On 2013/30/01 09:19, Martin Kosek wrote: > On 01/30/2013 03:16 PM, Patrick Hemmer wrote: >> On 2013/30/01 03:33, Martin Kosek wrote: >>> On 01/30/2013 02:05 AM, free...@stormcloud9.net wrote: >>>> On 01/29/2013 07:49 PM, Dmitri Pal wrote: >>>>> On 01/29/2013 07:26 PM, free...@stormcloud9.net wrote: >>>>>> Using ipa-server 2.2.0-17 on Amazon linux (RHEL6 clone), and after using >>>>>> the >>>>>> `ipa-replica-install` script to configure the replica server, the service >>>>>> will not start. Whenever I try it throws "SASL(-4): no mechanism >>>>>> available" >>>>>> during start. >>>>>> >>>>>> Any ideas? >>>>>> >>>>>> Full output: >>>>>> >>>>>> # /etc/init.d/ipa start >>>>>> Starting Directory Service >>>>>> Starting dirsrv: >>>>>> CLIFF-CLOUDBURRITO-COM... [ OK ] >>>>>> PKI-IPA... [ OK ] >>>>>> Failed to read data from Directory Service: Unknown error when retrieving >>>>>> list of services from LDAP: {'info': 'SASL(-4): no mechanism available: >>>>>> ', >>>>>> 'desc': 'Unknown authentication method'} >>>>>> Shutting down >>>>>> Shutting down dirsrv: >>>>>> CLIFF-CLOUDBURRITO-COM... [ OK ] >>>>>> PKI-IPA... [ OK ] >>>>> Sounds like DS did not start under the CA. Please check the DS logs in the >>>>> PKI instance. >>>> ns-slapd appears to be starting fine. I can even start it manually, but >>>> `ipactl >>>> status` still shows the error: >>>> Below is the result of me starting it manually (directly running ns-slapd): >>>> >>>> # ps ax|grep slapd >>>> 15540 ? Sl 0:00 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-PKI-IPA >>>> -i >>>> /var/run/dirsrv/slapd-PKI-IPA.pid -w /var/run/dirsrv/slapd-PKI-IPA.startpid >>>> 15586 ? Sl 0:00 /usr/sbin/ns-slapd -D >>>> /etc/dirsrv/slapd-CLIFF-CLOUDBURRITO-COM -i >>>> /var/run/dirsrv/slapd-CLIFF-CLOUDBURRITO-COM.pid -w >>>> /var/run/dirsrv/slapd-CLIFF-CLOUDBURRITO-COM.startpid >>>> # netstat -tpnl | grep slapd >>>> tcp 0 0 :::636 :::* >>>> LISTEN 15586/ns-slapd >>>> tcp 0 0 :::7389 :::* >>>> LISTEN 15540/ns-slapd >>>> tcp 0 0 :::7390 :::* >>>> LISTEN 15540/ns-slapd >>>> tcp 0 0 :::389 :::* >>>> LISTEN 15586/ns-slapd >>>> # ipactl status >>>> Directory Service: RUNNING >>>> Unknown error when retrieving list of services from LDAP: {'info': >>>> 'SASL(-4): >>>> no mechanism available: ', 'desc': 'Unknown authentication method'} >>>> >>> Hello, >>> >>> OK, it seems that ipactl could not bind to your Directory Server. This >>> script >>> uses a "ldap_uri" configuration option value from /etc/ipa/default.conf to >>> connect to Directory Server via EXTERNAL auth. >>> >>> You can verify yourself if that bind works or not with the following >>> ldapsearch >>> (just replace $LDAP_URI_VALUE with your setting): >>> >>> # ldapsearch -Y EXTERNAL -H $LDAP_URI_VALUE -b >>> "cn=masters,cn=ipa,cn=etc,dc=cliff,dc=cloudburrito,dc=com" >>> >>> I assume it will report the same error as ipactl. We need to verify that the >>> referred LDAP URI is indeed right and functional. >>> >>> Martin >> The system had no /etc/ipa/default.conf >> I copied the one from the master server, changed the `host=` and >> `xmlrpc_uri=` parameters to reflect the replica server, and now `ipactl >> status`, along with everything else, is working perfectly. >> Should that file have been created during the `ipa-replica-install` >> process? I don't see anything in the documentation about having to copy >> and edit it manually. >> >> Thanks >> >> -Patrick >> > Yeah, this should have been created during ipa-replica-install. > > Can you please check /var/log/ipareplica-install.log and check if > ipa-client-install (which is run as part of ipa-replica-install) succeeded? I > have a suspicion you hit a bug I was fixing recently. > > Martin No, the client install failed: 2013-01-29T23:24:05Z DEBUG stderr= 2013-01-29T23:24:05Z DEBUG Restarting the web server 2013-01-29T23:24:06Z DEBUG args=/sbin/service httpd restart 2013-01-29T23:24:06Z DEBUG stdout=Stopping httpd: [ OK ] Starting httpd: [ OK ]
2013-01-29T23:24:06Z DEBUG stderr= 2013-01-29T23:24:20Z DEBUG args=/usr/sbin/ipa-client-install --on-master --unattended --domain cliff.cloudburrito.com --server i-d26b7f8b.ipa-server.us-west-1.cliff.cloudburrito.com --realm CLIFF.CLOUDBURRITO.COM 2013-01-29T23:24:20Z DEBUG stdout=Discovery was successful! Hostname: i-d26b7f8b.ipa-server.us-west-1.cliff.cloudburrito.com Realm: CLIFF.CLOUDBURRITO.COM DNS Domain: cliff.cloudburrito.com IPA Server: i-d26b7f8b.ipa-server.us-west-1.cliff.cloudburrito.com BaseDN: dc=cliff,dc=cloudburrito,dc=com Configured /etc/sssd/sssd.conf Installation failed. Rolling back changes. 2013-01-29T23:24:20Z DEBUG stderr=DNS domain 'cliff.cloudburrito.com' is not configured for automatic KDC address lookup. KDC address will be set to fixed value. Failed to add CA to the default NSS database. 2013-01-29T23:24:20Z DEBUG Failed to configure the client File "/usr/sbin/ipa-replica-install", line 496, in <module> main() File "/usr/sbin/ipa-replica-install", line 485, in main raise RuntimeError("Failed to configure the client") _______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users