May 2023 - FreeIPA-users - Fedora Mailing-Lists

by lejeczek

Hi guys. for what 'ipa-healthcheck' complains of: { "source": "ipahealthcheck.ds.replication", "check": "ReplicationCheck", "result": "WARNING", "uuid": "720d7af6-5a11-486f-a610-f6f06ec4d9e2", "when": "20230526202306Z", "duration": "0.054683", "kw": { "key": "DSREPLLE0002", "items": [ "Replication", "Conflict Entries" ], "msg": "There were 1 conflict entries found under the replication suffix \"o=ipaca\"." } }, and old trick finds not culprit: -> $ ldapsearch -LLL -H ldaps://$(hostname) -Y GSSAPI -D 'cn=Directory Manager' -b 'o=ipaca' '(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))' nsds5ReplConflict SASL/GSSAPI authentication started SASL username: admin(a)MINE.PRIV SASL SSF: 256 SASL data security layer installed. where is it hiding? many thanks, L.

1 day, 16 hours

1
0
0 / 0

Can't add CA to replica - invalid 'cn': must be

by Nicholas Cross

We are in the process of adding a new a CA replica. We install in the following fashion: 1. ipa-replica-install 2. ipa-dns-install 3. ipa-ca-install All goes well until step3. ipa-ca-install, where we get the error: 2023-05-22T16:51:30Z ERROR ERROR: Remote master check failed with following error message(s): invalid 'cn': must be "ipa011.ad.company.fm" If we do --skip-conn-check (not recommended) at step 3 we get a complete install, but it does not allow kinit to work on that server. Any thoughts on how to diagnose and/or fix? Thanks Nick.

