On 4.12.2014 05:02, Janelle wrote:
> Thanks -- still a bit strange that it did not show up on some servers - very
> random and intermittent.
>
> BTW - a bit of information others might find useful. If you try to use the
> "LDAP" portion of IPA for authentication - rather than fully installing the
> IPA client and using Kerberos - the servers running ds-389 do not do well in
> handling the load. In other words - a few hundred hosts trying to authenticate
> via LDAP only will send CPU through the roof and crash the slapd process
> often. Since IPA is supposed to handle all options, I guess I am
> disappointed.
>
> regards
> ~J
>
>
> On 12/3/14 2:56 PM, Dmitri Pal wrote:
>> On 12/03/2014 04:40 PM, Janelle wrote:
>>> Here is a bit of a baffling one on 4.0.5:
>>>
>>> Replica install p11-kit???
>>
>> This is a part of the DNSSEC set of packages.
>>
>>>
>>> Connection from master to replica is OK.
>>>
>>> Connection check OK
>>> p11-kit: ipa.p11-kit: x-public-key-info: invalid or unsupported attribute
>>> Configuring NTP daemon (ntpd)
>>> [1/4]: stopping ntpd
>>> [2/4]: writing configuration
>>> ...
>>>
>>> Your system may be partly configured.
>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>
>>> LDAP error: UNWILLING_TO_PERFORM
>>> database is read-only
>>>
>>>
>>> Thoughts?

We need more information about your problem. As always, please start with
information requested on
http://www.freeipa.org/page/Troubleshooting#Reporting_bugs

/var/log/ipa*.log from affected replica will be invaluable (along with exact
package version numbers [including p11-kit] and repo configuration).

--
Petr^2 Spacek

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project