On Thu, 19 Oct 2017, Kees Bakker via FreeIPA-users wrote:
On 19-10-17 10:03, Kees Bakker via FreeIPA-users wrote:
On 18-10-17 22:57, Robbie Harwood wrote:
Kees Bakker writes:

Since I've setup a replica it gives errors like these:

[17/Oct/2017:11:36:55 +0200] slapd_ldap_sasl_interactive_bind - Error: could 
not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local 
error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  
Minor code may provide more information (Ticket expired)) errno 2 (No such file 
or directory)
Well, is the ticket expired?
Maybe. The message suggests it is. Which ticket is this, and how do I check the 
expiration?

Does the ticket even exist?
I would assume so. The replica seems to be working correctly, besides the
mentioned error messages.

And are the machine clocks synced?
Yes they are.

Perhaps the following is valuable information, perhaps not. The
installation failed at first due to a timeout problem. I've changed
the Python to increase the time, and after that the replica
installation succeeded. I'm able to connect to it (LDAP and web UI),
and new information entered in the master was replicated correctly.
But now I see some clients having Kerberos ticket problems, most
likely because they use the replica, which is not valid anymore.

Should I abandon the replica and reinstall it, and if so, how should I
do that (safely)?
If the replica is not able to bind correctly: yes, it needs to be
abandoned or fixed (someone else who knows should say more in this
area).

Thanks,
--Robbie
As mentioned above, it seems to function alright. It's just that
error message that worries me.

Now on the first master (rotte) there are similar error messages too, but the
other way around.

[18/Oct/2017:11:23:41 +0200] slapd_ldap_sasl_interactive_bind - Error: could 
not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local 
error) (SASL(-1): generic failure: GSSAPI Error: The referenced context has 
expired (Success)) errno 0 (Success)
[18/Oct/2017:11:23:41 +0200] slapi_ldap_bind - Error: could not perform 
interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local 
error)
[18/Oct/2017:11:23:41 +0200] NSMMReplicationPlugin - agmt="cn=meTolinge.ghs.nl" 
(linge:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) 
(SASL(-1): generic failure: GSSAPI Error: The referenced context has expired (Success))
[18/Oct/2017:11:23:45 +0200] slapd_ldap_sasl_interactive_bind - Error: could 
not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local 
error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  
Minor code may provide more information (Ticket expired)) errno 2 (No such file 
or directory)
[18/Oct/2017:11:23:45 +0200] slapd_ldap_sasl_interactive_bind - Error: could 
not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local 
error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  
Minor code may provide more information (Ticket expired)) errno 2 (No such file 
or directory)
[18/Oct/2017:11:23:45 +0200] slapi_ldap_bind - Error: could not perform 
interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local 
error)
[18/Oct/2017:11:23:51 +0200] slapd_ldap_sasl_interactive_bind - Error: could 
not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local 
error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  
Minor code may provide more information (Ticket expired)) errno 2 (No such file 
or directory)
[18/Oct/2017:11:23:51 +0200] slapd_ldap_sasl_interactive_bind - Error: could 
not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local 
error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  
Minor code may provide more information (Ticket expired)) errno 2 (No such file 
or directory)
[18/Oct/2017:11:23:51 +0200] slapi_ldap_bind - Error: could not perform 
interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local 
error)
[18/Oct/2017:11:24:03 +0200] slapd_ldap_sasl_interactive_bind - Error: could 
not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local 
error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  
Minor code may provide more information (Ticket expired)) errno 2 (No such file 
or directory)
[18/Oct/2017:11:24:03 +0200] slapd_ldap_sasl_interactive_bind - Error: could 
not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local 
error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  
Minor code may provide more information (Ticket expired)) errno 2 (No such file 
or directory)
[18/Oct/2017:11:24:03 +0200] slapi_ldap_bind - Error: could not perform 
interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local 
error)
[18/Oct/2017:11:24:27 +0200] NSMMReplicationPlugin - agmt="cn=meTolinge.ghs.nl" 
(linge:389): Replication bind with GSSAPI auth resumed

Again, I would really appreciate it if someone could hint at how to debug this.
For example, what commands can I use to check the connection (in both
directions)?
My understanding is that if you get the last message ("Replication bind
with GSSAPI auth resumed"), you don't need to worry about the ones
above. An intermittent expired-ticket issue is OK; the SASL GSSAPI
mechanism in Cyrus SASL will reacquire credentials after a few
attempts. Technically these could occur multiple times, depending on how
many threads are utilizing the same creds at the same time.

--
/ Alexander Bokovoy
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
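Added example (not code from the thread, from FreeIPA or from 389-ds): a small triage script that applies the rule of thumb given in the reply above. It re-joins the wrapped errors-log lines, counts the GSSAPI minor-status reasons ("Ticket expired" versus "The referenced context has expired"), pairs each "Replication bind with GSSAPI auth failed" with the later "... auth resumed" for the same agreement, and only raises an alert for an agreement that has stayed failed past a grace window. The sample log is constructed from the entries quoted in the thread; the second agreement name (cn=meToreplica2.example.test) and its host are made up to show the case that does merit attention.

```python
"""Triage GSSAPI replication-bind errors in a 389-ds errors log.

Added example, not code from the thread or from FreeIPA.  It applies the
rule of thumb from the reply above: a "Replication bind with GSSAPI auth
failed" entry only matters if no matching "... auth resumed" follows for
the same agreement.  It also reports how long each agreement was down.
"""
import re
from datetime import datetime, timedelta

# 389-ds errors-log timestamp, e.g. [18/Oct/2017:11:23:41 +0200]
_TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
_ENTRY_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<msg>.*)$")
_AGMT_RE = re.compile(
    r'NSMMReplicationPlugin - agmt="(?P<agmt>[^"]+)" \([^)]+\): '
    r"Replication bind with GSSAPI auth (?P<state>failed|resumed)"
)

# Constructed sample, modelled on the entries quoted in the thread and
# wrapped the way the mail client wrapped them.  The second agreement
# (cn=meToreplica2.example.test, host replica2) is made up and never resumes.
SAMPLE_LOG = """\
[18/Oct/2017:11:23:41 +0200] slapd_ldap_sasl_interactive_bind - Error: could
not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local
error) (SASL(-1): generic failure: GSSAPI Error: The referenced context has
expired (Success)) errno 0 (Success)
[18/Oct/2017:11:23:41 +0200] slapi_ldap_bind - Error: could not perform
interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local
error)
[18/Oct/2017:11:23:41 +0200] NSMMReplicationPlugin - agmt="cn=meTolinge.ghs.nl"
(linge:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error)
(SASL(-1): generic failure: GSSAPI Error: The referenced context has expired (Success))
[18/Oct/2017:11:23:45 +0200] slapd_ldap_sasl_interactive_bind - Error: could
not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local
error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
Minor code may provide more information (Ticket expired)) errno 2 (No such file
or directory)
[18/Oct/2017:11:24:27 +0200] NSMMReplicationPlugin - agmt="cn=meTolinge.ghs.nl"
(linge:389): Replication bind with GSSAPI auth resumed
[18/Oct/2017:11:30:00 +0200] NSMMReplicationPlugin - agmt="cn=meToreplica2.example.test"
(replica2:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error)
(SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may
provide more information (Ticket expired))
"""


def parse_entries(text):
    """Re-join wrapped continuation lines and return [(timestamp, message)]."""
    joined = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if _ENTRY_RE.match(line):
            joined.append(line)
        elif joined:
            joined[-1] += " " + line  # wrapped tail of the previous entry
    entries = []
    for line in joined:
        m = _ENTRY_RE.match(line)
        entries.append((datetime.strptime(m.group("ts"), _TS_FMT), m.group("msg")))
    return entries


def classify_reason(msg):
    """Bucket the GSSAPI minor-status text into the two kinds seen in the thread."""
    if "Ticket expired" in msg:
        return "ticket_expired"
    if "referenced context has expired" in msg:
        return "context_expired"
    return "other_gssapi"


def triage(text):
    """Summarise reason counts, recovered outages (seconds) and open failures."""
    reasons = {"ticket_expired": 0, "context_expired": 0, "other_gssapi": 0}
    open_failures = {}  # agmt -> timestamp of the first un-resumed failure
    recovered = []      # (agmt, outage_seconds)
    for ts, msg in parse_entries(text):
        # Count the SASL-level errors once; the NSMMReplicationPlugin line
        # repeats the same GSSAPI text and would double-count it.
        if "GSSAPI Error:" in msg and not msg.startswith("NSMMReplicationPlugin"):
            reasons[classify_reason(msg)] += 1
        m = _AGMT_RE.search(msg)
        if not m:
            continue
        agmt = m.group("agmt")
        if m.group("state") == "failed":
            open_failures.setdefault(agmt, ts)
        elif agmt in open_failures:
            start = open_failures.pop(agmt)
            recovered.append((agmt, int((ts - start).total_seconds())))
    return {"reasons": reasons, "recovered": recovered, "open": open_failures}


def alerts(text, now, grace=timedelta(minutes=5)):
    """Agreements failed and not resumed within `grace` as of `now`.

    `now` is a timestamp in the log's own format.  Transient expiries that
    resume within seconds (the case in the thread) never show up here; a
    replica whose bind stays broken does.
    """
    now_ts = datetime.strptime(now, _TS_FMT)
    summary = triage(text)
    return sorted(a for a, start in summary["open"].items() if now_ts - start >= grace)


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
    print(alerts(SAMPLE_LOG, now="18/Oct/2017:11:40:00 +0200"))
```

Run it against a real errors log with `triage(open("/var/log/dirsrv/slapd-INSTANCE/errors").read())` (instance path assumed): the linge agreement in the sample shows a 46-second outage that resumed on its own, while the made-up replica2 agreement is the only one `alerts` reports once the grace window has passed.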