1 day, 21 hours

3
15
0 / 0

container IPA fine but only until host's reboot

by lejeczek

Hi guys. I've a replica in container which deploys & works seemingly a okey, container reboot is not detrimental to IPA yet host reboot seems to break LDAP down. Both container and host, are up to date Centos 9, it's a rootful container. So far - a several times - it reproduces each time - I can remove "broken" container, re-create anew, it works, then host reboots and ... a bummer. Anybody seen this or similar issues? Log snippets: -> $ ipactl restart Starting Directory Service Failed to start Directory Service: CalledProcessError(Command ['/bin/systemctl', 'start', 'dirsrv(a)MINE-PRIV.service'] returned non-zero exit status 1) Starting 389 Directory Server MINE-PRIV.... dirsrv(a)MINE-PRIV.service: ProtectHostname=yes is configured, but UTS namespace setup is prohibited (container manager?), ignoring namespace setup. dirsrv(a)MINE-PRIV.service: ProtectHostname=yes is configured, but UTS namespace setup is prohibited (container manager?), ignoring namespace setup. dirsrv(a)MINE-PRIV.service: ProtectHostname=yes is configured, but UTS namespace setup is prohibited (container manager?), ignoring namespace setup. [25/May/2023:20:38:08.747319489 +0000] - CRIT - Security Initialization - warn_if_no_cert_file - Certificate DB file cert8.db nor cert9.db exists in [/etc/dirsrv/slapd-MINE-PRIV] - SSL initialization will likely fail [25/May/2023:20:38:08.752730373 +0000] - CRIT - Security Initialization - warn_if_no_key_file - Key DB file key3.db nor key4.db exists in [/etc/dirsrv/slapd-MINE-PRIV] - SSL initialization will likely fail [25/May/2023:20:38:08.768566520 +0000] - ERR - Security Initialization - SSL failure: NSS initialization failed (Netscape Portable Runtime error -8174 - security library: bad database.): certdir: /etc/dirsrv/slapd-MINE-PRIV [25/May/2023:20:38:08.770531395 +0000] - ERR - force_to_disable_security - ERROR: NSS Initialization Failed. Disabling NSS. [25/May/2023:20:38:08.772440575 +0000] - ERR - set_workingdir - detach: failed to chdir to /var/log/dirsrv/slapd-MINE-PRIV [25/May/2023:20:38:08.774326540 +0000] - ERR - set_workingdir - detach: set workingdir failed with "Working directory "/" is not writeable." [25/May/2023:20:38:08.776402306 +0000] - INFO - main - 389-Directory/2.2.4 B2022.347.0000 starting up [25/May/2023:20:38:08.778279795 +0000] - INFO - main - Setting the maximum file descriptor limit to: 1024 [25/May/2023:20:38:08.780257034 +0000] - ERR - fedse_create_startOK - Cannot copy DSE file "/etc/dirsrv/slapd-MINE-PRIV/dse.ldif" to "/etc/dirsrv/slapd-MINE-PRIV/dse.ldif.startOK" OS error 13 (Permission denied) [25/May/2023:20:38:08.782222230 +0000] - ERR - dse_write_file_nolock - Cannot open temporary DSE file "/etc/dirsrv/slapd-MINE-PRIV/dse.ldif.tmp" for update: OS error 13 (Permission denied) [25/May/2023:20:38:08.787607325 +0000] - ERR - PBKDF2_SHA256 - Unable to generate algorithm ID. [25/May/2023:20:38:08.789526243 +0000] - ERR - PBKDF2_SHA256 - Could not generate pbkdf2_sha256_hash! [25/May/2023:20:38:08.791436584 +0000] - ERR - PBKDF2_SHA256 - Unable to generate algorithm ID. [25/May/2023:20:38:08.793404806 +0000] - ERR - PBKDF2_SHA256 - Could not generate pbkdf2_sha256_hash! [25/May/2023:20:38:08.795305449 +0000] - ERR - PBKDF2_SHA256 - Unable to generate algorithm ID. [25/May/2023:20:38:08.797253522 +0000] - ERR - PBKDF2_SHA256 - Could not generate pbkdf2_sha256_hash! [25/May/2023:20:38:08.799164114 +0000] - ERR - PBKDF2_SHA256 - Unable to generate algorithm ID. [25/May/2023:20:38:08.801065298 +0000] - ERR - PBKDF2_SHA256 - Could not generate pbkdf2_sha256_hash! [25/May/2023:20:38:08.803027158 +0000] - ERR - PBKDF2_SHA256 - Unable to generate algorithm ID. [25/May/2023:20:38:08.804938281 +0000] - ERR - PBKDF2_SHA256 - Could not generate pbkdf2_sha256_hash! [25/May/2023:20:38:08.806866727 +0000] - ERR - PBKDF2_SHA256 - Unable to generate algorithm ID. [25/May/2023:20:38:08.808871438 +0000] - ERR - PBKDF2_SHA256 - Could not generate pbkdf2_sha256_hash! [25/May/2023:20:38:08.810796257 +0000] - ERR - PBKDF2_SHA256 - Unable to generate algorithm ID. [25/May/2023:20:38:08.812761433 +0000] - ERR - PBKDF2_SHA256 - Could not generate pbkdf2_sha256_hash! [25/May/2023:20:38:08.814675903 +0000] - ERR - PBKDF2_SHA256 - Unable to generate algorithm ID. [25/May/2023:20:38:08.816595692 +0000] - ERR - PBKDF2_SHA256 - Could not generate pbkdf2_sha256_hash! [25/May/2023:20:38:08.818568974 +0000] - INFO - PBKDF2_SHA256 - Based on CPU performance, chose 12000 rounds [25/May/2023:20:38:08.822101547 +0000] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000 [25/May/2023:20:38:08.824226177 +0000] - INFO - ldbm_instance_config_set - instance: userRoot attr aci [25/May/2023:20:38:08.826218264 +0000] - INFO - ldbm_instance_config_set - instance: userRoot attr nsslapd-cachesize [25/May/2023:20:38:08.828147422 +0000] - INFO - ldbm_instance_config_set - instance: userRoot attr nsslapd-cachememsize [25/May/2023:20:38:08.830689678 +0000] - INFO - ldbm_instance_config_set - instance: userRoot attr nsslapd-readonly [25/May/2023:20:38:08.832725468 +0000] - INFO - ldbm_instance_config_set - instance: userRoot attr nsslapd-require-index [25/May/2023:20:38:08.834666098 +0000] - INFO - ldbm_instance_config_set - instance: userRoot