Re: [Freeipa-users] Dead Freeipa
On 07/28/2011 05:30 AM, Simo Sorce wrote:
> On Wed, 2011-07-27 at 15:53 -0600, Rich Megginson wrote:
> > On 07/27/2011 03:40 PM, Steven Jones wrote:
> > > regards
> > Thanks. To follow up from IRC:
> > If Steven starts up dirsrv manually, then krb, then named then httpd, everything works fine. Not sure what the ipa script is doing that kills dirsrv immediately upon startup.
>
> The only case where ipactl stops dirsrv is when it fails to find information with the ldapsearch done immediately after dirsrv starts.
>
> Is it possible the dirsrv init script returns before dirsrv is actually ready to serve requests?

It is possible. Is there any way to get the output and/or result code of that ldapsearch?

> Simo.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
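The startup race raised in this message, as an added example that is not part of the original thread and is not ipactl's code: a bounded retry around a readiness probe that keeps the probe's output and exit code, rather than querying once right after the init script returns. The root DSE search used as the probe, `LDAP_URI` and all function names are assumptions made for the example; `fake_slow_dirsrv` is a constructed stand-in so the logic can be run offline.

```sh
#!/bin/sh
# Added example, not ipactl's code: poll the directory server until it answers
# instead of querying it once right after the init script returns.

# Hypothetical default for this example.
LDAP_URI="${LDAP_URI:-ldap://localhost:389}"

# Readiness probe (assumption): anonymous base-scope read of the root DSE.
probe_rootdse() {
    ldapsearch -x -LLL -H "$LDAP_URI" -b "" -s base "(objectClass=*)" namingContexts
}

# wait_for_ldap MAX_TRIES DELAY_SECONDS PROBE_CMD [ARGS...]
# Re-runs the probe until it exits 0 or MAX_TRIES attempts were made.
# Leaves the last attempt's details in WAIT_TRIES, WAIT_RC and WAIT_OUT so a
# failure can be reported with the probe's real output and result code.
wait_for_ldap() {
    max_tries=$1
    delay=$2
    shift 2
    WAIT_TRIES=0
    WAIT_RC=1
    WAIT_OUT=""
    while [ "$WAIT_TRIES" -lt "$max_tries" ]; do
        WAIT_TRIES=$((WAIT_TRIES + 1))
        # Capture stdout and stderr together with the exit status.
        WAIT_OUT=$("$@" 2>&1) && WAIT_RC=0 || WAIT_RC=$?
        if [ "$WAIT_RC" -eq 0 ]; then
            return 0
        fi
        # No sleep after the final attempt.
        if [ "$WAIT_TRIES" -lt "$max_tries" ]; then
            sleep "$delay"
        fi
    done
    echo "directory server not ready after $WAIT_TRIES tries (rc=$WAIT_RC): $WAIT_OUT" >&2
    return 1
}

# Constructed stand-in for a slow dirsrv: fails until it has been called
# READY_AFTER times. State is kept in a file because the probe runs inside a
# command substitution (a subshell).
fake_slow_dirsrv() {
    state_file=$1
    ready_after=$2
    n=$(cat "$state_file" 2>/dev/null || true)
    n=${n:-0}
    n=$((n + 1))
    echo "$n" > "$state_file"
    if [ "$n" -lt "$ready_after" ]; then
        echo "constructed error: cannot contact LDAP server"
        return 255
    fi
    echo "dn:"
    echo "namingContexts: dc=example,dc=com"
}

# On a server: wait_for_ldap 30 1 probe_rootdse || exit 1
# and only then start the services that depend on the directory.
```

On failure the last probe output and exit code are written to stderr, which is the information asked for in the message above.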
Re: [Freeipa-users] Dead Freeipa
regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ

== 8><-
that fixed it thanks...now to try and fix the minor/major problem
8><---
If you started your services manually on the server did you start ipa_kpasswd?

rob
Re: [Freeipa-users] Dead Freeipa
Steven Jones wrote:
> Hi,
>
> Nope...didn't know I had to, never heard of this service! is it documented?
>
> I will start it...and test.
>
> For the record, what are the packages and what is the correct manual order to stop and start please? or is this documented somewhere?

It is the same as in v1, I assume that stuff was pulled forward to the v2 docs. ipactl is authoritative in this regard though.

> In the troubleshooting part of the guide can we have an order and a command line test for each service in turn with the correct return?
>
> Also using yum to downgrade libcurl fails...lots of broken dependencies...oops as they say.

# yum downgrade curl libcurl*

> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
>
> what release of freeipa on what platform
>
> RHEL6.1 client, as patched yesterday...ditto I patched the IPA server because of the minor/major version problem in adding new clients.

I thought you said this was RHEL 5.6, or is it happening on 6.1 as well?

> ipa-client = 2.0.0-23 64bit
>
> password not updated, because I can't login with the new password but continue to login with the old and it asks me every time to change...like ground-hog day

Did you start ipa_kpasswd as suggested?

rob
Re: [Freeipa-users] Dead Freeipa
Steven Jones wrote:
> Hi,
>
> I'm wondering that...I was tempted to edit the existing or write my own simple wrapper script with sleep's in it to see...certainly starting by hand seems to be ok, so 30secs sleeps say

Starting by hand != running ipactl. If you want to put a sleep anywhere put it in that script.

> At the moment of course with libcurl and password changing failure in effect I have a sev 1 on my hands...fortunately it's only a POC, otherwise if this were to happen in production there would be a lot of Q's asked...such a hole shouldn't exist frankly.

We have no control over libcurl nor its upstream. It was as much a surprise to us as anyone.

rob
Re: [Freeipa-users] Dead Freeipa
Hi,

Nope...didn't know I had to, never heard of this service! is it documented?

I will start it...and test.

For the record, what are the packages and what is the correct manual order to stop and start please? or is this documented somewhere?

In the troubleshooting part of the guide can we have an order and a command line test for each service in turn with the correct return?

Also using yum to downgrade libcurl fails...lots of broken dependencies...oops as they say.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ

what release of freeipa on what platform

RHEL6.1 client, as patched yesterday...ditto I patched the IPA server because of the minor/major version problem in adding new clients.

ipa-client = 2.0.0-23 64bit

password not updated, because I can't login with the new password but continue to login with the old and it asks me every time to change...like ground-hog day

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Friday, 29 July 2011 1:16 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Dead Freeipa

Steven Jones wrote:
> Hi,
>
> Further issues, when I change the password in freeipa gui, and then login to the first RHEL5.6 guest it asks for the password and insists on a change, but doesn't update it, so I can't login.

We need a lot more details:

* what release of freeipa on what platform
* what version of ipa-client do you have installed on 5.6
* were any errors logged on either the client or the server?
* how do you know the password wasn't updated?

If you started your services manually on the server did you start ipa_kpasswd?

rob
Re: [Freeipa-users] Dead Freeipa
Hi,

I'm wondering that...I was tempted to edit the existing or write my own simple wrapper script with sleep's in it to see...certainly starting by hand seems to be ok, so 30secs sleeps say

At the moment of course with libcurl and password changing failure in effect I have a sev 1 on my hands...fortunately it's only a POC, otherwise if this were to happen in production there would be a lot of Q's asked...such a hole shouldn't exist frankly.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ

8><
Is it possible the dirsrv init script returns before dirsrv is actually ready to serve requests ?

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Dead Freeipa
Hi,

I had a similar problem. For me the /etc/dirsrv/slapd-IX-TEST-COM/dse.ldif file was suddenly 0 bytes long. I recovered by restoring a copy of the dse.ldif.bak file in the same folder. I was under the impression that this was my own fault due to continuous power cuts to my test bench, but have a look.

Rgds,
Siggi

On 07/27/2011 11:40 PM, Steven Jones wrote:
> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
>
> From: freeipa-users-boun...@redhat.com [freeipa-users-bounces@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
> Sent: Thursday, 28 July 2011 9:25 a.m.
> To: Rob Crittenden
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Dead Freeipa
>
> I have rebooted the server and the dirsrv won't start at boot.
>
> I've gone into /etc/rc3.d and started dirsrv which did
>
> I then tried ipa, ipa shutdown itself and dirsrv...
>
> :/
>
> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
>
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
> Sent: Thursday, 28 July 2011 9:15 a.m.
> To: Rob Crittenden
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Dead Freeipa
>
> Hi,
>
> I have incl the krb log, and error log from the slapd directory, what else do you need?
>
> regards
>
> Steven
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
>
> From: Rob Crittenden [rcrit...@redhat.com]
> Sent: Thursday, 28 July 2011 9:13 a.m.
> To: Steven Jones
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Dead Freeipa
>
> Steven Jones wrote:
> > Hi,
> >
> > I just went back to the proof of concept to have a wee play and I find that without going near it for a month when I try and join a new client I get a client / server version mismatch...quite why on an unchanged environment this occurs is a mystery.
> >
> > So Ok I have put the new client and ipa server onto the internet and patched them, but now IPA won't start...like Oops...
> >
> > The KDC is dead,
>
> If dirsrv won't start then we need to see those logs. Without it the KDC and named can't start.
>
> The client enrollment problem is probably the libcurl update a few weeks ago which dropped a feature required by IPA.
>
> rob
Re: [Freeipa-users] Dead Freeipa
Steven Jones wrote:
> Hi,
>
> Further issues, when I change the password in freeipa gui, and then login to the first RHEL5.6 guest it asks for the password and insists on a change, but doesn't update it, so I can't login.

We need a lot more details:

* what release of freeipa on what platform
* what version of ipa-client do you have installed on 5.6
* were any errors logged on either the client or the server?
* how do you know the password wasn't updated?

If you started your services manually on the server did you start ipa_kpasswd?

rob
Re: [Freeipa-users] Dead Freeipa
Simo Sorce wrote:
> On Wed, 2011-07-27 at 15:53 -0600, Rich Megginson wrote:
> > On 07/27/2011 03:40 PM, Steven Jones wrote:
> > > regards
> > Thanks. To follow up from IRC:
> > If Steven starts up dirsrv manually, then krb, then named then httpd, everything works fine. Not sure what the ipa script is doing that kills dirsrv immediately upon startup.
>
> The only case where ipactl stops dirsrv is when it fails to find information with the ldapsearch done immediately after dirsrv starts.
>
> Is it possible the dirsrv init script returns before dirsrv is actually ready to serve requests ?
>
> Simo.

It also does a query to determine what services it needs to start in what order. If the query fails it shuts dirsrv down.

rob
Re: [Freeipa-users] Dead Freeipa
On Wed, 2011-07-27 at 15:53 -0600, Rich Megginson wrote:
> On 07/27/2011 03:40 PM, Steven Jones wrote:
> > regards
> Thanks. To follow up from IRC:
> If Steven starts up dirsrv manually, then krb, then named then httpd, everything works fine. Not sure what the ipa script is doing that kills dirsrv immediately upon startup.

The only case where ipactl stops dirsrv is when it fails to find information with the ldapsearch done immediately after dirsrv starts.

Is it possible the dirsrv init script returns before dirsrv is actually ready to serve requests ?

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Dead Freeipa
Hi,

Further issues, when I change the password in freeipa gui, and then login to the first RHEL5.6 guest it asks for the password and insists on a change, but doesn't update it, so I can't login.

:/

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ

From: Rich Megginson [rmegg...@redhat.com]
Sent: Thursday, 28 July 2011 9:53 a.m.
To: Steven Jones
Cc: Rob Crittenden; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Dead Freeipa

On 07/27/2011 03:40 PM, Steven Jones wrote:
> regards

Thanks. To follow up from IRC:
If Steven starts up dirsrv manually, then krb, then named then httpd, everything works fine. Not sure what the ipa script is doing that kills dirsrv immediately upon startup.

> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
>
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
> Sent: Thursday, 28 July 2011 9:25 a.m.
> To: Rob Crittenden
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Dead Freeipa
>
> I have rebooted the server and the dirsrv won't start at boot.
>
> I've gone into /etc/rc3.d and started dirsrv which did
>
> I then tried ipa, ipa shutdown itself and dirsrv...
>
> :/
>
> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
>
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
> Sent: Thursday, 28 July 2011 9:15 a.m.
> To: Rob Crittenden
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Dead Freeipa
>
> Hi,
>
> I have incl the krb log, and error log from the slapd directory, what else do you need?
>
> regards
>
> Steven
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
>
> From: Rob Crittenden [rcrit...@redhat.com]
> Sent: Thursday, 28 July 2011 9:13 a.m.
> To: Steven Jones
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Dead Freeipa
>
> Steven Jones wrote:
> > Hi,
> >
> > I just went back to the proof of concept to have a wee play and I find that without going near it for a month when I try and join a new client I get a client / server version mismatch...quite why on an unchanged environment this occurs is a mystery.
> >
> > So Ok I have put the new client and ipa server onto the internet and patched them, but now IPA won't start...like Oops...
> >
> > The KDC is dead,
>
> If dirsrv won't start then we need to see those logs. Without it the KDC and named can't start.
>
> The client enrollment problem is probably the libcurl update a few weeks ago which dropped a feature required by IPA.
>
> rob
Re: [Freeipa-users] Dead Freeipa
On 07/27/2011 03:40 PM, Steven Jones wrote:
> regards

Thanks. To follow up from IRC:
If Steven starts up dirsrv manually, then krb, then named then httpd, everything works fine. Not sure what the ipa script is doing that kills dirsrv immediately upon startup.

> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
>
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
> Sent: Thursday, 28 July 2011 9:25 a.m.
> To: Rob Crittenden
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Dead Freeipa
>
> I have rebooted the server and the dirsrv won't start at boot.
>
> I've gone into /etc/rc3.d and started dirsrv which did
>
> I then tried ipa, ipa shutdown itself and dirsrv...
>
> :/
>
> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
>
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
> Sent: Thursday, 28 July 2011 9:15 a.m.
> To: Rob Crittenden
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Dead Freeipa
>
> Hi,
>
> I have incl the krb log, and error log from the slapd directory, what else do you need?
>
> regards
>
> Steven
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
>
> From: Rob Crittenden [rcrit...@redhat.com]
> Sent: Thursday, 28 July 2011 9:13 a.m.
> To: Steven Jones
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Dead Freeipa
>
> Steven Jones wrote:
> > Hi,
> >
> > I just went back to the proof of concept to have a wee play and I find that without going near it for a month when I try and join a new client I get a client / server version mismatch...quite why on an unchanged environment this occurs is a mystery.
> >
> > So Ok I have put the new client and ipa server onto the internet and patched them, but now IPA won't start...like Oops...
> >
> > The KDC is dead,
>
> If dirsrv won't start then we need to see those logs. Without it the KDC and named can't start.
>
> The client enrollment problem is probably the libcurl update a few weeks ago which dropped a feature required by IPA.
>
> rob
Re: [Freeipa-users] Dead Freeipa
regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Thursday, 28 July 2011 9:25 a.m.
To: Rob Crittenden
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Dead Freeipa

I have rebooted the server and the dirsrv won't start at boot.

I've gone into /etc/rc3.d and started dirsrv which did

I then tried ipa, ipa shutdown itself and dirsrv...

:/

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Thursday, 28 July 2011 9:15 a.m.
To: Rob Crittenden
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Dead Freeipa

Hi,

I have incl the krb log, and error log from the slapd directory, what else do you need?

regards

Steven
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Thursday, 28 July 2011 9:13 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Dead Freeipa

Steven Jones wrote:
> Hi,
>
> I just went back to the proof of concept to have a wee play and I find that without going near it for a month when I try and join a new client I get a client / server version mismatch...quite why on an unchanged environment this occurs is a mystery.
>
> So Ok I have put the new client and ipa server onto the internet and patched them, but now IPA won't start...like Oops...
>
> The KDC is dead,

If dirsrv won't start then we need to see those logs. Without it the KDC and named can't start.

The client enrollment problem is probably the libcurl update a few weeks ago which dropped a feature required by IPA.

rob

errors
Description: errors
Re: [Freeipa-users] Dead Freeipa
I have rebooted the server and the dirsrv won't start at boot.

I've gone into /etc/rc3.d and started dirsrv which did

I then tried ipa, ipa shutdown itself and dirsrv...

:/

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Thursday, 28 July 2011 9:15 a.m.
To: Rob Crittenden
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Dead Freeipa

Hi,

I have incl the krb log, and error log from the slapd directory, what else do you need?

regards

Steven
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Thursday, 28 July 2011 9:13 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Dead Freeipa

Steven Jones wrote:
> Hi,
>
> I just went back to the proof of concept to have a wee play and I find that without going near it for a month when I try and join a new client I get a client / server version mismatch...quite why on an unchanged environment this occurs is a mystery.
>
> So Ok I have put the new client and ipa server onto the internet and patched them, but now IPA won't start...like Oops...
>
> The KDC is dead,

If dirsrv won't start then we need to see those logs. Without it the KDC and named can't start.

The client enrollment problem is probably the libcurl update a few weeks ago which dropped a feature required by IPA.

rob
Re: [Freeipa-users] Dead Freeipa
Hi,

I have incl the krb log, and error log from the slapd directory, what else do you need?

regards

Steven
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Thursday, 28 July 2011 9:13 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Dead Freeipa

Steven Jones wrote:
> Hi,
>
> I just went back to the proof of concept to have a wee play and I find that without going near it for a month when I try and join a new client I get a client / server version mismatch...quite why on an unchanged environment this occurs is a mystery.
>
> So Ok I have put the new client and ipa server onto the internet and patched them, but now IPA won't start...like Oops...
>
> The KDC is dead,

If dirsrv won't start then we need to see those logs. Without it the KDC and named can't start.

The client enrollment problem is probably the libcurl update a few weeks ago which dropped a feature required by IPA.

rob
Re: [Freeipa-users] Dead Freeipa
Hi,

After some (5?+) minutes I have finally been able to start dirsrv, then I have been able to restart all the services...I am going to try a reboot and see if this happens again.

regards

Steven
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
Re: [Freeipa-users] Dead Freeipa
Steven Jones wrote:
> Hi,
>
> I just went back to the proof of concept to have a wee play and I find that without going near it for a month when I try and join a new client I get a client / server version mismatch...quite why on an unchanged environment this occurs is a mystery.
>
> So Ok I have put the new client and ipa server onto the internet and patched them, but now IPA won't start...like Oops...
>
> The KDC is dead,

If dirsrv won't start then we need to see those logs. Without it the KDC and named can't start.

The client enrollment problem is probably the libcurl update a few weeks ago which dropped a feature required by IPA.

rob
Re: [Freeipa-users] Dead Freeipa
On Wed, 2011-07-27 at 20:58 +, Steven Jones wrote:
> Hi,
>
> I just went back to the proof of concept to have a wee play and I find that without going near it for a month when I try and join a new client I get a client / server version mismatch...quite why on an unchanged environment this occurs is a mystery.
>
> So Ok I have put the new client and ipa server onto the internet and patched them, but now IPA won't start...like Oops...
>
> The KDC is dead,

The KDC simply tells you it can't operate w/o Directory Server running.

[..]

> and named isn't or won't run any longer.

Same here, the bind-dyndb-ldap plugin depends on Directory Server running.

> dirsrv isn't running

Here is the culprit, check DS's access and errors log and see if there are any complaints there.
Also if you run service ipa start do you get errors ?

> I've attached a screenshot of the boot fail
>
> I've looked through messages and other logs, can't see any reason for this.

Try the above, see if you missed anything.

Simo.

--
Simo Sorce * Red Hat, Inc * New York