On 03/07/2013 10:26 AM, Dale Macartney wrote:
>
> Hi all
>
> I've been trying to document the domain trust process for the past two
> days and I am seeing the same results no matter the configuration.
>
> Basically I have nuked and rebuilt my environment several times and all
> yields the same results.
>
> Steps to reproduce
>
> 1, Clean install of RHEL 6.4
> 2, yum install ipa-server bind bind-dyndb-ldap
> 3, ipa-server-install --setup-dns
> 4, yum install ipa-server-trust-ad
> 5, kinit admin
> 6, ipa-adtrust-install
>
> all the above steps work perfectly, however I thought the problem was an
> issue in running "ipa trust-add" but I have just tried "ipa host-find" and
> get the same output.
>
> If someone is able to reproduce the issue to remove myself from the
> equation that would be fantastic. It's either something I'm doing wrong or
> there is a bug here somewhere.. (note, no problems at all with same
> procedure with Fedora 18 and IPA 3.1)
>
> output is below from adding "debug=true" to /etc/ipa/default.conf
>
> [root@ds01 ~]# ipa host-find
> ipa: DEBUG: importing all plugin modules in '/usr/lib/python2.6/site-packages/ipalib/plugins'...
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/config.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/group.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/host.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/idrange.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/privilege.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py'
> ipa: DEBUG: args=klist -V
> ipa: DEBUG: stdout=Kerberos 5 version 1.10.3
>
> ipa: DEBUG: stderr=
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/role.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/service.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/trust.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/user.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py'
> ipa: DEBUG: args=keyctl search @s user ipa_session_cookie:[email protected]
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=keyctl_search: Required key not available
>
> ipa: DEBUG: failed to find session_cookie in persistent storage for principal '[email protected]'
> ipa: INFO: trying https://ds01.example.com/ipa/xml
> ipa: DEBUG: Created connection context.xmlclient
> ipa: DEBUG: raw: host_find(None, all=False, raw=False, version=u'2.46')
> ipa: DEBUG: host_find(None, all=False, raw=False, version=u'2.46', pkey_only=False)
> ipa: INFO: Forwarding 'host_find' to server u'https://ds01.example.com/ipa/xml'
> ipa: DEBUG: NSSConnection init ds01.example.com
> ipa: DEBUG: Connecting: 10.0.1.11:0
> ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False
> Data:
>     Version: 3 (0x2)
>     Serial Number: 10 (0xa)
>     Signature Algorithm:
>         Algorithm: PKCS #1 SHA-256 With RSA Encryption
>     Issuer: CN=Certificate Authority,O=EXAMPLE.COM
>     Validity:
>         Not Before: Wed Mar 06 14:55:15 2013 UTC
>         Not After: Sat Mar 07 14:55:15 2015 UTC
>     Subject: CN=ds01.example.com,O=EXAMPLE.COM
>     Subject Public Key Info:
>         Public Key Algorithm:
>             Algorithm: PKCS #1 RSA Encryption
>         RSA Public Key:
>             Modulus:
>             Exponent: 65537 (0x10001)
>     Signed Extensions: (5)
>         Name: Certificate Authority Key Identifier
>         Critical: False
>         Key ID: ee:91:e7:1c:8b:37:ff:ce:ce:2a:5e:5b:9e:50:b2:87:
>             8c:6e:7b:fa
>         Serial Number: None
>         General Names: [0 total]
>
>         Name: Authority Information Access
>         Critical: False
>
>         Name: Certificate Key Usage
>         Critical: True
>         Usages:
>             Digital Signature
>             Non-Repudiation
>             Key Encipherment
>             Data Encipherment
>
>         Name: Extended Key Usage
>         Critical: False
>         Usages:
>             TLS Web Server Authentication Certificate
>             TLS Web Client Authentication Certificate
>
>         Name: Certificate Subject Key ID
>         Critical: False
>         Data: b2:de:43:35:0d:ab:02:03:c7:d0:b4:cf:bb:bd:06:37:
>             79:fd:58:e6
>
> Signature:
>     Signature Algorithm:
>         Algorithm: PKCS #1 SHA-256 With RSA Encryption
>     Signature:
>     Fingerprint (MD5): ce:83:b5:4a:ae:27:c0:dd:f4:67:a5:53:3b:3a:2f:aa
>     Fingerprint (SHA1): 2f:49:8e:05:18:1b:fa:6a:5f:13:4d:1a:96:7c:36:e1:
>         65:c8:bc:d3
> ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
> ipa: DEBUG: cert valid True for "CN=ds01.example.com,O=EXAMPLE.COM"
> ipa: DEBUG: handshake complete, peer = 10.0.1.11:443
> ipa: DEBUG: Caught fault 907 from server https://ds01.example.com/ipa/xml: cannot connect to u'ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket': LDAP Server Down
> ipa: DEBUG: Destroyed connection context.xmlclient
> ipa: ERROR: cannot connect to u'ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket': LDAP Server Down
> [root@ds01 ~]#
>
>
> Any thoughts?
>
> Dale
>

Hello Dale,

I did not manage to reproduce this on my RHEL-6.4 VM - I used the same steps
as you did. ipa host-find returned a proper result.

The log you sent suggests that IPA cannot connect to the Directory Server
ldapi socket. I would advise checking the following:

- Is the DS running?
- Are there any relevant SELinux failures in /var/log/audit/audit.log?
- Is there anything suspicious in /var/log/dirsrv-EXAMPLE-COM/errors?
- When on IPA server, can you bind to the Directory Server via LDAPI socket?

  # ldapsearch -H ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket -D "" -x -b "" -s base

Thanks,
Martin

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
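
The socket and SELinux checks from the reply above can be scripted. This is an added example, not part of the original thread: it decodes the ldapi:// URL from the error into a socket path, reports whether that socket exists, and filters an audit log for SELinux denials touching the Directory Server. The function names and the sample audit records are constructed for illustration; ns-slapd and the dirsrv_* SELinux types are the 389 Directory Server's process name and labels.

```shell
#!/bin/sh
# Added example, not from the thread. The audit records below are constructed.

# Decode an ldapi:// URL (percent-encoded socket path) into a filesystem path.
ldapi_socket_path() {
    rest=${1#ldapi://}; out=
    while [ -n "$rest" ]; do
        case $rest in
            %[0-9A-Fa-f][0-9A-Fa-f]*)
                hex=${rest#"%"}; hex=${hex%"${hex#??}"}   # the two hex digits
                out=$out$(printf "\\$(printf '%03o' "0x$hex")")
                rest=${rest#"%"??} ;;
            *)  out=$out${rest%"${rest#?}"}; rest=${rest#?} ;;
        esac
    done
    printf '%s\n' "$out"
}

# Report the state of the decoded path: "socket", "not-a-socket" or "missing".
ldapi_socket_state() {
    p=$(ldapi_socket_path "$1")
    if [ -S "$p" ]; then echo socket
    elif [ -e "$p" ]; then echo not-a-socket
    else echo missing; fi
}

# Print AVC denials that involve ns-slapd or any dirsrv_* SELinux type.
dirsrv_avc_denials() {
    grep 'type=AVC' "$1" | grep 'denied' | grep -E 'comm="ns-slapd"|:dirsrv_[a-z_]*:'
}

# Constructed audit.log excerpt (two relevant denials, two unrelated records).
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1362650000.101:201): avc:  denied  { connectto } for  pid=2101 comm="httpd" path="/var/run/slapd-EXAMPLE-COM.socket" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:dirsrv_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1362650001.102:202): avc:  denied  { read } for  pid=2200 comm="ns-slapd" name="certmap.conf" scontext=unconfined_u:system_r:initrc_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1362650002.103:203): avc:  denied  { read } for  pid=2300 comm="sshd" name="authorized_keys" scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1362650000.101:201): arch=c000003e syscall=42 success=no exit=-13 comm="httpd"
EOF
}

# Demo: the URL from the error message, then the constructed log.
ldapi_socket_state 'ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket'
sample_audit_log | dirsrv_avc_denials -
```

On a real server, pass /var/log/audit/audit.log to dirsrv_avc_denials; a "missing" socket state means ns-slapd is not listening on LDAPI, which matches the "LDAP Server Down" fault.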