attr nsslapd-require-internalop-index [25/May/2023:20:38:08.836658115 +0000] - INFO - ldbm_instance_config_set - instance: userRoot attr nsslapd-dncachememsize [25/May/2023:20:38:08.838859671 +0000] - INFO - ldbm_instance_config_set - instance: userRoot attr nsslapd-directory [25/May/2023:20:38:08.843583015 +0000] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000 [25/May/2023:20:38:08.845746619 +0000] - INFO - ldbm_instance_config_set - instance: ipaca attr nsslapd-cachesize [25/May/2023:20:38:08.847696185 +0000] - INFO - ldbm_instance_config_set - instance: ipaca attr nsslapd-cachememsize [25/May/2023:20:38:08.850034512 +0000] - INFO - ldbm_instance_config_set - instance: ipaca attr nsslapd-readonly [25/May/2023:20:38:08.852052299 +0000] - INFO - ldbm_instance_config_set - instance: ipaca attr nsslapd-require-index [25/May/2023:20:38:08.854005963 +0000] - INFO - ldbm_instance_config_set - instance: ipaca attr nsslapd-require-internalop-index [25/May/2023:20:38:08.855960008 +0000] - INFO - ldbm_instance_config_set - instance: ipaca attr nsslapd-dncachememsize [25/May/2023:20:38:08.858087924 +0000] - INFO - ldbm_instance_config_set - instance: ipaca attr nsslapd-directory [25/May/2023:20:38:08.862288731 +0000] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000 [25/May/2023:20:38:08.864482192 +0000] - INFO - ldbm_instance_config_set - instance: changelog attr nsslapd-cachesize [25/May/2023:20:38:08.866449653 +0000] - INFO - ldbm_instance_config_set - instance: changelog attr nsslapd-cachememsize [25/May/2023:20:38:08.868618397 +0000] - INFO - ldbm_instance_config_set - instance: changelog attr nsslapd-readonly [25/May/2023:20:38:08.870625282 +0000] - INFO - ldbm_instance_config_set - instance: changelog attr nsslapd-require-index [25/May/2023:20:38:08.872589927 +0000] - INFO - ldbm_instance_config_set - instance: changelog attr nsslapd-require-internalop-index [25/May/2023:20:38:08.874549833 +0000] - INFO - ldbm_instance_config_set - instance: changelog attr nsslapd-dncachememsize [25/May/2023:20:38:08.876699000 +0000] - INFO - ldbm_instance_config_set - instance: changelog attr nsslapd-directory [25/May/2023:20:38:08.880669548 +0000] - NOTICE - bdb_start_autotune - found 32506232k physical memory [25/May/2023:20:38:08.882702473 +0000] - NOTICE - bdb_start_autotune - found 28174216k available [25/May/2023:20:38:08.884678500 +0000] - NOTICE - bdb_start_autotune - cache autosizing: db cache: 1572864k [25/May/2023:20:38:08.886641071 +0000] - NOTICE - bdb_start_autotune - cache autosizing: userRoot entry cache (3 total): 2031616k [25/May/2023:20:38:08.889062407 +0000] - NOTICE - bdb_start_autotune - cache autosizing: userRoot dn cache (3 total): 262144k [25/May/2023:20:38:08.891234948 +0000] - NOTICE - bdb_start_autotune - cache autosizing: ipaca entry cache (3 total): 2031616k [25/May/2023:20:38:08.893482262 +0000] - NOTICE - bdb_start_autotune - cache autosizing: ipaca dn cache (3 total): 262144k [25/May/2023:20:38:08.895602163 +0000] - NOTICE - bdb_start_autotune - cache autosizing: changelog entry cache (3 total): 2031616k [25/May/2023:20:38:08.897693539 +0000] - NOTICE - bdb_start_autotune - cache autosizing: changelog dn cache (3 total): 262144k [25/May/2023:20:38:08.899736183 +0000] - NOTICE - bdb_start_autotune - total cache size: 8657043456 B; [25/May/2023:20:38:08.901810216 +0000] - ERR - bdb_version_write - Could not open file "/var/lib/dirsrv/slapd-MINE-PRIV/db/DBVERSION" for writing Netscape Portable Runtime -5966 (Access Denied.) [25/May/2023:20:38:08.903797254 +0000] - ERR - mkdir_p - /var/lib/dirsrv: error -5943 (Cannot create or rename a filename that already exists.) [25/May/2023:20:38:08.905887528 +0000] - CRIT - bdb_start - Can't start because the database directory "/var/lib/dirsrv/slapd-MINE-PRIV/db" either doesn't exist, or is not accessible [25/May/2023:20:38:08.907883443 +0000] - ERR - ldbm_back_start - Failed to init database, err=-1 Unexpected dbimpl error code [25/May/2023:20:38:08.909873536 +0000] - ERR - plugin_dependency_startall - Failed to start database plugin ldbm database [25/May/2023:20:38:08.912185504 +0000] - ERR - schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup! [25/May/2023:20:38:08.914588354 +0000] - CRIT - dblayer_setup - dblayer_init failed [25/May/2023:20:38:08.916582074 +0000] - ERR - ldbm_back_start - Failed to setup dblayer [25/May/2023:20:38:08.918659775 +0000] - ERR - plugin_dependency_startall - Failed to start database plugin ldbm database [25/May/2023:20:38:08.920651491 +0000] - ERR - plugin_dependency_startall - Failed to resolve plugin dependencies [25/May/2023:20:38:08.922769498 +0000] - ERR - plugin_dependency_startall - betxnpreoperation plugin 7-bit check is not started [25/May/2023:20:38:08.924779700 +0000] - ERR - plugin_dependency_startall - preoperation plugin Account Usability Plugin is not started [25/May/2023:20:38:08.926780244 +0000] - ERR - plugin_dependency_startall - accesscontrol plugin ACL Plugin is not started [25/May/2023:20:38:08.928838868 +0000] - ERR - plugin_dependency_startall - preoperation plugin ACL preoperation is not started [25/May/2023:20:38:08.930855532 +0000] - ERR - plugin_dependency_startall - betxnpreoperation plugin Auto Membership Plugin is not started [25/May/2023:20:38:08.932879861 +0000] - ERR - plugin_dependency_startall - preoperation plugin caacl name uniqueness is not started [25/May/2023:20:38:08.934954846 +0000] - ERR - plugin_dependency_startall - preoperation plugin certificate store issuer/serial uniqueness is not started [25/May/2023:20:38:08.936969697 +0000] - ERR - plugin_dependency_startall - preoperation plugin certificate store subject uniqueness is not started [25/May/2023:20:38:08.939096711 +0000] - ERR - plugin_dependency_startall - object plugin Class of Service is not started [25/May/2023:20:38:08.941113295 +0000] - ERR - plugin_dependency_startall - object plugin Content Synchronization is not started [25/May/2023:20:38:08.943127434 +0000] - ERR - plugin_dependency_startall - preoperation plugin deref is not started [25/May/2023:20:38:08.945181109 +0000] - ERR - plugin_dependency_startall - bepreoperation plugin Distributed Numeric Assignment Plugin is not started [25/May/2023:20:38:08.947196180 +0000] - ERR - plugin_dependency_startall - preoperation plugin IPA DNS is not started [25/May/2023:20:38:08.949205500 +0000] - ERR - plugin_dependency_startall - object plugin IPA Graceperiod is not started [25/May/2023:20:38:08.951276348 +0000] - ERR - plugin_dependency_startall - object plugin IPA Lockout is not started [25/May/2023:20:38:08.953303542 +0000] - ERR - plugin_dependency_startall - betxnpostoperation plugin IPA MODRDN is not started [25/May/2023:20:38:08.955319695 +0000] - ERR - plugin_dependency_startall - preoperation plugin IPA OTP Counter is not started [25/May/2023:20:38:08.957401373 +0000] - ERR - plugin_dependency_startall - preoperation plugin IPA OTP Last Token is not started [25/May/2023:20:38:08.959428697 +0000] - ERR - plugin_dependency_startall - preoperation plugin IPA Range-Check is not started [25/May/2023:20:38:08.961479948 +0000] - ERR - plugin_dependency_startall - postoperation plugin IPA SIDGEN is not started [25/May/2023:20:38:08.963520437 +0000] - ERR - plugin_dependency_startall - object plugin IPA Topology Configuration is not started [25/May/2023:20:38:08.965548823 +0000] - ERR - plugin_dependency_startall - preoperation plugin IPA UUID is not started [25/May/2023:20:38:08.967588822 +0000] - ERR - plugin_dependency_startall - preoperation plugin IPA Version Replication is not started [25/May/2023:20:38:08.969640553 +0000] - ERR - plugin_dependency_startall - preoperation plugin ipa-winsync is not started [25/May/2023:20:38:08.971679109 +0000] - ERR - plugin_dependency_startall - extendedop plugin ipa_enrollment_extop is not started [25/May/2023:20:38:08.973720600 +0000] - ERR - plugin_dependency_startall - extendedop plugin ipa_extdom_extop is not started [25/May/2023:20:38:08.975765037 +0000] - ERR - plugin_dependency_startall - extendedop plugin ipa_pwd_extop is not started [25/May/2023:20:38:08.977817560 +0000] - ERR - plugin_dependency_startall - preoperation plugin ipaSubordinateIdEntry ipaOwner uniqueness is not started [25/May/2023:20:38:08.979867658 +0000] - ERR - plugin_dependency_startall - preoperation plugin ipaUniqueID uniqueness is not started [25/May/2023:20:38:08.981913688 +0000] - ERR - plugin_dependency_startall - preoperation plugin krbCanonicalName uniqueness is not started [25/May/2023:20:38:08.983974386 +0000] - ERR - plugin_dependency_startall - preoperation plugin krbPrincipalName uniqueness is not started [25/May/2023:20:38:08.986051896 +0000] - ERR - plugin_dependency_startall - database plugin ldbm database is not started [25/May/2023:20:38:08.988109989 +0000] - ERR - plugin_dependency_startall - betxnpreoperation plugin Linked Attributes is not started [25/May/2023:20:38:08.990170186 +0000] - ERR - plugin_dependency_startall - betxnpreoperation plugin Managed Entries is not started [25/May/2023:20:38:08.992227157 +0000] - ERR - plugin_dependency_startall - betxnpostoperation plugin MemberOf Plugin is not started [25/May/2023:20:38:08.994270532 +0000] - ERR - plugin_dependency_startall - object plugin Multisupplier Replication Plugin is not started [25/May/2023:20:38:08.996345598 +0000] - ERR - plugin_dependency_startall - preoperation plugin netgroup uniqueness is not started [25/May/2023:20:38:08.998405354 +0000] - ERR - plugin_dependency_startall - betxnpostoperation plugin referential integrity postoperation is not started [25/May/2023:20:38:09.000484848 +0000] - ERR - plugin_dependency_startall - object plugin Retro Changelog Plugin is not started [25/May/2023:20:38:09.002615038 +0000] - ERR - plugin_dependency_startall - object plugin Roles Plugin is not started [25/May/2023:20:38:09.004668452 +0000] - ERR - plugin_dependency_startall - preoperation plugin sudorule name uniqueness is not started [25/May/2023:20:38:09.006728329 +0000] - ERR - plugin_dependency_startall - preoperation plugin uid uniqueness is not started [25/May/2023:20:38:09.008808835 +0000] - ERR - plugin_dependency_startall - object plugin USN is not started [25/May/2023:20:38:09.010895272 +0000] - ERR - plugin_dependency_startall - object plugin Views is not started [25/May/2023:20:38:09.012962683 +0000] - ERR - plugin_dependency_startall - extendedop plugin whoami is not started dirsrv(a)MINE-PRIV.service: Main process exited, code=exited, status=1/FAILURE dirsrv(a)MINE-PRIV.service: Failed with result 'exit-code'. Failed to start 389 Directory Server MINE-PRIV..

