Hello,

Thank you for the answer! I don't know how I overlooked that thread, but he 
seems to have the exact same error messages. Unfortunately I do not seem to 
have the same issue causing my problems. I tried running the command `pki 
securitydomain-show` and it had this output: 
  Domain: IPA
  CA Subsystem:

    Host ID: CA ipa01.example.com 443
    Hostname: ipa01.example.com
    Port: 80
    Secure Port: 443
    Domain Manager: TRUE

Which is what I would expect to see, so no ghost pki servers.

Because your post on that thread said that the problem is likely on the master, 
I looked again at some of the logs on there, but I am not entirely sure what to 
make of them. 
/var/log/httpd/error_log:
[Tue Jun 27 19:15:32.337225 2023] [auth_gssapi:error] [pid 6960] [client 193.190.253.81:51488] Failed to unseal session data!, referer: https://ipa01.exampe.com/ipa/xml
[Tue Jun 27 19:15:32.337346 2023] [auth_gssapi:error] [pid 6960] [client 193.190.253.81:51488] NO AUTH DATA Client did not send any authentication headers, referer: https://ipa01.example.com/ipa/xml
[Tue Jun 27 19:15:32.616436 2023] [:error] [pid 6955] ipa: INFO: 401 Unauthorized: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credential cache is empty)
[Tue Jun 27 19:15:32.934945 2023] [:error] [pid 6954] ipa: INFO: 401 Unauthorized: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credential cache is empty)

And I also found some errors in /var/log/dirsrv/slapd-EXAMPLE-COM/errors:
[27/Jun/2023:17:29:09.056259008 +0200] - ERR - cos-plugin - cos_dn_defs_cb - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=example,dc=com--no CoS Templates found, which should be added before the CoS Definition.
[27/Jun/2023:17:29:09.178628062 +0200] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/ipa01.example....@example.com] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[27/Jun/2023:17:29:09.246224361 +0200] - INFO - slapd_daemon - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[27/Jun/2023:17:29:09.315077882 +0200] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests
[27/Jun/2023:17:29:09.375742873 +0200] - INFO - slapd_daemon - Listening on /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests
[27/Jun/2023:17:29:09.415783191 +0200] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
[27/Jun/2023:17:29:10.745933826 +0200] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToreplica1.example.com" (replica1:389) - Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[27/Jun/2023:17:29:14.894515440 +0200] - ERR - schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=example,dc=com
[27/Jun/2023:17:29:20.263045483 +0200] - ERR - schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=example,dc=com
[27/Jun/2023:17:29:20.308590630 +0200] - ERR - schema-compat-plugin - Finished plugin initialization.
[27/Jun/2023:17:30:44.625896180 +0200] - INFO - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToreplica1.example.com" (replica1:389): Replication bind with GSSAPI auth resumed
[27/Jun/2023:19:04:28.171069570 +0200] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToreplica1.example.com" (replica1:389) - Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[27/Jun/2023:19:07:37.983080605 +0200] - INFO - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToreplica1.example.com" (replica1:389): Replication bind with GSSAPI auth resumed
[27/Jun/2023:19:55:46.403689644 +0200] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToreplica1.example.com" (replica1:389) - Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[27/Jun/2023:19:57:19.079492205 +0200] - INFO - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToreplica1.example.com" (replica1:389): Replication bind with GSSAPI auth resumed
[27/Jun/2023:20:20:55.449501930 +0200] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToreplica1.example.com" (replica1:389) - Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[27/Jun/2023:20:22:28.551932671 +0200] - INFO - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToreplica1.example.com" (replica1:389): Replication bind with GSSAPI auth resumed

Do you have any other insights or things I could try to help resolve my issue?

Sincerely,
Arne
