We have a number of servers in different pops. When I say intermittent I mean 
it doesn't just happen on the same server again and again but rather on random 
servers each time. There is no pattern as far as which pop or time of day etc. 
I do ipactl status and see that dirsrv is STOPPED. ipactl restart doesn't help, 
I just get the below error message that ipa can't start without 389ds and to 
check journalctl.
No matter what I've tried I never managed to fix the problem properly. I just 
blow the replica out and reinstall.
I've sanitized the file. The servers are actually named something completely 
different than what's in logs below.

Thank you, and please let me know what other steps I should try.

From: Rob Crittenden <rcrit...@redhat.com>
To: pgb205 <pgb...@yahoo.com>; FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Sent: Thursday, December 28, 2017 2:26 PM
Subject: Re: [Freeipa-users] Failed to read service file. Hostname does not match any master server in LDAP

pgb205 via FreeIPA-users wrote:
> Hello everyone. 
> 
> Periodically and seemingly at random our replicas crash with the above
> error. Dirsrv shows as stopped and restarting doesn't help.
> Someone suggested earlier that this is due to problems with topology
> plugin but I don't think that's the cause as we are still on
> domainlevel=0.
> 
> I'm not sure if it's a problem with 389ds or with some other part of
> freeipa. The only other clue I can think of is that often we see
> inconsistencies
> between replicas, i.e. a user that is supposed to be present everywhere
> goes missing on just one of the many replicas. 
> 
> I'm quite at a loss on how to troubleshoot this further. I hope that
> someone can assist.
> 
> ipactl start
> Starting Directory Service
> Failed to read data from service file: Failed to get list of services to
> probe status!
> Configured hostname 'server.pop.domain.local' does not match any master
> server in LDAP:
> No master found because of error: no such entry
> Shutting down

This isn't exactly a crash. In what context are you restarting it?

You said it is intermittent, does it ever start working again on its own?

Is this the correct hostname?

IPA uses the hostname to look in LDAP for the list of enabled services
on a given host to know what to start.

rob

> 
> 
> cat errors
> [26/Dec/2017:21:15:56.234793153 +0000] SSL alert: Sending pin request to
> SVRCore. You may need to run systemd-tty-ask-password-agent to provide
> the password.
> [26/Dec/2017:21:15:56.236060353 +0000] SSL alert: Security
> Initialization: Enabling default cipher set.
> [26/Dec/2017:21:15:56.236362922 +0000] SSL alert: Configured NSS Ciphers
> [26/Dec/2017:21:15:56.236652729 +0000] SSL
> alert:      TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled
> [26/Dec/2017:21:15:56.236921632 +0000] SSL
> alert:      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
> [26/Dec/2017:21:15:56.237114079 +0000] SSL
> alert:      TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
> [26/Dec/2017:21:15:56.237317678 +0000] SSL
> alert:      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
> [26/Dec/2017:21:15:56.237526365 +0000] SSL
> alert:      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled
> [26/Dec/2017:21:15:56.237746660 +0000] SSL
> alert:      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
> [26/Dec/2017:21:15:56.237908539 +0000] SSL
> alert:      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
> [26/Dec/2017:21:15:56.238087338 +0000] SSL
> alert:      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
> [26/Dec/2017:21:15:56.238306056 +0000] SSL
> alert:      TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled
> [26/Dec/2017:21:15:56.238517868 +0000] SSL
> alert:      TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
> [26/Dec/2017:21:15:56.238724920 +0000] SSL
> alert:      TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
> [26/Dec/2017:21:15:56.238889982 +0000] SSL
> alert:      TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
> [26/Dec/2017:21:15:56.239048124 +0000] SSL
> alert:      TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
> [26/Dec/2017:21:15:56.239233534 +0000] SSL
> alert:      TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
> [26/Dec/2017:21:15:56.239402097 +0000] SSL
> alert:      TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
> [26/Dec/2017:21:15:56.239767245 +0000] SSL
> alert:      TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
> [26/Dec/2017:21:15:56.239997083 +0000] SSL
> alert:      TLS_RSA_WITH_AES_256_GCM_SHA384: enabled
> [26/Dec/2017:21:15:56.240177269 +0000] SSL
> alert:      TLS_RSA_WITH_AES_256_CBC_SHA: enabled
> [26/Dec/2017:21:15:56.240376177 +0000] SSL
> alert:      TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
> [26/Dec/2017:21:15:56.240585031 +0000] SSL
> alert:      TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
> [26/Dec/2017:21:15:56.240745192 +0000] SSL
> alert:      TLS_RSA_WITH_AES_128_CBC_SHA: enabled
> [26/Dec/2017:21:15:56.240897126 +0000] SSL
> alert:      TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
> [26/Dec/2017:21:15:56.241075071 +0000] SSL
> alert:      TLS_AES_128_GCM_SHA256: enabled
> [26/Dec/2017:21:15:56.241245788 +0000] SSL
> alert:      TLS_CHACHA20_POLY1305_SHA256: enabled
> [26/Dec/2017:21:15:56.241456256 +0000] SSL
> alert:      TLS_AES_256_GCM_SHA384: enabled
> [26/Dec/2017:21:15:56.241617090 +0000] SSL
> alert:      TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled
> [26/Dec/2017:21:15:56.241766851 +0000] SSL
> alert:      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
> [26/Dec/2017:21:15:56.241947040 +0000] SSL
> alert:      TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
> [26/Dec/2017:21:15:56.249524586 +0000] SSL Initialization - Configured
> SSL version range: min: TLS1.0, max: TLS1.2
> [26/Dec/2017:21:15:56.249909319 +0000] 389-Directory/1.3.5.10
> B2017.102.203 starting up
> [26/Dec/2017:21:15:56.261829771 +0000] default_mr_indexer_create:
> warning - plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match
> [26/Dec/2017:21:15:56.269563770 +0000] WARNING: changelog: entry cache
> size 2097152 B is less than db size 149151744 B; We recommend to
> increase the entry cache size nsslapd-cachememsize.
> [26/Dec/2017:21:15:56.300878069 +0000] schema-compat-plugin - scheduled
> schema-compat-plugin tree scan in about 5 seconds after the server startup!
> [26/Dec/2017:21:15:56.399266161 +0000] NSACLPlugin - The ACL target
> cn=automember rebuild membership,cn=tasks,cn=config does not exist
> [26/Dec/2017:21:15:56.406444789 +0000] dna-plugin -
> dna_parse_config_entry: Unable to locate shared configuration entry
> (cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=domain,dc=local)
> [26/Dec/2017:21:15:56.406758873 +0000] dna-plugin -
> dna_parse_config_entry: Invalid config entry [cn=posix
> ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config] skipped
> [26/Dec/2017:21:15:56.423696836 +0000] schema-compat-plugin -
> schema-compat-plugin tree scan will start in about 5 seconds!
> [26/Dec/2017:21:15:56.434117007 +0000] slapd started.  Listening on All
> Interfaces port 389 for LDAP requests
> [26/Dec/2017:21:15:56.434370916 +0000] Listening on All Interfaces port
> 636 for LDAPS requests
> [26/Dec/2017:21:15:56.434602326 +0000] Listening on
> /var/run/slapd-domain-local.socket for LDAPI requests
> [26/Dec/2017:21:15:56.517403933 +0000] slapd shutting down - signaling
> operation threads - op stack size 1 max work q size 1 max work q stack
> size 1
> [26/Dec/2017:21:15:56.517944438 +0000] slapd shutting down - waiting for
> 28 threads to terminate
> [26/Dec/2017:21:15:56.518216669 +0000] slapd shutting down - closing
> down local subsystems and plugins
> [26/Dec/2017:21:16:01.429082375 +0000] Waiting for 4 database threads to
> stop
> [26/Dec/2017:21:16:02.283796028 +0000] All database threads now stopped
> [26/Dec/2017:21:16:02.302693986 +0000] slapd shutting down - freed 1
> work q stack objects - freed 1 op stack objects
> [26/Dec/2017:21:16:02.439672563 +0000] slapd stopped.
> 
> 
> 
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> 



   
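The lookup Rob describes (ipactl takes the configured hostname and looks for a matching master entry in LDAP), as an added example that is not part of the original thread and not FreeIPA's own code. It assumes the usual FreeIPA layout of `host` in `/etc/ipa/default.conf` and master entries under `cn=masters,cn=ipa,cn=etc,<basedn>`; the sample config and LDIF are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: offline version of the check behind
# "Configured hostname ... does not match any master server in LDAP".
# Live LDIF would come from a query such as (socket path as in the log above;
# requires dirsrv to be running and root on the replica):
#   ldapsearch -LLL -o ldif-wrap=no -Y EXTERNAL \
#     -H ldapi://%2fvar%2frun%2fslapd-domain-local.socket \
#     -b "cn=masters,cn=ipa,cn=etc,dc=domain,dc=local" -s one dn

# Constructed sample of /etc/ipa/default.conf on the failing replica.
SAMPLE_CONF='[global]
host = server.pop.domain.local
basedn = dc=domain,dc=local
realm = DOMAIN.LOCAL'

# Constructed sample LDIF: the failing replica has no entry of its own.
SAMPLE_LDIF='dn: cn=ipa1.pop.domain.local,cn=masters,cn=ipa,cn=etc,dc=domain,dc=local

dn: cn=ipa2.pop.domain.local,cn=masters,cn=ipa,cn=etc,dc=domain,dc=local
'

# Print the value of "key = value" ($1 = key) from config text on stdin.
conf_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" | head -n 1
}

# Print the hostname of every master entry in LDIF on stdin, lowercased.
masters_in_ldif() {
    sed -n 's/^dn: cn=\([^,]*\),cn=masters,cn=ipa,cn=etc,.*/\1/p' | tr 'A-Z' 'a-z'
}

# $1 = default.conf text, $2 = LDIF text.
# Returns 0 if the configured host has a master entry, 1 if it does not,
# 2 if no host is configured at all.
host_is_master() {
    host=$(printf '%s\n' "$1" | conf_get host | tr 'A-Z' 'a-z')
    [ -n "$host" ] || return 2
    printf '%s\n' "$2" | masters_in_ldif | grep -qxF -- "$host"
}

if host_is_master "$SAMPLE_CONF" "$SAMPLE_LDIF"; then
    echo "master entry present for configured host"
else
    echo "no master entry for configured host (the condition ipactl reports)"
fi
```

Running the same comparison against another replica's copy of the masters container shows whether the entry is missing everywhere or only locally, which ties in with the replica inconsistencies mentioned in the thread.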