On 01/30/2013 11:43 AM, free...@stormcloud9.net wrote:
> On 2013/30/01 09:37, Martin Kosek wrote:
>> On 01/30/2013 03:22 PM, free...@stormcloud9.net wrote:
>>> On 2013/30/01 09:19, Martin Kosek wrote:
>>>> On 01/30/2013 03:16 PM, Patrick Hemmer wrote:
>>>>> On 2013/30/01 03:33, Martin Kosek wrote:
>>>>>> On 01/30/2013 02:05 AM, free...@stormcloud9.net wrote:
>>>>>>> On 01/29/2013 07:49 PM, Dmitri Pal wrote:
>>>>>>>> On 01/29/2013 07:26 PM, free...@stormcloud9.net wrote:
>>>>>>>>> Using ipa-server 2.2.0-17 on Amazon linux (RHEL6 clone), and after 
>>>>>>>>> using the
>>>>>>>>> `ipa-replica-install` script to configure the replica server, the 
>>>>>>>>> service
>>>>>>>>> will not start. Whenever I try it throws "SASL(-4): no mechanism 
>>>>>>>>> available"
>>>>>>>>> during start.
>>>>>>>>>
>>>>>>>>> Any ideas?
>>>>>>>>>
>>>>>>>>> Full output:
>>>>>>>>>
>>>>>>>>> # /etc/init.d/ipa start
>>>>>>>>> Starting Directory Service
>>>>>>>>> Starting dirsrv:
>>>>>>>>>     CLIFF-CLOUDBURRITO-COM...                              [  OK  ]
>>>>>>>>>     PKI-IPA...                                             [  OK  ]
>>>>>>>>> Failed to read data from Directory Service: Unknown error when 
>>>>>>>>> retrieving
>>>>>>>>> list of services from LDAP: {'info': 'SASL(-4): no mechanism 
>>>>>>>>> available: ',
>>>>>>>>> 'desc': 'Unknown authentication method'}
>>>>>>>>> Shutting down
>>>>>>>>> Shutting down dirsrv:
>>>>>>>>>     CLIFF-CLOUDBURRITO-COM...                              [  OK  ]
>>>>>>>>>     PKI-IPA...                                             [  OK  ]
>>>>>>>> Sounds like DS did not start under the CA. Please check the DS logs in 
>>>>>>>> the
>>>>>>>> PKI instance.
>>>>>>> ns-slapd appears to be starting fine. I can even start it manually, but 
>>>>>>> `ipactl
>>>>>>> status` still shows the error:
>>>>>>> Below is the result of me starting it manually (directly running 
>>>>>>> ns-slapd):
>>>>>>>
>>>>>>> # ps ax|grep slapd
>>>>>>> 15540 ?        Sl     0:00 /usr/sbin/ns-slapd -D 
>>>>>>> /etc/dirsrv/slapd-PKI-IPA -i
>>>>>>> /var/run/dirsrv/slapd-PKI-IPA.pid -w 
>>>>>>> /var/run/dirsrv/slapd-PKI-IPA.startpid
>>>>>>> 15586 ?        Sl     0:00 /usr/sbin/ns-slapd -D
>>>>>>> /etc/dirsrv/slapd-CLIFF-CLOUDBURRITO-COM -i
>>>>>>> /var/run/dirsrv/slapd-CLIFF-CLOUDBURRITO-COM.pid -w
>>>>>>> /var/run/dirsrv/slapd-CLIFF-CLOUDBURRITO-COM.startpid
>>>>>>> # netstat -tpnl | grep slapd
>>>>>>> tcp        0      0 :::636                      :::*                    
>>>>>>>    
>>>>>>> LISTEN      15586/ns-slapd     
>>>>>>> tcp        0      0 :::7389                     :::*                    
>>>>>>>    
>>>>>>> LISTEN      15540/ns-slapd     
>>>>>>> tcp        0      0 :::7390                     :::*                    
>>>>>>>    
>>>>>>> LISTEN      15540/ns-slapd     
>>>>>>> tcp        0      0 :::389                      :::*                    
>>>>>>>    
>>>>>>> LISTEN      15586/ns-slapd     
>>>>>>> # ipactl status
>>>>>>> Directory Service: RUNNING
>>>>>>> Unknown error when retrieving list of services from LDAP: {'info': 
>>>>>>> 'SASL(-4):
>>>>>>> no mechanism available: ', 'desc': 'Unknown authentication method'}
>>>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> OK, it seems that ipactl could not bind to your Directory Server. This 
>>>>>> script
>>>>>> uses a "ldap_uri" configuration option value from /etc/ipa/default.conf 
>>>>>> to
>>>>>> connect to Directory Server via EXTERNAL auth.
>>>>>>
>>>>>> You can verify yourself if that bind works or not with the following 
>>>>>> ldapsearch
>>>>>> (just replace $LDAP_URI_VALUE with your setting):
>>>>>>
>>>>>> # ldapsearch -Y EXTERNAL -H $LDAP_URI_VALUE -b
>>>>>> "cn=masters,cn=ipa,cn=etc,dc=cliff,dc=cloudburrito,dc=com"
>>>>>>
>>>>>> I assume it will report the same error as ipactl. We need to verify that 
>>>>>> the
>>>>>> referred LDAP URI is indeed right and functional.
