[Freeipa-users] Re: Failed to read service file. Hostname does not match any master server in LDAP
pgb205 via FreeIPA-users wrote:
> I have also checked on the neighboring replica and can see the broken server in
>
> ldapsearch -b "cn=masters, cn=ipa, cn=etc, dc=domain,dc=local" -D cn="directory manager" -w "(objectclass=ipaReplTopoManagedServer)"
>
> output.
>
> so other servers are not losing the information. Just somehow broken replica loses its own hostname in this list.

You might want to dig through the access log on that master to look for any changes to cn=masters.

You might also consider enabling the audit log to get more details if you find this but note that this logs EVERYTHING (including password changes) so be very careful with this log.

I don't think entries will disappear on their own. Why an entry can disappear on only one box is a bit of a mystery though.

rob

> From: Rob Crittenden
> To: pgb205 ; FreeIPA users list
> Sent: Thursday, December 28, 2017 2:26 PM
> Subject: Re: [Freeipa-users] Failed to read service file. Hostname does not match any master server in LDAP
>
> pgb205 via FreeIPA-users wrote:
>> Hello everyone.
>>
>> Periodically and seemingly at random our replicas crash with the above error. Dirsrv shows as stopped and restarting doesn't help.
>> Someone suggested earlier that this is due to problems with topology plugin but I don't think that's the cause as we are still on domainlevel=0.
>>
>> I'm not sure if it's a problem with 389ds or with some other part of freeipa. The only other clue I can think of is that often we see inconsistencies between replicas, i.e. a user that is supposed to be present everywhere goes missing on just one of the many replicas.
>>
>> I'm quite at a loss on how to troubleshoot this further. I hope that someone can assist.
>>
>> ipactl start
>> Starting Directory Service
>> Failed to read data from service file: Failed to get list of services to probe status!
>> Configured hostname 'server.pop.domain.local' does not match any master server in LDAP:
>> No master found because of error: no such entry
>> Shutting down
>
> This isn't exactly a crash. In what context are you restarting it?
>
> You said it is intermittent, does it ever start working again on its own?
>
> Is this the correct hostname?
>
> IPA uses the hostname to look in LDAP for the list of enabled services on a given host to know what to start.
>
> rob
>
>> cat errors
>> [26/Dec/2017:21:15:56.234793153 +] SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password.
>> [26/Dec/2017:21:15:56.236060353 +] SSL alert: Security Initialization: Enabling default cipher set.
>> [26/Dec/2017:21:15:56.236362922 +] SSL alert: Configured NSS Ciphers
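Rob's suggestion is to search the access log on that master for changes to cn=masters. The script below is an added example, not code from the thread or from FreeIPA: it walks a 389-ds access log, ties every ADD/MOD/MODRDN/DEL under the masters container to the identity bound on that connection (simple bind dn, or the mapped dn that a SASL/GSSAPI bind reports on its RESULT line) and the peer address, and returns the result code. The log lines embedded in it are constructed for the example; the suffix dc=domain,dc=local is the one the thread uses.

```python
"""Scan a 389-ds access log for write operations under cn=masters and attribute them."""
import re

MASTERS_DN = "cn=masters,cn=ipa,cn=etc,dc=domain,dc=local"   # suffix used in the thread

# Constructed sample, not a real log: a GSSAPI-bound replica only binds, then a Directory
# Manager session from an unexpected address deletes one master entry and edits a user.
SAMPLE_ACCESS_LOG = """\
[02/Jan/2018:10:15:01.000000000 +0000] conn=17 fd=64 slot=64 connection from 10.1.2.3 to 10.1.2.1
[02/Jan/2018:10:15:01.001000000 +0000] conn=17 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[02/Jan/2018:10:15:01.003000000 +0000] conn=17 op=0 RESULT err=0 tag=97 nentries=0 etime=0.002 dn="krbprincipalname=ldap/replica2.pop.domain.local@DOMAIN.LOCAL,cn=services,cn=accounts,dc=domain,dc=local"
[02/Jan/2018:10:15:02.000000000 +0000] conn=18 fd=65 slot=65 connection from 10.9.9.9 to 10.1.2.1
[02/Jan/2018:10:15:02.001000000 +0000] conn=18 op=0 BIND dn="cn=directory manager" method=128 version=3
[02/Jan/2018:10:15:02.002000000 +0000] conn=18 op=0 RESULT err=0 tag=97 nentries=0 etime=0.001 dn="cn=directory manager"
[02/Jan/2018:10:15:02.100000000 +0000] conn=18 op=1 DEL dn="cn=server.pop.domain.local,cn=masters,cn=ipa,cn=etc,dc=domain,dc=local"
[02/Jan/2018:10:15:02.110000000 +0000] conn=18 op=1 RESULT err=0 tag=107 nentries=0 etime=0.010
[02/Jan/2018:10:15:03.000000000 +0000] conn=18 op=2 MOD dn="uid=alice,cn=users,cn=accounts,dc=domain,dc=local"
[02/Jan/2018:10:15:03.001000000 +0000] conn=18 op=2 RESULT err=0 tag=103 nentries=0 etime=0.001
"""

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) '
    r'(?:fd=\d+ slot=\d+ (?:SSL )?connection from (?P<src>\S+)'
    r'|op=(?P<op>\d+) (?P<kind>BIND|RESULT|ADD|MODRDN|MOD|DEL)(?P<rest>.*))')
DN_RE = re.compile(r'dn="([^"]*)"')

def find_masters_changes(log_text, masters_dn=MASTERS_DN):
    """Return each write op on masters_dn or below it: time, op, dn, bound identity, peer, err."""
    conns, bind_ops, pending, changes = {}, set(), {}, []
    base = masters_dn.lower()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                  # UNBIND, closed, SRCH, ... not needed here
        conn = m.group("conn")
        if m.group("src"):                            # new connection: remember the peer address
            conns[conn] = {"src": m.group("src"), "bind": "(anonymous)"}
            continue
        info = conns.setdefault(conn, {"src": "?", "bind": "(anonymous)"})
        key, kind, rest = (conn, m.group("op")), m.group("kind"), m.group("rest")
        dn_m = DN_RE.search(rest)
        dn = dn_m.group(1) if dn_m else ""
        if kind == "BIND":
            if dn:
                info["bind"] = dn                     # simple bind names the identity up front
            bind_ops.add(key)
        elif kind == "RESULT":
            if key in bind_ops:
                bind_ops.discard(key)
                if dn:
                    info["bind"] = dn                 # SASL/GSSAPI binds report the mapped dn here
            elif key in pending:
                change = pending.pop(key)
                err = re.search(r"err=(\d+)", rest)
                change["err"] = int(err.group(1)) if err else None
                changes.append(change)
        elif kind in ("ADD", "MOD", "MODRDN", "DEL") and (dn.lower() == base or dn.lower().endswith("," + base)):
            pending[key] = {"time": m.group("ts"), "op": kind, "dn": dn, "by": info["bind"], "from": info["src"]}
    return changes
```

On a real server call find_masters_changes(open(path).read()) with the instance's /var/log/dirsrv/slapd-INSTANCE/access file; a DEL or MODRDN of the replica's own entry under cn=masters, together with who performed it, is what Rob is asking pgb205 to look for.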
[Freeipa-users] Re: Failed to read service file. Hostname does not match any master server in LDAP
I have also checked on the neighboring replica and can see the broken server in

ldapsearch -b "cn=masters, cn=ipa, cn=etc, dc=domain,dc=local" -D cn="directory manager" -w "(objectclass=ipaReplTopoManagedServer)"

output.

so other servers are not losing the information. Just somehow broken replica loses its own hostname in this list.

From: Rob Crittenden
To: pgb205 ; FreeIPA users list
Sent: Thursday, December 28, 2017 2:26 PM
Subject: Re: [Freeipa-users] Failed to read service file. Hostname does not match any master server in LDAP

pgb205 via FreeIPA-users wrote:
> Hello everyone.
>
> Periodically and seemingly at random our replicas crash with the above error. Dirsrv shows as stopped and restarting doesn't help.
> Someone suggested earlier that this is due to problems with topology plugin but I don't think that's the cause as we are still on domainlevel=0.
>
> I'm not sure if it's a problem with 389ds or with some other part of freeipa. The only other clue I can think of is that often we see inconsistencies between replicas, i.e. a user that is supposed to be present everywhere goes missing on just one of the many replicas.
>
> I'm quite at a loss on how to troubleshoot this further. I hope that someone can assist.
>
> ipactl start
> Starting Directory Service
> Failed to read data from service file: Failed to get list of services to probe status!
> Configured hostname 'server.pop.domain.local' does not match any master server in LDAP:
> No master found because of error: no such entry
> Shutting down

This isn't exactly a crash. In what context are you restarting it?

You said it is intermittent, does it ever start working again on its own?

Is this the correct hostname?

IPA uses the hostname to look in LDAP for the list of enabled services on a given host to know what to start.

rob

> cat errors
> [26/Dec/2017:21:15:56.234793153 +] SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password.
> [26/Dec/2017:21:15:56.236060353 +] SSL alert: Security Initialization: Enabling default cipher set.
> [26/Dec/2017:21:15:56.236362922 +] SSL alert: Configured NSS Ciphers
[Freeipa-users] Re: Failed to read service file. Hostname does not match any master server in LDAP
as far as hostname it's there on both failed replica with hostname -f command but also on the replica that it's connected to. on the neighbor replica I can ping failed replica by fqdn and it shows up in ipa-replica-manage list

From: Rob Crittenden
To: pgb205 ; FreeIPA users list
Sent: Tuesday, January 2, 2018 11:43 AM
Subject: Re: [Freeipa-users] Failed to read service file. Hostname does not match any master server in LDAP

pgb205 wrote:
> We have a number of servers in different pops. When I say intermittent I mean it doesn't just happen on the same server again and again but rather on random servers each time. There is no pattern as far as which pop or time of day etc.
>
> I do ipactl status and see that dirsrv is STOPPED. ipactl restart doesn't help, I just get the below error message that ipa can't start without 389ds and to check journalctl.
>
> No matter what I've tried I never managed to fix the problem properly. I just blow the replica out and reinstall.
>
> I've sanitized the file. The servers are actually named something completely different than what's in logs below.
>
> thank you and please let me know what other steps I should try.

Like I said, this will blow up if the hostname is an unknown master so I'd start there. Check the list of masters and ensure the host is there (hostname -f)

If dirsrv is stopped you should look for a core or some indication of why it is stopped.

rob

> From: Rob Crittenden
> To: pgb205 ; FreeIPA users list
> Sent: Thursday, December 28, 2017 2:26 PM
> Subject: Re: [Freeipa-users] Failed to read service file. Hostname does not match any master server in LDAP
>
> pgb205 via FreeIPA-users wrote:
>> Hello everyone.
>>
>> Periodically and seemingly at random our replicas crash with the above error. Dirsrv shows as stopped and restarting doesn't help.
>> Someone suggested earlier that this is due to problems with topology plugin but I don't think that's the cause as we are still on domainlevel=0.
>>
>> I'm not sure if it's a problem with 389ds or with some other part of freeipa. The only other clue I can think of is that often we see inconsistencies between replicas, i.e. a user that is supposed to be present everywhere goes missing on just one of the many replicas.
>>
>> I'm quite at a loss on how to troubleshoot this further. I hope that someone can assist.
>>
>> ipactl start
>> Starting Directory Service
>> Failed to read data from service file: Failed to get list of services to probe status!
>> Configured hostname 'server.pop.domain.local' does not match any master server in LDAP:
>> No master found because of error: no such entry
>> Shutting down
>
> This isn't exactly a crash. In what context are you restarting it?
>
> You said it is intermittent, does it ever start working again on its own?
>
> Is this the correct hostname?
>
> IPA uses the hostname to look in LDAP for the list of enabled services on a given host to know what to start.
>
> rob
>
>> cat errors
>> [26/Dec/2017:21:15:56.234793153 +] SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password.
>> [26/Dec/2017:21:15:56.236060353 +] SSL alert: Security Initialization: Enabling default cipher set.
>> [26/Dec/2017:21:15:56.236362922 +] SSL alert: Configured NSS Ciphers
[Freeipa-users] Re: AD Trust
On Wed, 03 Jan 2018, Sumit Bose via FreeIPA-users wrote:
> On Wed, Jan 03, 2018 at 07:56:57PM +0700, Николай Савельев via FreeIPA-users wrote:
>> I have ipa domain with AD trust.
>> id ad_users@ad_domain works.
>> su ad_users@ad_domain works.
>> kinit ad_users@ad_domain doesn't work in ubuntu but works in centos 7. What? /etc/krb5.conf is the same.
>> ipa servers work on centos 7. Ipa client work on ubuntu 14.04 or 16.04.
>> I also can't get access from AD member Windows to SAMBA shares on Linux IPA members. What can I do?
>>
>> Oh, I forgot to say about error! For kinit AD user I get:
>> kinit: KDC reply did not match expectations while getting initial credentials
>
> Then using 'kinit -C ...' or 'canonicalize = true' in krb5.conf should help.

A bit of caution: Ubuntu may use Heimdal and their parser for krb5.conf does not know about the 'canonicalize' option at all, so you'd always have to use 'kinit --canonicalize' when running with Heimdal.

--
/ Alexander Bokovoy
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
[Freeipa-users] Re: debian 8 freeipa-client
Doesn't really address the core issue, but wanted to chime in that we ended up having to manually configure our Debian 8 instances to work with our RHEL IPA servers. We use ansible to automate the entire process; the playbook contents below should be descriptive enough to know what is being done. We got the config files from other RHEL IPA clients and tweaked as necessary for platform differences (PAM was kinda tricky):

- name: apt - update base image
  apt: upgrade=dist update_cache=yes

- name: apt - install packages
  apt: name={{ item }} update_cache=yes state=latest
  with_items:
    - curl
    - krb5-user
    - libpam-ccreds
    - libpam-krb5
    - libselinux1
    - ntpdate
    - openssl
    - policycoreutils
    - sssd

- name: ntp - run ntpdate
  action: command ntpdate 10.xxx.xxx.123

- name: kerberos - add krb5.keytab
  copy: src=krb5.keytab.production dest=/etc/krb5.keytab owner=root group=root mode=0600
  notify: sssd_restart

- name: sssd - add sssd.conf
  copy: src=sssd.conf dest=/etc/sssd/sssd.conf owner=root group=root mode=0600
  notify: sssd_restart

- name: kerberos - create config directory
  file: path=/etc/krb5.conf.d state=directory mode=0755
  notify: sssd_restart

- name: kerberos - create ipa directory
  file: path=/etc/ipa state=directory mode=0755
  notify: sssd_restart

- name: kerberos - add ca.crt
  # the CA certificate is public; 0644 is the usual mode when non-root tools (ldapsearch, curl) must verify against it
  copy: src=ca.crt-production dest=/etc/ipa/ca.crt owner=root group=root mode=0600
  notify: sssd_restart

- name: kerberos - add krb5.conf
  copy: src=krb5.conf dest=/etc/krb5.conf owner=root group=root mode=0644
  notify: sssd_restart

- name: systemd - enable and start sssd
  service: name=sssd state=started enabled=yes

- name: pam - add modified config files
  copy: src={{ item }} dest=/etc/pam.d/{{ item }} owner=root group=root mode=0644
  with_items:
    - common-account
    - common-auth
    - common-password
    - common-session

- name: ssh - add sshd_config
  copy: src=sshd_config dest=/etc/ssh/sshd_config owner=root group=root mode=0644
  notify: ssh_restart

- name: sudo - add sudoers-custom
  # sudo expects 0440 on files in sudoers.d and complains "is mode 0644, should be 0440" otherwise
  copy: src=sudoers-custom dest=/etc/sudoers.d/sudoers-custom owner=root group=root mode=0440

On 01/02/2018 04:03 AM, Florence Blanc-Renaud via FreeIPA-users wrote:
> On 12/21/2017 01:49 PM, Andrew Radygin via FreeIPA-users wrote:
>> Hello!
>> I have freeipa server 4.5 on Centos 7. And want to enroll host on Debian 8 to domain.
>> I've found freeipa-client 4.4 in the sid repo, installing it was almost successful... apt-get cannot complete configuring for certmonger, and I've got following error:
>> ==
>> # journalctl -u certmonger
>> -- Logs begin at Thu 2017-07-20 18:27:15 MSK, end at Thu 2017-12-21 15:39:01 MSK. --
>> Dec 21 13:25:36 HOSTNAME systemd[1]: Starting Certificate monitoring and PKI enrollment...
>> Dec 21 13:25:36 HOSTNAME certmonger[18411]: 2017-12-21 13:25:36 [18411] Unable to set well-known bus name "org.fedorahosted.certmonger": Connection ":1.4" is not allowed to own the service "org.fedora
>> Dec 21 13:25:36 HOSTNAME certmonger[18411]: Error connecting to D-Bus.
>> Dec 21 13:25:36 HOSTNAME systemd[1]: certmonger.service: main process exited, code=exited, status=1/FAILURE
>> Dec 21 13:25:36 HOSTNAME systemd[1]: Failed to start Certificate monitoring and PKI enrollment.
>> Dec 21 13:25:36 HOSTNAME systemd[1]: Unit certmonger.service entered failed state.
>>
>> Does anyone know how to deal with it? Thanks!
>>
>> --
>> Best regards, Andrew.
>
> Hi,
>
> you are not the first one seeing this issue (see BZ 1504688 [1]) but it was not investigated because we were not able to reproduce. The config file for certmonger/dbus is stored in /etc/dbus-1/system.d/certmonger.conf, so I would start by checking that its content is OK.
>
> The bus name seems to be already owned by another process, you may try to restart the dbus service in case some internal data were not properly cleaned:
> sudo systemctl restart dbus
>
> Flo
>
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1504688
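Flo's first suggestion is to check the content of /etc/dbus-1/system.d/certmonger.conf. The script below is an added example, not from the thread or from the certmonger project: it evaluates a system-bus policy file the way dbus-daemon does (default, group, user, then mandatory policies, last matching own=/own_prefix= rule wins, no match means refusal) and answers whether a given user may own a bus name. The policy XML inside it is constructed in the shape of that file, and a file path is only read from the command line.

```python
"""Evaluate a D-Bus system-bus policy file: may a given user own a well-known bus name?"""
import sys
import xml.etree.ElementTree as ET

BUS_NAME = "org.fedorahosted.certmonger"

# Constructed policy in the shape of /etc/dbus-1/system.d/certmonger.conf (not the real file):
# root may own the name, everybody may send to it.
GOOD_POLICY = """<busconfig>
  <policy user="root">
    <allow own="org.fedorahosted.certmonger"/>
    <allow send_destination="org.fedorahosted.certmonger"/>
  </policy>
  <policy context="default">
    <allow send_destination="org.fedorahosted.certmonger"/>
  </policy>
</busconfig>
"""
# Same file with the own= rule missing: no policy grants ownership, so dbus-daemon answers
# "... is not allowed to own the service ..." when certmonger requests the name.
BROKEN_POLICY = GOOD_POLICY.replace('    <allow own="org.fedorahosted.certmonger"/>\n', "")


def _rank(policy):
    """dbus-daemon applies policies in this order; later ones override earlier ones."""
    a = policy.attrib
    if "user" in a:
        return 2
    if "group" in a:
        return 1
    return 3 if a.get("context") == "mandatory" else 0


def may_own(policy_xml, bus_name, user="root", groups=()):
    """Walk the <allow>/<deny> rules that apply to `user`; the last matching rule wins.
    Without any matching allow the answer is False, which is the bus default."""
    root = ET.fromstring(policy_xml)
    applicable = [p for p in root.iter("policy")
                  if p.get("context") in ("default", "mandatory")
                  or p.get("user") == user or p.get("group") in groups]
    decision = False
    for policy in sorted(applicable, key=_rank):        # stable sort keeps document order
        for rule in policy:
            if rule.tag not in ("allow", "deny"):
                continue
            own, prefix = rule.get("own"), rule.get("own_prefix")
            if own is not None:
                hit = own in ("*", bus_name)
            elif prefix is not None:                     # own_prefix covers the name and sub-names
                hit = bus_name == prefix or bus_name.startswith(prefix + ".")
            else:
                continue                                 # send_*/receive_* rules do not grant ownership
            if hit:
                decision = rule.tag == "allow"
    return decision


if __name__ == "__main__":
    # python3 check_own.py /etc/dbus-1/system.d/certmonger.conf [user]
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else GOOD_POLICY
    who = sys.argv[2] if len(sys.argv) > 2 else "root"
    print(f"{who} may own {BUS_NAME}: {may_own(xml_text, BUS_NAME, user=who)}")
```

If the real file says root may own the name and certmonger still fails, the denial is coming from another policy file in the same directory or from a stale daemon state, which is where Flo's second suggestion (restarting dbus) comes in.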
[Freeipa-users] Re: AD Trust
I have ipa domain with AD trust.
id ad_users@ad_domain works.
su ad_users@ad_domain works.
kinit ad_users@ad_domain doesn't work in ubuntu but works in centos 7. What? /etc/krb5.conf is the same.
ipa servers work on centos 7. Ipa client work on ubuntu 14.04 or 16.04.
I also can't get access from AD member Windows to SAMBA shares on Linux IPA members. What can I do?

Oh, I forgot to say about error! For kinit AD user I get:
kinit: KDC reply did not match expectations while getting initial credentials

My krb5.conf:

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = FS.LAN
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  dns_canonicalize_hostname = false
  forwardable = true
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  FS.LAN = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .fs.lan = FS.LAN
  fs.lan = FS.LAN

--
Regards, Николай.