2 days

2
2
0 / 0

Fwd: Problem with replica installation 4.10.1

by Jakub Werwiński

I tried with the --skip-conncheck option, however the same error (-11) every time. The firewall was disabled and also tested. error on replica /var/log/dirsrv/slapd-MY.DOMAIN.COM/error [25/May/2023:15:18:45.460057564 +0200] - ERR - NSMMReplicationPlugin - update_consumer_schema - [S] Schema agmt="cn= meTofreeipa-replica.mydomain.com" (freeipa-replica:389) must not be overwritten (set replication log for additional info) [25/May/2023:15:18:46.104681271 +0200] - INFO - NSMMReplicationPlugin - repl5_tot_run - Beginning total update of replica "agmt="cn=meTofreeipa-mydomain.com" (freeipa-replica:389)". [25/May/2023:15:18:58.638287655 +0200] - ERR - NSMMReplicationPlugin - repl5_tot_log_operation_failure - agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389): Received error -1 (Can't contact LDAP server): for total update operation [25/May/2023:15:18:58.640550244 +0200] - ERR - NSMMReplicationPlugin - release_replica - agmt="cn= meTofreeipa-replica.mydomain.com" (freeipa-replica:389): Unable to send endReplication extended operation (Can't contact LDAP server) [25/May/2023:15:18:58.642048003 +0200] - ERR - NSMMReplicationPlugin - repl5_tot_run - Total update failed for replica "agmt="cn= meTofreeipa-replica.mydomain.com" (freeipa-replica:389)", error (-11) [25/May/2023:15:18:58.659305226 +0200] - INFO - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389): Replication bind with GSSAPI auth resumed [25/May/2023:15:18:59.607038328 +0200] - WARN - NSMMReplicationPlugin - repl5_inc_run - agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [25/May/2023:15:19:02.995509460 +0200] - WARN - NSMMReplicationPlugin - repl5_inc_run - agmt="cn= meTofreeipa-replica.mydomain.com" (freeipa-replica:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. czw., 25 maj 2023 o 09:46 Florence Blanc-Renaud <flo(a)redhat.com> napisał(a): > Hi, > > replica installation failures are often related to either a wrong DNS > configuration or firewall preventing the communication. > Did you run ipa-replica-installation with or without the option > --skip-conncheck? Without the option you may have some hints if the issue > is related to the firewall. > You can find more info in Host name and DNS requirements for IdM [1] and > Opening the ports required by IdM [2]. > > The timestamp for replica installation is 2023-05-24T*10:15:04Z* but the > master logs don't match (24/May/2023:*11:47:29.382502138 +0200*). > Difficult to draw any conclusion with that, do you have the master logs > from the same time? > > flo > > [1] > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/... > [2] > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/... > > > On Wed, May 24, 2023 at 12:34 PM Jakub Werwiński via FreeIPA-users < > freeipa-users(a)lists.fedorahosted.org> wrote: > >> Hi i have problem with freeipa replica installation log: >> >> Starting replication, please wait until this has completed. >> Update in progress, 12 seconds elapsed >> [ldap://freeipa.mydomain.com:389] reports: Update failed! Status: [Error >> (-11) connection error: Unknown connection error (-11) - Total update >> aborted] >> >> [error] RuntimeError: Failed to start replication >> Your system may be partly configured. >> Run /usr/sbin/ipa-server-install --uninstall to clean up. >> >> Failed to start replication >> The ipa-replica-install command failed. See >> /var/log/ipareplica-install.log for more information >> >> >> >> ---------------------------------------- var/log/ipareplica-install.log >> ------------------------------------------------------- >> >> 2023-05-24T10:14:50Z DEBUG Waiting up to 300 seconds for replication >> (ldapi://%2Frun%2Fslapd-MY-DOMAIN.COM.socket) cn=meTofreeipa.mydomain.com,cn=replica,cn=dc\=xxx-poland\,dc\=com\,dc\=pl,cn=mapping >> tree,cn=config (objectclass=*) >> 2023-05-24T10:14:50Z DEBUG Entry found [LDAPEntry(ipapython.dn.DN('cn= >> meTofreeipa.mydomain.com,cn=replica,cn=dc\=xxx-com\,dc\=com\,dc\=pl,cn=mapping >> tree,cn=config'), {'objectClass': [b'nsds5replicationagreement', b'top'], >> 'cn': [b'meTofreeipa.mydomain.com'], 'nsDS5ReplicaHost': [b' >> freeipa.mydomain.com'], 'nsDS5ReplicaPort': [b'389'], >> 'nsds5replicaTimeout': [b'120'], 'nsDS5ReplicaRoot': >> [b'dc=mydomain,dc=com,dc=pl'], 'description': [b'me to >> freeipa.mydomain.com'], 'nsDS5ReplicatedAttributeList': >> [b'(objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn >> krblastsuccessfulauth krblastfailedauth krbloginfailedcount >> passwordgraceusertime'], 'nsDS5ReplicaTransportInfo': [b'LDAP'], >> 'nsDS5ReplicaBindMethod': [b'SASL/GSSAPI'], 'nsds5ReplicaStripAttrs': >> [b'modifiersName modifyTimestamp internalModifiersName >> internalModifyTimestamp'], 'nsDS5ReplicatedAttributeListTotal': >> [b'(objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth >> krblastfailedauth krbloginfailedcount passwordgraceusertime'], >> 'nsds5replicareapactive': [b'0'], 'nsds5replicaLastUpdateStart': >> [b'19700101000000Z'], 'nsds5replicaLastUpdateEnd': [b'19700101000000Z'], >> 'nsds5replicaChangesSentSinceStartup': [b''], >> 'nsds5replicaLastUpdateStatus': [b'Error (0) No replication sessions >> started since server startup'], 'nsds5replicaLastUpdateStatusJSON': >> [b'{"state": "green", "ldap_rc": "0", "ldap_rc_text": "success", "repl_rc": >> "0", "repl_rc_text": "replica acquired", "date": "2023-05-24T10:14:50Z", >> "message": "Error (0) No replication sessions started since server >> startup"}'], 'nsds5replicaUpdateInProgress': [b'FALSE'], >> 'nsds5replicaLastInitStart': [b'19700101000000Z'], >> 'nsds5replicaLastInitEnd': [b'19700101000000Z']})] >> 2023-05-24T10:15:04Z DEBUG Traceback (most recent call last): >> File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", >> line 686, in start_creation >> run_step(full_msg, method) >> File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", >> line 672, in run_step >> method() >> File >> "/usr/lib/python3.9/site-packages/ipaserver/install/dsinstance.py", line >> 430, in __setup_replica >> repl.setup_promote_replication( >> File >> "/usr/lib/python3.9/site-packages/ipaserver/install/replication.py", line >> 1930, in setup_promote_replication >> raise RuntimeError("Failed to start replication") >> RuntimeError: Failed to start replication >> >> 2023-05-24T10:15:04Z DEBUG [error] RuntimeError: Failed to start >> replication >> 2023-05-24T10:15:04Z DEBUG Destroyed connection >> context.ldap2_140645096151696 >> 2023-05-24T10:15:04Z DEBUG Backing up system configuration file >> '/etc/ipa/default.conf' >> 2023-05-24T10:15:04Z DEBUG Saving Index File to >> '/var/lib/ipa/sysrestore/sysrestore.index' >> 2023-05-24T10:15:04Z DEBUG Writing configuration file >> /etc/ipa/default.conf >> 2023-05-24T10:15:04Z DEBUG [global] >> basedn = dc=mydomain,dc=com,dc=pl >> host = freeipa-replica.mydomain.com >> realm = My.REALM.COM >> domain = mydomain.com >> xmlrpc_uri = https://freeipa-replica.mydomain.com/ipa/xml >> ldap_uri = ldapi://%2Frun%2Fslapd-MY-DOMAIN-COM.socket >> mode = production >> enable_ra = True >> ra_plugin = dogtag >> dogtag_version = 10 >> ca_host = freeipa.mydomain.com >> >> >> >> 2023-05-24T10:15:04Z DEBUG File >> "/usr/lib/python3.9/site-packages/ipapython/admintool.py", line 180, in >> execute >> return_value = self.run() >> File "/usr/lib/python3.9/site-packages/ipapython/install/cli.py", line >> 344, in run >> return cfgr.run() >> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line >> 360, in run >> return self.execute() >> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line >> 386, in execute >> for rval in self._executor(): >> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line >> 431, in __runner >> exc_handler(exc_info) >> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line >> 460, in _handle_execute_exception >> self._handle_exception(exc_info) >> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line >> 450, in _handle_exception >> six.reraise(*exc_info) >> File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise >> raise value >> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line >> 421, in __runner >> step() >> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line >> 418, in <lambda> >> step = lambda: next(self.