>>>>>>
>>>>>> Martin
>>>>> The system had no /etc/ipa/default.conf
>>>>> I copied the one from the master server, changed the `host=` and
>>>>> `xmlrpc_uri=` parameters to reflect the replica server, and now `ipactl
>>>>> status`, along with everything else, is working perfectly.
>>>>> Should that file have been created during the `ipa-replica-install`
>>>>> process? I don't see anything in the documentation about having to copy
>>>>> and edit it manually.
>>>>>
>>>>> Thanks
>>>>>
>>>>> -Patrick
>>>>>
>>>> Yeah, this should have been created during ipa-replica-install.
>>>>
>>>> Can you please check /var/log/ipareplica-install.log and check if
>>>> ipa-client-install (which is run as part of ipa-replica-install) 
>>>> succeeded? I
>>>> have a suspicion you hit a bug I was fixing recently.
>>>>
>>>> Martin
>>> No, the client install failed:
>>> 2013-01-29T23:24:05Z DEBUG stderr=
>>> 2013-01-29T23:24:05Z DEBUG Restarting the web server
>>> 2013-01-29T23:24:06Z DEBUG args=/sbin/service httpd restart
>>> 2013-01-29T23:24:06Z DEBUG stdout=Stopping httpd:          [  OK  ]
>>> Starting httpd:                                            [  OK  ]
>>>
>>> 2013-01-29T23:24:06Z DEBUG stderr=
>>> 2013-01-29T23:24:20Z DEBUG args=/usr/sbin/ipa-client-install --on-master
>>> --unattended --domain cliff.cloudburrito.com --server
>>> i-d26b7f8b.ipa-server.us-west-1.cliff.cloudburrito.com --realm
>>> CLIFF.CLOUDBURRITO.COM
>>> 2013-01-29T23:24:20Z DEBUG stdout=Discovery was successful!
>>> Hostname: i-d26b7f8b.ipa-server.us-west-1.cliff.cloudburrito.com
>>> Realm: CLIFF.CLOUDBURRITO.COM
>>> DNS Domain: cliff.cloudburrito.com
>>> IPA Server: i-d26b7f8b.ipa-server.us-west-1.cliff.cloudburrito.com
>>> BaseDN: dc=cliff,dc=cloudburrito,dc=com
>>>
>>>
>>> Configured /etc/sssd/sssd.conf
>>> Installation failed. Rolling back changes.
>>>
>>> 2013-01-29T23:24:20Z DEBUG stderr=DNS domain 'cliff.cloudburrito.com' is
>>> not configured for automatic KDC address lookup.
>>> KDC address will be set to fixed value.
>>>
>>> Failed to add CA to the default NSS database.
>>>
>>> 2013-01-29T23:24:20Z DEBUG Failed to configure the client
>>>   File "/usr/sbin/ipa-replica-install", line 496, in <module>
>>>     main()
>>>
>>>   File "/usr/sbin/ipa-replica-install", line 485, in main
>>>     raise RuntimeError("Failed to configure the client")
>>>
>> Getting warmer... Can you please check /var/log/ipaclient-install.log if 
>> there
>> is a reason why it failed? The problem here is that the client removed
>> default.conf, keytabs etc. when it uninstalled itself due to the failure.
>>
>> Thanks,
>> Martin
> Below is the last few lines of the file.
> It looks like it's failing because sssd is already configured. This is
> true as our servers are preconfigured for sssd to use the IPA master
> server. If this is indeed the cause, is there any way to have it not
> configure sssd? Or should I wipe the sssd config before attempting to
> set up the replica?
> Could it also be fixed so that if the client install does fail, that it
> doesn't break the server?
>
> 2013-01-30T16:28:38Z DEBUG stderr=
> 2013-01-30T16:28:38Z DEBUG Restoring client configuration files
> 2013-01-30T16:28:38Z DEBUG args=/usr/sbin/selinuxenabled
> 2013-01-30T16:28:38Z DEBUG stdout=
> 2013-01-30T16:28:38Z DEBUG stderr=
> 2013-01-30T16:28:38Z DEBUG Saving Index File to
> '/var/lib/ipa-client/sysrestore/sysrestore.index'
> 2013-01-30T16:28:38Z DEBUG   -> no files, removing file
> 2013-01-30T16:28:38Z DEBUG args=/sbin/service nscd status
> 2013-01-30T16:28:38Z DEBUG stdout=
> 2013-01-30T16:28:38Z DEBUG stderr=nscd: unrecognized service
>
> 2013-01-30T16:28:38Z INFO nscd daemon is not installed, skip configuration
> 2013-01-30T16:28:38Z DEBUG args=/sbin/service nslcd status
> 2013-01-30T16:28:38Z DEBUG stdout=
> 2013-01-30T16:28:38Z DEBUG stderr=nslcd: unrecognized service
>
> 2013-01-30T16:28:38Z INFO nslcd daemon is not installed, skip configuration
> 2013-01-30T16:28:38Z DEBUG The original configuration of SSSD included
> other domains than IPA-based one.
> 2013-01-30T16:28:38Z DEBUG Original configuration file is restored,
> restarting SSSD service.
> 2013-01-30T16:28:38Z DEBUG args=/sbin/service sssd restart
> 2013-01-30T16:28:38Z DEBUG stdout=Stopping sssd:           [FAILED]
> Starting sssd:                                             [  OK  ]
>
> 2013-01-30T16:28:38Z DEBUG stderr=cat: /var/run/sssd.pid: No such file
> or directory
>
Any what do SSSD logs say?
I seems that restart of SSSD did not go that smoothly.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to