On 01/30/2013 03:22 PM, free...@stormcloud9.net wrote:
>
> On 2013/30/01 09:19, Martin Kosek wrote:
>> On 01/30/2013 03:16 PM, Patrick Hemmer wrote:
>>> On 2013/30/01 03:33, Martin Kosek wrote:
>>>> On 01/30/2013 02:05 AM, free...@stormcloud9.net wrote:
>>>>> On 01/29/2013 07:49 PM, Dmitri Pal wrote:
>>>>>> On 01/29/2013 07:26 PM, free...@stormcloud9.net wrote:
>>>>>>> Using ipa-server 2.2.0-17 on Amazon Linux (RHEL6 clone), and after using the
>>>>>>> `ipa-replica-install` script to configure the replica server, the service
>>>>>>> will not start. Whenever I try it throws "SASL(-4): no mechanism available"
>>>>>>> during start.
>>>>>>>
>>>>>>> Any ideas?
>>>>>>>
>>>>>>> Full output:
>>>>>>>
>>>>>>> # /etc/init.d/ipa start
>>>>>>> Starting Directory Service
>>>>>>> Starting dirsrv:
>>>>>>> CLIFF-CLOUDBURRITO-COM... [ OK ]
>>>>>>> PKI-IPA... [ OK ]
>>>>>>> Failed to read data from Directory Service: Unknown error when retrieving list of services from LDAP: {'info': 'SASL(-4): no mechanism available: ', 'desc': 'Unknown authentication method'}
>>>>>>> Shutting down
>>>>>>> Shutting down dirsrv:
>>>>>>> CLIFF-CLOUDBURRITO-COM... [ OK ]
>>>>>>> PKI-IPA... [ OK ]
>>>>>> Sounds like DS did not start under the CA. Please check the DS logs in the
>>>>>> PKI instance.
>>>>> ns-slapd appears to be starting fine. I can even start it manually, but
>>>>> `ipactl status` still shows the error:
>>>>> Below is the result of me starting it manually (directly running ns-slapd):
>>>>>
>>>>> # ps ax|grep slapd
>>>>> 15540 ? Sl 0:00 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-PKI-IPA -i /var/run/dirsrv/slapd-PKI-IPA.pid -w /var/run/dirsrv/slapd-PKI-IPA.startpid
>>>>> 15586 ? Sl 0:00 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-CLIFF-CLOUDBURRITO-COM -i /var/run/dirsrv/slapd-CLIFF-CLOUDBURRITO-COM.pid -w /var/run/dirsrv/slapd-CLIFF-CLOUDBURRITO-COM.startpid
>>>>> # netstat -tpnl | grep slapd
>>>>> tcp 0 0 :::636 :::* LISTEN 15586/ns-slapd
>>>>> tcp 0 0 :::7389 :::* LISTEN 15540/ns-slapd
>>>>> tcp 0 0 :::7390 :::* LISTEN 15540/ns-slapd
>>>>> tcp 0 0 :::389 :::* LISTEN 15586/ns-slapd
>>>>> # ipactl status
>>>>> Directory Service: RUNNING
>>>>> Unknown error when retrieving list of services from LDAP: {'info': 'SASL(-4): no mechanism available: ', 'desc': 'Unknown authentication method'}
>>>>>
>>>> Hello,
>>>>
>>>> OK, it seems that ipactl could not bind to your Directory Server. This script
>>>> uses a "ldap_uri" configuration option value from /etc/ipa/default.conf to
>>>> connect to Directory Server via EXTERNAL auth.
>>>>
>>>> You can verify yourself if that bind works or not with the following ldapsearch
>>>> (just replace $LDAP_URI_VALUE with your setting):
>>>>
>>>> # ldapsearch -Y EXTERNAL -H $LDAP_URI_VALUE -b "cn=masters,cn=ipa,cn=etc,dc=cliff,dc=cloudburrito,dc=com"
>>>>
>>>> I assume it will report the same error as ipactl. We need to verify that the
>>>> referred LDAP URI is indeed right and functional.
>>>>
>>>> Martin
>>> The system had no /etc/ipa/default.conf
>>> I copied the one from the master server, changed the `host=` and
>>> `xmlrpc_uri=` parameters to reflect the replica server, and now `ipactl
>>> status`, along with everything else, is working perfectly.
>>> Should that file have been created during the `ipa-replica-install`
>>> process? I don't see anything in the documentation about having to copy
>>> and edit it manually.
>>>
>>> Thanks
>>>
>>> -Patrick
>>>
>> Yeah, this should have been created during ipa-replica-install.
>>
>> Can you please check /var/log/ipareplica-install.log and check if
>> ipa-client-install (which is run as part of ipa-replica-install) succeeded? I
>> have a suspicion you hit a bug I was fixing recently.
>>
>> Martin
> No, the client install failed:
> 2013-01-29T23:24:05Z DEBUG stderr=
> 2013-01-29T23:24:05Z DEBUG Restarting the web server
> 2013-01-29T23:24:06Z DEBUG args=/sbin/service httpd restart
> 2013-01-29T23:24:06Z DEBUG stdout=Stopping httpd: [ OK ]
> Starting httpd: [ OK ]
>
> 2013-01-29T23:24:06Z DEBUG stderr=
> 2013-01-29T23:24:20Z DEBUG args=/usr/sbin/ipa-client-install --on-master --unattended --domain cliff.cloudburrito.com --server i-d26b7f8b.ipa-server.us-west-1.cliff.cloudburrito.com --realm CLIFF.CLOUDBURRITO.COM
> 2013-01-29T23:24:20Z DEBUG stdout=Discovery was successful!
> Hostname: i-d26b7f8b.ipa-server.us-west-1.cliff.cloudburrito.com
> Realm: CLIFF.CLOUDBURRITO.COM
> DNS Domain: cliff.cloudburrito.com
> IPA Server: i-d26b7f8b.ipa-server.us-west-1.cliff.cloudburrito.com
> BaseDN: dc=cliff,dc=cloudburrito,dc=com
>
>
> Configured /etc/sssd/sssd.conf
> Installation failed. Rolling back changes.
>
> 2013-01-29T23:24:20Z DEBUG stderr=DNS domain 'cliff.cloudburrito.com' is not configured for automatic KDC address lookup.
> KDC address will be set to fixed value.
>
> Failed to add CA to the default NSS database.
>
> 2013-01-29T23:24:20Z DEBUG Failed to configure the client
>   File "/usr/sbin/ipa-replica-install", line 496, in <module>
>     main()
>
>   File "/usr/sbin/ipa-replica-install", line 485, in main
>     raise RuntimeError("Failed to configure the client")
>
Getting warmer...

Can you please check /var/log/ipaclient-install.log if there is a reason why it failed? The problem here is that the client removed default.conf, keytabs etc. when it uninstalled itself due to the failure.

Thanks,
Martin
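
An added example (not part of the thread and not FreeIPA code): a short Python triage script for the ipareplica-install.log format quoted above. It groups continuation lines under their timestamped entry and reports which `args=` command produced failure output. The function names and the `failed|error` marker list are assumptions; the sample is an excerpt of the log lines quoted in the message, with blank lines dropped.

```python
import re

# Excerpt of the ipareplica-install.log lines quoted in the thread (blank lines dropped).
SAMPLE_LOG = """\
2013-01-29T23:24:06Z DEBUG args=/sbin/service httpd restart
2013-01-29T23:24:06Z DEBUG stdout=Stopping httpd: [ OK ]
Starting httpd: [ OK ]
2013-01-29T23:24:06Z DEBUG stderr=
2013-01-29T23:24:20Z DEBUG args=/usr/sbin/ipa-client-install --on-master --unattended --domain cliff.cloudburrito.com --server i-d26b7f8b.ipa-server.us-west-1.cliff.cloudburrito.com --realm CLIFF.CLOUDBURRITO.COM
2013-01-29T23:24:20Z DEBUG stdout=Discovery was successful!
Configured /etc/sssd/sssd.conf
Installation failed. Rolling back changes.
2013-01-29T23:24:20Z DEBUG stderr=DNS domain 'cliff.cloudburrito.com' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.
Failed to add CA to the default NSS database.
2013-01-29T23:24:20Z DEBUG Failed to configure the client
"""

ENTRY = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (\w+) (.*)$")
FAILURE = re.compile(r"\b(failed|error)\b", re.IGNORECASE)  # assumed markers

def entries(text):
    """Group continuation lines under the timestamped line that starts them."""
    out = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            out.append([m.group(1), m.group(3)])
        elif out:
            out[-1][1] += "\n" + line
    return out

def failed_commands(text):
    """Return (timestamp, command, failure_lines) for commands with failure output."""
    results, current = [], None
    for ts, msg in entries(text):
        if msg.startswith("args="):
            current = (ts, msg[5:], [])
            results.append(current)
        elif current and msg.startswith(("stdout=", "stderr=")):
            body = msg.split("=", 1)[1]
            current[2].extend(l.strip() for l in body.splitlines() if FAILURE.search(l))
        else:
            current = None  # plain message: not part of a command's output
    return [r for r in results if r[2]]

if __name__ == "__main__":
    print(failed_commands(SAMPLE_LOG))
```

On the excerpt, only the ipa-client-install invocation is reported; the httpd restart is skipped because its output carries no failure marker.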