Re: [Freeipa-users] ipa: ERROR: invalid 'hostname': invalid domain-name: only letters, numbers, '-' are allowed. DNS label may not start or end with '-'

2016-06-14 Thread Łukasz Jaworski
Thanks.

Best regards,
Ender

Message written by Rob Crittenden <rcrit...@redhat.com> on 14 Jun 2016, at 13:56:

> Łukasz Jaworski wrote:
>> Hi,
>> 
>> freeipa-client-4.2.4-1.fc23.x86_64 freeipa-server-4.2.4-1.fc23.x86_64
>> 
>> I've tried to add a hostname with multiple hyphens. Something like:
>> example--name-of-host.example.com. Output is: ipa: ERROR: invalid
>> ‘hostname’: invalid domain-name: only letters, numbers, ‘-’ are allowed.
>> DNS label may not start or end with ‘-’
>> 
>> IMHO hyphens are not allowed as the first and last characters of a label
>> (RFC 952 and 1123).
>> 
>> If I'm right, in validate_dns_label (util.py) there should be something like this:
>> 
>> 
>>  diff util.py util.py.corrected 225c225 < label_regex =
>>  
>> r'^[%(base)s%(extra)s]([%(base)s%(extra)s%(middle)s]?[%(base)s%(extra)s])*$'
>>  \
>> 
>>label_regex =
>>
>> r'^[%(base)s%(extra)s]([%(base)s%(extra)s%(middle)s]+?[%(base)s%(extra)s])*$'
>>\
> 
> See 
> https://u2049412.ct.sendgrid.net/wf/click?upn=d8cswn-2BnEH-2B7WbzLTEgT0E1WY4setDHks-2BN0BaUeSRkffPOVmnu1j4NL5AZQSJz11-2BIlHFn-2BrzA2teewCcbEdg-3D-3D_an4-2Fi8Vk1W4hjXglTw5zijKXOIRderaI8LFDnF-2FT8B3V92yGlXo2OZHI8jnDj-2F4GSfoAeql5dkDdLpSdNoo-2BLrNmlfLJCTDqx2vIUS5iVOhvTPQEdtjoftVAz03IHNlO5HSli58l2DF6kpdgY7paaTVkbt70zgAI2bXtgtCjg1m7g7VRTyPTS9YXtJTrNXb-2B9GVDSMNn-2B8MiT-2FDUXEFjYucsxyrrqi7VrCmfGQOtuEM-3D
> 
> rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] ipa: ERROR: invalid 'hostname': invalid domain-name: only letters, numbers, '-' are allowed. DNS label may not start or end with '-'

2016-06-13 Thread Łukasz Jaworski
Hi,

freeipa-client-4.2.4-1.fc23.x86_64
freeipa-server-4.2.4-1.fc23.x86_64

I've tried to add a hostname with multiple hyphens. Something like: 
example--name-of-host.example.com.
Output is: ipa: ERROR: invalid 'hostname': invalid domain-name: only letters, 
numbers, '-' are allowed. DNS label may not start or end with '-'

IMHO hyphens are not allowed as the first and last characters of
a label (RFC 952 and 1123).

If I'm right, in validate_dns_label (util.py) there should be something like this:

diff util.py util.py.corrected
225c225
< label_regex = 
r'^[%(base)s%(extra)s]([%(base)s%(extra)s%(middle)s]?[%(base)s%(extra)s])*$' \
---
> label_regex = 
> r'^[%(base)s%(extra)s]([%(base)s%(extra)s%(middle)s]+?[%(base)s%(extra)s])*$' 
> \
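Review bot: the `+?` in the replacement `label_regex` makes every repetition of the parenthesised group consume at least two characters (one or more from the base/extra/middle class, then one base/extra character), so after the mandatory leading character a two-character label such as `ab` no longer matches while `abc` still does. Allowing consecutive hyphens only needs the middle class to repeat, which `r'^[%(base)s%(extra)s]([%(base)s%(extra)s%(middle)s]*[%(base)s%(extra)s])?$'` does with a single optional group instead of a repeat nested inside a repeat; the lazy `?` on the `+` buys nothing here because the pattern is anchored with `$`.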

Best regards,
Łukasz Jaworski "Ender"

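To make the RFC 952/1123 point concrete, here is an added example (not FreeIPA's validate_dns_label) that instantiates the util.py template with assumed values for base, extra and middle, and compares the quoted original line, the posted change and a variant with a single optional group against a plain reference check; the sample labels are constructed. The posted `+?` form rejects two-character labels such as `ab`, and the unnested variant keeps backtracking linear on rejected input.

```python
import re

# Character classes in the shape validate_dns_label's template uses. The thread
# shows the template, not these substitutions, so the values are assumed:
# letters and digits as base, no extra characters, hyphen as the only
# middle-position character.
BASE = "a-z0-9"
EXTRA = ""
MIDDLE = "-"


def build_label_regex(inner, outer):
    """Instantiate the template from the thread. `inner` is the quantifier on
    the middle class, `outer` the quantifier on the whole group."""
    pattern = (r'^[%(base)s%(extra)s]'
               r'([%(base)s%(extra)s%(middle)s]' + inner +
               r'[%(base)s%(extra)s])' + outer + r'$')
    return re.compile(pattern % dict(base=BASE, extra=EXTRA, middle=MIDDLE),
                      re.IGNORECASE)


ORIGINAL = build_label_regex("?", "*")    # the line the thread quotes
PATCHED = build_label_regex("+?", "*")    # the change posted in the thread
FIXED = build_label_regex("*", "?")       # one optional group, no nested repeat


def is_valid_label_rfc1123(label):
    """Reference check written without a regex: ASCII letters, digits and
    hyphens only, and no hyphen in the first or last position. The 63-octet
    length limit is out of scope here."""
    if not label or label[0] == "-" or label[-1] == "-":
        return False
    return all(c.isascii() and (c.isalnum() or c == "-") for c in label)


def classify(label):
    """Verdict of each pattern plus the reference check for one label."""
    return {
        "original": bool(ORIGINAL.match(label)),
        "patched": bool(PATCHED.match(label)),
        "fixed": bool(FIXED.match(label)),
        "rfc1123": is_valid_label_rfc1123(label),
    }


def disagreements(labels):
    """Labels on which each pattern disagrees with the reference check."""
    out = {"original": [], "patched": [], "fixed": []}
    for label in labels:
        verdict = classify(label)
        for name in out:
            if verdict[name] != verdict["rfc1123"]:
                out[name].append(label)
    return out


# Constructed sample labels; the first one is the host label from the thread.
SAMPLES = ["example--name-of-host", "ab", "a", "a-b", "a---b",
           "-foo", "foo-", "x" * 63, "under_score", "Mixed-Case9"]

if __name__ == "__main__":
    for label in SAMPLES:
        print(f"{label:24} {classify(label)}")
    print(disagreements(SAMPLES))
```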

[Freeipa-users] Problem with ipa-csreplica reinitialize

2015-12-03 Thread Łukasz Jaworski
Hi,

We have strange problems in our environment.

After ipa-csreplica-manage re-initialize, servers crash (it happens very often; 
after the second or third try, all dc and pki replication is gone. I've reinstalled 
the server and set up new replication).
There isn't any information in the logs. It looks like the process stops without any 
notice.

During ipa-csreplica-manage re-initialize server shows:

Update in progress, 3 seconds elapsed
Update succeeded

but dirsrv is gone. ps -ax |grep dirsrv shows nothing.

After starting dirsrv, replication is broken:
The remote replica has a different database generation ID than the local 
database.  You may have to reinitialize the remote replica, or the local 
replica.

Some information about our setup:
Fedora 23 (updated from 22)

freeipa-server-4.1.4-4.fc22.x86_64
389-ds-base-1.3.4.4-1.fc22.x86_64
389-ds-base-libs-1.3.4.4-1.fc22.x86_64
krb5-server-1.13.2-7.fc22.x86_64  
krb5-workstation-1.13.2-7.fc22.x86_64  
krb5-pkinit-1.13.2-7.fc22.x86_64  
krb5-libs-1.13.2-7.fc22.x86_64

Best regards,
Łukasz Jaworski
Ender


[Freeipa-users] Cant setup replica (freeipa 4.1.3), problem with pki

2015-10-07 Thread Łukasz Jaworski
Hi,

I have a problem with setting up new replicas.
I tried to set up two replicas; both failed with the same error.

environment:
Fedora 21

packages:
freeipa-server-4.1.3-2.fc21.x86_64
389-ds-base-1.3.3.8-1.fc21.x86_64
389-ds-base-libs-1.3.3.8-1.fc21.x86_64
pki-server-10.2.0-5.fc21.noarch

same on server and replicas


Output from ipa-replica-install:
(…)
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 
seconds
  [1/22]: creating certificate server user  
  [2/22]: configuring certificate server instance
  [3/22]: stopping certificate server instance to update CS.cfg
  [4/22]: backing up CS.cfg
  [5/22]: disabling nonces
  [6/22]: set up CRL publishing
  [7/22]: enable PKIX certificate path discovery and validation
  [8/22]: starting certificate server instance
  [error] RuntimeError: CA did not start in 300.0s

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

From /var/log/ipareplica.log
2015-10-07T06:25:58Z DEBUG The CA status is: check interrupted
2015-10-07T06:25:58Z DEBUG Waiting for CA to start...
2015-10-07T06:25:59Z DEBUG Starting external process
2015-10-07T06:25:59Z DEBUG args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' 
'--no-check-certificate' 'https://182.example.com:8443/ca/admin/c
a/getStatus'
2015-10-07T06:25:59Z DEBUG Process finished, return code=8
2015-10-07T06:25:59Z DEBUG stdout=
2015-10-07T06:25:59Z DEBUG stderr=--2015-10-07 08:25:59--  
https://182.example.com:8443/ca/admin/ca/getStatus
Resolving 182.example.com (182.example.com)... xx.xx.xx.xx
Connecting to 182.example.com (182.example.com)|xx.xx.xx.xx|:8443... connected.
WARNING: cannot verify 182.example.com's certificate, issued by ‘CN=Certificate 
Authority,O=ecample.com’:
  Self-signed certificate encountered.
HTTP request sent, awaiting response... 
  HTTP/1.1 500 Internal Server Error
  Server: Apache-Coyote/1.1
  Content-Type: text/html;charset=utf-8
  Content-Language: en
  Content-Length: 2923
  Date: Wed, 07 Oct 2015 06:25:59 GMT
  Connection: close
2015-10-07 08:25:59 ERROR 500: Internal Server Error.

Any idea?

Best regards,
Ender

-- 
Łukasz Jaworski



Re: [Freeipa-users] Cant setup replica (freeipa 4.1.3), problem with pki

2015-10-07 Thread Łukasz Jaworski
Looks like the system is missing the CA cert (should it be added during 
ipa-replica-install?).
I don't know if the missing cert is the main problem in my case, but I made some tests:

try 1:
openssl s_client -connect `hostname -f`:8443
(…)
Verify return code: 19 (self signed certificate in certificate chain)

try 2:
openssl s_client -connect `hostname -f`:8443 -CAfile /etc/ipa/ca.crt
(…)
Verify return code: 0 (ok)


After I've added ipa.cert into /etc/pki/tls/cert.pem:
cat /etc/ipa/ca.crt >> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

try 3:
openssl s_client -connect `hostname -f`:8443
(…)
Verify return code: 0 (ok)


Best regards,
Ender
-- 
Łukasz Jaworski

Message written by Łukasz Jaworski <en...@kofeina.net> on 7 Oct 2015, at 08:35:

> Hi,
> 
> I have a problem with setting up new replicas.
> I tried to set up two replicas; both failed with the same error.
> 
> environment:
> Fedora 21
> 
> packages:
> freeipa-server-4.1.3-2.fc21.x86_64
> 389-ds-base-1.3.3.8-1.fc21.x86_64
> 389-ds-base-libs-1.3.3.8-1.fc21.x86_64
> pki-server-10.2.0-5.fc21.noarch
> 
> same on server and replicas
> 
> 
> Output from ipa-replica-install:
> (…)
> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 
> seconds
>  [1/22]: creating certificate server user  
>  [2/22]: configuring certificate server instance
>  [3/22]: stopping certificate server instance to update CS.cfg
>  [4/22]: backing up CS.cfg
>  [5/22]: disabling nonces
>  [6/22]: set up CRL publishing
>  [7/22]: enable PKIX certificate path discovery and validation
>  [8/22]: starting certificate server instance
>  [error] RuntimeError: CA did not start in 300.0s
> 
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
> 
> From /var/log/ipareplica.log
> 2015-10-07T06:25:58Z DEBUG The CA status is: check interrupted
> 2015-10-07T06:25:58Z DEBUG Waiting for CA to start...
> 2015-10-07T06:25:59Z DEBUG Starting external process
> 2015-10-07T06:25:59Z DEBUG args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' 
> '--no-check-certificate' 'https://182.example.com:8443/ca/admin/c
> a/getStatus'
> 2015-10-07T06:25:59Z DEBUG Process finished, return code=8
> 2015-10-07T06:25:59Z DEBUG stdout=
> 2015-10-07T06:25:59Z DEBUG stderr=--2015-10-07 08:25:59--  
> https://182.example.com:8443/ca/admin/ca/getStatus
> Resolving 182.example.com (182.example.com)... xx.xx.xx.xx
> Connecting to 182.example.com (182.example.com)|xx.xx.xx.xx|:8443... 
> connected.
> WARNING: cannot verify 182.example.com's certificate, issued by 
> ‘CN=Certificate Authority,O=ecample.com’:
>  Self-signed certificate encountered.
> HTTP request sent, awaiting response... 
>  HTTP/1.1 500 Internal Server Error
>  Server: Apache-Coyote/1.1
>  Content-Type: text/html;charset=utf-8
>  Content-Language: en
>  Content-Length: 2923
>  Date: Wed, 07 Oct 2015 06:25:59 GMT
>  Connection: close
> 2015-10-07 08:25:59 ERROR 500: Internal Server Error.
> 
> Any idea?
> 
> Best regards,
> Ender
> 
> -- 
> Łukasz Jaworski
> 
> 



Re: [Freeipa-users] IPA Replication Questions

2015-07-07 Thread Łukasz Jaworski
Yes.
ipa-replica-manage connect s2 s3

and for CA replication:
ipa-csreplica-manage connect s2 s3

Best regards,
Ender

Message written by John Stein tde3...@gmail.com on 7 Jul 2015, at 07:56:

 Hi,
 
 Looking at the documentation, I've found no examples of creating a replication 
 agreement with only one server.
 
 What I assume needs to be done is this:
 For each replica, run ipa-replica-prepare and follow the documentation. This 
 creates replication agreements between two nodes.
 From there, I should use ipa-replica-manage to add replication agreements to 
 whichever nodes I want that were not the original two.
 
 For instance: from server1 I run ipa-replica-prepare to prepare the files for 
 server2 and server3 and then run ipa-replica-install on them with their 
 respective files.
 So my replication agreements are 
 s1 - s2
 s1 - s3
  After that I use ipa-replica-manage to create trust between server2 and 
 server3. 
 
 Am I right?
 
 Thank you,
 John




Re: [Freeipa-users] Problem with replication

2015-05-06 Thread Łukasz Jaworski
 
 Hi,
 
 there seem to be different issues,
 - I don't know what the ipactl status is looking for when it generates the 
 error message about no matching master,
 but I don't think it is related to the retro changelog.
 
 - the retro changelog errors for adding and deleting
 -- the add failures are about aborted transactions because a page cannot be 
 accessed, this may be caused by concurrent mods on different backends, which 
 want to update the shared retro cl database.
 the changenumber reported seems to be increasing, one error is about 
 changenumber 44975, the next about 45577, so it looks like changes into the 
 changelog are written and the changenumber increases
 -- I'm not sure about the delete errors, but normally trimming would go on 
 after such an error message, the changenumbers attempted to delete are 
 increasing.
 Could you verify which changes are in the changelog, and if these are 
 changing:
 ldapsearch -b cn=changelog dn
 
 On 05/06/2015 09:52 AM, Łukasz Jaworski wrote:
 Hi,
 
 One of our replicas hung up in the morning. Error log after dirsrv restart:
 [06/May/2015:09:28:15 +0200] - Retry count exceeded in delete
 [06/May/2015:09:28:15 +0200] DSRetroclPlugin - delete_changerecord: could 
 not delete change record 38376 (rc: 51)
 [06/May/2015:09:28:15 +0200] - Operation error fetching Null DN 
 (6368aeb7-f3c111e4-ae70ce39-9b469c1f), error -30993.
 [06/May/2015:09:28:15 +0200] - dn2entry_ext: Failed to get id for 
 changenumber=44975,cn=changelog from entryrdn index (-30993)
 [06/May/2015:09:28:15 +0200] - Operation error fetching 
 changenumber=44975,cn=changelog (null), error -30993.
 [06/May/2015:09:28:15 +0200] DSRetroclPlugin - replog: an error occured 
 while adding change number 44975, dn = changenumber=44975,cn=changelog: 
 Operations error.
 [06/May/2015:09:28:15 +0200] retrocl-plugin - retrocl_postob: operation 
 failure [1]
 [06/May/2015:09:28:15 +0200] - ldbm_back_seq deadlock retry BAD 1601, 
 err=0 BDB0062 Successful return: 0
 [06/May/2015:09:30:03 +0200] - ldbm_back_seq deadlock retry BAD 1601, 
 err=0 BDB0062 Successful return: 0
 [06/May/2015:09:30:06 +0200] - Retry count exceeded in delete
 [06/May/2015:09:30:06 +0200] DSRetroclPlugin - delete_changerecord: could 
 not delete change record 39297 (rc: 51)
 
 I did re-initialize from other replica.
 
 Now ipactl doesn't work. Shows: Configured hostname 'replica09.local' does 
 not match any master server in LDAP. On the list replica09 exists (twice).
 
 # ipactl status
 Failed to get list of services to probe status!
 Configured hostname 'replica09.local' does not match any master server in 
 LDAP:
 replica01.local
 replica02.local
 replica03.local
 replica04.local
 replica05.local
 replica06.local
 replica07.local
 replica08.local
 replica09.local
 replica10.local
 replica09.local
 
 After dirsrv stop/start:
 
 In error logs there are many:
 [06/May/2015:09:50:30 +0200] DSRetroclPlugin - delete_changerecord: could 
 not delete change record 39290 (rc: 32)
 [06/May/2015:09:50:30 +0200] DSRetroclPlugin - delete_changerecord: could 
 not delete change record 39291 (rc: 32)
 [06/May/2015:09:50:30 +0200] DSRetroclPlugin - delete_changerecord: could 
 not delete change record 39292 (rc: 32)
 [06/May/2015:09:50:30 +0200] DSRetroclPlugin - delete_changerecord: could 
 not delete change record 39293 (rc: 32)
 [06/May/2015:09:50:30 +0200] DSRetroclPlugin - delete_changerecord: could 
 not delete change record 39294 (rc: 32)
 [06/May/2015:09:50:30 +0200] DSRetroclPlugin - delete_changerecord: could 
 not delete change record 39295 (rc: 32)
 [06/May/2015:09:50:30 +0200] DSRetroclPlugin - delete_changerecord: could 
 not delete change record 39296 (rc: 32)
 etc.
 
 [06/May/2015:09:51:08 +0200] - Operation error fetching Null DN 
 (9f51430a-f3c411e4-927ece39-9b469c1f), error -30993.
 [06/May/2015:09:51:08 +0200] - dn2entry_ext: Failed to get id for 
 changenumber=45577,cn=changelog from entryrdn index (-30993)
 [06/May/2015:09:51:08 +0200] - Operation error fetching 
 changenumber=45577,cn=changelog (null), error -30993.
 [06/May/2015:09:51:08 +0200] DSRetroclPlugin - replog: an error occured 
 while adding change number 45577, dn = changenumber=45577,cn=changelog: 
 Operations error.
 [06/May/2015:09:51:08 +0200] retrocl-plugin - retrocl_postob: operation 
 failure [1]
 [06/May/2015:09:51:08 +0200] - ldbm_back_seq deadlock retry BAD 1601, 
 err=0 BDB0062 Successful return: 0
 
 Packages:
 freeipa-server-4.1.3-2.fc21.x86_64
 389-ds-base-1.3.3.8-1.fc21.x86_64
 389-ds-base-libs-1.3.3.8-1.fc21.x86_64
 
 Best regards,
 Ender
 
 



Re: [Freeipa-users] Problem with replication

2015-05-06 Thread Łukasz Jaworski
Hi,

ipactl stops working after dirsrv stop/start.

There are many changes in the changelog:
from 39399 to 44397

(…)
# 44393, changelog
dn: changenumber=44393,cn=changelog

# 44394, changelog
dn: changenumber=44394,cn=changelog

# 44395, changelog
dn: changenumber=44395,cn=changelog

# 44396, changelog
dn: changenumber=44396,cn=changelog

# 44397, changelog
dn: changenumber=44397,cn=changelog

# search result
search: 2
result: 11 Administrative limit exceeded

# numResponses: 5001
# numEntries: 5000


After some seconds dirsrv stops responding.

In error log:
[06/May/2015:11:00:04 +0200] 
agmt=cn=cloneAgreement1-replica09.local-pki-tomcat (replica08:389) - Can't 
locate CSN 55100d8c069f in the changelog (DB rc=-30988). If replication 
stops, the consumer may need to be reinitialized.
[06/May/2015:11:00:04 +0200] - ldbm_back_seq deadlock retry BAD 1601, err=0 
BDB0062 Successful return: 0

ldapsearch hangs. Dirsrv is not responding now.

This replica is on a virtual machine (ganeti). We had problems with replication 
to the VM, but after force-sync all was fine. On physical servers all works fine.

Lukasz Jaworski 'Ender'

Message written by Ludwig Krispenz lkris...@redhat.com on 6 May 2015, at 10:52:

 Hi,
 
 there seem to be different issues,
 - I don't know what the ipactl status is looking for when it generates the 
 error message about no matching master,
 but I don't think it is related to the retro changelog.
 
 - the retro changelog errors for adding and deleting
 -- the add failures are about aborted transactions because a page cannot be 
 accessed, this may be caused by concurrent mods on different backends, which 
 want to update the shared retro cl database.
 the changenumber reported seems to be increasing, one error is about 
 changenumber 44975, the next about 45577, so it looks like changes into the 
 changelog are written and the changenumber increases
 -- I'm not sure about the delete errors, but normally trimming would go on 
 after such an error message, the changenumbers attempted to delete are 
 increasing.
 Could you verify which changes are in the changelog, and if these are 
 changing:
 ldapsearch -b cn=changelog dn
 
 On 05/06/2015 09:52 AM, Łukasz Jaworski wrote:
 Hi,
 
 One of our replicas hung up in the morning. Error log after dirsrv restart:
 [06/May/2015:09:28:15 +0200] - Retry count exceeded in delete
 [06/May/2015:09:28:15 +0200] DSRetroclPlugin - delete_changerecord: could 
 not delete change record 38376 (rc: 51)
 [06/May/2015:09:28:15 +0200] - Operation error fetching Null DN 
 (6368aeb7-f3c111e4-ae70ce39-9b469c1f), error -30993.
 [06/May/2015:09:28:15 +0200] - dn2entry_ext: Failed to get id for 
 changenumber=44975,cn=changelog from entryrdn index (-30993)
 [06/May/2015:09:28:15 +0200] - Operation error fetching 
 changenumber=44975,cn=changelog (null), error -30993.
 [06/May/2015:09:28:15 +0200] DSRetroclPlugin - replog: an error occured 
 while adding change number 44975, dn = changenumber=44975,cn=changelog: 
 Operations error.
 [06/May/2015:09:28:15 +0200] retrocl-plugin - retrocl_postob: operation 
 failure [1]
 [06/May/2015:09:28:15 +0200] - ldbm_back_seq deadlock retry BAD 1601, err=0 
 BDB0062 Successful return: 0
 [06/May/2015:09:30:03 +0200] - ldbm_back_seq deadlock retry BAD 1601, err=0 
 BDB0062 Successful return: 0
 [06/May/2015:09:30:06 +0200] - Retry count exceeded in delete
 [06/May/2015:09:30:06 +0200] DSRetroclPlugin - delete_changerecord: could 
 not delete change record 39297 (rc: 51)
 
 I did re-initialize from other replica.
 
 Now ipactl doesn't work. Shows: Configured hostname 'replica09.local' does 
 not match any master server in LDAP. On the list replica09 exists (twice).
 
 # ipactl status
 Failed to get list of services to probe status!
 Configured hostname 'replica09.local' does not match any master server in 
 LDAP:
 replica01.local
 replica02.local
 replica03.local
 replica04.local
 replica05.local
 replica06.local
 replica07.local
 replica08.local
 replica09.local
 replica10.local
 replica09.local
 
 After dirsrv stop/start:
 
 In error logs there are many:
 [06/May/2015:09:50:30 +0200] DSRetroclPlugin - delete_changerecord: could 
 not delete change record 39290 (rc: 32)
 [06/May/2015:09:50:30 +0200] DSRetroclPlugin - delete_changerecord: could 
 not delete change record 39291 (rc: 32)
 [06/May/2015:09:50:30 +0200] DSRetroclPlugin - delete_changerecord: could 
 not delete change record 39292 (rc: 32)
 [06/May/2015:09:50:30 +0200] DSRetroclPlugin - delete_changerecord: could 
 not delete change record 39293 (rc: 32)
 [06/May/2015:09:50:30 +0200] DSRetroclPlugin - delete_changerecord: could 
 not delete change record 39294 (rc: 32)
 [06/May/2015:09:50:30 +0200] DSRetroclPlugin - delete_changerecord: could 
 not delete change record 39295 (rc: 32)
 [06/May/2015:09:50:30 +0200] DSRetroclPlugin - delete_changerecord: could 
 not delete change record 39296 (rc: 32)
 etc.
 
 [06/May/2015:09:51:08 +0200] - Operation error fetching

Re: [Freeipa-users] Problem with replication

2015-05-06 Thread Łukasz Jaworski
dbstat:

MacBookPro-10DDB1EAF1CC-1522:~ ender$ cat FILE 
Default locking region information:
139 Last allocated locker ID
0x7fff  Current maximum unused locker ID
9   Number of lock modes
200 Initial number of locks allocated
0   Initial number of lockers allocated
200 Initial number of lock objects allocated
1   Maximum number of locks possible
1   Maximum number of lockers possible
1   Maximum number of lock objects possible
312 Current number of locks allocated
151 Current number of lockers allocated
250 Current number of lock objects allocated
40  Number of lock object partitions
8191Size of object hash table
275 Number of current locks
303 Maximum number of locks at any one time
6   Maximum number of locks in any one bucket
174 Maximum number of locks stolen by for an empty partition
13  Maximum number of locks stolen for any one partition
124 Number of current lockers
124 Maximum number of lockers at any one time
223 Number of current lock objects
233 Maximum number of lock objects at any one time
3   Maximum number of lock objects in any one bucket
49  Maximum number of objects stolen by for an empty partition
5   Maximum number of objects stolen for any one partition
82905   Total number of locks requested
82018   Total number of locks released
0   Total number of locks upgraded
68  Total number of locks downgraded
8   Lock requests not available due to conflicts, for which we waited
12  Lock requests not available due to conflicts, for which we did not wait
0   Number of deadlocks
0   Lock timeout value
0   Number of locks that have timed out
0   Transaction timeout value
0   Number of transactions that have timed out
2MB 304KB   Region size
0   The number of partition locks that required waiting (0%)
0   The maximum number of times any partition lock was waited for (0%)
0   The number of object queue operations that required waiting (0%)
0   The number of locker allocations that required waiting (0%)
4   The number of region locks that required waiting (0%)
5   Maximum hash bucket length
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Lock REGINFO information:
Environment Region type
1   Region ID
/var/lib/dirsrv/slapd-/db/__db.001  Region name
0x7fd376ff3000  Region address
0x7fd376ff30a0  Region allocation head
0x7fd376ffb2b0  Region primary address
0   Region maximum allocation
0   Region allocated
Region allocations: 796 allocations, 0 failures, 539 frees, 3 longest
Allocations by power-of-two sizes:
  1KB   781
  2KB   3
  4KB   6
  8KB   3
 16KB   0
 32KB   1
 64KB   0
128KB   0
256KB   2
512KB   0
1024KB  1
REGION_SHARED   Region flags
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Lock region parameters:
2   Lock region region mutex [4/3168 0% !Own] wakeups 0/2
16381   locker table size
8191object table size
34128   obj_off
889656  locker_off
0   need_dd
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Lock conflict matrix:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Locks grouped by lockers:
Locker   Mode  Count Status  - Object ---
   1 dd=122 locks held 1write locks 0pid/thread 
1863/140491426347008 flags 10   priority 100   
   1 READ  1 HELDuserRoot/id2entry.db  handle0
   2 dd=121 locks held 0write locks 0pid/thread 
1863/140490519340800 flags 0priority 100   
   2 READ  1 WAITuserRoot/id2entry.db  page   2495
   3 dd=120 locks held 1write locks 0pid/thread 
1863/140491426347008 flags 10   priority 100   
   3 READ  1 HELDipaca/id2entry.db handle0
   4 dd=119 locks held 0write locks 0pid/thread 
1863/140491426347008 flags 0priority 100   
   5 dd=118 locks held 1write locks 0pid/thread 
1863/140491426347008 flags 10   priority 100   
   5 READ  1 HELDipaca/entryrdn.db handle0
   6 dd=117 locks held 0write locks 0pid/thread 
1863/140491426347008 flags 0priority 100   
   7 dd=116 locks held 0write locks 0pid/thread 
1863/140491426347008 flags 0priority 100   
   8 dd=115 locks held 0write locks 0pid/thread 
1863/140491426347008 flags 0priority 100   
   9 dd=114 locks held 1write locks 0pid/thread 
1863/140491426347008 flags 10   priority 100   
   9 READ  1 HELDipaca/vlv#allcertspkitomcatindex.db handle 
   0
   d dd=113 locks held 1write locks 0pid/thread 
1863/140491426347008 flags 10   priority 100   
   d READ  1 HELDipaca/vlv#allnonrevokedcertspkitomcatindex.db 
handle0
   f dd=112 locks held 1write locks 0pid/thread 
1863/140491426347008 flags 10   priority 100   
   f READ   

[Freeipa-users] Problem with replication

2015-05-06 Thread Łukasz Jaworski
Hi,

One of our replicas hung up in the morning. Error log after dirsrv restart:
[06/May/2015:09:28:15 +0200] - Retry count exceeded in delete
[06/May/2015:09:28:15 +0200] DSRetroclPlugin - delete_changerecord: could not 
delete change record 38376 (rc: 51)
[06/May/2015:09:28:15 +0200] - Operation error fetching Null DN 
(6368aeb7-f3c111e4-ae70ce39-9b469c1f), error -30993.
[06/May/2015:09:28:15 +0200] - dn2entry_ext: Failed to get id for 
changenumber=44975,cn=changelog from entryrdn index (-30993)
[06/May/2015:09:28:15 +0200] - Operation error fetching 
changenumber=44975,cn=changelog (null), error -30993.
[06/May/2015:09:28:15 +0200] DSRetroclPlugin - replog: an error occured while 
adding change number 44975, dn = changenumber=44975,cn=changelog: Operations 
error. 
[06/May/2015:09:28:15 +0200] retrocl-plugin - retrocl_postob: operation failure 
[1]
[06/May/2015:09:28:15 +0200] - ldbm_back_seq deadlock retry BAD 1601, err=0 
BDB0062 Successful return: 0
[06/May/2015:09:30:03 +0200] - ldbm_back_seq deadlock retry BAD 1601, err=0 
BDB0062 Successful return: 0
[06/May/2015:09:30:06 +0200] - Retry count exceeded in delete
[06/May/2015:09:30:06 +0200] DSRetroclPlugin - delete_changerecord: could not 
delete change record 39297 (rc: 51)

I did re-initialize from other replica.

Now ipactl doesn't work. Shows: Configured hostname 'replica09.local' does not 
match any master server in LDAP. On the list replica09 exists (twice).

# ipactl status
Failed to get list of services to probe status!
Configured hostname 'replica09.local' does not match any master server in LDAP:
replica01.local
replica02.local
replica03.local
replica04.local
replica05.local
replica06.local
replica07.local
replica08.local
replica09.local
replica10.local
replica09.local

After dirsrv stop/start:

In error logs there are many:
[06/May/2015:09:50:30 +0200] DSRetroclPlugin - delete_changerecord: could not 
delete change record 39290 (rc: 32)
[06/May/2015:09:50:30 +0200] DSRetroclPlugin - delete_changerecord: could not 
delete change record 39291 (rc: 32)
[06/May/2015:09:50:30 +0200] DSRetroclPlugin - delete_changerecord: could not 
delete change record 39292 (rc: 32)
[06/May/2015:09:50:30 +0200] DSRetroclPlugin - delete_changerecord: could not 
delete change record 39293 (rc: 32)
[06/May/2015:09:50:30 +0200] DSRetroclPlugin - delete_changerecord: could not 
delete change record 39294 (rc: 32)
[06/May/2015:09:50:30 +0200] DSRetroclPlugin - delete_changerecord: could not 
delete change record 39295 (rc: 32)
[06/May/2015:09:50:30 +0200] DSRetroclPlugin - delete_changerecord: could not 
delete change record 39296 (rc: 32)
etc.

[06/May/2015:09:51:08 +0200] - Operation error fetching Null DN 
(9f51430a-f3c411e4-927ece39-9b469c1f), error -30993.
[06/May/2015:09:51:08 +0200] - dn2entry_ext: Failed to get id for 
changenumber=45577,cn=changelog from entryrdn index (-30993)
[06/May/2015:09:51:08 +0200] - Operation error fetching 
changenumber=45577,cn=changelog (null), error -30993.
[06/May/2015:09:51:08 +0200] DSRetroclPlugin - replog: an error occured while 
adding change number 45577, dn = changenumber=45577,cn=changelog: Operations 
error. 
[06/May/2015:09:51:08 +0200] retrocl-plugin - retrocl_postob: operation failure 
[1]
[06/May/2015:09:51:08 +0200] - ldbm_back_seq deadlock retry BAD 1601, err=0 
BDB0062 Successful return: 0

Packages:
freeipa-server-4.1.3-2.fc21.x86_64
389-ds-base-1.3.3.8-1.fc21.x86_64
389-ds-base-libs-1.3.3.8-1.fc21.x86_64

Best regards,
Ender

-- 
Lukasz Jaworski

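As an added example (not part of the thread and not 389-ds or FreeIPA code), the triage below runs over log lines constructed from the excerpts above and separates the failing trims by LDAP result code, the failing adds by change number (the increasing-changenumber observation from Ludwig's reply), the backend deadlock retries and the agreement that could not locate a CSN; the names for result codes 32 and 51 are the standard LDAP ones.

```python
import re
from collections import Counter

# 389-ds error-log lines constructed from the excerpts quoted in this thread.
SAMPLE_LOG = """\
[06/May/2015:09:28:15 +0200] - Retry count exceeded in delete
[06/May/2015:09:28:15 +0200] DSRetroclPlugin - delete_changerecord: could not delete change record 38376 (rc: 51)
[06/May/2015:09:28:15 +0200] - dn2entry_ext: Failed to get id for changenumber=44975,cn=changelog from entryrdn index (-30993)
[06/May/2015:09:28:15 +0200] DSRetroclPlugin - replog: an error occured while adding change number 44975, dn = changenumber=44975,cn=changelog: Operations error.
[06/May/2015:09:28:15 +0200] - ldbm_back_seq deadlock retry BAD 1601, err=0 BDB0062 Successful return: 0
[06/May/2015:09:30:06 +0200] DSRetroclPlugin - delete_changerecord: could not delete change record 39297 (rc: 51)
[06/May/2015:09:50:30 +0200] DSRetroclPlugin - delete_changerecord: could not delete change record 39290 (rc: 32)
[06/May/2015:09:50:30 +0200] DSRetroclPlugin - delete_changerecord: could not delete change record 39291 (rc: 32)
[06/May/2015:09:51:08 +0200] DSRetroclPlugin - replog: an error occured while adding change number 45577, dn = changenumber=45577,cn=changelog: Operations error.
[06/May/2015:09:51:08 +0200] - ldbm_back_seq deadlock retry BAD 1601, err=0 BDB0062 Successful return: 0
[06/May/2015:11:00:04 +0200] agmt=cn=cloneAgreement1-replica09.local-pki-tomcat (replica08:389) - Can't locate CSN 55100d8c069f in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
"""

# LDAP result codes that appear in the delete_changerecord messages.
LDAP_RC_NAMES = {32: "noSuchObject", 51: "busy"}

DELETE_RE = re.compile(r"delete_changerecord: could not delete change record (\d+) \(rc: (\d+)\)")
ADD_RE = re.compile(r"replog: an error occured while adding change number (\d+),")
DEADLOCK_RE = re.compile(r"ldbm_back_seq deadlock retry")
CSN_RE = re.compile(r"agmt=cn=(\S+) \(([^)]+)\) - Can't locate CSN ([0-9a-f]+) in the changelog")


def rc_name(rc):
    return LDAP_RC_NAMES.get(rc, "rc%d" % rc)


def triage_retrocl_log(text):
    """Group the retro-changelog and replication errors in `text` so the
    questions asked in the thread can be answered from the log itself: which
    trims fail and with what result code, whether failing adds keep moving to
    higher change numbers, how often the backend retried after a deadlock, and
    which agreement lost track of a CSN."""
    delete_rc = Counter()
    delete_failures, add_failures, missing_csn = [], [], []
    deadlocks = 0
    for line in text.splitlines():
        m = DELETE_RE.search(line)
        if m:
            changenumber, rc = int(m.group(1)), int(m.group(2))
            delete_rc[rc] += 1
            delete_failures.append((changenumber, rc))
            continue
        m = ADD_RE.search(line)
        if m:
            add_failures.append(int(m.group(1)))
            continue
        if DEADLOCK_RE.search(line):
            deadlocks += 1
            continue
        m = CSN_RE.search(line)
        if m:
            missing_csn.append((m.group(1), m.group(2), m.group(3)))
    return {
        "delete_rc": dict(delete_rc),
        "delete_failures": delete_failures,
        "add_failures": add_failures,
        # Ludwig's reading: failing adds at strictly increasing change numbers
        # mean the changelog is still being written to.
        "add_changenumbers_increasing": add_failures == sorted(set(add_failures)),
        "deadlock_retries": deadlocks,
        "missing_csn": missing_csn,
    }


def report(summary):
    """One line per finding, for a ticket or a reply to the list."""
    out = ["trim failures (%s): %d" % (rc_name(rc), n)
           for rc, n in sorted(summary["delete_rc"].items())]
    out.append("add failures at change numbers %s (increasing: %s)"
               % (summary["add_failures"], summary["add_changenumbers_increasing"]))
    out.append("backend deadlock retries: %d" % summary["deadlock_retries"])
    for agmt, peer, csn in summary["missing_csn"]:
        out.append("agreement %s towards %s cannot locate CSN %s; the log itself "
                   "says the consumer may need to be reinitialized" % (agmt, peer, csn))
    return out


if __name__ == "__main__":
    for line in report(triage_retrocl_log(SAMPLE_LOG)):
        print(line)
```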


Re: [Freeipa-users] What am I missing? ipaca?

2015-03-25 Thread Łukasz Jaworski
Hi,

Message written by Martin Kosek mko...@redhat.com on 24 Mar 2015, at 17:08:

 Right. Maybe you reinstalled IPA replica (several times) without cleaning the
 RUV? With
 
 # ipa-replica-manage list-ruv
 # ipa-replica-manage clean-ruv
 
 you should be able to clean the old (lower) RUVs and see if the error
 disappears. More info in man ipa-replica-manage and on
 
 https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/managing-topology.html#cleanruv
 
 Martin

After clean-ruv it looks better.
But I had some problems with ipa-replica-manage:
1. looks like ipa-replica-manage works only with dc=x replicas, not o=ipaca
2. There is no clean-ruv option in ipa-csreplica-manage

Best regards,
Ender


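As an added example (not FreeIPA's or 389-ds's code) of spotting the stale RUVs that clean-ruv is meant to remove, the functions below parse nsds50ruv values from an LDIF dump of the o=ipaca replica entry, like the ldapsearch output further down this thread, and list hosts that appear under more than one replica ID; the LDIF and the current-ID map are constructed from the values quoted there.

```python
import re
from collections import defaultdict

# LDIF constructed from the nsds50ruv values quoted in this thread (CSN values
# as they appear there). Long values are folded LDIF-style: a continuation
# line starts with one space, which the unfolder strips, so the second space
# below is the real separator between min and max CSN.
SAMPLE_LDIF = """\
dn: cn=replica,cn=o\\3Dipaca,cn=mapping tree,cn=config
nscpentrywsi: nsDS5ReplicaId: 96
nscpentrywsi: nsds50ruv: {replicageneration} 550feb150060
nscpentrywsi: nsds50ruv: {replica 96 ldap://host25.x1.net:389} 550feb1d0060
  551129d70060
nscpentrywsi: nsds50ruv: {replica 1195 ldap://host28.x1.net:389} 550feed904ab
  551129d7000804ab
nscpentrywsi: nsds50ruv: {replica 1685 ldap://host68.x1.net:389} 551016e70695
  551016e800030695
nscpentrywsi: nsds50ruv: {replica 1690 ldap://host68.x1.net:389} 551012ed069a
  551012ee0001069a
nscpentrywsi: nsds50ruv: {replica 1695 ldap://host68.x1.net:389} 55100d8b069f
  55100d8c0001069f
nscpentrywsi: nsds50ruv: {replica 91 ldap://host51.x2:389} 550ff144005b
  551113bd0003005b
nscpentrywsi: nsds50ruv: {replica 97 ldap://host26.x1.net:389} 550feb270061
  5511271100040061
"""

RUV_RE = re.compile(r"\{replica (\d+) (ldap://[^}]+)\}\s*(\S*)\s*(\S*)")


def unfold_ldif(text):
    """Join LDIF continuation lines (leading single space) onto their parent."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ruv(ldif_text):
    """Return (replica_id, url, min_csn, max_csn) for every nsds50ruv value;
    the {replicageneration} value carries no replica ID and is skipped."""
    entries = []
    for line in unfold_ldif(ldif_text):
        if "nsds50ruv:" not in line:
            continue
        m = RUV_RE.search(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return entries


def ids_by_host(entries):
    by_host = defaultdict(list)
    for rid, url, _min_csn, _max_csn in entries:
        host = url[len("ldap://"):].split(":")[0]
        by_host[host].append(rid)
    return {host: sorted(ids) for host, ids in by_host.items()}


def hosts_with_multiple_ids(entries):
    """A host listed under several replica IDs has been reinstalled without
    clean-ruv; the other IDs are what the RUV still expects updates from."""
    return {h: ids for h, ids in ids_by_host(entries).items() if len(ids) > 1}


def stale_candidates(entries, current_ids):
    """`current_ids` maps host -> the nsDS5ReplicaId that host reports today
    (read from its own cn=replica entry, not guessed from the RUV). Every
    other ID under that host is a candidate for clean-ruv."""
    stale = []
    for host, ids in ids_by_host(entries).items():
        if host in current_ids:
            stale.extend(i for i in ids if i != current_ids[host])
    return sorted(stale)


if __name__ == "__main__":
    entries = parse_ruv(SAMPLE_LDIF)
    print(hosts_with_multiple_ids(entries))
    # Constructed: assume host68 currently reports replica ID 1695.
    print(stale_candidates(entries, {"host68.x1.net": 1695}))
```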


Re: [Freeipa-users] What am I missing? ipaca?

2015-03-24 Thread Łukasz Jaworski
Hi,

Message written by thierry bordaz tbor...@redhat.com on 24 Mar 2015, at 10:01:
 
 It seems that this error is logged each time a replication session is 
 started. At the beginning of the session, the replica that receives the 
 replication request tries to update the referral list of the replicated 
 suffix (replica) according to the metadata sent by the master.
 At this step, it fails with these logs.
 I would like to check the validity (duplicate?) of the referrals 
 contained in the master metadata. Would it be possible for you to run the following 
 command on all your instances:
  ldapsearch -h .. -pxxx -D cn=directory manager -w xxx -b o=ipaca 
 ((objectclass=nstombstone)(nsUniqueId=---))
  nscpentrywsi

Servers:
dc1:
host25.x1.net:
host26.x1.net:
host27.x1.net:
host28.x1.net:
host68.x1.net:

dc2:
host51.x2:
host52.x2:
host32.x2:
host33.x2:
host18.x2:

connected:
68  28  25  51  33  18
|   |   ||
|   |   ||
27  26  52  32


host25.x1.net: 
# extended LDIF
#
# LDAPv3
# base o=ipaca with scope subtree
# filter: 
((objectclass=nstombstone)(nsUniqueId=---))
# requesting: nscpentrywsi 
#

# replica, o\3Dipaca, mapping tree, config
dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
nscpentrywsi: dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
nscpentrywsi: objectClass: top
nscpentrywsi: objectClass: nsDS5Replica
nscpentrywsi: objectClass: extensibleobject
nscpentrywsi: nsDS5ReplicaRoot: o=ipaca
nscpentrywsi: nsDS5ReplicaType: 3
nscpentrywsi: nsDS5ReplicaBindDN: cn=Replication Manager masterAgreement1-s50026.x1.net-pki-tomcat,ou=csusers,cn=config
nscpentrywsi: nsDS5ReplicaBindDN: cn=replication manager,cn=config
nscpentrywsi: nsDS5ReplicaBindDN: cn=Replication Manager masterAgreement1-s41651.x2-pki-tomcat,ou=csusers,cn=config
nscpentrywsi: cn: replica
nscpentrywsi: nsDS5ReplicaId: 96
nscpentrywsi: nsDS5Flags: 1
nscpentrywsi: creatorsName: uid=pkidbuser,ou=people,o=ipaca
nscpentrywsi: modifiersName: cn=Multimaster Replication Plugin,cn=plugins,cn=config
nscpentrywsi: createTimestamp: 20150323102941Z
nscpentrywsi: modifyTimestamp: 20150324090956Z
nscpentrywsi: nsState:: YADcKRFVAgACAA==
nscpentrywsi: nsDS5ReplicaName: 7bed7405-d14711e4-92bcd6f7-18cf6218
nscpentrywsi: numSubordinates: 3
nscpentrywsi: nsds50ruv: {replicageneration} 550feb150060
nscpentrywsi: nsds50ruv: {replica 96 ldap://host25.x1.net:389} 550feb1d0060 551129d70060
nscpentrywsi: nsds50ruv: {replica 1195 ldap://host28.x1.net:389} 550feed904ab 551129d7000804ab
nscpentrywsi: nsds50ruv: {replica 1685 ldap://host68.x1.net:389} 551016e70695 551016e800030695
nscpentrywsi: nsds50ruv: {replica 1690 ldap://host68.x1.net:389} 551012ed069a 551012ee0001069a
nscpentrywsi: nsds50ruv: {replica 1695 ldap://host68.x1.net:389} 55100d8b069f 55100d8c0001069f
nscpentrywsi: nsds50ruv: {replica 91 ldap://host51.x2:389} 550ff144005b 551113bd0003005b
nscpentrywsi: nsds50ruv: {replica 97 ldap://host26.x1.net:389} 550feb270061 5511271100040061
nscpentrywsi: nsds50ruv: {replica 1095 ldap://host27.x1.net:389} 550fecef0447 55111c8b00050447
nscpentrywsi: nsds50ruv: {replica 1295 ldap://host52.x2:389} 550ff348050f 5511138e000b050f
nscpentrywsi: nsds50ruv: {replica 1395 ldap://host32.x2:389} 550ff5ed0573 55110c8500030573
nscpentrywsi: nsds50ruv: {replica 1495 ldap://host33.x2:389} 550ff83705d7 551125b1000105d7
nscpentrywsi: nsds50ruv: {replica 1595 ldap://host18.x2:389} 550ffc6b063b 550ffc6c0001063b
nscpentrywsi: nsds50ruv: {replica 1590 ldap://host18.x2:389} 551a0636 551b00010636
nscpentrywsi: nsds50ruv: {replica 1585 ldap://host18.x2:389} 551003850631 5510038700010631
nscpentrywsi: nsds5agmtmaxcsn: o=ipaca;masterAgreement1-host26.x1.net-pki-tomcat;host26.x1.net;389;97;551129d70060
nscpentrywsi: nsds5agmtmaxcsn: o=ipaca;masterAgreement1-host28.x1.net-pki-tomcat;host28.x1.net;389;1195;551129d70060
nscpentrywsi: nsds5agmtmaxcsn: o=ipaca;cloneAgreement1-host51.x2-pki-tomcat;host51.x2;389;91;551129d70060
nscpentrywsi: nsruvReplicaLastModified: {replica 96 ldap://host25.x1.net:389} 551129d5
nscpentrywsi: nsruvReplicaLastModified: {replica 1195 ldap://host28.x1.net:389} 551129d8
nscpentrywsi: nsruvReplicaLastModified: {replica 1685 ldap://host68.x1.net:389} 
nscpentrywsi: nsruvReplicaLastModified: {replica 1690 ldap://host68.x1.net:389} 
nscpentrywsi: nsruvReplicaLastModified: {replica 1695 ldap://host68.x1.net:389} 
nscpentrywsi: nsruvReplicaLastModified: 
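
The RUV host25 dumped above carries three replica IDs each for host68.x1.net and host18.x2, which is exactly the symptom Martin describes in the reply above (replicas reinstalled without cleaning the RUV), and as Ender notes ipa-replica-manage clean-ruv only handles the domain suffix. The block below is an added example, not code from this thread, from FreeIPA or from 389-ds: it parses nsds50ruv values as dumped above, lists hosts that own more than one replica ID, works out which IDs no live master claims, and emits the 389-ds CLEANALLRUV task entry for the o=ipaca suffix (the same task type ipa-replica-manage clean-ruv submits for the domain suffix). The set of live replica IDs is an assumption here; in practice read nsDS5ReplicaId from cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config on every CA master first, because cleaning the ID of a replica that is still alive breaks replication to it.

```python
"""Added example (not from the thread, FreeIPA or 389-ds): find stale replica
IDs in an o=ipaca RUV and build the CLEANALLRUV task LDIF for them."""
import re
from collections import defaultdict

# Constructed sample: the nsds50ruv values host25 posted above, rejoined onto
# one line each (CSNs are shortened as in the archive; only replica id and
# host are used below).
SAMPLE_RUV = """\
nscpentrywsi: nsds50ruv: {replicageneration} 550feb150060
nscpentrywsi: nsds50ruv: {replica 96 ldap://host25.x1.net:389} 550feb1d0060 551129d70060
nscpentrywsi: nsds50ruv: {replica 1195 ldap://host28.x1.net:389} 550feed904ab 551129d7000804ab
nscpentrywsi: nsds50ruv: {replica 1685 ldap://host68.x1.net:389} 551016e70695 551016e800030695
nscpentrywsi: nsds50ruv: {replica 1690 ldap://host68.x1.net:389} 551012ed069a 551012ee0001069a
nscpentrywsi: nsds50ruv: {replica 1695 ldap://host68.x1.net:389} 55100d8b069f 55100d8c0001069f
nscpentrywsi: nsds50ruv: {replica 91 ldap://host51.x2:389} 550ff144005b 551113bd0003005b
nscpentrywsi: nsds50ruv: {replica 1595 ldap://host18.x2:389} 550ffc6b063b 550ffc6c0001063b
nscpentrywsi: nsds50ruv: {replica 1590 ldap://host18.x2:389} 551a0636 551b00010636
nscpentrywsi: nsds50ruv: {replica 1585 ldap://host18.x2:389} 551003850631 5510038700010631
"""

# Assumption for the example: nsDS5ReplicaId read from each live CA master.
# host25 really is 96 (see nsDS5ReplicaId above); the other values are invented.
ASSUMED_LIVE_RIDS = {96, 1195, 1685, 91, 1595}

RUV_ELEMENT = re.compile(
    r"\{replica (?P<rid>\d+) (?P<url>ldap://[^}]+)\}\s*(?P<mincsn>\S+)?\s*(?P<maxcsn>\S+)?"
)


def parse_ruv(text):
    """Return [(rid, host, maxcsn), ...] from nsds50ruv lines.

    The {replicageneration} element carries no replica id and is skipped.
    A line wrapped by the archive still yields rid and host; maxcsn may be "".
    """
    elements = []
    for line in text.splitlines():
        if "nsds50ruv:" not in line:
            continue
        m = RUV_ELEMENT.search(line)
        if m is None:
            continue
        host = m.group("url")[len("ldap://"):].rsplit(":", 1)[0]
        elements.append((int(m.group("rid")), host, m.group("maxcsn") or ""))
    return elements


def rids_per_host(elements):
    """Map host -> set of replica ids; more than one id per host means the
    host was reinstalled without the old id being cleaned from the RUV."""
    per_host = defaultdict(set)
    for rid, host, _ in elements:
        per_host[host].add(rid)
    return dict(per_host)


def stale_rids(elements, live_rids):
    """Replica ids present in the RUV that no live master claims."""
    return sorted({rid for rid, _, _ in elements} - set(live_rids))


def cleanallruv_ldif(rid, suffix="o=ipaca", force=False):
    """LDIF for the 389-ds CLEANALLRUV task; add it with ldapmodify -a on one
    master and the task propagates to the other masters of that suffix."""
    return "\n".join([
        f"dn: cn=clean {rid},cn=cleanallruv,cn=tasks,cn=config",
        "objectclass: extensibleObject",
        f"replica-base-dn: {suffix}",
        f"replica-id: {rid}",
        f"replica-force-cleaning: {'yes' if force else 'no'}",
        "",
    ])


if __name__ == "__main__":
    elems = parse_ruv(SAMPLE_RUV)
    for host, rids in sorted(rids_per_host(elems).items()):
        if len(rids) > 1:
            print(f"{host}: multiple replica ids {sorted(rids)}")
    for rid in stale_rids(elems, ASSUMED_LIVE_RIDS):
        print(cleanallruv_ldif(rid))
```

Run it as-is to see the report for the sample; against a real deployment, feed it the nsds50ruv output of the ldapsearch above and the nsDS5ReplicaId values you collected, then submit each generated entry with ldapmodify as Directory Manager and watch the errors log for the task to finish before trusting a replication restart.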

Re: [Freeipa-users] group issue (freeipa4)

2015-03-05 Thread Łukasz Jaworski
> This ^^ line tells me it's a known SSSD bug:
> https://fedorahosted.org/sssd/ticket/2421
> 
> This bug only happens in a combination of an old client and a particular
> server version.
> 
> IIRC a subsequent server update fixed the ACIs on the server so that at
> least objectClass was readable. You can also work around the bug on the
> client by disabling dereference:
> ldap_deref_threshold = 0
> 
> BTW, SSSD version 1.8 is quite old and not supported upstream anymore.

Thanks.

We will switch to a newer SSSD version.

Best regards,
Ender
-- 
Łukasz Jaworski
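
The chain the reply quoted above describes is visible in the debug log posted further down: the client dereferences the role entry cn=helpdesk,cn=roles,cn=accounts,dc=example, the server's ACIs let it see the entry but none of its attributes, sdap_parse_deref rejects the empty entry and the whole initgroups request fails, so id shows only the primary group. The block below is an added example, not code from this thread or from SSSD: it parses sssd debug lines in the format posted below, reports the dereferenced DNs that came back empty when the lookup then failed, and writes ldap_deref_threshold = 0 into the [domain/...] section of sssd.conf. The log and config samples are constructed from the post. Two caveats: configparser rewrites the file in its own layout, so review the result before replacing a production sssd.conf, and disabling deref trades one control for member-by-member lookups, so it is a workaround until the server ACIs or the client are updated as the reply suggests.

```python
"""Added example (not from the thread or SSSD): spot the deref failure chain
in an sssd domain log and apply the ldap_deref_threshold = 0 workaround."""
import configparser
import io
import re

# Constructed sample: lines from the domain log posted in the original report,
# rejoined onto one line each (the archive wrapped them).
SAMPLE_LOG = """\
(Thu Mar  5 08:23:54 2015) [sssd[be[example.com]]] [be_get_account_info] (0x0100): Got request for [4099][1][name=test1]
(Thu Mar  5 08:23:54 2015) [sssd[be[example.com]]] [sdap_parse_deref] (0x0080): Dereferenced entry [cn=helpdesk,cn=roles,cn=accounts,dc=example] has no attributes
(Thu Mar  5 08:23:54 2015) [sssd[be[example.com]]] [sdap_x_deref_parse_entry] (0x0040): sdap_parse_deref failed [22]: Invalid argument
(Thu Mar  5 08:23:54 2015) [sssd[be[example.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,22,Init group lookup failed
"""

# Constructed sample: a trimmed copy of the sssd.conf posted in the original report.
SAMPLE_CONF = """\
[domain/example.com]
cache_credentials = True
id_provider = ipa
auth_provider = ipa
ipa_domain = example.com
ipa_server =ipaserver.example.com

[sssd]
services = nss, pam
domains = example.com
"""

LOG_LINE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<proc>.+?)\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-f]+)\): (?P<msg>.*)$"
)
EMPTY_DEREF = re.compile(r"Dereferenced entry \[(?P<dn>[^\]]+)\] has no attributes")


def parse_log(text):
    """Split sssd debug lines into timestamp, process, function, level, message."""
    return [m.groupdict() for m in map(LOG_LINE.match, text.splitlines()) if m]


def unreadable_deref_entries(records):
    """DNs the server dereferenced but returned without attributes (the
    client's ACIs hide them), reported only if the lookup then failed;
    an empty list means the log does not show this bug."""
    dns = [EMPTY_DEREF.search(r["msg"]).group("dn")
           for r in records
           if r["func"] == "sdap_parse_deref" and EMPTY_DEREF.search(r["msg"])]
    failed = any("Init group lookup failed" in r["msg"] for r in records)
    return dns if failed else []


def disable_deref(conf_text, domain):
    """Return conf_text with ldap_deref_threshold = 0 in [domain/<domain>],
    so SSSD looks members up individually instead of using the deref control."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    cp[f"domain/{domain}"]["ldap_deref_threshold"] = "0"
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


def get_option(conf_text, section, key):
    """Read one option back from config text (used to verify the edit)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp[section].get(key)


if __name__ == "__main__":
    hidden = unreadable_deref_entries(parse_log(SAMPLE_LOG))
    if hidden:
        print("initgroups failed on unreadable dereferenced entries:", hidden)
        print(disable_deref(SAMPLE_CONF, "example.com"))
```

After writing the new sssd.conf, restart sssd and clear its cache (sss_cache -E, or remove the cache database) so the failed initgroups result is not served from cache; then rerun id for the affected user.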




[Freeipa-users] group issue (freeipa4)

2015-03-04 Thread Łukasz Jaworski
Hello,

I have a group issue on SSSD 1.8.6 and 1.11.5 (on Ubuntu 12.04 and 14.04) and
FreeIPA 4 (freeipa-server-4.1.2-1 on Fedora 21, 389-ds-base-1.3.3.8-1).

If a user has a role assigned, I can't get all of the user's groups with the id command.
Everything works for users without a role/special permissions.

Information about test users from ipa server:

User with role helpdesk:
# ipa user-show test1
  User login: test1
  Member of groups: testgroup2, testgroup3, ipausers, testgroup4, testgroup1
  Roles: helpdesk

User without role:
# ipa user-show test2
  User login: test2
  Member of groups: testgroup2, ipausers, testgroup4, testgroup1, testgroup3

Information about user on client (ubuntu 12.04):

# id test1
uid=1016(test1) gid=1016(test1) groups=1016(test1)

# id test2
uid=1022(test2) gid=1022(test2) groups=1022(test2),1014(testgroup4),1012(testgroup3),1011(testgroup2),1004(testgroup1)


(Thu Mar  5 08:23:54 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'test1' matched without domain, user is test1
(Thu Mar  5 08:23:54 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
(Thu Mar  5 08:23:54 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [test1] from [ALL]
(Thu Mar  5 08:23:54 2015) [sssd[nss]] [nss_cmd_initgroups_search] (0x0100): Requesting info for [te...@example.com]
(Thu Mar  5 08:23:54 2015) [sssd[be[example.com]]] [be_get_account_info] (0x0100): Got request for [4099][1][name=test1]
(Thu Mar  5 08:23:54 2015) [sssd[be[example.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Thu Mar  5 08:23:54 2015) [sssd[be[example.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Thu Mar  5 08:23:54 2015) [sssd[be[example.com]]] [sdap_attrs_get_sid_str] (0x0080): No [objectSIDString] attribute while id-mapping. [0][Success]
(Thu Mar  5 08:23:54 2015) [sssd[be[example.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Thu Mar  5 08:23:54 2015) [sssd[be[example.com]]] [sdap_parse_deref] (0x0080): Dereferenced entry [cn=helpdesk,cn=roles,cn=accounts,dc=example] has no attributes
(Thu Mar  5 08:23:54 2015) [sssd[be[example.com]]] [sdap_x_deref_parse_entry] (0x0040): sdap_parse_deref failed [22]: Invalid argument
(Thu Mar  5 08:23:54 2015) [sssd[be[example.com]]] [sdap_get_generic_ext_done] (0x0020): reply parsing callback failed.
(Thu Mar  5 08:23:54 2015) [sssd[be[example.com]]] [sdap_x_deref_search_done] (0x0100): sdap_get_generic_ext_recv failed [22]: Invalid argument
(Thu Mar  5 08:23:54 2015) [sssd[be[example.com]]] [sdap_deref_search_done] (0x0040): dereference processing failed [22]: Invalid argument
(Thu Mar  5 08:23:54 2015) [sssd[be[example.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,22,Init group lookup failed
(Thu Mar  5 08:23:54 2015) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider
Error: 3, 22, Init group lookup failed
Will try to return what we have in cache


sssd.conf:

[domain/example.com]
cache_credentials = True
krb5_store_password_if_offline = True
krb5_realm = example
ipa_domain = example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = test.example.com
chpass_provider = ipa
ipa_server = ipaserver.example.com
ldap_tls_cacert = /etc/ipa/ca.crt
enumerate = False
min_id = 1000
lookup_family_order = ipv4_only


[sssd]
services = nss, pam, sudo, ssh
config_file_version = 2
domains = example.com

[nss]

[pam]

[sudo]

[autofs]

[ssh]



Best regards
Łukasz Jaworski Ender

