[Freeipa-users] Using subdomains (or dots) in hostnames
Hi!

We are in the process of deploying FreeIPA in our virtual environment. So far things are working smoothly and I am really impressed by the solution!

One question has arisen as we have added our first clients to the system. Because the total number of clients is 50 and going up, we have divided our servers into subdomains depending on the purpose of the server, i.e. test servers in one subdomain, internal services in another and so on. There is, however, no need for each subdomain to have its own IPA server.

Let's say we're using domain example.com. Adding clients a.example.com and b.example.com was smooth. Adding client a.sub1.example.com also had no problems until I tried to get sudoers from the IPA server (using SSSD and LDAP as suggested). The client fails to find any users matching the server name. Because the only difference compared to a fully functional server is the dot in the host name, that's probably the reason why no sudoers are found for the server in the subdomain?

For the IPA master I am using CentOS 6.4 and ipa-server-3.0.0-26.el6_4.4.x86_64. The clients are also CentOS 6.4 with ipa-client-3.0.0-26.el6_4.4.x86_64.

Any help is appreciated! Please let me know if providing any piece of information helps.

Best regards,
Thomas

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] Replication woes
My replication situation has gotten a bit messed up. I have four replicas that are up and running and two that I'm trying to delete (one is not a replica any more, one didn't upgrade well during its fedup upgrade from F17-F18 and as such I had to do a clean OS install).

# ipa-replica-manage list
bad1.foo.net: master
bad2.foo.net: master
good1.foo.net: master
good2.foo.net: master
good3.foo.net: master
good4.foo.net: master
# ipa-replica-manage list ipamaster.foo.net
good1.foo.net: replica
good2.foo.net: replica
good3.foo.net: replica
good4.foo.net: replica
# ipa-replica-manage del --force bad1.foo.net
'ipamaster.foo.net' has no replication agreement for 'bad1.foo.net'
# ipa-replica-manage del --force bad2.foo.net
'ipamaster.foo.net' has no replication agreement for 'bad2.foo.net'
#

What I need to do is remove bad1 completely and then remove bad2 and re-add it as a replica. Any ideas?

Bret Wortman
http://damascusgrp.com/
http://about.me/wortmanbret
Re: [Freeipa-users] Replication woes
Bret Wortman wrote:
> The software is actually gone from both boxes -- one is dead and the other was reinstalled when the upgrade failed. So I can't get at the database for either one. Safe to just --cleanup in that case?

Assuming that none of the good servers have an agreement with bad* then yes, safe to use.

rob

> Bret Wortman
> http://damascusgrp.com/
> http://about.me/wortmanbret
>
> On Mon, Aug 19, 2013 at 10:26 AM, Rob Crittenden rcrit...@redhat.com wrote:
>> Bret Wortman wrote:
>>> My replication situation has gotten a bit messed up. I have four replicas that are up and running and two that I'm trying to delete (one is not a replica any more, one didn't upgrade well during its fedup upgrade from F17-F18 and as such I had to do a clean OS install).
>>> [...]
>>> What I need to do is remove bad1 completely and then remove bad2 and re-add it as a replica. Any ideas?
>>
>> I guess I'd start on bad1 and see what replication agreements it thinks it has. It is worth it to double-check on all the good hosts too, just to be sure that nobody has an agreement.
>>
>> Assuming it has no agreements, add the --cleanup flag to the del command. This will prompt you to erase the replica as a master. We have lots of warnings because this can be a pretty dangerous command.
>>
>> Once removed you can safely uninstall the replica and re-install if you'd like.
>>
>> rob
Re: [Freeipa-users] Replication woes
Not according to my poll of the good ones, so here goes. Thanks, Rob.

Bret Wortman
http://damascusgrp.com/
http://about.me/wortmanbret

On Mon, Aug 19, 2013 at 10:35 AM, Rob Crittenden rcrit...@redhat.com wrote:
> Bret Wortman wrote:
>> The software is actually gone from both boxes -- one is dead and the other was reinstalled when the upgrade failed. So I can't get at the database for either one. Safe to just --cleanup in that case?
>
> Assuming that none of the good servers have an agreement with bad* then yes, safe to use.
>
> rob
> [...]
Re: [Freeipa-users] Replication woes
Bret Wortman wrote:
> How can I tell if this is working? It's been 10 minutes and it hasn't returned; IPA response is sluggish and top doesn't show anything obviously running sucking up CPU.

It should be nearly instantaneous. It doesn't actually do a lot. It deletes the master from cn=masters, removes its entries from S4U2proxy delegation and in newer versions attempts to save its DNA configuration, if any.

It should be safe to break out of it and re-run it. You may want to check the 389-ds logs to see what it has already done.

rob

> Bret Wortman
> http://damascusgrp.com/
> http://about.me/wortmanbret
>
> On Mon, Aug 19, 2013 at 10:16 AM, Bret Wortman bret.wort...@damascusgrp.com wrote:
>> My replication situation has gotten a bit messed up. I have four replicas that are up and running and two that I'm trying to delete (one is not a replica any more, one didn't upgrade well during its fedup upgrade from F17-F18 and as such I had to do a clean OS install).
>> [...]
>> What I need to do is remove bad1 completely and then remove bad2 and re-add it as a replica. Any ideas?
Re: [Freeipa-users] Replication woes
Well, my master ground to a halt and wasn't responding. I rebooted the system and now I can't access the web UI or ssh to the master either. I have console access but that's it. The services all say they're running, but the web UI gives an Unknown Error dialog and ssh fails with "ssh_exchange_identification: Connection closed by remote host" whenever I try to ssh to ipamaster. I think something has gone really wrong inside my master. Any ideas?

Even after the reboot, --cleanup isn't helping and just hangs. The logfiles end (as of the time I ^C'd the process) with:

NSMMReplicationPlugin - agmt=cn=meTogood3.spx.net (good3:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cannot determine realm for numeric host address))
NSMMReplicationPlugin - CleanAllRUV Task: Replica not online (agmt=cn=meTogood3.foo.net (good3:389))
NSMMReplicationPlugin - CleanAllRUV Task: Not all replicas online, retrying in 160 seconds...

So it looks like it's having trouble talking with one of my replicas and is doggedly trying to get the job done. Any idea how to get the master back working again while I troubleshoot this connectivity issue?

Bret Wortman
http://damascusgrp.com/
http://about.me/wortmanbret

On Mon, Aug 19, 2013 at 11:11 AM, Rob Crittenden rcrit...@redhat.com wrote:
> Bret Wortman wrote:
>> How can I tell if this is working? It's been 10 minutes and it hasn't returned; IPA response is sluggish and top doesn't show anything obviously running sucking up CPU.
>
> It should be nearly instantaneous. It doesn't actually do a lot. It deletes the master from cn=masters, removes its entries from S4U2proxy delegation and in newer versions attempts to save its DNA configuration, if any.
>
> It should be safe to break out of it and re-run it. You may want to check the 389-ds logs to see what it has already done.
>
> rob
>
>> On Mon, Aug 19, 2013 at 10:16 AM, Bret Wortman bret.wort...@damascusgrp.com wrote:
>>> My replication situation has gotten a bit messed up. [...]
>>> What I need to do is remove bad1 completely and then remove bad2 and re-add it as a replica. Any ideas?
Re: [Freeipa-users] Replication woes
Bret Wortman wrote:
> Well, my master ground to a halt and wasn't responding. I rebooted the system and now I can't access the web UI or ssh to the master either. I have console access but that's it. The services all say they're running, but the web UI gives an Unknown Error dialog and ssh fails with "ssh_exchange_identification: Connection closed by remote host" whenever I try to ssh to ipamaster. I think something has gone really wrong inside my master. Any ideas?
>
> Even after the reboot, --cleanup isn't helping and just hangs. The logfiles end (as of the time I ^C'd the process) with:
>
> NSMMReplicationPlugin - agmt=cn=meTogood3.spx.net (good3:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cannot determine realm for numeric host address))
> NSMMReplicationPlugin - CleanAllRUV Task: Replica not online (agmt=cn=meTogood3.foo.net (good3:389))
> NSMMReplicationPlugin - CleanAllRUV Task: Not all replicas online, retrying in 160 seconds...
>
> So it looks like it's having trouble talking with one of my replicas and is doggedly trying to get the job done. Any idea how to get the master back working again while I troubleshoot this connectivity issue?

That suggests a DNS problem, and it might explain ssh as well depending on your configuration.

rob

> On Mon, Aug 19, 2013 at 11:11 AM, Rob Crittenden rcrit...@redhat.com wrote:
>> Bret Wortman wrote:
>>> How can I tell if this is working? [...]
>>
>> It should be nearly instantaneous. It doesn't actually do a lot. [...]
>>
>> rob
>>
>>> On Mon, Aug 19, 2013 at 10:16 AM, Bret Wortman bret.wort...@damascusgrp.com wrote:
>>>> My replication situation has gotten a bit messed up. [...]
>>>> What I need to do is remove bad1 completely and then remove bad2 and re-add it as a replica. Any ideas?
Re: [Freeipa-users] Replication woes
Rob Crittenden wrote:
> Bret Wortman wrote:
>> Well, my master ground to a halt and wasn't responding. I rebooted the system and now I can't access the web UI or ssh to the master either. I have console access but that's it. The services all say they're running, but the web UI gives an Unknown Error dialog and ssh fails with "ssh_exchange_identification: Connection closed by remote host" whenever I try to ssh to ipamaster. I think something has gone really wrong inside my master. Any ideas?
>>
>> Even after the reboot, --cleanup isn't helping and just hangs. The logfiles end (as of the time I ^C'd the process) with:
>>
>> NSMMReplicationPlugin - agmt=cn=meTogood3.spx.net (good3:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cannot determine realm for numeric host address))
>> NSMMReplicationPlugin - CleanAllRUV Task: Replica not online (agmt=cn=meTogood3.foo.net (good3:389))
>> NSMMReplicationPlugin - CleanAllRUV Task: Not all replicas online, retrying in 160 seconds...
>>
>> So it looks like it's having trouble talking with one of my replicas and is doggedly trying to get the job done. Any idea how to get the master back working again while I troubleshoot this connectivity issue?
>
> That suggests a DNS problem, and it might explain ssh as well depending on your configuration.

To be clear, you ran --cleanup against one of the bad masters, not a good one, right?

rob
Re: [Freeipa-users] Replication woes
Digging further, I think this log entry might be the problem between the two servers that aren't talking:

slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id[] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server ldap/localh...@spx.net not found in Kerberos database)) errno 2 (No such file or directory)

Did I build something incorrectly when that server was set up originally?

Bret Wortman
http://damascusgrp.com/
http://about.me/wortmanbret

On Mon, Aug 19, 2013 at 12:02 PM, Bret Wortman bret.wort...@damascusgrp.com wrote:
> I ran it on a good master, against a bad one. As in, I ran this command on my master IPA node:
>
> # ipa-replica-manage del --force bad1.foo.net --cleanup
>
> Was that wrong? I was trying to delete the bad replica from the master, so I figured the command needed to be run on the master. But again, my master is now in a state where it's not resolving DNS, user logins, or sudo at the very least.
>
> Oh, and I checked the node that it was complaining about earlier. The network connection to it is the pits, but it's there. And it resolves.
>
> Bret Wortman
> http://damascusgrp.com/
> http://about.me/wortmanbret
>
> On Mon, Aug 19, 2013 at 11:58 AM, Rob Crittenden rcrit...@redhat.com wrote:
>> Rob Crittenden wrote:
>>> Bret Wortman wrote:
>>>> Well, my master ground to a halt and wasn't responding. I rebooted the system and now I can't access the web UI or ssh to the master either. I have console access but that's it. The services all say they're running, but the web UI gives an Unknown Error dialog and ssh fails with "ssh_exchange_identification: Connection closed by remote host" whenever I try to ssh to ipamaster. I think something has gone really wrong inside my master. Any ideas?
>>>>
>>>> Even after the reboot, --cleanup isn't helping and just hangs. The logfiles end (as of the time I ^C'd the process) with:
>>>>
>>>> NSMMReplicationPlugin - agmt=cn=meTogood3.spx.net (good3:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cannot determine realm for numeric host address))
>>>> NSMMReplicationPlugin - CleanAllRUV Task: Replica not online (agmt=cn=meTogood3.foo.net (good3:389))
>>>> NSMMReplicationPlugin - CleanAllRUV Task: Not all replicas online, retrying in 160 seconds...
>>>>
>>>> So it looks like it's having trouble talking with one of my replicas and is doggedly trying to get the job done. Any idea how to get the master back working again while I troubleshoot this connectivity issue?
>>>
>>> That suggests a DNS problem, and it might explain ssh as well depending on your configuration.
>>
>> To be clear, you ran --cleanup against one of the bad masters, not a good one, right?
>>
>> rob
[Freeipa-users] Fwd: Replication woes
On my master (where this error is occurring), I've got, in /etc/hosts:

127.0.0.1   localhost localhost.localdomain
::1         localhost localhost.localdomain
1.2.3.4     ipamaster.foo.net ipamaster

So that should be okay, right?

# host ipamaster.foo.net
ipamaster.foo.net has address 1.2.3.4
# host ipamaster
ipamaster.foo.net has address 1.2.3.4
# host localhost
localhost has address 127.0.0.1
localhost has IPv6 address ::1
#

I checked the other system (the one I can't connect to) to be safe, and its /etc/hosts is similarly configured. It even has the master listed with its correct IP address.

Bret Wortman
http://damascusgrp.com/
http://about.me/wortmanbret

On Mon, Aug 19, 2013 at 2:02 PM, Simo Sorce s...@redhat.com wrote:
> On Mon, 2013-08-19 at 13:51 -0400, Bret Wortman wrote:
>> So, any idea how to fix the Kerberos problem?
>
> If your server is trying to get a tgt for ldap/localhost it probably means your /etc/hosts file is broken and has a line like this:
>
> 1.2.3.4 localhost my.real.name
>
> When GSSAPI tries to resolve my.real.name it gets back that 'localhost' is the canonical name so it tries to get a TGT with that name and it fails.
>
> If /etc/hosts is fine then the DNS server may be returning an IP address that later resolves to localhost again.
>
> To unbreak make sure that if you have your fully qualified name in /etc/hosts that it is on its own line pointing at the right IP address and where the FQDN name is the first in line.
>
> e.g. this is ok:
> 1.2.3.4 server.full.name server
>
> this is not:
> 1.2.3.4 server server.full.name
>
> Simo.
>
>> Bret Wortman
>> http://damascusgrp.com/
>> http://about.me/wortmanbret
>>
>> On Mon, Aug 19, 2013 at 12:19 PM, Bret Wortman bret.wort...@damascusgrp.com wrote:
>>> ...and I got the web UI, authentication and sudo back via:
>>>
>>> # ipactl stop
>>> # ipactl start
>>>
>>> Not sure why that worked, but it did. I was grasping at straws, honestly.
>>>
>>> Bret Wortman
>>> http://damascusgrp.com/
>>> http://about.me/wortmanbret
>>>
>>> On Mon, Aug 19, 2013 at 12:18 PM, Bret Wortman bret.wort...@damascusgrp.com wrote:
>>>> Digging further, I think this log entry might be the problem between the two servers that aren't talking:
>>>>
>>>> slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id[] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server ldap/localh...@spx.net not found in Kerberos database)) errno 2 (No such file or directory)
>>>>
>>>> Did I build something incorrectly when that server was set up originally?
>>>> [...]
>>>> On Mon, Aug 19, 2013 at 12:02 PM, Bret Wortman bret.wort...@damascusgrp.com wrote:
>>>>> I ran it on a good master, against a bad one. As in, I ran this command on my master IPA node:
>>>>>
>>>>> # ipa-replica-manage del --force bad1.foo.net --cleanup
>>>>>
>>>>> Was that wrong? [...]
>>>>> On Mon, Aug 19, 2013 at 11:58 AM, Rob Crittenden rcrit...@redhat.com wrote:
>>>>>> Rob Crittenden wrote:
>>>>>>> Bret Wortman wrote:
>>>>>>>> Well, my master ground to a halt and wasn't responding. I rebooted the system and now I can't access the web UI or ssh
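The /etc/hosts rule Simo gives above (FQDN first on its own line, never behind "localhost"), turned into a check that also shows which service principal a GSSAPI client would end up asking for. This is an added example, not code from the thread or from FreeIPA; it emulates only the NSS "files" canonicalisation (first matching line, first name on that line), not the DNS case Simo also mentions, and both sample hosts files are constructed.

```python
"""Check /etc/hosts for the canonical-name mistake discussed in the thread."""
import ipaddress
from typing import List, Optional, Tuple

HostsEntries = List[Tuple[str, List[str]]]

# Constructed sample: the FQDN hides behind 'localhost' on the same line, the
# "this is not" shape from Simo's reply. 'localhost' becomes the canonical name.
BROKEN_HOSTS = """\
127.0.0.1   localhost localhost.localdomain
::1         localhost localhost.localdomain
1.2.3.4     localhost ipamaster.foo.net
"""

# Constructed sample in the recommended shape: FQDN first, on its own line.
GOOD_HOSTS = """\
127.0.0.1   localhost localhost.localdomain
::1         localhost localhost.localdomain
1.2.3.4     ipamaster.foo.net ipamaster   # trailing comment is ignored
"""


def parse_hosts(text: str) -> HostsEntries:
    """Return (address, [names...]) for each data line; comments and blanks are skipped."""
    entries: HostsEntries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) >= 2:
            entries.append((fields[0], fields[1:]))
    return entries


def canonical_name(entries: HostsEntries, name: str) -> Optional[Tuple[str, str]]:
    """Emulate the NSS 'files' backend: the first line that lists `name` wins,
    and the first name on that line is the canonical name (AI_CANONNAME)."""
    wanted = name.lower()
    for addr, names in entries:
        if wanted in (n.lower() for n in names):
            return addr, names[0]
    return None


def service_principal(entries: HostsEntries, service: str, host: str, realm: str) -> Optional[str]:
    """Principal a GSSAPI client would ask the KDC for after canonicalising `host`."""
    hit = canonical_name(entries, host)
    if hit is None:
        return None
    return f"{service}/{hit[1]}@{realm}"


def check_hosts(text: str, fqdn: str) -> List[str]:
    """Return findings for `fqdn`; an empty list means the file follows the rule."""
    entries = parse_hosts(text)
    hit = canonical_name(entries, fqdn)
    if hit is None:
        return [f"{fqdn} is not listed in /etc/hosts"]
    addr, canon = hit
    findings: List[str] = []
    if canon.lower() != fqdn.lower():
        findings.append(f"{fqdn} canonicalises to '{canon}'; the FQDN must be first on its line")
    try:
        if ipaddress.ip_address(addr).is_loopback:
            findings.append(f"{fqdn} maps to loopback address {addr}")
    except ValueError:
        findings.append(f"unparseable address '{addr}' on the line for {fqdn}")
    return findings


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_HOSTS), ("good", GOOD_HOSTS)):
        print(label, check_hosts(text, "ipamaster.foo.net") or "ok",
              service_principal(parse_hosts(text), "ldap", "ipamaster.foo.net", "FOO.NET"))
```

Run against the broken sample it reports the canonicalisation to 'localhost' and derives ldap/localhost@FOO.NET, the same principal the "not found in Kerberos database" error above complains about; against the good sample it reports nothing.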