[Freeipa-users] Re: Replica failure, could not perform interactive bind ... [GSSAPI]
On to, 19 loka 2017, Kees Bakker via FreeIPA-users wrote:
> On 19-10-17 15:07, Alexander Bokovoy wrote:
>> On to, 19 loka 2017, Kees Bakker via FreeIPA-users wrote:
>>> [...]
>>> [18/Oct/2017:11:24:27 +0200] NSMMReplicationPlugin - agmt="cn=meTolinge.ghs.nl" (linge:389): Replication bind with GSSAPI auth resumed
>>>
>>> Again, I would really appreciate it if someone could hint how to debug this.
>>> For example, what commands can I use to check the connection (in both directions)?
>> My understanding is that if you get the last message ("Replication bind
>> with GSSAPI auth resumed"), you don't need to worry about the ones
>> above. An intermittent issue of an expired ticket is OK; the SASL GSSAPI
>> mechanism in Cyrus SASL will reacquire credentials again after a few
>> attempts. Technically this could happen multiple times, depending on how
>> many threads are utilizing the same creds at the same time.
>
> Thanks Alexander, I'll let it run for a couple of days then and see how often this pops up.
>
> I've checked the tickets as follows (from the Troubleshooting page [1]), and it looks like there is nothing wrong with them.
>
>   # kinit -kt /etc/dirsrv/ds.keytab ldap/`hostname --fqdn`
>   # klist
>   # ldapsearch -Y GSSAPI -h linge.ghs.nl -b "" -s base
>   # ldapsearch -Y GSSAPI -h rotte.ghs.nl -b "" -s base
>
> The only noteworthy difference is this:
>
> @@ -74,12 +75,12 @@
>  supportedLDAPVersion: 3
>  vendorName: 389 Project
>  vendorVersion: 389-Directory/1.3.4.9 B2016.109.158
> -dataversion: 020171016093621020171016093621
> -netscapemdsuffix: cn=ldap://dc=linge,dc=ghs,dc=nl:389
> -lastusn: 174571
> +dataversion: 020171011071705020171011071705020171011071705
> +netscapemdsuffix: cn=ldap://dc=rotte,dc=ghs,dc=nl:389
> +lastusn: 8107596
>  changeLog: cn=changelog
> -firstchangenumber: 25375
> -lastchangenumber: 35897
> +firstchangenumber: 2505058
> +lastchangenumber: 2518477
>  ipatopologypluginversion: 1.0
>  ipatopologyismanaged: on
>  ipaDomainLevel: 1

The difference above is expected. In short, I don't see any serious issue.

-- 
/ Alexander Bokovoy
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
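The heuristic Alexander gives above (per replication agreement, only the last "Replication bind with GSSAPI auth ..." event matters; a burst of expired-ticket bind errors that ends in "resumed" is the SASL layer reacquiring credentials) can be turned into a check that runs over the errors log instead of being eyeballed. The following is an added example and not code from this thread, from 389-ds or from FreeIPA. Its sample input is constructed: the lines quoted from rotte's errors log in this thread, abbreviated, plus one hypothetical agreement `cn=meToexample.ghs.nl` that fails and never resumes, so that the alerting path is exercised.

```python
"""Triage GSSAPI replication-bind noise in a 389-ds errors log.

Heuristic: per replication agreement only the *last* "Replication bind
with GSSAPI auth ..." event matters. A burst of "Ticket expired" /
"context has expired" bind errors that ends in "resumed" is the SASL
layer reacquiring credentials: report its duration, don't alert.
An agreement whose last event is "failed" is alerted.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Tuple

TS_RE = re.compile(r"^\[([^\]]+)\] (.*)$")
AGMT_RE = re.compile(
    r'NSMMReplicationPlugin - agmt="([^"]+)" \(([^)]+)\): '
    r"Replication bind with GSSAPI auth (failed|resumed)"
)
BIND_ERR = "slapd_ldap_sasl_interactive_bind - Error"

# Constructed sample: lines from rotte's errors log as quoted in the thread,
# abbreviated, plus a hypothetical agreement (cn=meToexample.ghs.nl) that
# never resumes.
SAMPLE_LOG = """\
[18/Oct/2017:11:23:41 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: The referenced context has expired (Success)) errno 0 (Success)
[18/Oct/2017:11:23:41 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[18/Oct/2017:11:23:41 +0200] NSMMReplicationPlugin - agmt="cn=meTolinge.ghs.nl" (linge:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: The referenced context has expired (Success))
[18/Oct/2017:11:23:45 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 2 (No such file or directory)
[18/Oct/2017:11:24:03 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 2 (No such file or directory)
[18/Oct/2017:11:24:27 +0200] NSMMReplicationPlugin - agmt="cn=meTolinge.ghs.nl" (linge:389): Replication bind with GSSAPI auth resumed
[18/Oct/2017:11:30:00 +0200] NSMMReplicationPlugin - agmt="cn=meToexample.ghs.nl" (example:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired))
"""


def parse_ts(raw: str) -> datetime:
    """389-ds errors-log timestamp, e.g. '18/Oct/2017:11:23:41 +0200'."""
    return datetime.strptime(raw, "%d/%b/%Y:%H:%M:%S %z")


def classify_reason(msg: str) -> str:
    if "Ticket expired" in msg:
        return "ticket expired"
    if "context has expired" in msg:
        return "context expired"
    return "other"


@dataclass
class Agreement:
    name: str
    target: str
    state: str = "unknown"                      # "failed" or "resumed"
    failed_since: Optional[datetime] = None
    outages: List[Tuple[datetime, datetime]] = field(default_factory=list)

    def outage_seconds(self) -> List[float]:
        return [(end - start).total_seconds() for start, end in self.outages]


def parse_errors_log(text: str) -> Tuple[Dict[str, Agreement], Counter]:
    """Replay the log; return per-agreement state and a tally of GSS reasons."""
    agreements: Dict[str, Agreement] = {}
    # The low-level bind-error lines do not name an agreement, so reasons are
    # tallied for the whole log rather than per agreement.
    reasons: Counter = Counter()
    for line in text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        ts, msg = parse_ts(m.group(1)), m.group(2)
        if msg.startswith(BIND_ERR):
            reasons[classify_reason(msg)] += 1
            continue
        a = AGMT_RE.search(msg)
        if not a:
            continue
        name, target, event = a.groups()
        agmt = agreements.setdefault(name, Agreement(name, target))
        if event == "failed":
            if agmt.state != "failed":          # first failure opens an outage window
                agmt.failed_since = ts
            agmt.state = "failed"
        else:                                   # "resumed" closes it
            if agmt.failed_since is not None:
                agmt.outages.append((agmt.failed_since, ts))
                agmt.failed_since = None
            agmt.state = "resumed"
    return agreements, reasons


def alerts(agreements: Dict[str, Agreement]) -> List[str]:
    """Agreements whose most recent bind event is a failure with no resume."""
    return sorted(n for n, a in agreements.items() if a.state == "failed")


if __name__ == "__main__":
    agmts, why = parse_errors_log(SAMPLE_LOG)
    for a in agmts.values():
        print(f"{a.name} -> {a.target}: {a.state}, outages(s)={a.outage_seconds()}")
    print("reasons:", dict(why))
    print("ALERT:", alerts(agmts) or "none")
```

Only the agreement-level NSMMReplicationPlugin lines drive the state machine; the slapd_ldap_sasl_interactive_bind lines are kept as a reason tally because they carry no agreement name. On a real master point it at the instance's errors log (usually under /var/log/dirsrv/slapd-INSTANCE/), and run it on both sides of an agreement, since, as the thread shows, each server logs its own outgoing bind failures.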
[Freeipa-users] Re: Replica failure, could not perform interactive bind ... [GSSAPI]
On 19-10-17 15:07, Alexander Bokovoy wrote:
> On to, 19 loka 2017, Kees Bakker via FreeIPA-users wrote:
>> [...]
>> [18/Oct/2017:11:24:27 +0200] NSMMReplicationPlugin - agmt="cn=meTolinge.ghs.nl" (linge:389): Replication bind with GSSAPI auth resumed
>>
>> Again, I would really appreciate it if someone could hint how to debug this.
>> For example, what commands can I use to check the connection (in both directions)?
> My understanding is that if you get the last message ("Replication bind
> with GSSAPI auth resumed"), you don't need to worry about the ones
> above. An intermittent issue of an expired ticket is OK; the SASL GSSAPI
> mechanism in Cyrus SASL will reacquire credentials again after a few
> attempts. Technically this could happen multiple times, depending on how
> many threads are utilizing the same creds at the same time.

Thanks Alexander, I'll let it run for a couple of days then and see how often this pops up.

I've checked the tickets as follows (from the Troubleshooting page [1]), and it looks like there is nothing wrong with them.

  # kinit -kt /etc/dirsrv/ds.keytab ldap/`hostname --fqdn`
  # klist
  # ldapsearch -Y GSSAPI -h linge.ghs.nl -b "" -s base
  # ldapsearch -Y GSSAPI -h rotte.ghs.nl -b "" -s base

The only noteworthy difference is this:

@@ -74,12 +75,12 @@
 supportedLDAPVersion: 3
 vendorName: 389 Project
 vendorVersion: 389-Directory/1.3.4.9 B2016.109.158
-dataversion: 020171016093621020171016093621
-netscapemdsuffix: cn=ldap://dc=linge,dc=ghs,dc=nl:389
-lastusn: 174571
+dataversion: 020171011071705020171011071705020171011071705
+netscapemdsuffix: cn=ldap://dc=rotte,dc=ghs,dc=nl:389
+lastusn: 8107596
 changeLog: cn=changelog
-firstchangenumber: 25375
-lastchangenumber: 35897
+firstchangenumber: 2505058
+lastchangenumber: 2518477
 ipatopologypluginversion: 1.0
 ipatopologyismanaged: on
 ipaDomainLevel: 1

-- 
Kees Bakker
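Review bot: the changed lines in this hunk cannot agree between two servers by construction, so the diff says nothing about replication health either way. dataversion and netscapemdsuffix are per-server values (the latter embeds the answering server's own name, dc=linge versus dc=rotte), and lastusn, firstchangenumber and lastchangenumber are that server's local update-sequence and changelog counters. If the point of the diff is to compare the two replicas, filter those five attributes out first; the lines that do carry configuration meaning (vendorVersion: 389-Directory/1.3.4.9 B2016.109.158, ipatopologypluginversion: 1.0, ipaDomainLevel: 1) appear here as unchanged context, i.e. they are identical on both.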
[Freeipa-users] Re: Replica failure, could not perform interactive bind ... [GSSAPI]
On 19-10-17 10:03, Kees Bakker via FreeIPA-users wrote:
> On 18-10-17 22:57, Robbie Harwood wrote:
>> Kees Bakker writes:
>>
>>> Since I've set up a replica it gives errors like these:
>>>
>>> [17/Oct/2017:11:36:55 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 2 (No such file or directory)
>> Well, is the ticket expired?
> Maybe. The message suggests it is. Which ticket is this, and how do I check
> the expiration?
>
>> Does the ticket even exist?
> I would assume so. The replica seems to be working correctly, besides the
> mentioned error messages.
>
>> And are the machine clocks synced?
> Yes they are.
>
>>> Perhaps the following is valuable information, perhaps not. The
>>> installation failed at first due to a timeout problem. I've changed
>>> the Python to increase the time, and after that the replica
>>> installation succeeded. I'm able to connect to it (LDAP and web UI),
>>> and new information entered in the master was replicated correctly.
>>> But now I see some clients having Kerberos ticket problems, most
>>> likely because they use the replica, which is not valid anymore.
>>>
>>> Should I abandon the replica and reinstall it, and if so, how should I
>>> do that (safely)?
>> If the replica is not able to bind correctly: yes, it needs to be
>> abandoned or fixed (someone else who knows should say more in this
>> area).
>>
>> Thanks,
>> --Robbie
> As mentioned above, it seems to function alright. It's just that
> error message that worries me.

Now on the first master (rotte) there are similar error messages too, but the other way around.

[18/Oct/2017:11:23:41 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: The referenced context has expired (Success)) errno 0 (Success)
[18/Oct/2017:11:23:41 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[18/Oct/2017:11:23:41 +0200] NSMMReplicationPlugin - agmt="cn=meTolinge.ghs.nl" (linge:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: The referenced context has expired (Success))
[18/Oct/2017:11:23:45 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 2 (No such file or directory)
[18/Oct/2017:11:23:45 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 2 (No such file or directory)
[18/Oct/2017:11:23:45 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[18/Oct/2017:11:23:51 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 2 (No such file or directory)
[18/Oct/2017:11:23:51 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 2 (No such file or directory)
[18/Oct/2017:11:23:51 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[18/Oct/2017:11:24:03 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 2 (No such file or directory)
[18/Oct/2017:11:24:03 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 2 (No such file or directory)
[18/Oct/2017:11:24:03 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[18/Oct/2017:11:24:27 +0200] NSMMReplicationPlugin -
[Freeipa-users] Re: Replica failure, could not perform interactive bind ... [GSSAPI]
On 18-10-17 22:57, Robbie Harwood wrote:
> Kees Bakker writes:
>
>> Since I've set up a replica it gives errors like these:
>>
>> [17/Oct/2017:11:36:55 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 2 (No such file or directory)
> Well, is the ticket expired?

Maybe. The message suggests it is. Which ticket is this, and how do I check the expiration?

> Does the ticket even exist?

I would assume so. The replica seems to be working correctly, besides the mentioned error messages.

> And are the machine clocks synced?

Yes they are.

>> Perhaps the following is valuable information, perhaps not. The
>> installation failed at first due to a timeout problem. I've changed
>> the Python to increase the time, and after that the replica
>> installation succeeded. I'm able to connect to it (LDAP and web UI),
>> and new information entered in the master was replicated correctly.
>> But now I see some clients having Kerberos ticket problems, most
>> likely because they use the replica, which is not valid anymore.
>>
>> Should I abandon the replica and reinstall it, and if so, how should I
>> do that (safely)?
> If the replica is not able to bind correctly: yes, it needs to be
> abandoned or fixed (someone else who knows should say more in this
> area).
>
> Thanks,
> --Robbie

As mentioned above, it seems to function alright. It's just that error message that worries me.

-- 
Kees Bakker