Hi Rob,

Thanks for pointing us in that direction.

Actually, I already looked into /var/log/pkg/pkg-tomcat/ca/debug, but couldn't
find anything that rang a bell. Here are the last couple of lines.

[root@ipa2 ca]# tail -40 debug
[18/Mar/2019:14:36:39][SerialNumberUpdateTask]: TCP Keep-Alive: true
[18/Mar/2019:14:36:39][SerialNumberUpdateTask]: SSLClientCertificateSelectionCB: Setting desired cert nickname to: subsystemCert cert-pki-ca
[18/Mar/2019:14:36:39][SerialNumberUpdateTask]: LdapJssSSLSocket: set client auth cert nickname subsystemCert cert-pki-ca
[18/Mar/2019:14:36:39][SerialNumberUpdateTask]: SSL handshake happened
[18/Mar/2019:14:36:39][SerialNumberUpdateTask]: Established LDAP connection with SSL client auth to ipa2.pleiades.uni-wuppertal.de:636
[18/Mar/2019:14:36:39][SerialNumberUpdateTask]: getConn: conn is connected false
[18/Mar/2019:14:36:39][SerialNumberUpdateTask]: Attempt to bring back down connection.
[18/Mar/2019:14:36:39][SerialNumberUpdateTask]: Re-animated connection: LDAPConnection {ldaps://ipa2.pleiades.uni-wuppertal.de:636 (2) ldapVersion:3 bindDN:""}
[18/Mar/2019:14:36:39][SerialNumberUpdateTask]: getConn: mNumConns now 2
[18/Mar/2019:14:36:39][SerialNumberUpdateTask]: Releasing ldap connection
[18/Mar/2019:14:36:39][SerialNumberUpdateTask]: returnConn: mNumConns now 3
[18/Mar/2019:14:36:39][SerialNumberUpdateTask]: DBSubsystem: getEntryAttribute:  dn=ou=certificateRepository, ou=ca, o=ipaca  attr=description:;
[18/Mar/2019:14:36:39][SerialNumberUpdateTask]: CertificateRepository: updateCounter  mEnableRandomSerialNumbers=false
[18/Mar/2019:14:36:39][SerialNumberUpdateTask]: CertificateRepository: updateCounter  CertificateRepositoryMode =
[18/Mar/2019:14:36:39][SerialNumberUpdateTask]: CertificateRepository: updateCounter  modeChange=false
[18/Mar/2019:14:36:39][SerialNumberUpdateTask]: CertificateRepository: UpdateCounter  mEnableRandomSerialNumbers=false  mCounter=-1
[18/Mar/2019:14:36:39][SerialNumberUpdateTask]: Starting cert checkRanges
[18/Mar/2019:14:36:39][SerialNumberUpdateTask]: Repository: Server not completely started.  Returning ..
[18/Mar/2019:14:36:39][SerialNumberUpdateTask]: Starting request checkRanges
[18/Mar/2019:14:36:39][SerialNumberUpdateTask]: Repository: Server not completely started.  Returning ..
[18/Mar/2019:14:36:39][SerialNumberUpdateTask]: updateSerialNumbers done
[18/Mar/2019:14:46:39][SerialNumberUpdateTask]: About to start updateSerialNumbers
[18/Mar/2019:14:46:39][SerialNumberUpdateTask]: Starting updateSerialNumbers (entered lock)
[18/Mar/2019:14:46:39][SerialNumberUpdateTask]: CertificateRepository: updateCounter  mEnableRandomSerialNumbers=false  mCounter=-1
[18/Mar/2019:14:46:39][SerialNumberUpdateTask]: In LdapBoundConnFactory::getConn()
[18/Mar/2019:14:46:39][SerialNumberUpdateTask]: masterConn is connected: true
[18/Mar/2019:14:46:39][SerialNumberUpdateTask]: getConn: conn is connected true
[18/Mar/2019:14:46:39][SerialNumberUpdateTask]: getConn: mNumConns now 2
[18/Mar/2019:14:46:39][SerialNumberUpdateTask]: Releasing ldap connection
[18/Mar/2019:14:46:39][SerialNumberUpdateTask]: returnConn: mNumConns now 3
[18/Mar/2019:14:46:39][SerialNumberUpdateTask]: DBSubsystem: getEntryAttribute:  dn=ou=certificateRepository, ou=ca, o=ipaca  attr=description:;
[18/Mar/2019:14:46:39][SerialNumberUpdateTask]: CertificateRepository: updateCounter  mEnableRandomSerialNumbers=false
[18/Mar/2019:14:46:39][SerialNumberUpdateTask]: CertificateRepository: updateCounter  CertificateRepositoryMode =
[18/Mar/2019:14:46:39][SerialNumberUpdateTask]: CertificateRepository: updateCounter  modeChange=false
[18/Mar/2019:14:46:39][SerialNumberUpdateTask]: CertificateRepository: UpdateCounter  mEnableRandomSerialNumbers=false  mCounter=-1
[18/Mar/2019:14:46:39][SerialNumberUpdateTask]: Starting cert checkRanges
[18/Mar/2019:14:46:39][SerialNumberUpdateTask]: Repository: Server not completely started.  Returning ..
[18/Mar/2019:14:46:39][SerialNumberUpdateTask]: Starting request checkRanges
[18/Mar/2019:14:46:39][SerialNumberUpdateTask]: Repository: Server not completely started.  Returning ..
[18/Mar/2019:14:46:39][SerialNumberUpdateTask]: updateSerialNumbers done
[root@ipa2 ca]#

However, the "system" file contains tons of:

0.profileChangeMonitor - [18/Mar/2019:14:36:25 CET] [8] [3] In Ldap (bound) connection pool to host ipa2.pleiades.uni-wuppertal.de port 636, Cannot connect to LDAP server. Error: netscape.ldap.LDAPException: Unable to create socket: java.net.ConnectException: Connection refused (Connection refused) (-1)
0.profileChangeMonitor - [18/Mar/2019:14:36:26 CET] [8] [3] In Ldap (bound) connection pool to host ipa2.pleiades.uni-wuppertal.de port 636, Cannot connect to LDAP server. Error: netscape.ldap.LDAPException: Unable to create socket: java.net.ConnectException: Connection refused (Connection refused) (-1)
0.authorityMonitor - [18/Mar/2019:14:36:26 CET] [8] [3] In Ldap (bound) connection pool to host ipa2.pleiades.uni-wuppertal.de port 636, Cannot connect to LDAP server. Error: netscape.ldap.LDAPException: Unable to create socket: java.net.ConnectException: Connection refused (Connection refused) (-1)


We started IPA with the "--ignore-service-failures" flag, but still no one could
log in. We have switched IPA off for the moment so that the other server, which
still works OK, is queried instead.

Thanks for your help!!!

Kind regards

  Torsten


On 18 March 2019 19:00:54 CET, Rob Crittenden <[email protected]> wrote:
>Robbie Harwood via FreeIPA-users wrote:
>> Marisa Sandhoff via FreeIPA-users <[email protected]> writes:
>> 
>>> [18/Mar/2019:14:36:27.577557647 +0100] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/[email protected]] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
>> 
>> Can you inspect this keytab?  `klist -ekt /etc/dirsrv/ds.keytab`?
>
>Those errors are normal. 389-ds was rather chatty about starting up
>when it doesn't have a ccache.
>
>You should look at the CA logs in /var/log/pki/pki-tomcat/ca
>
>To bring IPA up without the CA to limp along while you diagnose the
>problem run: ipactl start --ignore-service-failures
>
>rob