__gen) >> File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line >> 81, in run_generator_with_yield_from >> six.reraise(*exc_info) >> File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise >> raise value >> File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line >> 59, in run_generator_with_yield_from >> value = gen.send(prev_value) >> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line >> 655, in _configure >> next(executor) >> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line >> 431, in __runner >> exc_handler(exc_info) >> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line >> 460, in _handle_execute_exception >> self._handle_exception(exc_info) >> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line >> 518, in _handle_exception >> self.__parent._handle_exception(exc_info) >> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line >> 450, in _handle_exception >> six.reraise(*exc_info) >> File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise >> raise value >> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line >> 515, in _handle_exception >> super(ComponentBase, self)._handle_exception(exc_info) >> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line >> 450, in _handle_exception >> six.reraise(*exc_info) >> File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise >> raise value >> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line >> 421, in __runner >> step() >> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line >> 418, in <lambda> >> step = lambda: next(self.__gen) >> File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line >> 81, in run_generator_with_yield_from >> six.reraise(*exc_info) >> File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise >> raise value >> File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line >> 59, in run_generator_with_yield_from >> value = gen.send(prev_value) >> File "/usr/lib/python3.9/site-packages/ipapython/install/common.py", >> line 65, in _install >> for unused in self._installer(self.parent): >> File >> "/usr/lib/python3.9/site-packages/ipaserver/install/server/__init__.py", >> line 599, in main >> replica_install(self) >> File >> "/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py", >> line 401, in decorated >> func(installer) >> File >> "/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py", >> line 1267, in install >> ds = install_replica_ds(config, options, ca_enabled, >> File >> "/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py", >> line 100, in install_replica_ds >> ds.create_replica( >> File >> "/usr/lib/python3.9/site-packages/ipaserver/install/dsinstance.py", line >> 398, in create_replica >> self.start_creation(runtime=30) >> File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", >> line 686, in start_creation >> run_step(full_msg, method) >> File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", >> line 672, in run_step >> method() >> File >> "/usr/lib/python3.9/site-packages/ipaserver/install/dsinstance.py", line >> 430, in __setup_replica >> repl.setup_promote_replication( >> File >> "/usr/lib/python3.9/site-packages/ipaserver/install/replication.py", line >> 1930, in setup_promote_replication >> raise RuntimeError("Failed to start replication") >> >> 2023-05-24T10:15:04Z DEBUG The ipa-replica-install command failed, >> exception: RuntimeError: Failed to start replication >> 2023-05-24T10:15:04Z ERROR Failed to start replication >> 2023-05-24T10:15:04Z ERROR The ipa-replica-install command failed. See >> /var/log/ipareplica-install.log for more information >> >> ---------------------------------------- master: /var/log/dirsrv/slapd-MY- >> DOMAIN.COM/error ------------------------------------------------------- >> >> [24/May/2023:11:47:02.653622389 +0200] - ERR - NSMMReplicationPlugin - >> bind_and_check_pwp - agmt="cn=meTofreeipa-replica.mydomain.com" >> (freeipa-replica:389) - Replication bind >> with GSSAPI auth failed: LDAP error 49 (Invalid >> credentials) () >> [24/May/2023:11:47:08.700315039 +0200] - ERR - NSMMReplicationPlugin - >> bind_and_check_pwp - agmt="cn=meTofreeipa-replica.mydomain.com" >> (freeipa-replica:389) - Replication bind >> with GSSAPI auth failed: LDAP error -1 (Can't contact >> LDAP server) () >> [24/May/2023:11:47:16.774918557 +0200] - INFO - NSMMReplicationPlugin - >> bind_and_check_pwp - agmt="cn=meTofreeipa-replica.mydomain.com" >> (freeipa-replica:389): Replication bind >> with GSSAPI auth resumed >> [24/May/2023:11:47:17.035351907 +0200] - INFO - NSMMReplicationPlugin - >> repl5_tot_run - Beginning total update of replica "agmt="cn= >> meTofreeipa-replica.mydomain.com" (freeipa-r >> eplica:389)". >> [24/May/2023:11:47:29.357889007 +0200] - ERR - NSMMReplicationPlugin - >> repl5_tot_log_operation_failure - agmt="cn= >> meTofreeipa-replica.mydomain.com" (freeipa-replica:389): Recei >> ved error -1 (Can't contact >> LDAP server): for total update operation >> [24/May/2023:11:47:29.361891385 +0200] - ERR - NSMMReplicationPlugin - >> release_replica - agmt="cn=meTofreeipa-replica.mydomain.com" >> (freeipa-replica:389): Unable to send endRep >> lication extended operation (Can't contact LDAP >> server) >> [24/May/2023:11:47:29.363050079 +0200] - ERR - NSMMReplicationPlugin - >> repl5_tot_run - Total update failed for replica "agmt="cn= >> meTofreeipa-replica.mydomain.com" (freeipa-repl >> ica:389)", error (-11) >> [24/May/2023:11:47:29.382502138 +0200] - INFO - NSMMReplicationPlugin - >> bind_and_check_pwp - agmt="cn=meTofreeipa-replica.mydomain.com" >> (freeipa-replica:389): Replication bind >> with GSSAPI auth resumed >> >> >> ---------------------------------------- About system >> ------------------------------------------------------- >> Mater and Replica: >> Os: Rocky Linux 9.2 >> IPA: 4.10.1 >> _______________________________________________ >> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org >> To unsubscribe send an email to >> freeipa-users-leave(a)lists.fedorahosted.org >> Fedora Code of Conduct: >> https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >> List Archives: >> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... >> Do not reply to spam, report it: >> https://pagure.io/fedora-infrastructure/new_issue >> >

