On 23.6.2016 15:27, Günther J. Niederwimmer wrote: > Hello Martin, > > Am Donnerstag, 23. Juni 2016, 15:02:18 CEST schrieb Martin Basti: >> On 20.06.2016 18:48, Günther J. Niederwimmer wrote: >>> Hello, >>> >>> Am Montag, 20. Juni 2016, 09:54:11 CEST schrieb Petr Spacek: >>>> On 18.6.2016 15:03, Günther J. Niederwimmer wrote: >>>>> hello, >>>>> >>>>> Am Freitag, 17. Juni 2016, 23:05:32 CEST schrieb Martin Basti: >>>>>> On 17.06.2016 18:29, Günther J. Niederwimmer wrote: >>>>>>> Hello, >>>>>>> >>>>>>> Am Freitag, 17. Juni 2016, 14:13:55 CEST schrieb Martin Basti: >>>>>>>> On 17.06.2016 12:54, Günther J. Niederwimmer wrote: >>>>>>>>> Hello List, >>>>>>>>> >>>>>>>>> Am Freitag, 17. Juni 2016, 07:51:45 CEST schrieb Petr Spacek: >>>>>>>>>> On 16.6.2016 21:51, Lukas Slebodnik wrote: >>>>>>>>>>> On (16/06/16 11:54), Günther J. Niederwimmer wrote: >>>>>>>>>>>> Hello >>>>>>>>>>>> >>>>>>>>>>>> on my system the ods-exporter i mean have a problem. >>>>>>>>>>>> >>>>>>>>>>>> I have this in the logs >>>>>>>>>>>> CentOS 7.(2) ipa 4.3.1 >>>>>>>>>>>> >>>>>>>>>>>> Jun 16 11:38:28 ipa ipa-ods-exporter: raise >>>>>>>>>>>> errors.ACIError(info=info) >>>>>>>>>>>> Jun 16 11:38:28 ipa ipa-ods-exporter: ipalib.errors.ACIError: >>>>>>>>>>>> Insufficient >>>>>>>>>>>> access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS >>>>>>>>>>>> failure. >>>>>>>>>>>> Minor code may provide more information (Ticket expired) >>>>>>>>>>>> >>>>>>>>>>> ^^^^^^^^^^^^^^ >>>>>>>>>>> >>>>>>>>>>> Here seems to be a reason why it failed. >>>>>>>>>>> But I can't help you more. >>>>>>>>>> >>>>>>>>>> Lukas is right. Interesting, this should never happen :-) >>>>>>>>> >>>>>>>>> this have I also found ;-) >>>>>>>>> >>>>>>>>>> Please enable debugging using procedure >>>>>>>>>> http://www.freeipa.org/page/Troubleshooting#ipa_command_crashes_or_ >>>>>>>>>> re >>>>>>>>>> tu >>>>>>>>>> rn >>>>>>>>>> s_n o_data and check logs after next ipa-ods-exporter restart. >>>>>>>>>> Thank you! >>>>>>>>> >>>>>>>>> OK, >>>>>>>>> >>>>>>>>> I attache the messages log? >>>>>>>>> >>>>>>>>> I mean this is a problem with my DNS ? >>>>>>>> >>>>>>>> Hello, >>>>>>>> can you check kerberos status of ipa-ods-exporter service in webUI? >>>>>>>> >>>>>>>> identity/services/ipa-ods-exported/<hostname> >>>>>>>> There should be kerberos status in right top corner in details view >>>>>>> >>>>>>> I have a >>>>>>> identity/services/ipa-ods-exporter/.. >>>>>>> >>>>>>> with a "Kerberos Key Present, Service Provisioned" >>>>>>> >>>>>>> but no Certificate ? >>>>>> >>>>>> Can you try, >>>>>> >>>>>> # kinit -kt /etc/ipa/dnssec/ipa-ods-exporter.keytab >>>>>> ipa-ods-exporter/$(hostname) >>>>> >>>>> OK >>>>> I can do a "kinit -kt /etc/ipa/dnssec/ipa-ods-exporter.keytab ipa-ods- >>>>> exporter/$(hostname)" >>>>> >>>>> written on one line!! is this OK. >>>>> >>>>>> and do ldapsearch >>>>>> # ldapsearch -Y GSSAPI >>>>> >>>>> and also ldapsearch is OK >>>>> >>>>>> It should show us if keytab is okay >>>>> >>>>> But the Error is present :-(. >>>> >>>> We need to see precise error. Please copy&paste it into the e-mail. >>> >>> that is it. >>> >>> Jun 20 18:44:36 ipa systemd: ipa-ods-exporter.service failed. >>> >>>> It would be awesome if you could follow general rules for bug reporting: >>>> http://www.chiark.greenend.org.uk/~sgtatham/bugs-de.html >>>> >>>> Besides other things it would allow us to help you in shorter time. >>>> >>>> Have a nice day! >> >> This is weird, It looks like your kerberos keytab is valid, but I have >> no idea why you are getting ticket expired messages. It should just >> kinit again. >> >> Can you please remove this ccache file? >> /var/opendnssec/tmp/ipa-ods-exporter.ccache > > OK now i make a ipactl stop remove the ccache file and start ipa again. > > to start the ods-exporte I have to wait a long time 1-2 min. ;-) > > I send you the log without debug when you like this with debug tell me. > Jun 23 14:57:56 ipa ipa-ods-exporter: Traceback (most recent call last): > Jun 23 14:57:56 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods- > exporter", line 656, in <module> > Jun 23 14:57:56 ipa ipa-ods-exporter: ldap.gssapi_bind() > Jun 23 14:57:56 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ > ipapython/ipaldap.py", line 1085, in gssapi_bind > Jun 23 14:57:56 ipa ipa-ods-exporter: '', auth_tokens, server_controls, > client_controls) > Jun 23 14:57:56 ipa ipa-ods-exporter: File "/usr/lib64/python2.7/ > contextlib.py", line 35, in __exit__ > Jun 23 14:57:56 ipa ipa-ods-exporter: self.gen.throw(type, value, traceback) > Jun 23 14:57:56 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ > ipapython/ipaldap.py", line 992, in error_handler > Jun 23 14:57:56 ipa ipa-ods-exporter: raise errors.ACIError(info=info) > Jun 23 14:57:56 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient > access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. > Minor code may provide more information (Ticket expired) > Jun 23 14:57:56 ipa systemd: ipa-ods-exporter.service: main process exited, > code=exited, status=1/FAILURE > Jun 23 14:57:56 ipa systemd: Unit ipa-ods-exporter.service entered failed > state. > Jun 23 14:57:56 ipa systemd: ipa-ods-exporter.service failed.
This is really weird, I have no idea what happened. We can try a big hammer: Rename file /etc/ipa/dnssec/ipa-ods-exporter.keytab to e.g. /etc/ipa/dnssec/ipa-ods-exporter.keytab.SUSPECT and re-run ipa-dns-install with the same options as you used for the first time. It should re-create the keytab and all other things. I hope it will help. -- Petr^2 Spacek -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project