On my master (where this error is occurring), I've got, in /etc/hosts:

127.0.0.1 localhost localhost.localdomain
::1 localhost localhost.localdomain
1.2.3.4 ipamaster.foo.net ipamaster
So that should be okay, right?

# host ipamaster.foo.net
ipamaster.foo.net has address 1.2.3.4
# host ipamaster
ipamaster.foo.net has address 1.2.3.4
# host localhost
localhost has address 127.0.0.1
localhost has IPv6 address ::1
#

I checked the other system (the one I can't connect to) to be safe, and its /etc/hosts is similarly configured. It even has the master listed with its correct IP address.

*Bret Wortman*
http://damascusgrp.com/
http://about.me/wortmanbret

On Mon, Aug 19, 2013 at 2:02 PM, Simo Sorce <s...@redhat.com> wrote:

> On Mon, 2013-08-19 at 13:51 -0400, Bret Wortman wrote:
> > So, any idea how to fix the Kerberos problem?
>
> If your server is trying to get a tgt for ldap/localhost it probably
> means your /etc/hosts file is broken and has a line like this:
>
> 1.2.3.4 localhost my.real.name
>
> When GSSAPI tries to resolve my.realm.name it gets back that 'localhost'
> is the canonical name so it tries to get a TGT with that name and it
> fails.
>
> If /etc/hosts is fine then the DNS server may be returning an IP address
> that later resolves to localhost again.
>
> To unbreak make sure that if you have your fully qualified name
> in /etc/hosts that it is on its own line pointing at the right IP
> address and where the FQDN name is the first in line:
> eg:
>
> this is ok:
> 1.2.3.4 server.full.name server
>
> this is not:
> 1.2.3.4 server server.full.name
>
> Simo.
>
> > Bret Wortman
> > http://damascusgrp.com/
> > http://about.me/wortmanbret
> >
> > On Mon, Aug 19, 2013 at 12:19 PM, Bret Wortman
> > <bret.wort...@damascusgrp.com> wrote:
> > > ...and I got the web UI, authentication and sudo back via:
> > >
> > > # ipactl stop
> > > # ipactl start
> > >
> > > Not sure why that worked, but it did. I was grasping at
> > > straws, honestly.
> > >
> > > Bret Wortman
> > > http://damascusgrp.com/
> > > http://about.me/wortmanbret
> > >
> > > On Mon, Aug 19, 2013 at 12:18 PM, Bret Wortman
> > > <bret.wort...@damascusgrp.com> wrote:
> > > > Digging further, I think this log entry might be the
> > > > problem between the two servers that aren't talking:
> > > >
> > > > slapd_ldap_sasl_interactive_bind - Error: could not
> > > > perform interactive bind for id[] mech [GSSAPI]: LDAP
> > > > error -2 (Local error) (SASL(-1): generic failure:
> > > > GSSAPI Error: Unspecified GSS failure. Minor code may
> > > > provide more information (Server
> > > > ldap/localh...@spx.net not found in Kerberos
> > > > database)) errno 2 (No such file or directory)
> > > >
> > > > Did I build something incorrectly when that server was
> > > > set up originally?
> > > >
> > > > Bret Wortman
> > > > http://damascusgrp.com/
> > > > http://about.me/wortmanbret
> > > >
> > > > On Mon, Aug 19, 2013 at 12:02 PM, Bret Wortman
> > > > <bret.wort...@damascusgrp.com> wrote:
> > > > > I ran it on a good master, against a bad one.
> > > > > As in, I ran this command on my master IPA
> > > > > node:
> > > > >
> > > > > # ipa-replica-manage del --force bad1.foo.net --cleanup
> > > > >
> > > > > Was that wrong? I was trying to delete the bad
> > > > > replica from the master, so I figured the
> > > > > command needed to be run on the master. But
> > > > > again, my master is now in a state where it's
> > > > > not resolving DNS, user logins, or sudo at the
> > > > > very least.
> > > > >
> > > > > Oh, and I checked the node that it was
> > > > > complaining about earlier. The network
> > > > > connection to it is the pits, but it's there.
> > > > > And it resolves.
> > > > >
> > > > > Bret Wortman
> > > > > http://damascusgrp.com/
> > > > > http://about.me/wortmanbret
> > > > >
> > > > > On Mon, Aug 19, 2013 at 11:58 AM, Rob
> > > > > Crittenden <rcrit...@redhat.com> wrote:
> > > > > > Rob Crittenden wrote:
> > > > > > > Bret Wortman wrote:
> > > > > > > > Well, my master ground to a halt and wasn't
> > > > > > > > responding. I rebooted the system and now I can't
> > > > > > > > access the web UI or ssh to the master either. I
> > > > > > > > have console access but that's it.
> > > > > > > >
> > > > > > > > The services all say they're running, but the
> > > > > > > > web UI gives an "Unknown Error" dialog and ssh
> > > > > > > > fails with "ssh_exchange_identification:
> > > > > > > > Connection closed by remote host" whenever I try
> > > > > > > > to ssh to ipamaster. I think something has gone
> > > > > > > > really wrong inside my master. Any ideas? Even
> > > > > > > > after the reboot, --cleanup isn't helping and
> > > > > > > > just hangs.
> > > > > > > >
> > > > > > > > The logfiles end (as of the time I ^C'd the
> > > > > > > > process) with:
> > > > > > > >
> > > > > > > > NSMMReplicationPlugin - agmt="cn=meTogood3.spx.net" (good3:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cannot determine realm for numeric host address))
> > > > > > > > NSMMReplicationPlugin - CleanAllRUV Task: Replica not online (agmt="cn=meTogood3.foo.net" (good3:389))
> > > > > > > > NSMMReplicationPlugin - CleanAllRUV Task: Not all replicas online, retrying in 160 seconds...,
> > > > > > > >
> > > > > > > > So it looks like it's having trouble talking
> > > > > > > > with one of my replicas and is doggedly trying
> > > > > > > > to get the job done. Any idea how to get the
> > > > > > > > master back working again while I troubleshoot
> > > > > > > > this connectivity issue?
> > > > > > >
> > > > > > > That suggests a DNS problem, and it might explain
> > > > > > > ssh as well depending on your configuration.
> > > > > >
> > > > > > To be clear, you ran --cleanup against one of the
> > > > > > bad masters, not a good one, right?
> > > > > >
> > > > > > rob
> > > > > >
> > > > > > _______________________________________________
> > > > > > Freeipa-users mailing list
> > > > > > Freeipa-users@redhat.com
> > > > > > https://www.redhat.com/mailman/listinfo/freeipa-users
>
> --
> Simo Sorce * Red Hat, Inc * New York
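As an added example (not part of the thread, nor FreeIPA's own code), a small Python check that models Simo's point: the first name on a matching /etc/hosts line is what the resolver reports as canonical, so a line that lists `localhost` or a short alias before the FQDN makes Kerberos ask for the wrong service principal. The hosts text, the `EXAMPLE.NET` realm and the `bad1`/`bad2` hosts are constructed for the example.

```python
"""Model the /etc/hosts mistake described in the thread: glibc's files
backend returns the FIRST name on the matching line as the canonical
name, and krb5 builds the service principal from that canonical name.
The hosts text below is a constructed sample, not the poster's file."""

import ipaddress

# Constructed sample: the good line from the thread plus the two broken
# shapes Simo describes (alias before FQDN, and localhost before FQDN).
SAMPLE_HOSTS = """\
127.0.0.1 localhost localhost.localdomain
::1 localhost localhost.localdomain
1.2.3.4 ipamaster.foo.net ipamaster
1.2.3.5 bad1 bad1.foo.net
1.2.3.6 localhost bad2.foo.net
"""

def parse_hosts(text):
    """Return [(ip, [names...])] for every non-comment, non-empty line."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            entries.append((fields[0], fields[1:]))
    return entries

def canonical_name(entries, host):
    """Mimic getaddrinfo(AI_CANONNAME) against the files backend: the
    canonical name is the first name on the first line listing host."""
    for ip, names in entries:
        if host in names:
            return ip, names[0]
    return None, None

def check_host(text, fqdn, service="ldap", realm="EXAMPLE.NET"):
    """Return (principal krb5 would request, list of problems found).
    realm is a placeholder; the thread never states the real realm."""
    ip, canon = canonical_name(parse_hosts(text), fqdn)
    if canon is None:
        return None, ["%s not in hosts file" % fqdn]
    problems = []
    if ipaddress.ip_address(ip).is_loopback:
        problems.append("%s resolves to loopback %s" % (fqdn, ip))
    if canon != fqdn:
        problems.append("canonical name is %r, not the FQDN; put %s "
                        "first on its line" % (canon, fqdn))
    return "%s/%s@%s" % (service, canon, realm), problems
```

Running `check_host(SAMPLE_HOSTS, "bad2.foo.net")` yields the principal `ldap/localhost@EXAMPLE.NET`, which is exactly the "ldap/localhost ... not found in Kerberos database" failure quoted above.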