2 days, 6 hours

1
0
0 / 0

'del' removes replica/tion but keeps all DNS record in - ?

by lejeczek

Hi guys. With a forceful removal of a replica with 'ipa-replica-manage' such replica/tion gets removed but all DNS records - of which 'ipa-healthcheck' complains - remain intact. Is that normal & expected? many thanks, L.

2 days, 17 hours

2
1
0 / 0

ipa: ERROR: No valid Negotiate header - from/in container replica

by lejeczek

Hi guys. This is my first trial/test of replicas in container - here I added a replica to already existing, bare-metal IPA domain, which otherwise works a okey - so numerous issues are possible. In container, only in this replica, I get: bash-5.1# ipa dnszone-find ipa: ERROR: No valid Negotiate header in server response What that is, might be, a symptom of? Where to go with troubleshooting? All thoughts share are much appreciated. many thanks, L.

3 days, 2 hours

1
1
0 / 0

Re: Can't add CA to replica - invalid 'cn': must be

by Nicholas Cross

Replying to myself here and asking additional questions. Knowing that the original issues were that 1. i could not conn-check successfully and 2. kinit. The kinit issue was fixed with the SID/PAC fix. i ran `ipa-ca-install --debug --skip-conncheck` just for the heck if it and it tells me it installed successfully. :tada: So my questions are, - Can we ignore the connection check failure, as we know it worked before any of the installs? - What issues might this cause in the future? - Is there anyway i could debug the connection check - Should i just ignore all of this and take the win? thanks everyone for your input. Nick

3 days, 4 hours

1
0
0 / 0

Problem with replica installation 4.10.1

by Jakub Werwiński

Hi i have problem with freeipa replica installation log: Starting replication, please wait until this has completed. Update in progress, 12 seconds elapsed [ldap://freeipa.mydomain.com:389] reports: Update failed! Status: [Error (-11) connection error: Unknown connection error (-11) - Total update aborted] [error] RuntimeError: Failed to start replication Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. Failed to start replication The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information ---------------------------------------- var/log/ipareplica-install.log ------------------------------------------------------- 2023-05-24T10:14:50Z DEBUG Waiting up to 300 seconds for replication (ldapi://%2Frun%2Fslapd-MY-DOMAIN.COM.socket) cn=meTofreeipa.mydomain.com,cn=replica,cn=dc\=xxx-poland\,dc\=com\,dc\=pl,cn=mapping tree,cn=config (objectclass=*) 2023-05-24T10:14:50Z DEBUG Entry found [LDAPEntry(ipapython.dn.DN('cn=meTofreeipa.mydomain.com,cn=replica,cn=dc\=xxx-com\,dc\=com\,dc\=pl,cn=mapping tree,cn=config'), {'objectClass': [b'nsds5replicationagreement', b'top'], 'cn': [b'meTofreeipa.mydomain.com'], 'nsDS5ReplicaHost': [b'freeipa.mydomain.com'], 'nsDS5ReplicaPort': [b'389'], 'nsds5replicaTimeout': [b'120'], 'nsDS5ReplicaRoot': [b'dc=mydomain,dc=com,dc=pl'], 'description': [b'me to freeipa.mydomain.com'], 'nsDS5ReplicatedAttributeList': [b'(objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount passwordgraceusertime'], 'nsDS5ReplicaTransportInfo': [b'LDAP'], 'nsDS5ReplicaBindMethod': [b'SASL/GSSAPI'], 'nsds5ReplicaStripAttrs': [b'modifiersName modifyTimestamp internalModifiersName internalModifyTimestamp'], 'nsDS5ReplicatedAttributeListTotal': [b'(objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount passwordgraceusertime'], 'nsds5replicareapactive': [b'0'], 'nsds5replicaLastUpdateStart': [b'19700101000000Z'], 'nsds5replicaLastUpdateEnd': [b'19700101000000Z'], 'nsds5replicaChangesSentSinceStartup': [b''], 'nsds5replicaLastUpdateStatus': [b'Error (0) No replication sessions started since server startup'], 'nsds5replicaLastUpdateStatusJSON': [b'{"state": "green", "ldap_rc": "0", "ldap_rc_text": "success", "repl_rc": "0", "repl_rc_text": "replica acquired", "date": "2023-05-24T10:14:50Z", "message": "Error (0) No replication sessions started since server startup"}'], 'nsds5replicaUpdateInProgress': [b'FALSE'], 'nsds5replicaLastInitStart': [b'19700101000000Z'], 'nsds5replicaLastInitEnd': [b'19700101000000Z']})] 2023-05-24T10:15:04Z DEBUG Traceback (most recent call last): File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 686, in start_creation run_step(full_msg, method) File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 672, in run_step method() File "/usr/lib/python3.9/site-packages/ipaserver/install/dsinstance.py", line 430, in __setup_replica repl.setup_promote_replication( File "/usr/lib/python3.9/site-packages/ipaserver/install/replication.py", line 1930, in setup_promote_replication raise RuntimeError("Failed to start replication") RuntimeError: Failed to start replication 2023-05-24T10:15:04Z DEBUG [error] RuntimeError: Failed to start replication 2023-05-24T10:15:04Z DEBUG Destroyed connection context.ldap2_140645096151696 2023-05-24T10:15:04Z DEBUG Backing up system configuration file '/etc/ipa/default.conf' 2023-05-24T10:15:04Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index' 2023-05-24T10:15:04Z DEBUG Writing configuration file /etc/ipa/default.conf 2023-05-24T10:15:04Z DEBUG [global] basedn = dc=mydomain,dc=com,dc=pl host = freeipa-replica.mydomain.com realm = My.REALM.COM domain = mydomain.com xmlrpc_uri = https://freeipa-replica.mydomain.com/ipa/xml ldap_uri = ldapi://%2Frun%2Fslapd-MY-DOMAIN-COM.socket mode = production enable_ra = True ra_plugin = dogtag dogtag_version = 10 ca_host = freeipa.mydomain.com 2023-05-24T10:15:04Z DEBUG File "/usr/lib/python3.9/site-packages/ipapython/admintool.py", line 180, in execute return_value = self.run() File "/usr/lib/python3.9/site-packages/ipapython/install/cli.py", line 344, in run return cfgr.run() File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 360, in run return self.execute() File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 386, in execute for rval in self._executor(): File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 431, in __runner exc_handler(exc_info) File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception self._handle_exception(exc_info) File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 450, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise raise value File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 421, in __runner step() File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 418, in <lambda> step = lambda: next(self.__gen) File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise raise value File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 655, in _configure next(executor) File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 431, in __runner exc_handler(exc_info) File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception self._handle_exception(exc_info) File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 518, in _handle_exception self.__parent._handle_exception(exc_info) File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 450, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise raise value File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 515, in _handle_exception super(ComponentBase, self)._handle_exception(exc_info) File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 450, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise raise value File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 421, in __runner step() File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 418, in <lambda> step = lambda: next(self.__gen) File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise raise value File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python3.9/site-packages/ipapython/install/common.py", line 65, in _install for unused in self._installer(self.parent): File "/usr/lib/python3.9/site-packages/ipaserver/install/server/__init__.py", line 599, in main replica_install(self) File "/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py", line 401, in decorated func(installer) File "/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py", line 1267, in install ds = install_replica_ds(config, options, ca_enabled, File "/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py", line 100, in install_replica_ds ds.create_replica( File "/usr/lib/python3.9/site-packages/ipaserver/install/dsinstance.py", line 398, in create_replica self.start_creation(runtime=30) File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 686, in start_creation run_step(full_msg, method) File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 672, in run_step method() File "/usr/lib/python3.9/site-packages/ipaserver/install/dsinstance.py", line 430, in __setup_replica repl.setup_promote_replication( File "/usr/lib/python3.9/site-packages/ipaserver/install/replication.py", line 1930, in setup_promote_replication raise RuntimeError("Failed to start replication") 2023-05-24T10:15:04Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: Failed to start replication 2023-05-24T10:15:04Z ERROR Failed to start replication 2023-05-24T10:15:04Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information ---------------------------------------- master: /var/log/dirsrv/slapd-MY-DOMAIN.COM/error ------------------------------------------------------- [24/May/2023:11:47:02.653622389 +0200] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389) - Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) () [24/May/2023:11:47:08.700315039 +0200] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389) - Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) () [24/May/2023:11:47:16.774918557 +0200] - INFO - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389): Replication bind with GSSAPI auth resumed [24/May/2023:11:47:17.035351907 +0200] - INFO - NSMMReplicationPlugin - repl5_tot_run - Beginning total update of replica "agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-r eplica:389)". [24/May/2023:11:47:29.357889007 +0200] - ERR - NSMMReplicationPlugin - repl5_tot_log_operation_failure - agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389): Recei ved error -1 (Can't contact LDAP server): for total update operation [24/May/2023:11:47:29.361891385 +0200] - ERR - NSMMReplicationPlugin - release_replica - agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389): Unable to send endRep lication extended operation (Can't contact LDAP server) [24/May/2023:11:47:29.363050079 +0200] - ERR - NSMMReplicationPlugin - repl5_tot_run - Total update failed for replica "agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-repl ica:389)", error (-11) [24/May/2023:11:47:29.382502138 +0200] - INFO - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meTofreeipa-replica.mydomain.com" (freeipa-replica:389): Replication bind with GSSAPI auth resumed ---------------------------------------- About system ------------------------------------------------------- Mater and Replica: Os: Rocky Linux 9.2 IPA: 4.10.1

