On 5/22/19 3:55 PM, Kristian Petersen via FreeIPA-users wrote:
When I say it won't resolve, I am getting NXDOMAIN as the result of the
query like this:
[root@ipa3 /]# nslookup ipa1 ipa3
Server: ipa3
Address: xxx.xxx.xxx.xxx#53
** server can't find ipa1: NXDOMAIN
Running journalctl -u named-pkcs11 shows a ton of lines like the following:
May 21 12:22:25 ipa3.chem.byu.edu named-pkcs11[19021]: network unreachable resolving 'udmserve.net/A/IN': 2600:9000:5306:3100::1#53
There are also some error messages that appear in the log, but only
sporadically (this was the largest contiguous block of them):
May 21 12:58:58 ipa3.chem.byu.edu named-pkcs11[19021]: ldap_sync_search_entry failed: not found
May 21 12:58:58 ipa3.chem.byu.edu named-pkcs11[19021]: bug in ldap_entry_reconstruct(): protocol violation: attempt to reconstruct non-existing entry
May 21 12:58:58 ipa3.chem.byu.edu named-pkcs11[19021]: ldap_sync_search_entry failed: not found
May 21 12:58:58 ipa3.chem.byu.edu named-pkcs11[19021]: bug in ldap_entry_reconstruct(): protocol violation: attempt to reconstruct non-existing entry
May 21 12:58:58 ipa3.chem.byu.edu named-pkcs11[19021]: ldap_sync_search_entry failed: not found
May 21 12:58:58 ipa3.chem.byu.edu named-pkcs11[19021]: syncrepl_update failed for resource record DN 'idnsName=250,idnsname=105.168.192.in-addr.arpa.,cn=dns,dc=chem,dc=byu,dc=edu'
May 21 12:58:58 ipa3.chem.byu.edu named-pkcs11[19021]: ldap_sync_search_entry failed: not found
May 21 12:58:58 ipa3.chem.byu.edu named-pkcs11[19021]: bug in ldap_entry_reconstruct(): protocol violation: attempt to reconstruct non-existing entry
May 21 12:58:58 ipa3.chem.byu.edu named-pkcs11[19021]: ldap_sync_search_entry failed: not found
May 21 12:58:58 ipa3.chem.byu.edu named-pkcs11[19021]: syncrepl_update failed for resource record DN 'idnsName=136,idnsname=105.168.192.in-addr.arpa.,cn=dns,dc=chem,dc=byu,dc=edu'
May 21 12:58:58 ipa3.chem.byu.edu named-pkcs11[19021]: ldap_sync_search_entry failed: not found
The messages log has a number of messages like this one:
May 19 03:11:53 ipa3 ns-slapd: [19/May/2019:03:11:53.896464579 -0600] - ERR - NSMMReplicationPlugin - acquire_replica - agmt="cn=caToipa1.chem.byu.edu" (ipa1:389): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.
May 19 03:13:10 ipa3 ns-slapd: [19/May/2019:03:13:10.967375303 -0600] - ERR - NSMMReplicationPlugin - acquire_replica - agmt="cn=ipa3.chem.byu.edu-to-ipa2.chem.byu.edu" (ipa2:389): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.
Hi,
It looks like a replication issue. Can you check the content of the entry
cn=replication managers,cn=sysaccounts,cn=etc,dc=chem,dc=byu,dc=com
on your servers? It should contain a "member" attribute for the replica
and the master like the following:
member: krbprincipalname=ldap/replica.chem.byu....@chem.byu.com,cn=services,cn=accounts,dc=chem,dc=byu,dc=com
Then check that the replica bind dn group is properly defined for the
IPA domain:
dn: cn=replica,cn=dc\3Dchem\2Cdc\3Dbyu\2Cdc\3Dcom,cn=mapping tree,cn=config
nsds5replicabinddngroup: cn=replication managers,cn=sysaccounts,cn=etc,dc=chem,dc=byu,dc=com
nsds5replicabinddngroupcheckinterval: 60
and for the CA domain:
dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
nsds5replicabinddngroup: cn=replication managers,cn=sysaccounts,cn=etc,dc=chem,dc=byu,dc=com
nsds5replicabinddngroupcheckinterval: 60
HTH,
flo
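Added example (not from the thread or from FreeIPA itself): a small script that runs flo's two checks against LDIF text, such as the output of `ldapsearch -LLL` over the sysaccounts subtree and cn=config, and reports whether the replica's ldap/ principal is in the replication managers group and whether each cn=replica entry names that group. The base DN dc=chem,dc=byu,dc=edu is taken from the log DN earlier in the thread; the realm CHEM.BYU.EDU and the sample LDIF are constructed assumptions.

```python
import re
BASE = "dc=chem,dc=byu,dc=edu"   # suffix seen in the thread's named-pkcs11 log DNs
GROUP_DN = f"cn=replication managers,cn=sysaccounts,cn=etc,{BASE}"

def parse_ldif(text):
    """Minimal LDIF reader -> {dn (lowercased): {attr (lowercased): [values]}}; no base64 '::' support."""
    entries, cur = {}, None
    for line in re.sub(r"\n ", "", text).splitlines():   # join folded continuation lines
        if not line.strip():
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            cur = entries.setdefault(value.lower(), {})   # DNs compare case-insensitively
        elif cur is not None:
            cur.setdefault(attr, []).append(value)
    return entries

def check_replication_auth(ldif_text, replica_fqdn, realm):
    """Return the problems found (an empty list means both of flo's checks pass)."""
    entries = parse_ldif(ldif_text)
    problems = []
    # 1. the replica's ldap/ principal must be a member of the replication managers group
    wanted = f"krbprincipalname=ldap/{replica_fqdn}@{realm},cn=services,cn=accounts,{BASE}".lower()
    members = [m.lower() for m in entries.get(GROUP_DN.lower(), {}).get("member", [])]
    if wanted not in members:
        problems.append(f"{wanted} is not a member of {GROUP_DN}")
    # 2. each replica config (domain suffix and o=ipaca) must name that group as its bind DN group
    for dn in (d for d in entries if d.startswith("cn=replica,") and d.endswith("cn=mapping tree,cn=config")):
        groups = [g.lower() for g in entries[dn].get("nsds5replicabinddngroup", [])]
        if GROUP_DN.lower() not in groups:
            problems.append(f"{dn}: nsds5replicabinddngroup does not name {GROUP_DN}")
    return problems

# Constructed sample (not from the thread): ipa3 is missing from the group, o=ipaca has no bind DN group.
SAMPLE_LDIF = """\
dn: cn=replication managers,cn=sysaccounts,cn=etc,dc=chem,dc=byu,dc=edu
member: krbprincipalname=ldap/ipa1.chem.byu.edu@CHEM.BYU.EDU,cn=services,cn=acco
 unts,dc=chem,dc=byu,dc=edu
member: krbprincipalname=ldap/ipa2.chem.byu.edu@CHEM.BYU.EDU,cn=services,cn=accounts,dc=chem,dc=byu,dc=edu

dn: cn=replica,cn=dc\\3Dchem\\2Cdc\\3Dbyu\\2Cdc\\3Dedu,cn=mapping tree,cn=config
nsds5replicabinddngroup: cn=replication managers,cn=sysaccounts,cn=etc,dc=chem,
 dc=byu,dc=edu
nsds5replicabinddngroupcheckinterval: 60

dn: cn=replica,cn=o\\3Dipaca,cn=mapping tree,cn=config
nsds5replicabinddngroupcheckinterval: 60
"""
```

Running `check_replication_auth(SAMPLE_LDIF, "ipa3.chem.byu.edu", "CHEM.BYU.EDU")` reports both the missing group membership and the o=ipaca entry, which is the state that produces the "bind dn """ permission errors quoted above.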
On Tue, May 21, 2019 at 1:26 PM Rob Crittenden <rcrit...@redhat.com> wrote:
Kristian Petersen via FreeIPA-users wrote:
> Hey all,
>
> I am using IPA for my DNS and have 3 total servers in the group. 2 of
> them are responding to queries just fine, but the 3rd (which is bare
> metal, not a VM like the others) is not resolving the queries issued to
> it. Running ipactl status returns all services running:
>
> [root@ipa3 /]# ipactl status
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> *named Service: RUNNING *
> httpd Service: RUNNING
> ipa-custodia Service: RUNNING
> ntpd Service: RUNNING
> pki-tomcatd Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa-dnskeysyncd Service: RUNNING
> ipa: INFO: The ipactl command was successful
>
> We tried restarting the services but it didn't change anything. Next we
> tried to do a forced sync of the server with one of its working replicas:
>
> ipa-replica-manage force-sync --from ipa1.example.com
>
> We also tried re-initializing the non-working replica:
>
> ipa-replica-manage re-initialize --from ipa1.example.com
>
> However, it still won't resolve any queries directed to it. Any ideas
> of what to try next?

Can you clarify what doesn't resolve means?
Is dig timing out, returning the wrong data, etc? Is that on the same
host or another host? What do the bind logs show? journalctl?
rob
--
Kristian Petersen
System Administrator
BYU Dept. of Chemistry and Biochemistry
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org