On 08/07/2017 07:01 PM, Gustavo Berman via FreeIPA-users wrote:
Hello Pavel

On Mon, Aug 7, 2017 at 12:40 PM, Pavel Vomacka <pvoma...@redhat.com <mailto:pvoma...@redhat.com>> wrote:

    Hello Gustavo,

    From what I can see, the issue would be PROTOCOL ERROR in whoami
    command. Could you please check whether all services running?
    Please run
    # ipactl status

    and post the output.

# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

    And please could you send me the /etc/named.conf? Especially
    everything after
     dyndb "ipa"
    line is interesting for us.

This is from /etc/named.conf

options {
        // turns on IPv6 for port 53, IPv4 is on by default for all ifaces
        listen-on-v6 {any;};

// Put files that named is allowed to write in the data/ directory:
        directory "/var/named"; // the default
        dump-file               "data/cache_dump.db";
        statistics-file "data/named_stats.txt";
        memstatistics-file "data/named_mem_stats.txt";

        forward only;
        forwarders {

        // Any host is permitted to issue recursive queries
        allow-recursion { any; };

        tkey-gssapi-keytab "/etc/named.keytab";
        pid-file "/run/named/named.pid";
        dnssec-enable yes;
        dnssec-validation no;
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";

/* If you want to enable debugging, eg. using the 'rndc trace' command,
* By default, SELinux policy does not allow named to modify the /var/named directory,
 * so put the default debug log file in data/ :
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
                print-time yes;

zone "." IN {
        type hint;
        file "named.ca <http://named.ca>";

include "/etc/named.rfc1912.zones";

dyndb "ipa" "/usr/lib64/bind/ldap.so" {
        uri "ldapi://%2fvar%2frun%2fslapd-FISICA-CABIB.socket";
        base "cn=dns, dc=fisica,dc=cabib";
        fake_mname "ipaserver.fisica.cabib.";
        auth_method "sasl";
        sasl_mech "GSSAPI";
        sasl_user "DNS/ipaserver.fisica.cabib";
        server_id "ipaserver.fisica.cabib";
include "/etc/named.root.key";

key "rndc-key" {
        algorithm hmac-md5;
        secret "#########################";

Thank you for the configuration. It looks good.

Another thing that might be incorrect is that the whoami plugin is not loaded. Please check whether you have following line:
dn: cn=whoami,cn=plugins,cn=config

in the /etc/dirsrv/slapd-IPASERVER-FISICA-CABIB/dse.ldif

If not please add there following lines (between double quotes and without them):

dn: cn=whoami,cn=plugins,cn=config
cn: whoami
nsslapd-plugin-depends-on-type: database
nsslapd-pluginDescription: whoami extended operation plugin
nsslapd-pluginEnabled: on
nsslapd-pluginId: whoami-plugin
nsslapd-pluginInitfunc: whoami_init
nsslapd-pluginPath: libwhoami-plugin
nsslapd-pluginType: extendedop
nsslapd-pluginVendor: 389 Project
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject

and change the nsslapd-pluginVersion value to the same as other plugins have.

Then you will probably need to restart ipa service or at least dirsrv.

Did that help?

Could you please tell us more about upgrade? Especially from which version did you upgrade to 4.5 and which OS do you use? Which version of IPA did you have when you started using IPA?

Gustavo Berman
Sysadmin - Gerencia de Física - Centro Atómico Bariloche - CNEA

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Pavel^3 Vomacka

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to