## Problem and version info

I recently took over as the sysadmin for a system that was previously set up, and has not had a sysadmin for 6+ months, plus appears to have been fairly neglected even before then. It has three FreeIPA nodes that have not seen a system update in several years, and CentOS can no longer be updated so I cannot update them. I'm planning to replace them but have not created the replacements yet and need the current system to continue functioning, both in general and also in order to enroll new nodes and replicate to them before bringing down the old ones.

```
$ ipa --version
VERSION: 4.9.6, API_VERSION: 2.245
$ lsb_release -a
LSB Version:    :core-4.1-amd64:core-4.1-noarch
Distributor ID: Fedora
Description:    Fedora release 34 (Thirty Four)
Release:        34
Codename:       ThirtyFour
```

I have been working my way through system updates and improvements, but had not checked the expiration dates on the server certificates yet, and the certificates expired on June 21. I saw this and got a new (wildcard, as before) certificate and began replacing them.

I'm new to FreeIPA and had only used it to add a handful of users and set a few DNS entries. I bypassed the certificate error in the browser to go to the FreeIPA web UI (https://freeipa1.mydomain.com/ipa/ui/#), and tried to log in and got the error message "Login failed due to an unknown reason". I am certain of my password.

I saw that it runs httpd, so I copied the new cert onto the server and changed the httpd config to point to it and the appropriate key. Now, when I navigate to the web UI I no longer get a certificate error, but I continue to get the same error message when I try to log in.

FreeIPA appears to be working partially, because it governs `sudo` access and login within this system and I am still able to log in and `sudo`.
When I try to use any `ipa` commands, however, I get the following or something similar:

```
$ sudo ipa-certupdate
Connection to https://freeipa1.mydomain.com/ipa/json failed with [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)
Connection to https://freeipa2.mydomain.com/ipa/json failed with [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)
Connection to https://freeipa3.mydomain.com/ipa/json failed with [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)
cannot connect to 'any of the configured servers': https://freeipa1.mydomain.com/ipa/json, https://freeipa2.mydomain.com/ipa/json, https://freeipa3.mydomain.com/ipa/json
The ipa-certupdate command failed.
```

and

```
$ ipa user-find
ipa: ERROR: cannot connect to 'any of the configured servers': https://freeipa1.mydomain.com/ipa/json, https://freeipa2.mydomain.com/ipa/json, https://freeipa3.mydomain.com/ipa/json
```

I am able to get correct responses from `id [username]` and `getent passwd [username]`, and am able to `kinit`, `ssh`, and `sudo` using credentials that are governed by these servers.

## What I have tried

- I replaced the old certificate in the httpd config with a new one that is essentially the same except it has an updated valid date window, and is signed with RSA384 instead of RSA356 (I don't think this matters, but including for completeness), and then restarted httpd
- I did `ipactl restart` and `systemctl restart sssd`
- I put the old certificate back in place, disabled NTP on the server and set the time back to a date when the prior certificate was valid
- I have looked through sssd_* and /var/log/secure for relevant logs. I found one at /var/log/sssd/sssd_mydomain.com.log, with error logs that appear relevant, but I'm not able to tell what is not working. I have not found other relevant-looking entries in other sssd logs
- `dig -t SRV _ldap._tcp.freeipa1.mydomain.com @127.0.0.1` from the freeipa1 terminal gave a reasonable response

I also tried an ldapsearch that had worked previously:

```
$ ldapsearch -x -b "dc=mydomain,dc=com" -H ldap://freeipa1.mydomain.com -D "cn=admin,dc=mydomain,dc=com" -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
```

## Logs

Here is a snippet from a very large log file from freeipa3.mydomain.com:/var/log/sssd/sssd_mydomain.com.log. I elided portions that seem to be generic, and kept lines that mention mydomain.com and what appears to be related context. It's possible I elided something important, and can provide unelided logs or specific portions if needed. There are 3 backtraces here, the first is long and elided and the last two are short and included in full.

I notice the conspicuous "Network is unreachable" messages, and checked to confirm that I am able to ping all three servers from everywhere in the network (including from these servers themselves), so I don't believe it is actually a network outage.

```
(2024-06-27 9:24:14): [be[mydomain.com]] [server_setup] (0x1f7c0): Starting with debug level = 0x0070
(2024-06-27 9:24:16): [be[mydomain.com]] [sssd_async_connect_send] (0x0020): [RID#1] connect failed [101][Network is unreachable].
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
* [be[mydomain.com]] [become_user] (0x0200): Trying to become user [0][0].
* [be[mydomain.com]] [become_user] (0x0200): Already user [0].
* [be[mydomain.com]] [ldb] (0x0400): server_sort:Unable to register control with rootdse!
* (2024-06-27 9:24:14): [be[mydomain.com]] [server_setup] (0x0400): CONFDB: /var/lib/sss/db/config.ldb
* (2024-06-27 9:24:14): [be[mydomain.com]] [dp_get_options] (0x0400): Option lookup_family_order has value ipv4_first
* (2024-06-27 9:24:14): [be[mydomain.com]] [dp_get_options] (0x0400): Option dns_resolver_timeout has value 6
* (2024-06-27 9:24:14): [be[mydomain.com]] [dp_get_options] (0x0400): Option dns_resolver_op_timeout has value 3
* (2024-06-27 9:24:14): [be[mydomain.com]] [dp_get_options] (0x0400): Option dns_resolver_server_timeout has value 1000
* (2024-06-27 9:24:14): [be[mydomain.com]] [dp_get_options] (0x0400): Option dns_discovery_domain has no value
* (2024-06-27 9:24:14): [be[mydomain.com]] [be_res_get_opts] (0x0100): Lookup order: ipv4_first
* (2024-06-27 9:24:14): [be[mydomain.com]] [recreate_ares_channel] (0x0100): Initializing new c-ares channel
* (2024-06-27 9:24:14): [be[mydomain.com]] [fo_context_init] (0x0400): Created new fail over context, retry timeout is 30
* (2024-06-27 9:24:14): [be[mydomain.com]] [confdb_get_domain_internal] (0x0400): No enumeration for [implicit_files]!
* (2024-06-27 9:24:14): [be[mydomain.com]] [confdb_get_domain_internal] (0x0400): Please note that when enumeration is disabled `getent passwd` does not return all users by design. See sssd.conf man page for more detailed information
* (2024-06-27 9:24:14): [be[mydomain.com]] [confdb_get_domain_internal] (0x1000): pwd_expiration_warning is -1
* (2024-06-27 9:24:14): [be[mydomain.com]] [confdb_get_domain_internal] (0x0400): No enumeration for [mydomain.com]!
* (2024-06-27 9:24:14): [be[mydomain.com]] [confdb_get_domain_internal] (0x0400): Please note that when enumeration is disabled `getent passwd` does not return all users by design. See sssd.conf man page for more detailed information
* (2024-06-27 9:24:14): [be[mydomain.com]] [confdb_get_domain_internal] (0x1000): pwd_expiration_warning is -1
* (2024-06-27 9:24:14): [be[mydomain.com]] [sss_domain_get_state] (0x1000): Domain mydomain.com is Active
* (2024-06-27 9:24:14): [be[mydomain.com]] [sysdb_domain_init_internal] (0x0200): DB File for mydomain.com: /var/lib/sss/db/cache_mydomain.com.ldb
* (2024-06-27 9:24:14): [be[mydomain.com]] [sysdb_domain_init_internal] (0x0200): Timestamp file for mydomain.com: /var/lib/sss/db/timestamps_mydomain.com.ldb
* (2024-06-27 9:24:14): [be[mydomain.com]] [ldb] (0x0400): asq: Unable to register control with rootdse!
* (2024-06-27 9:24:14): [be[mydomain.com]] [sss_domain_get_state] (0x1000): Domain mydomain.com is Active
* (2024-06-27 9:24:14): [be[mydomain.com]] [sss_names_init_from_args] (0x0100): Using re [(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))].
* (2024-06-27 9:24:14): [be[mydomain.com]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
* (2024-06-27 9:24:14): [be[mydomain.com]] [sbus_server_socket_listen] (0x0400): D-BUS Server listening on unix:path=/var/lib/sss/pipes/private/sbus-dp_mydomain.com.849,guid=1f7cd8ed5f762a097bce948b667d67fe
* (2024-06-27 9:24:14): [be[mydomain.com]] [sbus_server_symlink_create] (0x1000): Symlinking the dbus path /var/lib/sss/pipes/private/sbus-dp_mydomain.com.849 to a link /var/lib/sss/pipes/private/sbus-dp_mydomain.com
...
* (2024-06-27 9:24:14): [be[mydomain.com]] [sbus_connect_private_done] (0x0400): Connected to unix:path=/var/lib/sss/pipes/private/sbus-dp_mydomain.com bus as sssd.domain_2emydomain_2ecom
...
* (2024-06-27 9:24:15): [be[mydomain.com]] [krb5_service_new] (0x0100): write_kdcinfo for realm mydomain.com set to true
* (2024-06-27 9:24:15): [be[mydomain.com]] [fo_new_service] (0x0400): Creating new service 'IPA'
* (2024-06-27 9:24:15): [be[mydomain.com]] [resolv_is_address] (0x4000): [freeipa3.mydomain.com] does not look like an IP address
* (2024-06-27 9:24:15): [be[mydomain.com]] [fo_add_server_to_list] (0x0400): Inserted primary server 'freeipa3.mydomain.com:0' to service 'IPA'
* (2024-06-27 9:24:15): [be[mydomain.com]] [_ipa_servers_init] (0x0400): Added Server freeipa3.mydomain.com
...
* (2024-06-27 9:24:15): [be[mydomain.com]] [ipa_get_id_options] (0x0400): Option ldap_search_base set to cn=accounts,dc=mydomain,cs=com
* (2024-06-27 9:24:15): [be[mydomain.com]] [common_parse_search_base] (0x0100): Search base added: [DEFAULT][cn=accounts,dc=mydomain,cs=com][SUBTREE][]
* (2024-06-27 9:24:15): [be[mydomain.com]] [ipa_get_id_options] (0x0400): Option krb5_realm set to mydomain.com
* (2024-06-27 9:24:15): [be[mydomain.com]] [sdap_set_sasl_options] (0x0100): Will look for [email protected] in default keytab
* (2024-06-27 9:24:15): [be[mydomain.com]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
* (2024-06-27 9:24:15): [be[mydomain.com]] [find_principal_in_keytab] (0x4000): Trying to find principal [email protected] in keytab.
* (2024-06-27 9:24:15): [be[mydomain.com]] [find_principal_in_keytab] (0x0400): No principal matching [email protected] found in keytab.
* (2024-06-27 9:24:15): [be[mydomain.com]] [find_principal_in_keytab] (0x4000): Trying to find principal [email protected] in keytab.
* (2024-06-27 9:24:15): [be[mydomain.com]] [find_principal_in_keytab] (0x0400): No principal matching [email protected] found in keytab.
* (2024-06-27 9:24:15): [be[mydomain.com]] [find_principal_in_keytab] (0x4000): Trying to find principal host/[email protected] in keytab.
* (2024-06-27 9:24:15): [be[mydomain.com]] [match_principal] (0x1000): Principal matched to the sample (host/[email protected]).
* (2024-06-27 9:24:15): [be[mydomain.com]] [select_principal_from_keytab] (0x0200): Selected primary: host/freeipa3.mydomain.com
* (2024-06-27 9:24:15): [be[mydomain.com]] [select_principal_from_keytab] (0x0200): Selected realm: mydomain.com
* (2024-06-27 9:24:15): [be[mydomain.com]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_authid set to host/freeipa3.mydomain.com
* (2024-06-27 9:24:15): [be[mydomain.com]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_realm set to mydomain.com
* (2024-06-27 9:24:15): [be[mydomain.com]] [ipa_get_id_options] (0x0400): Option ldap_user_search_base set to cn=accounts,dc=mydomain,cs=com
* (2024-06-27 9:24:15): [be[mydomain.com]] [common_parse_search_base] (0x0100): Search base added: [USER][cn=accounts,dc=mydomain,cs=com][SUBTREE][]
* (2024-06-27 9:24:15): [be[mydomain.com]] [ipa_get_id_options] (0x0400): Option ldap_user_search_base expanded to cover cn=trusts base
* (2024-06-27 9:24:15): [be[mydomain.com]] [ipa_get_id_options] (0x0400): Option ldap_group_search_base set to cn=accounts,dc=mydomain,cs=com
* (2024-06-27 9:24:15): [be[mydomain.com]] [common_parse_search_base] (0x0100): Search base added: [GROUP][cn=accounts,dc=mydomain,cs=com][SUBTREE][]
* (2024-06-27 9:24:15): [be[mydomain.com]] [ipa_get_id_options] (0x0400): Option ldap_netgroup_search_base set to cn=ng,cn=alt,dc=mydomain,cs=com
* (2024-06-27 9:24:15): [be[mydomain.com]] [common_parse_search_base] (0x0100): Search base added: [NETGROUP][cn=ng,cn=alt,dc=mydomain,cs=com][SUBTREE][]
* (2024-06-27 9:24:15): [be[mydomain.com]] [ipa_get_id_options] (0x0100): Option ldap_host_search_base set to cn=accounts,dc=mydomain,cs=com
* (2024-06-27 9:24:15): [be[mydomain.com]] [common_parse_search_base] (0x0100): Search base added: [HOST][cn=accounts,dc=mydomain,cs=com][SUBTREE][]
* (2024-06-27 9:24:15): [be[mydomain.com]] [ipa_get_id_options] (0x0400): Option ipa_hbac_search_base set to cn=hbac,dc=mydomain,cs=com
* (2024-06-27 9:24:15): [be[mydomain.com]] [common_parse_search_base] (0x0100): Search base added: [IPA_HBAC][cn=hbac,dc=mydomain,cs=com][SUBTREE][]
* (2024-06-27 9:24:15): [be[mydomain.com]] [ipa_get_id_options] (0x0100): Option ipa_selinux_search_base set to cn=selinux,dc=mydomain,cs=com
* (2024-06-27 9:24:15): [be[mydomain.com]] [common_parse_search_base] (0x0100): Search base added: [IPA_SELINUX][cn=selinux,dc=mydomain,cs=com][SUBTREE][]
* (2024-06-27 9:24:15): [be[mydomain.com]] [ipa_get_id_options] (0x0400): Option ipa_deskprofile_search_base set to cn=desktop-profile,dc=mydomain,cs=com
* (2024-06-27 9:24:15): [be[mydomain.com]] [common_parse_search_base] (0x0100): Search base added: [IPA_DESKPROFILE][cn=desktop-profile,dc=mydomain,cs=com][SUBTREE][]
* (2024-06-27 9:24:15): [be[mydomain.com]] [ipa_get_id_options] (0x0400): Option ldap_service_search_base set to cn=ipservices,cn=accounts,dc=mydomain,cs=com
* (2024-06-27 9:24:15): [be[mydomain.com]] [common_parse_search_base] (0x0100): Search base added: [SERVICE][cn=ipservices,cn=accounts,dc=mydomain,cs=com][SUBTREE][]
* (2024-06-27 9:24:15): [be[mydomain.com]] [ipa_get_id_options] (0x0100): Option ipa_subdomains_search_base set to cn=trusts,dc=mydomain,cs=com
* (2024-06-27 9:24:15): [be[mydomain.com]] [common_parse_search_base] (0x0100): Search base added: [IPA_SUBDOMAINS][cn=trusts,dc=mydomain,cs=com][SUBTREE][]
* (2024-06-27 9:24:15): [be[mydomain.com]] [ipa_get_id_options] (0x0100): Option ipa_master_domain_search_base set to cn=ad,cn=etc,dc=mydomain,cs=com
* (2024-06-27 9:24:15): [be[mydomain.com]] [common_parse_search_base] (0x0100): Search base added: [IPA_MASTER_DOMAIN][cn=ad,cn=etc,dc=mydomain,cs=com][SUBTREE][]
* (2024-06-27 9:24:15): [be[mydomain.com]] [ipa_get_id_options] (0x0100): Option ipa_ranges_search_base set to cn=ranges,cn=etc,dc=mydomain,cs=com
* (2024-06-27 9:24:15): [be[mydomain.com]] [common_parse_search_base] (0x0100): Search base added: [IPA_RANGES][cn=ranges,cn=etc,dc=mydomain,cs=com][SUBTREE][]
* (2024-06-27 9:24:15): [be[mydomain.com]] [ipa_get_id_options] (0x0100): Option ipa_views_search_base set to cn=views,cn=accounts,dc=mydomain,cs=com
* (2024-06-27 9:24:15): [be[mydomain.com]] [common_parse_search_base] (0x0100): Search base added: [IPA_VIEWS][cn=views,cn=accounts,dc=mydomain,cs=com][SUBTREE][]
...
* (2024-06-27 9:24:15): [be[mydomain.com]] [sdap_id_setup_tasks] (0x0400): Setting up cleanup task for mydomain.com
* (2024-06-27 9:24:15): [be[mydomain.com]] [sysdb_update_view_name] (0x4000): View name already in place.
* (2024-06-27 9:24:15): [be[mydomain.com]] [ipa_init_server_mode] (0x0100): The value of dns_discovery_domain will be ignored in ipa_server_mode
* (2024-06-27 9:24:15): [be[mydomain.com]] [sysdb_get_certmap] (0x0400): No certificate maps found.
* (2024-06-27 9:24:15): [be[mydomain.com]] [sdap_setup_certmap] (0x4000): No certmap data, nothing to do.
* (2024-06-27 9:24:15): [be[mydomain.com]] [dp_copy_options_ex] (0x0400): Option ipa_domain has value mydomain.com
* (2024-06-27 9:24:15): [be[mydomain.com]] [dp_copy_options_ex] (0x0400): Option ipa_server has value freeipa3.mydomain.com
* (2024-06-27 9:24:15): [be[mydomain.com]] [dp_copy_options_ex] (0x0400): Option ipa_backup_server has no value
* (2024-06-27 9:24:15): [be[mydomain.com]] [dp_copy_options_ex] (0x0400): Option ipa_hostname has value freeipa3.mydomain.com
* (2024-06-27 9:24:15): [be[mydomain.com]] [dp_copy_options_ex] (0x0400): Option ipa_hbac_search_base has value cn=hbac,dc=mydomain,cs=com
* (2024-06-27 9:24:15): [be[mydomain.com]] [dp_copy_options_ex] (0x0400): Option ipa_host_search_base has no value
* (2024-06-27 9:24:15): [be[mydomain.com]] [dp_copy_options_ex] (0x0400): Option ipa_selinux_search_base has value cn=selinux,dc=mydomain,cs=com
* (2024-06-27 9:24:15): [be[mydomain.com]] [dp_copy_options_ex] (0x0400): Option ipa_subdomains_search_base has value cn=trusts,dc=mydomain,cs=com
* (2024-06-27 9:24:15): [be[mydomain.com]] [dp_copy_options_ex] (0x0400): Option ipa_master_domain_search_base has value cn=ad,cn=etc,dc=mydomain,cs=com
* (2024-06-27 9:24:15): [be[mydomain.com]] [dp_copy_options_ex] (0x0400): Option krb5_realm has value mydomain.com
* (2024-06-27 9:24:15): [be[mydomain.com]] [dp_copy_options_ex] (0x0400): Option ipa_hbac_refresh has value 5
* (2024-06-27 9:24:15): [be[mydomain.com]] [dp_copy_options_ex] (0x0400): Option ipa_selinux_refresh has value 5
* (2024-06-27 9:24:15): [be[mydomain.com]] [dp_copy_options_ex] (0x0400): Option ipa_hbac_support_srchost is FALSE
* (2024-06-27 9:24:15): [be[mydomain.com]] [dp_copy_options_ex] (0x0400): Option ipa_automount_location has value default
* (2024-06-27 9:24:15): [be[mydomain.com]] [dp_copy_options_ex] (0x0400): Option ipa_ranges_search_base has value cn=ranges,cn=etc,dc=mydomain,cs=com
* (2024-06-27 9:24:15): [be[mydomain.com]] [dp_copy_options_ex] (0x0400): Option ipa_enable_dns_sites is FALSE
* (2024-06-27 9:24:15): [be[mydomain.com]] [dp_copy_options_ex] (0x0400): Option ipa_server_mode is TRUE
* (2024-06-27 9:24:15): [be[mydomain.com]] [dp_copy_options_ex] (0x0400): Option ipa_views_search_base has value cn=views,cn=accounts,dc=mydomain,cs=com
* (2024-06-27 9:24:15): [be[mydomain.com]] [dp_copy_options_ex] (0x0400): Option krb5_confd_path has value /var/lib/sss/pubconf/krb5.include.d
* (2024-06-27 9:24:15): [be[mydomain.com]] [dp_copy_options_ex] (0x0400): Option ipa_deskprofile_search_base has value cn=desktop-profile,dc=mydomain,cs=com
* (2024-06-27 9:24:15): [be[mydomain.com]] [dp_copy_options_ex] (0x0400): Option ipa_deskprofile_refresh has value 5
* (2024-06-27 9:24:15): [be[mydomain.com]] [dp_copy_options_ex] (0x0400): Option ipa_deskprofile_request_interval has value 60
...
* (2024-06-27 9:24:15): [be[mydomain.com]] [krb5_try_kdcip] (0x0100): No KDC found in configuration, trying legacy option
* (2024-06-27 9:24:15): [be[mydomain.com]] [ipa_get_auth_options] (0x0400): Option krb5_realm set to mydomain.com
* (2024-06-27 9:24:15): [be[mydomain.com]] [ipa_get_auth_options] (0x0100): Option krb5_fast_principal set to host/ [email protected]
...
* (2024-06-27 9:24:15): [be[mydomain.com]] [common_parse_search_base] (0x0100): Search base added: [SUDO][cn=sudo,dc=mydomain,cs=com][SUBTREE][]
...
* (2024-06-27 9:24:15): [be[mydomain.com]] [ipa_get_autofs_options] (0x1000): Option ldap_autofs_search_base set to cn=default,cn=automount,dc=mydomain,cs=com
* (2024-06-27 9:24:15): [be[mydomain.com]] [common_parse_search_base] (0x0100): Search base added: [AUTOFS][cn=default,cn=automount,dc=mydomain,cs=com][SUBTREE][]
...
* (2024-06-27 9:24:15): [be[mydomain.com]] [ipa_subdom_reinit] (0x2000): Re-initializing domain mydomain.com
* (2024-06-27 9:24:15): [be[mydomain.com]] [sss_write_krb5_localauth_snippet] (0x0200): File for localauth plugin configuration is [/var/lib/sss/pubconf/krb5.include.d/localauth_plugin]
* (2024-06-27 9:24:15): [be[mydomain.com]] [sss_write_krb5_libdefaults_snippet] (0x0200): File for KRB5 kibdefaults configuration is [/var/lib/sss/pubconf/krb5.include.d/krb5_libdefaults]
* (2024-06-27 9:24:15): [be[mydomain.com]] [sss_domain_get_state] (0x1000): Domain mydomain.com is Active
* (2024-06-27 9:24:16): [be[mydomain.com]] [sss_write_domain_mappings] (0x0200): Mapping file for domain [mydomain.com] is [/var/lib/sss/pubconf/krb5.include.d/domain_realm_mydomain_com]
...
* (2024-06-27 9:24:16): [be[mydomain.com]] [sbus_dispatch] (0x4000): Dispatching.
* (2024-06-27 9:24:16): [be[mydomain.com]] [sbus_method_handler] (0x2000): Received D-Bus method sssd.dataprovider.getDomains on /sssd
* (2024-06-27 9:24:16): [be[mydomain.com]] [sbus_senders_lookup] (0x2000): Looking for identity of sender [sssd.ssh]
* (2024-06-27 9:24:16): [be[mydomain.com]] [dp_attach_req] (0x0400): [RID#1] DP Request [Subdomains #1]: REQ_TRACE: New request. Flags [0000].
* (2024-06-27 9:24:16): [be[mydomain.com]] [dp_attach_req] (0x0400): [RID#1] Number of active DP request: 1
* (2024-06-27 9:24:16): [be[mydomain.com]] [sdap_id_op_connect_step] (0x4000): [RID#1] beginning to connect
* (2024-06-27 9:24:16): [be[mydomain.com]] [fo_resolve_service_send] (0x0100): [RID#1] Trying to resolve service 'IPA'
* (2024-06-27 9:24:16): [be[mydomain.com]] [get_server_status] (0x1000): [RID#1] Status of server 'freeipa3.mydomain.com' is 'name not resolved'
* (2024-06-27 9:24:16): [be[mydomain.com]] [get_port_status] (0x1000): [RID#1] Port status of port 0 for server 'freeipa3.mydomain.com' is 'neutral'
* (2024-06-27 9:24:16): [be[mydomain.com]] [fo_resolve_service_activate_timeout] (0x2000): [RID#1] Resolve timeout [dns_resolver_timeout] set to 6 seconds
* (2024-06-27 9:24:16): [be[mydomain.com]] [get_server_status] (0x1000): [RID#1] Status of server 'freeipa3.mydomain.com' is 'name not resolved'
* (2024-06-27 9:24:16): [be[mydomain.com]] [resolv_is_address] (0x4000): [RID#1] [freeipa3.mydomain.com] does not look like an IP address
* (2024-06-27 9:24:16): [be[mydomain.com]] [resolv_gethostbyname_step] (0x2000): [RID#1] Querying files
* (2024-06-27 9:24:16): [be[mydomain.com]] [resolv_gethostbyname_files_send] (0x0100): [RID#1] Trying to resolve A record of 'freeipa3.mydomain.com' in files
* (2024-06-27 9:24:16): [be[mydomain.com]] [set_server_common_status] (0x0100): [RID#1] Marking server 'freeipa3.mydomain.com' as 'resolving name'
* (2024-06-27 9:24:16): [be[mydomain.com]] [set_server_common_status] (0x0100): [RID#1] Marking server 'freeipa3.mydomain.com' as 'name resolved'
* (2024-06-27 9:24:16): [be[mydomain.com]] [be_resolve_server_process] (0x1000): [RID#1] Saving the first resolved server
* (2024-06-27 9:24:16): [be[mydomain.com]] [be_resolve_server_process] (0x0200): [RID#1] Found address for server freeipa3.mydomain.com: [192.168.6.13] TTL 7200
* (2024-06-27 9:24:16): [be[mydomain.com]] [ipa_resolve_callback] (0x0400): [RID#1] Constructed uri 'ldap://freeipa3.mydomain.com'
* (2024-06-27 9:24:16): [be[mydomain.com]] [unique_filename_destructor] (0x2000): [RID#1] Unlinking [/var/lib/sss/pubconf/.krb5info_dummy_D5zpou]
* (2024-06-27 9:24:16): [be[mydomain.com]] [unlink_dbg] (0x2000): [RID#1] File already removed: [/var/lib/sss/pubconf/.krb5info_dummy_D5zpou]
* (2024-06-27 9:24:16): [be[mydomain.com]] [sssd_async_socket_init_send] (0x4000): [RID#1] Using file descriptor [22] for the connection.
* (2024-06-27 9:24:16): [be[mydomain.com]] [sssd_async_connect_send] (0x0020): [RID#1] connect failed [101][Network is unreachable].
********************** BACKTRACE DUMP ENDS HERE *********************************
(2024-06-27 9:24:16): [be[mydomain.com]] [sssd_async_socket_init_done] (0x0020): [RID#1] sdap_async_sys_connect request failed: [101]: Network is unreachable.
(2024-06-27 9:24:16): [be[mydomain.com]] [sss_ldap_init_sys_connect_done] (0x0020): [RID#1] sssd_async_socket_init request failed: [101]: Network is unreachable.
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
* (2024-06-27 9:24:16): [be[mydomain.com]] [sssd_async_socket_init_send] (0x0400): [RID#1] Setting 6 seconds timeout [ldap_network_timeout] for connecting
* (2024-06-27 9:24:16): [be[mydomain.com]] [sssd_async_socket_init_done] (0x0020): [RID#1] sdap_async_sys_connect request failed: [101]: Network is unreachable.
* (2024-06-27 9:24:16): [be[mydomain.com]] [sssd_async_socket_state_destructor] (0x0400): [RID#1] closing socket [22]
* (2024-06-27 9:24:16): [be[mydomain.com]] [sss_ldap_init_sys_connect_done] (0x0020): [RID#1] sssd_async_socket_init request failed: [101]: Network is unreachable.
********************** BACKTRACE DUMP ENDS HERE *********************************
(2024-06-27 9:24:16): [be[mydomain.com]] [sdap_sys_connect_done] (0x0020): [RID#1] sdap_async_connect_call request failed: [101]: Network is unreachable.
(2024-06-27 9:24:16): [be[mydomain.com]] [fo_resolve_service_send] (0x0020): [RID#1] No available servers for service 'IPA'
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
* (2024-06-27 9:24:16): [be[mydomain.com]] [sdap_sys_connect_done] (0x0020): [RID#1] sdap_async_connect_call request failed: [101]: Network is unreachable.
* (2024-06-27 9:24:16): [be[mydomain.com]] [sdap_handle_release] (0x2000): [RID#1] Trace: sh[0x55aae80acbd0], connected[0], ops[(nil)], ldap[(nil)], destructor_lock[0], release_memory[0]
* (2024-06-27 9:24:16): [be[mydomain.com]] [_be_fo_set_port_status] (0x8000): [RID#1] Setting status: PORT_NOT_WORKING. Called from: src/providers/ldap/sdap_async_connection.c: sdap_cli_connect_done: 1633
* (2024-06-27 9:24:16): [be[mydomain.com]] [fo_set_port_status] (0x0100): [RID#1] Marking port 0 of server 'freeipa3.mydomain.com' as 'not working'
* (2024-06-27 9:24:16): [be[mydomain.com]] [fo_set_port_status] (0x0400): [RID#1] Marking port 0 of duplicate server 'freeipa3.mydomain.com' as 'not working'
* (2024-06-27 9:24:16): [be[mydomain.com]] [fo_resolve_service_send] (0x0100): [RID#1] Trying to resolve service 'IPA'
* (2024-06-27 9:24:16): [be[mydomain.com]] [get_server_status] (0x1000): [RID#1] Status of server 'freeipa3.mydomain.com' is 'name resolved'
* (2024-06-27 9:24:16): [be[mydomain.com]] [get_port_status] (0x1000): [RID#1] Port status of port 0 for server 'freeipa3.mydomain.com' is 'not working'
* (2024-06-27 9:24:16): [be[mydomain.com]] [get_port_status] (0x0080): [RID#1] SSSD is unable to complete the full connection request, this internal status does not necessarily indicate network port issues.
* (2024-06-27 9:24:16): [be[mydomain.com]] [fo_resolve_service_send] (0x0020): [RID#1] No available servers for service 'IPA'
********************** BACKTRACE DUMP ENDS HERE *********************************
```
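A triage sketch for SSSD backend logs in the layout shown in the post, added here as an example and not part of the original message: it keeps only the failure-level entries, skips the context replayed inside backtrace dumps, and records which server names resolved to an address. The sample log is constructed in the same layout; the names `triage`, `ENTRY` and `FAILURE_MAX` and the choice to treat levels up to 0x0080 as failures are assumptions of this example.

```python
import re
from collections import Counter

# One SSSD debug entry: (timestamp): [process] [function] (0xLEVEL): [RID#n] message
# The lookahead ends a message where the next entry starts, so two entries that
# ended up on one physical line are still parsed separately.
ENTRY = re.compile(
    r"\((?P<ts>\d{4}-\d{2}-\d{2}\s+\d{1,2}:\d{2}:\d{2})\):\s+"
    r"\[(?P<proc>.+?)\]\s+\[(?P<func>\w+)\]\s+\((?P<level>0x[0-9a-fA-F]+)\):\s+"
    r"(?:\[RID#(?P<rid>\d+)\]\s+)?"
    r"(?P<msg>.*?)(?=\s*\(\d{4}-\d{2}-\d{2}\s+\d{1,2}:\d{2}:\d{2}\):|\s*$)"
)
ERRNO = re.compile(r"\[(\d+)\](?:: |\[)([A-Za-z ]+)")   # "[101]: text" or "[101][text]"
RESOLVED = re.compile(r"Found address for server (\S+): \[([^\]]+)\]")
FAILURE_MAX = 0x0080   # assumption: levels 0x0010..0x0080 are the failure classes

# Constructed sample in the layout of the log above (not the poster's full log).
SAMPLE = """\
(2024-06-27 9:24:16): [be[mydomain.com]] [sssd_async_connect_send] (0x0020): [RID#1] connect failed [101][Network is unreachable].
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
   *  (2024-06-27 9:24:16): [be[mydomain.com]] [be_resolve_server_process] (0x0200): [RID#1] Found address for server freeipa3.mydomain.com: [192.168.6.13] TTL 7200
   *  (2024-06-27 9:24:16): [be[mydomain.com]] [sssd_async_connect_send] (0x0020): [RID#1] connect failed [101][Network is unreachable].
********************** BACKTRACE DUMP ENDS HERE *********************************
(2024-06-27 9:24:16): [be[mydomain.com]] [sssd_async_socket_init_done] (0x0020): [RID#1] sdap_async_sys_connect request failed: [101]: Network is unreachable.(2024-06-27 9:24:16): [be[mydomain.com]] [sss_ldap_init_sys_connect_done] (0x0020): [RID#1] sssd_async_socket_init request failed: [101]: Network is unreachable.
(2024-06-27 9:24:16): [be[mydomain.com]] [sdap_sys_connect_done] (0x0020): [RID#1] sdap_async_connect_call request failed: [101]: Network is unreachable.
(2024-06-27 9:24:16): [be[mydomain.com]] [fo_resolve_service_send] (0x0020): [RID#1] No available servers for service 'IPA'
"""


def triage(text):
    """Return counted failure entries and the server names that resolved."""
    failures = Counter()   # (function, errno or None, reason) -> occurrences
    resolved = {}          # server name -> address, taken from any entry
    in_backtrace = False
    for line in text.splitlines():
        if "TRIGGERED BY THE FOLLOWING BACKTRACE" in line:
            in_backtrace = True
            continue
        if "BACKTRACE DUMP ENDS HERE" in line:
            in_backtrace = False
            continue
        for m in ENTRY.finditer(line):
            msg = m["msg"]
            hit = RESOLVED.search(msg)
            if hit:
                resolved[hit[1]] = hit[2]
            # Backtrace lines are replayed context; the failure that caused the
            # dump was already logged just before the marker, so skip them here.
            if in_backtrace or int(m["level"], 16) > FAILURE_MAX:
                continue
            err = ERRNO.search(msg)
            code, reason = (int(err[1]), err[2].strip()) if err else (None, msg)
            failures[(m["func"], code, reason)] += 1
    return {"failures": failures, "resolved": resolved}


def failed_after_resolution(report):
    """Heuristic: a name resolved, yet an errno-bearing failure was logged."""
    has_errno = any(code is not None for (_, code, _) in report["failures"])
    return bool(report["resolved"]) and has_errno


if __name__ == "__main__":
    report = triage(SAMPLE)
    for (func, code, reason), n in report["failures"].most_common():
        print(f"{n}x {func}: errno={code} {reason}")
    print("resolved:", report["resolved"])
    print("failure after name resolution:", failed_after_resolution(report))
```

On the sample, the summary shows the name resolving to an address while every socket-level failure carries errno 101 (ENETUNREACH on Linux), which places the failure at `connect()` rather than at name resolution.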
