Package: bind9-dyndb-ldap
Version: 6.0-4
Severity: important

Dear Maintainer,

I have bind in a freeipa setup with 389 directory server as backend. Everything worked fine until yesterday's restart of the whole server, after which bind can't see the contents of the LDAP zones any more. The configuration hasn't changed, so I suspect some of the updates that came in after the last restart (must have happened before 11-1). The bind log contains these entries:

  named[18922]: LDAP instance 'ipa' is being synchronized, please ignore message 'all zones loaded'
  reloading configuration succeeded
  any newly configured zones are now loaded
  LDAP error: Server is unwilling to perform: Too many active synchronization sessions: unable to start SyncRepl session
  ldap_syncrepl will reconnect in 60 seconds
  received control channel command 'reconfig'
  ldap_sync_prepare() failed, retrying in 1 second: shutting down
  ...
The LDAP server error log is empty, but the access log shows there is some problem with the search operation:

  conn=39352 fd=110 slot=110 connection from local to /var/run/slapd-REALM.socket
  conn=39352 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
  conn=39352 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
  conn=39352 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
  conn=39352 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
  conn=39352 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
  conn=39352 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=dns/hostname@domain,cn=services,cn=accounts,dc=domain,dc=xx"
  conn=39351 op=3 SRCH base="cn=dns,dc=domain,dc=xx" scope=2 filter="(|(objectClass=idnsConfigObject)(objectClass=idnsZone)(objectClass=idnsForwardZone)(objectClass=idnsRecord))" attrs=AL
  conn=39351 op=4 UNBIND
  conn=39351 op=4 fd=108 closed - U1
  conn=39351 op=3 RESULT err=53 tag=101 nentries=0 etime=0

If I try to use ldapsearch with the same parameters (kinit -k -t /etc/bind/named.keytab DNS/hostname and then ldapsearch -Y GSSAPI) I get the correct result and the LDAP log contains:

  conn=39404 op=3 RESULT err=0 tag=101 nentries=85 etime=0

So it seems bind sets some connection or search parameters that cause the problem when querying LDAP. I've tried to increase bind log verbosity, but it didn't help, as it seems it doesn't affect this plugin. Bind config is set as:

  dynamic-db "ipa" {
      library "ldap.so";
      arg "uri ldapi://%2fvar%2frun%2fslapd-REALM.socket";
      arg "base cn=dns, dc=domain,dc=xx";
      arg "fake_mname hostname.";
      arg "auth_method sasl";
      arg "sasl_mech GSSAPI";
      arg "sasl_user DNS/hostname";
      arg "serial_autoincrement yes";
  };

If there is a way I could help debugging the problem, I can add more information here.
-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (650, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.2.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=cs_CZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages bind9-dyndb-ldap depends on:
ii  bind9          1:9.9.5.dfsg-12+b1
ii  libc6          2.19-22
ii  libdns100      1:9.9.5.dfsg-12+b1
ii  libkrb5-3      1.13.2+dfsg-4
ii  libldap-2.4-2  2.4.42+dfsg-2

bind9-dyndb-ldap recommends no packages.

bind9-dyndb-ldap suggests no packages.

-- no debconf information
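Added example, not part of the bug report or of bind9-dyndb-ldap: a small Python check that correlates 389-ds access-log SRCH requests with their RESULT lines by the (conn, op) pair and flags searches that finish with a non-zero result code, which is the matching the reporter had to do by eye to spot err=53 on conn=39351 (its RESULT line is logged after the op=4 UNBIND). The log lines are constructed from the excerpt in the report.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the 389-ds access-log excerpt in the report:
# the bind search on conn=39351 fails with err=53, a manual ldapsearch on
# conn=39404 succeeds with 85 entries. Note the op=3 RESULT arrives after op=4.
SAMPLE_LOG = """\
conn=39352 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
conn=39352 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
conn=39352 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=dns/hostname@domain,cn=services,cn=accounts,dc=domain,dc=xx"
conn=39351 op=3 SRCH base="cn=dns,dc=domain,dc=xx" scope=2 filter="(|(objectClass=idnsConfigObject)(objectClass=idnsZone)(objectClass=idnsForwardZone)(objectClass=idnsRecord))" attrs=ALL
conn=39351 op=4 UNBIND
conn=39351 op=4 fd=108 closed - U1
conn=39351 op=3 RESULT err=53 tag=101 nentries=0 etime=0
conn=39404 op=3 SRCH base="cn=dns,dc=domain,dc=xx" scope=2 filter="(objectClass=idnsZone)" attrs=ALL
conn=39404 op=3 RESULT err=0 tag=101 nentries=85 etime=0
"""

# LDAP result codes that appear in the excerpt (RFC 4511 names).
RESULT_NAMES = {0: "success", 14: "saslBindInProgress", 53: "unwillingToPerform"}

LINE_RE = re.compile(r"^conn=(\d+) op=(\d+) (\w+)(.*)$")
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')   # key=value or key="quoted value"

def parse_access_log(text):
    """Map (conn, op) -> SRCH request fields merged with its RESULT err/nentries."""
    ops = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, op, kind, rest = m.groups()
        key = (int(conn), int(op))
        # Quoted values keep their inner text; bare values are taken as-is.
        fields = {k: (q if v.startswith('"') else v) for k, v, q in KV_RE.findall(rest)}
        if kind == "SRCH":
            ops[key].update(fields)
            ops[key]["kind"] = kind
        elif kind == "RESULT":  # matched to its request by (conn, op), not by log order
            ops[key]["err"] = int(fields["err"])
            ops[key]["nentries"] = int(fields["nentries"])
    return dict(ops)

def failed_searches(text):
    """(conn, op, err, name, base, filter) for every SRCH whose RESULT is non-zero."""
    return [(c, o, r["err"], RESULT_NAMES.get(r["err"], "unknown"), r.get("base"), r.get("filter"))
            for (c, o), r in sorted(parse_access_log(text).items())
            if r.get("kind") == "SRCH" and r.get("err", 0) != 0]
```

Running failed_searches over the access log of a live server (sys.stdin.read(), for instance) lists exactly the searches to compare against the working ldapsearch, together with the base and filter the plugin sent.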