On Thu, 17 Nov 2022, Rob Crittenden via FreeIPA-users wrote:
Roberto Cornacchia via FreeIPA-users wrote:
Oh. I hadn't forgotten. This is what happened.
These are my settings:
[root@ipa02 etc]# cat sysctl.conf | grep -v '#'
net.ipv6.conf.all.disable_ipv6=0
net.ipv6.conf.default.disable_ipv6=0
These will overwrite my settings:
[root@ipa02 etc]# cat sysctl.d/anaconda.conf
# Anaconda disabling ipv6 (noipv6 option)
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
Two questions:
- Does FreeIPA (or, some components therein) really require ipv6? During
installation, it forced me to enable it.
ipv6 can listen to both ipv4 and ipv6. It is required.
It is also a common misunderstanding among administrators. Man page for
ipv6(7) has it covered but people hardly read that:
----------
IPv4 connections can be handled with the v6 API by using the
v4-mapped-on-v6 address type; thus a program needs to support
only this API type to support both protocols. This is handled
transparently by the address handling functions in the C library.
IPv4 and IPv6 share the local port space. When you get an IPv4
connection or packet to an IPv6 socket, its source address will
be mapped to v6 and it will be mapped to v6.
----------
- If so, these anaconda settings look like a trivial way to break the
system. I didn't install anaconda, but it was probably part of some
dependencies. Can something be done to make this more robust?
It isn't a common issue.
rob
Best, Roberto
On Thu, 17 Nov 2022 at 19:06, Roberto Cornacchia
<[email protected]> wrote:
I found it!
dirsrv listens on ipv6 only.
I had set net.ipv6.conf.all.disable_ipv6
and net.ipv6.conf.all.disable_ipv6 to 0, but apparently forgot to
make the change permanent, so after the reboot ipv6 was disabled.
On Thu, 17 Nov 2022 at 18:50, Roberto Cornacchia
<[email protected]> wrote:
This, however, works:
# ldapsearch -H ldap://localhost:389 -x uid=roberto
# extended LDIF
#
# LDAPv3
# base <dc=hq,dc=spinque,dc=com> (default) with scope subtree
# filter: uid=roberto
# requesting: ALL
#
# roberto, users, compat, hq.spinque.com
dn: uid=roberto,cn=users,cn=compat,dc=hq,dc=spinque,dc=com
[.. omitted ..]
On Thu, 17 Nov 2022 at 18:44, Roberto Cornacchia
<[email protected]> wrote:
You still have a replication agreement, and until it's
removed you will keep seeing these messages. However
it's not related to this issue though.
Good to know. I hope there is a way to force removal of that
agreement.
- sometimes, but not always, this log also shows:
ERR - bdb_version_write - Could not open file
"/dev/shm/slapd-HQ-SPINQUE-COM/DBVERSION" for writing
Netscape Portable Runtime -5950 (File not found.)
This might happen after a system reboot. It should be
safe to ignore as long as the server still starts :)
Again, good to know, thanks
So looking at the error log it looks like the server is
started. Schema compat plugin is doing its
initialization which is very resource intensive, but the
server should still be working.
Try doing a ldapsearch just to see if it's responding:
ldapsearch -H ldap://localhost:389 -b "" -s base -D "cn=directory manager" -W
Ouch, I don't have the directory manager password with me at
the moment, I'll have to wait till tomorrow when I go to the
office.
The server is up and listening:
# netstat -tulnp | grep 389
tcp6 0 0 :::389 :::* LISTEN 3575/ns-slapd
However, it's not just a slow start.
I can start all the other services via systemctl, so things
seem ok, but when much later I do ipactl stop I get:
# ipactl stop
Failed to read data from Directory Service: Timeout exceeded
Shutting down
So, it's really not cooperating.
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
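
Added example, not part of the original thread and not FreeIPA or systemd code: a small POSIX shell function that reports which file supplies the effective value of a sysctl key, using the ordering documented in sysctl.d(5) (files sorted by name across directories, last assignment wins). The 99-sysctl.conf name standing in for /etc/sysctl.conf is an assumption (on RHEL-family systems it is normally a symlink to that file); the function name and the temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# effective_sysctl KEY DIR...
# Prints "<value><TAB><file>" for the assignment that is applied last when the
# *.conf files are read the way sysctl.d(5) describes: sorted by file name
# across all DIRs, a file in an earlier DIR masking same-named files later on.
effective_sysctl() (
    key=$1; shift
    for dir in "$@"; do
        for f in "$dir"/*.conf; do
            if [ -e "$f" ]; then printf '%s\t%s\n' "${f##*/}" "$f"; fi
        done
    done |
    awk -F '\t' '!seen[$1]++' |
    LC_ALL=C sort -t "$(printf '\t')" -k1,1 |
    cut -f2 |
    while IFS= read -r path; do
        awk -v key="$key" -v file="$path" '
            /^[ \t]*[#;]/ { next }              # skip comment lines
            {
                i = index($0, "="); if (!i) next
                k = substr($0, 1, i - 1); v = substr($0, i + 1)
                sub(/^[ \t]*-?/, "", k); sub(/[ \t]+$/, "", k)
                sub(/^[ \t]+/, "", v);   sub(/[ \t]+$/, "", v)
                if (k == key) print v "\t" file
            }' "$path"
    done | tail -n 1    # the last assignment read is the effective one
)

# Constructed reproduction of the two files quoted in the thread.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/etc/sysctl.d"
# Assumption: 99-sysctl.conf carries the contents of /etc/sysctl.conf.
printf 'net.ipv6.conf.all.disable_ipv6=0\n' > "$demo/etc/sysctl.d/99-sysctl.conf"
printf '# Anaconda disabling ipv6 (noipv6 option)\nnet.ipv6.conf.all.disable_ipv6=1\n' \
    > "$demo/etc/sysctl.d/anaconda.conf"

# "anaconda.conf" sorts after "99-sysctl.conf", so its value is applied last.
effective_sysctl net.ipv6.conf.all.disable_ipv6 "$demo/etc/sysctl.d"
```

On a live host, pass the real directories in priority order, for example /etc/sysctl.d /run/sysctl.d /usr/lib/sysctl.d. A drop-in whose file name sorts after anaconda.conf is then the one that takes effect.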