Hi Mark

This is what I have on the master error log during replica install:

[14/Apr/2020:11:21:00.257655895 +0000] - ERR - NSMMReplicationPlugin - 
bind_and_check_pwp - agmt="cn=meToipareplica01.example.com" (ipareplica01:389) 
- Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP 
server) ()
[14/Apr/2020:11:21:21.285497624 +0000] - ERR - NSMMReplicationPlugin - 
bind_and_check_pwp - agmt="cn=meToipareplica01.example.com" (ipareplica01:389) 
- Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP 
server) ()
[14/Apr/2020:11:21:27.293626669 +0000] - ERR - NSMMReplicationPlugin - 
bind_and_check_pwp - agmt="cn=meToipareplica01.example.com" (ipareplica01:389) 
- Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP 
server) ()
[14/Apr/2020:11:21:37.327494957 +0000] - WARN - NSMMReplicationPlugin - 
repl5_tot_run - Unable to acquire replica for total update, error: -2, retrying 
in 1 seconds.
[14/Apr/2020:11:21:38.385987336 +0000] - WARN - NSMMReplicationPlugin - 
repl5_tot_run - Unable to acquire replica for total update, error: -2, retrying 
in 2 seconds.
[14/Apr/2020:11:21:40.398179033 +0000] - WARN - NSMMReplicationPlugin - 
repl5_tot_run - Unable to acquire replica for total update, error: -2, retrying 
in 3 seconds.
[14/Apr/2020:11:21:43.407848477 +0000] - WARN - NSMMReplicationPlugin - 
repl5_tot_run - Unable to acquire replica for total update, error: -2, retrying 
in 4 seconds.
[14/Apr/2020:11:21:47.419790763 +0000] - WARN - NSMMReplicationPlugin - 
repl5_tot_run - Unable to acquire replica for total update, error: -2, retrying 
in 5 seconds.

On the replica error log there are no ERR logs, only INFO and WARN, and the log 
ends with:

[14/Apr/2020:11:21:34.981330893 +0000] - INFO - main - 389-Directory/1.4.1.3 
B2019.323.229 starting up
[14/Apr/2020:11:21:35.022977416 +0000] - INFO - main - Setting the maximum file 
descriptor limit to: 4096
[14/Apr/2020:11:21:35.803769888 +0000] - INFO - PBKDF2_SHA256 - Based on CPU 
performance, chose 2048 rounds
[14/Apr/2020:11:21:35.874697893 +0000] - INFO - 
ldbm_instance_config_cachememsize_set - force a minimal value 512000
[14/Apr/2020:11:21:35.927003711 +0000] - NOTICE - ldbm_back_start - found 
12128704k physical memory
[14/Apr/2020:11:21:36.006415484 +0000] - NOTICE - ldbm_back_start - found 
11445168k available
[14/Apr/2020:11:21:36.048090360 +0000] - NOTICE - ldbm_back_start - cache 
autosizing: db cache: 303217k
[14/Apr/2020:11:21:36.123061153 +0000] - NOTICE - ldbm_back_start - cache 
autosizing: userRoot entry cache (1 total): 851968k
[14/Apr/2020:11:21:36.350166036 +0000] - NOTICE - ldbm_back_start - cache 
autosizing: userRoot dn cache (1 total): 131072k
[14/Apr/2020:11:21:36.599188174 +0000] - NOTICE - ldbm_back_start - total cache 
size: 1255028817 B;
[14/Apr/2020:11:21:36.745618576 +0000] - INFO - slapd_daemon - slapd started.  
Listening on All Interfaces port 389 for LDAP requests
[14/Apr/2020:11:21:36.781112735 +0000] - INFO - slapd_daemon - Listening on All 
Interfaces port 636 for LDAPS requests
[14/Apr/2020:11:21:36.806422732 +0000] - INFO - slapd_daemon - Listening on 
/var/run/slapd-IPAMASTER01-EXAMPLE-COM.socket for LDAPI requests
[14/Apr/2020:11:21:37.309999728 +0000] - WARN - NSMMReplicationPlugin - 
repl5_inc_run - agmt="cn=meToipamaster01.example.com" (ipamaster01:389): The 
remote replica has a different database generation ID than the local database.  
You may have to reinitialize the remote replica, or the local replica.

But the interesting part is on the master:

KRB5_TRACE=/dev/stderr ldapsearch -Y GSSAPI -h ipareplica01.example.com -b "" 
-s base
SASL/GSSAPI authentication started
[14335] 1586874293.284426: ccselect can't find appropriate cache for server 
principal ldap/ipareplica01.example....@example.com
[14335] 1586874293.284427: Getting credentials ad...@ipamaster01.example.com -> 
ldap/ipareplica01.example....@example.com using ccache KCM:0
[14335] 1586874293.284428: Retrieving ad...@ipamaster01.example.com -> 
ldap/ipareplica01.example....@example.com from KCM:0 with result: 
-1765328243/Matching credential not found
[14335] 1586874293.284429: Retrieving ad...@ipamaster01.example.com -> 
krbtgt/example....@example.com from KCM:0 with result: -1765328243/Matching 
credential not found
[14335] 1586874293.284430: Retrieving ad...@ipamaster01.example.com -> 
krbtgt/ipamaster01.example....@ipamaster01.example.com from KCM:0 with result: 
0/Success
[14335] 1586874293.284431: Starting with TGT for client realm: 
ad...@ipamaster01.example.com -> 
krbtgt/ipamaster01.example....@ipamaster01.example.com
[14335] 1586874293.284432: Retrieving ad...@ipamaster01.example.com -> 
krbtgt/example....@example.com from KCM:0 with result: -1765328243/Matching 
credential not found
[14335] 1586874293.284433: Requesting TGT 
krbtgt/example....@ipamaster01.example.com using TGT 
krbtgt/ipamaster01.example....@ipamaster01.example.com
[14335] 1586874293.284434: Generated subkey for TGS request: aes256-cts/8B0E
[14335] 1586874293.284435: etypes requested in TGS request: aes256-cts, 
aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, 
camellia256-cts
[14335] 1586874293.284437: Encoding request body and padata into FAST request
[14335] 1586874293.284438: Sending request (1569 bytes) to 
IPAMASTER01.EXAMPLE.COM
[14335] 1586874293.284439: Initiating TCP connection to stream 
192.168.200.107:88
[14335] 1586874293.284440: Sending TCP request to stream 192.168.200.107:88
[14335] 1586874293.284441: Received answer (461 bytes) from stream 
192.168.200.107:88
[14335] 1586874293.284442: Terminating TCP connection to stream 
192.168.200.107:88
[14335] 1586874293.284443: Response was from master KDC
[14335] 1586874293.284444: Decoding FAST response
[14335] 1586874293.284445: TGS request result: -1765328377/Server 
krbtgt/example....@ipamaster01.example.com not found in Kerberos database
[14335] 1586874293.284446: Trying next closer realm in path: EXAMPLE.COM
[14335] 1586874293.284447: Retrieving ad...@ipamaster01.example.com -> 
krbtgt/example....@example.com from KCM:0 with result: -1765328243/Matching 
credential not found
[14335] 1586874293.284448: Requesting TGT 
krbtgt/example....@ipamaster01.example.com using TGT 
krbtgt/ipamaster01.example....@ipamaster01.example.com
[14335] 1586874293.284449: Generated subkey for TGS request: aes256-cts/E193
[14335] 1586874293.284450: etypes requested in TGS request: aes256-cts, 
aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, 
camellia256-cts
[14335] 1586874293.284452: Encoding request body and padata into FAST request
[14335] 1586874293.284453: Sending request (1569 bytes) to 
IPAMASTER01.EXAMPLE.COM
[14335] 1586874293.284454: Initiating TCP connection to stream 
192.168.200.107:88
[14335] 1586874293.284455: Sending TCP request to stream 192.168.200.107:88
[14335] 1586874293.284456: Received answer (461 bytes) from stream 
192.168.200.107:88
[14335] 1586874293.284457: Terminating TCP connection to stream 
192.168.200.107:88
[14335] 1586874293.284458: Response was from master KDC
[14335] 1586874293.284459: Decoding FAST response
[14335] 1586874293.284460: TGS request result: -1765328377/Server 
krbtgt/example....@ipamaster01.example.com not found in Kerberos database
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified 
GSS failure.  Minor code may provide more information (Server 
krbtgt/example....@ipamaster01.example.com not found in Kerberos database)


and on replica:

KRB5_TRACE=/dev/stderr ldapsearch -Y GSSAPI -h ipareplica01.example.com -b "" 
-s base
SASL/GSSAPI authentication started
[6124] 1586874420.464854: ccselect module realm chose cache KCM:0 with client 
principal ad...@ipamaster01.example.com for server principal 
ldap/ipareplica01.example....@ipamaster01.example.com
[6124] 1586874420.464855: Getting credentials ad...@ipamaster01.example.com -> 
ldap/ipareplica01.example....@ipamaster01.example.com using ccache KCM:0
[6124] 1586874420.464856: Retrieving ad...@ipamaster01.example.com -> 
ldap/ipareplica01.example....@ipamaster01.example.com from KCM:0 with result: 
0/Success
[6124] 1586874420.464858: Creating authenticator for 
ad...@ipamaster01.example.com -> 
ldap/ipareplica01.example....@ipamaster01.example.com, seqnum 602124589, subkey 
aes256-cts/EDE8, session key aes256-cts/8C19
[6124] 1586874420.464863: Read AP-REP, time 1586874420.464859, subkey 
aes256-cts/57FE, seqnum 837693153
ldap_sasl_interactive_bind_s: Invalid credentials (49)

Best
Alex
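The two KRB5_TRACE captures above can be read mechanically: the "Getting credentials A -> B" line shows which realm the cached credential belongs to and which realm the target service is in, and a "TGS request result ... not found in Kerberos database" line for a krbtgt/ principal shows that the KDC could not supply a cross-realm path between them. The following is an added example (not code from the post or from FreeIPA) that extracts those facts from constructed trace lines; principals, realms and the ccache name are placeholders, not the ones in the original capture.

```python
import re

# Constructed sample KRB5_TRACE output modelled on the format in the post above;
# principals and realms are placeholders, not the ones from the original trace.
FAILING_TRACE = """\
[14335] 1586874293.284426: ccselect can't find appropriate cache for server principal ldap/replica.example.test@EXAMPLE.TEST
[14335] 1586874293.284427: Getting credentials user@HOST.EXAMPLE.TEST -> ldap/replica.example.test@EXAMPLE.TEST using ccache KCM:0
[14335] 1586874293.284433: Requesting TGT krbtgt/EXAMPLE.TEST@HOST.EXAMPLE.TEST using TGT krbtgt/HOST.EXAMPLE.TEST@HOST.EXAMPLE.TEST
[14335] 1586874293.284445: TGS request result: -1765328377/Server krbtgt/EXAMPLE.TEST@HOST.EXAMPLE.TEST not found in Kerberos database
"""

# Constructed healthy trace for comparison: client and service share one realm.
HEALTHY_TRACE = """\
[6124] 1586874420.464855: Getting credentials user@EXAMPLE.TEST -> ldap/replica.example.test@EXAMPLE.TEST using ccache KCM:0
[6124] 1586874420.464856: Retrieving user@EXAMPLE.TEST -> ldap/replica.example.test@EXAMPLE.TEST from KCM:0 with result: 0/Success
"""

GETCREDS = re.compile(r"Getting credentials (\S+) -> (\S+) using ccache (\S+)")
TGS_FAIL = re.compile(r"TGS request result: (-\d+)/Server (\S+) not found in Kerberos database")


def realm_of(principal):
    """Return the realm part of a Kerberos principal (text after the last '@')."""
    return principal.rsplit("@", 1)[-1]


def diagnose(trace_text):
    """Summarise a KRB5_TRACE capture: realm of the cached credential, realm of the
    target service, and any krbtgt/ principal the KDC reported as unknown."""
    report = {"client_realm": None, "server_realm": None, "realm_mismatch": False,
              "missing_servers": [], "verdict": "no GSSAPI credential problem seen"}
    for line in trace_text.splitlines():
        m = GETCREDS.search(line)
        if m:
            client, server, _ccache = m.groups()
            report["client_realm"] = realm_of(client)
            report["server_realm"] = realm_of(server)
            report["realm_mismatch"] = report["client_realm"] != report["server_realm"]
        m = TGS_FAIL.search(line)
        if m:
            report["missing_servers"].append(m.group(2))
    # A realm mismatch plus a missing krbtgt/ entry means the KDC has no cross-realm
    # path from the ccache's realm to the service's realm.
    if report["realm_mismatch"] and any(s.startswith("krbtgt/") for s in report["missing_servers"]):
        report["verdict"] = ("credential cache realm %s differs from service realm %s and the KDC has no "
                             "cross-realm krbtgt for it; check the client's default realm and ccache"
                             % (report["client_realm"], report["server_realm"]))
    return report
```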
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org