Deploying IPA on AWS
by William Muriithi
Hello everyone
We want to move some of the systems for a co-location into AWS. IPA
systems are some of our candidate servers.
I have attempted to get this working by setting up a replica server in
the cloud and attempting to set up replication - over VPN - and it's not
working. This is due to a DNS issue on AWS being biased toward AWS DNS.
If I use nmap, it verifies I can reach port 53 (TCP and UDP) on the
co-location from AWS, but if I do a dig against existing DNS, it
doesn't seem to resolve.
Has anyone gone through the exercise recently and managed to figure
out how to work around this limitation? Would be grateful if someone can
share how they worked around this problem.
Regards,
William
2 years, 1 month
IPA and legacy systems
by Ronald Wimmer
What would be a good solution to add systems where the FQDN cannot be
changed?
Would it make sense to add a second DNS A Record in the IPA domain for
each of these systems?
Is there any experience on how to deal with such a situation?
Thanks a lot in advance!
Cheers,
Ronald
2 years, 1 month
AD users login and lookup fails with short name in Ubuntu16 freeipa-client
by Suchismita Panda
Hi,
We are trying to configure our FreeIPA environment. We are using
freeipa-client in both Ubuntu 18 and Ubuntu 16 servers. The FreeIPA server
has one way trust to our AD. We have the domain name resolution order
setup in the FreeIPA server. The AD users are able to ssh login to Ubuntu
18 fluently. But in Ubuntu 16, the AD user ssh login works only with domain
name extension for AD users and fails with short name. Inside the Ubuntu 16
client, AD user lookup as well fails for short name, but works with domain
name extension.
Is there any extra configuration needed in sssd.conf other than the default
configuration generated by freeipa-client?
TIA
2 years, 1 month
New DNS records not populating
by Andrew Meyer
I recently had a server that didn't get added to DNS but was joined to FreeIPA system. I just went back to fix it. I tried removing the host, rebooting and re-adding it to the FreeIPA system. After doing this new DNS records did not get added. I went back to manually add the DNS records (A,SSHFP) and was successful; however, when I try to ssh to the server I get this:
[andrew.meyer@jump01 ~]$ ssh pihole01.loc.example.com
sss_ssh_knownhostsproxy: Could not resolve hostname pihole01.loc.example.com
kex_exchange_identification: Connection closed by remote host
[andrew.meyer@jump01 ~]$
But when I try to run a dig against the records added none of them come back.
[andrew.meyer@jump01 ~]$ dig pihole01.loc.example.com
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> pihole01.loc.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2980
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 05879881b6a519f543d896f85ecd7e4235ba486f22821495 (good)
;; QUESTION SECTION:
;pihole01.loc.example.com. IN A
;; AUTHORITY SECTION:
loc.example.com. 3600 IN SOA freeipa001.loc.example.com. hostmaster.loc.example.com. 1590523365 3600 900 1209600 3600
;; Query time: 0 msec
;; SERVER: 10.150.10.12#53(10.150.10.12)
;; WHEN: Tue May 26 15:38:26 CDT 2020
;; MSG SIZE rcvd: 141
[andrew.meyer@jump01 ~]$
[andrew.meyer@jump01 ~]$ dig pihole01.loc.example.com A
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> pihole01.loc.example.com A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 24317
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: da22b671a9a042aa3acbb8d95ecd71177b0f9a24a87f4651 (good)
;; QUESTION SECTION:
;pihole01.loc.example.com. IN A
;; AUTHORITY SECTION:
loc.example.com. 3600 IN SOA freeipa001.loc.example.com. hostmaster.loc.example.com. 1590520949 3600 900 1209600 3600
;; Query time: 0 msec
;; SERVER: 10.150.10.12#53(10.150.10.12)
;; WHEN: Tue May 26 14:42:15 CDT 2020
;; MSG SIZE rcvd: 141
[andrew.meyer@jump01 ~]$
Here are the logs from bind on the freeipa server:
26-May-2020 15:27:24.686 validating asm-fedora.example.local/A: bad cache hit (local/DS)
26-May-2020 15:27:24.687 broken trust chain resolving 'asm-fedora.example.local/A/IN': 10.150.10.40#53
26-May-2020 15:27:24.729 no valid RRSIG resolving 'asm-fedora/DS/IN': 10.150.10.40#53
26-May-2020 15:27:24.729 no valid DS resolving 'asm-fedora/A/IN': 10.150.10.40#53
26-May-2020 15:28:00.622 validating asm-fedora.example.local/A: bad cache hit (local/DS)
26-May-2020 15:28:00.622 broken trust chain resolving 'asm-fedora.example.local/A/IN': 10.150.10.40#53
26-May-2020 15:28:00.636 validating asm-fedora/A: bad cache hit (asm-fedora/DS)
26-May-2020 15:28:00.636 broken trust chain resolving 'asm-fedora/A/IN': 10.150.10.40#53
26-May-2020 15:28:03.868 validating asm-fedora.example.local/A: bad cache hit (local/DS)
26-May-2020 15:28:03.869 broken trust chain resolving 'asm-fedora.example.local/A/IN': 10.150.10.40#53
26-May-2020 15:28:03.886 validating asm-fedora/A: bad cache hit (asm-fedora/DS)
26-May-2020 15:28:03.886 broken trust chain resolving 'asm-fedora/A/IN': 10.150.10.40#53
26-May-2020 15:28:08.154 validating gold-ev-g2.ocsp.swisssign.net/CNAME: no valid signature found
26-May-2020 15:28:08.223 validating gold-ev-g2.ocsp.swisssign.net/CNAME: no valid signature found
26-May-2020 15:28:08.280 validating ocsp.swisssign.net/A: no valid signature found
26-May-2020 15:28:08.349 validating swisssign.net/SOA: no valid signature found
26-May-2020 15:28:08.350 validating ocsp.swisssign.net/NSEC: no valid signature found
26-May-2020 15:28:11.556 insecurity proof failed resolving 'incoming.telemetry.mozilla.org/A/IN': 10.150.10.40#53
26-May-2020 15:28:11.556 insecurity proof failed resolving 'incoming.telemetry.mozilla.org/AAAA/IN': 10.150.10.40#53
26-May-2020 15:28:12.683 insecurity proof failed resolving 'snippets.cdn.mozilla.net/A/IN': 10.150.10.40#53
26-May-2020 15:28:12.683 insecurity proof failed resolving 'snippets.cdn.mozilla.net/AAAA/IN': 10.150.10.40#53
26-May-2020 15:28:26.783 validating gold-server-g2.ocsp.swisssign.net/CNAME: no valid signature found
26-May-2020 15:28:26.897 validating gold-server-g2.ocsp.swisssign.net/CNAME: no valid signature found
26-May-2020 15:28:47.512 insecurity proof failed resolving 'consent.cookiebot.com/A/IN': 10.150.10.40#53
26-May-2020 15:28:47.512 insecurity proof failed resolving 'consent.cookiebot.com/AAAA/IN': 10.150.10.40#53
26-May-2020 15:29:45.969 validating vrty.org.example.local/A: bad cache hit (local/DS)
26-May-2020 15:29:45.969 broken trust chain resolving 'vrty.org.example.local/A/IN': 10.150.10.40#53
26-May-2020 15:34:26.510 no valid RRSIG resolving 'local/DS/IN': 10.150.10.40#53
26-May-2020 15:34:26.510 no valid DS resolving 'vrty.org.example.local/A/IN': 10.150.10.40#53
26-May-2020 15:39:28.026 validating vrty.org.example.local/A: bad cache hit (local/DS)
26-May-2020 15:39:28.026 broken trust chain resolving 'vrty.org.example.local/A/IN': 10.150.10.40#53
26-May-2020 15:40:21.352 validating librenms.example.local/A: bad cache hit (local/DS)
26-May-2020 15:40:21.352 broken trust chain resolving 'librenms.example.local/A/IN': 10.150.10.40#53
26-May-2020 15:40:21.370 validating grocy01.example.local/A: bad cache hit (local/DS)
26-May-2020 15:40:21.370 broken trust chain resolving 'grocy01.example.local/A/IN': 10.150.10.40#53
26-May-2020 15:40:21.392 validating grocy01.example.local/MX: bad cache hit (local/DS)
26-May-2020 15:40:21.392 broken trust chain resolving 'grocy01.example.local/MX/IN': 10.150.10.40#53
26-May-2020 15:40:21.393 validating librenms.example.local/MX: bad cache hit (local/DS)
26-May-2020 15:40:21.393 broken trust chain resolving 'librenms.example.local/MX/IN': 10.150.10.40#53
26-May-2020 15:44:27.810 no valid RRSIG resolving 'local/DS/IN': 10.150.10.40#53
26-May-2020 15:44:27.810 no valid DS resolving 'vrty.org.example.local/A/IN': 10.150.10.40#53
26-May-2020 15:46:40.756 validating pihole01.loc.example.com.example.local/AAAA: bad cache hit (local/DS)
26-May-2020 15:46:40.756 broken trust chain resolving 'pihole01.loc.example.com.example.local/AAAA/IN': 10.150.10.40#53
26-May-2020 15:46:40.760 validating pihole01.loc.example.com.example.local/A: bad cache hit (local/DS)
26-May-2020 15:46:40.760 broken trust chain resolving 'pihole01.loc.example.com.example.local/A/IN': 10.150.10.40#53
26-May-2020 15:48:52.134 insecurity proof failed resolving 'collection-endpoint-prod.herokuapp.com/A/IN': 10.150.10.40#53
26-May-2020 15:49:31.721 validating vrty.org.example.local/A: bad cache hit (local/DS)
26-May-2020 15:49:31.721 broken trust chain resolving 'vrty.org.example.local/A/IN': 10.150.10.40#53
[root@freeipa001 data]#
2 years, 1 month
API logout
by Peter Tselios
Hello,
How do I perform a "session logout" in the API?
I am using Ansible's URI module and so far I tried a few different options, like for example this:
- name: Logout from IdM API
  uri:
    url: "https://{{ ipa_master }}/ipa/session/json"
    headers:
      Content-type: "application/json"
      Accept: "application/json"
      Referer: "https://{{ ipa_master }}/ipa"
      Cookie: "{{ ipa_session }}"
    method: POST
    body_format: json
    body: |
      {
        "id": 0,
        "method": "session_logout/1",
        "params": [
          {
            "version": "{{ ipa_api_version | default('2.231') }}"
          }
        ]
      }
which gives me the following error:
message: 'Invalid JSON-RPC request: params must contain [args, options]'
I also tried to simply visit the /ipa/session/session_logout, or the /ipa/session_logout. Both options gave me a 404.
So, how do I "logout"?
2 years, 1 month
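Added example, not part of the post above and not FreeIPA's own code: the quoted error says params must be a two-element list, [args, options], so a command with no positional arguments still needs an empty list in front of the options object. check_request and build_request are hypothetical helpers written for this illustration; the check is a local model of the quoted error message, and only that one message text comes from the post.

```python
import json

# Error text quoted in the post; the other messages are this example's own wording.
SHAPE_ERROR = "Invalid JSON-RPC request: params must contain [args, options]"


def check_request(request):
    """Return None when params has the [args, options] shape, else an error string.

    Local stand-in for the server-side check (assumption: modelled on the
    error message in the post, not copied from FreeIPA).
    """
    if not isinstance(request.get("method"), str):
        return "Invalid JSON-RPC request: method must be a string"
    params = request.get("params")
    if not isinstance(params, list) or len(params) != 2:
        return SHAPE_ERROR
    args, options = params
    if not isinstance(args, list):
        return "Invalid JSON-RPC request: args (params[0]) must be a list"
    if not isinstance(options, dict):
        return "Invalid JSON-RPC request: options (params[1]) must be an object"
    return None


def build_request(method, args=(), options=None, api_version="2.231", req_id=0):
    """Build a request whose params are exactly [args, options]."""
    opts = dict(options or {})
    opts.setdefault("version", api_version)
    return {"id": req_id, "method": method, "params": [list(args), opts]}


# Body from the post with the template variable filled in:
# params holds a single element (the options object only).
POSTED_BODY = json.loads("""
{"id": 0, "method": "session_logout/1",
 "params": [{"version": "2.231"}]}
""")

# Same call with an empty positional-argument list in front of the options.
FIXED_BODY = build_request("session_logout/1")

if __name__ == "__main__":
    for name, body in (("posted", POSTED_BODY), ("fixed", FIXED_BODY)):
        print(name, json.dumps(body), "->", check_request(body) or "shape OK")
```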
centos with automount maps from ipa AND files
by Klaus Vink Slott
Hi
I am trying to mix file-based automount entries with some entries from
IPA. I found that in order to make this work on CentOS clients I must
place files before sss in nsswitch. After this discovery I just made my
ansible setup ensure this.
grep automount /etc/nsswitch.conf
#automount: files nisplus sss
automount: files sss
Now moving to CentOS 8 I found warnings in nsswitch, not to edit it
directly, so I revisited this oddity. I found that according to
Red Hat (1) authselect should not be used anyway, when IPA is in charge.
But the setup made by ipa-client-automount also had the same problem:
sss before files.
Actually, I don't mind which one is consulted first, I have no mixed
maps. But to me it seems that when sss is consulted first, auto.master
is not used at all.
Is this a in my setup or in Centos/Redhat - or am I missing something?
(1)https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/...
--
Regards
Klaus
2 years, 1 month
Reverse DNS zones with AD Trust
by Vinícius Ferrão
Hello,
I would like to know how to handle reverse DNS zones when AD trust is enabled.
I do have separate domains for AD and IPA as required, but the reverse zones are mixed, since the hosts are on the same network, which is common. In this scenario where should the reverse DNS zone be hosted? On the AD side? On IPA? How to make this work without breaking dynamic DNS updates for the PTR zones? Should any of them keep the zones as slaves?
There are some older discussions here on the list but without continuity and I don’t know the results, like this one:
https://www.redhat.com/archives/freeipa-users/2015-June/msg00555.html
In this old thread, the recommendation was to move the reverse zone to IPA and make some grants on BIND to allow Dynamic DNS updates.
But is this still the case?
Is there any official guidance on this issue?
Is this scenario supported, or must I have separate networks, even with VLANs and IP addresses, for *nix and Windows clients?
Thanks,
2 years, 1 month
kernel: ns-slapd[5865]: segfault at 5603c0ee2000 ip 00007fe3ba3975ba sp 00007fe3bdbd28a8 error 4 in libc-2.17.so[7fe3ba242000
by TomK
Hey All,
I've upgraded one side of my two node cluster. However, the secondary
won't come up even though the manual upgrade apparently went well.
[root@idmipa04 ~]# ipa-server-upgrade
Upgrading IPA:. Estimated time: 1 minute 30 seconds
[1/9]: saving configuration
[2/9]: disabling listeners
[3/9]: enabling DS global lock
[4/9]: disabling Schema Compat
[5/9]: starting directory server
[6/9]: updating schema
[7/9]: upgrading server
[8/9]: stopping directory server
[9/9]: restoring configuration
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run
command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
CalledProcessError: Command '/bin/systemctl start
dirsrv@MWS-MDS-XYZ.service' returned non-zero exit status 1
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for
more information
[root@idmipa04 ~]#
Additional information:
[root@idmipa04 ~]# cat /var/log/ipaupgrade.log|tail -n 50
2020-05-19T04:18:10Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2020-05-19T04:18:10Z DEBUG Saving StateFile to
'/var/lib/ipa/sysrestore/sysrestore.state'
2020-05-19T04:18:10Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2020-05-19T04:18:10Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2020-05-19T04:18:10Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2020-05-19T04:18:10Z DEBUG Saving StateFile to
'/var/lib/ipa/sysrestore/sysrestore.state'
2020-05-19T04:18:10Z DEBUG duration: 0 seconds
2020-05-19T04:18:10Z DEBUG Done.
2020-05-19T04:18:10Z INFO Update complete
2020-05-19T04:18:10Z INFO Upgrading the configuration of the IPA services
2020-05-19T04:18:10Z DEBUG IPA version 4.6.6-11.el7.centos
2020-05-19T04:18:10Z DEBUG Loading Index file from
'/var/lib/ipa/sysrestore/sysrestore.index'
2020-05-19T04:18:10Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2020-05-19T04:18:10Z DEBUG Loading Index file from
'/var/lib/ipa/sysrestore/sysrestore.index'
2020-05-19T04:18:10Z DEBUG Starting external process
2020-05-19T04:18:10Z DEBUG args=/bin/systemctl is-active
dirsrv@MWS-MDS-XYZ.service
2020-05-19T04:18:10Z DEBUG Process finished, return code=3
2020-05-19T04:18:10Z DEBUG stdout=unknown
2020-05-19T04:18:10Z DEBUG stderr=
2020-05-19T04:18:10Z DEBUG Starting external process
2020-05-19T04:18:10Z DEBUG args=/bin/systemctl start
dirsrv@MWS-MDS-XYZ.service
2020-05-19T04:19:55Z DEBUG Process finished, return code=1
2020-05-19T04:19:55Z DEBUG stdout=
2020-05-19T04:19:55Z DEBUG stderr=Job for dirsrv@MWS-MDS-XYZ.service
failed because a fatal signal was delivered to the control process. See
"systemctl status dirsrv@MWS-MDS-XYZ.service" and "journalctl -xe" for
details.
2020-05-19T04:19:56Z ERROR IPA server upgrade failed: Inspect
/var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2020-05-19T04:19:56Z DEBUG File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in
execute
return_value = self.run()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
line 54, in run
server.upgrade()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 2166, in upgrade
upgrade_configuration()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1791, in upgrade_configuration
ds.start(ds_serverid)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line
656, in start
super(DsInstance, self).start(*args, **kwargs)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 464, in start
self.service.start(instance_name, capture_output=capture_output,
wait=wait)
File
"/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line
136, in start
instance_name, capture_output=capture_output, wait=wait)
File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py",
line 303, in start
skip_output=not capture_output)
File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line
563, in run
raise CalledProcessError(p.returncode, arg_string, str(output))
2020-05-19T04:19:56Z DEBUG The ipa-server-upgrade command failed,
exception: CalledProcessError: Command '/bin/systemctl start
dirsrv@MWS-MDS-XYZ.service' returned non-zero exit status 1
2020-05-19T04:19:56Z ERROR Unexpected error - see
/var/log/ipaupgrade.log for details:
CalledProcessError: Command '/bin/systemctl start
dirsrv@MWS-MDS-XYZ.service' returned non-zero exit status 1
2020-05-19T04:19:56Z ERROR The ipa-server-upgrade command failed. See
/var/log/ipaupgrade.log for more information
[root@idmipa04 ~]#
[root@idmipa04 ~]#
[root@idmipa04 ~]#
[root@idmipa04 ~]#
[root@idmipa04 ~]# /bin/systemctl start dirsrv@MWS-MDS-XYZ.service
[root@idmipa04 ~]#
[root@idmipa04 ~]#
[root@idmipa04 ~]# systemctl status dirsrv@MWS-MDS-XYZ.service
● dirsrv@MWS-MDS-XYZ.service - 389 Directory Server MWS-MDS-XYZ.
Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled;
vendor preset: disabled)
Active: active (running) since Tue 2020-05-19 00:21:49 EDT; 10s ago
Process: 4657 ExecStartPre=/usr/sbin/ds_systemd_ask_password_acl
/etc/dirsrv/slapd-%i/dse.ldif (code=exited, status=0/SUCCESS)
Main PID: 4664 (ns-slapd)
Status: "slapd started: Ready to process requests"
CGroup: /system.slice/system-dirsrv.slice/dirsrv@MWS-MDS-XYZ.service
└─4664 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-MWS-MDS-XYZ
-i /var/run/dirsrv/slapd-MWS-MDS-XYZ.pid
May 19 00:21:49 idmipa04.mws.mds.xyz ns-slapd[4664]:
[19/May/2020:00:21:49.380321307 -0400] - ERR - set_krb5_creds - ...ealm)
May 19 00:21:49 idmipa04.mws.mds.xyz ns-slapd[4664]:
[19/May/2020:00:21:49.381268146 -0400] - ERR - NSMMReplicationPl...r) ()
May 19 00:21:49 idmipa04.mws.mds.xyz ns-slapd[4664]:
[19/May/2020:00:21:49.602418963 -0400] - ERR - schema-compat-plu...onds!
May 19 00:21:52 idmipa04.mws.mds.xyz ns-slapd[4664]:
[19/May/2020:00:21:52.607265030 -0400] - ERR - set_krb5_creds - ...ealm)
May 19 00:21:52 idmipa04.mws.mds.xyz ns-slapd[4664]:
[19/May/2020:00:21:52.609340757 -0400] - ERR - set_krb5_creds - ...ealm)
May 19 00:21:54 idmipa04.mws.mds.xyz ns-slapd[4664]:
[19/May/2020:00:21:54.625706606 -0400] - ERR - schema-compat-plu...c=xyz
May 19 00:21:54 idmipa04.mws.mds.xyz ns-slapd[4664]:
[19/May/2020:00:21:54.758965595 -0400] - ERR - schema-compat-plu...c=xyz
May 19 00:21:54 idmipa04.mws.mds.xyz ns-slapd[4664]:
[19/May/2020:00:21:54.759530547 -0400] - ERR - schema-compat-plu...tion.
May 19 00:21:58 idmipa04.mws.mds.xyz ns-slapd[4664]:
[19/May/2020:00:21:58.612054116 -0400] - ERR - set_krb5_creds - ...ealm)
May 19 00:21:58 idmipa04.mws.mds.xyz ns-slapd[4664]:
[19/May/2020:00:21:58.613830783 -0400] - ERR - set_krb5_creds - ...ealm)
Hint: Some lines were ellipsized, use -l to show in full.
[root@idmipa04 ~]#
[root@idmipa04 ~]#
[root@idmipa04 ~]#
[root@idmipa04 ~]# systemctl status dirsrv@MWS-MDS-XYZ.service -l
● dirsrv@MWS-MDS-XYZ.service - 389 Directory Server MWS-MDS-XYZ.
Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled;
vendor preset: disabled)
Active: active (running) since Tue 2020-05-19 00:21:49 EDT; 16s ago
Process: 4657 ExecStartPre=/usr/sbin/ds_systemd_ask_password_acl
/etc/dirsrv/slapd-%i/dse.ldif (code=exited, status=0/SUCCESS)
Main PID: 4664 (ns-slapd)
Status: "slapd started: Ready to process requests"
CGroup: /system.slice/system-dirsrv.slice/dirsrv@MWS-MDS-XYZ.service
└─4664 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-MWS-MDS-XYZ
-i /var/run/dirsrv/slapd-MWS-MDS-XYZ.pid
May 19 00:21:52 idmipa04.mws.mds.xyz ns-slapd[4664]:
[19/May/2020:00:21:52.607265030 -0400] - ERR - set_krb5_creds - Could
not get initial credentials for principal
[ldap/idmipa04.mws.mds.xyz@MWS.MDS.XYZ] in keytab
[FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for
requested realm)
May 19 00:21:52 idmipa04.mws.mds.xyz ns-slapd[4664]:
[19/May/2020:00:21:52.609340757 -0400] - ERR - set_krb5_creds - Could
not get initial credentials for principal
[ldap/idmipa04.mws.mds.xyz@MWS.MDS.XYZ] in keytab
[FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for
requested realm)
May 19 00:21:54 idmipa04.mws.mds.xyz ns-slapd[4664]:
[19/May/2020:00:21:54.625706606 -0400] - ERR - schema-compat-plugin -
warning: no entries set up under cn=ng, cn=compat,dc=mws,dc=mds,dc=xyz
May 19 00:21:54 idmipa04.mws.mds.xyz ns-slapd[4664]:
[19/May/2020:00:21:54.758965595 -0400] - ERR - schema-compat-plugin -
warning: no entries set up under cn=computers,
cn=compat,dc=mws,dc=mds,dc=xyz
May 19 00:21:54 idmipa04.mws.mds.xyz ns-slapd[4664]:
[19/May/2020:00:21:54.759530547 -0400] - ERR - schema-compat-plugin -
Finished plugin initialization.
May 19 00:21:58 idmipa04.mws.mds.xyz ns-slapd[4664]:
[19/May/2020:00:21:58.612054116 -0400] - ERR - set_krb5_creds - Could
not get initial credentials for principal
[ldap/idmipa04.mws.mds.xyz@MWS.MDS.XYZ] in keytab
[FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for
requested realm)
May 19 00:21:58 idmipa04.mws.mds.xyz ns-slapd[4664]:
[19/May/2020:00:21:58.613830783 -0400] - ERR - set_krb5_creds - Could
not get initial credentials for principal
[ldap/idmipa04.mws.mds.xyz@MWS.MDS.XYZ] in keytab
[FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for
requested realm)
May 19 00:22:03 idmipa04.mws.mds.xyz ns-slapd[4664]: GSSAPI server step 1
May 19 00:22:03 idmipa04.mws.mds.xyz ns-slapd[4664]: GSSAPI server step 2
May 19 00:22:03 idmipa04.mws.mds.xyz ns-slapd[4664]: GSSAPI server step 3
[root@idmipa04 ~]#
[root@idmipa04 ~]#
---------------------------------------------------------------------
Looking at the service, it appears libc hit a SEGFAULT.
[root@idmipa04 ~]# journalctl -xe
May 19 00:34:03 idmipa04.mws.mds.xyz Keepalived_vrrp[5424]:
/usr/bin/killall -0 haproxy exited with status 1
May 19 00:34:05 idmipa04.mws.mds.xyz Keepalived_vrrp[5424]:
/usr/bin/killall -0 haproxy exited with status 1
May 19 00:34:06 idmipa04.mws.mds.xyz ns-slapd[5745]:
[19/May/2020:00:34:06.272901079 -0400] - NOTICE - NSMMReplicationPlugin
- changelog program - _cl5ConstructRU
May 19 00:34:06 idmipa04.mws.mds.xyz kernel: ns-slapd[5865]: segfault at
5603c0ee2000 ip 00007fe3ba3975ba sp 00007fe3bdbd28a8 error 4 in
libc-2.17.so[7fe3ba242000
May 19 00:34:06 idmipa04.mws.mds.xyz systemd[1]:
dirsrv@MWS-MDS-XYZ.service: main process exited, code=killed, status=11/SEGV
May 19 00:34:06 idmipa04.mws.mds.xyz systemd[1]: Failed to start 389
Directory Server MWS-MDS-XYZ..
-- Subject: Unit dirsrv@MWS-MDS-XYZ.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit dirsrv@MWS-MDS-XYZ.service has failed.
--
-- The result is failed.
Wondering what should my next steps be from here?
--
Thx,
TK.
2 years, 1 month