[Freeipa-users] WARNING: Existing users or groups do not have a SID identifier assigned

2017-02-23 Thread Gady Notrica
Hello,

When setting up a trust between IPA and AD I am having the Warning below. 
Question: Is this going to affect the users in Active Directory if IPA syncs 
back with AD?

# ipa-adtrust-install

WARNING: 200 existing users or groups do not have a SID identifier assigned.
Installer can run a task to have ipa-sidgen Directory Server plugin generate
the SID identifier for all these users. Please note, the in case of a high
number of users and groups, the operation might lead to high replication
traffic and performance degradation. Refer to ipa-adtrust-install(1) man page
for details.

Do you want to run the ipa-sidgen task? [no]:
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] WARNING: Existing users or groups do not have a SID identifier assigned

2017-02-23 Thread Gady Notrica
Hello,

When setting up a trust between IPA and AD I am having the Warning below. 
Question: Is this going to affect the users in Active Directory if IPA syncs 
back with AD?

Any help?

# ipa-adtrust-install

WARNING: 200 existing users or groups do not have a SID identifier assigned.
Installer can run a task to have ipa-sidgen Directory Server plugin generate
the SID identifier for all these users. Please note, the in case of a high
number of users and groups, the operation might lead to high replication
traffic and performance degradation. Refer to ipa-adtrust-install(1) man page
for details.

Do you want to run the ipa-sidgen task? [no]:

Thank you,

Gady

[Freeipa-users] httpd broken

2017-01-14 Thread Gady Notrica
Hey guys,

After updating my IPA and http packages, httpd and samba are not starting. 
Something weird happening to the python code.

Any idea?

httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: 
disabled)
Drop-In: /etc/systemd/system/httpd.service.d
└─ipa.conf
Active: failed (Result: exit-code) since Sat 2017-01-14 23:44:50 EST; 33s ago
Docs: man:httpd(8)
man:apachectl(8)
Process: 3445 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy (code=exited, 
status=1/FAILURE)

Jan 14 23:44:50 master.mydomaine.local ipa-httpd-kdcproxy[3445]: File 
"/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1643, in 
__wait_for_connection
Jan 14 23:44:50 master.mydomaine.local ipa-httpd-kdcproxy[3445]: 
wait_for_open_socket(lurl.hostport, timeout)
Jan 14 23:44:50 master.mydomaine.local ipa-httpd-kdcproxy[3445]: File 
"/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1286, in 
wait_for_open_socket
Jan 14 23:44:50 master.mydomaine.local ipa-httpd-kdcproxy[3445]: raise e

[Freeipa-users] ipa-replica-install command failed

2016-12-20 Thread Gady Notrica
Hello,

Need some help installing replica - FREEIPA on Centos 7. My networking is running, 
DNS is up on the master IPA, all ports are opened. But I can't isolate the 
problem. Any help?

-- Error:
The ipa-replica-install command failed, exception: SystemExit: Connection check 
failed!
Please fix your network settings according to error messages above.
If the check results are not valid it can be skipped with --skip-conncheck 
parameter.

-- Command

# ipa-replica-install --setup-dns --setup-ca --no-forwarder 
--ip-address=172.20.10.100 
/var/lib/ipa/replica-info-sys-sec-repl.ipa.domain.com.gpg
Directory Manager (existing master) password:

Run connection check to master
ad...@ipa.domain.com password:
ipa.ipapython.install.cli.install_tool(Replica): ERROR Connection check 
failed!
Please fix your network settings according to error messages above.
If the check results are not valid it can be skipped with --skip-conncheck 
parameter.
ipa.ipapython.install.cli.install_tool(Replica): ERROR The 
ipa-replica-install command failed. See /var/log/ipareplica-install.log for 
more information


- LOG at /var/log/ipareplica-install.log

2016-12-20T19:14:50Z DEBUG stdout=Check connection from replica to remote 
master ' sys-pri-repl.ipa.domain.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master

Check RPC connection to remote master
Retrying using SSH...
Check SSH connection to remote master
Could not SSH into remote host. Error output:
OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug1: Connecting to sys-pri-repl.ipa.domain.com [172.20.10.99] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x0400
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5-...@openssh.com none
debug1: kex: client->server aes128-ctr hmac-md5-...@openssh.com none
debug1: kex: curve25519-sha...@libssh.org need=16 dh_need=16
debug1: kex: curve25519-sha...@libssh.org need=16 dh_need=16
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 
6r:0e:15:55:dk:17:86:27:53:02:02:89:c7:98:20:11
Warning: Permanently added 'sys-pri-repl.ipa.domain.com,172.20.10.99' 
(ECDSA) to the list of known hosts.
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: 
publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
Connection closed by 172.20.10.99

2016-12-20T19:14:50Z DEBUG stderr=Could not SSH to remote host.

2016-12-20T19:14:50Z DEBUG   File 
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 318, 
in run
cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 308, 
in run
self.validate()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 317, 
in validate
for nothing in self._validator():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, 
in __runner
self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, 
in _handle_exception
six.reraise(*exc_info)
  File 

Re: [Freeipa-users] Ldap error in ModifyPassword - 50: Insufficient access

2016-04-30 Thread Gady Notrica
Any help guys?

Gady

From: Gady Notrica
Sent: April 29, 2016 1:37 PM
To: 'freeipa-users@redhat.com'
Subject: Ldap error in ModifyPassword - 50: Insufficient access

Hey guys,

After my previous issue, my password does not sync anymore with IPA. No password 
changed for the sync user. Any ideas?

Thank you,

04/29/16 13:32:56: Ldap error in ModifyPassword
50: Insufficient access
04/29/16 13:32:56: Modify password failed for remote entry: 
uid=jlaporte,cn=users,cn=accounts,dc=ipa,dc=domain,dc=local
04/29/16 13:32:56: Deferring password change for jlaporte
04/29/16 13:32:58: Ldap error in ModifyPassword
50: Insufficient access
04/29/16 13:32:58: Modify password failed for remote entry: 
uid=jlaporte,cn=users,cn=accounts,dc=ipa,dc=domain,dc=local
04/29/16 13:32:58: Deferring password change for jlaporte
04/29/16 13:33:02: Ldap error in ModifyPassword
50: Insufficient access
04/29/16 13:33:02: Modify password failed for remote entry: 
uid=jlaporte,cn=users,cn=accounts,dc=ipa,dc=domain,dc=local
04/29/16 13:33:02: Deferring password change for jlaporte
04/29/16 13:33:10: Ldap error in ModifyPassword
50: Insufficient access
04/29/16 13:33:10: Modify password failed for remote entry: 
uid=jlaporte,cn=users,cn=accounts,dc=ipa,dc=domain,dc=local
04/29/16 13:33:10: Deferring password change for jlaporte

Gady


[Freeipa-users] Ldap error in ModifyPassword - 50: Insufficient access

2016-04-29 Thread Gady Notrica
Hey guys,

After my previous issue, my password does not sync anymore with IPA. No password 
changed for the sync user. Any ideas?

Thank you,

04/29/16 13:32:56: Ldap error in ModifyPassword
50: Insufficient access
04/29/16 13:32:56: Modify password failed for remote entry: 
uid=jlaporte,cn=users,cn=accounts,dc=ipa,dc=domain,dc=local
04/29/16 13:32:56: Deferring password change for jlaporte
04/29/16 13:32:58: Ldap error in ModifyPassword
50: Insufficient access
04/29/16 13:32:58: Modify password failed for remote entry: 
uid=jlaporte,cn=users,cn=accounts,dc=ipa,dc=domain,dc=local
04/29/16 13:32:58: Deferring password change for jlaporte
04/29/16 13:33:02: Ldap error in ModifyPassword
50: Insufficient access
04/29/16 13:33:02: Modify password failed for remote entry: 
uid=jlaporte,cn=users,cn=accounts,dc=ipa,dc=domain,dc=local
04/29/16 13:33:02: Deferring password change for jlaporte
04/29/16 13:33:10: Ldap error in ModifyPassword
50: Insufficient access
04/29/16 13:33:10: Modify password failed for remote entry: 
uid=jlaporte,cn=users,cn=accounts,dc=ipa,dc=domain,dc=local
04/29/16 13:33:10: Deferring password change for jlaporte

Gady


Re: [Freeipa-users] krb5kdc service not starting

2016-04-27 Thread Gady Notrica
All good!!!

Gady

-----Original Message-----
From: Alexander Bokovoy [mailto:aboko...@redhat.com] 
Sent: April 27, 2016 1:19 PM
To: Gady Notrica
Cc: Ludwig Krispenz; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting

On Wed, 27 Apr 2016, Gady Notrica wrote:
>Hello Ludwig,
>
>Is there a reason why my AD show offline?
>
>[root@cd-p-ipa1 /]# wbinfo --online-status
>BUILTIN : online
>IPA : online
>CD-PRD : offline
wbinfo output is irrelevant for RHEL 7.2-based IPA trusts.

You need to make sure that 'getent passwd CD-PRD\\Administrator'
resolves via SSSD.

-- 
/ Alexander Bokovoy



Re: [Freeipa-users] krb5kdc service not starting

2016-04-27 Thread Gady Notrica
No changes to /var/log/dirsrv/slapd-IPA-CANDEAL-CA/errors. I am tailing the log 
file and running those commands doesn’t generate any log, nothing.

[root@cd-p-ipa1 log]# ipactl start
Starting Directory Service
Job for dirsrv@IPA-CANDEAL-CA.service failed because the control process exited 
with error code. See "systemctl status dirsrv@IPA-CANDEAL-CA.service" and 
"journalctl -xe" for details.
Failed to start Directory Service: Command ''/bin/systemctl' 'start' 
'dirsrv@IPA-CANDEAL-CA.service'' returned non-zero exit status 1

Logs from /var/log/messages

Apr 27 10:26:05 cd-p-ipa1 systemd: Starting 389 Directory Server 
IPA-CANDEAL-CA
Apr 27 10:26:05 cd-p-ipa1 ns-slapd: [27/Apr/2016:10:26:05 -0400] dse - The 
configuration file /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif was not restored 
from backup /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.tmp, error -1
Apr 27 10:26:05 cd-p-ipa1 ns-slapd: [27/Apr/2016:10:26:05 -0400] dse - The 
configuration file /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif was not restored 
from backup /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.bak, error -1
Apr 27 10:26:05 cd-p-ipa1 ns-slapd: [27/Apr/2016:10:26:05 -0400] config - The 
given config file /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif could not be 
accessed, Netscape Portable Runtime error -5950 (File not found.)

[root@cd-p-ipa1 log]# systemctl start dirsrv@IPA-CANDEAL-CA.service
Job for dirsrv@IPA-CANDEAL-CA.service failed because the control process exited 
with error code. See "systemctl status dirsrv@IPA-CANDEAL-CA.service" and 
"journalctl -xe" for details.

[root@cd-p-ipa1 log]# systemctl status dirsrv@IPA-CANDEAL-CA.service -l
● dirsrv@IPA-CANDEAL-CA.service - 389 Directory Server IPA-CANDEAL-CA.
   Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor 
preset: disabled)
   Active: failed (Result: exit-code) since Wed 2016-04-27 10:26:17 EDT; 3s ago
  Process: 9830 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i 
/var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid (code=exited, 
status=1/FAILURE)

Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 
-0400] dse_read_one_file - The entry cn=schema in file 
/etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif (lineno: 1) is invalid, 
error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax 
OID "1.3.6.1.4.1.1466.115.121.1.15"
Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 
-0400] dse - Please edit the file to correct the reported problems and then 
restart the server.
[root@cd-p-ipa1 log]#

Gady

From: Ludwig Krispenz [mailto:lkris...@redhat.com]
Sent: April 27, 2016 10:06 AM
To: Gady Notrica
Cc: Rob Crittenden; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting


On 04/27/2016 03:48 PM, Gady Notrica wrote:
Hello Ludwig,

I do have only 1 error logs for the 26th in 
/var/log/dirsrv/slapd-IPA-CANDEAL-CA/errors. Below is the only line I have

[25/Apr/2016:22:34:51 -0400] NSMMReplicationPlugin - windows sync - failed to 
send dirsync search request: 2
[26/Apr/2016:00:13:01 -0400] - Entry 
"uid=MMOOREDT$,cn=users,cn=accounts,dc=ipa,dc=candeal,dc=ca" missing attribute 
"sn" required by object class "person"


I don’t know if that helps.
no. And it is weird that there should be no logs, there were definitely 
messages logged around 8:50, you provided them via systemctl status dirsrv...
And at least the startup messages should be there

Can you try 

Re: [Freeipa-users] krb5kdc service not starting

2016-04-27 Thread Gady Notrica
Hello Ludwig,

I do have only 1 error logs for the 26th in 
/var/log/dirsrv/slapd-IPA-CANDEAL-CA/errors. Below is the only line I have

[25/Apr/2016:22:34:51 -0400] NSMMReplicationPlugin - windows sync - failed to 
send dirsync search request: 2
[26/Apr/2016:00:13:01 -0400] - Entry 
"uid=MMOOREDT$,cn=users,cn=accounts,dc=ipa,dc=candeal,dc=ca" missing attribute 
"sn" required by object class "person"


I don’t know if that helps.

Gady

From: Ludwig Krispenz [mailto:lkris...@redhat.com]
Sent: April 27, 2016 3:18 AM
To: Gady Notrica
Cc: Rob Crittenden; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting


On 04/26/2016 09:09 PM, Gady Notrica wrote:

HERE..



[23/Apr/2016:11:39:51 -0400] set_krb5_creds - Could not get initial credentials 
for principal [ldap/cd-p-ipa1.ipa.domain.local@IPA.DOMAIN.LOCAL] in keytab 
[FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested 
realm)

[23/Apr/2016:11:39:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could 
not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local 
error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  
Minor code may provide more information (No Kerberos credentials available)) 
errno 0 (Success)

[23/Apr/2016:11:39:51 -0400] slapi_ldap_bind - Error: could not perform 
interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local 
error)

[23/Apr/2016:11:39:51 -0400] NSMMReplicationPlugin - 
agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with 
GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: 
GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information 
(No Kerberos credentials available))

[23/Apr/2016:11:39:51 -0400] - slapd started.  Listening on All Interfaces port 
389 for LDAP requests

[23/Apr/2016:11:39:51 -0400] - Listening on All Interfaces port 636 for LDAPS 
requests

[23/Apr/2016:11:39:51 -0400] - Listening on 
/var/run/slapd-IPA-DOMAIN-LOCAL.socket for LDAPI requests

[23/Apr/2016:11:39:55 -0400] NSMMReplicationPlugin - 
agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with 
GSSAPI auth resumed

[23/Apr/2016:14:37:27 -0400] NSMMReplicationPlugin - 
agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Unable to receive the 
response for a startReplication extended operation to consumer (Can't contact 
LDAP server). Will retry later.

[23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could 
not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't 
contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)

[23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform 
interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't 
contact LDAP server)

[23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could 
not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't 
contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)

[23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform 
interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't 
contact LDAP server)

[23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could 
not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't 
contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)

[23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform 
interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't 
contact LDAP server)

[23/Apr/2016:14:38:13 -0400] NSMMReplicationPlugin - 
agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with 
GSSAPI auth resumed

[25/Apr/2016:22:34:51 -0400] NSMMReplicationPlugin - windows sync - failed to 
send dirsync search request: 2
these are old logs, the problem you were reporting was on Apr, 26:



Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 
-0400] dse_read_one_file - The entry cn=schema in file 
/etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif (lineno: 1) is invalid, 
error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax 
OID "1.3.6.1.4.1.1466.115.121.1.15"

Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 
-0400] dse - Please edit the file to correct the reported problems and then 
restart the server.





we need the logs from that time






Gady



-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: April 26, 2016 2:44 PM
To: Gady Notrica; Ludwig Krispenz; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] krb5

Re: [Freeipa-users] krb5kdc service not starting

2016-04-26 Thread Gady Notrica
HERE..



[23/Apr/2016:11:39:51 -0400] set_krb5_creds - Could not get initial credentials 
for principal [ldap/cd-p-ipa1.ipa.domain.local@IPA.DOMAIN.LOCAL] in keytab 
[FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested 
realm)

[23/Apr/2016:11:39:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could 
not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local 
error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  
Minor code may provide more information (No Kerberos credentials available)) 
errno 0 (Success)

[23/Apr/2016:11:39:51 -0400] slapi_ldap_bind - Error: could not perform 
interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local 
error)

[23/Apr/2016:11:39:51 -0400] NSMMReplicationPlugin - 
agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with 
GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: 
GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information 
(No Kerberos credentials available))

[23/Apr/2016:11:39:51 -0400] - slapd started.  Listening on All Interfaces port 
389 for LDAP requests

[23/Apr/2016:11:39:51 -0400] - Listening on All Interfaces port 636 for LDAPS 
requests

[23/Apr/2016:11:39:51 -0400] - Listening on 
/var/run/slapd-IPA-DOMAIN-LOCAL.socket for LDAPI requests

[23/Apr/2016:11:39:55 -0400] NSMMReplicationPlugin - 
agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with 
GSSAPI auth resumed

[23/Apr/2016:14:37:27 -0400] NSMMReplicationPlugin - 
agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Unable to receive the 
response for a startReplication extended operation to consumer (Can't contact 
LDAP server). Will retry later.

[23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could 
not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't 
contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)

[23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform 
interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't 
contact LDAP server)

[23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could 
not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't 
contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)

[23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform 
interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't 
contact LDAP server)

[23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could 
not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't 
contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)

[23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform 
interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't 
contact LDAP server)

[23/Apr/2016:14:38:13 -0400] NSMMReplicationPlugin - 
agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with 
GSSAPI auth resumed

[25/Apr/2016:22:34:51 -0400] NSMMReplicationPlugin - windows sync - failed to 
send dirsync search request: 2



Gady



-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: April 26, 2016 2:44 PM
To: Gady Notrica; Ludwig Krispenz; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting



Gady Notrica wrote:
> Hey world,
>
> Any ideas?

What about the first part of Ludwig's question: Is there anything in the 389-ds 
error log?

rob

>
> Gady
>
> -----Original Message-----
> From: freeipa-users-boun...@redhat.com
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Gady Notrica
> Sent: April 26, 2016 10:10 AM
> To: Ludwig Krispenz; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] krb5kdc service not starting
>
> No, no changes. Lost connectivity with my VMs during the night
> (networking issues in datacenter)
>
> Reboot the server and oops, no IPA is coming up... The replica (secondary 
> server) is fine though.
>
> Gady Notrica
>
> -----Original Message-----
> From: freeipa-users-boun...@redhat.com
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Ludwig Krispenz
> Sent: April 26, 2016 10:02 AM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] krb5kdc service not starting
>
>
> On 04/26/2016 03:26 PM, Gady Notrica wrote:
>> Here...
>>
>> [root@cd-p-ipa1 log]# ipactl status
>> Directory Service: STOPPED
>> Directory Service must be running in order to obt

Re: [Freeipa-users] krb5kdc service not starting

2016-04-26 Thread Gady Notrica
Hey world,

Any ideas? 

Gady

-----Original Message-----
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Gady Notrica
Sent: April 26, 2016 10:10 AM
To: Ludwig Krispenz; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting

No, no changes. Lost connectivity with my VMs during the night (networking 
issues in datacenter)

Reboot the server and oops, no IPA is coming up... The replica (secondary 
server) is fine though.

Gady Notrica 

-----Original Message-----
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Ludwig Krispenz
Sent: April 26, 2016 10:02 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting


On 04/26/2016 03:26 PM, Gady Notrica wrote:
> Here...
>
> [root@cd-p-ipa1 log]# ipactl status
> Directory Service: STOPPED
> Directory Service must be running in order to obtain status of other 
> services
> ipa: INFO: The ipactl command was successful
>
> [root@cd-p-ipa1 log]# systemctl status dirsrv@IPA-CANDEAL-CA.service -l
> ● dirsrv@IPA-CANDEAL-CA.service - 389 Directory Server IPA-CANDEAL-CA.
> Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor 
> preset: disabled)
> Active: failed (Result: exit-code) since Tue 2016-04-26 08:50:21 EDT; 
> 30min ago
> Process: 6333 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i 
> -i /var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid 
> (code=exited, status=1/FAILURE)
>
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: 
> [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: 
> slapi_attr_values2keys_sv failed for type attributetypes
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: 
> [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: 
> slapi_attr_values2keys_sv failed for type attributetypes
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: 
> [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: 
> slapi_attr_values2keys_sv failed for type attributetypes
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: 
> [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: 
> slapi_attr_values2keys_sv failed for type attributetypes
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: 
> [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: 
> slapi_attr_values2keys_sv failed for type attributetypes
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: 
> [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: 
> slapi_attr_values2keys_sv failed for type attributetypes
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: 
> [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: 
> slapi_attr_values2keys_sv failed for type attributetypes
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: 
> [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: 
> slapi_attr_values2keys_sv failed for type attributetypes
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: 
> [26/Apr/2016:08:50:21 -0400] dse_read_one_file - The entry cn=schema in file 
> /etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif (lineno: 1) is invalid, 
> error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax 
> OID "1.3.6.1.4.1.1466.115.121.1.15"
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: 
> [26/Apr/2016:08:50:21 -0400] dse - Please edit the file to correct the 
> reported problems and then restart the server.
this says the server doesn't know a syntax oid, but it is a known one. 
It could be that the syntax plugins couldn't be loaded. There are more errors 
before, could you check where the errors start in 
/var/log/dirsrv/slapd-/errors ?

And, did you do any changes to the system before this problem started ?
> [root@cd-p-ipa1 log]#
>
> Gady
>
> -----Original Message-----
> From: freeipa-users-boun...@redhat.com 
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Martin Babinsky
> Sent: April 26, 2016 9:17 AM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] krb5kdc service not starting
>
> On 04/26/2016 03:13 PM, Gady Notrica wrote:
>> Hello world,
>>
>>
>>
>> I am having issues this morning with my primary IPA. See below the 
>> details in the logs and command result. Basically, krb5kdc service 
>> not starting - krb5kdc: Server error - while fetching master key.
>>
>>
>>
>> DNS is functioning. See below dig result. I have a trust with Windows AD.
>>
>>
>>
>> Please help…!
>>
>>
>>
>> [root@cd-ipa1 log]# systemctl status krb5kdc.service -l
>>
>> ● krb5kdc.service - Kerberos 5 KDC
>>
>> Loaded: loaded (/usr/lib

Re: [Freeipa-users] krb5kdc service not starting

2016-04-26 Thread Gady Notrica
No, no changes. Lost connectivity with my VMs during the night (networking 
issues in datacenter)

Reboot the server and oops, no IPA is coming up... The replica (secondary 
server) is fine though.

Gady Notrica 

-----Original Message-----
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Ludwig Krispenz
Sent: April 26, 2016 10:02 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting


On 04/26/2016 03:26 PM, Gady Notrica wrote:
> Here...
>
> [root@cd-p-ipa1 log]# ipactl status
> Directory Service: STOPPED
> Directory Service must be running in order to obtain status of other 
> services
> ipa: INFO: The ipactl command was successful
>
> [root@cd-p-ipa1 log]# systemctl status dirsrv@IPA-CANDEAL-CA.service 
> -l ● dirsrv@IPA-CANDEAL-CA.service - 389 Directory Server IPA-CANDEAL-CA.
> Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor 
> preset: disabled)
> Active: failed (Result: exit-code) since Tue 2016-04-26 08:50:21 EDT; 
> 30min ago
>Process: 6333 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i 
> -i /var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid 
> (code=exited, status=1/FAILURE)
>
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: 
> [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: 
> slapi_attr_values2keys_sv failed for type attributetypes Apr 26 
> 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: 
> [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: 
> slapi_attr_values2keys_sv failed for type attributetypes Apr 26 
> 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: 
> [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: 
> slapi_attr_values2keys_sv failed for type attributetypes Apr 26 08:50:21 
> cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - 
> valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
> attributetypes Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: 
> [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: 
> slapi_attr_values2keys_sv failed for type attributetypes Apr 26 08:50:21 
> cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - 
> valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
> attributetypes Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: 
> [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: 
> slapi_attr_values2keys_sv failed for type attributetypes Apr 26 08:50:21 
> cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - 
> valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
> attributetypes Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: 
> [26/Apr/2016:08:50:21 -0400] dse_read_one_file - The entry cn=schema in file 
> /etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif (lineno: 1) is invalid, 
> error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax 
> OID "1.3.6.1.4.1.1466.115.121.1.15"
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: 
> [26/Apr/2016:08:50:21 -0400] dse - Please edit the file to correct the 
> reported problems and then restart the server.
This says the server doesn't know a syntax OID, but it is a known one.
It could be that the syntax plugins couldn't be loaded. There are more errors
before, could you check where the errors start in
/var/log/dirsrv/slapd-/errors?

And did you make any changes to the system before this problem started?
> [root@cd-p-ipa1 log]#
>
> Gady
>
> -Original Message-
> From: freeipa-users-boun...@redhat.com 
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Martin Babinsky
> Sent: April 26, 2016 9:17 AM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] krb5kdc service not starting
>
> On 04/26/2016 03:13 PM, Gady Notrica wrote:
>> Hello world,
>>
>>
>>
>> I am having issues this morning with my primary IPA. See below the 
>> details in the logs and command result. Basically, krb5kdc service 
>> not starting - krb5kdc: Server error - while fetching master key.
>>
>>
>>
>> DNS is functioning. See below dig result. I have a trust with Windows AD.
>>
>>
>>
>> Please help…!
>>
>>
>>
>> [root@cd-ipa1 log]# systemctl status krb5kdc.service -l
>>
>> ● krb5kdc.service - Kerberos 5 KDC
>>
>> Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; 
>> disabled; vendor preset: disabled)
>>
>> Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:52 
>> EDT; 41min ago
>>
>>Process: 3694 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid 
>> $KRB5KDC_ARGS (code=exited, status
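
One way to answer the "where do the errors start" question asked in the message above without reading wrapped output by eye. This is an added example, not part of the thread and not 389 Directory Server code: it rejoins `>`-quoted, mail-wrapped ns-slapd lines, drops the journald prefix, and collapses repeated messages in order of first appearance. The sample is an excerpt of the lines quoted above, shortened to three of the repeated records; the function names are illustrative.

```python
import re
from collections import OrderedDict

# 389 Directory Server errors-log timestamp, e.g. "[26/Apr/2016:08:50:21 -0400] "
DS_STAMP = re.compile(r"\[(\d\d/[A-Z][a-z]{2}/\d{4}:\d\d:\d\d:\d\d [+-]\d{4})\] ")
# journald prefix of the *next* record, left at the end of a body after splitting
JOURNAL_TAIL = re.compile(r"\s*[A-Z][a-z]{2} \d{1,2} \d\d:\d\d:\d\d \S+ \S+\[\d+\]:\s*$")
# "component - message"; the component is empty in lines like "] - valueset_..."
BODY = re.compile(r"(?:(\S+) )?- (.*)")

# Excerpt of the quoted journal output from this thread (repeats shortened to three).
SAMPLE = """\
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]:
> [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp:
> slapi_attr_values2keys_sv failed for type attributetypes Apr 26
> 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]:
> [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp:
> slapi_attr_values2keys_sv failed for type attributetypes Apr 26 08:50:21
> cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] -
> valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type
> attributetypes Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]:
> [26/Apr/2016:08:50:21 -0400] dse_read_one_file - The entry cn=schema in file
> /etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif (lineno: 1) is invalid,
> error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax
> OID "1.3.6.1.4.1.1466.115.121.1.15"
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]:
> [26/Apr/2016:08:50:21 -0400] dse - Please edit the file to correct the
> reported problems and then restart the server.
"""


def unwrap_records(pasted):
    """Undo '>' quoting and line wrapping; return [(timestamp, body)] per log record."""
    lines = [re.sub(r"^[>\s]+", "", ln) for ln in pasted.splitlines()]
    flat = " ".join(" ".join(lines).split())
    parts = DS_STAMP.split(flat)  # [preamble, ts1, body1, ts2, body2, ...]
    return [(ts, JOURNAL_TAIL.sub("", body).strip())
            for ts, body in zip(parts[1::2], parts[2::2])]


def summarize(pasted):
    """Collapse repeats: [(first_timestamp, component, message, count)], oldest first."""
    seen = OrderedDict()
    for ts, body in unwrap_records(pasted):
        m = BODY.match(body)
        if m is None:
            continue  # not in "component - message" form
        key = (m.group(1) or "-", m.group(2))
        if key in seen:
            seen[key][1] += 1
        else:
            seen[key] = [ts, 1]
    return [(ts, comp, msg, n) for (comp, msg), (ts, n) in seen.items()]


if __name__ == "__main__":
    for ts, comp, msg, n in summarize(SAMPLE):
        print(f"{ts}  x{n:<3} {comp}: {msg}")
```

The same `summarize` call accepts the contents of the errors file itself, where records carry only the bracketed timestamp; the first row it returns is the earliest distinct message in that input.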

Re: [Freeipa-users] krb5kdc service not starting

2016-04-26 Thread Gady Notrica
Here...

[root@cd-p-ipa1 log]# ipactl status
Directory Service: STOPPED
Directory Service must be running in order to obtain status of other services
ipa: INFO: The ipactl command was successful

[root@cd-p-ipa1 log]# systemctl status dirsrv@IPA-CANDEAL-CA.service -l
● dirsrv@IPA-CANDEAL-CA.service - 389 Directory Server IPA-CANDEAL-CA.
   Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor 
preset: disabled)
   Active: failed (Result: exit-code) since Tue 2016-04-26 08:50:21 EDT; 30min 
ago
  Process: 6333 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i 
/var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid (code=exited, 
status=1/FAILURE)

Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 
-0400] dse_read_one_file - The entry cn=schema in file 
/etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif (lineno: 1) is invalid, 
error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax 
OID "1.3.6.1.4.1.1466.115.121.1.15"
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 
-0400] dse - Please edit the file to correct the reported problems and then 
restart the server.
[root@cd-p-ipa1 log]#

Gady

-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Martin Babinsky
Sent: April 26, 2016 9:17 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting

On 04/26/2016 03:13 PM, Gady Notrica wrote:
> Hello world,
>
>
>
> I am having issues this morning with my primary IPA. See below the 
> details in the logs and command result. Basically, krb5kdc service not 
> starting - krb5kdc: Server error - while fetching master key.
>
>
>
> DNS is functioning. See below dig result. I have a trust with Windows AD.
>
>
>
> Please help…!
>
>
>
> [root@cd-ipa1 log]# systemctl status krb5kdc.service -l
>
> ● krb5kdc.service - Kerberos 5 KDC
>
>Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; 
> vendor preset: disabled)
>
>Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:52 
> EDT; 41min ago
>
>   Process: 3694 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid 
> $KRB5KDC_ARGS (code=exited, status=1/FAILURE)
>
>
>
> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: Starting Kerberos 
> 5 KDC...
>
> Apr 26 08:27:52 cd-ipa1.ipa.domain.localkrb5kdc[3694]: krb5kdc: cannot 
> initialize realm IPA.DOMAIN.LOCAL- see log file for details
>
> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: krb5kdc.service:
> control process exited, code=exited status=1
>
> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: Failed to start 
> Kerberos 5 KDC.
>
> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: Unit 
> krb5kdc.service entered failed state.
>
> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: krb5kdc.service failed.
>
> [root@cd-ipa1 log]#
>
>
>
> Errors in /var/log/krb5kdc.log
>
>
>
> krb5kdc: Server error - while fetching master key K/M for realm 
> DOMAIN.LOCAL
>
> krb5kdc: Server error - while fetching master key K/M for realm 
> DOMAIN.LOCAL
>
> krb5kdc: Server error - while fetching master key K/M for realm 
> DOMAIN.LOCAL
>
>
>
> [root@cd-ipa1 log]# systemctl status httpd -l
>
> ● httpd.service - The Apache HTTP Server
>
>Loaded: loaded (/etc/systemd/system/httpd.service; disa

[Freeipa-users] krb5kdc service not starting

2016-04-26 Thread Gady Notrica
Hello world,

I am having issues this morning with my primary IPA. See below the details in 
the logs and command result. Basically, krb5kdc service not starting - krb5kdc: 
Server error - while fetching master key.

DNS is functioning. See below dig result. I have a trust with Windows AD.

Please help…!

[root@cd-ipa1 log]# systemctl status krb5kdc.service -l
● krb5kdc.service - Kerberos 5 KDC
   Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; vendor 
preset: disabled)
   Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:52 EDT; 41min 
ago
  Process: 3694 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid 
$KRB5KDC_ARGS (code=exited, status=1/FAILURE)

Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: Starting Kerberos 5 KDC...
Apr 26 08:27:52 cd-ipa1.ipa.domain.localkrb5kdc[3694]: krb5kdc: cannot 
initialize realm IPA.DOMAIN.LOCAL- see log file for details
Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: krb5kdc.service: control 
process exited, code=exited status=1
Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: Failed to start Kerberos 5 
KDC.
Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: Unit krb5kdc.service 
entered failed state.
Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: krb5kdc.service failed.
[root@cd-ipa1 log]#

Errors in /var/log/krb5kdc.log

krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL
krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL
krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL

[root@cd-ipa1 log]# systemctl status httpd -l
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/etc/systemd/system/httpd.service; disabled; vendor preset: 
disabled)
   Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:21 EDT; 39min 
ago
 Docs: man:httpd(8)
   man:apachectl(8)
  Process: 3594 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy (code=exited, 
status=1/FAILURE)

Apr 26 08:27:21 cd-ipa1.ipa.domain.localipa-httpd-kdcproxy[3594]: File 
"/usr/lib/python2.7/siteackages/ipapython/ipaldap.py", line 1579, in 
__wait_for_connection
Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: 
wait_for_open_socket(lurl.hostport, timeout)
Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: File 
"/usr/lib/python2.7/siteackages/ipapython/ipautil.py", line 1200, in 
wait_for_open_socket
Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: raise e
Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: error: 
[Errno 2] No such file or directory
Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: ipa 
: ERRORUnknown error while retrieving setting from 
ldapi://%2fvar%2frun%2fslapd-IPA-CANDEAL-CA.socket: [Errno 2] No such file or 
directory
Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: httpd.service: control 
process exited, code=exited status=1
Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: Failed to start The Apache 
HTTP Server.
Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: Unit httpd.service entered 
failed state.
Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: httpd.service failed.
[root@cd-ipa1 log]#


DNS Result for dig redhat.com

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> redhat.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5414
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;redhat.com.                    IN      A

;; ANSWER SECTION:
redhat.com. 60  IN  A   209.132.183.105

;; AUTHORITY SECTION:
.   849 IN  NS  f.root-servers.net.
.   849 IN  NS  e.root-servers.net.
.   849 IN  NS  k.root-servers.net.
.   849 IN  NS  m.root-servers.net.
.   849 IN  NS  b.root-servers.net.
.   849 IN  NS  g.root-servers.net.
.   849 IN  NS  c.root-servers.net.
.   849 IN  NS  h.root-servers.net.
.   849 IN  NS  l.root-servers.net.
.   849 IN  NS  a.root-servers.net.
.   849 IN  NS  j.root-servers.net.
.   849 IN  NS  i.root-servers.net.
.   849 IN  NS  d.root-servers.net.

;; ADDITIONAL SECTION:
j.root-servers.net. 3246 IN  A   192.58.128.30

;; Query time: 79 msec
;; SERVER: 10.20.10.41#53(10.20.10.41)
;; WHEN: Tue Apr 26 09:02:43 EDT 2016
;; MSG SIZE  rcvd: 282

Gady Notrica | IT Systems Analyst | 416.814.7800 Ext. 7921 | Cell. 416.818.4797 | gnotr...@candeal.com

[Freeipa-users] RoundRobin - Cname - 2 servers with same services

2016-04-22 Thread Gady Notrica
Hello World,

I am trying to enable round robin on FreeIPA. I have 2 servers providing the
same service (http). I am trying to give it a friendly name so that when users
want to access it, they can land on any one of the 2 servers.

But IPA DNS doesn't want to let me create a CNAME that has the same name but 2
different destinations.

How do I get around this?

Thanks,

Gady


Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Gady Notrica
You guys are awesome

# ipa-client-install --enable-dns-updates --mkhomedir --no-ntp
Discovery was successful!
…
Continue to configure the system with these values? [no]: yes
…
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
….
Systemwide CA database updated.
Added CA certificates to the default NSS database.
…
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
….
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring ipa.candeal.ca as NIS domain.
Client configuration complete.

Gady

-Original Message-
From: Lukas Slebodnik [mailto:lsleb...@redhat.com]
Sent: April 20, 2016 4:16 PM
To: Gady Notrica
Cc: Rob Crittenden; Martin Basti; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors

On (20/04/16 20:10), Gady Notrica wrote:
>[root@cd-s-prd-db1 krb5.include.d]# ls -l
>-rw-r--r--. 1 root root 224 Apr  9 07:24 domain_realm_ipa_candeal_ca
>-rw-r--r--. 1 root root 118 Apr  9 07:24 localauth_plugin
>
>[root@cd-s-prd-db1 krb5.include.d]# cat domain_realm_ipa_candeal_ca
># Generated by NetworkManager
>search ipa.candeal.ca
>nameserver 172.20.10.40
>nameserver 172.20.10.41
This should be content of /etc/resolv.conf and not domain_realm_ipa_candeal_ca

>
>[root@cd-s-prd-db1 krb5.include.d]# cat localauth_plugin
>[domain_realm]
>.AD.candeal.ca = AD.CANDEAL.CA
>AD.candeal.ca = AD.CANDEAL.CA
>[capaths]
>
This should be content of domain_realm_ipa_candeal_ca and not localauth_plugin

Remove both files. It is safe. They will be created by sssd after start.

LS
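
The mismatch pointed out above can be found mechanically. The following is an added example, not part of the thread and not SSSD or FreeIPA code: it scans a krb5 include directory such as /var/lib/sss/pubconf/krb5.include.d/ for lines that do not fit krb5.conf syntax, run here on constructed copies of the two files as posted. The function names are illustrative, and the syntax check is a simplified approximation, not libkrb5's own parser.

```python
import re
import tempfile
from pathlib import Path

SECTION = re.compile(r"^\[([^\]]+)\]\*?$")          # [libdefaults]
RELATION = re.compile(r"^[^\s=\[\]{}]+\s*=\s*(.*)$")  # key = value, key = {
DIRECTIVE = re.compile(r"^(include|includedir)\s+/\S*$")

# Constructed copies of the two files as they were posted in the thread.
SAMPLE_FILES = {
    "domain_realm_ipa_candeal_ca": (
        "# Generated by NetworkManager\n"
        "search ipa.candeal.ca\n"
        "nameserver 172.20.10.40\n"
        "nameserver 172.20.10.41\n"
    ),
    "localauth_plugin": (
        "[domain_realm]\n"
        ".AD.candeal.ca = AD.CANDEAL.CA\n"
        "AD.candeal.ca = AD.CANDEAL.CA\n"
        "[capaths]\n"
    ),
}


def check_profile_text(text):
    """Return (sections, problems) for one krb5.conf-style file.

    problems is a list of (line number, reason).
    """
    sections, problems = [], []
    depth = 0  # nesting level of "key = {" subsections
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if depth == 0 and DIRECTIVE.match(line):
            continue
        header = SECTION.match(line)
        if header:
            if depth:
                problems.append((lineno, "new [section] inside an unclosed '{'"))
                depth = 0
            sections.append(header.group(1))
            continue
        if line in ("}", "}*"):
            if depth == 0:
                problems.append((lineno, "'}' without a matching '{'"))
            else:
                depth -= 1
            continue
        relation = RELATION.match(line)
        if relation is None:
            problems.append((lineno, "not a [section], 'key = value' or comment"))
            continue
        if not sections:
            problems.append((lineno, "'key = value' before any [section]"))
        if relation.group(1).strip() == "{":
            depth += 1
    if depth:
        problems.append((len(text.splitlines()), "'{' never closed"))
    return sections, problems


def scan_include_dir(directory):
    """Check every regular file in a krb5 include directory."""
    results = {}
    for path in sorted(Path(directory).iterdir()):
        if path.is_file():
            sections, problems = check_profile_text(path.read_text(errors="replace"))
            results[path.name] = {"sections": sections, "problems": problems}
    return results


def demo():
    """Write the constructed samples to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLE_FILES.items():
            Path(tmp, name).write_text(body)
        return scan_include_dir(tmp)


if __name__ == "__main__":
    for name, info in demo().items():
        print(name, "sections:", info["sections"])
        for lineno, reason in info["problems"]:
            print(f"  line {lineno}: {reason}")
```

In the sample, the resolv.conf lines in `domain_realm_ipa_candeal_ca` are reported as syntax problems, while `localauth_plugin` parses cleanly, so its misplaced `[domain_realm]` content shows up only in the section list.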

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Gady Notrica
[root@cd-s-prd-db1 krb5.include.d]# ls -l
-rw-r--r--. 1 root root 224 Apr  9 07:24 domain_realm_ipa_candeal_ca
-rw-r--r--. 1 root root 118 Apr  9 07:24 localauth_plugin

[root@cd-s-prd-db1 krb5.include.d]# cat domain_realm_ipa_candeal_ca
# Generated by NetworkManager
search ipa.candeal.ca
nameserver 172.20.10.40
nameserver 172.20.10.41

[root@cd-s-prd-db1 krb5.include.d]# cat localauth_plugin
[domain_realm]
.AD.candeal.ca = AD.CANDEAL.CA
AD.candeal.ca = AD.CANDEAL.CA
[capaths]

[root@cd-s-prd-db1 krb5.include.d]# uname -a
Linux cd-s-prd-db1.ipa.candeal.ca 3.10.0-327.13.1.el7.x86_64 #1 SMP Thu Mar 31
16:04:38 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

It's CentOS 7.

Gady

-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: April 20, 2016 4:04 PM
To: Gady Notrica; Martin Basti; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors

Ok, Gady sent the complete file out-of-band and the temporary krb5.conf the
client installer creates looks ok. It does include files from
/var/lib/sss/pubconf/krb5.include.d/. Can you see if there are any files in
there and if so, what the contents are?

BTW, what distro and release of ipa-client is this?

thanks

rob

Rob Crittenden wrote:
> Gady Notrica wrote:
>> Please find below the krb5.conf. It still has the original content.
>>
>> [root@prddb1]# ipa-client-install
>> Discovery was successful!
>> ...
>> Continue to configure the system with these values? [no]: yes
>>
>> Kerberos authentication failed: kinit: Improper format of Kerberos
>> configuration file while initializing Kerberos 5 library
>>
>> Installation failed. Rolling back changes.
>> Failed to list certificates in /etc/ipa/nssdb: Command
>> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero
>> exit status 255
>> Disabling client Kerberos and LDAP configurations
>> Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
>> /etc/sssd/sssd.conf.deleted
>>
>> Client uninstall complete.
>>
>> [root@prddb1]# cat /etc/krb5.conf
>> [logging]
>> default = FILE:/var/log/krb5libs.log
>> kdc = FILE:/var/log/krb5kdc.log
>> admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>> dns_lookup_realm = false
>> ticket_lifetime = 24h
>> renew_lifetime = 7d
>> forwardable = true
>> rdns = false
>> # default_realm = EXAMPLE.COM
>> default_ccache_name = KEYRING:persistent:%{uid}
>>
>> [realms]
>> # EXAMPLE.COM = {
>> #  kdc = kerberos.example.com
>> #  admin_server = kerberos.example.com
>> # }
>>
>> [domain_realm]
>> # .example.com = EXAMPLE.COM
>> # example.com = EXAMPLE.COM
>> [root@prddb1]#
>
> Ok, I agree with the others then, we need to see the full
> ipaclient-install.log. This file looks fine which means the temporary
> one that is configured must be bad in some way. The log will tell how.
>
> rob
>
>>
>> Gady
>>
>> -Original Message-
>> From: Rob Crittenden [mailto:rcrit...@redhat.com]
>> Sent: April 20, 2016 3:14 PM
>> To: Gady Notrica; Martin Basti; freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] ipa-client-install errors
>>
>> Gady Notrica wrote:
>>
>>  > Thank you guys for your help.
>>  >
>>  > Still can't enroll the client. Any suggestion on the errors below?
>>  >
>>  > /Kerberos authentication failed: kinit: Improper format of Kerberos
>>  > configuration file while initializing Kerberos 5 library/
>>
>> What does /etc/krb5.conf look like?
>>
>>  > Installation failed. Rolling back changes.
>>  >
>>  > /Failed to list certificates in /etc/ipa/nssdb: Command
>>  > ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero
>>  > exit status 255/
>>
>> This is unrelated to the enrollment problem.
>>
>> rob
>>
>>  >
>>  > Disabling client Kerberos and LDAP configurations
>>  >
>>  > Gady Notrica
>>  >
>>  > -Original Message-
>>

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Gady Notrica
Original file attached - no changes to the file

Gady


-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com] 
Sent: April 20, 2016 3:52 PM
To: Gady Notrica; Martin Basti; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors

Gady Notrica wrote:
> Please find below the krb5.conf. It still has the original content.
>
> [root@prddb1]# ipa-client-install
>
> Discovery was successful!
>
> ...
>
> Continue to configure the system with these values? [no]: yes
>
> 
>
> Kerberos authentication failed: kinit: Improper format of Kerberos 
> configuration file while initializing Kerberos 5 library
>
> Installation failed. Rolling back changes.
>
> Failed to list certificates in /etc/ipa/nssdb: Command 
> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero 
> exit status 255
>
> Disabling client Kerberos and LDAP configurations
>
> Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to 
> /etc/sssd/sssd.conf.deleted
>
> 
>
> Client uninstall complete.
>
> [root@prddb1]# cat /etc/krb5.conf
>
> [logging]
>
> default = FILE:/var/log/krb5libs.log
>
> kdc = FILE:/var/log/krb5kdc.log
>
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>
> dns_lookup_realm = false
>
> ticket_lifetime = 24h
>
> renew_lifetime = 7d
>
> forwardable = true
>
> rdns = false
>
> # default_realm = EXAMPLE.COM
>
> default_ccache_name = KEYRING:persistent:%{uid}
>
> [realms]
>
> # EXAMPLE.COM = {
>
> #  kdc = kerberos.example.com
>
> #  admin_server = kerberos.example.com
>
> # }
>
> [domain_realm]
>
> # .example.com = EXAMPLE.COM
>
> # example.com = EXAMPLE.COM
>
> [root@prddb1]#

Ok, I agree with the others then, we need to see the full 
ipaclient-install.log. This file looks fine which means the temporary one that 
is configured must be bad in some way. The log will tell how.

rob

>
> Gady
>
> -----Original Message-
> From: Rob Crittenden [mailto:rcrit...@redhat.com]
> Sent: April 20, 2016 3:14 PM
> To: Gady Notrica; Martin Basti; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] ipa-client-install errors
>
> Gady Notrica wrote:
>
>  > Thank you guys for your help.
>
>  >
>
>  > Still can't enroll the client. Any suggestion on the errors below?
>
>  >
>
>  > /Kerberos authentication failed: kinit: Improper format of Kerberos
>
>  > configuration file while initializing Kerberos 5 library/
>
> What does /etc/krb5.conf look like?
>
>  > Installation failed. Rolling back changes.
>
>  >
>
>  > /Failed to list certificates in /etc/ipa/nssdb: Command
>
>  > ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero
>
>  > exit status 255/
>
> This is unrelated to the enrollment problem.
>
> rob
>
>  >
>
>  > Disabling client Kerberos and LDAP configurations
>
>  >
>
>  > Gady Notrica
>
>  >
>
>  > -Original Message-
>
>  > From: freeipa-users-boun...@redhat.com
>
>  > [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Gady Notrica
>
>  > Sent: April 20, 2016 2:12 PM
>
>  > To: Rob Crittenden; Martin Basti; freeipa-users@redhat.com
>
>  > Subject: Re: [Freeipa-users] ipa-client-install errors
>
>  >
>
>  > Any specific command in particular to remove that keytab?
>
>  >
>
>  > Since these don't work
>
>  >
>
>  > [root@cprddb1 /]# ipa-rmkeytab -r DOMAIN.COM -k /etc/krb5.keytab
>
>  > Kerberos context initialization failed
>
>  >
>
>  > [root@prddb1 /]# ipa-rmkeytab -p ldap/prddb1.ipa.domain.com -k
>
>  > /etc/krb5.keytab Kerberos context initialization failed
>
>  >
>
>  > [root@cprddb1 /]#
>
>  >
>
>  > Gady
>
>  >
>
>  > -Original Message-
>
>  >
>
>  > From: Rob Crittenden [mailto:rcrit...@redhat.com]
>
>  >
>
>  > Sent: April 20, 2016 1:59 PM
>
>  >
>
>  > To: Martin Basti; Gady Notrica; freeipa-users@redhat.com
>
>  >
>
>  > Subject: Re: [Freeipa-users] ipa-client-install errors
>
>  >
>
>  > Martin Basti wrote:
>
>  >
>
>  >  >
>
>  >
>
>  >  >
>
>  >
>
>  >  > On 20.04.2016 18:00, Gad

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Gady Notrica
Please find below the krb5.conf. It still has the original content.

[root@prddb1]# ipa-client-install
Discovery was successful!
...
Continue to configure the system with these values? [no]: yes

Kerberos authentication failed: kinit: Improper format of Kerberos
configuration file while initializing Kerberos 5 library

Installation failed. Rolling back changes.
Failed to list certificates in /etc/ipa/nssdb: Command ''/usr/bin/certutil'
'-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit status 255
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
/etc/sssd/sssd.conf.deleted

Client uninstall complete.

[root@prddb1]# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
# default_realm = EXAMPLE.COM
default_ccache_name = KEYRING:persistent:%{uid}

[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
[root@prddb1]#

Gady

-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: April 20, 2016 3:14 PM
To: Gady Notrica; Martin Basti; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors

Gady Notrica wrote:
> Thank you guys for your help.
>
> Still can't enroll the client. Any suggestion on the errors below?
>
> /Kerberos authentication failed: kinit: Improper format of Kerberos
> configuration file while initializing Kerberos 5 library/

What does /etc/krb5.conf look like?

> Installation failed. Rolling back changes.
>
> /Failed to list certificates in /etc/ipa/nssdb: Command
> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero
> exit status 255/

This is unrelated to the enrollment problem.

rob

>
> Disabling client Kerberos and LDAP configurations
>
> Gady Notrica
>
> -Original Message-
> From: freeipa-users-boun...@redhat.com
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Gady Notrica
> Sent: April 20, 2016 2:12 PM
> To: Rob Crittenden; Martin Basti; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] ipa-client-install errors
>
> Any specific command in particular to remove that keytab?
>
> Since these don't work
>
> [root@cprddb1 /]# ipa-rmkeytab -r DOMAIN.COM -k /etc/krb5.keytab
> Kerberos context initialization failed
>
> [root@prddb1 /]# ipa-rmkeytab -p ldap/prddb1.ipa.domain.com -k
> /etc/krb5.keytab Kerberos context initialization failed
>
> [root@cprddb1 /]#
>
> Gady
>
> -Original Message-
> From: Rob Crittenden [mailto:rcrit...@redhat.com]
> Sent: April 20, 2016 1:59 PM
> To: Martin Basti; Gady Notrica; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] ipa-client-install errors
>
> Martin Basti wrote:
>
>  >
>  >
>  > On 20.04.2016 18:00, Gady Notrica wrote:
>  >>
>  >> Hello World,
>  >>
>  >> I am having these errors trying to install ipa-client-install. Every
>  >> other machine is fine and they IPA servers are functioning perfectly
>  >>
>  >> Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
>  >>
>  >> Kerberos authentication failed: kinit: Improper format of Kerberos
>  >> configuration file while initializing Kerberos 5 library
>  >>
>  >> Then I have "/Installation failed. Rolling back changes."/
>  >>
>  >> I have tried everything I know with no luck. Any idea on how to FIX
>  >> this? Below is the full log.
>  >>
>  >> ---
>  >>
>  >> /Continue to configure the system with these values? [no]: yes/
>  >>
>  >> /Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1/
>  >>
>  >> /Skipping synchronizing time with NTP server./
>  >>
>  >> /User authorized to enroll computers: admin/
>  >>
>  >> /Password for ad...@ipa.domain.com:/

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Gady Notrica
Thank you guys for your help.

Still can't enroll the client. Any suggestion on the errors below?

Kerberos authentication failed: kinit: Improper format of Kerberos
configuration file while initializing Kerberos 5 library

Installation failed. Rolling back changes.
Failed to list certificates in /etc/ipa/nssdb: Command ''/usr/bin/certutil'
'-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit status 255
Disabling client Kerberos and LDAP configurations

Gady Notrica

-Original Message-
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Gady Notrica
Sent: April 20, 2016 2:12 PM
To: Rob Crittenden; Martin Basti; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors

Any specific command in particular to remove that keytab?

Since these don't work

[root@cprddb1 /]# ipa-rmkeytab -r DOMAIN.COM -k /etc/krb5.keytab
Kerberos context initialization failed
[root@prddb1 /]# ipa-rmkeytab -p ldap/prddb1.ipa.domain.com -k /etc/krb5.keytab
Kerberos context initialization failed
[root@cprddb1 /]#

Gady

-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: April 20, 2016 1:59 PM
To: Martin Basti; Gady Notrica; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors

Martin Basti wrote:
>
>
> On 20.04.2016 18:00, Gady Notrica wrote:
>>
>> Hello World,
>>
>> I am having these errors trying to install ipa-client-install. Every
>> other machine is fine and they IPA servers are functioning perfectly
>>
>> Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
>>
>> Kerberos authentication failed: kinit: Improper format of Kerberos
>> configuration file while initializing Kerberos 5 library
>>
>> Then I have "/Installation failed. Rolling back changes."/
>>
>> I have tried everything I know with no luck. Any idea on how to FIX
>> this? Below is the full log.
>>
>> ---
>>
>> /Continue to configure the system with these values? [no]: yes/
>> /Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1/
>> /Skipping synchronizing time with NTP server./
>> /User authorized to enroll computers: admin/
>> /Password for ad...@ipa.domain.com:/
>> /Please make sure the following ports are opened in the firewall
>> settings:/
>> /TCP: 80, 88, 389/
>> /UDP: 88 (at least one of TCP/UDP ports 88 has to be open)/
>> /Also note that following ports are necessary for ipa-client working
>> properly after enrollment:/
>> /TCP: 464/
>> /UDP: 464, 123 (if NTP enabled)/
>> /Kerberos authentication failed: kinit: Improper format of Kerberos
>> configuration file while initializing Kerberos 5 library/
>>
>> /Installation failed. Rolling back changes./
>> /Failed to list certificates in /etc/ipa/nssdb: Command
>> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero
>> exit status 255/
>> /Disabling client Kerberos and LDAP configurations/
>> /Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
>> /etc/sssd/sssd.conf.deleted/
>> /Restoring client configuration files/
>> /nscd daemon is not installed, skip configuration/
>> /nslcd daemon is not installed, skip configuration/
>> /Client uninstall complete./
>>
>> /---/
>>
>> Gady
>>
> Hello,
>
> IMO you have an old invalid keytab on that machine. Can you manually
> remove it and try to reinstall client? (Of course only if you are sure
> that keytab there is not needed)
>
> The keytab should be located here /etc/krb5.keytab

That or /etc/krb5.conf is messed up in some way.

rob


Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Gady Notrica
Any specific command in particular to remove that keytab? 

Since these don't work

[root@cprddb1 /]# ipa-rmkeytab -r DOMAIN.COM -k /etc/krb5.keytab
Kerberos context initialization failed
[root@prddb1 /]# ipa-rmkeytab -p ldap/prddb1.ipa.domain.com -k /etc/krb5.keytab
Kerberos context initialization failed
[root@cprddb1 /]#

Gady


-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com] 
Sent: April 20, 2016 1:59 PM
To: Martin Basti; Gady Notrica; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors

Martin Basti wrote:
>
>
> On 20.04.2016 18:00, Gady Notrica wrote:
>>
>> Hello World,
>>
>> I am having these errors trying to install ipa-client-install. Every 
>> other machine is fine and the IPA servers are functioning perfectly
>>
>> Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
>>
>> Kerberos authentication failed: kinit: Improper format of Kerberos 
>> configuration file while initializing Kerberos 5 library
>>
>> Then I have "/Installation failed. Rolling back changes."/
>>
>> I have tried everything I know with no luck. Any idea on how to FIX 
>> this? Below is the full log.
>>
>> ---
>>
>> /Continue to configure the system with these values? [no]: yes/
>>
>> /Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1/
>>
>> /Skipping synchronizing time with NTP server./
>>
>> /User authorized to enroll computers: admin/
>>
>> /Password for ad...@ipa.domain.com:/
>>
>> /Please make sure the following ports are opened in the firewall 
>> settings:/
>>
>> /TCP: 80, 88, 389/
>>
>> /UDP: 88 (at least one of TCP/UDP ports 88 has to be open)/
>>
>> /Also note that following ports are necessary for ipa-client working 
>> properly after enrollment:/
>>
>> /TCP: 464/
>>
>> /UDP: 464, 123 (if NTP enabled)/
>>
>> /Kerberos authentication failed: kinit: Improper format of Kerberos 
>> configuration file while initializing Kerberos 5 library/
>>
>> //
>>
>> /Installation failed. Rolling back changes./
>>
>> /Failed to list certificates in /etc/ipa/nssdb: Command 
>> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero 
>> exit status 255/
>>
>> /Disabling client Kerberos and LDAP configurations/
>>
>> /Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to 
>> /etc/sssd/sssd.conf.deleted/
>>
>> /Restoring client configuration files/
>>
>> /nscd daemon is not installed, skip configuration/
>>
>> /nslcd daemon is not installed, skip configuration/
>>
>> /Client uninstall complete./
>>
>> /---/
>>
>> Gady
>>
>>
>>
> Hello,
>
> IMO you have an old invalid keytab on that machine. Can you manually 
> remove it and try to reinstall client? (Of course only if you are sure 
> that keytab there is not needed)
>
> The keytab should be located here /etc/krb5.keytab

That or /etc/krb5.conf is messed up in some way.

rob
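
The suggestion above that /etc/krb5.conf may be malformed can be checked mechanically. The following is an added example, not part of the thread or of FreeIPA: a simplified structural check of the krb5.conf layout (section headers, `name = value` relations, braces), not MIT Kerberos' own parser; the function name is hypothetical and both sample files are constructed.

```python
import re

SECTION_RE = re.compile(r"^\[([^\]]+)\]\*?$")        # [realms] or [realms]*
RELATION_RE = re.compile(r"^([^\s=]+)\s*=\s*(.*)$")  # name = value
DIRECTIVES = ("include ", "includedir ", "module ")  # top-level directives


def lint_krb5_conf(text):
    """Return [(line_number, message)] for structural errors in krb5.conf text."""
    problems, section, open_braces = [], None, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":              # blank line or comment
            continue
        if not open_braces and line.startswith(DIRECTIVES):
            continue
        header = SECTION_RE.match(line)
        if header:
            # A new section while a subsection is still open: report the '{'.
            problems += [(n, "'{' is never closed") for n in open_braces]
            open_braces, section = [], header.group(1)
            continue
        if line.startswith("["):
            problems.append((lineno, "malformed section header"))
            continue
        if line in ("}", "}*"):
            if open_braces:
                open_braces.pop()
            else:
                problems.append((lineno, "'}' without a matching '{'"))
            continue
        relation = RELATION_RE.match(line)
        if not relation:
            problems.append((lineno, "expected 'name = value'"))
        elif section is None:
            problems.append((lineno, "relation outside any [section]"))
        elif relation.group(2) == "{":
            open_braces.append(lineno)               # subsection starts here
    problems += [(n, "'{' is never closed") for n in open_braces]
    return problems


# Constructed samples (not taken from the thread).
GOOD = """\
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = EXAMPLE.TEST
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  EXAMPLE.TEST = {
    kdc = kdc1.example.test:88
  }
"""

BROKEN = """\
[libdefaults]
  default_realm = EXAMPLE.TEST
  dns_lookup_kdc true
[realms]
  EXAMPLE.TEST = {
    kdc = kdc1.example.test:88
[domain_realm]
  .example.test = EXAMPLE.TEST
}
"""

if __name__ == "__main__":
    for lineno, message in lint_krb5_conf(BROKEN):
        print(f"line {lineno}: {message}")
```

A clean result only means the layout is well formed; it does not rule out semantic mistakes such as a wrong realm name.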




Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Gady Notrica
Thank you Martin, I have tried many different ways. I can't seem to be able to 
remove anything in the file.

Gady

From: Martin Basti [mailto:mba...@redhat.com]
Sent: April 20, 2016 12:50 PM
To: Gady Notrica; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors


On 20.04.2016 18:00, Gady Notrica wrote:
Hello World,

I am having these errors trying to install ipa-client-install. Every other 
machine is fine and the IPA servers are functioning perfectly

Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
Kerberos authentication failed: kinit: Improper format of Kerberos 
configuration file while initializing Kerberos 5 library

Then I have "Installation failed. Rolling back changes."

I have tried everything I know with no luck. Any idea on how to FIX this? Below 
is the full log.
---
Continue to configure the system with these values? [no]: yes
Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
Skipping synchronizing time with NTP server.
User authorized to enroll computers: admin
Password for ad...@ipa.domain.com:
Please make sure the following ports are opened in the firewall settings:
 TCP: 80, 88, 389
 UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly 
after enrollment:
 TCP: 464
 UDP: 464, 123 (if NTP enabled)
Kerberos authentication failed: kinit: Improper format of Kerberos 
configuration file while initializing Kerberos 5 library

Installation failed. Rolling back changes.
Failed to list certificates in /etc/ipa/nssdb: Command ''/usr/bin/certutil' 
'-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit status 255
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to 
/etc/sssd/sssd.conf.deleted
Restoring client configuration files
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
---
Gady


Hello,

IMO you have an old invalid keytab on that machine. Can you manually remove it 
and try to reinstall client? (Of course only if you are sure that keytab there 
is not needed)

The keytab should be located here /etc/krb5.keytab

Martin

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Gady Notrica
Please find attached the install log

Gady

-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Martin Babinsky
Sent: April 20, 2016 1:04 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors

On 04/20/2016 06:00 PM, Gady Notrica wrote:
> Hello World,
>
> I am having these errors trying to install ipa-client-install. Every 
> other machine is fine and the IPA servers are functioning perfectly
>
> Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
>
> Kerberos authentication failed: kinit: Improper format of Kerberos 
> configuration file while initializing Kerberos 5 library
>
> Then I have "/Installation failed. Rolling back changes."/
>
> I have tried everything I know with no luck. Any idea on how to FIX 
> this? Below is the full log.
>
> ---
>
> /Continue to configure the system with these values? [no]: yes/
>
> /Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1/
>
> /Skipping synchronizing time with NTP server./
>
> /User authorized to enroll computers: admin/
>
> /Password for ad...@ipa.domain.com:/
>
> /Please make sure the following ports are opened in the firewall 
> settings:/
>
> / TCP: 80, 88, 389/
>
> / UDP: 88 (at least one of TCP/UDP ports 88 has to be open)/
>
> /Also note that following ports are necessary for ipa-client working 
> properly after enrollment:/
>
> / TCP: 464/
>
> / UDP: 464, 123 (if NTP enabled)/
>
> /Kerberos authentication failed: kinit: Improper format of Kerberos 
> configuration file while initializing Kerberos 5 library/
>
> //
>
> /Installation failed. Rolling back changes./
>
> /Failed to list certificates in /etc/ipa/nssdb: Command 
> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero 
> exit status 255/
>
> /Disabling client Kerberos and LDAP configurations/
>
> /Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to 
> /etc/sssd/sssd.conf.deleted/
>
> /Restoring client configuration files/
>
> /nscd daemon is not installed, skip configuration/
>
> /nslcd daemon is not installed, skip configuration/
>
> /Client uninstall complete./
>
> /---/
>
> Gady
>
>
>
We would need to see the whole log, it should be located in 
'/var/log/ipaclient-install.log'

--
Martin^3 Babinsky

# cat /var/log/ipaclient-install.log
2016-04-20T16:04:34Z DEBUG /usr/sbin/ipa-client-install was invoked with 
options: {'domain': None, 'force': False, 'krb5_offline_passwords': True, 
'ip_addresses': [], 'configure_firefox': False, 'primary': False, 'realm_name': 
None, 'force_ntpd': False, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': 
False, 'on_master': False, 'no_nisdomain': False, 'nisdomain': None, 
'ca_cert_file': None, 'principal': None, 'keytab': None, 'hostname': 
'cd-s-prd-db1.ipa.domain.com', 'request_cert': False, 'trust_sshfp': False, 
'no_ac': False, 'unattended': None, 'all_ip_addresses': False, 'location': 
None, 'sssd': True, 'ntp_servers': None, 'kinit_attempts': 5, 'dns_updates': 
True, 'conf_sudo': True, 'conf_ssh': True, 'force_join': False, 'firefox_dir': 
None, 'server': None, 'prompt_password': False, 'permit': False, 'debug': 
False, 'preserve_sssd': True, 'mkhomedir': True, 'uninstall': False}
2016-04-20T16:04:34Z DEBUG missing options might be asked for interactively 
later
2016-04-20T16:04:34Z DEBUG IPA version 4.2.0-15.0.1.el7.centos.6.1
2016-04-20T16:04:34Z DEBUG Loading Index file from 
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2016-04-20T16:04:34Z DEBUG Loading StateFile from 
'/var/lib/ipa-client/sysrestore/sysrestore.state'
2016-04-20T16:04:34Z DEBUG [IPA Discovery]
2016-04-20T16:04:34Z DEBUG Starting IPA discovery with domain=None, 
servers=None, hostname=cd-s-prd-db1.ipa.domain.com
2016-04-20T16:04:34Z DEBUG Start searching for LDAP SRV record in 
"ipa.domain.com" (domain of the hostname) and its sub-domains
2016-04-20T16:04:34Z DEBUG Search DNS for SRV record of 
_ldap._tcp.ipa.domain.com
2016-04-20T16:04:34Z DEBUG DNS record found: 0 100 389 idmipa1.ipa.domain.com.
2016-04-20T16:04:34Z DEBUG DNS record found: 0 100 389 idmipa2.ipa.domain.com.
2016-04-20T16:04:34Z DEBUG [Kerberos realm search]
2016-04-20T16:04:34Z DEBUG Search DNS for TXT record of _kerberos.ipa.domain.com
2016-04-20T16:04:34Z DEBUG DNS record found: "IPA.domain.com"
2016-04-20T16:04:34Z DEBUG Search DNS for SRV record of 
_kerberos._udp.ipa.domain.com
2016-04-20T16:04:34Z DEB

[Freeipa-users] ipa-client-install errors

2016-04-20 Thread Gady Notrica
Hello World,

I am having these errors trying to install ipa-client-install. Every other 
machine is fine and the IPA servers are functioning perfectly

Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
Kerberos authentication failed: kinit: Improper format of Kerberos 
configuration file while initializing Kerberos 5 library

Then I have "Installation failed. Rolling back changes."

I have tried everything I know with no luck. Any idea on how to FIX this? Below 
is the full log.
---
Continue to configure the system with these values? [no]: yes
Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
Skipping synchronizing time with NTP server.
User authorized to enroll computers: admin
Password for ad...@ipa.domain.com:
Please make sure the following ports are opened in the firewall settings:
 TCP: 80, 88, 389
 UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly 
after enrollment:
 TCP: 464
 UDP: 464, 123 (if NTP enabled)
Kerberos authentication failed: kinit: Improper format of Kerberos 
configuration file while initializing Kerberos 5 library

Installation failed. Rolling back changes.
Failed to list certificates in /etc/ipa/nssdb: Command ''/usr/bin/certutil' 
'-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit status 255
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to 
/etc/sssd/sssd.conf.deleted
Restoring client configuration files
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
---
Gady

Re: [Freeipa-users] NEEDED_PREAUTH: Additional pre-authentication required - User can't access any centos server

2016-04-18 Thread Gady Notrica
Hi Rob,

Thanks for the reply. I did reset the user password multiple times to a simple 
password, still having same issue.

Gady

-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com] 
Sent: April 18, 2016 2:25 PM
To: Gady Notrica; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] NEEDED_PREAUTH: Additional pre-authentication 
required - User can't access any centos server

Gady Notrica wrote:
> Hi guys,
>
>  From the ipa server, I am having issue with the single user. Everyone 
> else is fine, just this one single user and no help anywhere online.
>
> Please help!

Decrypt integrity check failed almost always means bad password.

rob

>
> Thank you
>
> Apr 15 15:43:36 ipa.domain.com krb5kdc[2568](info): AS_REQ (6 etypes 
> {18
> 17 16 23 25 26}) 172.20.10.40: *NEEDED_PREAUTH*: 
> bcos...@ipa.domain.com for krbtgt/ipa.domain@ipa.domain.com, 
> *Additional pre-authentication
> required*
>
> Apr 15 15:43:36 ipa.domain.com krb5kdc[2568](info): closing down fd 12
>
> Apr 15 15:43:41 ipa.domain.com krb5kdc[2565](info): preauth
> (encrypted_timestamp) verify failure: *Decrypt integrity check failed*
>
> Apr 15 15:43:41 ipa.domain.com krb5kdc[2565](info): AS_REQ (6 etypes 
> {18
> 17 16 23 25 26}) 172.20.10.40: *PREAUTH_FAILED*: 
> bcos...@ipa.domain.com for krbtgt/ipa.domain@ipa.domain.com, 
> Decrypt integrity check failed
>
> Apr 15 15:43:41 ipa.domain.com krb5kdc[2565](info): closing down fd 12
>
> Apr 15 15:43:49 ipa.domain.com krb5kdc[2568](info): AS_REQ (6 etypes 
> {18
> 17 16 23 25 26}) 172.20.10.40: *NEEDED_PREAUTH*: 
> bcos...@ipa.domain.com for krbtgt/ipa.domain@ipa.domain.com, 
> *Additional pre-authentication
> required*
>
> Apr 15 15:43:49 ipa.domain.com krb5kdc[2568](info): closing down fd 12
>
> Apr 15 15:43:55 ipa.domain.com krb5kdc[2565](info): preauth
> (encrypted_timestamp) verify failure: *Decrypt integrity check failed*
>
> Apr 15 15:43:55 ipa.domain.com krb5kdc[2565](info): AS_REQ (6 etypes 
> {18
> 17 16 23 25 26}) 172.20.10.40: *PREAUTH_FAILED*: 
> bcos...@ipa.domain.com for krbtgt/ipa.domain@ipa.domain.com, 
> Decrypt integrity check failed
>
>
>
>




[Freeipa-users] NEEDED_PREAUTH: Additional pre-authentication required - User can't access any centos server

2016-04-18 Thread Gady Notrica
Hi guys,

From the ipa server, I am having issue with the single user. Everyone else is 
fine, just this one single user and no help anywhere online.

Please help!

Thank you

Apr 15 15:43:36 ipa.domain.com krb5kdc[2568](info): AS_REQ (6 etypes {18 17 16 
23 25 26}) 172.20.10.40: NEEDED_PREAUTH: bcos...@ipa.domain.com for 
krbtgt/ipa.domain@ipa.domain.com, Additional pre-authentication required
Apr 15 15:43:36 ipa.domain.com krb5kdc[2568](info): closing down fd 12
Apr 15 15:43:41 ipa.domain.com krb5kdc[2565](info): preauth 
(encrypted_timestamp) verify failure: Decrypt integrity check failed
Apr 15 15:43:41 ipa.domain.com krb5kdc[2565](info): AS_REQ (6 etypes {18 17 16 
23 25 26}) 172.20.10.40: PREAUTH_FAILED: bcos...@ipa.domain.com for 
krbtgt/ipa.domain@ipa.domain.com, Decrypt integrity check failed
Apr 15 15:43:41 ipa.domain.com krb5kdc[2565](info): closing down fd 12
Apr 15 15:43:49 ipa.domain.com krb5kdc[2568](info): AS_REQ (6 etypes {18 17 16 
23 25 26}) 172.20.10.40: NEEDED_PREAUTH: bcos...@ipa.domain.com for 
krbtgt/ipa.domain@ipa.domain.com, Additional pre-authentication required
Apr 15 15:43:49 ipa.domain.com krb5kdc[2568](info): closing down fd 12
Apr 15 15:43:55 ipa.domain.com krb5kdc[2565](info): preauth 
(encrypted_timestamp) verify failure: Decrypt integrity check failed
Apr 15 15:43:55 ipa.domain.com krb5kdc[2565](info): AS_REQ (6 etypes {18 17 16 
23 25 26}) 172.20.10.40: PREAUTH_FAILED: bcos...@ipa.domain.com for 
krbtgt/ipa.domain@ipa.domain.com, Decrypt integrity check failed

Gady Notrica | IT Systems Analyst | 416.814.7800 Ext. 7921 | Cell. 416.818.4797 
| gnotr...@candeal.com
CanDeal | 152 King St. E, 4th Floor, Toronto ON M5A 1J4 | www.candeal.com

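
The reply in this thread notes that "Decrypt integrity check failed" almost always means a bad password; NEEDED_PREAUTH, by contrast, is the KDC's normal answer to a client's first AS_REQ that carries no pre-authentication data. The following is an added example, not part of the thread: a small triage of krb5kdc AS_REQ lines that separates the two cases per client and source address. The log lines are constructed in the format shown above, and the function name and verdict labels are hypothetical.

```python
import re
from collections import Counter, defaultdict

# AS_REQ summary line as logged by krb5kdc; ISSUE lines carry an extra
# "authtime ..., etypes {...}, " prefix before the client principal.
AS_REQ_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): AS_REQ \([^)]*\) (?P<ip>\S+): "
    r"(?P<status>[A-Z_]+): (?:authtime \d+, etypes \{[^}]*\}, )?"
    r"(?P<client>\S+) for (?P<service>[^,\s]+)"
)


def triage_as_req(lines):
    """Map (client principal, source IP) -> (verdict, PREAUTH_FAILED count)."""
    seen = defaultdict(Counter)
    for line in lines:
        m = AS_REQ_RE.search(line)
        if m:
            seen[(m["client"], m["ip"])][m["status"]] += 1
    report = {}
    for key, counts in seen.items():
        failed = counts["PREAUTH_FAILED"]
        if failed == 0:
            verdict = "ok"              # NEEDED_PREAUTH alone is the normal first leg
        elif counts["ISSUE"] == 0:
            verdict = "always-failing"  # never got a ticket: the pattern in the thread
        else:
            verdict = "intermittent"    # some attempts succeed, some do not
        report[key] = (verdict, failed)
    return report


# Constructed log lines (principals, hosts and addresses are placeholders).
HEAD = "kdc.example.test krb5kdc[2568](info): "
REQ = "AS_REQ (6 etypes {18 17 16 23 25 26}) "
TGT = " for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST"
SAMPLE_LOG = [
    "Apr 15 15:40:01 " + HEAD + REQ + "192.0.2.10: NEEDED_PREAUTH: "
    "alice@EXAMPLE.TEST" + TGT + ", Additional pre-authentication required",
    "Apr 15 15:40:05 " + HEAD + REQ + "192.0.2.10: ISSUE: authtime 1460749205, "
    "etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.TEST" + TGT,
    "Apr 15 15:43:36 " + HEAD + REQ + "192.0.2.11: NEEDED_PREAUTH: "
    "bob@EXAMPLE.TEST" + TGT + ", Additional pre-authentication required",
    "Apr 15 15:43:41 " + HEAD + "preauth (encrypted_timestamp) verify failure: "
    "Decrypt integrity check failed",
    "Apr 15 15:43:41 " + HEAD + REQ + "192.0.2.11: PREAUTH_FAILED: "
    "bob@EXAMPLE.TEST" + TGT + ", Decrypt integrity check failed",
    "Apr 15 15:43:49 " + HEAD + REQ + "192.0.2.11: NEEDED_PREAUTH: "
    "bob@EXAMPLE.TEST" + TGT + ", Additional pre-authentication required",
    "Apr 15 15:43:55 " + HEAD + REQ + "192.0.2.11: PREAUTH_FAILED: "
    "bob@EXAMPLE.TEST" + TGT + ", Decrypt integrity check failed",
]

if __name__ == "__main__":
    for (client, ip), (verdict, failed) in triage_as_req(SAMPLE_LOG).items():
        print(f"{client} from {ip}: {verdict} ({failed} PREAUTH_FAILED)")
```

Log lines that were hard-wrapped by a mail client, as in the message above, need to be rejoined into single lines before they will match.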

[Freeipa-users] IPA-Server installation

2016-01-13 Thread Gady Notrica
Hi,

Trying to install IPA-Server but failing.
The file 
"b0789cdf06109ebe3313dab51585247700dd285b7eb0bc83f9d80a90cf2360f6-primary.sqlite.bz2"
is no longer available.

It has been replaced by 
"14824767ac8a1b07914066cf2f721b1ba0de7cf93e04662a6f669cb302de61d1-primary.sqlite.bz2"
NEW FILE
http://mirror.its.sfu.ca/mirror/CentOS/7.2.1511/updates/x86_64/repodata/14824767ac8a1b07914066cf2f721b1ba0de7cf93e04662a6f669cb302de61d1-primary.sqlite.bz2

OLD FILE
http://centos.bhs.mirrors.ovh.net/ftp.centos.org/7.2.1511/updates/x86_64/repodata/b0789cdf06109ebe3313dab51585247700dd285b7eb0bc83f9d80a90cf2360f6-primary.sqlite.bz2:
 [Errno 14] HTTP Error 404 - Not Found
http://centos.mirror.netelligent.ca/centos/7.2.1511/updates/x86_64/repodata/b0789cdf06109ebe3313dab51585247700dd285b7eb0bc83f9d80a90cf2360f6-primary.sqlite.bz2:
 [Errno 14] HTTP Error 404 - Not Found
http://mirror.esecuredata.com/centos/7.2.1511/updates/x86_64/repodata/b0789cdf06109ebe3313dab51585247700dd285b7eb0bc83f9d80a90cf2360f6-primary.sqlite.bz2:
 [Errno 14] HTTP Error 404 - Not Found

Gady Notrica | IT Systems Analyst | 416.814.7800 Ext. 7921 | Cell. 416.818.4797 
| gnotr...@candeal.com
CanDeal | 152 King St. E, 4th Floor, Toronto ON M5A 1J4 | www.candeal.com
