On 04/01/2021 17:46, Alexander Bokovoy wrote:
On ma, 04 tammi 2021, lejeczek via FreeIPA-users wrote:
Hi guys.
I'm trying to setup a first master during which I get:
...
 [7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service
(ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Named service failed to start (CalledProcessError(Command
['/bin/systemctl', 'restart', 'named-pkcs11.service']
returned non-zero exit status 1: 'Job for
named-pkcs11.service failed because a timeout was
exceeded.\nSee "systemctl status named-pkcs11.service"
and "journalctl -xe" for details.\n'))
...
and that is the only error from the setup which seemingly
continues and completes successfully:
...
Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: c8kubermaster1.private.openshift.c8
Realm: PRIVATE.OPENSHIFT.C8
DNS Domain: private.openshift.c8
IPA Server: c8kubermaster1.private.openshift.c8
BaseDN: dc=private,dc=openshift,dc=c8
Configured sudoers in /etc/authselect/user-nsswitch.conf
Configured /etc/sssd/sssd.conf
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring private.openshift.c8 as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
DNS query for c8kubermaster1.private.openshift.c8. 1
failed: The DNS operation timed out after
30.000322580337524 seconds
unable to resolve host name
c8kubermaster1.private.openshift.c8. to IP address,
ipa-ca DNS record will be incomplete
==============================================================================
Setup complete
Next steps:
   1. You must make sure these network ports are open:
      TCP Ports:
       * 80, 443: HTTP/HTTPS
       * 389, 636: LDAP/LDAPS
       * 88, 464: kerberos
       * 53: bind
      UDP Ports:
       * 88, 464: kerberos
       * 53: bind
       * 123: ntp
   2. You can now obtain a kerberos ticket using the
command: 'kinit admin'
     This ticket will allow you to use the IPA
tools (e.g., ipa user-add)
     and the web user interface.
Be sure to back up the CA certificates stored in
/root/cacert.p12
These files are required to create replicas. The password
for these
files is the Directory Manager password
The ipa-server-install command was successful
Yet, very first reboot and ipa.service fails to start,
but before that reboot if I
-> $ systemctl restart named-pkcs11.service
I takes rather long 10 or so secons and journal shows
...
LDAP configuration synchronization failed: socket is not
connected
...
but socket is there:
/var/run/slapd-PRIVATE-OPENSHIFT-C8.socket
More from named's journal:
...
esolver priming query complete
LDAP error: Can't contact LDAP server: ldap_sync_poll()
failed
ldap_syncrepl will reconnect in 60 seconds
GSSAPI client step 1
GSSAPI client step 1
GSSAPI client step 1
GSSAPI client step 2
successfully reconnected to LDAP server
LDAP configuration for instance 'ipa' synchronized
GSSAPI client step 1
GSSAPI client step 1
GSSAPI client step 1
GSSAPI client step 2
LDAP data for instance 'ipa' are being synchronized,
please ignore message 'all zones loaded'
Is it named-pkcs11 looking for wrong bits or something
not good with dirsrv or .. maybe something else... would
you anybody know?
It looks like 389-ds LDAP server start takes quite some
time before it
starts listening on the LDAPI socket, so first attempt to
connect by
bind-dyndb-ldap driver fails.
Not sure it is a problem with the amount of resources
available on this
system (a VM? a container? How many CPUs available? Disk
is slow? etc).
Eventually bind-dyndb-ldap succeeds on re-try so it might
only be a too
fast parallel startup for some components and not the other.
If this happens later, when 389-ds already started, there
might be
another issue -- if it is really slow to respond on LDAPI
connection,
may be LDAP server was already swapped out by something
more memory
hungry? In general, it would be good to look at the
overall picture with
the workload you have on that system.
Actually it happens to the 'named-pkcs11.service' at any
time all the time.
dirsrv@ will up & running and without any evident errors and
restart of 'named-pkcs11.service' would succeed but always with:
-> $ systemctl restart named-pkcs11.service
...
GSSAPI client step 2
LDAP data for instance 'ipa' are being synchronized, please
ignore message 'all zones loaded'
connection to the LDAP server was lost
GSSAPI client step 1
GSSAPI client step 1
and still after reboot ipa.service I'll find in 'failed' state.
It's surely not SELinux as I try with SELINUX=disabled
many thanks, L.
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
