On 01/30/2013 03:16 PM, Patrick Hemmer wrote:
> On 2013/30/01 03:33, Martin Kosek wrote:
>> On 01/30/2013 02:05 AM, free...@stormcloud9.net wrote:
>>> On 01/29/2013 07:49 PM, Dmitri Pal wrote:
>>>> On 01/29/2013 07:26 PM, free...@stormcloud9.net wrote:
>>>>> Using ipa-server 2.2.0-17 on Amazon linux (RHEL6 clone), and after using 
>>>>> the
>>>>> `ipa-replica-install` script to configure the replica server, the service
>>>>> will not start. Whenever I try it throws "SASL(-4): no mechanism 
>>>>> available"
>>>>> during start.
>>>>>
>>>>> Any ideas?
>>>>>
>>>>> Full output:
>>>>>
>>>>> # /etc/init.d/ipa start
>>>>> Starting Directory Service
>>>>> Starting dirsrv:
>>>>>     CLIFF-CLOUDBURRITO-COM...                              [  OK  ]
>>>>>     PKI-IPA...                                             [  OK  ]
>>>>> Failed to read data from Directory Service: Unknown error when retrieving
>>>>> list of services from LDAP: {'info': 'SASL(-4): no mechanism available: ',
>>>>> 'desc': 'Unknown authentication method'}
>>>>> Shutting down
>>>>> Shutting down dirsrv:
>>>>>     CLIFF-CLOUDBURRITO-COM...                              [  OK  ]
>>>>>     PKI-IPA...                                             [  OK  ]
>>>> Sounds like DS did not start under the CA. Please check the DS logs in the
>>>> PKI instance.
>>> ns-slapd appears to be starting fine. I can even start it manually, but 
>>> `ipactl
>>> status` still shows the error:
>>> Below is the result of me starting it manually (directly running ns-slapd):
>>>
>>> # ps ax|grep slapd
>>> 15540 ?        Sl     0:00 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-PKI-IPA 
>>> -i
>>> /var/run/dirsrv/slapd-PKI-IPA.pid -w /var/run/dirsrv/slapd-PKI-IPA.startpid
>>> 15586 ?        Sl     0:00 /usr/sbin/ns-slapd -D
>>> /etc/dirsrv/slapd-CLIFF-CLOUDBURRITO-COM -i
>>> /var/run/dirsrv/slapd-CLIFF-CLOUDBURRITO-COM.pid -w
>>> /var/run/dirsrv/slapd-CLIFF-CLOUDBURRITO-COM.startpid
>>> # netstat -tpnl | grep slapd
>>> tcp        0      0 :::636                      :::*                       
>>> LISTEN      15586/ns-slapd     
>>> tcp        0      0 :::7389                     :::*                       
>>> LISTEN      15540/ns-slapd     
>>> tcp        0      0 :::7390                     :::*                       
>>> LISTEN      15540/ns-slapd     
>>> tcp        0      0 :::389                      :::*                       
>>> LISTEN      15586/ns-slapd     
>>> # ipactl status
>>> Directory Service: RUNNING
>>> Unknown error when retrieving list of services from LDAP: {'info': 
>>> 'SASL(-4):
>>> no mechanism available: ', 'desc': 'Unknown authentication method'}
>>>
>>
>> Hello,
>>
>> OK, it seems that ipactl could not bind to your Directory Server. This script
>> uses a "ldap_uri" configuration option value from /etc/ipa/default.conf to
>> connect to Directory Server via EXTERNAL auth.
>>
>> You can verify yourself if that bind works or not with the following 
>> ldapsearch
>> (just replace $LDAP_URI_VALUE with your setting):
>>
>> # ldapsearch -Y EXTERNAL -H $LDAP_URI_VALUE -b
>> "cn=masters,cn=ipa,cn=etc,dc=cliff,dc=cloudburrito,dc=com"
>>
>> I assume it will report the same error as ipactl. We need to verify that the
>> referred LDAP URI is indeed right and functional.
>>
>> Martin
> 
> The system had no /etc/ipa/default.conf
> I copied the one from the master server, changed the `host=` and
> `xmlrpc_uri=` parameters to reflect the replica server, and now `ipactl
> status`, along with everything else, is working perfectly.
> Should that file have been created during the `ipa-replica-install`
> process? I don't see anything in the documentation about having to copy
> and edit it manually.
> 
> Thanks
> 
> -Patrick
> 

Yeah, this should have been created during ipa-replica-install.

Can you please check /var/log/ipareplica-install.log and check if
ipa-client-install (which is run as part of ipa-replica-install) succeeded? I
have a suspicion you hit a bug I was fixing recently.

Martin

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to