On 06/08/2015 01:09 PM, nat...@nathanpeters.com wrote:
[root@dc1 ~]# ldapsearch -xLLL -D "cn=directory manager" -W -b cn=config
objectclass=nsDSWindowsReplicationAgreement
Enter LDAP Password:
dn: cn=meToofficedc2.office.addomain.net,cn=replica,cn=dc\3Dipadomain
  \2Cdc\3Dnet,cn=mapping tree,cn=config
nsds7WindowsReplicaSubtree: OU=Staff,DC=office,DC=addomain,DC=net
nsds7DirectoryReplicaSubtree: cn=users,cn=accounts,dc=ipadomain,dc=net
cn: meToofficedc2.office.addomain.net
nsds7NewWinGroupSyncEnabled: false
objectClass: nsDSWindowsReplicationAgreement
objectClass: top
nsDS5ReplicaTransportInfo: TLS
description: me to officedc2.office.addomain.net
nsDS5ReplicaRoot: dc=ipadomain,dc=net
nsDS5ReplicaHost: officedc2.office.addomain.net
nsds5replicaTimeout: 120
nsDS5ReplicaBindDN: cn=freeipa syncuser,ou=Service
Account,dc=office,dc=addomain,dc=net
nsds7NewWinUserSyncEnabled: true
nsDS5ReplicaPort: 389
nsds7WindowsDomain: ipadomain.net
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof
idnssoaserial
   entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsDS5ReplicaBindMethod: simple
nsDS5ReplicaCredentials:
{AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG
  RERBNEJDUmtOelUzTTJJNVlpMDBaV1EyTTJRMQ0KWXkwNU0yTm1aV05sTVMxbU5qRXpaak5oTlFBQ
  0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQ2k0N0NxRGZFd2JIdm
  I0MFVFZVI3MA==}gWI9NIB8lbt9tmNszzbBFCAe4Vs/e0sMyn5+NZPJg9E=
nsds7DirsyncCookie::
TVNEUwMAAAC1t/mKGaLQAQAAAAAAAAAAYAEAAKlEoQAAAAAAAAAAAAAAA
  ACpRKEAAAAAAMUjuImqVZhBkOkdt24C0IsBAAAAAAAAAA4AAAAAAAAAY4GwFkVcvEmMMExrVon4d6
  13PwAAAAAADGzFNzznrESIxHzA74fbs9WwMAAAAAAAOnFoO5OE2E27lR/g4EcjQTLbIwAAAAAAuEm
  PWjYok0qGS0HM/+TDmK7FgAMAAAAA6PTFXvAdnkaJSIkZT1lS+zVCIgAAAAAA4qTQaC46/Ua4KXgP
  /ixNcRvjVAAAAAAAWowbgYD1akibZ+sCul5C4ZxlLQAAAAAAxSO4iapVmEGQ6R23bgLQi6lEoQAAA
  AAAogC6jFcyFUmhBp4B7FkaBRklnQEAAAAAyhKMxsP0uUKGEnG2lsyA8eTUwgYAAAAA4n8Xx1bAlU
  mBUl3zhlZ9WBngDAAAAAAA71vM2ebFEkCJkBaLjB4CGU+4CQMAAAAAGfO+4ndZCkaVKnwZNlNsf90
  NDAAAAAAAgD6n+M2bcUGkOwo5gPLx7IOjAwAAAAAA
nsds50ruv: {replicageneration} 553fe9bb000000040000
nsds50ruv: {replica 4 ldap://dc1.ipadomain.net:389} 553fe9c9
  000000040000 5575dff8000000040000
nsds50ruv: {replica 3 ldap://dc2.ipadomain.net:389} 553fe9c
  4000000030000 557244db001700030000
nsruvReplicaLastModified: {replica 4 ldap://dc1.ipadomain.ne
  t:389} 5575df5e
nsruvReplicaLastModified: {replica 3 ldap://dc1.ipadomain.n
  et:389} 00000000
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 20150608183216Z
nsds5replicaLastUpdateEnd: 20150608183216Z
nsds5replicaChangesSentSinceStartup:: NDozMC8wIA==
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental
upd
  ate succeeded
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 0
nsds5replicaLastInitEnd: 0

=====================================================
Hmmm, the problem still exists and I'm not sure how to fix it
=====================================================


This is also really strange: when I run an ipactl restart I get the
following weird stuff in my log. Messages about ACL targets not existing.

Not sure about this.

And a strange Kerberos error where the host can't find its own keytab or
LDAP service record?

See below.


[08/Jun/2015:19:04:06 +0000] - 389-Directory/1.3.3.8 B2015.040.128
starting up
[08/Jun/2015:19:04:06 +0000] - WARNING -- Minimum cache size is 512000 --
rounding up
[08/Jun/2015:19:04:06 +0000] - WARNING -- Minimum cache size is 512000 --
rounding up
[08/Jun/2015:19:04:06 +0000] - WARNING -- Minimum cache size is 512000 --
rounding up
[08/Jun/2015:19:04:06 +0000] - WARNING -- Minimum cache size is 512000 --
rounding up
[08/Jun/2015:19:04:06 +0000] - WARNING -- Minimum cache size is 512000 --
rounding up
[08/Jun/2015:19:04:06 +0000] - WARNING -- Minimum cache size is 512000 --
rounding up
[08/Jun/2015:19:04:06 +0000] - WARNING: userRoot: entry cache size 512000B
is less than db size 12500992B; We recommend to increase the entry cache
size nsslapd-cachememsize.
[08/Jun/2015:19:04:06 +0000] - WARNING: ipaca: entry cache size 512000B is
less than db size 1343488B; We recommend to increase the entry cache size
nsslapd-cachememsize.
[08/Jun/2015:19:04:06 +0000] - WARNING: changelog: entry cache size
512000B is less than db size 45654016B; We recommend to increase the entry
cache size nsslapd-cachememsize.
[08/Jun/2015:19:04:06 +0000] - resizing db cache size: 400000 -> 320000
[08/Jun/2015:19:04:06 +0000] schema-compat-plugin - warning: no entries
set up under cn=computers, cn=compat,dc=ipadomain,dc=net
[08/Jun/2015:19:04:08 +0000] NSACLPlugin - The ACL target
cn=groups,cn=compat,dc=ipadomain,dc=net does not exist
[08/Jun/2015:19:04:08 +0000] NSACLPlugin - The ACL target
cn=computers,cn=compat,dc=ipadomain,dc=net does not exist
[08/Jun/2015:19:04:08 +0000] NSACLPlugin - The ACL target
cn=ng,cn=compat,dc=ipadomain,dc=net does not exist
[08/Jun/2015:19:04:08 +0000] NSACLPlugin - The ACL target
ou=sudoers,dc=ipadomain,dc=net does not exist
[08/Jun/2015:19:04:08 +0000] NSACLPlugin - The ACL target
cn=users,cn=compat,dc=ipadomain,dc=net does not exist
[08/Jun/2015:19:04:08 +0000] NSACLPlugin - The ACL target cn=casigningcert
cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=ipadomain,dc=net does not exist
[08/Jun/2015:19:04:08 +0000] NSACLPlugin - The ACL target cn=casigningcert
cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=ipadomain,dc=net does not exist
[08/Jun/2015:19:04:08 +0000] NSACLPlugin - The ACL target cn=automember
rebuild membership,cn=tasks,cn=config does not exist
[08/Jun/2015:19:04:08 +0000] - Skipping CoS Definition cn=Password
Policy,cn=accounts,dc=ipadomain,dc=net--no CoS Templates found, which
should be added before the CoS Definition.
[08/Jun/2015:19:04:08 +0000] set_krb5_creds - Could not get initial
credentials for principal [ldap/dc1.ipadomain....@ipadomain.net] in keytab
[FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[08/Jun/2015:19:04:08 +0000] slapd_ldap_sasl_interactive_bind - Error:
could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2
(Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
failure.  Minor code may provide more information (No Kerberos credentials
available)) errno 0 (Success)
[08/Jun/2015:19:04:08 +0000] - Skipping CoS Definition cn=Password
Policy,cn=accounts,dc=ipadomain,dc=net--no CoS Templates found, which
should be added before the CoS Definition.
[08/Jun/2015:19:04:08 +0000] slapi_ldap_bind - Error: could not perform
interactive bind for id [] authentication mechanism [GSSAPI]: error -2
(Local error)
[08/Jun/2015:19:04:08 +0000] NSMMReplicationPlugin -
agmt="cn=meTodc2.ipadomain.net" (dc2:389): Replication bind with GSSAPI
auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure:
GSSAPI Error: Unspecified GSS failure.  Minor code may provide more
information (No Kerberos credentials available))
[08/Jun/2015:19:04:08 +0000] - slapd started.  Listening on All Interfaces
port 389 for LDAP requests
[08/Jun/2015:19:04:08 +0000] - Listening on All Interfaces port 636 for
LDAPS requests
[08/Jun/2015:19:04:08 +0000] - Listening on
/var/run/slapd-IPADOMAIN-NET.socket for LDAPI requests
[08/Jun/2015:19:04:38 +0000] slapd_ldap_sasl_interactive_bind - Error:
could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2
(Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
failure.  Minor code may provide more information (Cannot contact any KDC
for realm 'IPADOMAIN.NET')) errno 115 (Operation now in progress)
[08/Jun/2015:19:04:38 +0000] slapi_ldap_bind - Error: could not perform
interactive bind for id [] authentication mechanism [GSSAPI]: error -2
(Local error)
[08/Jun/2015:19:04:39 +0000] NSMMReplicationPlugin -
agmt="cn=meTodc2.ipadomain.net" (dc2:389): Replication bind with GSSAPI
auth resumed

This last line means "everything is ok now - I can use the keytab". The problem is that dirsrv starts very early, before Kerberos is available. Replication keeps trying until Kerberos is available. I admit the errors look scary, but as long as you see "Replication bind with GSSAPI auth resumed", then everything is fine.
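The reply above reduces to a simple rule: a "Replication bind with GSSAPI auth failed" line for an agreement is harmless if it is followed by "Replication bind with GSSAPI auth resumed" for the same agreement, and worth attention if it is not. The script below is an added example, not code from the thread or from the 389-ds/FreeIPA projects. It applies that rule to the 389-ds error log format shown in the thread: it parses only the NSMMReplicationPlugin agreement lines, records per agreement whether the last failure was followed by a resume, and how long the recovery took. The sample log lines are constructed for the example (modelled on the quoted log, with an extra invented agreement "cn=meTodc3.ipadomain.net" that never resumes); the timestamp format `[dd/Mon/yyyy:HH:MM:SS +zzzz]` is assumed from the quoted lines.

```python
import re
from datetime import datetime

# Constructed sample log, modelled on the 389-ds error log quoted in the thread.
# Real logs keep each record on one line; the e-mail wrapped them.
# "cn=meTodc3.ipadomain.net" is an invented agreement that never resumes.
SAMPLE_LOG = """\
[08/Jun/2015:19:04:08 +0000] NSMMReplicationPlugin - agmt="cn=meTodc2.ipadomain.net" (dc2:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No Kerberos credentials available))
[08/Jun/2015:19:04:08 +0000] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[08/Jun/2015:19:04:38 +0000] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Cannot contact any KDC for realm 'IPADOMAIN.NET')) errno 115 (Operation now in progress)
[08/Jun/2015:19:04:39 +0000] NSMMReplicationPlugin - agmt="cn=meTodc2.ipadomain.net" (dc2:389): Replication bind with GSSAPI auth resumed
[08/Jun/2015:19:05:10 +0000] NSMMReplicationPlugin - agmt="cn=meTodc3.ipadomain.net" (dc3:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No Kerberos credentials available))
"""

# Matches only the replication-agreement bind lines; the innermost parenthesised
# text of a "failed" line (e.g. "No Kerberos credentials available") is the reason.
AGMT_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] NSMMReplicationPlugin - agmt="(?P<agmt>[^"]+)"'
    r' \((?P<peer>[^)]*)\): Replication bind with GSSAPI auth '
    r'(?P<state>failed|resumed)(?::.*\((?P<reason>[^()]*)\)\)\s*)?$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"  # assumed from the quoted log lines


def parse_agreement_events(log_text):
    """Yield (timestamp, agreement, state, reason) for each agreement bind line."""
    for line in log_text.splitlines():
        m = AGMT_RE.match(line)
        if not m:
            continue  # startup noise, SASL lines, listener lines: not agreement state
        ts = datetime.strptime(m.group("ts"), TS_FORMAT)
        yield ts, m.group("agmt"), m.group("state"), m.group("reason")


def agreement_status(log_text):
    """Per agreement: 'recovered' if the last failure was followed by a resume,
    'failing' otherwise, plus failure count, last reason and recovery delay."""
    status = {}
    for ts, agmt, state, reason in parse_agreement_events(log_text):
        rec = status.setdefault(agmt, {
            "status": "unknown", "failures": 0, "first_failure": None,
            "recovery_seconds": None, "last_reason": None,
        })
        if state == "failed":
            rec["failures"] += 1
            rec["last_reason"] = reason
            if rec["status"] != "failing":
                rec["first_failure"] = ts  # start of the current outage
            rec["status"] = "failing"
            rec["recovery_seconds"] = None
        else:  # resumed: the retry loop finally obtained Kerberos credentials
            if rec["first_failure"] is not None:
                rec["recovery_seconds"] = (ts - rec["first_failure"]).total_seconds()
            rec["status"] = "recovered"
    return status


def still_failing(status):
    """Agreements whose most recent bind failure has no later 'resumed' line."""
    return sorted(a for a, rec in status.items() if rec["status"] != "recovered")


if __name__ == "__main__":
    result = agreement_status(SAMPLE_LOG)
    for agmt, rec in sorted(result.items()):
        print(f"{agmt}: {rec['status']} after {rec['failures']} failure(s); "
              f"last reason: {rec['last_reason']}; "
              f"recovered in: {rec['recovery_seconds']} s")
    print("needs attention:", still_failing(result))
```

Run against a real `/var/log/dirsrv/slapd-<INSTANCE>/errors` file by reading it into `agreement_status()`; an agreement listed by `still_failing()` long after startup means the retry loop the reply describes has not succeeded, which is the case worth investigating rather than the transient failures at boot.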




--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
