Arne Verheyden via FreeIPA-users wrote:
> Hello,
>
> Thank you for the answer! I don't know how I overlooked that thread, but he
> seems to have the exact same error messages. Unfortunately I do not seem to
> have the same issue causing my problems. I tried running the command
> `pki securitydomain-show` and it had this output:
>
> Domain: IPA
>
> CA Subsystem:
>
> Host ID: CA ipa01.example.com 443
> Hostname: ipa01.example.com
> Port: 80
> Secure Port: 443
> Domain Manager: TRUE
>
> Which is what I would expect to see, so no ghost pki servers.
>
> Because your post on that thread said that the problem is likely on the
> master, I looked again at some of the logs on there but I am not entirely
> sure what to make of them.
>
> /var/log/httpd/error_log:
>
> [Tue Jun 27 19:15:32.337225 2023] [auth_gssapi:error] [pid 6960] [client 193.190.253.81:51488] Failed to unseal session data!, referer: https://ipa01.exampe.com/ipa/xml
> [Tue Jun 27 19:15:32.337346 2023] [auth_gssapi:error] [pid 6960] [client 193.190.253.81:51488] NO AUTH DATA Client did not send any authentication headers, referer: https://ipa01.example.com/ipa/xml
> [Tue Jun 27 19:15:32.616436 2023] [:error] [pid 6955] ipa: INFO: 401 Unauthorized: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)
> [Tue Jun 27 19:15:32.934945 2023] [:error] [pid 6954] ipa: INFO: 401 Unauthorized: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)
>
> And I also found some errors in /var/log/dirsv/slapd-EXAMPLE-COM/errors:
>
> [27/Jun/2023:17:29:09.056259008 +0200] - ERR - cos-plugin - cos_dn_defs_cb - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=example,dc=com--no CoS Templates found, which should be added before the CoS Definition.
> [27/Jun/2023:17:29:09.178628062 +0200] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/[email protected]] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
> [27/Jun/2023:17:29:09.246224361 +0200] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
> [27/Jun/2023:17:29:09.315077882 +0200] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests
> [27/Jun/2023:17:29:09.375742873 +0200] - INFO - slapd_daemon - Listening on /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests
> [27/Jun/2023:17:29:09.415783191 +0200] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
> [27/Jun/2023:17:29:10.745933826 +0200] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToreplica1.example.com" (replica1:389) - Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
> [27/Jun/2023:17:29:14.894515440 +0200] - ERR - schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=example,dc=com
> [27/Jun/2023:17:29:20.263045483 +0200] - ERR - schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=example,dc=com
> [27/Jun/2023:17:29:20.308590630 +0200] - ERR - schema-compat-plugin - Finished plugin initialization.
> [27/Jun/2023:17:30:44.625896180 +0200] - INFO - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToreplica1.example.com" (replica1:389): Replication bind with GSSAPI auth resumed
> [27/Jun/2023:19:04:28.171069570 +0200] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToreplica1.example.com" (replica1:389) - Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
> [27/Jun/2023:19:07:37.983080605 +0200] - INFO - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToreplica1.example.com" (replica1:389): Replication bind with GSSAPI auth resumed
> [27/Jun/2023:19:55:46.403689644 +0200] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToreplica1.example.com" (replica1:389) - Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
> [27/Jun/2023:19:57:19.079492205 +0200] - INFO - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToreplica1.example.com" (replica1:389): Replication bind with GSSAPI auth resumed
> [27/Jun/2023:20:20:55.449501930 +0200] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToreplica1.example.com" (replica1:389) - Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
> [27/Jun/2023:20:22:28.551932671 +0200] - INFO - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToreplica1.example.com" (replica1:389): Replication bind with GSSAPI auth resumed
>
> Do you have any other insights or things I could try to help resolve my issue?
I'd suggest doing what was done in
https://lists.fedoraproject.org/archives/list/[email protected]/thread/VCARE7OOXWBEB5UXF75AQVFQXNOA43XM/#VFPHENT3PPWTY6W5L42FKQJFQ5GBWKOR

And either insert a pdb.set_trace() right before the check or print the value of keys. This might provide a clue as to what host name is being provided vs what it is expecting.

rob

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
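The 389-ds errors log quoted above alternates "Replication bind with GSSAPI auth failed" and "resumed" lines for the same agreement, and reading the outage windows off them by hand is error-prone. The script below is an added example, not code from either poster or from FreeIPA: it parses that line format, pairs each failure with the next resume per agreement, reports the duration, and flags an agreement still down at the end of the log. The sample log is constructed from the format shown in the thread.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the 389-ds errors log quoted in the thread;
# the last "failed" line deliberately has no matching "resumed" line.
SAMPLE_LOG = """\
[27/Jun/2023:17:29:09.246224361 +0200] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
[27/Jun/2023:17:29:10.745933826 +0200] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToreplica1.example.com" (replica1:389) - Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[27/Jun/2023:17:30:44.625896180 +0200] - INFO - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToreplica1.example.com" (replica1:389): Replication bind with GSSAPI auth resumed
[27/Jun/2023:19:04:28.171069570 +0200] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToreplica1.example.com" (replica1:389) - Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[27/Jun/2023:19:07:37.983080605 +0200] - INFO - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToreplica1.example.com" (replica1:389): Replication bind with GSSAPI auth resumed
[27/Jun/2023:20:20:55.449501930 +0200] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToreplica1.example.com" (replica1:389) - Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
"""

# Matches only the replication-bind lines; everything else is skipped.
LINE_RE = re.compile(
    r'^\[(?P<date>\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})\.(?P<frac>\d+) (?P<tz>[+-]\d{4})\] '
    r'- \w+ - NSMMReplicationPlugin - bind_and_check_pwp - agmt="(?P<agmt>[^"]+)" '
    r'\((?P<peer>[^)]+)\)[ :-]+Replication bind with GSSAPI auth (?P<state>failed|resumed)'
)

def parse_ts(date, frac, tz):
    """389-ds prints nanoseconds; strptime only takes microseconds, so truncate."""
    base = datetime.strptime(f"{date} {tz}", "%d/%b/%Y:%H:%M:%S %z")
    return base + timedelta(microseconds=int(frac[:6].ljust(6, "0")))

def bind_outages(log_text):
    """Return [(agmt, peer, failed_at, resumed_at or None, seconds or None)]."""
    pending, outages = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = parse_ts(m["date"], m["frac"], m["tz"])
        key = (m["agmt"], m["peer"])
        if m["state"] == "failed":
            pending.setdefault(key, ts)   # keep the first failure of a streak
        elif key in pending:
            start = pending.pop(key)
            outages.append((*key, start, ts, (ts - start).total_seconds()))
    for key, start in pending.items():   # agreements still down at end of log
        outages.append((*key, start, None, None))
    return outages

if __name__ == "__main__":
    for agmt, peer, start, end, secs in bind_outages(SAMPLE_LOG):
        status = f"resumed {end.time()} after {secs:.1f} s" if end else "NOT RESUMED"
        print(f"{agmt} ({peer}): failed {start.time()} -> {status}")
```

A window that never closes, or windows that line up with the "Cannot contact any KDC" error at startup, points at the KDC or DNS path between the master and that replica rather than at the agreement itself.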
