On 2013/30/01 11:59, Dmitri Pal wrote: > On 01/30/2013 11:43 AM, [email protected] wrote: >> On 2013/30/01 09:37, Martin Kosek wrote: >>> On 01/30/2013 03:22 PM, [email protected] wrote: >>>> On 2013/30/01 09:19, Martin Kosek wrote: >>>>> On 01/30/2013 03:16 PM, Patrick Hemmer wrote: >>>>>> On 2013/30/01 03:33, Martin Kosek wrote: >>>>>>> On 01/30/2013 02:05 AM, [email protected] wrote: >>>>>>>> On 01/29/2013 07:49 PM, Dmitri Pal wrote: >>>>>>>>> On 01/29/2013 07:26 PM, [email protected] wrote: >>>>>>>>>> Using ipa-server 2.2.0-17 on Amazon linux (RHEL6 clone), and after >>>>>>>>>> using the >>>>>>>>>> `ipa-replica-install` script to configure the replica server, the >>>>>>>>>> service >>>>>>>>>> will not start. Whenever I try it throws "SASL(-4): no mechanism >>>>>>>>>> available" >>>>>>>>>> during start. >>>>>>>>>> >>>>>>>>>> Any ideas? >>>>>>>>>> >>>>>>>>>> Full output: >>>>>>>>>> >>>>>>>>>> # /etc/init.d/ipa start >>>>>>>>>> Starting Directory Service >>>>>>>>>> Starting dirsrv: >>>>>>>>>> CLIFF-CLOUDBURRITO-COM... [ OK ] >>>>>>>>>> PKI-IPA... [ OK ] >>>>>>>>>> Failed to read data from Directory Service: Unknown error when >>>>>>>>>> retrieving >>>>>>>>>> list of services from LDAP: {'info': 'SASL(-4): no mechanism >>>>>>>>>> available: ', >>>>>>>>>> 'desc': 'Unknown authentication method'} >>>>>>>>>> Shutting down >>>>>>>>>> Shutting down dirsrv: >>>>>>>>>> CLIFF-CLOUDBURRITO-COM... [ OK ] >>>>>>>>>> PKI-IPA... [ OK ] >>>>>>>>> Sounds like DS did not start under the CA. Please check the DS logs >>>>>>>>> in the >>>>>>>>> PKI instance. >>>>>>>> ns-slapd appears to be starting fine. I can even start it manually, >>>>>>>> but `ipactl >>>>>>>> status` still shows the error: >>>>>>>> Below is the result of me starting it manually (directly running >>>>>>>> ns-slapd): >>>>>>>> >>>>>>>> # ps ax|grep slapd >>>>>>>> 15540 ? Sl 0:00 /usr/sbin/ns-slapd -D >>>>>>>> /etc/dirsrv/slapd-PKI-IPA -i >>>>>>>> /var/run/dirsrv/slapd-PKI-IPA.pid -w >>>>>>>> /var/run/dirsrv/slapd-PKI-IPA.startpid >>>>>>>> 15586 ? Sl 0:00 /usr/sbin/ns-slapd -D >>>>>>>> /etc/dirsrv/slapd-CLIFF-CLOUDBURRITO-COM -i >>>>>>>> /var/run/dirsrv/slapd-CLIFF-CLOUDBURRITO-COM.pid -w >>>>>>>> /var/run/dirsrv/slapd-CLIFF-CLOUDBURRITO-COM.startpid >>>>>>>> # netstat -tpnl | grep slapd >>>>>>>> tcp 0 0 :::636 :::* >>>>>>>> >>>>>>>> LISTEN 15586/ns-slapd >>>>>>>> tcp 0 0 :::7389 :::* >>>>>>>> >>>>>>>> LISTEN 15540/ns-slapd >>>>>>>> tcp 0 0 :::7390 :::* >>>>>>>> >>>>>>>> LISTEN 15540/ns-slapd >>>>>>>> tcp 0 0 :::389 :::* >>>>>>>> >>>>>>>> LISTEN 15586/ns-slapd >>>>>>>> # ipactl status >>>>>>>> Directory Service: RUNNING >>>>>>>> Unknown error when retrieving list of services from LDAP: {'info': >>>>>>>> 'SASL(-4): >>>>>>>> no mechanism available: ', 'desc': 'Unknown authentication method'} >>>>>>>> >>>>>>> Hello, >>>>>>> >>>>>>> OK, it seems that ipactl could not bind to your Directory Server. This >>>>>>> script >>>>>>> uses a "ldap_uri" configuration option value from /etc/ipa/default.conf >>>>>>> to >>>>>>> connect to Directory Server via EXTERNAL auth. >>>>>>> >>>>>>> You can verify yourself if that bind works or not with the following >>>>>>> ldapsearch >>>>>>> (just replace $LDAP_URI_VALUE with your setting): >>>>>>> >>>>>>> # ldapsearch -Y EXTERNAL -H $LDAP_URI_VALUE -b >>>>>>> "cn=masters,cn=ipa,cn=etc,dc=cliff,dc=cloudburrito,dc=com" >>>>>>> >>>>>>> I assume it will report the same error as ipactl. We need to verify >>>>>>> that the >>>>>>> referred LDAP URI is indeed right and functional. >>>>>>> >>>>>>> Martin >>>>>> The system had no /etc/ipa/default.conf >>>>>> I copied the one from the master server, changed the `host=` and >>>>>> `xmlrpc_uri=` parameters to reflect the replica server, and now `ipactl >>>>>> status`, along with everything else, is working perfectly. >>>>>> Should that file have been created during the `ipa-replica-install` >>>>>> process? I don't see anything in the documentation about having to copy >>>>>> and edit it manually. >>>>>> >>>>>> Thanks >>>>>> >>>>>> -Patrick >>>>>> >>>>> Yeah, this should have been created during ipa-replica-install. >>>>> >>>>> Can you