Re: [Freeipa-users] Unable to start replica server after setting up replication
On 01/30/2013 02:05 AM, free...@stormcloud9.net wrote:
> On 01/29/2013 07:49 PM, Dmitri Pal wrote:
>> On 01/29/2013 07:26 PM, free...@stormcloud9.net wrote:
>>> Using ipa-server 2.2.0-17 on Amazon linux (RHEL6 clone), and after using the `ipa-replica-install` script to configure the replica server, the service will not start. Whenever I try it throws SASL(-4): no mechanism available during start.
>>>
>>> Any ideas?
>>>
>>> Full output:
>>>
>>> # /etc/init.d/ipa start
>>> Starting Directory Service
>>> Starting dirsrv:
>>>     CLIFF-CLOUDBURRITO-COM... [ OK ]
>>>     PKI-IPA... [ OK ]
>>> Failed to read data from Directory Service: Unknown error when retrieving list of services from LDAP: {'info': 'SASL(-4): no mechanism available: ', 'desc': 'Unknown authentication method'}
>>> Shutting down
>>> Shutting down dirsrv:
>>>     CLIFF-CLOUDBURRITO-COM... [ OK ]
>>>     PKI-IPA... [ OK ]
>>
>> Sounds like DS did not start under the CA.
>> Please check the DS logs in the PKI instance.
>
> ns-slapd appears to be starting fine. I can even start it manually, but `ipactl status` still shows the error:
>
> Below is the result of me starting it manually (directly running ns-slapd):
>
> # ps ax|grep slapd
> 15540 ? Sl 0:00 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-PKI-IPA -i /var/run/dirsrv/slapd-PKI-IPA.pid -w /var/run/dirsrv/slapd-PKI-IPA.startpid
> 15586 ? Sl 0:00 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-CLIFF-CLOUDBURRITO-COM -i /var/run/dirsrv/slapd-CLIFF-CLOUDBURRITO-COM.pid -w /var/run/dirsrv/slapd-CLIFF-CLOUDBURRITO-COM.startpid
>
> # netstat -tpnl | grep slapd
> tcp 0 0 :::636 :::* LISTEN 15586/ns-slapd
> tcp 0 0 :::7389 :::* LISTEN 15540/ns-slapd
> tcp 0 0 :::7390 :::* LISTEN 15540/ns-slapd
> tcp 0 0 :::389 :::* LISTEN 15586/ns-slapd
>
> # ipactl status
> Directory Service: RUNNING
> Unknown error when retrieving list of services from LDAP: {'info': 'SASL(-4): no mechanism available: ', 'desc': 'Unknown authentication method'}

Hello,

OK, it seems that ipactl could not bind to your Directory Server. This script uses a ldap_uri configuration option value from /etc/ipa/default.conf to connect to Directory Server via EXTERNAL auth. You can verify yourself if that bind works or not with the following ldapsearch (just replace $LDAP_URI_VALUE with your setting):

# ldapsearch -Y EXTERNAL -H $LDAP_URI_VALUE -b cn=masters,cn=ipa,cn=etc,dc=cliff,dc=cloudburrito,dc=com

I assume it will report the same error as ipactl. We need to verify that the referred LDAP URI is indeed right and functional.

Martin

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Unable to start replica server after setting up replication
On 2013/30/01 03:33, Martin Kosek wrote:
> Hello,
>
> OK, it seems that ipactl could not bind to your Directory Server. This script uses a ldap_uri configuration option value from /etc/ipa/default.conf to connect to Directory Server via EXTERNAL auth. You can verify yourself if that bind works or not with the following ldapsearch (just replace $LDAP_URI_VALUE with your setting):
>
> # ldapsearch -Y EXTERNAL -H $LDAP_URI_VALUE -b cn=masters,cn=ipa,cn=etc,dc=cliff,dc=cloudburrito,dc=com
>
> I assume it will report the same error as ipactl. We need to verify that the referred LDAP URI is indeed right and functional.
>
> Martin

The system had no /etc/ipa/default.conf

I copied the one from the master server, changed the `host=` and `xmlrpc_uri=` parameters to reflect the replica server, and now `ipactl status`, along with everything else, is working perfectly.

Should that file have been created during the `ipa-replica-install` process? I don't see anything in the documentation about having to copy and edit it manually.

Thanks

-Patrick

Re: [Freeipa-users] Unable to start replica server after setting up replication
On 01/30/2013 03:16 PM, Patrick Hemmer wrote:
> The system had no /etc/ipa/default.conf
>
> I copied the one from the master server, changed the `host=` and `xmlrpc_uri=` parameters to reflect the replica server, and now `ipactl status`, along with everything else, is working perfectly.
>
> Should that file have been created during the `ipa-replica-install` process? I don't see anything in the documentation about having to copy and edit it manually.
>
> Thanks
>
> -Patrick

Yeah, this should have been created during ipa-replica-install. Can you please check /var/log/ipareplica-install.log and check if ipa-client-install (which is run as part of ipa-replica-install) succeeded? I have a suspicion you hit a bug I was fixing recently.

Martin

Re: [Freeipa-users] Unable to start replica server after setting up replication
On 2013/30/01 09:19, Martin Kosek wrote:
> Yeah, this should have been created during ipa-replica-install. Can you please check /var/log/ipareplica-install.log and check if ipa-client-install (which is run as part of ipa-replica-install) succeeded? I have a suspicion you hit a bug I was fixing recently.
>
> Martin

No, the client install failed:

2013-01-29T23:24:05Z DEBUG stderr=
2013-01-29T23:24:05Z DEBUG Restarting the web server
2013-01-29T23:24:06Z DEBUG args=/sbin/service httpd restart
2013-01-29T23:24:06Z DEBUG stdout=Stopping httpd: [ OK ]
Starting httpd:[ OK ]
2013-01-29T23:24:06Z DEBUG stderr=
2013-01-29T23:24:20Z DEBUG args=/usr/sbin/ipa-client-install --on-master --unattended --domain cliff.cloudburrito.com --server i-d26b7f8b.ipa-server.us-west-1.cliff.cloudburrito.com --realm CLIFF.CLOUDBURRITO.COM
2013-01-29T23:24:20Z DEBUG stdout=Discovery was successful!
Hostname: i-d26b7f8b.ipa-server.us-west-1.cliff.cloudburrito.com
Realm: CLIFF.CLOUDBURRITO.COM
DNS Domain: cliff.cloudburrito.com
IPA Server: i-d26b7f8b.ipa-server.us-west-1.cliff.cloudburrito.com
BaseDN: dc=cliff,dc=cloudburrito,dc=com
Configured /etc/sssd/sssd.conf
Installation failed. Rolling back changes.
2013-01-29T23:24:20Z DEBUG stderr=DNS domain 'cliff.cloudburrito.com' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.
Failed to add CA to the default NSS database.
2013-01-29T23:24:20Z DEBUG Failed to configure the client File

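Added example, not part of the thread and not FreeIPA's own code: a small shell check for the failure mode the messages above converge on, a replica whose `/etc/ipa/default.conf` is absent or was copied from the master without editing `host` and `xmlrpc_uri`, plus the rolled-back `ipa-client-install` in the replica install log. The function names, the `example.test` hostnames and the sample config and log contents are constructed for illustration.

```shell
#!/bin/sh
# Print the value of KEY from a "key = value" style config file.
conf_get() {  # usage: conf_get FILE KEY
    awk -v k="$2" '
        index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == k) { print val; exit }
        }' "$1"
}

# Exit status: 0 = looks usable on this host, 1 = findings, 2 = file missing.
check_default_conf() {  # usage: check_default_conf FILE THIS_HOST_FQDN
    cdc_rc=0
    if [ ! -r "$1" ]; then
        echo "missing: $1 (no ldap_uri for ipactl to bind with)"
        return 2
    fi
    if [ -z "$(conf_get "$1" ldap_uri)" ]; then
        echo "no ldap_uri set in $1"; cdc_rc=1
    fi
    if [ "$(conf_get "$1" host)" != "$2" ]; then
        echo "host is '$(conf_get "$1" host)', expected '$2'"; cdc_rc=1
    fi
    case $(conf_get "$1" xmlrpc_uri) in
        *"//$2/"*) ;;
        *) echo "xmlrpc_uri does not point at $2"; cdc_rc=1 ;;
    esac
    return "$cdc_rc"
}

# True when the install log shows the embedded client install rolling back.
client_install_failed() {  # usage: client_install_failed LOGFILE
    grep -qF 'args=/usr/sbin/ipa-client-install' "$1" &&
        grep -qF 'Installation failed. Rolling back changes.' "$1"
}

# The bind test from Martin's message, with the URI read from the config file.
external_bind_test() {  # usage: external_bind_test FILE BASEDN
    ldapsearch -Y EXTERNAL -H "$(conf_get "$1" ldap_uri)" \
        -b "cn=masters,cn=ipa,cn=etc,$2"
}

demo() {
    d=$(mktemp -d) || return 1
    # Constructed sample: a default.conf copied from the master, unedited.
    cat > "$d/default.conf" <<'EOF'
[global]
host = master.example.test
xmlrpc_uri = https://master.example.test/ipa/xml
ldap_uri = ldapi://%2fvar%2frun%2fslapd-EXAMPLE-TEST.socket
EOF
    # Constructed log lines using the two markers seen in the thread's log.
    cat > "$d/ipareplica-install.log" <<'EOF'
2013-01-01T00:00:00Z DEBUG args=/usr/sbin/ipa-client-install --on-master --unattended
2013-01-01T00:00:00Z DEBUG stdout=Discovery was successful!
Installation failed. Rolling back changes.
EOF
    check_default_conf "$d/absent.conf" replica.example.test || echo "-> status $?"
    check_default_conf "$d/default.conf" replica.example.test || echo "-> status $?"
    sed 's/master\.example\.test/replica.example.test/' "$d/default.conf" > "$d/fixed.conf"
    check_default_conf "$d/fixed.conf" replica.example.test && echo "fixed.conf: ok"
    if client_install_failed "$d/ipareplica-install.log"; then
        echo "install log: ipa-client-install rolled back"
    fi
    rm -rf "$d"
}
demo
```

On a real replica, `check_default_conf /etc/ipa/default.conf "$(hostname -f)"` followed by `external_bind_test` with the deployment's base DN reproduces the manual checks from the thread.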
Re: [Freeipa-users] Unable to start replica server after setting up replication
On Wed, Jan 30, 2013 at 12:02:30PM -0500, free...@stormcloud9.net wrote:
On 2013/30/01 11:59, Dmitri Pal wrote:
On 01/30/2013 11:43 AM, free...@stormcloud9.net wrote:
On 2013/30/01 09:37, Martin Kosek wrote:
On 01/30/2013 03:22 PM, free...@stormcloud9.net wrote:
On 2013/30/01 09:19, Martin Kosek wrote:
On 01/30/2013 03:16 PM, Patrick Hemmer wrote:
On 2013/30/01 03:33, Martin Kosek wrote:
On 01/30/2013 02:05 AM, free...@stormcloud9.net wrote:
On 01/29/2013 07:49 PM, Dmitri Pal wrote:
On 01/29/2013 07:26 PM, free...@stormcloud9.net wrote:

Using ipa-server 2.2.0-17 on Amazon linux (RHEL6 clone), and after using the `ipa-replica-install` script to configure the replica server, the service will not start. Whenever I try it throws SASL(-4): no mechanism available during start. Any ideas?

Full output:

    # /etc/init.d/ipa start
    Starting Directory Service
    Starting dirsrv:
    CLIFF-CLOUDBURRITO-COM... [ OK ]
    PKI-IPA... [ OK ]
    Failed to read data from Directory Service: Unknown error when retrieving list of services from LDAP: {'info': 'SASL(-4): no mechanism available: ', 'desc': 'Unknown authentication method'}
    Shutting down
    Shutting down dirsrv:
    CLIFF-CLOUDBURRITO-COM... [ OK ]
    PKI-IPA... [ OK ]

Sounds like DS did not start under the CA. Please check the DS logs in the PKI instance.

ns-slapd appears to be starting fine. I can even start it manually, but `ipactl status` still shows the error:

Below is the result of me starting it manually (directly running ns-slapd):

    # ps ax|grep slapd
    15540 ? Sl 0:00 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-PKI-IPA -i /var/run/dirsrv/slapd-PKI-IPA.pid -w /var/run/dirsrv/slapd-PKI-IPA.startpid
    15586 ? Sl 0:00 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-CLIFF-CLOUDBURRITO-COM -i /var/run/dirsrv/slapd-CLIFF-CLOUDBURRITO-COM.pid -w /var/run/dirsrv/slapd-CLIFF-CLOUDBURRITO-COM.startpid
    # netstat -tpnl | grep slapd
    tcp 0 0 :::636 :::* LISTEN 15586/ns-slapd
    tcp 0 0 :::7389 :::* LISTEN 15540/ns-slapd
    tcp 0 0 :::7390 :::* LISTEN 15540/ns-slapd
    tcp 0 0 :::389 :::* LISTEN 15586/ns-slapd
    # ipactl status
    Directory Service: RUNNING
    Unknown error when retrieving list of services from LDAP: {'info': 'SASL(-4): no mechanism available: ', 'desc': 'Unknown authentication method'}

Hello,

OK, it seems that ipactl could not bind to your Directory Server. This script uses a ldap_uri configuration option value from /etc/ipa/default.conf to connect to Directory Server via EXTERNAL auth. You can verify yourself if that bind works or not with the following ldapsearch (just replace $LDAP_URI_VALUE with your setting):

    # ldapsearch -Y EXTERNAL -H $LDAP_URI_VALUE -b cn=masters,cn=ipa,cn=etc,dc=cliff,dc=cloudburrito,dc=com

I assume it will report the same error as ipactl. We need to verify that the referred LDAP URI is indeed right and functional.

Martin

The system had no /etc/ipa/default.conf

I copied the one from the master server, changed the `host=` and `xmlrpc_uri=` parameters to reflect the replica server, and now `ipactl status`, along with everything else, is working perfectly.

Should that file have been created during the `ipa-replica-install` process? I don't see anything in the documentation about having to copy and edit it manually.

Thanks

-Patrick

Yeah, this should have been created during ipa-replica-install. Can you please check /var/log/ipareplica-install.log and check if ipa-client-install (which is run as part of ipa-replica-install) succeeded? I have a suspicion you hit a bug I was fixing recently.

Martin

No, the client install failed:

    2013-01-29T23:24:05Z DEBUG stderr=
    2013-01-29T23:24:05Z DEBUG Restarting the web server
    2013-01-29T23:24:06Z DEBUG args=/sbin/service httpd restart
    2013-01-29T23:24:06Z DEBUG stdout=Stopping httpd: [ OK ]
    Starting httpd:[ OK ]
    2013-01-29T23:24:06Z DEBUG stderr=
    2013-01-29T23:24:20Z DEBUG args=/usr/sbin/ipa-client-install --on-master --unattended --domain cliff.cloudburrito.com --server i-d26b7f8b.ipa-server.us-west-1.cliff.cloudburrito.com --realm CLIFF.CLOUDBURRITO.COM
    2013-01-29T23:24:20Z DEBUG stdout=Discovery was successful!
    Hostname: i-d26b7f8b.ipa-server.us-west-1.cliff.cloudburrito.com
    Realm: CLIFF.CLOUDBURRITO.COM
    DNS Domain: cliff.cloudburrito.com
    IPA Server:
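The two checks raised in the message above (does /etc/ipa/default.conf exist and carry an ldap_uri, and did ipa-client-install fail inside ipa-replica-install), combined into one triage script. This is an added example, not code from the thread or from FreeIPA; the function names, the sample log lines and the socket name are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): triage for a replica whose
# ipactl fails with "SASL(-4): no mechanism available".

# Print ldap_uri from an IPA default.conf; returns 2 if the file is missing,
# 1 if it has no ldap_uri key.
get_ldap_uri() {
    [ -f "$1" ] || return 2
    uri=$(sed -n 's/^[[:space:]]*ldap_uri[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    [ -n "$uri" ] || return 1
    printf '%s\n' "$uri"
}

# Succeed only if the installer log shows ipa-client-install being run and
# "Installation failed" in its output, before the next logged command.
client_install_failed() {
    [ -f "$1" ] || return 1
    awk '/DEBUG args=/ { in_client = ($0 ~ /ipa-client-install/); next }
         in_client && /Installation failed/ { failed = 1 }
         END { exit (failed ? 0 : 1) }' "$1"
}

# One-line verdict. $1 = default.conf path, $2 = ipareplica-install.log path.
triage() {
    rc=0
    uri=$(get_ldap_uri "$1") || rc=$?
    case $rc in
        0) echo "ok: ldap_uri=$uri" ;;
        1) echo "broken: no ldap_uri in $1" ;;
        *) if client_install_failed "$2"; then
               echo "missing: $1 absent and ipa-client-install failed"
           else
               echo "missing: $1 absent, no client-install failure in log"
           fi ;;
    esac
}

# Constructed sample data; the socket name is a placeholder.
demo_dir=$(mktemp -d)
cat > "$demo_dir/install.log" <<'EOF'
2013-01-29T23:24:06Z DEBUG args=/sbin/service httpd restart
2013-01-29T23:24:06Z DEBUG stdout=Stopping httpd: [ OK ]
2013-01-29T23:24:20Z DEBUG args=/usr/sbin/ipa-client-install --on-master --unattended
2013-01-29T23:24:20Z DEBUG stdout=Discovery was successful!
Installation failed. Rolling back changes.
EOF
printf '[global]\nldap_uri = ldapi://%%2fvar%%2frun%%2fslapd-EXAMPLE-TEST.socket\n' > "$demo_dir/default.conf"

triage "$demo_dir/no-such-default.conf" "$demo_dir/install.log"
triage "$demo_dir/default.conf" "$demo_dir/install.log"
```

On a replica, call `triage /etc/ipa/default.conf /var/log/ipareplica-install.log`; an "ok" verdict yields the URI to pass to the `ldapsearch -Y EXTERNAL -H` check quoted in the thread.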
Re: [Freeipa-users] Unable to start replica server after setting up replication
On 01/29/2013 07:26 PM, free...@stormcloud9.net wrote:

Using ipa-server 2.2.0-17 on Amazon linux (RHEL6 clone), and after using the `ipa-replica-install` script to configure the replica server, the service will not start. Whenever I try it throws SASL(-4): no mechanism available during start. Any ideas?

Full output:

    # /etc/init.d/ipa start
    Starting Directory Service
    Starting dirsrv:
    CLIFF-CLOUDBURRITO-COM... [ OK ]
    PKI-IPA... [ OK ]
    Failed to read data from Directory Service: Unknown error when retrieving list of services from LDAP: {'info': 'SASL(-4): no mechanism available: ', 'desc': 'Unknown authentication method'}
    Shutting down
    Shutting down dirsrv:
    CLIFF-CLOUDBURRITO-COM... [ OK ]
    PKI-IPA... [ OK ]

Sounds like DS did not start under the CA. Please check the DS logs in the PKI instance.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
Re: [Freeipa-users] Unable to start replica server after setting up replication
On 01/29/2013 07:49 PM, Dmitri Pal wrote:
On 01/29/2013 07:26 PM, free...@stormcloud9.net wrote:

Using ipa-server 2.2.0-17 on Amazon linux (RHEL6 clone), and after using the `ipa-replica-install` script to configure the replica server, the service will not start. Whenever I try it throws SASL(-4): no mechanism available during start. Any ideas?

Full output:

    # /etc/init.d/ipa start
    Starting Directory Service
    Starting dirsrv:
    CLIFF-CLOUDBURRITO-COM... [ OK ]
    PKI-IPA... [ OK ]
    Failed to read data from Directory Service: Unknown error when retrieving list of services from LDAP: {'info': 'SASL(-4): no mechanism available: ', 'desc': 'Unknown authentication method'}
    Shutting down
    Shutting down dirsrv:
    CLIFF-CLOUDBURRITO-COM... [ OK ]
    PKI-IPA... [ OK ]

Sounds like DS did not start under the CA. Please check the DS logs in the PKI instance.

ns-slapd appears to be starting fine. I can even start it manually, but `ipactl status` still shows the error:

Below is the result of me starting it manually (directly running ns-slapd):

    # ps ax|grep slapd
    15540 ? Sl 0:00 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-PKI-IPA -i /var/run/dirsrv/slapd-PKI-IPA.pid -w /var/run/dirsrv/slapd-PKI-IPA.startpid
    15586 ? Sl 0:00 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-CLIFF-CLOUDBURRITO-COM -i /var/run/dirsrv/slapd-CLIFF-CLOUDBURRITO-COM.pid -w /var/run/dirsrv/slapd-CLIFF-CLOUDBURRITO-COM.startpid
    # netstat -tpnl | grep slapd
    tcp 0 0 :::636 :::* LISTEN 15586/ns-slapd
    tcp 0 0 :::7389 :::* LISTEN 15540/ns-slapd
    tcp 0 0 :::7390 :::* LISTEN 15540/ns-slapd
    tcp 0 0 :::389 :::* LISTEN 15586/ns-slapd
    # ipactl status
    Directory Service: RUNNING
    Unknown error when retrieving list of services from LDAP: {'info': 'SASL(-4): no mechanism available: ', 'desc': 'Unknown authentication method'}