On 01/30/2013 11:43 AM, [email protected] wrote:
> On 2013/30/01 09:37, Martin Kosek wrote:
>> On 01/30/2013 03:22 PM, [email protected] wrote:
>>> On 2013/30/01 09:19, Martin Kosek wrote:
>>>> On 01/30/2013 03:16 PM, Patrick Hemmer wrote:
>>>>> On 2013/30/01 03:33, Martin Kosek wrote:
>>>>>> On 01/30/2013 02:05 AM, [email protected] wrote:
>>>>>>> On 01/29/2013 07:49 PM, Dmitri Pal wrote:
>>>>>>>> On 01/29/2013 07:26 PM, [email protected] wrote:
>>>>>>>>> Using ipa-server 2.2.0-17 on Amazon linux (RHEL6 clone), and after
>>>>>>>>> using the `ipa-replica-install` script to configure the replica
>>>>>>>>> server, the service will not start. Whenever I try it throws
>>>>>>>>> "SASL(-4): no mechanism available" during start.
>>>>>>>>>
>>>>>>>>> Any ideas?
>>>>>>>>>
>>>>>>>>> Full output:
>>>>>>>>>
>>>>>>>>> # /etc/init.d/ipa start
>>>>>>>>> Starting Directory Service
>>>>>>>>> Starting dirsrv:
>>>>>>>>>     CLIFF-CLOUDBURRITO-COM... [ OK ]
>>>>>>>>>     PKI-IPA... [ OK ]
>>>>>>>>> Failed to read data from Directory Service: Unknown error when retrieving list of services from LDAP: {'info': 'SASL(-4): no mechanism available: ', 'desc': 'Unknown authentication method'}
>>>>>>>>> Shutting down
>>>>>>>>> Shutting down dirsrv:
>>>>>>>>>     CLIFF-CLOUDBURRITO-COM... [ OK ]
>>>>>>>>>     PKI-IPA... [ OK ]
>>>>>>>> Sounds like DS did not start under the CA. Please check the DS logs
>>>>>>>> in the PKI instance.
>>>>>>> ns-slapd appears to be starting fine. I can even start it manually,
>>>>>>> but `ipactl status` still shows the error:
>>>>>>> Below is the result of me starting it manually (directly running
>>>>>>> ns-slapd):
>>>>>>>
>>>>>>> # ps ax|grep slapd
>>>>>>> 15540 ? Sl 0:00 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-PKI-IPA -i /var/run/dirsrv/slapd-PKI-IPA.pid -w /var/run/dirsrv/slapd-PKI-IPA.startpid
>>>>>>> 15586 ? Sl 0:00 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-CLIFF-CLOUDBURRITO-COM -i /var/run/dirsrv/slapd-CLIFF-CLOUDBURRITO-COM.pid -w /var/run/dirsrv/slapd-CLIFF-CLOUDBURRITO-COM.startpid
>>>>>>> # netstat -tpnl | grep slapd
>>>>>>> tcp 0 0 :::636 :::* LISTEN 15586/ns-slapd
>>>>>>> tcp 0 0 :::7389 :::* LISTEN 15540/ns-slapd
>>>>>>> tcp 0 0 :::7390 :::* LISTEN 15540/ns-slapd
>>>>>>> tcp 0 0 :::389 :::* LISTEN 15586/ns-slapd
>>>>>>> # ipactl status
>>>>>>> Directory Service: RUNNING
>>>>>>> Unknown error when retrieving list of services from LDAP: {'info': 'SASL(-4): no mechanism available: ', 'desc': 'Unknown authentication method'}
>>>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> OK, it seems that ipactl could not bind to your Directory Server. This
>>>>>> script uses a "ldap_uri" configuration option value from
>>>>>> /etc/ipa/default.conf to connect to Directory Server via EXTERNAL auth.
>>>>>>
>>>>>> You can verify yourself if that bind works or not with the following
>>>>>> ldapsearch (just replace $LDAP_URI_VALUE with your setting):
>>>>>>
>>>>>> # ldapsearch -Y EXTERNAL -H $LDAP_URI_VALUE -b "cn=masters,cn=ipa,cn=etc,dc=cliff,dc=cloudburrito,dc=com"
>>>>>>
>>>>>> I assume it will report the same error as ipactl. We need to verify
>>>>>> that the referred LDAP URI is indeed right and functional.
>>>>>>
>>>>>> Martin
>>>>> The system had no /etc/ipa/default.conf
>>>>> I copied the one from the master server, changed the `host=` and
>>>>> `xmlrpc_uri=` parameters to reflect the replica server, and now `ipactl
>>>>> status`, along with everything else, is working perfectly.
>>>>> Should that file have been created during the `ipa-replica-install`
>>>>> process? I don't see anything in the documentation about having to copy
>>>>> and edit it manually.
>>>>>
>>>>> Thanks
>>>>>
>>>>> -Patrick
>>>>>
>>>> Yeah, this should have been created during ipa-replica-install.
>>>>
>>>> Can you please check /var/log/ipareplica-install.log and check if
>>>> ipa-client-install (which is run as part of ipa-replica-install)
>>>> succeeded? I have a suspicion you hit a bug I was fixing recently.
>>>>
>>>> Martin
>>> No, the client install failed:
>>> 2013-01-29T23:24:05Z DEBUG stderr=
>>> 2013-01-29T23:24:05Z DEBUG Restarting the web server
>>> 2013-01-29T23:24:06Z DEBUG args=/sbin/service httpd restart
>>> 2013-01-29T23:24:06Z DEBUG stdout=Stopping httpd: [ OK ]
>>> Starting httpd: [ OK ]
>>>
>>> 2013-01-29T23:24:06Z DEBUG stderr=
>>> 2013-01-29T23:24:20Z DEBUG args=/usr/sbin/ipa-client-install --on-master --unattended --domain cliff.cloudburrito.com --server i-d26b7f8b.ipa-server.us-west-1.cliff.cloudburrito.com --realm CLIFF.CLOUDBURRITO.COM
>>> 2013-01-29T23:24:20Z DEBUG stdout=Discovery was successful!
>>> Hostname: i-d26b7f8b.ipa-server.us-west-1.cliff.cloudburrito.com
>>> Realm: CLIFF.CLOUDBURRITO.COM
>>> DNS Domain: cliff.cloudburrito.com
>>> IPA Server: i-d26b7f8b.ipa-server.us-west-1.cliff.cloudburrito.com
>>> BaseDN: dc=cliff,dc=cloudburrito,dc=com
>>>
>>>
>>> Configured /etc/sssd/sssd.conf
>>> Installation failed. Rolling back changes.
>>>
>>> 2013-01-29T23:24:20Z DEBUG stderr=DNS domain 'cliff.cloudburrito.com' is not configured for automatic KDC address lookup.
>>> KDC address will be set to fixed value.
>>>
>>> Failed to add CA to the default NSS database.
>>>
>>> 2013-01-29T23:24:20Z DEBUG Failed to configure the client
>>>   File "/usr/sbin/ipa-replica-install", line 496, in <module>
>>>     main()
>>>
>>>   File "/usr/sbin/ipa-replica-install", line 485, in main
>>>     raise RuntimeError("Failed to configure the client")
>>>
>> Getting warmer... Can you please check /var/log/ipaclient-install.log if
>> there is a reason why it failed? The problem here is that the client
>> removed default.conf, keytabs etc. when it uninstalled itself due to the
>> failure.
>>
>> Thanks,
>> Martin
> Below is the last few lines of the file.
> It looks like it's failing because sssd is already configured. This is
> true as our servers are preconfigured for sssd to use the IPA master
> server. If this is indeed the cause, is there any way to have it not
> configure sssd? Or should I wipe the sssd config before attempting to
> set up the replica?
> Could it also be fixed so that if the client install does fail, that it
> doesn't break the server?
>
> 2013-01-30T16:28:38Z DEBUG stderr=
> 2013-01-30T16:28:38Z DEBUG Restoring client configuration files
> 2013-01-30T16:28:38Z DEBUG args=/usr/sbin/selinuxenabled
> 2013-01-30T16:28:38Z DEBUG stdout=
> 2013-01-30T16:28:38Z DEBUG stderr=
> 2013-01-30T16:28:38Z DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
> 2013-01-30T16:28:38Z DEBUG -> no files, removing file
> 2013-01-30T16:28:38Z DEBUG args=/sbin/service nscd status
> 2013-01-30T16:28:38Z DEBUG stdout=
> 2013-01-30T16:28:38Z DEBUG stderr=nscd: unrecognized service
>
> 2013-01-30T16:28:38Z INFO nscd daemon is not installed, skip configuration
> 2013-01-30T16:28:38Z DEBUG args=/sbin/service nslcd status
> 2013-01-30T16:28:38Z DEBUG stdout=
> 2013-01-30T16:28:38Z DEBUG stderr=nslcd: unrecognized service
>
> 2013-01-30T16:28:38Z INFO nslcd daemon is not installed, skip configuration
> 2013-01-30T16:28:38Z DEBUG The original configuration of SSSD included other domains than IPA-based one.
> 2013-01-30T16:28:38Z DEBUG Original configuration file is restored, restarting SSSD service.
> 2013-01-30T16:28:38Z DEBUG args=/sbin/service sssd restart
> 2013-01-30T16:28:38Z DEBUG stdout=Stopping sssd: [FAILED]
> Starting sssd: [ OK ]
>
> 2013-01-30T16:28:38Z DEBUG stderr=cat: /var/run/sssd.pid: No such file or directory
>

And what do SSSD logs say? It seems that restart of SSSD did not go that smoothly.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
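
Added example (not part of the thread and not FreeIPA code): a shell preflight for the failure mode discussed above, where a rolled-back ipa-client-install leaves the replica without /etc/ipa/default.conf and ipactl cannot bind. The function names and the sample file contents are constructed for illustration; the default paths and the log message are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example; function names are hypothetical, paths are those named in the thread.

# Print the ldap_uri value from an IPA default.conf.
# Returns 2 if the file is missing, 3 if it has no ldap_uri key.
ipa_ldap_uri() {
    conf=${1:-/etc/ipa/default.conf}
    [ -f "$conf" ] || return 2
    uri=$(sed -n 's/^[[:space:]]*ldap_uri[[:space:]]*=[[:space:]]*//p' "$conf" |
          sed 's/[[:space:]]*$//' | head -n 1)
    [ -n "$uri" ] || return 3
    printf '%s\n' "$uri"
}

# Succeed if the install log records the client rollback quoted in the thread.
client_rolled_back() {
    [ -f "$1" ] && grep -q 'Installation failed\. Rolling back changes\.' "$1"
}

# One-line verdict for a replica: usable URI, or why ipactl has nothing to bind with.
replica_preflight() {
    conf=${1:-/etc/ipa/default.conf}
    log=${2:-/var/log/ipareplica-install.log}
    if uri=$(ipa_ldap_uri "$conf"); then
        echo "ok: ldap_uri=$uri"
    else
        case $? in
            2) if client_rolled_back "$log"; then
                   echo "broken: $conf missing, client install rolled back"
               else
                   echo "broken: $conf missing"
               fi ;;
            *) echo "broken: no ldap_uri in $conf" ;;
        esac
    fi
}

# Demo on constructed files (sample values, not data from the thread's hosts).
demo_dir=$(mktemp -d)
printf '[global]\nrealm = EXAMPLE.TEST\nldap_uri = ldapi://%%2fvar%%2frun%%2fslapd-EXAMPLE-TEST.socket\n' \
    > "$demo_dir/default.conf"
printf 'Configured /etc/sssd/sssd.conf\nInstallation failed. Rolling back changes.\n' \
    > "$demo_dir/install.log"
replica_preflight "$demo_dir/default.conf" "$demo_dir/install.log"
replica_preflight "$demo_dir/absent.conf" "$demo_dir/install.log"
rm -rf "$demo_dir"
```

The URI printed in the "ok" case is the value to substitute for $LDAP_URI_VALUE in the ldapsearch check quoted in the thread.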
