS this config runs out of the box. What am I missing? Is there any incompatibility with the newer versions shipped with Fedora? Maybe there is a bug somewhere? Maybe I am the bug?
Any hint would be welcome ;-)
Thank you all
A.
6 years
PHP ldap add user
by Per Qvindesland
Hi
We're trying to add a user over from another server with PHP ldap. I can see in the access log that it's connecting, but it looks like it's trying to add the user that I am binding with:
[27/Mar/2018:08:18:24.743154839 +0000] conn=864 op=1 ADD dn="uid=perq,cn=users,cn=accounts,dc=company,dc=ac,dc=uk"
[27/Mar/2018:08:18:24.743525138 +0000] conn=864 op=1 RESULT err=68 tag=105 nentries=0 etime=0.0000456502
[27/Mar/2018:08:18:24.744248637 +0000] conn=864 op=2 UNBIND
[27/Mar/2018:08:18:24.744265131 +0000] conn=864 op=2 fd=88 closed - U1
[27/Mar/2018:08:18:25.424810686 +0000] conn=865 fd=88 slot=88 connection from 34.243.167.105 to 172.31.37.129
[27/Mar/2018:08:18:25.425101552 +0000] conn=865 op=0 BIND dn="" method=128 version=3
[27/Mar/2018:08:18:25.425208322 +0000] conn=865 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0000349904 dn=""
[27/Mar/2018:08:18:25.425905912 +0000] conn=865 op=1 SRCH base="cn=users,cn=accounts,dc=company,dc=ac,dc=uk" scope=2 filter="(uid=)" attrs="distinguishedName memberOf sn givenName eduPersonScopedAffiliation"
[27/Mar/2018:08:18:25.426060385 +0000] conn=865 op=1 RESULT err=0 tag=101 nentries=0 etime=0.0000216324
[27/Mar/2018:08:18:25.426671733 +0000] conn=865 op=2 UNBIND
[27/Mar/2018:08:18:25.426688267 +0000] conn=865 op=2 fd=88 closed - U1
[27/Mar/2018:08:18:25.427748678 +0000] conn=866 fd=88 slot=88 connection from 34.243.167.105 to 172.31.37.129
[27/Mar/2018:08:18:25.427910152 +0000] conn=866 op=0 BIND dn="uid=perq,cn=users,cn=accounts,dc=company,dc=ac,dc=uk" method=128 version=3
[27/Mar/2018:08:18:25.428519552 +0000] conn=866 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0000749019 dn="uid=perq,cn=users,cn=accounts,dc=company,dc=ac,dc=uk"
Does anyone have a working PHP code example with FreeIPA as the LDAP server?
Regards
Per
6 years
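The access log quoted above already tells most of the story: the ADD on conn=864 returns err=68, which is the LDAP result code entryAlreadyExists, and conn=865 performs an anonymous bind (dn="") followed by a search whose filter is "(uid=)", an attribute compared against an empty value. The script below is an added example (not the poster's PHP code and not part of FreeIPA) that correlates 389-ds access-log request lines with their RESULT lines per (conn, op) and flags those three conditions; the names `analyze` and `parse_kv` are chosen here, and the sample input is the post's own log lines embedded as a constant.

```python
"""Correlate 389-ds (FreeIPA directory server) access-log lines per (conn, op).

Added example for the post above; not the poster's code and not part of
FreeIPA. It pairs each request line with its RESULT line and flags what the
quoted log shows: an ADD that fails with err=68 (entryAlreadyExists), a bind
with an empty DN (anonymous), and a search whose filter compares an attribute
against an empty value (usually an unset variable on the client side).
"""
import re

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$')
OP_RE = re.compile(r'^op=(?P<op>\d+) (?P<kind>[A-Z]+)(?: (?P<args>.*))?$')
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
CONNECT_RE = re.compile(r'^fd=\d+ slot=\d+ connection from (?P<src>\S+) to (?P<dst>\S+)')

LDAP_ALREADY_EXISTS = 68   # RFC 4511 resultCode entryAlreadyExists

# Sample input: the access-log lines quoted in the post, reproduced verbatim.
SAMPLE_LINES = [
    '[27/Mar/2018:08:18:24.743154839 +0000] conn=864 op=1 ADD dn="uid=perq,cn=users,cn=accounts,dc=company,dc=ac,dc=uk"',
    '[27/Mar/2018:08:18:24.743525138 +0000] conn=864 op=1 RESULT err=68 tag=105 nentries=0 etime=0.0000456502',
    '[27/Mar/2018:08:18:24.744248637 +0000] conn=864 op=2 UNBIND',
    '[27/Mar/2018:08:18:24.744265131 +0000] conn=864 op=2 fd=88 closed - U1',
    '[27/Mar/2018:08:18:25.424810686 +0000] conn=865 fd=88 slot=88 connection from 34.243.167.105 to 172.31.37.129',
    '[27/Mar/2018:08:18:25.425101552 +0000] conn=865 op=0 BIND dn="" method=128 version=3',
    '[27/Mar/2018:08:18:25.425208322 +0000] conn=865 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0000349904 dn=""',
    '[27/Mar/2018:08:18:25.425905912 +0000] conn=865 op=1 SRCH base="cn=users,cn=accounts,dc=company,dc=ac,dc=uk" scope=2 filter="(uid=)" attrs="distinguishedName memberOf sn givenName eduPersonScopedAffiliation"',
    '[27/Mar/2018:08:18:25.426060385 +0000] conn=865 op=1 RESULT err=0 tag=101 nentries=0 etime=0.0000216324',
    '[27/Mar/2018:08:18:25.426671733 +0000] conn=865 op=2 UNBIND',
    '[27/Mar/2018:08:18:25.427748678 +0000] conn=866 fd=88 slot=88 connection from 34.243.167.105 to 172.31.37.129',
    '[27/Mar/2018:08:18:25.427910152 +0000] conn=866 op=0 BIND dn="uid=perq,cn=users,cn=accounts,dc=company,dc=ac,dc=uk" method=128 version=3',
    '[27/Mar/2018:08:18:25.428519552 +0000] conn=866 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0000749019 dn="uid=perq,cn=users,cn=accounts,dc=company,dc=ac,dc=uk"',
]


def parse_kv(text):
    """Turn 'dn="..." method=128' into a dict, stripping the quotes."""
    out = {}
    for key, value in KV_RE.findall(text or ""):
        out[key] = value[1:-1] if value.startswith('"') else value
    return out


def analyze(lines):
    """Return a list of (conn, op, finding) tuples for suspicious operations."""
    pending = {}    # (conn, op) -> (request kind, request args)
    peers = {}      # conn -> client address from the 'connection from' line
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        conn, rest = m.group("conn"), m.group("rest")
        c = CONNECT_RE.match(rest)
        if c:
            peers[conn] = c.group("src")
            continue
        o = OP_RE.match(rest)
        if not o:
            continue   # fd=.. closed, SSL info and similar lines
        op, kind, args = o.group("op"), o.group("kind"), parse_kv(o.group("args"))
        key = (conn, op)
        if kind != "RESULT":
            pending[key] = (kind, args)
            if kind == "BIND" and args.get("dn", "") == "":
                findings.append((conn, op, "anonymous bind from %s" % peers.get(conn, "?")))
            if kind == "SRCH" and re.search(r'=\)', args.get("filter", "")):
                findings.append((conn, op, "search filter %s compares against an empty value"
                                 % args["filter"]))
            continue
        req_kind, req_args = pending.pop(key, ("?", {}))
        err = int(args.get("err", "0"))
        if req_kind == "ADD" and err == LDAP_ALREADY_EXISTS:
            findings.append((conn, op, "ADD of %s failed: entry already exists (err=68)"
                             % req_args.get("dn")))
        elif err != 0:
            findings.append((conn, op, "%s failed with err=%d" % (req_kind, err)))
    return findings


if __name__ == "__main__":
    for conn, op, finding in analyze(SAMPLE_LINES):
        print("conn=%s op=%s: %s" % (conn, op, finding))
```

Correlating by (conn, op) matters because 389-ds writes the request and its RESULT as separate lines; reading the log this way makes the err=68 on the ADD and the empty-filter search stand out without having to scan by eye.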
directory sync
by Andrew Meyer
So today I came in to work and found that one of my FreeIPA servers isn't syncing with the rest of the cluster. I have a policy set to go in a big square. I tried doing an ipa-replica-manage force-sync --verbose and then tried doing a re-initialize. I have the networks wide open to allow communication to all the servers. When I telnet to port 636 from a remote system it works fine. I have applications that are using ldaps so I know it's working. Any reason I would not be able to communicate over ldaps?
[root@freeipa04 ~]# ipa-replica-manage force-sync --from freeipa03.east.gatewayblend.net --verbose
Traceback (most recent call last):
  File "/sbin/ipa-replica-manage", line 1615, in <module>
    main(options, args)
  File "/sbin/ipa-replica-manage", line 1564, in main
    options.nolookup)
  File "/sbin/ipa-replica-manage", line 1234, in force_sync
    repl = replication.ReplicationManager(realm, fromhost, dirman_passwd)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 222, in __init__
    self.conn.gssapi_bind()
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1124, in gssapi_bind
    '', auth_tokens, server_controls, client_controls)
  File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
    self.gen.throw(type, value, traceback)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1005, in error_handler
    error=info)
NetworkError: cannot connect to 'ldaps://freeipa03.east.gatewayblend.net:636':Unexpected error: cannot connect to 'ldaps://freeipa03.east.gatewayblend.net:636':
[root@freeipa04 ~]#
[root@freeipa04 ~]# ipa-replica-manage re-initialize --from freeipa03.east.gatewayblend.net --verbose
Traceback (most recent call last):
  File "/sbin/ipa-replica-manage", line 1615, in <module>
    main(options, args)
  File "/sbin/ipa-replica-manage", line 1558, in main
    options.nolookup)
  File "/sbin/ipa-replica-manage", line 1200, in re_initialize
    repl = replication.ReplicationManager(realm, fromhost, dirman_passwd)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 222, in __init__
    self.conn.gssapi_bind()
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1124, in gssapi_bind
    '', auth_tokens, server_controls, client_controls)
  File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
    self.gen.throw(type, value, traceback)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1005, in error_handler
    error=info)
NetworkError: cannot connect to 'ldaps://freeipa03.east.gatewayblend.net:636':Unexpected error: cannot connect to 'ldaps://freeipa03.east.gatewayblend.net:636':
[root@freeipa04 ~]#
[root@freeipa04 ~]# ipa-replica-manage re-initialize --from freeipa03.stl1.gatewayblend.net --verbose
ipa: INFO: Setting agreement cn=freeipa03.stl1.gatewayblend.net-to-freeipa04.east.gatewayblend.net,cn=replica,cn=dc\=gatewayblend\,dc\=net,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
ipa: INFO: Deleting schedule 2358-2359 0 from agreement cn=freeipa03.stl1.gatewayblend.net-to-freeipa04.east.gatewayblend.net,cn=replica,cn=dc\=gatewayblend\,dc\=net,cn=mapping tree,cn=config
Update in progress, 14 seconds elapsed
[ldaps://freeipa03.stl1.gatewayblend.net:636] reports: Update failed! Status: [-1 - LDAP error: Can't contact LDAP server]
[root@freeipa04 ~]#
6 years, 1 month
Bind-dyndb-ldap Crashes on Successful Search
by Michael Papet
I'm trying to use bind9 and the dyndb-ldap plugin with OpenLDAP on Debian as a standalone DNS server. In any configuration where named can successfully find the top of the DNS configuration branch, named crashes.
Per the instructions, I'm posting here first.
Full output is here: bind9 dyndb crash - Pastebin.com
The config is:
dyndb myLDAP "/usr/lib/x86_64-linux-gnu/bind/ldap.so" {
uri "ldap://localhost:389";
base "idnsServerId=zed2,dc=mynicehome,dc=home";
auth_method "simple";
bind_dn "cn=someUser,dc=mynicehome,dc=home";
password "somePwd";
server_id "zed";
reconnect_interval 10;
verbose_checks true;
};
The only other config is to move the listeners off UDP 53:
listen-on port 5353 {127.0.0.1;192.168.15.5;};
listen-on-v6 port 5353 {any;};
max-cache-size 10%;
##
A search works.
ldapsearch -x -b 'cn=dns,dc=mynicehome,dc=home' "(|(objectClass=idnsConfigObject)(&(objectClass=idnsServerConfigObject)(idnsServerId=zed)))"
# extended LDIF
#
# LDAPv3
# base <cn=dns,dc=mynicehome,dc=home> with scope subtree
# filter: (|(objectClass=idnsConfigObject)(&(objectClass=idnsServerConfigObject)(idnsServerId=zed)))
# requesting: ALL
#
# dns, mynicehome.home
dn: cn=dns,dc=mynicehome,dc=home
cn: dns
objectClass: nsContainer
objectClass: top
objectClass: idnsConfigObject
# zed, dns,mynicehome.home
dn: idnsServerId=zed,cn=dns,dc=mynincehome,dc=home
idnsServerId: zed
objectClass: top
objectClass: idnsServerConfigObject
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
####
#Here's the crashed part of the output of named run without forking
## named -4 -g -c /etc/bind/named.conf -u bind
24-Mar-2018 07:30:43.786 ../../../lib/dns/rbt.c:1466: REQUIRE((__builtin_expect(!!((rbt) != ((void *)0)), 1) && __builtin_expect(!!(((const isc__magic_t *)(rbt))->magic == ((('R') << 24 | ('B') << 16 | ('T') << 8 | ('+')))), 1))) failed, back trace
24-Mar-2018 07:30:43.786 #0 0x55c18c058670 in ??
24-Mar-2018 07:30:43.786 #1 0x7fdf5f96ed8a in ??
24-Mar-2018 07:30:43.786 #2 0x7fdf610bc9aa in ??
24-Mar-2018 07:30:43.786 #3 0x7fdf610bd223 in ??
24-Mar-2018 07:30:43.786 #4 0x7fdf5475baab in ??
24-Mar-2018 07:30:43.786 #5 0x7fdf5475d080 in ??
24-Mar-2018 07:30:43.786 #6 0x7fdf5474fa74 in ??
24-Mar-2018 07:30:43.786 #7 0x7fdf54751712 in ??
24-Mar-2018 07:30:43.786 #8 0x7fdf5f996ca6 in ??
24-Mar-2018 07:30:43.786 #9 0x7fdf5ef155aa in ??
24-Mar-2018 07:30:43.786 #10 0x7fdf5e2c0cbf in ??
24-Mar-2018 07:30:43.786 exiting (due to assertion failure)
Aborted (core dumped)
6 years, 1 month
FreeIPA in AWS
by Andrew Meyer
I have FreeIPA set up on CentOS 7 in AWS. However, we are looking to lock down communication over our VPN tunnel. I'm trying to do some research to see what ports I need. I've gotten most of them: 80, 443, 88, 464, 389, 636, 123. I have it set up to allow UDP/TCP for both sides. However, in the Amazon security groups I have found that if I remove 0.0.0.0/0 from the inbound rules I lose communication to the remote FreeIPA servers. However, the server in AWS can talk back.
This email thread might not be relevant here but I wanted to see what kind of response I'd get.
Are there ports similar to what needs to be opened for AD?
I found this on Amazon's website: How to Connect Your On-Premises Active Directory to AWS Using AD Connector | Amazon Web Services
Thanks,
Andrew
6 years, 1 month
Remove and add a new CA authority
by Labanowski Pierre
Hello,
I'm confused with my FreeIPA setup. Some details on the installation:
- I have used FreeIPA on only one server since 2012 (basic install with a self-signed certificate ... KO since 2014).
- Meanwhile (a few years ago) I migrated to FreeIPA v4 on CentOS 7.1, which has been on 4.5 for a few weeks now (the old FreeIPA v3 server was destroyed a long time ago).
- At that time the CA authority was lost ... but since I don't use this feature in FreeIPA v4, I'm not too worried.
- I mainly use LDAP (user, group, host, HBAC, automount etc.), and especially Kerberos, and also winsync (AD trust etc. ...).
- I was never interested in the certificate part.
- The HTTP and LDAP certificates of the server are signed by an external authority not managed by FreeIPA.
Now I wanted to add a second server to replicate my single FreeIPA server, to secure the system. And here the disaster begins for me ... because the certificates block the process in every direction.
I'm considering several solutions:
- Solution 1 (my favourite if it's possible), which I started to try: remove the CA and restart from scratch on my master server before starting to replicate.
I did:
ipa-ca-install ----> KO
CA is already installed on this host
THEN
pkidestroy -s CA -i pki-tomcat
ipa-getcert stop-tracking -i ******** (certificate expired for several years)
ipa-ca-install ----> KO
''
Run connection check to master
Connection check OK
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Unexpected error - see /var/log/ipareplica-ca-install.log for details:
HTTPError: 404 Client Error: Not Found
''
I tried a huge number of commands, which I think made more of a mess than anything else ... :'(
How can I erase all traces of the CA authority, reinstall a new authority with ipa-ca-install, and end up with a correct installation?
- Solution 2
Add a replica server without a CA authority, make it the master and install a new CA authority! Is that possible?
- Solution 3
Build a new FreeIPA server from scratch:
- ipa-server-install
- import my ~600 users and ~50 hosts (services)
- import my HBAC rules
- import my sudo rules
- import the Kerberos keys
... Am I forgetting some things? And above all, is there a procedure to do all this?
It seems much more difficult, especially since it will certainly be necessary to plan production outages for my services.
Which solution do you recommend?
Thank you in advance for all the help you will give me
Pierre
6 years, 1 month
FreeIPA PKI with OpenVPN
by Mike Kelly
Hi,
I'm looking to use FreeIPA's PKI for OpenVPN... any pointers on the right way to generate per-user certificates? (Looking to generate certs for Android and Chrome OS, so I don't have an easy way to build a CSR on those devices directly that I can find. I assume I want to just generate the cert & key on the IPA server, copy it securely, then nuke the private key, and place the public key somewhere for OpenVPN to find?)
--
Mike Kelly
6 years, 1 month
HP-UX with IPA AD Trusts
by stich86@gmail.com
Hi all,
I'm trying to configure an HP-UX 11.31 host to connect to my IPA server and use an AD user to log in via SSH.
My first attempt was using Kerberos: kinit works locally without issue, but I get an error trying to log on via SSH because the KDC seems not to respond correctly (using an IPA user instead of an AD user works).
So I'm trying to configure HP-UX using LDAP auth instead of Kerberos, but I'm getting this error:
Mar 22 14:55:32 test sshd[12630]: pam_authenticate: error No account present for user
Mar 22 14:55:36 test sshd[12630]: debug1: PAM: password authentication failed for myuser(a)ad.domain: No account present for user
Mar 22 14:55:36 test sshd[12630]: Failed password for g.marzano(a)octo.local from X.X.X.X port 63080 ssh2
Mar 22 14:55:36 test sshd[12630]: debug1: Entering record_failed_login uid 0
Mar 22 14:55:32 test sshd[12630]: pam_authenticate: error No account present for user
Doing a tcpdump between the HP-UX machine and the IPA server I've seen that the LDAP queries are successful. I'm also using "Proxy Users" to bind to the IPA server to have access to the directory.
Is this configuration supported, or am I just wasting time?
Thanks!
6 years, 1 month
IPA 4.5 replica installation failing - Unable to acquire replica: error: permission denied
by Michael Stathers
Hello, I'm having an issue setting up a new replica. When running the following on the replica:
ipa-replica-install --mkhomedir replica-info-corp-idm03.aws.vwsrv.net.gpg
it stops at "[27/40]: setting up initial replication" with "RuntimeError: Failed to start replication".
From /var/log/ipareplica-install.log:
2018-03-16T18:05:13Z DEBUG [27/40]: setting up initial replication
2018-03-16T18:05:13Z DEBUG retrieving schema for SchemaCache
url=ldapi://%2fvar%2frun%2fslapd-CORP-VWSRV-NET.socket
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x8d9a908>
2018-03-16T18:05:13Z DEBUG Destroyed connection context.ldap2_73919120
2018-03-16T18:05:13Z DEBUG Starting external process
2018-03-16T18:05:13Z DEBUG args=/bin/systemctl --system daemon-reload
2018-03-16T18:05:13Z DEBUG Process finished, return code=0
2018-03-16T18:05:13Z DEBUG stdout=
2018-03-16T18:05:13Z DEBUG stderr=
2018-03-16T18:05:13Z DEBUG Starting external process
2018-03-16T18:05:13Z DEBUG args=/bin/systemctl restart
dirsrv(a)CORP-VWSRV-NET.service
2018-03-16T18:05:14Z DEBUG Process finished, return code=0
2018-03-16T18:05:14Z DEBUG stdout=
2018-03-16T18:05:14Z DEBUG stderr=
2018-03-16T18:05:14Z DEBUG Created connection context.ldap2_73919120
2018-03-16T18:05:14Z DEBUG Fetching nsDS5ReplicaId from master [attempt 1/5]
2018-03-16T18:05:14Z DEBUG retrieving schema for SchemaCache url=ldap://
corp-idm02.aws.vwsrv.net:389 conn=<ldap.ldapobject.SimpleLDAPObject
instance at 0x92e5fc8>
2018-03-16T18:05:14Z DEBUG Successfully updated nsDS5ReplicaId.
2018-03-16T18:05:30Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 504, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 494, in run_step
method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py",
line 439, in __setup_replica
cacert=self.ca_file)
File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
line 1666, in setup_promote_replication
raise RuntimeError("Failed to start replication")
RuntimeError: Failed to start replication
2018-03-16T18:05:30Z DEBUG [error] RuntimeError: Failed to start
replication
2018-03-16T18:05:30Z DEBUG Destroyed connection context.ldap2_107462864
2018-03-16T18:05:30Z DEBUG File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in
execute
return_value = self.run()
File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line
333, in run
cfgr.run()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
368, in run
self.execute()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
392, in execute
for _nothing in self._executor():
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
434, in __runner
exc_handler(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
463, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
453, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
424, in __runner
step()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
421, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line
81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line
59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
658, in _configure
next(executor)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
434, in __runner
exc_handler(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
463, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
521, in _handle_exception
self.__parent._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
453, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
518, in _handle_exception
super(ComponentBase, self)._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
453, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
424, in __runner
step()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
421, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line
81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line
59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line
63, in _install
for _nothing in self._installer(self.parent):
File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/__init__.py",
line 617, in main
replica_install(self)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
line 386, in decorated
func(installer)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
line 1405, in install
pkcs12_info=dirsrv_pkcs12_info)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
line 107, in install_replica_ds
setup_pkinit=not options.no_pkinit,
File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py",
line 404, in create_replica
self.start_creation(runtime=30)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 504, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 494, in run_step
method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py",
line 439, in __setup_replica
cacert=self.ca_file)
File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
line 1666, in setup_promote_replication
raise RuntimeError("Failed to start replication")
2018-03-16T18:05:30Z DEBUG The ipa-replica-install command failed,
exception: RuntimeError: Failed to start replication
2018-03-16T18:05:30Z ERROR Failed to start replication
2018-03-16T18:05:30Z ERROR The ipa-replica-install command failed. See
/var/log/ipareplica-install.log for more information
In the dirsrv error log on the replica:
[16/Mar/2018:14:06:00.376045567 -0400] - ERR - NSMMReplicationPlugin -
acquire_replica - agmt="cn=meTocorp-idm02.aws.vwsrv.net" (corp-idm02:389):
Unable to acquire replica: permission denied. The bind dn "" does not have
permission to supply replication updates to the replica. Will retry later.
In the dirsrv error log on the master:
[16/Mar/2018:14:06:00.345021912 -0400] - ERR - NSMMReplicationPlugin -
multimaster_extop_StartNSDS50ReplicationRequest - conn=895 op=9
replica="dc=corp,dc=vwsrv,dc=net": Unable to acquire replica: error:
permission denied
This issue does seem similar to a previous issue posted to this list, although that person was at a different stage during the replica install (maybe it changed in this version) - https://www.redhat.com/archives/freeipa-users/2016-November/msg00237.html
I ran some ldapsearch queries as well to try to get more information (as suggested in that thread).
On the replica:
# ldapsearch -LLL -D "cn=directory manager" -W -b "cn=config" 'cn=replica'
nsds5replicabinddngroup nsds5replicabinddngroupcheckinterval
nsDS5ReplicaBindDN
Enter LDAP Password:
dn: cn=replica,cn=dc\3Dcorp\2Cdc\3Dvwsrv\2Cdc\3Dnet,cn=mapping
tree,cn=config
nsds5replicabinddngroup: cn=replication
managers,cn=sysaccounts,cn=etc,dc=corp
,dc=vwsrv,dc=net
nsds5replicabinddngroupcheckinterval: 60
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaBindDN: cn=ldap/corp-idm02.aws.vwsrv.net(a)CORP.VWSRV.NET
,cn=config
On the master:
# ldapsearch -LLL -D "cn=directory manager" -W -b "cn=config" 'cn=replica'
nsds5replicabinddngroup nsds5replicabinddngroupcheckinterval
nsDS5ReplicaBindDN
Enter LDAP Password:
dn: cn=replica,cn=dc\3Dcorp\2Cdc\3Dvwsrv\2Cdc\3Dnet,cn=mapping
tree,cn=config
nsds5replicabinddngroup: cn=replication
managers,cn=sysaccounts,cn=etc,dc=corp
,dc=vwsrv,dc=net
nsds5replicabinddngroupcheckinterval: 60
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaBindDN: cn=ldap/corp-idm03.aws.vwsrv.net(a)CORP.VWSRV.NET,cn=config
<-- I added this entry manually.
On the replica (interesting that it doesn't have this cn; maybe it isn't set up yet by the replica install):
# ldapsearch -D "cn=directory manager" -W -b "cn=replication
managers,cn=sysaccounts,cn=etc,dc=corp,dc=vwsrv,dc=net"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=replication
managers,cn=sysaccounts,cn=etc,dc=corp,dc=vwsrv,dc=net> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
matchedDN: dc=corp,dc=vwsrv,dc=net
# numResponses: 1
On the master:
# ldapsearch -D "cn=directory manager" -W -b "cn=replication
managers,cn=sysaccounts,cn=etc,dc=corp,dc=vwsrv,dc=net"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=replication
managers,cn=sysaccounts,cn=etc,dc=corp,dc=vwsrv,dc=net> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# replication managers, sysaccounts, etc, corp.vwsrv.net
dn: cn=replication managers,cn=sysaccounts,cn=etc,dc=corp,dc=vwsrv,dc=net
cn: replication managers
member: krbprincipalname=ldap/dal10-corp-idm01.corp.vwsrv.net(a)CORP.VWSRV.NET
,c
n=services,cn=accounts,dc=corp,dc=vwsrv,dc=net
member: krbprincipalname=ldap/corp-idm02.aws.vwsrv.net(a)CORP.VWSRV.NET
,cn=servi
ces,cn=accounts,dc=corp,dc=vwsrv,dc=net
member: krbprincipalname=ldap/corp-idm03.aws.vwsrv.net(a)CORP.VWSRV.NET
,cn=servi
ces,cn=accounts,dc=corp,dc=vwsrv,dc=net
objectClass: top
objectClass: groupofnames
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
The logs seem lacking in this case; "permission denied" isn't super helpful. Does anybody have any ideas about this one? Thanks!
--
Michael
6 years, 1 month
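The two error lines quoted above make the replica's decision explicit: the supplier's bind identity was the empty DN "", and the replica only accepts updates from a DN listed in nsDS5ReplicaBindDN or from a member of the group in nsds5replicabinddngroup. The script below is an added example (not the poster's commands and not FreeIPA code) that parses ldapsearch LDIF output, including the folded continuation lines visible in the post, and answers "may this bind DN supply updates?" from those two attributes. The names `parse_ldif`, `normalize_dn`, `authorized_suppliers` and `can_supply` are chosen here; the embedded LDIF is constructed to mirror the post's output, with the archive's "(a)" written back as "@".

```python
"""Check which identities a 389-ds replica accepts replication updates from.

Added example for the post above; not the poster's code and not part of
FreeIPA. A supplier's bind identity is accepted if its DN is listed in
nsDS5ReplicaBindDN on the replica entry, or if it is a member of the group
named by nsds5replicabinddngroup. An empty bind DN (the "" in the quoted
error) matches neither, which is the 'permission denied' outcome.
The LDIF below is constructed to mirror the ldapsearch output in the post.
"""

# Constructed sample input modelled on the two ldapsearch results in the post.
# In LDIF a line starting with a single space continues the previous line.
SAMPLE_LDIF = r"""
dn: cn=replica,cn=dc\3Dcorp\2Cdc\3Dvwsrv\2Cdc\3Dnet,cn=mapping
  tree,cn=config
nsds5replicabinddngroup: cn=replication managers,cn=sysaccounts,cn=etc,dc=corp
 ,dc=vwsrv,dc=net
nsds5replicabinddngroupcheckinterval: 60
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaBindDN: cn=ldap/corp-idm02.aws.vwsrv.net@CORP.VWSRV.NET,cn=config

# replication managers, sysaccounts, etc, corp.vwsrv.net
dn: cn=replication managers,cn=sysaccounts,cn=etc,dc=corp,dc=vwsrv,dc=net
cn: replication managers
member: krbprincipalname=ldap/corp-idm02.aws.vwsrv.net@CORP.VWSRV.NET,cn=servi
 ces,cn=accounts,dc=corp,dc=vwsrv,dc=net
member: krbprincipalname=ldap/corp-idm03.aws.vwsrv.net@CORP.VWSRV.NET,cn=servi
 ces,cn=accounts,dc=corp,dc=vwsrv,dc=net
objectClass: top
objectClass: groupofnames
"""


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, skips comments, and
    returns a list of {attribute_lowercase: [values]} dicts, one per entry.
    Base64 (::) values are not handled; none occur in this output."""
    entries, current, pending = [], {}, None
    for raw in text.splitlines() + [""]:      # sentinel flushes the last entry
        if raw.startswith(" ") and pending is not None:
            pending += raw[1:]                # fold: drop the marker space only
            continue
        if pending is not None and not pending.startswith("#"):
            attr, _, value = pending.partition(":")
            current.setdefault(attr.strip().lower(), []).append(value.strip())
        pending = None
        if raw.strip() == "":
            if current:
                entries.append(current)
                current = {}
        else:
            pending = raw
    return entries


def normalize_dn(dn):
    """Case-fold and drop whitespace around RDN separators so DNs compare equal."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def authorized_suppliers(entries):
    """Return the set of normalized DNs allowed to supply updates: the replica
    entry's explicit bind DNs plus the members of its bind DN group."""
    by_dn = {normalize_dn(e["dn"][0]): e for e in entries if "dn" in e}
    allowed = set()
    for entry in entries:
        if "nsds5replicabinddn" not in entry and "nsds5replicabinddngroup" not in entry:
            continue
        for dn in entry.get("nsds5replicabinddn", []):
            allowed.add(normalize_dn(dn))
        for group_dn in entry.get("nsds5replicabinddngroup", []):
            group = by_dn.get(normalize_dn(group_dn), {})
            for member in group.get("member", []):
                allowed.add(normalize_dn(member))
    return allowed


def can_supply(entries, bind_dn):
    """True if bind_dn may push replication updates. The empty (anonymous)
    bind DN is rejected before any lookup, matching the quoted error."""
    if not bind_dn.strip():
        return False
    return normalize_dn(bind_dn) in authorized_suppliers(entries)


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    for candidate in ["", "cn=ldap/corp-idm02.aws.vwsrv.net@CORP.VWSRV.NET,cn=config",
                      "krbprincipalname=ldap/corp-idm03.aws.vwsrv.net@CORP.VWSRV.NET,"
                      "cn=services,cn=accounts,dc=corp,dc=vwsrv,dc=net"]:
        print("%-90r -> %s" % (candidate, "allowed" if can_supply(parsed, candidate) else "denied"))
```

Feed it the real output of the two ldapsearch commands from the post (replica config entry plus the group entry) to see which DNs the replica would accept; a group member that is present on the master but not in the replica's copy of the group, as in the post, only counts once the entry exists on the replica.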