please check /var/log/ipareplica-install.log and check if >>>>> ipa-client-install (which is run as part of ipa-replica-install) >>>>> succeeded? I >>>>> have a suspicion you hit a bug I was fixing recently. >>>>> >>>>> Martin >>>> No, the client install failed: >>>> 2013-01-29T23:24:05Z DEBUG stderr= >>>> 2013-01-29T23:24:05Z DEBUG Restarting the web server >>>> 2013-01-29T23:24:06Z DEBUG args=/sbin/service httpd restart >>>> 2013-01-29T23:24:06Z DEBUG stdout=Stopping httpd: [ OK ] >>>> Starting httpd: [ OK ] >>>> >>>> 2013-01-29T23:24:06Z DEBUG stderr= >>>> 2013-01-29T23:24:20Z DEBUG args=/usr/sbin/ipa-client-install --on-master >>>> --unattended --domain cliff.cloudburrito.com --server >>>> i-d26b7f8b.ipa-server.us-west-1.cliff.cloudburrito.com --realm >>>> CLIFF.CLOUDBURRITO.COM >>>> 2013-01-29T23:24:20Z DEBUG stdout=Discovery was successful! >>>> Hostname: i-d26b7f8b.ipa-server.us-west-1.cliff.cloudburrito.com >>>> Realm: CLIFF.CLOUDBURRITO.COM >>>> DNS Domain: cliff.cloudburrito.com >>>> IPA Server: i-d26b7f8b.ipa-server.us-west-1.cliff.cloudburrito.com >>>> BaseDN: dc=cliff,dc=cloudburrito,dc=com >>>> >>>> >>>> Configured /etc/sssd/sssd.conf >>>> Installation failed. Rolling back changes. >>>> >>>> 2013-01-29T23:24:20Z DEBUG stderr=DNS domain 'cliff.cloudburrito.com' is >>>> not configured for automatic KDC address lookup. >>>> KDC address will be set to fixed value. >>>> >>>> Failed to add CA to the default NSS database. >>>> >>>> 2013-01-29T23:24:20Z DEBUG Failed to configure the client >>>> File "/usr/sbin/ipa-replica-install", line 496, in <module> >>>> main() >>>> >>>> File "/usr/sbin/ipa-replica-install", line 485, in main >>>> raise RuntimeError("Failed to configure the client") >>>> >>> Getting warmer... Can you please check /var/log/ipaclient-install.log if >>> there >>> is a reason why it failed? The problem here is that the client removed >>> default.conf, keytabs etc. when it uninstalled itself due to the failure. >>> >>> Thanks, >>> Martin >> Below is the last few lines of the file. >> It looks like it's failing because sssd is already configured. This is >> true as our servers are preconfigured for sssd to use the IPA master >> server. If this is indeed the cause, is there any way to have it not >> configure sssd? Or should I wipe the sssd config before attempting to >> set up the replica? >> Could it also be fixed so that if the client install does fail, that it >> doesn't break the server? >> >> 2013-01-30T16:28:38Z DEBUG stderr= >> 2013-01-30T16:28:38Z DEBUG Restoring client configuration files >> 2013-01-30T16:28:38Z DEBUG args=/usr/sbin/selinuxenabled >> 2013-01-30T16:28:38Z DEBUG stdout= >> 2013-01-30T16:28:38Z DEBUG stderr= >> 2013-01-30T16:28:38Z DEBUG Saving Index File to >> '/var/lib/ipa-client/sysrestore/sysrestore.index' >> 2013-01-30T16:28:38Z DEBUG -> no files, removing file >> 2013-01-30T16:28:38Z DEBUG args=/sbin/service nscd status >> 2013-01-30T16:28:38Z DEBUG stdout= >> 2013-01-30T16:28:38Z DEBUG stderr=nscd: unrecognized service >> >> 2013-01-30T16:28:38Z INFO nscd daemon is not installed, skip configuration >> 2013-01-30T16:28:38Z DEBUG args=/sbin/service nslcd status >> 2013-01-30T16:28:38Z DEBUG stdout= >> 2013-01-30T16:28:38Z DEBUG stderr=nslcd: unrecognized service >> >> 2013-01-30T16:28:38Z INFO nslcd daemon is not installed, skip configuration >> 2013-01-30T16:28:38Z DEBUG The original configuration of SSSD included >> other domains than IPA-based one. >> 2013-01-30T16:28:38Z DEBUG Original configuration file is restored, >> restarting SSSD service. >> 2013-01-30T16:28:38Z DEBUG args=/sbin/service sssd restart >> 2013-01-30T16:28:38Z DEBUG stdout=Stopping sssd: [FAILED] >> Starting sssd: [ OK ] >> >> 2013-01-30T16:28:38Z DEBUG stderr=cat: /var/run/sssd.pid: No such file >> or directory >> > Any what do SSSD logs say? > I seems that restart of SSSD did not go that smoothly.
sssd started up fine, it's running right now. Looks like a race condition, the pid file has an mtime of 16:28:38, the same second as the "No such file or directory" error. _______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
