[Freeipa-users] Re: Replica won't start

2018-12-07 Thread Bret Wortman via FreeIPA-users

Woot!

We had a stale, old server VM that got powered on. Once we shut it 
down and then cycled these, they worked just fine.


Weird, but we're past this. Thanks!



___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org





[Freeipa-users] Re: Replica won't start

2018-12-07 Thread Bret Wortman via FreeIPA-users

Other symptoms:

# kinit admin
:
# ipa help user
ipa: ERROR: No valid Negotiate header in server response

This is now happening on our primary IPA server.






[Freeipa-users] Re: Replica won't start

2018-12-07 Thread Bret Wortman via FreeIPA-users

I'm seeing this in /var/log/messages periodically:

systemd: Starting IPA key daemon...
ipa-dnskeysyncd: ipa  : INFO LDAP bind...
ipa-dnskeysyncd: ipa  : ERROR Login to LDAP server failed: 
{'desc': 'Invalid credentials'}

ipa-dnskeysyncd: Traceback (most recent call last):
ipa-dnskeysyncd: File "/usr/libexec/ipa/ipa-dnskeysyncd", line 94, in 

ipa-dnskeysyncd: ldap_connection.sasl_interactive_bind_s("", 
ipaldap.SASL_GSSAPI)
ipa-dnskeysyncd: File 
"/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 850, in 
sasl_interactive_bind_s
ipa-dnskeysyncd: res = 
self._apply_method_s(SimpleLDAPObject.sasl_interactive_bind_s,*args,**kwargs)
ipa-dnskeysyncd: File 
"/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 818, in 
_apply_method_s

ipa-dnskeysyncd: return func(self,*args,**kwargs)
ipa-dnskeysyncd: File 
"/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 229, in 
sasl_interactive_bind_s
ipa-dnskeysyncd: return 
self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags)
ipa-dnskeysyncd: File 
"/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in 
_ldap_call

ipa-dnskeysyncd: result = func(*args,**kwargs)
ipa-dnskeysyncd: INVALID_CREDENTIALS:{'desc': 'Invalid credentials'}
systemd: ipa-dnskeysyncd.service: main process exited, code=exited, 
status=1/FAILURE

systemd: Unit ipa-dnskeysyncd.service entered failed state
systemd: ipa-dnskeysyncd.service failed.

Also, my main server is now spitting this into /var/log/messages on a 
regular basis:


GSSAPI Error: Unspecified GSS failure. Minor code may provide more 
information (Credential cache is empty)


Our whole development group is essentially down while this is going on. No 
one can log on, DNS resolution isn't working at all, Kerberos tickets 
aren't working the way they should, and the IPA web UI isn't letting me 
log in via Kerberos _or_ with the admin account and its password (which 
_does_ work to grab the admin Kerberos ticket).


I'm very confused.


Bret


[Freeipa-users] Re: Replica won't start

2018-12-07 Thread Bret Wortman via FreeIPA-users

Yes:

# KRB5_TRACE=/dev/stderr ldapsearch -H 
'ldapi://%2fvar%2frun%2fslapd-MY-NET.socket' -Y GSSAPI -b 
'cn=dns,dc=my,dc=net'

SASL/GSSAPI authentication started
[28940] 1544178390.191479: ccselect module real chose cache 
KEYRING:persistent:0:0 with client principal DNS/ipa3.my@my.net for 
server principal ldap/ipa3.my@my.net
[28940] 1544178390.191480: Getting credentials DNS/ipa3.my@my.net -> 
ldap/ipa3.my@my.net using ccache KEYRING:persistent:0:0
[28940] 1544178390.191481: Retrieving DNS/ipa3.my@my.net -> 
ldap/ipa3.my@my.net from KEYRING:persistent:0:0 with result: 0/Success
[28940] 1544178390.191479: Creating authenticator for 
DNS/ipa3.my@my.net -> ldap/ipa3.my@my.net, segnum 57129937, 
subkey aes256-cts/D4C9, session key aes256-cts/0CA2

ldap_sasl_interactive_bind_s: Invalid credentials (49)
#


On 12/06/2018 03:20 PM, Robbie Harwood wrote:

Can you retry the ldapsearch command with KRB5_TRACE=/dev/stderr and
show the output?

Thanks,
--Robbie
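The trace above shows the client building a valid authenticator for DNS/ipa3 -> ldap/ipa3 and slapd still answering Invalid credentials (49). A successful kinit only proves that the client keytab matches the KDC's copy of the client key; the bind can still be rejected when the service ticket the KDC issues for ldap/<host> carries a key version (kvno) that the server's own keytab does not hold, which is the kind of state an old host or replica image can leave behind. The following Python is an added example written for this page, not code from the thread or from FreeIPA, and the thread does not confirm that a kvno mismatch was the cause here; it is the general cross-check a practitioner runs at this point. It parses `klist -kte` and `kvno` output; the hostname ipa3.my.net, realm MY.NET, the slapd keytab path /etc/dirsrv/ds.keytab and all sample output are constructed assumptions.

```python
"""Cross-check key versions (kvno) between local keytabs and the KDC.

Added example for this thread, not code from FreeIPA or from the thread.
A successful ``kinit -kt`` only proves the client keytab matches the KDC's
copy of the *client* key; a GSSAPI bind can still fail with
``Invalid credentials (49)`` if the ticket the KDC issues for ldap/<host>
uses a kvno the *server's* keytab does not hold (stale host/replica keys).

Live inputs:  klist -kte /etc/named.keytab ; klist -kte /etc/dirsrv/ds.keytab
              kvno DNS/ipa3.my.net ldap/ipa3.my.net      (after kinit)
Here the outputs are constructed inline so the example runs offline.
"""
import re
from collections import defaultdict

# One key line of `klist -kte`:
#    5 12/06/2018 14:50:00 DNS/ipa3.my.net@MY.NET (aes256-cts-hmac-sha1-96)
KEYTAB_LINE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+\S+\s+\S+\s+(?P<princ>\S+)\s+\((?P<etype>[^)]+)\)\s*$"
)
# One line of `kvno`:  ldap/ipa3.my.net@MY.NET: kvno = 5
KVNO_LINE = re.compile(r"^(?P<princ>\S+):\s+kvno\s*=\s*(?P<kvno>\d+)\s*$")


def parse_klist_kte(text):
    """Return {principal: {(kvno, enctype), ...}} from `klist -kte` output."""
    keys = defaultdict(set)
    for line in text.splitlines():
        m = KEYTAB_LINE.match(line)
        if m:
            keys[m.group("princ")].add((int(m.group("kvno")), m.group("etype")))
    return dict(keys)


def parse_kvno(text):
    """Return {principal: kvno} from `kvno` output. `kvno` fetches a service
    ticket and prints the kvno of the key it was encrypted with, i.e. the
    key version the KDC currently uses for that principal."""
    issued = {}
    for line in text.splitlines():
        m = KVNO_LINE.match(line)
        if m:
            issued[m.group("princ")] = int(m.group("kvno"))
    return issued


def cross_check(keytabs, kvno_output):
    """keytabs: {label: klist -kte text}. Returns a sorted list of
    (principal, keytab label, issued kvno, kvnos held) for every principal
    the KDC issued a ticket for whose kvno is missing from a keytab that
    holds that principal. Empty list: every keytab can decrypt its tickets."""
    issued = parse_kvno(kvno_output)
    mismatches = []
    for label, text in keytabs.items():
        for princ, keys in parse_klist_kte(text).items():
            if princ not in issued:
                continue  # no ticket was requested for this principal
            held = sorted({kvno for kvno, _ in keys})
            if issued[princ] not in held:
                mismatches.append((princ, label, issued[princ], held))
    return sorted(mismatches)


# Constructed sample output (hostname/realm assumed; not from the thread).
NAMED_KEYTAB = """\
Keytab name: FILE:/etc/named.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   5 12/06/2018 14:50:00 DNS/ipa3.my.net@MY.NET (aes256-cts-hmac-sha1-96)
   5 12/06/2018 14:50:00 DNS/ipa3.my.net@MY.NET (aes128-cts-hmac-sha1-96)
"""

# slapd's keytab still at kvno 3: the keys an old replica image would carry.
DS_KEYTAB = """\
Keytab name: FILE:/etc/dirsrv/ds.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 08/23/2017 13:40:11 ldap/ipa3.my.net@MY.NET (aes256-cts-hmac-sha1-96)
   3 08/23/2017 13:40:11 ldap/ipa3.my.net@MY.NET (aes128-cts-hmac-sha1-96)
"""

KVNO_OUT = """\
DNS/ipa3.my.net@MY.NET: kvno = 5
ldap/ipa3.my.net@MY.NET: kvno = 5
"""

if __name__ == "__main__":
    # kinit succeeds (DNS key at kvno 5 matches) but slapd cannot decrypt a
    # kvno-5 ticket, so the bind fails after the GSSAPI handshake starts.
    for princ, label, issued, held in cross_check(
        {"/etc/named.keytab": NAMED_KEYTAB, "/etc/dirsrv/ds.keytab": DS_KEYTAB},
        KVNO_OUT,
    ):
        print("%s: KDC issues kvno %d, %s holds %s" % (princ, issued, label, held))
```

On a live server the two keytab dumps and the `kvno` run happen on the same box and in the same ccache that `klist` showed above; a principal listed by the check is one whose keytab must be refreshed (or whose stale duplicate host must be taken off the network) before the GSSAPI bind can succeed.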




[Freeipa-users] Re: Replica won't start

2018-12-06 Thread Robbie Harwood via FreeIPA-users
Bret Wortman via FreeIPA-users 
writes:

> So I started working through the guide below and most of the steps just 
> worked. No errors, which was odd. For example:
>
> # kinit -kt /etc/named.keytab DNS/ipa3.my.net
> # klist
> Ticket cache: KEYRING:persistent:0:0
> Default principal: DNS/ipa3.my@my.net
>
> Valid starting
>
> 12/06/2018 14:51:08  12/07/2018 14:51:08  krbtgt/my@my.net
> # ldapsearch -H 'ldapi://%2fvar%2frun%2fslapd-MY-NET.socket' -Y GSSAPI 
> -b 'cn=dns,dc=my,dc=net'
>
> SASL/GSSAPI authentication started
>
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>
> That's the first such error I received as I worked my way down the page, 
> but there's no real guidance there as to what to do when this fails. The 
> text assumes it'll work, but the previous steps didn't turn up anything 
> wrong...
>
> I've been completely unable to turn on any sort of Kerberos logging 
> despite attempting both approaches in the guide.

Can you retry the ldapsearch command with KRB5_TRACE=/dev/stderr and
show the output?

Thanks,
--Robbie




[Freeipa-users] Re: Replica won't start

2018-12-06 Thread Bret Wortman via FreeIPA-users
So I started working through the guide below and most of the steps just 
worked. No errors, which was odd. For example:


# kinit -kt /etc/named.keytab DNS/ipa3.my.net
# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: DNS/ipa3.my@my.net

Valid starting

12/06/2018 14:51:08  12/07/2018 14:51:08  krbtgt/my@my.net
# ldapsearch -H 'ldapi://%2fvar%2frun%2fslapd-MY-NET.socket' -Y GSSAPI 
-b 'cn=dns,dc=my,dc=net'


SASL/GSSAPI authentication started

ldap_sasl_interactive_bind_s: Invalid credentials (49)

That's the first such error I received as I worked my way down the page, 
but there's no real guidance there as to what to do when this fails. The 
text assumes it'll work, but the previous steps didn't turn up anything 
wrong...


I've been completely unable to turn on any sort of Kerberos logging 
despite attempting both approaches in the guide.




On 12/06/2018 08:39 AM, Florence Blanc-Renaud wrote:

Hi,

you can find a lot of information in this page:
https://docs.pagure.org/bind-dyndb-ldap/BIND9/NamedCannotStart.html

flo




[Freeipa-users] Re: Replica won't start

2018-12-06 Thread Bret Wortman via FreeIPA-users

I'll check it out. Thanks, Flo!




[Freeipa-users] Re: Replica won't start

2018-12-06 Thread Florence Blanc-Renaud via FreeIPA-users

On 12/6/18 1:32 PM, Bret Wortman via FreeIPA-users wrote:
After a reboot, my IPA replica won't start. I've tracked it down to an 
error in the named startup. From /var/log/messages (all messages from 
named-pkcs11):


bind-dyndb-ldap version 11.1 compiled at 13:38:22 Aug 23 2017, compiler 
4.8.5 20150623 (Red Hat 4.8.5-16)

LDAP error: Invalid credentials: bind to LDAP server failed
couldn't establish connection in LDAP connection pool: permission denied
dynamic database 'ipa' configuration failed:
loading configuration: permission denied
exiting (due to fatal error)

So I tried manually:

# kinit -kt /etc/named.keytab DNS/ipa3.spx@my.net
# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: DNS/asipa3.spx@my.net

Valid starting   Expires  Service principal
12/06/2018 12:26:17  12/07/2018 12:26:17 krbtgt/my@my.net

I've restarted now using ipactl start --ignore-service-failure but where 
should I be looking next to get this fixed?




Hi,

you can find a lot of information in this page:
https://docs.pagure.org/bind-dyndb-ldap/BIND9/NamedCannotStart.html

flo


--
*Bret Wortman*
Founder, Damascus Products, LLC

855-644-2783  | b...@wrapbuddies.co

http://wrapbuddies.co/

70 Main St. Suite 23 Warrenton, VA 20186




