Re: [Freeipa-users] dead in the water IPA server
On Mon, 2012-05-07 at 00:22 +, Steven Jones wrote:
> Interesting memory message, as attached.
>
> I take it it isn't good? Can't login, that is for sure, so whatever is
> behind the web GUI is dead if nothing else...

Nope, your machine ran out of memory and the directory server fell victim to the OOM-killer :-(

At this point you need to reboot the machine to recover but with some luck, the syslog should contain some hints of where the memory went.

--
David Juran
Sr. Consultant
Red Hat
+46-725-345801

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] dead in the water IPA server
Hi,

It seems that your system ate all the available memory and the kernel decided to kill a directory server instance to free some.

The kernel agent responsible for this is called the out-of-memory killer, you can read more about it and how to configure it not to kill important processes here:

http://lwn.net/Articles/317814/

--
Jan Cholasta
Re: [Freeipa-users] dead in the water IPA server
On 05/07/2012 02:55 PM, Steven Jones wrote:
> Hi,
>
> Yes, I have a memory leak, see attached graphs.
>
> Yes, looks like the killer killed slapd... don't know what caused this
> yet... if it's the killer, looks like it's decided to kill slapd or slapd
> was going to kill the system anyway so it may have done the right thing.
>
> Looks like I have 3 days between reboots, if I don't IPA loses the plot
> big time... very bad news.. I will I think slow IPA deployment here at
> this time... this can't be deployed for us as it is, I can't even test as
> if something doesn't work I don't know if it's my configuring error or an
> inconsistent IPA.
>
> :/
>
> Thanks for this info, I will pursue this through RH support for a perm
> fix, adding more memory doesn't strike me as the solution, 4GB of RAM for
> 3~4 users and about 6 client machines seems a lot.

Right. See https://fedorahosted.org/389/ticket/51 and especially all of the comments to https://bugzilla.redhat.com/show_bug.cgi?id=697701

You will need to closely monitor your entry cache usage.

> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
>
> From: Sigbjorn Lie [sigbj...@nixtra.com]
> Sent: Monday, 7 May 2012 9:45 p.m.
> To: Steven Jones
> Cc: Jan Cholasta; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] dead in the water IPA server
>
> This sounds very much the same as the issue I've been having. Did you
> check to see if it was the directory server that consumed all of your
> memory too?
>
> https://www.redhat.com/archives/freeipa-users/2012-April/msg00139.html
>
> Regards,
> Siggi
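The replies in this thread point at the syslog for evidence of the OOM kill. The following is an added example, not part of any poster's message: it pulls the OOM killer's victims out of syslog text so that repeated kills of the directory server stand out. The sample lines are constructed, and the "Killed process ... anon-rss" message layout is assumed (it differs between kernel versions).

```python
import re

# Constructed sample syslog lines in the layout used by the Linux OOM killer
# (host name, PIDs and sizes are made up for illustration).
SAMPLE_SYSLOG = """\
May  6 23:58:01 ipa01 kernel: ns-slapd invoked oom-killer: gfp_mask=0x201da, order=0, oom_adj=0, oom_score_adj=0
May  6 23:58:01 ipa01 kernel: Out of memory: Kill process 2211 (ns-slapd) score 871 or sacrifice child
May  6 23:58:01 ipa01 kernel: Killed process 2211 (ns-slapd) total-vm:5242880kB, anon-rss:3565158kB, file-rss:1024kB
May  7 00:10:44 ipa01 sshd[4102]: Accepted publickey for root from 192.0.2.10 port 50022 ssh2
May  9 23:41:17 ipa01 kernel: Out of memory: Kill process 9034 (ns-slapd) score 880 or sacrifice child
May  9 23:41:17 ipa01 kernel: Killed process 9034 (ns-slapd) total-vm:5300000kB, anon-rss:3600000kB, file-rss:900kB
"""

# Matches the final "Killed process" line; the optional ", UID n," part
# covers kernels that print the owner before the command name.
KILLED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+\S+\s+kernel:.*?"
    r"Killed process (?P<pid>\d+)(?:, UID \d+,)? \((?P<comm>[^)]+)\) "
    r"total-vm:\d+kB, anon-rss:(?P<rss>\d+)kB"
)

def oom_kills(log_text):
    """Return one dict per 'Killed process' line found in log_text."""
    events = []
    for line in log_text.splitlines():
        m = KILLED.search(line)
        if m:
            events.append({
                "time": m.group("ts"),
                "pid": int(m.group("pid")),
                "comm": m.group("comm"),
                "anon_rss_mb": int(m.group("rss")) // 1024,
            })
    return events

def victims(events):
    """Map process name -> (number of kills, largest anon RSS in MB)."""
    summary = {}
    for e in events:
        count, peak = summary.get(e["comm"], (0, 0))
        summary[e["comm"]] = (count + 1, max(peak, e["anon_rss_mb"]))
    return summary

if __name__ == "__main__":
    for name, (count, peak) in victims(oom_kills(SAMPLE_SYSLOG)).items():
        print(f"{name}: killed {count}x, peak anon RSS {peak} MB")
```
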
[Freeipa-users] No Dogtag certificate system installed on slave IPA servers installed
Hi,

I installed a master IPA server with dogtag certificate system installed; then use ipa-replica-prepare and ipa-replica-install to install two IPA replica servers.

The two replicas are installed and 'ipa-replica-manage' commands show that user/group data replication link is established between master and replicas.

But the problem is, although dogtag certificate system was installed on Master, it (the dogtag) is not installed onto replicas by default with ipa-replica commands, let alone the certificate replication.

Another finding is that all the master and replica servers don't have host certificates created automatically.

Is this normal and intended, or is there something wrong? I'm running ipa-server-2.1.3-9 on Red Hat 6.2.

Thanks.

--David
[Freeipa-users] Can I change new users' default group from 'ipausers' to some thing else?
Hi,

Can I change the default user group for new users to something else, and disable automatic creation of private groups?

Basically I migrate hundreds of Linux accounts from openldap to IPA, and those users have a default group 'exampleGroup' with GID 500. And it is company policy to have all users use the same container user group, and disable private groups.

So can I change the IPA policy to change the default user group from 'ipausers' to something else, to 'exampleGroup'? What's the immediate and potential effect of the adjustment?

Thanks.

--David
[Freeipa-users] Please help: Any way to turn off IPA creation of private user group?
Hi folks,

Is there any way to turn off IPA automatic creation of private user group? We use a common user group like ‘nis-wheel’, and completely disabled private groups in openldap before migration.

Thanks.

--David
[Freeipa-users] IPA replica server rebuilding failed with 'Invalid credentials' error.
I have an IPA replica server with disk problems, and then it is reimaged and rebuilt. But when the IPA replica function is rebuilt, it reports the following problem:

    [root@ipareplica02 ipa]# ipa-replica-install --no-ntp /var/lib/ipa/replica-info-ipareplica02.example.com.gpg
    ...
    [21/29]: setting up initial replication
    Starting replication, please wait until this has completed.
    [ipamaster.example.com] reports: Update failed! Status: [49 - LDAP error: Invalid credentials]
    ...

Before I ran the replica rebuilding step on IPA replica, I already ran 'ipa-replica-manage disconn ipareplica01.example.com' on IPA master, and deleted the host entry for ipareplica02 as well.

Did I miss any steps above? Please help.

Thanks.

--David
Re: [Freeipa-users] IPA replica server rebuilding failed with 'Invalid credentials' error.
Debug output is attached as well.

    root : DEBUG [21/29]: setting up initial replication
    [21/29]: setting up initial replication
    root : DEBUG args=/sbin/service dirsrv restart JIGSAW-COM
    root : DEBUG stdout=Shutting down dirsrv:
    JIGSAW-COM... [ OK ]
    Starting dirsrv:
    JIGSAW-COM... [ OK ]
    root : DEBUG stderr=
    Starting replication, please wait until this has completed.
    [ipamaster.qe9.jigsaw.com] reports: Update failed! Status: [49 - LDAP error: Invalid credentials]
    creation of replica failed: Failed to start replication
    root : DEBUG Failed to start replication
      File "/usr/sbin/ipa-replica-install", line 482, in <module>
        main()
      File "/usr/sbin/ipa-replica-install", line 433, in main
        ds = install_replica_ds(config)
      File "/usr/sbin/ipa-replica-install", line 135, in install_replica_ds
        pkcs12_info)
      File "/usr/lib/python2.6/site-packages/ipaserver/install/dsinstance.py", line 284, in create_replica
        self.start_creation("Configuring directory server", 60)
      File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 248, in start_creation
        method()
      File "/usr/lib/python2.6/site-packages/ipaserver/install/dsinstance.py", line 297, in __setup_replica
        r_bindpw=self.dm_password)
      File "/usr/lib/python2.6/site-packages/ipaserver/install/replication.py", line 694, in setup_replication
        raise RuntimeError("Failed to start replication")
    Your system may be partly configured.
    Run /usr/sbin/ipa-server-install --uninstall to clean up.

--Guolin
Re: [Freeipa-users] IPA replica server rebuilding failed with 'Invalid credentials' error.
Temporarily fixed by myself. -- remove replica ipareplica02 by FORCE again and again on IPA master, until the replica doesn't show up when running 'ipa-replica-manage list'.

Could someone at Red Hat IPA project please give a step-by-step on how to remove an IPA replica, and how to add it back -- reimage and rebuild --. Thanks.

    [root@ipamaster .ssh]# ipa-replica-manage list
    ipareplica01.example.com: master
    ipareplica02.example.com: master
    ipamaster.example.com: master
    [root@ipamaster .ssh]#
    [root@ipamaster .ssh]# ipa-replica-manage del ipareplica02.example.com --force
    Unable to connect to replica ipareplica02.example.com, forcing removal
    'ipamaster.example.com' has no replication agreement for 'ipareplica02.example.com'
    'ipareplica01.example.com' has no replication agreement for 'ipareplica02.example.com'
    [root@ipamaster .ssh]# ipa-replica-manage list
    ipareplica01.example.com: master
    ipamaster.example.com: master
    [root@ipamaster .ssh]#

--David
[Freeipa-users] krbPasswordExpiration field not updating?
Hi,

Spec:

    Red Hat Enterprise Linux Server release 6.2 (Santiago)
    ipa-admintools-2.1.3-9.el6.x86_64
    ipa-client-2.1.3-9.el6.x86_64
    ipa-pki-ca-theme-9.0.3-7.el6.noarch
    ipa-pki-common-theme-9.0.3-7.el6.noarch
    ipa-python-2.1.3-9.el6.x86_64
    ipa-server-2.1.3-9.el6.x86_64
    ipa-server-selinux-2.1.3-9.el6.x86_64

Issue:

Firstly I'll declare someone must have seen this by now?

I've set the password policy to 9;

    [root@sysvm-ipa ~]# ipa pwpolicy-show
      Group: global_policy
      Max lifetime (days): 9
      Min lifetime (hours): 1
      History size: 0
      Character classes: 0
      Min length: 6
      Max failures: 6
      Failure reset interval: 60
      Lockout duration: 600

But old accounts are not getting the change at the LDAP level, even though IPA claims the expiry date has updated, e.g.

    [root@sysvm-ipa ~]# ipa pwpolicy-show --user=john
      Group: global_policy
      Max lifetime (days): 9
      Min lifetime (hours): 1
      History size: 0
      Character classes: 0
      Min length: 6
      Max failures: 6
      Failure reset interval: 60
      Lockout duration: 600

ldapsearch (command chopped)

    # john, users, accounts, teratext.saic.com.au
    dn: uid=john,cn=users,cn=accounts,dc=example,dc=com
    krbPasswordExpiration: 20120506011529Z

So now when the user(s) log in, I'm getting "password will expire in XX days" messages.

Any ideas? Can I globally update this somehow, otherwise I'll be re-typing passwords for a while.

cya

Craig
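One way to list the accounts affected by the mismatch described above, as an added example that is not part of the original post: it reads ldapsearch output and reports entries whose stored krbPasswordExpiration lies further from the last password change than the policy's max lifetime. It assumes the search also returns krbLastPwdChange (the post shows only krbPasswordExpiration); the sample LDIF is constructed.

```python
from datetime import datetime, timedelta

# Constructed ldapsearch (LDIF) output; uids and timestamps are made up, and
# krbLastPwdChange is assumed to be among the requested attributes.
SAMPLE_LDIF = """\
# alice, users, accounts, example.com
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
krbLastPwdChange: 20120201101500Z
krbPasswordExpiration: 20120501101500Z

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
krbLastPwdChange: 20120503080000Z
krbPasswordExpiration: 20120512080000Z
"""

def parse_ldif(text):
    """Yield {attr: value} per entry; handles comments and folded lines."""
    entry, last = {}, None
    for line in text.splitlines() + [""]:
        if line.startswith("#"):               # ldapsearch comment line
            continue
        if line.startswith(" ") and last:      # folded line continues the value
            entry[last] += line[1:]
        elif ":" in line:
            last, _, value = line.partition(":")
            entry[last] = value.strip()
        elif not line.strip() and entry:       # blank line ends the entry
            yield entry
            entry, last = {}, None

def gtime(value):
    """Parse an LDAP GeneralizedTime such as 20120506011529Z (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ")

def stale_expirations(ldif_text, max_life_days):
    """Return (dn, stored lifetime in days) where it exceeds the policy."""
    stale = []
    for e in parse_ldif(ldif_text):
        if "krbLastPwdChange" not in e or "krbPasswordExpiration" not in e:
            continue                           # cannot judge without both stamps
        life = gtime(e["krbPasswordExpiration"]) - gtime(e["krbLastPwdChange"])
        if life > timedelta(days=max_life_days):
            stale.append((e["dn"], life.days))
    return stale

if __name__ == "__main__":
    for dn, days in stale_expirations(SAMPLE_LDIF, max_life_days=9):
        print(f"{dn}: stored lifetime {days} days exceeds policy")
```
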