3 days, 5 hours

2
1
0 / 0

Re: Can't add CA to replica - invalid 'cn': must be

by Nicholas Cross

Sorry i added far too much there. here is a slightly less when i grep for my name [root@ipa011 ~]# tail -f /var/log/krb5kdc.log | grep nicholas May 23 10:55:47 ipa011.ad.companyx.fm krb5kdc[4304](info): AS_REQ (4 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17)}) 10.32.225.7: NEEDED_PREAUTH: nicholas.cross(a)AD.companyx.FM for krbtgt/ AD.companyx.FM(a)AD.companyx.FM, Additional pre-authentication required May 23 10:55:56 ipa011.ad.companyx.fm krb5kdc[4304](info): AS_REQ (4 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17)}) 10.32.225.7: HANDLE_AUTHDATA: nicholas.cross(a)AD.companyx.FM for krbtgt/ AD.companyx.FM(a)AD.companyx.FM, No such file or directory I'm guessing it's this? nicholas.cross(a)AD.companyx.FM for krbtgt/AD.companyx.FM(a)AD.companyx.FM, No such file or directory

4 days, 2 hours

2
4
0 / 0

ACME service is disabled

by Georgy Safronov

Hello! On one of our ipa masters (alma9.2, ipa 4.10.1, CA renewal master) we have some problems with pki-tomcat, on neighbour master (alma9.2, ipa 4.10.1, ca role) there are no same problems. ipactl status and ipa-healthcheck reports all ok, restarting of services also goes normally. But in pki debug log have some flood about java exeption: [root@dc1 ~]# tail -n 57 /var/log/pki/pki-tomcat/pki/debug.2023-05-23.log 2023-05-23 14:30:21 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-2] ERROR: RESTEASY002010: Failed to execute javax.ws.rs.ServiceUnavailableException: ACME service is disabled at org.dogtagpki.acme.server.ACMERequestFilter.filter(ACMERequestFilter.java:48) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:263) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:764) at jdk.internal.reflect.GeneratedMethodAccessor49.invoke(Unknown Source) at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.base/java.lang.reflect.Method.invoke(Method.java:568) at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:280) at java.base/java.security.AccessController.doPrivileged(AccessController.java:712) at java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:584) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:311) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:222) at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:146) at java.base/java.security.AccessController.doPrivileged(AccessController.java:569) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53) at jdk.internal.reflect.GeneratedMethodAccessor51.invoke(Unknown Source) at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.base/java.lang.reflect.Method.invoke(Method.java:568) at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:280) at java.base/java.security.AccessController.doPrivileged(AccessController.java:712) at java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:584) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:311) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:188) at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:146) at java.base/java.security.AccessController.doPrivileged(AccessController.java:569) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:542) at com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:83) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:687) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:357) at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:433) at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:893) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1724) at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.base/java.lang.Thread.run(Thread.java:833) Also have some flood in systemctl status pki-tomcatd(a)pki-tomcat.service like: [root@dc1 ~]# journalctl -u pki-tomcatd(a)pki-tomcat.service --no-pager|tail -n 4 May 23 14:30:17 dc1.id.netrika server[4743]: WARNING: The SHA-1 algorithm used in org.mozilla.jss.netscape.security.util.CertPrettyPrint::X509toString:329 is deprecated. Use a more secure algorithm. May 23 14:30:17 dc1.id.netrika server[4743]: WARNING: The MD2 algorithm used in org.mozilla.jss.netscape.security.util.CertPrettyPrint::X509toString:329 is deprecated. Use a more secure algorithm. May 23 14:30:17 dc1.id.netrika server[4743]: WARNING: The MD5 algorithm used in org.mozilla.jss.netscape.security.util.CertPrettyPrint::X509toString:329 is deprecated. Use a more secure algorithm. May 23 14:30:17 dc1.id.netrika server[4743]: WARNING: The SHA-1 algorithm used in org.mozilla.jss.netscape.security.util.CertPrettyPrint::X509toString:329 is deprecated. Use a more secure algorithm. What could be the reason for these messages? And how to fix it? Thank you in advance!

4 days, 21 hours

2
1
0 / 0

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users May 2023