Nick Polites via FreeIPA-users wrote:
> Hello,
>
> I ran into this issue which was compounded when I ran a yum update and IPA
> needed to run an upgrade. I rolled back the update to get it to stop
> requesting an upgrade. I see two issues here and not sure if they are
> related. Note I removed our domain name and replaced it with DOMAIN.
>
> 1) Running "getcert list | egrep -e status -e expire -e certificate" I see
> one cert which has expired but two are showing a status of CA_UNREACHABLE
>
> getcert list | egrep -e status -e expire -e certificate
> Number of certificates and requests being tracked: 8.
> status: MONITORING
> certificate: type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM',nickname='Server-Cert',token='NSS Certificate DB'
> expires: 2023-10-09 05:38:11 UTC
> status: MONITORING
> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> expires: 2023-10-09 05:40:10 UTC
> status: MONITORING
> certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
> expires: 2024-05-06 15:43:26 UTC
> status: MONITORING
> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
> expires: 2024-05-06 15:44:27 UTC
> status: CA_UNREACHABLE
> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
> expires: 2022-06-14 06:59:34 UTC
> status: CA_UNREACHABLE
> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
> expires: 2036-09-08 13:37:52 UTC
> status: MONITORING
> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
> expires: 2023-09-23 05:38:11 UTC
> status: MONITORING
> certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
> expires: 2023-06-08 15:43:24 UTC
> certificate template/profile: KDCs_PKINIT_Certs
>
> I think this could be what is throwing this error in my messages
>
> Sep 27 11:55:38 hlipa03 dogtag-ipa-ca-renew-agent-submit: Traceback (most recent call last):#012 File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 515, in <module>#012 sys.exit(main())#012 File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 489, in main#012 kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename)#012 File "/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 47, in kinit_keytab#012 cred = gssapi.Credentials(name=name, store=store, usage='initiate')#012 File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 64, in __new__#012 store=store)#012 File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 148, in acquire#012 usage)#012 File "ext_cred_store.pyx", line 182, in gssapi.raw.ext_cred_store.acquire_cred_from (gssapi/raw/ext_cred_store.c:1732)#012GSSError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639068): Cannot contact any KDC for realm 'DOMAIN.COM'
>
> So what I tried to do is roll back the date to Dec 25, 2021 and try to restart
> everything but LDAP is still not starting and here are a few errors I am
> seeing
>
> Dec 25 12:50:06 hlipa03 systemd: Starting 389 Directory Server DOMAIN-COM....
> Dec 25 12:50:06 hlipa03 ns-slapd: [25/Dec/2021:12:50:06.472160613 -0500] - NOTICE - config_set_port - Non-Secure Port Disabled
> Dec 25 12:50:06 hlipa03 ns-slapd: [25/Dec/2021:12:50:06.568296397 -0500] - INFO - main - 389-Directory/1.3.10.2 B2022.179.1321 starting up
> Dec 25 12:50:06 hlipa03 ns-slapd: [25/Dec/2021:12:50:06.570071317 -0500] - INFO - main - Setting the maximum file descriptor limit to: 16384
> Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.267883144 -0500] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
> Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.282267183 -0500] - WARN - default_mr_indexer_create - Plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match
> Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.287484618 -0500] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
> Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.303941493 -0500] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
> Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.320417322 -0500] - NOTICE - ldbm_back_start - found 30613432k physical memory
> Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.321743123 -0500] - NOTICE - ldbm_back_start - found 29044884k available
> Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.322958961 -0500] - NOTICE - ldbm_back_start - cache autosizing: db cache: 765335k
> Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.324023640 -0500] - NOTICE - ldbm_back_start - cache autosizing: userRoot entry cache (3 total): 720896k
> Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.328954216 -0500] - NOTICE - ldbm_back_start - cache autosizing: userRoot dn cache (3 total): 131072k
> Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.330907096 -0500] - NOTICE - ldbm_back_start - cache autosizing: ipaca entry cache (3 total): 720896k
> Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.336102686 -0500] - NOTICE - ldbm_back_start - cache autosizing: ipaca dn cache (3 total): 131072k
> Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.337870481 -0500] - NOTICE - ldbm_back_start - cache autosizing: changelog entry cache (3 total): 720896k
> Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.342750894 -0500] - NOTICE - ldbm_back_start - cache autosizing: changelog dn cache (3 total): 131072k
> Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.344621870 -0500] - NOTICE - ldbm_back_start - total cache size: 3400949555 B;
> Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.467376898 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=DOMAIN,dc=com does not exist
> Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.468965116 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=keys,cn=sec,cn=dns,dc=DOMAIN,dc=com does not exist
> Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.470221810 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=DOMAIN,dc=com does not exist
> Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.471510458 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=DOMAIN,dc=com does not exist
> Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.472703756 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=groups,cn=compat,dc=DOMAIN,dc=com does not exist
> Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.473949469 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=computers,cn=compat,dc=DOMAIN,dc=com does not exist
> Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.475191460 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=ng,cn=compat,dc=DOMAIN,dc=com does not exist
> Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.476506914 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target ou=sudoers,dc=DOMAIN,dc=com does not exist
> Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.477702221 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=users,cn=compat,dc=DOMAIN,dc=com does not exist
> Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.478971257 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
> Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.480144620 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
> Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.481346463 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
> Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.482548595 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
> Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.483735174 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
> Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.484936731 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
> Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.486290254 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
> Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.487505855 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
> Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.488679941 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
> Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.489957510 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
> Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.491180117 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
> Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.492446197 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=DOMAIN,dc=com does not exist
> Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.499046420 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=ad,cn=etc,dc=DOMAIN,dc=com does not exist
> Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.502451715 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=domain,dc=com does not exist
> Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.504012530 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=domain,dc=com does not exist
> Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.639427471 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
> Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.688774307 -0500] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/hlipa03.domain.com@DOMAINDER.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
> Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.691560843 -0500] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meTohlipa06.domain.com" (hlipa06:389) - Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
> Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.693497359 -0500] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/hlipa03.domain.com@DOMAINDER.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
> Dec 25 12:50:11 hlipa03 ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available (default cache: /tmp/krb5cc_389))
> Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.721198701 -0500] - INFO - slapd_daemon - slapd started. Listening on /var/run/slapd-DOMAIN-COM.socket for LDAPI requests
> Dec 25 12:50:11 hlipa03 systemd: Started 389 Directory Server DOMAIN-COM..
> Dec 25 12:50:14 hlipa03 ns-slapd: [25/Dec/2021:12:50:14.723579661 -0500] - ERR - slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
> Dec 25 12:50:14 hlipa03 ns-slapd: [25/Dec/2021:12:50:14.724902033 -0500] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=cloneAgreement1-hlipa03.domain.com-pki-tomcat" (hlipa01:389) - Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ()
> Dec 25 12:50:14 hlipa03 ns-slapd: [25/Dec/2021:12:50:14.728132510 -0500] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/hlipa03.domain.com@DOMAINDER.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
> Dec 25 12:50:14 hlipa03 ns-slapd: [25/Dec/2021:12:50:14.731080779 -0500] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/hlipa03.domain.com@DOMAINDER.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
> Dec 25 12:50:14 hlipa03 ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available (default cache: /tmp/krb5cc_389))
> Dec 25 12:50:20 hlipa03 ns-slapd: [25/Dec/2021:12:50:20.735789980 -0500] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/hlipa03.domain.com@DOMAINDER.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
> Dec 25 12:50:20 hlipa03 ns-slapd: [25/Dec/2021:12:50:20.738768442 -0500] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/hlipa03.domain.com@DOMAINDER.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
> Dec 25 12:50:20 hlipa03 ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available (default cache: /tmp/krb5cc_389))
> Dec 25 12:50:20 hlipa03 ns-slapd: [25/Dec/2021:12:50:20.747472483 -0500] - ERR - slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
>
> Does anyone know what could be happening here?
You don't say what version of IPA you're running, but here is a guess.

Look in /etc/dirsrv/slapd-REALM/dse.ldif for: nsslapd-port and nsslapd-securePort. They should be set to 389 and 636 respectively. If not, stop 389-ds, manually make the change, then restart.

I have the feeling there are no listeners configured.

rob

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
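An added example of the check in the reply above, not code from the thread or from FreeIPA: it reads a dse.ldif (folded LDIF lines included), finds the cn=config entry, and reports whether nsslapd-port and nsslapd-securePort hold 389 and 636. The embedded SAMPLE_DSE is constructed; it carries nsslapd-port 0, which is the setting behind the "config_set_port - Non-Secure Port Disabled" NOTICE in the quoted startup log.

```python
import sys

# Values Rob's reply says an IPA-managed 389-ds should carry in cn=config.
EXPECTED = {"nsslapd-port": "389", "nsslapd-secureport": "636"}

def parse_ldif(text):
    """Minimal LDIF reader: list of entries, each {lowercased attr: [values]}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded continuation line
            lines[-1] += raw[1:]
        elif not raw.startswith("#"):
            lines.append(raw)
    entries, entry = [], {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if entry:
                entries.append(entry)
            entry = {}
            continue
        attr, _, value = line.partition(":")
        # "attr:: value" marks base64; it is kept undecoded, ports are plain text
        entry.setdefault(attr.strip().lower(), []).append(value.lstrip(": ").rstrip())
    return entries

def check_ports(text):
    """Map each listener attribute to (found, expected, ok) from cn=config."""
    config = next((e for e in parse_ldif(text)
                   if e.get("dn", [""])[0].lower() == "cn=config"), None)
    if config is None:
        raise ValueError("no cn=config entry found")
    found = {attr: config.get(attr, [None])[0] for attr in EXPECTED}
    return {a: (found[a], w, found[a] == w) for a, w in EXPECTED.items()}

# Constructed sample, not the poster's file: nsslapd-port 0 disables the plain
# listener, which is what the "Non-Secure Port Disabled" NOTICE reports.
SAMPLE_DSE = """\
dn: cn=config
cn: config
nsslapd-port: 0
nsslapd-securePort: 636

dn: cn=encryption,cn=config
cn: encryption
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DSE
    for attr, (found, want, ok) in check_ports(text).items():
        print(f"{attr}: {found!r}, expected {want}: {'OK' if ok else 'FIX'}")
```

Run it as `python3 check_ports.py /etc/dirsrv/slapd-REALM/dse.ldif` on the stopped instance; a FIX line names the attribute to correct before restarting 389-ds.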
